Re: IPv6 end user addressing
Hi,

The CPE we're providing to our customers from Billion (78xxN/NL, 74xxNX etc) and AVM (Fritz!Box 7290 and 7390) that have IPv6 code do have IPv6 stateful firewalls. Our requirement was that, as much as possible, the IPv4 and IPv6 outcome should be similar (with obvious exceptions around NAT). Without IPv6 having a firewall in the CPE it'd be a difficult thing to convince people to do. And here I'm speaking about normal customers. The people who've taken up our IPv6 service so far are not typical customers but people who are, well, fairly switched on to this stuff. So we had to look beyond the initial desires of our customers to what the general population would want. (ie. someone who's regularly attending IETF meetings typically has a different outlook on what they want in a CPE vs what my Dad wants).

MMC

On 14/08/2011, at 5:49 AM, Carlos Martinez-Cagnazzo wrote:

> You are assuming (as many, many people do) that public addresses equal no firewall, and that IPv6 CPEs will have no stateful firewalling. The thing is, just as they have a stateful firewall now for IPv4 they will have one for IPv6 as well. The fact that your addressing is public (or let's say, routeable) does not make a difference. Again, it is not the NAT layer of your IPv4 CPE that protects you, it's the stateful firewall.
>
> regards
>
> Carlos
>
> On Thu, Aug 11, 2011 at 2:52 PM, Greg Ihnen os10ru...@gmail.com wrote:
>
>> On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:
>>
>>> On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
>>>
>>>> Owen wrote:
>>>>
>>>>> -----Original Message-----
>>>>> From: Owen DeLong [mailto:o...@delong.com]
>>>>> Sent: Wednesday, August 10, 2011 9:58 PM
>>>>> To: William Herrin
>>>>> Cc: nanog@nanog.org
>>>>> Subject: Re: IPv6 end user addressing
>>>>>
>>>>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>>>>
>>>>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote:
>>>>>>
>>>>>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>>>>>
>>>>>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)
>>>>>
>>>>> This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.
>>>>
>>>> And your average home user, whose WiFi network is an open network named linksys is going to do that how?
>>>
>>> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?
>>>
>>> Owen
>>
>> I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the predictions that have been around for years about appliances which will alert the manufacturer about impending failure so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have an "appliance about to break, call repairman" idiot light on appliances yet. But I predict the coming of IPv6 to the home in a big way will have unintended consequences.
>>
>> I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall gone and all their devices exposed naked to everyone on the internet. Suddenly all their security shortcomings (no passwords, "password" for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with RFC 1918 address space behind a firewall and haven't rethought security as it applies to IPv6.
>>
>> Greg
>
> --
> =
> Carlos M. Martinez-Cagnazzo
> http://www.labs.lacnic.net
> =

--
Matthew Moyle-Croft
Peering Manager
Re: IPv6 end user addressing
You are assuming (as many, many people do) that public addresses equal no firewall, and that IPv6 CPEs will have no stateful firewalling. The thing is, just as they have a stateful firewall now for IPv4 they will have one for IPv6 as well. The fact that your addressing is public (or let's say, routeable) does not make a difference. Again, it is not the NAT layer of your IPv4 CPE that protects you, it's the stateful firewall.

regards

Carlos

On Thu, Aug 11, 2011 at 2:52 PM, Greg Ihnen os10ru...@gmail.com wrote:

> On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:
>
>> On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
>>
>>> Owen wrote:
>>>
>>>> -----Original Message-----
>>>> From: Owen DeLong [mailto:o...@delong.com]
>>>> Sent: Wednesday, August 10, 2011 9:58 PM
>>>> To: William Herrin
>>>> Cc: nanog@nanog.org
>>>> Subject: Re: IPv6 end user addressing
>>>>
>>>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>>>
>>>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote:
>>>>>
>>>>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>>>>
>>>>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)
>>>>
>>>> This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.
>>>
>>> And your average home user, whose WiFi network is an open network named linksys is going to do that how?
>>
>> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?
>>
>> Owen
>
> I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the predictions that have been around for years about appliances which will alert the manufacturer about impending failure so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have an "appliance about to break, call repairman" idiot light on appliances yet. But I predict the coming of IPv6 to the home in a big way will have unintended consequences.
>
> I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall gone and all their devices exposed naked to everyone on the internet. Suddenly all their security shortcomings (no passwords, "password" for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with RFC 1918 address space behind a firewall and haven't rethought security as it applies to IPv6.
>
> Greg

--
=
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
=
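The point MMC and Carlos make above (a globally routable address behind a stateful filter is not a globally reachable one, and the filter, not the NAT, is what gives IPv4 CPE its closed-by-default posture) can be shown with a small flow-table model. The following is an added example written for this page; it is not code from the thread or from the Billion or AVM firmware mentioned. The delegated /48, the host addresses and the packet trace are constructed from the 2001:db8::/32 documentation prefix, and the pinhole set stands in for the access-list entries a user would open deliberately.

```python
"""Toy model of an IPv6 CPE stateful firewall (added example, constructed data).

Default policy: anything the LAN initiates creates state and its replies are let
back in; anything unsolicited from the WAN is dropped unless a pinhole exists.
That is the IPv4 NAT outcome without any address translation.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Set, Tuple

# Constructed: the /48 the ISP delegated to this home (e.g. via DHCPv6-PD).
HOME_PREFIX = IPv6Network("2001:db8:1234::/48")

FlowKey = Tuple[str, int, str, int, str]   # src, sport, dst, dport, proto
Pinhole = Tuple[str, int, str]             # dst, dport, proto


@dataclass(frozen=True)
class Packet:
    ingress: str      # "lan" or "wan": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Default-deny inbound filter with connection tracking and explicit pinholes."""

    def __init__(self, home: IPv6Network, pinholes: Set[Pinhole] = frozenset()):
        self.home = home
        self.pinholes = set(pinholes)        # inbound exceptions the user opened (ACL entries)
        self.flows: Dict[FlowKey, str] = {}  # connection-tracking table

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # Key the outbound packet stored, if this inbound packet is its reply.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def forward(self, p: Packet) -> str:
        src_home = IPv6Address(p.src) in self.home
        dst_home = IPv6Address(p.dst) in self.home

        # Anti-spoofing: home sources only on the LAN side, foreign sources only on the WAN side.
        if p.ingress == "lan" and not src_home:
            return "DROP"
        if p.ingress == "wan" and src_home:
            return "DROP"

        if p.ingress == "lan" and not dst_home:
            self.flows[self._key(p)] = "ESTABLISHED"   # outbound: remember it for the reply
            return "ACCEPT"

        if p.ingress == "wan" and dst_home:
            if self._reply_key(p) in self.flows:
                return "ACCEPT"                        # reply to a flow the inside started
            if (p.dst, p.dport, p.proto) in self.pinholes:
                return "ACCEPT"                        # service the user chose to expose
            return "DROP"                              # unsolicited: routable, not reachable

        return "DROP"   # anything else (e.g. WAN traffic not addressed to us) is not forwarded


def run_trace() -> List[str]:
    """Push a constructed packet trace through the filter and return the verdicts."""
    fw = StatefulFilter(HOME_PREFIX, {("2001:db8:1234:2::5", 443, "tcp")})
    laptop, web, scanner = "2001:db8:1234:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    trace = [
        Packet("lan", laptop, 50000, web, 443),                    # laptop connects out
        Packet("wan", web, 443, laptop, 50000),                    # server's reply
        Packet("wan", scanner, 40000, laptop, 22),                 # unsolicited probe
        Packet("wan", scanner, 40001, "2001:db8:1234:2::5", 443),  # hits the opened pinhole
        Packet("wan", laptop, 50001, web, 443),                    # WAN packet with a home source
    ]
    return [fw.forward(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The trace yields ACCEPT, ACCEPT, DROP, ACCEPT, DROP: the laptop's global address is visible to the scanner, but only the flow the laptop initiated and the one port the user opened ever reach the inside.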
Re: IPv6 end user addressing
On Thu, Aug 11, 2011 at 05:49:03PM -0430, Greg Ihnen wrote:

>> What standards? The RFID tag on the milk carton will, essentially, replace the bar code once RFID tags become cheap enough. It'll be like an uber-barcode with a bunch more information. For keeping track of how much, cheap sensitive pressure transducers will know by the position of the RFID tag combined with the weight of the thing at that location in the refrigerator. There's no new standard required. The technology to do this exists today. The integration and mainstream acceptance is still years, if not decades off, but, IPv6 should last for decades, so, if we don't plan for at least the things we can see coming today and already know feasible ways to implement, we're doomed for the other unexpected things we don't see coming.
>
> What reads the RFIDs and the pressure sensors? What server or application receives this data and deals with it according to the user's desires? How does that data or the information and alerts this system would generate get to the user's devices? There has to be a device in the home or a server somewhere for a service the home owner subscribes to which keeps an inventory of all these things and acts on it. Do you really think it's going to be common place for people to have this kind of technology and more importantly use it?

And why do you think the fridge manufacturers will get it right in cheaply-made consumer-grade products, when it's not being done right in much pricier automated self-check-out checkstands?

I avoid self-check-out checkstands because they fail in one way or another so damnably often. My last encounter had the software failing to realize that a package of 100 nuts and 100 screws weighed a significant amount; the result was that for each such package I tried to check out, I had to have someone from the store come over, log in, do something, and log out again. Five times total. *Not* satisfactory. I don't expect that the fridge makers will do any better.

--
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin
Re: IPv6 end user addressing
> And why do you think the fridge manufacturers will get it right in cheaply-made consumer-grade products, when it's not being done right in much pricier automated self-check-out checkstands?
>
> I avoid self-check-out checkstands because they fail in one way or another so damnably often. My last encounter had the software failing to realize that a package of 100 nuts and 100 screws weighed a significant amount; the result was that for each such package I tried to check out, I had to have someone from the store come over, log in, do something, and log out again. Five times total. *Not* satisfactory. I don't expect that the fridge makers will do any better.

That doesn't sound like a software problem. All the automated self-serve stands I've seen use weight as a primary factor, but this requires that the data on the acceptable weight-range be properly encoded in its database. When that happens, a 5 pound box of hardware with the UPC 0-12345-67890-1 will scan fine as long as it's within the listed acceptable weight range for the product, like maybe 4.9-5.1 pounds.

Hey but you don't mind going over to the register manned by a clerk and letting him/her scan your purchases, now, do you? Because THAT was a total train wreck when it first came out. The early systems never really panned out, and many stores who invested early on in the technology found themselves reinvesting in newer technology within a decade. Those that didn't tended to suffer as they coped with limits inherent in the systems. Customers were distrusting of the technology; some stores handed out markers so that customers could write the prices of the items on the items so that they could verify their receipts later. Problems were so common that many states implemented laws about scanner accuracy. But today, thirty years later, this stuff mostly Just All Works Right. Actually it worked pretty well even fifteen years ago.

Consumer technologies may change faster. For example, it wasn't that long ago that we were keeping a written grocery list on the fridge. Today, it's all electronic. The kids can scan(!!!) an item that we need, and it magically forwards to my phone and my wife's phone, and we can even shop cooperatively in a store with realtime updates of the list. The technology isn't 100% perfect, but it's way awesomely better than a paper list. It'd be nice to be able to query the fridge to see what's in it.

So I don't expect that the fridge makers will do better ... this year, or next. But in five or ten years? Yeah, maybe, probably even.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: IPv6 end user addressing
On 8/11/2011 6:09 PM, Owen DeLong wrote:

> On Aug 11, 2011, at 2:53 PM, Scott Helms wrote:
>
>> On 8/11/2011 5:28 PM, Owen DeLong wrote:
>>
>>> You're talking about the front end residential gateway that you manage. I'm talking about the various gateways and things you might not yet expect to provide gateways that residential end users will deploy on their own within their environments.
>>
>> The question I asked you is why should I as the service provider deploy routers rather than bridges as CPE gear for residential customers. If you didn't understand the question or didn't want to address that specific question that's fine, but you certainly didn't answer that question.
>
> I think I did below. However, in my region of the world, most service providers don't provide the CPE and most customers are BYOB.

Are you not CONUS? I thought I specified the North American market; if not, that was my intent, and in NA the service providers do supply in excess of 95% of all CPE. (Keep in mind that the term CPE is actually a little dangerous since telcos use it one way and cable providers another; in this case I am referring to the access device that provides the PHY translation from the access network (DSL, DOCSIS, FTTx, wireless, etc) and that device, which can be a router or a bridge, is almost always provided by the service provider.) My entire question is really should that device be a router in the future in your opinion.

>>> Of course, in order for the ISP to properly support these things in the home, the ISP needs to terminate some form of IPv6 on some form of CPE head-end router in the home to which he will (statically or otherwise) route the /48 whether it is statically assigned or configured via DHCPv6-PD.
>>
>> What is a CPE head-end router? That seems like an oxymoron. Where would such an animal live, in the home or the head end/central office? Who is responsible for purchasing it and managing it in your mind?
>
> In the home and the consumer is responsible.
>
> The fact that you utterly want to avoid the concept of topology in the home shows me that you really aren't understanding where things already are in many homes and where they are going in the future.
>
> ISP -> CPE Head End Router -> Multiple additional routers and other devices, some of which have additional routers and/or topology behind them.

I'm not avoiding anything; the term "CPE head end router" is oxymoronic and AFAIK isn't an industry term at all. I simply want to understand where in the physical network this theoretical device lives and who owns it. If it's a customer premises device then you shouldn't describe it as having anything to do with the head end, since that's the other side (often a long way away) of the connection.

> Some definitions of the above pseudo-diagram already exist in many people's homes (and I am including Joe six-pack in this) today. Lots of users string wired and wireless routers together in multiple layers with and without NAT in various (and often creative albeit not necessarily constructive) ways within their homes. Today, all of that is hidden from you because their CPE head end router (the one that talks to your supplied bridge in most cases) NATs it all behind one address. In the future, it will be semi-visible in that you'll see the additional addresses, but, you still won't have to do anything about it because it's routed and all you have to do is deliver the /48 instead of delivering the /128 (equivalent of the /32 you deliver today).

Well, that's not really true. Given the complexities of firewalls and allowed access, the requirements for service providers to manage that for most home users are going to increase rather than stay the same or decrease. That's kind of the point of TR-069 and the related suite (TR-098 especially).

--
Scott Helms
Vice President of Technology
ISP Alliance, Inc. DBA ZCorum
(678) 507-5000
http://twitter.com/kscotthelms
Re: IPv6 end user addressing
On 8/11/2011 1:34 PM, Owen DeLong wrote:

> On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
>
>> Owen wrote:
>>
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:o...@delong.com]
>>> Sent: Wednesday, August 10, 2011 9:58 PM
>>> To: William Herrin
>>> Cc: nanog@nanog.org
>>> Subject: Re: IPv6 end user addressing
>>>
>>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>>
>>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote:
>>>>
>>>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>>>
>>>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)
>>>
>>> This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.
>>
>> And your average home user, whose WiFi network is an open network named linksys is going to do that how?
>
> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?

But they'll still be operated by end users that are so smart, that when they get e-mail from serv...@usps.gov that says that FedEx couldn't deliver a package (that they're not expecting) to them they click on the password protected UPS tracking.zip file and manage to run the .exe file that is supposed to allow them to get the package delivered.

--
Dave
Re: IPv6 end user addressing
On Thu, Aug 11, 2011 at 01:52:10PM +1200, Brian E Carpenter wrote:

> Well, we know that the human population will stabilise somewhere below ten billion by around 2050. The current unicast space provides for about

How about the machine population? How about self-replicating systems? How about geography-based address allocation, to go away with global routing tables? How about InterPlaNet, such as LEO routers, solar power satellites, controlling industrial production on the Moon and elsewhere?

I don't expect IPv6 will last much longer than IPv4. And that's probably a good thing.

> 15 trillion /48s. Let's assume that the RIRs and ISPs retain their current level of engineering common sense - i.e. the address space will begin to be really full when there are about 25% of those /48s being routed... that makes 3.75 trillion /48s routed for ten billion people, or 375 /48s per man, woman and child. (Or about 25 million /64s if you prefer.)
>
> At that point, IANA would have to release unicast space other than 2000::/3 and we could start again with a new allocation policy.
>
> I am *really* not worried about this. Other stuff, such as BGP4, will break irrevocably long before this.

--
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: IPv6 end user addressing
On Aug 10, 2011, at 8:29 PM, Joel Jaeggli wrote:

> On Aug 10, 2011, at 6:52 PM, Brian E Carpenter wrote:
>
>> On 2011-08-11 12:45, james machado wrote:
>>
>>> what is the life expectancy of IPv6? It won't live forever and we can't reasonably expect it to. I understand we don't want to run out of addresses in the next 10-40 years but what about 100? 200? 300? We will run out and our descendants will go through re-numbering again. The question becomes what is the life expectancy of IPv6 and does the allocation plan make a reasonable attempt to run out of addresses around the end of the expected life of IPv6.
>>
>> Well, we know that the human population will stabilise somewhere below ten billion by around 2050. The current unicast space provides for about 15 trillion /48s. Let's assume that the RIRs and ISPs retain their current level of engineering common sense - i.e. the address space will begin to be really full when there are about 25% of those /48s being routed... that makes 3.75 trillion /48s routed for ten billion people, or 375 /48s per man, woman and child. (Or about 25 million /64s if you prefer.)
>
> It's not the humans that are going to soak up the address space, so it seems a little misguided to count up the humans as a reference for the bounding properties on growth. That said I think 2000::/3 will last long enough, that we shouldn't be out rewriting policy anytime soon.

I disagree. I think current policy in several RIRs (APNIC, especially) is far too conservative and that we do need to rewrite it. That's why I submitted prop-090 which has taken the feedback I received into account and become prop-098.

Owen
RE: IPv6 end user addressing
Owen wrote:

> -----Original Message-----
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: Wednesday, August 10, 2011 9:58 PM
> To: William Herrin
> Cc: nanog@nanog.org
> Subject: Re: IPv6 end user addressing
>
> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>
>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote:
>>
>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>
>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)
>
> This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.

And your average home user, whose WiFi network is an open network named linksys is going to do that how?

Jamie
RE: IPv6 end user addressing
This same Vendor C wants us to upgrade our 7206VXR's to ASR1K's just so we have the (hopefully working) IPv6 features in IOS-XE that are broken in 12.x.

Frank

-----Original Message-----
From: Mark Newton [mailto:new...@internode.com.au]
Sent: Wednesday, August 10, 2011 10:12 PM
To: Cameron Byrne
Cc: NANOG
Subject: Re: IPv6 end user addressing

On 11/08/2011, at 12:30 PM, Cameron Byrne wrote:

> Finally a useful post in this thread. Good work on the deployment of real ipv6!

Thanks. And thanks to Vendor-C for helping us through it. The IPv6 Broadband featureset on the ASR platform starting from IOS-XR 3.1 is a vast improvement on its predecessors.

Biggest hassle with IPv6 in production right now: DNS support is woefully undercooked. I don't think anyone has put anywhere near as much effort into making it fluid, user-friendly, and automated. Simple questions like, "How are reverse mappings supposed to work when you can't predict an end-user's address?" have no good answer.

If any systems folks want a nice meaty problem domain to focus their efforts on, DNS would be da shiznit.

- mark

--
Mark Newton                               Email:  new...@internode.com.au (W)
Network Engineer                          Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
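Mark Newton's reverse-mapping question in the message quoted above has a mechanical half (which ip6.arpa names a delegated prefix owns, and what the PTR owner name for a given address is) and a policy half (what to answer for addresses the ISP never assigned by hand). The following added example, written for this page and not code from the thread or from Internode, shows both: the nibble arithmetic for ip6.arpa, and one deterministic synthesis scheme with its inverse so a forward record can be generated to match. The prefixes are documentation space and the hostname convention is constructed, not a standard.

```python
"""ip6.arpa naming and synthesized reverse records (added example, constructed scheme)."""
from ipaddress import IPv6Address, IPv6Network


def nibbles(addr: IPv6Address) -> str:
    """Full 32-hex-digit form of an address: zero-padded, colons removed."""
    return addr.exploded.replace(":", "")


def ip6_arpa_name(addr: str) -> str:
    """Owner name of the PTR for an address: every nibble, least significant first.
    Same result as IPv6Address(addr).reverse_pointer, spelled out to show the mechanism."""
    return ".".join(reversed(nibbles(IPv6Address(addr)))) + ".ip6.arpa"


def ip6_arpa_zone(prefix: str) -> str:
    """Zone the prefix holder needs delegated before it can publish PTRs for that prefix.
    Delegation follows nibble boundaries, so the prefix length must be a multiple of 4."""
    net = IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: reverse delegation needs a nibble-aligned prefix length")
    covered = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(covered)) + ".ip6.arpa"


def synthesize_ptr(addr: str, delegated: str, suffix: str) -> str:
    """Deterministic PTR target for an address the ISP could not know in advance
    (SLAAC or privacy addresses choose the host part). Constructed scheme: the full
    hex form with hyphens, under a customer-specific suffix. Refuses addresses outside
    the delegation so the zone never vouches for space it does not own."""
    a = IPv6Address(addr)
    if a not in IPv6Network(delegated):
        raise ValueError(f"{addr} is outside {delegated}; refuse to answer for it")
    return a.exploded.replace(":", "-") + "." + suffix


def address_from_synthesized(name: str, suffix: str) -> IPv6Address:
    """Inverse of synthesize_ptr, used to emit the matching AAAA record."""
    if not name.endswith("." + suffix):
        raise ValueError("name does not carry the expected suffix")
    hexpart = name[: -len(suffix) - 1]
    return IPv6Address(hexpart.replace("-", ":"))


def forward_reverse_consistent(addr: str, delegated: str, suffix: str) -> bool:
    """True when the synthesized PTR maps back to the same address (PTR/AAAA agree)."""
    name = synthesize_ptr(addr, delegated, suffix)
    return address_from_synthesized(name, suffix) == IPv6Address(addr)


if __name__ == "__main__":
    print(ip6_arpa_zone("2001:db8:1234::/48"))
    print(ip6_arpa_name("2001:db8:1234:5678::1"))
    print(synthesize_ptr("2001:db8:1234:5678::1", "2001:db8:1234::/48", "cust.example.net"))
```

A name server generating answers this way needs only the delegated prefix and the suffix; it never has to know which addresses a customer's hosts picked, which is the part of the problem Mark describes as having no good answer.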
Re: IPv6 end user addressing
On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:

> Owen wrote:
>
>> -----Original Message-----
>> From: Owen DeLong [mailto:o...@delong.com]
>> Sent: Wednesday, August 10, 2011 9:58 PM
>> To: William Herrin
>> Cc: nanog@nanog.org
>> Subject: Re: IPv6 end user addressing
>>
>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>
>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote:
>>>
>>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>>
>>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)
>>
>> This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.
>
> And your average home user, whose WiFi network is an open network named linksys is going to do that how?

Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?

Owen
Re: IPv6 end user addressing
>> And your average home user, whose WiFi network is an open network named linksys is going to do that how?
>
> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?

One could argue that routing and access control is even less of a core business feature for pantry and refrigerator manufacturers than it is for Linksys. So I wouldn't rule this out - but I'm definitely in the sceptical camp.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: IPv6 end user addressing
On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:

> On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
>
>> Owen wrote:
>>
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:o...@delong.com]
>>> Sent: Wednesday, August 10, 2011 9:58 PM
>>> To: William Herrin
>>> Cc: nanog@nanog.org
>>> Subject: Re: IPv6 end user addressing
>>>
>>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>>
>>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote:
>>>>
>>>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>>>
>>>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)
>>>
>>> This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.
>>
>> And your average home user, whose WiFi network is an open network named linksys is going to do that how?
>
> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?
>
> Owen

I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the predictions that have been around for years about appliances which will alert the manufacturer about impending failure so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have an "appliance about to break, call repairman" idiot light on appliances yet. But I predict the coming of IPv6 to the home in a big way will have unintended consequences.

I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall gone and all their devices exposed naked to everyone on the internet. Suddenly all their security shortcomings (no passwords, "password" for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with RFC 1918 address space behind a firewall and haven't rethought security as it applies to IPv6.

Greg
Re: IPv6 end user addressing
Once upon a time, Owen DeLong o...@delong.com said:

> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?

That's highly doubtful, especially when Linksys is the best networking equipment the average person will buy (at Best Buy, Wal-Mart, etc.).

--
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: IPv6 end user addressing
On Aug 11, 2011, at 10:41 AM, sth...@nethelp.no wrote:

>>> And your average home user, whose WiFi network is an open network named linksys is going to do that how?
>>
>> Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys?
>
> One could argue that routing and access control is even less of a core business feature for pantry and refrigerator manufacturers than it is for Linksys. So I wouldn't rule this out - but I'm definitely in the sceptical camp.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

Let's face it... CPE security needs are going to be radically different and consumer expectations are going to rise quickly in this area with IPv6. I suspect both refrigerator/pantry makers _AND_ Linksys et. al. will be forced to adapt.

Owen
Re: IPv6 end user addressing
On Thu, Aug 11, 2011 at 10:52 AM, Greg Ihnen os10ru...@gmail.com wrote: On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote: On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote: Owen wrote: -Original Message- From: Owen DeLong [mailto:o...@delong.com] Sent: Wednesday, August 10, 2011 9:58 PM To: William Herrin Cc: nanog@nanog.org Subject: Re: IPv6 end user addressing On Aug 10, 2011, at 6:46 PM, William Herrin wrote: On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com wrote: Someday, I expect the pantry to have a barcode reader on it connected back a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so its not a big step to home use. Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;) This definitely helps explain your misconceptions about NAT as a security tool. Globally addressable != globally reachable. Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful. And your average home user, whose WiFi network is an open network named linksys is going to do that how? Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys? Owen I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. 
Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the predictions that have been around for years about appliances which will alert the manufacturer about impending failure so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have an appliance about to break, call repairman idiot light on appliances yet. But I predict the coming of IPv6 to the home in a big way will have unintended consequences. I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall being gone and all their devices being exposed naked to everyone on the internet. Suddenly all their security shortcomings (no passwords, password for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with rfc 1918 address space behind a firewall and haven't rethought security as it applies to IPv6. Greg +1 I think this is currently the biggest hole in IPV6 adoption. We need a drop in firewall appliance along the lines of IPCOP for IPV6. This type of closed unless tinkered with protection would encourage people to try it out and not be too scared to move forward. This is a huge opportunity for some Company/Open Source Developers Group to grab a huge chunk of an emerging market... hint hint :) cheers Jeff
Re: IPv6 end user addressing
On 08/11/2011 11:18 AM, Owen DeLong wrote: On Aug 11, 2011, at 10:41 AM, sth...@nethelp.no wrote: And your average home user, whose WiFi network is an open network named linksys is going to do that how? Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys? One could argue that routing and access control is even less of a core business feature for pantry and refrigerator manufacturers than it is for Linksys. So I wouldn't rule this out - but I'm definitely in the sceptical camp. Steinar Haug, Nethelp consulting, sth...@nethelp.no Let's face it... CPE security needs are going to be radically different and consumer expectations are going to rise quickly in this area with IPv6. I suspect both refrigerator/pantry makers _AND_ Linksys et al. will be forced to adapt. Radically? How so? I have little confidence that the urge to do as little as possible about security is going to change just because of IPv6. The goal of router manufacturers is to turn a profit, not save the world. Mike
Re: IPv6 end user addressing
Owen, The fact that you're immediately going to routing means you don't understand the problem. The costs I'm talking about don't have anything to do with routing or any of the core gear and everything to do with the pieces at the customer premise. Routers cost more to purchase than bridges because there is more complexity (silicon software). Routers also cost more to manage for a service provider in almost all cases for residential customers. There are reasons to deploy routing CPE in some cases (the use cases are increasing with IP video in DOCSIS systems) but they are still very nascent. On 8/10/2011 7:24 PM, Owen DeLong wrote: I'm pretty sure that I understand those things reasonably well. I'm quite certain that it doesn't cost an ISP significantly more to deploy /48s than /56s as addresses don't have much of a cost and there is little or no difficulty in obtaining large allocations for ISPs that have lots of residential users. The difference between handing a user's CPE a /56 and a /48 will not make for significant difference in support costs, either, other than the possible additional costs of the phone calls when users start to discover that /56s were not enough. Owen On Aug 10, 2011, at 11:43 AM, Scott Helms wrote: Tim, Hence the might. I worry when people start throwing around terms like routing in the home that they don't understand the complexities of balancing the massive CPE installed base, technical features, end user support, ease of installation management, and (perhaps most importantly) the economics of mass adoption. This is one of the choices that made DSL deployments more complex and expensive than DOCSIS cable deployments which in turn caused the CEO of ATT to say their entire DSL network is obsolete. 
http://goo.gl/exwqu On 8/10/2011 12:57 PM, Tim Chown wrote: On 10 Aug 2011, at 16:11, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. Well, there is some new effort on this in the homenet WG in IETF. For snooping IPv6 multicast it's MLD snooping rather than IGMP. We use it in our enterprise since we have multiple multicast video channels in use. Tim On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
You're talking about the front end residential gateway that you manage. I'm talking about the various gateways and things you might not yet expect to provide gateways that residential end users will deploy on their own within their environments. The fact that you are talking about an entirely different problem space than I am shows that it is you who does not understand either the problem I am describing or the solution space that is applicable. Of course, in order for the ISP to properly support these things in the home, the ISP needs to terminate some form of IPv6 on some form of CPE head-end router in the home to which he will (statically or otherwise) route the /48 whether it is statically assigned or configured via DHCPv6-PD. Owen On Aug 11, 2011, at 1:28 PM, Scott Helms wrote: Owen, The fact that you're immediately going to routing means you don't understand the problem. The costs I'm talking about don't have anything to do with routing or any of the core gear and everything to do with the pieces at the customer premise. Routers cost more to purchase than bridges because there is more complexity (silicon software). Routers also cost more to manage for a service provider in almost all cases for residential customers. There are reasons to deploy routing CPE in some cases (the use cases are increasing with IP video in DOCSIS systems) but they are still very nascent. On 8/10/2011 7:24 PM, Owen DeLong wrote: I'm pretty sure that I understand those things reasonably well. I'm quite certain that it doesn't cost an ISP significantly more to deploy /48s than /56s as addresses don't have much of a cost and there is little or no difficulty in obtaining large allocations for ISPs that have lots of residential users. The difference between handing a user's CPE a /56 and a /48 will not make for significant difference in support costs, either, other than the possible additional costs of the phone calls when users start to discover that /56s were not enough. 
Owen On Aug 10, 2011, at 11:43 AM, Scott Helms wrote: Tim, Hence the might. I worry when people start throwing around terms like routing in the home that they don't understand the complexities of balancing the massive CPE installed base, technical features, end user support, ease of installation management, and (perhaps most importantly) the economics of mass adoption. This is one of the choices that made DSL deployments more complex and expensive than DOCSIS cable deployments which in turn caused the CEO of ATT to say their entire DSL network is obsolete. http://goo.gl/exwqu On 8/10/2011 12:57 PM, Tim Chown wrote: On 10 Aug 2011, at 16:11, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. Well, there is some new effort on this in the homenet WG in IETF. For snooping IPv6 multicast it's MLD snooping rather than IGMP. We use it in our enterprise since we have multiple multicast video channels in use. Tim On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the predictions that have been around for years about appliances which will alert the manufacturer about impending failure so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have an appliance about to break, call repairman idiot light on appliances yet. What standards? The RFID tag on the milk carton will, essentially, replace the bar code once RFID tags become cheap enough. It'll be like an uber-barcode with a bunch more information. For keeping track of how much, cheap sensitive pressure transducers will know by the position of the RFID tag combined with the weight of the thing at that location in the refrigerator. There's no new standard required. The technology to do this exists today. The integration and mainstream acceptance is still years, if not decades off, but, IPv6 should last for decades, so, if we don't plan for at least the things we can see coming today and already know feasible ways to implement, we're doomed for the other unexpected things we don't see coming. But I predict the coming of IPv6 to the home in a big way will have unintended consequences. Definitely. I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall being gone and all their devices being exposed naked to everyone on the internet. 
Suddenly all their security shortcomings (no passwords, password for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with rfc 1918 address space behind a firewall and haven't rethought security as it applies to IPv6. Sigh... Continuing to propagate this myth doesn't make it any more true than it was 10 years ago.

NAT != Security
End-to-End addressing != End-to-End connectivity

It will not be long before the average residential IPv6 gateway comes with a default deny all inbound stateful firewall built in. Once you have that, your hosts are not exposed naked to everyone on the internet. In fact, they are no more exposed than with NAT with the key difference being that if you choose to expose one or more hosts, you have the option of deliberately doing so. Actually, I know for certain that most of the CPE manufacturers are participating in the effort to draft better security requirements for residential gateways as a current ID and hopefully an RFC soon. I believe, as a matter of fact, that this is a BIS document being intended as a more comprehensive improvement over the initial version. Owen
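The gateway policy Owen describes (default deny all inbound, return traffic and deliberately opened pinholes allowed, so that "globally addressable != globally reachable"), modelled as an added example that is not code from the thread or from any CPE vendor. The prefix, addresses, and the Packet / StatefulGateway names are constructed for illustration; the ICMPv6 pass list follows RFC 4890.

```python
"""Model of a residential IPv6 gateway's default-deny inbound stateful
firewall in front of globally addressed hosts. Added example; the prefix,
hosts and class names are constructed, not taken from the discussion."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address

# ICMPv6 types a stateful filter should admit even when unsolicited, per
# RFC 4890: dest unreachable (1), packet too big (2), time exceeded (3),
# parameter problem (4), echo request (128), echo reply (129).
PASS_ICMPV6_TYPES = {1, 2, 3, 4, 128, 129}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0  # only meaningful for icmpv6


class StatefulGateway:
    """Forwards LAN->WAN freely and records the flow; admits WAN->LAN only
    for return traffic, essential ICMPv6, or an explicitly configured
    pinhole. Everything else is dropped, regardless of the global address."""

    def __init__(self, lan: IPv6Network, pinholes=()):
        self.lan = lan
        self.pinholes = set(pinholes)   # (lan_addr, proto, dport) the owner exposes
        self.flows = set()              # reversed 5-tuples of outbound connections

    def _inside(self, addr: str) -> bool:
        return ip_address(addr) in self.lan

    def outbound(self, pkt: Packet) -> str:
        if not (self._inside(pkt.src) and not self._inside(pkt.dst)):
            return "drop (not LAN->WAN)"
        # Remember what the reply will look like so it can be matched later.
        self.flows.add((pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport))
        return "forward"

    def inbound(self, pkt: Packet) -> str:
        if not (self._inside(pkt.dst) and not self._inside(pkt.src)):
            return "drop (not WAN->LAN)"
        if (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) in self.flows:
            return "forward (established)"
        if pkt.proto == "icmpv6" and pkt.icmp_type in PASS_ICMPV6_TYPES:
            return "forward (icmpv6)"
        if (pkt.dst, pkt.proto, pkt.dport) in self.pinholes:
            return "forward (pinhole)"
        return "drop (default deny)"   # addressable, but not reachable


def demo() -> dict:
    """Run the constructed scenario and return each packet's verdict."""
    lan = IPv6Network("2001:db8:1234::/48")   # constructed, RFC 3849 doc prefix
    pantry = "2001:db8:1234:7::1"              # an addressable appliance
    nas = "2001:db8:1234:1::10"                # host the owner chooses to expose
    remote = "2001:db8:ffff::9"                # some host out on the internet
    gw = StatefulGateway(lan, pinholes={(nas, "tcp", 443)})

    results = {}
    # Unsolicited inbound to the pantry: dropped despite its global address.
    results["pantry_unsolicited"] = gw.inbound(Packet(remote, pantry, "tcp", 40000, 80))
    # The pantry talks out; the reply is admitted because the flow is known.
    gw.outbound(Packet(pantry, remote, "tcp", 51000, 443))
    results["pantry_reply"] = gw.inbound(Packet(remote, pantry, "tcp", 443, 51000))
    # Deliberately exposed service on the NAS.
    results["nas_pinhole"] = gw.inbound(Packet(remote, nas, "tcp", 40001, 443))
    # Same NAS, a port that was never opened.
    results["nas_ssh"] = gw.inbound(Packet(remote, nas, "tcp", 40002, 22))
    # Packet Too Big must pass or path MTU discovery breaks.
    results["ptb"] = gw.inbound(Packet(remote, pantry, "icmpv6", icmp_type=2))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```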
Re: IPv6 end user addressing
On 8/11/2011 5:28 PM, Owen DeLong wrote: You're talking about the front end residential gateway that you manage. I'm talking about the various gateways and things you might not yet expect to provide gateways that residential end users will deploy on their own within their environments. The question I asked you is why should I as the service provider deploy routers rather than bridges as CPE gear for residential customers. If you didn't understand the question or didn't want to address that specific question that's fine, but you certainly didn't answer that question. Of course, in order for the ISP to properly support these things in the home, the ISP needs to terminate some form of IPv6 on some form of CPE head-end router in the home to which he will (statically or otherwise) route the /48 whether it is statically assigned or configured via DHCPv6-PD. What is a CPE head-end router? That seems like an oxymoron. Where would such an animal live, in the home or the head end/central office? Who is responsible for purchasing it and managing it in your mind? Owen On Aug 11, 2011, at 1:28 PM, Scott Helms wrote: Owen, The fact that you're immediately going to routing means you don't understand the problem. The costs I'm talking about don't have anything to do with routing or any of the core gear and everything to do with the pieces at the customer premise. Routers cost more to purchase than bridges because there is more complexity (silicon software). Routers also cost more to manage for a service provider in almost all cases for residential customers. There are reasons to deploy routing CPE in some cases (the use cases are increasing with IP video in DOCSIS systems) but they are still very nascent. On 8/10/2011 7:24 PM, Owen DeLong wrote: I'm pretty sure that I understand those things reasonably well. 
I'm quite certain that it doesn't cost an ISP significantly more to deploy /48s than /56s as addresses don't have much of a cost and there is little or no difficulty in obtaining large allocations for ISPs that have lots of residential users. The difference between handing a user's CPE a /56 and a /48 will not make for significant difference in support costs, either, other than the possible additional costs of the phone calls when users start to discover that /56s were not enough. Owen On Aug 10, 2011, at 11:43 AM, Scott Helms wrote: Tim, Hence the might. I worry when people start throwing around terms like routing in the home that they don't understand the complexities of balancing the massive CPE installed base, technical features, end user support, ease of installation management, and (perhaps most importantly) the economics of mass adoption. This is one of the choices that made DSL deployments more complex and expensive than DOCSIS cable deployments which in turn caused the CEO of ATT to say their entire DSL network is obsolete. http://goo.gl/exwqu On 8/10/2011 12:57 PM, Tim Chown wrote: On 10 Aug 2011, at 16:11, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. Well, there is some new effort on this in the homenet WG in IETF. For snooping IPv6 multicast it's MLD snooping rather than IGMP. We use it in our enterprise since we have multiple multicast video channels in use. Tim On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. 
This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
Eugen, On 2011-08-11 21:53, Eugen Leitl wrote: On Thu, Aug 11, 2011 at 01:52:10PM +1200, Brian E Carpenter wrote: Well, we know that the human population will stabilise somewhere below ten billion by around 2050. The current unicast space provides for about How about the machine population? How about self-replicating systems? I think considering the size of such systems as a function of the size of the human population is quite reasonable, in terms of thinking about natural and economic limits to growth. How about geography-based address allocation, to go away with global routing tables? That is a whole discussion in itself, but in any case it surely won't be part of 2000::/3. Additionally, the number of prefixes needed for any reasonable geographic scheme is quite trivial compared to the trillions available. How about InterPlaNet, such as LEO routers, solar power satellites, controlling industrial production on the Moon and elsewhere? Probably also trivial numbers compared to 15 trillion /48s, but if not, again, we are not limited to 2000::/3 for ever. EOF for me on this sub-topic. Brian
Re: IPv6 end user addressing
On Aug 11, 2011, at 2:53 PM, Scott Helms wrote: On 8/11/2011 5:28 PM, Owen DeLong wrote: You're talking about the front end residential gateway that you manage. I'm talking about the various gateways and things you might not yet expect to provide gateways that residential end users will deploy on their own within their environments. The question I asked you is why should I as the service provider deploy routers rather than bridges as CPE gear for residential customers. If you didn't understand the question or didn't want to address that specific question that's fine, but you certainly didn't answer that question. I think I did below. However, in my region of the world, most service providers don't provide the CPE and most customers are BYOB. Of course, in order for the ISP to properly support these things in the home, the ISP needs to terminate some form of IPv6 on some form of CPE head-end router in the home to which he will (statically or otherwise) route the /48 whether it is statically assigned or configured via DHCPv6-PD. What is a CPE head-end router? That seems like an oxymoron. Where would such an animal live, in the home or the head end/central office? Who is responsible for purchasing it and managing it in your mind? In the home and the consumer is responsible. The fact that you utterly want to avoid the concept of topology in the home shows me that you really aren't understanding where things already are in many homes and where they are going in the future. ISP - CPE Head End Router - Multiple additional routers and other devices some of which have additional routers and or topology behind them. Some definitions of the above pseudo-diagram already exist in many people's homes (and I am including Joe six-pack in this) today. Lots of users string wired and wireless routers together in multiple layers with and without NAT in various (and often creative albeit not necessarily constructive) ways within their homes. 
Today, all of that is hidden from you because their CPE head end router (the one that talks to your supplied bridge in most cases) NATs it all behind one address. In the future, it will be semi-visible in that you'll see the additional addresses, but, you still won't have to do anything about it because it's routed and all you have to do is deliver the /48 instead of delivering the /128 (equivalent of the /32 you deliver today). Owen Owen On Aug 11, 2011, at 1:28 PM, Scott Helms wrote: Owen, The fact that you're immediately going to routing means you don't understand the problem. The costs I'm talking about don't have anything to do with routing or any of the core gear and everything to do with the pieces at the customer premise. Routers cost more to purchase than bridges because there is more complexity (silicon software). Routers also cost more to manage for a service provider in almost all cases for residential customers. There are reasons to deploy routing CPE in some cases (the use cases are increasing with IP video in DOCSIS systems) but they are still very nascent. On 8/10/2011 7:24 PM, Owen DeLong wrote: I'm pretty sure that I understand those things reasonably well. I'm quite certain that it doesn't cost an ISP significantly more to deploy /48s than /56s as addresses don't have much of a cost and there is little or no difficulty in obtaining large allocations for ISPs that have lots of residential users. The difference between handing a user's CPE a /56 and a /48 will not make for significant difference in support costs, either, other than the possible additional costs of the phone calls when users start to discover that /56s were not enough. Owen On Aug 10, 2011, at 11:43 AM, Scott Helms wrote: Tim, Hence the might. 
I worry when people start throwing around terms like routing in the home that they don't understand the complexities of balancing the massive CPE installed base, technical features, end user support, ease of installation management, and (perhaps most importantly) the economics of mass adoption. This is one of the choices that made DSL deployments more complex and expensive than DOCSIS cable deployments which in turn caused the CEO of ATT to say their entire DSL network is obsolete. http://goo.gl/exwqu On 8/10/2011 12:57 PM, Tim Chown wrote: On 10 Aug 2011, at 16:11, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. Well, there is some new effort on this in the homenet WG in IETF. For snooping IPv6 multicast it's MLD snooping rather than IGMP. We use it in our enterprise since we have multiple multicast video
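The in-home topology Owen sketches (ISP routes a /48 to a CPE head-end router, which in turn has further routers and links behind it), worked through as an added example that is not code from the thread: it carves a delegated prefix into one sub-prefix per downstream router and one /64 per link, and shows why a /60 runs out where a /48 does not. The /48, the router and link counts, and the function names sub_delegate / subnets_in are constructed for illustration.

```python
"""Sub-delegating a provider-delegated IPv6 prefix inside the home:
ISP -> CPE head-end router -> further routers, each with its own /64 links.
Added example; the prefix and topology sizes are constructed."""
from ipaddress import IPv6Network
from itertools import islice


def subnets_in(prefix: IPv6Network, new_prefixlen: int = 64) -> int:
    """How many new_prefixlen subnets a delegated prefix contains
    (/48 -> 65536 /64s, /56 -> 256, /60 -> 16)."""
    return 2 ** (new_prefixlen - prefix.prefixlen)


def bits_for(count: int) -> int:
    """Smallest number of prefix bits that can number `count` items."""
    return (count - 1).bit_length()


def sub_delegate(delegated: IPv6Network, routers: int, links_per_router: int) -> dict:
    """Carve `delegated` into one sub-prefix per downstream router and one /64
    per link behind each router. Returns {router_prefix: [link /64s]} and
    raises ValueError when the delegation is too short for the topology."""
    router_bits = bits_for(routers)
    link_bits = bits_for(links_per_router)
    available = 64 - delegated.prefixlen
    if router_bits + link_bits > available:
        raise ValueError(
            f"{delegated} too short: {routers} routers x {links_per_router} links "
            f"needs {router_bits + link_bits} bits, only {available} available"
        )
    router_plen = delegated.prefixlen + router_bits
    plan = {}
    # subnets(new_prefix=...) yields the prefix itself when no extra bits are needed
    for rp in islice(delegated.subnets(new_prefix=router_plen), routers):
        plan[rp] = list(islice(rp.subnets(new_prefix=64), links_per_router))
    return plan


if __name__ == "__main__":
    home = IPv6Network("2001:db8:1234::/48")   # constructed, RFC 3849 doc prefix
    for rp, links in sub_delegate(home, 4, 10).items():
        print(rp, "->", links[0], "...", links[-1])
    try:
        sub_delegate(IPv6Network("2001:db8:1234:abc0::/60"), 4, 10)
    except ValueError as err:
        print("/60 case:", err)
```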
Re: IPv6 end user addressing
On Aug 11, 2011, at 5:05 PM, Owen DeLong wrote: I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the predictions that have been around for years about appliances which will alert the manufacturer about impending failure so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have an appliance about to break, call repairman idiot light on appliances yet. What standards? The RFID tag on the milk carton will, essentially, replace the bar code once RFID tags become cheap enough. It'll be like an uber-barcode with a bunch more information. For keeping track of how much, cheap sensitive pressure transducers will know by the position of the RFID tag combined with the weight of the thing at that location in the refrigerator. There's no new standard required. The technology to do this exists today. The integration and mainstream acceptance is still years, if not decades off, but, IPv6 should last for decades, so, if we don't plan for at least the things we can see coming today and already know feasible ways to implement, we're doomed for the other unexpected things we don't see coming. What reads the RFIDs and the pressure sensors? What server or application receives this data and deals with it according to the user's desires? How does that data or the information and alerts this system would generate get to the user's devices? 
There has to be a device in the home or a server somewhere for a service the home owner subscribes to which keeps an inventory of all these things and acts on it. Do you really think it's going to be commonplace for people to have this kind of technology and more importantly use it? I think the kitchen you foresee is the kind of dream kitchen the kind of people who embed RFID chips in themselves so they can have a house that opens the doors and turns on the lights as they approach. You don't have a chip in you, do you? But I predict the coming of IPv6 to the home in a big way will have unintended consequences. Definitely. I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall being gone and all their devices being exposed naked to everyone on the internet. Suddenly all their security shortcomings (no passwords, password for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with rfc 1918 address space behind a firewall and haven't rethought security as it applies to IPv6. Sigh... Continuing to propagate this myth doesn't make it any more true than it was 10 years ago. I'm sorry, what was the myth there? The public overall uses bad passwords and knowingly does not comply with security best practices? More connectivity is going to bring more problems and exploits? Those myths?

NAT != Security
End-to-End addressing != End-to-End connectivity

It will not be long before the average residential IPv6 gateway comes with a default deny all inbound stateful firewall built in. 
Once you have that, your hosts are not exposed naked to everyone on the internet. In fact, they are no more exposed than with NAT with the key difference being that if you choose to expose one or more hosts, you have the option of deliberately doing so. We'll see. Actually, I know for certain that most of the CPE manufacturers are participating in the effort to draft better security requirements for residential gateways as a current ID and hopefully an RFC soon. I believe, as a matter of fact, that this is a BIS document being intended as a more comprehensive improvement over the initial version. Owen
Re: IPv6 end user addressing
On 11/08/2011, at 1:33 PM, Owen DeLong wrote: On Aug 10, 2011, at 7:45 PM, Mark Newton wrote: On 11/08/2011, at 8:42 AM, Owen DeLong wrote: I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future. I see the lack of agreement on whether /48 or /56 or /60 is good for a home network to be a positive thing. As long as there's no firm consensus, router vendors will have to implement features which don't make silly hard-coded assumptions. Yes and no. In terms of potential innovations, if enough of the market chooses /60, they will hard code the assumption that they cannot count on more than a /60 being available into their development process regardless of what gets into the router. Sure, they won't be able to assume you can't get a /48, but, they also won't necessarily implement features that would take advantage of a /48. Abundance doesn't drive innovations. Scarcity does. IPv6 does not have a scarcity issue. I assert that IPv6 addressing is not going to now or ever do anything particularly innovative that can't be done better at other, more relevant, layers. The time for arguing about arbitrary things that make no difference to the end customers has passed. The navel gazing must cease and we must move forward on IPv6 to the home rather than continuing the confusion about this and other IPv6 arbitrary bit obsession stuff. We need to stop spending our time on rearranging the Titanic's deckchairs and get the profanity on with stopping the crashing into the iceberg by providing clear leadership on getting IPv6 to the masses to enable their APPLICATIONS and EXPERIENCE without the impending doom of IPv4 CGN. 
My name is Matthew, I HAVE given my customers the ability to get IPv6 and I don't give a flying one about the prefix length, I care about getting ANY prefix to the end users so they can use it and solve the issues at their end. I AM enabling innovation just by doing that. MMC
Re: IPv6 end user addressing
On Aug 11, 2011, at 5:08 PM, Matthew Moyle-Croft wrote: On 11/08/2011, at 1:33 PM, Owen DeLong wrote: On Aug 10, 2011, at 7:45 PM, Mark Newton wrote: On 11/08/2011, at 8:42 AM, Owen DeLong wrote: I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future. I see the lack of agreement on whether /48 or /56 or /60 is good for a home network to be a positive thing. As long as there's no firm consensus, router vendors will have to implement features which don't make silly hard-coded assumptions. Yes and no. In terms of potential innovations, if enough of the market chooses /60, they will hard code the assumption that they cannot count on more than a /60 being available into their development process regardless of what gets into the router. Sure, they won't be able to assume you can't get a /48, but, they also won't necessarily implement features that would take advantage of a /48. Abundance doesn't drive innovations. Scarcity does. IPv6 does not have a scarcity issue. I assert that IPv6 addressing is not going to now or ever do anything particularly innovative that can't be done better at other, more relevant, layers. Abundance won't drive innovation, but, scarcity can block it. If enough providers limit their residential customers to /60s, then, that will become the defining limit to which vendors implement. The time for arguing about arbitrary things that make no difference to the end customers has passed. The navel gazing must cease and we must move forward on IPv6 to the home rather than continuing the confusion about this and other IPv6 arbitrary bit obsession stuff. On that I believe we are in complete agreement. Let's deploy IPv6 to end users and give them /48s and move on. 
We need to stop spending our time on rearranging the Titanic's deckchairs and get the profanity on with stopping the crashing into the iceberg by providing clear leadership on getting IPv6 to the masses to enable their APPLICATIONS and EXPERIENCE without the impending doom of IPv4 CGN. Again, no argument. My name is Matthew, I HAVE given my customers the ability to get IPv6 and I don't give a flying one about the prefix length, I care about getting ANY prefix to the end users so they can use it and solve the issues at their end. I AM enabling innovation just by doing that. My name is Owen. I work for an ISP that gives IPv6 to our customers and anyone else who cares to connect. We care about prefix length because we believe it will impact innovation for many years. Yes, getting something to end users is more important than how big of a prefix we give them. On that, MMC and I are in complete agreement. However, there are choices to be made in how we do it and giving out /48s costs virtually nothing and yields real potential benefits. There is no meaningful advantage to placing arbitrary limits below /48 on residential customers. Owen
Re: IPv6 end user addressing
On Aug 11, 2011 5:25 PM, Owen DeLong o...@delong.com wrote: On Aug 11, 2011, at 5:08 PM, Matthew Moyle-Croft wrote: On 11/08/2011, at 1:33 PM, Owen DeLong wrote: On Aug 10, 2011, at 7:45 PM, Mark Newton wrote: On 11/08/2011, at 8:42 AM, Owen DeLong wrote: I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future. I see the lack of agreement on whether /48 or /56 or /60 is good for a home network to be a positive thing. As long as there's no firm consensus, router vendors will have to implement features which don't make silly hard-coded assumptions. Yes and no. In terms of potential innovations, if enough of the market chooses /60, they will hard code the assumption that they cannot count on more than a /60 being available into their development process regardless of what gets into the router. Sure, they won't be able to assume you can't get a /48, but, they also won't necessarily implement features that would take advantage of a /48. Abundance doesn't drive innovations. Scarcity does. IPv6 does not have a scarcity issue. I assert that IPv6 addressing is not going to now or ever do anything particularly innovative that can't be done better at other, more relevant, layers. Abundance won't drive innovation, but, scarcity can block it. If enough providers limit their residential customers to /60s, then, that will become the defining limit to which vendors implement. The time for arguing about arbitrary things that make no difference to the end customers has passed. The navel gazing must cease and we must move forward on IPv6 to the home rather than continuing the confusion about this and other IPv6 arbitrary bit obsession stuff. On that I believe we are in complete agreement. Let's deploy IPv6 to end users and give them /48s and move on. 
We need to stop spending our time on rearranging the Titanic's deckchairs and get the profanity on with stopping the crashing into the iceberg by providing clear leadership on getting IPv6 to the masses to enable their APPLICATIONS and EXPERIENCE without the impending doom of IPv4 CGN. Again, no argument. My name is Matthew, I HAVE given my customers the ability to get IPv6 and I don't give a flying one about the prefix length, I care about getting ANY prefix to the end users so they can use it and solve the issues at their end. I AM enabling innovation just by doing that. My name is Owen. I work for an ISP that gives IPv6 to our customers and anyone else who cares to connect. We care about prefix length because we believe it will impact innovation for many years. Yes, getting something to end users is more important than how big of a prefix we give them. On that, MMC and I are in complete agreement. However, there are choices to be made in how we do it and giving out /48s costs virtually nothing and yields real potential benefits. There is no meaningful advantage to placing arbitrary limits below /48 on residential customers. I agree that this debate is confusing people and will not be solved here. Let's move on to a more productive topic. There is more than one way to deploy ipv6. Do what's right for your own users and network. Cb Owen
Re: IPv6 end user addressing
On 12/08/2011, at 7:23 AM, Scott Helms wrote: The question I asked you is why should I as the service provider deploy routers rather than bridges as CPE gear for residential customers. As a service provider, you don't want to burn an expensive TCAM slot to make IPv6 ND work for every device a customer places on their LAN. As a service provider, it's better to burn one TCAM slot per customer for the prefix you route to them, and leave adjacency relationships within their home to them. Think of MAC address table size limits on switches. Similar problem. - mark -- Mark Newton Email: new...@internode.com.au (W) Network Engineer Email: new...@atdot.dotat.org (H) Internode Pty Ltd Desk: +61-8-82282999 Network Man - Anagram of Mark Newton Mobile: +61-416-202-223
Re: IPv6 end user addressing
On Monday 08 Aug 2011 22:00:52 Owen DeLong wrote: On Aug 8, 2011, at 7:12 AM, Mohacsi Janos wrote: On Mon, 8 Aug 2011, valdis.kletni...@vt.edu wrote: On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said: - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service You don't want to make the assumption that just because Joe Sixpack doesn't know what a subnet is, that Joe Sixpack's CPE doesn't know either. And remember that if it's 3 hops from one end of Joe Sixpack's internal net to the other, you're gonna burn a few bits to support hierarchical routing so you don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a /56 by the provider, and it hands each device it sees a /60 in case it's a device that routes too, it can only support 14 devices. And if one of the more exactly 16 routing devices. You don't have to count the all 0 and all 1 as reserved maybe each device can see /57 or /58 or /59 depending on the capabilities of your devices I think daisy chaining of CPE routers is a bad idea - as probably done in several IPv4 home networks. Why would you build several hierarchies into your network if it is unnecessary? I can see things like wanting to have an entertainment systems network that is fronted by a router with additional networks for each entertainment system fronted by their own router, segmentation of various appliance networks with possibly an appliance front-end router, etc. There are lots of possibilities we haven't thought of here yet. Limiting end-users to /56 or worse will only stifle the innovation that will help us identify the possibilities. 
For this, if no other reason, (and I cite the limitations under which we have begun to frame our assumptions about how the internet works as a result of NAT as an example), I think we should avoid preserving this cultural conditioning in IPv6. Owen Thinking about the CPE thread, isn't this a case for bridging as a feature in end-user devices? If Joe's media-centre box etc would bridge its downstream ports to the upstream port, the devices on them could just get an address, whether by DHCPv6 from the CPE router's delegation or by SLAAC, and then register in local DNS or more likely do multicast-DNS so they could find each other. And then it really doesn't matter; everything gets its address, nothing is NATted, every address is mapped to a meaningful hostname. Perhaps you'd need more aggregation and routing in the glorious one-IP-per-nanite-and-Facebook-fridges future, but that's for another day once we've got fusion and a rational system of government out of the way:-) Joe's network as described isn't big enough or clever enough to need multiple routers. It's just a small LAN and it's only Joe's weirdness in using a $500 Roku as a $5 hank of cat5e and a $20 4-port switch that prevents it from being so. Not all problems should be solved by routing - but a list full of router people is inherently likely to try to solve all its problems with more routers and routing. -- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
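The /56-versus-/60 arithmetic quoted in the message above (a /56 split into /60s for downstream routers, each of which splits into /64 LANs) is easy to get wrong by hand, as the 14-versus-16 exchange shows. The following is an added example, not code from any poster in this thread; it uses only the standard-library ipaddress module, and the prefix 2001:db8:1:100::/56 and the segment names (guest, appliances, kids, media) are constructed for the demo. It computes how many tiers of nibble-aligned routers a delegation of a given length supports, splits a delegation into its children, and numbers a set of isolated home segments from it.

```python
"""Nibble-aligned IPv6 prefix-delegation planner.

Added example for the /48 vs /56 vs /60 hierarchy arithmetic discussed in the
thread. Not code from any poster; standard-library ipaddress only. The example
prefix 2001:db8:1:100::/56 and the segment names are constructed for the demo.
"""
import ipaddress

BITS_PER_LEVEL = 4     # each router tier hands out 16 children (one hex nibble)
LAN_PREFIX_LEN = 64    # every LAN keeps a /64 so SLAAC still works


def children(prefix, bits=BITS_PER_LEVEL):
    """Split a delegated prefix into the 2**bits equal sub-prefixes a router can
    re-delegate downstream. IPv6 reserves no all-zeros/all-ones subnet, so all
    16 children of a /56 split into /60s are usable."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen + bits > LAN_PREFIX_LEN:
        raise ValueError(f"{net} cannot be split without going past /{LAN_PREFIX_LEN}")
    return list(net.subnets(new_prefix=net.prefixlen + bits))


def router_tiers(prefix_len, bits=BITS_PER_LEVEL):
    """Number of tiers of 16-way routers that fit between the delegated prefix
    and the /64 LANs at the leaves (the CPE itself counts as one tier)."""
    if not 0 <= prefix_len <= LAN_PREFIX_LEN:
        raise ValueError("delegation must be between /0 and /64")
    return (LAN_PREFIX_LEN - prefix_len) // bits


def plan(prefix, segments):
    """Give every named segment (guest Wi-Fi, appliances, kids, media ...) its
    own /64 out of the delegation, so each sits behind a routed boundary.
    Raises ValueError when the delegation is too small for the segment count."""
    net = ipaddress.ip_network(prefix, strict=True)
    available = 2 ** (LAN_PREFIX_LEN - net.prefixlen)
    if len(segments) > available:
        raise ValueError(f"{net} holds only {available} /64s; cannot number "
                         f"{len(segments)} segments")
    lans = net.subnets(new_prefix=LAN_PREFIX_LEN)
    return {name: next(lans) for name in segments}


if __name__ == "__main__":
    for length in (48, 56, 60):
        print(f"/{length}: {router_tiers(length)} router tier(s), "
              f"{2 ** (LAN_PREFIX_LEN - length)} /64 LANs in total")
    cpe = "2001:db8:1:100::/56"                      # constructed delegation
    downstream = children(cpe)
    print(f"{cpe} -> {len(downstream)} x /60, first {downstream[0]}, last {downstream[-1]}")
    for name, lan in plan(str(downstream[0]), ["guest", "appliances", "kids", "media"]).items():
        print(f"  {name:10s} {lan}")
```

Run stand-alone it prints that a /48 supports four tiers of 16-way routers, a /56 two, and a /60 one (the CPE alone, with 16 LANs and no room for a second routed tier), which is the concrete shape of the "what the vendors will design to" argument in the thread.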
Re: IPv6 end user addressing
Thinking about the CPE thread, isn't this a case for bridging as a feature in end-user devices? If Joe's media-centre box etc would bridge its downstream ports to the upstream port, the devices on them could just get an address, whether by DHCPv6 from the CPE router's delegation or by SLAAC, and then register in local DNS or more likely do multicast-DNS so they could find each other. Why do I want my kid's network seeing all the multicast packets that are streaming the adult video from the player to the TV and the Amp in the master bedroom? Why do I want my appliance network's multicast packets getting tossed around on the guest wireless? Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. And then it really doesn't matter; everything gets its address, nothing is NATted, every address is mapped to a meaningful hostname. This assumption that an entire household should be a single broadcast (or multicast) domain is fundamentally broken and needs to change going forward. Perhaps you'd need more aggregation and routing in the glorious one-IP-per-nanite-and-Facebook-fridges future, but that's for another day once we've got fusion and a rational system of government out of the way:-) Joe's network as described isn't big enough or clever enough to need multiple routers. It's just a small LAN and it's only Joe's weirdness in using a $500 Roku as a $5 hank of cat5e and a $20 4-port switch that prevents it from being so. I think that the nanites and fridges that talk to other kitchen storage systems will actually happen well before fusion or rational government. Just because what you describe of today's situation is an accurate picture of today does not mean it is how we should plan IPv6. 
Remember, we don't want to have to replan IPv6 or switch to yet another numbering system for several years, if not decades. In case you hadn't noticed, doing so at today's scale is hard. Imagine what it will be like next time. Not all problems should be solved by routing - but a list full of router people is inherently likely to try to solve all its problems with more routers and routing. There are reasons to route and reasons to switch. I don't consider myself a router person, but, I do consider myself a network engineer, so, I try to use the right tool for the right job. In the case of LAN isolation which I can see several desirable applications for in a home, I think routing is a better choice than switching. Remember, the multicast scopes in IPv6 are interface, link, and larger. There's no scope in between everything on this interface and everything on this link. (link == layer 3 network). Owen
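The isolation argument in the message above rests on how IPv6 multicast scopes work: a router never forwards interface-local or link-local groups, so a routed boundary stops mDNS and SSDP from one LAN reaching another, while a bridge forwards them to every port. The following is an added example, not code from any poster in this thread; it decodes the scope and flag nibbles exactly as RFC 4291 section 2.7 lays them out (plus the realm-local value from RFC 7346), using only the standard library. The table of well-known groups is a constructed sample for the demo, not a registry dump.

```python
"""IPv6 multicast scope decoder.

Added example for the routing-versus-bridging exchange in the thread. Not code
from any poster. Scope values follow RFC 4291 section 2.7 and RFC 7346; the
SAMPLE_GROUPS table is a constructed sample of well-known assignments.
"""
import ipaddress

# Scope is the low nibble of the second byte (ff0S::).
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "realm-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# Groups a home network actually sees; constructed sample of well-known assignments.
SAMPLE_GROUPS = {
    "ff02::1":   "all-nodes",
    "ff02::2":   "all-routers",
    "ff02::c":   "SSDP / UPnP discovery",
    "ff02::fb":  "mDNS",
    "ff02::1:2": "all-DHCPv6-relay-agents-and-servers",
    "ff05::1:3": "all-DHCPv6-servers (site scope)",
}


def _second_byte(addr):
    """Second address byte: high nibble = flags (0RPT), low nibble = scope."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{a} is not a multicast address")
    return a.packed[1]


def multicast_scope(addr):
    """Human-readable scope of a multicast address, e.g. 'link-local' for ff02::fb."""
    s = _second_byte(addr) & 0x0F
    return SCOPES.get(s, f"reserved-or-unassigned(0x{s:x})")


def is_transient(addr):
    """T flag (lowest bit of the flags nibble): 1 = dynamically assigned,
    0 = permanently assigned well-known group."""
    return bool((_second_byte(addr) >> 4) & 0x1)


def confined_to_link(addr):
    """True when no router will ever forward the group off the link it was sent on
    (interface-local or link-local scope). Wider scopes can be forwarded when
    multicast routing is enabled, up to their zone boundary."""
    return (_second_byte(addr) & 0x0F) in (0x1, 0x2)


def isolation_report(groups=SAMPLE_GROUPS):
    """For each group, say whether a routed boundary between two home LANs
    (e.g. kids' Wi-Fi and the media-room segment) stops it. A bridged network
    has no such boundary, so every link-scope group reaches every port."""
    return {
        addr: {
            "name": name,
            "scope": multicast_scope(addr),
            "stopped_by_router": confined_to_link(addr),
        }
        for addr, name in groups.items()
    }


if __name__ == "__main__":
    for addr, info in isolation_report().items():
        verdict = "stays on its LAN" if info["stopped_by_router"] else "may cross routers"
        print(f"{addr:12s} {info['name']:40s} {info['scope']:18s} {verdict}")
```

On a bridged segment the only thing limiting who sees these groups is MLD snooping on the switch, and that only prunes ports with no listener; a router boundary drops link-scope groups unconditionally, which is the property the message above is relying on.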
Re: IPv6 end user addressing
On 2011-08-10 15:02 , Owen DeLong wrote: [..] Why do I want my appliance network's multicast packets getting tossed around on the guest wireless? Even Wikipedia knows the answer to that: http://en.wikipedia.org/wiki/IGMP_snooping which is the first hit for IGMP snooping, which is generally a feature that is present in the better (and thus more expensive) switching gear (and thus probably not present in every home, but those homes probably also don't care about that). Granted, routing is the better and more appropriate way to isolate these kinds of packets and definitely more appropriate for broadcast nastiness (mDNS is such a nice one there too...). That said, /56 or /48 to the home should be what is happening. The whole point of settling on a single prefix btw is so that networks can at least keep the same numbering plan when they switch from one PA prefix to another. Greets, Jeroen PS: the more power to your kids if they can sniff the network for your 'adult content', decode it, and then actually watch it (though if they are technically inclined actually not too difficult, but heck, is that not where crypto comes into play, as when they can pull that off on your kiddie network they can also just plug something into the kiddie-'adult content'-network and sniff it off there... something with 802.1x comes to mind to solve that step.
Re: IPv6 end user addressing
On Wednesday 10 Aug 2011 14:57:54 Jeroen Massar wrote: PS: the more power to your kids if they can sniff the network for your 'adult content', decode it, and then actually watch it Indeed; I'd be more interested in making sure that, say, you can efficiently multicast the live footy to two different screens in the house, and things work automatically so they get used. I think we're operating on radically different Bayesian priors here and I wonder if a European/American issue is involved. (PS, can you buy a switch that will do production grade IPv6, i.e. with things like RA guard, and not do IGMP-snooping?) -- The only thing worse than e-mail disclaimers...is people who send e-mail to lists complaining about them
Re: IPv6 end user addressing
Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
On 10 Aug 2011, at 16:11, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. Well, there is some new effort on this in the homenet WG in IETF. For snooping IPv6 multicast it's MLD snooping rather than IGMP. We use it in our enterprise since we have multiple multicast video channels in use. Tim On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
On Aug 10, 2011, at 6:57 AM, Jeroen Massar wrote: On 2011-08-10 15:02 , Owen DeLong wrote: [..] Why do I want my appliance network's multicast packets getting tossed around on the guest wireless? Even Wikipedia knows the answer to that: http://en.wikipedia.org/wiki/IGMP_snooping which is the first hit for IGMP snooping, which is generally a feature that is present in the better (and thus more expensive) switching gear (and thus probably not present in every home, but those homes probably also don't care about that). That would be the answer to why I DON'T want that happening, but, why would I WANT it to happen when, as you said, the better and more appropriate solution is to route. Unless you have some benefit to offer from NOT Routing, I stand by my statement. Granted, routing is the better and more appropriate way to isolate these kinds of packets and definitely more appropriate for broadcast nastiness (mDNS is such a nice one there too...). That said, /56 or /48 to the home should be what is happening. That said, /48 to the home should be what is happening, and /56 is a better compromise than anything smaller. The whole point of settling on a single prefix btw is so that networks can at least keep the same numbering plan when they switch from one PA prefix to another. That would be nice as well, but, unfortunately, it is obvious at this point that some ISPs will unfortunately refuse to give home users /48s. Greets, Jeroen PS: the more power to your kids if they can sniff the network for your 'adult content', decode it, and then actually watch it (though if they are technically inclined actually not too difficult, but heck, is that not where crypto comes into play, as when they can pull that off on your kiddie network they can also just plug something into the kiddie-'adult content'-network and sniff it off there... something with 802.1x comes to mind to solve that step. 
The chances of the average amplifier and television supporting that level of encryption in a way that the hypothetical kids in this situation would be unable to decrypt a stream that does work between the source and the television and amplifier are pretty slim IMHO. Heck, I can't even get any one of those devices to speak IPv6 yet, let alone all of them and with cryptography to boot. Owen
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 6:55 AM, Alexander Harrowell a.harrow...@gmail.com wrote: Thinking about the CPE thread, isn't this a case for bridging as a feature in end-user devices? If Joe's media-centre box etc would bridge its downstream ports to the upstream port, the devices on them could just get an address, whether by DHCPv6 from the CPE router's delegation or by SLAAC, and then register in local DNS or more likely do multicast- DNS so they could find each other. This would require the ISP gateway to have IPv6 ND entries for all of the end-user's devices. If that is only a few devices, like the typical SOHO LAN today, that's probably fine. It is not fine if I purchase some IPv6-connected nanobots. Given today's routers, it is probably not even fine if the average SOHO goes from 1 state entry to just 20 or 30. I have about 20 devices in my home that use the Internet -- TVs, DVRs, VoIP telephones, printer, mobile phones with Wi-Fi, a couple of video game consoles, etc. I imagine that is not atypical these days. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 2:03 PM, Owen DeLong o...@delong.com wrote: That said, /48 to the home should be what is happening, and /56 is a better compromise than anything smaller. Is hierarchical routing within the SOHO network the reason you believe /48 is useful? You don't really imagine that end-users will require more than 2^8 subnets, but that they will want several levels of very simple, nibble-aligned routers within their network? This is perhaps a good discussion to have. I, for one, see CPE vendors still shipping products without IPv6 support at all, let alone any mechanism for creating an address or routing hierarchy within the home without the end-user configuring it himself. I am not aware of any automatic means to do this, or even any working group trying to produce that feature. Is it true that there is no existing work on this? If that is the case, why would we not try to steer any such future work in such a way that it can manage to do what the end-user wants without requiring a /48 in their home? -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
Re: IPv6 end user addressing
Tim, Hence the might. I worry when people start throwing around terms like routing in the home that they don't understand the complexities of balancing the massive CPE installed base, technical features, end user support, ease of installation management, and (perhaps most importantly) the economics of mass adoption. This is one of the choices that made DSL deployments more complex and expensive than DOCSIS cable deployments which in turn caused the CEO of ATT to say their entire DSL network is obsolete. http://goo.gl/exwqu On 8/10/2011 12:57 PM, Tim Chown wrote: On 10 Aug 2011, at 16:11, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. Well, there is some new effort on this in the homenet WG in IETF. For snooping IPv6 multicast it's MLD snooping rather than IGMP. We use it in our enterprise since we have multiple multicast video channels in use. Tim On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
There is some deployable technology that allows some aspects of this today. Yes, it's in its infancy. Small prefix limitations will guarantee it never sees the light of day just as NAT precluded many useful innovations from getting deployed. Layer 3 isolation is only isolation by agreement if the hosts have some way to get on the same physical or logical LAN layer 2 segment. Otherwise, layer 3 isolation is as effective as any firewall. Layer 2 isolation, OTOH, is both harder to administer and no more effective than layer 3. If you can bypass layer 3 by connecting to the same LAN segment, chances are you can bypass layer 2 by making that LAN segment one which doesn't go through the enforcement switch between the two devices in question. Owen On Aug 10, 2011, at 8:11 AM, Scott Helms wrote: Neither of these are true, though in the future we _might_ have deployable technology that allows for automated routing setup (though I very seriously doubt it) in the home. Layer 2 isolation is both easier and more reliable than attempting it at layer 3 which is isolation by agreement, i.e. it doesn't really exist. On 8/10/2011 9:02 AM, Owen DeLong wrote: Bridging eliminates the multicast isolation that you get from routing. This is not a case for bridging, it's a case for making it possible to do real routing in the home and we now have the space and the technology to actually do it in a meaningful and sufficiently automatic way as to be applicable to Joe 6-Mac. -- Scott Helms Vice President of Technology ISP Alliance, Inc. DBA ZCorum (678) 507-5000 http://twitter.com/kscotthelms
Re: IPv6 end user addressing
On Aug 10, 2011, at 11:17 AM, Jeff Wheeler wrote: On Wed, Aug 10, 2011 at 2:03 PM, Owen DeLong o...@delong.com wrote: That said, /48 to the home should be what is happening, and /56 is a better compromise than anything smaller. Is hierarchical routing within the SOHO network the reason you believe /48 is useful? You don't really imagine that end-users will require more than 2^8 subnets, but that they will want several levels of very simple, nibble-aligned routers within their network? Not necessarily nibble aligned, but, multiple bits per level, yes. This is perhaps a good discussion to have. I, for one, see CPE vendors still shipping products without IPv6 support at all, let alone any mechanism for creating an address or routing hierarchy within the home without the end-user configuring it himself. I am not aware of any automatic means to do this, or even any working group trying to produce that feature. If we are stingy in address allocations, it will stifle such innovations as the vendors tend to develop to the lowest common denominator. If we make the allocations available, innovative ideas will make use of them. Is it true that there is no existing work on this? If that is the case, why would we not try to steer any such future work in such a way that it can manage to do what the end-user wants without requiring a /48 in their home? No, it is not true. I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future. Have we learned nothing from the way NAT shaped the (lack of) innovation in the home? Owen
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 7:12 PM, Owen DeLong o...@delong.com wrote: Is it true that there is no existing work on this? If that is the case, why would we not try to steer any such future work in such a way that it can manage to do what the end-user wants without requiring a /48 in their home? No, it is not true. Can you give any example of a product, or on-going work? I have read two posts from you today saying that something either exists already, or is being worked on. I haven't read this anywhere else. I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future. Have we learned nothing from the way NAT shaped the (lack of) innovation in the home? I am afraid we may not have learned from exhausting IPv4. If I may use the Hurricane Electric tunnel broker as an example again, supposing that is an independent service with no relation to your hosting, transit, etc. operations, it can justify a /24 allocation immediately under 2011-3, without even relying on growth projections. That's a middle ground figure that we can all live with, but it is based on you serving (at this moment) only 8000 tunnels at your busiest tunnel gateway. If your tunnel gateways could serve 12,288 + 1 users each, then your /24 justification grows to a /20. So you would have a pretty significant chunk of the available IPv6 address space for a fairly small number of end-users -- about 72,543 at present. It isn't hard to do some arithmetic and guess that if every household in the world had IPv6 connectivity from a relatively low-density service like the above example, we would still only burn through about 3% of the IPv6 address space on end-users (nothing said about server farms, etc. 
here) but what does bother me is that the typical end-user today has one, single IP address; and now we will be issuing them 2^16 subnets; yet it is not too hard to imagine a future where the global IPv6 address pool becomes constrained due to service-provider inefficiency. I would like to have innovations in SOHO devices, too; who knows what these may be. But I fear we may repeat the mistake that caused NAT to be a necessity in IPv4 -- exhausting address space -- by foolishly assuming that every household is going to need twenty-four orders of magnitude more public addresses than it has today. That is what these practices do -- they literally give end-users twenty-four orders of magnitude more addresses, while it is easy to imagine that we will come within one order of magnitude of running completely out of IPv6 addresses for issuing to service providers. I didn't know what the digit 1 followed by twenty-four zeroes was called. I had to look it up. So our end-users will be receiving about one-Septillion addresses to use in their home, but no one seems to be asking what future technology we may be harming by possibly constraining the global address pool. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
Re: IPv6 end user addressing
In message capwatbj0kgzabcjugvbce3_njawmdu3azqli3jqv4zp6ivx...@mail.gmail.com , Jeff Wheeler writes: On Wed, Aug 10, 2011 at 7:12 PM, Owen DeLong o...@delong.com wrote: Is it true that there is no existing work on this? If that is the case, why would we not try to steer any such future work in such a way that it can manage to do what the end-user wants without requiring a /48 in their home? No, it is not true. Can you give any example of a product, or on-going work? I have read two posts from you today saying that something either exists already, or is being worked on. I haven't read this anywhere else. I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future. Have we learned nothing from the way NAT shaped the (lack of) innovation in the home? I am afraid we may not have learned from exhausting IPv4. If I may use the Hurricane Electric tunnel broker as an example again, supposing that is an independent service with no relation to your hosting, transit, etc. operations, it can justify a /24 allocation immediately under 2011-3, without even relying on growth projections. That's a middle ground figure that we can all live with, but it is based on you serving (at this moment) only 8000 tunnels at your busiest tunnel gateway. If your tunnel gateways could serve 12,288 + 1 users each, then your /24 justification grows to a /20. So you would have a pretty significant chunk of the available IPv6 address space for a fairly small number of end-users -- about 72,543 at present. It isn't hard to do some arithmetic and guess that if every household in the world had IPv6 connectivity from a relatively low-density service like the above example, we would still only burn through about 3% of the IPv6 address space on end-users (nothing said about server farms, etc. 
here) but what does bother me is that the typical end-user today has one, single IP address; and now we will be issuing them 2^16 subnets; yet it is not too hard to imagine a future where the global IPv6 address pool becomes constrained due to service-provider inefficiency. No. A typical user has 10 to 20 addresses NAT'd to one public address. My household has * game consoles * laptops * desktops * cell phones * voip phones * printers all connected to the net. It doesn't yet have a media server but otherwise it is pretty typical. Someday, I expect the pantry to have a barcode reader on it connected back to a computer setup for the kitchen someday. Most of us already use barcode readers when we shop so it's not a big step to home use. Just about anything with firmware in it will eventually connect to the net. The typical household already has 1 or 2 subnets. I would like to have innovations in SOHO devices, too; who knows what these may be. But I fear we may repeat the mistake that caused NAT to be a necessity in IPv4 -- exhausting address space -- by foolishly assuming that every household is going to need twenty-four orders of magnitude more public addresses than it has today. That is what these practices do -- they literally give end-users twenty-four orders of magnitude more addresses, while it is easy to imagine that we will come within one order of magnitude of running completely out of IPv6 addresses for issuing to service providers. Households can get as much internal addressing as they need today and as many nets as they need today with RFC1918. 10/8 broken up into /24s is equivalent to a /48 broken up into /64s. A /56 is equivalent to 192.168/16 broken up into its class C's. I didn't know what the digit 1 followed by twenty-four zeroes was called. I had to look it up. 
So our end-users will be receiving about one-Septillion addresses to use in their home, but no one seems to be asking what future technology we may be harming by possibly constraining the global address pool. There was a conscious decision made a decade and a half ago to go to 128 bits instead of 64 bits and give each subnet 64 bits so we would never have to worry about the size of a subnet again. IPv6 is about managing networks not managing addresses. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: IPv6 end user addressing
> It isn't hard to do some arithmetic and guess that if every household in the world had IPv6 connectivity from a relatively low-density service like the above example, we would still only burn through about 3% of the IPv6 address space on end-users (nothing said about server farms, etc. here) but what does bother me is that the typical end-user today has one, single IP address; and now we will be issuing them 2^16 subnets; yet it is not too hard to imagine a future where the global IPv6 address pool becomes constrained due to service-provider inefficiency.

What is the life expectancy of IPv6? It won't live forever and we can't reasonably expect it to. I understand we don't want to run out of addresses in the next 10-40 years but what about 100? 200? 300? We will run out and our descendants will go through re-numbering again. The question becomes what is the life expectancy of IPv6 and does the allocation plan make a reasonable attempt to run out of addresses around the end of the expected life of IPv6.

> --
> Jeff S Wheeler <j...@inconcepts.biz>
> Sr Network Operator / Innovative Network Concepts

james
Re: IPv6 end user addressing
In message <CADVasu5qev5gUX_oQ=LyJ2JZom=vf5s56kgeq4byeq20gd7...@mail.gmail.com>, james machado writes:
>> It isn't hard to do some arithmetic and guess that if every household in the world had IPv6 connectivity from a relatively low-density service like the above example, we would still only burn through about 3% of the IPv6 address space on end-users (nothing said about server farms, etc. here) but what does bother me is that the typical end-user today has one, single IP address; and now we will be issuing them 2^16 subnets; yet it is not too hard to imagine a future where the global IPv6 address pool becomes constrained due to service-provider inefficiency.
>
> What is the life expectancy of IPv6? It won't live forever and we can't reasonably expect it to. I understand we don't want to run out of addresses in the next 10-40 years but what about 100? 200? 300? We will run out and our descendants will go through re-numbering again. The question becomes what is the life expectancy of IPv6 and does the allocation plan make a reasonable attempt to run out of addresses around the end of the expected life of IPv6.

It really depends on whether the RIRs recover and, importantly, reallocate address space that is not being paid for or not. If they do this should last for the foreseeable future. It would also be my recommendation that RIRs start doing this immediately, if they are not already doing so, so that there is no expectation that you can use address space forever without paying for it.

>> --
>> Jeff S Wheeler <j...@inconcepts.biz>
>> Sr Network Operator / Innovative Network Concepts
>
> james

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 8:40 PM, Mark Andrews <ma...@isc.org> wrote:
> No. A typical user has 10 to 20 addresses NAT'd to one public address.

I'd say this is fair. Amazingly enough, it all basically works right with one IP address today. It will certainly be nice to have the option to give all these devices public IP addresses, or even have a few public subnets; but it does require more imagination than any of us have demonstrated to figure out how any end-user will need more than 2^8 subnets. That's still assuming that device-makers won't decide they need to be able to operate with subnets of arbitrary size, rather than fixed-size /64 subnets.

> There was a conscious decision made a decade and a half ago to go to 128 bits instead of 64 bits and give each subnet 64 bits so we would never have to worry about the size of a subnet again. IPv6 is about managing networks not managing addresses.

Thanks for the explanation of how to subnet IPv4 networks and use RFC1918. I hope most readers are already familiar with these concepts.

You should note that IPv6 was not, in fact, originally envisioned with /64 subnets; that figure was to be /80 or /96. In the mid-1990s, it was believed that dramatically increasing the number of bits available for ISP routing flexibility was very beneficial, as well as making access subnets so big that they should never need to grow. Then SLAAC came along. Except SLAAC doesn't do necessary things that DHCPv6 does, and the cost of implementing things like DHCPv6 in very small, inexpensive devices has gone down dramatically.

I am amazed that so few imagine we might, within the lifetime of IPv6, like to have more bits of address space for routing structure within ISP networks; but these people do think that end-users need 1.2e+24 addresses for the devices they'll have in their home.

I don't have to use my imagination to think of ways that additional bits on the network address side would have been advantageous -- all I need is my memory. In the 90s, it was suggested that a growing number of dual-homed networks cluttering the DFZ could be handled more efficiently by setting aside certain address space for customers who dual-homed to pairs of the largest ISPs. The customer routes would then not need to be carried by anyone except those two ISPs, who are earning money from the customer. This never happened for a variety of good reasons, but most of the technical reasons would have gone away with the adoption of IPv6, as it was envisioned in the mid-90s.

There seems to be a lot of imagination being used for SOHO networks, and none on the ISP side. What a shame that is.

Owen, I do agree with the point you made off-list, that if huge mistakes are made now and the IPv6 address space is consumed more rapidly than the community is comfortable with, there should be plenty of opportunity to fix that down the road.

--
Jeff S Wheeler <j...@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts
Re: IPv6 end user addressing
> Someday, I expect the pantry to have a barcode reader on it connected back to a computer set up for the kitchen. Most of us already use barcode readers when we shop so it's not a big step to home use.

Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc. The refrigerator will have not only the necessary RFID sensors, but, multiple pressure transducers capable of recognizing not only that there is a carton of milk in the refrigerator, but, how much milk is remaining. You'll be able to scan a QR code in the grocery store that links to a recipe for something you thought would be good for dinner, pass the ingredient list to the web server in the refrigerator and get back a nearly instant reply containing the relevant inventory list and a list of items you need to buy to complete the recipe.

> Just about anything with fireware in it will eventually connect to the net.

I think you meant firmware, and, I'd say that a lot of things (cans, jars, milk cartons, etc.) that don't currently connect to the net will actually form IP adjacencies in the future.

> The typical household already has 1 or 2 subnets.

Or even more in some cases (LAN, WLAN, WLAN Guest, DMZ for example).

>> I would like to have innovations in SOHO devices, too; who knows what these may be. But I fear we may repeat the mistake that caused NAT to be a necessity in IPv4 -- exhausting address space -- by foolishly assuming that every household is going to need twenty-four orders of magnitude more public addresses than it has today. That is what these practices do -- they literally give end-users twenty-four orders of magnitude more addresses, while it is easy to imagine that we will come within one order of magnitude of running completely out of IPv6 addresses for issuing to service providers.
>
> Households can get as much internal addressing as they need today and as many nets as they need today with RFC1918. 10/8 broken up into /24s is equivalent to a /48 broken up into /64s. A /56 is equivalent to 192.168/16 broken up into its class C's.

Good point.

>> I didn't know what the digit 1 followed by twenty-four zeroes was called. I had to look it up. So our end-users will be receiving about one septillion addresses to use in their home, but no one seems to be asking what future technology we may be harming by possibly constraining the global address pool.
>
> There was a conscious decision made a decade and a half ago to go to 128 bits instead of 64 bits and give each subnet 64 bits so we would never have to worry about the size of a subnet again. IPv6 is about managing networks not managing addresses.

Yep.

Owen
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 2:17 PM, Jeff Wheeler <j...@inconcepts.biz> wrote:
> On Wed, Aug 10, 2011 at 2:03 PM, Owen DeLong <o...@delong.com> wrote:
>> That said, /48 to the home should be what is happening, and /56 is a better compromise than anything smaller.
>
> You don't really imagine that end-users will require more than 2^8 subnets, but that they will want several levels of very simple, nibble-aligned routers within their network?

Hi Jeff,

In Owen's world, the refrigerator, toaster and microwave each request a /64 from the GE Home Appliance Controller, those /64's being necessary to address each appliance's internal button, light and sensor networks. To accommodate all of these appliances, the HAC has acquired a /59 for all the home appliances from the Home Automation System (HAS) which also has its own LAN and supplied a big block to the furnace and a smaller block to the security system. So, the HAS needed a /58 which it got from the Linksys Home Router.

The Sony Home Entertainment Network (HEN) Controller also needed a /58 from the Home Router to accommodate the Playstation 5's need for a /62 (one /64 for its internal network, another for the PSN VPN and a third for the peripherals network). The Ultra-NES 512 only needed one /64, but the amplifier insisted on a /60 so it could delegate /64's to the cassette tape deck, cd player, mp3 player, etc.

The Ford Home Automotive Network (HAN) also grabbed a block from which to delegate /62's to the three parked cars. Because you know: you need separate networks in each car for the life safety systems, the non-safety systems and the entertainment systems. I mean really, why wouldn't the life safety system in a car dynamically acquire its globally-addressable IPv6 addresses from the customer's cheap home Internet equipment? So they'll each need their /64's which means the car as a whole needs a /62. But the HAN only needed a /60 for all of it since there were only 3 cars.

Now, the Windows 9 PC sat on the /64 PC LAN directly connected to the Home Router, but it needed an additional /64 for its virtual machine network hosting the Windows XP VM needed to run older software. And the wireless LAN only ended up consuming a single /64. But after the two /58's, that meant the Home Router needed a full /56 from the Internet Router.

Finally, the Internet Router connects two networks... the customer's web server DMZ (/64) and the home router (/56). So after you figure in the HAC, the HAN, the HAS, the HEN and all the other connections you need at least a /55... which doesn't fit in a /56 but does fit in a /48.

Qed. *

Now, in Bill's world, the appliances don't expose their internals. When they employ any form of IP networking inside, which they generally don't, they use fe80 link-local addresses inside or maybe a ULA prefix. So even if you have a Smart Fridge within the time span that you care about for today's home user IPv6 assignments, it occupies a single public address on your home's flat /64. Ditto the game consoles and tape decks. With maybe two other /64's: one for servers and one for the wireless LAN. And that /62 need easily fits in your /56 assignment.

Regards,
Bill Herrin

* I say this with trepidation. A quarter century ago I used a similar reductio ad absurdum with a friend who suggested making every road a toll road. Back out of the driveway. Pay the toll. Turn on to main. Pay the toll. Left on 15th. Pay the toll. Wouldn't you know, E-Z Pass came along and brought it to the edge of possible. Then again, possible doesn't necessarily mean advisable.

--
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
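Bill's delegation tree can be checked mechanically. The Python below is an added example, not code from any poster: it packs the prefix lengths Bill states for the home router and the Internet router, computes the shortest parent prefix that holds them (and its nibble-aligned rounding, the practice Jeff refers to), then carves the blocks out of a constructed ISP assignment, 2001:db8:1234::/48 from the documentation range, and checks that the result is consistent. The same arithmetic also covers the /112-per-VLAN prefixes mentioned further down the thread; the device names are Bill's, and the specific addresses that come out are constructed.

```python
"""Prefix-delegation arithmetic for the home network sketched in the thread.

Added example, not code from any poster.  It models the hierarchy of
prefix delegations in Bill Herrin's "Owen's world" sketch (each router asks
its upstream router for a block large enough to hold everything below it)
and computes the shortest parent prefix that can hold a set of requests.
The prefix 2001:db8:1234::/48 used below is constructed from the
documentation range; the device names are Bill's.
"""
import ipaddress


def min_parent_prefixlen(child_lens, nibble_aligned=False):
    """Shortest prefix length able to hold all the requested child prefixes.

    Prefixes are power-of-two sized, so every block is a whole multiple of
    every smaller block: packing them largest-first leaves no holes and the
    parent only has to be the next power of two at or above the total.
    Sizes are counted in /128s so /112-style VLAN prefixes work as well.
    """
    child_lens = list(child_lens)
    if not child_lens:
        raise ValueError("no child prefixes requested")
    total = sum(1 << (128 - plen) for plen in child_lens)
    bits = (total - 1).bit_length()        # ceil(log2(total)), no floats
    plen = 128 - bits
    if nibble_aligned:                      # round out to a 4-bit boundary
        plen -= plen % 4
    return plen


def delegate(parent, children):
    """Carve each requested child (name -> prefix length) out of `parent`.

    Allocates the largest block first, starting at the bottom of the parent,
    so every block lands on its own size boundary.  Raises ValueError when
    the parent is too small, which is the situation the thread argues about.
    """
    parent = ipaddress.IPv6Network(parent)
    need = min_parent_prefixlen(children.values())
    if parent.prefixlen > need:
        raise ValueError(f"{parent} is too small: these requests need a /{need}")
    cursor = int(parent.network_address)
    allocated = {}
    for name, plen in sorted(children.items(), key=lambda kv: kv[1]):
        allocated[name] = ipaddress.IPv6Network((cursor, plen))
        cursor += 1 << (128 - plen)
    return allocated


def check_delegation(parent, allocated):
    """True if every child lies inside the parent and no two children overlap.

    A child outside the parent is unreachable through the parent's route;
    overlapping children would let two downstream routers claim the same
    addresses.
    """
    parent = ipaddress.IPv6Network(parent)
    nets = list(allocated.values())
    if any(not net.subnet_of(parent) for net in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Requests below the home router, with the prefix lengths Bill states.
HOME_ROUTER_REQUESTS = {
    "home automation system (HAS)": 58,
    "home entertainment network (HEN)": 58,
    "home automotive network (HAN)": 60,
    "PC LAN": 64,
    "Windows XP VM network": 64,
    "wireless LAN": 64,
}

# "Bill's world": one flat LAN, a server LAN and a wireless LAN.
FLAT_HOME_REQUESTS = {"flat LAN": 64, "servers": 64, "wireless LAN": 64}


def home_router_need():
    """Bill's home router: two /58s plus a /60 and three /64s -> /56."""
    return min_parent_prefixlen(HOME_ROUTER_REQUESTS.values())


def internet_router_need(nibble_aligned=False):
    """Home router block plus the web-server DMZ /64 -> /55 (/52 nibble-aligned)."""
    return min_parent_prefixlen([home_router_need(), 64], nibble_aligned)


def flat_home_need():
    """Bill's world: three /64s -> /62, which fits comfortably in a /56."""
    return min_parent_prefixlen(FLAT_HOME_REQUESTS.values())


if __name__ == "__main__":
    isp_block = "2001:db8:1234::/48"      # constructed ISP assignment
    top = delegate(isp_block, {"home router": home_router_need(), "DMZ": 64})
    home = delegate(str(top["home router"]), HOME_ROUTER_REQUESTS)
    for name, net in {**top, **home}.items():
        print(f"{name:34} {net}")
    print("internet router needs a /%d (/%d nibble-aligned)"
          % (internet_router_need(), internet_router_need(True)))
    print("delegation consistent:", check_delegation(isp_block, top)
          and check_delegation(str(top["home router"]), home))
```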
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong <o...@delong.com> wrote:
>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer set up for the kitchen. Most of us already use barcode readers when we shop so it's not a big step to home use.
>
> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc.

And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com  b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Re: IPv6 end user addressing
On 2011-08-11 12:45, james machado wrote:
> What is the life expectancy of IPv6? It won't live forever and we can't reasonably expect it to. I understand we don't want to run out of addresses in the next 10-40 years but what about 100? 200? 300? We will run out and our descendants will go through re-numbering again. The question becomes what is the life expectancy of IPv6 and does the allocation plan make a reasonable attempt to run out of addresses around the end of the expected life of IPv6.

Well, we know that the human population will stabilise somewhere below ten billion by around 2050. The current unicast space provides for about 15 trillion /48s. Let's assume that the RIRs and ISPs retain their current level of engineering common sense - i.e. the address space will begin to be really full when there are about 25% of those /48s being routed... that makes 3.75 trillion /48s routed for ten billion people, or 375 /48s per man, woman and child. (Or about 25 million /64s if you prefer.)

At that point, IANA would have to release unicast space other than 2000::/3 and we could start again with a new allocation policy.

I am *really* not worried about this. Other stuff, such as BGP4, will break irrevocably long before this.

Brian
Re: IPv6 end user addressing
> I don't have to use my imagination to think of ways that additional bits on the network address side would have been advantageous -- all I need is my memory. In the 90s, it was suggested that a growing number of dual-homed networks cluttering the DFZ could be handled more efficiently by setting aside certain address space for customers who dual-homed to pairs of the largest ISPs. The customer routes would then not need to be carried by anyone except those two ISPs, who are earning money from the customer. This never happened for a variety of good reasons, but most of the technical reasons would have gone away with the adoption of IPv6, as it was envisioned in the mid-90s.

I think that can still be very realistically achieved within the existing available address space.

> There seems to be a lot of imagination being used for SOHO networks, and none on the ISP side. What a shame that is.

I disagree.

> Owen, I do agree with the point you made off-list, that if huge mistakes are made now and the IPv6 address space is consumed more rapidly than the community is comfortable with, there should be plenty of opportunity to fix that down the road.

Precisely, so, let's risk a small chance of a mistake here now so that we don't cut off innovation so early.

Owen
Re: IPv6 end user addressing
On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong <o...@delong.com> wrote:
>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer set up for the kitchen. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>
>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc.
>
> And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)

This definitely helps explain your misconceptions about NAT as a security tool.

Globally addressable != globally reachable.

Things can have global addresses without having global reachability. There are these tools called access control lists and routing policies. Perhaps you've heard of them. They can be quite useful.

Owen
Re: IPv6 end user addressing
On Aug 10, 2011, at 6:43 PM, William Herrin wrote:
> On Wed, Aug 10, 2011 at 2:17 PM, Jeff Wheeler <j...@inconcepts.biz> wrote:
>> On Wed, Aug 10, 2011 at 2:03 PM, Owen DeLong <o...@delong.com> wrote:
>>> That said, /48 to the home should be what is happening, and /56 is a better compromise than anything smaller.
>>
>> You don't really imagine that end-users will require more than 2^8 subnets, but that they will want several levels of very simple, nibble-aligned routers within their network?
>
> Hi Jeff,
>
> In Owen's world, the refrigerator, toaster and microwave each request a /64 from the GE Home Appliance Controller, those /64's being necessary to address each appliance's internal button, light and sensor networks. To accommodate all of these appliances, the HAC has acquired a /59 for all the home appliances from the Home Automation System (HAS) which also has its own LAN and supplied a big block to the furnace and a smaller block to the security system. So, the HAS needed a /58 which it got from the Linksys Home Router.
>
> The Sony Home Entertainment Network (HEN) Controller also needed a /58 from the Home Router to accommodate the Playstation 5's need for a /62 (one /64 for its internal network, another for the PSN VPN and a third for the peripherals network). The Ultra-NES 512 only needed one /64, but the amplifier insisted on a /60 so it could delegate /64's to the cassette tape deck, cd player, mp3 player, etc.
>
> The Ford Home Automotive Network (HAN) also grabbed a block from which to delegate /62's to the three parked cars. Because you know: you need separate networks in each car for the life safety systems, the non-safety systems and the entertainment systems. I mean really, why wouldn't the life safety system in a car dynamically acquire its globally-addressable IPv6 addresses from the customer's cheap home Internet equipment? So they'll each need their /64's which means the car as a whole needs a /62. But the HAN only needed a /60 for all of it since there were only 3 cars.
>
> Now, the Windows 9 PC sat on the /64 PC LAN directly connected to the Home Router, but it needed an additional /64 for its virtual machine network hosting the Windows XP VM needed to run older software. And the wireless LAN only ended up consuming a single /64. But after the two /58's, that meant the Home Router needed a full /56 from the Internet Router.
>
> Finally, the Internet Router connects two networks... the customer's web server DMZ (/64) and the home router (/56). So after you figure in the HAC, the HAN, the HAS, the HEN and all the other connections you need at least a /55... which doesn't fit in a /56 but does fit in a /48.
>
> Qed. *

Thanks... An excellent write up, even if it was intended tongue in cheek. However, you left out the need for addressing for the RFID tags that will end up on most groceries, etc.

> Now, in Bill's world, the appliances don't expose their internals. When they employ any form of IP networking inside, which they generally don't, they use fe80 link-local addresses inside or maybe a ULA prefix. So even if you have a Smart Fridge within the time span that you care about for today's home user IPv6 assignments, it occupies a single public address on your home's flat /64. Ditto the game consoles and tape decks. With maybe two other /64's: one for servers and one for the wireless LAN. And that /62 need easily fits in your /56 assignment.

I'm glad I live in Owen's world and not Bill's. I think my appliance vendors will make much cooler and more useful products than yours.

Owen
Re: IPv6 end user addressing
On Wed, Aug 10, 2011 at 8:56 PM, Owen DeLong <o...@delong.com> wrote:
> I'm glad I live in Owen's world and not Bill's. I think my appliance vendors will make much cooler and more useful products than yours.

In Owen's world the fridge and pantry would know what they have, the amounts, and possibly location. The recipe book would be able to check what is in the fridge and pantry and tell if you need to buy more. It could then set the oven to the correct temperature when you reach the correct step in the recipe.

Yes, all that could be done with servers on the pantry and fridge, but then there would be different implementations of each protocol and incompatibilities between the fridge, pantry, recipe book, and oven.
Re: IPv6 end user addressing
On 11/08/2011, at 8:42 AM, Owen DeLong wrote:
> I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future.

I see the lack of agreement on whether /48 or /56 or /60 is good for a home network to be a positive thing. As long as there's no firm consensus, router vendors will have to implement features which don't make silly hard-coded assumptions.

Innovation will still happen, features will still be implemented, we'll still climb out of the NAT morass. But we'll do it with CPE that allows for a richer spectrum of variation than we would if we just said, "Dammit, /48 for everyone."

It's all good. At this stage of the game, any amount of moving forward is better than staying where we are.

(which reminds me: http://www.internode.on.net/news/2011/08/238.php It ain't that hard)

- mark

--
Mark Newton                               Email:  new...@internode.com.au (W)
Network Engineer                          Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Re: IPv6 end user addressing
On 11/08/2011, at 12:04 PM, Philip Dorr wrote:
> On Wed, Aug 10, 2011 at 8:56 PM, Owen DeLong <o...@delong.com> wrote:
>> I'm glad I live in Owen's world and not Bill's. I think my appliance vendors will make much cooler and more useful products than yours.
>
> In Owen's world the fridge and pantry would know what they have, the amounts, and possibly location. The recipe book would be able to check what is in the fridge and pantry and tell if you need to buy more. It could then set the oven to the correct temperature when you reach the correct step in the recipe.

The wine cellar will know how much you drank last night, and communicate with the life-critical systems in the car to prevent engine start while you're over the limit.

When the home BMS network notices that the flow sensor on the shower hasn't started at the usual time the next morning, it'll play an IVR out of your home PBX network to tell the boss you're too hungover to come to work.

Owen's world has built in automated protection to help you through the fact that IPv6 subnetting will turn you to drink :-)

- mark

--
Mark Newton                               Email:  new...@internode.com.au (W)
Network Engineer                          Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Re: IPv6 end user addressing
On Aug 10, 2011 7:45 PM, "Mark Newton" <new...@internode.com.au> wrote:
> On 11/08/2011, at 8:42 AM, Owen DeLong wrote:
>> I suppose that limiting enough households to too small an allocation will have that effect. I would rather we steer the internet deployment towards liberal enough allocations to avoid such disability for the future.
>
> I see the lack of agreement on whether /48 or /56 or /60 is good for a home network to be a positive thing. As long as there's no firm consensus, router vendors will have to implement features which don't make silly hard-coded assumptions.
>
> Innovation will still happen, features will still be implemented, we'll still climb out of the NAT morass. But we'll do it with CPE that allows for a richer spectrum of variation than we would if we just said, "Dammit, /48 for everyone."
>
> It's all good. At this stage of the game, any amount of moving forward is better than staying where we are.
>
> (which reminds me: http://www.internode.on.net/news/2011/08/238.php It ain't that hard)

Finally a useful post in this thread. Good work on the deployment of real ipv6!

Cb

> - mark
>
> --
> Mark Newton                               Email:  new...@internode.com.au (W)
> Network Engineer                          Email:  new...@atdot.dotat.org  (H)
> Internode Pty Ltd                         Desk:   +61-8-82282999
> "Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Re: IPv6 end user addressing
On 11/08/2011, at 12:30 PM, Cameron Byrne wrote:
> Finally a useful post in this thread. Good work on the deployment of real ipv6!

Thanks. And thanks to Vendor-C for helping us through it. The IPv6 Broadband featureset on the ASR platform starting from IOS-XR 3.1 is a vast improvement on its predecessors.

Biggest hassle with IPv6 in production right now: DNS support is woefully undercooked. I don't think anyone has put anywhere near as much effort into making it fluid, user-friendly, and automated. Simple questions like, "How are reverse mappings supposed to work when you can't predict an end-user's address?" have no good answer.

If any systems folks want a nice meaty problem domain to focus their efforts on, DNS would be da shiznit.

- mark

--
Mark Newton                               Email:  new...@internode.com.au (W)
Network Engineer                          Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Re: IPv6 end user addressing
On 11/08/2011, at 12:41 PM, Mark Newton wrote:
> On 11/08/2011, at 12:30 PM, Cameron Byrne wrote:
>> Finally a useful post in this thread. Good work on the deployment of real ipv6!
>
> Thanks. And thanks to Vendor-C for helping us through it. The IPv6 Broadband featureset on the ASR platform starting from IOS-XR 3.1 is a vast improvement on its predecessors.

Oops. s/XR/XE/

- mark

--
Mark Newton                               Email:  new...@internode.com.au (W)
Network Engineer                          Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Re: IPv6 end user addressing
On 8/10/2011 8:46 PM, William Herrin wrote:
> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong <o...@delong.com> wrote:
>>> Someday, I expect the pantry to have a barcode reader on it connected back to a computer set up for the kitchen. Most of us already use barcode readers when we shop so it's not a big step to home use.
>>
>> Nah... That's short-term thinking. The future holds advanced pantries with RFID sensors that know what is in the pantry and when they were manufactured, what their expiration date is, etc.
>
> And since your can of creamed corn is globally addressable, the rest of the world knows what's in your pantry too. ;)

I can't believe no one has made a joke yet about a kernel.

Sorry for the bad joke,
-Michael

> Regards,
> Bill Herrin
Re: IPv6 end user addressing
On 11/08/2011, at 1:33 PM, Owen DeLong wrote:
> Yes and no. In terms of potential innovations, if enough of the market chooses /60, they will hard code the assumption that they cannot count on more than a /60 being available into their development process regardless of what gets into the router. Sure, they won't be able to assume you can't get a /48, but, they also won't necessarily implement features that would take advantage of a /48.

They will on their premium high price point CPE and/or service provider offerings. It'll be a product differentiator. If enough customers are attracted to it, it'll win. If they aren't, it'll lose.

The process of invention and innovation will happen anyway. We're not really talking about that here, we're talking about post-innovation marketing.

Maybe ISP#2 in Australia will launch onto the market with /48's for everyone, and we'll respond competitively. Dunno. Whatever, it's all kinda arbitrary really. Not worth arguing about, and certainly not worth delaying implementation until you finish debating the right answer.

> Perhaps far more than most of you wanted to know about navigation, but, at least worth considering when we think that all forward movement is good forward movement.

The 1-in-60 rule I learned during my pilot's license training is a lot easier to explain, without diagrams and with no need for trigonometry.

Another useful judgement call when you're flying is to understand that as long as you know where you are and where you want to be, any forward progress whatsoever is a positive when there's a growing thunderstorm behind you :-)

- mark

--
Mark Newton                               Email:  new...@internode.com.au (W)
Network Engineer                          Email:  new...@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
Re: IPv6 end user addressing
On Aug 10, 2011, at 6:52 PM, Brian E Carpenter wrote:
> On 2011-08-11 12:45, james machado wrote:
>> What is the life expectancy of IPv6? It won't live forever and we can't reasonably expect it to. I understand we don't want to run out of addresses in the next 10-40 years but what about 100? 200? 300? We will run out and our descendants will go through re-numbering again. The question becomes what is the life expectancy of IPv6 and does the allocation plan make a reasonable attempt to run out of addresses around the end of the expected life of IPv6.
>
> Well, we know that the human population will stabilise somewhere below ten billion by around 2050. The current unicast space provides for about 15 trillion /48s. Let's assume that the RIRs and ISPs retain their current level of engineering common sense - i.e. the address space will begin to be really full when there are about 25% of those /48s being routed... that makes 3.75 trillion /48s routed for ten billion people, or 375 /48s per man, woman and child. (Or about 25 million /64s if you prefer.)

It's not the humans that are going to soak up the address space, so it seems a little misguided to count up the humans as a reference for the bounding properties on growth. That said, I think 2000::/3 will last long enough that we shouldn't be out rewriting policy anytime soon.

> At that point, IANA would have to release unicast space other than 2000::/3 and we could start again with a new allocation policy.
>
> I am *really* not worried about this. Other stuff, such as BGP4, will break irrevocably long before this.

We have a few problems to solve along the way. Running the current network is hard enough as it is.

> Brian
Re: IPv6 end user addressing
On Aug 8, 2011, at 5:14 PM, Owen DeLong wrote: I'm sure there will be platforms that end up on both sides of this question. I know of no asic in a switch that claims to support ipv6 that does it this way... That would tend to place you at a competitive disadvantage to broadcom/marvell/fulcrum/juniper/cisco if you implemented it that way... it's easier I imagine to simply reduce the size of the fib... given that switches routinely have to forward to neighbors on /126 or /127 prefix links I think that would be something of a mistake. YES: We made a less expensive box by cutting the width of the TCAM required in half NO: We spared no expense and passed the costs (and a nice profit margin) on to you so that you can do whatever you like in IPv6 at wire speed. I'm sure the market will chose products from both sides of the line for the same reasons. Owen On Aug 8, 2011, at 4:34 PM, Randy Carpenter wrote: I heard at one time that hardware manufacturers were likely to route in hardware only down to a /64, and that any smaller subnets would be subject to the slow path as ASICs were being designed with 64-bit address tables. I have no idea of the validity of that claim. Does anyone have any concrete evidence for or against this argument? If true, it would make /64s even more attractive. -Randy - Original Message - we assign /112 per end user vlan (or server) at this moment... works perfectly fine (and thats even a bit too big). - nobody wants to use dynamic ips on -servers- or -router links- anyway i -really- can't see why people don't just use subnets with just the required number of addresses. take one /64 (for /64's sake ;), split it up into subnets which each have the required number of addresses (lets say you have 2-4 addresses for each bgp/router link, so you simply split it up into subnets that size) etc. 
no need to use /64 for -everything- at all, just because it fits (ethernet) mac addresses (as if ethernet will be around longer than ipv6 ha-ha, someone will come up with something faster tomorrow and then it's bye bye ethernet, the 10ge variant is getting slow, and the 100ge variant is not even standardized yet, and trunking is a bottleneck ;) we don't use /24's for -everything- on ipv4 now do we :P (oh wait, there once was a time where we did.. due to another retarded semi-automatic configuration thingy, called RIP , which also only seemed to understand /24 or bigger ;)
--
Greetings, Sven Olaf Kamphuis, CB3ROB Ltd. Co. KG
Address: Koloniestrasse 34, D-13359 Berlin, Germany
VAT Tax ID: DE267268209
Registration: HRA 42834 B BERLIN
Phone: +31/(0)87-8747479
GSM: +49/(0)152-26410799
RIPE: CBSK1-RIPE
e-Mail: s...@cb3rob.net
penpen C3P0, the electric Westerwelle
http://www.facebook.com/cb3rob
Confidential: Please be advised that the information contained in this email message, including all attached documents or files, is privileged and confidential and is intended only for the use of the individual or individuals addressed. Any other use, dissemination, distribution or copying of this communication is strictly prohibited.
On Mon, 8 Aug 2011, Owen DeLong wrote: On Aug 7, 2011, at 4:26 PM, Jeff Wheeler wrote: On Sun, Aug 7, 2011 at 6:58 PM, Mark Andrews ma...@isc.org wrote: So you want HE to force all their clients to renumber. No. I am simply pointing out that Owen exaggerated when he stated that he implements the following three practices together on his own networks: * hierarchical addressing * nibble-aligned addressing * /48 per access customer You can simply read the last few messages in this thread to learn that his recommendations on this list are not even practical for his network today, because as Owen himself says, they are not yet able to obtain additional RIR allocations.
HE certainly operates a useful, high-profile tunnel-broker service which is IMO a very great asset to the Internet at-large; but if you spend a few minutes looking at the publicly available statistics on this service, they average only around 10,000 active tunnels across all their tunnel termination boxes combined. They have not implemented the policies recommended by Owen because, as he states, a /32 is not enough. Do I think the position he advocates will cause the eventual exhaustion of IPv6? Well, let's do an exercise: There has been some rather simplistic arithmetic posted today, 300m new subnets per year, etc. with zero consideration of address/subnet utilization
Re: IPv6 end user addressing
It's at least true of how some of the Cisco platforms cope with IPv6 access lists. Owen On Aug 8, 2011, at 11:54 PM, Joel Jaeggli wrote: On Aug 8, 2011, at 5:14 PM, Owen DeLong wrote: I'm sure there will be platforms that end up on both sides of this question. I know of no asic in a switch that claims to support ipv6 that does it this way... That would tend to place you at a competitive disadvantage to broadcom/marvell/fulcrum/juniper/cisco if you implemented it that way... it's easier I imagine to simply reduce the size of the fib... given that switches routinely have to forward to neighbors on /126 or /127 prefix links I think that would be something of a mistake. YES: We made a less expensive box by cutting the width of the TCAM required in half NO: We spared no expense and passed the costs (and a nice profit margin) on to you so that you can do whatever you like in IPv6 at wire speed. I'm sure the market will choose products from both sides of the line for the same reasons. Owen On Aug 8, 2011, at 4:34 PM, Randy Carpenter wrote: I heard at one time that hardware manufacturers were likely to route in hardware only down to a /64, and that any smaller subnets would be subject to the slow path as ASICs were being designed with 64-bit address tables. I have no idea of the validity of that claim. Does anyone have any concrete evidence for or against this argument? If true, it would make /64s even more attractive. -Randy - Original Message - we assign /112 per end user vlan (or server) at this moment... works perfectly fine (and that's even a bit too big). - nobody wants to use dynamic ips on -servers- or -router links- anyway i -really- can't see why people don't just use subnets with just the required number of addresses. take one /64 (for /64's sake ;), split it up into subnets which each have the required number of addresses (let's say you have 2-4 addresses for each bgp/router link, so you simply split it up into subnets that size) etc.
Re: IPv6 end user addressing
Silly confidentiality notices are usually enforced by silly corporate IT departments and cannot be removed by mere mortal employees. They are an unavoidable part of life, like Outlook top posting and spam. Alternatively, if your corporate email imposes stupid policies and / or a stupid email client (note: it's possible to quote properly and not top-post with Outlook, it's just hard work), don't subscribe to mailing lists from your corporate email. Of all the mailing list communities, I'd expect this one not to struggle very much with arranging an alternative... Regards, Tim.
Re: IPv6 end user addressing
Once upon a time, Jimmy Hess mysi...@gmail.com said: If you must not have someone plugging into your server LAN without permission, you turn unused ports off, or preferably, place them in a VLAN island with no topological connection to anything. That's about what I do; unused ports are in a different VLAN. I have a separate LAN for notebooks, etc. that has DHCP (and will have a v6 /64 when I get v6 to that point). -- Chris Adams cmad...@hiwaay.net Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Re: IPv6 end user addressing
On Tue, 09 Aug 2011 11:24:03 +1200, Jonathon Exley said: Silly confidentiality notices are usually enforced by silly corporate IT departments and cannot be removed by mere mortal employees. They are an unavoidable part of life, like Outlook top posting and spam. They may all three be things that we continually receive from clueless netizens. However, it is not at all difficult for anybody clued enough to get subscribed to NANOG to find ways to avoid inflicting all three on the rest of us.
Re: IPv6 end user addressing
On Fri, 5 Aug 2011, Brian Mengel wrote: In reviewing IPv6 end user allocation policies, I can find little agreement on what prefix length is appropriate for residential end users. /64 and /56 seem to be the favorite candidates, with /56 being slightly preferred. I am most curious as to why a /60 prefix is not considered when trying to address this problem. It provides 16 /64 subnetworks, which seems like an adequate amount for an end user. Does anyone have opinions on the BCP for end user addressing in IPv6? For business customers I would give /48 and home users who might have 1-2 subnets I would give /56 or /60. Reasons: - Business customers might grow to where you have to provide a bigger number of subnets - allow space for future extension. - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service. Just my 2 cents. Best Regards, Janos Mohacsi
Re: IPv6 end user addressing
On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said: - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service You don't want to make the assumption that just because Joe Sixpack doesn't know what a subnet is, that Joe Sixpack's CPE doesn't know either. And remember that if it's 3 hops from one end of Joe Sixpack's internal net to the other, you're gonna burn a few bits to support hierarchical routing so you don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a /56 by the provider, and it hands each device it sees a /60 in case it's a device that routes too, it can only support 14 devices. And if one of the things that got handed a /60 is a wireless access point or something, it's only going to be able to support 15 or so subnets. So a simple topology of only a half dozen devices can burn up 8 bits of subnet addressing real fast. Yes, you can conserve bits by being more clever, but then you probably need an IGP of some sort
Re: IPv6 end user addressing
On Mon, 8 Aug 2011, valdis.kletni...@vt.edu wrote: On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said: - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service You don't want to make the assumption that just because Joe Sixpack doesn't know what a subnet is, that Joe Sixpack's CPE doesn't know either. And remember that if it's 3 hops from one end of Joe Sixpack's internal net to the other, you're gonna burn a few bits to support hierarchical routing so you don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a /56 by the provider, and it hands each device it sees a /60 in case it's a device that routes too, it can only support 14 devices. And if one of the
more exactly 16 routing devices. You don't have to count the all 0 and all 1 as reserved. maybe each device can see /57 or /58 or /59 depending on the capabilities of your devices. I think daisy chaining of CPE routers is a bad idea - as probably done in several IPv4 home networks. Why would you build several hierarchies into your network if it is unnecessary? Best Regards, Janos Mohacsi
Re: IPv6 end user addressing
In message 174561.1312807...@turing-police.cc.vt.edu, valdis.kletni...@vt.edu writes: On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said: - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service You don't want to make the assumption that just because Joe Sixpack doesn't know what a subnet is, that Joe Sixpack's CPE doesn't know either. And remember that if it's 3 hops from one end of Joe Sixpack's internal net to the other, you're gonna burn a few bits to support hierarchical routing so you don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a /56 by the provider, and it hands each device it sees a /60 in case it's a device that routes too, it can only support 14 devices. And if one of the things that got handed a /60 is a wireless access point or something, it's only going to be able to support 15 or so subnets. So a simple topology of only a half dozen devices can burn up 8 bits of subnet addressing real fast. Yes, you can conserve bits by being more clever, but then you probably need an IGP of some sort Which is why CPE devices shouldn't do hierarchical assignment by default. PD supports multiple upstream requests. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: IPv6 end user addressing
On Mon, 08 Aug 2011 16:12:00 +0200, Mohacsi Janos said: You don't have to count the all 0 and all 1 as reserved maybe each device can see /57 or /58 or /59 depending on the capabilities of your devices As I said further down the note - you can conserve bits but then it gets more complicated. You don't want to go to a static subdivide whatever you got 16 ways if you can, you have to get more clever. Sure, that one device may only need a /61 right now because there's only 3 devices behind it. So the upstream bridge allocates the first /61 to that device, and allocates the next /63 to the next device that comes online. Then somebody adds a 4th device to that first router and now it needs a /60, but you can't just expand the allocation to a /60 because somebody is in the way. Somebody's gonna have to renumber. Or you can just say I can support 16 devices so I need 4 bits of space. Or you can bite the bullet and do something more clever. I think daisy chaining of CPE routers is a bad idea - as probably done in several IPv4 home networks. Why would you build several hierarchies into your network if it is unnecessary? Because we're talking Joe Sixpack here - and he can't *spell* hierarchy. All he knows is that he's got one box that his cable company sent him, then he plugged his wireless access point into the cable company box, then he plugged all the stuff in the media center into a box and connected that box to the cable company box (He couldn't plug it all into the cable company box because that only had 4 RJ45's, and one got used for the wireless, and he's got 9(*) things in the media center that have RJ45s). You're at 2 levels of hierarchy already. Now if he decides to get lazy and not run a cable to the upstairs bedroom he wants to use as a home office, and gets another box that's really similar to the one in his media center except it will do wireless, he just added a third level of hierarchy. And I don't think that's an at all unreasonable scenario.
Feel free to redesign that network to get rid of one level, let me know what you ended up doing. Oh, and explain it in terms Joe Sixpack can understand. ;) (*) Yes, 9 isn't at all unreasonable - I know plenty of people that have a Wii, a PS/2, a PS/3, an XBox, a TV that will talk to the Internet, a DVR that wants to talk to the Internet, and a PC. That's 7 already. On Tue, 09 Aug 2011 00:18:57 +1000, Mark Andrews said: In message 174561.1312807...@turing-police.cc.vt.edu, valdis.kletni...@vt.edu half dozen devices can burn up 8 bits of subnet addressing real fast. Yes, you can conserve bits by being more clever, but then you probably need an IGP of some sort Which is why CPE devices shouldn't do hierarchical assignment by default. PD supports multiple upstream requests. As I said - you can conserve bits using PD or similar, but then you need a routing solution - you can use PD to hand out prefixes, but then you still need routing. Consider the case above - the wireless box asks for a prefix delegation, then the media center box asks for one. Then the home office asks for one - and now you need to make sure there's a way for the stuff behind the media center box to know that to get to the printer that's hanging off the home office box, it has to route to the wireless box. Anybody got gear that can do that and is ready for Joe Sixpack?
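What the "static subdivide 16 ways" scheme argued over in the messages above actually yields, worked through as an added example (this is not code from any post in the thread; the house topology, the 2001:db8:0:100::/56 delegation and the rule that a router keeps its first child block for its own LAN are assumptions made for the illustration). It also includes a small check for the variable-size variant, to show why a /61 followed by a /63 from the same pool cannot later be widened in place to a /60:

```python
"""Model of hierarchical prefix delegation inside a home network.

Added example, not from the thread. Assumptions: each routing device splits
the block it was delegated into 2**bits_per_level equal children, keeps the
first child for its own LAN(s) and hands one child to each downstream router;
a LAN needs a /64 for SLAAC, so nothing longer than /64 can be delegated.
"""
from ipaddress import IPv6Network

SLAAC_LAN_PREFIX = 64   # SLAAC LANs are /64; a child longer than that is useless

# Constructed topology of the house described above: the cable company box at
# the root, the wireless AP and the media-center box behind it, and the
# home-office box behind the media-center box (three levels of routers).
JOE_TOPOLOGY = {
    "cable-box": ["wireless-ap", "media-center"],
    "wireless-ap": [],
    "media-center": ["home-office"],
    "home-office": [],
}
ROOT = IPv6Network("2001:db8:0:100::/56")   # constructed ISP delegation


def delegate(prefix, router, topology, bits_per_level=4):
    """Static subdivision, recursively down the topology.

    Returns {router: (lan_block, delegated_block)}. Raises ValueError when a
    router has more downstream routers than spare children, or when the
    children would be longer than a /64.
    """
    downstream = topology[router]
    if not downstream:
        return {router: (prefix, prefix)}   # a leaf keeps its whole block for LANs
    child_len = prefix.prefixlen + bits_per_level
    if child_len > SLAAC_LAN_PREFIX:
        raise ValueError(f"{router} holds {prefix}; a /{child_len} child is too small for a LAN")
    children = prefix.subnets(new_prefix=child_len)   # ascending order
    assignments = {router: (next(children), prefix)}  # first child: own LAN
    for child_router in downstream:
        child_prefix = next(children, None)
        if child_prefix is None:
            raise ValueError(f"{router} ran out of /{child_len} children at {child_router}")
        assignments.update(delegate(child_prefix, child_router, topology, bits_per_level))
    return assignments


def joe_plan():
    """The constructed house, delegated from the constructed /56."""
    return delegate(ROOT, "cable-box", JOE_TOPOLOGY)


def fan_out(bits_per_level=4):
    """Downstream routers one router can serve: all children but the one it keeps."""
    return 2 ** bits_per_level - 1


def router_levels(root_prefixlen, bits_per_level=4):
    """Levels of routers (root included) before a LAN would need to be longer than /64."""
    return (SLAAC_LAN_PREFIX - root_prefixlen) // bits_per_level + 1


def can_grow(allocated, name, new_prefixlen):
    """Variable-size variant: can `name`'s block be widened in place to
    new_prefixlen without overlapping another block from the same pool?"""
    wanted = allocated[name].supernet(new_prefix=new_prefixlen)
    return not any(wanted.overlaps(p) for other, p in allocated.items() if other != name)


def example_pool():
    """Constructed first-fit history: a /61 to the first box, then a /63 to the next."""
    return {
        "first-box": IPv6Network("2001:db8:0:100::/61"),
        "second-box": IPv6Network("2001:db8:0:108::/63"),
    }


if __name__ == "__main__":
    for router, (lan, block) in joe_plan().items():
        print(f"{router:13} lan={lan}  delegated={block}")
    print("routers per 4-bit level:", fan_out(), " router levels from a /56:", router_levels(56))
    print("first-box can grow /61 -> /60 in place:", can_grow(example_pool(), "first-box", 60))
```

With a /56 at the root and four bits per level, each router serves 15 downstream routers (sixteen children, one kept), and the home-office box at the third level is already holding a /64: it can run one LAN but cannot delegate further. In the first-fit pool the /63 sits inside the /60 that the first box would need, so growing it means renumbering someone, which is the point made above.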
Re: IPv6 end user addressing
On Aug 7, 2011, at 12:00 PM, Jeff Wheeler wrote: On Sat, Aug 6, 2011 at 7:26 PM, Owen DeLong o...@delong.com wrote: Well, you aren't actually doing this on your network today. If you practiced what you are preaching, you would not be carrying aggregate routes to your tunnel broker gateways across your whole backbone. Yes we would. No, if you actually had a hierarchical addressing scheme, you would issue tunnel broker customer /64s from the same aggregate prefix that is used for their /48s. You'd then summarize at your ABRs so the entire POP need only inject one route for customer addressing into the backbone. Of course, this is not what you do today, and not because of limited RIR allocation policies -- but because you simply did not design your network with such route aggregation in mind. You are, once again, conflating two related, but, not identical terms. A hierarchical addressing scheme is NOT a hierarchical routing structure and vice versa. Yes, a hierarchical routing scheme requires a hierarchical addressing scheme, but, a hierarchical addressing scheme does NOT require a hierarchical routing scheme. We have a hierarchical addressing scheme. The fact that you don't like our idea of having two parallel hierarchies for two different addressing structures is also getting in the way here. For us, using parallel similar hierarchies for the /64 and /48 prefix blocks works quite well and produces certain scaling advantages in our system. As to the details of how our IGP works. I'm not going to debate that with you because it is an internal matter and not really part of this discussion. If you want to talk in the abstract about good ways to structure routing, I'm happy to do that. However, it's a different (though related as described above) subject from hierarchical addressing. Those are artifacts of a small allocation (/32) from a prior RIR policy.
The fact that those things haven't worked out so well for us was one of the motivations behind developing policy 2011-3. There was nothing stopping you from using one /48 out of the /37s you use to issue customer /48 networks for issuing the default /64 blocks your tunnel broker hands out. I was talking about the fact we were using /37s. We have actually recognized significant advantages from using different prefix blocks to assign /48s and /64s in the environment and I don't expect us to change that practice even when we do get enough address space to build out the hierarchy the way we want. Those advantages, however, may well be unique to our tunnelbroker structure and may not be applicable to other networks. We give a minimum /48 per customer with the small exception that customers who only want one subnet get a /64. You assign a /64 by default. Yes, customers can click a button and get themselves a /48 instantly, but let's tell the truth when talking about your current defaults -- customers are assigned a /64, not a /48. We assign a /64 by default only to tunnelbroker customers and to customers without routers in our datacenters. I believe all others default to a /48 per site. I told the truth... We give a minimum /48 per customer with the small exception that customers who only want one subnet get a /64. If you didn't want only one subnet, presumably you would click the button to get your instant /48. We do have a hierarchical addressing plan. I said nothing about routing, but, we certainly could implement hierarchical routing if we arrived at a point where it was advantageous because we have designed for it. How have you designed for it? You already missed easy opportunities to inject fewer routes into your backbone, simply by using different aggregate prefixes for customer /64s vs /48s. You are correct... 
With present hind-sight, we could have designed things in such a way that we could have cut the number of aggregates to be injected into the backbone from 50 to 25. Assuming that our network doubles in size every year for the next 4 years, that would take us to a total of 800 routes that could be 400. OTOH, since we get some other advantages from this relatively small increment in prefixes, I think we'll probably stick with the architecture we have for the advantages it offers in other areas. Reducing prefix count is not the only consideration in running a network. However, requesting more than a /32 is perfectly reasonable. In the ARIN region, policy 2011-3. My read of that policy, and please correct me if I misunderstand, is that it recognizes only a two-level hierarchy. This would mean that an ISP could use some bits to represent a geographic region, a POP, or an aggregation router / address pool, but it does not grant them justification to reserve bits for all these purposes. While that's theoretically true, the combination of 25% minfree , nibble boundaries, and equal sized allocations for all POPs based on your largest one allows for that in practical terms in
Re: IPv6 end user addressing
On Aug 7, 2011, at 3:09 PM, Jonathon Exley wrote: This has probably been said before, but it makes me uncomfortable to think of everybody in the world being given /48 subnets by default. All of a sudden that wide expanse of 2^128 IP addresses shrinks to 2^48 sites. Sure that's still 65535 times more than 2^32 IPv4 addresses, but wouldn't it be wise to apply some conservatism now to allow the IPv6 address space to last for many more years? After all, there are only 4 bits of IP version field so the basic packet format won't last forever. Let's look at this realistically. In 30+ years of internet development, giving IP addresses to lots of things besides just single sites, we still haven't completely used up the 32 bit space. This includes reserving 1/16th of it for unknown purposes that are never to be. 65,536 times enough space for all the sites we deployed in 30+ years will more than likely outlast the lifetime of the protocol, so, yeah, I'm OK with giving every end-site in the world (note an end-site is not a person, it's a building, structure, or tenant in a multi-tenant building or structure). Owen P.S. Jonathon: If anything in your email was confidential, too bad. You posted it to a public list. Silly notice at the bottom to that effect removed.
Re: IPv6 end user addressing
On Aug 7, 2011, at 4:26 PM, Jeff Wheeler wrote: On Sun, Aug 7, 2011 at 6:58 PM, Mark Andrews ma...@isc.org wrote: So you want HE to force all their clients to renumber. No. I am simply pointing out that Owen exaggerated when he stated that he implements the following three practices together on his own networks: * hierarchical addressing * nibble-aligned addressing * /48 per access customer You can simply read the last few messages in this thread to learn that his recommendations on this list are not even practical for his network today, because as Owen himself says, they are not yet able to obtain additional RIR allocations. HE certainly operates a useful, high-profile tunnel-broker service which is IMO a very great asset to the Internet at-large; but if you spend a few minutes looking at the publicly available statistics on this service, they average only around 10,000 active tunnels across all their tunnel termination boxes combined. They have not implemented the policies recommended by Owen because, as he states, a /32 is not enough. Do I think the position he advocates will cause the eventual exhaustion of IPv6? Well, let's do an exercise: There has been some rather simplistic arithmetic posted today, 300m new subnets per year, etc. with zero consideration of address/subnet utilization efficiency within ISP networks and individual aggregation router pools. That is foolish. We can all pull out a calculator and figure that 2000::/3 has space for 35 trillion /48 networks. That isn't how they will be assigned or routed. The effect of 2011-3 is that an out-sized ISP like ATT has every justification for deciding to allocate 24 bits worth of subnet ID for their largest POP, say, one that happens to terminate layer-3 services for all customers in an entire state. They then have policy support for allocating the same sized subnet for every other POP, no matter how small. 
After all, the RIR policy permits them to obtain additional allocations as soon as one POP subnet has become full. So now you have a huge ISP with a few huge POPs, and a lot of small ones, justified in assigning the same size aggregate prefix, suitable for 2^24 subnets, to all those small POPs as well. How many layer-3 POPs might this huge ISP have? Any number. It could be every central office with some kind of layer-3 customer aggregation router. It could even be every road-side hut for FTTH services. Perhaps they will decide to address ten thousand POPs this way. Now the nibble-aligned language in the policy permits them to round up from 10,000 POPs to 16 bits worth of address space for POP ID. So ATT is quite justified in requesting: 48 (customer subnet length) - 24 (largest POP subnet ID size) - 16 (POP ID) == a /8 subnet for themselves. Right up until you read: 6.5.3 (d): If an LIR has already reached a /12 or more, ARIN will allocate a single additional /12 rather than continue expanding nibble boundaries. As you can see, there is a safety valve in the policy at /12 for just this reason. Now you can see how this policy, and addressing scheme, is utterly brain-dead. It really does put you (and me, and everyone else) in real danger of exhausting the IPv6 address space. All it takes is a few out-sized ISPs, with one large POP each and a bunch of smaller ones, applying for the maximum amount of address space permitted them under 2011-3. Even by your calculations, it would take 256 such outsized ISPs without a safety valve. With the safety valve that is built into the policy at /12, it would take 4,096 such ISPs. I do not believe that there are more than about 20 such ISPs world wide at this time and would put the foreseeable likely maximum at less than 100 due to the need for customers to support such outsized ISPs and the limited base that would have to be divided among them. Owen
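The allocation arithmetic in this exchange, carried through as an added example (not code from the thread and not ARIN's; the nibble rounding and the /12 cap follow the 6.5.3(d) text quoted above, the POP sizes are constructed, and the optional minfree parameter is an assumption about how headroom would be applied). The same block computes the /48 count in 2000::/3 that the life-expectancy discussion earlier on this page rests on, and counts the ISPs needed to fill both 2000::/3 and the whole 128-bit space, since the two give different answers:

```python
"""Allocation sizing under a nibble-aligned, largest-POP-sized scheme.

Added example, not from the thread or from ARIN. The policy behaviour encoded
here is only what the thread quotes: every POP gets a block sized for the
largest POP, POP count and POP size are rounded up to nibble (4-bit)
boundaries, and anything larger than a /12 is capped at a /12.
"""
import math

GLOBAL_UNICAST_PREFIXLEN = 3   # 2000::/3, the block IANA has released for unicast
CUSTOMER_PREFIXLEN = 48        # one /48 per end site, as advocated above


def prefixes_in(container_len, prefix_len):
    """How many /prefix_len blocks fit in one /container_len block."""
    return 2 ** (prefix_len - container_len)


def nibble_bits(count):
    """Smallest multiple of 4 bits that can number `count` things."""
    bits = (count - 1).bit_length()      # integer-exact ceil(log2(count)); 0 for count == 1
    return 4 * math.ceil(bits / 4)


def isp_allocation(largest_pop_subnets, pop_count, minfree=0.0, valve_len=12):
    """Prefix length an ISP ends up with under the scheme described above.

    minfree (assumption): fraction of each POP block that must stay free, so
    the POP is sized for largest_pop_subnets / (1 - minfree) customers.
    Returns (uncapped_len, granted_len); granted_len never goes below /12.
    """
    headroom = math.ceil(largest_pop_subnets / (1.0 - minfree))
    pop_bits = nibble_bits(headroom)     # subnet-ID bits inside every POP
    isp_bits = nibble_bits(pop_count)    # POP-ID bits
    uncapped = CUSTOMER_PREFIXLEN - pop_bits - isp_bits
    return uncapped, max(uncapped, valve_len)


def isps_to_exhaust(granted_len, container_len=GLOBAL_UNICAST_PREFIXLEN):
    """How many ISPs each holding a /granted_len would consume a /container_len."""
    return prefixes_in(container_len, granted_len)


def utilisation(pop_subnet_counts, granted_len):
    """Fraction of the /48s in a /granted_len that actually have a customer behind them."""
    return sum(pop_subnet_counts) / prefixes_in(granted_len, CUSTOMER_PREFIXLEN)


if __name__ == "__main__":
    print("/48s in 2000::/3:", prefixes_in(GLOBAL_UNICAST_PREFIXLEN, CUSTOMER_PREFIXLEN))
    uncapped, granted = isp_allocation(2 ** 24, 10_000)
    print(f"largest POP 2^24 subnets, 10,000 POPs -> /{uncapped} uncapped, /{granted} granted")
    for length in (uncapped, granted):
        print(f"ISPs holding a /{length} that fill 2000::/3: {isps_to_exhaust(length)}; "
              f"the whole 128-bit space: {isps_to_exhaust(length, 0)}")
    # constructed ISP: one POP full at 2^24 customers, 9,999 POPs with 1,000 each
    pops = [2 ** 24] + [1000] * 9_999
    print(f"share of /48s in a /{uncapped} with a customer: {utilisation(pops, uncapped):.2e}")
```

For the 2^24-subnet largest POP and 10,000 POPs the block reproduces the 48 - 24 - 16 = /8 above and the /12 the valve turns it into. The 256 and 4,096 figures quoted above are what you get when counting against the entire 128-bit space; counting only against 2000::/3, which is all that is released for unicast today, gives 32 /8s and 512 /12s. The utilisation figure shows the other half of the argument: with one full POP and the rest nearly empty, well under a hundredth of a percent of the /8's /48s would ever be assigned.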
Re: IPv6 end user addressing
On Aug 8, 2011, at 1:15 AM, Mohacsi Janos wrote: On Fri, 5 Aug 2011, Brian Mengel wrote: In reviewing IPv6 end user allocation policies, I can find little agreement on what prefix length is appropriate for residential end users. /64 and /56 seem to be the favorite candidates, with /56 being slightly preferred. I am most curious as to why a /60 prefix is not considered when trying to address this problem. It provides 16 /64 subnetworks, which seems like an adequate amount for an end user. Does anyone have opinions on the BCP for end user addressing in IPv6? For business customers I would give /48 and home users who might have 1-2 subnets I would give /56 or /60. Reasons: - Business customers might grow to where you have to provide a bigger number of subnets - allow space for future extension. - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service…. This utterly ignores the reality of DHCPv6, DHCP-PD, and technologies currently being developed for rational automatic hierarchies of topology. Owen
Re: IPv6 end user addressing
On Aug 8, 2011, at 5:43 AM, valdis.kletni...@vt.edu wrote: On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said: - Home users - they usually don't know what a subnet is. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service You don't want to make the assumption that just because Joe Sixpack doesn't know what a subnet is, that Joe Sixpack's CPE doesn't know either. And remember that if it's 3 hops from one end of Joe Sixpack's internal net to the other, you're gonna burn a few bits to support hierarchical routing so you don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a /56 by the provider, and it hands each device it sees a /60 in case it's a device that routes too, it can only support 14 devices. And if one of the things that got handed a /60 is a wireless access point or something, it's only going to be able to support 15 or so subnets. So a simple topology of only a half dozen devices can burn up 8 bits of subnet addressing real fast. Yes, you can conserve bits by being more clever, but then you probably need an IGP of some sort You lost a /60 somewhere in there… I understand 1 /60 for the primary device. You accounted for 14 /60s to other subordinate devices. Presumably the /64(s) that connect the other subordinate devices to the primary router are from within that first /60, so, where did the 16th /60 go? Finally, for things that are building automatic hierarchical topologies, it seems only sane to me that they would implement some form of OSPF to facilitate the routing. There's no reason that can't be equally automated. Owen
Re: IPv6 end user addressing
On Aug 8, 2011, at 7:12 AM, Mohacsi Janos wrote: On Mon, 8 Aug 2011, valdis.kletni...@vt.edu wrote: On Mon, 08 Aug 2011 10:15:17 +0200, Mohacsi Janos said: - Home users - they usually don't know what is subnet. Setting up different subnets in their SOHO router can be difficult. Usually the simple 1 subnet for every device is enough for them. Separating some devices into a separate subnets is usually enough for the most sophisticated home users. If not then he can opt for business service You don't want to make the assumption that just because Joe Sixpack doesn't know what a subnet is, that Joe Sixpack's CPE doesn't know either. And remember that if it's 3 hops from one end of Joe Sixpack's internal net to the other, you're gonna burn a few bits to support heirarchical routing so you don't need a routing protocol. So if Joe's exterior-facing CPU gets handed a /56 by the provider, and it hands each device it sees a /60 in case it's a device that routes too, it can only support 14 devices. And if one of the more exactly 16 routing devices. You don't have to count the all 0 and all 1 as reserved maybe each deeice can see /57 or /58 or /59 depending of capabilities your devices I think daisy chaining of CPE routers is bad idea - as probably done in several IPv4 home networks. Why would you build several hierarchy into you network if it is unnecessary? I can see things like wanting to have an entertainment systems network that is fronted by a router with additional networks for each entertainment system fronted by their own router, segmentation of various appliance networks with possibly an appliance front-end router, etc. There are lots of possibilities we haven't thought of here yet. Limiting end-users to /56 or worse will only stifle the innovation that will help us identify the possibilities. 
For this, if no other reason, (and I cite the limitations under which we have begun to frame our assumptions about how the internet works as a result of NAT as an example), I think we should avoid preserving this cultural conditioning in IPv6.

Owen
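The /56-to-/60 delegation arithmetic that Valdis, Mohacsi and Owen disagree about above (14, 16 or 15 downstream routers), worked through with the standard library. This is an added example, not code from any list participant; the 2001:db8:0:100::/56 prefix is a constructed documentation-range value, and the two reservation policies are named here only to reproduce the three counts in the thread.

```python
"""Prefix-delegation arithmetic for the home-network hierarchy discussed above.
Added example; not from any list participant.  2001:db8::/32 is the
documentation range, so every prefix below is a constructed sample."""
import ipaddress
from typing import Dict, List


def child_prefixes(parent: str, child_len: int) -> List[ipaddress.IPv6Network]:
    """All child_len-sized blocks inside `parent` (a /56 yields sixteen /60s)."""
    return list(ipaddress.ip_network(parent).subnets(new_prefix=child_len))


def downstream_capacity(parent_len: int, child_len: int,
                        keep_one_for_self: bool = False,
                        skip_all_zero_and_all_one: bool = False) -> int:
    """Number of child blocks a router can hand to downstream devices.

    Defaults give the plain count (16 for /56 -> /60, Mohacsi's figure).
    keep_one_for_self: the router keeps one child block for its own
        directly attached /64 links (the reading that yields 15).
    skip_all_zero_and_all_one: treat the first and last child as reserved,
        the IPv4-style convention that yields 14 (an assumption about
        Valdis' count, not something the thread states).
    """
    if child_len <= parent_len:
        raise ValueError("child prefix must be longer than the parent")
    total = 2 ** (child_len - parent_len)
    if keep_one_for_self:
        total -= 1
    if skip_all_zero_and_all_one:
        total -= 2
    return total


def routing_levels(delegated_len: int, step: int = 4, link_len: int = 64) -> int:
    """How many tiers of routers can each hand out blocks `step` bits smaller
    before delegation bottoms out at individual /64 links.
    A /56 with /60 per device allows one tier; a /48 allows three; a /60
    delegation allows none (its holder can only carve /64 links)."""
    levels = 0
    while delegated_len + step < link_len:
        delegated_len += step
        levels += 1
    return levels


def home_plan(delegated: str) -> Dict[str, List[ipaddress.IPv6Network]]:
    """Carve a delegated prefix the way the thread describes: the CPE keeps
    the first /60 for its own /64 links and hands each remaining /60 to a
    downstream device that may itself be a router."""
    blocks = child_prefixes(delegated, 60)
    return {
        "cpe_links": list(blocks[0].subnets(new_prefix=64)),
        "downstream": blocks[1:],
    }
```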
Re: IPv6 end user addressing
we assign /112 per end user vlan (or server) at this moment... works perfectly fine (and thats even a bit too big).

- nobody wants to use dynamic ips on -servers- or -router links- anyway

i -really- can't see why people don't just use subnets with just the required number of addresses.

take one /64 (for /64's sake ;), split it up into subnets which each have the required number of addresses (lets say you have 2-4 addresses for each bgp/router link, so you simply split it up into subnets that size) etc.

no need to use /64 for -everything- at all, just because it fits (ethernet) mac addresses (as if ethernet will be around longer than ipv6 ha-ha, someone will come up with something faster tomorrow and then its bye bye ethernet, the 10ge variant is getting slow, and the 100ge variant is not even standardized yet, and trunking is a bottleneck ;)

we don't use /24's for -everything- on ipv4 now do we :P (oh wait, there once was a time where we did.. due to another retarded semi-automatic configuration thingy, called RIP , which also only seemed to understand /24 or bigger ;)

-- 
Greetings,
Sven Olaf Kamphuis, CB3ROB Ltd. Co. KG
Address: Koloniestrasse 34, D-13359 Berlin, Germany
VAT Tax ID: DE267268209
Registration: HRA 42834 B
Phone: +31/(0)87-8747479
GSM: +49/(0)152-26410799
RIPE: CBSK1-RIPE
e-Mail: s...@cb3rob.net
penpen C3P0, the electric Westerwelle
http://www.facebook.com/cb3rob

Confidential: Please be advised that the information contained in this email message, including all attached documents or files, is privileged and confidential and is intended only for the use of the individual or individuals addressed. Any other use, dissemination, distribution or copying of this communication is strictly prohibited.

On Mon, 8 Aug 2011, Owen DeLong wrote:

On Aug 7, 2011, at 4:26 PM, Jeff Wheeler wrote:

On Sun, Aug 7, 2011 at 6:58 PM, Mark Andrews ma...@isc.org wrote:

So you want HE to force all their clients to renumber.

No. I am simply pointing out that Owen exaggerated when he stated that he implements the following three practices together on his own networks:
* hierarchical addressing
* nibble-aligned addressing
* /48 per access customer

You can simply read the last few messages in this thread to learn that his recommendations on this list are not even practical for his network today, because as Owen himself says, they are not yet able to obtain additional RIR allocations. HE certainly operates a useful, high-profile tunnel-broker service which is IMO a very great asset to the Internet at-large; but if you spend a few minutes looking at the publicly available statistics on this service, they average only around 10,000 active tunnels across all their tunnel termination boxes combined. They have not implemented the policies recommended by Owen because, as he states, a /32 is not enough.

Do I think the position he advocates will cause the eventual exhaustion of IPv6? Well, let's do an exercise:

There has been some rather simplistic arithmetic posted today, 300m new subnets per year, etc. with zero consideration of address/subnet utilization efficiency within ISP networks and individual aggregation router pools. That is foolish. We can all pull out a calculator and figure that 2000::/3 has space for 35 trillion /48 networks. That isn't how they will be assigned or routed. The effect of 2011-3 is that an out-sized ISP like AT&T has every justification for deciding to allocate 24 bits worth of subnet ID for their largest POP, say, one that happens to terminate layer-3 services for all customers in an entire state. They then have policy support for allocating the same sized subnet for every other POP, no matter how small. After all, the RIR policy permits them to obtain additional allocations as soon as one POP subnet has become full.

So now you have a huge ISP with a few huge POPs, and a lot of small ones, justified in assigning the same size aggregate prefix, suitable for 2^24 subnets, to all those small POPs as well. How many layer-3 POPs might this huge ISP have? Any number. It could be every central office with some kind of layer-3 customer aggregation router. It could even be every road-side hut for FTTH services. Perhaps they will decide to address ten thousand POPs this way. Now the nibble-aligned language in the policy permits them to round up from 10,000 POPs to 16 bits worth of address space for POP ID. So AT&T is quite justified in requesting: 48 (customer subnet length) - 24 (largest POP subnet ID size) - 16 (POP ID) == a /8 subnet for themselves.

Right up until you read: 6.5.3
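The aggregate-sizing arithmetic in Jeff Wheeler's example above (24 subnet-ID bits per POP, 10,000 POPs rounded up to a nibble boundary, 2000::/3 holding 35 trillion /48s), as an added example that is not code from any list participant. The policy rules are taken as Jeff states them; 2001:db8::/32 is the documentation range, used as a stand-in ISP allocation.

```python
"""Nibble-aligned address-plan arithmetic from the thread's AT&T example.
Added example; not from any list participant.  The policy behaviour encoded
here is Jeff Wheeler's description of 2011-3, not the policy text itself."""
import ipaddress


def bits_for(count: int) -> int:
    """Minimum number of bits that can number `count` distinct things
    (10,000 POPs need 14 bits; 256 need 8).  Integer-only, no float log."""
    if count < 1:
        raise ValueError("count must be positive")
    return (count - 1).bit_length()


def nibble_round(bits: int) -> int:
    """Round a field width up to a multiple of 4 so it ends on a hex-digit
    boundary, the 'nibble-aligned' rule the thread cites (14 -> 16)."""
    return -(-bits // 4) * 4


def isp_prefix_len(customer_len: int = 48, largest_pop_subnet_bits: int = 24,
                   pop_count: int = 10000, nibble_align: bool = True) -> int:
    """Prefix length an ISP arrives at when every POP is sized like its
    largest one.  Thread figures: 48 - 24 - 16 == 8.  With nibble_align off
    the POP ID field stays at 14 bits and the result is a /10."""
    pop_bits = bits_for(pop_count)
    if nibble_align:
        pop_bits = nibble_round(pop_bits)
    return customer_len - largest_pop_subnet_bits - pop_bits


def count_of(prefix: str, assignment_len: int) -> int:
    """How many assignment_len-sized networks fit in `prefix`.
    2000::/3 holds 2**45 /48s (about 35 trillion) but only 32 /8s."""
    net = ipaddress.ip_network(prefix)
    if assignment_len < net.prefixlen:
        raise ValueError("assignment is larger than the containing prefix")
    return 2 ** (assignment_len - net.prefixlen)


def pop_aggregate(isp_prefix: str, pop_bits: int, pop_index: int) -> ipaddress.IPv6Network:
    """The single aggregate a POP would announce into the backbone: the
    pop_index-th block when `pop_bits` of POP ID follow the ISP prefix."""
    net = ipaddress.ip_network(isp_prefix)
    if not 0 <= pop_index < 2 ** pop_bits:
        raise IndexError("pop_index does not fit in the POP ID field")
    new_len = net.prefixlen + pop_bits
    first = int(net.network_address) + (pop_index << (128 - new_len))
    return ipaddress.IPv6Network((first, new_len))
```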
RE: IPv6 end user addressing
Silly confidentiality notices are usually enforced by silly corporate IT departments and cannot be removed by mere mortal employees. They are an unavoidable part of life, like Outlook top posting and spam.

Jonathon.

-----Original Message-----
From: Owen DeLong [mailto:o...@delong.com]
Sent: Tuesday, 9 August 2011 8:26 a.m.
To: Jonathon Exley
Cc: nanog@nanog.org
Subject: Re: IPv6 end user addressing

[snip]

P.S. Jonathon: If anything in your email was confidential, too bad. You posted it to a public list. Silly notice at the bottom to that effect removed.

This email and attachments: are confidential; may be protected by privilege and copyright; if received in error may not be used, copied, or kept; are not guaranteed to be virus-free; may not express the views of Kordia(R); do not designate an information system; and do not give rise to any liability for Kordia(R).
Re: IPv6 end user addressing
On Mon, Aug 8, 2011 at 6:52 PM, Sven Olaf Kamphuis s...@cb3rob.net wrote:

we assign /112 per end user vlan (or server) at this moment... works perfectly fine (and thats even a bit too big).

- nobody wants to use dynamic ips on -servers- or -router links- anyway

i -really- can't see why people don't just use subnets with just the required number of addresses.

Hi Sven,

Stateless autoconfiguration (which is NOT dynamic IP addresses; the IP address is static but tied to the ethernet card) does not work unless the subnet mask is exactly /64. Even on a server lan you'll occasionally want to plug in a PC for diagnostics without having to poke in an IP address by hand.

There are some great reasons to use /112s or even smaller blocks for some applications. Use them that way, sure. But IMHO it's short-sighted to _assign_ address blocks at that size -- it means the person downstream has to come back to you and waste your time when they want to do anything else. And your choice delays them and wastes their time as well -- a fine customer service indeed.

Regards,
Bill Herrin

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: IPv6 end user addressing
I heard at one time that hardware manufacturers were likely to route in hardware only down to a /64, and that any smaller subnets would be subject to the slow path as ASICs were being designed with 64-bit address tables. I have no idea of the validity of that claim. Does anyone have any concrete evidence for or against this argument? If true, it would make /64s even more attractive.

-Randy

----- Original Message -----

we assign /112 per end user vlan (or server) at this moment... works perfectly fine (and thats even a bit too big).

- nobody wants to use dynamic ips on -servers- or -router links- anyway

i -really- can't see why people don't just use subnets with just the required number of addresses.

take one /64 (for /64's sake ;), split it up into subnets which each have the required number of addresses (lets say you have 2-4 addresses for each bgp/router link, so you simply split it up into subnets that size) etc.

no need to use /64 for -everything- at all, just because it fits (ethernet) mac addresses (as if ethernet will be around longer than ipv6 ha-ha, someone will come up with something faster tomorrow and then its bye bye ethernet, the 10ge variant is getting slow, and the 100ge variant is not even standardized yet, and trunking is a bottleneck ;)

we don't use /24's for -everything- on ipv4 now do we :P (oh wait, there once was a time where we did.. due to another retarded semi-automatic configuration thingy, called RIP , which also only seemed to understand /24 or bigger ;)

-- 
Greetings, Sven Olaf Kamphuis, CB3ROB Ltd. Co. KG
Re: IPv6 end user addressing
On Aug 8, 2011, at 3:52 PM, Sven Olaf Kamphuis wrote:

we assign /112 per end user vlan (or server) at this moment... works perfectly fine (and thats even a bit too big).

Sigh… Too big for what?

- nobody wants to use dynamic ips on -servers- or -router links- anyway

True… Guess what… Static addresses work in /64s as well. Better yet, your /64 will support adding troubleshooting equipment rapidly without having to hunt for an available address.

i -really- can't see why people don't just use subnets with just the required number of addresses.

Because we see real advantages to sparse addressing? Because it would make our lives unnecessarily more complicated? Because it will lead to additional human factors issues in most environments with more than a single administrator and likely even in cases where it is a single administrator? Because it reduces the potential for better automation? I'm sure there are more reasons, but, these are just a few that come to mind off the top of my head.

take one /64 (for /64's sake ;), split it up into subnets which each have the required number of addresses (lets say you have 2-4 addresses for each bgp/router link, so you simply split it up into subnets that size)

The point of this being? What do you gain by doing this? I've shown you at least a few things you lose.

etc. no need to use /64 for -everything- at all, just because it fits (ethernet) mac addresses (as if ethernet will be around longer than ipv6 ha-ha, someone will come up with something faster tomorrow and then its bye bye ethernet, the 10ge variant is getting slow, and the 100ge variant is not even standardized yet, and trunking is a bottleneck ;)

The /64 was chosen because it fits EUI-64 addresses. Ethernet MAC addresses are EUI-48. Examples of network technologies that use EUI-64 include Firewire, Zigbee, 6lowpan, etc. So this argument is rather specious and orthogonal to your supposed point.

we don't use /24's for -everything- on ipv4 now do we :P

Right.. We ran out of IPv4 and stopped doing that in order to artificially extend its life.

(oh wait, there once was a time where we did.. due to another retarded semi-automatic configuration thingy, called RIP , which also only seemed to understand /24 or bigger ;)

The issuance of /24s was _NOT_ driven by RIP. Rather, the architecture of RIP was driven by classful addressing assumptions. There were many other reasons for classful addressing and it still retains some of those advantages.

Owen

Confidential: Please be advised that the information contained in this email message, including all attached documents or files, is privileged and confidential and is intended only for the use of the individual or individuals addressed. Any other use, dissemination, distribution or copying of this communication is strictly prohibited.

Guess you shouldn't have published it to a public list then.
Re: IPv6 end user addressing
I'm sure there will be platforms that end up on both sides of this question.

YES: We made a less expensive box by cutting the width of the TCAM required in half.

NO: We spared no expense and passed the costs (and a nice profit margin) on to you so that you can do whatever you like in IPv6 at wire speed.

I'm sure the market will choose products from both sides of the line for the same reasons.

Owen

On Aug 8, 2011, at 4:34 PM, Randy Carpenter wrote:

I heard at one time that hardware manufacturers were likely to route in hardware only down to a /64, and that any smaller subnets would be subject to the slow path as ASICs were being designed with 64-bit address tables. I have no idea of the validity of that claim. Does anyone have any concrete evidence for or against this argument? If true, it would make /64s even more attractive.

-Randy
Re: IPv6 end user addressing
Hi Brian,

From someone who's actually done this.

- Our customer base is primarily PPP connected broadband users (variety of technologies, mostly ADSL).
- We do a DYNAMIC /64 on the PPP interface so that people who terminate directly on a PC can get IPv6 without DHCPv6 PD.
- In addition for the subnet assigned via DHCPv6 Prefix delegation which is STATIC as that's what customers have been asking for:

In our trial phase we did /60s to customers - this worked just fine. I don't recall anyone actually saying I need more. (The /60 was the first nibble boundary and it allowed us to do some dumb things for allocation which didn't compromise the allocation strategy later).

In production we've chosen a more conventional /56.

At some point it becomes a little arbitrary. Our feeling is that at the point you have 256 /64s in production then ADSL is probably NOT what you need or want as a technology so we can do things differently for ethernet connected customers. We're getting there with support for customers bringing their own PI space.

(For an idea of scale - we're tiny globally, but have around 250k customers across mainly Australia. We run our own global dualstack network).

MMC

On 06/08/2011, at 1:47 AM, Brian Mengel wrote:

In reviewing IPv6 end user allocation policies, I can find little agreement on what prefix length is appropriate for residential end users. /64 and /56 seem to be the favorite candidates, with /56 being slightly preferred. I am most curious as to why a /60 prefix is not considered when trying to address this problem. It provides 16 /64 subnetworks, which seems like an adequate amount for an end user. Does anyone have opinions on the BCP for end user addressing in IPv6?
-- 
Matthew Moyle-Croft
Peering Manager and Team Lead - Commercial and DSLAMs
Internode /Agile
Level 5, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: m...@internode.com.au Web: http://www.on.net/
Direct: +61-8-8228-2909 Mobile: +61-419-900-366
Reception: +61-8-8228-2999 Fax: +61-8-8235-6909
Re: IPv6 end user addressing
On Aug 8, 6:24 pm, Jonathon Exley jonathon.ex...@kordia.co.nz wrote:

Silly confidentiality notices are usually enforced by silly corporate IT departments

Oh, no, it's the *legal* department (or maybe HR) that is to blame. I actually had a guardhouse lawyer kick and scream about us not putting disclaimers on our emails. I told him, You do realize that email disclaimers have no legal standing, have never been successfully used in any litigation, do nothing to prevent loss of corporate assets, and actually increase our liability by outlining a corporate policy that may not be followed 100% internally by all employees, right? It took a long while and an embarrassing number of meetings with senior management, but we eventually put a stop to the whole thing.
Re: IPv6 end user addressing
Once upon a time, William Herrin b...@herrin.us said:

Stateless autoconfiguration (which is NOT dynamic IP addresses; the IP address is static but tied to the ethernet card) does not work unless the subnet mask is exactly /64. Even on a server lan you'll occasionally want to plug in a PC for diagnostics without having to poke in an IP address by hand.

Actually, nobody should be plugging any random device into my server LANs, and I certainly don't want to encourage it by having it work (even if just for IPv6).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Re: IPv6 end user addressing
On Mon, Aug 8, 2011 at 11:43 PM, Chris Adams cmad...@hiwaay.net wrote:

Once upon a time, William Herrin b...@herrin.us said:

Even on a server lan you'll occasionally want to plug in a PC for diagnostics without having to poke in an IP address by hand.

Actually, nobody should be plugging any random device into my server LANs, and I certainly don't want to encourage it by having it work (even if just for IPv6).

When I send someone on site to do work for me, I don't want to have to prepare excessive instructions on how to connect their laptop to the local LAN. I want to say, This switch, this port and then move on to the actual work I sent them there to do.

You're welcome to run your shop your way.

Regards,
Bill Herrin

-- 
William D. Herrin her...@dirtside.com b...@herrin.us
3005 Crane Dr. Web: http://bill.herrin.us/
Falls Church, VA 22042-3004
Re: IPv6 end user addressing
On Mon, Aug 8, 2011 at 10:43 PM, Chris Adams cmad...@hiwaay.net wrote:

Even on a server lan you'll occasionally want to plug in a PC for diagnostics without having to poke in an IP address by hand.

Actually, nobody should be plugging any random device into my server LANs, and I certainly don't want to encourage it by having it work (even if just for IPv6).

If you must not have someone plugging into your server LAN without permission, you turn unused ports off, or preferably, place them in a VLAN island with no topological connection to anything. Because it's going to be easier to turn the port back on, than to give someone a 128-bit IP6 address, IPv6 netmask, IPv6 DNS servers, and IPv6 default gateway address set to manually key into their machine.

If someone can get to a live port, assuming it's not protected by 802.1x port security or similar; IPv6 will just work for fe80:: network link-local connectivity, whether you deploy stateless auto-config or not, which is enough connectivity to find and mess with servers in the LAN. And probably enough connectivity to say that's too much connectivity, if the LAN is indeed restricted.

Similar to how IPv4 has rfc3927, except IPv6 link local addresses get assigned, even to devices that have global IPv6 IPs, so the link local 'subnet' is active even on fully connected devices.

Regards,
-- 
-JH
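Three points in this part of the thread share one piece of protocol arithmetic: Bill Herrin's remark that SLAAC needs exactly a /64, Owen's point that the interface identifier is an EUI-64 derived from the EUI-48 MAC, and Jimmy Hess's observation that every interface gets an fe80::/64 link-local address this way regardless of any router advertisement. The following is an added example, not code from any list participant; the MAC addresses are constructed sample values.

```python
"""Modified EUI-64 / SLAAC address derivation (RFC 4291 Appendix A).
Added example; not from any list participant.  All MACs and prefixes
below are constructed sample values."""
import ipaddress


def mac_to_modified_eui64(mac: str) -> int:
    """64-bit interface identifier derived from a 48-bit MAC: split the OUI
    from the device part, insert 0xfffe between them, and flip the
    universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui64, "big")


def slaac_possible(prefix: str) -> bool:
    """True when hosts can autoconfigure from `prefix`.  The identifier fills
    the low 64 bits, so only a /64 leaves room for it; a /112 as proposed
    upthread cannot be used by stateless autoconfiguration at all."""
    return ipaddress.ip_network(prefix).prefixlen == 64


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised on-link prefix and its MAC."""
    net = ipaddress.ip_network(prefix)
    if not slaac_possible(prefix):
        raise ValueError(f"SLAAC requires a /64 prefix, got /{net.prefixlen}")
    return net.network_address + mac_to_modified_eui64(mac)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address an interface assigns itself on link-up, whether
    or not any global prefix is advertised.  Planning a segment as a /112
    therefore changes nothing about on-link reachability; that is what port
    shutdown, isolated VLANs or 802.1X are for."""
    return slaac_address("fe80::/64", mac)
```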
RE: IPv6 end user addressing
-----Original Message-----
From: William Herrin [mailto:b...@herrin.us]
Sent: Tuesday, 9 August 2011 2:30 PM
To: Chris Adams; nanog@nanog.org
Subject: Re: IPv6 end user addressing

When I send someone on site to do work for me, I don't want to have to prepare excessive instructions on how to connect their laptop to the local LAN. I want to say, This switch, this port and then move on to the actual work I sent them there to do.

To be fair, if you're sending someone to site who isn't familiar with putting a static address on their laptop then you're probably doing things wrong to begin with. This line of argument isn't going to get us anywhere as for server networks, the benefits of using a /64 are not necessarily beneficial given the environment.

You're welcome to run your shop your way.

Regards,
Bill Herrin
Re: IPv6 end user addressing
When I send someone on site to do work for me, I don't want to have to prepare excessive instructions on how to connect their laptop to the local LAN. I want to say, This switch, this port and then move on to the actual work I sent them there to do.

when i am allowed, i put up open wireless and dhcp. my job is to deliver packets.

randy
Re: IPv6 end user addressing
On Aug 5, 2011, at 9:17 AM, Brian Mengel wrote:

In reviewing IPv6 end user allocation policies, I can find little agreement on what prefix length is appropriate for residential end users. /64 and /56 seem to be the favorite candidates, with /56 being slightly preferred. I am most curious as to why a /60 prefix is not considered when trying to address this problem. It provides 16 /64 subnetworks, which seems like an adequate amount for an end user. Does anyone have opinions on the BCP for end user addressing in IPv6?

When you have a device that delegates, e.g. a cpe taking its assigned prefix, and delegating a fraction of it to a downstream device, you need enough bits that you can make them out, possibly more than once. if you want that to happen automatically you want enough bits that user-intervention is never (for small values of never) required to subnet when connecting devices together... the homenet wg is exploring how devices in the home might address the issue of topology discovery in conjunction with delegation, which realistically home networks are going to have to do... https://www.ietf.org/mailman/listinfo/homenet
Re: IPv6 end user addressing
On Sat, Aug 6, 2011 at 7:26 PM, Owen DeLong o...@delong.com wrote:

Well, you aren't actually doing this on your network today. If you practiced what you are preaching, you would not be carrying aggregate routes to your tunnel broker gateways across your whole backbone.

Yes we would.

No, if you actually had a hierarchical addressing scheme, you would issue tunnel broker customer /64s from the same aggregate prefix that is used for their /48s. You'd then summarize at your ABRs so the entire POP need only inject one route for customer addressing into the backbone.

Of course, this is not what you do today, and not because of limited RIR allocation policies -- but because you simply did not design your network with such route aggregation in mind.

Those are artifacts of a small allocation (/32) from a prior RIR policy. The fact that those things haven't worked out so well for us was one of the motivations behind developing policy 2011-3.

There was nothing stopping you from using one /48 out of the /37s you use to issue customer /48 networks for issuing the default /64 blocks your tunnel broker hands out.

We give a minimum /48 per customer with the small exception that customers who only want one subnet get a /64.

You assign a /64 by default. Yes, customers can click a button and get themselves a /48 instantly, but let's tell the truth when talking about your current defaults -- customers are assigned a /64, not a /48.

We do have a hierarchical addressing plan. I said nothing about routing, but, we certainly could implement hierarchical routing if we arrived at a point where it was advantageous because we have designed for it.

How have you designed for it? You already missed easy opportunities to inject fewer routes into your backbone, simply by using different aggregate prefixes for customer /64s vs /48s.

However, requesting more than a /32 is perfectly reasonable. In the ARIN region, policy 2011-3.

My read of that policy, and please correct me if I misunderstand, is that it recognizes only a two-level hierarchy. This would mean that an ISP could use some bits to represent a geographic region, a POP, or an aggregation router / address pool, but it does not grant them justification to reserve bits for all these purposes.

While that's theoretically true, the combination of 25% minfree, nibble boundaries, and equal sized allocations for all POPs based on your largest one allows for that in practical terms in most circumstances.

I don't think it does allow for that. I think it requires you to have at least one POP prefix 75% full before you can get any additional space from the RIR, where 75% full means routed to customers, not reserved for aggregation router pools. This is not a hierarchy, it is simply a scheme to permit ISPs to bank on having at least one level of summarization in their addressing and routing scheme. 2011-3 does not provide for an additional level to summarize on the aggregation routers themselves. It should, but my read is that the authors have a very different opinion about what hierarchical addressing means than I do. It should provide for route aggregation on both the ABR and the aggregation router itself.

AT&T serves some entire states out of a single POP, as far as layer-3 termination is concerned.

Are any of the states with populations larger than Philadelphia among them?

Yes, for example, Indiana. Pretty much every state in the former Ameritech service territory.

-- 
Jeff S Wheeler j...@inconcepts.biz
Sr Network Operator / Innovative Network Concepts
RE: IPv6 end user addressing
This has probably been said before, but it makes me uncomfortable to think of everybody in the world being given /48 subnets by default. All of a sudden that wide expanse of 2^128 IP addresses shrinks to 2^48 sites. Sure that's still 65535 times more than 2^32 IPv4 addresses, but wouldn't it be wise to apply some conservatism now to allow the IPv6 address space to last for many more years? After all, there are only 4 bits of IP version field so the basic packet format won't last forever. Jonathon This email and attachments: are confidential; may be protected by privilege and copyright; if received in error may not be used, copied, or kept; are not guaranteed to be virus-free; may not express the views of Kordia(R); do not designate an information system; and do not give rise to any liability for Kordia(R).
Re: IPv6 end user addressing
On Aug 7, 2011, at 3:09 PM, Jonathon Exley wrote: This has probably been said before, but it makes me uncomfortable to think of everybody in the world being given /48 subnets by default. All of a sudden that wide expanse of 2^128 IP addresses shrinks to 2^48 sites. Sure that's still 65535 times more than 2^32 IPv4 addresses, but wouldn't it be wise to apply some conservatism now to allow the IPv6 address space to last for many more years? 2000::/3 is 1/8th of the address range. There are other things worth conserving, not just /48s, like the ability to aggregate your whole assignment. 3.5 * 10^13 is a lot of /48s, but it's likely not enough so we'll get to crack the seal on 4000::/3 eventually and so on. After all, there are only 4 bits of IP version field so the basic packet format won't last forever. Jonathon
Re: IPv6 end user addressing
Jonathon, On Aug 7, 2011, at 12:09 PM, Jonathon Exley wrote: This has probably been said before, Once or twice :-) but it makes me uncomfortable to think of everybody in the world being given /48 subnets by default. This isn't where the worry should be. Do the math. Right now, we're allocating something like 300,000,000 IPv4 addresses per year with a reasonable (handwave) percentage being used as NAT endpoints. If you cross your eyes sufficiently, that can look a bit like 300,000,000 networks being added per year. Translate that to IPv6 and /48s: There are 35,184,372,088,832 /48s in the format specifier currently defined for global unicast. For the sake of argument, let's increase the 'network addition' rate by 3 orders of magnitude to 300,000,000,000 per year. At that rate, which is equivalent to allocating 42 /48s per person on the planet per year, the current format specifier will last about 100 years. And there are 7 more format specifiers. but wouldn't it be wise to apply some conservatism now to allow the IPv6 address space to last for many more years? The area to be more conservative is, perhaps unsurprisingly, in the network bureaucratic layer. I believe current allocation policy states an ISP gets a minimum of a /32 (allowing them to assign 65536 /48s), but if justified an ISP can get more. There have been allocations of all sorts of shorter prefixes, e.g., /19s, /18s, and even (much) shorter. An ISP that has received a /19 has the ability to allocate half a billion /48s. And of course, there are the same number of /19s, /18s, and even (much) shorter prefixes in IPv6 as there are in IPv4... After all, there are only 4 bits of IP version field so the basic packet format won't last forever. True. There is no finite resource poor policy making can't make scarce. Regards, -drc
Re: IPv6 end user addressing
In message capwatbjtpmdx-nzu8uphosy+97ygo4fknz5_esghsjp-an9...@mail.gmail.com , Jeff Wheeler writes: On Sat, Aug 6, 2011 at 7:26 PM, Owen DeLong o...@delong.com wrote: Well, you aren't actually doing this on your network today. If you practiced what you are preaching, you would not be carrying aggregate routes to your tunnel broker gateways across your whole backbone. Yes we would. No, if you actually had a hierarchical addressing scheme, you would issue tunnel broker customer /64s from the same aggregate prefix that is used for their /48s. You'd then summarize at your ABRs so the entire POP need only inject one route for customer addressing into the backbone. Of course, this is not what you do today, and not because of limited RIR allocation policies -- but because you simply did not design your network with such route aggregation in mind. Those are artifacts of a small allocation (/32) from a prior RIR policy. The fact that those things haven't worked out so well for us was one of the motivations behind developing policy 2011-3. There was nothing stopping you from using one /48 out of the /37s you use to issue customer /48 networks for issuing the default /64 blocks your tunnel broker hands out. So you want HE to force all their clients to renumber. We give a minimum /48 per customer with the small exception that customers who only want one subnet get a /64. You assign a /64 by default. Yes, customers can click a button and get themselves a /48 instantly, but let's tell the truth when talking about your current defaults -- customers are assigned a /64, not a /48. The client can request a /48 or /64 as the initial allocation. We do have a hierarchical addressing plan. I said nothing about routing, but, we certainly could implement hierarchical routing if we arrived at a point where it was advantageous because we have designed for it. How have you designed for it? 
You already missed easy opportunities to inject fewer routes into your backbone, simply by using different aggregate prefixes for customer /64s vs /48s. However, requesting more than a /32 is perfectly reasonable. In the ARIN region, policy 2011-3. My read of that policy, and please correct me if I misunderstand, is that it recognizes only a two-level hierarchy. This would mean that an ISP could use some bits to represent a geographic region, a POP, or an aggregation router / address pool, but it does not grant them justification to reserve bits for all these purposes. While that's theoretically true, the combination of 25% minfree, nibble boundaries, and equal sized allocations for all POPs based on your largest one allows for that in practical terms in most circumstances. I don't think it does allow for that. I think it requires you to have at least one POP prefix 75% full before you can get any additional space from the RIR, where 75% full means routed to customers, not reserved for aggregation router pools. This is not a hierarchy, it is simply a scheme to permit ISPs to bank on having at least one level of summarization in their addressing and routing scheme. 2011-3 does not provide for an additional level to summarize on the aggregation routers themselves. It should, but my read is that the authors have a very different opinion about what hierarchical addressing means than I do. It should provide for route aggregation on both the ABR and the aggregation router itself. ATT serves some entire states out of a single POP, as far as layer-3 termination is concerned. Are any of the states with populations larger than Philadelphia among them? Yes, for example, Indiana. Pretty much every state in the former Ameritech service territory. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: IPv6 end user addressing
On Sun, Aug 7, 2011 at 6:58 PM, Mark Andrews ma...@isc.org wrote: So you want HE to force all their clients to renumber. No. I am simply pointing out that Owen exaggerated when he stated that he implements the following three practices together on his own networks: * hierarchical addressing * nibble-aligned addressing * /48 per access customer You can simply read the last few messages in this thread to learn that his recommendations on this list are not even practical for his network today, because as Owen himself says, they are not yet able to obtain additional RIR allocations. HE certainly operates a useful, high-profile tunnel-broker service which is IMO a very great asset to the Internet at-large; but if you spend a few minutes looking at the publicly available statistics on this service, they average only around 10,000 active tunnels across all their tunnel termination boxes combined. They have not implemented the policies recommended by Owen because, as he states, a /32 is not enough. Do I think the position he advocates will cause the eventual exhaustion of IPv6? Well, let's do an exercise: There has been some rather simplistic arithmetic posted today, 300m new subnets per year, etc. with zero consideration of address/subnet utilization efficiency within ISP networks and individual aggregation router pools. That is foolish. We can all pull out a calculator and figure that 2000::/3 has space for 35 trillion /48 networks. That isn't how they will be assigned or routed. The effect of 2011-3 is that an out-sized ISP like ATT has every justification for deciding to allocate 24 bits worth of subnet ID for their largest POP, say, one that happens to terminate layer-3 services for all customers in an entire state. They then have policy support for allocating the same sized subnet for every other POP, no matter how small. After all, the RIR policy permits them to obtain additional allocations as soon as one POP subnet has become full. 
So now you have a huge ISP with a few huge POPs, and a lot of small ones, justified in assigning the same size aggregate prefix, suitable for 2^24 subnets, to all those small POPs as well. How many layer-3 POPs might this huge ISP have? Any number. It could be every central office with some kind of layer-3 customer aggregation router. It could even be every road-side hut for FTTH services. Perhaps they will decide to address ten thousand POPs this way. Now the nibble-aligned language in the policy permits them to round up from 10,000 POPs to 16 bits worth of address space for POP ID. So ATT is quite justified in requesting: 48 (customer subnet length) - 24 (largest POP subnet ID size) - 16 (POP ID) == a /8 subnet for themselves. Now you can see how this policy, and addressing scheme, is utterly brain-dead. It really does put you (and me, and everyone else) in real danger of exhausting the IPv6 address space. All it takes is a few out-sized ISPs, with one large POP each and a bunch of smaller ones, applying for the maximum amount of address space permitted them under 2011-3. -- Jeff S Wheeler j...@inconcepts.biz Sr Network Operator / Innovative Network Concepts
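The two pieces of arithmetic in this thread, David Conrad's exhaustion estimate (35,184,372,088,832 /48s in 2000::/3, consumed at 300 billion per year) and Jeff Wheeler's worked case of a large ISP ending up justified for a /8 under a nibble-aligned, largest-POP-sized plan, can be put in one small script so the inputs can be varied. This is an added illustration, not code from any participant in the thread; the 7 billion world population and the 75%-used threshold are assumptions made for the example, and the planning rules it encodes are only those the posts above describe.

```python
# Added worked example, not code from any poster in this thread.
# Assumed values (constructed for illustration): a world population of 7e9,
# the 300e9 sites/year growth rate David Conrad picks for argument's sake,
# and the "75% routed to customers" (25% minfree) rule Jeff Wheeler quotes.

GLOBAL_UNICAST_LEN = 3            # 2000::/3, the format prefix currently used for global unicast
WORLD_POPULATION = 7_000_000_000  # assumed round number


def prefix_count(container_len: int, assignment_len: int) -> int:
    """How many /assignment_len blocks fit inside one /container_len block."""
    if not 0 <= container_len <= assignment_len <= 128:
        raise ValueError("need 0 <= container_len <= assignment_len <= 128")
    return 1 << (assignment_len - container_len)


def years_until_exhausted(container_len: int, assignment_len: int, per_year: float) -> float:
    """Years of supply at a flat consumption rate (ignores allocation inefficiency)."""
    return prefix_count(container_len, assignment_len) / per_year


def per_person_per_year(per_year: float, population: int = WORLD_POPULATION) -> float:
    """Assignments per person per year for a given global consumption rate."""
    return per_year / population


def bits_for(count: int, nibble_align: bool = True) -> int:
    """Bits needed to number `count` objects, optionally rounded up to a nibble (4 bits)."""
    if count < 1:
        raise ValueError("count must be positive")
    bits = (count - 1).bit_length()   # exact ceil(log2(count)); 0 when count == 1
    if nibble_align:
        bits = (bits + 3) // 4 * 4
    return bits


def isp_prefix_length(customer_len: int, largest_pop_sites: int, pop_count: int,
                      nibble_align: bool = True) -> int:
    """Prefix length an ISP would request when every POP is sized like its largest one.

    This is the plan Jeff Wheeler criticises: subnet-ID bits for the largest POP
    plus POP-ID bits, each rounded to a nibble boundary, carved out of the
    per-customer prefix length.
    """
    pop_subnet_bits = bits_for(largest_pop_sites, nibble_align)
    pop_id_bits = bits_for(pop_count, nibble_align)
    isp_len = customer_len - pop_subnet_bits - pop_id_bits
    if isp_len < 0:
        raise ValueError("plan does not fit in the address space")
    return isp_len


def pop_prefix_justifies_more(sites_routed: int, pop_subnet_bits: int,
                              threshold: float = 0.75) -> bool:
    """Whether one POP prefix counts as 'full' under a 75%-used / 25%-minfree rule.

    Only space actually routed to customers counts; addresses held back for
    aggregation-router pools do not.
    """
    return sites_routed >= threshold * (1 << pop_subnet_bits)


if __name__ == "__main__":
    print(f"/48s in 2000::/3: {prefix_count(GLOBAL_UNICAST_LEN, 48):,}")
    print(f"/48s in a /32: {prefix_count(32, 48):,}; in a /19: {prefix_count(19, 48):,}")
    rate = 300e9
    print(f"at {rate:.0e} sites/year ({per_person_per_year(rate):.1f} per person/year): "
          f"{years_until_exhausted(GLOBAL_UNICAST_LEN, 48, rate):.0f} years of 2000::/3")
    print("ISP with one 2^24-site POP and 10,000 POPs requests a /"
          f"{isp_prefix_length(48, 1 << 24, 10_000)}")
    print("same ISP without nibble rounding: /"
          f"{isp_prefix_length(48, 1 << 24, 10_000, nibble_align=False)}")
```

Running it reproduces the figures quoted in the thread: 2^45 /48s in 2000::/3, roughly 117 years at 300 billion sites per year (about 43 per person per year with the assumed population), and a /8 for the hypothetical ISP with 10,000 POPs each sized for 2^24 sites. Dropping the nibble rounding alone brings the same ISP down to a /10, which is the point about where the policy's generosity actually comes from.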
Re: IPv6 end user addressing
ATT serves some entire states out of a single POP, as far as layer-3 termination is concerned. Are any of the states with populations larger than Philadelphia among them? Yes, for example, Indiana. Pretty much every state in the former Ameritech service territory. Does ATT seriously serve the entire state of Indiana from a single POP??? Sounds crazy to me. I have a few customers in Indiana that are small ILECs and they each have multiple (2-3) POPs even though they have no more than about 1,000 customers. -Randy
Re: IPv6 end user addressing
On Sun, 07 Aug 2011 20:47:48 EDT, Randy Carpenter said: Does ATT seriously serve the entire state of Indiana from a single POP??? Sounds crazy to me. It makes sense if they're managing to bill customers by the cable mile from their location to the POP. Imagine a POP in Terre Haute or Indianapolis and 1,500+ customers in the Gary area and another 1K in the South Bend and Fort Wayne areas... Of course, some other provider would get a clue and offer the same price per mile your location to our POP - after putting a POP in Gary, South Bend, and Fort Wayne. :)
Re: IPv6 end user addressing
On Sun, Aug 07, 2011 at 09:45:31PM -0400, valdis.kletni...@vt.edu wrote: On Sun, 07 Aug 2011 20:47:48 EDT, Randy Carpenter said: Does ATT seriously serve the entire state of Indiana from a single POP??? Sounds crazy to me. It makes sense if they're managing to bill customers by the cable mile from their location to the POP. Imagine a POP in Terre Haute or Indianapolis and 1,500+ customers in the Gary area and another 1K in the South Bend and Fort Wayne areas... Of course, some other provider would get a clue and offer the same price per mile your location to our POP - after putting a POP in Gary, South Bend, and Fort Wayne. :) ATT doesn't serve the entire state of Indiana from a single POP. The question at hand was how many POPs *with layer 3 service* they had. I don't know the answer to that question and don't claim that it is or is not one, but the TDM or L2 backhaul from the nearest POP to whatever other POP has the Layer 3 service isn't paid for by the customer. It's also not clear if they were talking about ATT the LEC (offering services like DSL) or ATT the IXC (offering things like business Internet service, V4VPN services, etc). If the latter, it's not at all surprising; legacy IXCs often have more POPs than POPs w/ Layer 3 services, and they backhaul L3 services over their legacy TDM and/or Layer 2 (ATM or FR) networks to a POP that has a router. This was a way for them to get IP service everywhere without installing routers everywhere; as the service took off, more POPs could be IP enabled to reduce the amount of TDM (etc.) backhaul. But large legacy IXCs have a lot of POPs and, in general, still don't have routers (customer facing routers, anyway) in all of them. -- Brett