The Choice: IPv4 Exhaustion or Transition to IPv6
Steven M. Bellovin
smb at cs.columbia.edu
Thu Jun 28 18:44:39 UTC 2007
On Thu, 28 Jun 2007 13:27:15 -0400
John Curran <jcurran at mail.com> wrote:
> At 10:16 AM -0700 6/28/07, Randy Bush wrote:
> > > Interoperability is achieved by having public facing
> >> servers reachable via IPv4 and IPv6.
> >that may be what it looks like from the view of an address allocator.
> >but if you actually have to deliver data from servers you need a path
> >where data from/in both protocols is supported on every link of the
> >chain that goes all the way to every bit of back end data in your
> >system. and if one link in that chain is missing, <sound of glib
> Organizations need to have IPv6 on their DMZ servers.
> ISP's needs to provide IPv6 to these organizations, either
> directly or via tunnel.
> It's actually rather simple.
Randy is right. It's very simple from 30,000 feet; it's a lot messier
in detail if done at scale. I'll give just example, using your
suggestion of converting DMZ: how do you keep your firewall rules
consistent between v4 and v6 addresses and prefixes? This involves
vendor technology (the firewall box), communication with your ISP
(handling prefix changes), local technology (you do have a change
control process for firewall rules, right, and perhaps a database of
machines and addresses?), and training. It may also involve upgrading
some of the servers because of the rapid changes in v6 support. (I'll
cite a personal example: I upgraded the OS on a machine of mine
recently, and found that my mailing lists weren't working. Why?
Because the version of Postfix had been changed to one with v6 support,
and I had to specify v6 loopback addresses in some mysterious place.)
That's not to say this is an excuse for delay. Converting is going to
get harder when you acquire more gear, not easier. Planning and
back-end conversions (i.e., ISP databases that hold customer IP
address ranges) should have been done years ago. It's now become
urgent; I'm glad people are finally starting to take it seriously.
(Metanote: IPv6 is far from the best possible design. Given all of
the constraints, including the political ones, it may be, as Bjarne
Stroustrup said of C++, the best design possible. Whatever -- it
exists as a reasonably stable design; starting over would cost us 15
more years that we just don't have.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG