[AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

Nathanael Bettridge nathanael at prodigy.com.au
Thu Nov 6 12:28:17 EST 2014


Yes. "I like and regularly use networks which keep concentrations of state on the edge."

When the solution calls for handling state on the edge, then yeah. When the solution works better on the end hosts, do it there.
No point ruling out whole classes of useful solutions for ideological reasons. And heck, stateful firewalling at the edge would need most of that state anyway.

Sometimes, given the choice between throwing a couple dozen x86 cores and RAM at handling state in the core to solve a problem vs. months of work fundamentally changing the network to suit that single solution (and breaking others), I'll throw the hardware at it.

I have plenty of setups that don't involve micromanaging ports and addresses and are more or less stateless. Others do a lot of state and rewriting in the core. I like having tools available to let me do what I need to do rather than fighting against ideologically caused issues. And how is micromanaging ports on a firewall fundamentally different to doing it with NAT thrown in?

As for DoS - sometimes handling state in the core lets me improve immediate availability at the cost of a risk of availability in the event of a DoS. Balancing act.

Basically - I get it, some people don't like IPv6 NAT on their networks. Fine. Don't use it.
Don't begrudge me my IPv6 NAT though.

Nathanael Bettridge
Prodigy Communications Pty Ltd
Mobile: +61 (0)4 1048 0170
Office: +61 (0)2 8214 8920
Fax:    +61 (0)2 9427 4203
Email:  nathanael at prodigy.com.au
Web:    www.prodigy.com.au 



-----Original Message-----
From: Mark Newton [mailto:newton at atdot.dotat.org] 
Sent: Thursday, 6 November 2014 11:05 AM
To: Nathanael Bettridge
Cc: Jonathan Thorpe; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "


On Nov 6, 2014, at 9:12 AM, Nathanael Bettridge <nathanael at prodigy.com.au> wrote:

> I like and regularly use the ability to remap ports between disparate machines or to different ports transparently, without having to use a port proxy.
> I like and regularly use the ability to present an arbitrary number of addresses as one to another network, or map between different address structures.

I like and regularly use networks which keep concentrations of state on the edge.

(why do you even care about ports? Oh, substandard application architecture which forces you to micromanage 16 bit numbers. Never mind, carry on.)

> These are really handy tools to have to solve problems.

They're also really handy tools to turn yourself into a DoS-magnet.

An important plank of security is "availability."  You're reducing that every time you put another bit of state in your core. These people who claim that NAT is helping their security seem to have a somewhat more limited view of "security" than the commonly accepted one that network professionals strive to attain.

  - mark
