[AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4. The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, " Latour said. "

Mark Andrews marka at isc.org
Thu Nov 6 15:12:45 EST 2014


In message <429C4C9BB681C54C828A0B8B353DCE55135367AF at svr2012.pc.local>, Nathanael Bettridge writes:
> Yes. "I like and regularly use networks which keep concentrations of
> state on the edge."
>
> When the solution calls for handling state on the edge then yeah. When
> the solution works better on the end hosts do it there.
> No point ruling out whole classes of useful solutions for ideological
> reasons.  And heck stateful firewalling at the edge would need most of
> that state anyway.
>
> Sometimes, given the choice between throwing a couple dozen x86 cores and
> ram at handling state in the core to solve a problem vs months of work
> fundamentally changing the network to suit that single solution (and
> breaking others) then I'll throw the hardware at it.
>
> I have plenty of setups that don't involve micromanaging ports and
> addresses and are more or less stateless. Others do a lot of state and
> rewriting in the core. I like having tools available to let me do what I
> need to do rather than fighting against ideologically caused issues. And
> how is micromanaging ports on a firewall fundamentally different to doing
> it with NAT thrown in?
>
> As for DoS - sometimes handling state in the core lets me improve
> immediate availability at the cost of a risk of availability in the event
> of a DoS. Balancing act.
>
> Basically - I get it some people don't like IPv6 NAT on their networks.
> Fine. Don't use it.
> Don't begrudge me my IPv6 NAT though.

We begrudge because it adds costs to applications that we purchase
because they need to be made to work with a NAT in the middle.

We begrudge because it adds costs when we have to debug connections
to your network.

We begrudge because it will make it harder to report and get corrected
security issues emanating from your network.

Multiple PA prefixes work today with a single border router as it
can manage the RA as seen by all the clients.  ULA + PA works today
which gives you stability across PA renumber events, PD lifetime
expiry etc.

Homenet is in the process of specifying multiple PA's from multiple
routers + ULA all automagically managed.  This is adding source +
destination address routing to the home CPE device.  Prefix delegation
within the home from multiple providers.  Topology discovery etc.

	ISP1 <-> CM <-> IR <-> IR <-> phone <-> ISP2
			 \     /
			    IR
			   /  \
CM cable modem 
IR interior router

Where you have PA addresses delegated using PD from both ISP1 and ISP2.

> Nathanael Bettridge
> Prodigy Communications Pty Ltd
> Mobile: +61 (0)4 1048 0170
> Office: +61 (0)2 8214 8920
> Fax:    +61 (0)2 9427 4203
> Email:  nathanael at prodigy.com.au
> Web:    www.prodigy.com.au
>
>
>
> -----Original Message-----
> From: Mark Newton [mailto:newton at atdot.dotat.org]
> Sent: Thursday, 6 November 2014 11:05 AM
> To: Nathanael Bettridge
> Cc: Jonathan Thorpe; ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] FW: [Ap-ipv6tf] official shutdown date for IPv4.
> The date he is pushing for is April 4, 2024. "IPv4 can't go on forever, "
> Latour said. "
>
>
> On Nov 6, 2014, at 9:12 AM, Nathanael Bettridge
> <nathanael at prodigy.com.au> wrote:
>
> > I like and regularly use the ability to remap ports between disparate
> machines or to different ports transparently, without having to use a
> port proxy.
> > I like and regularly use the ability to present an arbitrary number of
> addresses as one to another network, or map between different address
> structures.
> 	
> I like and regularly use networks which keep concentrations of state on
> the edge.
>
> (why do you even care about ports? Oh, substandard application
> architecture which forces you to micromanage 16 bit numbers. Never mind,
> carry on.)
>
> > These are really handy tools to have to solve problems.
>
> They're also really handy tools to turn yourself into a DoS-magnet.
>
> An important plank of security is "availability."  You're reducing that
> every time you put another bit of state in your core. These people who
> claim that NAT is helping their security seem to have a somewhat more
> limited view of "security" than the commonly accepted one that network
> professionals strive to attain.
>
>   - mark
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
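The multi-prefix arrangement Mark Andrews sketches above (PA delegated from ISP1 and ISP2 plus a ULA prefix, with source- and destination-based routing in the home CPE) can be modelled in a few lines. This is an added example, not code from the thread or from any Homenet implementation; the prefixes, the host addresses and the three-entry routing table are constructed (documentation and ULA ranges), and the per-ISP "ingress filter" is a stand-in for provider-side source-address filtering (BCP 38). It shows why the CPE needs the source address in its lookup: with a destination-only default route, a packet carrying ISP2's address leaves via ISP1 and is dropped by ISP1's source filter, while the SADR table sends it out the matching provider and keeps ULA-sourced traffic from leaking.

```python
"""Source-address-dependent routing (SADR) on a dual-homed home CPE.

Constructed example: PA prefixes delegated by two ISPs plus a ULA prefix.
All prefixes are documentation (2001:db8::/32) or ULA ranges, not real
allocations; the ISP ingress filter is a stand-in for BCP 38 checks.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed prefixes, constructed for this example.
PA_ISP1 = ipaddress.ip_network("2001:db8:1::/48")   # delegated by ISP1 via PD
PA_ISP2 = ipaddress.ip_network("2001:db8:2::/48")   # delegated by ISP2 via PD
ULA = ipaddress.ip_network("fd12:3456:789a::/48")   # locally generated, stable
ANY = ipaddress.ip_network("::/0")

# Addresses a host inside the home holds, one from each prefix (constructed).
HOST_ADDRS = ["2001:db8:1::10", "2001:db8:2::10", "fd12:3456:789a::10"]

# SADR table: (source prefix, destination prefix, egress). The default route
# is keyed by source prefix so a packet leaves through the provider whose
# address it carries; anything bound for the ULA prefix stays internal.
SADR_TABLE = [
    (ANY, ULA, "internal"),
    (PA_ISP1, ANY, "ISP1"),
    (PA_ISP2, ANY, "ISP2"),
]

# Traditional destination-only table: one default route, no source awareness.
DST_ONLY_TABLE = [
    (ULA, "internal"),
    (ANY, "ISP1"),
]

# Source prefix each provider accepts on ingress (BCP 38 style filtering).
INGRESS_ACCEPT = {"ISP1": PA_ISP1, "ISP2": PA_ISP2}


def sadr_lookup(src: str, dst: str) -> Optional[str]:
    """Longest match on destination, then on source; None means no route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for sprefix, dprefix, egress in SADR_TABLE:
        if s in sprefix and d in dprefix:
            key = (dprefix.prefixlen, sprefix.prefixlen)
            if best is None or key > best[0]:
                best = (key, egress)
    return None if best is None else best[1]


def dst_only_lookup(dst: str) -> Optional[str]:
    """Longest destination match against the single-default-route table."""
    d = ipaddress.ip_address(dst)
    best = None
    for dprefix, egress in DST_ONLY_TABLE:
        if d in dprefix and (best is None or dprefix.prefixlen > best[0]):
            best = (dprefix.prefixlen, egress)
    return None if best is None else best[1]


def survives_ingress_filter(src: str, egress: Optional[str]) -> bool:
    """True if the chosen egress will accept this source address."""
    if egress is None:
        return False
    if egress == "internal":
        return True
    return ipaddress.ip_address(src) in INGRESS_ACCEPT[egress]


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv6 addresses share (0..128)."""
    x = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    return 128 - x.bit_length()


def select_source(dst: str, candidates: List[str]) -> str:
    """Simplified RFC 6724 flavour: prefer a candidate in the same prefix as
    the destination (so ULA talks to ULA), then PA over ULA, then the longest
    common prefix. Ties keep the earliest candidate."""
    d = ipaddress.ip_address(dst)

    def rank(addr: str) -> Tuple[bool, bool, int]:
        a = ipaddress.ip_address(addr)
        same_prefix = any(a in p and d in p for p in (ULA, PA_ISP1, PA_ISP2))
        return (same_prefix, a not in ULA, common_prefix_len(addr, dst))

    return max(candidates, key=rank)


def forward(src: str, dst: str, sadr: bool = True) -> Tuple[Optional[str], bool]:
    """Route one packet and report (egress, accepted-by-that-egress)."""
    egress = sadr_lookup(src, dst) if sadr else dst_only_lookup(dst)
    return egress, survives_ingress_filter(src, egress)


if __name__ == "__main__":
    dst = "2001:db8:ffff::1"  # constructed external destination
    for src in HOST_ADDRS:
        print(src, "->", dst, "dst-only:", forward(src, dst, sadr=False),
              "sadr:", forward(src, dst))
    print("chosen source for", dst, "=", select_source(dst, HOST_ADDRS))
```

The `forward()` comparison is the whole argument in miniature: the same packet from the ISP2 address is `("ISP1", False)` with a destination-only table and `("ISP2", True)` with SADR, and a ULA-sourced packet to an external destination gets no route at all rather than leaking. Host-side source selection (`select_source`) picks the ULA address for ULA destinations, which is what gives stability across a PA renumber or PD lifetime expiry.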
