IPv6 broadband provisioning

[Iljitsch van Beijnum <iljitsch@muada.com>]

Hi,

(I posted largely the same message to the internet area list yesterday  
because we had extensive discussions there about DSL Forum stuff.)

One of the things that we haven't quite figured out about IPv6 is how  
broadband deployment would work. I think it would be good if we can  
agree that customer routers can request an IPv6 prefix using DHCPv6  
prefix delegation. Since there is really no other way to do this, I  
don't expect that to be too controversial.

The problem is how ISPs get to enforce restrictions on how packets  
flow from devices connected to the DSL or cable modem (or link, a user  
could buy their own modem which isn't controlled by the ISP). If there  
is a dedicated physical or virtual interface per customer, this is all  
simple enough. But I understand this isn't necessarily the case, and  
moving in that direction could be costly. So here's another approach.  
Please let me know what you think.

The first device under the control of the ISP, or at least a device  
very low in the aggregation hierarchy, to intercepts router  
advertisements from the ISP's IPv6 router and slightly modifies them:  
it basically injects some bits that are particular to the customer/ 
line, so that every customer sees RAs with a prefix unique to them.

For instance, if an IPv6 router sits on top of two layers of layer 2  
aggregation devices, the IPv6 router sends out router advertisements  
with prefix 2001:db8:31::/64. The lowest layer of aggregation devices  
then insert a 16-bit customer or line ID in bits 48 - 63 so that  
customer 9 sees 2001:db8:31:9::/64 and customer 10 2001:db8:31:a::/64  
and so on. (The router advertisements can also be generated by the  
layer 2 device itself, but there probably needs to be some centrally  
configured info in there, too.)

Customers without an IPv6 router do normal IPv6 stateless autoconfig  
so the lower 64 bits of the addresses are random, but the ISP only  
sees packets with the customer ID number somewhere in the higher bits  
so they know which packets come from which customer. The layer 2  
infrastructure can safely impose the restriction that all customer  
traffic goes to the IPv6 router and not to other customers, because  
customers don't know their neighbor's prefix is on-link so they'll  
send those packets to the router anyway. And the router doesn't need  
an address in all those prefixes, the users only need to know its link  
local address. (Of course add ingress filtering as required.) The  
router is simply told that all of 2001:db8:31::/48 is on-link so it  
will do ND for all customer machines, but it doesn't send redirects.

(I would probably implement a per-customer ND cache LRU algorithm to  
prevent one user from DoSing a whole town by generating large amounts  
of addresses that the router must do neighbor discovery for. There is  
no reason why a user wouldn't be able to connect a large number of  
machines using a switch but this may not be altogether desirable from  
the ISP's perspective.)