Re: secdir review of draft-ietf-csi-send-cert-03

2010-06-01 Thread Suresh Krishnan

Hi Richard,
  Removing the stuff we agreed upon.

On 10-05-31 08:22 PM, Richard L. Barnes wrote:

Hey Suresh,

Most of these comments look OK to me.  Couple of responses inline.

--Richard


Sec 6 Para 4
The requirement for RFC 3779 extension seems to contradict the use of 
 ETAs as Trust Anchor Material, i.e., the last sentence of the first 
 paragraph in this section.


Good catch. I am not sure how to resolve this. One way would be to 
specify that the ETA EE certificates are exempt from requiring the 
RFC3779 extensions. Do you have any suggestions?


I think the rest of the section is clear enough -- the TA material 
either has to be a self-signed certificate or it has to be an ETA.  So 
maybe you could just delete the phrase "and MUST always refer to a 
certificate that includes a RFC 3779 address extension"?


Hmm. The ETA certificate itself does not need to have the RFC3779 
extension in it, but the relying party needs to fetch an RTA certificate 
which will contain a RFC3779 extension.




As an aside, do you want to specify that in the first case (the non-ETA 
case), the self-signed TA cert MUST conform to the RPKI profile?


Will do.

Thanks
Suresh
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Gen-ART Telechat Review of draft-ietf-ipfix-export-per-sctp-stream-07

2010-06-01 Thread Ben Campbell
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-ipfix-export-per-sctp-stream-07
Reviewer: Ben Campbell
Review Date: 1 June 2010
IESG Telechat date: 3 June 2010

Summary: This draft is ready for publication as a draft standard.

Note: This version resolves all of my concerns from my review of version 03.

Major issues: None
Minor issues: None
Nits/editorial comments: None.




Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread Mark Andrews

In message , Phillip Hallam-Baker writes:
> We keep coming back to the same old problem and the same reasons we
> are going to hope it solves itself without having to change anything.
> 
> 1) It's the wrong type of pain
> 
> IPv4 exhaustion does cause problems, but not really enough problems or
> immediate enough problems to create an incentive to move away from the
> IPv4 Internet.
> 
> It really does not matter very much to the typical Internet user if
> there are other people unable to join the party. It matters even less
> to them if those people are in far away countries.
> 
> 2) NAT-NAT IPv4 still beats IPv6

But we are not talking NAT-NAT IPv4 vs IPv6.  We are talking
NAT-NAT/Distributed NAT IPv4 with plain IPv6.

> Even with the restrictions of carrier NAT, most Internet users are
> going to prefer an Internet connection that gives access to the
> millions of IPv4 hosts than the hundreds of IPv6 hosts.

If you present it to them that way then they would agree with you.
If you present it to them as NAT-NAT alone or NAT-NAT plus IPv6 you
will get a different answer especially when IPv6 is not more
complicated than IPv4 is today.

> This is an adoption trap. Nobody is going to move to IPv6 unless the
> functionality is superior to IPv4.
>
> Saying that IPv6 is X years behind is to miss the point.
> 
> 
> 3) There is no ask
> 
> ISOC and others are very good at putting out these stories warning
> about the imminent IPv4 exhaustion.  But this is wasted effort when
> the message reaches people who can do nothing in response.
> 
> For a message to be effective, there has to be an ask, there has to be
> something concrete that the audience can do in response.
> 
> 
> As before I will suggest how I would address the issue:
> 
> 1) Branding
> 
> Every technology company that has wanted to establish an
> infrastructure to support their product has used branding as leverage.
> Remember 'Novell Ready', 'Entrust Ready', 'Windows Vista Ready'?
> 
> We need an Internet Next Ready. And when consumers see that brand they
> need to know that what they are getting is going to work with the next
> generation Internet. Demanding 'Internet Next Ready' in new products,
> in Internet service is the ask.

Most of the equipment they already have is IPv6 ready.   It's the
home router that isn't.
 
