Addressing plan exercise for our IPv6 course
owen at delong.com
Fri Jul 30 04:07:10 CDT 2010
On Jul 30, 2010, at 1:13 AM, Matthew Walster wrote:
> On 30 July 2010 08:32, Jeroen Massar <jeroen at unfix.org> wrote:
>> On 2010-07-30 09:27, Matthew Walster wrote:
>>> On 29 July 2010 18:08, Leo Vegoda <leo.vegoda at icann.org> wrote:
>>>> There's a good chance that in the long run multi-subnet home networks will become the norm.
>>> With all due respect, I can't see it. Why would a home user need
>>> multiple subnets?
>> * Wireless
>> * Wired
>> * DMZ
>> Those three I see a lot at various people's places.
> I have *never* seen those three security zones separated outside of a
> business or the house of a nerd who runs his own Linux distro
> (Smoothwall etc). Furthermore, you're then pushing all that traffic
> into a $30 router which almost guaranteed will be underpowered.
If you'd like to come by my house, we can arrange that. I don't
run Linux on anything except one server. It doesn't do any routing.
The routers that provide security boundaries are:
1. Juniper SRX-100
2. Apple Airport Extreme
> Look at it this way: When I signed up at tunnelbroker.net, I received
> a /64. I was happy, and I went about my business. I wanted to have a
> play with something a bit bigger, I pressed "Assign /48" and it was
> ready to go in under a second. That's how it *should* work, or at
> least, in my opinion.
That's certainly one way to do it. However, I'm not sure it's how we
would do it if we were starting today knowing what we know now.
It does add a certain amount of complexity to our address planning
and to our systems to make it work that way. IMHO, that complexity
>> Also note that you should stop thinking of "today", think about what
>> might be possible in 10, 20, 30, 40, 50 years...
> I'm not thinking of today, I'm thinking about the people who use these
> services. They don't know about networking, they don't know about
> security apart from "install this virus checker". Most of them will
> laboriously transfer files from system to system using a USB drive (or
> floppy disk!) even though there's a big flashing icon on their desktop
> saying "put files here and they'll magically appear on your other
> machine". These people don't know and don't *care* about networks.
> They care about the service they get. That isn't going to change in 50
First, your assumption that their knowledge level remains constant
is absurd, so, in that statement you are thinking only of today.
10 years ago, most of those users wouldn't know what a web
site was. Most of them do today. Just 10 years ago, most of them
didn't know what email was. Most of them use email on a daily
Second, with DHCP-PD and likely future CPE products, they will
be able to simply connect pre-defined security zones to the right
ports on the CPE based on the port labels. There will likely be
a reasonable default security policy pre-installed for each zone.
Even my parents could handle plugging things like TiVo, the
stereo, etc. into ports labeled "Home Entertainment" while
plugging the kids' computers into "Nanny" ports and their own
computers into "General Access" ports.
It's not significantly harder than the current need to get the LAN
and WAN ports right on today's CPE.
> If you genuinely think that regular residential users need multiple
> subnets to create a zoned config... You're wrong. It *will* piss them
> off, even if transparent. It's not just because of the speed (which as
> you say, will improve over time) it's because suddenly their wired-in
> Xbox in front of the TV just won't talk to the wireless Xbox their
> mate just brought round to have a play with. If you say that's down to
> education, you've entirely missed the point.
Why wouldn't they be able to talk to each other? You make assumptions
about the future implementations of CPE there that I don't think are
entirely accurate. I don't even see a reason to expect that wireless
devices wouldn't be able to register for an appropriate security zone
by device type in some implementations.
Alternatively, the wired Xbox may need to initiate the connection to
the wireless, or, vice-versa depending on implementation, but, I would
expect CPE vendors to be able to solve that problem in the future.
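The zoned-CPE model argued for in the message above (a delegated prefix carved into one /64 per labelled port group, with a default policy saying which zone may initiate connections into which) can be sketched in a few lines. The following is an added example, not code from the original thread or from any CPE vendor; the zone labels are taken from the message, while the delegation sizes, the 2001:db8::/32 documentation prefix and the policy matrix are constructed for illustration. It also shows the edge case raised earlier in the thread: a bare /64 delegation cannot be split into zones at all.

```python
"""Hypothetical CPE model: carve a DHCPv6-PD delegation into per-zone /64s
and apply a default zone-to-zone initiation policy (added example)."""
import ipaddress
from typing import Dict, Optional, Set

# Zone labels as they might be printed on CPE ports (taken from the thread).
ZONES = ("General Access", "Home Entertainment", "Nanny", "DMZ")

# Constructed default policy: initiator zone -> zones it may open connections
# into. A stateful CPE admits the return traffic automatically, so the
# parents' "General Access" machines can reach the kids' "Nanny" machines,
# but the kids' machines cannot open connections back. Anything not listed
# is denied.
DEFAULT_POLICY: Dict[str, Set[str]] = {
    "General Access": {"General Access", "Home Entertainment", "Nanny", "DMZ"},
    "Home Entertainment": {"Home Entertainment"},
    "Nanny": {"Nanny", "Home Entertainment"},
    "DMZ": {"DMZ"},
}


def carve_zones(delegated: str, zones=ZONES) -> Dict[str, ipaddress.IPv6Network]:
    """Assign one /64 per zone out of a delegated prefix, in order.

    Raises ValueError when the delegation is too small: a /64 yields exactly
    one subnet, so it cannot be zoned; a /56 yields 256, a /48 yields 65536.
    """
    prefix = ipaddress.IPv6Network(delegated, strict=True)
    if prefix.prefixlen > 64:
        raise ValueError(f"{prefix} is longer than /64; cannot host a subnet")
    available = 2 ** (64 - prefix.prefixlen)
    if available < len(zones):
        raise ValueError(
            f"{prefix} yields only {available} /64(s), but {len(zones)} zones are defined"
        )
    subnets = prefix.subnets(new_prefix=64)
    return {zone: next(subnets) for zone in zones}


def zone_of(addr: str, plan: Dict[str, ipaddress.IPv6Network]) -> Optional[str]:
    """Return the zone whose /64 contains addr, or None if it is off-plan."""
    ip = ipaddress.IPv6Address(addr)
    for zone, net in plan.items():
        if ip in net:
            return zone
    return None


def may_initiate(src: str, dst: str, plan: Dict[str, ipaddress.IPv6Network],
                 policy: Dict[str, Set[str]] = DEFAULT_POLICY) -> bool:
    """Decide whether a connection opened from src toward dst is permitted.

    Off-plan addresses (e.g. the WAN side) are denied here; a real CPE would
    hold separate Internet-facing rules for them.
    """
    src_zone, dst_zone = zone_of(src, plan), zone_of(dst, plan)
    if src_zone is None or dst_zone is None:
        return False
    return dst_zone in policy.get(src_zone, set())


if __name__ == "__main__":
    # Constructed /56 delegation from the documentation range.
    plan = carve_zones("2001:db8:0:100::/56")
    for zone, net in plan.items():
        print(f"{zone:20s} {net}")
    # Two Xboxes in the same zone talk freely; a kid's machine cannot open a
    # connection to a parent's machine, but the reverse direction works.
    print(may_initiate("2001:db8:0:101::1", "2001:db8:0:101::2", plan))   # True
    print(may_initiate("2001:db8:0:102::5", "2001:db8:0:100::10", plan))  # False
    print(may_initiate("2001:db8:0:100::10", "2001:db8:0:102::5", plan))  # True
    try:
        carve_zones("2001:db8::/64")
    except ValueError as err:
        print("single /64 delegation:", err)
```

Running it shows why the size of the delegation, not the number of hosts, decides whether zoning is possible: the /56 case hands out 2001:db8:0:100::/64 through 2001:db8:0:103::/64, while the /64 case fails before any policy is consulted.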