New IPv6 prefix and reverse zone

2018-06-21 - News - Tony Finch

Our new IPv6 prefix is 2a05:b400::/32

As part of our planning for more eagerly rolling out IPv6, we concluded that our existing allocation from JISC (2001:630:210::/44) would not be large enough. There are a number of issues:

  • A typical allocation to a department might be a /56, allowing for 256 subnets within the department - the next smaller allocation of /60 is too small to allow for future growth. We only had space for 2048 x /56 allocations, or many fewer if we needed to make any /52 allocations for large institutions.

  • There is nowhere near enough room for ISP-style end-user allocations, such as a /64 per college bedroom or a /64 per device on eduroam.

As a result, we have asked RIPE NCC (the European regional IP address registry) to become an LIR (local internet registry) in our own right. This entitles us to get our own provider-independent ISP-scale IPv6 allocations, amongst other things.

We have now been allocated 2a05:b400::/32 and we will start planning to roll out this new address range and deprecate the old one.

We do not currently have any detailed plans for this process; we will make further announcements when we have more news to share. Any institutions that are planning to request IPv6 allocations might want to wait until the new prefix is available, or talk to networks@uis.cam.ac.uk if you have questions.

The first bit of technical setup for the new address space is to create the reverse DNS zone, 0.0.4.b.5.0.a.2.ip6.arpa. This is now present and working on our DNS servers, though it does not yet contain anything interesting! We have updated the sample stealth secondary nameserver configuration to include this new zone. If you are using the catalog zone configuration your nameserver will already have the new zone.
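As an added example (not code from the original announcement or from our nameserver configuration), this Python derives the ip6.arpa zone name for a prefix, including prefixes that do not fall on a 4-bit boundary, and finds which configured zone holds the PTR record for an address. The function names and the /56 and /58 sample prefixes are constructed for illustration.

```python
from __future__ import annotations
import ipaddress

def reverse_zones(prefix: str) -> list[str]:
    """Return the ip6.arpa zone name(s) that exactly cover an IPv6 prefix.

    Each label in ip6.arpa is one hex digit (4 bits), so a prefix on a
    nibble boundary maps to one zone; any other prefix is split into the
    2, 4 or 8 subnets at the next nibble boundary, one zone each.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects stray host bits
    pad = -net.prefixlen % 4  # bits needed to reach the next nibble boundary
    zones = []
    for sub in net.subnets(prefixlen_diff=pad):
        nibbles = sub.prefixlen // 4
        # exploded form carries all 32 hex digits; keep those fixed by the prefix
        digits = sub.network_address.exploded.replace(":", "")[:nibbles]
        zones.append(".".join(reversed(digits)) + ".ip6.arpa")
    return zones

def zone_for(address: str, zones: list[str]) -> str | None:
    """Pick the most specific zone in `zones` that holds the address's PTR name."""
    ptr = ipaddress.IPv6Address(address).reverse_pointer
    hits = [z for z in zones if ptr.endswith("." + z)]
    return max(hits, key=len, default=None)

NEW_ZONE = reverse_zones("2a05:b400::/32")[0]     # prefix from this announcement
OLD_ZONE = reverse_zones("2001:630:210::/44")[0]  # existing JISC allocation

if __name__ == "__main__":
    print(NEW_ZONE)
    print(OLD_ZONE)
    # Constructed sample: a departmental /56 inside the new prefix
    print(reverse_zones("2a05:b400:0:100::/56"))
    # Constructed sample: a /58 is not nibble-aligned, so it needs four /60 zones
    print(reverse_zones("2a05:b400:0:100::/58"))
    # Which of the zones a secondary serves would answer for this address?
    print(zone_for("2a05:b400::1", [NEW_ZONE, OLD_ZONE]))
```
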

Edited to add: Those interested in DNSSEC might like to know that this new reverse DNS zone is signed with ECDSA P256 SHA256, whereas our other zones are signed with RSA SHA1. As part of our background project to improve DNSSEC key management, we are going to migrate our other zones to ECDSA as well, which will reduce the size of our zones and provide some improvement in cryptographic security.