> 2) Design for deployment
> 
> People are not going to use IPv6 if it takes the slightest effort on
> their part. People are not going to switch their home networks over to
> IPv6 if it means a single device on the network is going to stop
> working. In my case it would cost me $4K to upgrade my 48" plotter to
> an IPv6 capable system. No way is that going to happen till there are
> $50 IPv6 plotters on EBay.

Turning on IPv6 does not mean that you have to turn off IPv4.  You
can continue to use IPv4 until you no longer need to use it.

> I try to do as little management of my home network as possible. For
> the architecture to be acceptable it has to be totally transparent to
> me. Otherwise carrier grade NAT is going to be preferable as at least
> that is going to work.

Except for the additional things that it breaks.
 
> 3) Create incentives
> 
> Even with branding, the incentives have to make sense. Merely having
> access to the IPv6 Internet available is not going to cause people to
> use it. Pretty much every host on the Internet can use IPSEC at this
> point. The portion that use it is ~ 0%.

Actually it is well above zero and lots of people are using it
without being aware that they are using it.  If you turn on IPv6
on your servers you will get traffic.
 
> The way that I plot out a campaign is to list every stakeholder that I
> need to take action. I consider the positive/negative balance sheet
> from their point of view. I look at the incentive they have to take
> action and how they are to get the message that they need to take
> action.
> 
> Now I can draft out an architecture that would have the necessary
> properties quite easily. And so could many others on this list. But
> that would be a mistake. In order to get buy in from all the people
> whose buy in is needed, they have to be involved at the design stage.
> 
> Having had the opportunity to be involved is not the same thing.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Gen-ART review of draft-krishnan-v6ops-teredo-update-06

2010-06-01 Thread Suresh Krishnan

Hi Jari,
  Thanks for your comments.

On 10-05-31 06:08 AM, Jari Arkko wrote:

Thanks for your review!

I have added the following RFC Editor notes as fixes:


  Please add "Updates: RFC 4380" to the header.

  Please change s/RA/Router Advertisement (RA)/ on
  first occurrence. Similarly for s/RS/Router Solicitation (RS)/


After we agree with David on how to update the Security Considerations, 
I can submit a new revision that includes these fixes as well.


Thanks
Suresh



Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread Douglas Otis

On 6/1/10 9:57 AM, Olivier MJ Crepin-Leblond wrote:

> On 30/05/2010 23:52, Phillip Hallam-Baker wrote :
> > People are not going to use IPv6 if it takes the slightest effort on
> > their part. People are not going to switch their home networks over to
> > IPv6 if it means a single device on the network is going to stop
> > working. In my case it would cost me $4K to upgrade my 48" plotter to
> > an IPv6 capable system. No way is that going to happen till there are
> > $50 IPv6 plotters on EBay.
>
> Sorry, but that's a red herring.
> You're speaking about IPv4 decommissioning, not IPv6 implementation.
> Implementing IPv6 will do nothing to your local plotter. Your computer
> will keep addressing IPv4 to it.
> Nothing stops you from always running dual stack at home, with your IPv4
> behind your NAT/PAT.
>
> Have you tried implementing IPv6 at home?

By accident when solving a network drop-out problem within a congested 
wireless environment, installing an airport extreme router also offered 
IPv6 over an IPv4 ISP.  Everything just worked.
When later changing providers, the cable modem needed extensive tweaking 
before everything worked, which then lowered throughput by about 35%.  
To overcome this, several commodity routers were tried, but they were 
unable to run DHCP once the modem's NAT was disabled.   Double NATs cause 
additional breakage.  Once again, the airport extreme just worked.  This 
was learning the hard way it seems.


Unless one is careful, one might find themselves using IPv6 without 
their knowledge, both globally and locally.  Capturing local traffic 
showed several applications already making use of the local IPv6 address 
space.   And I'd even wager that an IPv4 plotter would work,  since an 
HP IPv4 printer does.


-Doug


Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread Sabahattin Gucukoglu
On 1 Jun 2010, at 18:19, ned+i...@mauve.mrochek.com wrote:
> As I've stated previously, I believe the main piece that's missing is a
> SOHO-grade router that has full IPv6 support, 6to4 support, full
> IPv4/NAT/firewall support, plus a reasonably intuitive GUI to administer it
> all. If such a product exists I continue to be unaware of it.

