On Thu, Oct 10, 2002 at 06:36:33PM +0200, Iljitsch van Beijnum wrote:
> So what then if someone runs a secure tunnel over wireless over a PPPoE over ADSL using mobile IPv6 that runs over a tunnel or two ad nauseam until the headers get bigger than 374 bytes? Then you'll have your problem right back. Might as well really solve it the first try.
This is a problem that would be solved by everyone being responsible and doing pmtud properly.
> One of the problems is that there is no generally agreed on and widely available set of rules for this stuff. Setting the DF bit on all packets isn't good, but it works. Using RFC1918 space to number your tunnel routers isn't good, but it works. Filtering validating source addresses on ingress is good, but hey, it doesn't work!
I think we're starting to get at the heart of the problem, but let me stick my neck out and say it: Registries (APNIC, ARIN, RIPE, usw) charge for IP addresses. Be it via a lease/registration fee, it's a per-IP charge that ISPs must get via some means out of their subscribers (unless people don't care about money, that is). Back in the "days", one could obtain IP addresses from Internic saying "I will not connect to the Internet", "I intend to connect at some later date in a year or two (or similar)", or "I intend to connect now". People number out of 1918 space primarily for a few reasons, be they good or not: 1) internal use; 2) cost involved: nobody else needs to telnet to my p2p links but me, and I don't want to pay {regional_rir} for my internal use, to reduce costs; 3) "security" of not being a "publicly" accessible network. This can break many things: PMTU, multicast, and various streaming (multi)media applications. With the past scare of "we'll be out of IP addresses by 199x" still fresh in some people's memories, they in their good conscience decided to also conserve IPs via this method. The problem is that not everyone today who considers themselves a network operator understands all the ramifications of their current practices, be they good or bad. Going into fantasy-land mode, if IPv6 addresses were instantly used by everyone, people could once again obtain IPs that could be used for internal private use yet remain globally unique, therefore allowing tracking back of who is leaking their own internal sources.
> Making a good list of best practices (and then have people widely implement them) might also go a long way towards showing concerned parties such as the US administration that the network community consists of responsible people that can work together for the common good.
I agree here. I personally think that numbering your internal links out of 1918 space is not an acceptable solution unless it's behind your "natted" network/firewall and does not leak out. Perhaps some of those that are the better/brighter out there want to start to write up a list of "networking best practices", then test those "book smart" CCIE/CNE types with the information to ensure they understand the ramifications. A few good whitepapers about these might be good to include or quiz folks on. I suspect there's only a handful of people that actually understand the complete end-to-end problem and all the ramifications involved, as it is quite complicated.
> But if the best reason we can come up with is ISIS, the IEEE will just keep laughing.
Why is the IEEE laughing?
The implication is that IEEE will not change the 802.x specs to allow a larger [default] link-local MTU due to legacy interop issues. Imagine your circa-1989 NE2000 card attempting to process a 4400 byte frame on your local LAN. A lot of the "cheap" ethernet cards don't include enough buffering to handle such a large frame, let alone the legacy issues involved, and remember the enterprise networks have a far larger number of ethernet interfaces deployed than the entire Internet combined * 100 at least. Any change to the spec would obviously affect them also.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
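The failure mode the thread circles around (a tunnel router numbered from RFC1918 space sends the ICMP "fragmentation needed" message, the receiving network's ingress filter drops it as a bogon source, and PMTUD silently black-holes) as a small simulation. This is added example code, not from anyone in the thread; the Hop/Sender classes, the filter rule, and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 private ranges: the only thing the simulated ingress filter rejects.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Hop:
    name: str
    addr: str   # source address this router puts on ICMP errors it originates
    mtu: int    # MTU of its outgoing link


@dataclass
class Sender:
    pmtu: int = 1500   # sender's current path-MTU estimate


def icmp_passes_ingress_filter(src: str) -> bool:
    """The receiving network's edge drops packets sourced from RFC1918 space."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in RFC1918)


def send_df(sender: Sender, path: list, size: int) -> str:
    """Forward one DF-set packet of `size` bytes hop by hop.
    A hop whose link MTU is too small drops it and sends ICMP "fragmentation
    needed" (type 3, code 4) carrying its MTU; that ICMP only helps if it
    survives the filter on the way back to the sender."""
    for hop in path:
        if size > hop.mtu:
            if icmp_passes_ingress_filter(hop.addr):
                sender.pmtu = hop.mtu      # PMTUD works: sender learns the MTU
                return "icmp_received"
            return "black_hole"            # ICMP dropped: sender learns nothing
    return "delivered"


def pmtud(sender: Sender, path: list, size: int, max_rounds: int = 8):
    """Classic PMTUD: retry at the learned MTU until the packet gets through.
    Returns the sender's path-MTU estimate once a packet is delivered, or
    None if the flow stalls because the ICMP error never came back."""
    for _ in range(max_rounds):
        result = send_df(sender, path, min(size, sender.pmtu))
        if result == "delivered":
            return sender.pmtu
        if result == "black_hole":
            return None
    return None
```

Small packets still get through the RFC1918-numbered path, which is why this kind of breakage tends to show up only for full-size transfers and is so hard to pin down.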