[ 2-in-1, before I hit the 'too many flames posted' threshold ;) ]

Roland Dobbins wrote:
> On Jan 22, 2007, at 10:49 AM, Jeroen Massar wrote:
>> But which address space do you put in the network behind the VPN?
>> RFC1918!? Oh, already using that on the DSL link to where you are VPN'ing in from..... oopsy ;)
> Actually, NBD, because you can handle that with a VPN client which does a virtual adaptor-type of deal and overlapping address space doesn't matter, because once you're in the tunnel, you're not sending/receiving outside of the tunnel. Port-forwarding and NAT (ugly, but people do it) can apply, too.

How do you handle 192.168.1.1 talking to 192.168.1.1, oh I do mean a different one. Or do you double-reverse-ultra-NAT the packets !? :) One doesn't want to solve problems that way. That is only seen as creating problems. Good for a consultant's wallet, but not good for the companies using it, nor for the programmer who had to work around it in all his applications.
That is the case for globally unique addresses and the reason why banks that use RFC1918 don't like it when they need to merge etc etc etc...

> Sure, and then you get into double-NATting and who redistributes what routes into whose IGP and all that kind of jazz (it's a big problem on extranet-type connections, too). To be clear, all I was saying is that the subsidiary point that there are things which don't belong on the global Internet is a valid one

One can perfectly request address space from any of the RIRs and never ever announce or connect it to the internet. One can even give that as a reason "I require globally unique address space" and you will receive it from the RIR in question. One doesn't need to use globally unique address space in the "Internet", it is perfectly valid to use it as a disconnected means. Simple example which nicely works: 9.0.0.0/8 That network is definitely used, but not to be found on the Internet. Also, how many military and bank networks are announced on the Internet? If they are announced, they most likely are nicely firewalled away or actually disconnected in all means possible from the Internet and just used as a nice virus trap, as those silly viruses do scan them :)

> and entirely separate from any discussions of universal uniqueness in terms of address-space, as there are (ugly, non-scalable, brittle, but available) ways to work around such problems, in many cases.

You actually mean that you love to create all kinds of weird solutions to solve a problem that could easily have been avoided in the first place!? I don't think I would like to have your job doing those dirty things. With IPv6 and ULAs especially those mistakes fortunately won't happen that quickly any more. Saves you, me, and a load of other people a lot of headaches. Maybe you won't be able to consult for them any more and make quite some money off them, well that is too bad.

And now for some asbestos action: short summary: a) use global addresses for everything, b) use proper ACLs, c) toys exist that some people clearly don't know about yet ;) No further technical content below, except for a reply to a flame. (But don't miss out on the pdf mentioned for the toys ;)

Jim Shankland wrote:
> In response to my saying:
>> I'd love to hear the business case for why my home electrical meter needs to be directly IP-addressable from an Internet cafe in Lagos.
> "Jay R. Ashworth" <jra@baylink.com> responds, concisely:
>> It doesn't, and it shouldn't. That does *not* mean it should not have a globally unique ( != globally routable) IP address.
> and Jeroen Massar <jeroen@unfix.org> presents several hypothetical scenarios.

Are you trying to say that I make things up? Neat, let's counter that: http://www.sixxs.net/presentations/SwiNOG11-DeployingIPv6.pdf (yes, I know large slideset, unfortunately alexandria.paf.se where the pix came from is not available anymore and I can't find another source) Slides 50-57 show some nice toys which you can get in the Asian region already. This is thus far from "hypothetical". Note the IPv6 address on that hydro controller's LCD, it can be used to water your plants. Yes, indeed, when that show was happening, it was globally addressable, just like the camera and all the other toys there. And yes, I gave the plant water using telnet :) That you don't have it, that you didn't see it yet, doesn't mean it does not exist.

> Note that the original goal was for electrical companies to monitor electrical meters. Jeroen brings up backyard mini-nuke plants, seeing how much the power plug in the garden is being used, etc. These may all be desirable goals, but they represent considerable mission creep from the originally stated goal.

What is your point with writing this section? Trying to explain that it does not conform to your exact wishes? Or do you just want to type my name a couple of times to practice it? I know it is as difficult to pronounce as to type it ;) Dunno what I should read in it, it doesn't have any technical content or arguments for any of your points.

> None of Jeroen's applications requires end-to-end, packet-level access to the individual devices in Jeroen's future (I assume) home.

Using my name twice in a sentence, I must be important to target. Actually those applications DO require end-to-end, just like anything else. How else would you address them? If they are not addressable, how do you communicate with it?

> You can certainly argue that packet-level connectivity is better, easier to engineer, scales better, etc., etc.; but it is not *required*.

Thus you do actually agree with it, but just want a strange work around. I fully understand that selling middle boxes for all kinds of things is a lot of fun and can earn people lots of cash, but some people just want to stick with one protocol at a time please. Just an example, to keep it a bit technical and at least a bit on subject: using SNMP to monitor the power meters at all your customers. You can thus use Cacti or any other standard tool you are using for doing this. Another nice example in this area is IPFIX, which is actually MADE for doing that. Oh note that I had an IPFIX meter for showing the amount of cans and other things dispensed from the vending machine, so yes, it already exists, it is not hypothetical. Or did you want to create a middlebox for that? How are you going to address those middle boxes from your computer?

> In fact, there are sound engineering arguments against packet-level access: since we've dragged in the backyard nuke plant, consider what happens when everybody has a backyard mini-nuke, with control software written by Linksys, and it turns out that sending it a certain kind of malformed packet can cause it to melt down ....

Simple hint: firewall. Next to that, as NANOG is a U.S. thing: sue them. Also, if a malformed packet can cause a meltdown by that device, then I would not be surprised if the other way of accessing that device (the one you propose and have to come up with out of thin air) would also contain a similar bug when it would be implemented. At least the advantage of IP is that it has already been tested by a large amount of implementations and people around the world so that those kind of bugs are much less likely to occur in the first place. Has your new addressing scheme been tested that well? As it is addressing, is it 32 or 128 bits? 64 bits you say, conforming to EUI-64 specs?

> No matter. Reasonable people can disagree on the question of whether every networkable device benefits from being globally, uniquely addressable.

Indeed, because unreasonable people only think of themselves and don't see the broader scope of things and that tiny projects suddenly become large. But you will disagree with that, because you are reasonable. Now if you had a proper technical argument against it, I would become less unreasonable, as then you would have something to reason with against my proper technical arguments.

> The burden on the proponents is higher than that: there are *costs* associated with such an architecture, and the proponents of globally unique addressing need to show not only that it has benefits, but that the benefits exceed the costs.

I agree with this completely, especially when you have to design, implement, and test a completely new addressing mechanism for addressing all those devices, build middle boxes, to let them actually talk to the users/tools/devices that want to communicate with them and a lot more, that will cost a lot of money. Did I misread your sentence there? Sorry :) It will make companies happy of course, but will users be? Note that you can get sensors that speak IP for about 1 EUR each if it isn't less than that already.

> Coming full circle, the original assertion was that IPv6 was required in order for electric companies to use IP to monitor US electric meters. That assertion is false, and no amount of hand-waving about backyard nuke plants will make it true.

As you are clearly targeting this email only on me and not on others; I never said that an electrical company would require IPv6. They can use IPv4 perfectly fine too. The problem with IPv4 though is that there are only 2^32 addresses and that is not enough for most companies that are in this business. As such using IPv6, which has a vastly larger address space, would simply solve that problem and still allow them to use their common IP tools that they already have invested in.

> The history of IPv6 has been that it keeps receding into the future as people's use of IPv4 adapts enough to make the current benefit of switching to IPv6 smaller than the cost to do so.

You mean that your usage of the Internet has been limited more and more to a sandbox from which you are not able to communicate unless you use strange hacks? Sorry, but that really is your problem if you desire that. Quite some other people that use the Internet actually do want to communicate with other people and devices on the Internet without having to install all kinds of hacks to get over and out of their sandboxes. Doing it without the hacks makes that possible. IPv6 makes that possible. To make it clear: The main benefit of IPv6 is a large amount of addressable endpoints.

> Perhaps after a decade or so, we're nearing the end of that road. Or perhaps, as F. Scott Fitzgerald once wrote about IPv6, it is: [..]

"Francis Scott Key Fitzgerald (September 24, 1896 – December 21, 1940)" Sorry, but fat chance that he wrote anything about IPv6 let alone IPv4. He did write a couple of great books though, and one can't avoid liking the music he made.

Greets,
 Jeroen

PS: Some people actually have a desire to look out for the next 100 years and what will be possible, they actually dream about cool toys, and freedom, especially freedom on the Internet and on the rest of the planet, restricting addressing is not freedom.

PPS: try to find out which IPv6 address can be used to water the plants in my home :) [small hint: it is registered in DNS]
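The two technical points argued in the thread above, that two sites which both picked 192.168.1.0/24 collide the moment they are merged or VPN'd together, and that an IPv6 ULA prefix drawn per RFC 4193 makes such a collision vanishingly unlikely, as an added worked example. This code is not part of the original mail and not anyone's production tooling; the RFC 4193 section 3.2.2 prefix derivation (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits become the Global ID under fd00::/8) is implemented as the RFC specifies, while the MAC addresses and timestamps fed into it are constructed sample values, not real hosts.

```python
"""Added example (not from the original thread): RFC1918 overlap vs. RFC 4193 ULA.

The MACs and timestamps used in demo() are constructed sample values."""
import hashlib
import ipaddress
import time
from typing import Optional


def networks_overlap(a: str, b: str) -> bool:
    """True if the two prefixes share at least one address (same IP family only)."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and na.overlaps(nb)


def ntp64_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900-01-01 plus a 32-bit fraction."""
    NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (((whole & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)).to_bytes(8, "big")


def mac_to_eui64(mac: str) -> bytes:
    """Build a modified EUI-64 from a 48-bit MAC (RFC 4291 App. A): insert FF:FE, flip U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit
    return bytes(eui)


def rfc4193_global_id(ntp_timestamp: bytes, eui64: bytes) -> int:
    """RFC 4193 s3.2.2 steps 3-5: SHA-1 over (time || EUI-64), keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_timestamp + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(mac: str, unix_seconds: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 s3.2.2 step 6: fc00::/7 with L=1 (i.e. fd00::/8) followed by the 40-bit Global ID,
    giving a locally assigned /48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    gid = rfc4193_global_id(ntp64_timestamp(unix_seconds), mac_to_eui64(mac))
    prefix_int = (0xFD << 120) | (gid << 80)  # bits 127..120 = fd, bits 119..80 = Global ID
    return ipaddress.IPv6Network((prefix_int, 48))


def demo() -> dict:
    """Two sites that never coordinated: both chose 192.168.1.0/24, each derives its own ULA."""
    site_a_v4 = "192.168.1.0/24"
    site_b_v4 = "192.168.1.0/24"
    # Constructed inputs: a made-up MAC per site and a 2007-era timestamp.
    site_a_v6 = ula_prefix("00:11:22:33:44:55", unix_seconds=1169467740.0)
    site_b_v6 = ula_prefix("66:77:88:99:aa:bb", unix_seconds=1169467741.0)
    return {
        "v4_collide": networks_overlap(site_a_v4, site_b_v4),          # True: merge needs NAT
        "v6_collide": networks_overlap(str(site_a_v6), str(site_b_v6)),  # False: 2^-40 odds
        "site_a_v6": str(site_a_v6),
        "site_b_v6": str(site_b_v6),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: with RFC1918 the collision is structural (everyone reaches for the same few /24s), whereas with a ULA the Global ID is 40 pseudo-random bits, so two independently generated /48s coincide with probability about 2^-40, and the prefixes stay usable across a merge or a VPN without any double NAT. Note that a ULA is unique only in that probabilistic sense; it is not registered anywhere and is not routable on the global Internet, so the mail's option of requesting globally unique space from an RIR remains the only way to get a prefix that is unique by assignment rather than by chance.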