Rate of growth on IPv6 not fast enough?

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Fri Apr 23 11:15:52 CDT 2010


On Thu, 22 Apr 2010 07:18:18 -0400
William Herrin <bill at herrin.us> wrote:

> On Wed, Apr 21, 2010 at 11:31 PM, Owen DeLong <owen at delong.com> wrote:
> > On Apr 21, 2010, at 3:26 PM, Roger Marquis wrote:
> >> William Herrin wrote:
> >>>> Not to take issue with either statement in particular, but I think there
> >>>> needs to be some consideration of what "fail" means.
> >>>
> >>> Fail means that an inexperienced admin drops a router in place of the
> >>> firewall to work around a priority problem while the senior engineer
> >>> is on vacation. With NAT protecting unroutable addresses, that failure
> >>> mode fails closed.
> >>
> >> In addition to fail-closed NAT also means:
> >>
> >>  * search engines and connectivity providers cannot (easily)
> >>  differentiate and/or monitor your internal hosts, and
> >>
> > Right, because nobody has figured out Javascript and Cookies.
> 
> Having worked for comScore, I can tell you that having a fixed address
> in the lower 64 bits would make their jobs oh so much easier. Cookies
> and javascript are of very limited utility.
> 
> On the other hand, I could swear I've seen a draft where the PC picks
> up random unused addresses in the lower 64 for each new outbound
> connection for anonymity purposes. Even if there is no such draft, it
> wouldn't exactly be hard to implement. It won't take NAT to anonymize
> the PCs on a LAN with IPv6.
> 

Might be this -

"Transient addressing for related processes: Improved firewalling by
 using IPv6 and multiple addresses per host." by Peter M. Gleitz and
 Steven M. Bellovin (i.e. the Steven Bellovin who shows up on this
 list quite often)

http://www.cs.columbia.edu/~smb/papers/tarp.pdf

> 
> >>  * multiple routes do not have to be announced or otherwise accommodated
> >>  by internal re-addressing.
> >
> > I fail to see how NAT even affects this in a properly structured network.
> 
> That's your failure, not Roger's. As delivered, IPv6 is capable of
> dynamically assigning addresses from multiple subnets to a PC, but
> that's where the support for multiple-PA multihoming stops. PCs don't
> do so well at using more than one of those addresses at a time for
> outbound connections. As a number of vendors have done with IPv4, an
> IPv6 NAT box at the network border can spread outbound connections
> between multiply addressed upstream links.
> 
> 
> On Thu, Apr 22, 2010 at 2:10 AM, Franck Martin <franck at genius.com> wrote:
> > http://www.ipinc.net/IPv4.GIF
> > The energy that people are willing to spend to fix it (NAT, LSN),
> > rather than bite the bullet is amazing.
> 
> A friend of mine drives a 1976 Cadillac El Dorado. I asked him why
> once. He explained that even at 8 miles to the gallon and even after
> having to find 1970's parts for it, he can't get anything close to as
> luxurious a car from the more modern offerings at anything close to
> the comparatively small amount of money he spends.
> 
> The thing has plush leather seats that feel like sinking in to a comfy
> couch and an engine with more horsepower than my mustang gt. It isn't
> hard to see his point.
> 
> Regards,
> Bill Herrin
> 
> -- 
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
> 
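The per-connection random lower-64 source address idea discussed in this message, sketched as an added example; it is not code from the thread or from the cited paper. The function names are hypothetical, the prefix is the IPv6 documentation prefix, the neighbour set is constructed, and a simple set lookup stands in for duplicate address detection.

```python
import ipaddress
import secrets

# Reserved interface identifiers (RFC 5453): subnet-router anycast (all zeros)
# and the reserved subnet anycast range fdff:ffff:ffff:ff80-fdff:ffff:ffff:ffff.
RESERVED_ANYCAST_LO = 0xFDFFFFFFFFFFFF80
RESERVED_ANYCAST_HI = 0xFDFFFFFFFFFFFFFF


def iid_is_reserved(iid: int) -> bool:
    """True if a 64-bit interface identifier must not be used by a host."""
    return iid == 0 or RESERVED_ANYCAST_LO <= iid <= RESERVED_ANYCAST_HI


def pick_transient_address(prefix, in_use, max_tries=16):
    """Return a random unused address in a /64 for one outbound connection
    (hypothetical helper)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    base = int(net.network_address)
    for _ in range(max_tries):
        iid = secrets.randbits(64)  # unpredictable lower 64 bits
        if iid_is_reserved(iid):
            continue
        candidate = ipaddress.IPv6Address(base | iid)
        if candidate not in in_use:  # stand-in for duplicate address detection
            return candidate
    raise RuntimeError("no free address found")


def addresses_for_connections(prefix, in_use, count):
    """Allocate one fresh source address per connection, never reusing one."""
    taken = set(in_use)
    allocated = []
    for _ in range(count):
        addr = pick_transient_address(prefix, taken)
        taken.add(addr)
        allocated.append(addr)
    return allocated


if __name__ == "__main__":
    PREFIX = "2001:db8:0:1::/64"  # documentation prefix, not a real LAN
    NEIGHBOURS = {ipaddress.IPv6Address("2001:db8:0:1::1")}  # constructed
    for source in addresses_for_connections(PREFIX, NEIGHBOURS, 3):
        print(source)
```
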



