[ipv6hackers] IPv6 security (slides and training)

Doug Barton dougb at dougbarton.us
Fri Nov 11 23:40:16 CET 2011


On 11/11/2011 04:21, fred bovy wrote:
> I can see many good reasons for an enterprise moving to IPv6

Please be clear here, so can I. My point is that those of us who have
already drunk the Kool-Aid traditionally don't understand those who are
reluctant to move, and more importantly WHY they are reluctant to move.
And the failure to understand is a major part of the reason why the
situation hasn't improved in the last 10 years.

> The new connected enterprises which don't own a large IPv4 block of
> addresses will have no choice than deploying IPv6.

Why? Why not just do what most of them do now, IPv4 NAT on the internal
network, and a small block of IPv4 PA space on the border?

> So you will have two Internets, the old IPv4 internet with people who want
> to stick with IPv4 and the new connected with IPv6.
> 
> Do you think that even if we setup some translation between the IPv4 and
> the IPv6 world, this will scale to provide seamless connectivity between
> the two Internets?

Yes. Will it be optimal? No. But it will cover most of the bell-shaped
curve, and people will "route around" the rest.

> I think that the IPv4 folks will quickly have problems communicating with
> their partners and customers running IPv6.

... which is one of the big motivations to not be a first-mover to IPv6
in the first place.

> Most of the applications on the Internet are Real-Time applications. Video
> is #1 but there is also VoIP, WebEX and more.
> Do you think that this will be OK with CGN, Double NAT?
> 
> This is for me a good reason.

Me too, and I think it is going to be one of the things that actually
pushes people to move. But, unfortunately, I think that the failures
here will have to be experienced before the lessons are learned.

> Now you say that IPv6 is immature, untested! But IPv6 6BONE testing
> started in 1996!
> More than 15 years of tests.
> 
> What is enough for you? 20, 30 years of tests?

First, anything carrying less than 1% of Internet traffic is untested by
definition. And yes, immature ... ND flooding, lack of DHCP parity,
stupid ivory-tower debates about RA vs. DHCP, last minute fixes to
flowlabel, just-before-last-minute fixes to the route 0 problem ... I
could go on, but it would be much better to follow closely the work in
v6ops and 6man (which I know you're involved with to some extent, which
makes your assertion that IPv6 is "mature" that much harder to understand).

We don't do ourselves, or the Internet, any favors by continuing to
stick our heads in the sand and denying that the problems exist. There
are reasons why CGN is seen as a much more attractive alternative to
IPv6 (whether they are good or bad isn't relevant). If we can't
understand those reasons, we can't address them intelligently.


Doug

-- 

		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
