Re: turning on comcast v6
On 4 January 2014 06:06, Ricky Beam jfb...@gmail.com wrote: It'll **NEVER** be a default because it breaks too many clueless people's networks. Just like, surprise, DHCP guard isn't on by default in any gear I'm aware of. Spanning-tree portfast isn't on by default, and that breaks plenty of clueless people's networks with client DHCP timeouts. Just sayin'. I appreciate the view that IPv6 was designed in a certain way, partly to fix the problems and remove the kludges in IPv4; the reality is that IPv4 was wildly successful because it wasn't the proscriptive OSI. Whilst I would prefer not to see the mistakes of IPv4 repeated (especially NAT and RFC1918 addressing) trying to help people not shoot themselves in the foot will simply retard deployment and maybe result in even worse workarounds. Come on people - Postel's Law applies, let's be liberal in what we accept into the protocol design too. If users want DHCP served default gateway, fine. Nobody's forcing you to enable it on your network if you don't want to. Aled
Re: turning on comcast v6
On Jan 5, 2014, at 11:44 PM, valdis.kletni...@vt.edu wrote: If Joe Home User has a rogue device spewing RA's, he probably has a bigger problem than just not having RA Guard enabled. He either has a badly misconfigured router (and one that's disobeying the mandate to not RA if you don't have an uplink), or he has a compromised malicious host. In either case, he's got bigger fish to fry. mandate isn't the right description. http://tools.ietf.org/html/rfc6059 There is a ~3 year old _proposed standard_ for the behavior you describe. I have yet to see any compliant equipment at $LocalBigBox, but maybe I'm not purchasing the right gear. So yet again, the response I get to ra's are fragile is deploy this brand new band-aid that can't be purchased yet. Can we just have DHCPv6, please? How many dozens of technologies are we going to invent to try and avoid putting a default route in DHCP? -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
On Mon, 06 Jan 2014 09:44:32 -0600, Leo Bicknell said: mandate isn't the right description. http://tools.ietf.org/html/rfc6059 There is a ~3 year old _proposed standard_ for the behavior you describe. I'll make the case that if a router becomes unable to forward packets because it has lost its uplink or connection to another subnet (so it's now homed on only one subnet), that's a router-to-host transition. RFC2461, sections 6.2.4 and 6.2.5 discuss the case of a router becoming a host - and it includes thou shalt cease blabbing the RAs after a suitable amount of time. And that's a heck of a lot older than 3 years. pgpsRGivNv4uh.pgp Description: PGP signature
Re: turning on comcast v6
On 01/04/2014 05:42 AM, Baldur Norddahl wrote: On Sat, Jan 4, 2014 at 2:12 AM, Doug Barton do...@dougbarton.us wrote: If you did add default route to DHCPv6, what is then supposed to happen to the other routes, that the client might discover? You would configure the client not to do RS, and to ignore any RAs that it receives. Simple. If you are going to modify the client, you can use any method you like, No, I can't, because the method I would like to use is not in the spec. including having the client simply use fe80:: or prefix:: as default gateway. You want a secure way to configure the clients. That sounds more like Secure NDP (SEND) than it sounds like DHCPv6 with default gateway. Thank you for the textbook illustration of the anything but DHCP! mindset I was referring to earlier. Doug
Re: turning on comcast v6
On Jan 6, 2014, at 10:37 , Doug Barton do...@dougbarton.us wrote: On 01/04/2014 05:42 AM, Baldur Norddahl wrote: On Sat, Jan 4, 2014 at 2:12 AM, Doug Barton do...@dougbarton.us wrote: If you did add default route to DHCPv6, what is then supposed to happen to the other routes, that the client might discover? You would configure the client not to do RS, and to ignore any RAs that it receives. Simple. If you are going to modify the client, you can use any method you like, No, I can't, because the method I would like to use is not in the spec. Doesn't have to be... You can create any local DHCPv6 extension you like. That _IS_ in the spec. Owen
Re: turning on comcast v6
On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong o...@delong.com wrote: A router, yes. THE router, not unless the network is very stupidly put together. Like every win7 and win8 machine on the planet? (IPv6 is installed and enabled by default. Few places have IPv6 enabled on their LAN, so a single RA would, indeed, 0wn3z those machines instantly.) I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions in most cases. Switches with “uplink” ports designated, for example, could easily default to permitting RAs only from those ports. One cannot **GUESS** the security for a network. You must either *know* or *not know* what's on a port. What makes a port uplink (read: trusted)? The only way to know for sure, without creating surprises or exploitable holes, is make the ADMIN explicitly SET EACH PORT. That's the way DHCP Guard works. That's the way spanning-tree portfast, bpdu guard, root guard, etc., etc. works. That's the way port security works. And that's the way RA Guard WILL be done.
Re: turning on comcast v6
On Jan 6, 2014, at 12:57 , Ricky Beam jfb...@gmail.com wrote: On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong o...@delong.com wrote: A router, yes. THE router, not unless the network is very stupidly put together. Like every win7 and win8 machine on the planet? (IPv6 is installed and enabled by default. Few places have IPv6 enabled on their LAN, so a single RA would, indeed, 0wn3z those machines instantly.) The obvious solution to that is to install real IPv6 routers. I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions in most cases. Switches with “uplink” ports designated, for example, could easily default to permitting RAs only from those ports. One cannot **GUESS** the security for a network. You must either *know* or *not know* what's on a port. What makes a port uplink (read: trusted)? The only way to know for sure, without creating surprises or exploitable holes, is make the ADMIN explicitly SET EACH PORT. That's the way DHCP Guard works. That's the way spanning-tree portfast, bpdu guard, root guard, etc., etc. works. That's the way port security works. And that's the way RA Guard WILL be done. The port isn't particularly trusted, but it is allowed to send RAs which are forwarded to the network by default. Obviously a sane switch would allow this configuration to be changed. We're not talking about the security model for a network, we're talking about the default behavior of a switch. Defaults are, inherently guesses to some extent. Nonetheless, a switch must have some default behavior. It seems to me that in the case of switches which have otherwise designated uplink ports, it is logical to make those ports default to RA allowed while defaulting to not allowing RAs from other ports by default. Owen
Re: turning on comcast v6
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 1/6/2014 1:08 PM, Owen DeLong wrote: The port isn't particularly trusted, but it is allowed to send RAs which are forwarded to the network by default. Obviously a sane switch would allow this configuration to be changed. We're not talking about the security model for a network, we're talking about the default behavior of a switch. Defaults are, inherently guesses to some extent. Nonetheless, a switch must have some default behavior. It seems to me that in the case of switches which have otherwise designated uplink ports, it is logical to make those ports default to RA allowed while defaulting to not allowing RAs from other ports by default. Some people do not want switches making IP address assignments. That's all. :-) - - ferg - -- Paul Ferguson PGP Public Key ID: 0x54DC85B2 -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlLLHpMACgkQKJasdVTchbL6+gEApBli/t4RF4Eq3XroJkqrRmgn 9WYSy2ReVwo7Bx9l+PMA/16zyzwOgG4fdNc9zgt0A4Pb+dGpMBx8LkRY6Kj71F5t =J8uY -END PGP SIGNATURE-
Re: turning on comcast v6
On Jan 6, 2014, at 13:22 , Paul Ferguson fergdawgs...@mykolab.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 1/6/2014 1:08 PM, Owen DeLong wrote: The port isn't particularly trusted, but it is allowed to send RAs which are forwarded to the network by default. Obviously a sane switch would allow this configuration to be changed. We're not talking about the security model for a network, we're talking about the default behavior of a switch. Defaults are, inherently guesses to some extent. Nonetheless, a switch must have some default behavior. It seems to me that in the case of switches which have otherwise designated uplink ports, it is logical to make those ports default to RA allowed while defaulting to not allowing RAs from other ports by default. Some people do not want switches making IP address assignments. That's all. :-) Huh??? I don't think I said anything even remotely like that. Owen
Re: turning on comcast v6
On Sat, 04 Jan 2014 10:10:24 -0600, Leo Bicknell said: What happens when Joe Home User buys a new Linksys and wants to plug it in to get a firmware update before installing it? Are we really supposed to expect that every Joe Homeowner understands RA Guard and configures it for their home network? If Joe Home User has a rogue device spewing RA's, he probably has a bigger problem than just not having RA Guard enabled. He either has a badly misconfigured router (and one that's disobeying the mandate to not RA if you don't have an uplink), or he has a compromised malicious host. In either case, he's got bigger fish to fry. pgpbssJ0KI3eY.pgp Description: PGP signature
Re: turning on comcast v6
On Sat, Jan 4, 2014 at 2:12 AM, Doug Barton do...@dougbarton.us wrote: If you did add default route to DHCPv6, what is then supposed to happen to the other routes, that the client might discover? You would configure the client not to do RS, and to ignore any RAs that it receives. Simple. If you are going to modify the client, you can use any method you like, including having the client simply use fe80:: or prefix:: as default gateway. You want a secure way to configure the clients. That sounds more like Secure NDP (SEND) than it sounds like DHCPv6 with default gateway. Regards,
Re: turning on comcast v6
On Jan 3, 2014, at 7:52 PM, Owen DeLong o...@delong.com wrote: Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc. I count over a dozen ethernet switches in my home that do not have DHCP guard. Indeed, half of them do not have a management interface at all. Even my business class cable modem does not implement DHCP guard on it's integrated switch. I also don't know of a single device, from any vendor, that turns DHCP guard on by default. I'd appreciate pointers if there is one. I know a half dozen people sent some form of don't do that when I gave the example of plugging in a rogue router with my corporate scenario. Maybe in a corporate scenario that's plausible, there will be intelligent admins (ha!). What happens when Joe Home User buys a new Linksys and wants to plug it in to get a firmware update before installing it? Are we really supposed to expect that every Joe Homeowner understands RA Guard and configures it for their home network? -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: turning on comcast v6
For IPv6, you can become a/the router for a segment with the origination of a single packet. Instantly. That’s something you can never do with DHCPv4. A router, yes. THE router, not unless the network is very stupidly put together. Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc. It'll **NEVER** be a default because it breaks too many clueless people's networks. Just like, surprise, DHCP guard isn't on by default in any gear I'm aware of. I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions in most cases. Switches with “uplink” ports designated, for example, could easily default to permitting RAs only from those ports. Owen
Re: turning on comcast v6
On 01/02/2014 10:30 PM, TJ wrote: I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don't. Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on. There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue. Doug
Re: turning on comcast v6
On Fri, Jan 3, 2014 at 9:40 AM, Doug Barton do...@dougbarton.us wrote: On 01/02/2014 10:30 PM, TJ wrote: I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don't. The IPv6 protocol does not give you such an ability (by accident - a hacker can steal your IPv4 network too with your completely unprotected network). There seems to be a lack of detailed understanding of the RFCs in this thread. Adding a new router to an already running network will add a second router to all clients. But no clients will actually switch to the new router unless the old one fails. That is the behavior specified in the RFC. Actual implementations might do something different, but that is hardly the fault of the protocol designer. Have anyone here actually tested this, or are we just making up stuff? Another person claimed that there would be 15 minuttes or more until the network was fixed, after removing a rogue router. That too is completely wrong. Every client will monitor the currently used router. If it stops responding for 30 seconds, the clients will switch to an alternative router. Also, routers are supposed to monitor their uplink. If the uplink is down, no RA should be sent on the downlinks and any current active prefixed should be withdrawn. Not all routers implement this, but at the least the CPEs are starting to do it correctly. This whole thread builds on the assumption that you are using equipment with either bad implementation or bad configuration. Blocking RA from client ports is just one simple ACL rule on the switch. Many vendors have a very simple option to enable it. You are not running a clean ship if you skip this, just the same as you are required to block DHCP servers from client ports. Regards Baldur
Re: turning on comcast v6
On 01/03/2014 01:15 AM, Baldur Norddahl wrote: On Fri, Jan 3, 2014 at 9:40 AM, Doug Barton do...@dougbarton.us wrote: On 01/02/2014 10:30 PM, TJ wrote: I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don't. The IPv6 protocol does not give you such an ability (by accident - a hacker can steal your IPv4 network too with your completely unprotected network). ... and yet most IPv4 networks are not completely unprotected. There seems to be a lack of detailed understanding of the RFCs in this thread. You can rest assured that I know them pretty well. Adding a new router to an already running network will add a second router to all clients. But no clients will actually switch to the new router unless the old one fails. ... which is simple to accomplish with a DOS, even if the clients implement the protocol correctly. That is the behavior specified in the RFC. Actual implementations might do something different, but that is hardly the fault of the protocol designer. Have anyone here actually tested this, or are we just making up stuff? It's been demonstrated several times at various venues, including at least 1 IETF meeting. Another person claimed that there would be 15 minuttes or more until the network was fixed, after removing a rogue router. That too is completely wrong. Every client will monitor the currently used router. If it stops responding for 30 seconds, the clients will switch to an alternative router. Again, you're assuming that the clients implement correctly, however I think this one is more common than not since this behavior has been prescribed long enough now. Also, routers are supposed to monitor their uplink. If the uplink is down, no RA should be sent on the downlinks and any current active prefixed should be withdrawn. Not all routers implement this, but at the least the CPEs are starting to do it correctly. This whole thread builds on the assumption that you are using equipment with either bad implementation or bad configuration. ... or old enough not to have the latest bells and whistles. And I would also argue that when it comes to IPv6 bad configuration is still more common than not. Blocking RA from client ports is just one simple ACL rule on the switch. If your switch has that code. Given that RA Guard is a fairly recent invention, I would argue that at minimum the common case is that any random network device does not. And you still haven't provided an argument about why the default route should not be added to DHCPv6. Doug
Re: turning on comcast v6
On Fri, Jan 03, 2014 at 12:40:42AM -0800, Doug Barton wrote: Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on. Do devices commonly have DHCPv6 filtering capabilities? I would imagine they'd be about as common as RA guard, and if so, this is a moot argument. - Matt -- It fsck's the volume or it gets the format again. -- Don Quixote, in the Monastery
Re: turning on comcast v6
On Fri, Jan 3, 2014 at 10:24 AM, Doug Barton do...@dougbarton.us wrote: ... and yet most IPv4 networks are not completely unprotected. We are apparently talking about completely unprotected networks here. Otherwise there is simply no problem. You would be filtering RA and many other things, because that is best practice and required by many security standards besides. ... which is simple to accomplish with a DOS, even if the clients implement the protocol correctly. If we are on an unprotected network and we have evil intend, all is lost. The hacker can simply steal the traffic with a simple arp ping or a ton of other methods. The original claim was not evil intend, but that of an accident. But it still requires three mistakes: bad clients, bad routers and bad configuration. That is the behavior specified in the RFC. Actual implementations might do something different, but that is hardly the fault of the protocol designer. Have anyone here actually tested this, or are we just making up stuff? It's been demonstrated several times at various venues, including at least 1 IETF meeting. Doesn't work when I try it. The clients just keep using the old gateway and prefix. But I can't rule out there are bad clients out there, just that it does not happen on my network. Can you give any examples of bad clients? Another person claimed that there would be 15 minuttes or more until the network was fixed, after removing a rogue router. That too is completely wrong. Every client will monitor the currently used router. If it stops responding for 30 seconds, the clients will switch to an alternative router. Again, you're assuming that the clients implement correctly, however I think this one is more common than not since this behavior has been prescribed long enough now. This one is something that all major clients have correctly by now. It is a rather common use case for IPv6 after all. The user connects two gateways to his network and gets carefree automatic failover with a 30 seconds timer to detect failure. May not be good enough for your enterprise network, but sure is quite useful in the SOHO environment. And you still haven't provided an argument about why the default route should not be added to DHCPv6. I was not arguing that it didn't. Just that the perceived problem is not real. However, I might be inclined to believe that default route in DHCPv6 is a bad idea. It is a confusing concept, since we already no less than three methods (*) to discover default route and you want to add a fourth. This would be something that needs to be implemented in every client, and thus will not really be usable for at least a decade. By then everyone are used to RA. If you did add default route to DHCPv6, what is then supposed to happen to the other routes, that the client might discover? By the arguments in this thread, you do not really want default route from RA, but instead some security mechanism, that would prevent the client from obtaining routes and prefixes in addition to the one you provided. That seems to be a completely different issue. (*) prefix::, fe80:: and the one you get from RA. Regards, Baldur
Re: turning on comcast v6
On Jan 3, 2014, at 12:30 AM, TJ trej...@gmail.com wrote: I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. Rogue RA's can take down statically IPv6'ed boxes. Rogue DHCP servers will never affect a statically configured IPv4 box. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
On Fri, Jan 3, 2014 at 4:09 PM, Leo Bicknell bickn...@ufp.org wrote: Rogue RA's can take down statically IPv6'ed boxes. Rogue DHCP servers will never affect a statically configured IPv4 box. I believe that that would depend on whether your configuration of a static IPv6 address on your box also disabled accepting RA. On LInux, I believe it is something like net.ipv6.conf.if.autoconf=0 and net.ipv6.conf.if.accept_ra=0 (could easily be typos there, doing it from memory). As with much else, your devops scripts/processes may need to change for IPv6 vs IPv4 (which is why, especially for enterprises, it is not as easy as just turning it on).
