Re: IPv6 end user addressing

2011-08-11 Thread Mark Newton

On 12/08/2011, at 7:23 AM, Scott Helms wrote:

 The question I asked you is why should I as the service provider deploy 
 routers rather than bridges as CPE gear for residential customers. 

As a service provider, you don't want to burn an expensive TCAM slot to make
IPv6 ND work for every device a customer places on their LAN.

As a service provider, it's better to burn one TCAM slot per customer for the
prefix you route to them, and leave adjacency relationships within their home
to them.

Think of MAC address table size limits on switches.  Similar problem.

  - mark


--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: IPv6 end user addressing

2011-08-10 Thread Mark Newton

On 11/08/2011, at 8:42 AM, Owen DeLong wrote:
 
 I suppose that limiting enough households to too small an allocation
 will have that effect. I would rather we steer the internet deployment
 towards liberal enough allocations to avoid such disability for the
 future.


I see the lack of agreement on whether /48 or /56 or /60 is good for a
home network to be a positive thing.

As long as there's no firm consensus, router vendors will have to implement
features which don't make silly hard-coded assumptions.

Innovation will still happen, features will still be implemented, we'll
still climb out of the NAT morass.  But we'll do it with CPE that allows for
a richer spectrum of variation than we would if we just said, "Dammit, /48 for
everyone."

It's all good.  At this stage of the game, any amount of moving forward is
better than staying where we are.

(which reminds me: http://www.internode.on.net/news/2011/08/238.php It ain't
that hard)

  - mark

Re: IPv6 end user addressing

2011-08-10 Thread Mark Newton

On 11/08/2011, at 12:04 PM, Philip Dorr wrote:

 On Wed, Aug 10, 2011 at 8:56 PM, Owen DeLong o...@delong.com wrote:
 
 I'm glad I live in Owen's world and not Bill's. I think my appliance vendors
 will make much cooler and more useful products than yours.
 
 In Owen's world the fridge and pantry would know what they have, the
 amounts, and possibly location. The recipe book would be able to check
 what is in the fridge and pantry and tell if you need to buy more.  It
 could then set the oven to the correct temperature when you reach the
 correct step in the recipe.


The wine cellar will know how much you drank last night, and communicate with
the life-critical systems in the car to prevent engine start while you're
over the limit.  When the home BMS network notices that the flow sensor on the
shower hasn't started at the usual time the next morning, it'll play an IVR
out of your home PBX network to tell the boss you're too hungover to come to
work.

Owen's world has built in automated protection to help you through the fact that
IPv6 subnetting will turn you to drink :-)

  - mark

Re: IPv6 end user addressing

2011-08-10 Thread Mark Newton

On 11/08/2011, at 12:30 PM, Cameron Byrne wrote:
 Finally a useful post in this thread.  Good work on the deployment of real 
 ipv6!
 

Thanks. And thanks to Vendor-C for helping us through it.  The IPv6 Broadband
featureset on the ASR platform starting from IOS-XR 3.1 is a vast improvement
on its predecessors.

Biggest hassle with IPv6 in production right now:  DNS support is woefully 
undercooked.  I don't think anyone has put anywhere near as much effort into
making it fluid, user-friendly, and automated.  Simple questions like, "How
are reverse mappings supposed to work when you can't predict an end-user's
address?" have no good answer.  If any systems folks want a nice meaty problem
domain to focus their efforts on, DNS would be da shiznit.

  - mark

Re: IPv6 end user addressing

2011-08-10 Thread Mark Newton

On 11/08/2011, at 12:41 PM, Mark Newton wrote:

 
 On 11/08/2011, at 12:30 PM, Cameron Byrne wrote:
 Finally a useful post in this thread.  Good work on the deployment of real 
 ipv6!
 
 
 Thanks. And thanks to Vendor-C for helping us through it.  The IPv6 Broadband
 featureset on the ASR platform starting from IOS-XR 3.1 is a vast improvement
 on its predecessors.

Oops.  s/XR/XE/

  - mark


Re: IPv6 end user addressing

2011-08-10 Thread Mark Newton

On 11/08/2011, at 1:33 PM, Owen DeLong wrote:

 Yes and no. In terms of potential innovations, if enough of the market chooses
 /60, they will hard code the assumption that they cannot count on more than
 a /60 being available into their development process regardless of what
 gets into the router. Sure, they won't be able to assume you can't get a /48,
 but, they also won't necessarily implement features that would take advantage
 of a /48.

They will on their premium high price point CPE and/or service provider
offerings.  It'll be a product differentiator.  

If enough customers are attracted to it, it'll win.  If they
aren't, it'll lose.

The process of invention and innovation will happen anyway.  We're
not really talking about that here, we're talking about post-innovation
marketing.

Maybe ISP#2 in Australia will launch onto the market with /48's for everyone,
and we'll respond competitively.  Dunno.  Whatever, it's all kinda arbitrary
really.  Not worth arguing about, and certainly not worth delaying 
implementation until you finish debating the right answer.

 Perhaps far more than most of you wanted to know about navigation, but, at
 least worth considering when we think that all forward movement is good
 forward movement.


The 1-in-60 rule I learned during my pilot's license training is a lot easier
to explain, without diagrams and with no need for trigonometry.

Another useful judgement call when you're flying is to understand that
as long as you know where you are and where you want to be, any forward 
progress whatsoever is a positive when there's a growing thunderstorm
behind you :-)

  - mark


Re: dynamic or static IPv6 prefixes to residential customers

2011-08-02 Thread Mark Newton

On 03/08/2011, at 1:20 PM, Jima wrote:

 Alas, I will maintain that any household that multi-homes at this stage is, 
 indeed, abnormal.


I'll go out on a limb and suggest that most people loathe their telcos with
an undying venomous passion, and can think of nothing worse than dealing with
any more of them than they do now.

Widespread multihoming might be technically pure, but I reckon most customers
would rather eat their firstborns than take up the option.

  - mark

Re: IPv6 and RDNS

2011-05-19 Thread Mark Newton

On 19/05/2011, at 8:00 PM, Rodolfo (kix) wrote:

 Hi!
 
 what is the status of the reverse DNS in IPv6?

Rhymes with muster duck.

  - mark


Re: Mac OS X 10.7, still no DHCPv6

2011-02-28 Thread Mark Newton

On 01/03/2011, at 1:23 AM, Brian Johnson wrote:

 Can someone explain what exactly the security threat is?


If I see two IPv6 addresses which share the same 64 bit suffix,
I can be reasonably certain that they both correspond to the same
device because they'll both be generated by the same MAC address.

Your IPv6 address has thereby become a token I can use to track
your whereabouts, which is the kind of thing that privacy advocates
often find upsetting.

RFC4941 should be (but generally isn't) enabled by default.

Having said that, implementation of RFC4941 is lossy.  On MacOS,
long-held TCP sessions time-out when a new privacy suffix is 
generated and the old one ages out.  I'd have thought that a
better outcome would be for old addresses to continue working
until their refcount drops to zero.

 If you are going to say that knowing the MAC address of the end device allows 
 the bad guy to know what type of equipment you have and as such to attempt 
 known compromises for said equipment, then please just don't reply. :)

It's not about that;  there are already plenty of other attack vectors
that can be used to find out someone's IP address, such as web-bugs, 
logfiles behind phishing and malware distribution websites, etc.

The new attack vector which SLAAC with EUI64 creates is one of
trackability.  I can't passively accumulate IPv4 logs which tell me
which ISPs you've used, which cities you're in, which WiFi hotspots
you've used, which companies you've worked at, which websites you've
visited, etc.

I can accumulate logs which tell me which IP addresses have done those
things, but I can't (for example) correlate them to your personal 
smartphone.

I can with IPv6.

That's new, and (to my mind) threatening.  We've not even begun to 
consider the attack vectors that'll open up.

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223
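
What the shared 64-bit suffix described above looks like in a log review, as an added example that is not part of the original post: it recovers the MAC address from EUI-64 interface identifiers and lists devices seen under more than one /64, which is the check to run on your own logs to find hosts that still need RFC 4941 enabled. The addresses (documentation prefix 2001:db8::/32), MAC addresses and network labels are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (network where the address was logged, source address).
# The first three share one interface identifier; the last two are random
# RFC 4941-style identifiers that change from network to network.
OBSERVATIONS = [
    ("home-isp", "2001:db8:a:1:211:22ff:fe33:4455"),
    ("cafe-wifi", "2001:db8:b:7:211:22ff:fe33:4455"),
    ("office", "2001:db8:c:9:211:22ff:fe33:4455"),
    ("home-isp", "2001:db8:a:1:2aa:bbff:fecc:ddee"),
    ("home-isp", "2001:db8:a:1:3c5e:91a2:7b04:d6f1"),
    ("cafe-wifi", "2001:db8:b:7:8d21:4f0a:19c3:e577"),
]


def split_address(text):
    """Return (the /64 prefix, the low 64-bit interface identifier)."""
    value = int(ipaddress.IPv6Address(text))
    prefix = ipaddress.IPv6Network((value >> 64 << 64, 64))
    iid = value & ((1 << 64) - 1)
    return prefix, iid


def eui64_to_mac(iid):
    """Recover the MAC from an EUI-64 interface identifier, else None.

    EUI-64 inserts ff:fe between the two halves of the MAC and flips the
    universal/local bit (0x02) of the first octet. A random identifier can
    contain ff:fe by chance (about 1 in 65536), so a single match is a
    strong hint rather than proof.
    """
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def correlate(observations):
    """Map each recovered MAC to the sorted (network, /64 prefix) pairs it used."""
    sightings = defaultdict(set)
    for network, text in observations:
        prefix, iid = split_address(text)
        mac = eui64_to_mac(iid)
        if mac is not None:
            sightings[mac].add((network, str(prefix)))
    return {mac: sorted(seen) for mac, seen in sightings.items()}


def trackable_devices(observations):
    """Devices whose EUI-64 identifier appears under more than one /64."""
    return {
        mac: seen
        for mac, seen in correlate(observations).items()
        if len({prefix for _, prefix in seen}) > 1
    }


if __name__ == "__main__":
    for mac, seen in trackable_devices(OBSERVATIONS).items():
        print(mac)
        for network, prefix in seen:
            print(f"  {network:10} {prefix}")
```

The two hosts using random identifiers never appear in the result, because nothing in their addresses carries over from one network to the next.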








Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Mark Newton

On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:

 An armed FBI special agent shows up at your facility and tells your ranking
 manager to shut down the Internet.

Turn off the room lights, salute, and shout, "Mission Accomplished."
The FBI dude with the gun won't know the difference.

  - mark

Re: Weekend Gedankenexperiment - The Kill Switch

2011-02-03 Thread Mark Newton

On 04/02/2011, at 3:43 PM, Paul Ferguson wrote:

 On Thu, Feb 3, 2011 at 9:09 PM, Mark Newton new...@internode.com.au
 wrote:
 
 
 On 04/02/2011, at 2:13 PM, Jay Ashworth wrote:
 
 An armed FBI special agent shows up at your facility and tells your
 ranking manager to shut down the Internet.
 
 Turn off the room lights, salute, and shout, "Mission Accomplished."
 The FBI dude with the gun won't know the difference.
 
 
 No. The correct answer is that in the U.S., if the Agent in question has a
 valid subpoena or N.S.L., you must comply.

Subpoenas and NSLs are used to gather information, not to shut down
telcos.  They're just an enforceable request for records.

Considering that politicians in the US have suggested that they need
kill switch legislation passed before they can do it, and further
considering that kill switch legislation doesn't currently exist,
what lawful means do you anticipate an FBI special agent to rely on
in making such a request?

I'm not actually in the US.  In a question arising from the Egypt
demonstrations earlier this week, Australia's Communications Minister
said he didn't think the law as written at the moment provided the
government with the lawful ability to shut down telecommunications
services.
http://delimiter.com.au/2011/02/03/no-internet-kill-switch-for-australia-says-conroy/


  - mark

Re: Pointer for documentation on actually delivering IPv6

2010-12-05 Thread Mark Newton

On 06/12/2010, at 6:54 AM, Bill Fehring wrote:

 Apparently that has its own problems right now actually:
 http://blog.ioshints.info/2010/10/dhcpv6-relaying-another-trouble-spot.html

In our deployment mode, the CEs are running PPP sessions to the
BRAS, so they know when it reboots and can respond accordingly.

Layer 3 access networks could conceivably have an issue here, though.
It's almost as if everyone ought to have been working on this a decade
ago so that we'd have a workable solution by now! :-)

  - mark

Re: Recommendation in Australia for ISPs to force user security?

2010-06-22 Thread Mark Newton

On 23/06/2010, at 4:00 AM, Gadi Evron wrote:

 http://www.zdnet.com.au/make-zombie-code-mandatory-govt-report-339304001.htm
 
 A government report into cybercrime has recommended that internet 
 service providers (ISPs) force customers to use antivirus and firewall 
 software or risk being disconnected.
 security

Observation: The more someone uses the prefix "cyber", the less they
know what they're talking about.

(glares meaningfully at a coterie of cyberterrorism consultants)

Belinda Neal's committee is in the process of being pilloried by just 
about everyone who knows how to spell TCP/IP.  The whole thing is a 
complete embarrassment:  Last year we were all confronted with the spectacle
of her ridiculous clutch of MPs wasting the time of the security experts
invited to testify by quizzing them about movie plot threats.  Now we
get a proposal to move cybersecurity regulation to ACMA, the same
Government body which licenses spectrum; and controlfreaky suggestions 
about mandatory industry codes imposed on ISPs.

It's rampant screaming idiocy, the Dunning-Kruger effect in full motion.
I'd suggest that almost none of it will go anywhere at all, if not for 
the fact that Belinda Neal's entire political party seems to share her
mastery of the issue.

ObNOG: Botnets are bad, n'kay?

  - mark

Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Newton

On 20/04/2010, at 1:28 PM, Mark Andrews wrote:

 Changing from a public IP address to a private IP address is a big
 change in the conditions of the contract.  People do select ISP's
 on the basis of whether they will get a public IP address or a
 private IP address.

Seems to me your objection is based on whether or not the customer
gets a public address vs a private address.

There's no need for NAT pools to be RFC1918.  Pretty sure everyone
is going to get a public address of some form... it just won't 
necessarily be globally unique to them.

As for jurisdictional issues:  This particular Australian ISP amended
its T&C document to give us the discretion of providing LSN addresses
about two years ago.  Will we need to?  Perhaps not.  But if we do, the
T&C's are already worked out.  Looking ahead in time and forecasting
future risks is one of the things businesses are supposed to do, right?

Regards,

   - mark

Re: IP4 Space

2010-03-23 Thread Mark Newton

On 24/03/2010, at 4:10 AM, Christopher Morrow wrote:
 
 it seems to me that we'll have widespread ipv4 for +10 years at least,

How many 10 year old pieces of kit do you have on your network?

Ten years ago we were routing appletalk and IPX.  Still doing that
now?

Ten years ago companies were still selling ISDN routers which still
insisted on classful addressing.  Got any of them left on the network?

I'd expect that v4 will still exist in legacy form behind firewalls, 
but I think its deprecation on the public internet will happen a lot
faster than anyone expects.

 I agree that v6 deployments seem to be getting
 better/faster/stronger... I think that's good news, but we'll still be
 paying the v4 piper for a while.

Only until v4 becomes more expensive (using whatever metric matters to
you) than v6.

After you pass that tipping point, v4 deployment will stop dead.

  - mark

Re: IP4 Space

2010-03-23 Thread Mark Newton

On 24/03/2010, at 1:46 PM, bmann...@vacation.karoshi.com wrote:

 
 tell me Mark,
 
   when will you turn off -all- IPv4 in your network?

I don't imagine there'll be a date as such;  We'll just enable
IPv6 versions of the services you've mentioned on equipment which
supports it, and note that over time the number of systems still
using v6 to perform those functions diminishes.

   simple switching of datagrams over non-v4 transport is trivial.  the O&M
   behind running production is a slightly longer path and the legal
   requirements these days didn't exist a decade ago.  Chris was optimistic
   at 10+ years.


There seems to be an assumption that continuing to run v4 on a v6 internet
will be free, or at least cheap.

I don't think it will be.  I think it'll rapidly become horrendously expensive
in operational support terms, and that we'll all see significant pressure from
our CFOs and CTOs to get rid of it well before the ten-year estimate expires.

... and if we don't, our customers will.

  - mark

Re: IP4 Space - the lie

2010-03-07 Thread Mark Newton

On 07/03/2010, at 4:37 PM, Owen DeLong wrote:

 I expect that once we all work out that we can use SP-NAT to turn dynamic
 IPv4 addresses into shared dynamic IPv4 addresses, we'll have enough
 spare IPv4 addresses for much of the foreseeable future.
 
 Ew... The more I hear people say this, the more I am _REALLY_ glad
 I am unlikely to have to live behind such an environment. I cannot imagine
 that this will provide anything remotely resembling a good user experience,

To whom?

My mom doesn't care, and isn't likely to ever notice.

Gamers might care, but their gaming platforms are likely to 
be among the first to transition when the rubber meets the 
road, so they won't be significantly affected.

P2P users already don't care because their apps use v6
already.

You and I won't care, because we'll have v6 access to everything
we need too.

Content owners will care a fair bit at the beginning but less
as time goes on, and more of their eyeballs become v6-enabled.

There'll be bits of the internet that transition very, very 
quickly to dual-stack or straight-out IPv6, and there'll be 
other bits which won't.  The impact of what I've suggested will
be quarantined to that latter category.  And frankly I can't 
see why anyone should be expected to invest engineering time and
cost into solving a problem that only exists because the people
who are causing it (by not transitioning to v6) expect everyone
else to clean up their mess (by providing painless transition
tools).

To put it another way:  The very last IPv4-only Internet user
won't have any serious expectation that the rest of the world
owes him/her an easy ride.  So why should the last five of them,
or the last 1000 of them, or even the last billion of them? 
There'll be a sliding scale of care-factor, and my guess is that
it won't take very long to get to the bottom of it, and that 
the significant bulk of the transition will happen faster than
anyone expects.

 or, even close to the current degraded user experience most people tolerate
 behind their current NAT devices.

Sucks to be them.  They'd better upgrade then, hadn't they?

 If I have half a million residential subscribers and I can get ten 
 subscribers onto each NATted IPv4 address, then I only need 50,000
 addresses to service them.  Yet I have half a million addresses
 *right now*, which I won't be giving back to my RIR.  So that turns
 into 450,000 saleable addresses for premium customers after the
 SP-NAT box is turned on, right?
 
 Interesting way of thinking about it.  I suspect that rather than pay your
 premium prices, the customers you just degraded in order to charge
 them more for the service they had will look to your competitors for
 better service.

My competitors will have the same problem with the same array of 
available solutions with the same mixtures of cost, benefit and 
care-factor.  Odds are that they'll probably make many of the 
same decisions.

Sorry, perhaps I'm missing something here, but is there a general
expectation that the v4-v6 transition is going to be an easy ride
for everyone?  

  - mark

Re: IP4 Space

2010-03-06 Thread Mark Newton

On 06/03/2010, at 1:06 AM, David Conrad wrote:

 Mark,
 
 On Mar 4, 2010, at 11:46 PM, Mark Newton wrote:
 On 05/03/2010, at 2:50 PM, David Conrad wrote:
 When the IPv4 free pool is exhausted, I have a sneaking suspicion you'll 
 quickly find that reclaiming pretty much any IPv4 space will quickly become 
 worth the effort.
 
 Only to the extent that the cost of IPv6 migration exceeds the cost
 of recovering space.
 
 You're remembering to include the cost of migrating both sides, for all 
 combinations of sides interested in communicating, right?  In some cases, 
 that cost for one of those sides will be quite high.

Yes, but I only need to pay the cost of my side.

 There's sure to be an upper-bound on the cost of v4 space, limited by the
 magnitude of effort required to do whatever you want to do without v4.
 
 The interesting question is at what point _can_ you do what you want without 
 IPv4.  It seems obvious that that point will be after the IPv4 free pool is 
 exhausted, and as such, allocated-but-not-efficiently-used addresses will 
 likely become worth the effort to reclaim.

That isn't a likely outcome, though.  We'll never need to do without IPv4,
it'll always be available, just in a SP-NATted form which doesn't work very 
well.

Continuing to put up with that state of affairs comes with its own set of
costs and obstacles which need to be weighed up against the cost of 
migrating to dual-stack (unicast global IPv6 + SPNAT IPv4) to extract yourself
from the IPv4 tar-baby.  Not migrating will be increasingly expensive
over time, the costs of migrating will diminish, each individual operator
will reach their own point when staying where they are is more expensive
than getting with the program.

And most of the participants on this mailing list will probably reach
that point sooner than they think.

My mom will probably never see a need to move beyond IPv4.  But her next
door neighbor with the bittorrent client and WoW habit probably will, and
any content provider who's interested in having a relationship with their
eyeballs which isn't intermediated by bollocky SPNAT boxes probably will too.

Horses for courses.

What I do know is that this "migrating to IPv6 is expensive so nobody wants
to do it" is a canard that's been trotted out for most of the last decade
as a justification for doing nothing.

As an ISP that's running dual-stack right now, I can tell you from personal
experience that the cost impact is grossly overstated, and under the 
circumstances is probably better off ignored.

Just sayin'.

  - mark

Re: IP4 Space - the lie

2010-03-06 Thread Mark Newton

On 06/03/2010, at 1:10 AM, Dan White wrote:

 On 05/03/10 12:39 +, bmann...@vacation.karoshi.com wrote:
 I *wholeheartedly* agree with Owen's assessment. Even spending time
 trying to calculate a rebuttal to his numbers is better spent moving
 toward dual-stack ;)
 
 Nice.
 
 Steve
 
 
  er... what part of dual-stack didn't you understand?
  dual-stack consumes exactly the same number of v4 and v6 addresses.
 
 I would expect the number of v6 addresses assigned to a host to be a
 multiple of the number of v4 addresses, depending on the type of host.

That's because you haven't done it yet.  When you start doing it,
you'll see that the number of v6 addresses assigned to a host will
bear almost no relationship whatsoever to any metrics you've previously
used to allocate IPv4 addresses.

 Or, dual stack today. When you've run out of IPv4 addresses for new end
 users, set them up an IPv6 HTTP proxy, SMTP relay and DNS resolver and/or
 charge a premium for IPv4 addresses when you start to sweat.

I expect that once we all work out that we can use SP-NAT to turn dynamic
IPv4 addresses into shared dynamic IPv4 addresses, we'll have enough
spare IPv4 addresses for much of the foreseeable future.

If I have half a million residential subscribers and I can get ten 
subscribers onto each NATted IPv4 address, then I only need 50,000
addresses to service them.  Yet I have half a million addresses
*right now*, which I won't be giving back to my RIR.  So that turns
into 450,000 saleable addresses for premium customers after the
SP-NAT box is turned on, right?

Problem solved :-)

  - mark


Re: IP4 Space

2010-03-04 Thread Mark Newton

On 05/03/2010, at 12:25 PM, Owen DeLong wrote:

 The most we could achieve would be to extend IPv4 freepool lifespan
 by roughly 26 days. Given the amount of effort squeezing useful
 addresses out of such a conversion would require, I proffer that
 such effort is better spent moving towards IPv6 dual stack on your
 networks.

... and, unstated behind that, is the observation that pretty much any
proposed effort to squeeze more time out of IPv4 will inevitably have
the same answer :-)

  - mark

Re: IP4 Space

2010-03-04 Thread Mark Newton

On 05/03/2010, at 2:50 PM, David Conrad wrote:

 When the IPv4 free pool is exhausted, I have a sneaking suspicion you'll 
 quickly find that reclaiming pretty much any IPv4 space will quickly become 
 worth the effort.

Only to the extent that the cost of IPv6 migration exceeds the cost
of recovering space.

There's sure to be an upper-bound on the cost of v4 space, limited by the
magnitude of effort required to do whatever you want to do without v4.

  - mark


Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-15 Thread Mark Newton

On 15/12/2009, at 11:19 PM, Joakim Aronius wrote:

 So what you are saying is that ease of use and service availability is 
 priority one. Then what exactly are the responsibilities of the ISP and CPE 
 manufacturer when it comes to security? CPEs with WiFi usually come with the 
 advice to change password etc. Is it ok to build an infrastructure relying on 
 UPnP, write a disclaimer, and let the end user handle eventual problems? (I 
 assume it is...)

Hasn't essentially every ISP on the planet been doing that for years, 
only without the disclaimer?

It's not like we're talking about creating UPnP from whole cloth.  We're
discussing a replacement of like-for-like, updating existing capabilities
to support IPv6.

  - mark

Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-13 Thread Mark Newton

On 13/12/2009, at 10:10 AM, Frank Bulk wrote:

 While the support burden will be raised, I think the network needs to be
 dual-stack from end-to-end if SPs want to keep middle-boxes out.  But for
 those who really do run out of IPv4 addresses, I'm not sure how middle-boxes
 can be avoided.  Kind of hard to tell customer n+1 that they can only visit
 the IPv6 part of the web.  Perhaps new customers will have to use a service
 provider's CGN and share IPv4 addresses until enough of the internet is
 dual-stack.


The most likely outcome I can see is that customers on services which 
feature dynamic IPv4 addresses (mostly residential) will end up behind
a CGN on a dual stack service.

I fully expect the CGN to suck mightily, mitigated somewhat by the fact
that the customer would also happen to have a non-NATted IPv6 address
if they upgrade their CPE to take advantage of it.

Despite the suckage, as long as email, web and VoIP keep working I think
most residential customers wouldn't notice the CGN imposition at all.

The act of putting those customers behind a CGN would immediately free
up enough IPv4 addresses that the ISP concerned would have a virtually
limitless supply for fixed-IP business-grade services -- virtually
limitless in the sense that there'd be enough to feed those services
with new addresses for however much time it takes to complete an IPv6
transition.

How long will that take?  I don't think it'll be anywhere near as long
as most people appear to be expecting.  Sure, there'll be a large 
installed base of printers and home entertainment devices running legacy
IPv4-only software, but by and large they either don't need Internet
access at all or are quite happy talking to the world through NAT, and
can be mostly ignored for the purpose of a discussion about transition
durations (in the same way that we ignored all the HP JetDirect cards
when we talked about how long it took to turn the Internet classless).

I reckon CGNs will be so bad, with so many bugs and so much support
overhead that service providers and customers alike will want
to move past them as quickly as humanly possible, and the whole 
transition will be all done and dusted in a few years from their 
implementation.  It's going to be a total and absolute disaster, and
the only way out of it will be to move forward.

Of course, all of this is predicated on the notion that CGNs will
actually exist.  As far as I can tell they're all vapourware at the 
moment.  If there's one thing I've learned from all of this it's that
roadmap announcements aren't worth anything, and that if the vendors
ever do actually manage to get around to shipping something it'll
be so poorly thought out that it's impractical to use in a service 
provider environment until version 2 -- which, in the case of CGN,
will be too late.

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-13 Thread Mark Newton

On 14/12/2009, at 9:38 AM, Frank Bulk wrote:

 I hope you're right.  I really hope that there's this phenomenal transition
 in 2011 of content from 0.1% IPv6-accessible to 99% IPv6-accessible.

Forget content, they're just along for the ride.

When most service providers have eye-wateringly shite CGNs acting
as intermediaries between eyeballs and content, the content providers
will be motivated to move to v6 even if only as a means of damage
control.


  And
 not even by node count, but by percentage of traffic.  And pain is one way
 to get there.  Every few months I think of the number of truck rolls we'll
 need to do to swap out DSL modems and SOHO routers with their IPv6
 equivalents.

Ah, that's something we don't have.  Our customers own their own 
(which has its own slew of problems:  I can't make them upgrade,
and if I tell them they'll have to spend a hundred bucks to restore
the functionality I broke for them last week I'll have a revolt
on my hands...)


  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-11 Thread Mark Newton

On 11/12/2009, at 1:14 PM, Owen DeLong wrote:
 
 You don't need UPnP if you're not doing NAT.

You kinda do if you're using a stateful firewall with a deny
everything that shouldn't be accepted policy.  UPnP (or something
like it) would have to tell the firewall what should be accepted.


   - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-11 Thread Mark Newton

On 11/12/2009, at 11:56 PM, Simon Perreault wrote:

 We *know* that if a worm puts up
 a popup that says Enable port 33493 on your firewall for naked pics of..
 that port 33493 will get opened anyhow, so we may as well automate the
 process and save everybody the effort.
 
 Not if the victim doesn't have rights on the firewall (e.g. enterprise).

Would you be using Consumer Grade - IPV6 Enabled Router Firewalls in the
enterprise?  'cos if you would, I think I might have entered the wrong
thread :)

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-11 Thread Mark Newton

On 12/12/2009, at 12:11 AM, Simon Perreault wrote:

 We have thus come to the conclusion that there shouldn't be a NAT-like 
 firewall
 in IPv6 home routers.

Eh?  What does NAT have to do with anything?  We already know that IPv6
residential firewalls won't do NAT, so why bring it into this discussion
at all?

Some of us are trying to formulate and offer real-life IPv6 services
to our marketplaces before IPv4 runs out, and the vendors simply
aren't interested in being there to help us out.  Pointless distractions
about orthogonal issues that don't matter (e.g., NAT) don't help at
all.

FWIW, I asked Fred Baker about this at the IPv6 Forum meeting in 
Australia this week.  He'd just handled another question about 
the memory requirements required for burgeoning routing table growth
by saying that if routers need extra RAM then routers with extra RAM
will appear on the market, because if you're prepared to pay money
for it, we'll try to sell it to you.  

So I asked, I'm prepared to pay money for IPv6-capable ADSL2+ CPE.
Are you prepared to sell it to me? and he said, Yes, just not with
our firmware.

Which I thought was a bit of a cop-out, given that it was one of our
customers who developed the IPv6 openwrt support in the first place,
with zero support from Fred's employer, after we'd spent two years 
hassling them about their lack of action.

... and this is in the same week when, in the context of IPv6, someone
else asked me how many units of their gear we'd ship (Zero. You don't
have a product with the features we need so we'll use one of your
competitors instead. Let's revisit this when you're prepared to have
a conversation that doesn't include `lack of market demand' as a
reason for not doing it.)

Argh.  Disillusionment, much?

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-11 Thread Mark Newton

On 12/12/2009, at 4:15 PM, Roger Marquis wrote:

 Is there a natophobe in the house who thinks there shouldn't be stateful
 inspection in IPv6?  If not then could you explain what overhead NAT
 requires that stateful inspection hasn't already taken care of?

I handwave past all that by pointing out (as you have) that 
stateful inspection is just a subset of NAT, where the inside
address and the outside address happen to be the same.

(in the same way that the SHIM6 middleware boxes which were 
proposed but never built were /also/ just subsets of NAT, with
the translation rules controlled by the SHIM6 protocol layers 
on the hosts... but we weren't allowed to call them NAT gateways,
because IPv6 isn't supposed to have any NAT in it :)

   - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-03 Thread Mark Newton



On 03/12/2009, at 22:46, TJ trej...@gmail.com wrote:


From: Mark Newton [mailto:new...@internode.com.au]
On 03/12/2009, at 9:51 AM, Dave Temkin wrote:

You're correct, out of the box there aren't many.  The first couple that
come to mind are the Apple Airport Express and Airport Extreme, but I don't
believe Linksys/Netgear/etc. have support out of the box.

The Apple products do 6to4 out of the box, but don't support v6 natively.

FWIW - The (Cisco) Linksys 610N does (and perhaps others do?) the same
amount of IPv6 the Airport Extreme does - 6to4, SLAAC - out of the box, by
default.  In fact, I am not sure you can turn it off ..

Yep -- which is worse than useless in the presence of a service
provider that's already offering dual-stack service.

Here! Have a v6 address. We'll even give you a moderately large
prefix if you run a DHCPv6-PD client... Oh, what? You're going to
ignore all that and use a 6to4 gateway and pessimize the v6 routing
decisions we've made? And live in one /64 even though every man and
his dog reckons service providers ought to be handing out /56's or
/48's? Gee, glad we went to the effort...

Sadly the easiest way for residential subscribers to get IPv6 on PPPoE
in 2009 is to put their CPE into bridge mode and run the PPPoE
client on a PC.


The vendors have really dropped the ball on this.

(glares at Cisco/Linksys)

   - mark



Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-02 Thread Mark Newton

On 03/12/2009, at 12:45 PM, Matthew Moyle-Croft wrote:
 Come on CPE vendors - most of you run Linux in your CPEs these days.  How 
 hard is it to make it work?   Someone got an image working for us with 
 OpenWRT in his spare time in a week, surely you CPE vendors can cobble 
 something together for people to try out in a real piece of ADSL CPE I can 
 buy at a shop?

The fact that someone got OpenWRT working in less than a week of spare
time makes it totally clear why the commercial vendors haven't done
anything:  They're just simply not interested, nothing more, nothing
less.

There's obviously no technical barrier whatsoever (otherwise, again,
OpenWRT wouldn't work).  If it can be done in a week of developer 
time there's barely even an economic barrier.  

It's just disinterest.

Linksys, being owned by the world's largest router vendor and being
confronted with actual independently-developed working code for their
hardware platforms, have the least excuse out of any of them.  Years
and years of talk, and no customer-visible action whatsoever.  What
an exceptionally ordinary performance.

See you in Melbourne next week, Fred :)

  - mark


--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-02 Thread Mark Newton

On 03/12/2009, at 12:53 PM, Mehmet Akcin wrote:

 Would you consider Juniper SSG5 as a Consumer Grade router?

Depends.  Can I get one at Frys for $69.95 and set it up with
a web browser?

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-02 Thread Mark Newton

On 03/12/2009, at 9:51 AM, Dave Temkin wrote:

 You're correct, out of the box there aren't many.  The first couple that come 
 to mind are the Apple Airport Express and Airport Extreme, but I don't 
 believe Linksys/Netgear/etc. have support out of the box.

The Apple products do 6to4 out of the box, but don't support v6 natively.

Apple seems to have ideological objections to DHCPv6, so at the moment
there's little hope at all that prefix delegation will work on any of their
CPE products.

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-02 Thread Mark Newton

On 03/12/2009, at 3:26 PM, Owen DeLong wrote:

 You're correct, out of the box there aren't many.  The first couple that 
 come to mind are the Apple Airport Express and Airport Extreme, but I don't 
 believe Linksys/Netgear/etc. have support out of the box.
 
 The Apple products do 6to4 out of the box, but don't support v6 natively.
 
 What do you mean they don't support v6 native?
 I am running my Time Capsule in v6 native.

Okay, let me rephrase that.

I can't run a PPPoE client on an Airport Express which will
give me native dual-stack Internet access.

Yes, I can talk to the Airport Express with v6, no debate there.
And yes, if it sees an RA message it'll configure itself with the 
appropriate prefix EUI64 itself an address.

But unless there's some configuration knob I haven't found, off-LAN
v6 access requires either some other v6-capable CPE to act as the
interface to the service provider, or it runs over 6to4.

 True none of the apple products support DHCPv6. I think there is some hope 
 Apple will come around on this issue.

Currently the Snow Leopard kernel panics if you turn on the 
net.inet6.ip6.accept_rtadv sysctl and start a PPPoE session which
negotiates IP6CP.

(I have a bug open with them, and I'm confident that it'll be fixed...
but c'mon...!)


  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: ISP customer assignments

2009-10-12 Thread Mark Newton


On 13/10/2009, at 2:02 PM, Scott Morris wrote:

I happen to train people at CCIE level.  I also happen to do consulting,
implementation, and design work.  In my training environment, there are
all sorts of re-thinking of what/how things are being taught even within
the confines of comparison to a lab environment.

Does the CCNA exam still ask questions about RIP and classful addressing?


Just askin' :-)

  - mark


--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Telstra issues

2009-09-02 Thread Mark Newton


On 03/09/2009, at 2:52 PM, Andrew Parnell wrote:

I saw the weirdest thing earlier this evening where one of our two /24 routes
in sydney disappeared from the internet - from both our telstra and verizon
connections.  The only explanation i could come up with was that Australia
had been somehow bizarrely severed from the internet.  Anybody else happen
to also run a network in Australia who saw something strange today?

We run one which isn't connected to Telstra :-)

There are media reports this morning of major outages in Telstra's domestic
network.
http://www.australianit.news.com.au/story/0,24897,26021106-15306,00.html

   - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-21 Thread Mark Newton


On 22/04/2009, at 7:25 AM, Jo Rhett wrote:


On Apr 21, 2009, at 2:42 PM, Shane Ronan wrote:
Mr Curran, given the response you've seen from the group, and in
particular the argument that most CEO's or Officers of firms will
simply sign off on what their IT staff tells them (as they have
little to no understanding of the situation),

You really should go ask a CEO if he'd sign off on something that he
doesn't understand.  Really.  I can assure you that your impression
is wrong, and most CEOs don't prefer to be standing in court
defending their actions.

So who's going to have standing to drag them into court over false
declarations to ARIN?  Will ARIN be suing their members?  Not likely.

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Newton


On 10/02/2009, at 9:54 AM, Stephen Sprunk wrote:


Yes, an ALG needs to understand the packet format to open pinholes
-- but with NAT, it also needs to mangle the packets.  A non-NAT
firewall just examines the packets and then passes them on unmangled.

Sure, but at the end of the day a non-NAT firewall is just a special case
of NAT firewall where the inside and outside addresses happen to
be the same.

If I was a commodity consumer hardware manufacturer, that's how I'd handle
the IPv6 firewalling problem, because that'd let me pass non-NAT'ed v6
packets and NAT'ed v4 packets through the same code paths, thereby enabling
me to avoid reinventing the entire wheel (and an entire new set of bugs)
to do v6 firewalling.

DSL/Cable CPE is already full of v4 ALGs, and it's reasonable to expect that
the only difference between those and the equivalent v6 ALGs will be the
lack of v6 NAT.

  -  mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223
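
The point made in the message above, that a non-NAT firewall is a NAT firewall whose inside and outside addresses happen to be the same, sketched as an added example (not code from the thread or from any CPE vendor). One state table serves NAPT'ed IPv4 and untranslated IPv6, and a pinhole request stands in for the UPnP-like mechanism mentioned elsewhere in this archive; the class name, port pool and documentation-range addresses are constructed for illustration.

```python
from ipaddress import ip_address

def norm(ip):
    """Canonical text form, so equal addresses always compare equal."""
    return str(ip_address(ip))

class CpeFirewall:
    """Hypothetical CPE state engine: IPv6 is NAT with an identity mapping."""

    def __init__(self, wan_v4, first_port=40000):
        self.wan_v4 = norm(wan_v4)
        self.next_port = first_port  # constructed NAPT port pool
        self.xlate = {}     # (proto, in_ip, in_port) -> (out_ip, out_port)
        self.state = {}     # (proto, out_ip, out_port, peer_ip, peer_port) -> inside
        self.pinholes = {}  # (proto, out_ip, out_port) -> inside

    def _translate(self, proto, in_ip, in_port):
        key = (proto, in_ip, in_port)
        if key not in self.xlate:
            if ip_address(in_ip).version == 6:
                self.xlate[key] = (in_ip, in_port)  # outside == inside
            else:
                self.xlate[key] = (self.wan_v4, self.next_port)
                self.next_port += 1
        return self.xlate[key]

    def outbound(self, proto, src, sport, dst, dport):
        """LAN -> WAN: record state, return the packet as seen on the WAN."""
        src, dst = norm(src), norm(dst)
        out_ip, out_port = self._translate(proto, src, sport)
        self.state[(proto, out_ip, out_port, dst, dport)] = (src, sport)
        return (out_ip, out_port, dst, dport)

    def open_pinhole(self, proto, in_ip, in_port):
        """What a UPnP-like request from a LAN host would ask for."""
        in_ip = norm(in_ip)
        out = self._translate(proto, in_ip, in_port)
        self.pinholes[(proto,) + out] = (in_ip, in_port)
        return out

    def inbound(self, proto, src, sport, dst, dport):
        """WAN -> LAN: return the rewritten packet, or None to drop."""
        src, dst = norm(src), norm(dst)
        inside = self.state.get((proto, dst, dport, src, sport))
        if inside is None:
            inside = self.pinholes.get((proto, dst, dport))
        if inside is None:
            return None  # default deny: no state and no pinhole
        return (src, sport) + inside

def demo():
    fw = CpeFirewall("192.0.2.1")
    lan6, web6, stranger6 = "2001:db8:1::10", "2001:db8:ffff::7", "2001:db8:ffff::66"
    r = {}
    r["v4_out"] = fw.outbound("tcp", "192.168.1.10", 51000, "198.51.100.7", 443)
    r["v6_out"] = fw.outbound("tcp", lan6, 51000, web6, 443)
    r["v4_reply"] = fw.inbound("tcp", "198.51.100.7", 443, "192.0.2.1", 40000)
    r["v6_reply"] = fw.inbound("tcp", web6, 443, lan6, 51000)
    r["v4_unsolicited"] = fw.inbound("tcp", "203.0.113.9", 4444, "192.0.2.1", 40000)
    r["v6_unsolicited"] = fw.inbound("tcp", stranger6, 4444, lan6, 22)
    fw.open_pinhole("tcp", lan6, 22)
    r["v6_pinhole"] = fw.inbound("tcp", stranger6, 4444, lan6, 22)
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The only family-specific line is the branch in `_translate`; removing NAT from IPv6 does not remove the state table that decides which inbound packets are accepted.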








Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Newton


On 10/02/2009, at 10:17 AM, Owen DeLong wrote:


Sure, but at the end of the day a non-NAT firewall is just a special case
of NAT firewall where the inside and outside addresses happen to
be the same.

Uh, that's a pretty twisted view.  I would say that NAT is a special
additional capability of the firewall which mangles the address(es)
in the packet.  I would not regard passing the address unmangled
as a special case of mangling.

You're passing a value judgement on NAT, using loaded terms like mangling
and twisted.

Fine, you don't like rewriting L3 addresses and L4 port numbers.  Yep,
I get that.  Relevance?

In terms of implementing the code, sure, the result is about the same,
but, the key point here is that there really isn't a benefit to having that
packet mangling code in IPv6.

There is if you have a dual-stack device, your L4-and-above protocols
are the same under v4 and v6, and you don't want to reinvent the ALG wheel.


  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: v6 DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Newton


On 10/02/2009, at 11:03 AM, Jack Bates wrote:


There is if you have a dual-stack device, your L4-and-above protocols
are the same under v4 and v6, and you don't want to reinvent the ALG wheel.

ALG only fixes some problems, and it's not required for as much when
address translations are not being performed.


On a commodity consumer CPE device, the ALG code doubles as a
stateful inspection engine.

So it _is_ required when address translations are not being performed.

Is security something that gets thought about now, or post-deployment?

  - mark

--
Mark Newton   Email:  new...@internode.com.au (W)
Network Engineer  Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: spurring transition to ipv6 -- make it faster

2008-10-14 Thread Mark Newton


On 15/10/2008, at 6:19 AM, Scott Doty wrote:


Just wondering:  what if we gave ipv6 traffic mucho priority over ipv4
traffic, then tell our user communities that ipv6 provides a better
quality network experience, including (hopefully) faster page loads,
lower video game pings?


I think by the time we've put carrier NATs everywhere the users will
notice that all by themselves, and we won't need to tell them anything.

   - mark


--
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223








Re: interger to I P address

2008-08-27 Thread Mark Newton


On 28/08/2008, at 8:38 AM, Randy Bush wrote:

here at the apnic meeting, we are indulging for a bit into the deep topic
of how to textually represent 32-bit AS numbers.  is it . or
?  while we readily admit that a deep many year discussion of a
dot is clearly a topic for the ietf, we do have to allocate these
things, so actually need an answer.


At AusNOG last week, it was pointed out that using a . in the middle
of an AS number wrecks AS path regexes in RPSL.

So those of us using IRR's have to go back and rewrite all our policies.
And IRRToolSet needs to be updated, which is probably an even worse
proposition :-)

I'm strongly in favour of ASPLAIN.  I reckon the people who advocate
using dots because they think 32-bit ASNs up to 4 billion are too long
to remember are probably getting old :-)

  - mark


--
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223
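
The regex problem raised in the message above, as an added example that is not part of the original post: converting between the dotted form (asdot, RFC 5396) and ASPLAIN, and showing how an unescaped dot in an AS-path filter also accepts an unrelated 16-bit ASN. It assumes the pattern is applied to the space-separated text of the path with Python's `re`, which stands in for a policy tool's matcher; the ASNs and patterns are constructed.

```python
import re

MAX_ASN = 0xFFFFFFFF

def asdot_to_asplain(text):
    """Parse asplain ("65546") or asdot ("1.10") into an integer ASN."""
    if "." in text:
        high, low = (int(part) for part in text.split("."))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"asdot halves out of range: {text}")
        asn = (high << 16) | low
    else:
        asn = int(text)
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"not a 32-bit ASN: {text}")
    return asn

def asplain_to_asdot(asn):
    """Render an ASN in asdot: plain below 65536, high.low above."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"not a 32-bit ASN: {asn}")
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"

def path_matches(pattern, as_path, notation):
    """Apply a text regex to an AS path rendered in the given notation."""
    render = asplain_to_asdot if notation == "asdot" else str
    text = " ".join(render(asn) for asn in as_path)
    return re.search(pattern, text) is not None

def demo():
    # Constructed policy: accept only paths originated by AS 65546 (asdot 1.10).
    intended = [64500, 65546]
    bystander = [64500, 1210]        # unrelated 16-bit origin
    naive = r"(^| )1.10$"            # dot left unescaped, so it is a wildcard
    escaped = r"(^| )1\.10$"         # every existing filter must be rewritten like this
    plain = r"(^| )65546$"           # ASPLAIN needs no special handling
    return {
        "naive_intended": path_matches(naive, intended, "asdot"),
        "naive_bystander": path_matches(naive, bystander, "asdot"),
        "escaped_bystander": path_matches(escaped, bystander, "asdot"),
        "plain_intended": path_matches(plain, intended, "asplain"),
        "plain_bystander": path_matches(plain, bystander, "asplain"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

`naive_bystander` comes back true: the filter meant for AS 1.10 also accepts a route originated by AS 1210, which is the kind of silent policy widening that makes the dotted form risky in route filters.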








Re: [NANOG] Microsoft.com PMTUD black hole?

2008-05-07 Thread Mark Newton

On 07/05/2008, at 4:42 PM, Glen Turner wrote:

 Amazing. A fine case study of a person in customer contact undoing the
 work of millions of dollars in PR.

I wouldn't worry too much about it, Glen.  My observation is that the
millions of dollars in PR isn't working very well either :-)

  - mark


--
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223





