[134601] in North American Network Operators' Group

RE: IPv6 - real vs theoretical problems

daemon@ATHENA.MIT.EDU (Deepak Jain)
Fri Jan 7 15:31:41 2011

From: Deepak Jain <deepak@ai.net>
To: Owen DeLong <owen@delong.com>, Jima <nanog@jima.tk>
Date: Fri, 7 Jan 2011 15:29:32 -0500
In-Reply-To: <10FB3518-6470-4F14-963C-B3150FABE667@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> > http://www.ietf.org/mail-archive/web/v6ops/current/msg06820.html
> >
> >     Jima
>

Just skimming through the draft:

     1) It is no longer recommended that /128s be given out. While there
        may be some cases where assigning only a single address may be
        justified, a site by definition implies multiple subnets and
        multiple devices.

--- I never knew a site, by definition, has multiple subnets and devices.

     A key principle for address management is that end sites always
        be able to obtain a reasonable amount of address space for their
        actual and planned usage, and over time ranges specified in
        years rather than just months. In practice, that means at least
        one /64, and in most cases significantly more. One particular
        situation that must be avoided is having an end site feel
        compelled to use IPv6-to-IPv6 Network Address Translation or
        other burdensome address conservation techniques because it
        could not get sufficient address space.

I think this is the real point everyone is trying to get at. They want IP6 to be the end of NAT. Got it. There are now years of security dogma that say NAT is a good thing; in the 20+ years IP6 has been on the books, the dogma went another way. This concept will take a long time to unwind. Somehow this is supposed to mesh with dynamic renumbering where we can move around between /48s without "too much burden" while wildly waving our hands at all the higher-level configs (DNS, applications, firewalls, etc.) that don't play nicely with automatic renumbering.

There is some convoluted discussion about how they wanted their /48 policy to somehow encourage residential ISPs to give their users more IP space in the base offering. I'm not sure why or what purpose an addressing policy should have to a business case. I see nothing motivating a residential ISP (especially one providing CPE equipment) to change their current deployment system one iota. And I'm pretty sure they are the ones MOST exposed to abuses of this address space by the least technical user base. (Side note: if I were a residential ISP I'd configure a /64 to my highly-controlled CPE router and issue /128s to each and every device that plugged in on the customer site, only one per MAC, and have a remotely configurable limit of say 50 devices or whatever the MAC table limit was. So I only have one route entry in my aggregation layer, and if the customer blows his CPE router up, I'm still protected.)

Question - Whatever happened to the concept of a customer coming to their SP for more space? Why do we have to give them enough space for a decade of theoretical use when every week we could widen their subnet without causing any negative impact on them? No renumbering, etc. It's not considered a burden today, but under IP6 it is? Heck, since space is so plentiful, we can all set up gateways to do it automatically, but until routers get smarter, I don't see how all that dead routable space is a good thing. Customers are paying for and getting a service, a continuous relationship with some set of SPs. In that service they aren't getting a mathematical representation, they are getting usable IP space, but that doesn't mean that if they hop out of bed in the middle of the night and decide to allocate 5,000,000 unique IPs the SP network should automatically accept it (based on today's current technology).

BOGONS, IP hijacks and all the rest seem like the worse problem here and the whole point of putting training wheels on these roll outs. Instead, it seems we are systematically unwinding all the lessons learned from CIDR and going back to addresses being classful, interface links being massive space wasters and no one caring about addresses. That's fine, and probably an improvement, until the next round of attacks and then shortages occur. Once the schools start teaching RFC3177, the hardcoded apps are sure to follow.

Deepak
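
The two mechanisms the post sketches, a CPE that hands out one /128 per device MAC from a single /64 with a hard device cap (so the aggregation layer carries exactly one route per customer), and "widening" a customer's prefix in place rather than pre-allocating years of space, as an added example that is not part of Deepak's post or any ISP's actual provisioning code. The prefix, MAC addresses and device limit are constructed values; `CpeAllocator` and `widen` are hypothetical names built on Python's standard `ipaddress` module.

```python
"""Toy model of the allocation policy sketched in the post.

- One /64 per customer CPE.
- One /128 per device, keyed by MAC, with a hard cap on device count.
- The ISP's aggregation layer carries a single route (the /64) no matter
  how many devices attach.
- "Widening" a customer's prefix later returns the shorter prefix that
  contains the old one, so already-issued addresses remain valid and
  nothing has to be renumbered.

All prefixes, MACs and limits here are constructed example values.
"""

import ipaddress


class CpeAllocator:
    """Hands out /128s from a single customer /64, one per device MAC."""

    def __init__(self, prefix, max_devices=50):
        self.prefix = ipaddress.IPv6Network(prefix)
        if self.prefix.prefixlen != 64:
            raise ValueError("customer link prefix must be a /64")
        self.max_devices = max_devices
        self.leases = {}   # mac (lower-case str) -> IPv6Address
        self._next = 2     # start at ::2; ::1 is reserved for the CPE itself

    def lease(self, mac):
        """Return the device's /128. Repeat requests for the same MAC get
        the same address; a new MAC past the cap is refused."""
        mac = mac.lower()
        if mac in self.leases:
            return self.leases[mac]
        if len(self.leases) >= self.max_devices:
            raise RuntimeError("device limit reached for this CPE")
        addr = self.prefix.network_address + self._next
        self._next += 1
        self.leases[mac] = addr
        return addr

    def aggregate_route(self):
        """The only entry the ISP aggregation layer needs for this customer."""
        return self.prefix


def widen(old_prefix, new_prefixlen):
    """Return the shorter prefix that contains old_prefix.

    Because the result is a supernet of the old prefix, every address already
    assigned inside old_prefix is still inside the new one: the customer gets
    more space without renumbering anything.
    """
    old = ipaddress.IPv6Network(old_prefix)
    if new_prefixlen >= old.prefixlen:
        raise ValueError("new prefix must be shorter than the old one")
    return old.supernet(new_prefix=new_prefixlen)


if __name__ == "__main__":
    cpe = CpeAllocator("2001:db8:0:1::/64", max_devices=2)
    laptop = cpe.lease("00:11:22:33:44:55")
    phone = cpe.lease("00:11:22:33:44:56")
    print("laptop", laptop, "phone", phone)
    print("aggregate route:", cpe.aggregate_route())
    try:
        cpe.lease("00:11:22:33:44:57")
    except RuntimeError as exc:
        print("third device refused:", exc)
    wider = widen("2001:db8:0:1::/64", 56)
    print("widened to", wider, "- laptop still inside:", laptop in wider)
```

The cap is enforced per MAC rather than per request, so a device that re-requests keeps its address instead of burning a slot, and `widen` refuses anything that is not strictly shorter, which is the only direction in which the "no renumbering" claim holds.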