I agree.

With the exception (g) of a non-configurable packet filter (besides the NAT 
function and per-port-based IPv6), Apple's Airport Extreme and Time Capsule do 
IPv6 very nearly out of the box (it was disabled by default because a load of 
"Security researchers" took issue with exposing computers to the IPv6 Internet 
by default).  In about ten clicks, and assuming your Internet connection is 
provided by ethernet to a global IPv4 address, these base stations will set up 
and advertise a 6to4 routed block for your network, and handle transparent 
v4/v6 DNS from one proxy.  They're supposed to be able to handle custom 
tunnels, but bugs prevent it from working; it also works as a native router, a 
host on an existing v6 network, and link-local for configuration (no more 
slipping/forgotten netmasks).

So all in all, I'm quite pleased with them, and they're the reason I decided 
IPv6 was no longer hard for anybody.  No doubt there are others out there, or 
should be (IE, from ISPs) and of course there's Teredo or custom protocols if 
you want to stay behind an existing legacy NAT.  And of course, if you want to, 
you can build your own with a Linux box, though I agree that sort of misses the 
deployability aspect, and is more toward the enthusiast, though that's how my 
original setup went for my DSL provider.

Cheers,
Sabahattin


Re: IPv4 depletion makes CNN

2010-06-01 Thread Sabahattin Gucukoglu
On 31 May 2010, at 02:49, Phillip Hallam-Baker wrote:
> Or we could do what we did last time and pretend that nobody will
> deploy carrier grade NAT if we don't specify a way that it can work
> without pain.

Well, I'd be interested to know what your plan is.  Do you think we should use 
DNS for everything, SRV to specify the location of every service, and make port 
numbers insignificant?  Do you think this is better than IPv6, or that it will 
take any more time to deploy IPv6?  And, what do you think of the NAT scaling 
problem that you are proposing we mutely suffer in perpetuity?

I don't like IPv4+NAT for sure (my favourite has got to be A+P) however I 
really don't see anything but good coming of (A) not delaying IPv6 deployment 
any further and (B) making every arrangement to avoid NAT in future.  This 
seems to work for everybody except the end-users, for whom this whole thing is 
completely insignificant, who drag the market with them into a state of 
complacency.  They don't care.  Therefore, I think we must elongate IPv4's life 
as much as possible, so as to give the unfortunate time to transition, but no 
more.  Then, content providers and end-users can continue enjoying the 'net 
(albeit more slowly than usual due to all that translation load for all the 
usual purposes) while the faster and more capable Internet gradually 
transitions into use.  This is the best we can do given that the dual-stack 
opportunity passed over a decade ago, and even then it was important enough to 
commence work on what was, and I think is, the obvious (if a little imperfect)
  plan for the future.  That's where we stand today, everybody capable of IPv6, 
and nobody connected, while the red alert signs all begin to flash.

Cheers,
Sabahattin


Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread ned+ietf

> On 30/05/2010 23:52, Phillip Hallam-Baker wrote :
> > People are not going to use IPv6 if it takes the slightest effort on
> > their part. People are not going to switch their home networks over to
> > IPv6 if it means a single device on the network is going to stop
> > working. In my case it would cost me $4K to upgrade my 48" plotter to
> > an IPv6 capable system. No way is that going to happen till there are
> > $50 IPv6 plotters on EBay.
> >

> Sorry, but that's a red herring.

No, not really. Unless you're willing to fully upgrade to IPv6, you're
talking about continuing to use NAT for the legacy IPv4 devices. And that
buys you into substantial complexity in terms of routing and configuration.

> You're speaking about IPv4 decommissioning, not IPv6 implementation.
> Implementing IPv6 will do nothing to your local plotter. Your computer
> will keep addressing IPv4 to it.
> Nothing stops you from always running dual stack at home, with your IPv4
> behind your NAT/PAT.

> Have you tried implementing IPv6 at home?

As a matter of fact I have. It was a total disaster and after spending several
days trying to get it to work I gave up. The specific problems I had were with
DNS queries being blocked for mysterious reasons and hairpin routing
configuration problems, but the simple fact that such esoteric issues had to be
dealt with by a home network admin sort of says it all.

