
[resource-policy] Aggregation with IPv6

Mark J Elkins mje at
Mon Jan 15 11:03:26 UTC 2007

Posix Systems was recently allocated an IPv6 /32.

I'm trying to understand how I can best meet both customer needs whilst 
keeping good aggregation and have come up with the following:

1) I get assigned a /32 (2001:42a0::) - where '42a0' is whatever is 
assigned (ok - what Posix was assigned!)

2) I am more or less expected to assign /48's to customers..
..which generally leaves 16 bits to assign to customers

My goal is to aggregate as much as possible - whilst learning from past 

It would therefore seem a reasonable thing to split these 16 bits into 
something like 6 and 10. The first 6 bits (64 permutations) then becomes 
a logical geographical area - eg. Joburg, Cape Town, Swaziland - etc. 
and the last 10 bits (1024 permutations) becomes a customer in that 
area. This way - if the Cape Town peering point is ever resurrected, 
I can use a single net-mask (ie Route) to advertise all my Cape Town 
clients to that peering center. I might in fact reserve more than one 
set of 6 bits for the Johannesburg area (ie - 4 bits for the area and 12 
bits for customers) - but that would probably be the only variation.
I'm currently using 4 bits for an area and the remainder for customers. 
I'm also using a /48 in each area for internal use (ie - local hosting, 
dial-up - etc), so if I lose long distance links - all the 'local' stuff 
would still work / be accessible.

As far as I can see - many LIR's simply allocate the next logical /48 
block to the next customer and disregard any possibility of 
regionalising IPv6 addresses.

What do others think? Anything better?


Posix Systems (like other ISPs) does customer hosting of machines, 
many of which need multiple IP addresses for different SSL sites - etc. 
An assumption is that most people would allocate a full /64 to an 
Ethernet interface.

The simple mapping of a MAC address to the Host portion (ie - the last 
64bits) of an IPv6 address does not allow for the easy addition of 
multiple IP's on the same machine. It does however make scanning a /64 
difficult - unless you know that the hosting company only uses one 
particular brand of Ethernet card.

Given a MAC address of:   00:0D:56:FE:CB:08,  (which auto 
becomes...::020d:56ff:fefe:cb08) I propose to turn this into....
NNNN would be a simple sequence number (from 0 or 1 upwards) [I have 
noticed that providing a range of IPv6 addresses on a Linux machine ie...
config_eth1=( "192.96.28.{1..9}/24" )
.... only works for decimal values - it chokes on Hex values (A-F)]

The MMMM could map to a security map of what ports that IP address 
should be allowed to accept......
The 16 bits could be defined as...

1 - ssh (port 22)
2 - web (port 80)
3 - ssl web (443)
4 - pop3 ( both 110 and 195)
5 - imap (both 143, 220 and 993)
F - anything (no auto firewall)

..thus a value of :0: would not allow the (upstream) firewall  to send 
through anything, but a value of :ffff: would allow everything 
through..  thus a hosting client could define for themselves what ports 
the firewall would let through...

I'd then use a common set of filter lists on my firewall - just to look 
at those bits - for the majority of customers. There will always be 
exceptions to some customers - but this can be handled in the 
traditional way.

Anyone done anything like this?
Other Suggestions?

  .  .     ___. .__      Posix Systems - Sth Africa
 /| /|       / /__       mje at  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
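A worked version of the two ideas in this post (the area|customer split of the 16 bits between the /32 and the customer /48, and an MMMM port-permission word carried in the host part), added here as an example; it is not code from the original post. The post does not give the layout of the 64-bit host portion, so this assumes ::MMMM:NNNN in the low 32 bits of the customer's first /64, reads the post's list as bit numbers (bit 1 = ssh, ..., bit 15 = "F - anything"), and uses the port numbers exactly as the post lists them.

```python
import ipaddress

# The post's allocation: a /32 whose third group ('42a0') is whatever the LIR was assigned.
LIR_PREFIX = ipaddress.IPv6Network("2001:42a0::/32")
AREA_BITS = 6   # 64 geographic areas; the post also mentions a 4-bit variant

def customer_prefix(area: int, customer: int, area_bits: int = AREA_BITS) -> ipaddress.IPv6Network:
    """The /48 for (area, customer): the 16 bits between /32 and /48 are split area|customer."""
    cust_bits = 16 - area_bits
    if not (0 <= area < 1 << area_bits and 0 <= customer < 1 << cust_bits):
        raise ValueError("area or customer index out of range")
    site = (area << cust_bits) | customer
    return ipaddress.IPv6Network((int(LIR_PREFIX.network_address) | site << 80, 48))

def area_prefix(area: int, area_bits: int = AREA_BITS) -> ipaddress.IPv6Network:
    """The single aggregate route that covers every customer /48 in one area."""
    if not 0 <= area < 1 << area_bits:
        raise ValueError("area index out of range")
    return ipaddress.IPv6Network(
        (int(LIR_PREFIX.network_address) | area << (96 - area_bits), 32 + area_bits))

# MMMM bit positions as listed in the post (reading "1 - ssh" as bit 1, "F" as bit 15).
PORT_BITS = {1: {22}, 2: {80}, 3: {443},
             4: {110, 195},        # pop3 as listed in the post (POP3S is conventionally 995)
             5: {143, 220, 993}}   # imap
ANY_BIT = 15  # "F - anything (no auto firewall)"

def host_address(site: ipaddress.IPv6Network, seq: int, ports_word: int) -> ipaddress.IPv6Address:
    """Host NNNN=seq with firewall word MMMM=ports_word.
    Assumed layout (not given in the post): ...::MMMM:NNNN in the first /64 of the /48."""
    if not (0 <= seq <= 0xFFFF and 0 <= ports_word <= 0xFFFF):
        raise ValueError("NNNN and MMMM are 16-bit fields")
    return ipaddress.IPv6Address(int(site.network_address) | ports_word << 16 | seq)

def firewall_allows(addr: ipaddress.IPv6Address, dst_port: int) -> bool:
    """Upstream filter decision taken purely from the MMMM bits of the destination address."""
    word = (int(addr) >> 16) & 0xFFFF
    if word >> ANY_BIT & 1:
        return True
    return any(word >> bit & 1 and dst_port in ports for bit, ports in PORT_BITS.items())

if __name__ == "__main__":
    site = customer_prefix(5, 3)                 # area 5, customer 3 -> 2001:42a0:1403::/48
    web_host = host_address(site, 1, 0b0110)     # bits 1 and 2 set: ssh and web only
    print(area_prefix(5), site, web_host)
    for port in (22, 80, 443):
        print(port, firewall_allows(web_host, port))
```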
