The entire argument hinges on /64 allocations not being subsettable, with VMs and containers named as examples, but in my experience everything works fine with sub-/64 address ranges.
VMs run with whatever address(es) they’re configured with, which might be a /64 for some reason, but is more likely to be a /96 or even a /128 (do you really need a unique address per thread…?).
Containers of course are assigned an IPv6 address by their runtime, and /128 is standard.
If you’re administrating a network and someone shows up demanding a /60 because their laptop has vmware installed, just tell them no.
I happen to disagree but it’s from a capable person so I wanted to raise for discussion.
In my own experience with IPv6, I’ve never launched a VM and found that I needed a new /64 to be able to hand out to my network. If I did, I could use local addressing unless I needed to go public, in which case I just ask the closest subnet that hands out IPv6 prefixes.
Why would my laptop need to hand out prefixes unless they were link-local anyway?
This seems more like a tooling problem and a defaults problem than a “needs NAT” problem.
As long as IPv6 isn’t frictionless to use, it’s going to have issues. Why do VirtualBox/KVM/QEMU not have good defaults for handing off a /96 or whatever?
I mean I guess for that very small percentage of people NAT makes sense? Honestly the use of VMs as a local tool seems to be dying out in favor of containers so I’m having trouble imagining why I would need this complex of a network setup locally?
I think unikernels are overdue for a renaissance. Containers are amazing, but people misunderstand why they are amazing.
And containers can need to have IPv6 addresses as well.
Chris does IT for a computer science department for a college. I imagine the weird networking edge-cases happen with regularity there, but would probably be uncommon elsewhere.
One does not have to use SLAAC, one can use DHCPv6 on an IPv6 network, at which point the prefix length can easily be anything. One prior employer of mine did that for their office network, albeit with /64 prefixes.
Then if desired, one could use ULA and NPTv6, however unless one has multiple upstream WAN links, that seems like too much effort - as renumbering should be rather easy.
I’ve not checked, but I suspect DHCPv6-PD could be used with prefix lengths > 64 on the LANs, so keeping things simple.
So the only pain point may then arise from operating a stateful firewall, as it has a similar ability to break things as does NAT44/NAT66. However a much more limited set of breakage, due to addressing being deterministic.
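For reference, the ULA plus NPTv6 option mentioned in the comment above, as an added example that is not part of the original thread: a sketch of the stateless, checksum-neutral /48-to-/48 mapping from RFC 6296, which is why the translated address is deterministic and reversible without per-flow state. The function names are this example's own, and the prefixes are the sample values used in that RFC.

```python
import ipaddress

def fold(x):
    """Reduce to 16 bits with end-around carry (one's complement addition)."""
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def ones_sum(addr):
    """One's complement sum of all eight words (what TCP/UDP checksums see)."""
    return fold(sum(words(addr)))

def nptv6_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix (both /48), keeping the
    address's one's complement sum unchanged so transport checksums stay valid."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this sketch covers the /48 case only")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError("address is not inside the source prefix")
    w = words(addr)
    # Adjustment = sum(old prefix) - sum(new prefix), in one's complement.
    adj = fold(ones_sum(src.network_address)
               + (~ones_sum(dst.network_address) & 0xFFFF))
    # For /48 prefixes the adjustment is absorbed by the subnet word (bits 48..63).
    subnet = fold(w[3] + adj)
    if subnet == 0xFFFF:   # normalise one's complement "negative zero"
        subnet = 0x0000
    out = words(dst.network_address)[:3] + [subnet] + w[4:]
    value = 0
    for word in out:
        value = (value << 16) | word
    return ipaddress.IPv6Address(value)

if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    host = "fd01:203:405:1::1234"
    mapped = nptv6_translate(host, inside, outside)
    print(host, "->", mapped)
    print(mapped, "->", nptv6_translate(mapped, outside, inside))
```

Because the mapping is a pure function of the address and the two prefixes, firewall rules and logs can be written against either side and converted offline.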
Unfortunately, Android absolutely refuses to do DHCPv6 (by choice, the Google Android developers apparently hate it and refuse to support it). If you want to support Android devices doing IPv6, you need SLAAC and SLAAC requires a /64 as a minimum.
Well, I think Android can also do DHCPv6-PD these days under the right circumstances, but I believe it may require a /64 there as well.
(I’m the author of the linked-to entry, and I really wish Android did DHCPv6 because it not doing so is probably going to keep all Android devices from getting IPv6 on our work wireless network, when we add IPv6 to that.)