Re: turning on comcast v6
On 01/03/2014 04:01 AM, Baldur Norddahl wrote: On Fri, Jan 3, 2014 at 10:24 AM, Doug Barton do...@dougbarton.us wrote: And you still haven't provided an argument about why the default route should not be added to DHCPv6. I was not arguing that it didn't. Just that the perceived problem is not real. Your opinion is that rogue RAs are not a problem. I, and others, disagree with you on that; but since that's not really the problem I'm trying to solve we can agree to disagree. What I (and many, many others) have been saying for over a decade is that we need to have parity with DHCPv4 in DHCPv6 in order to allow organizations that like and use DHCP to use that as their exclusive method of configuring IPv6 clients. Often this is to match existing administrative boundaries, sometimes it's just a preference (one could even say prejudice) against SLAAC/RA, but regardless, that's what is needed. However, I might be inclined to believe that default route in DHCPv6 is a bad idea. It is a confusing concept, It's not confusing in any way. It matches the well known mechanism already in widespread use in DHCPv4. since we already no less than three methods (*) to discover default route and you want to add a fourth. The first 2 you mention are rarely used, and not even implemented in many, if not most clients. However the fact that there are so many ways to do it in IPv6 now is an example of the Anything but DHCP! mindset of the early IPng architects. This would be something that needs to be implemented in every client, and thus will not really be usable for at least a decade. Organizations that want this are prepared to do the work of making sure that their clients are upgraded, or wait to deploy IPv6 until it's available. For most existing organizations there is no urgency to deploy IPv6, their current infrastructure works for them. For those new organizations forced to deploy IPv6 they will be able to deploy new software that handles this option. ... and of course, the sooner we do it, the sooner it will be widely available. By then everyone are used to RA. It's been over a decade already, and not only have the security problems with RA not yet been solved in a robust way, people are not only not yet used to it, they are actively opposing it. Your optimism, while admirable, is misplaced here. If you did add default route to DHCPv6, what is then supposed to happen to the other routes, that the client might discover? You would configure the client not to do RS, and to ignore any RAs that it receives. Simple. (*) prefix::, fe80:: and the one you get from RA. Doug
Re: turning on comcast v6
On Jan 3, 2014, at 12:40 AM, Doug Barton do...@dougbarton.us wrote: On 01/02/2014 10:30 PM, TJ wrote: I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don’t Not entirely true, actually… If you’re willing to work hard enough at it, most hosts can be “encouraged” to renew early. Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on. Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc. There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue. As I’ve said before, if we’re going to bother doing it, we should just include RIO options, but otherwise, I agree with you. Owen
Re: turning on comcast v6
What DHCP attacks? Humor me... What DHCP attacks? - ferg On 1/3/2014 5:52 PM, Owen DeLong wrote: On Jan 3, 2014, at 12:40 AM, Doug Barton do...@dougbarton.us wrote: On 01/02/2014 10:30 PM, TJ wrote: I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don’t Not entirely true, actually… If you’re willing to work hard enough at it, most hosts can be “encouraged” to renew early. Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on. Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc. There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue. As I’ve said before, if we’re going to bother doing it, we should just include RIO options, but otherwise, I agree with you. Owen -- Paul Ferguson PGP Public Key ID: 0x63546533
RE: turning on comcast v6
There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue. As I've said before, if we're going to bother doing it, we should just include RIO options, but otherwise, I agree with you. Are DHCPv6 and/or NDP extendible for other stuff? For example, in IPv4, Cisco uses DHCP option 150 for advertising Callmanager addresses in their IP Telephony networks. I've been out of the Cisco IPT side of stuff for awhile, but wondered how that has been tackled. And I think things like NTP addresses have been delivered in DHCP packets. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: turning on comcast v6
On Fri, 03 Jan 2014 20:52:25 -0500, Owen DeLong o...@delong.com wrote: Not entirely true, actually… If you’re willing to work hard enough at it, most hosts can be “encouraged” to renew early. Short of commandline access, no there isn't. (crashing or otherwise triggering a reboot, isn't a renew; that's a full broadcast restart) And RENEW isn't at issue as that's a unicast request directly with the original DHCP server. Simply turning up your own instance will do nothing there. (attempting to impersonate the real server isn't what were talking about.) For IPv6, you can become a/the router for a segment with the origination of a single packet. Instantly. That's something you can never do with DHCPv4. Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc. It'll **NEVER** be a default because it breaks too many clueless people's networks. Just like, surprise, DHCP guard isn't on by default in any gear I'm aware of.
Re: turning on comcast v6
On 12/30/2013 4:56 PM, Owen DeLong wrote: You can accomplish the same thing in IPv4…. Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network. Not nearly as fast as bad RAs do (as others have pointed out). Yes, you have to pay attention when you plug in a router just like you’d have to pay attention if you plugged in a DHCP server you were getting ready to recycle. But the ability to plug in a not-router and break things is oh so much greater. Incompetence in execution really isn’t the protocol’s fault. But it is the protocol designer's fault... and once shipped, the protocol's fault. There's all sorts of things that were known at the time IPv6 was designed that the designers failed to build solutions for. As an example, routers *could* be a lot smarter about sending RAs on a network where routers are already present, but that's not in the spec. Neither the ND DOS attack nor the need to protect against bogus RAs on every port of your switch but one (or rarely, two) are things that should have been a post-deployment surprise (to name just a couple pet peeves of mine... there's more design flaws that could have been easily avoided had enough people cared to do so). Matthew Kaufman
Re: turning on comcast v6
I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. And, regardless of the protocol in question, represent attacks which should be defended against. As is often (always?) the case, there are tradeoffs - and the pros and cons of those tradeoffs will be weighted differently by different parties. /TJ On Jan 3, 2014 12:00 AM, Matthew Kaufman matt...@matthew.at wrote: On 12/30/2013 4:56 PM, Owen DeLong wrote: You can accomplish the same thing in IPv4…. Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network. Not nearly as fast as bad RAs do (as others have pointed out). Yes, you have to pay attention when you plug in a router just like you’d have to pay attention if you plugged in a DHCP server you were getting ready to recycle. But the ability to plug in a not-router and break things is oh so much greater. Incompetence in execution really isn’t the protocol’s fault. But it is the protocol designer's fault... and once shipped, the protocol's fault. There's all sorts of things that were known at the time IPv6 was designed that the designers failed to build solutions for. As an example, routers *could* be a lot smarter about sending RAs on a network where routers are already present, but that's not in the spec. Neither the ND DOS attack nor the need to protect against bogus RAs on every port of your switch but one (or rarely, two) are things that should have been a post-deployment surprise (to name just a couple pet peeves of mine... there's more design flaws that could have been easily avoided had enough people cared to do so). Matthew Kaufman
Re: turning on comcast v6
Hi, On Thu, Jan 02, 2014 at 08:57:14PM -0800, Matthew Kaufman wrote: On 12/30/2013 4:56 PM, Owen DeLong wrote: You can accomplish the same thing in IPv4?. Plug in Sally?s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network. for the record it should be noted that this particular issue was fixed by Microsoft a while ago (see http://support.microsoft.com/kb/2750841/en-us). best Enno Not nearly as fast as bad RAs do (as others have pointed out). Yes, you have to pay attention when you plug in a router just like you?d have to pay attention if you plugged in a DHCP server you were getting ready to recycle. But the ability to plug in a not-router and break things is oh so much greater. Incompetence in execution really isn?t the protocol?s fault. But it is the protocol designer's fault... and once shipped, the protocol's fault. There's all sorts of things that were known at the time IPv6 was designed that the designers failed to build solutions for. As an example, routers *could* be a lot smarter about sending RAs on a network where routers are already present, but that's not in the spec. Neither the ND DOS attack nor the need to protect against bogus RAs on every port of your switch but one (or rarely, two) are things that should have been a post-deployment surprise (to name just a couple pet peeves of mine... there's more design flaws that could have been easily avoided had enough people cared to do so). Matthew Kaufman -- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey === Blog: www.insinuator.net || Conference: www.troopers.de ===
Re: turning on comcast v6
The reason RIP isn't used to hand out routes is not based on age, or protocol design. It's based on the fact that we don't want host segment routes (usually only default) to be announcement based, because that leads to problems and uncomfortable meetings with VPs. DHCP will happily give out a correct gateway that can be managed using some FHRP, or not, and those few (new to the network) users can reboot once it's fixed. The key is it is controlled and can't be just hijacked at a moment's notice. All we've gained by switching to RA is a security hole that must be managed at the L2 level, and the ability to use a slower method of failover than FHRPs purely so we aren't reliant on a single ip address, and the vauge notion that somehow the network and the dhcp server could possibly get out of sync, and that's somehow a worse problem than losing the entire network randomly due to bad/inept actors and either a lack of security, or a security vulnerability. Personally I don't see the trade offs as beneficial, and you also lose the ability to differentiate gateways by host from central control (even though you'd rarely see this done as opposed to separate vlans). -Blake On Mon, Dec 30, 2013 at 10:40 PM, Victor Kuarsingh vic...@jvknet.comwrote: On Mon, Dec 30, 2013 at 6:31 PM, Leo Bicknell bickn...@ufp.org wrote: On Dec 30, 2013, at 4:37 PM, Victor Kuarsingh vic...@jvknet.com wrote: On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard l...@asgard.org wrote: The better question is are you using RIP or ICMP to set gateways in your network now? I disagree that that's a better question. I'm not using RIP because my hosts don't support it (at least, not without additional configuration), and it would be a very unusual configuration, adding weight and complexity for no benefit. RAs are the opposite. Not even sure how you would use ICMP to set a default gateway. Maybe there's a field I'm unaware of. [VK] The RIP comparison is somewhat confusing to me. I don't see how RIP is comparable in this context (I guess technically you can pass a default route in RIP, but as Lee mentions, the protocol is designed for a different purpose and requires configuration). There was a time, I'm going to roughly guess approximately 1987-1992, although I may be off by a year or two, that you needed to have lived through for this to make sense. You see, in that time the available IGP was, well, RIP. RIPv1. Routers, at least ones you could buy, did not have OSPF, EIGRP, or even in many cases EGP/BGP. They had RIPv1, and perhaps some bleeding edge Cisco's had IGRP. So almost every campus network ran RIPv1 [VK] Leo, I understand the case you mention, but I am not sure if this is a parallel to what the subject is on this thread. I would think we are talking - not about routers and servers here - but end hosts (PCs, tablets, home gateways, smart phones, media devices etc.) which would be the beneficiaries of the [DHCPv6] route option information. I still don't think that RIP's prevalence in 20+ year old network environments, and it's lack of use today, draws a comparison to the validity of using RAs. I get that it [RIP] may have been default on may historic boxes, so had similar effect on providing a default route, but the protocol's purpose was not intended to do that for all the hosts on a network (also a world where not all networks were IP as well). RA on the other had was specifically purposed to be used to provide this kind of information to all IPv6 stacks. So I still think we are talking about very different environments in protocol types, purpose and mixture of participating hosts/routers etc. regards, Victor K
Re: turning on comcast v6
On Tue, Dec 31, 2013 at 12:24 AM, Leo Bicknell bickn...@ufp.org wrote: Here's what you will soon find: 1) The IPv6 pings on both machines cease to work. That will not actually happen. An IPv6 router is only allowed to announce a prefix by RA if it has a working uplink. Nonetheless you are required to secure your network against rogue DHCP and RA servers on both IPv4 and IPv6. Aside from the obvious reasons why, we can keep to your example, except this time it is a home router used for a home office application with a build in DHCP server. You connect it to your office network and it promptly starts handing out DHCP replies... This is not a big issue, as any useful switch for an enterprise environment will have this functionality. It does mean that you can not keep using dumb non-ipv6 aware switches, but that would be true even if we did not have RA and had to rely on DHCP instead. Regards, Baldur
Re: turning on comcast v6
Now, boss man comes in and has a new office opening up. Go grab the r1 box out of the closet, you need to upgrade the code and reconfigure it. Cable it up to your PC with a serial port, open some some sort of terminal program so you can catch the boot and password recover it. Plug it's ethernet into your lan, as you're going to need to tftp down new config, and turn it on. Why are you putting a router that you know needs to be reconfigured onto a production network? This could backfire regardless of IPv6, since you could have a similar issue if the router was performing DHCP from a locally configured pool. If someone did this and complained to me I would tell them they just learned a lesson and now know better then to go connecting equipment with an existing configuration to a production network without doing a full review first.
