Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-10 Thread Dustin Melancon
Hey Eric, I did not see anyone else post this, but the NANOG BCOP (Best Current Operating Practices) group has released the following document to help guide new IPv6 allocation plans which you and others may find helpful: http://bcop.nanog.org/images/6/62/BCOP-IPv6_Subnetting.pdf Another useful d

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-08 Thread David Barak
> On Jan 30, 2015, at 9:49 PM, Owen DeLong wrote: > > >> On Jan 30, 2015, at 18:07 , William Herrin wrote: >> How about this: when Verizon starts decommissioning its IPv4 >> infrastructure on the basis that IPv6 is widespread enough to no >> longer require the expense of dual-stack, IPv6 will

RE: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-06 Thread Crawford, Scott
On Jan 30, 2015, at 07:37 , Owen DeLong wrote: > /48 for all customer sites is not at all unreasonable and is fully supported > by ARIN policy. >Where Bill is correct is that some customers may have more than one site. The >official >policy definition of a site is a single building or structur

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-01 Thread Tore Anderson
Hi Baldur, * Baldur Norddahl > On 1 February 2015 at 20:10, Tore Anderson wrote: > > > - Tunneling moves the original layer-4 header into another > > encapsulation layer, so e.g. an ACL attempting to match an IPv6 > > HTTP packet using something like "next-header tcp, dst port 80" > > wi

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-01 Thread Baldur Norddahl
On 1 February 2015 at 20:10, Tore Anderson wrote: > - Tunneling moves the original layer-4 header into another > encapsulation layer, so e.g. an ACL attempting to match an IPv6 HTTP > packet using something like "next-header tcp, dst port 80" will not > work. With translation, it will. > B

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-01 Thread Tore Anderson
* William Herrin > T-Mobile uses something called 464XLAT. Don't let the "translation" > part fool you: it's a tunnel. IPv4 in one side, IPv4 out the other. 464XLAT is not a tunnel. Protocol translation is substantially different from tunneling. With tunneling, the original layer-3 header is kept

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-01 Thread Owen DeLong
> Worse, IPv6's promises are falling one by one. You saw an example in > this thread: Eric wants to break up his announcements for traffic > engineering purposes because, as it turns out, one announcement per > ISP isn't actually enough, Registry practices aren't the primary > drivers behind routi

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-01 Thread William Herrin
On Fri, Jan 30, 2015 at 3:23 PM, Tore Anderson wrote: > Kabel Deutschland, T-Mobile USA, and Facebook are examples of companies > who have already or are in the process of moving their network > infrastructure to IPv6-only. Without going bust. Hi Tore, T-Mobile uses something called 464XLAT. Don

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-02-01 Thread Baldur Norddahl
On 30/01/2015 21.23, "Tore Anderson" wrote: > Kabel Deutschland, T-Mobile USA, and Facebook are examples of companies > who have already or are in the process of moving their network > infrastructure to IPv6-only. Without going bust. Assuming larger service providers are using MPLS in some form,

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-31 Thread joel jaeggli
On 1/30/15 8:29 AM, Justin M. Streiner wrote: > On Fri, 30 Jan 2015, Eric Louie wrote: > >> It also sounds like the Internet (aka the upstream/Tier 1 carriers) don't >> want me to advertise anything longer than my /32 into BGPv6. Is that >> true? >> (I'm getting that from the spamming comments ma

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread William Herrin
On Fri, Jan 30, 2015 at 9:48 PM, wrote: > On Fri, 30 Jan 2015 21:07:25 -0500, William Herrin said: > >> How about this: when Verizon starts decommissioning its IPv4 >> infrastructure on the basis that IPv6 is widespread enough to no >> longer require the expense of dual-stack, IPv6 will have achi

