
Re: IPv6 broadband provisioning



On Wed, 2 Jan 2008 18:21:07 +0100 (CET)
Mikael Abrahamsson <swmike@swm.pp.se> wrote:

> On Sat, 29 Dec 2007, David Miles wrote:
> 
> > I'm not sure we need to use global-unicast addresses on the WAN CPE interface
> 
> I would strongly suggest that customer is not allowed to source packets 
> outside of his/her assigned IP space. So if link-local can be used for all 
> packets (when customer has a router), we get a very nice demarcation and 
> can do filtering where we know that our infrastructure is in a certain 
> IPv6 range and customers are in another, and we know none of our equipment 
> is in customer space and vice versa.
> 
> So if possible, assign and route the /56 or /48 to the customer router and 
> this router then needs to make sure it uses its internal IP to source 
> packets destined for global Internet.
>

Maybe I'm missing something really obvious, but how are operators and
their helpdesks going to be able to troubleshoot customer connectivity
problems via offlink ping or traceroute if the link between the
customer and the upstream infrastructure only has link locals? PMTUD
won't work either in certain scenarios due to RPF filtering or
non-forwarding of LL sourced traffic. I wouldn't be all that
comfortable having front line techsupport staff logging into customer
facing aggregation routers for basic troubleshooting, even if it was
into a non-privileged account.

It's also common for CPE to run caching DNS servers and NTP
peers these days, which the downstream devices can use, so they'd break
too.

I understand the motive for the suggestion, however I don't really see
how it couldn't be more trouble than it's worth. A ULA prefix on that
upstream link would address some of the issues, but not all of them.
I think to provide global Internet access you really need to ensure a
fully globally addressed path to and from the Internet.

Regards,
Mark.
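
The trade-off discussed in this message, modelled as an added example that is not part of the original post: it traces packets sourced from the CPE's WAN interface (for instance ICMPv6 errors used by PMTUD) through an ISP-edge source filter and an Internet border. The addresses, the `fate` and `compare` names, and the ULA filter at the border are assumptions made for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample addressing (documentation and ULA space), not from the thread.
DELEGATED = "2001:db8:100::/56"  # prefix routed to the customer router
WAN_OPTIONS = {                  # name -> (CPE WAN address, WAN link prefix)
    "link-local only": ("fe80::2", None),
    "ULA on WAN": ("fd00:0:0:1::2", "fd00:0:0:1::/64"),
    "global on WAN": ("2001:db8:0:1::2", "2001:db8:0:1::/64"),
}

def fate(src, to_internet, permitted):
    """Return 'delivered' or the point where a CPE-sourced packet is dropped.

    permitted: source prefixes the ISP edge accepts on this customer port
    (the delegated prefix, plus the WAN link prefix if one is assigned).
    """
    addr = ipaddress.ip_address(src)
    # Routers do not forward link-local sourced packets off-link (RFC 4291).
    if addr in LINK_LOCAL:
        return "dropped at ISP edge: link-local source is not forwarded"
    # Source filter / strict RPF on the customer-facing port.
    if not any(addr in ipaddress.ip_network(p) for p in permitted):
        return "dropped at ISP edge: source outside assigned space"
    # Assumption: the operator filters ULA sources at its Internet border.
    if to_internet and addr in ULA:
        return "dropped at Internet border: ULA source"
    return "delivered"

def compare():
    """Fate of WAN-interface-sourced packets toward (helpdesk, Internet host)."""
    out = {}
    for name, (wan_addr, wan_prefix) in WAN_OPTIONS.items():
        permitted = [DELEGATED] + ([wan_prefix] if wan_prefix else [])
        out[name] = (fate(wan_addr, False, permitted),
                     fate(wan_addr, True, permitted))
    return out

if __name__ == "__main__":
    for name, (helpdesk, internet) in compare().items():
        print(f"{name:16} helpdesk: {helpdesk}")
        print(f"{'':16} internet: {internet}")
```

In this model only the globally addressed WAN link passes both checks; the ULA case reaches the operator's own network but not Internet hosts.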