As I've stated previously, I believe the main piece that's missing is a
SOHO-grade router that has full IPv6 support, 6to4 support, full
IPv4/NAT/firewall support, plus a reasonably intuitive GUI to administer it
all. If such a product exists I continue to be unaware of it.

Ned


Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread todd glassey

On 5/30/2010 3:52 PM, Phillip Hallam-Baker wrote:

> We keep coming back to the same old problem and the same reasons we
> are going to hope it solves itself without having to change anything.
>
> 1) It's the wrong type of pain
>
> IPv4 exhaustion does cause problems, but not really enough problems or
> immediate enough problems to create an incentive to move away from the
> IPv4 Internet.

AMEN, and ARIN could recover any number of multiply issued /8's to 
corporate entities who acquired blocks by merger, like HP for instance. 
They have TANDEM's DEC's Compaq's and HP's /8's and do they need anywhere 
near that many IPv4 addresses?

NO...

So the issue is ARIN and its sloppy operating policies - and yes Cathy 
(their attorney) has heard this from me already.

> It really does not matter very much to the typical Internet user if
> there are other people unable to join the party. It matters even less
> to them if those people are in far away countries.

Duh... the only people who need a fully flat-routed world are the 
Standards Practitioners.

> 2) NAT-NAT IPv4 still beats IPv6
>
> Even with the restrictions of carrier NAT, most Internet users are
> going to prefer an Internet connection that gives access to the
> millions of IPv4 hosts than the hundreds of IPv6 hosts.

Yep

> This is an adoption trap. Nobody is going to move to IPv6 unless the
> functionality is superior to IPv4.
>
> Saying that IPv6 is X years behind is to miss the point.
>
>
> 3) There is no ask
>
> ISOC and others are very good at putting out these stories warning
> about the imminent IPv4 exhaustion.  But this is wasted effort when
> the message reaches people who can do nothing in response.
>
> For a message to be effective, there has to be an ask, there has to be
> something concrete that the audience can do in response.
>
>
> As before I will suggest how I would address the issue:
>
> 1) Branding
>
> Every technology company that has wanted to establish an
> infrastructure to support their product has used branding as leverage.
> Remember 'Novell Ready', 'Entrust Ready', 'Windows Vista Ready'?
>
> We need an Internet Next Ready. And when consumers see that brand they
> need to know that what they are getting is going to work with the next
> generation Internet. Demanding 'Internet Next Ready' in new products,
> in Internet service is the ask.

yes but this then is a marketing effort to convince people (the end 
users) that they need this new gizmo more than the old gizmo and not a 
technological one.

> 2) Design for deployment
>
> People are not going to use IPv6 if it takes the slightest effort on
> their part.

Yep...

> People are not going to switch their home networks over to
> IPv6 if it means a single device on the network is going to stop
> working. In my case it would cost me $4K to upgrade my 48" plotter to
> an IPv6 capable system. No way is that going to happen till there are
> $50 IPv6 plotters on EBay.
>
> I try to do as little management of my home network as possible. For
> the architecture to be acceptable it has to be totally transparent to
> me. Otherwise carrier grade NAT is going to be preferable as at least
> that is going to work.

Yep, meaning that NAT and not IPv6 is the solution.

> 3) Create incentives
>
> Even with branding, the incentives have to make sense. Merely having
> access to the IPv6 Internet available is not going to cause people to
> use it. Pretty much every host on the Internet can use IPSEC at this
> point. The portion that use it is ~ 0%.

This speaks all that needs to be said here, so unless there is some real 
reason that the Internet is going to break unless IPv6 is rolled out 
there is no reason to do it.

Again - IPv4 and NAT are a very reasonable solution as is network 
segmentation.

> The way that I plot out a campaign is to list every stakeholder that I
> need to take action. I consider the positive/negative balance sheet
> from their point of view. I look at the incentive they have to take
> action and how they are to get the message that they need to take
> action.
>
>
> Now I can draft out an architecture that would have the necessary
> properties quite easily. And so could many others on this list. But
> that would be a mistake. In order to get buy in from all the people
> whose buy in is needed, they have to be involved at the design stage.
>
> Having had the opportunity to be involved is not the same thing.


