[AusNOG] IPv4 Exhaustion date changed to December.

Matthew Moyle-Croft mmc at internode.com.au
Tue Jun 22 16:27:43 EST 2010


On 22/06/2010, at 3:48 PM, Dobbins, Roland wrote:

> 
> On Jun 22, 2010, at 6:37 AM, Mark Andrews wrote:
> 
>> NAT vs encapsulation is about equal cost in the CPE device.
> 
> Yes - they both maintain an undesirable and extremely dangerous amount of state, making the devices and the networks/nodes/users behind them considerably more vulnerable to either deliberate or inadvertent DDoS, due to state-table exhaustion.

Assuming we're talking about 6in4 tunneling (6to4, Teredo, 6rd etc.) as far as encapsulation goes, how exactly does that maintain a lot of state?

> 
> NAT and encapsulation are both evil things from the standpoint of opsec, not to mention complexity/troubleshooting, et al.

Encapsulation isn't evil -> we do it all the time -> TCP inside IP inside Ethernet etc. is all encapsulation.  We accept it as part of the seven layers of righteousness that we live within.

6rd is going to be a common mechanism going forward to get IPv6 to the edge quickly over infrastructure which takes too long to replace (or isn't viable).   Although native would be preferable, I'm unclear as to why in particular 6rd maintains "an extremely dangerous amount of state" and is evil?   

MMC
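
Added example, not part of the original post: a sketch of the address mapping 6rd uses (as specified in RFC 5969), showing that a relay or CE computes the IPv4 tunnel endpoint from the IPv6 address alone, with no per-flow table, and can check on decapsulation that the inner source maps back to the outer source. The prefixes, mask length and function names are constructed for illustration.

```python
import ipaddress

# Constructed 6rd domain parameters (documentation/private ranges, not from the thread).
SIXRD_PREFIX = ipaddress.IPv6Network("2001:db8::/32")
IPV4_COMMON = ipaddress.IPv4Network("10.0.0.0/8")   # bits shared by every CE
IPV4_MASK_LEN = IPV4_COMMON.prefixlen               # shared bits are not embedded
EMBED_BITS = 32 - IPV4_MASK_LEN
DELEGATED_LEN = SIXRD_PREFIX.prefixlen + EMBED_BITS
EMBED_MASK = (1 << EMBED_BITS) - 1


def delegated_prefix(ce_v4):
    """CE side: the delegated IPv6 prefix is a pure function of the CE's IPv4 address."""
    suffix = int(ipaddress.IPv4Address(ce_v4)) & EMBED_MASK
    base = int(SIXRD_PREFIX.network_address) | (suffix << (128 - DELEGATED_LEN))
    return ipaddress.IPv6Network((base, DELEGATED_LEN))


def tunnel_endpoint(v6_addr):
    """Relay side: recover the IPv4 tunnel endpoint from the IPv6 address itself."""
    v6 = ipaddress.IPv6Address(v6_addr)
    if v6 not in SIXRD_PREFIX:
        raise ValueError("address is outside the 6rd prefix")
    suffix = (int(v6) >> (128 - DELEGATED_LEN)) & EMBED_MASK
    return ipaddress.IPv4Address(int(IPV4_COMMON.network_address) | suffix)


def accept_encapsulated(outer_v4_src, inner_v6_src):
    """Decapsulation check: the inner IPv6 source must map back to the outer IPv4 source."""
    try:
        return tunnel_endpoint(inner_v6_src) == ipaddress.IPv4Address(outer_v4_src)
    except ValueError:
        return False


if __name__ == "__main__":
    print(delegated_prefix("10.1.2.3"))
    print(tunnel_endpoint("2001:db8:102:3ab::1"))
    print(accept_encapsulated("10.9.9.9", "2001:db8:102:3ab::1"))
```
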

