[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 broadband provisioning

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: IPv6 broadband provisioning
From: David Miles <davidm@thetiger.com>
Date: Sat, 29 Dec 2007 11:46:15 +1100
Cc: IPv6 Operations <v6ops@ops.ietf.org>
In-reply-to: <9D1DAA67-98BE-4C65-9269-8B25EFB897CA@muada.com>
References: <9D1DAA67-98BE-4C65-9269-8B25EFB897CA@muada.com>

Iljitsch,

I would strongly suggest alignment with the two existing DSL ForumTR-101 models ( the N:1 and 1:1 VLAN approach) and CableLabs DOCSIS.Let's reuse the same logical architectures so we don't have providerschanging their aggregation network logical constructs to support IPv6.In the 1:1 VLAN model, each subscriber is uniquely identified by S/C-VLAN tags to the BNG. It is the N:1 VLAN model that needs an method toinsert some "access node specific" information into the DHCPv6 exchange.

I'm not sure we need to use global-unicast addresses on the WAN CPEinterface so I'd hazard to say that RA with PIO is not needed. Just dostateless autoconfig for link-local, then move to DHCPv6 for prefixdelegation (ie, M-bit=0, O-bit=1 in the RA). This may causeinteresting CPE implementation-specific issues when sourcing ICMPv6packets out the WAN interface, but the flexibility is there to use the"best" address for the SRC IP. From a customer's perspective, is aglobal-unicast WAN address useful? From an ISP and vendor perspectiveit may add additional complexities. What do you think about such anapproach? This would remove the need to add anything to RA between theISP router and the CPE.

If we assume the reasons we established a L2 DHCPv6 relay agent arestill valid in an IPv6-world, I'd suggest DHCPv6 Layer 2 Relay agentsfor the requirement you describe. What you have described is the veryreason that the DSL Forum implemented L2 DHCP(v4) Relay Agents inTR-101. I'd propose extending something similar to DHCPv6 that would:- Allow a access node (such as a DSLAM) to intercept DHCPv6 messages,and- Insert DHCPv6 Interface-ID and Remote-ID to uniquely identify theIPv6 subscriber

- Encapsulate these messages into a DHCPv6 Relay-Forward structure

- Forward towards the all_dhcp_relay_agents_and_servers address - witha Source IPv6 address of the requesting client inserted into the Relay-Forward

This last part removes the need for the DSLAM to implement a completeIPv6 stack that would require configuration and participation in ND,etc. I would like to explore this part with others as part ofdiscussions within the DHC WG on this issue.

In the n:1 IPoE world we need to consider the layer 2 Ethernet networkas much as IPv6, so some mechanisms you describe for DoS preventionneed to be extended to MAC addresses. To this extent we would usuallyadmit a single learnt MAC per DSL line (does this also imply a singlelink-local?? I guess EUI-64 may not be MAC derived?)

The nasty subject of ND and DAD comes up in the N:1 VLAN approachbecause a "split-horizon" forwarding model is in place. RFC 2460defines a "link" as a medium over which nodes can communicate at alink-layer. The problem with the N:1 VLAN model is that nodes cannotcommunicate with one-another via the link-layer, only with the L3router (BNG). This fundamental problem manifests itself during DAD -consider this:- When a node sends a DAD (for link-local addressing) it uses anunspecified source and the destination is set to the solicited-node MCaddress of the target- Because the network is running split-horizon, only the ISP router(s)will receive these DADs.- The routers cannot relay these messages back into the N:1 VLAN,because the node sending the DAD (still with a tentative address) willimmediately stop address auto-configuration if it receives a DAD withthe target-address equal to its tentative address.- If the router sends a Neighbour Solicitation message and does happento receive a response what should it do? Should it send a NeighbourAdvertisement (which would cause the node with a tentative addressstate to stop?)



Regards,

-David


On 28/12/2007, at 11:58 PM, Iljitsch van Beijnum wrote:

Hi,
(I posted largely the same message to the internet area listyesterday because we had extensive discussions there about DSL Forumstuff.)
One of the things that we haven't quite figured out about IPv6 ishow broadband deployment would work. I think it would be good if wecan agree that customer routers can request an IPv6 prefix usingDHCPv6 prefix delegation. Since there is really no other way to dothis, I don't expect that to be too controversial.
The problem is how ISPs get to enforce restrictions on how packetsflow from devices connected to the DSL or cable modem (or link, auser could buy their own modem which isn't controlled by the ISP).If there is a dedicated physical or virtual interface per customer,this is all simple enough. But I understand this isn't necessarilythe case, and moving in that direction could be costly. So here'sanother approach. Please let me know what you think.
The first device under the control of the ISP, or at least a devicevery low in the aggregation hierarchy, to intercepts routeradvertisements from the ISP's IPv6 router and slightly modifiesthem: it basically injects some bits that are particular to thecustomer/line, so that every customer sees RAs with a prefix uniqueto them.
For instance, if an IPv6 router sits on top of two layers of layer 2aggregation devices, the IPv6 router sends out router advertisementswith prefix 2001:db8:31::/64. The lowest layer of aggregationdevices then insert a 16-bit customer or line ID in bits 48 - 63 sothat customer 9 sees 2001:db8:31:9::/64 and customer 102001:db8:31:a::/64 and so on. (The router advertisements can also begenerated by the layer 2 device itself, but there probably needs tobe some centrally configured info in there, too.)
Customers without an IPv6 router do normal IPv6 stateless autoconfigso the lower 64 bits of the addresses are random, but the ISP onlysees packets with the customer ID number somewhere in the higherbits so they know which packets come from which customer. The layer2 infrastructure can safely impose the restriction that all customertraffic goes to the IPv6 router and not to other customers, becausecustomers don't know their neighbor's prefix is on-link so they'llsend those packets to the router anyway. And the router doesn't needan address in all those prefixes, the users only need to know itslink local address. (Of course add ingress filtering as required.)The router is simply told that all of 2001:db8:31::/48 is on-link soit will do ND for all customer machines, but it doesn't sendredirects.
(I would probably implement a per-customer ND cache LRU algorithm toprevent one user from DoSing a whole town by generating largeamounts of addresses that the router must do neighbor discovery for.There is no reason why a user wouldn't be able to connect a largenumber of machines using a switch but this may not be altogetherdesirable from the ISP's perspective.)

Follow-Ups:
- Re: IPv6 broadband provisioning
  - From: Mikael Abrahamsson <swmike@swm.pp.se>
- Re: IPv6 broadband provisioning
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- IPv6 broadband provisioning
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: IPv6 broadband provisioning
Next by Date: Re: Merge NAT-PT approaches?
Previous by thread: Re: IPv6 broadband provisioning
Next by thread: Re: IPv6 broadband provisioning
Index(es):
- Date
- Thread