I'm just arguing that it could be easier to automatically assign a /64 to each customer without having to make configuration changes if the customer decides they want one. As I said, I've got a /48 on that server, so there are plenty of /64s to go around for each customer to have one.
No problem with that. I think it makes perfect sense to give customers a /64 by default. Just keep two things in mind. If at some point you decide that the /48 needs to be split across multiple servers, it will be convenient to have the /64s that you did assign be located closely together. I don't know how many customers you expect to have on that server. If you do get to for example 8000 customers on that server, try to do a survey on how many customers are using the /64 for something.
Even if you do give each virtual node a /64, you are still going to need a way to route between them.
Having the default route be the other side of the link-local address (to the dom0/master domain, as radvd or similar would hand out) would work, I imagine, instead of configuring routing through the single IP address in the shared /64. Perhaps this would be a lot easier than setting up manual static routes?
AFAIK radvd cannot delegate prefixes. It can just tell nodes what prefix is on a specific link.
I assume you can set up separate virtual network interfaces between dom0 and the individual virtual nodes. From a security perspective it would be better to do it that way. Once the connections to the individual nodes are on different interfaces you can of course use router advertisements to announce a different prefix on each of those interfaces.
But again that is still just a /64 for the link between dom0 and the customer node. They are not actually getting a /64 routed to their node, they are getting a /64 in which they can use SLAAC to consume as many addresses as they like.
Is your suggestion the standard in the hosting industry?
I don't know what is standard. Neither do I know if the industry has agreed on a standard.
My guess is that delegating a prefix to individual servers (physical or virtual) is not standard. They are more likely manually configured as needed.
Having each customer on logically independent links is a good idea from a security perspective, and it more or less forces you to allocate a /64 to each link. As far as I remember Xen does make them independent links by default, and you have to explicitly bridge them in dom0 if you want them to be one link. On a physical network you can make independent links through the use of VLANs.
Do you think it would better suit your needs to allocate a /64 for the link between dom0 and each customer, and then not route a /64 to each customer? If you don't route a /64 to each customer, then you don't need to mess with DHCPv6 and routing.
I agree with you here! Hence my asking whether this would be a good idea. I still don't understand why MAC address matching just doesn't seem to be supported in DHCPv6 servers though!
I seem to recall some ISC representative stating that there are lots of features that they'd like to add, but they'll have to prioritize, and they need input from users of the DHCPv6 server to decide how to prioritize.