
Re: New (-02) version of IPv6 CPE Router draft is available for review



I might add a view on this too:

- Having a global prefix on the WAN interface means a customer is represented by exactly two different IPv6 prefixes (in addition to their /32 in IPv4) from disparate address space. I am mindful ISP routers must perform accounting, rate-limiting/QoS, anti-spoofing and ACL on all these addresses. An extra prefix per subscriber is going to consume additional resources at a time we are already trying to support two prefixes (an IPv4 and IPv6 prefix).

- Increased complexity in the ISP router for IP sessions. For example, a DHCPv6-PD uses a rebind message to reconfirm the prefix (state machine 1) whereas an IA_NA of the WAN interface uses a Confirm message (state machine 2). Two different messages, two different state machines, and more places things could go wrong.

- It requires the DR/BNG/CMTS to advertise the WAN shared prefix in its RA for on-link determination. As RAs go to all subscribers (in a common VLAN) you have a P2P consideration where subscribers will initiate ND (on multipoint interfaces) for one another on their WAN interface. The router must now perform ND proxy for the shared prefix.

- An advantage of the unnumbered model is that we may not need to configure the ISP router with any link information in advance. With a numbered model one would normally have to create an IP interface on the ISP router and configure RA PIO for the WAN prefix.

The disadvantages I see are:
- Operational troubleshooting. If the WAN interface did respond to ICMP echo requests you can test the subscriber state from any Internet host.
- Traceroutes. If the WAN interface was link-local, a traceroute would indicate the loopback or LAN interface on the CPE as opposed to the WAN interface.
- If a loopback interface is used, one may need to devote an entire /64 to it - the alternative is to use an always-up LAN interface (i.e. bridge0 interface).

-David

On 19/07/2008, at 7:34 AM, Mikael Abrahamsson wrote:

On Fri, 18 Jul 2008, Alain Durand wrote:

Thank you for the clarification, I now understand better your goal, but what is the rationale for doing that?

I stated this in the beginning of the discussion, but here goes again:

I want to protect ISP equipment from outside/Internet DDOS attacks. I foresee proliferation of basement/FTTC L3 switches (ASIC forwarding, small TCAM, small CPU) with ethernet/vdsl2 PHYs, and I want to be able to rate-limit traffic coming in from the internet to these devices (also my core).

Therefore ISP equipment needs to be in separate IP space from customer equipment IP space. This also applies to SOHO market.

--
Mikael Abrahamsson    email: swmike@swm.pp.se
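As an added illustration of two points raised in the thread (not code from the draft or from either author), the model below shows what a numbered WAN prefix costs an ISP router's per-subscriber anti-spoofing table, and how keeping infrastructure in separate address space reduces Mikael's edge protection to a single destination match. All prefixes are constructed documentation addresses; the subscriber table and helper names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed data: one subscriber with an IPv4 /32, a DHCPv6-PD /48 and,
# in the numbered model, an address on the shared WAN /64 of the access VLAN.
WAN_SHARED = ip_network("2001:db8:ffff::/64")          # numbered model only
ISP_INFRA = [ip_network("2001:db8:0:1::/64"),          # constructed infra space
             ip_network("192.0.2.0/24")]
SUBSCRIBERS = {
    "sub-a": {"v4": ip_network("198.51.100.10/32"),
              "pd": ip_network("2001:db8:a::/48"),
              "wan": ip_address("2001:db8:ffff::a")},
}

def sav_prefixes(sub, numbered):
    """Prefixes the ISP router must install in one subscriber's anti-spoofing ACL."""
    prefixes = [sub["v4"], sub["pd"]]
    if numbered:
        # Numbered WAN: the subscriber's /128 on the shared prefix must also pass,
        # a third entry per subscriber (the extra state David mentions).
        prefixes.append(ip_network(f"{sub['wan']}/128"))
    return prefixes

def acl_entry_count(numbered):
    """Total anti-spoofing entries across all subscribers for a given model."""
    return sum(len(sav_prefixes(s, numbered)) for s in SUBSCRIBERS.values())

def source_allowed(subscriber_id, src, numbered=True):
    """Anti-spoofing check for traffic to be forwarded from a subscriber port.
    Link-local sources are link-scoped (ND/RA only) and are never forwarded,
    so the unnumbered model adds nothing to the table."""
    addr = ip_address(src)
    if addr.version == 6 and addr.is_link_local:
        return False
    return any(addr in p for p in sav_prefixes(SUBSCRIBERS[subscriber_id], numbered))

def edge_action(dst):
    """Internet-facing ingress: because ISP equipment lives in its own
    address space, one destination match decides what gets rate-limited."""
    d = ip_address(dst)
    return "rate-limit" if any(d in n for n in ISP_INFRA) else "forward"
```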