Re: turning on comcast v6
On Dec 31, 2013, at 1:10 AM, Timothy Morizot tmori...@gmail.com wrote: I've been in the process of rolling out IPv6 (again this night) across a very large, highly conservative, and very bureaucratic enterprise. (Roughly 100K employees. More than 600 distinct site. Yada. Yada.) I've had no issues whatsoever implementing the IPv6 RA+DHCPv6 model alongside the IPv4 model. In fact, the IPv6 model has generally been much more straightforward and easy to implement. So I'm a large enterprise operator, not an ISP. Convince me. Because I don't see any need. And if I don't, I'm hard-pressed to see why the IETF would. Scott I haven't seen anyone in this thread argue that DHCPv6+RA doesn't work. So we'd all expect that you'd do just fine deploying that way for your large enterprise. The point is that there are some (And based on the thread here and over at IPv6-OPS, not just a couple) operators who wish or are required to do things differently. I remember thinking how stupid it was we had to either statically configure or run DHCPv6 (which a lot of clients didn't support) for the sole purpose of handing out name servers, then we finally got around to RFC6106. There were lots of people who just couldn't understand why you'd ever want your router handing out name servers/dns search lists. Sure DHCPv6 was/is the 'right' and 'clean' way to do it, but it shouldn't be required to make IPv6 functional. Clearly the IETF agreed, eventually. IMO, being able to hand out gateway information based on $criteria via DHCPv6 is a logical feature to ask for. Anyone asking for that isn't trying to tell you that RA is broken, that you're doing things wrong, or that their way of thinking is more important that yours. They're asking for it because they have a business need that would make their deployment of IPv6 easier. Which, IMO, should be the goal of these discussions. How do we make it so deploying IPv6 isn't a pain in the butt? No one is asking to change the world, they're asking for the ability to manage their IPv6 systems the same way they do IPv4. /Ryan signature.asc Description: Message signed with OpenPGP using GPGMail
RE: turning on comcast v6
(Yes this is a top post ... get over it) Thank you Leo for doing such a great job in this scenario of explaining why acronym familiarity has much more to do with people's entrenched positions, than the actual network manageability they claim to be worried about. The hyperbolic nonsense in replace every ethernet switch in your entire network with new hardware that supports RA Guard, and then deploy new configuration on every single port of every single device in your network. Please develop a capital justification plan for Mr MoneyBagsCEO for replacing every switch in your network so you can safely deploy IPv6. , clearly shows that it is the spooky acronym RA that is more important to focus on than reality.It also does a nice job of wrapping up the point about why an IPv6 rollout needs a long term plan with appropriate multi-year budgeting. ;) For starters, in the scenario described, you only need 1 port protected, and that is for the person that would be doing the configuration, so it is likely pointless. Do you really believe that dhcp messages picked up by the rogue router wouldn't end up answering with the wrong values and breaking both IPv4 IPv6? Next, do you really believe that DHCP Guard for an IPv4 aware switch will do anything when an IPv6 DHCP message goes by? Don't you have to replace every switch and reconfigure anyway? Or is rogue DHCP service a problem that goes away with IPv4? Why do people continue to insist that a cornerstone of their network security model is tied to an inherently insecure protocol that was never intended to be used as a security tool? ... but I digress ... There are two very different models for IPv6 address/information allocation, and each needs to be fully functional and independent of the other; period. Unfortunately there have been too many voices demanding a 'one size fits all' approach within the IETF, and we have gotten to the current situation where you need to deploy parts of both models to have a functional network. RFC 6106 is a half-baked concession from the 'dhcp is the only true way' crowd to allow home networks to be functional, but if you want anything more than DNS you have to return to the one-true-way, simply because getting consensus for a more generic dhcp-options container in the RA was not going to happen. The Routing Information DHCP option has been held hostage by those that might be described as a 'dhcp is broken by design' crowd, because many saw that as a bargaining point for consensus around a more feature rich RA. Both hard line positions preventing utility in the other model are wrong, but in the presence of a leadership mantra of one-size-fits-all, neither side was willing to allow complete independent functionality to the other. Making progress on the Routing Information option requires a clear scenario to justify it, because vast swamp of dhcp options that have ever been used in IPv4 are not brought forward without some current usage case. Lee was asking for that input, and while the scenario you paint below might be helped by that option, it presumes that every device on the network has additional configuration to ignore an errant RA sent from the router being configured simply because the network is supposed to using DHCP. The only devices I know of that attempt to ignore an RA are Samsung's Android image which do the stupid thing of configuring an address from the RA on the lan, but refuse to create a routing entry from it if there has ever been a route via the 4G radio. (that is fundamentally a platform bug because google lets them set the knobs that way instead of doing the right thing as a metric bias between the available routes for fall back when one or the other goes away) Ryan's different dhcp answers based on auth state is a use case, and if in widespread use as a way around 1X, it might get enough support by itself to carry the day. If there are other use cases which are not self-contradictory justifications of maintaining acronym familiarity, they will spread the support base and make it easier to get past the objections. This is not about which model is 'right', if anything limiting it is about minimizing the different ways people can hang themselves without realizing the risks beforehand. At the end of the day, the IETF's job is to document technologies so vendors can implement for consistent behavior in independently managed networks. Vendors will build whatever they are paid to build, but if you want generic COTS, then lots of people need to justify a specific behavior with some level of consistency to get that documented as the consensus approach. So far there have not been enough consistent scenarios to get an RI option passed. Tony -Original Message- From: Leo Bicknell [mailto:bickn...@ufp.org] Sent: Monday, December 30, 2013 3:25 PM To: Lee Howard Cc: Jamie Bowden; North American Network Operators' Group Subject: Re: turning on comcast v6 On Dec 30, 2013, at 2:49 PM, Lee Howard
Re: turning on comcast v6
On Dec 31, 2013, at 12:36 PM, Tony Hain alh-i...@tndh.net wrote: likely pointless. Do you really believe that dhcp messages picked up by the rogue router wouldn't end up answering with the wrong values and breaking both IPv4 IPv6? Next, do you really believe that DHCP Guard for an IPv4 aware switch will do anything when an IPv6 DHCP message goes by? Don't you have to replace every switch and reconfigure anyway? Or is rogue DHCP service a problem that goes away with IPv4? Why do people continue to insist that a cornerstone of their network security model is tied to an inherently insecure protocol that was never intended to be used as a security tool? ... but I digress … In the scenario I described, which I suggest is extremely common, the rogue router will not provide any DHCPv4 client with an address, ever. It is configured to forward to a DHCP sever, and based on the steps I suggested it has no route to reach it. It will forward the packet out its down uplink, and never get a reply. It is in fact 100% benign. Let me repeat, it's 100% benign, and will not affect any users, ever. Yes, if the router has a local DHCP server there would be an issue. But that's not actually very common, most of the people running DHCP want a central server and the logging that goes along with it. I'll admit my scenario was contrived, constructed to specifically show ONE aspect of the problem. It is not the only operational issue, but it is one that is easy for engineers to understand and replicate. However, it's also common. I know multiple people who shot themselves in the foot in this very way, with operational networks. It's not a theoretical problem, it's one that happens every day. Here's another problem that happens every day in data centers and offices. Someone accidentally bridges two VLAN's together for a few minutes by plugging in a cable to the wrong port, realizing it and then unplugging it. In an IPv4+DHCPv4 world the majority of the time the impact is, well, NONE. No hosts notice. Some switches compute a new spanning tree adjacency and some broadcast traffic goes where it shouldn't, but everything remains operational. Do the same with IPv6 and all of the hosts on one of the two VLAN's will instantly stop working. There are controlled environments, like a single tenant data center where a rogue DHCP server is simply not a security concern, but where a tech accidentally bridging VLAN's is a very real possibility. The fact of the matter is that the scale, scope, and impact from a rogue DHCP server is entirely different from a rogue RA server. IPv4+DHCP is operationally much more robust in the face of various scenarios, where as IPv6+RA pretty much always results in near instantaneous 100% failure. Unfortunately there have been too many voices demanding a 'one size fits all' approach within the IETF, and we have gotten to the current situation where you need to deploy parts of both models to have a functional network. RFC 6106 is a half-baked concession from the 'dhcp is the only true way' crowd to allow home networks to be functional, but if you want anything more than DNS you have to return to the one-true-way, simply because getting consensus for a more generic dhcp-options container in the RA was not going to happen. The Routing Information DHCP option has been held hostage by those that might be described as a 'dhcp is broken by design' crowd, because many saw that as a bargaining point for consensus around a more feature rich RA. Both hard line positions preventing utility in the other model are wrong, but in the presence of a leadership mantra of one-size-fits-all, neither side was willing to allow complete independent functionality to the other. I think you describe the IETF situation reasonably well. The internal bickering between the RA camp and the DHCP camp have largely prevented either one from producing something robust. Making progress on the Routing Information option requires a clear scenario to justify it, because vast swamp of dhcp options that have ever been used in IPv4 are not brought forward without some current usage case. Lee was asking for that input, and while the scenario you paint below might be helped by that option, it presumes that every device on the network has additional configuration to ignore an errant RA sent from the router being configured simply because the network is supposed to using DHCP. This is some extremely circular logic. We can't have DHCP until there are options in devices to ignore RA's. We can't have an option to ignore RA's in devices, because at the moment RA's are the only way to get a default route so it doesn't make sense. Someone has to go first, the other side will follow. I suggest it makes a lot more sense to get working DHCP, before pressuring end-user boxes to have an option or even default to ignoring RA's. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at
RE: turning on comcast v6
Ryan Harden wrote: ... IMO, being able to hand out gateway information based on $criteria via DHCPv6 is a logical feature to ask for. Anyone asking for that isn't trying to tell you that RA is broken, that you're doing things wrong, or that their way of thinking is more important that yours. They're asking for it because they have a business need that would make their deployment of IPv6 easier. Which, IMO, should be the goal of these discussions. How do we make it so deploying IPv6 isn't a pain in the butt? No one is asking to change the world, they're asking for the ability to manage their IPv6 systems the same way they do IPv4. As I said in the response to Leo, this issue has been raised before and couldn't get traction because the combination of a one-size-fits-all mantra from the leadership with concession such that the dhcp model would be self-contained, would have led to the end of the RA model. You are correct, neither way is better, and both need to operate independently or in combination, but getting there requires a clear use case, or many similar cases, to make progress. I believe you are correct in that many people do use the dhcp option to assign the router, but quantifying that is a very difficult task because that community rarely worries about driving standards to get their way. I find that most of this community finds innovative ways to reuse tools defined for a different purpose, but its close enough to accomplish the task at hand while avoiding the cost of getting a vendor to build something specific. That is all fine until the original backer of the tool goes a different direction, and ongoing evolution requires someone to justify its continued support. The scattered community has so many different corner-case uses it is hard to make a clear and quantified need for what the tool should become. The primary reason that this is even a discussion is that the decision was made long ago in the DHCP WG to avoid bringing forward unused baggage from the evolution of IPv4 and dhcp by not bringing any options forward until someone documented an ongoing use for it. That remains the only real requirement I am aware of for getting a dhcp option copied forward from IPv4 to IPv6; document a widespread use case. This one has had an artificial requirement of getting past the dhcp vs. RA model wars, but that would have been, and still is easy enough to beat down with sufficiently documented use. Documented use is where things fail, because we loop back to the point about the people using it don't participate in driving the process to demonstrate how widespread the use actually is, and what specific functionality is being used to make sure the new definition is sufficient. Lee asked the question about use cases, and you were the only one that offered one with substance. Compound that with the point that nobody else jumped in with a 'me too', and the case could be made that you are looking for a standard to be defined around your local deployment choices. Not to say your deployment is isolated, wrong, or shouldn't be considered best-practice, rather that it is hard to demonstrate consensus from a single voice. Besides documenting the use case, it will help to fight off objections by also documenting why this innovative use is deployed rather than another widely deployed choice (in the case you present, why not 802.1X?, not that it is better, just 'why not' ; and I personally consider pre-dated or inconsistent implementations at deployment as a perfect justification, but that is just my take). At the end of the day, if operators don't actively participate in the standards process, the outcome will not match their expectations. Tony
Re: turning on comcast v6
On Dec 31, 2013, at 2:16 PM, Tony Hain alh-i...@tndh.net wrote: Ryan Harden wrote: ... IMO, being able to hand out gateway information based on $criteria via DHCPv6 is a logical feature to ask for. Anyone asking for that isn't trying to tell you that RA is broken, that you're doing things wrong, or that their way of thinking is more important that yours. They're asking for it because they have a business need that would make their deployment of IPv6 easier. Which, IMO, should be the goal of these discussions. How do we make it so deploying IPv6 isn't a pain in the butt? No one is asking to change the world, they're asking for the ability to manage their IPv6 systems the same way they do IPv4. As I said in the response to Leo, this issue has been raised before and couldn't get traction because the combination of a one-size-fits-all mantra from the leadership with concession such that the dhcp model would be self-contained, would have led to the end of the RA model. You are correct, neither way is better, and both need to operate independently or in combination, but getting there requires a clear use case, or many similar cases, to make progress. I believe you are correct in that many people do use the dhcp option to assign the router, but quantifying that is a very difficult task because that community rarely worries about driving standards to get their way. I find that most of this community finds innovative ways to reuse tools defined for a different purpose, but its close enough to accomplish the task at hand while avoiding the cost of getting a vendor to build something specific. That is all fine until the original backer of the tool goes a different direction, and ongoing evolution requires someone to justify its continued support. The scattered community has so many different corner-case uses it is hard to make a clear and quantified need for what the tool should become. The primary reason that this is even a discussion is that the decision was made long ago in the DHCP WG to avoid bringing forward unused baggage from the evolution of IPv4 and dhcp by not bringing any options forward until someone documented an ongoing use for it. That remains the only real requirement I am aware of for getting a dhcp option copied forward from IPv4 to IPv6; document a widespread use case. This one has had an artificial requirement of getting past the dhcp vs. RA model wars, but that would have been, and still is easy enough to beat down with sufficiently documented use. Documented use is where things fail, because we loop back to the point about the people using it don't participate in driving the process to demonstrate how widespread the use actually is, and what specific functionality is being used to make sure the new definition is sufficient. Lee asked the question about use cases, and you were the only one that offered one with substance. Compound that with the point that nobody else jumped in with a 'me too', and the case could be made that you are looking for a standard to be defined around your local deployment choices. Not to say your deployment is isolated, wrong, or shouldn't be considered best-practice, rather that it is hard to demonstrate consensus from a single voice. Besides documenting the use case, it will help to fight off objections by also documenting why this innovative use is deployed rather than another widely deployed choice (in the case you present, why not 802.1X?, not that it is better, just 'why not' ; and I personally consider pre-dated or inconsistent implementations at deployment as a perfect justification, but that is just my take). At the end of the day, if operators don't actively participate in the standards process, the outcome will not match their expectations. Tony Couple things… It should be noted that I don't intend to use DHCPv6 to hand out gateway information. I expect DHCPv6+RA to continue to fulfill my needs. So any notion that I'm trying push anything to meet any local deployment choices can be stopped right there. However, I can understand that some places might and do want to deploy things in the scenario I outlined previously. Some would love to deploy IPv6 but are hamstrung by old processes or tools with stupid assumptions or dependencies. Are the processes stupid? yes, Should they be replaced? absolutely. Is explaining that you need to rebuild your processes and tools to support this IPv6 thing that a very small percentage of your customers have even heard of, let alone asked for easy or likely to get approved? no. I think you are absolutely correct in that the people who are stuck deploying with these scenarios don't participate in the standards process or even know where to start with getting their voice heard. I jumped into this conversation not because I have anything to lose or gain from it, but because I noticed the quick and deliberate efforts to brush it
Re: turning on comcast v6
On Dec 31, 2013, at 12:11 PM, Ryan Harden harde...@uchicago.edu wrote: On Dec 31, 2013, at 1:10 AM, Timothy Morizot tmori...@gmail.com wrote: I've been in the process of rolling out IPv6 (again this night) across a very large, highly conservative, and very bureaucratic enterprise. (Roughly 100K employees. More than 600 distinct site. Yada. Yada.) I've had no issues whatsoever implementing the IPv6 RA+DHCPv6 model alongside the IPv4 model. In fact, the IPv6 model has generally been much more straightforward and easy to implement. So I'm a large enterprise operator, not an ISP. Convince me. Because I don't see any need. And if I don't, I'm hard-pressed to see why the IETF would. Scott I haven't seen anyone in this thread argue that DHCPv6+RA doesn't work. So we'd all expect that you'd do just fine deploying that way for your large enterprise. The point is that there are some (And based on the thread here and over at IPv6-OPS, not just a couple) operators who wish or are required to do things differently. I remember thinking how stupid it was we had to either statically configure or run DHCPv6 (which a lot of clients didn't support) for the sole purpose of handing out name servers, then we finally got around to RFC6106. There were lots of people who just couldn't understand why you'd ever want your router handing out name servers/dns search lists. Sure DHCPv6 was/is the 'right' and 'clean' way to do it, but it shouldn't be required to make IPv6 functional. Clearly the IETF agreed, eventually. IMO, being able to hand out gateway information based on $criteria via DHCPv6 is a logical feature to ask for. Anyone asking for that isn't trying to tell you that RA is broken, that you're doing things wrong, or that their way of thinking is more important that yours. They're asking for it because they have a business need that would make their deployment of IPv6 easier. Which, IMO, should be the goal of these discussions. How do we make it so deploying IPv6 isn't a pain in the butt? No one is asking to change the world, they're asking for the ability to manage their IPv6 systems the same way they do IPv4. /Ryan Please note that Ryan’s “manage their IPv6 systems” really means “run their business”. In many organizations the routing network is managed by a different group with different business goals and procedures than end systems. Allowing flexibility for this, if it is not overwhelmingly costly, is a reasonable goal. On my part, I see adding a default route parameter to DHCPv6 about as earth shaking as adding a default NTP server list. In other words, cut the crap and do it so we can save NANOG electrons and get on with solving more important network problems. signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
