IPv6 subnetting a /64 - what will break, and how to work around it?

In IPv6, you are not supposed to subnet to anything smaller than a /64 (RFC 5375). Among other things, SLAAC does not work with smaller subnets, and apparently also some other features will break.

What are the workarounds for situations where ISPs will only give you a single /64 but you need multiple subnets internally? The common advice seems to be to just find another ISP who will hand out a /56 or /48. In some parts of the world, that may work, but in our area (USA), that's not feasible due to a lack of competition. Most of my clients are lucky if they have a single ISP serving their area. Many people here are still on dial-up.

My clients won't qualify for their own /48 from ARIN.


Solution 1:

If the ISP won't give you more than a /64, then that ISP sucks. If it is any relief I can tell you that I have to deal with ISPs that suck even more than that. Around here it is perfectly normal to take public IPv4 addresses away from customers and put them behind a CGN. And if you ask them for IPv6 addresses, they will tell you that they are not offering IPv6 because there is no shortage of IPv4 addresses yet, and as long as there are servers without IPv6 support they won't offer IPv6 because it is impossible for a dual stack client to connect to an IPv4-only server.

If any ISP would give me what you have, I would take it because it sucks less than what I have been able to get so far.

Moving forward there are two approaches I recommend that you pursue in parallel.

Put pressure on the ISP

Put as much pressure on the ISP as you can. That includes contacting other ISPs and possibly switching if any other ISP can offer you a better deal.

Make sure that you do test what happens if your router requests a delegated /48, /52, /56, or /60 through DHCPv6 on the WAN. I would test all four prefix lengths just in case the DHCPv6 server for some reason will only hand out a specific prefix length and ignores requests for other prefix lengths.

Make the best of what you have

Given that you are probably going to have to live with some hacks moving forward, you have to ask yourself which sucks less: IPv4 with hacks or IPv6 with hacks.

There are a few hacks you can use to stretch a single /64 to a lot of hosts.

Turning a link prefix into a routed prefix

If you have a single /64 on the WAN link but no prefix routed to your LAN, you can turn that /64 into a routed prefix with a few steps. Configure the WAN interface on your router as a /126 rather than a /64. Install a neighbor advertisement daemon (such as ndppd) on the router to advertise its own MAC address for every address in the /64 except for the 4 addresses in the /126. With those two steps you will have a routed /64 which you can use on your LAN, with the exception of the 4 addresses used for the WAN link.

A modified version of this hack can share the link /64 across multiple routers. The link prefix will then have to be a bit shorter than /126 to accommodate an IP address for each router; a /120 would be short enough to allow for up to 254 routers.

Each router will obviously only get a prefix which will be longer than /64. I recommend you make the prefix for each router as long as you can while still having enough IP addresses for the LAN on that router. A /112 or /120 for each router would likely be suitable. Each router responds with its own MAC address for neighbor discovery of anything within that router's prefix.

In this variant each router will have identical prefixes configured on their WAN side and will be responding to neighbor discovery requests for the prefix assigned to their LAN side. Obviously none of the LAN prefixes may overlap each other and none of them may overlap the prefix you configured on the WAN side.

So if the ISP router acting as your gateway is on address 2001:db8::1/64, then you can use 2001:db8::/120 as your WAN and you can assign 2001:db8::1:0/112 to the first router, 2001:db8::2:0/112 to the second router, etc.

On the LAN you can stretch a /64 to a lot of hosts either by subnetting or by bridging. You'll have to work out which of the two works best for you.

Subnetting

If you do subnet the /64 you may as well go to the longest prefixes which still have enough addresses for the hosts you need. Don't subnet into /80 prefixes, rather go with /116, /120, or /124 per subnet. Things that do break if you don't use /64 are unlikely to care and by going with /116 or longer you will reduce the impact of certain neighbor discovery DoS attacks (if present in any of your systems).

In such a subnetting configuration you will break SLAAC, so you need a DHCPv6 server to respond on each segment and static IPv6 addresses configured on all devices without DHCPv6 support.

Bridging

Bridging is the other alternative. It essentially means you don't subnet but run your entire LAN as a single IPv6 segment with a /64 prefix. (Should you need to, that /64 can span both LAN and WAN.)

IPv6 is designed to allow bridges to recognize which of the bridged networks each anycast address needs to be forwarded to. That way you avoid having to broadcast packets across every physical link on your LAN.

Bridges can also apply firewalls and protection against neighbor discovery spoofing on the LAN.

With sufficient intelligence on the bridges there is in principle no limit to how many switches you can bridge a single /64 across.
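
An added worked example for the two hacks described in this answer (turning the link /64 into a routed prefix shared by several routers, then subnetting each router's prefix into /116-or-longer segments). This is illustrative Python written for this page, not code from the answer, from ndppd or from any vendor; it assumes the answer's sample addressing (ISP gateway 2001:db8::1 on a /64) and uses only the standard library. The ndppd stanza it renders follows the proxy/rule grammar in ndppd's man page and should be checked against the installed version.

```python
# Added example for this page: plan the routed-prefix hack and the per-segment
# subnetting, and check the invariants the answer states (gateway inside the WAN
# prefix, no LAN prefix overlapping the WAN prefix or another LAN prefix).
# Addresses are the answer's documentation-prefix placeholders, not real ones.
import ipaddress
from typing import Dict, List, Optional

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


def plan_routed_prefixes(link: str, gateway: str, n_routers: int,
                         wan_len: int = 120, router_len: int = 112) -> Dict:
    """Split the ISP's link /64 into one shared WAN prefix plus one routed prefix
    per router. Raises ValueError instead of producing an unsafe plan."""
    link_net = IPv6Net(link)            # e.g. 2001:db8::/64; strict, host bits must be 0
    gw = IPv6Addr(gateway)
    if gw not in link_net:
        raise ValueError(f"gateway {gw} is not inside link prefix {link_net}")
    # Shared WAN prefix: the lowest /wan_len of the link, which is where ::1 lives.
    wan = next(link_net.subnets(new_prefix=wan_len))
    if gw not in wan:
        raise ValueError(f"gateway {gw} falls outside WAN prefix {wan}")
    # Router addresses on the WAN: everything in the WAN prefix except ::0 (the
    # subnet-router anycast address) and the ISP gateway, so a /120 fits 254 routers.
    wan_addrs = [wan.network_address + k for k in range(1, wan.num_addresses)
                 if wan.network_address + k != gw]
    if n_routers > len(wan_addrs):
        raise ValueError(f"WAN prefix {wan} only has room for {len(wan_addrs)} routers")
    # Routed prefixes: walk the /router_len blocks of the /64 and skip the block
    # containing the WAN prefix, so nothing on a LAN side overlaps the WAN side.
    routed: List[IPv6Net] = []
    for cand in link_net.subnets(new_prefix=router_len):
        if cand.overlaps(wan):
            continue
        routed.append(cand)
        if len(routed) == n_routers:
            break
    for i, a in enumerate(routed):      # cannot happen by construction; kept as a guard
        if any(a.overlaps(b) for b in routed[i + 1:]):
            raise ValueError(f"routed prefix {a} overlaps another routed prefix")
    return {"wan": wan,
            "routers": [{"name": f"r{i + 1}", "wan_addr": wan_addrs[i], "lan": routed[i]}
                        for i in range(n_routers)]}


def nd_responder(plan: Dict, target: str) -> Optional[str]:
    """Who must answer the ISP's Neighbor Solicitation for `target`? This is the
    rule each router's proxy-ND daemon implements: answer with its own MAC for
    its routed prefix, stay silent for the shared WAN prefix (the real on-link
    host answers) and for addresses that nobody owns."""
    t = IPv6Addr(target)
    if t in plan["wan"]:
        return "on-link"
    for r in plan["routers"]:
        if t in r["lan"]:
            return r["name"]
    return None


def segment_plan(routed: IPv6Net, hosts_per_segment: List[int],
                 min_len: int = 116) -> List[IPv6Net]:
    """Carve one router's routed prefix into consecutive, non-overlapping segment
    prefixes. Each segment gets the longest prefix that still holds its hosts plus
    the ::0 subnet-router anycast address, and nothing shorter than /min_len is
    handed out (the answer's advice: /116, /120 or /124, not /80). SLAAC does not
    work in these segments, so each needs DHCPv6 or static addressing."""
    segments: List[IPv6Net] = []
    cursor = int(routed.network_address)
    for hosts in hosts_per_segment:
        bits = hosts.bit_length()               # smallest b with 2**b >= hosts + 1
        length = 128 - bits
        if length < min_len:
            raise ValueError(f"{hosts} hosts would need a /{length}; split the segment")
        block = 1 << bits
        start = -(-cursor // block) * block     # align up to the prefix boundary
        seg = IPv6Net((start, length))
        if not seg.subnet_of(routed):
            raise ValueError(f"routed prefix {routed} is out of space")
        segments.append(seg)
        cursor = start + block
    return segments


def ndppd_conf(router: Dict, wan_if: str = "eth0") -> str:
    """Render the ndppd stanza for one router: proxy Neighbor Discovery on the WAN
    interface for exactly this router's routed prefix ('static' answers every
    solicitation in the prefix without probing the LAN first)."""
    return (f"proxy {wan_if} {{\n    router yes\n"
            f"    rule {router['lan']} {{\n        static\n    }}\n}}\n")


if __name__ == "__main__":
    plan = plan_routed_prefixes("2001:db8::/64", "2001:db8::1", n_routers=2)
    for r in plan["routers"]:
        print(r["name"], "WAN", r["wan_addr"], "routed", r["lan"])
        for seg in segment_plan(r["lan"], [200, 30, 5]):
            print("   segment", seg, "usable hosts:", seg.num_addresses - 1)
    print(ndppd_conf(plan["routers"][0]))
```

With the answer's numbers the plan comes out as 2001:db8::/120 on the WAN, router r1 at 2001:db8::2 owning 2001:db8::1:0/112, r2 at 2001:db8::3 owning 2001:db8::2:0/112, and a solicitation for 2001:db8::9:1 is answered by nobody, which is exactly the behaviour you want for unallocated space.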

Solution 2:

Yes, pressuring your ISP to not suck is the preferred option. RIR allocation policies assume that the ISP is giving each customer a /48; there is absolutely zero reason for the ISP to not do that.

IPv6 is not a fan of smaller subnets; however, the only thing that is supposed to break, that I'm aware of, is SLAAC. You'll have problems with bugs and assumptions in some IPv6 stacks, which just blindly assume "/64 == subnet", but that's a bug, not a feature, and you can beat up on the vendor to fix it. Whether it gets fixed before your ISP gives you a /48, on the other hand...