Most corporate environments don’t mandate DNS, and certainly don’t put a firewall between every segment.

Shane
On Apr 30, 2026, at 7:05 PM, Jamie Thain via NANOG <nanog@lists.nanog.org> wrote:
Richard,
Wolfy did write about it, but he didn't ask me for any details.
64 Bit headroom -- IPv8 is not headroom, it is about adding an AREA code to 32 bit addressing; it's not 64 bit at all. So to put it in perspective, rather than enough IP addresses for every atom in the solar system, there is only enough for every square cm on the planet to have 4 IP addresses.
DNS + WHOIS Validation is meant to increase north-south security. You cannot get to an IP address that doesn't have WHOIS and DNS, in strict mode. Of course you can turn that off.
VPN survive functions... Zone Server doesn't track who opened what and when. It doesn't track the DNS lookups; it tracks performance and errors. However, every corporate FW tracks this.
Rate Limits turn Zone Server into a single point of failure... except that you can have as many zone servers as you need to be reliable. They come in pairs anyways. It's like losing your DNS server.
Rate Elevation inside a company requires you to sign into the corporate networks, that way guests can't harm you.
No Flag day is true, you can start with one card, and one router somewhere on the internet and grow from there.
Wolfy thinks that policy egress isn't already being managed in firewalls.
OAuth2 is being used as an authorization and configuration policy replacing clear-text RADIUS.
The draft doesn't violate RFC 7258, as already your work is monitoring you. And at home you're in control of your own Zone Server; Zone Server doesn't log packets, just errors.
*The draft assumes unlimited data storage and doesn’t care.* No it doesn't; we only report errors and performance every five minutes, and accounting where required, the third A of a RADIUS server. A 1000-person company would be less than 100G per month. 2 years on a single drive.
It doesn't log DNS or flow; that's all a different device called a SIEM, or a FW, or NetFlow, none of which NetLog does.
*Mandatory identity binding eliminates hardware anonymity by default.* OAuth2 JWT binds to the device at the NIC level before any user interaction.
This is true; it is built for corporate. The network card is usually following a person around; it's built so you can roam from network to network.
*The anonymity eliminated is at the layer hardest to restore.* Methinks wolfy has never looked at a FortiGate log; it correlates MAC address, last IP, every flow, the last logged in, logged in to what networks, all in a handy dandy report manager.
*Device-to-traffic attribution becomes a database query, not an investigation.* Methinks wolfy has never reviewed online firewall logging.
*NIC firmware rate limits make the network unusable without Zone Server permission.*
This is the broadcast rate, so unauthenticated users can't DDoS.
*This architecture is fail-closed, and that can kill people.*
Each network segment can be DNS-only and have no other restrictions, and you need DNS to get from IPv4 to IPv8; there is no other way in the ecosystem.
*IPv8 is fundamentally incompatible with real-time operating systems*
IPv8 is 100% IPv4 compatible at the segment level; use IPv4 if you don't want the overhead of IPv8.
*All of the stuff about blocking* It's like wolfy has never admined a modern day firewall; you can do all that stuff already.
Enough said.
On Thu, Apr 30, 2026 at 5:18 PM Rich Kulawiec via NANOG <nanog@lists.nanog.org> wrote:
When this was floated on various IETF mailing lists, someone took the time to write:
We Need to Talk About the IPv8 Draft - wolfy https://substack.com/home/post/p-194315405
---rsk

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/QD6JBVII...