Please note that Ryan’s “manage their IPv6 systems” really means “run their business”. In many organizations the routing network is managed by a different group with different business goals and procedures than end systems. Allowing flexibility for this, if it is not overwhelmingly costly, is a reasonable goal. I guess in that case, one must ask one's self whether setting the default (or any other) route entries in the host routing tables qualifies as a end system issue or a routing network issue. My inclination is to think that it really is a routing network issue more than a end system issue, but I can see some valid arguments in either direction. It seems to me that no matter what solution one uses to deliver the default route information to the end system's routing table, this is an area which will inherently require cooperation and interaction between the group that manages the end systems and the group that manages the routers. I have yet to see an environment where this can be avoided in IPv4 and I wouldn't expect it to work out particularly well in IPv6, though I think we can come closer to having it work by having the network group control the prefix assignment and routing information delivered to the hosts than we could otherwise. On my part, I see adding a default route parameter to DHCPv6 about as earth shaking as adding a default NTP server list. In other words, cut the crap and do it so we can save NANOG electrons and get on with solving more important network problems. Personally, I'd hate to see us waste the effort on such a half-assed measure. If we're going to add routing information to DHCPv6, then I think it should be roughly equivalent to what is contained in an RIO within an RA (Prefix, Mask, Next Hop, Metric). (Though in the case of RA, the Next Hop is implicitly the router providing the RIO, obviously in DHCPv6, it would have to be explicit) With such an option added to DHCPv6, then default router could simply be one case, but the flexibility for more complex routing situations to be addressed would also exist. Owen
Re: turning on comcast v6
From: Matthew Petach mpet...@netflight.com Date: Saturday, December 21, 2013 10:55 PM To: Lee Howard l...@asgard.org Cc: Jamie Bowden ja...@photon.com, Owen DeLong o...@delong.com, m...@kenweb.org m...@kenweb.org, nanog@nanog.org nanog@nanog.org So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? default route information via DHCPv6. That's what I'm still waiting for. Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Lee Matt
Re: turning on comcast v6
On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Why must the people who want it justify to _you_? This is fundamental part I've not gotten about the IPv6 crowd. IPv4 got to where it is by letting people extend it and develop new protocols and solutions. DHCP did not exist when IPv4 was created, it was tacked on later. Now people want to tack something on to IPv6 to make it more useful to them. Why do they need to explain it to you, if it doesn't affect your deployments at all? Some of us think the model where a DHCP server knows the subnet and hands out a default gateway provides operational advantages. It's an opinion. And the current IPv6 crowds view that not having a default route and relaying on RA's is better is also an opinion. We've spent years of wasted bits and oxygen on ONE STUPID FIELD IN DHCP. Put it in their, and let the market sort it out, unless you can justify some dire harm from doing so. What is more important fast IPv6 adoption or belittling people who want to deploy it in some slightly different way than you did? -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: turning on comcast v6
You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? this is actually a non-trivial barrier to enterprise deployment and the ietf has been in stubborn denial for years. when an it department has been using dhcp since 2000, do not tell them they have to change to the true religion. fighting with the customer, thoubgh the ipv6 way, is not generally a path to success. randy
Re: turning on comcast v6
On Tue, 24 Dec 2013, Lee Howard wrote: I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? default route information via DHCPv6. That's what I'm still waiting for. Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? DHCPv6 + RA works for that, but still, that really should have been part of the protocol from day one. I see no good reason for it not to be in there. I suspect that will eventually be fixed, but it will be a long time before the majority of DHCPv6 client and server implementations are upgraded to support it. jms
Re: turning on comcast v6
On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: default route information via DHCPv6. That's what I'm still waiting for. Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Lee There are many places that wish to severely restrict or even block RA. Implementations of Captive Portal/NetReg/Bump in the wire auth/etc like to do redirection based on MAC. Many are doing this with very short DHCP leases that hand out different name servers and/or gateways until you properly auth via $method. You might be able to do this with something like RADVD, but when you have systems that have been doing this for IPv4 for years, there’s little interest (read: budget) in rewriting everything for IPv6. 'Rewrite all of your tools and change your long standing business practices’ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn’t fit into the “IPv6 way,” but bean counters don’t care much for that when you have to ask for developer time to rewrite everything. Disclaimer: I don’t condone said methods and trickery mentioned above, just pointing out their use. /Ryan
Re: turning on comcast v6
On 12/30/13 11:19 AM, Leo Bicknell bickn...@ufp.org wrote: On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Why must the people who want it justify to _you_? They don't; they have to justify it to the DHC WG at IETF, in order to generate consensus. This is fundamental part I've not gotten about the IPv6 crowd. IPv4 got to where it is by letting people extend it and develop new protocols and solutions. DHCP did not exist when IPv4 was created, it was tacked on later. Now people want to tack something on to IPv6 to make it more useful to them. Why do they need to explain it to you, if it doesn't affect your deployments at all? You can provision your network any way you like. If you want to create a custom version of DHCP (or your own provisioning protocol), that's fine. There doesn't seem to be consensus that default gateway in DHCP is a good idea. There's running code for how to change this. Some of us think the model where a DHCP server knows the subnet and hands out a default gateway provides operational advantages. It's an opinion. And the current IPv6 crowds view that not having a default route and relaying on RA's is better is also an opinion. We've spent years of wasted bits and oxygen on ONE STUPID FIELD IN DHCP. Put it in their, and let the market sort it out, unless you can justify some dire harm from doing so. I don't like the let many flowers bloom model of protocol development. You end up with a lot of cruft in protocols. Successful protocols tend not to have that (at least, when they become successful). I don't know if it will do harm (though it's easy to imagine DHCP not aligning with default gateways in modern, more mobile networks). But if the barrier for adding fields is Eh, it probably won't cause dire harm then we would have pretty messy protocols. What is more important fast IPv6 adoption or belittling people who want to deploy it in some slightly different way than you did? Did I belittle anybody? I apologize if I did that. It certainly was not my intent. I'm trying to understand a point of view. Lee -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: turning on comcast v6
On 12/30/13 1:04 PM, Ryan Harden harde...@uchicago.edu wrote: On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: default route information via DHCPv6. That's what I'm still waiting for. Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Lee There are many places that wish to severely restrict or even block RA. Implementations of Captive Portal/NetReg/Bump in the wire auth/etc like to do redirection based on MAC. Many are doing this with very short DHCP leases that hand out different name servers and/or gateways until you properly auth via $method. You might be able to do this with something like RADVD, but when you have systems that have been doing this for IPv4 for years, there¹s little interest (read: budget) in rewriting everything for IPv6. Thank you very much for presenting an actual use case. Seems like a dot1x kind of application, where the host is in a temporary VLAN until authenticated (etc.), right? Same use case, different network solution. 'Rewrite all of your tools and change your long standing business practices¹ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn¹t fit into the ³IPv6 way,² but bean counters don¹t care much for that when you have to ask for developer time to rewrite everything. Well, the tools have to be rewritten to support IPv6 fields, sockets, and structures anyway. However, there's a difference between, Make sure you call IP family agnostic libraries and increase field sizes, then let it run and Rebuild your network security. DHCP+RA just works in most networks; this is a use case where it could be made to work, but only by changing the network. As for why not add it? my answer is that if it's needed, we should add it. If it's not needed, we should not add it. I want default gateway in DHCPv6 does not answer the question of whether it's needed, which is why I asked why. Disclaimer: I don¹t condone said methods and trickery mentioned above, just pointing out their use. Will consider more. Lee /Ryan
Re: turning on comcast v6
On Dec 30, 2013, at 12:58 PM, Lee Howard l...@asgard.org wrote: 'Rewrite all of your tools and change your long standing business practices¹ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn¹t fit into the ³IPv6 way,² but bean counters don¹t care much for that when you have to ask for developer time to rewrite everything. Well, the tools have to be rewritten to support IPv6 fields, sockets, and structures anyway. However, there's a difference between, Make sure you call IP family agnostic libraries and increase field sizes, then let it run and Rebuild your network security. DHCP+RA just works in most networks; this is a use case where it could be made to work, but only by changing the network. Updating tools to add a box for IPv6 fields and tweaking the backend to generate a config file for DHCPv6 which is very similar to DHCP(for v4) is a lot different/easier than having to rewrite and/or split your backend to generate output in a completely different format. However, I'm not as familiar with RADVD as I am with isc-dhcpd so that might be a bad argument. And you don't have to support IPv6 from top to bottom to roll out IPv6 to users. So rewriting for socket support isn't necessary day one. You can route IPv6 for users so they can reach the IPv6 world quickly, then add local services as time/money allows. The biggest driver for IPv6 will be external resources available only via IPv6, not local. (Of course this is from the point of view where your business' primary service isn't outward facing resources.) I'm sure DHCP+RA works for most, but there are IPv4 shops who swear by fully dynamic DHCP, some who do DHCP-Reservations, and some who go static only. Just like some shops are EIGRP, some OSPF, and some ISIS. IMO IPv6 needs to be flexible enough to handle the fact that not everyone builds identical architectures nor do they have the exact same needs. Being able to use DHCPv6+RA, RA only, or DHCPv6 only should all be viable options. Forcing everyone down the same path will just lead to stupid proprietary solutions to a problem that shouldn't exist in the first place. /Ryan signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
The better question is are you using RIP or ICMP to set gateways in your network now? If you don't use those now, why is RA a better solution in ipv6? -Blake On Mon, Dec 30, 2013 at 1:20 PM, Ryan Harden harde...@uchicago.edu wrote: On Dec 30, 2013, at 12:58 PM, Lee Howard l...@asgard.org wrote: 'Rewrite all of your tools and change your long standing business practices¹ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn¹t fit into the ³IPv6 way,² but bean counters don¹t care much for that when you have to ask for developer time to rewrite everything. Well, the tools have to be rewritten to support IPv6 fields, sockets, and structures anyway. However, there's a difference between, Make sure you call IP family agnostic libraries and increase field sizes, then let it run and Rebuild your network security. DHCP+RA just works in most networks; this is a use case where it could be made to work, but only by changing the network. Updating tools to add a box for IPv6 fields and tweaking the backend to generate a config file for DHCPv6 which is very similar to DHCP(for v4) is a lot different/easier than having to rewrite and/or split your backend to generate output in a completely different format. However, I'm not as familiar with RADVD as I am with isc-dhcpd so that might be a bad argument. And you don't have to support IPv6 from top to bottom to roll out IPv6 to users. So rewriting for socket support isn't necessary day one. You can route IPv6 for users so they can reach the IPv6 world quickly, then add local services as time/money allows. The biggest driver for IPv6 will be external resources available only via IPv6, not local. (Of course this is from the point of view where your business' primary service isn't outward facing resources.) I'm sure DHCP+RA works for most, but there are IPv4 shops who swear by fully dynamic DHCP, some who do DHCP-Reservations, and some who go static only. Just like some shops are EIGRP, some OSPF, and some ISIS. IMO IPv6 needs to be flexible enough to handle the fact that not everyone builds identical architectures nor do they have the exact same needs. Being able to use DHCPv6+RA, RA only, or DHCPv6 only should all be viable options. Forcing everyone down the same path will just lead to stupid proprietary solutions to a problem that shouldn't exist in the first place. /Ryan
Re: turning on comcast v6
On 12/30/13 2:20 PM, Ryan Harden harde...@uchicago.edu wrote: On Dec 30, 2013, at 12:58 PM, Lee Howard l...@asgard.org wrote: 'Rewrite all of your tools and change your long standing business practices¹ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn¹t fit into the ³IPv6 way,² but bean counters don¹t care much for that when you have to ask for developer time to rewrite everything. Well, the tools have to be rewritten to support IPv6 fields, sockets, and structures anyway. However, there's a difference between, Make sure you call IP family agnostic libraries and increase field sizes, then let it run and Rebuild your network security. DHCP+RA just works in most networks; this is a use case where it could be made to work, but only by changing the network. Updating tools to add a box for IPv6 fields and tweaking the backend to generate a config file for DHCPv6 which is very similar to DHCP(for v4) is a lot different/easier than having to rewrite and/or split your backend to generate output in a completely different format. However, I'm not as familiar with RADVD as I am with isc-dhcpd so that might be a bad argument. And you don't have to support IPv6 from top to bottom to roll out IPv6 to users. So rewriting for socket support isn't necessary day one. You can route IPv6 for users so they can reach the IPv6 world quickly, then add local services as time/money allows. The biggest driver for IPv6 will be external resources available only via IPv6, not local. (Of course this is from the point of view where your business' primary service isn't outward facing resources.) I agree with you on the above, I just didn't say so very well. I'm sure DHCP+RA works for most, but there are IPv4 shops who swear by fully dynamic DHCP, some who do DHCP-Reservations, and some who go static only. Just like some shops are EIGRP, some OSPF, and some ISIS. IMO IPv6 needs to be flexible enough to handle the fact that not everyone builds identical architectures nor do they have the exact same needs. Being able to use DHCPv6+RA, RA only, or DHCPv6 only should all be viable options. Forcing everyone down the same path will just lead to stupid proprietary solutions to a problem that shouldn't exist in the first place. All of those cases work just as well with DHCP+RA. Only in cases where a router on a subnet is not the correct gateway is RA a problem, AFAIK. You gave one example where that's the case. Another would be where there are two gateways for the same network segment, which don't share an IP address, and you want DHCP to tell hosts which one they should use (rather than, say, manual configuration or GPO). DHCP and RAs do different things. DHCP does host configuration. Router Advertisements advertise routers. When you have both, you can leave off a field in DHCP, and rely on the network to route the packets. Turning off RAs and putting that information into DHCP for each subnet you manage means additional work. It's not a lot of work, admittedly. Lee /Ryan
Re: turning on comcast v6
I'm not really an advocate for or against DHCP or RAs. I really just want to understand what feature is missing. From: Blake Dunlap iki...@gmail.com Date: Monday, December 30, 2013 3:19 PM To: Ryan Harden harde...@uchicago.edu Cc: Lee Howard l...@asgard.org, Jamie Bowden ja...@photon.com, nanog@nanog.org nanog@nanog.org Subject: Re: turning on comcast v6 The better question is are you using RIP or ICMP to set gateways in your network now? I disagree that that's a better question. I'm not using RIP because my hosts don't support it (at least, not without additional configuration), and it would be a very unusual configuration, adding weight and complexity for no benefit. RAs are the opposite. Not even sure how you would use ICMP to set a default gateway. Maybe there's a field I'm unaware of. If you don't use those now, why is RA a better solution in ipv6? It's built into the fundamentals of IPv6, using the Neighbor Discovery Protocol. It's supported in every stack. It's the default mode of operation. To turn it off, you have to disable part, but not all, of NDP. (Do you also turn off RSs on all hosts?) There could be better solutions; I would like to understand how they are better. Again, in your network, you can do whatever you want. If you want something different standardized, then you need consensus here: https://www.ietf.org/mailman/listinfo/dhcwg Lee
Re: turning on comcast v6
On Dec 30, 2013, at 8:19 AM, Leo Bicknell bickn...@ufp.org wrote: On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Why must the people who want it justify to _you_? In a consensus process, it is not unusual or uncommon for the group to expect a justification for a topic seeking consensus. This is fundamental part I've not gotten about the IPv6 crowd. IPv4 got to where it is by letting people extend it and develop new protocols and solutions. DHCP did not exist when IPv4 was created, it was tacked on later. Now people want to tack something on to IPv6 to make it more useful to them. Why do they need to explain it to you, if it doesn't affect your deployments at all? To the best of my knowledge, those same questions have been asked about all of the IPv4 protocols in the IETF development process, too. If he wants to just go mod his DHCP daemons, he’s welcome to do that. If he wants IETF consensus around a change to the DHCP protocol, then it’s not at all unreasonable for him to have to justify that position to the IETF. Some of us think the model where a DHCP server knows the subnet and hands out a default gateway provides operational advantages. It's an opinion. And the current IPv6 crowds view that not having a default route and relaying on RA's is better is also an opinion. Sure, but here’s where you break down… The current situation isn’t attributable to “the current IPv6 crowd” (whoever that is), it’s the current IETF consensus position. Changing that IETF consensus position is a matter of going through the IETF process and getting a new consensus. That requires justifying your position and convincing enough people willing to actively participate in the working group process of that position. I like to think that I would be part of almost any valid definition of “the current IPv6 crowd”. While I do think that RAs are a better mechanism for most situations, I also support the inclusion of information equivalent to RIOs in DHCP options. We've spent years of wasted bits and oxygen on ONE STUPID FIELD IN DHCP. Put it in their, and let the market sort it out, unless you can justify some dire harm from doing so. It shouldn’t be one stupid field, even if we do put it in. It should be an additional option for providing zero or more RIOs. What is more important fast IPv6 adoption or belittling people who want to deploy it in some slightly different way than you did? I do not think it is legitimate to say that asking for justification for a position is belittling. Owen
