[LAC-TF] {Disarmed} Re: FW: Creating an IPv6 addressing plan for end users(RIPE)

Jorge Villa villa at reduniv.edu.cu
Tue Mar 15 17:10:44 BRT 2011

Harold, muy buen aporte. Creo que como complemento habria que agregar algunas herramientas para realizar el direccionamiento y gestion de direcciones IPv6, tales como:

IPplan (http://iptrack.sourceforge.net)
IPv6 Optimal Address Paln and Allocation Tool [Marc Blanchet] (http://www.ipv6book.ca/allocation.html)

Arturo, buena informacion complementaria de ese trabajo de Owen y tambien es interesante la del Wiki de ARIN (http://www.getipv6.info/index.php/IPv6_Addressing_Plans)

  ----- Original Message ----- 

  From: Arturo Servin 
  To: lactf at lac.ipv6tf.org 
  Sent: Tuesday, March 15, 2011 3:37 PM
  Subject: {Disarmed} Re: [LAC-TF] FW: Creating an IPv6 addressing plan for end users(RIPE)

  El documento es bastante interesante.

  Aquí hay una presentación con otras recomendaciones de como hacer el plan de direccionamiento.


  Sería interesante saber si la gente está usando (o interesada más) en asignaciones secuenciales o por bisección (no estoy seguro que esos sean los términos correctos en castellano).


  On 15 Mar 2011, at 16:11, Harold de Dios T. wrote:

    Les comparto un buen documento (abajo descrito en URL) que a muchos de nosotros (directa o indirectamente) será de utilidad. 

    ------ Mensaje reenviado
    De: Ray Soucy <rps at maine.edu>
    Fecha: Tue, 15 Mar 2011 14:56:51 -0400
    Para: Brent Sweeny <sweeny at indiana.edu>
    CC: i2 ipv6 wg <wg-ipv6 at internet2.edu>
    Asunto: Re: Creating an IPv6 addressing plan for end users (RIPE)

    It's a nice document.

    RFC 3627 is worth mentioning.  126-bit prefixes for point-to-point networks are just as easy to use, and with IPv6 there isn't really a concern to save space.

    In Maine we've been looking into the ability to exploit very large address space for subnets and neighbor discovery to perform denial of service attacks by causing enough ND solicitations to fill the neighbor table for a router (e.g. sweeping through every address in a 64-bit prefix) as briefly mentioned in RFC 3756.

    Initial results in the lab (if you can call a few routers and a laptop a lab) are showing this could be a major problem and become one of the most attractive denial of service attacks (I was actually working on this last night).

    Because of this, we're updating our message to not only encourage, but also recommend the use of 126-bit prefixes for any point-to-point network.

    We have also adjusted our recommendation for LAN addressing to allocate 64-bit prefixes, but if possible (e.g. SLAAC is not being used), use a subset of the prefix with an appropriate size to limit the impact of such an attack until better security controls are available.

    For example, you could allocate 2001:db8:0:1234::/64 for a network, but only define it on the gateway as 2001:db8:0:1234::/120 (256).  This helps to mitigate the usefulness of the attack, but maintains the flexibility to migrate to a 64-bit prefix once better controls are in place.

    We also position SLAAC as a less desirable option for a corporate network. DHCPv6 was perceived to be "wrong" by much of the IPv6 community, mainly due to lack of client implementation; but for the enterprise this level of control is highly desirable, especially for a phased deployment of IPv6.  

    Thankfully, Windows (Vista), Mac OS X (Lion), and most Linux distributions now have mature DHCPv6 client implementations, making DHCPv6 a more than viable option for IPv6 deployment.  It also helps avoid IPv6 being used by hosts with less-than-complete implementations as most systems that include DHCPv6 have fairly stable and mature IPv6 implementations.

    I don't think anyone has written an RFC to describe how routers should construct the neighbor table (would love to know if that is not the case), but it would be nice to see something along the lines of not expiring known entries if the table is full formalized as an implementation guideline, or perhaps added as a security feature.

    On Tue, Mar 15, 2011 at 8:39 AM, Brent Sweeny <sweeny at indiana.edu> wrote:

      RIPE sent this to v6-ops, but I expect there's interest in this group too:
      Date: Tue, 15 Mar 2011 10:01:17 +0100
      From: Nathalie Trenaman <MailScanner ha detectado un posible intento de fraude desde "x-msg:" nathalie at ripe.net>
      Subject: Creating an IPv6 addressing plan for end users
      To: ipv6-ops at lists.cluenet.de

      Hi all,

      In our IPv6 courses, we often get the question: I give my customers a
      /48 (or a /56 or a /52) but they have no idea how to distribute that
      space in their network.
      In December Sander Steffann and Surfnet wrote a manual explaining
      exactly that, in clear language with nice graphics. A very useful
      document but it was in Dutch,
      so RIPE NCC decided to translate that document to English.

      Today, we have published that document on our website and we hope this
      document is able to take away some of the fear that end users seem to
      have for these huge blocks.
      You can find this document here:


      short URL:

      We look forward to your feedback, tips and comments.

      With kind regards,

      Nathalie Trenaman
      RIPE NCC Trainer

    Ray Soucy

    Epic Communications Specialist

    Phone: +1 (207) 561-3526

    Networkmaine, a Unit of the University of Maine System

    ------ Fin del mensaje reenviado

    LACTF mailing list
    LACTF at lacnic.net



  LACTF mailing list
  LACTF at lacnic.net


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.lacnic.net/pipermail/lactf/attachments/20110315/acd1f5fc/attachment.html>

More information about the LACTF mailing list