[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Fernando Gont fgont at si6networks.com
Tue Aug 28 18:01:14 CEST 2012


Hi, Owen,

On 08/28/2012 11:33 AM, Owen DeLong wrote:
>>> I also believe there is tremendous benefit for innovation with IPv6.
>>
>> This has been claimed for ages -- yet we have not had a single killer
>> application.
> 
> You can't have a killer app for an internet that doesn't exist yet. 

And many people might argue that they won't put money for the alleged
*potential* for innovation.



>>> NAT has become a stranglehold choking off innovation.
>>
>> At least half of the problems "introduced" by NATs are also introduced
>> by firewalls that "only allow return traffic"  -- So I don't necessarily
>> buy the "IPv6 fosters innovation" thing...
> 
> Except that the firewalls _CAN_ be told to pass what you want. There is
> no such possibility with NAT.

I doubt any regular home user will tell his home firewall to pass this
or that.



>>> no way.  Deploying IPv6 provides virtually limitless address space
>>> and makes it far easier for developers to come up with fantastic new
>>> applications.  
>>
>> Some might argue "gimme the IPv6 killer app, and I'll do the ipv6
>> roll-out if the app is good enough".
> 
> That's like saying "Give me the web and I'll consider rolling out IPv4."

Another way to see it is that the world got online because they had the
web -- as opposed to the world coming online just to see "what might happen".



>> Quoting Bertrand Russell:
>>
>> "When you are studying any matter, or considering any philosophy, ask
>> yourself only what are the facts and what is the truth that the facts
>> bear out. Never let yourself be diverted either by what you wish to
>> believe, or by what you think would have beneficent social effects if it
>> were believed. But look only, and solely, at what are the facts."
> 
> Yes... This applies very much to things you and Marc tend to say...

I'd argue that 99% of what I've said on the subject has been about
technical aspects of the protocol.



> Do not ignore the fact that we are running out of IPv4 addresses.
> Do not ignore the fact that no matter how problematic the security issues
[...]

The real reason for deploying v6 is that we are running out of v4
addresses -- that's enough of a reason, and nobody is arguing against that.



> Consider when evaluating IPv6 deployment, not only the facts of the
> security issues raised, but also the facts and implications and
> consequences of failing to deploy IPv6 in a timely manner.

These tend to vary from one case to another.



>> Most of the time I get the impression that IPv6 proponents essentially
>> try to squelch any discussions about IPv6
>> drawbacks/vulnerabilities/problems, yet they fail to support any efforts
>> in improving the current state of affairs.
> 
> I don't think you've ever seen me attempt to squelch such a discussion.
> I simply draw the line when you start saying that the drawbacks you
> have mentioned to date should be given enough weight to delay or
> avoid deploying IPv6 in general.

I never made such a claim -- fwiw, the decision of where and when to
deploy v6 varies from one case to another.



>> As a data-point, look at the lengthy discussions we have had about
>> RA-Guard, how trivial it is to evade current implementations, and
>> whether that makes the IPv6 world any worse (or not) than the IPv4 world.
> 
> Consider this... What fraction of IPv4 networks with DHCP run DHCP
> snooping? 

Then you might also argue "what fraction of the end-user Internet runs
without a NAT" and argue in favour of IPv6 NAT, too...



> If you can show me that it is even 10%, then, you might
> have a real world case. My observation in the real world is that it is
> less than 5%. As such, I don't think that RA without RA Guard is
> necessarily much worse than the current deployed state of IPv4.

Agreed. Although the RAs might have implications on IPv4 in unexpected
ways...



>> Yet when there was time to support a proposal to fix RA-Guard (now
>> draft-ietf-v6ops-ra-guard-implementation), there were only a few folks
>> there...
> 
> It seems to be making its way forward.

Yes -- with the investment of way too much energy, way too many
discussions, and fewer people supporting it than I would have expected.


[....]
> I've never claimed there are no problems with IPv6. I have, however, claimed
> that the problems created by failing to deploy IPv6 in a timely manner
> massively outweigh the problems mentioned in IPv6 to date.

That varies from one case to another, and also varies depending on whether
you mean "collective problems" or "individual problems". In some cases,
you need collective "help" for the benefits, while individual action for
the drawbacks.

Again, whether and where to deploy varies from one case to another --
and in all cases, deployment should be done only after
proper training.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





