Mailing List Archive

Realistic number of hosts for a /64 subnet?
It's been a while since I was configuring subnets, and last time I did
the guidance was always no more than 1,000 hosts per subnet/vlan. A lot
of that was IPv4 thinking regarding broadcast domains, but generally
speaking we kept to it for dual stacked networks, equating an IPv4 /22
with an IPv6 /64. (This was commonly in office environments where we
used a subnet per floor to accommodate all of the desktops, printers,
phones, tablets, etc.)

Is this still how people roll nowadays? Have switches and/or other
network gear advanced to the point where subnets larger than 1k hosts
are workable? In IPv4 or IPv6? I've done quite a bit of web searching,
and can't find anything newer than 2014 that has any kind of intelligent
discussion of this topic.

Doug
Re: Realistic number of hosts for a /64 subnet?
On 10/May/19 06:27, Doug Barton wrote:
> It's been a while since I was configuring subnets, and last time I did
> the guidance was always no more than 1,000 hosts per subnet/vlan. A
> lot of that was IPv4 thinking regarding broadcast domains, but
> generally speaking we kept to it for dual stacked networks, equating
> an IPv4 /22 with an IPv6 /64. (This was commonly in office
> environments where we used a subnet per floor to accommodate all of
> the desktops, printers, phones, tablets, etc.)
>
> Is this still how people roll nowadays? Have switches and/or other
> network gear advanced to the point where subnets larger than 1k hosts
> are workable? In IPv4 or IPv6? I've done quite a bit of web searching,
> and can't find anything newer than 2014 that has any kind of
> intelligent discussion of this topic.

Well, WLAN environments come to mind. It is possible to find three or
more thousand devices on a single (V)LAN, be it IPv4 or IPv6. Think
large conferences, a stadium, a concert, etc.

Whether a single LAN can scale to the number of devices a /64 can
maximally support... I don't think so, but I also don't know of anyone
who has tried.

Mark.
Re: Realistic number of hosts for a /64 subnet?
On Thu, 9 May 2019, Doug Barton wrote:

> It's been a while since I was configuring subnets, and last time I did the
> guidance was always no more than 1,000 hosts per subnet/vlan. A lot of that
> was IPv4 thinking regarding broadcast domains, but generally speaking we kept
> to it for dual stacked networks, equating an IPv4 /22 with an IPv6 /64. (This
> was commonly in office environments where we used a subnet per floor to
> accommodate all of the desktops, printers, phones, tablets, etc.)
>
> Is this still how people roll nowadays? Have switches and/or other network
> gear advanced to the point where subnets larger than 1k hosts are workable?
> In IPv4 or IPv6? I've done quite a bit of web searching, and can't find
> anything newer than 2014 that has any kind of intelligent discussion of this
> topic.

It's a good topic to bring up. There has been some work on this in the
IETF, for instance https://tools.ietf.org/html/rfc8273

This means there is single broadcast domain and single /64 per customer,
which if properly implemented helps with a lot of the problem space people
like to solve in this area. It however includes moving away from quite a
lot of what you call "IPv4 thinking".

I however do not operate wifi networks so I have no idea how widely this
is implemented in gear available today. If someone else knows, I would
appreciate if they would share.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Realistic number of hosts for a /64 subnet?
> On 10 May 2019, at 07:43, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
> On Thu, 9 May 2019, Doug Barton wrote:
>
>> It's been a while since I was configuring subnets, and last time I did the guidance was always no more than 1,000 hosts per subnet/vlan. A lot of that was IPv4 thinking regarding broadcast domains, but generally speaking we kept to it for dual stacked networks, equating an IPv4 /22 with an IPv6 /64. (This was commonly in office environments where we used a subnet per floor to accommodate all of the desktops, printers, phones, tablets, etc.)
>>
>> Is this still how people roll nowadays? Have switches and/or other network gear advanced to the point where subnets larger than 1k hosts are workable? In IPv4 or IPv6? I've done quite a bit of web searching, and can't find anything newer than 2014 that has any kind of intelligent discussion of this topic.
>
> It's a good topic to bring up. There has been some work on this in the IETF, for instance https://tools.ietf.org/html/rfc8273
>
> This means there is single broadcast domain and single /64 per customer, which if properly implemented helps with a lot of the problem space people like to solve in this area. It however includes moving away from quite a lot of what you call "IPv4 thinking".
>
> I however do not operate wifi networks so I have no idea how widely this is implemented in gear available today. If someone else knows, I would appreciate if they would share.

My former campus WiFi network used VLAN pooling, so where we had many thousands of devices on the same SSID (eduroam) they were put into one of a set of several dual-stack VLANs on associating, and potentially while moving around campus. This reduced potential broadcast/multicast issues, but then meant (for example) that devices physically next to each other were often not in the same VLAN and thus by default not able to discover services each other were running. That was part of my interest in the dnssd work.

Tim
Re: Realistic number of hosts for a /64 subnet?
> On 10 May 2019, at 06:27, Doug Barton <dougb@dougbarton.email> wrote:
>
> It's been a while since I was configuring subnets, and last time I did the guidance was always no more than 1,000 hosts per subnet/vlan. A lot of that was IPv4 thinking regarding broadcast domains, but generally speaking we kept to it for dual stacked networks, equating an IPv4 /22 with an IPv6 /64. (This was commonly in office environments where we used a subnet per floor to accommodate all of the desktops, printers, phones, tablets, etc.)
>
> Is this still how people roll nowadays? Have switches and/or other network gear advanced to the point where subnets larger than 1k hosts are workable? In IPv4 or IPv6? I've done quite a bit of web searching, and can't find anything newer than 2014 that has any kind of intelligent discussion of this topic.

In the department of "this is how we should have done it".
I would make the subnets match the physical topology. That is a set of (virtual) point to point links.
That gives one host and one router per link. Which results in a broadcast domain of 2. I wouldn't bother with a shared on-link prefix on the link. Just give the host a set of single addresses. Then you don't have to deal with any of the pesky ND issues, DAD, address resolution and so on.

Best regards,
Ole
Re: Realistic number of hosts for a /64 subnet?
Hi,

On Fri, May 10, 2019 at 08:26:46AM +0200, Mark Tinka wrote:
> Whether a single LAN can scale to the number of devices a /64 can
> maximally support... I don't think so, but I also don't know of anyone
> who has tried.

Math says there is no way to do that. Like, store 2^63 ND entries
in finite memory...

(The whole reason why /64 seemed a good idea back then was CGA and
"we can make it work with EUI-64 on IEEE-1394 devices!", of which CGA
never truly happened, EUI-64 based on MAC addresses is dying off, and
IEEE-1394 is long gone... I always thought that /64 was a bit silly)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: Realistic number of hosts for a /64 subnet?
> (The whole reason why /64 seemed a good idea back then was CGA and
> "we can make it work with EUI-64 on IEEE-1394 devices!", of which CGA
> never truly happened, EUI-64 based on MAC addresses is dying off, and
> IEEE-1394 is long gone... I always thought that /64 was a bit silly)
Maybe, but this large address space gives you the room for all these ideas (and a lot more like 8+8 etc.).
I think the great benefit and the main driver was (and is) the full automated address configuration.


Holger
Re: Realistic number of hosts for a /64 subnet?
Hi,

On Fri, May 10, 2019 at 01:07:44PM +0200, H.Zuleger wrote:
> > (The whole reason why /64 seemed a good idea back then was CGA and
> > "we can make it work with EUI-64 on IEEE-1394 devices!", of which CGA
> > never truly happened, EUI-64 based on MAC addresses is dying off, and
> > IEEE-1394 is long gone... I always thought that /64 was a bit silly)
> > Maybe, but this large address space gives you the room for all these ideas (and a lot more like 8+8 etc.).
> I think the great benefit and the main driver was (and is) the full automated address configuration.

I've heard lots of "great ideas" in the last 20 years...

What is left:

- large networks are hard
- can we please do p2p instead, routed, wherever possible
- autoconfig based on hardware identifiers sucks, can we please do
something hash-based (= autoconf in a /96 would quite likely work
perfectly fine)

- we do not have enough bits *in front* of the /64 mark to do nice things

Gert Doering
-- NetMaster
Re: Realistic number of hosts for a /64 subnet?
Mark Tinka mentioned:
>Whether a single LAN can scale to the number of devices a /64 can
>maximally support... I don't think so, but I also don't know of anyone
>who has tried.

Since the MAC address space is 48 bits I would think that would be the max.
-Joe
--
Joe Hamelin, W7COM, Tulalip, WA, +1 (360) 474-7474
Re: Realistic number of hosts for a /64 subnet?
Doug Barton wrote on 10/05/2019 05:27:
> It's been a while since I was configuring subnets, and last time I did
> the guidance was always no more than 1,000 hosts per subnet/vlan. A lot
> of that was IPv4 thinking regarding broadcast domains, but generally
> speaking we kept to it for dual stacked networks, equating an IPv4 /22
> with an IPv6 /64. (This was commonly in office environments where we
> used a subnet per floor to accommodate all of the desktops, printers,
> phones, tablets, etc.)
>
> Is this still how people roll nowadays? Have switches and/or other
> network gear advanced to the point where subnets larger than 1k hosts
> are workable? In IPv4 or IPv6? I've done quite a bit of web searching,
> and can't find anything newer than 2014 that has any kind of intelligent
> discussion of this topic.

the question is less "how many can you fit?", but "how few can you get
away with?" and "when things go wrong, how large can you afford your
blast radius to be?"

If your goal is to connect lots of access devices on an enterprise
network, then keep to the physical topology as much as you can, and
segment at layer 3 where it is practical to do so. As the NotPetya
victim organisations found out, it's a good idea to restrict access
between segments to the greatest extent possible (while still
maintaining functionality). RFC8273 has some really great ideas, but
there's a good deal of overhead associated with configuring it, and I
suspect that the loss of functionality (host neighbor discovery, etc)
would make it unattractive to most corporate networks.

I'm sure 1000 hosts on a network will usually work fine, until someone
does something dumb and takes down the entire segment, at which point
you'll have 1000 people shouting at you.

Nick
Re: Realistic number of hosts for a /64 subnet?
Hi,

On Fri, May 10, 2019 at 10:14:36PM +0100, Nick Hilliard wrote:
> I'm sure 1000 hosts on a network will usually work fine, until someone
> does something dumb and takes down the entire segment, at which point
> you'll have 1000 people shouting at you.

Just make sure their phones are in the same network segment.

No shouting.

Gert Doering
-- NetMaster
Re: Realistic number of hosts for a /64 subnet?
On Fri, May 10, 2019 at 10:29:44AM -0700, Joe Hamelin wrote:
> Mark Tinka mentioned:
> >Whether a single LAN can scale to the number of devices a /64 can
> >maximally support... I don't think so, but I also don't know of anyone
> >who has tried.
>
> Since the MAC address space is 48 bits I would think that would be the max.

47 bits, as one is reserved for multiple receivers (broadcast, multicast).
Devices with that bit set in their MAC are calling for troubles.
But only true for ethernet.
IEEE802.15.4 has 64 bit MAC and is used in 6LoWPAN.

--
B.Walter <bernd@bwct.de> http://www.bwct.de
Modbus/TCP Ethernet I/O modules, ARM-based FreeBSD computers and much more.
Re: Realistic number of hosts for a /64 subnet?
Gert Doering wrote on 10/05/2019 22:16:
> Just make sure their phones are in the same network segment.
>
> No shouting.

Then they'll all start complaining on WhatsApp over the wifi network ...
waaaaaait - I see what you're suggesting here. Brilliantly evil.

Nick
RE: Realistic number of hosts for a /64 subnet?
To be sure, you could always put your phone system on the same network segment too...

Back to the original discussion, it's worth keeping in mind that individual devices can and do have multiple IPv6 addresses, so the IPv6 utilisation vs the number of devices on the layer 2 segment could vary significantly. So if you want to know how many devices are actually on a network segment, you would want to check MAC address tables or filter for unique MAC addresses within the ARP table rather than a ping sweep or similar.

Philip
Re: Realistic number of hosts for a /64 subnet?
> On 13 May 2019, at 06:20, Philip Loenneker <Philip.Loenneker@tasmanet.com.au> wrote:
>
> To be sure, you could always put your phone system on the same network segment too...
>
> Back to the original discussion, it's worth keeping in mind that individual devices can and do have multiple IPv6 addresses, so the IPv6 utilisation vs the number of devices on the layer 2 segment could vary significantly. So if you want to know how many devices are actually on a network segment, you would want to check MAC address tables or filter for unique MAC addresses within the ARP table rather than a ping sweep or similar.

Except those nasty security people are now allowing systems to randomise their MAC addresses. I'm sure some people's Life Goal is to make life as difficult as possible for us network operators.

Sam

--
Sam Wilson
Communications Infrastructure Services, IT Infrastructure
Information Services, The University of Edinburgh
Edinburgh, Scotland, UK
Re: Realistic number of hosts for a /64 subnet?
On Tue, 14 May 2019, WILSON Sam wrote:

> Except those nasty security people are now allowing systems to randomise
> their MAC addresses. I'm sure some people's Life Goal is to make life
> as difficult as possible for us network operators.

That's why one should always create solutions that do not depend on any
kind of uniqueness.

15 years ago I checked the mac addresses of our customers (ADSL customer
base). I noticed that 5% of the customers were using the same mac address.
Tracked that down to D-Link shipping lots of routers via electronics
stores, all with the same mac address. Then I was happy I had designed the
solution with single broadcast domain (vlan) per customer so this still
worked. Other ISPs weren't so lucky, and this caused significant customer
service costs.

If you want a robust access network, make sure it works even if the
customers have customer-controlled identifiers that overlap, such as DUID,
MAC addresses etc. Track people on physical ports (so you know where that
port/cable goes) or on username/password (802.1x). Make sure the
customers/users can't affect each other (protect the Internet from them).

--
Mikael Abrahamsson email: swmike@swm.pp.se
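
An added example, not part of any post in this thread: the device-versus-address counting discussed in the last few messages, done over a neighbour table, with the randomised-MAC and overlapping-MAC caveats made visible. It assumes Linux `ip -6 neigh show` output as input (the IPv6 counterpart of the ARP table); the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by Linux `ip -6 neigh show`.
SAMPLE = """\
2001:db8:0:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:0:1:5c2a:91ff:fe00:1 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:0:1::20 dev eth0 lladdr 3a:7f:10:9c:44:01 REACHABLE
fe80::387f:10ff:fe9c:4401 dev eth0 lladdr 3a:7f:10:9c:44:01 REACHABLE
2001:db8:0:1::30 dev eth0 lladdr 00:aa:bb:cc:dd:ee DELAY
2001:db8:0:1::99 dev eth0 FAILED
2001:db8:0:2::10 dev eth1 lladdr 00:aa:bb:cc:dd:ee REACHABLE
"""

LINE_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)

def parse_neigh(text):
    """Return (ipv6, dev, mac) tuples; unresolved entries (no lladdr) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["addr"], m["dev"], m["mac"].lower()))
    return entries

def is_locally_administered(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set.
    Randomised MACs set this bit; so do some virtual interfaces."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarise(entries):
    """Per interface: address count, unique MAC count, locally-administered MACs."""
    per_dev = defaultdict(lambda: defaultdict(set))  # dev -> mac -> {addresses}
    for addr, dev, mac in entries:
        per_dev[dev][mac].add(addr)
    return {
        dev: {
            "addresses": sum(len(a) for a in macs.values()),
            "unique_macs": len(macs),
            "locally_administered": sorted(m for m in macs if is_locally_administered(m)),
        }
        for dev, macs in per_dev.items()
    }

def macs_on_multiple_segments(entries):
    """MACs seen on more than one interface: a moved host or overlapping identifiers."""
    seen = defaultdict(set)
    for _, dev, mac in entries:
        seen[mac].add(dev)
    return {mac: sorted(devs) for mac, devs in seen.items() if len(devs) > 1}

if __name__ == "__main__":
    entries = parse_neigh(SAMPLE)
    for dev, info in sorted(summarise(entries).items()):
        print(dev, info)
    print("MACs on more than one interface:", macs_on_multiple_segments(entries))
```

On the sample, eth0 holds six addresses but only three MACs, one of them locally administered, so the unique-MAC figure is itself only an upper bound on stable device identity.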
Re: Realistic number of hosts for a /64 subnet?
On 5/10/19 2:10 PM, Gert Doering wrote:
> Hi,
>
> On Fri, May 10, 2019 at 01:07:44PM +0200, H.Zuleger wrote:
>>> (The whole reason why /64 seemed a good idea back then was CGA and
>>> "we can make it work with EUI-64 on IEEE-1394 devices!", of which CGA
>>> never truly happened, EUI-64 based on MAC addresses is dying off, and
>>> IEEE-1394 is long gone... I always thought that /64 was a bit silly)
>> Maybe, but this large address space gives you the room for all these ideas (and a lot more like 8+8 etc.).
>> I think the great benefit and the main driver was (and is) the full automated address configuration.
>
> I've heard lots of "great ideas" in the last 20 years...
>
> What is left:
>
> - large networks are hard
> - can we please do p2p instead, routed, wherever possible
> - autoconfig based on hardware identifiers sucks, can we please do
> something hash-based (= autoconf in a /96 would quite likely work
> perfectly fine)
>
> - we do not have enough bits *in front* of the /64 mark to do nice things

This! Or maybe rewrite it to "...to do a lot of nice things"

>
> Gert Doering
> -- NetMaster
>
Re: Realistic number of hosts for a /64 subnet?
On 5/9/19 9:27 PM, Doug Barton wrote:
> It's been a while since I was configuring subnets, and last time I did
> the guidance was always no more than 1,000 hosts per subnet/vlan. A lot
> of that was IPv4 thinking regarding broadcast domains, but generally
> speaking we kept to it for dual stacked networks, equating an IPv4 /22
> with an IPv6 /64. (This was commonly in office environments where we
> used a subnet per floor to accommodate all of the desktops, printers,
> phones, tablets, etc.)
>
> Is this still how people roll nowadays? Have switches and/or other
> network gear advanced to the point where subnets larger than 1k hosts
> are workable? In IPv4 or IPv6? I've done quite a bit of web searching,
> and can't find anything newer than 2014 that has any kind of intelligent
> discussion of this topic.

Lots of interesting responses, thank you everyone. :)