VDSL addressing

johnplayerblue

I've bridged my F1K modem and thus far have 5 SVI's a couple of router interfaces an ASA5505 and a couple of VM's bridged to a couple of USB and NIC's on my computer all with public IP address.

All address come from a 512 pool /23 network.

Can anyone explain this to me or point me to a good source.

I like a simple top level explanation before I delve deeper.

I'm VERY new to VDSL so this concept is a bit hard for me to try wrap my head around and how it works at the backend. Guess I've spent far to long in the 1918 world and feeling very confused.

ED E

Eir assign blocks per aggregator for VDSL unlike ADSL which used the RASs(7-10 really large pools). So that /23 serves all the Eir retail customers on your cluster of cabinets (the exchange area).

Be careful, they'll let you lease multiple addresses but if you pull enough you could starve the area and cause others in the locality to go offline.

johnplayerblue

Really? That's very very interesting and cool to know.

That's a very practical and useful bit of knowledge.

I was experimenting in my little lab and have no intention of using anything other than the one WAN address. Simple and clean config with only one gateway.

Mind you, I can see why certain groups of people want an IPv6 version of IPv4 NAT in the FINAL standard of IPv6. You feel very exposed with half a dozen public routable address on your inside network. But in saying that NAT was never intended as a security messure but it is a very useful mechanism in an overall security policy.

An entire enterprise is a whole new level of worry even though you'd be just as safe if not more so with IPv6. Although still hard to move away from a security through obscurity - inside/outside mind set.

Packet

johnplayerblue wrote: »

I was experimenting in my little lab and have no intention of using anything other than the one WAN address. Simple and clean config with only one gateway.

Mind you, I can see why certain groups of people want an IPv6 version of IPv4 NAT in the FINAL standard of IPv6. You feel very exposed with half a dozen public routable address on your inside network. But in saying that NAT was never intended as a security messure but it is a very useful mechanism in an overall security policy.

An entire enterprise is a whole new level of worry even though you'd be just as safe if not more so with IPv6. Although still hard to move away from a security through obscurity - inside/outside mind set.

Yes, better to separate firewall policy from NAT or more accurately NAPT (network address & port translation). IPv6 has prefix translation but that's old-world IPv4 thinking. There is a recent RFC https://tools.ietf.org/html/rfc7934 on why allowing end hosts to have multiple IPv6 is a good idea for the Internet.

On my home connection I turn off the firewall and rely on host security. In the case of IPv6 the LAN prefix is 2^64 and all my addresses are privacy addresses. I see IPv4 address scans trying to ssh in but nothing on IPv6 because it is too big to scan. They'd have to learn my IPv6 addresses by other means.