NIST IPv6 document

Kevin Oberman oberman at es.net
Thu Jan 6 06:01:42 UTC 2011


> From: Joe Greco <jgreco at ns.sol.net>
> Date: Wed, 5 Jan 2011 21:27:14 -0600 (CST)
> 
> > 
> > On Wed, Jan 5, 2011 at 8:57 PM, Joe Greco <jgreco at ns.sol.net> wrote:
> > >> > This is a much smaller issue with IPv4 ARP, because routers generally
> > >> > have very generous hardware ARP tables in comparison to the typical
> > >> > size of an IPv4 subnet.
> > >>
> > >> no it isn't, if you've ever had your juniper router become unavailable
> > >> because the arp policer caused it to start ignoring updates, or seen
> > >> systems become unavailable due to an arp storm you'd know that you can
> > >> abuse arp on a rather small subnet.
> > >
> > > It may also be worth noting that "typical size of an IPv4 subnet" is
> > > a bit of a red herring; a v4 router that's responsible for /16 of
> > > directly attached /24's is still able to run into some serious issues.
> > 
> > It is uncommon for publicly-addressed LANs to be this large.  The
> > reason is simple: relatively few sites still have such an excess of
> > IPv4 addresses that they can use them in such a sparsely-populated
> > manner. 
> 
> Who said anything about sparsely populated?  A typical hosting
> provider might well fit such a general picture.
> 
> > Those that do have had twenty years of operational experience
> > with generation after generation of hardware and software, and they
> > have had every opportunity to fully understand the problem (or
> > redesign the relevant portion of their network.)
> 
> No they haven't.  I can think of relatively few networks that
> have survived twenty years, and the ones that I can think of are
> mostly .edu.  Those of us who have been operating IP networks for
> that length of time probably see both the flaws in IPv4 and IPv6.
> 
> > In addition, there is not (any longer) a "standard," and a group of
> > mindless zealots, telling the world that at /16 on your LAN is the
> > only right way to do it.  This is, in fact, the case with IPv6
> > deployments, and will drive what customers demand.
> 
> The concepts behind IPv4 classful addressing were flawed, but not
> unrealistic given the history.  Various pressures existed to force
> the development of CIDR.  It's not clear that those same pressures
> will force IPv6 to develop smaller networks - but other pressures
> *might*.  I've yet to hear convincing reasons as to why they
> *should*.
> 
> > To understand the problem, you must first realize that myopic
> > standards-bodies have created it, and either the standards must
> > change, operators must explain to their customers why they are not
> > following the standards, or equipment vendors must provide additional
> > knobs to provide a mitigation mechanism that is an acceptable
> > compromise.  Do the advantages of sparse subnets out-weigh the known
> > security detriments, even if good compromise-mechanisms are provided
> > by equipment vendors?
> 
> Quite frankly, as an interested party, I've been following all this
> for many years, and I am having a little trouble figuring out what
> you mean by the "known security detriments" in this context.
> 
> > "Security by obscurity" is an oft-touted advantage of IPv6 sparse
> > subnets.  We all know that anyone with a paypal account can buy a list
> > of a few hundred million email addresses for next to nothing.  How
> > long until that is the case with lists of recently-active IPv6 hosts?
> 
> Personally, I expect to see IPv6 privacy extensions become commonly
> used; it's a fairly comprehensive answer to that issue.
> 
> > What portion of attack vectors really depend on scanning hosts that
> > aren't easily found in the DNS, as opposed to vectors depending on a
> > browser click, email attachment, or by simply hammering away at
> > "www.*.com" with common PHP script vulnerabilities?
> 
> I see people scanning our IP space *all* *the* *time*.
> 
> > How many people think that massively-sparse-subnets are going to save
> > them money? 
> 
> If it saves me from creeps trawling through our IP space, that's a
> savings.
> 
> > Where will these cost-efficiencies come from?  Why can't
> > you gain that advantage by provisioning, say, 10 times as large a
> > subnet as you think you need, instead of seventy-quadrillion times as
> > large? 
> 
> Because at ten times as large, they can still trawl.
> 
> > Is anyone really going to put their Windows Updates off and
> > save money because they are comfortable that their hosts can't be
> > found by random scanning?  Is stateless auto-configuration that big a
> > win vs DHCP?
> > 
> > Yes, I should have participated in the process in the 1990s.  However,
> > just because the bed is already made doesn't mean I am willing to lay
> > my customers in it.  These problems can still be fixed before IPv6 is
> > ubiquitous and mission-critical.  The easiest fix is to reset the /64
> > mentality which standards-zealots are clinging to.
> 
> Think you missed that particular boat a long time ago.
> 
> The next ship will be departing in a hundred years or so; advance
> registration for the IPv7 design committee is available over there.

Sorry, but IPv7 has come and gone. It was assigned to the TUBA proposal,
basically replacing IP with CLNP. IPv8 has also been assigned. (Don't ask
as it involved he who must not be named.)

I am amazed at the number of folks who seem to think that there is time to
change IPv6 in ANY significant way. Indeed, the ship has sailed. If your
network is not well along in getting ready for IPv6, you are probably
well on your way to being out of business.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751