Why dynamic IPv6 subnet allocations for home users are evil

23 June 2009

Currently, a home Internet user will be assigned one IP address from their ISP, and their router will then use NAT to share the single IP address amongst all the internal devices which are typically assigned private (RFC 1918) addresses.

The IP address assigned by your ISP is typically dynamic, and that is not a problem for the average home user, or even your typical power user, because the router’s use of NAT shields the internal devices from the mechanics of a changing external IP address.

These assumptions are broken in IPv6, where being able to connect to the Internet, whether you are a router or a device on an internal network, means you need a global IPv6 address. These global IPv6 addresses are assigned by your ISP.

If an ISP were to assign an IPv6 prefix dynamically, that means the addresses of internal devices are prone to change. A router reconfiguration, brief dropout, or even the passage of time could mean suddenly all internal devices need to have their addresses changed.

So far this doesn’t sound like a problem. But often devices that perform a server role, such as web servers, mail servers, printers, refrigerators, air conditioners, etc. (the list is endless) have persistent, long-lived, and bi-directional connections to/from other hosts on the Internet, and therefore need a static and predictable address.

This will become horribly broken and frustrating if ISPs choose to assign IPv6 prefixes to customers on a dynamic basis. I urge ISPs to assign static IPv6 prefixes to all their customers.

I am aware of the existence of unique local addresses (ULAs), which are designed to be used on a local network. In practice, this is problematic because ULAs will cause source address confusion should your global address be unavailable at the moment you try to make a connection, and they also don’t work for a server that is supposed to be globally accessible.

Deprecating IPv6 prefixes through Router Advertisement is possible, but in practice buggy, not to mention causing active connections to simply hang (and I’m not just talking about the side of the connection that just got deprecated!).

Seriously, we live in an age where people will be starting to connect their refrigerators, air conditioners, and electricity meters to the Internet. Dynamic prefixes just won’t cut it in the next wave of Internet-connected devices.

So, dear ISPs of the world, please make static IPv6 subnets a part of your standard offering — not a “paid upgrade” or anything silly like that. It might kinda-sorta work in the NAT’ed world of IPv4, but you are doing IPv6 customers a disservice.

Update Sep 2014: I’ve rewritten a lot of outdated and poorly written crap in this post.

31 replies

  • Glen Turner says:

    I don’t get it. Why would your machines have static addresses in the first place?

    Imagine the ISP allocates a /64, dynamically or otherwise. Your router then *bridges* that. Your machine autoconfs. Any second or third machine you want to run also autoconfs — at no additional expense to the ISP, since they are running stateless DHCP.

    In short, NAT routers appeared because ADSL bridges could only support one IPv4 client. But ADSL bridges can support an infinite number of IPv6 autoconf clients. So there’s no need to route IPv6 at all, let alone NAT it.

    • madsara says:

      “In short, NAT routers appeared because ADSL bridges could only support one IPv4 client”. This is fully untrue.

      First of all, by definition a bridge is not a layer 3 device, it’s layer 2. It doesn’t care about the upper layers, it just forwards layer 2. The ADSL bridge has absolutely nothing to do with IP.

      So you may mean to say “ADSL router”.

      Most xDSL providers tend to use PPPoE. One can bring up multiple PPPoE sessions over a single ADSL bridge. Each of those sessions can have their own IP assignment (assigned by the NCP/IPCP phase), whether it be a /32 or whatever netmask.

      Want to assign a /24 to a PPPoE session? That can be easily done.

      If PPPoE isn’t used, the connection is Ethernet (generally over ATM) and yes, it can support whatever assignments you want.

      I’ve never encountered a xDSL router that could not route a netblock > /32. Generally, it’s the end-user not knowing how to properly configure such a device.

      NAT came about as a (ugly) way to minimize IP exhaustion.

    • Aqua Regia says:

      Static IP addresses have their uses in the home. I use a one wire bus for meteorological data that connects to a protocol translator which I can address. Without a fixed IP address I would have great difficulty writing (and securing) software that controls and reads this sensor network for calculations and display.

      This also controls a number of devices around my home like a pellet stove, lights and wood stove. Dynamic addressing of these controls would cause endless grief. Especially since I add automation as quickly as I have the time.

  • Bob Muckley says:

    The bigger problem is management of static assignments. Yes yes, it should be simple but with millions of customers managing N million subnets statically assigned to customers becomes hard. Also one /64 is not good enough, the current ISP thinking is leaning towards a /56 to a home, which I think is way overkill. Remember a /64 is only 1 subnet which sucks as most homes are multiple subnets these days. Think of a wireless LAN behind a Home router. Or guest wireless LAN, or multiple layers of internal LANs with firewalls. The problem is that even if this is assigned via DHCP-PD, nobody has created a DHCP-PD Client/Server to re-delegate the /64 to downstream subnets. The other issue is aggregation of addressing and routing which then requires a much larger subnet to be allocated to each aggregation router, which means address space starts getting eaten up real quick. Also if you need to move a customer to a different aggregation router because of capacity, you can’t guarantee keeping a static address for a customer. Address Management is not simple on the ISP side. And keep in mind that without NAT a Firewall will be required which allows out by default, in blocked. Anything but will probably void any support from the providers as w/o a firewall all internal devices are at risk and if you have security issues or become a bot you will be terminated. This all starts to blow the IPv6 dream of open to everything. The other thing to keep in mind is that all these NAT’d subnets in the network now in a full IPv6 world have to be publicly addressed and IPv6 only has 2 power of 2 more subnets. Trust me it is going to run out and there are already people starting to try to figure out what to do next.

    • Jeremy says:

      With regards to /56’s, yeah, it is a bit overkill. Internode currently offer /60’s to native trial participants, which gives me 16 /64’s to work with. (I’ve only used two so far.)

      And DHCPv6-PD kinda sucks. I tell you what, it’s painful to keep running all the time, and yeah, re-delegation isn’t possible with any current implementations that I know of.

      Thank goodness the only thing Internode use DHCPv6-PD for is updating their routing tables so they route your static subnet to you. Otherwise I’d commit suicide.

    • Bob Muckley says:

      Jeremy,

      I would be very interested in the issues you experience with DHCPv6-PD. Is it problems with vendor implementation, RFC design, or re-delegation as I stated? I am going to try to push the re-delegation capability through the standards.

      The other issue I didn’t mention is getting customers to properly configure or pre-configuring static addresses to everyone’s cable modem or Home Router is a nightmare and not realistic. So…… a dynamic assignment to customers is really the only supportable model. Static addressing will of course also be available.

      I am currently trying to design the IPv6 strategy for our company and trying to weigh the balance of all these issues. I also prefer a /60 or a /59 at most. 16-32 subnets per subscriber is more than enough for a home and it still doesn’t eliminate the ability to offer more for specialized situations, but honestly if someone wants more they would more than likely also want a static assignment.

      Any other issues with IPv6 service would be of interest to me, as I would try to account for most of them to make our customers as happy as they can be; and in turn our support staff happier.

  • Brad Landis says:

    What is stopping an end user from subnetting a /64 to a /68? They have **twice as many** IPs as the internet has in existence right now, so there’s no reason to stop it.

    • Jeremy says:

      Unfortunately SLAAC doesn’t work with anything but a /64.

    • Brad Landis says:

      Wow, that’s just dumb. I don’t see how any house is going to use 16 quintillion addresses. Even if there were $0.99 addressable devices, Bill Gates couldn’t even buy enough devices to fill up the network. I wonder what they were thinking.

  • AC says:

    I like my dynamic IPv4. I don’t want my IP address to be a second phone number, that once in the wild could be used to attack me by anyone.

    • Jeremy says:

      Not sure what I can say to bring you comfort. You are identifiable by so many different methods other than your IP address, I would suggest bathing in petrol each night in addition to completely cutting off your Internet connection.

  • Lotu says:

    Bob makes a very good point about address management at the ISP level. So static prefixes aren’t really an option. Besides you want to have any device be reachable no matter where it moves in the network. For example if I want to reach my laptop I shouldn’t have to know if it is using wireless or plugged into the Ethernet at this moment. Or if I add a gigabit Ethernet card to a computer I don’t want to have to find out what new address the DHCP server gave it. That’s why you have a DNS. The real solution to your problem is to have a DynamicDNS server in all routers. This way you can refer to your computer as “black” instead of “2000:34f3:3984:3afd::1”.

  • Gavin says:

    NAT came about because static IPs were expensive for the less fortunate, and most routers incorporated a firewall. I don’t like the idea at all of one public address on every single device either.

  • Rui Monteiro says:

    I believe that locally, machines communicate only with the Link-local IPv6 Address, that isn’t routable to the exterior!

    So, it doesn’t matter if the first 48 or 56 bits given by your ISP are dynamic or not, internally, in your LAN, only the last 64 bits count for local communications (fe80::/64). You refer to RFC 3879, but that is for the fec0::/10 range, not fe80::/64! See wikipedia:

    https://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses

    From what I know, the ISP doesn’t define the subnet, the last 16 or 8 bits from the first 64 ones are not defined by the ISP, so the subnet is defined by you and it is static because of that!

    In any case, I think that it is much more advantageous to the ISP to maintain static addresses, because there are no reasons to switch addresses dynamically in the name of nothing, not to mention the fact that your actions on the Internet become easily identifiable and traceable by your ISP for legal issues!

    • Jeremy says:

      Link-local addresses are, in fact, rarely used for anything other than internally for sending ICMPv6 messages and the like. In theory they could be used for more, but in practice they’re not. You can’t point AAAA records to link-local addresses, so that breaks most things even before we get started.

      The ISP still defines the first 56 or so bits of your address, so being able to address the next 8 or so bits doesn’t improve the situation. If just one bit changes, your configuration is broken.

      For the record, since I wrote this post, I am now working at an ISP, and in the process of deploying IPv6. I have done a trial deployment with dynamic /56 delegation, and have experienced first-hand just how painful it is.

      So the next phase of the trial is using static /56 delegations. It’s a lot harder to implement on the ISP end but the CPE is behaving a lot better. I’m glad I’m testing before deploying!

  • Spencer says:

    It is unhelpful that the original poster, whose blog this is, Jeremy, keeps using the word “subnet”, which is confusing, since it means something a bit different in IPv6 than in IPv4.

    None of this can be news to you, but to clarify terminology, the first 64 bits of an IPv6 address are the “routing prefix”. Some of the documents talk about /48 as the network address, leaving 16 bits for the subnet, but this is kind of like class A, B and C under IPv4, i.e., useless in light of later developments. In classless IPv4, a subnet is whenever you allocate more bits for routing inside a larger (sub)net. Here it just means hierarchical routing.

    Giving out prefixes longer than /64 breaks a lot of stuff. I have a /96 prefix at a colo, and auto-configuration doesn’t work there. I quite agree that we should discourage that. 64 is a lot of bits; it should be adequate for routing. Within your network, you don’t want your ISP dictating your 64 bits of the address; you should be able to use locally administered, universal or temporary random addresses according to your needs.

    Mobile machines, e.g., laptops and phones, have to deal with new prefixes whenever they move (to preserve TCP connections, they would require some form of redirection, a problem phones have dealt with already). This assumes that I could get IPv6 at Starbucks (maybe coming soon with Google taking over that concession from AT&T), but also if I took my laptop to a friend’s house who has IPv6 working wirelessly. If there is an IPv6 address for your refrigerator, it’s going to have to auto-configure, because the refrigerator installers are not going to cope with also having to be sysadmins.

    I agree that if you want to run servers at your home or place of business, you’d like to have a static routing prefix, but I see no reason that the routing prefix couldn’t be allocated dynamically to “residential” customers. They are already served pretty well by zero-configuration DNS. Laptops can see each other on the network without administrative overhead.

    It has been asserted by some that static prefix allocation is an administrative headache. I can testify that auto-configuration works well, though I can’t say that would be true for all brands of equipment and operating systems.

    We do want to have customer control over at least some bits of the prefix. It would be spiffy to have a dynamic prefix be less than 64 bits long, so you could have separate name spaces and access for your Guest network (programmed into your CPE) and the indoor network with your appliances and personal computers. I’m sure you can think of other uses, too.

    Even so, I think /60 is overkill, and /56 is bouncing the rubble; /62 should be fine, plus or minus 1. Certainly /56 would be wasted on most of us. The best argument for /56 is to limit the size of the ISP’s routing tables and has little to do with what the customer wants.

    I have read that FiOS will give out static /56 addresses to their business customers, who have a clear need for static prefixes, since they publish their address using DNS. Currently I run my business with IPv4 /27 (a block of 32 addresses, of which I can use 29), and I’d be happy to get static /60 or even /64 when they FINALLY will sell me native IPv6. In 2025, at this rate.

    I’m using Hurricane Electric’s tunnel broker service for now, and have a static /64 prefix, which I need because of running DNS, but it imposes an additional round-trip delay of up to 20 ms, since I am near Boston and the (IPv4) RTT just to the tunnel server in NYC is 10ms. Native IPv6 would eliminate that. Also, HE will have to stop offering this for free at some point.

    Dynamic addresses don’t have to randomly break the world. DHCP from our local cable ISP (which friends of mine use: Comcast) changes your IPv4 address rarely to never, with months between, if there is no interruption of service. As long as your modem is powered on, it keeps renewing its dynamic address.

    One time, Comcast actually sent out paper mail notices announcing in advance that they were renumbering the whole neighborhood, consolidating the address spaces of neighboring towns. It was a service interruption affecting all customers, though brief.

    Persistence of continuously used addresses should apply here to dynamic prefixes; it ameliorates most of the problems. Dynamic means you have the right to renumber, it doesn’t mean you need to do it gratuitously.

    So absent a power failure (which breaks everything anyway; without fiber to the premises or wide-area wireless, a UPS provides only a tiny island of light), it was extremely infrequent to suffer broken connections and windows of unavailability while waiting for dynamic DNS to update and caches to empty.

    For most people not running servers, dynamic DNS has been sufficient, if they need anything at all. (There are non-DNS solutions to finding your machine when it and you are in different locations.) Temporary random “private” addresses can be just as bad if they break existing connections; the operating system should detect persistent connections and preserve them. Some don’t.

    I’d be OK with a small extra charge for a genuinely static prefix. On the other hand, if the hassle *to the ISP* of dynamic prefixes is actually worse than static, I’m OK with “free” static addresses. I’d be paying extra for business service anyway.

    Everything is two-edged. An advantage of a dynamic prefix is that long-term, it protects your privacy a wee bit, since a static prefix is an extremely definite clue to your location, even if the address of your laptop is obfuscated by random address assignment within the other half of the IPv6 address.

    A DDoS attack with only incoming packets could be as effective at saturating your bandwidth as completed connections overwhelm individual machines, and would affect all users of your prefix, not just the targeted address(es). It would be pretty cool if you could end such an attack merely by resetting your modem and getting a new prefix when it came back up.

    That wouldn’t help popular web sites, but many customers could see the advantages. (That also wouldn’t work with Comcast here and now; you’d have to stay offline until your old address timed out, which could be hours, successfully denying you service. It could become a “feature” if the CPE were programmed to request a new prefix on user demand.)

    • Luca says:

      My provider is starting to offer IPv6 connectivity in my area (xDSL). They use PPPoE and something called IPv6cp (which is NOT DHCP, right?). For the time being, they’ll be handing out /64 dynamic addresses, with a promise of static in the near future.

      I’ve been working with IPv4 for almost 15 years, yet I have a hard time wrapping my head around IPv6. Will autoconfiguration take care of everything on my win 7 machines? Also have a couple of unix file servers, and a PAP2T VoIP adapter, which I am pretty sure does not support IPv6.

    • Jeremy says:

      IPV6CP only negotiates the link-local addresses over PPP.

      To get out to the Internet, you either need ICMPv6 Router Solicitation/Advertisement if you just want to use the Internet on the machine that PPP terminates on, or DHCPv6-PD (Prefix Delegation) if you want to allow machines behind the router to access the Internet as well.

      If you fire up your PPPoE session, and discover global IPv6 addresses magically appearing on your ppp0 interface, that’s likely ICMPv6 RS/RA happening automatically.

  • Luca says:

    Thanks Jeremy. I just got an ASUS RT-N66U, which on paper should work. Is anyone using IPv6 for VoIP yet? I’m having a hard time finding a provider that supports it.

    • Jeremy says:

      I don’t know of any IPv6-enabled VoIP providers myself.

      Recent versions of Asterisk support IPv6, but unfortunately IPv4 NAT traversal is disabled if you enable it (which I need), so I cannot make use of it yet.

  • leev says:

    i completely disagree that the ISP should provide static allocation for home users IPv6.
    first, i had myself the same dyn DNS issue and i solved it writing down my own software for a new dyn dns concept. briefly, the dyndns client that you’ll run on your router will also update all IPv6 addresses of your LAN devices based on their MAC addresses (you should try it, it’s free – more details here (http://www.duia.ro))
    second, in the near future we’ll use “Prefix Assignment in a Home Network” or dynamic IPv6 routing in your multilayered LAN. this RFC is based on OSPFv3 and even if your ISP would give you a fixed ::/56 you might end up with a different ::/64 between one of your home routers and your fridge (if you need more details on how it works you can drop me an email).
    third, dynamic allocation is recommended for ISPs, at least in this transition period, if we want them to roll out IPv6 more quickly. it’s hard for an ISP to find the best IPv6 allocation plan nowadays and the idea that they can change the subnet if they want will give them courage. (i speak from my experience here: IPv6 RFCs become obsolete fast enough, some recommend nibble allocation, masks smaller than /126 are not recommended on interfaces because of ND attacks … and so on).
    fourth, many ISPs differentiate between services based on static vs dynamic allocation. if they cannot match the same services as in IPv4 then again, they will delay IPv6 rollout and that’s bad for the customers.

    i personally think this is not the right moment to force an ISP to embrace IPv6 static allocation but it is definitely the time to force an ISP to give you IPv6.

    • Rich says:

      Your software looks nice, but it isn’t usable apart from the service you sell. If I just want to run BIND and have a router that does nothing but forward packets there is no way to do this with dynamic IPv6.

      Really all I need is for printer.mydomain.foo to resolve to the current IP of my printer. I don’t care if it changes every 5 minutes, as long as the printer gets updated with the new IP as soon as it needs to, and the DNS server gets updated with the new IP. The problem is that this seems to be an afterthought – none of the standard tools handle dynamic addressing.

      Most likely ISPs will only change the IP assignment if the router reboots, but that could happen at any time, especially with consumer-level hardware. These routers rarely offer the capability of running custom software on them either – it seems like many don’t even let you disable address assignment if you’re using IPv6 (only for IPv4).

    • leev says:

      my software is free along with my service, that is also free (and will always be). you can check this right here: https://www.duiadns.net/services
      it’s true, there are some “paid flavors” of my service but just because servers and internet connections cost me money. nevertheless, you have all the features (including IPv6 for LAN) with your free account. initially i’ve made this service for me and then have shared it with all the others because such a feature like “IPv6 for LAN” doesn’t exist on any other dynamic DNS provider and is VERY useful. dynamic IPv6 allocation is a fact nowadays and this is the only method to access your “printer” via IPv6.

  • Rich says:

    I ran into your blog because I’ve started thinking about how I’ll eventually port my setup to IPv6, and dynamic prefixes would cause a lot of grief unless somebody changes how all the software works.

    Right now I’m using NAT with IPv4 (like everybody). I have a DHCP server which assigns IPs based on MAC (with a pool for guest devices), and those IPs correspond to DNS entries on my DNS server. That works just fine, but it requires NAT.

    With IPv6 I’m not really sure how I’ll be able to handle local DNS. There are DHCPv6 servers that can handle DNS updates, but as far as I can tell those DHCP servers expect hard-coded pools. If I don’t use NAT, then anytime my ISP changes my prefix, then the DHCP server needs to change what IPs it starts handing out (oh, and unless my leases are really short devices may just drop off the network until they’re power-cycled, as the ISP is not guaranteed to only change the prefix when everything in the house is powered off).

    I’d love to use stateless autoconfig, but I’ve yet to see any way to get that to do DNS updates.

    It seems like the whole point of giving every device a routable IP is to make it easy to send packets in both directions, but that doesn’t really work if you can’t tie that into DNS. It seems like the whole IPv6 thing was only looked at from the standpoint of routing packets. Sure, if all you want to support is web browsing it works just fine. However, once you have anything that is a server on the network (like a printer) there isn’t any way to get it to play nicely with DNS.

    • Jeremy says:

      Yes, you are correct in your observations.

      The Microsoft DNS server tries very hard to auto-update local entries with A and AAAA records, but doesn’t get it right all the time, and is prone to leaving behind stale entries. (And not everybody runs a Windows Server at home.)

      It just goes to show, static IPv6 allocations are necessary.

    • Aljoscha Vollmerhaus says:

      I’ve got the exact same problems, I operate quite a few servers at home for testing and development (self-employed).
      When my provider recently enabled v6 I started thinking about enabling v6 on everything but ran into the exact problems Rich describes.
      Another problem is config files, like my proxy server where I have to define access controls on a subnet basis and a lot of other stuff.
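The renumbering approach leev’s comment describes (deriving each LAN device’s address from its MAC) applied to the printer.mydomain.foo case Rich raises, as an added example that is not part of the original post or of any commenter’s software: it computes each host’s SLAAC address from its MAC (modified EUI-64) and the /64 it sits in inside the delegated prefix, then emits nsupdate-style commands moving the AAAA record to the new prefix. It assumes the hosts use EUI-64 interface identifiers; the zone name, delegated prefixes and MAC are constructed sample values.

```python
"""Renumber LAN AAAA records when the delegated prefix changes (added example).

Derives each device's SLAAC address from its MAC (modified EUI-64, RFC 4291
appendix A) plus the /64 it lives in, then emits nsupdate-style commands.
Hosts using privacy or random stable interface identifiers will not match.
"""
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (as a 64-bit int) for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe in the middle
    iid[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(iid, "big")


def subnet_of(delegated, index):
    """The index-th /64 inside a delegated prefix (a /56 holds 256 of them)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64 or index >= 2 ** (64 - net.prefixlen):
        raise ValueError(f"/64 number {index} does not fit in {delegated}")
    base = ipaddress.IPv6Address(int(net.network_address) + (index << 64))
    return ipaddress.IPv6Network(f"{base}/64")


def slaac_address(subnet, mac):
    """Address a SLAAC host with this MAC forms in the given /64."""
    net = subnet if isinstance(subnet, ipaddress.IPv6Network) else ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:  # SLAAC only works on a /64, as the comments note
        raise ValueError(f"SLAAC needs a /64, got {subnet}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def renumber_updates(zone, old_delegated, new_delegated, hosts, ttl=60):
    """nsupdate commands moving each host's AAAA from the old to the new prefix.

    hosts maps a short name to (subnet index within the delegation, MAC).
    """
    lines = [f"zone {zone}"]
    for name, (index, mac) in hosts.items():
        fqdn = f"{name}.{zone}"
        old = slaac_address(subnet_of(old_delegated, index), mac)
        new = slaac_address(subnet_of(new_delegated, index), mac)
        lines.append(f"update delete {fqdn} AAAA {old}")
        lines.append(f"update add {fqdn} {ttl} AAAA {new}")
    lines.append("send")
    return lines


if __name__ == "__main__":
    # Constructed sample: the ISP moved us from one /56 to another; the printer
    # lives in /64 number 1 of the delegation.  Pipe the output into nsupdate.
    for line in renumber_updates("mydomain.foo", "2001:db8:aa00::/56", "2001:db8:bb00::/56",
                                 {"printer": (1, "00:11:22:33:44:55")}):
        print(line)
```

The router still has to learn the new delegation (from DHCPv6-PD) and trigger this on every change; a short TTL on the records keeps the window of stale answers small.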

  • Realthunder says:

    I have a practical question for all of you who argue against the idea of statically allocated subnets from ISP.

    I got native IPv6 from my ISP through PPPoE. The PPPoE client is running on my CPE. Every time I dial, I get a new prefix, and my PC can get the new SLAAC address and DHCP allocated address from my CPE. BUT, the problem is that the old addresses are still there. And my internet access will break if the OS chooses the wrong source address, which it does sometimes. Any solution on this? Maybe DHCP reconf option can help, but what about SLAAC?

    • Jeremy says:

      Being the devil’s advocate here, there is a fix for your specific circumstance.

      It is possible to “deprecate” a prefix via Router Advertisement by setting the preferred and valid lifetimes to zero. Some routers (such as the FRITZ!Box) do this when they lose a prefix they received from DHCPv6-PD.

      (Amusing aside: unpatched copies of Windows 7 actually have a bug where they are never able to reuse a deprecated prefix should it become valid again.)

      However taking my devil’s advocate hat off, I understand your problem and believe that is once again another good reason to offer static prefixes. You may be pleased to know that the ISP where I work offers static prefixes to all customers. :-)

    • Realthunder says:

      Yes, I can confirm that my win7 does deprecate the SLAAC address. But its DHCP client does not accept reconfiguration, so the address remains preferred, and will only be renewed until about half of its valid time is left. Looks like I have to disable DHCPv6 address allocation on CPE.

    • Jeremy says:

      In practice stateful address assignment via DHCPv6 is rarely necessary.

      I would recommend using SLAAC, and if your ISP changes your prefix quite often, reconfigure your router’s RA settings to make the valid and preferred lifetimes fairly short (say a preferred lifetime of 300 seconds, valid lifetime of 600 seconds, and broadcast RAs every 60 seconds or so).

      Obviously, the shorter the lifetimes, the quicker your devices will shed their old addresses. Thankfully today IPv6 implementations are fairly compliant, so short lifetimes are more tolerable than they were five years ago.
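The lifetime mechanics behind the post’s remark on deprecating prefixes via Router Advertisement, the stale-address problem in the exchange above, and the short-lifetime recommendation, as an added example that is not from the original page: a small model of the RFC 4862 lifetime rules (including the two-hour floor below which an unauthenticated RA cannot shorten a valid lifetime) and of RFC 6724’s rule that a host avoids deprecated source addresses. The prefixes and timings are constructed, and the source selection is simplified to that one rule.

```python
"""Model of how a SLAAC host handles a prefix change (added example).

Each RA prefix option carries a preferred and a valid lifetime (RFC 4862).
An address is "preferred" until the preferred lifetime ends, "deprecated"
until the valid lifetime ends, then removed.  Source selection (RFC 6724,
rule 3) avoids deprecated addresses, so a stale prefix only causes the
"wrong source address" problem while it is still preferred.
"""
from dataclasses import dataclass

TWO_HOURS = 7200.0  # RFC 4862 5.5.3(e): floor for shortening a valid lifetime
OLD = "2001:db8:aaaa:1::/64"  # prefix before the CPE re-dials (constructed)
NEW = "2001:db8:bbbb:1::/64"  # prefix after the CPE re-dials (constructed)

@dataclass
class SlaacAddress:
    prefix: str
    preferred_until: float
    valid_until: float

    def state(self, now):
        if now >= self.valid_until:
            return "invalid"
        if now >= self.preferred_until:
            return "deprecated"
        return "preferred"

class Host:
    def __init__(self):
        self.addrs = {}  # prefix -> SlaacAddress

    def receive_ra(self, prefix, preferred, valid, now):
        """Apply one RA prefix option following RFC 4862 section 5.5.3."""
        addr = self.addrs.get(prefix)
        if addr is None:
            if valid > 0:  # a zero valid lifetime never creates an address
                self.addrs[prefix] = SlaacAddress(prefix, now + preferred, now + valid)
            return
        addr.preferred_until = now + preferred  # always reset: deprecation is immediate
        remaining = addr.valid_until - now
        if valid > TWO_HOURS or valid > remaining:
            addr.valid_until = now + valid
        elif remaining > TWO_HOURS:
            addr.valid_until = now + TWO_HOURS  # unauthenticated RA cannot go below 2 h
        # else: already under 2 h remaining, a shorter advertised value is ignored

    def candidate_sources(self, now):
        """Usable source prefixes, best first (RFC 6724 rule 3, simplified)."""
        self.addrs = {p: a for p, a in self.addrs.items() if a.state(now) != "invalid"}
        preferred = sorted(p for p, a in self.addrs.items() if a.state(now) == "preferred")
        deprecated = sorted(p for p, a in self.addrs.items() if a.state(now) == "deprecated")
        return preferred or deprecated

def scenario_silent_switch():
    """Long lifetimes; the CPE simply starts advertising NEW at t=1000."""
    h = Host()
    h.receive_ra(OLD, preferred=604800, valid=2592000, now=0)
    h.receive_ra(NEW, preferred=604800, valid=2592000, now=1000)
    return h.candidate_sources(now=1100)  # both still preferred: source ambiguity

def scenario_explicit_deprecation():
    """As above, but the CPE also re-advertises OLD with both lifetimes zero."""
    h = Host()
    h.receive_ra(OLD, preferred=604800, valid=2592000, now=0)
    h.receive_ra(NEW, preferred=604800, valid=2592000, now=1000)
    h.receive_ra(OLD, preferred=0, valid=0, now=1000)
    sources = h.candidate_sources(now=1100)
    old = h.addrs[OLD]
    # OLD is deprecated at once but stays valid for another two hours
    return sources, old.state(1100), old.valid_until

def scenario_short_lifetimes():
    """Preferred 300 s, valid 600 s, RA every 60 s; CPE re-dials at t=1000."""
    h = Host()
    seen = {}
    for t in range(0, 1800, 60):
        h.receive_ra(OLD if t < 1000 else NEW, preferred=300, valid=600, now=t)
        if t in (1080, 1320, 1620):
            seen[t] = h.candidate_sources(now=t)
    seen["old_present"] = OLD in h.addrs  # OLD expired on its own, no deprecation needed
    return seen
```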