Re: turning on comcast v6
On Dec 30, 2013, at 10:04 AM, Ryan Harden harde...@uchicago.edu wrote: On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: default route information via DHCPv6. That's what I'm still waiting for. Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Lee There are many places that wish to severely restrict or even block RA. Implementations of Captive Portal/NetReg/Bump in the wire auth/etc like to do redirection based on MAC. Many are doing this with very short DHCP leases that hand out different name servers and/or gateways until you properly auth via $method. You might be able to do this with something like RADVD, but when you have systems that have been doing this for IPv4 for years, there’s little interest (read: budget) in rewriting everything for IPv6. While I do not oppose the inclusion of Routing Information into DHCPv6, I have to say that this seems to be one of the weaker arguments. Please permit me to repeat your statement from an IPv6 perspective… Because many places have poorly thought out cruft that deals with deficiencies in IPv4 by doing stunts that won’t work in the current IPv6 implementation and because we don’t want to rewrite our cruft to take advantage of the cleaner solutions available for these problems in IPv6, we demand that you include the cruft from IPv4 into IPv6 in order to support this hackery. 'Rewrite all of your tools and change your long standing business practices’ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn’t fit into the “IPv6 way,” but bean counters don’t care much for that when you have to ask for developer time to rewrite everything. You have to rewrite all your tools to handle the bigger addresses anyway. While you’re at it, why not rewrite them to take advantage of cleaner solutions? Disclaimer: I don’t condone said methods and trickery mentioned above, just pointing out their use. So you’re defending a position you don’t share? Interesting tactic. Owen
Re: turning on comcast v6
On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard l...@asgard.org wrote: I'm not really an advocate for or against DHCP or RAs. I really just want to understand what feature is missing. From: Blake Dunlap iki...@gmail.com Date: Monday, December 30, 2013 3:19 PM To: Ryan Harden harde...@uchicago.edu Cc: Lee Howard l...@asgard.org, Jamie Bowden ja...@photon.com, nanog@nanog.org nanog@nanog.org Subject: Re: turning on comcast v6 The better question is are you using RIP or ICMP to set gateways in your network now? I disagree that that's a better question. I'm not using RIP because my hosts don't support it (at least, not without additional configuration), and it would be a very unusual configuration, adding weight and complexity for no benefit. RAs are the opposite. Not even sure how you would use ICMP to set a default gateway. Maybe there's a field I'm unaware of. [VK] The RIP comparison is somewhat confusing to me. I don't see how RIP is comparable in this context (I guess technically you can pass a default route in RIP, but as Lee mentions, the protocol is designed for a different purpose and requires configuration). I guess the ICMP reference fair as Neighbor Discovery is built on ICMP (which is a good thing in my opinion). Perhaps the reference here was to people not using RFC1256 in their networks? If you don't use those now, why is RA a better solution in ipv6? It's built into the fundamentals of IPv6, using the Neighbor Discovery Protocol. It's supported in every stack. It's the default mode of operation. To turn it off, you have to disable part, but not all, of NDP. (Do you also turn off RSs on all hosts?) [VK] Although I think there may be a valid case presented for an Option, I agree with Lee with the point that Neighbor Discovery is already built-in so it has operational benefits in that respect. There are many IPv6 deployments out there today in both ISPs and Enterprises, where ND/RAs are being used - this may or may not make RAs better then a potential DHCPv6 router option, but we know it (RA method) works in real networks using IPv6. As for a DHCPv6 router option case being made, if there a good reason and technical merit, that should be made to the DHC WG, or perhaps even made at a v6ops ops meeting and the advocate should make note of points made in draft-ietf-dhc-option-guidelineshttp://datatracker.ietf.org/doc/draft-ietf-dhc-option-guidelines/. Changes/updates to DHCPv6 have been made (as with RFC7083) when the problem can be stated with technical merit and people are willing to work on it. regards, Victor K
Re: turning on comcast v6
On Dec 30, 2013, at 3:43 PM, Owen DeLong o...@delong.com wrote: The current situation isn’t attributable to “the current IPv6 crowd” (whoever that is), it’s the current IETF consensus position. Changing that IETF consensus position is a matter of going through the IETF process and getting a new consensus. That requires justifying your position and convincing enough people willing to actively participate in the working group process of that position. Some of us tried to engage the IETF on this topic in multiple working groups. If you search the archives you'll find this topic has come up before. I would charitably describe the environment there as hostile to anyone who has not been inside the IEFT machine for the last 15 years. And that's assuming the working group is working, there are plenty inside the IEFT that are extremely dysfunctional even when the people on them agree. It's not enough to tell a bunch of enterprise people who have never dealt with the IETF before that they should go there are plead their case. Most do not know how, and the few who try find themselves berated by that community for being ignorant of the way things should be. What the enterprise folks need is IPv6 champions, like yourself, like Lee, to user stand their use case that even if you don't end up deploying it on your own network you will show up at the IETF, or at least participate on the IETF mailing lists and help them get what they need, so IPv6 deployment can proceed apace. If you really don't think there is harm, help them go get what they (think they?) need. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
On Dec 30, 2013, at 2:49 PM, Lee Howard l...@asgard.org wrote: I'm not really an advocate for or against DHCP or RAs. I really just want to understand what feature is missing. I encourage you to try this simple experiment in your lab, because this happens all day long on corporate networks around the world, and illustrates the differences quite nicely. While not a complete treatment of the operational differences, it's an important illustration. Configure up a simple network topology of three boxes representing a hub and spoke network: DHCP SVR | --lan--r1--wan--hubrtr--wan--r2--lan Number it up as expected for both protocols: wan links: IPv4 /30, IPv6 /64 lan links: IPv4 /24, IPv6 /64 Drop a DHCP server off the hubrtr, set r1 and r2 to forward DHCP requests to it. Verify a machine plugged into either of the LANs gets a fully functional network for both protocols. Now, take r1 turn it off, and stick it in a closet. You see, that office closed. Normal every day thing. Plug up two PC's to the remaining LAN off r2. This represents your desktop, and your neighbors desktop. Think Bob from accounting perhaps. Open two windows on each, one with an IPv4 ping, one with an IPv6 ping running. Now, boss man comes in and has a new office opening up. Go grab the r1 box out of the closet, you need to upgrade the code and reconfigure it. Cable it up to your PC with a serial port, open some some sort of terminal program so you can catch the boot and password recover it. Plug it's ethernet into your lan, as you're going to need to tftp down new config, and turn it on. Here's what you will soon find: 1) The IPv6 pings on both machines cease to work. 2) The IPv4 network continues to work just fine. Now, for even more fun, turn on another PC, say Sally from HR just rebooted her machine. It will come up in the same state, IPv6 not working, while IPv4 works just fine. Lastly, for extra credit, explain to Mr MoneyBagsCEO why Bob and Sally are now complaining to him that their network is down, again. Make sure you not only understand the technical nuances of why the problem above happened, but also how to explain them to a totally non-technical CEO. (Oh yeah, go ahead and unplug r1 to fix the problem, and observe how long until the pings start working again. I think it's 15 minutes, IIRC. For super-extra credit tell me how to make that time shorter for everyone on the LAN with Cisco or Juniper commands on r2.) I'll give you a hint on understanding this issue. The IETF's grand solution is to replace every ethernet switch in your entire network with new hardware that supports RA Guard, and then deploy new configuration on every single port of every single device in your network. Please develop a capital justification plan for Mr MoneyBagsCEO for replacing every switch in your network so you can safely deploy IPv6. Now do you understand why people just want to put the route in DHCPv6 and move on? It's not a feature that's different between the two, it's that operationally they have entirely different attack surfaces and failure modes. And yes, it involves people doing stupid things. However if the IETF is going to rely on smart people deploying networking devices we might as well give up and go home now. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
On Dec 30, 2013, at 4:37 PM, Victor Kuarsingh vic...@jvknet.com wrote: On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard l...@asgard.org wrote: The better question is are you using RIP or ICMP to set gateways in your network now? I disagree that that's a better question. I'm not using RIP because my hosts don't support it (at least, not without additional configuration), and it would be a very unusual configuration, adding weight and complexity for no benefit. RAs are the opposite. Not even sure how you would use ICMP to set a default gateway. Maybe there's a field I'm unaware of. [VK] The RIP comparison is somewhat confusing to me. I don't see how RIP is comparable in this context (I guess technically you can pass a default route in RIP, but as Lee mentions, the protocol is designed for a different purpose and requires configuration). There was a time, I'm going to roughly guess approximately 1987-1992, although I may be off by a year or two, that you needed to have lived through for this to make sense. You see, in that time the available IGP was, well, RIP. RIPv1. Routers, at least ones you could buy, did not have OSPF, EIGRP, or even in many cases EGP/BGP. They had RIPv1, and perhaps some bleeding edge Cisco's had IGRP. So almost every campus network ran RIPv1. This is also pre-CIDR, so remember every subnet had to have the same mask. For instance the University I went to had a /16, divided into entirely /22 networks for each LAN. The RIP config enabled it for the entire /16. Certain vendors, like Sun (who was popular at the time) shipped SunOS boxes with routed enabled by default, where they received a default route (if the admins filtered) or a full (local) table via RIPv1. In short, there was a time when getting a default route via RIP was in fact common. It was also the time of telnet, and rsh, decidedly pre SSL, ssh, or IPSEC. It was also a time when the Internet came under heavy, well, attack, by people who realized how soft and squishy it was. Injecting a route into RIP allowed you to hijack rsh sessions, for example. Lots of people who were admins at that time learned through personal pain and late night hacking that sending a dynamic route to a box via an unauthenticated protocol was a recipe for disaster. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
What the enterprise folks need is IPv6 champions, like yourself, like Lee, to user stand their use case that even if you don't end up deploying it on your own network you will show up at the IETF, or at least participate on the IETF mailing lists and help them get what they need, so IPv6 deployment can proceed apace. If you really don't think there is harm, help them go get what they (think they?) need. I don’t think there’s harm to including the option for RIO in DHCPv6. I think there is great harm in continuing the use case presented earlier. I have yet to see a use case from enterprise that actually requires RIO or default route in DHCPv6, and I have seen many many use cases. Most of them are, actually, better solved through education, so I tend to focus my efforts in that area. If you can find someone who wants to pay me to plead the enterprise cases to the IETF, I suppose I might be interested in that job if it came with the right offer, but for now, that’s not what I get paid to do. Owen
Re: turning on comcast v6
You can accomplish the same thing in IPv4…. Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network. Yes, you have to pay attention when you plug in a router just like you’d have to pay attention if you plugged in a DHCP server you were getting ready to recycle. Incompetence in execution really isn’t the protocol’s fault. Owen On Dec 30, 2013, at 3:24 PM, Leo Bicknell bickn...@ufp.org wrote: On Dec 30, 2013, at 2:49 PM, Lee Howard l...@asgard.org wrote: I'm not really an advocate for or against DHCP or RAs. I really just want to understand what feature is missing. I encourage you to try this simple experiment in your lab, because this happens all day long on corporate networks around the world, and illustrates the differences quite nicely. While not a complete treatment of the operational differences, it's an important illustration. Configure up a simple network topology of three boxes representing a hub and spoke network: DHCP SVR | --lan--r1--wan--hubrtr--wan--r2--lan Number it up as expected for both protocols: wan links: IPv4 /30, IPv6 /64 lan links: IPv4 /24, IPv6 /64 Drop a DHCP server off the hubrtr, set r1 and r2 to forward DHCP requests to it. Verify a machine plugged into either of the LANs gets a fully functional network for both protocols. Now, take r1 turn it off, and stick it in a closet. You see, that office closed. Normal every day thing. Plug up two PC's to the remaining LAN off r2. This represents your desktop, and your neighbors desktop. Think Bob from accounting perhaps. Open two windows on each, one with an IPv4 ping, one with an IPv6 ping running. Now, boss man comes in and has a new office opening up. Go grab the r1 box out of the closet, you need to upgrade the code and reconfigure it. Cable it up to your PC with a serial port, open some some sort of terminal program so you can catch the boot and password recover it. Plug it's ethernet into your lan, as you're going to need to tftp down new config, and turn it on. Here's what you will soon find: 1) The IPv6 pings on both machines cease to work. 2) The IPv4 network continues to work just fine. Now, for even more fun, turn on another PC, say Sally from HR just rebooted her machine. It will come up in the same state, IPv6 not working, while IPv4 works just fine. Lastly, for extra credit, explain to Mr MoneyBagsCEO why Bob and Sally are now complaining to him that their network is down, again. Make sure you not only understand the technical nuances of why the problem above happened, but also how to explain them to a totally non-technical CEO. (Oh yeah, go ahead and unplug r1 to fix the problem, and observe how long until the pings start working again. I think it's 15 minutes, IIRC. For super-extra credit tell me how to make that time shorter for everyone on the LAN with Cisco or Juniper commands on r2.) I'll give you a hint on understanding this issue. The IETF's grand solution is to replace every ethernet switch in your entire network with new hardware that supports RA Guard, and then deploy new configuration on every single port of every single device in your network. Please develop a capital justification plan for Mr MoneyBagsCEO for replacing every switch in your network so you can safely deploy IPv6. Now do you understand why people just want to put the route in DHCPv6 and move on? It's not a feature that's different between the two, it's that operationally they have entirely different attack surfaces and failure modes. And yes, it involves people doing stupid things. However if the IETF is going to rely on smart people deploying networking devices we might as well give up and go home now. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: turning on comcast v6
On Dec 30, 2013, at 7:51 PM, Owen DeLong o...@delong.com wrote: I have yet to see a use case from enterprise that actually requires RIO or default route in DHCPv6, and I have seen many many use cases. Most of them are, actually, better solved through education, so I tend to focus my efforts in that area. If you can find someone who wants to pay me to plead the enterprise cases to the IETF, I suppose I might be interested in that job if it came with the right offer, but for now, that’s not what I get paid to do. The kinky layer-2 stuff I've seen some places do tells me they won't be able to deploy IPv6 without it. I think the key here is feature parity and the whole 96 more bits no magic aspect. The option is low hanging fruit to solve a problem. Perhaps it's just a conceptual problem (eg: DHCPv4 gives me option #4. I should have a comparable option# in IPv6!). While I may not need option #37 (or folks may not use it), sending a RS in addition to DHCPv6 request is two steps in host configuration, whereas one should be able to suffice (perhaps). It's also about authorization though, I could get a RA back from the RS from an unexpected (rogue) device in the same way I could see a rogue DHCP response as well. I have logging on my DHCP server, but I don't have that capability from a RA/RS stance. One is central (but perhaps relayed), the other is local (and never relayed). Seems a lot of emails over something simple that's not much creep and just parity. (enjoy other great options here: http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml#options .. I need my quotes server for IPv6 via DHCPv6 too). - Jared
Re: turning on comcast v6
On Dec 30, 2013, at 6:56 PM, Owen DeLong o...@delong.com wrote: You can accomplish the same thing in IPv4…. Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network. No, the failure mode is still different. With IPv6 RA's, the rouge router breaks all hosts on the LAN with a single broadcast. With a rogue DHCP server no currently working clients will stop working. In fact many will do directed renews, and never notice said rogue server. It is only a freshly booted host that might be captured by a rogue DHCP server. In a corporate environment the difference between one user getting a rogue DHCP server, being down, and asking for troubleshooting, and taking out an entire department/floor/office is enormous. Yes, you have to pay attention when you plug in a router just like you’d have to pay attention if you plugged in a DHCP server you were getting ready to recycle. Incompetence in execution really isn’t the protocol’s fault. We can't work around incompetent admins. Even the best humans goof from time to time. What we can do is design protocols that are robust, or not in the face of stupidity and accident. I should tell you about the time rogue RA's took down a data center network because in the middle of the night the tech I was talking to couldn't tell if I said port fifteen or port fifty over the phone, and thus plugged the router into the wrong network taking down several hundred hosts. The IPv4 side was fine for the 30 seconds or so until we straightened it out. There's a reason why there's huge efforts to put RA guard in switches, and do cryptographic RA's. These are two admissions that the status quo does not work for many folks, but for some reason these two solutions get pushed over a simple DHCP router assignment option. -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
On 12/30/2013 8:16 PM, Leo Bicknell wrote: There's a reason why there's huge efforts to put RA guard in switches, and do cryptographic RA's. These are two admissions that the status quo does not work for many folks, but for some reason these two solutions get pushed over a simple DHCP router assignment option. The more disturbing feature for those that have been there, done that, debugged the meltdown, and tried to avoid repeating the issue is the growing proliferation of automatic discovery/configuration... whether RA / SLAAC / mDNS / Bonjour / uPnP / (the list goes on...). There are too many opportunities for spoofing / MITM / self-propagating issues. Yes, DHCP is prone to similar issues, but better to focus on one service and one authoritative source to try to lock down than to try to protect the plethora of growing options to introduce issues from arbitrary sources. But as the market focus appears to continue to try to address the home / SOHO environment of naive users, the self-configuration nastiness continues to propagate. It may fit at home / SOHO, but not in the Enterprise, and certainly not in a university environment where you can't be as restrictive on a universal basis as you might like to be :( Jeff signature.asc Description: OpenPGP digital signature
Re: turning on comcast v6
