12.07.2015 Views

IPv6 Security


If you wanted to make your address allocation system more secure, you could use a RADIUS server to authenticate the prefix delegation. You could create other ways to secure the DHCPv6 messages, but that would require more preconfiguration on the customer’s equipment. The purpose of DHCPv6-PD is to make addressing simpler. If more coordination and expectations are placed on the skill of the broadband subscriber, the efficiency benefits will be lost.

Multihoming Issues

IPv6 addresses are allocated by service providers to end-user organizations. IPv6 addresses are intended to be fully hierarchical to help reduce the size of the core Internet routing table. Because IPv6 has the ability to have far more address blocks than IPv4, it would be impossible to have a large number of routes in the Internet backbone routers. With the increasing size of today’s IPv4 Internet routing table, many devices struggle to handle the storage and the workload of processing the changes. Both memory and processor capacity are factors in the maximum size of the IP routing table. The size of the Forwarding Information Base (FIB) and the Routing Information Base (RIB) increases with the number of routes. As the FIB gets larger, so does the lookup time, which affects the forwarding rate. As the size of the routing table increases, so does the time of convergence. If Internet routers contain both IPv4 and IPv6, the problem gets worse.

Because IPv6 addresses are fully hierarchical, you probably do not need to use BGP, except in the default-free zone of the Internet backbone. An ISP could simply use a static route to point to the address block that has been allocated to the customer. In turn, the customer could simply use a default route to point toward the ISP for routing traffic to all unknown prefixes. This would simplify device configurations and also reduce the need for BGP, which would reduce the number of protocols the routers needed to run.

Many large organizations that connect to today’s IPv4 Internet enjoy the redundancy that comes from connecting to two or more ISPs. This is part of an enterprise organization’s disaster recovery and business continuity plan. The organization takes in routes from these providers (full routes, partial routes, or just the default route) and advertises its own address space from its own Autonomous System Number (ASN). Therefore, if one ISP connection were to fail, the BGP routing tables would converge and the customer would maintain its Internet connectivity.

If the rules of IPv6 addressing hierarchy were relaxed, many organizations could advertise their prefixes to the Internet. The address space would become fragmented, and the size of the Internet routing tables would expand out of control. Because of this fear, the addressing hierarchy has been enforced by the IANA, the IETF, the regional registries, and the ISPs. However, various registries (notably ARIN) have started to allow customers to obtain provider independent (PI) address space. This address space is not likely to be routed by service providers, but it does give customers additional addresses should they need them.
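
The aggregation argument above, as an added example that is not from the book: a small Python model of which prefixes the default-free zone has to carry when customers are single-homed, multihomed, or hold PI space. The provider names, all prefixes (taken from the 2001:db8::/32 documentation range) and the helpers `dfz_table` and `relaxed_table` are constructed for illustration.

```python
from ipaddress import IPv6Network

# Constructed sample data inside the 2001:db8::/32 documentation range.
# Provider names and all prefixes are hypothetical.
PROVIDERS = {
    "ISP-A": IPv6Network("2001:db8::/34"),
    "ISP-B": IPv6Network("2001:db8:4000::/34"),
}

# (customer prefix, upstream ISPs the customer connects to)
CUSTOMERS = [
    (IPv6Network("2001:db8:1::/48"), ["ISP-A"]),              # PA, static + default route
    (IPv6Network("2001:db8:2::/48"), ["ISP-A"]),              # PA, static + default route
    (IPv6Network("2001:db8:4001::/48"), ["ISP-B"]),           # PA, static + default route
    (IPv6Network("2001:db8:3::/48"), ["ISP-A", "ISP-B"]),     # PA from ISP-A, multihomed via BGP
    (IPv6Network("2001:db8:c000::/48"), ["ISP-A", "ISP-B"]),  # PI, outside both provider blocks
]


def dfz_table(providers, customers):
    """Return the sorted prefixes the default-free zone has to carry.

    Model assumption: a customer prefix stays hidden behind its provider's
    aggregate only when it lies inside that provider's block AND that
    provider is the customer's sole upstream. PI space and PA space
    advertised through a second ISP both need their own route.
    """
    table = set(providers.values())
    for prefix, upstreams in customers:
        owner = next((name for name, block in providers.items()
                      if prefix.subnet_of(block)), None)
        if owner is None or set(upstreams) != {owner}:
            table.add(prefix)
    return sorted(table)


def relaxed_table(providers, customers):
    """Hierarchy not enforced: every customer advertises its own prefix."""
    return sorted(set(providers.values()) | {prefix for prefix, _ in customers})


if __name__ == "__main__":
    for route in dfz_table(PROVIDERS, CUSTOMERS):
        print(route)
    print(len(relaxed_table(PROVIDERS, CUSTOMERS)), "routes if every customer advertises")
```

With only the three single-homed customers the table is just the two provider aggregates; each multihomed or PI customer adds one more route that every backbone router must store and reconverge on.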
