using "reserved" IPv6 space

Owen DeLong owen at delong.com
Mon Jul 16 15:43:00 UTC 2012


On Jul 16, 2012, at 8:11 AM, -Hammer- wrote:

> There are multiple issues here. I understand most folks on these threads are beyond me but I'm pretty sure I'm not the only person in this position.
> 
> 1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.

Frankly, IMHO, the best way to build up a truly useful IPv6 skill set is to start applying what you don't know and see what happens. For the most part, you will find that it is truly "96 more bits, no magic".

> 2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles.  Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....

You probably meant 2001:db8:b1aa:b1aa::babe:1 ;-) (blah isn't hex and fe80::/10 is link local. 2001:db8::/16 is the example prefix)

For the most part, HSRP really isn't even necessary or useful in IPv6 since ND should take care of what HSRP did for IPv4.

I believe F5 has rolled out IPv6 in a subset of their products and that you need pretty recent versions to get IPv6 functionality from them. The ARIN Wiki (http://www.getipv6.info) may be a good source of information on various vendor statuses. Contribute what you know/find out there as well, please.

Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being able to eliminate NAT. NAT was a necessary evil for IPv4 address conservation. It has no good use in IPv6.

> 3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal. Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some time trying to work out design schemas for our ARIN space with the WAN design team. What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.

Yes and no. If you have been doing IPv4 long enough to remember pre-NAT IPv4, then, you just need to remember some of the old ways of IPv4. If you have no recollection of IPv4 without NAT, then, you are correct, it is a huge paradigm shift to go back to the way the internet is supposed to have been before we ran out of addresses.

Owen

> 
> 
> -Hammer-
> 
> "I was a normal American nerd"
> -Jack Herer
> 
> On 7/15/2012 10:35 PM, Lee wrote:
>> On 7/14/12, Robert E. Seastrom <rs at seastrom.com> wrote:
>>> Actually, that's one of the most insightful meta-points I've seen on
>>> NANOG in a long time.
>>> 
>>> There is a HUGE difference between IPv4 and IPv6 thinking.  We've all
>>> been living in an austerity regime for so long that we've completely
>>> forgotten how to leave parsimony behind.  Even those of us who worked
>>> at companies that were summarily handed a Class B when we mumbled
>>> something about "internal subnetting" have a really hard time
>>> remembering how to act when we suddenly don't have to answer for every
>>> single host address and can design a network to conserve other things
>>> (like our brain cells).
>> Suggestions?
>> 
>> I feel like I should be able to do something really nice with an
>> absurdly large address space.  But lack of imagination or whatever.. I
>> haven't come up with anything that really appeals to me.
>> 
>> Thanks,
>> Lee
>> 
>> 
>>> -Hammer- <bhmccie at gmail.com> writes:
>>> 
>>>> <bashes head against wall>
>>>> 
>>>> Thank you all. It's not the protocol that hurts. It's rethinking the
>>>> culture/philosophy around it.
>>>> 
>>>> -Hammer-
>>>> 
>>>> On 7/14/12 3:20 PM, "Owen DeLong" <owen at delong.com> wrote:
>>>> 
>>>>> They're a bad thing in IPv6.
>>>>> 
>>>>> The only place for security through obscurity IMHO is a small round
>>>>> container that sits next to my desk.
>>>>> 
>>>>> Besides, if you don't advertise it, a GUA prefix is just as obscure as a
>>>>> ULA prefix and provides a larger search space in which one has to hunt
>>>>> for it... Think /3 instead of /8.
>>>>> 
>>>>> Owen
>>>>> 
>>>>> On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:
>>>>> 
>>>>>> Guys,
>>>>>>    The whole purpose of this is that they do NOT need to be global.
>>>>>> Security thru obscurity. It actually has a place in some worlds. Does
>>>>>> that
>>>>>> make sense? Or are such V4-centric approaches a bad thing in v6?
>>>>>> 
>>>>>> On 7/13/12 8:41 PM, "Brandon Ross" <bross at pobox.com> wrote:
>>>>>> 
>>>>>>> On Fri, 13 Jul 2012, Owen DeLong wrote:
>>>>>>> 
>>>>>>>> On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:
>>>>>>>> 
>>>>>>>>> keep life simple.  use global ipv6 space.
>>>>>>>>> 
>>>>>>>>> randy
>>>>>>>> Though it is rare, this is one time when I absolutely agree with
>>>>>>>> Randy.
>>>>>>> It's even more rare for me to agree with Randy AND Owen at the same
>>>>>>> time.
>>>>>>> 
>>>>>>> --
>>>>>>> Brandon Ross                          Yahoo & AIM: BrandonNRoss
>>>>>>> +1-404-635-6667                               ICQ: 2269442
>>>>>>> Schedule a meeting:  https://tungle.me/bross  Skype: brandonross
>>>>>>> 
>>>>>> 
>>> 
> 
> 
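Added example (not part of the thread or anyone's post in it): the two technical points above, that "blah" is not a valid hextet and that the prefix tells you what kind of address you are looking at, and that an unadvertised GUA sits in a much larger search space than an fd00::/8 ULA, can be checked with the standard library. The prefix table is built explicitly from the RFCs (fe80::/10 link-local per RFC 4291, fc00::/7 ULA per RFC 4193, 2001:db8::/32 documentation per RFC 3849, 2000::/3 global unicast) rather than relying on ipaddress's own is_private/is_global flags, whose treatment of the documentation prefix differs across Python versions. The sample addresses are constructed for the example.

```python
import ipaddress

# Prefix table, most specific first so the documentation prefix
# is reported before its enclosing global-unicast block.
PREFIXES = [
    ("documentation",  ipaddress.IPv6Network("2001:db8::/32")),  # RFC 3849
    ("link-local",     ipaddress.IPv6Network("fe80::/10")),      # RFC 4291
    ("ula",            ipaddress.IPv6Network("fc00::/7")),       # RFC 4193
    ("global unicast", ipaddress.IPv6Network("2000::/3")),       # RFC 4291
]


def classify(text):
    """Parse an IPv6 address literal and say which block it falls in.

    Returns (kind, canonical_address). A literal that is not valid IPv6
    (e.g. a non-hex hextet such as "blah") yields ("invalid", None)
    instead of raising, so callers can report it like any other kind.
    """
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return ("invalid", None)
    for name, net in PREFIXES:
        if addr in net:
            return (name, str(addr))
    return ("other", str(addr))


def candidate_prefixes(block, target_len):
    """How many target_len prefixes exist inside block.

    This is the size of the space an outsider has to hunt through to find
    one unadvertised site prefix: 2^(target_len - block length).
    """
    net = ipaddress.IPv6Network(block)
    if target_len < net.prefixlen:
        raise ValueError("target prefix is shorter than the block")
    return 2 ** (target_len - net.prefixlen)


def search_space_ratio(site_len=48):
    """Ratio of /site_len candidates in 2000::/3 (GUA) to fd00::/8 (ULA).

    fd00::/8 is the locally assigned half of fc00::/7, the only half RFC 4193
    defines, so it is the honest comparison point for a ULA deployment.
    """
    return candidate_prefixes("2000::/3", site_len) // candidate_prefixes("fd00::/8", site_len)


if __name__ == "__main__":
    # Constructed sample literals from the thread and the RFC examples.
    for literal in ("fe80:blah:blah::babe:1", "fe80::babe:1",
                    "2001:db8:b1aa:b1aa::babe:1", "fd12:3456:789a::1",
                    "2606:2800:220:1::1", "::1"):
        print(f"{literal:32} -> {classify(literal)}")
    print("GUA /48s per ULA /48:", search_space_ratio())
```

Running it shows the first literal rejected outright, the fe80:: one as link-local, the 2001:db8 one as documentation space, and a 32-fold (2^5) larger /48 search space in 2000::/3 than in fd00::/8; the ratio is independent of the site prefix length because both blocks are subdivided the same way.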