On Mon, Dec 30, 2013 at 6:31 PM, Leo Bicknell bickn...@ufp.org wrote: On Dec 30, 2013, at 4:37 PM, Victor Kuarsingh vic...@jvknet.com wrote: On Mon, Dec 30, 2013 at 3:49 PM, Lee Howard l...@asgard.org wrote: The better question is are you using RIP or ICMP to set gateways in your network now? I disagree that that's a better question. I'm not using RIP because my hosts don't support it (at least, not without additional configuration), and it would be a very unusual configuration, adding weight and complexity for no benefit. RAs are the opposite. Not even sure how you would use ICMP to set a default gateway. Maybe there's a field I'm unaware of. [VK] The RIP comparison is somewhat confusing to me. I don't see how RIP is comparable in this context (I guess technically you can pass a default route in RIP, but as Lee mentions, the protocol is designed for a different purpose and requires configuration). There was a time, I'm going to roughly guess approximately 1987-1992, although I may be off by a year or two, that you needed to have lived through for this to make sense. You see, in that time the available IGP was, well, RIP. RIPv1. Routers, at least ones you could buy, did not have OSPF, EIGRP, or even in many cases EGP/BGP. They had RIPv1, and perhaps some bleeding edge Cisco's had IGRP. So almost every campus network ran RIPv1 [VK] Leo, I understand the case you mention, but I am not sure if this is a parallel to what the subject is on this thread. I would think we are talking - not about routers and servers here - but end hosts (PCs, tablets, home gateways, smart phones, media devices etc.) which would be the beneficiaries of the [DHCPv6] route option information. I still don't think that RIP's prevalence in 20+ year old network environments, and it's lack of use today, draws a comparison to the validity of using RAs. I get that it [RIP] may have been default on may historic boxes, so had similar effect on providing a default route, but the protocol's purpose was not intended to do that for all the hosts on a network (also a world where not all networks were IP as well). RA on the other had was specifically purposed to be used to provide this kind of information to all IPv6 stacks. So I still think we are talking about very different environments in protocol types, purpose and mixture of participating hosts/routers etc. regards, Victor K
Re: turning on comcast v6
Leo, On Mon, Dec 30, 2013 at 6:24 PM, Leo Bicknell bickn...@ufp.org wrote: On Dec 30, 2013, at 2:49 PM, Lee Howard l...@asgard.org wrote: I'm not really an advocate for or against DHCP or RAs. I really just want to understand what feature is missing. I encourage you to try this simple experiment in your lab, because this happens all day long on corporate networks around the world, and illustrates the differences quite nicely. While not a complete treatment of the operational differences, it's an important illustration. Configure up a simple network topology of three boxes representing a hub and spoke network: DHCP SVR | --lan--r1--wan--hubrtr--wan--r2--lan . Here's what you will soon find: 1) The IPv6 pings on both machines cease to work. 2) The IPv4 network continues to work just fine. Yes, in this very specific case, you may get this result. However, this is a very specific case with very specific parameters and conditions. There are also many cases (again specific in nature) which would cause the IPv4 connection to have problems and not the IPv6 connection. As an example, say the failure is now over and we have running state with r1 and r2 as two potential routers out of the LAN to a common WAN for IPv4 and IPv6 connectivity. The DHCPv4 server provides only the address of the r2 router (original on that LAN). Both r1 and r2 provide RAs and the client works over r2 for IPv6 for now. r1 fails, the machines will lose IPv4 connectivity but IPv6 will keep working (as the hosts will detect r1 as unreachable and then use r2). There are a number of assumptions in this use case - but that's the point. One may say that without IPv4, perhaps we have a problem anyway (since I am sure many networks will have some level of dependance on IPv4 for a while) - but the designers of IPv6 will then say that the IPv6 protocol needs to be free from IPv4 baggage to truly succeed IPv4. I am not fighting against the case of the DHCPv6 option, but I am not sure if use cases like the one you mentioned will convince the right audiences that the option is needed. For reference, this concept has died on the vine before - draft-droms-dhc-dhcpv6-default-router-00 as an example. (where technical comments were made to diminish the technical value of using DHCPv6 as an option to provide default gateway information). We can also reference draft-ietf-mif-dhcpv6-route-option from the MIF working group. I think a new initiative to revive this concept will need to address the [negative] points from those previous experiences and contrast them to the operational benefits of having it available. I am willing to help out here, but we need some folks willing to put the use cases together which make a strong case (oh and they will need email stamina). regards, Victor K -- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: turning on comcast v6
On Dec 30, 2013, at 9:29 PM, Victor Kuarsingh vic...@jvknet.com wrote: I think a new initiative to revive this concept will need to address the [negative] points from those previous experiences and contrast them to the operational benefits of having it available. I am willing to help out here, but we need some folks willing to put the use cases together which make a strong case (oh and they will need email stamina). Or, alternatively, operators who care about this and vendors who are interested in accepting money to implement what the operators want could get together and form, oh I dunno, the Internet DHCP Task Force, which could specify/implement the standard way of solving this particular problem... Regards, -drc signature.asc Description: Message signed with OpenPGP using GPGMail
Re: turning on comcast v6
I've been in the process of rolling out IPv6 (again this night) across a very large, highly conservative, and very bureaucratic enterprise. (Roughly 100K employees. More than 600 distinct site. Yada. Yada.) I've had no issues whatsoever implementing the IPv6 RA+DHCPv6 model alongside the IPv4 model. In fact, the IPv6 model has generally been much more straightforward and easy to implement. So I'm a large enterprise operator, not an ISP. Convince me. Because I don't see any need. And if I don't, I'm hard-pressed to see why the IETF would. Scott On Mon, Dec 30, 2013 at 3:49 PM, Owen DeLong o...@delong.com wrote: On Dec 30, 2013, at 10:04 AM, Ryan Harden harde...@uchicago.edu wrote: On Dec 24, 2013, at 8:15 AM, Lee Howard l...@asgard.org wrote: default route information via DHCPv6. That's what I'm still waiting for. Why? You say, The protocol suite doesn't meet my needs; I need default gateway in DHCPv6. So the IETF WG must change for you to deploy IPv6. Why? Lee There are many places that wish to severely restrict or even block RA. Implementations of Captive Portal/NetReg/Bump in the wire auth/etc like to do redirection based on MAC. Many are doing this with very short DHCP leases that hand out different name servers and/or gateways until you properly auth via $method. You might be able to do this with something like RADVD, but when you have systems that have been doing this for IPv4 for years, there’s little interest (read: budget) in rewriting everything for IPv6. While I do not oppose the inclusion of Routing Information into DHCPv6, I have to say that this seems to be one of the weaker arguments. Please permit me to repeat your statement from an IPv6 perspective… Because many places have poorly thought out cruft that deals with deficiencies in IPv4 by doing stunts that won’t work in the current IPv6 implementation and because we don’t want to rewrite our cruft to take advantage of the cleaner solutions available for these problems in IPv6, we demand that you include the cruft from IPv4 into IPv6 in order to support this hackery. 'Rewrite all of your tools and change your long standing business practices’ is a very large barrier to entry to IPv6. If adding gateway as an optional field will help people get over that barrier, why not add it? Sure it doesn’t fit into the “IPv6 way,” but bean counters don’t care much for that when you have to ask for developer time to rewrite everything. You have to rewrite all your tools to handle the bigger addresses anyway. While you’re at it, why not rewrite them to take advantage of cleaner solutions? Disclaimer: I don’t condone said methods and trickery mentioned above, just pointing out their use. So you’re defending a position you don’t share? Interesting tactic. Owen
Re: turning on comcast v6
On Fri, Dec 20, 2013 at 5:25 AM, Lee Howard l...@asgard.org wrote: On 12/20/13 8:07 AM, Jamie Bowden ja...@photon.com wrote: Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. I have a question. Why does DHCP hand out router, net mask, broadcast address, etc. in IPv4; why don't we all just use RIP and be done with it? You don't have to like how enterprise networks are built, but you better acknowledge that they are their own animal that have their own needs and drivers, and telling them that the way their networks are built are wrong and they need to change their whole architecture, separation of service, security model, etc. to fit your idea of perfection isn't winning friends. You are, however, influencing people. Perhaps not in the manner you intended. So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? default route information via DHCPv6. That's what I'm still waiting for. Matt
RE: turning on comcast v6
From: Owen DeLong [mailto:o...@delong.com] I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. No, no, no, a thousand times no. I'm sure RA is great for small SOHO networks and for ISPs as a means to hand out resources, but in a corporate environment, we hate you. How many times do the IPv6 people have to hear that until DHCPv6 reaches feature parity with DCHPv4, IPv6 is dead to enterprise networks? Jamie
Re: turning on comcast v6
On 12/20/13 7:36 AM, Jamie Bowden ja...@photon.com wrote: From: Owen DeLong [mailto:o...@delong.com] I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. No, no, no, a thousand times no. I'm sure RA is great for small SOHO networks and for ISPs as a means to hand out resources, but in a corporate environment, we hate you. How many times do the IPv6 people have to hear that until DHCPv6 reaches feature parity with DCHPv4, IPv6 is dead to enterprise networks? Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. Lee Jamie
Re: turning on comcast v6
On 12/20/2013 12:30 AM, Owen DeLong wrote: I'd like to encourage people to use prefix-hint=::/48. The router should accept the /60 and deal with it, but it's better to have Comcast's logs show that you requested a proper full-size prefix. I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. From what I'm told add-default-route=yes is a hack by RouterOS developers to add a default route via the link local address you receive DHCP packets from. This will break of course if DHCP server != intended default gateway http://forum.mikrotik.com/viewtopic.php?f=2t=64595hilit=IA_PD In the case of Comcast (and anecdotally ISC DHCP) - You'll either need to wait out the the lease time (4 days) or ask Comcast to nicely clear out your /64 lease manually. Release/renew doesn't release your current DHCP lease. I was getting A /64 and /60 (/64 had a preference of 255) before Comcast removed the /64 lease manually. Is it somehow harmful to have both? Yeah.. RouterOS doesn't install both prefixes into the IPv6 pool used for assigning prefixes to your LAN interfaces. RouterOS is able to encapsulate sniffed packets into a TZSP container and forward them to a host of your choice. I was able to get a PCAP of my DHCPv6 packets between Comcast and I. There were two Advertise packets from Comcast (/64 followed by /60) and RouterOS only replied with (1) Request for the /64
RE: turning on comcast v6
From: Lee Howard [mailto:l...@asgard.org] On 12/20/13 7:36 AM, Jamie Bowden ja...@photon.com wrote: From: Owen DeLong [mailto:o...@delong.com] I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. No, no, no, a thousand times no. I'm sure RA is great for small SOHO networks and for ISPs as a means to hand out resources, but in a corporate environment, we hate you. How many times do the IPv6 people have to hear that until DHCPv6 reaches feature parity with DCHPv4, IPv6 is dead to enterprise networks? Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. I have a question. Why does DHCP hand out router, net mask, broadcast address, etc. in IPv4; why don't we all just use RIP and be done with it? You don't have to like how enterprise networks are built, but you better acknowledge that they are their own animal that have their own needs and drivers, and telling them that the way their networks are built are wrong and they need to change their whole architecture, separation of service, security model, etc. to fit your idea of perfection isn't winning friends. You are, however, influencing people. Perhaps not in the manner you intended. Jamie
Re: turning on comcast v6
On 12/20/13 8:07 AM, Jamie Bowden ja...@photon.com wrote: Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. I have a question. Why does DHCP hand out router, net mask, broadcast address, etc. in IPv4; why don't we all just use RIP and be done with it? You don't have to like how enterprise networks are built, but you better acknowledge that they are their own animal that have their own needs and drivers, and telling them that the way their networks are built are wrong and they need to change their whole architecture, separation of service, security model, etc. to fit your idea of perfection isn't winning friends. You are, however, influencing people. Perhaps not in the manner you intended. So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? There are business reasons to run IPv6. The fact that it's different than IPv4 is not a reason not to use it. Lee Jamie
RE: turning on comcast v6
With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 -Original Message- From: Lee Howard [mailto:l...@asgard.org] Sent: Friday, December 20, 2013 8:25 AM To: Jamie Bowden; Owen DeLong; m...@kenweb.org Cc: North American Network Operators' Group Subject: Re: turning on comcast v6 On 12/20/13 8:07 AM, Jamie Bowden ja...@photon.com wrote: Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. I have a question. Why does DHCP hand out router, net mask, broadcast address, etc. in IPv4; why don't we all just use RIP and be done with it? You don't have to like how enterprise networks are built, but you better acknowledge that they are their own animal that have their own needs and drivers, and telling them that the way their networks are built are wrong and they need to change their whole architecture, separation of service, security model, etc. to fit your idea of perfection isn't winning friends. You are, however, influencing people. Perhaps not in the manner you intended. So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? There are business reasons to run IPv6. The fact that it's different than IPv4 is not a reason not to use it. Lee Jamie
Re: turning on comcast v6
Thus spake Jamie Bowden (ja...@photon.com) on Fri, Dec 20, 2013 at 01:07:27PM +: From: Lee Howard [mailto:l...@asgard.org] On 12/20/13 7:36 AM, Jamie Bowden ja...@photon.com wrote: From: Owen DeLong [mailto:o...@delong.com] I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. No, no, no, a thousand times no. I'm sure RA is great for small SOHO networks and for ISPs as a means to hand out resources, but in a corporate environment, we hate you. How many times do the IPv6 people have to hear that until DHCPv6 reaches feature parity with DCHPv4, IPv6 is dead to enterprise networks? Strange, I have an enterprise network with some segments running ipv6 for over a decade ;-) Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. I have a question. Why does DHCP hand out router, net mask, broadcast address, etc. in IPv4; why don't we all just use RIP and be done with it? I think you mean IRDP/rfc1256. We used to run quite a bit of that, too. Dale
Re: turning on comcast v6
On Fri, 20 Dec 2013 12:36:38 +, Jamie Bowden said: How many times do the IPv6 people have to hear that until DHCPv6 reaches feature parity with DCHPv4, IPv6 is dead to enterprise networks? How many times do the IPv4 people have to hear that many sites are running IPv6 on enterprise networks, and maybe that whole DHCPv6 thing is not as big a deal as you think? pgpa5XxDtkTr4.pgp Description: PGP signature
Re: turning on comcast v6
On 12/20/2013 05:25 AM, Lee Howard wrote: So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? Rather obviously the protocol designers, since they are clearly out of touch with real-world requirements. RA/SLAAC was a clever idea 20 years ago, and still has value for its original intended purpose, putting dumb clients on the net. However in the time since IPng DHCP won the day. Enterprises have their own administrative structures that work with v4, and see no reason to have to change them to accommodate the lofty goals of the IPv6 luminati. Keep in mind that the vast majority of enterprises are happy with their v4 NATs, aren't affected by address exhaustion issues, and have no reason to move to v6. I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? Apples and cumquats. There are business reasons to run IPv6. The fact that it's different than IPv4 is not a reason not to use it. ... except that enterprises have been saying for over a decade that full-featured DHCP is a requirement before they will even look at v6. Not to mention the inherent insecurity of RA/SLAAC, which has yet to be robustly addressed. Yes, rogue DHCP servers are still possible, but the effects are more manageable and arguably easier to mitigate; not to mention the better security for this that is built into most modern networking gear already. Doug
Re: turning on comcast v6
On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote: With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. RA and VRRP are not mutually exclusive. What you can’t have (currently) is routing information distributed by a DHCP server which may or may not actually know anything about the routing environment to which it is sending such information. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. There’s no problem doing this in IPv6. You can easily statically address a system and you can easily turn off privacy addresses. You can even do that and still get your default router via RA or you can statically configure the default router address. As such, can someone please explain what is the actual missing or problematic requirement for the corporate world? Owen Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 -Original Message- From: Lee Howard [mailto:l...@asgard.org] Sent: Friday, December 20, 2013 8:25 AM To: Jamie Bowden; Owen DeLong; m...@kenweb.org Cc: North American Network Operators' Group Subject: Re: turning on comcast v6 On 12/20/13 8:07 AM, Jamie Bowden ja...@photon.com wrote: Parity isn't enough information; what features are missing? RA is part of IPv6, but you don't have to use SLAAC. I'd say it's the DHC people who need to hear it, not the IPv6 people, but YMMV. I have a question. Why does DHCP hand out router, net mask, broadcast address, etc. in IPv4; why don't we all just use RIP and be done with it? You don't have to like how enterprise networks are built, but you better acknowledge that they are their own animal that have their own needs and drivers, and telling them that the way their networks are built are wrong and they need to change their whole architecture, separation of service, security model, etc. to fit your idea of perfection isn't winning friends. You are, however, influencing people. Perhaps not in the manner you intended. So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? I used to run an enterprise network. It was very different from an ISP network. I didn't say, You're wrong! I said, What's missing? There are business reasons to run IPv6. The fact that it's different than IPv4 is not a reason not to use it. Lee Jamie
Re: turning on comcast v6
On Fri, 20 Dec 2013 15:16:57 -0500, Doug Barton do...@dougbarton.us wrote: On 12/20/2013 05:25 AM, Lee Howard wrote: So there's an interesting question. You suggest there's a disagreement between enterprise network operators and protocol designers. Who should change? Rather obviously the protocol designers, since they are clearly out of touch with real-world requirements. RA/SLAAC was a clever idea 20 years ago... Actually, it was long ago abandoned IPv4 technology... IPng didn't remember the horrible days of IPv4's ICMP Router Advertisement. (i.e. used SunOS 4, or understand *why* you touch /etc/notrouter during installation) IPv6 didn't have DHCP because the committee had a deep, genetic, hatred of DHCP. (rumor has it, saying D-H-C-P would get you removed from the WG. :-)) IPv6 is the poster child for everything that's wrong with Designed By Committee. (too much politics and too many personal agendas)
Re: turning on comcast v6
On Dec 20, 2013, at 3:23 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote: With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. RA and VRRP are not mutually exclusive. What you can’t have (currently) is routing information distributed by a DHCP server which may or may not actually know anything about the routing environment to which it is sending such information. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. There’s no problem doing this in IPv6. You can easily statically address a system and you can easily turn off privacy addresses. You can even do that and still get your default router via RA or you can statically configure the default router address. As such, can someone please explain what is the actual missing or problematic requirement for the corporate world? Owen Reality. Owen, not all OS and especially hardware appliances (dedicated NTP appliances, UPS cards, ILO), etc... will work with RA and static addresses. They just don't. Some OS's won't disable SLAAC unless you disable autoconf on the switch. When you do that, they loose the ability to pickup RA. Some will only work with link local gateway addresses, some will only work with link global gateway addresses. There is a lot of cruft out there in the enterprise world that claims IPv6 compatibility, but in the real world doesn't work consistently. Almost all can be made to work, but require custom configuration. Far too much work for many organizations to see value in deployment. In at least on IT department I know of, IPv6 is banned because the CIO read about one of the advantages of IPv6 is bringing back the p2p model of IP, and most corporate management has zero interest in having any p2p connectivity within their network. For our desktop environments (Windows 7 and RHEL6) we have two different configurations on the switches on separate VLANs using SLAAC with DHPCv6 and that works fine with RA announcing the NHRP. Other equipment, not so much.
