[180415] in North American Network Operators' Group
Re: AWS Elastic IP architecture
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jun 2 05:39:52 2015
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <556D35DF.8080901@matthew.at>
Date: Tue, 2 Jun 2015 10:35:39 +0100
To: Matthew Kaufman <matthew@matthew.at>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On Jun 2, 2015, at 5:49 AM, Matthew Kaufman <matthew@matthew.at> wrote:
>
> On 6/1/2015 6:32 PM, Mark Andrews wrote:
>> In message <CAL9jLaaQUP1UzoKag3Kuq8a5bMcB2q6Yg=B_=1fFWxRN6K-bNA@mail.gmail.com>
>> , Christopher Morrow writes:
>>> On Mon, Jun 1, 2015 at 9:02 PM, Ca By <cb.list6@gmail.com> wrote:
>>>>
>>>> On Monday, June 1, 2015, Mark Andrews <marka@isc.org> wrote:
>>>>>
>>>>> In message
>>>>> <CAL9jLaYXCdfViHbUPx-=rs4vSx5mFECpfuE8b7VQ+Au2hCXpMQ@mail.gmail.com>
>>>>> , Christopher Morrow writes:
>>>>>> So... I don't really see any of the above arguments for v6 in a vm
>>>>>> setup to really hold water in the short term at least. I think for
>>>>>> sure you'll want v6 for public services 'soon' (arguably like 10 yrs
>>>>>> ago so you'd get practice and operational experience and ...) but for
>>>>>> the rest sure it's 'nice', and 'cute', but really not required for
>>>>>> operations (unless you have v6 only customers)
>>>>> Everyone has effectively IPv6-only customers today. IPv6 native +
>>>>> CGN only works for services. Similarly DS-Lite and 464XLAT.
>>> ok, and for the example of 'put my service in the cloud' ... the
>>> service is still accessible over ipv4 right?
>> It depends on what you are trying to do. Having something in the
>> cloud manage something at home. You can't reach the home over IPv4
>> more and more these days as. IPv6 is the escape path for that but
>> you need both ends to be able to speak IPv6.
>
> ...and for firewalls to not exist. Since they do, absolutely all the techniques required to "reach something at home" over IPv4 are required for IPv6. This is on the "great myths of the advantages of IPv6" list.

IPv4 with NAT, you can open one host at home to remote access, or, in some cases, you can select different hosts by using the port number in lieu of the host name/address.

IPv6 — I add a permit statement to the firewall to allow the traffic in to each host/group of hosts that I want and I am done.

I do not see the above as being equal effort or as yielding equal results.
As such, I'd say that your statement gets added to the great myths of Matthew Kaufman rather than there being any myth about this being an IPv6 advantage.

I can assure you that it is MUCH easier for me to remote-manage my mother's machines over their IPv6 addresses than to get to them over IPv4.

I live in California and have native dual-stack without NAT. She lives in Texas and has native dual-stack with NAT for her IPv4.
> IPv6 has exactly one benefit... there's more addresses. It comes with a whole lot of new pain points, and probably a bunch of security nightmare still waiting to be discovered. And it for sure isn't free.

IPv6 comes with at least one design-advantage — More addresses.

However, more addresses, especially on the scale IPv6 delivers them comes with MANY benefits:
1. Simplified addressing
2. Better aggregation
3. Direct access where permitted
4. Elimination of NAT and its security flaws and disadvantages
5. Simplified topologies
6. Better sunbathing
7. Better network planning with sparse allocations
8. Simpler application code
9. Reduced complexity in:
    Proxies
    Applications
    Firewalls
    Logging
    Monitoring
    Audit
    Intrusion Detection
    Intrusion Prevention
    DDoS mitigation
10. The ability to write software with hope of your codebase working for the next 10 years or more.

I'm sure there are other benefits as well, but this gives you at least 10.
There are those that would argue that other design advantages include:
1. Fixed length simplified header
2. Stateless Address Autoconfiguration
3. Mobile IP
4. A much cleaner implementation of IPSEC
I'm sure there are more, but this is a quick list off the top of my head.
Owen
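The two remote-access models contrasted in the message above (IPv4 behind NAT, where the external port is the only thing that can select a host, versus IPv6, where a permit statement names the host or group directly) written out as a home-router ruleset. This is an added illustration, not configuration from the thread or from any poster: the interface names wan0/lan0, the host names in the comments and the addresses (RFC 5737 and RFC 3849 documentation ranges) are all assumed.

```nft
#!/usr/sbin/nft -f
# Added example (not from the NANOG thread). Interface names, host labels
# and addresses are assumed; 192.0.2.0/24, 192.168.1.0/24 and 2001:db8::/32
# are documentation / private ranges.

flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # IPv4: the router owns ONE public address, so an inbound connection
        # can only be steered to a host by its destination port. Each extra
        # host needs a distinct external port and a rewrite of the destination.
        iifname "wan0" tcp dport 22   dnat to 192.168.1.10:22    # ssh  -> "desktop"
        iifname "wan0" tcp dport 2222 dnat to 192.168.1.11:22    # ssh  -> "laptop", renumbered
        iifname "wan0" tcp dport 3389 dnat to 192.168.1.12:3389  # rdp  -> "media-pc"
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        iifname "lan0" accept

        # IPv6 path MTU discovery and error signalling must be forwarded,
        # otherwise long-lived sessions through the firewall stall.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv4: forwarded traffic is admitted only after DNAT has already
        # chosen the host; this rule simply mirrors the mapping above.
        iifname "wan0" ct status dnat accept

        # IPv6: every host has its own global address, so the permit
        # statement names the host itself. No port renumbering, no address
        # rewriting, and any number of hosts can keep their native port 22.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 22 accept    # ssh -> "desktop"
        iifname "wan0" ip6 daddr 2001:db8:1::11 tcp dport 22 accept    # ssh -> "laptop"
        iifname "wan0" ip6 daddr 2001:db8:1::12 tcp dport 3389 accept  # rdp -> "media-pc"

        # A whole group of hosts in one statement: an entire /64 of lab machines.
        iifname "wan0" ip6 daddr 2001:db8:1:ff::/64 tcp dport 22 accept
    }
}
```

The forward chain is default-drop in both families, so the IPv6 side is no more exposed than the NAT side: a host is reachable from the WAN only where a rule names it. The practical difference is the one the message describes: on IPv4 the mapping table is bounded by the number of spare external ports and every non-default port has to be communicated to the remote user, while on IPv6 each additional host or group is one more accept line with the service on its normal port.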