Search RPD Archives
[resource-policy] Agrigation with IPv6
Mark J Elkins
mje at posix.co.za
Mon Jan 15 11:03:26 UTC 2007
Posix Systems was recently allocated some IPv6/32
I'm trying to understand how I can best meet both customer needs whilst
keeping good aggregation and have come up with the following:
1) I get assigned a /32 (2001:42a0::) - where '42a0' is what ever is
assigned (ok - what Posix was assigned!)
2) I am more or less expected to assign /48's to customers..
..which generally leaves 16 bits to assign to customers
My goal is to aggregate as much as possible - whilst learning from past
"mistakes".
It would therefore seem a reasonable thing to split these 16 bits into
something like 6 and 10. The first 6 bits (64 permutations) then becomes
a logical geographical area - eg. Joburg, Cape Town, Swaziland - etc.
and the last 10 bits (1024 permutations) becomes a customer in that
area. This way - if the Cape Town peering point is ever re-resurrected,
I can use a single net-mask (ie Route) to advertise all my Cape Town
clients to that peering center. I might in fact reserve more than one
set of 6 bits for the Johannesburg area (ie - 4 bits for the area and 12
bits for customers) - but that would probably be the only variation.
I'm currently using 4bits for an area and the remainder for customers.
I'm also using a /48 in each area for internal use (ie - local hosting,
dial-up - etc), so if I loose long distant links - all the 'local' stuff
would still work / be accessable.
As far as I can see - many LIR's simply allocate the next logical /48
block to the next customer and disregard any possibility of
regionalising IPv6 addresses.
What do others think? Anything better?
----------------------------------------------------------
Posix Systems (like other IPS's) does customer hosting of machines,
many of which need multiple IP addresses for different SSL sites - etc.
An assumption is that most people would allocate a full /64 to an
Ethernet interface.
The simple mapping of a MAC address to the Host portion (ie - the last
64bits) of an IPv6 address does not allow for the easy addition of
multiple IP's on the same machine. It does however make scanning a /64
difficult - unless you know that the hosting company only uses one
particular brand of Ethernet card.
Given a MAC address of: 00:0D:56:FE:CB:08, (which auto
becomes...::020d:56ff:fefe:cb08) I propose to turn this into....
...:56fe:cb08:MMMM:NNNN.
NNNN would be a simple sequence number (from 0 or 1 upwards) [I have
noticed that providing a range of IPv6 addresses on a Linux machine ie...
config_eth1=( "192.96.28.{1..9}/24"
"2001:668:0:3::4000:{0092..0099}/124"
)
.... only works for decimal values - it chokes on Hex values (A-F)]
The MMMM could map to a security map of what ports that IP address
should be allowed to accept......
The 16 bits could be defines as...
1 - ssh (port 22)
2 - web (port 80)
3 - ssl web (443)
4 - pop3 ( both 110 and 195)
5 - imap (both 143, 220 and 993)
...
F - anything (no auto firewall)
..thus a value of :0: would not allow the (upstream) firewall to send
through anything, but a value of :ffff: would allow everything
through.. thus a hosting client could define for themselves what ports
the firewall would let through...
I'd then use a common set of filter lists on my firewall - just to look
at those bits - for the majority of customers. There will always be
exceptions to some customers - but this can be handled in the
traditional way.
Anyone done anything like this?
Other Suggestions?
--
. . ___. .__ Posix Systems - Sth Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
More information about the RPD
mailing list