Closed dbenoy closed 3 years ago
+1
+1 :)
+1
The common practice now is to use the whole 4-digit section from `[::1000]` to `[::ffff]`. Anything less than four digits is a static infrastructure assignment. Delegated gateways may take the `[::1000]` block and so minimum DHCP is `[::2000]`. Dedicated server ULA of DNS is `[::53]#53` and DHCP is `[::547]#547`... and so on. The whole idea is for non-SLAAC you want easy shorthand and full use of that last space `[2001:db8::nnnn]`.
An interesting concept, using the last 4 bytes as a port-number-encoded address. Still, if you look at RFC 7707 (Network Reconnaissance in IPv6 Networks), you may want to expand the pool of your DHCPv6 users to avoid network scan attacks.

Even so, if you go with your suggestion of using `prefix::2xxx` for DHCPv6 user addresses, OpenWRT still doesn't do this, but rather limits DHCPv6 addresses to `prefix::xxx`.
In a physically secure environment (employees only) the firewall should prevent enumeration attacks. For a large business, if each building or floor has a /64, then a DHCP range from `::2000` to `::ffff` is by far enough addresses to rotate each day randomly (40000 addresses vs 200 devices). You may rotate to help reduce inferences on external web site connectivity with market or technical research concentration.

Intentionally exposed infrastructure like your VPN gateway, primary web portal, authoritative name server, and such are already in global DNS, so no point to obscurity, and convenience dominates.
I appreciate that this is an old issue, but are there any plans to implement this? At least to expand the range to `::2000` to `::ffff` rather than just `::0100` to `::0fff`, which we have now?
IPv6 addresses appear to be assigned with the following:

```c
do try = ((uint32_t)rand()) % 0x0fff; while (try < 0x100);
```

Which, for a /64, assigns an address between `0000:0000:0000:0100` and `0000:0000:0000:0fff`.
Would it be possible to use more of the address space than that? I know many people will appreciate the convenience of three-digit IPv6 suffixes for all their hosts, but I would prefer longer addresses so that my network is a little less vulnerable to ping scans.
Perhaps the 'suffix length' should be a configuration option? Defaulting to three digits but with the option to define an arbitrary length, or an 'auto' which uses the entire available suffix address space?
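To make the proposal above concrete, here is an added example (not odhcpd's code, and not from anyone in this thread) of a lease-suffix policy with a configurable hex-digit length: it computes the resulting pool sizes for the current ::0100-::0fff behaviour, the ::2000-::ffff range suggested in the comments, and the full 64-bit 'auto' suffix, draws leases with a CSPRNG instead of `rand()`, and estimates how many probes a random scan needs before it finds a host. The `reserved` parameter and the function names are assumptions chosen for this example.

```python
import ipaddress
import secrets

# Added example, not odhcpd's code. Models the lease-suffix policy discussed in
# the issue: a configurable number of hex digits in the host part of a /64, with
# a low block reserved for static infrastructure (::53, ::547, ...) and delegated
# gateways. `reserved`, `suffix_range` and `assign_lease` are names chosen here.

def suffix_range(digits, reserved=0x2000):
    """Inclusive (low, high) host-suffix bounds. digits=3 with reserved=0x100
    mirrors the current ::0100-::0fff behaviour; digits=4 gives ::2000-::ffff;
    'auto' uses all 16 digits (the whole 64-bit interface identifier)."""
    if digits == "auto":
        digits = 16
    if not 1 <= digits <= 16:
        raise ValueError("suffix length must be 1..16 hex digits or 'auto'")
    high = 16 ** digits - 1
    if reserved >= high:
        raise ValueError("reserved block leaves no room for leases")
    return reserved, high

def pool_size(digits, reserved=0x2000):
    low, high = suffix_range(digits, reserved)
    return high - low + 1

def assign_lease(prefix, digits, in_use, reserved=0x2000):
    """Draw an unused suffix with a CSPRNG (not libc rand()) and return the
    address inside `prefix`. `in_use` is the set of suffixes already leased."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    low, high = suffix_range(digits, reserved)
    if len(in_use) >= high - low + 1:
        raise RuntimeError("DHCPv6 pool exhausted")
    while True:
        suffix = low + secrets.randbelow(high - low + 1)
        if suffix not in in_use:
            in_use.add(suffix)
            return ipaddress.IPv6Address(int(net.network_address) + suffix)

def expected_probes(digits, hosts, reserved=0x2000):
    """Average probes a scanner needs to hit the first of `hosts` uniformly
    placed leases when trying pool addresses in random order: (N+1)/(hosts+1)."""
    return (pool_size(digits, reserved) + 1) / (hosts + 1)

if __name__ == "__main__":
    cases = (("current", 3, 0x100), ("proposed", 4, 0x2000), ("auto", "auto", 0x2000))
    for label, d, r in cases:
        print(f"{label:8} pool={pool_size(d, r):>20} probes~{expected_probes(d, 200, r):.3g}")
```

With 200 hosts, the current 3-digit pool (3840 addresses) is found after roughly 19 probes on average, the 4-digit pool (57344 addresses) after roughly 285, and only the full 64-bit suffix makes a scan impractical, which is the point RFC 7707 makes.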