IPv6 PREFIXES ON POINT-TO-POINT LINKS – /64 OR /127? WHICH SUBNET MASK TO USE?

When you’re configuring a router for IPv6, what subnet mask should you use on your point-to-point links? Good question, Cassandra! Or whatever your name is. There’s a lot of names in the world, and I’ve not got time to list them all.

I’ve seen some people use /64s, I’ve seen other people using /127s – and even subnet masks in between. Do any of these people know what they’re doing? Almost certainly not. Ultimately, we’re all just children trying our best to make everyone else believe that we’re functioning adults, desperately scrambling to stay calm and brave in the face of ever-increasing panic.

But hey, that doesn’t mean we can’t work out the pros and cons of both subnet masks – because it turns out that the question of which one to use is actually a bit tricky.

 

BACKGROUND: IPv4 POINT-TO-POINT SUBNETS

It’s drilled into CCNA students that you can never use the first and last IP in a subnet. Even if you really want to. Even if it’s what you’ve dreamed of since you were a child. Even if you made a promise to a boy in a hospital that you’d use the first and last IP in a subnet: you can’t do it.

This means that you’ll usually see point-to-point links configured with a /30 subnet mask (255.255.255.252). Using a /30 gives us 4 IPs. Two of these IPs are usable – one for each end of the link – and two are wasted. After all, a router doesn’t really need to send traffic to a broadcast address when there’s just one router at the other end of the link.

Well, as it happens, point-to-point links are a special case – because back in the 17th century (December 2000), RFC 3021 proposed ending this madness, and letting people use /31 masks on point-to-point links.

It was only a recommendation – a request for comments, if you will – but almost everyone adopted it. Hey, good news: that boy in the hospital won’t hate you after all!

Try it on a Cisco router. You’ll get a warning message, but it’ll work just fine. Here’s the proof: (Take note of the hostname of this router. It’s important to make sure your router is actively involved in the fight against 21st century fascism. IP is not a protocol for racists).

SMASH_FASCISM(config)#interface GigabitEthernet5/0
SMASH_FASCISM(config-if)#no shut
SMASH_FASCISM(config-if)#ip address 192.168.1.0 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously
SMASH_FASCISM(config-if)#exit

So, although it’s common for people to use /30s on point-to-point links, you can actually use /31s if you like – two IPs in the subnet, both of them usable. There’s a tiny chance that some extremely old devices might not understand, but if you’re using good hardware, you’re fine.

There’s one more thing we have to understand before we answer our question, and that’s how big IPv6 subnets can be – because most of the time, the answer is “more IPs than your tiny idiot brain can even hope to understand”.

 

IPv6 – UNDERSTANDING THE SIZE OF SUBNETS

A /128 in IPv6 is the equivalent of a /32 in IPv4 – in other words, one host machine. And just like IPv4, every time you take one off the prefix length, it doubles the number of IPs. In other words, a /127 gives you two IPs. A /126 gives you four IPs, a /125 gives you eight IPs, and so on.

But you’ll rarely see these subnet masks – we use far, far bigger subnets in IPv6. In fact, your ISP will probably give you a big chunk of IPv6 addresses with a /48 prefix.

How many IPs are in a /48? This page at MediaWiki spells it out: there are 1,208,925,819,614,629,174,706,176 addresses. Now, you may be wondering: why is our ISP giving us so many IPs? Well, the truth is: because they love you. They love you, and they’d do anything – literally anything – to make you happy. (Also: because that’s the standard that was decided.)

 

IPv6 – HOW TO SUBNET YOUR /48

It’s generally recommended that you chop your /48 up into /64s, and use this on *every single subnet* in your network – regardless of how big or small it is.

If you take your /48 allocation, and subnet it into /64s, this will give you 65,536 /64 subnets across your entire organisation.

And by the way, do you know how many IPs there are in a /64? Hold onto your seat: 18,446,744,073,709,551,616. In other words, 18.4 quintillion. Of course there are. Even children know that.

But wait: are we really supposed to use /64s on *every* subnet? Even point-to-point links? That seems wasteful, right? You only need two IPs – yet you’re using a subnet mask that gives you more IPs than most people even know how to count to!

Well, don’t worry about that. That’s IPv4 thinking. The numbers available to us in IPv6 are so truly massive that there’s genuinely no need to worry about wasting IPs. I mean, look at those numbers in that picture up there. Look at them.

There’s also a lot of things in IPv6 that actually break if you use networks smaller than a /64 – for example, SLAAC (StateLess Address Auto-Configuration), and ND (Neighbor Discovery). So, case closed, right? /64s all the way, right?

 

THE CASE FOR USING /127s IN IPv6

But wait a second. Hang on. Wait. Wait just one minute. Wait. I said wait: if we’re using a point-to-point link… do we actually need SLAAC and Neighbor Discovery?

Good point. That’s why, a few years ago, some people (nerds) made the case that in fact, using /127s has its advantages – and they wrote up their hopes and dreams into RFC 6164, which not only recommends using /127 prefixes, but actually requires all vendors to recognise /127s!

The RFC also addressed (pun intended) some of the more specific concerns that people had. It’s pretty dry to read, so I’ve tried to make it a bit more understandable:

 

THE SUBNET-ROUTER ANYCAST ADDRESS

One of the reasons that the use of /127s was historically discouraged was because it meant there’d be a conflict with a thing called the “Subnet-Router Anycast Address”. The name tells you what it is: it’s an address that can always be used to reach a router on a subnet. It’s the very first address in a subnet, and a router will always respond to it.

But here’s the thing: if you’ve only got two routers connected together on a point-to-point link… do you really need your routers to respond to an anycast address? No sir!

The RFC points out that a lot of the recommendations to use /64s were actually based specifically on this concern. But if it’s not a concern, then the /64 recommendation no longer holds true.

But it doesn’t end there: it turns out that using /64s on point-to-point links could potentially open you up to some security threats. Here’s two of them:

 

PROTECTION FROM PING-PONG ISSUES

No, not the sport. Although no reasonable person would object to ping-pong being made illegal worldwide. No, ping-pong issues arise when packets are sent back and forth between the same router.

Imagine you have two routers:

— Router A has an interface with IPv6 address fd00::1/64.
— Router B has an interface with IPv6 address fd00::2/64.

Router A receives a packet destined for fd00::3. This address is in our subnet, but isn’t directly configured on Router A itself. So, of course, Router A routes it:

— Router A looks in its routing table, and sends the packet out of its directly connected interface – to Router B.
— Router B receives the packet, sees that the address isn’t configured on itself, so it looks in its routing table, and… sends the packet out of its directly connected interface, back to Router A.
— The packet goes back and forth until the packet’s TTL (what IPv6 calls the “hop limit”) expires.

You can see how someone could attack your network using this method – and why using a /127 would prevent this. If you’ve only got two IPs in your point-to-point, there’s no extra IPs to bounce around.

(As it happens, this problem doesn’t happen on newer devices – RFC 4443 states that if a router wants to send a packet to a device on its own subnet, but the packet “cannot be delivered to its destination address for reasons other than congestion”, then an ICMP Destination Unreachable message should be sent to the sender. This means that traffic to addresses that don’t exist will never bounce around – because they’ll never leave the router in the first place.)
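The bouncing described above, as a small simulation (an added example, not part of the original post). It models only the legacy behaviour and the two connected routes; the /127 numbering fd00::a and fd00::b is an assumption, chosen to stay clear of the all-zeros Subnet-Router anycast address.

```python
import ipaddress


def link_crossings(a_if, b_if, dst, hop_limit=64):
    """Return (crossings, outcome) for a packet to dst that enters at Router A.

    Legacy behaviour from the text: a router that has a connected route for
    dst, but does not own dst, sends it out of the point-to-point interface.
    """
    routers = [ipaddress.ip_interface(a_if), ipaddress.ip_interface(b_if)]
    dst = ipaddress.ip_address(dst)
    here, crossings = 0, 0              # index 0 is Router A, 1 is Router B
    while True:
        me = routers[here]
        if dst == me.ip:
            return crossings, "delivered"
        if dst not in me.network:
            return crossings, "no route"
        if hop_limit <= 1:              # cannot be forwarded any further
            return crossings, "hop limit exceeded"
        hop_limit -= 1                  # every forwarding step costs one hop
        crossings += 1
        here = 1 - here                 # hand the packet to the other end


# /64 on the link, addresses exactly as in the text.
WIDE = link_crossings("fd00::1/64", "fd00::2/64", "fd00::3")
# /127 on the link (assumed numbering): fd00::3 is no longer on-link.
NARROW = link_crossings("fd00::a/127", "fd00::b/127", "fd00::3")
# Traffic for the real far end still works over the /127.
PEER = link_crossings("fd00::a/127", "fd00::b/127", "fd00::b")

if __name__ == "__main__":
    for label, (count, outcome) in (("/64", WIDE), ("/127", NARROW), ("/127 peer", PEER)):
        print(f"{label:10} crossings={count:3} outcome={outcome}")
```

With a /64, one stray packet costs 63 trips across the link at the default hop limit of 64; with a /127 it never gets onto the link at all.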

 

NEIGHBOR CACHE EXHAUSTION ISSUES

As a British-English speaker, you have no idea how hard it is to remember to type neighbour as “neighbor”.

Anyway: imagine our two routers again:

— Router A has fd00::1/64.
— Router B has fd00::2/64.
— Router A receives a packet destined for fd00::3. And then, for fd00::4. And then another, for fd00::5. And so on, and so on…

Looks like someone’s doing a ping sweep attack.

Of course, these addresses don’t exist on our subnet. We’ve only got two devices, at each end of the link. But that won’t stop the router making a cache entry for each and every address, in an INCOMPLETE state. And if the attack continues, that cache can quickly fill up. Plus, the router will be sending Neighbor Solicitation messages out, counting down retransmit timers, and so on. An attacker can quickly fill up a router’s resources with an attack like this.

There are ways to mitigate this – for example, you can turn Neighbor Discovery messages off on your point-to-point links – but using /127s eliminates the risk completely.
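What that sweep costs Router A, as a toy model (an added example, not part of the original post). The 512-entry cache with no eviction and the /127 numbering fd00::a and fd00::b are assumptions; real routers differ in cache size, timers and eviction.

```python
import ipaddress


class NeighborCache:
    """Toy neighbour cache: fixed capacity, no eviction (both assumed)."""

    def __init__(self, interface, peer, capacity=512):
        self.iface = ipaddress.ip_interface(interface)
        self.capacity = capacity
        # The real neighbour at the far end is already resolved.
        self.entries = {ipaddress.ip_address(peer): "REACHABLE"}
        self.solicitations = 0   # Neighbor Solicitations sent
        self.refused = 0         # lookups dropped because the cache was full

    def packet_for(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst == self.iface.ip or dst not in self.iface.network:
            return "not-on-link"          # nothing to resolve on this interface
        if dst in self.entries:
            return self.entries[dst]
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return "cache-full"
        self.entries[dst] = "INCOMPLETE"  # nobody will ever answer for it
        self.solicitations += 1
        return "INCOMPLETE"


def sweep(interface, peer, count=10_000, first="fd00::3"):
    """Replay packets for `count` consecutive addresses and report the cost."""
    cache = NeighborCache(interface, peer)
    start = ipaddress.ip_address(first)
    for offset in range(count):
        cache.packet_for(start + offset)
    incomplete = sum(1 for state in cache.entries.values() if state == "INCOMPLETE")
    return {"incomplete": incomplete,
            "solicitations": cache.solicitations,
            "refused": cache.refused}


WIDE = sweep("fd00::1/64", "fd00::2")      # addresses from the text
NARROW = sweep("fd00::a/127", "fd00::b")   # assumed /127 numbering

if __name__ == "__main__":
    print("/64 :", WIDE)
    print("/127:", NARROW)
```

On the /64 every free slot in the cache ends up INCOMPLETE and the router sends a solicitation for each one; on the /127 the same 10,000 packets create no entries and no solicitations.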

 

SO WHAT SHOULD I DO THEN? SHOULD I USE /127s AFTER ALL?

Well… frustratingly, there really doesn’t seem to be a clear and definitive answer. But here’s what we can say for sure:

— Using prefixes longer than a /64 breaks some IPv6 functionality – but none of it is functionality that you need on a point-to-point link.
— RFC 6164 states that all vendors MUST support /127 prefixes. That’s fine for modern hardware, or for hardware that isn’t made by garbage companies. But what about older hardware, or hardware that was made on the cheap? You could argue that by using anything other than a /64, you’re setting yourself up for potential problems.
— On the other hand, by using a /64 you could be opening yourself up to security risks.
— On the other-other hand (that’s three hands, Barry!), most if not all of those problems can be fixed individually.
— RIPE (the IP registrar for Europe) suggest that if you do use /127s then you should still allocate the full /64 range.

There’s so much conflicting information out there. I’ve seen blogs claiming that ARIN (the American IP registrar) recommend using /64 everywhere – though I must say I’ve not been able to find a source for this that isn’t more than 10 years old. We’ve come a long way since then.

On the other hand, I attended the RIPE (the European IP registrar) Advanced IPv6 training course, which recommends using /127s for security (see slide). Is it really the case that even the registrars can’t agree?

I honestly can’t find a definitive answer anywhere. There are RFCs that trump other RFCs, and everyone seems to have their own opinion. And whatever you choose, someone will tell you you’re wrong. You know what people who work in networking are like. That’s right: they’re literal trash.

Perhaps RIPE’s compromise is best: allocate a /64 to your point-to-point, but only configure a /127 subnet mask. Don’t be tempted to use the rest of the /64 elsewhere – allocate the entire subnet to that point-to-point in your design, but only actually configure a /127 mask. That way, if problems present themselves in the future, you can at least change the prefix.
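One way to put that compromise into an address plan, and to check afterwards that nobody has borrowed the rest of a reserved /64 (an added example, not part of the original post). The 2001:db8:abcd::/48 block, the link and interface names, and the habit of numbering each link ::2 and ::3 are all assumptions.

```python
import ipaddress


def plan_links(block, links):
    """Reserve one /64 per link from `block`, but number only a /127 in it."""
    plan = {}
    slots = ipaddress.ip_network(block).subnets(new_prefix=64)
    for name, slot in zip(links, slots):
        # Skip the all-zeros interface ID: it is the Subnet-Router anycast
        # address, so each link uses ::2 and ::3 (an assumed convention).
        p2p = ipaddress.ip_network(f"{slot.network_address + 2}/127")
        plan[name] = {"reserved": str(slot),
                      "a": f"{p2p[0]}/127", "b": f"{p2p[1]}/127"}
    return plan


def audit(interfaces):
    """Return the /64s that hold a /127 link plus anything else."""
    by_slot = {}
    for name, addr in interfaces.items():
        iface = ipaddress.ip_interface(addr)
        slot = ipaddress.ip_network(f"{iface.ip}/64", strict=False)
        by_slot.setdefault(slot, []).append((name, iface.network))
    findings = []
    for slot, members in sorted(by_slot.items()):
        nets = {net for _, net in members}
        if len(nets) > 1 and any(net.prefixlen == 127 for net in nets):
            findings.append((str(slot), sorted(name for name, _ in members)))
    return findings


PLAN = plan_links("2001:db8:abcd::/48", ["core1-core2", "core1-edge1"])

# Constructed inventory: the third link was squeezed into an already reserved /64.
CONFIGURED = {
    "core1:Gi0/0": "2001:db8:abcd::2/127",
    "core2:Gi0/0": "2001:db8:abcd::3/127",
    "core1:Gi0/1": "2001:db8:abcd:1::2/127",
    "edge1:Gi0/0": "2001:db8:abcd:1::3/127",
    "core2:Gi0/2": "2001:db8:abcd:1::4/127",
    "edge2:Gi0/0": "2001:db8:abcd:1::5/127",
    "core1:Vlan10": "2001:db8:abcd:10::1/64",   # ordinary LAN, left alone
}
FINDINGS = audit(CONFIGURED)

if __name__ == "__main__":
    print(PLAN)
    print(FINDINGS)
```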

So, in conclusion: in your labs, do whatever you like. And in the real world… pfff. Who knows. Not me, and probably not you. Let’s just go to the pub. The pub fixes everything.

One thought on “IPv6 PREFIXES ON POINT-TO-POINT LINKS – /64 OR /127? WHICH SUBNET MASK TO USE?”

  • December 1, 2017 at 1:32 am
    It's like you read my mind! You appear to grasp so much about this, like you wrote the ebook in it. An excellent read. I will certainly be back.