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Owen DeLong
> On Jan 30, 2015, at 18:07 , William Herrin wrote: > > On Fri, Jan 30, 2015 at 8:44 PM, Owen DeLong wrote: >> I guess it depends on your definition of ubiquitous, but to me, when a >> protocol >> has the majority of the deployed addresses, I think it counts for this >> purpose. > > LOL, Owe

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Valdis . Kletnieks
On Fri, 30 Jan 2015 21:07:25 -0500, William Herrin said: > How about this: when Verizon starts decommissioning its IPv4 > infrastructure on the basis that IPv6 is widespread enough to no > longer require the expense of dual-stack, IPv6 will have achieved > ubiquity. Using that logic, what does Ve

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread William Herrin
On Fri, Jan 30, 2015 at 8:44 PM, Owen DeLong wrote: > I guess it depends on your definition of ubiquitous, but to me, when a > protocol > has the majority of the deployed addresses, I think it counts for this > purpose. LOL, Owen, IPv6 had that with the first /64 ethernet LAN it was used on. H

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Owen DeLong
> On Jan 30, 2015, at 09:39 , William Herrin wrote: > > On Fri, Jan 30, 2015 at 11:44 AM, Tore Anderson wrote: >> * William Herrin >> >>> Plan on dual-stacking any network which requires >>> access to IPv4 resources such as the public Internet. >> >> For many folks, that's easier said than do

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Owen DeLong
> On Jan 30, 2015, at 07:51 , William Herrin wrote: > > On Thu, Jan 29, 2015 at 6:28 PM, Eric Louie wrote: >> I'm putting together my first IPv6 allocation plan. The general layout: >> /48 for customers universally and uniformly > > Hi Eric, > > Good luck with that. Personally, I'd be inclin

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Owen DeLong
> On Jan 30, 2015, at 07:12 , Karsten Elfenbein > wrote: > > Hi, > > 2015-01-30 0:28 GMT+01:00 Eric Louie : >> I'm putting together my first IPv6 allocation plan. The general layout: >> /48 for customers universally and uniformly >> /38 for larger regions on an even (/37) boundary >> /39 for

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Eric Louie
And, we're in sort of the same predicament - I have no choice on the current infrastructure but to run IPv4. IPv6 is a service we would like to start to offer to new customers in this current infrastructure. And to existing customers who believe that they have the need for IPv6 and have the equip

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Baldur Norddahl
We are talking about different things. If your business is servers, do whatever you want. If you are in the business of selling internet, which quite a few are on this mailing list, you need to be dual stack. We are dual stack towards our customers. On our internal network we are single stack - ipv

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Justin M. Streiner
On Fri, 30 Jan 2015, Eric Louie wrote: If you assign a customer IPv6 space only, a translation mechanism is needed to allow that customer to reach Internet destinations that only speak IPv4 today. There's no way around that. What IPv6 to IPv4 translation mechanisms are available for networks

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Fred Baker (fred)
> On Jan 29, 2015, at 3:28 PM, Eric Louie wrote: > > If I have to do 6-to-4 conversion, is there any way to do that with > multiple diverse ISP connections, or am I "restricted" to using one > entry/exit point? (If that's true, do I need to allocate a separate block > of addresses that would be

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Karsten Elfenbein
Hi, I would not recommend running any NAT over protocol versions for clients as you would need to break DNSSEC. The clients creating connections should run dual-stack or dual-stack lite. The only useful thing for service providers would be to proxy/NAT, let's say, an incoming IPv6 connection to still

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Eric Louie
On Fri, Jan 30, 2015 at 8:29 AM, Justin M. Streiner wrote: > On Fri, 30 Jan 2015, Eric Louie wrote: > > It also sounds like the Internet (aka the upstream/Tier 1 carriers) don't >> want me to advertise anything longer than my /32 into BGPv6. Is that >> true? >> (I'm getting that from the spammi

