[Cerowrt-devel] Current state of ipv6 in openwrt barrier breaker

Dave Taht dave.taht at gmail.com
Mon Dec 10 06:40:52 EST 2012


On Mon, Dec 10, 2012 at 12:27 PM, Steven Barth <cyrus at openwrt.org> wrote:
> On 10.12.2012 10:15, Dave Taht wrote:
>>>
>>> * Prefixes are automatically split up and distributed over
>>> downstream-interfaces OR by choice mapped to an ULA-address (NPT66).
>>
>>
>> Hmm. The homenet folk have a prefix assignment and router discovery
>> process defined in their PD over ospf (somewhat crazy)
>> implementation...
>>
>> My expectation here is that ISPs are going to be parsimonious in
>> handing out anything bigger than a /64, certainly anything bigger than
>> a /56 is going to be scarce. So I'd hope that address assignment using
>> NPT66 would start with the bottom addresses and work up.
>
>
> cerowrt would run into problems if the ISPs would only assign a single /64.
> Even NPT would not help here as two distinct ULA /64 could not be mapped to
> the same public /64 without the possibility of collisions. So it might be
> necessary to relay between the downstream interfaces in this case so that
> they share a /64 or did you have something else in mind?

The current lack of anything greater than a /64 from places like free
and comcast...

is why I use ahcp for everything, myself. /128s. I also gain the
ability to move transparently from wired to wireless and back again
without losing my 20 ssh connections or the movie I'm playing. Not
that wires matter anymore.

Not being able to get anything greater than a single delegated /64 has
been quite maddening, to date.

I'm glad to know that free actually distributes a /60 and that comcast
has plans to do /60s or better, and that the principal barrier to
wider distribution of more prefixes is mostly due to flaws in the
dhcp-pd clients.

>
> However I guess and from what I have seen most ISPs will probably assign a
> /56 or at least a /60. For OpenWrt a /64 would not be so problematic as there
> is - by default - only 1 (bridged) lan-interface so a single /64 is
> sufficient for most users.

Well, I abhor bridging 2.4 and 5 ghz wireless together, and then there
is the ever more popular concept of a "guest" network...

> This is how the prefix distribution works either for the ULA or the public
> prefixes. I've implemented this straight forward not looking at any
> specification as the local prefix distribution should not be mandated imo by
> any RFC.

Heh.

>
> * For ULA fd00::/48, the first /64 would be fd00::/64, the 2nd
> fd00:0:0:1::/64 etc.

It would be my hope to not standardize on fd00::whatever, but to
actually generate random ones. Doing vpns between your standardized
192.168.0.1 addresses is painful.... and with better naming, the pain
of having to remember these large numbers goes away (a bit.)

> * Padding (unused address-space) is added if the alignment cannot be
> satisfied (e.g. one interface wants a /64, the second a /62, then there will
> be a padding of 1 /64 and 1 /63 in between).
> * If a downstream-interface goes down, its assigned prefix is preserved in
> case it later comes up again.
> * Assignments for public prefixes are forgotten once the prefix is removed
> (e.g. wan goes down).

My understanding is that public prefixes can be kept until the wan comes up.
That said, I'd argue in favor of expiring them as fast as possible if
ula's already exist.

> In the current implementation the NPT will map the public prefix to the
> lower part of the ULA, meaning a public /56-prefix will be mapped onto
> fd00::/56 if the ULA is fd00::/48 and everything outside this /56 would not
> be mapped so care has to be taken. This is a bit unpredictable - I know -
> but in the end we cannot know what size the public prefix from the ISP will
> be and I guess if there are only a few /64-downstream interfaces it is
> unlikely to clash for a majority of users.
>
>
>
>>
>> Somewhat related to that, is the concept of actually USING ipv6 for a
>> few things that it's good at. For example, a much greater randomized
>> port space can be gained if the dns server is the only daemon
>> listening on a dedicated ipv6 address (like a ::3)
>
>
> I'm currently wondering if it would make sense to implement a randomization
> strategy in case we have e.g. a /56 prefix and only want to assign one or
> two /64 so that the /64 would not always be ...1::/64 and 2::/64 but it
> would be a bit complicated with the dynamic prefix assignment of
> downstream-interfaces and especially when it comes to ULA and us not knowing
> before-hand what length the public prefix will be.

I think randomizing would help against attacks, yes.

Somewhat related, you could do something SLAAC-like on the inner
interface's /64. In prior versions of linux using a dhcp-like address
assignment strategy hashed badly.

(I note that I'm more of a fan of slaac than dhcpv6)

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
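
Added example, not part of the original message and not OpenWrt's code: a sketch of the aligned prefix distribution and the "lower part of the ULA" NPT mapping discussed in the thread, plus a randomly generated ULA /48. The function names, the in-order allocation policy and the 2001:db8:: documentation prefix are assumptions made for illustration.

```python
import ipaddress
import secrets

def random_ula():
    """Random ULA /48: fd00::/8 followed by a 40-bit random Global ID."""
    return ipaddress.IPv6Network(((0xFD << 120) | (secrets.randbits(40) << 80), 48))

def assign_prefixes(parent, wanted_lengths):
    """Hand out aligned sub-prefixes in request order (assumed policy).

    Returns (assigned, padding); padding is the space skipped for alignment.
    """
    parent = ipaddress.ip_network(parent)
    cursor = int(parent.network_address)
    end = cursor + parent.num_addresses
    assigned, padding = [], []
    for plen in wanted_lengths:
        if not parent.prefixlen <= plen <= 128:
            raise ValueError(f"/{plen} does not fit in {parent}")
        size = 1 << (128 - plen)
        start = -(-cursor // size) * size  # round up to the block's alignment
        if start + size > end:
            raise ValueError(f"{parent} exhausted")
        if start > cursor:
            padding += ipaddress.summarize_address_range(
                ipaddress.IPv6Address(cursor), ipaddress.IPv6Address(start - 1))
        assigned.append(ipaddress.IPv6Network((start, plen)))
        cursor = start + size
    return assigned, padding

def outside_npt_window(ula, public, assigned):
    """Assigned ULA subnets that fall outside the lower part of the ULA
    covered by the public prefix, i.e. that would not be translated."""
    ula, public = ipaddress.ip_network(ula), ipaddress.ip_network(public)
    window = ipaddress.IPv6Network(
        (int(ula.network_address), max(ula.prefixlen, public.prefixlen)))
    return [net for net in assigned if not net.subnet_of(window)]

if __name__ == "__main__":
    nets, pad = assign_prefixes("fd00::/48", [64, 62])
    print("assigned:", *nets)
    print("padding: ", *pad)
    # 2001:db8::/64 is a documentation prefix standing in for an ISP delegation
    print("unmapped with a /64:", *outside_npt_window("fd00::/48", "2001:db8::/64", nets))
    print("random ULA:", random_ula())
```

With a single delegated /64 the /62 interface lands outside the translated range, while a /56 delegation covers both assignments.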


