[resource-policy] Aggregation with IPv6
Mark J Elkins
mje at posix.co.za
Mon Jan 15 11:03:26 UTC 2007
Posix Systems was recently allocated an IPv6 /32.
I'm trying to understand how I can best meet both customer needs whilst
keeping good aggregation and have come up with the following:
1) I get assigned a /32 (2001:42a0::) - where '42a0' is what ever is
assigned (ok - what Posix was assigned!)
2) I am more or less expected to assign /48's to customers..
..which generally leaves 16 bits to assign to customers
My goal is to aggregate as much as possible - whilst learning from past
It would therefore seem a reasonable thing to split these 16 bits into
something like 6 and 10. The first 6 bits (64 permutations) then becomes
a logical geographical area - eg. Joburg, Cape Town, Swaziland - etc.
and the last 10 bits (1024 permutations) becomes a customer in that
area. This way - if the Cape Town peering point is ever resurrected,
I can use a single net-mask (ie Route) to advertise all my Cape Town
clients to that peering center. I might in fact reserve more than one
set of 6 bits for the Johannesburg area (ie - 4 bits for the area and 12
bits for customers) - but that would probably be the only variation.
I'm currently using 4 bits for an area and the remainder for customers.
I'm also using a /48 in each area for internal use (ie - local hosting,
dial-up - etc), so if I lose long distance links - all the 'local' stuff
would still work / be accessible.
As far as I can see - many LIRs simply allocate the next logical /48
block to the next customer and disregard any possibility of
regionalising IPv6 addresses.
What do others think? Anything better?
Posix Systems (like other ISPs) does customer hosting of machines,
many of which need multiple IP addresses for different SSL sites - etc.
An assumption is that most people would allocate a full /64 to an
The simple mapping of a MAC address to the Host portion (ie - the last
64bits) of an IPv6 address does not allow for the easy addition of
multiple IPs on the same machine. It does however make scanning a /64
difficult - unless you know that the hosting company only uses one
particular brand of Ethernet card.
Given a MAC address of: 00:0D:56:FE:CB:08, (which auto
becomes...::020d:56ff:fefe:cb08) I propose to turn this into....
NNNN would be a simple sequence number (from 0 or 1 upwards) [I have
noticed that providing a range of IPv6 addresses on a Linux machine ie...
.... only works for decimal values - it chokes on Hex values (A-F)]
The MMMM could map to a security map of what ports that IP address
should be allowed to accept......
The 16 bits could be defined as...
1 - ssh (port 22)
2 - web (port 80)
3 - ssl web (443)
4 - pop3 ( both 110 and 195)
5 - imap (both 143, 220 and 993)
F - anything (no auto firewall)
..thus a value of :0: would not allow the (upstream) firewall to send
through anything, but a value of :ffff: would allow everything
through.. thus a hosting client could define for themselves what ports
the firewall would let through...
I'd then use a common set of filter lists on my firewall - just to look
at those bits - for the majority of customers. There will always be
exceptions to some customers - but this can be handled in the
Anyone done anything like this?
--
Mark J Elkins, SCO ACE, Cisco CCIE
Posix Systems - Sth Africa
mje at posix.co.za
Tel: +27 12 807 0590 Cell: +27 82 601 0496
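As an added illustration of the scheme in the mail above (example code written for this archive page, not Mark's or Posix Systems' own tooling): the area/customer split of the 16 bits below the /32, and the decoding of the MMMM group into the ports the upstream firewall should pass. The exact placement of NNNN:MMMM in the last 32 bits of the host part, and "bit n of MMMM = entry n of the list" with F as bit 15, are assumptions, since the mail's own layout line is not on the page.

```python
import ipaddress

# Assumed layout (the mail's exact proposal line is missing from the page):
# /32 LIR prefix | area_bits of region | remaining customer bits -> /48,
# host part ...::NNNN:MMMM with NNNN a sequence number and MMMM a port mask.
PORT_BITS = {1: (22,), 2: (80,), 3: (443,), 4: (110, 195), 5: (143, 220, 993)}
ANY_BIT = 0xF  # list entry F: "anything (no auto firewall)"


def area_route(lir, area, area_bits=4):
    """Single aggregate route covering every customer /48 in one area."""
    net = ipaddress.IPv6Network(lir)
    assert net.prefixlen == 32 and 0 <= area < (1 << area_bits)
    base = int(net.network_address) | (area << (128 - 32 - area_bits))
    return ipaddress.IPv6Network((base, 32 + area_bits))


def customer_prefix(lir, area, customer, area_bits=4):
    """The /48 assigned to customer number `customer` inside an area."""
    assert 0 <= customer < (1 << (16 - area_bits))
    area_net = area_route(lir, area, area_bits)
    # the customer number occupies the third 16-bit group (bits 80..95)
    base = int(area_net.network_address) | (customer << 80)
    return ipaddress.IPv6Network((base, 48))


def host_address(cust48, seq, port_mask):
    """Hosted-machine address ...::NNNN:MMMM in the customer's first /64."""
    assert 0 <= seq <= 0xFFFF and 0 <= port_mask <= 0xFFFF
    return ipaddress.IPv6Address(
        int(cust48.network_address) | (seq << 16) | port_mask)


def allowed_ports(addr):
    """Decode MMMM (last 16 bits) into the TCP ports the upstream firewall
    lets through; None means 'anything', [] means nothing inbound."""
    mask = int(ipaddress.IPv6Address(addr)) & 0xFFFF
    if (mask >> ANY_BIT) & 1:
        return None
    return sorted(p for bit, ports in PORT_BITS.items()
                  if (mask >> bit) & 1 for p in ports)


if __name__ == "__main__":
    cust = customer_prefix("2001:42a0::/32", area=3, customer=5)
    print(area_route("2001:42a0::/32", 3), cust)
    web = host_address(cust, seq=1, port_mask=0x000E)  # ssh + web + ssl web
    print(web, allowed_ports(web))
```

A filter list built from `allowed_ports()` only has to look at the last 16 bits, so one rule set serves every customer that follows the convention; exceptions get explicit rules as the mail notes.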