Re: The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread Olivier MJ Crepin-Leblond

On 30/05/2010 23:52, Phillip Hallam-Baker wrote :
> People are not going to use IPv6 if it takes the slightest effort on
> their part. People are not going to switch their home networks over to
> IPv6 if it means a single device on the network is going to stop
> working. In my case it would cost me $4K to upgrade my 48" plotter to
> an IPv6 capable system. No way is that going to happen till there are
> $50 IPv6 plotters on EBay.
>   

Sorry, but that's a red herring.
You're speaking about IPv4 decommissioning, not IPv6 implementation.
Implementing IPv6 will do nothing to your local plotter. Your computer
will keep addressing IPv4 to it.
Nothing stops you from always running dual stack at home, with your IPv4
behind your NAT/PAT.

Have you tried implementing IPv6 at home?

Kind regards,

Olivier

-- 
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html



Re: IPv4 depletion makes CNN

2010-06-01 Thread Phillip Hallam-Baker
It is a feature that should be part of the Internet base protocol
stack. It is bad enough having to work out which RFCs matter and which
should be ignored. Knowing that you have to search out to various
other organizations to find secret sauce to make it work is a recipe
for chaos.

It's bad enough having kludges like the robots.txt file in HTTP.

On Mon, May 31, 2010 at 7:59 AM, Arnt Gulbrandsen
 wrote:
> On 05/31/2010 03:49 AM, Phillip Hallam-Baker wrote:
>>
>> So we need to extend the UPNP protocol so that when the local NAT box
>> receives a request to open up an external port, it relays the request
>> to the carrier NAT.
>
> So what are you waiting for? Go ahead, read http://upnp.org, find the
> relevant WG, propose the extension, talk to implementers, you know the
> routine as well as I do.
>
> Arnt
>



-- 
Website: http://hallambaker.com/


Re: IPv4 depletion makes CNN

2010-06-01 Thread Phillip Hallam-Baker
On Mon, May 31, 2010 at 3:02 AM, Masataka Ohta
 wrote:
> paf wrote:
>
>> It all works pretty well if the client have IPv4 and IPv6
>> _AND_ both works. But to some degree the functionality and
>> user experience goes down if either of IPv4 or IPv6 have
>> problems.
>
> Same is true for a host with two IPv4 addresses and either of
> the IPv4 addresses have problems.
>
> Same is true for a host with two IPv6 addresses and either of
> the IPv6 addresses have problems.
>
> The problem can be solved by carefully designing connection
> establishment protocols to support multiple addresses of a
> host, which means no solution exists at the connectionless
> layer of IP.
>
> Modified TCP, which send multiple SYN to several addresses
> of a peer helps a lot to reduce timeout.

I am pretty sure we can fix the problem if we are prepared to adapt
the stack somewhat.

The alternative is to do nothing and let various people hack the stack
up completely with meat axes and then we will be working round the
consequences for decades.

But really, the challenge is that carrier grade NAT works just fine
for the ISPs who have the decision making power here.

Whatever happens, 4 billion IPv4 addresses is probably more than
enough for the people who really, really care about having an IPv4
address.

The punters want to be on the Web, do video conferencing and maybe do
some SMTP email. That's not much of a demand to work with.


-- 
Website: http://hallambaker.com/


Re: IPv4 depletion makes CNN

2010-06-01 Thread Phillip Hallam-Baker
So we need to extend the UPNP protocol so that when the local NAT box
receives a request to open up an external port, it relays the request
to the carrier NAT.


Or we could do what we did last time and pretend that nobody will
deploy carrier grade NAT if we don't specify a way that it can work
without pain.


