In my AusNOG 2011 presentation, "Residential IPv6 CPE - What Not to Do and Other Observations", a couple of my examples of mistakes in some IPv6 CPE implementations were the incorrect use and understanding of IPv6 private addressing. Since then, I've come across other examples of IPv6 private addressing misunderstandings. In this presentation, I want to help people better understand IPv6 private addressing; when to use it, and if you're using it, how to get it right. Discussion of IPv6 private addressing naturally leads to the discussion of one of the most significant features of IPv6 other than the much larger address space; the formal support of nodes (or rather interfaces) having multiple addresses. In the second part of the presentation I'll talk about multi-addressing, including how it works and why it allows a network to have IPv6 private addressing without also having to use any form of NAT to reach the Internet. I'll also talk about some of its other emergent benefits.

1. AusNOG 2019
Getting
IPv6 Private Addressing
Right
Mark Smith
markzzzsmith@gmail.com
@ipv6tao
@markzzzsmith

2. IPv6 Private Addressing:
First Attempt

3. IPv6 Site-Local Addresses
IANA Allocation: fec0::/10

4. IETF IPv6 WG Circa 2002
What is a “site”?
Merge sites with no NAT or
renumbering?

5. “Site”?
Buildings or Campus?
Buildings and Campus?

6. “Site”?
fec0::/10
fec0::/10 fec0::/10
fec0::/10
Campus

7. “Site”?

8. “Site”?
site
”1. The place where anything is fixed;
situation; local position”
”2. A place fitted or chosen for any certain
permanent use or occupation”
https://en.wiktionary.org/wiki/site

9. “Site”?
fec0::/10fec0::/10
Link == Site?
fec0::/10 prefix/addresses on the link?

10. “Site”
Really too geographical.

11. Site-Locals
Sometimes
unsuitable.

12. Site-Local
Networking Issues

13. fec0::/10
fec0::/10
fec0::/10

14. Distinguish instances?
Node internal
Site
Identifier?
VRFs in all
IPv6 nodes?
COMPLEXITY!

15. Merging Site-Local Sites

16. Overlapping or Duplicated
Address Spaces
fec0::/10 fec0::/10
fec0::/10 fec0::/10

17. Lucky? Unique Subnets?
fec0:0:0:1::/64
fec0:0:0:2::/64
fec0:0:0:3::/64
fec0:0:0:a::/64
fec0:0:0:b::/64
fec0:0:0:c::/64
fec0:0:0:a::/64
fec0:0:0:b::/64
fec0:0:0:c::/64
fec0:0:0:1::/64
fec0:0:0:2::/64
fec0:0:0:3::/64

18. Unlucky. Duplicate Subnets.

19. NAT? NO.
https://www.ausnog.net/sites/default/files/ausnog-2016/presentations/1.2_Mark_Smith_AusNOG2016.pdf

20. Renumber Site Subnets?

21. Fundamental problem
fec0:0:0:1::1/64 fec0:0:0:7::3/64 fec0:0:0:7::3/64
Want
Get
Trying to send 1:1 (unicast) to a non-unique
destination.

22. Uniquifying Addresses
Process - Renumbering
Function - NAT
Adding Context - Site ID
VRF

23. “Prevention is better than cure”
Desiderius Erasmus

24. UNIQUE’em
in the
FIRST PLACE.
ALL CONTEXTS!

25. https://ethernethistory.typepad.com/papers/HostNumbers.pdf

26. “Site” too.

28. IPv6 Private Addressing:
Unique Local Unicast
Addressing

31. ULA-C or ULA-L
Type Purpose L Bit Prefix Status
ULA-C
Central ULA
Prefix
Registry
L=0 fc00::/8 Never took off
ULA-L
Local
Network
Generated
L=1 fd00::/8 All current ULAs
All currently valid ULAs start with fd.

32. 40 bit Global ID

33. 40 bit Global ID

34. 40 bit Global ID
“Their values SHOULD NOT be
generated by a human.” -
Me!
Humans may not [RANDOM].

35. This presentation?

36. 40 bit Global ID
AusNOG 2011

37. 40 bit Global ID
AusNOG 2011

38. 40 bit Global ID
Informal registry

39. 40 bit Global ID
No advice on
correct ULAs!

40. Site-Locals and their
problems reproduced!

41. ULA-L Global ID Algorithm
1. 64 bit NTP current time of day
2. System EUI-64 (IEEE), or system serial number
3. Concatenate those two values
4. SHA-1 to get 160 bit hash
5. Least significant 40 bits of SHA-1 hash will be Global ID
6. Append to 8 bits of 0xfd to produce ULA /48 prefix (i.e. L=1)
Summary:

42. Example
My home ULA:
fd██:████:████:████::/48

43. ULA Generators
RFC 7084,
“Basic Requirements for
IPv6 Customer Edge
Routers”
Android Apps
Online - search “IPv6
ULA generator” iPhone Apps(?)

45. Routing
fc00::/7 and longer prefixes
- by default, don’t send or accept
in EGP
fd██:████:████:████::/48
- network operator override to
allow inter-ULA domain routing

46. Other Operational Things

47. Would GUAs do?
Also known as public IPv6 Internet addresses

48. Not really
GUA ULA
Globally Unique
(Assured or
Likely)
✓ ✓
Designed for
Internet
connectivity/reach
ability
✓ ✗
Assigned by RIR/LIR/ISP Local
administrator
or local CPE
$$$ Per
Month/Annum
$0 forever

49. ULA Use Cases

50. ULA Use Cases
fd██:████:████:████::/48
IPv6-in-IPv6
IPv4-in-IPv6
GRE
L2TP
SRv6
etc.
ULA Addressing

52. Why Both?
Internal communication
independent of
external addressing

53. IPv6 Multi-Addressing

54. IPv4 Private and Internet
Addressing
Serial Addressing
Private Addressing Internet Addressing
NAT

55. IPv6 Private and Internet
Addressing
Internet Addressing
Private Addressing
Parallel Addressing

56. IPv6 Node Address Mix
Internet Addressing
Private
Addressing
Local Network

57. IPv6 Node
Interface Multi-Addressing
Link Local
ULAs
Link Locals
GUAs

58. IANA Allocation: fe80::/10

59. Destination Address?
Source Address?
Very basically:
1. Pick smallest scope
Loopback < Link-Local < ULA, GUA
2. Pick ULA over GUA
3. Pick addresses with the most bits in common

61. Origins?

62. Bad for Security?
Copyright 1994
AT&T and Lumeta
Corporation.

63. Innovative Uses

64. https://
www.cs.columbia.edu/~smb/
papers/tarp.pdf

66. http://linuxelcomienzodelalibertad.blogspot.com/
http://linuxelcomienzodelalibertad.blogspot.com/
http://linuxelcomienzodelalibertad.blogspot.com/
Client isolation
SSID:ABCD_Free 2001:db8:0:1234::/64
2001:db8:0:5678::/64
2001:db8:0:abcd::/64

67. Summary
Site-Local
Addressing
Unique Local
Addressing
IPv6 Multi-
Addressing
IPv6 Addressing
Innovations

68. UNIQUE your ULAs!

69. Questions?
CC image courtesy of Kiwithing
http://www.flickr.com/photos/kiwisaotome/
8261132558/sizes/c/
in/photostream/