
This is part of the design of IPv6. There are (almost) never networks other than /64. This allows the possibility of generating addresses based on a MAC address, and frequently changing addresses for privacy reasons.

Most devices will not work on a network with a mask longer than 64. The only common exception is point to point links between routers, which may be a /127.

Removing variable length subnet masks from end networks makes routing and configuration a lot simpler.




You say that but in a few years we'll probably be fighting neighbour discovery DoS attacks. /64 prefixes seem to be the worst thought out idea of IPv6.


IIRC (and I may not RC), ND traffic is supposed to be constrained to a local link.

If this is true, then it would be totally safe to drop ND traffic that didn't originate on your network, and drop ND traffic that occurs on networks that you manage that have manually configured addresses.

So, how would you DoS anything other than your upstream router [0], or the nodes on your own LAN?

[0] Even this DoS seems trivially preventable by dropping ND requests that happen too frequently. If you assume that there is one router on each end of a link, then the rate of ND messages would have to be very low in the ordinary course of operation, no?


Honest question, how does privacy come into play here? If you're given a /64, even if you change the last 64 bits, isn't it trivial for someone to assume everything from the first 64 is you?


Yeah. It is a trivial assumption. In my experience with Comcast Residential internet, one's IPv6 prefix remains the same for as long as one's IPv4 address, which is to say that they remain the same forever.

Comcast hands out allocations as wide as /60, but even this doesn't help much with privacy; if you're being unusually proactive with your network renumbering, that's only four bits of entropy that you're adding to your identifiers. :)


Two things:

1. The /64 is the same for your whole local network. Granted that at home that is usually not many devices, but it's almost certainly more than one.

2. The /64 changes when you change networks, and unless you have a static IP address it will change for your home network too. On the other hand, if the low 64 bits is derived from your MAC address, it never changes (unless you replace your NIC of course.)


> The /64 is the same for your whole local network.

This means that, at best, IPv6 "Privacy Extensions" give advertisers no more information than they get today with non-Carrier-Grade IPv4 NATs. That's not a big win, in my book. :/


I get that EUI-64 uses your 48-bit MAC address plus 16-bit "ff:fe" token. But I don't really understand why this matters.

First, why does your home office need globally unique identifiers for its devices? 48-bits seems really excessive. A CRC16 hash of the MAC should cover far more before a conflict arises than any home networking devices could handle anyway. (you're really unlucky if you hit a 1:65,536 conflict. But make it CRC32 if you're really worried about that.)

Second, how does having the MAC address make routing simpler? When a packet comes into the router, it has to have a table to say MAC A == LAN port B. So instead, you'd just have it be: IP A == LAN port B. In the reverse direction, the PC already has to ask the router "what is my IP prefix?", so why is that harder than it just asking "what is my IP?" and getting a full address from it?

Third, wouldn't temporary (privacy) addresses undermine this entire EUI-64 setup's efficiency improvements? Now you're back to randomized data in the low 64-bits, so the router and PC need to have some kind of negotiation to know the IP addresses just like before anyway.

Lastly, I do think it's a valid privacy concern. Now when you do something the government doesn't like and they show up, that IP address with your MAC in it lets them say "yep, this is the exact computer that was used." Before, there was the argument that it could have been a Wifi guest. Even worse, it could follow you between dynamic IP reassignments from your ISP, and even from switching to different ISPs.

So all that said ... it doesn't seem like we really need 18 quintillion addresses to do decent routing and subnetting. Just drop EUI-64 as a bad idea, and have 16 bits of randomized values for the home network. And when you go to a small business, increase it to 24 bits. Fortune 500, 32 bits.

And now to make the whole system even better ... make most of the IPv6 values used by ISPs 0000, so you can collapse 80% of the address to ::


> First, why does your home office need globally unique identifiers for its devices?

For the same reason that the original plans for the Internet ensured that every connected machine was a peer of every other: a network of peers easily allows for new and novel services on the network.

> Second, how does having the MAC address make routing simpler?

It doesn't.

> Third, wouldn't temporary (privacy) addresses undermine this entire EUI-64 setup's efficiency improvements?

That's not the point. The point of this setup is to provide a way for SLAAC to easily create a stable IPv6 address to make DNS forward and reverse mapping on the LAN easy to manage. There's also an alternative method for stable address creation that doesn't use the system's MAC address.

> Now you're back to randomized data in the low 64-bits, so the router and PC need to have some kind of negotiation to know the IP addresses just like before anyway.

You really need to read how SLAAC works [0]. In particular, pay attention to the Duplicate Address Detection section, and note how DHCPv4 uses a similar method for determining whether or not an IP in a pool is safe to hand out.

After you've read about SLAAC and DAD, read about Neighbor Discovery [1]. This stuff is more well thought out and less complicated than you seem to think that it is.

[0] https://en.wikipedia.org/wiki/IPv6_address#Stateless_address...

[1] https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
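The three ways of filling the low 64 bits that come up in this thread (the MAC-derived EUI-64 identifier from the first comment, the "alternative method for stable address creation that doesn't use the system's MAC address" from the reply above, which is RFC 7217, and the RFC 4941 temporary addresses) are short enough to write out. This is an added example, not code from any commenter or from any operating system's SLAAC implementation; the prefixes are the RFC 3849 documentation range, the MAC and secret key are made up, and SHA-256 as the RFC 7217 PRF is our choice (the RFC leaves it to the implementation).

```python
import hashlib
import ipaddress
import secrets

# Constructed sample inputs: two documentation /64s (RFC 3849) and a made-up MAC.
PREFIX_A = ipaddress.IPv6Network("2001:db8:0:1::/64")
PREFIX_B = ipaddress.IPv6Network("2001:db8:0:2::/64")
SAMPLE_MAC = "00:11:22:33:44:55"


def mac_to_modified_eui64(mac: str) -> bytes:
    """RFC 4291 Appendix A: split the 48-bit MAC, insert ff:fe in the middle and
    invert the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_to_mac(iid: bytes):
    """Invert the mapping: anyone who sees the address recovers the MAC.
    Returns None when the IID lacks the ff:fe marker, i.e. is not MAC-derived."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def stable_privacy_iid(prefix: ipaddress.IPv6Network, net_iface: str,
                       secret_key: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217-style opaque IID: F(prefix, interface, DAD counter, secret).
    Constant for one (prefix, interface) pair, so DNS and ACLs stay stable,
    but unlinkable across prefixes because the prefix is hashed in."""
    h = hashlib.sha256()                          # our choice of F (assumption)
    h.update(prefix.network_address.packed[:8])   # the 64-bit prefix
    h.update(net_iface.encode())
    h.update(dad_counter.to_bytes(2, "big"))      # bumped when DAD finds a duplicate
    h.update(secret_key)
    return h.digest()[:8]


def temporary_iid() -> bytes:
    """RFC 4941 temporary IID: 64 random bits with the u/l bit (0x02) cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def make_address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with a 64-bit IID, which is why SLAAC needs /64."""
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def extract_iid(addr: ipaddress.IPv6Address) -> bytes:
    """The low 64 bits of an address, for checking what they leak."""
    return addr.packed[8:]


def main():
    secret = b"per-host secret, generated once and kept"   # constructed
    for prefix in (PREFIX_A, PREFIX_B):
        eui = make_address(prefix, mac_to_modified_eui64(SAMPLE_MAC))
        stable = make_address(prefix, stable_privacy_iid(prefix, "eth0", secret))
        temp = make_address(prefix, temporary_iid())
        # The EUI-64 address carries the same low 64 bits on both prefixes and the
        # MAC can be read back out of it; the other two do not.
        print(f"{prefix}  eui64={eui}  mac={eui64_to_mac(extract_iid(eui))}")
        print(f"{prefix}  stable={stable}  mac={eui64_to_mac(extract_iid(stable))}")
        print(f"{prefix}  temp={temp}")


if __name__ == "__main__":
    main()
```

Running it shows the point of the privacy discussion above: the EUI-64 address keeps the same `…:211:22ff:fe33:4455` tail whichever prefix the ISP hands out, and the ff:fe in the middle of the tail is the tell that lets `eui64_to_mac` read the MAC back out, while the RFC 7217 identifier changes with the prefix and the temporary one changes on every call. On Linux, `sysctl net.ipv6.conf.<if>.addr_gen_mode` (2 selects the stable-privacy method) and `net.ipv6.conf.<if>.use_tempaddr` choose between these, and `ip -6 addr` shows which kind each configured address is.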


PtP links are subnetted /127, but they are allocated a /64.

http://bcop.nanog.org/index.php/IPv6_Subnetting