Re: turning on comcast v6
On Dec 20, 2013, at 12:50 PM, Matthew Huff mh...@ox.com wrote: On Dec 20, 2013, at 3:23 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote: With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. RA and VRRP are not mutually exclusive. What you can’t have (currently) is routing information distributed by a DHCP server which may or may not actually know anything about the routing environment to which it is sending such information. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. There’s no problem doing this in IPv6. You can easily statically address a system and you can easily turn off privacy addresses. You can even do that and still get your default router via RA or you can statically configure the default router address. As such, can someone please explain what is the actual missing or problematic requirement for the corporate world? Owen Reality. Owen, not all OS and especially hardware appliances (dedicated NTP appliances, UPS cards, ILO), etc... will work with RA and static addresses. They just don't. Some OS's won't disable SLAAC unless you disable autoconf on the switch. When you Not all devices have working IPv6 stacks. OK, they’re broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. do that, they loose the ability to pickup RA. Some will only work with link local gateway addresses, some will only work with link global gateway addresses. There is a lot of cruft out there in the enterprise world that claims IPv6 Link Local gateway addresses are required functionality in IPv6. A device which requires a global gateway address is broken. See above. compatibility, but in the real world doesn't work consistently. Almost all can be made to work, but require custom configuration. Far too much work for many organizations to see value in deployment. In at least on IT department I know of, IPv6 is banned because the CIO read about one of the “advantages of IPv6 is bringing back the p2p model of IP, and most corporate management has zero interest in having any p2p connectivity within their network. IPv4 didn’t work perfectly in the beginning either. Enterprises spent many years getting vendors to correct issues with their iPv4 products and we’re just starting that process with IPv6. I’m asking what’s broken in the protocol design since that’s what the IETF can attempt to fix. For our desktop environments (Windows 7 and RHEL6) we have two different configurations on the switches on separate VLANs using SLAAC with DHPCv6 and that works fine with RA announcing the NHRP. Other equipment, not so much. Sounds like you need to contact the vendors for that other equipment and get them to fix their IPv6 implementations. Owen
Re: turning on comcast v6
On Fri, 20 Dec 2013 15:50:12 -0500, Matthew Huff said: There is a lot of cruft out there in the enterprise world that claims IPv6 compatibility, but in the real world doesn't work consistently. Almost all can be made to work, but require custom configuration. The exact same thing has been said about most IPv4 equipment, but I don't see anybody yelling to get rid of IPv4 because there's *still* wonky hardware out there all these decades after adoption. pgpOzh_sEknUP.pgp Description: PGP signature
Re: turning on comcast v6
Not all devices have working IPv6 stacks. OK, they’re broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. I don't know that this is a practical option... for say some systems I know that don't do v6 properly or at all, and which have buying cycles on the 10yr horizon, not 2yrs/etc. BUT... so what? you can do v4/v6 on the same LAN, right? just only use the v4 bits for those devices? I don't think 'eh, toss out your crap, buy new crap' is the right message to send. 'you can cohabitate, this isn't virginia' is though. -chris
Re: turning on comcast v6
In message CAL9jLaa=qkumlc7djtmru92f3tqcyp3ehr060nrcfkg-ho+...@mail.gmail.com, Christopher Morrow writes: Not all devices have working IPv6 stacks. OK, they're broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. I don't know that this is a practical option... for say some systems I know that don't do v6 properly or at all, and which have buying cycles on the 10yr horizon, not 2yrs/etc. And I hate to say it but people have been saying for over a decade. * request support IPv6 in the products you are purchasing. * test the IPv6 support. * report the bugs found so they can be fixed. This situation was foreseen. Too many people just left this for later and later is here now and the fixes will come too late for some. BUT... so what? you can do v4/v6 on the same LAN, right? just only use the v4 bits for those devices? I don't think 'eh, toss out your crap, buy new crap' is the right message to send. 'you can cohabitate, this isn't virginia' is though. -chris -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: turning on comcast v6
Owen, Have you ever worked in a corporate environment? Replacing equipment can be a 5-7 year window and has to be justified and budgeted. Replacing a piece of equipment because it's an incomplete IPv6 implementation (which has changed considerably as it has been deployed), isn't feasible. There are a lot of things that have changed as IPv6 has been deployed such as DHCPv6 (not even talking about setting default GW via DHCP, but things such as DNS servers, DNS domain name, etc). Not all vendors especially ones in niche markets can update the firmwares that often, and certainly not unless they have a business justification. On Dec 20, 2013, at 4:07 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 12:50 PM, Matthew Huff mh...@ox.com wrote: On Dec 20, 2013, at 3:23 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote: With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. RA and VRRP are not mutually exclusive. What you can’t have (currently) is routing information distributed by a DHCP server which may or may not actually know anything about the routing environment to which it is sending such information. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. There’s no problem doing this in IPv6. You can easily statically address a system and you can easily turn off privacy addresses. You can even do that and still get your default router via RA or you can statically configure the default router address. As such, can someone please explain what is the actual missing or problematic requirement for the corporate world? Owen Reality. Owen, not all OS and especially hardware appliances (dedicated NTP appliances, UPS cards, ILO), etc... will work with RA and static addresses. They just don't. Some OS's won't disable SLAAC unless you disable autoconf on the switch. When you Not all devices have working IPv6 stacks. OK, they’re broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. do that, they loose the ability to pickup RA. Some will only work with link local gateway addresses, some will only work with link global gateway addresses. There is a lot of cruft out there in the enterprise world that claims IPv6 Link Local gateway addresses are required functionality in IPv6. A device which requires a global gateway address is broken. See above. compatibility, but in the real world doesn't work consistently. Almost all can be made to work, but require custom configuration. Far too much work for many organizations to see value in deployment. In at least on IT department I know of, IPv6 is banned because the CIO read about one of the “advantages of IPv6 is bringing back the p2p model of IP, and most corporate management has zero interest in having any p2p connectivity within their network. IPv4 didn’t work perfectly in the beginning either. Enterprises spent many years getting vendors to correct issues with their iPv4 products and we’re just starting that process with IPv6. I’m asking what’s broken in the protocol design since that’s what the IETF can attempt to fix. For our desktop environments (Windows 7 and RHEL6) we have two different configurations on the switches on separate VLANs using SLAAC with DHPCv6 and that works fine with RA announcing the NHRP. Other equipment, not so much. Sounds like you need to contact the vendors for that other equipment and get them to fix their IPv6 implementations. Owen
Re: turning on comcast v6
You can request a fully working IPv6 implementation, but it's not going to stop a purchasing if it doesn't. If you are deciding between two vendors and one is better/cheaper and doesn't have IPv6 and you choose the other, it's likely you will be looking for another job. There is no strong justification for deploying IPv6 in a corporate enterprise currently. Corporate world is focused on the next quarter, not at a 10 year horizon. We decided to roll it out for a number of reasons. One, we had time this summer. Two, we figured it would highlight inherent issues already in our environment (it did, and we found a few doozies), and finally it was a good intellectual exercise. We have it running on all over our desktops, and most of our servers (some issues with license management software and other legacy software prevents us from deploying it on all servers) If we had an orderly shutdown of our IPv6 environment, there would be zero impact to the business. In fact, due to complexity issues, it would arguably we would arguably be better off without it. Perhaps in a few years things will be different. My bet is that even in 5 years, corporate adoption will be very small, maybe as low as 10%. On Dec 20, 2013, at 4:51 PM, Mark Andrews ma...@isc.org wrote: In message CAL9jLaa=qkumlc7djtmru92f3tqcyp3ehr060nrcfkg-ho+...@mail.gmail.com, Christopher Morrow writes: Not all devices have working IPv6 stacks. OK, they're broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. I don't know that this is a practical option... for say some systems I know that don't do v6 properly or at all, and which have buying cycles on the 10yr horizon, not 2yrs/etc. And I hate to say it but people have been saying for over a decade. * request support IPv6 in the products you are purchasing. * test the IPv6 support. * report the bugs found so they can be fixed. This situation was foreseen. Too many people just left this for later and later is here now and the fixes will come too late for some. BUT... so what? you can do v4/v6 on the same LAN, right? just only use the v4 bits for those devices? I don't think 'eh, toss out your crap, buy new crap' is the right message to send. 'you can cohabitate, this isn't virginia' is though. -chris -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: turning on comcast v6
On Dec 20, 2013, at 14:27 , Matthew Huff mh...@ox.com wrote: You can request a fully working IPv6 implementation, but it's not going to stop a purchasing if it doesn't. If you are deciding between two vendors and one is better/cheaper and doesn't have IPv6 and you choose the other, it's likely you will be looking for another job. There is no strong justification for deploying IPv6 in a corporate enterprise currently. Corporate world is focused on the next quarter, not at a 10 year horizon. Which is it? You need equipment that's right for the next 5-7 years, or, you need to focus on next quarter and not a 10 year horizon? We decided to roll it out for a number of reasons. One, we had time this summer. Two, we figured it would highlight inherent issues already in our environment (it did, and we found a few doozies), and finally it was a good intellectual exercise. We have it running on all over our desktops, and most of our servers (some issues with license management software and other legacy software prevents us from deploying it on all servers) This seems wise. Hopefully you're working with your vendors on getting those issues resolved. If we had an orderly shutdown of our IPv6 environment, there would be zero impact to the business. In fact, due to complexity issues, it would arguably we would arguably be better off without it. Perhaps in a few years things will be different. My bet is that even in 5 years, corporate adoption will be very small, maybe as low as 10%. Maybe... However, what do you plan to do when your employees don't have IPv4 connectivity at home any more? That's likely going to either go away or get a lot more expensive in about 5-7 years. That's not just my prediction... Lee Howard has some pretty good information to back it up. Check out his presentation from the Denver Inet in April of this year. Owen On Dec 20, 2013, at 4:51 PM, Mark Andrews ma...@isc.org wrote: In message CAL9jLaa=qkumlc7djtmru92f3tqcyp3ehr060nrcfkg-ho+...@mail.gmail.com, Christopher Morrow writes: Not all devices have working IPv6 stacks. OK, they're broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. I don't know that this is a practical option... for say some systems I know that don't do v6 properly or at all, and which have buying cycles on the 10yr horizon, not 2yrs/etc. And I hate to say it but people have been saying for over a decade. * request support IPv6 in the products you are purchasing. * test the IPv6 support. * report the bugs found so they can be fixed. This situation was foreseen. Too many people just left this for later and later is here now and the fixes will come too late for some. BUT... so what? you can do v4/v6 on the same LAN, right? just only use the v4 bits for those devices? I don't think 'eh, toss out your crap, buy new crap' is the right message to send. 'you can cohabitate, this isn't virginia' is though. -chris -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: turning on comcast v6
On Dec 20, 2013, at 14:16 , Matthew Huff mh...@ox.com wrote: Owen, Have you ever worked in a corporate environment? Replacing equipment can be a 5-7 year window and has to be justified and budgeted. Replacing a piece of equipment because it's an incomplete IPv6 implementation (which has changed considerably as it has been deployed), isn't feasible. There are a lot of things that have changed as IPv6 has been deployed such as DHCPv6 (not even talking about setting default GW via DHCP, but things such as DNS servers, DNS domain name, etc). Not all vendors especially ones in niche markets can update the firmwares that often, and certainly not unless they have a business justification. Yes, I have. We've been advocating that people look at the IPv6 capabilities they need from their vendors, test, report bugs, and insist on working IPv6 implementations for more than 10 years now. The DHCPv6 RFC (3315) was published in July, 2003. DHCPv6 has not actually changed all that significantly and the provisions for DHCPv6 in RAs were standardized around the same time as RFC-3315. The most recent significant change in RAs I can come up with is RFC-6106 which is 2010, but it's entirely optional and just adds DNS search string capabilities to RFC-5006 which goes back to September, 2007. So unless you have a change you can point to that is more recent than 2007, I think we've got the 5-7 year thing pretty well covered. Owen On Dec 20, 2013, at 4:07 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 12:50 PM, Matthew Huff mh...@ox.com wrote: On Dec 20, 2013, at 3:23 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote: With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. RA and VRRP are not mutually exclusive. What you can’t have (currently) is routing information distributed by a DHCP server which may or may not actually know anything about the routing environment to which it is sending such information. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. There’s no problem doing this in IPv6. You can easily statically address a system and you can easily turn off privacy addresses. You can even do that and still get your default router via RA or you can statically configure the default router address. As such, can someone please explain what is the actual missing or problematic requirement for the corporate world? Owen Reality. Owen, not all OS and especially hardware appliances (dedicated NTP appliances, UPS cards, ILO), etc... will work with RA and static addresses. They just don't. Some OS's won't disable SLAAC unless you disable autoconf on the switch. When you Not all devices have working IPv6 stacks. OK, they’re broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. do that, they loose the ability to pickup RA. Some will only work with link local gateway addresses, some will only work with link global gateway addresses. There is a lot of cruft out there in the enterprise world that claims IPv6 Link Local gateway addresses are required functionality in IPv6. A device which requires a global gateway address is broken. See above. compatibility, but in the real world doesn't work consistently. Almost all can be made to work, but require custom configuration. Far too much work for many organizations to see value in deployment. In at least on IT department I know of, IPv6 is banned because the CIO read about one of the “advantages of IPv6 is bringing back the p2p model of IP, and most corporate management has zero interest in having any p2p connectivity within their network. IPv4 didn’t work perfectly in the beginning either. Enterprises spent many years getting vendors to correct issues with their iPv4 products and we’re just starting that process with IPv6. I’m asking what’s broken in the protocol design since that’s what the IETF can attempt to fix. For our desktop environments (Windows 7 and RHEL6) we have two different configurations on the switches on separate VLANs using SLAAC with DHPCv6 and that works fine with RA announcing the NHRP. Other equipment, not so much. Sounds like you need to contact the vendors for that other equipment and get them to fix their IPv6 implementations. Owen
Re: turning on comcast v6
