[154894] in North American Network Operators' Group
Re: using "reserved" IPv6 space
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Jul 16 11:47:06 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <50042F34.5080007@gmail.com>
Date: Mon, 16 Jul 2012 08:43:00 -0700
To: -Hammer- <bhmccie@gmail.com>
Cc: Brandon Ross <bross@pobox.com>, nanog@nanog.org,
"Robert E. Seastrom" <rs@seastrom.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jul 16, 2012, at 8:11 AM, -Hammer- wrote:
> There are multiple issues here. I understand most folks on these threads are beyond me but I'm pretty sure I'm not the only person in this position.
>
> 1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.

Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is to start applying what you don't know and see what happens. For the most part, you will find that it is truly "96 more bits, no magic".

> 2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....

You probably meant 2001:db8:b1aa:b1aa::babe:1 ;-) (blah isn't hex and fe80::/10 is link local. 2001:db8::/16 is the example prefix)

For the most part, HSRP really isn't even necessary or useful in IPv6 since ND should take care of what HSRP did for IPv4.

I believe F5 has rolled out IPv6 in a subset of their products and that you need pretty recent versions to get IPv6 functionality from them. The ARIN Wiki (http://www.getipv6.info) may be a good source of information on various vendor statuses. Contribute what you know/find out there as well, please.

Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.

> 3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal. Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some time trying to work our design schemas for our ARIN space with the WAN design team. What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.

Yes and no. If you have been doing IPv4 long enough to remember pre-NAT IPv4, then, you just need to remember some of the old ways of IPv4. If you have no recollection of IPv4 without NAT, then, you are correct, it is a huge paradigm shift to go back to the way the internet is supposed to have been before we ran out of addresses.

Owen
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 7/15/2012 10:35 PM, Lee wrote:
>> On 7/14/12, Robert E. Seastrom <rs@seastrom.com> wrote:
>>> Actually, that's one of the most insightful meta-points I've seen on
>>> NANOG in a long time.
>>>
>>> There is a HUGE difference between IPv4 and IPv6 thinking. We've all
>>> been living in an austerity regime for so long that we've completely
>>> forgotten how to leave parsimony behind. Even those of us who worked
>>> at companies that were summarily handed a Class B when we mumbled
>>> something about "internal subnetting" have a really hard time
>>> remembering how to act when we suddenly don't have to answer for every
>>> single host address and can design a network to conserve other things
>>> (like our brain cells).
>> Suggestions?
>>
>> I feel like I should be able to do something really nice with an
>> absurdly large address space. But lack of imagination or whatever.. I
>> haven't come up with anything that really appeals to me.
>>
>> Thanks,
>> Lee
>>
>>> -Hammer- <bhmccie@gmail.com> writes:
>>>
>>>> <bashes head against wall>
>>>>
>>>> Thank you all. It's not the protocol that hurts. It's rethinking the
>>>> culture/philosophy around it.
>>>>
>>>> -Hammer-
>>>>
>>>> On 7/14/12 3:20 PM, "Owen DeLong" <owen@delong.com> wrote:
>>>>
>>>>> They're a bad thing in IPv6.
>>>>>
>>>>> The only place for security through obscurity IMHO is a small round
>>>>> container that sits next to my desk.
>>>>>
>>>>> Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>>>>> ULA prefix and provides a larger search space in which one has to hunt
>>>>> for it... Think /3 instead of /8.
>>>>>
>>>>> Owen
>>>>>
>>>>> On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>>>>>
>>>>>> Guys,
>>>>>> The whole purpose of this is that they do NOT need to be global.
>>>>>> Security thru obscurity. It actually has a place in some worlds. Does
>>>>>> that make sense? Or are such V4-centric approaches a bad thing in v6?
>>>>>>
>>>>>> On 7/13/12 8:41 PM, "Brandon Ross" <bross@pobox.com> wrote:
>>>>>>
>>>>>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>>>>>
>>>>>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>>>>>
>>>>>>>>> keep life simple. use global ipv6 space.
>>>>>>>>>
>>>>>>>>> randy
>>>>>>>> Though it is rare, this is one time when I absolutely agree with
>>>>>>>> Randy.
>>>>>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>>>>> time.
>>>>>>>
>>>>>>> --
>>>>>>> Brandon Ross Yahoo & AIM: BrandonNRoss
>>>>>>> +1-404-635-6667 ICQ: 2269442
>>>>>>> Schedule a meeting: https://tungle.me/bross Skype: brandonross
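As an added illustration that is not part of the thread: a small Python check, built on the standard library's ipaddress module, that classifies address literals like the ones quoted above by scope (catching the non-hex "blah" groups) and computes the guessing space Owen's "/3 instead of /8" remark refers to. Prefix lengths come from RFC 4291, RFC 4193 and RFC 3849; the sample literals are constructed for the example.

```python
import ipaddress

# Prefixes the thread talks about: link-local and GUA (RFC 4291),
# ULA (RFC 4193) and the documentation prefix (RFC 3849).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # locally assigned ULA half
DOCUMENTATION = ipaddress.IPv6Network("2001:db8::/32")
GUA = ipaddress.IPv6Network("2000::/3")

# Order matters: 2001:db8::/32 lies inside 2000::/3, so the more specific
# documentation prefix must be tested before the global-unicast range.
SCOPES = [
    ("link-local", LINK_LOCAL),
    ("unique-local", ULA),
    ("documentation", DOCUMENTATION),
    ("global-unicast", GUA),
]


def classify(text):
    """Return (valid, scope) for an address literal as pasted from a
    config. Groups that are not hex (e.g. 'blah') make it invalid."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return (False, "invalid")
    for name, net in SCOPES:
        if addr in net:
            return (True, name)
    return (True, "other")


def guess_bits(container, assigned_len):
    """Bits an outsider must guess to land on one /assigned_len prefix
    inside container, i.e. the search space Owen contrasts (/3 vs /8)."""
    return assigned_len - container.prefixlen


if __name__ == "__main__":
    # Constructed literals modelled on the ones quoted in the thread.
    for literal in ("fe80:blah:blah::babe:1",
                    "2001:db8:b1aa:b1aa::babe:1",
                    "fd12:3456:789a::1"):
        print(literal, classify(literal))
    # A /48 somewhere in all of GUA vs a /48 inside fd00::/8.
    print("GUA /48:", guess_bits(GUA, 48), "bits to guess")
    print("ULA /48:", guess_bits(ULA_LOCAL, 48), "bits to guess")
```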