IPv4 to IPv6 Migration – Expert Advice

Tags: dhcp, dhcpv6, domain-name-system, ipv6

I'm currently working on adding IPv6 capabilities to our network, and I have some questions on what is considered best practice in 2020 to convert some of the IPv4 concepts we are used to into the IPv6 world.

In the current setup that I have, we are allocated a /64 from the ISP, and the router advertises that prefix for clients to configure themselves using SLAAC. This seems to work fine and as far as I know everyone has IPv6 internet access.

However we like to be able to query things by name, and I'm not sure what the best practice is to provision AAAA records for the clients.

What I have done is deploy stateful DHCPv6 on the dnsmasq instance that runs our DHCPv4 and tell it to hand out ULAs from some range, which naturally provisions AAAA records for anyone who asks for an address. This also seems to work fine, but I know there is some dislike of stateful DHCPv6. This also helps me to consolidate the assignment of the servers we have on static IPs exactly as I do for DHCPv4; these servers for various reasons should be accessible at a fixed IP address, and we would like that to continue to be the case for IPv6.

The only other way I can think of to do the AAAA records is to send the dnsmasq machine the RA prefix from the router via unicast and then use dnsmasq to advertise the GUA prefix for SLAAC using the ra-names option. This wouldn't solve the static address assignments though, as far as I can tell, and I'm not sure how reliable it actually is. Is there a better way to handle internal AAAA records than ULAs with stateful DHCPv6?

Finally, as things are starting to work, we are now looking at migrating our public services to IPv6. My understanding is that this would require a fixed GUA for the servers to provision public AAAA records. I'm not sure how to achieve this using SLAAC from the edge router, unless there is some kind of dynamic-DNS equivalent. Can I again use DHCPv6 or another manual assignment method to pick IPs in our assigned prefix? I was hesitant to do this because I thought it might collide with a SLAAC address, and I'm not sure what happens if there's a collision. Alternatively, I have the option to ask the ISP for a /48; should I do that and advertise a single /64 for local clients to get connectivity and a different /64 for static servers? This seemed like overkill to me; we already won't come close to filling the single /64, but this might be my IPv4 mindset confusing me.

Best Answer

This seemed like overkill to me; we already won't come close to filling the single /64, but this might be my IPv4 mindset confusing me.

Stop counting hosts; that's IPv4 thinking. Subnets come in one size that fits all: enormous. A /64 can address every IP device ever made with plenty of room to spare.

Yet the address space is even bigger, such that a single site can easily ask for a /48: 64 thousand /64s, 4 hex digits, to give out according to your desired address plan.

For the /48 what exactly do I do with it.

Whatever you want! Be generous and plan for growth. Give /64s to every subnet, every VLAN, wifi SSID, security zone, cloud and remote access VPNs, each container host, the "all zeros" /64 for vanity static service addresses, and so on.

Aggregate where possible, to avoid fragmentation. So perhaps delegate /60s or /56s to internal networks like your DHCP server, manually assigned static pool, wifi controller, or container orchestration system. And test environments for all of the above.

It does not have to be dynamic, such as DHCP-PD, especially not if you have a static prefix from your ISP. But track things somehow, in an IPAM system.

Or there's graceful resolution if it does find a conflict?

IPv6 nodes are supposed to do duplicate address detection on all unicast addresses: stateless, DHCPv6, manual, or otherwise. The standard is to stop on duplicates rather than cause difficult-to-diagnose problems. Randomly generated addresses in a /64 have a very low chance of conflicts.

ULA

ULA is not Internet addressing. Being not globally reachable, the standard default address selection policy puts them at lower priority than even IPv4. See RFC 6724. As such, you will want globally routable (not-ULA) addresses on hosts that get on the IPv6 Internet.

some kind of dynamic-dns equivalent.

Yes, DNS is necessary. Names are easier for humans than IPs.

Yes, knowing the IP is generally a choice between the DHCPv6 server having the state and a SLAAC node being configured with a dynamic DNS client. Router advertisement flags A and M tell the client stateful or stateless.

AD DS joined hosts are fairly straightforward, it is expected they would add themselves to DNS.

Or perhaps, configure server interfaces with stateless, but with not-random EUI-64 based addresses. Then you can calculate the address beforehand based on the MAC address, and put that in DNS.

And maybe not all devices need to be in DNS. Should personal Android devices be allowed on guest Internet, they don't do DHCPv6. If not managed by an MDM, you won't know their IPs.
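The EUI-64 approach from the answer above, as an added example that is not part of the question or answer: given the advertised /64 prefix and a server's MAC address, compute the modified EUI-64 SLAAC address (RFC 4291 Appendix A) and emit the forward AAAA and reverse PTR zone records ahead of time. The prefix, hostname and MAC below are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC after the OUI, insert 0xFFFE, and invert the
    # universal/local bit (0x02) of the first octet.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host configures via SLAAC with EUI-64 identifiers on `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC on Ethernet requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def dns_records(hostname: str, prefix: str, mac: str) -> tuple[str, str]:
    """Zone-file lines for the forward (AAAA) and reverse (ip6.arpa PTR) entries."""
    addr = slaac_address(prefix, mac)
    aaaa = f"{hostname}. IN AAAA {addr.compressed}"
    ptr = f"{addr.reverse_pointer}. IN PTR {hostname}."
    return aaaa, ptr


if __name__ == "__main__":
    # Constructed sample: documentation prefix, a made-up MAC and hostname.
    for line in dns_records("www.example.com", "2001:db8:1:2::/64", "00:1b:21:aa:bb:cc"):
        print(line)
```

Modern hosts default to randomized or RFC 7217 stable-privacy interface identifiers, so the server interface must be explicitly configured for EUI-64 (or a static address) for the precomputed record to match what the host actually assigns.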