On Fri, Dec 20, 2013 at 5:16 PM, Matthew Huff mh...@ox.com wrote: Owen, Have you ever worked in a corporate environment? Replacing equipment can be a 5-7 year window and has to be justified and budgeted. Replacing a piece of equipment because it's an incomplete IPv6 implementation (which has changed considerably as it has been deployed), isn't feasible. Not to put words in Owen's mouth, but let me explain how I interpret what he was saying: Vote with your feet. It's simple ... maybe you can't replace everything in your network that doesn't support IPv6, ( I wish we all had that kind of discretionary budgets) but you can still base purchasing decisions on IPv6 support, and by and large, that isn't happening. Enterprise purchasing just isn't driven by IPv6 features ... if anything, its a check box feature for vendors and ignored by decision makers. Until the enterprise says to the widget salesperson: i'm not buying this until and unless you truly commit to supporting IPv6 we're stuck where we are. We don't necessarily need you to replace everything in your network that doesn't support it today, we need you to not put a single thing in your network new, or used, that doesn't. Believe me, the vendors will get the message and suddenly even the legacy stuff will start to be fixed. Remember what a PITA it was to get novel to support IPv4? They didn't do it until they had to. -e There are a lot of things that have changed as IPv6 has been deployed such as DHCPv6 (not even talking about setting default GW via DHCP, but things such as DNS servers, DNS domain name, etc). Not all vendors especially ones in niche markets can update the firmwares that often, and certainly not unless they have a business justification. On Dec 20, 2013, at 4:07 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 12:50 PM, Matthew Huff mh...@ox.com wrote: On Dec 20, 2013, at 3:23 PM, Owen DeLong o...@delong.com wrote: On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote: With RA, what is the smallest interval failover will work? Compare that with NHRP such as HSRP, VRRP, etc with sub-second failover. RA and VRRP are not mutually exclusive. What you can’t have (currently) is routing information distributed by a DHCP server which may or may not actually know anything about the routing environment to which it is sending such information. In corporate networks most of the non-client systems will be statically addressed with privacy addresses turned off. This is for regulatory, audit, security and monitoring requirement. One of the many challenges of ipv6 in a corporate environment. There’s no problem doing this in IPv6. You can easily statically address a system and you can easily turn off privacy addresses. You can even do that and still get your default router via RA or you can statically configure the default router address. As such, can someone please explain what is the actual missing or problematic requirement for the corporate world? Owen Reality. Owen, not all OS and especially hardware appliances (dedicated NTP appliances, UPS cards, ILO), etc... will work with RA and static addresses. They just don't. Some OS's won't disable SLAAC unless you disable autoconf on the switch. When you Not all devices have working IPv6 stacks. OK, they’re broken, complain to the vendor and get them to fix their product or buy a working product from a different vendor. do that, they loose the ability to pickup RA. Some will only work with link local gateway addresses, some will only work with link global gateway addresses. There is a lot of cruft out there in the enterprise world that claims IPv6 Link Local gateway addresses are required functionality in IPv6. A device which requires a global gateway address is broken. See above. compatibility, but in the real world doesn't work consistently. Almost all can be made to work, but require custom configuration. Far too much work for many organizations to see value in deployment. In at least on IT department I know of, IPv6 is banned because the CIO read about one of the “advantages of IPv6 is bringing back the p2p model of IP, and most corporate management has zero interest in having any p2p connectivity within their network. IPv4 didn’t work perfectly in the beginning either. Enterprises spent many years getting vendors to correct issues with their iPv4 products and we’re just starting that process with IPv6. I’m asking what’s broken in the protocol design since that’s what the IETF can attempt to fix. For our desktop environments (Windows 7 and RHEL6) we have two different configurations on the switches on separate VLANs using SLAAC with DHPCv6 and that works fine with RA announcing the NHRP. Other equipment, not so much. Sounds like you need to contact the vendors for that other equipment and get them to fix their IPv6 implementations. Owen
Re: turning on comcast v6
I did an OK job of getting my Linksys E2100L working with Comcast v6 on OpenWRT. It is not officially supported on this platform per se, but a simple hack of the source for WRT160NL allows it to be built. Since I was already rolling my own firmware, I checked the box for 'ipv6' and got the attached result. It works out of the oven, as in I did absolutely no troubleshooting beyond booting and looking to see the ipv6 chicken. If anyone wants more details on exactly what I selected in the menuconfig let me know. login as: root root@192.168.0.1's password: BusyBox v1.19.4 (2013-11-11 17:20:10 EST) built-in shell (ash) Enter 'help' for a list of built-in commands. ___ __ | |.-.-.-.| | | |..| |_ | - || _ | -__| || | | || _|| _| |___|| __|_|__|__||||__| || |__| W I R E L E S S F R E E D O M - BARRIER BREAKER (Bleeding Edge, r38744) - * 1/2 oz Galliano Pour all ingredients into * 4 oz cold Coffeean irish coffee mug filled * 1 1/2 oz Dark Rum with crushed ice. Stir. * 2 tsp. Creme de Cacao - root@OpenWrt:~# opkg list 6relayd - 2013-10-21-ad00c3dd9ee42f172870708724858ab502b3a689 base-files - 147-r38744 busybox - 1.19.4-7 dnsmasq - 2.66-5 dropbear - 2013.59-1 firewall - 2013-10-23 ip6tables - 1.4.20-1 iptables - 1.4.20-1 iw - 3.10-1 jshn - 2013-10-30-a34c8f6918c291275ded2b6fd9b94ac91722ded2 kernel - 3.10.18-1-6127216e96a5793516c624e09001f8a2 kmod-ath - 3.10.18+2013-06-27-1 kmod-ath9k - 3.10.18+2013-06-27-1 kmod-ath9k-common - 3.10.18+2013-06-27-1 kmod-cfg80211 - 3.10.18+2013-06-27-1 kmod-crypto-aes - 3.10.18-1 kmod-crypto-arc4 - 3.10.18-1 kmod-crypto-core - 3.10.18-1 kmod-crypto-hash - 3.10.18-1 kmod-crypto-manager - 3.10.18-1 kmod-crypto-pcompress - 3.10.18-1 kmod-gpio-button-hotplug - 3.10.18-1 kmod-ip6tables - 3.10.18-1 kmod-ipt-conntrack - 3.10.18-1 kmod-ipt-core - 3.10.18-1 kmod-ipt-nat - 3.10.18-1 kmod-ipt-nathelper - 3.10.18-1 kmod-ipv6 - 3.10.18-1 kmod-leds-gpio - 3.10.18-1 kmod-ledtrig-default-on - 3.10.18-1 kmod-ledtrig-netdev - 3.10.18-1 kmod-ledtrig-timer - 3.10.18-1 kmod-ledtrig-usbdev - 3.10.18-1 kmod-lib-crc-ccitt - 3.10.18-1 kmod-mac80211 - 3.10.18+2013-06-27-1 kmod-nls-base - 3.10.18-1 kmod-ppp - 3.10.18-1 kmod-pppoe - 3.10.18-1 kmod-pppox - 3.10.18-1 kmod-slhc - 3.10.18-1 kmod-usb-core - 3.10.18-1 kmod-usb-ohci - 3.10.18-1 kmod-usb2 - 3.10.18-1 libblobmsg-json - 2013-10-30-a34c8f6918c291275ded2b6fd9b94ac91722ded2 libc - 0.9.33.2-1 libgcc - 4.6-linaro-1 libip4tc - 1.4.20-1 libip6tc - 1.4.20-1 libiwinfo - 47 libiwinfo-lua - 47 libjson-c - 0.11-2 libjson-script - 2013-10-30-a34c8f6918c291275ded2b6fd9b94ac91722ded2 liblua - 5.1.5-1 libnl-tiny - 0.1-3 libopenssl - 1.0.1e-2 libubox - 2013-10-30-a34c8f6918c291275ded2b6fd9b94ac91722ded2 libubus - 2013-11-07-8ea96670367e5dd23988b51ee4f0f790393effaf libubus-lua - 2013-11-07-8ea96670367e5dd23988b51ee4f0f790393effaf libuci - 2013-10-15.1-1 libuci-lua - 2013-10-15.1-1 libxtables - 1.4.20-1 lua - 5.1.5-1 luci - svn-r9934-1 luci-app-firewall - svn-r9934-1 luci-i18n-english - svn-r9934-1 luci-lib-core - svn-r9934-1 luci-lib-ipkg - svn-r9934-1 luci-lib-nixio - svn-r9934-1 luci-lib-sys - svn-r9934-1 luci-lib-web - svn-r9934-1 luci-mod-admin-core - svn-r9934-1 luci-mod-admin-full - svn-r9934-1 luci-proto-core - svn-r9934-1 luci-proto-ipv6 - svn-r9934-1 luci-proto-ppp - svn-r9934-1 luci-sgi-cgi - svn-r9934-1 luci-theme-base - svn-r9934-1 luci-theme-bootstrap - svn-r9934-1 mtd - 20 netifd - 2013-10-31-199723ed921160c029a0d15fa95914ddfcdc5cb9 odhcp6c - 2013-10-29-60c9e4d5a26f530e89ed6254e8c09380b50fac08 opkg - 618-6 ppp - 2.4.5-10 ppp-mod-pppoe - 2.4.5-10 procd - 2013-11-08-315f04d8b823adda96041c17f6672b7790376ccb-1 swconfig - 10 uboot-envtools - 2013.10-1 ubox - 2013-11-07.1-0588218d4bc58b0e099272338decbe4734f5678b-1 ubus - 2013-11-07-8ea96670367e5dd23988b51ee4f0f790393effaf ubusd - 2013-11-07-8ea96670367e5dd23988b51ee4f0f790393effaf uci - 2013-10-15.1-1 uhttpd - 2013-11-11-881d6102cf1f7bc6b54ab395c5e4addbfe1ed34c uhttpd-mod-ubus - 2013-11-11-881d6102cf1f7bc6b54ab395c5e4addbfe1ed34c wpad-mini - 20130807-1 zlib - 1.2.8-1 root@OpenWrt:~# ifconfig br-lanLink encap:Ethernet HWaddr 98:FC:11:XX:XX:XX inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: 2601:x::xxx::1/60 Scope:Global inet6 addr: fe80:::::/64 Scope:Link inet6 addr: fde1::::1/60 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1897 errors:0 dropped:0 overruns:0 frame:0 TX packets:1451 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:269454 (263.1 KiB) TX bytes:1019474 (995.5 KiB) eth0 Link
Re: turning on comcast v6
On 12/11/2013 10:23 PM, Rob Seastrom wrote: Eric Oosting eric.oost...@gmail.com writes: It brings a tear to my eye that it takes: 0) A long standing and well informed internet technologist; 1) specific, and potentially high end, CPE for the res; 2) specific and custom firmware, unsupported by CPE manufacturer ... or anyone; 3) hand installing several additional packages; 4) hand editing config files; 5) sysctl kernel flags; 6) several shout outs to friends and coworkers for assistance (resources many don't have access to); 7) oh, and probably hours and hours twiddling with it. just to get IPv6 to work correctly. Yea, that's TOTALLY reasonable. Pretty much works out of the box on Mikrotik RouterOS if you are secure enough in your geek cred to admit to running such stuff here in this august forum. -r FYI - DHCP-PD is now working better in RouterOS 6.5 Prefix length hints are now available (CLI) only. /ipv6 dhcp-client add add-default-route=yes interface=wan interface pool-name=dhcp-pd \ prefix-hint=::/60 In the case of Comcast (and anecdotally ISC DHCP) - You'll either need to wait out the the lease time (4 days) or ask Comcast to nicely clear out your /64 lease manually. Release/renew doesn't release your current DHCP lease. I was getting A /64 and /60 (/64 had a preference of 255) before Comcast removed the /64 lease manually.
Re: turning on comcast v6
In the case of Comcast (and anecdotally ISC DHCP) - You'll either need to wait out the the lease time (4 days) or ask Comcast to nicely clear out your /64 lease manually. Release/renew doesn't release your current DHCP lease. I was getting A /64 and /60 (/64 had a preference of 255) before Comcast removed the /64 lease manually. that's interesting.. I don't see anything except the /64... even when I ask via the pd sla-len hint for a 60, 62, 63 :(
Re: turning on comcast v6
FYI - DHCP-PD is now working better in RouterOS 6.5 Prefix length hints are now available (CLI) only. /ipv6 dhcp-client add add-default-route=yes interface=wan interface pool-name=dhcp-pd \ prefix-hint=::/60 I'd like to encourage people to use prefix-hint=::/48. The router should accept the /60 and deal with it, but it's better to have Comcast's logs show that you requested a proper full-size prefix. I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. In the case of Comcast (and anecdotally ISC DHCP) - You'll either need to wait out the the lease time (4 days) or ask Comcast to nicely clear out your /64 lease manually. Release/renew doesn't release your current DHCP lease. I was getting A /64 and /60 (/64 had a preference of 255) before Comcast removed the /64 lease manually. Is it somehow harmful to have both? Owen
Re: turning on comcast v6
On Fri, Dec 20, 2013 at 12:30 AM, Owen DeLong o...@delong.com wrote: FYI - DHCP-PD is now working better in RouterOS 6.5 Prefix length hints are now available (CLI) only. /ipv6 dhcp-client add add-default-route=yes interface=wan interface pool-name=dhcp-pd \ prefix-hint=::/60 I'd like to encourage people to use prefix-hint=::/48. The router should accept the /60 and deal with it, but it's better to have Comcast's logs show that you requested a proper full-size prefix. I'm almost afraid to ask about the phrase add-default-route=yes in the dhcp-client configuration. That seems wrong on the face of it since you should be getting your routing information from RA and not DHCP. I think if I ask (via wide-dhcpv6-server) for more than is going to be sent I don't get anything configured at all :( I'm pretty sure I get sent a /64 in the response packet, but I don't install that.. which leads to busted v6 configuration on my device. In the case of Comcast (and anecdotally ISC DHCP) - You'll either need to wait out the the lease time (4 days) or ask Comcast to nicely clear out your /64 lease manually. Release/renew doesn't release your current DHCP lease. I was getting A /64 and /60 (/64 had a preference of 255) before Comcast removed the /64 lease manually. Is it somehow harmful to have both? Owen
Re: turning on comcast v6
On Fri, Dec 20, 2013 at 5:42 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Dec 20, 2013 at 12:30 AM, Owen DeLong o...@delong.com wrote: I'd like to encourage people to use prefix-hint=::/48. ... I think if I ask (via wide-dhcpv6-server) for more than is going to be sent I don't get anything configured at all :( I'm pretty sure I get sent a /64 in the response packet, but I don't install that.. which leads to busted v6 configuration on my device. I concur (with the request a /48, get a /64, not a /60). At least that is how I recall it used to work (I have not tried for some time at this point, and while I know Comcast has changed things in the interim, I am pretty sure I do not want to wait for Comcast to time out a /64 if that is what I end up getting). If someone has better information, I am willing to consider a test. Gary
Re: turning on comcast v6
Kinkaid, Kyle(kkink...@usgs.gov)@Wed, Dec 11, 2013 at 11:46:56AM -0800: On Wed, Dec 11, 2013 at 11:18 AM, Owen DeLong o...@delong.com wrote: It doesn’t. You can get IPv6 working with off-the-shelf equipment if you choose to. Randy chose to use that particular hardware and software combination. I'm curious, do you know of a consumer-grade router which supports DHCPv6-PD? I have been making plans to put OpenWRT on my home router to get IPv6 and have found v6 support quite lacking. Most of the routers seem to like to focus on various transition technologies like 6to4 tunnels. I would love to go to NewEgg and get a home router for $50 (or even $100) that is ready to go. What's more surprising is even Cisco and Juniper have been lagging. The SRX only got DHCPv6-PD support in the last 6 months or so and I don't think the ASA has it yet. However, ISR routers like the 88x and 86x support it. So what it's worth, I'm on Comcast Business, using an ASUS RT-N66U router and a Motorola SB6141 modem. IPv6 Just Works on my network. I don't remember having to do anything strange to the router to make it work, and I'm certainly still running the default firmware. -- Bill Weiss
Re: turning on comcast v6
On Dec 11, 2013, at 10:23 PM, Rob Seastrom r...@seastrom.com wrote: Pretty much works out of the box on Mikrotik RouterOS if you are secure enough in your geek cred to admit to running such stuff here in this august forum. -r I run a few at home and even in an access role at an ISP I work for. They are a bit quirky but generally they work fairly well when configured and left alone. Ryan Wilkins
Re: turning on comcast v6
On Thu, Dec 12, 2013 at 7:55 AM, Ryan Wilkins r...@deadfrog.net wrote: They are a bit quirky but generally they work fairly well when configured and left alone. That describes most every router ever made :) -Steve
Re: turning on comcast v6
They are a bit quirky but generally they work fairly well when configured and left alone. That describes most every router ever made :) except those which burst into flame except those which ...
Re: turning on comcast v6
Randy Bush wrote: http://comcast6.net/ tells me that the local cmts is v6 enabled. my modem, a cisco dpc3008, is in the supported products list. so how do i turn the sucker on? randy after a lot of messing about with the massive help of Chris Adams and John Brzozowski, problem solved. see http://rtechblog.psg.com/ randy
Re: turning on comcast v6
On Wed, Dec 11, 2013 at 8:17 AM, Randy Bush ra...@psg.com wrote: Randy Bush wrote: http://comcast6.net/ tells me that the local cmts is v6 enabled. my modem, a cisco dpc3008, is in the supported products list. so how do i turn the sucker on? randy after a lot of messing about with the massive help of Chris Adams and John Brzozowski, problem solved. see http://rtechblog.psg.com/ It brings a tear to my eye that it takes: 0) A long standing and well informed internet technologist; 1) specific, and potentially high end, CPE for the res; 2) specific and custom firmware, unsupported by CPE manufacturer ... or anyone; 3) hand installing several additional packages; 4) hand editing config files; 5) sysctl kernel flags; 6) several shout outs to friends and coworkers for assistance (resources many don't have access to); 7) oh, and probably hours and hours twiddling with it. just to get IPv6 to work correctly. Yea, that's TOTALLY reasonable. -e randy
Re: turning on comcast v6
On 11/12/2013 15:11, Eric Oosting wrote: just to get IPv6 to work correctly. Yea, that's TOTALLY reasonable. Sounds a bit like configuring access layer ipv4 in the early 1990s. It took years of early production pain to turn it into a commodity product. Nick
Re: turning on comcast v6
On 12/11/2013 10:11 AM, Eric Oosting wrote: It brings a tear to my eye that it takes: 0) A long standing and well informed internet technologist; 1) specific, and potentially high end, CPE for the res; 2) specific and custom firmware, unsupported by CPE manufacturer ... or anyone; 3) hand installing several additional packages; 4) hand editing config files; 5) sysctl kernel flags; 6) several shout outs to friends and coworkers for assistance (resources many don't have access to); 7) oh, and probably hours and hours twiddling with it. just to get IPv6 to work correctly. Yea, that's TOTALLY reasonable. -e randy I wonder if he got any better than a /60 for his troubles... Andrew
