Re: Why IPv6 is a must?

2001-11-30 Thread J. Noel Chiappa

 From: David R. Conrad [EMAIL PROTECTED]

 More realistically, some might consider IPv4 address allocation
 policies as discouraging the growth of the Internet (I am not among
 them)
 ...
**   Most, if not all, of the same people who are refused IPv4 address
**   allocations will (or should if we expect not to re-create the swamp) be
**   refused allocations of IPv6 addresses.

Holy smoke! That's really major.

This is the first I've heard of this (although it makes technical sense to
try and avoid unaggregable allocations). I hadn't realized the registries
were trying to guard against routing table bloat as well as address space
exhaustion. I'm curious, when did this start, and how was it decided?

Wow.

Noel




RE: Why IPv6 is a must?

2001-11-30 Thread Tony Hain

Noel Chiappa wrote:
 I hadn't realized the registries
 were trying to guard against routing table bloat as well as 
 address space
 exhaustion. I'm curious, when did this start, and how was it decided?

Miss a few meetings and all kinds of things start happening :)





Re: Why IPv6 is a must?

2001-11-30 Thread David R. Conrad

Noel,

At 02:36 PM 11/30/2001 -0500, J. Noel Chiappa wrote:
> **   Most, if not all, of the same people who are refused IPv4 address
> **   allocations will (or should if we expect not to re-create the swamp) be
> **   refused allocations of IPv6 addresses.
> Holy smoke! That's really major.

Huh?  This really shouldn't (at this late date) be a surprise to 
anyone.  RIRs allocate TLAs (or sub-TLAs) to TLA Registries.  TLAs are 
the only prefixes that are supposed to be in the default free zone 
routing tables.  Ergo...

> I hadn't realized the registries
> were trying to guard against routing table bloat as well as address space
> exhaustion. I'm curious, when did this start, and how was it decided?

Ever since the RIRs existed?  See goal number 2 of section 1 of 
ftp://ftp.isi.edu/in-notes/rfc2050.txt or section 2.2.2 of 
http://www.arin.net/regserv/ipv6/IPv6.txt.  As to how it was decided, my 
guess would be by default.

Rgds,
-drc




Re: Why IPv6 is a must?

2001-11-30 Thread Randy Bush

 RIRs allocate TLAs (or sub-TLAs) to TLA Registries.

there are no longer such things as TLAs


randy




Re: Why IPv6 is a must?

2001-11-30 Thread David R. Conrad

At 12:53 PM 11/29/2001 -0500, Keith Moore wrote:
> the only benefit that IPv4 has over IPv6 (relative to routing table
> size) is that IPv4 discourages growth of the Internet.

Only?  Please.

An obvious benefit of v4 over v6 is that it is deployed.  Another benefit
is the operational experience gained over the years running v4
infrastructures.  NAT, despite being the spawn of the devil, at the very
least leverages both of these advantages.

More realistically, some might consider IPv4 address allocation policies as
discouraging the growth of the Internet (I am not among them), but I remain
unconvinced IPv6 address allocation policies will be significantly
different in the aspects that cause people to be discouraged.  Most, if not
all, of the same people who are refused IPv4 address allocations will (or
should if we expect not to re-create the swamp) be refused allocations of
IPv6 addresses.

Rgds,
-drc




No news [Re: Why IPv6 is a must?]

2001-11-29 Thread Brian E Carpenter

Eric Rosen wrote:
...
 Granted, it's  easier to  talk about the  evils of  NAT than to  explain how
 billions of  new routable addresses  are going to  be added to  the existing
 routing system.

They're going to be added by aggregating them much more effectively than
for IPv4 (since the need for aggregation is understood from the start).
The hard part of the problem is mainly what's being discussed in the
MULTI6 WG, plus the issues in draft-iab-bgparch-02.txt

There's no news here. I'm not sure this thread is producing any new ideas.

  Brian




Re: Why IPv6 is a must?

2001-11-29 Thread Eric Rosen

Sure, in  theory one could add  zillions of new  globally routable addresses
without increasing the  size of the routing tables  in the default-free zone
at all. 

The skepticism is about whether there is (or even could be) a realistic plan
to make this happen.




Re: Why IPv6 is a must?

2001-11-29 Thread Meritt James

I wish to express doubt on the (as you mentioned in an aside) there
should be.  Consider what these addresses would be for and the
implications of THAT.

Eric Rosen wrote:
 
 Sure, in  theory one could add  zillions of new  globally routable addresses
 without increasing the  size of the routing tables  in the default-free zone
 at all.
 
 The skepticism is about whether there is (or even could be) a realistic plan
 to make this happen.

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566




RE: Why IPv6 is a must?

2001-11-29 Thread Julia Finnegan

Cheese... this helps... I know it sounds crazy- but it works... but only
brie.

-Original Message-
From: Meritt James [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 29, 2001 9:33 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Why IPv6 is a must?


I wish to express doubt on the (as you mentioned in an aside) there
should be.  Consider what these addresses would be for and the
implications of THAT.

Eric Rosen wrote:
 
 Sure, in  theory one could add  zillions of new  globally routable
addresses
 without increasing the  size of the routing tables  in the default-free
zone
 at all.
 
 The skepticism is about whether there is (or even could be) a realistic
plan
 to make this happen.

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566




Re: Why IPv6 is a must?

2001-11-29 Thread Steve Deering

At 8:36 AM -0500 11/29/01, Eric Rosen wrote:
> Sure, in  theory one could add  zillions of new  globally routable addresses
> without increasing the  size of the routing tables  in the default-free zone
> at all.
>
> The skepticism is about whether there is (or even could be) a realistic plan
> to make this happen.

What's the realistic plan to prevent the IPv4 routing table from growing
to 2^32 route entries?

Steve




RE: Why IPv6 is a must?

2001-11-29 Thread Julia Finnegan

Completely fantasimal

-Original Message-
From: Da Silva, Pedro [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 29, 2001 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Why IPv6 is a must?


That depends on what you mean by 'realistic'

-Original Message-
From: Steve Deering [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 29, 2001 3:02 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Why IPv6 is a must?


At 8:36 AM -0500 11/29/01, Eric Rosen wrote:
Sure, in  theory one could add  zillions of new  globally routable
addresses
without increasing the  size of the routing tables  in the default-free
zone
at all. 

The skepticism is about whether there is (or even could be) a realistic
plan
to make this happen.

What's the realistic plan to prevent the IPv4 routing table from growing
to 2^32 route entries?

Steve




Re: Why IPv6 is a must?

2001-11-29 Thread Bill Manning

% At 8:36 AM -0500 11/29/01, Eric Rosen wrote:
% Sure, in  theory one could add  zillions of new  globally routable addresses
% without increasing the  size of the routing tables  in the default-free zone
% at all. 
% 
% The skepticism is about whether there is (or even could be) a realistic plan
% to make this happen.
% 
% What's the realistic plan to prevent the IPv4 routing table from growing
% to 2^32 route entries?
% 
% Steve

trolling again? :)
Nothing, as long as I don't mind lengthy convergence times.

--bill




Re: Why IPv6 is a must?

2001-11-29 Thread J. Noel Chiappa

 From: Keith Moore [EMAIL PROTECTED]

 forcing most of the internet into a tree structure has its own scaling
 problems.

A tree structure is not at all needed. What is needed is more aggregation.
Please see the definitive mathematical analysis of routing scaling via
aggregation:

  Leonard Kleinrock and Farouk Kamoun, Hierarchical Routing for Large
Networks: Performance Evaluation and Optimization,
Computer Networks 1 (1977), North-Holland Publishing Co., pp. 155-174.

which explains this all clearly.


 the only benefit that IPv4 has over IPv6 (relative to routing table
 size) is that IPv4 discourages growth of the Internet. 

Cazart!, as Hunter Thompson would say.

So perhaps what we really need, instead of IPv6, is something that looks less
like IPv4 (with a few fields made larger).

Noel




Re: Why is this thread alive? (was RE: Why IPv6 is a must?)

2001-11-29 Thread grenville armitage


Ian King wrote:
[..]
 If folks must continue these tired old
 arguments, can this please be moved to an IPv6 forum and/or to a NAT
 forum?

Judging from the new names I see chiming in, not all the pros and cons are
old news to everyone on this list. An education is occurring for people
who've joined [EMAIL PROTECTED] since the last time the topic was thrashed.
Hardly a bad thing.

cheers,
gja




Re: Why IPv6 is a must?

2001-11-29 Thread Keith Moore

 the only benefit that IPv4 has over IPv6 (relative to routing table
 size) is that IPv4 discourages growth of the Internet.
 
 Only?  Please.
 
 An obvious benefit of v4 over v6 is that it is deployed.  

that's why I said relative to routing table size.

Keith




Re: Why IPv6 is a must?

2001-11-29 Thread Keith Moore

 % What's the realistic plan to prevent the IPv4 routing table from growing
 % to 2^32 route entries?
 
 trolling again? :)
 

it's about as reasonable as the question about the IPv6 routing table.

as long as the Internet grows, the routing table is going to grow also.
you might be able to slow the rate of growth, but forcing most of the 
internet into a tree structure has its own scaling problems.

the only benefit that IPv4 has over IPv6 (relative to routing table
size) is that IPv4 discourages growth of the Internet.

Keith




Re: Why IPv6 is a must?

2001-11-29 Thread Bill Manning

% 
%  % What's the realistic plan to prevent the IPv4 routing table from growing
%  % to 2^32 route entries?
%  
%  trolling again? :)
%  
% 
% it's about as reasonable as the question about the IPv6 routing table.
% 
% Keith
% 


back in the day, I told the CIDR/PIARA folks that it would be a good idea 
to plan for 2^32 entries in the routing system and was hooted from the
fora. :)

I stand in respect for Bill Fenner who has agreed to act as the routing area 
AD in guiding the effort to seek, prove, and deploy a reasonable routing solution.


--bill




Re: Why is this thread alive? (was RE: Why IPv6 is a must?)

2001-11-29 Thread Keith Moore

 This thread has been going on for days, and I've seen little but a
 rehash of the NATs are God's gift vs. NATs are the tool of Satan
 that's been going on forever.  Now it's branched off into another thread
 - almost a viral thing.  

heaven forbid we should discuss real technical issues on the IETF -
and even worse, that we should try to discover and illuminate the 
sticking points in the technical debates that divide our community
and keep us from reaching consensus.

perhaps you would prefer that everyone simply read about what is 
happening with the network and not have any input into it?

Keith




Re: Why IPv6 is a must?

2001-11-28 Thread Brian E Carpenter

Peter Deutsch wrote:
...
 
 The moral of the story? Traffic patterns and metadata can be powerful tools and
 one person's junk is another person's data. You should not assume that the
 majority of people shouldn't or wouldn't care about it leaking out, even if at
 first glance it seems pretty mundane.

Absolutely true. Nothing to do with NATs. Any router conceals internal traffic 
patterns. Any router can hide internal addresses that don't talk to the outside. 
All the NAT hides is the number of logically (not physically) distinct hosts 
inside that do talk to the outside. This is not security; it might hide
the IP address of your fridge, but it doesn't hide your fridge.

   Brian




RE: Why IPv6 is a must?

2001-11-28 Thread Codogno Maurizio (Rozzano)


 From: Sandy Wills
  Keith writes:
   .and you can tell a lot about me by
   watching the temperature sensors at my house
   (http://www.cs.utk.edu/~moore/home_temp.html)
  Such as what?

[...]
Also, the general locus of values for outside air temp would imply
 that it's damned cold outside, so he's probably somewhere
 rather closer
 to the North pole than I am.

I beg to differ. Temperatures are not that different from what
I am getting nowadays more or less at 45N: highs are even a bit
better. And the graph of outside temperature matches the
theoretical model, which says that minimum is reached an hour or
so after sunrise (and you took into account the fact that the
time is probably not measured from sun at noon, but there is an
official time zone...)

Ok, I quit :-)
ciao, .mau.




Re: Why IPv6 is a must?

2001-11-28 Thread John Stracke

 entirely agree.  and you can tell a lot about me by
 watching the temperature sensors at my house
 (http://www.cs.utk.edu/~moore/home_temp.html)

Such as what?

Whether he's gone on vacation, probably--since he's at a .edu, there's a 
good chance he gets a week or two off at Christmas; if he goes away at 
that time, he'll probably turn down his thermostat before he goes, and 
it'll show up on the sensors.  A water meter would be an even more 
reliable indicator.

Burglars, obviously, prefer to break into empty houses; watching every 
house in town is too much work, but having a tool do it for you over the 
net would be easy.

Hmm.  I bet the current data-over-water-pipes meters are subject to 
tapping--since the pipes run into everybody's home, it'd be like a shared 
Ethernet.  With the right cable (say, a single wire from the pipe to the 
serial port, maybe with an amplifier), and a bit of software, you could 
monitor your neighbors' water usage.  The water companies probably didn't 
think to encrypt the data.  Once again, trusting the topology is a Bad 
Thing.

/===\
|John Stracke   |Principal Engineer |
|[EMAIL PROTECTED]  |Incentive Systems, Inc.|
|http://www.incentivesystems.com|My opinions are my own.|
|===|
|A mime is a wonderful thing to waste.  |
\===/




RE: Why IPv6 is a must?

2001-11-28 Thread Charles Adams

If it hides the IP address of your fridge, wouldn't that impair anyone from
drinking your milk?  If access to the resource is blocked using NAT, then
isn't that aspect of security inherent to NAT?

Charles

 +-+-+
 |  Charles Adams  |  US Pipe and Foundry|
 |  Network Security Admin |  3300 1st Avenue North  |
 |  [EMAIL PROTECTED]  |  Birmingham, AL 35222   |
 +-+-+

All opinions expressed here are solely my own.


Peter Deutsch wrote:
...
 
 The moral of the story? Traffic patterns and metadata can be powerful
tools and
 one person's junk is another person's data. You should not assume that the
 majority of people shouldn't or wouldn't care about it leaking out, even
if at
 first glance it seems pretty mundane.

Absolutely true. Nothing to do with NATs. Any router conceals internal
traffic 
patterns. Any router can hide internal addresses that don't talk to the
outside. 
All the NAT hides is the number of logically (not physically) distinct hosts

inside that do talk to the outside. This is not security; it might hide
the IP address of your fridge, but it doesn't hide your fridge.

   Brian




Re: Why IPv6 is a must?

2001-11-28 Thread Michael Richardson


>>>>> "Sandy" == Sandy Wills [EMAIL PROTECTED] writes:
    Sandy> If his thermometers (and his thermostat) are available through the
    Sandy> web, perhaps we could run some tests here  What kind of
    Sandy> experiments would we need to run, in order to tie this sub-thread back
    Sandy> into the security discussion?

  Are these thermometers tied at all to his furnace?

  If we can manipulate one (say the external one) either by putting foil
around it or insulation on top of it, can we cause his furnace to misbehave?
(Worse would be if we can do this with SNMP Set's...) 
  
  With finer resolution data we might be able to determine when he wakes up
in the morning, how late he is up each day. Why is the basement temperature
important? Maybe he has an office there? No, looks too cold.

  As for him being further north - I suspect that he is rather at higher
elevations as it does look cold for Kentucky. 

  As for the comments about C/F --- the presence of F at all means that he
was raised in the US. The presence of C means that he is an academic. 

]   ON HUMILITY: to err is human. To moo, bovine.   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another NetBSD/notebook using, kernel hacking, security guy);  [




Re: Why IPv6 is a must?

2001-11-28 Thread Meritt James

Here is a point - what kind of IA would go on these accessible
devices?  Do you WANT to be able to address (and control) your fridge
remotely?  How about your home heating?  Want to come home to find a
disgruntled hacker thought it funny to have your fridge turned off and
130 degrees in your house?

Charles Adams wrote:
 
 If it hides the IP address of your fridge, wouldn't that impair anyone from
 drinking your milk?  If access to the resource is blocked using NAT, then
 isn't that aspect of security inherent to NAT?
 
 Charles
 
  +-+-+
  |  Charles Adams  |  US Pipe and Foundry|
  |  Network Security Admin |  3300 1st Avenue North  |
  |  [EMAIL PROTECTED]  |  Birmingham, AL 35222   |
  +-+-+
 
 All opinions expressed here are solely my own.
 
 Peter Deutsch wrote:
 ...
 
  The moral of the story? Traffic patterns and metadata can be powerful
 tools and
  one person's junk is another person's data. You should not assume that the
  majority of people shouldn't or wouldn't care about it leaking out, even
 if at
  first glance it seems pretty mundane.
 
 Absolutely true. Nothing to do with NATs. Any router conceals internal
 traffic
 patterns. Any router can hide internal addresses that don't talk to the
 outside.
 All the NAT hides is the number of logically (not physically) distinct hosts
 
 inside that do talk to the outside. This is not security; it might hide
 the IP address of your fridge, but it doesn't hide your fridge.
 
Brian

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566




RE: Why IPv6 is a must?

2001-11-28 Thread Kenton Klein

If the url of Keith's home monitoring can be part of the equation,
one must not overlook that he is not only an .edu, but at the University
of Tennessee, in Knoxville, Tennessee 37996 USA.

On UTK's website you will find academic holidays;
as well as Keith's office location, phone numbers,
and title Dist. Res. Prf-CompSci.

His business card on the contact page, reveals the exact location of his
personal home page, http://www.cs.utk.edu/~moore/of,
where one may find additional information on his past works and hacks for
fun.

Then go to http://www.lycos.com for a people search, and locate his home
number and house with a map and directions.

Need anything else?


Kenton


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John
Stracke
Sent: Wednesday, November 28, 2001 8:52 AM
To: IETF Discussion
Subject: Re: Why IPv6 is a must?


 entirely agree.  and you can tell a lot about me by
 watching the temperature sensors at my house
 (http://www.cs.utk.edu/~moore/home_temp.html)

Such as what?

Whether he's gone on vacation, probably--since he's at a .edu, there's a
good chance he gets a week or two off at Christmas; if he goes away at
that time, he'll probably turn down his thermostat before he goes, and
it'll show up on the sensors.  A water meter would be an even more
reliable indicator.

Burglars, obviously, prefer to break into empty houses; watching every
house in town is too much work, but having a tool do it for you over the
net would be easy.

Hmm.  I bet the current data-over-water-pipes meters are subject to
tapping--since the pipes run into everybody's home, it'd be like a shared
Ethernet.  With the right cable (say, a single wire from the pipe to the
serial port, maybe with an amplifier), and a bit of software, you could
monitor your neighbors' water usage.  The water companies probably didn't
think to encrypt the data.  Once again, trusting the topology is a Bad
Thing.

/===\
|John Stracke   |Principal Engineer |
|[EMAIL PROTECTED]  |Incentive Systems, Inc.|
|http://www.incentivesystems.com|My opinions are my own.|
|===|
|A mime is a wonderful thing to waste.  |
\===/




Re: Why IPv6 is a must?

2001-11-28 Thread Eric Rosen


Brian> NAT has simply pushed us back to the pre-1978 situation. 

On the contrary, NAT has  allowed us to maintain global connectivity without
requiring every system  to have a globally unique address.   NAT is what has
prevented us from returning to the pre-1978 situation.  

That's not  to say  it wouldn't be  better to  have a million  more globally
unique addresses.  Sure  it would, unless that would  stress out the routing
system  unduly.  If  adding a  million more  globally unique  addresses will
stress out  the routing system, then  one might argue that  a solution which
provides the  addresses but doesn't  change the routing system  isn't really
deployable, and hence  doesn't really solve the addressing  problem. I think
this is the point  that Noel keeps trying to drive home,  and I'm not sure I
understand what the answer is supposed to be. 




RE: Why IPv6 is a must?

2001-11-28 Thread John Stracke

> If it hides the IP address of your fridge, wouldn't that impair anyone from
> drinking your milk?

No.  That NAT can still be attacked, or other machines behind the NAT can 
be attacked, and used to attack the fridge.  Or the server the fridge 
talks to may be subverted.

/=\
|John Stracke   |Principal Engineer   |
|[EMAIL PROTECTED]  |Incentive Systems, Inc.  |
|http://www.incentivesystems.com|My opinions are my own.  |
|=|
|Beware of wizards, for you are crunchy and good with ketchup.|
\=/




Re: Why IPv6 is a must?

2001-11-28 Thread Brian E Carpenter

Eric,

First of all we are talking about several billion more addresses.

Second, you're correct, the NAT kludge has allowed us to delay
IPv6, i.e. simulate global connectivity some of the time. But
it is hardly a strategy for the next hundred years.

IPv6 was designed to help address aggregation, i.e. at least to
start from a point not worse than CIDR. But it was a conscious
choice not to try to invent a new routing model at the same
time. We know that. We have to solve that, *and* we need the
several billion addresses too.

  Brian

Eric Rosen wrote:
 
 Brian NAT has simply pushed us back to the pre-1978 situation.
 
 On the contrary, NAT has  allowed us to maintain global connectivity without
 requiring every system  to have a globally unique address.   NAT is what has
 prevented us from returning to the pre-1978 situation.
 
 That's not  to say  it wouldn't be  better to  have a million  more globally
 unique addresses.  Sure  it would, unless that would  stress out the routing
 system  unduly.  If  adding a  million more  globally unique  addresses will
 stress out  the routing system, then  one might argue that  a solution which
 provides the  addresses but doesn't  change the routing system  isn't really
 deployable, and hence  doesn't really solve the addressing  problem. I think
 this is the point  that Noel keeps trying to drive home,  and I'm not sure I
 understand what the answer is supposed to be.




Re: Why IPv6 is a must?

2001-11-28 Thread Brian E Carpenter

Look, either your fridge is accessible from outside so that you can check
how much milk you have from the office, or it isn't. That's independent
of whether its address happens to be NATted. It's dependent on the
security policy you choose to apply.

   Brian

Charles Adams wrote:
 
 If it hides the IP address of your fridge, wouldn't that impair anyone from
 drinking your milk?  If access to the resource is blocked using NAT, then
 isn't that aspect of security inherent to NAT?
 
 Charles
 
  +-+-+
  |  Charles Adams  |  US Pipe and Foundry|
  |  Network Security Admin |  3300 1st Avenue North  |
  |  [EMAIL PROTECTED]  |  Birmingham, AL 35222   |
  +-+-+
 
 All opinions expressed here are solely my own.
 
 Peter Deutsch wrote:
 ...
 
  The moral of the story? Traffic patterns and metadata can be powerful
 tools and
  one person's junk is another person's data. You should not assume that the
  majority of people shouldn't or wouldn't care about it leaking out, even
 if at
  first glance it seems pretty mundane.
 
 Absolutely true. Nothing to do with NATs. Any router conceals internal
 traffic
 patterns. Any router can hide internal addresses that don't talk to the
 outside.
 All the NAT hides is the number of logically (not physically) distinct hosts
 
 inside that do talk to the outside. This is not security; it might hide
 the IP address of your fridge, but it doesn't hide your fridge.
 
Brian




RE: Why IPv6 is a must?

2001-11-28 Thread Charles Adams


 Look, either your fridge is accessible from outside so that you can check
 how much milk you have from the office, or it isn't. That's independent
 of whether its address happens to be NATted. It's dependent on the
 security policy you choose to apply.

Brian




So does that mean that if I take down my firewall (i.e. my security policy),
you'll be able to ping my servers whose addresses are NATted???

Let me propose a new question

If there is a means for all hosts to have addresses that are reachable from
all other hosts (barring that a security policy is in place), will companies
renumber their internal networks to coincide with this addressing scheme?

If we (the Internet community) used private addresses and NAT for all hosts
that do not want/need/require access from the Internet, would the addressing
problem be as much of a problem as it appears to be?  If we are as generous
with the IPv6 addresses, how soon before we have the same address problem?

Charles




RE: Why IPv6 is a must?

2001-11-28 Thread Tony Hain

Charles Adams wrote:
 If there is a means for all hosts to have addresses that are
 reachable from
 all other hosts (barring that a security policy is in place),
 will companies
 renumber their internal networks to coincide with this
 addressing scheme?

 If we (the Internet community) used private addresses and NAT
 for all hosts
 that do not want/need/require access from the Internet, would
 the addressing
 problem be as much of a problem as it appears to be?  If we
 are as generous
 with the IPv6 addresses, how soon before we have the same
 address problem?


If you want a set of hosts to be only reachable internally, then set the
policy to use site local addresses. For the set of nodes that need both
internal addresses and external addresses, you don't need NAT like you
do for IPv4, because each IPv6 host will have both a site-local & a
global address to use. This will use exactly the same amount of address
space as a static-mapped non-port-sharing IPv4 NAT, and has exactly the
same security implications. The difference is that with IPv6, the end
host knows its real address, and can take advantage of that knowledge
for protocols that need it (IPsec, H.323, FTP, etc). The only way the
IPv4/NAT scenario limits address usage is when ports are shared, which
limits which devices get a given port and when.

Tony




Re: Why IPv6 is a must?

2001-11-28 Thread John Stracke

> billions of  new routable addresses  are going to  be added to  the existing
> routing system.

That's not a useful measure--what matters is the number of prefixes, not 
the number of addresses.  If everyone on the planet magically converted 
from IPv4 to IPv6, and kept the same topology, the number of prefixes 
would not increase.

...modulo multihoming...

/\
|John Stracke   |Principal Engineer  |
|[EMAIL PROTECTED]  |Incentive Systems, Inc. |
|http://www.incentivesystems.com|My opinions are my own. |
||
|He wondered if Elli was going to buy that explanation. His taste|
|for heavily-armed girlfriends did have its drawbacks.   |
\/




Re: Why IPv6 is a must?

2001-11-28 Thread Steve Deering

At 3:23 PM -0500 11/28/01, Eric Rosen wrote:
> Granted, it's  easier to  talk about the  evils of  NAT than to  explain how
> billions of  new routable addresses  are going to  be added to  the existing
> routing system.

It's not the size (of the address) that matters, but how you use it.

Whether you assign one IPv4 address per subscriber and make them use NAT,
or give them each a block of a zillion IPv6 addresses, the routing cost
is the same.

If you really believe it's the total number of addresses that determines
the size/cost of the routing system, you'd better start working on moving
the world away from IPv4 to IPv-1 with 17-bit addresses.

Steve
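
The claim in the two messages above (John Stracke's "number of prefixes, not the number of addresses ... modulo multihoming" and Steve Deering's "the routing cost is the same") can be checked by counting table entries. This is an added example, not code from the thread; the provider names, the subscriber count of 256 and the documentation prefixes are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

SUBSCRIBERS = 256  # assumed size of one provider's customer base


def aggregate(prefixes):
    """What one origin announces after aggregating the prefixes it holds."""
    by_version = defaultdict(list)
    for p in prefixes:
        net = ipaddress.ip_network(p)
        by_version[net.version].append(net)
    announced = []
    for version in sorted(by_version):
        # collapse_addresses merges sibling blocks and drops covered more-specifics
        announced.extend(ipaddress.collapse_addresses(by_version[version]))
    return announced


def dfz_table(originations):
    """originations: {origin: [prefix, ...]}.

    Each origin aggregates only what it originates itself. The default-free
    zone carries the union: a prefix heard from a different origin has a
    different path, so it cannot be folded into someone else's aggregate.
    """
    table = set()
    for prefixes in originations.values():
        table.update(aggregate(prefixes))
    return table


def addresses_covered(table):
    """Distinct addresses reachable through the table (overlaps counted once)."""
    return sum(n.num_addresses for n in aggregate(str(n) for n in table))


def scenarios():
    """Return {scenario: (routes in the DFZ, addresses covered)}."""
    v4 = [f"198.51.100.{i}/32" for i in range(SUBSCRIBERS)]    # one address each, NAT behind it
    v6 = [f"2001:db8:{i:x}::/48" for i in range(SUBSCRIBERS)]  # one /48 each
    cases = {
        # Subscribers numbered out of the provider's block: one aggregate.
        "ipv4_nat": {"ISP-A": v4},
        "ipv6_provider_aggregated": {"ISP-A": v6},
        # The "swamp": the same /48s, but each site originates its own prefix.
        "ipv6_swamp": {f"site-{i}": [p] for i, p in enumerate(v6)},
        # One subscriber also announces its /48 through a second provider.
        "ipv6_one_multihomed": {"ISP-A": v6, "ISP-B": ["2001:db8:10::/48"]},
    }
    return {
        name: (len(dfz_table(orig)), addresses_covered(dfz_table(orig)))
        for name, orig in cases.items()
    }


if __name__ == "__main__":
    for name, (routes, addrs) in scenarios().items():
        print(f"{name:26s} routes={routes:4d} addresses=2^{addrs.bit_length() - 1}")
```

The aggregated IPv4 and IPv6 cases cost one route each although the IPv6 case covers 2^88 addresses; the table only grows when the same addresses are originated independently or announced through a second provider.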




Re: Why IPv6 is a must?

2001-11-28 Thread R.P. Aditya

On Wed, Nov 28, 2001 at 03:35:21PM -0500, Keith Moore wrote:
  The  situation today  with NAT  is that  hosts in  separate realms  can only
  communicate in 99% of the desired applications, 
 
 to the extent this is true, it's only because the only applications 
 that people become aware of, are those that can run over NAT.  many
 more useful applications exist, but since they can survive only in  
 less restricted environments, they aren't as well-known. 

I agree entirely; I will just note, <sarcasm>curiously</sarcasm>, that the
explosive growth of the Internet coincides with the widespread desire for
access to a *few* client-server type applications. It's not clear that
growth in those applications cannot be satisfied by NATized environments. That
said, the network cannot be designed for just that paradigm of application.

I'm hoping there will be a different class of killer application that will
attract many more people to the Internet and more than likely, I suspect it
will _not_ be amenable to a NATized environment.

 if you're willing to constrain those billions of addresses to use
 a single path to the net (as NAT does) then the existing routing
 system does just fine.

We could also hope that the next set of killer applications be more
adaptable and carry sessions over multiple paths with multiple addresses at
the endpoints as end-host multihoming is likely to be more scaleable than the
present regime. That would mean not having to give up multihoming for future
applications and having to build shims for current ones if no magic bullet
routing system is found for IPv6 that allows multihoming as familiar as is
common under IPv4.

Anyone have an idea for robust source-address selection? anyone?

Adi




Re: Why IPv6 is a must?

2001-11-28 Thread Eric Rosen


Eric> NAT is what has prevented us from returning to the pre-1978 situation.  

Keith> this is true only if you believe that [blah blah blah]

The  situation today  with NAT  is that  hosts in  separate realms  can only
communicate in 99% of the desired applications, though perhaps this falls to
80%  if  one  stubbornly  ignores   the  existence  of  tunneling  and  port
redirection.

Pre-1978,  you were  either directly  attached to  the Arpanet  or  you were
pretty much out of luck. 

You have to be very much in  the grip of a theory to regard these situations
as comparable. 

Granted, it's  easier to  talk about the  evils of  NAT than to  explain how
billions of  new routable addresses  are going to  be added to  the existing
routing system. 








Re: Why IPv6 is a must?

2001-11-28 Thread Keith Moore

  Do you WANT to be able to address (and control) your fridge remotely?  

not unless the fridge also maintains its own inventory and orders 
more milk when its inventory gets low.

 How about your home heating?  

absolutely.  I want to be able to turn the heat down when I'm out of
town, and up before I return, without having to drive home to do this.

 Want to come home to find a disgruntled hacker thought it funny to have 
 your fridge turned off and 130 degrees in your house?

surely you don't think I'd use a Microsoft refrigerator ?

Keith




Re: Why IPv6 is a must?

2001-11-27 Thread Aidan Williams

Caitlin Bestler wrote:

   3) new devices that plug into residential networks (mostly new)
  
   What stops the new devices from having v4 with NAT to translate between the
   internet and the house.
 
  nothing stops them, but if you want to access the devices from outside the
  house (and in many cases that's the point of such devices) then NAT gets
  in the way.
 
  Keith
 

 That's exactly why you want NAT/firewalling and other existing mechanisms.
 These are devices that do not require global addressability. In fact they
 SHOULD NOT be globally addressable.


SHOULD NOT be globally addressable?  Every conceivable device in
the home?  That's quite a broad policy to impose on home networks.

I draw two distinctions:
  - firewalling is a technology designed to implement policy
  - NAT is intended to enable connectivity

It is quite possible for globally addressable IPv6 devices to be firewalled
according to some policy, i.e. IPv6 supports *both* global connectivity
and security of the firewalling variety.

 IPv6 needs to be justified on the number of nodes that truly need a
 globally accessible public address, not by insisting on counting devices
 that should remain anonymous or under limited (and controlled) visibility.


I think it was being justified on the basis of enabling connectivity,
specifically from outside-the-home to inside-the-home.  This is a
problematic scenario for privately addressed IPv4 networks using NAT.

Also, there is no reason why IPv6 devices in the home can't decline
global addresses and stick with link-local or site-local addressing.

 At times I suspect an administrative standard for uniquely referring
 to a private IP address is a specific private IP network would have
 been the only required improvement in global addressing.

Like RSIP?

- aidan




Re: Why IPv6 is a must?

2001-11-27 Thread Michael Richardson


 John == John Stracke [EMAIL PROTECTED] writes:
John Think water meters.  Utility companies would love to be able to
John stop sending out expensive
John humans just to read one dial at each customer each month.  You *could*
John have a reverse proxy in your home NAT, but that gets harder to
John standardize; "does customer X have a compatible NAT?" is a harder question
John than "does customer X have an IPv6 network?".  Besides, if you've

  And, given shipworm, if the water meter sees no router advertisements, but
notices DHCP, it does that, and does either IPv6-over-UDP-through-NAT, or
just plain 6to4 if possible. You run IPsec over that with manual keys that are
configured into the meter when it was installed.

  As you say - the water company does want security.

  Why would anyone pay for this? Well, not for water or electricity in these
parts, but in places where either is scarce, you need this to provide
variable water/electricity rates (In most places in Canada a Hydro bill is
for electricity, which speaks for the abundance of one leading to the
abundance of the other...)

]   ON HUMILITY: to err is human. To moo, bovine.   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another NetBSD/notebook using, kernel hacking, security guy);  [




Re: Why IPv6 is a must?

2001-11-27 Thread Michael Richardson


 Anthony == Anthony Atkielski [EMAIL PROTECTED] writes:
Anthony That's exactly why you only need one telephone per family.
Anthony These are people who don't need to be individually reachable.

  Families are going toward a telephone per person with caller id and/or
distinctive ring to figure out who should answer. That sure sounds like NAT
to me!

  They would take a phone number per person, but somehow there aren't enough
phone numbers available cheaply enough or a mechanism to communicate them to
the end-node to make this work.

  Mobile phone companies are offering cell phones for each member of the
family with calling plans.
  My wife and I possess a total of 5 telephone numbers (counting mobile and
pagers) because the phone company does not offer the equivalent of mobileIP.

  Plus her work number, at which I can't reach her after the receptionist has
gone home, and her mobile phone is non-functional due to building issues, but
that's okay since her patient's pace-makers prefer it that way.

Anthony That's also exactly why you only need one telephone per
Anthony business.  These are employees who don't need to be individually
Anthony reachable.  The receptionist can have one telephone, and he or
Anthony she can just physically bring any other employee who needs to be
Anthony contacted to the phone in the reception area.

  That works for some businesses perhaps. It fails in most white collar work.

  Ever try to get ahold of someone *AFTER THE RECEPTIONIST HAS GONE HOME*?

]   ON HUMILITY: to err is human. To moo, bovine.   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another NetBSD/notebook using, kernel hacking, security guy);  [




Re: Why IPv6 is a must?

2001-11-27 Thread John Stracke

If a node only requires accessibility by a few specialized nodes (such
as a water meter) then making it *visible* to more is just creating
a security hole that has to be plugged.

Yes, the hole can be plugged easily.

If there's a security hole in the meter, putting a firewall in front of it 
won't help.  Remember that the person most likely to be interested in 
hacking the meter is the customer (reduce their costs); the water 
company's engineers should consider the LAN the *most* likely point of 
attack, not the least likely.

Meanwhile, if the meter is insecure, the customer should not allow it on 
their LAN, because it might get used as a way to attack the LAN.  (This 
applies even if the meter uses only outbound connections, as through a 
NAT; if the attacker can spoof the water company's DNS, then they can feed 
the meter false instructions.)

So, firewalls (and NATs) don't meet either party's needs.  Only true 
security on the device itself will do.  You might also want a firewall to 
protect the rest of the LAN in case the device's security fails; but 
protecting the device from the outside world is irrelevant.  Once again, 
security and visibility are orthogonal.

/\
|John Stracke   |Principal Engineer  |
|[EMAIL PROTECTED]  |Incentive Systems, Inc. |
|http://www.incentivesystems.com|My opinions are my own. |
||
|Never underestimate the power of human stupidity. --I forget who|
\/
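The point of the message above, that only security on the device itself meets both parties' needs, shown as an added example that is not part of the thread. HMAC-SHA-256 over a per-meter key stands in here for the manually keyed IPsec mentioned elsewhere in the thread; the meter id, key, readings and addresses are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed key table: one secret per meter, installed with the meter.
METER_KEYS = {"meter-0001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def seal_reading(meter_id, key, counter, litres):
    """Meter side: bind the reading and a monotonic counter to the meter's key."""
    body = struct.pack("!QQ", counter, litres)
    tag = hmac.new(key, meter_id.encode() + b"|" + body, hashlib.sha256).digest()
    return {"meter_id": meter_id, "body": body, "tag": tag}


def tamper(report, counter, litres):
    """What a customer on the LAN can do: rewrite the body, but not the tag."""
    altered = dict(report)
    altered["body"] = struct.pack("!QQ", counter, litres)
    return altered


class Collector:
    """Utility side: the verdict never depends on where the packet came from."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}
        self.log = []  # (source address, verdict), kept for audit only

    def accept(self, report, source_ip):
        verdict = self._check(report)
        self.log.append((source_ip, verdict))
        return verdict

    def _check(self, report):
        key = self.keys.get(report["meter_id"])
        if key is None:
            return "unknown-meter"
        if len(report["body"]) != 16:
            return "malformed"
        msg = report["meter_id"].encode() + b"|" + report["body"]
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report["tag"]):
            return "bad-tag"
        counter, _litres = struct.unpack("!QQ", report["body"])
        if counter <= self.last_counter.get(report["meter_id"], -1):
            return "replay"
        self.last_counter[report["meter_id"]] = counter
        return "ok"


def demo():
    key = METER_KEYS["meter-0001"]
    collector = Collector(METER_KEYS)
    genuine = seal_reading("meter-0001", key, 1, 48210)
    results = [
        # Genuine report arriving through a NAT's public address.
        collector.accept(genuine, "203.0.113.7"),
        # The same report captured and sent again.
        collector.accept(genuine, "203.0.113.7"),
        # Customer lowers the reading on the home LAN; the tag no longer matches.
        collector.accept(tamper(genuine, 2, 100), "10.0.0.5"),
        # Sender on an "inside" address who does not hold the meter's key.
        collector.accept(seal_reading("meter-0001", b"\x00" * 16, 2, 100), "10.0.0.5"),
        # Next genuine report over a globally addressed IPv6 path.
        collector.accept(seal_reading("meter-0001", key, 2, 48950), "2001:db8::1234"),
    ]
    return results


if __name__ == "__main__":
    print(demo())
```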




Re: Why IPv6 is a must?

2001-11-27 Thread Ken Hornstein

  Plus her work number, at which I can't reach her after the receptionist has
gone home, and her mobile phone is non-functional due to building issues, but
that's okay since her patient's pace-makers prefer it that way.

Let me see if I understand this correctly ... your wife is behind a NAT
(the receptionist) and it's causing a denial of service? :-)

--Ken




Re: Why IPv6 is a must?

2001-11-27 Thread Brian E Carpenter

Lloyd Wood wrote:
 
 On Mon, 26 Nov 2001, Caitlin Bestler wrote:
...
  My point remains, a globally meaningful address is something that
  should only be applied when it is useful for that endpoint to
  be globally addressable.
 
 I think we're lucky that this point was not applied to the design of
 IP twenty-odd years ago. We'd then have a bunch of restricted gateways
 that translate email - badly - no universal telnet, no universal ftp,
 and certainly no web...

Actually, it *was* applied earlier (by default), and it was as a 
result of the ensuing disconnects and general uselessness that
the Internet (a.k.a. Catenet) concept was developed  by Pouzin,
Cerf and Kahn. NAT has simply pushed us back to the pre-1978
situation. The references are in RFC 2775, section 2.3.

   Brian




Re: Why IPv6 is a must?

2001-11-27 Thread Keith Moore

 Let me see if I understand this correctly ... your wife is behind a NAT
 (the receptionist) and it's causing a denial of service? :-)

close.  the receptionist is an ALG.




Re: Why IPv6 is a must?

2001-11-27 Thread Michael Richardson


 Keith == Keith Moore [EMAIL PROTECTED] writes:
 Let me see if I understand this correctly ... your wife is behind a NAT
 (the receptionist) and it's causing a denial of service? :-)

Keith close.  the receptionist is an ALG.

  Application Layer Gateway. Yes, that's precisely true.

  Caused by the lack of ability to address the phone in her lab directly.
  PBXs with extensions are just the application layer gateways that speak DTMF.

  The point is that: the phone certainly should *NOT* be held up as an
example of a system that functions well despite lack of end-node
identification. In fact, large amounts of money have been spent (and made,
which is the problem - it created new opportunities, which people want to
exploit. Ditto for NAT) on the problem.

]   ON HUMILITY: to err is human. To moo, bovine.   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another NetBSD/notebook using, kernel hacking, security guy);  [
  
  




Re: Why IPv6 is a must?

2001-11-27 Thread Anthony Atkielski

Michael writes:

 Families are going toward a telephone per person
 with caller id and/or distinctive ring to figure
 out who should answer. That sure sounds like NAT
 to me!

How so?  Are they all using the same telephone number?

 They would take a phone number per person, but
 somehow there aren't enough phone numbers available
 cheaply enough or a mechanism to communicate
 them to the end-node to make this work.

Where is this?

 My wife and I possess a total of 5 telephone
 numbers (counting mobile and pagers) because the
 phone company does not offer the equivalent
 of mobileIP.

So how is this anything like NAT?  NAT would be one telephone number.

 That works for some businesses perhaps. It fails
 in most white collar work.

It fails in all businesses, in this century.

 Ever try to get ahold of someone *AFTER THE
 RECEPTIONIST HAS GONE HOME*?

Ever try to connect to machine B when NAT insists on directing all incoming
connections to a given port on the one and only external IP address to machine
A?






Re: Why IPv6 is a must?

2001-11-27 Thread Peter Deutsch



Anthony Atkielski wrote:
 
 Caitlin writes:
 
  If a node only requires accessibility by a
  few specialized nodes (such as a water meter)
  then making it *visible* to more is just
  creating a security hole that has to be plugged.
 
 Only if the information made thus available itself constitutes a security
 breach, which is not necessarily the case.  Knowing how much water someone
 consumes or how many cans of Coke remain in a distributing machine would
 probably not be a security issue for most users...

I can't help myself.

Actually, having access to such stats as amount of power used, coke consumed,
late-night pizzas ordered from the Pentagon, or number of routine status
messages transmitted from ships of a specific call sign, can reveal a surprising
amount of detail.

It's fairly well known that the Americans had broken the Japanese codes during
World War II, but it's less well known that this was not a one shot break, but
an ongoing process of breaks, loss of capability and rebreaks. Periodically the
Japanese would reissue their code books and change the callsigns of their
various ships. The U.S. code breakers would then have to recreate their
penetration by identifying each vessel's new call sign, identify specific
message types and using these to rediscover the code groups.

One technique they had for this was to detect traffic patterns from specific
callsigns; by detecting similar patterns before and after the change, they could
identify specific ships. They could then attack the message traffic looking for
identical or similar messages, which in turn would lead to new breaks into the
system. Another technique was to monitor ambient traffic patterns. A spike in
traffic for a vessel or group would indicate potential upcoming operations,
especially if you were monitoring major capital ships.

Operations research has come a long way since then, and these or similar
techniques are now used in industry for marketing and sales purposes. U.S. law
enforcement was even using power consumption (as measured by infrared detectors)
as an indicator of potential pot growing in your hydroponic basement garden for
a while. This last one ran afoul of the illegal search and seizure bits of the
U.S. constitution but The World Is A Very Big Place and not everybody might be
as picky as the U.S. on such things.

The moral of the story? Traffic patterns and metadata can be powerful tools and
one person's junk is another person's data. You should not assume that the
majority of people shouldn't or wouldn't care about it leaking out, even if at
first glance it seems pretty mundane.


- peterd


-- 
--
Peter Deutsch work email:  [EMAIL PROTECTED]
Director of Engineering
Edge Delivery Products
Content Networking Business Unit private:  [EMAIL PROTECTED]
Cisco Systems



  Many people can predict the future. Me, I can predict the past...

--




Re: Why IPv6 is a must?

2001-11-27 Thread Anthony Atkielski

Peter writes:

 I can't help myself.

So I see.

 Actually, having access to such stats as amount
 of power used, coke consumed, late-night pizzas
 ordered from the Pentagon, or number of routine
 status messages transmitted from ships of a specific
 call sign, can reveal a surprising amount of detail.

Yes, but it does not necessarily reveal anything you wish to keep secret, and
even if it does, the traffic analysis required to recover the information may be
more costly than the information is worth.

 It's fairly well known that the Americans had
 broken the Japanese codes during World War II,
 but it's less well known that this was not a one
 shot break, but an ongoing process of breaks,
 loss of capability and rebreaks.

So I suppose anyone planning to bomb Pearl Harbor should use NAT.

 U.S. law enforcement was even using power consumption
 (as measured by infrared detectors) as an indicator
 of potential pot growing in your hydroponic basement
 garden for a while.

They need to recalibrate their equipment.  I don't have a garden.  I don't even
have a basement.

 This last one ran afoul of the illegal search
 and seizure bits of the U.S. constitution but
 The World Is A Very Big Place and not everybody
 might be as picky as the U.S. on such things.

The U.S. is getting pretty fast and loose on the respect of these rights, too.

 The moral of the story? Traffic patterns and metadata
 can be powerful tools and one person's junk is
 another person's data.

Sure ... but I really don't think that monitoring Coke machines or water meters
is likely to be a source of major security breaches.  And for anyone who feels
otherwise, there are firewalls, proxies, NAT, and so on.

 You should not assume that the majority of people
 shouldn't or wouldn't care about it leaking out,
 even if at first glance it seems pretty mundane.

I'm not merely assuming it, I'm certain of it.  Anyone willing to put his
signature on a charge slip that contains all his credit-card information is not
likely to care about someone monitoring his water consumption, and certainly if
he does then he has some pretty skewed priorities.




Re: Why IPv6 is a must?

2001-11-27 Thread Sandy Wills

Anthony Atkielski wrote:
 Keith writes:
  .and you can tell a lot about me by
  watching the temperature sensors at my house
  (http://www.cs.utk.edu/~moore/home_temp.html)
 Such as what?

   Well, for starters, he lists temperature in both F and C, so he's
probably not an American.  In fact, he lists C first, so it's almost
certain that he's not 'Merkin.
   Also, the general locus of values for outside air temp would imply
that it's damned cold outside, so he's probably somewhere rather closer
to the North pole than I am.  Another conclusion, probably related to
this, is that he consistently keeps his house significantly warmer than
the outside, so he is likely to be a mammal, a bird, or a reptile.

   What else?  Ah, yes investigating the periodic changes in outside
temperature, it becomes clear that it is, in fact, on a daily cycle, but
it's nothing like the skewed sine wave one would expect from a
sun-driven heat system.  It's more like a sawtooth waveform.
   Hmmm.  The temperature is lowest in late morning, long after the sun
would have started warming things up if his idea of outside involved
things that the sun would warm, but then it skyrockets upward until late
afternoon, whereupon it starts a slow drop back down.  Perhaps Keith's
outside air thermometer is _really_ outside, in full view of the sun,
but on the west side of his house so the sun doesn't start cooking it
until about 9 AM or so?  This would explain the absurdly fast
temperature rise that is both compressed, and delayed from normal
daylight heating hours.

   See?  Nothing more than a simple graph, and we have learned a great
deal about this Keith character (and probably more about the rest of
us).

   If his thermometers (and his thermostat) are available through the
web, perhaps we could run some tests here  What kind of
experiments would we need to run, in order to tie this sub-thread back
into the security discussion?

-- 
: Unable to locate coffee.  Operator halted.




Re: Why IPv6 is a must?

2001-11-27 Thread Keith Moore

 Actually, having access to such stats as amount of power used, coke 
 consumed, late-night pizzas ordered from the Pentagon, or number of 
 routine status messages transmitted from ships of a specific call sign, 
 can reveal a surprising amount of detail.

entirely agree.  and you can tell a lot about me by watching the
temperature sensors at my house 
(http://www.cs.utk.edu/~moore/home_temp.html)

security is potentially important for any device or service, no
matter how trivial it seems.  and since you can't rely on network 
topology to provide security, security has to be implemented
- at least partially - by the device itself.

Keith




Re: Why IPv6 is a must?

2001-11-27 Thread Anthony Atkielski

Keith writes:

 entirely agree.  and you can tell a lot about me by
 watching the temperature sensors at my house
 (http://www.cs.utk.edu/~moore/home_temp.html)

Such as what?  Your home heating system cycles frequently, but that's about it.
I can't read the stuff in bright green.




Re: Why IPv6 is a must?

2001-11-27 Thread Keith Moore

 Such as what? 

that would be telling.




Re: Why IPv6 is a must?

2001-11-26 Thread Keith Moore

 3) new devices that plug into residential networks (mostly new)

 What stops the new devices from having v4 with NAT to translate between the
 internet and the house. 

nothing stops them, but if you want to access the devices from outside the
house (and in many cases that's the point of such devices) then NAT gets 
in the way.

Keith




Re: Why IPv6 is a must?

2001-11-26 Thread Brian E Carpenter

Rinka Singh wrote:
 
 Please can you help me understand how it gets in the way.
 
 As I understand these devices would:
 - accept (authenticated) commands - perhaps snmp (there's some thought
 of using sip proxy commands) format.
 - send status/traps (snmp again).
 
 Any NAT would be able to translate both ways - OK it would stumble if
 there was end-to-end encryption but a small device may not have
 encryption capability.  It should be easy to add NAT (one would need a
 router, firewall, gateway/gatekeeper anyway).
 
 If the issue is only that of encryption then I accept your point.  But
 perhaps I'm missing something.  I'm looking for reasons why NAT/v4
 cannot/will not address the needs of the new devices.

If you have a few hundred devices in your house that need to act as
peers (not clients) to devices outside, they need to be addressable.
[we could have a digression on my choice of word, but I think it's
beside the point.] If they are all hidden behind one IPv4 address,
then a sub-addressing system is needed, and I'm not sure what you
think it will be, unless you want to use a well-known port number
for each device. It will just be *easier* to use IPv6 as the
addressing scheme - initially via RFC 3056, I expect. It also
solves the e2e encryption problem, as you say.

   Brian




Re: Why IPv6 is a must?

2001-11-26 Thread John Stracke

That's exactly why you want NAT/firewalling and other existing 
mechanisms.

Red herring alert: firewalling and NAT are orthogonal.  Many NATs include 
a firewall, but that's a market decision, not a technical necessity.

These are devices that do not require global addressability. 

Think water meters.  Utility companies would love to be able to stop sending
out expensive humans just to read one dial at each customer each month.  You
*could* have a reverse proxy in your home NAT, but that gets harder to
standardize; "does customer X have a compatible NAT?" is a harder question
than "does customer X have an IPv6 network?".  Besides, if you've got an
end-to-end connection to the meter, it's easier to verify that the 
customer isn't munging the data in order to reduce their bill.

In fact they
SHOULD NOT be globally addressable.

Why not? If you've got proper security, you can make them available to the 
right people, and block them from the wrong people.

/==\
|John Stracke   |Principal Engineer|
|[EMAIL PROTECTED]  |Incentive Systems, Inc.   |
|http://www.incentivesystems.com|My opinions are my own.   |
|==|
|News flash: Linux now implements RFC-1149, IP over Carrier|
|Pigeon!   |
\==/




Re: Why IPv6 is a must?

2001-11-26 Thread Keith Moore

   IPv6 needs to be justified on the number of nodes that truly need a
   globally accessible public address, not by insisting on counting devices
   that should remain anonymous or under limited (and controlled) visibility.
  
  you appear to be confusing visibility with accessibility.
   
 
 No, that is exactly what I am not confusing.
 
 If a node only requires accessibility by a few specialized nodes (such
 as a water meter) then making it *visible* to more is just creating
 a security hole that has to be plugged.

that's simply false.   security and visibility are largely orthogonal.

the fact that a resource is visible to the network simply means that it is 
potentially accessible, with appropriate credentials, by another party 
on the network.

the common mistake is assuming that accessibility should have something
to do with network topology, or more precisely, with source IP address.
this works only for a limited subset of applications and user communities.

while it might be reasonable to trust such mechanisms for limited-purpose
networks, it's simply naive to insist that such mechanisms are generally
applicable.

 Yes, the hole can be plugged easily.

again, that's simply false.

in general, if an application or an end-system has a security hole
that allows access by unauthorized parties, you can't plug that hole 
by external means.  you may be able to work around the problem using 
a firewall by exploiting network access patterns - for instance, if 
you know in advance that the only legitimate users of a resource are 
located within a particular subnet and you can ensure that the only 
traffic with that subnet's source address actually originated from 
within that subnet.  but this is an exception, not a general rule.

to insist that application security realms should be constrained to 
reflect network topologies is either to severely limit the kinds of 
applications that can be run or to make your network much more expensive
than it needs to be.  and this strategy doesn't hold up in a world
in which the devices you use to access those resources may be attached
to the network via any of a variety of provider networks - and may also
need to be able to access resources on multiple networks.  folks aren't
going to carry separate PDAs to access the office email, the baby cam 
at the day care center, and the home security system.  they're going 
to carry a single PDA and expect it to authenticate to each, independently
of their current location.

 I am merely pointing out that the opportunity to add more rules to
 an IPv6 firewall to plug a security hole that IPv6 created is *not*
 an argument for IPv6.

IPv6 doesn't create any new security holes.  to the extent that
holes exist in applications (and of course they do) that are worked
around by firewalls, it becomes necessary to apply the same filters
for IPv6 that exist for IPv4.  but the holes existed already.  

 Further, NAT boxes are very friendly to meter-type devices. 

false.  many such devices need to be accessible from outside the NAT.
furthermore, meter-type devices are only one kind of application that 
would benefit from global addressability.

 They can receive their IPv4 address via DHCP (eliminating the need
 to administer addresses) 

DHCP is orthogonal to NAT.  You can have DHCP (for better or worse)
without NAT.  

 and then they can contact the collection server. The upper-layer 
 protocols will identify the meter, which they would have done for 
 authentication reasons anyway.

true, but it's irrelevant to your argument - unless you were somehow
presuming that the address would have been used for authentication.

 There are also a large number of solutions using L2 tunneling.

not if you want them to work in arbitrary remote environments.
 
 My point remains, a globally meaningful address is something that
 should only be applied when it is useful for that endpoint to
 be globally addressable.

you haven't said anything to support such an outrageous assertion.

Keith

p.s. of course there are some vulnerabilities that are introduced
whenever you make a network accessible - these include the ability
to exploit security holes on hosts, the ability to scan for potential
targets, and the ability to attack the network itself.  but to the
extent that you can use firewalls to thwart such attacks, you can
do so without NAT.  about the only thing that NAT does for you is to
hide an inside client host's source address as seen from the 
outside. so you could say it provides a measure of privacy.
but it does this in a very inflexible way - it constrains all 
applications (regardless of their needs) on all hosts behind the NAT.
and once you install a NAT, it's very difficult to fix the problems
that the NATs caused.




Re: Why IPv6 is a must?

2001-11-26 Thread Lars Eggert

Caitlin Bestler wrote:

IPv6 needs to be justified on the number of nodes that truly need a
globally accessible public address, not by insisting on counting devices
that should remain anonymous or under limited (and controlled) visibility.

you appear to be confusing visibility with accessibility.
 
 No, that is exactly what I am not confusing.
 
 If a node only requires accessibility by a few specialized nodes (such
 as a water meter) then making it *visible* to more is just creating
 a security hole that has to be plugged.


How do you control visibility? Authentication. How do you control 
accessibility? Authentication. What's the difference? Silently ignoring 
unauthenticated peers vs. replying "go away". Limiting visibility does 
not make a service more secure.


 My point remains, a globally meaningful address is something that
 should only be applied when it is useful for that endpoint to
 be globally addressable.


I have a hard time coming up with *any* service that should be 
restricted to local-only at all times. If you believe that 
authentication works, you may as well make everything world-visible.

I do agree that firewalls can reduce the risk of exposing buggy service 
implementations to the world, e.g. risking buffer overflow attacks, etc. 
This has nothing to do with NATs, however, as others have already 
pointed out.

Lars
-- 
Lars Eggert [EMAIL PROTECTED]   Information Sciences Institute
http://www.isi.edu/larse/  University of Southern California




Re: Why IPv6 is a must?

2001-11-26 Thread Keith Moore

 Devices that are meant to be local-use only can use local scope
 addresses. 

the whole concept of a local-use-only device is somewhat odd.
how can the device manufacturer make assumptions about his customers' 
network topology?  or about the placement of security threats relative
to that topology?

 In addition, to get to an IPv6 node such as a water meter,
 you need to get the address right -- the whole 128 bits of it. If a
 device uses the privacy addresses of IPv6, then the low level 64 bits
 are essentially random. Getting to the device by some form of net-scan
 can prove to be very long, with plenty of opportunity for the network
 police to detect the attack.

the nice thing about privacy addresses is that they can be used
when appropriate for a device or application, and avoided when they're
not appropriate. ideally this should happen on a per-application basis.

Keith




Re: Why IPv6 is a must?

2001-11-26 Thread Bob Braden

  * 
  * My point remains, a globally meaningful address is something that
  * should only be applied when it is useful for that endpoint to
  * be globally addressable.
  * 

That sounds like an appealing statement, but it hides the potential
cost of giving up generality.  Back when TCP/IP was young, the
operating systems researchers in Computer Science departments had just
found a new playpen -- distributed operating systems.  They disdained
TCP/IP, choosing to implement their OS mechanisms on bare Ethernets.
Their statement was that a globally meaningful protocol is something
that should be applied only when it is useful for the endpoints to be
globally reachable.  Since all their boxes were local, and for
efficiency, they insisted on running directly over the link layer.
(And BTW, there was only one link layer, Ethernet ;-))  We told them
that the day would come when they would want the general connectivity
of IP, but they were, as I said, disdainful.  It took a few years for
them to realize the error of their approach, but they did eventually.

So there is a trade-off here.  In general, I think one can say that the
Internet has benefited hugely in the past from taking the approach of
maximum flexibility whenever feasible.

Bob Braden




RE: Why IPv6 is a must?

2001-11-26 Thread Tony Hain

Caitlin Bestler wrote:

 My point remains, a globally meaningful address is something that
 should only be applied when it is useful for that endpoint to
 be globally addressable.

This is your only valid point, and has nothing to do with NAT,
Firewalls, or anything else on this thread today... There are cases
where an application context calls for local scope addresses (like I may
not want my light switch available outside the home), but that is
exactly why IPv6 provides local link and site scope addresses. If you have
a device that is being used in a local scope application context, then
it should not acquire a global scope prefix.

At the same time there may be other applications sharing the wire that
are global scope (like my son and I run independent web servers). For
this context the global scope IPv6 addresses are exactly what is
required, because sharing a port doesn't work.

From my observations over time, the hardest thing for network
technologists to wrap their heads around is the fact that with IPv6
nodes are capable of multiple addresses simultaneously, and those
addresses have different scopes of applicability. It is a matter of
local policy which addresses get used, so match the address scope to the
use policy. In any case, stop saying that NAT is required to keep a node
hidden, because it is not. Also by definition if a NAT is aware of the
'hidden' device, the device is no longer hidden from the world.

Tony
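Matching address scope to use policy, as described in the message above, shown as an added example that is not part of the thread. The host addresses and application names are constructed, the three sender positions are a simplification, and the function names are hypothetical.

```python
import ipaddress

# IPv6 unicast scopes named in the message. Site-local (fec0::/10) was current
# when this thread was written and was later deprecated by RFC 3879.
SCOPE_PREFIXES = [
    ("link", ipaddress.ip_network("fe80::/10")),
    ("site", ipaddress.ip_network("fec0::/10")),
    ("global", ipaddress.ip_network("2000::/3")),
]
RANK = {"link": 0, "site": 1, "global": 2}

# Narrowest destination scope that a sender at each position can still reach.
POSITION_FLOOR = {"on-link": 0, "in-site": 1, "off-site": 2}

# Constructed example: one interface holding three addresses at once.
HOST_ADDRS = [
    "fe80::211:22ff:fe33:4455",
    "fec0::1:211:22ff:fe33:4455",
    "2001:db8:1:1:211:22ff:fe33:4455",
]


def scope_of(addr):
    """Return 'link', 'site' or 'global', or None for anything else."""
    ip = ipaddress.ip_address(addr)
    for name, net in SCOPE_PREFIXES:
        if ip in net:
            return name
    return None


def listen_addresses(configured, app_scope):
    """Addresses an application limited to app_scope is allowed to bind to."""
    limit = RANK[app_scope]
    chosen = []
    for addr in configured:
        scope = scope_of(addr)
        if scope is not None and RANK[scope] <= limit:
            chosen.append(addr)
    return chosen


def reachable_from(position, listening):
    """Which of the bound addresses a sender at this position can reach."""
    floor = POSITION_FLOOR[position]
    reachable = []
    for addr in listening:
        scope = scope_of(addr)
        if scope is not None and RANK[scope] >= floor:
            reachable.append(addr)
    return reachable


def excess_addresses(configured, context_scope):
    """Audit: addresses wider than the device's application context calls for."""
    limit = RANK[context_scope]
    return [a for a in configured
            if scope_of(a) is not None and RANK[scope_of(a)] > limit]


if __name__ == "__main__":
    light_switch = listen_addresses(HOST_ADDRS, "site")
    web_server = listen_addresses(HOST_ADDRS, "global")
    print("light switch, off-site:", reachable_from("off-site", light_switch))
    print("web server, off-site:  ", reachable_from("off-site", web_server))
    print("audit, local-only box: ", excess_addresses(HOST_ADDRS, "site"))
```

The light switch is unreachable from off-site with no translator in the path, while the web server on the same wire keeps its own global address and its own port 80.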




Re: Why IPv6 is a must?

2001-11-26 Thread ietf

On Mon, 26 Nov 2001, Rinka Singh wrote:

 Any NAT would be able to translate both ways - OK it would stumble if
 there was end-to-end encryption but a small device may not have
 encryption capability.  It should be easy to add NAT (one would need a
 router, firewall, gateway/gatekeeper anyway).

Not as easy as one may initially imagine. Think of complicated application 
level protocols such as H.323 which carry IP information in packets. Adding 
support to NAT gateways would involve integrating gatekeeper/H.323 proxies 
to routers. End-to-end encryption is another area where NAT would be very 
difficult to implement. There are many examples of difficult to be 
accomplished with NAT tasks (like P2P networks) that could be easily 
solved by expanding the amount of available addresses (like IPv6). Not 
talking about the specific capabilities IPv6 integrates (AH, for example).

I'm not saying that almost same things could be performed by clever NAT 
under IPv4, but let's use Occam's razor and follow the simplest way of 
implementing things...

Regards,

Flavio.





Re: Why IPv6 is a must?

2001-11-26 Thread Anthony Atkielski

Caitlin writes:

 That's exactly why you want NAT/firewalling and
 other existing mechanisms.  These are devices
 that do not require global addressability.  In
 fact they SHOULD NOT be globally addressable.

That's exactly why you only need one telephone per family.  These are people who
don't need to be individually reachable.  The head of the household can have one
telephone, and he or she can just physically seek out whoever else in the family
is wanted and put that person in front of the telephone.

That's also exactly why you only need one telephone per business.  These are
employees who don't need to be individually reachable.  The receptionist can
have one telephone, and he or she can just physically bring any other employee
who needs to be contacted to the phone in the reception area.

 IPv6 needs to be justified on the number of nodes
 that truly need a globally accessible public
 address ...

IPv6, like any other expansion of the address space, is ultimately not something
that has to be justified, but simply something that cannot be avoided.

Additionally, the mere need for a unique public address doesn't even necessarily
justify IPv4.  After all, we don't yet have four billion computers on the
Internet.  But because of convenient but space-wasteful allocation policies for
the existing address space, we will appear to run out of addresses long before
the actual theoretical address space is exhausted, unless we resort to
allocating them sequentially until every slot is gone.

The allocation for IPv6 will inevitably be far more space-wasteful than that for
IPv4, human beings being the way they are, and so it will eventually be
exhausted as well, as hard as it may be to believe that now.

 ... not by insisting on counting devices that should
 remain anonymous or under limited (and controlled)
 visibility.

Similar arguments were advanced against private telephone lines.  The most
consistent and serious error made by engineers in designing new systems is
dramatic underestimation of the capacity that will ultimately be required.






Re: Why IPv6 is a must?

2001-11-26 Thread Anthony Atkielski

John Stracke writes:

 Utility companies would love to be able to stop
 sending out expensive humans just to read one
 dial at each customer each month.

Where I live, they already have.  The new meters are individually addressable
and will report the consumption they record on demand from a central controller.
They don't require any special wiring; I was told that they use the pipes of the
water system to communicate with the controller--apparently the usable bandwidth
of that channel is enough to allow the very limited communication required by
the application.

Of course, with low-cost IP dialtone or something similar, such a device could
be connected to the Internet.  I would not want it to be a device that could
accept commands to turn off the water or some such, because of the danger of
abuse, but certainly reporting the water consumption seems quite reasonable.

One can imagine the same for soft-drink machines, copying machines, and all
sorts of other appliances.  Right now some of them already work in this way,
except that, like the water meter, they rely on out-of-band communication
methods (from the Internet point of view).






Re: Why IPv6 is a must?

2001-11-26 Thread Anthony Atkielski

Caitlin writes:

 If a node only requires accessibility by a
 few specialized nodes (such as a water meter)
 then making it *visible* to more is just
 creating a security hole that has to be plugged.

Only if the information made thus available itself constitutes a security
breach, which is not necessarily the case.  Knowing how much water someone
consumes or how many cans of Coke remain in a distributing machine would
probably not be a security issue for most users, just as answering a ping on the
Internet today is not considered to be a security breach by most people (and
those who do consider it so can block it).

 My point remains, a globally meaningful address
 is something that should only be applied when it
 is useful for that endpoint to be globally addressable.

Unfortunately, if no provision has been made for a global address in the first
place, it may not be possible to put anything in place as quickly as required if
the need arises, and for critical applications, this is not acceptable.




Re: Why IPv6 is a must?

2001-11-26 Thread Anthony Atkielski

Keith writes:

 the whole concept of a local-use-only device is
 somewhat odd.  how can the device manufacturer
 make assumptions about his customers' network
 topology?

Imagine where we would be if this assumption were made in the assignment of MAC
addresses for Ethernet cards.  The Net would be a much different and much more
confusing place, if it existed at all.






Re: Why IPv6 is a must?

2001-11-26 Thread Caitlin Bestler

  3) new devices that plug into residential networks (mostly new)
 
  What stops the new devices from having v4 with NAT to translate between the
  internet and the house. 
 
 nothing stops them, but if you want to access the devices from outside the
 house (and in many cases that's the point of such devices) then NAT gets 
 in the way.
 
 Keith
 

That's exactly why you want NAT/firewalling and other existing mechanisms.
These are devices that do not require global addressability. In fact they
SHOULD NOT be globally addressable.

IPv6 needs to be justified on the number of nodes that truly need a 
globally accessible public address, not by insisting on counting devices
that should remain anonymous or under limited (and controlled) visibility.

At times I suspect an administrative standard for uniquely referring
to a private IP address in a specific private IP network would have
been the only required improvement in global addressing.




Re: Why IPv6 is a must?

2001-11-26 Thread Keith Moore

 That's exactly why you want NAT/firewalling and other existing mechanisms.
 These are devices that do not require global addressability. In fact they
 SHOULD NOT be globally addressable.

first, don't confuse NAT with firewalls.  they have entirely separate 
functions which often happen to be provided in the same box.  NAT provides 
very little additional security by itself, and you can implement any 
firewall function without doing address translation.

second, firewalls are not a general-purpose security mechanism. at best 
they are a means of decreasing the effort required to analyze potential 
security threats.  they are not a substitute for implementing security
at the end system.

third, it seems quite presumptuous for you to declare that someone else's
device or application does not, or should not, require global addressability.  
in fact there are numerous cases where global addressability is desirable.  
the needs of the network are more diverse than your security model can 
accommodate.

 IPv6 needs to be justified on the number of nodes that truly need a
 globally accessible public address, not by insisting on counting devices
 that should remain anonymous or under limited (and controlled) visibility.

you appear to be confusing visibility with accessibility.
 
 At times I suspect an administrative standard for uniquely referring
 to a private IP address in a specific private IP network would have
 been the only required improvement in global addressing.

that's because you aren't bothering to consider the needs of applications.

Keith




Re: Why IPv6 is a must?

2001-11-26 Thread Caitlin Bestler

 
  IPv6 needs to be justified on the number of nodes that truly need a
  globally accessible public address, not by insisting on counting devices
  that should remain anonymous or under limited (and controlled) visibility.
 
 you appear to be confusing visibility with accessibility.
  

No, that is exactly what I am not confusing.

If a node only requires accessibility by a few specialized nodes (such
as a water meter) then making it *visible* to more is just creating
a security hole that has to be plugged.

Yes, the hole can be plugged easily.

I am merely pointing out that the opportunity to add more rules to
an IPv6 firewall to plug a security hole that IPv6 created is *not*
an argument for IPv6.

Further, NAT boxes are very friendly to meter-type devices. They
can receive their IPv4 address via DHCP (eliminating the need
to administer addresses) and then they can contact the collection
server. The upper-layer protocols will identify the meter,
which they would have done for authentication reasons anyway.

There are also a large number of solutions using L2 tunneling.

My point remains, a globally meaningful address is something that
should only be applied when it is useful for that endpoint to
be globally addressable.




Re: Why IPv6 is a must?

2001-11-13 Thread Sean Doran

Erik Nordmark writes:

|  A locator by definition must describe a precise location within 
|  a network, such that any router will be able to forward traffic
|  towards that network using only the information in locator.
|
| Towards the network/link or towards the node?

Sorry, imprecise wording kills, right? :-)

the second network should be host or link or attachment point.

towards does not mean all the way to.  i could have written
to the next router believed to be closer to the {host,link,AP}.

In a routing sense, perhaps abstractly, the link or AP is a single
node in the network, rather than a thing behind which lots of hosts live.

Sean.




Re: Why IPv6 is a must?

2001-11-13 Thread Erik Nordmark

 A locator by definition must describe a precise location within 
 a network, such that any router will be able to forward traffic
 towards that network using only the information in locator.

Sean,

Towards the network/link or towards the node?

In 8+8 the top 8 bytes are just the locator for the *link* - not the node.
Thus in 8+8 the locator for a node is composed of the locator for the link
plus the identifier of the node.
Thus depending on the detailed definition this may or may not be viewed
as cleanly separating identifier and locator.

   Erik




RE: Why IPv6 is a must?

2001-11-12 Thread Peter Ford


 the locator MUST change with a change in location.

It must change: eventually.  For short duration changes you have
Mobile IP.  For changes that have longer time horizon you have host
renumbering, which by the design of v6 is now fairly trivial.   Seems
like this base might be adequately covered, no? 

 unfortunately, variable-length addresses are not supported by IPv6.

The good news here is that IPv6 picked worst case length viz the
original CLNS addressing design when you factor out length, AFI and
country codes, so you are covered.  The biggest reasons to have variable
length addresses are: 1) so you can have short packets!, and 2) because
2**128 is not enough hosts!  We gave up on (1) and (2) is just another
opportunity for NATs and Proxies in the 22nd century.

I suspect the addressing plan for the Internet will go through its
bumps and grinds.   Again, the good news here is that IPv6 has plenty of
addressing bits for routing so that people can screw up and recover,
something that IPv4 no longer has.  

   Sean.

Cheers, peterf





RE: Why IPv6 is a must?

2001-11-12 Thread Sean Doran

Peter Ford writes:

| It must change: eventually.  For short duration changes you have
| Mobile IP.  For changes that have longer time horizon you have host
| renumbering, which by the design of v6 is now fairly trivial.   Seems
| like this base might be adequately covered, no?

I would love a demonstration of a painless renumbering of a large IPv6 site
over various timescales using these or other mechanisms which might
be brought forward onto the IETF standards track, and would personally
try to help get a successful demonstrator some good press attention.
Perhaps you know of some organization that could use some of that
from a Mac-wielding BSD nerd who votes in the European Union?

Small qualifier: large should be something like MIT[v4] (which has
not renumbered out of 18/8[v4], for example), rather than the largest
IPv6 sites in existence today, which I bet are somewhat smaller.

Sean.




RE: Why IPv6 is a must?

2001-11-12 Thread Peter Ford


I disagree with Keith on some basic assumptions.  IPv6 is not a software
upgrade in its dominant mode.   IPv6 was done with the belief that the
raw number of systems will grow huge enough that 2**32 is not enough.
There was this CIDR thing created to solve this other problem.


In terms of raw numbers, IPv6 deployment will take the form of hardware
purchases for IPv6 nodes that do not exist today:

1) Cell phones (historically 2 yr replacement cycle)
2) PCs with IPv6 installed (less than 5 yr replacement cycle)
3) new devices that plug into residential networks (mostly new)

We should note IPv6 has been planned, products have been built and
deployment will occur.  It is being driven by people who have a vested
interest in having a solution to the address run-out problem.

(good news in the last 10 years is that Internet has gotten really good
at deploying HTTP proxies, something we did not really bet on back in
1991/1992.   This is going to aid transition immensely as we move
forward).

I concur that the routing guys have some work in front of them.   May I
suggest people take a closer look at hierarchical routing, combined
provider and geographic hierarchies, and adult supervision?

Regards, peter





Re: Why IPv6 is a must?

2001-11-12 Thread Brian E Carpenter

Keith Moore wrote:
 
 somebody needs to define an alternative to midcom that uses IPv6
 prefixes to name the addressing realms, and an algorithm  to map
 (prefix name + NATted IPv4 address) into an IPv6 address.
 
 nobody says you have to actually be willing to route traffic to
 those IPv6 addresses, but you could use them in midcom as
 unambiguous host names for pinhole specification, and you could
 use them in network management.  and if/when you did decide to
 actually route IPv6 traffic, management would be considerably
 simplified by being able to use the same addresses.

And of course, the 6to4 prefix can be used exactly this way, with
no need to go to a registry for an IPv6 prefix. 

  Brian


 
 Keith
 
  From: Perry E. Metzger [EMAIL PROTECTED]
  To: Keith Moore [EMAIL PROTECTED]
  Cc: Tony Hain [EMAIL PROTECTED], [EMAIL PROTECTED],
  Hans Kruse [EMAIL PROTECTED], [EMAIL PROTECTED]
  Subject: Re: Why IPv6 is a must?
 
  Keith Moore [EMAIL PROTECTED] writes:
   I don't see a killer IPv6-based business app as likely,
 
  I think I know one. Network management and administration. There is no
  way in some of today's deeply NATed v4 networks to do adequate network
  management -- monitoring is especially hard. Overlaying a v6 network
  with a real address space over the NAT mess is easy, and results in
  being able to actually get to all the nodes being managed.
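
An added example, not part of the original messages: a sketch of the mapping discussed above, using the 6to4 prefix (2002:V4ADDR::/48, RFC 3056) of each realm's public IPv4 address to name hosts that share the same private address. Placing the private IPv4 address in the low 32 bits is an assumption made here (the thread does not define a layout); the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")


def realm_prefix(public_v4):
    """6to4 /48 for an addressing realm, derived from its public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def name_host(public_v4, private_v4, subnet=0):
    """Unambiguous IPv6 name for a NATted host.

    Layout (an assumption of this example): 2002 | public IPv4 | 16-bit
    subnet | 32 zero bits | private IPv4.
    """
    if not 0 <= subnet <= 0xFFFF:
        raise ValueError("subnet must fit in 16 bits")
    base = int(realm_prefix(public_v4).network_address)
    inner = int(ipaddress.IPv4Address(private_v4))
    return ipaddress.IPv6Address(base | (subnet << 64) | inner)


def split_name(addr):
    """Recover (realm public IPv4, private IPv4) from a name built above."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTOFOUR:
        raise ValueError(f"{ip} is not under 2002::/16")
    n = int(ip)
    return (ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF),
            ipaddress.IPv4Address(n & 0xFFFFFFFF))


def index_nodes(nodes):
    """Build a management index keyed by the mapped address.

    `nodes` is a list of (realm public IPv4, private IPv4, label). Keyed by
    private IPv4 alone, the two constructed realms below would collide.
    """
    index = {}
    for public_v4, private_v4, label in nodes:
        key = name_host(public_v4, private_v4)
        if key in index:
            raise ValueError(f"duplicate node {key}")
        index[key] = label
    return index


# Constructed sample: two sites, both using 192.168.1.10 behind their NAT.
NODES = [
    ("192.0.2.1", "192.168.1.10", "site-A printer"),
    ("198.51.100.1", "192.168.1.10", "site-B meter"),
]

if __name__ == "__main__":
    for addr, label in index_nodes(NODES).items():
        print(addr, label, split_name(addr))
```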




RE: Why IPv6 is a must?

2001-11-12 Thread Sean Doran

Peter Ford post ROAD writes:

| I concur that the routing guys have some work in front of them.   May I
| suggest people take a closer look at hierarchical routing, combined
| provider and geographic hierarchies, and adult supervision?

All of these have been well-studied with IPv4.

Unfortunately, there is no known (to the IETF) way of preserving
hierarchy in the absence of host renumbering (of locator-part), 
careful use of multiple locators by hosts, or NAT, which is a way a 
middle-box can  spoof one of the previous two options.

The problem of maintaining hierarchical routing is identical with
ANY way of describing a device in ANY network: the locator MUST
change with a change in location.

Keeping the location independent of the identity of a device
makes this task much easier, especially when a minimal number
of things running on the host have to know about the location
at all.  (i.e., it's great if the host doesn't need to know its
location at all, at any time, thus allowing in-flight mutations
of the locator at will as the network changes shape -- the host
should not reject packets meant for itself (identity) just because
they have been sent to a surprising (to the host) location).

There are alternatives to a complete separation of identity and
location, but most of them result in NAT-like localization of
identity (i.e., identity is not end-to-end) or things like UUCP bang
paths or vaguely CLNS-style names, and unfortunately, variable-length
addresses are not supported by IPv6.

Sean.




Re: Why IPv6 is a must?

2001-11-12 Thread Keith Moore

 The problem of maintaining hierarchical routing is identical with
 ANY way of describing a device in ANY network: the locator MUST
 change with a change in location.

perhaps, but the locator doesn't have to be exposed in the address.
if you expose the locator in the address then every time the location
changes you have to somehow inform all parties that are using that 
location that there's a new location for that address.

at present our locators are AS numbers.  they are not exposed in the
address or to hosts; instead there is a mapping function from address 
prefixes to AS numbers that is maintained by routers.

if we change the system to use a different kind of locator we still
need stable addresses, we still have to maintain the mapping 
function from addresses to locators, and we still need that mapping
function to be current and reliable.

what we are arguing about is the appropriate granularity of the 
mapping function, and the appropriate place to maintain that mapping.

Keith




Re: Why IPv6 is a must?

2001-11-12 Thread Keith Moore

 I disagree with Keith on some basic assumptions.  IPv6 is not a software
 upgrade in its dominant mode.   

actually, I think we do agree.  *existing* systems can migrate to IPv6 
with a software upgrade, and it's important to have a story for existing
systems.. but my guess is that the vast majority of IPv6 systems in the 
long run will not be general-purpose computers (existing or new), but 
fixed-function appliances that will ship with IPv6 built-in.

Keith




Re: Why IPv6 is a must?

2001-11-12 Thread Sean Doran

| at present our locators are AS numbers.

No, Keith, they are not.

The AS number does not describe a location in any sort of topology.
It is simply a representation of a set of routers with the same
routing policy, that should not receive via eBGP NLRI which 
have originated from or passed through said routers.

The AS number is otherwise completely meaningless, although
the AS path itself is a funny sort of non-scalar metric.
(See the work of Ahuja and Labovitz for details on that).

A locator by definition must describe a precise location within 
a network, such that any router will be able to forward traffic
towards that network using only the information in locator.

In IPv4, the locator *is* the IPv4 address, independent of
what inter- or intra-domain routing system is being used.

| if we change the system to use a different kind of locator we still
| need stable addresses, we still have to maintain the mapping 
| function from addresses to locators, and we still need that mapping
| function to be current and reliable.

End-to-end/globally-unique identifiers are very convenient indeed.
However, identifiers and locators are different.
There is no reason to overload them, and it's a bad habit.
It's also a bad habit to think that locators need to be
end-to-end or globally (rather than contextually) unique.

| what we are arguing about is the appropriate granularity of the 
| mapping function, and the appropriate place to maintain that mapping.

No, we are not arguing about that, but these are indeed issues.

Sean.




Re: Why IPv6 is a must?

2001-11-12 Thread Keith Moore

 | at present our locators are AS numbers.
 
 No, Keith, they are not.
 
 The AS number does not describe a location in any sort of topology.
 It is simply a representation of a set of routers with the same
 routing policy, that should not receive via eBGP NLRI which
 have originated from or passed through said routers.
 
 The AS number is otherwise completely meaningless, although
 the AS path itself is a funny sort of non-scalar metric.
 (See the work of Ahuja and Labovitz for details on that).
 
 A locator by definition must describe a precise location within
 a network, such that any router will be able to forward traffic
 towards that network using only the information in locator.
 
 In IPv4, the locator *is* the IPv4 address, independent of
 what inter- or intra-domain routing system is being used.

thanks for the clarification.  I don't pretend to be a routing
expert;  I just get into these discussions in an effort to 
keep the proposed solutions for routing scalability problems
from harming applications. 

but if AS#s aren't usable as locators, it seems like 
it should be possible to use BGP to advertise mappings from 
IP address prefixes to some other kind of locator, and to 
base route computations on *those* locators rather than 
on address prefixes.  that would allow routers to 
effectively aggregate routes for dissimilar prefixes,
at least for the purpose of route computations.
(even if the forwarding table still had to be indexed
by address prefix)

 | if we change the system to use a different kind of locator we still
 | need stable addresses, we still have to maintain the mapping
 | function from addresses to locators, and we still need that mapping
 | function to be current and reliable.
 
 End-to-end/globally-unique identifiers are very convenient indeed.
 However, identifiers and locators are different.
 There is no reason to overload them, and it's a bad habit.

there are plenty of reasons why they are overloaded, it's just that
folks tend to overlook those reasons because they are focusing
on a single problem.  some of them are outlined in another message
that I sent to the IETF list today.

 It's also a bad habit to think that locators need to be
 end-to-end or globally (rather than contextually) unique.

they don't have to be.  it's just that if the locators are 
context-specific then you can only use them for routing
within the context in which they're valid.  (and you want
to make really sure they don't get confused with locators
from other contexts)

 | what we are arguing about is the appropriate granularity of the
 | mapping function, and the appropriate place to maintain that mapping.
 
 No, we are not arguing about that, but these are indeed issues.

I think that's the fundamental issue - at least, given the other
constraints on the problem that seem to be imposed.

Keith




Re: Why IPv6 is a must?

2001-11-12 Thread Joel M. Halpern

Note that to some degree, for some people, in some topologies, MPLS does 
exactly what you suggest.  It provides a modest size space of identifiers 
(which are local, an advantage) which can be used for forwarding by many 
devices.  For some situations, all the large table processing can be moved 
to the network edge. Unfortunately, the utilization and application is 
rather more complex.  But this kind of system does have many scaling 
advantages in that for most parts of the system the locator is indeed a 
separate and manageable piece of information.
Signalled systems also have the advantage that the setup can use large 
tables that are NOT in the fast path and therefore can tolerate worse 
scaling behaviors.  Of course, such systems also introduce interesting 
limitations and problems.  For example, scaling the number of paths that are 
setup can be a new and interesting way to choke.

Yours,
Joel M. Halpern

At 06:46 PM 11/12/01 -0500, Keith Moore wrote:
  | at present our locators are AS numbers.
 
  No, Keith, they are not.
 
  The AS number does not describe a location in any sort of topology.
  It is simply a representation of a set of routers with the same
  routing policy, that should not receive via eBGP NLRI which
  have originated from or passed through said routers.
 
  The AS number is otherwise completely meaningless, although
  the AS path itself is a funny sort of non-scalar metric.
  (See the work of Ahuja and Labovitz for details on that).
 
  A locator by definition must describe a precise location within
  a network, such that any router will be able to forward traffic
  towards that network using only the information in locator.
 
  In IPv4, the locator *is* the IPv4 address, independent of
  what inter- or intra-domain routing system is being used.

thanks for the clarification.  I don't pretend to be a routing
expert;  I just get into these discussions in an effort to
keep the proposed solutions for routing scalability problems
from harming applications.

but if AS#s aren't usable as locators, it seems like
it should be possible to use BGP to advertise mappings from
IP address prefixes to some other kind of locator, and to
base route computations on *those* locators rather than
on address prefixes.  that would allow routers to
effectively aggregate routes for dissimilar prefixes,
at least for the purpose of route computations.
(even if the forwarding table still had to be indexed
by address prefix)

  | if we change the system to use a different kind of locator we still
  | need stable addresses, we still have to maintain the mapping
  | function from addresses to locators, and we still need that mapping
  | function to be current and reliable.
 
  End-to-end/globally-unique identifiers are very convenient indeed.
  However, identifiers and locators are different.
  There is no reason to overload them, and it's a bad habit.

there are plenty of reasons why they are overloaded, it's just that
folks tend to overlook those reasons because they are focusing
on a single problem.  some of them are outlined in another message
that I sent to the IETF list today.

  It's also a bad habit to think that locators need to be
  end-to-end or globally (rather than contextually) unique.

they don't have to be.  it's just that if the locators are
context-specific then you can only use them for routing
within the context in which they're valid.  (and you want
to make really sure they don't get confused with locators
from other contexts)

  | what we are arguing about is the appropriate granularity of the
  | mapping function, and the appropriate place to maintain that mapping.
 
  No, we are not arguing about that, but these are indeed issues.

I think that's the fundamental issue - at least, given the other
constraints on the problem that seem to be imposed.

Keith




Re: Why IPv6 is a must?

2001-11-12 Thread Keith Moore

 Note that to some degree, for some people, in some topologies, MPLS does
 exactly what you suggest. 

yes, indeed.  of course, the devil is in the details.  

having a separate pseudo-header with routing locator, for use by the 
routing system seems like a useful approach (though not the only 
possible approach).  OTOH, based on what I've heard I've formed
the impression that there are scaling limitations with the way that 
MPLS tends to be used.

Keith




Re: Why IPv6 is a must?

2001-11-09 Thread Brian E Carpenter

Tony, Keith,

Keith Moore wrote:
 
  The real requirement is in the other order; when
  a desirable app becomes available that works over IPv6 but fails over
  NAT. This will cause people to upgrade their OS to Solaris 8, or XP,
  etc. This is more likely to be a peer-to-peer game than any business
  app.
 
 I don't see a killer IPv6-based business app as likely, but IPv6
 does seem like a good way to solve some of the problems that NATs
 cause for communications between private v4 networks.  It won't be
 a single app that causes businesses to shift, it will be the ability
 to run whatever protocols the businesses want to use to talk to each other.

Hold on just a minute. Business applications are moving away
from limited client/server models towards synchronous or asynchronous
exchanges between systems that are sometimes clients and sometimes
servers. I don't want to rant at length here, but peer-to-peer business
apps are absolutely what we need for IPv6.

   Brian




Re: Why IPv6 is a must?

2001-11-09 Thread Keith Moore

somebody needs to define an alternative to midcom that uses IPv6
prefixes to name the addressing realms, and an algorithm  to map
(prefix name + NATted IPv4 address) into an IPv6 address.

nobody says you have to actually be willing to route traffic to 
those IPv6 addresses, but you could use them in midcom as
unambiguous host names for pinhole specification, and you could
use them in network management.  and if/when you did decide to
actually route IPv6 traffic, management would be considerably
simplified by being able to use the same addresses.

Keith

 From: Perry E. Metzger [EMAIL PROTECTED]
 To: Keith Moore [EMAIL PROTECTED]
 Cc: Tony Hain [EMAIL PROTECTED], [EMAIL PROTECTED],
 Hans Kruse [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Re: Why IPv6 is a must?
 
 Keith Moore [EMAIL PROTECTED] writes:
  I don't see a killer IPv6-based business app as likely,
 
 I think I know one. Network management and administration. There is no
 way in some of today's deeply NATed v4 networks to do adequate network
 management -- monitoring is especially hard. Overlaying a v6 network
 with a real address space over the NAT mess is easy, and results in
 being able to actually get to all the nodes being managed.




Re: Why IPv6 is a must?

2001-11-09 Thread Keith Moore

  I don't see a killer IPv6-based business app as likely, but IPv6
  does seem like a good way to solve some of the problems that NATs
  cause for communications between private v4 networks.  It won't be
  a single app that causes businesses to shift, it will be the ability
  to run whatever protocols the businesses want to use to talk to each other.
 
 Hold on just a minute. Business applications are moving away
 from limited client/server models towards synchronous or asynchronous
 exchanges between systems that are sometimes clients and sometimes
 servers. I don't want to rant at length here, but peer-to-peer business
 apps are absolutely what we need for IPv6.

I think we're in strong agreement.  I was only pointing out that the 
incentive for businesses to move to IPv6 might not be one or two well-known
apps that everybody uses, but a more general need to use peer-to-peer
communications between businesses.

Keith




Re: Why IPv6 is a must?

2001-11-09 Thread Perry E. Metzger


Keith Moore [EMAIL PROTECTED] writes:
 I don't see a killer IPv6-based business app as likely,

I think I know one. Network management and administration. There is no
way in some of today's deeply NATed v4 networks to do adequate network
management -- monitoring is especially hard. Overlaying a v6 network
with a real address space over the NAT mess is easy, and results in
being able to actually get to all the nodes being managed.

--
Perry E. Metzger		[EMAIL PROTECTED]
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/




RE: Why IPv6 is a must?

2001-11-07 Thread Tony Hain

Valdis.Kletnieks wrote:

 That big database server on that big Sun E10K is
 not going to be doing stuff over IPv6 until you upgrade to Solaris 8,
 and drag Oracle along kicking and screaming.

Actually the real problem is the Oracles of the world.

 And let's be
 honest here -
 at the low end, if you're a Microsoft user, unless you're technically
 skilled enough to install the developer toolkit and roll your own,
 you're not doing IPv6 until you upgrade to Windows XP - which means
 you also get to buy a Norton upgrade, a this upgrade, a that upgrade.

Even installing XP gets you nothing without the applications making the
appropriate API calls. The real requirement is in the other order; when
a desirable app becomes available that works over IPv6 but fails over
NAT. This will cause people to upgrade their OS to Solaris 8, or XP,
etc. This is more likely to be a peer-to-peer game than any business
app.

Tony




Re: Why IPv6 is a must?

2001-11-07 Thread Keith Moore

 The real requirement is in the other order; when
 a desirable app becomes available that works over IPv6 but fails over
 NAT. This will cause people to upgrade their OS to Solaris 8, or XP,
 etc. This is more likely to be a peer-to-peer game than any business
 app.

I don't see a killer IPv6-based business app as likely, but IPv6
does seem like a good way to solve some of the problems that NATs
cause for communications between private v4 networks.  It won't be 
a single app that causes businesses to shift, it will be the ability
to run whatever protocols the businesses want to use to talk to each other.




Re: Why IPv6 is a must?

2001-11-06 Thread Rinka Singh

That's right today.

Another 5 years later you would be singing a different tune. - scalability,
better bandwidth management (a.k.a QOS), mobile devices, internet appliances
will nail v4 down - UMTS will add some spice to the pot.  I agree a user
cannot do much unless the ISPs and Org routers/switches deploy v6.  But
that's not too far away as more sophisticated uses come up.

Incidentally, have you tried running apps like ftp over IPsec or L2TP/PPTP
over NAT.

Rinka.
- Original Message -
From: J. Noel Chiappa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 18, 2001 12:38 AM
Subject: RE: Why IPv6 is a must?


  From: TOMSON ERIC [EMAIL PROTECTED]

  do you really think that the IETF people (et al.) built IPv6 without a
  preliminary good consideration?

 There are a lot of people in the IETF who think exactly that, actually.

 (This message coming to you via the NAT box I bought in the hole-in-the-wall
 computer store in the little strip mall right down the street, here in
 Podunksville. Just for grins, I should have asked them if they had any
 IPv6... I wonder what the ratio of NAT sales volume is to IPv6, and how
 much profit people have made off the former, as opposed to the latter.
 Not that I like NAT, I don't.)

 Noel





RE: Why IPv6 is a must?

2001-11-06 Thread Ian King

Huh?  I've been running PPTP over NAT for years - I'm doing it right
now.  But it would be great if the ISPs began to migrate; tools (e.g.
tunneling) are available to allow them to do so even if their upstreams
lag.  

-Original Message-
From: Rinka Singh [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 06, 2001 5:50 AM
To: J. Noel Chiappa; [EMAIL PROTECTED]
Subject: Re: Why IPv6 is a must?


That's right today.

Another 5 years later you would be singing a different tune. -
scalability, better bandwidth management (a.k.a QOS), mobile devices,
internet appliances will nail v4 down - UMTS will add some spice to the
pot.  I agree a user cannot do much unless the ISPs and Org
routers/switches deploy v6.  But that's not too far away as more
sophisticated uses come up.

Incidentally, have you tried running apps like ftp over IPsec or
L2TP/PPTP over NAT.

Rinka.





Re: Why IPv6 is a must?

2001-11-06 Thread Hans Kruse

The discrepancy in opinions below seems to me to point towards the
deployment path for IPv6.  Corporate users and those with very large
address space needs (wireless handhelds) will deploy IPv6 and in effect
pay for the engineering cost of building IPv6 into operating systems and
network elements.  Once the costs come down, home users, small businesses,
and their ISPs will follow.

(Note that I do think IPv6 is inevitable and that is a Good Thing;  I also
think that it is unrealistic to expect the low-end/cost-driven user to jump
into the conversion;  telling them their (temporary) solution is evil
does not make them move any faster).

--On Monday, November 05, 2001 14:40 -0500 Thomas Narten
[EMAIL PROTECTED] wrote:

 J. Noel Chiappa [EMAIL PROTECTED] writes:
 (This message coming to you via the NAT box I bought in the
 hole-in-the-wall computer store in the little strip mall right down the
 street, here in Podunksville.

 Lucky you.

 If I had a NAT box at home, and I tried to connect to my corporate
 network through it, I would quickly learn two things:

 1) It doesn't work (it's an IPsec based solution)

 2) If I then called the Help Desk, their response would be "we don't
    support that configuration."

 YMMV.

 Thomas




Hans Kruse, Associate Professor
J. Warren McClure School of Communication Systems Management
Ohio University, Athens, OH, 45701
740-593-4891 voice, 740-593-4889 fax




Re: Why IPv6 is a must?

2001-11-06 Thread Valdis . Kletnieks

On Tue, 06 Nov 2001 09:37:45 EST, Hans Kruse [EMAIL PROTECTED]  said:
 The discrepancy in opinions below seems to me to point towards the
 deployment path for IPv6.  Corporate users and those with very large
 address space needs (wireless handhelds) will deploy IPv6 and in effect
 pay for the engineering cost of building IPv6 into operating systems and
 network elements.  Once the costs come down, home users, small businesses,
 and their ISPs will follow.

Actually, the engineering cost of building IPv6 into operating systems
is already essentially paid.  The cost of building it into routers and the like
is paid.  The vendors are all (basically) IPv6-ready.

What has NOT been paid is the deployment cost, which has several very
distinct components.  

First is the cost of obtaining a release of your operating system
that supports IPv6 (which can vary anywhere from free to low-cost to
exorbitant, depending on your vendor's business model, and whether
you're already running an IPv6-capable version for other reasons).

Second is the cost of installing that release - which can get complicated
if this forces an upgrade of third-party software such as a database
system.  This has several components - additional licensing costs for
new releases of add-on software, downtime costs, testing costs, and
all the other little things like that.  And add another 1% for each
time you ask yourself "Will this upgrade unexpectedly hose something
in a totally non-obvious way?".

(Note - none of the money so far has anything to do with IPv6 directly)

Third is the cost of actually configuring and enabling IPv6 - getting
an  record assigned, the DNS set up, testing, and getting the software
to use an IPv6 connection.  This is usually the cheap part once
you get past the first two.

Note that in the current state of the world, those first two are usually
the big part of the expense, and THOSE costs are *NOT* going to come
down anytime soon.  That big database server on that big Sun E10K is
not going to be doing stuff over IPv6 until you upgrade to Solaris 8,
and drag Oracle along kicking and screaming.  And let's be honest here -
at the low end, if you're a Microsoft user, unless you're technically
skilled enough to install the developer toolkit and roll your own,
you're not doing IPv6 until you upgrade to Windows XP - which means
you also get to buy a Norton upgrade, a this upgrade, a that upgrade.

The cost is *NOT* in deploying IPv6.  The cost is getting to a
configuration that is *able* to run IPv6.

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech




Re: Why IPv6 is a must?

2001-11-05 Thread Thomas Narten

J. Noel Chiappa [EMAIL PROTECTED] writes:

  From: TOMSON ERIC [EMAIL PROTECTED]

  do you really think that the IETF people (et al.) built IPv6 without a
  preliminary good consideration?

 There are a lot of people in the IETF who think exactly that,
 actually.

And there are a lot of other people that don't.

 (This message coming to you via the NAT box I bought in the hole-in-the-wall
 computer store in the little strip mall right down the street, here in
 Podunksville.

Lucky you.

If I had a NAT box at home, and I tried to connect to my corporate
network through it, I would quickly learn two things:

1) It doesn't work (it's an IPsec based solution)

2) If I then called the Help Desk, their response would be "we don't
   support that configuration."

YMMV.

Thomas 




Re: Why IPv6 is a must?

2001-10-18 Thread Jim Fleming

- Original Message -
From: Keith Moore [EMAIL PROTECTED]

 let's see.  everyone acknowledges that NATs are easier to deploy than IPv6,

Deployment of IPv6 (as defined by purists) may take a long time or never
happen. The usage of IPv6 technology to deploy more rational solutions is
happening now. This is similar to the way Unix deployment was slowed in the
late 70s by people (selling to the market) solutions such as DOS. There does
not appear to be much of a market for people interested in 128-bit native
IPv6 connections. There is a large market for people willing to divide those
128 bits into a 64-bit field for the existing IPv4 Internet and a 64-bit
field for their new persistent addresses. ISPs do not want to face
renumbering. ISPs also do not want to be held hostage by the
ICANN/IETF/ARIN/RIPE/APNIC tax collectors. After all, why use a Free
Operating System like Linux or FreeBSD and then pay $25,000 every year to
rent IPv6 addresses? IPv8 Address Space is free for the taking, to the
pioneers that want it. This is similar to land homesteaded by early pioneers
in the U.S.

Jim Fleming
http://www.in-addr.info
3:219 INFO
http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt




QOS [was Re: Why IPv6 is a must?]

2001-10-18 Thread Brian E Carpenter

[EMAIL PROTECTED] wrote:

 ... The QoS field in the header suffers from the same basic
 issues as source-routing of packets - they try to modify the global handling
 of packets with insufficient knowledge of global conditions.

Your text mainly refers to IntServ about which I make no comment. But the diffserv
header field (formerly known as TOS in IPv4, known as Traffic Class in IPv6)
is explicitly *not* global - it is meaningful per domain, and only makes
sense in a domain that has been appropriately configured. See RFC 2474, 2475
and 3086 for more.

   Brian
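The per-domain point in the message above, shown as an added example that is not part of the original thread: the same codepoint is read from the IPv4 TOS octet or the IPv6 Traffic Class, looked up in each domain's own table, and reset at a boundary that has not agreed to honour it. The packet bytes, policy tables and function names are constructed for illustration.

```python
import ipaddress
import struct

def ds_field(pkt: bytes) -> int:
    """Return the 8-bit DS field (IPv4 TOS octet / IPv6 Traffic Class)."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        return pkt[1]
    if version == 6 and len(pkt) >= 40:
        # Traffic Class straddles the first two octets, after the version nibble.
        return ((pkt[0] & 0x0F) << 4) | (pkt[1] >> 4)
    raise ValueError("not a complete IPv4 or IPv6 header")

def dscp(pkt: bytes) -> int:
    """The codepoint is the upper six bits of the DS field (RFC 2474)."""
    return ds_field(pkt) >> 2

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_dscp(pkt: bytes, codepoint: int) -> bytes:
    """Rewrite the codepoint, keeping the two low DS-field bits untouched."""
    new_ds = ((codepoint & 0x3F) << 2) | (ds_field(pkt) & 0x03)
    out = bytearray(pkt)
    if pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("bad IPv4 header length")
        out[1] = new_ds
        out[10:12] = b"\x00\x00"          # checksum covers the DS field: recompute
        out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:ihl])))
    else:
        out[0] = (pkt[0] & 0xF0) | (new_ds >> 4)
        out[1] = ((new_ds & 0x0F) << 4) | (pkt[1] & 0x0F)
    return bytes(out)

def classify(pkt: bytes, domain_policy: dict) -> str:
    """Look the codepoint up in one domain's own table; unknown means default."""
    return domain_policy.get(dscp(pkt), "default")

def ingress_remark(pkt: bytes, honoured: set) -> bytes:
    """Boundary node: reset codepoints this domain has not agreed to honour."""
    return pkt if dscp(pkt) in honoured else set_dscp(pkt, 0)

# Constructed sample headers, both marked with codepoint 46 (DS field 0xB8).
_v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                  ipaddress.IPv4Address("192.0.2.1").packed,
                  ipaddress.IPv4Address("198.51.100.2").packed)
SAMPLE_V4 = set_dscp(_v4, 46)
SAMPLE_V6 = struct.pack("!IHBB16s16s", 0x6B800000, 0, 59, 64,
                        ipaddress.IPv6Address("2001:db8::1").packed,
                        ipaddress.IPv6Address("2001:db8::2").packed)

# Constructed policies: the same codepoint means different things per domain.
DOMAIN_A = {46: "low-latency queue"}
DOMAIN_B = {10: "bulk transfer"}
```

Resetting unrecognised codepoints at ingress keeps a marking chosen in one domain from claiming a treatment in another that never configured it.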




Re: QOS [was Re: Why IPv6 is a must?]

2001-10-18 Thread Jim Fleming

- Original Message -
From: Brian E Carpenter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 18, 2001 1:58 AM
Subject: QOS [was Re: Why IPv6 is a must?]


 [EMAIL PROTECTED] wrote:

  ... The QoS field in the header suffers from the same basic
  issues as source-routing of packets - they try to modify the global
  handling of packets with insufficient knowledge of global conditions.

 Your text mainly refers to IntServ about which I make no comment. But the
 diffserv header field (formerly known as TOS in IPv4, known as Traffic
 Class in IPv6) is explicitly *not* global - it is meaningful per domain,
 and only makes sense in a domain that has been appropriately configured.
 See RFC 2474, 2475 and 3086 for more.


The QoS field in IPv8 (formerly known as TOS in IPv4) is divided into two
4-bit fields. This expands the addressing of the existing IPv4 Internet by a
factor of 16, with no change to the existing infrastructure. Those same 4
bits then carry over into IPv8 and IPv16 Addressing. The 2,048 address blocks
freely allocated to IPv8 as shown below, are actually each much larger than
the existing IPv4 address space, which needs to be replaced because of the
poor management of the resource and the unfair allocation policies.

Jim Fleming
http://www.in-addr.info
3:219 INFO
http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt




RE: Why IPv6 is a must?

2001-10-18 Thread TOMSON ERIC

(...)

And finally : do you really think that the IETF people (et al.) built IPv6 without a 
preliminary good consideration?

(...)

ftp://ftp.ietf.cnri.reston.va.us/ietf-online-proceedings/94jul/presentations/bradner/pre.bradner.mankin.slides.txt




Why IPv6 is a must?

2001-10-16 Thread su bo

Everyone:
   I'd like to know why IPv6 is a must.
   We can use IPv4 tunnels to extend the address
space. We can use IPsec with IPv4. We can use MPLS on
the trunk of the Internet to provide QoS. What is the need for
IPv6?
   IPv6 is not compatible with IPv4. If pure IPv6 is
used, all the IPv4 nodes are disconnected from the
Internet. If IPv6 and IPv4 are used at the same time,
the confusion is worldwide.
   I think using an IPv4 tunnel (IP_in_IP) can make an IP
address space of 2^64, and IP_in_IP_in_IP can make an
IP address space of 2^96.
   In this way we can extend the IP address space to any
size that best fits the Internet's needs. Lots of
Internet users connect to the Internet by proxy. IP_in_IP
is no more than a proxy. All the users know the important
nodes of the road, so the address is naturally
aggregatable.
   Every node on the Internet can keep its own old IPv4
address. Nothing changes!
   Every node of today's Internet would be a
proxy, a router or itself, just as it likes.
   The applications do not need to be changed
significantly, just configured to support a proxy. It
seems nearly all applications support proxies.
Certainly a small extension of the proxy is needed.
   All of that is supported by IPv4_in_IPv4.
   Do we really need IPv6?









Why IPv6 is a must to more detail

2001-10-16 Thread su bo

If you look at today's Internet as the backbone of the
next-generation Internet, with all the nodes of the
Internet as gateways to other parts of the Internet, the
Internet can have an address space of 2^32 multiplied by 2^32,
that is 2^64!
But the IP addresses must not be the same, as
the gateway cannot recognize what the IP address
means. If the neighboring nets do not have the same IP addresses,
just like the 10.*.*.* we use in intranets today,
the two nets can be easily recognized. With this method
we can denote a node of today's Intranet as proxy
IP address  node's IP address in the Intranet, e.g.
202.118.48.1.10.100.141.80
. IP address1 IP address2.
  In the same way, we can expand the address space to
any size.







Re: Why IPv6 is a must to more detail

2001-10-16 Thread John Stracke

 we can denote a node of now a day's Intranet as proxy
 ip address  node's IP address in the Intranet. eg
 202.118.48.1.10.100.141.80

Do you remember bang paths? That's what you're proposing. Deep pain.

John Stracke
Principal Engineer
Incentive Systems, Inc.
[EMAIL PROTECTED]


Re: Why IPv6 is a must to more detail

2001-10-16 Thread Brian E Carpenter

John Stracke wrote:
 
  we can denote a node of now a day's Intranet as proxy
  ip address  node's IP address in the Intranet. eg
  202.118.48.1.10.100.141.80
 
 Do you remember bang paths? That's what you're proposing.  Deep pain.

Also poor man's routing in DECnet Phase IV. A real nuisance, and
absolutely not a permanent solution.

There were several proposals for effectively extending IPv4 addresses
in 1992/1994 and they were all analysed in some detail: none of them
really worked, which is why we started IPv6. RFC 1752 gives an overview
of the final decision.

  Brian



