IPv6 Address Management and Security Questions

I'm trying to draft an IPv6-based version of our location's current routing configuration in anticipation of when our ISP will finally roll it out, and address management has been giving me the biggest headache - ironic, considering IPv6 was supposed to simplify address allocation.
My first config draft was made assuming that I would be getting a static /56 or /60 prefix from the ISP, and I was just going to insert the prefix into my DHCP pools and there would be no issues. That was before reading around and discovering that some ISPs are considering prefix delegation (PD) for both residential and business accounts instead of static blocks. Now I have questions about how to stick as close to the current IPv4 configuration as possible.
For the PD scenario, what I am looking at now are two address ranges for each network - a ULA /120 space that I want to control using stateful DHCPv6, and the global space which can be /64 and auto-configured. That way there will be a "private" address space for internal routing in the event of a prefix change or an extended outage. But I'm not sure how the config should look for such a scenario. What I have drafted so far is this:
ipv6 dhcp pool DHCP6_INTERNAL
 address prefix FDAB::1:0/120
 domain-name whatever.net
 dns-server FDAB::1:1
ipv6 dhcp pool DHCP6_DMZ-WIFI
 address prefix FDAB::2:0/120
 domain-name guest.whatever.net
 dns-server FDAB::2:1
interface GigabitEthernet0
 description WAN-LINK
 ipv6 enable
 ipv6 address dhcp
 no ipv6 unreachables
 no ipv6 redirects
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 ipv6 nd autoconfig default-route
 ipv6 dhcp client pd hint ::/56
 ipv6 dhcp client pd ISP-PREFIX
 zone-member security OUTSIDE
 speed auto
 duplex auto
 no cdp enable
interface FastEthernet8.1
 description VLAN_1-INTERNAL
 encapsulation dot1Q 1 native
 ipv6 enable
 ipv6 address FDAB::1:1/120
 ipv6 address ISP-PREFIX ::1:0:0:0:1/64
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 zone-member security INSIDE
 ip tcp adjust-mss 1300
 ipv6 dhcp server DHCP6_INTERNAL
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
interface FastEthernet8.2
 description VLAN_2-DMZ-WIFI
 encapsulation dot1Q 2
 ipv6 enable
 ipv6 address FDAB::2:1/120
 ipv6 address ISP-PREFIX ::2:0:0:0:1/64
 ipv6 flow ingress
 ipv6 flow egress
 ipv6 virtual-reassembly in
 zone-member security DMZ
 ip tcp adjust-mss 1300
 ipv6 dhcp server DHCP6_DMZ-WIFI
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
Will this config work? By which I mean: will the DHCPv6 servers provide ULA addresses, and will SLAAC work for global address allocation? If not, what needs to be changed?
Also, another question. I found a few references to a prefix name (the "ISP-PREFIX") which can be used as part of a static IPv6 address on an interface, which is a good idea in case the prefix changes. But that brings up another concern - if the prefix changes, that will invalidate ACLs referencing the global addresses using the previous prefix. Is there anything similar to the prefix name string that can be used in ACLs to keep this from occurring?

DHCPv6-PD is not necessarily dynamic the same way as DHCP was with the public IPv4 addresses in the IPv4 world.
While the outside network (PPPoE, DHCPv6, anything) might be truly dynamic and changing with possibly every login session, the DHCPv6 delegated prefix might be tied to your login credentials or DHCPv6 client's DUID after the first connection. A bit like a DHCP lease reservation.
If that is the case, there is some possibility that your ISP will run reverse route injection, and will always route your "fixed" prefix to the currently active dynamic "outside" address.
Talk to your ISP and have them confirm that, once the PD'd /48 or /56 is initially assigned, it won't change, and that the same prefix will be delegated every time. Then you can treat it as if it were fully static, and you won't have to go down the ULA path.
I contacted one of our local ISPs, and they're doing it exactly that way: PPPoE for IPv4 and IPv6 (fully dynamic), and DHCPv6-PD with the /48 tied to the PPPoE login credentials. I might change to that ISP sooner or later.
With my current ISP, my IPv6 access is 6RD based. I get a /60, with my current public IPv4 address (by DHCP) embedded into those 60 bits. Readdressing is bound to happen sooner or later, and it happens every so often, and it breaks my IPv6 ACLs.
I'm also looking for a way to write IPv6 ACLs with wildcard bits, not prefix/mask, so I can use them with ZBFW. So far, no sign of it.
A few more comments:
ULA addressing:
It may look tempting, plausible and intuitive to use dual global and ULA addressing.
I started this way as well. However, it turns out that Windows 7 has (had?) some issues with proper source address selection. The "longest common prefix" rule never seemed to work properly. In some cases, it would pick the global address to talk to ULA hosts, or stubbornly insist on using the ULA address to talk to an IPv6 internet host. It was a frustrating experience. Be sure to test this to the full extent (and back, and again and then some more) with every operating system you intend to use.
Using /120:
Be sure to test this as well, and very thoroughly. Subnet masks longer than /64 are sometimes called "uncharted territory" in IPv6. Longer subnet masks will break SLAAC, and there may be (embedded) devices that will not react benevolently to a subnet mask other than /64, or simply lack support for DHCPv6.
adjust-mss:
I see you have "ip tcp adjust-mss 1300". While PMTUd may be mandatory with IPv6, I found it to be broken already :-( . "ipv6 tcp adjust-mss .... " is now a separate command since IOS 15.4(1). I would suggest considering it, depending on your experience with PMTUd on IPv6.
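
Both posts run into the same problem: ACL entries that name global addresses go stale when the delegated prefix changes. The sketch below is an added example, not code from either poster or from Cisco; it keeps the ACL as a template with prefix-relative placeholders modelled on the `ipv6 address ISP-PREFIX ::1:0:0:0:1/64` lines above and re-renders it for a new prefix. The `<NAME suffix>` placeholder syntax, the ACL name and its rules are assumptions of this example (IOS itself has no such ACL placeholder), and the prefixes come from the 2001:db8::/32 documentation range.

```python
import ipaddress
import re

# Hypothetical placeholder syntax for this example: <NAME suffix[/len]>,
# modelled on the page's "ipv6 address ISP-PREFIX ::1:0:0:0:1/64" lines.
TOKEN = re.compile(r"<(?P<name>[\w-]+) (?P<suffix>[0-9A-Fa-f:]+(?:/\d+)?)>")

# Constructed sample ACL; the name and rules are illustrative only.
TEMPLATE = """\
ipv6 access-list OUTSIDE-IN-V6
 permit icmp any any packet-too-big
 permit tcp any host <ISP-PREFIX ::2:0:0:0:80> eq 443
 deny ipv6 any <ISP-PREFIX ::1:0:0:0:0/64> log
"""


def combine(delegated, suffix):
    """Upper bits from the delegated prefix, remaining bits from the suffix."""
    iface = ipaddress.IPv6Interface(suffix)  # no "/len" parses as /128
    if iface.network.prefixlen < delegated.prefixlen:
        raise ValueError(f"{suffix} is shorter than the delegated prefix")
    low = int(iface.ip)
    if low & int(delegated.netmask):
        # e.g. subnet bits used with a /64 delegation: fail rather than
        # render an address that lies outside the delegated prefix.
        raise ValueError(f"{suffix} sets bits inside /{delegated.prefixlen}")
    value = int(delegated.network_address) | low
    if "/" not in suffix:
        return str(ipaddress.IPv6Address(value))
    return str(ipaddress.IPv6Interface((value, iface.network.prefixlen)))


def render(template, prefixes):
    """Expand every placeholder using a {name: IPv6Network} mapping."""
    def expand(match):
        if match["name"] not in prefixes:
            raise ValueError(f"no delegated prefix named {match['name']}")
        return combine(prefixes[match["name"]], match["suffix"])
    return TOKEN.sub(expand, template)


def changed_lines(old, new):
    """Pairs of (stale, replacement) ACL lines after a prefix change."""
    return [(a, b) for a, b in zip(old.splitlines(), new.splitlines()) if a != b]


if __name__ == "__main__":
    before = render(TEMPLATE, {"ISP-PREFIX": ipaddress.IPv6Network("2001:db8:1200::/56")})
    after = render(TEMPLATE, {"ISP-PREFIX": ipaddress.IPv6Network("2001:db8:3400::/56")})
    for stale, fresh in changed_lines(before, after):
        print(f"- {stale}\n+ {fresh}")
```

The list returned by `changed_lines` is the set of entries that has to be replaced on the router after a renumbering; lines without a placeholder, such as the ICMP rule, are left alone.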