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Justin M. Streiner
On Fri, 30 Jan 2015, Eric Louie wrote: It also sounds like the Internet (aka the upstream/Tier 1 carriers) don't want me to advertise anything longer than my /32 into BGPv6. Is that true? (I'm getting that from the spamming comments made by others) Am I supposed to be asking ARIN for a /32 for

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Tore Anderson
* Baldur Norddahl > Single stacking on IPv6 is nice in theory. In practice it just doesn't work > yet. If you as an ISP tried to force all your customers to be IPv6 single > stack, you would go bust. Kabel Deutschland, T-Mobile USA, and Facebook are examples of companies who have already or are i

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Eric Louie
I'm just beginning to grasp the concepts of IPv6 operations here, so please pardon my seeming ignorance. If I'm reading properly, the best common practice (at least the original) was allocating a minimum /48 to customers, though I did see one that referenced a /56. If I do everything on nibble bo

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Baldur Norddahl
Single stacking on IPv6 is nice in theory. In practice it just doesn't work yet. If you as an ISP tried to force all your customers to be IPv6 single stack, you would go bust. Therefore the only option is dual stack. The IPv4 can be private address space with carrier NAT - but you will need to giv

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Tore Anderson
* Mel Beckman > Um, haven't you heard that we are out of IPv4 addresses? The point > of IPv6 is to expand address space so that the Internet can keep > growing. Maybe you don't want to grow with it, but most people do. > Eventually IPv4 will be dropped and the Internet will be IPv6-only. > Dual

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Rob Seastrom
Eric Louie writes: > I'm putting together my first IPv6 allocation plan. The general layout: > /48 for customers universally and uniformly > /38 for larger regions on an even (/37) boundary > /39 for smaller regions on an even (/38) boundary You really really really don't want to subnet on non

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread William Herrin
On Fri, Jan 30, 2015 at 11:44 AM, Tore Anderson wrote: > * William Herrin > >> Plan on dual-stacking any network which requires >> access to IPv4 resources such as the public Internet. > > For many folks, that's easier said than done. > > Think about it: If everyone could just dual-stack their net

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Mel Beckman
Tore, Um, haven't you heard that we are out of IPv4 addresses? The point of IPv6 is to expand address space so that the Internet can keep growing. Maybe you don't want to grow with it, but most people do. Eventually IPv4 will be dropped and the Internet will be IPv6-only. Dual-stack is just

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Justin M. Streiner
On Fri, 30 Jan 2015, Tore Anderson wrote: For many folks, that's easier said than done. Think about it: If everyone could just dual-stack their networks, they might as well single-stack them on IPv4 instead; there would be no point whatsoever in transitioning to IPv6 for anyone. I re-read thi

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Tore Anderson
* William Herrin > nat64/nat46 - allows an IPv6-only host to interact in limited ways > with IPv4-only hosts. Don't go down this rabbit hole. This will > probably be useful in the waning days of IPv4 when folks are > dismantling their IPv4 networks but for now the corner cases will > drive you nut

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread William Herrin
On Thu, Jan 29, 2015 at 6:28 PM, Eric Louie wrote: > I'm putting together my first IPv6 allocation plan. The general layout: > /48 for customers universally and uniformly Hi Eric, Good luck with that. Personally, I'd be inclined to think that some customers will (reasonably) want more than a /4

Re: IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Karsten Elfenbein
Hi, 2015-01-30 0:28 GMT+01:00 Eric Louie : > I'm putting together my first IPv6 allocation plan. The general layout: > /48 for customers universally and uniformly > /38 for larger regions on an even (/37) boundary > /39 for smaller regions on an even (/38) boundary > A few /48's for "internal use

IPv6 allocation plan, security, and 6-to-4 conversion

2015-01-30 Thread Eric Louie
I'm putting together my first IPv6 allocation plan. The general layout: /48 for customers universally and uniformly /38 for larger regions on an even (/37) boundary /39 for smaller regions on an even (/38) boundary A few /48's for "internal use" to allow us to monitor and maintain systems. For se