On Sun, May 30, 2010 at 11:02 AM, Arnt Gulbrandsen
 wrote:
> On 05/30/2010 04:44 PM, Sabahattin Gucukoglu wrote:
>>
>> BitTorrent is popular, yes.  People at home *are* behind NAT boxes, with
>> all the usual pain that implies *.  It's just that BitTorrent, being a
>> straightforward TCP protocol with no embedded payload addresses **, can
>> operate behind NATs, and those NATs can be configured either manually or
>> automatically by users or their client software ***.  If the NAT should move
>> to the ISP, it seems possible that this is no longer true.
>
> Not quite.
>
> 1. Bittorrent clients connect to each other via TCP. Each connection is
> incoming at one end. Torrent clients mostly use UPNP to accept incoming
> connections.
>
> 2. UPNP is an ethernet-level protocol (it uses UDP/IP broadcasts), so it
> works only if the USER is on the public internet. Hence, NAT within the
> user's network is now very different from NAT within the ISP's network.
>
> That's why I said the wide popularity of bittorrent shows that USERS are on
> the public internet.
>
> Arnt
>



-- 
Website: http://hallambaker.com/


The point is to change it: Was: IPv4 depletion makes CNN

2010-06-01 Thread Phillip Hallam-Baker
We keep coming back to the same old problem and the same reasons we
are going to hope it solves itself without having to change anything.

1) It's the wrong type of pain

IPv4 exhaustion does cause problems, but not really enough problems or
immediate enough problems to create an incentive to move away from the
IPv4 Internet.

It really does not matter very much to the typical Internet user if
there are other people unable to join the party. It matters even less
to them if those people are in far away countries.


2) NAT-NAT IPv4 still beats IPv6

Even with the restrictions of carrier NAT, most Internet users are
going to prefer an Internet connection that gives access to the
millions of IPv4 hosts than the hundreds of IPv6 hosts.

This is an adoption trap. Nobody is going to move to IPv6 unless the
functionality is superior to IPv4.

Saying that IPv6 is X years behind is to miss the point.


3) There is no ask

ISOC and others are very good at putting out these stories warning
about the imminent IPv4 exhaustion.  But this is wasted effort when
the message reaches people who can do nothing in response.

For a message to be effective, there has to be an ask, there has to be
something concrete that the audience can do in response.


As before I will suggest how I would address the issue:

1) Branding

Every technology company that has wanted to establish an
infrastructure to support their product has used branding as leverage.
Remember 'Novell Ready', 'Entrust Ready', 'Windows Vista Ready'?

We need an Internet Next Ready. And when consumers see that brand they
need to know that what they are getting is going to work with the next
generation Internet. Demanding 'Internet Next Ready' in new products,
in Internet service is the ask.


2) Design for deployment

People are not going to use IPv6 if it takes the slightest effort on
their part. People are not going to switch their home networks over to
IPv6 if it means a single device on the network is going to stop
working. In my case it would cost me $4K to upgrade my 48" plotter to
an IPv6 capable system. No way is that going to happen till there are
$50 IPv6 plotters on EBay.

I try to do as little management of my home network as possible. For
the architecture to be acceptable it has to be totally transparent to
me. Otherwise carrier grade NAT is going to be preferable as at least
that is going to work.


3) Create incentives

Even with branding, the incentives have to make sense. Merely having
access to the IPv6 Internet available is not going to cause people to
use it. Pretty much every host on the Internet can use IPSEC at this
point. The portion that use it is ~ 0%.

The way that I plot out a campaign is to list every stakeholder that I
need to take action. I consider the positive/negative balance sheet
from their point of view. I look at the incentive they have to take
action and how they are to get the message that they need to take
action.


Now I can draft out an architecture that would have the necessary
properties quite easily. And so could many others on this list. But
that would be a mistake. In order to get buy in from all the people
whose buy in is needed, they have to be involved at the design stage.

Having had the opportunity to be involved is not the same thing.


RE: IPv4 depletion makes CNN

2010-06-01 Thread Fleischman, Eric
You articulated the view from my knothole. Thanks!

-Original Message-
From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of Brian E 
Carpenter
Sent: Friday, May 28, 2010 1:29 AM
To: David Conrad
Cc: IETF Discussion
Subject: Re: IPv4 depletion makes CNN



No, it means it is going to require double NAT unless providers deploy IPv6.
That is the message that needs to be got across.

   Brian