On 11/26/19 12:13 AM, Sabri Berisha wrote:
> ----- On Nov 26, 2019, at 1:36 AM, Doug Barton do...@dougbarton.us wrote:
>> I get that some people still don't like it, but the answer is IPv6. Or,
>> folks can keep playing NAT games, etc. But one wonders at what point
>> rolling out IPv6 costs less than all the fun you get with [CG]NAT.
> When the MBAs start realizing the risk of not deploying it.
> I have some inside knowledge about the IPv6 efforts of a large eyeball network.
For what it's worth, I have extensive experience in both eyeball and
content networks.
> In that particular case, the cost of deploying IPv6 internally is not simply
> configuring it on the network gear;
We're rehashing old ground here. Perhaps you weren't on the list the
last N times this has come up. My short answer, I didn't say it would be
easy, I said it is less expensive than the alternatives over time.
> that has already been done. The cost of fully supporting IPv6 includes (but is
> probably not limited to):
> - Support for deploying IPv6 across more than 20 different teams;
I don't understand how you're using "teams" here. For the most part you
turn it on, and end-user systems pick up the RA and do the right thing.
If you want something fancier, you can do that with DHCP, static
addressing, etc. In other words, this works the exact same way that IPv4
does.
> - Modifying old (ancient) internal code;
What code? IPv4 isn't going away on the inside, so what needs to be
modified? If you're talking monitoring software, etc., if you're still
using software that doesn't understand IPv6, you're way overdue for an
upgrade already.
> - Modifying old (ancient) database structures (think 16 character fields for IP
> addresses);
Either see above, or much more likely you'd be adding a field, not
modifying the existing one.
> - Upgrading/replacing load balancers and other legacy crap that only support
> IPv4 (yeah, they still exist);
If we're talking about an enterprise that is seriously still using stuff
this old, it's more likely than not that IPv6 is the least of their
worries. And I'm not being flippant or disrespectful here. For at least
the last 10 years or so, and definitely in the last 5, all of the
enterprise level network gear sold has had support for IPv6. So again,
way overdue for an update, but if this is all you have available, then
you likely have bigger fish to fry. (And feel free to save the
obligatory, "My favorite network widget that I use in my 100%
enterprise-class network does not support IPv6." Yes, I realize that
there are exceptions, but they are the exceptions, not the rule.)
> - Modifying the countless home-grown tools that automate firewalls etc;
Yes, this is actually a legitimate point.
> - Auditing the PCI infrastructure to ensure it is still compliant after
> deploying IPv6;
Also legit, where it applies, although you also have the option of not
deploying on the network with the PCI data. For internal-only things,
it's great to have IPv6, and will become increasingly important as time
goes on, but it's not required.
> Execs have bonus targets. IPv6 is not yet important enough to become part of that bonus target: there is no ROI at this point.
That depends heavily on what enterprise you're talking about.
The point I'm trying to make is that there IS an ROI here. For content
providers it's the ability to create a stable network architecture
across all of your sites, and connect directly to the many eyeballs that
are already on IPv6 (cell networks, many ISPs, etc.). There is also the
much harder to define ROI for future-proofing the network, but that's
part of the master class. :)
For eyeball networks the same stable network architecture argument
applies. The immediate ROI is harder to define, but similar, in the
sense that connecting directly to the many content networks that have
already deployed IPv6 and future-proofing are both relevant.
Much harder for the eyeball networks to quantify are the savings related
to NOT having to do [CG]NAT, etc. To create that slide you need an exec
who truly understands the (rising over time) costs of twiddling around
with the NATs, as well as the realistic costs involved in rolling out
IPv6 balanced by the long term support. Then you also need an executive
team and board that can understand those slides when they see them.
But it's not all in vain. I'm on Spectrum here at home, and I have
native IPv6 that "just worked" from the moment I plugged my router into
my cable modem.
So there are a non-trivial number of both eyeball and content networks
that already get it. The value proposition obviously does exist, we just
need more people in the right places with the right knowledge and
experience to make it happen.
Doug
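The "16 character fields for IP addresses" point in the quoted list above is easy to check mechanically, and the check shows why a quick smoke test misses it. The following Python is an added example, not code from either poster or from any real schema; the column width and the sample addresses are constructed, and it relies only on the standard-library ipaddress module.

```python
import ipaddress

# Constructed assumptions, not values from the thread. A CHAR(16) column was the
# classic IPv4-era choice: "255.255.255.255" is 15 characters plus a terminator.
LEGACY_CHAR_WIDTH = 16
# Longest textual IPv6 form is the IPv4-mapped notation
# "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" (45 chars); pure hex is 39.
IPV6_TEXT_MAX = 45

def text_len(addr: str) -> int:
    """Length of the canonical (RFC 5952 compressed) text form of an address."""
    return len(ipaddress.ip_address(addr).compressed)

def fits_char_column(addr: str, width: int = LEGACY_CHAR_WIDTH) -> bool:
    """True if addr fits a width-character text column without truncation."""
    return text_len(addr) <= width

def packed_len(addr: str) -> int:
    """Bytes needed for a binary column: 4 for IPv4, 16 for IPv6."""
    return len(ipaddress.ip_address(addr).packed)

def audit(addresses, width: int = LEGACY_CHAR_WIDTH) -> dict:
    """Map each address to (fits_in_text_column, canonical_text, packed_bytes)."""
    out = {}
    for a in addresses:
        ip = ipaddress.ip_address(a)
        out[a] = (len(ip.compressed) <= width, ip.compressed, len(ip.packed))
    return out

# Constructed sample values: the short ones are exactly what a quick test tends
# to use, and they slip into a 16-character column unnoticed.
SAMPLES = [
    "255.255.255.255",                          # widest IPv4: 15 chars, fits
    "::1",                                      # loopback: 3 chars, fits
    "2001:db8::1",                              # short documentation host: 11 chars, fits
    "2001:db8:1:2:21b:21ff:fe12:3456",          # EUI-64 style host learned via RA: 31 chars
    "2001:0db8:0000:0000:0000:ff00:0042:8329",  # full form; 22 chars even after compression
]

if __name__ == "__main__":
    for addr, (fits, text, nbytes) in audit(SAMPLES).items():
        print(f"{'OK ' if fits else 'BAD'} {text:<40} text={len(text):2d} packed={nbytes}")
```

A BINARY(16) column (16 bytes, not 16 characters) holds every address in packed form, which is the cheap "add a field" route rather than widening the text column everything else reads.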