Ray Patrick Soucy

IPv6 Addressing Guidelines

I often get asked how IPv6 addressing works.  Here are some general guidelines that should save you a lot of headaches in your IPv6 rollout.

RFC 4291 (IP Version 6 Addressing Architecture, the successor to RFC 2373) is a good starting point.

With IPv6 every LAN gets a /64.  A good starting point is to count your VLANs and estimate how many networks you will need (not how many hosts on each network).  Don’t count networks that will never be routed to the Internet; those can use ULA address space (the IPv6 equivalent of RFC 1918 space), for more info on ULA see RFC 4193.

If you assign a /64 to every LAN (as you should), all that remains is deciding how much address space you need for network identifiers (since the host portion of every network is the low 64 bits, there is no need to size any network for the number of hosts on it).  A /56, for example, provides 256 networks, which is more than enough for most mid-sized organizations.  If you need more, jump up to a /52, which gives you a 12-bit field for network identifiers (4096 networks), the same width as the 802.1Q VLAN ID field.  That makes it easy to keep track of your IPv6 networks: write the VLAN ID, in hex, into those 12 bits for every network you create, and each VLAN gets an obvious /64 that can never collide with another VLAN’s prefix.  For very large organizations (multi-campus organizations, for example) a /48 provides room for 16 /52s or 256 /56s (again, these are just examples; I like to keep the breaks 4 bits apart so they line up with the hex digits of the address, but you could use any mask in between).  The point is that you need to get away from the mindset of sizing networks by the number of hosts.

Use /126 networks in the zero address space (the first /64 of your allocation) for link networks (router to router); this is one of the alternatives to /127 that RFC 3627 discusses.  The main reason is that a /64 per link (of which a service provider has many) is very wasteful.  Using the zero address space for these also gives you much shorter addresses for links thanks to the :: notation; e.g. 2001:DB8::1.  Two caveats: the first address of each /126 (all-zeros interface identifier) is the subnet-router anycast address (RFC 4291), so number the two ends ::1 and ::2 of the link rather than starting at ::0; and practice later moved on, with RFC 6164 recommending /127 on inter-router links and RFC 6547 reclassifying RFC 3627 as Historic.
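The two preceding paragraphs describe an addressing plan in words; the script below carries the same arithmetic out with Python’s standard `ipaddress` module.  It is an added example, not code from the original post.  It assumes an organization holding 2001:db8::/48 (the RFC 3849 documentation prefix, standing in for a real allocation), that the first /52 of it is used for VLAN-numbered LANs, and that the router-to-router /126 links are carved out of the zero /64 of that block; the function names are my own.

```python
# Added example (not part of the original post): carve an IPv6 allocation
# the way the guidelines above describe.  Assumptions: the organisation
# holds 2001:db8::/48 (the RFC 3849 documentation prefix, used here as a
# stand-in), keeps the first /52 for VLAN-numbered LANs, and carves its
# router-to-router links out of the zero /64 of that block.
import ipaddress

ORG_PREFIX = ipaddress.IPv6Network("2001:db8::/48")  # assumed allocation


def carve(prefix, new_prefixlen):
    """Return every subnet of length new_prefixlen inside prefix.

    This is the arithmetic from the text: a block yields
    2 ** (new_prefixlen - prefix.prefixlen) subnets, so a /48 holds
    16 /52s or 256 /56s, and a /56 holds 256 /64s.
    """
    return list(prefix.subnets(new_prefix=new_prefixlen))


def vlan_network(block, vlan_id):
    """Map an 802.1Q VLAN ID onto a /64 inside a /52.

    A /52 leaves exactly 12 bits between the /52 boundary and the /64
    boundary, the same width as the VLAN ID field, so the VLAN number is
    written straight into those bits.  The result reads naturally in hex:
    VLAN 100 (0x064) inside 2001:db8::/52 is 2001:db8:0:64::/64.
    """
    if block.prefixlen != 52:
        raise ValueError("VLAN-ID encoding needs a /52 (12 subnet bits)")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1Q VLAN IDs run from 1 to 4094")
    # The 12-bit subnet field occupies bits 64..75 counting from the
    # least significant bit, so shift the VLAN ID up by 64.
    network_int = int(block.network_address) | (vlan_id << 64)
    return ipaddress.IPv6Network((network_int, 64))


def gateway(lan):
    """The ::1 address of a /64, the convention the post uses for the router."""
    return lan[1]


def link_networks(zero_64, count):
    """Carve `count` point-to-point /126 links out of the zero /64.

    Each /126 has four addresses; address 0 is the subnet-router anycast
    address (RFC 4291), so the two router ends get addresses 1 and 2.
    The first link is 2001:db8::/126 with ends 2001:db8::1 and
    2001:db8::2, the short notation the text points out.
    """
    if zero_64.prefixlen != 64:
        raise ValueError("expected the zero /64 of the allocation")
    links = []
    # subnets() is a generator, so asking a /64 for /126s is cheap even
    # though it could produce 2**62 of them; stop after `count`.
    for net in zero_64.subnets(new_prefix=126):
        if len(links) == count:
            break
        links.append((net, net[1], net[2]))
    return links


if __name__ == "__main__":
    lan_block = carve(ORG_PREFIX, 52)[0]      # 2001:db8::/52
    zero_64 = carve(lan_block, 64)[0]         # 2001:db8::/64, kept for links
    for vlan in (10, 100, 256, 4094):
        lan = vlan_network(lan_block, vlan)
        print(f"VLAN {vlan:4d} -> {lan}  gateway {gateway(lan)}")
    for net, a, b in link_networks(zero_64, 3):
        print(f"link {net}  {a} <-> {b}")
```

Because VLAN IDs start at 1, the zero /64 of the /52 (2001:db8::/64 here) is never claimed by a VLAN, which is what leaves it free for the /126 link networks without any bookkeeping.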

With that said, most providers are giving out either /64s or /48s right now.  A /48 is often more than you need, but it’s not as if the address space isn’t there.  If you’re going to run BGP for IPv6 (e.g. because you have more than one provider) you’ll want a /48 or larger (/48 and /32 are the most common prefix lengths we see announced through BGP), since many ISPs will refuse to route anything longer than a /48 and in some cases anything longer than a /32.  Check with the providers you plan to get service from first to make sure they will accept your prefix.

If you don’t need a /48 or larger, you should probably just have a single provider assign you a prefix out of their space.

Hurricane Electric offers free IPv6 tunnels with /64 or /48 prefix assignments.  That is a good way to play around with IPv6 before you go out and request a prefix assignment and an ASN of your own.

Many people ask if they can use longer prefixes than a /64 (smaller networks) for LANs.  The answer is no.  You shouldn’t make any network smaller than a /64; the exception is the link networks mentioned above, and even there purists will say no and use /64s as well.  Stateless autoconfiguration depends on it: the interface identifier is 64 bits (RFC 4291), so a host cannot autoconfigure an address on a prefix longer than /64.  That’s the entire point of having a 128-bit address space instead of a 64-bit one.  The intent was to do away with the need for NAT (which costs CPU and breaks end-to-end connectivity).

NAT does not offer real security, and the illusion of security it provides is dangerous: whatever protection a NAT box gives comes from the stateful filtering in front of the translation, not from the address rewriting itself.  A stateful IPv6 firewall with a default-deny policy for inbound connections gives you the same level of security, if not better, provided you have a sensible security policy and network design.

Stateless autoconfiguration (RFC 4862) is your friend; don’t fight it.  It will be some time before things like DHCPv6 snooping work their way into Layer-2 security, but work is already in progress on protection against rogue Router Advertisements (RA): it’s called RA Guard (since specified in RFC 6105).

In practice, I always use ::1 for the gateway address, but there is no requirement for that.  If you need to assign static addresses to hosts you can start at ::2 or leave the first handful of addresses empty for future use.  Stateless autoconfiguration with EUI-64 interface identifiers builds the host part from the MAC address, which inserts FFFE into the middle of the interface identifier and flips the universal/local bit, so low static addresses such as ::2 can never coincide with one.  Hosts using privacy extensions (RFC 4941) pick random interface identifiers instead, so a collision is possible in theory; Duplicate Address Detection (RFC 4862) is what catches it, and keeping static assignments at the low end of the /64 keeps the odds negligible.
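To make the point about FFFE concrete, here is the modified EUI-64 construction (RFC 4291, Appendix A) that a host performs during stateless autoconfiguration, together with the check that a static address does not carry the marker.  This is an added example, not code from the original post; the /64 and the MAC addresses in it are constructed for illustration and the function names are my own.

```python
# Added example (not part of the original post): how SLAAC builds an
# address from a MAC (modified EUI-64, RFC 4291 Appendix A) and why a
# low static address such as ::1 or ::2 can never collide with one.
# The prefix and MAC addresses below are made up for illustration.
import ipaddress


def eui64_interface_id(mac):
    """Turn a 48-bit MAC into the 64-bit modified EUI-64 interface ID.

    Split the MAC into its 24-bit OUI and 24-bit device part, insert
    0xFFFE between them, and flip the 0x02 bit of the first octet (the
    universal/local bit), so a factory-assigned MAC yields an ID with
    that bit set.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02                     # flip the U/L bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """Address a host autoconfigures from a Router Advertisement for this /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix (RFC 4862)")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_derived(addr):
    """True if the interface identifier carries the FFFE marker.

    0xFFFE sits in bits 24..39 of the 64-bit interface ID.  A static
    address like 2001:db8:0:64::2 has zeros there, so it cannot be an
    EUI-64 SLAAC address.  Privacy addresses (RFC 4941) are random and
    carry no marker; an actual clash with one is left to Duplicate
    Address Detection (RFC 4862) to catch.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    lan = "2001:db8:0:64::/64"                                # constructed /64
    for mac in ("00:1c:42:ab:cd:ef", "02:00:00:00:00:01"):    # constructed MACs
        addr = slaac_address(lan, mac)
        print(f"{mac} -> {addr}  eui64={is_eui64_derived(addr)}")
    for static in ("2001:db8:0:64::1", "2001:db8:0:64::2"):
        print(f"{static:24s} eui64={is_eui64_derived(static)}")
```

The second MAC in the demonstration has the locally-administered bit already set, so flipping it clears the bit; that is why an EUI-64 address is not guaranteed to have 2 as its first interface-ID digit, and why the FFFE marker, not the leading digit, is the thing to look for.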

Note that we’re in a transition phase for IPv6 right now.  That means we’re talking about dual-stack network deployments (IPv6 and IPv4 running side by side).  It’s going to be a while before we can get away with running IPv6-only networks.

In essence, dump the IPv4 mindset, don’t use anything smaller than a /64, and assign a /64 for each VLAN and you’ll be fine.