On Thu, 28 Jun 2007 13:27:15 -0400 John Curran <jcurran@mail.com> wrote:
At 10:16 AM -0700 6/28/07, Randy Bush wrote:
Interoperability is achieved by having public facing servers reachable via IPv4 and IPv6.
that may be what it looks like from the view of an address allocator.
but if you actually have to deliver data from servers you need a path where data from/in both protocols is supported on every link of the chain that goes all the way to every bit of back end data in your system. and if one link in that chain is missing, <sound of glib idea imploding>.
Randy,
Organizations need to have IPv6 on their DMZ servers.
ISPs need to provide IPv6 to these organizations, either directly or via tunnel.
It's actually rather simple.
Randy is right. It's very simple from 30,000 feet; it's a lot messier in detail if done at scale. I'll give just one example, using your suggestion of converting DMZ: how do you keep your firewall rules consistent between v4 and v6 addresses and prefixes? This involves vendor technology (the firewall box), communication with your ISP (handling prefix changes), local technology (you do have a change control process for firewall rules, right, and perhaps a database of machines and addresses?), and training. It may also involve upgrading some of the servers because of the rapid changes in v6 support. (I'll cite a personal example: I upgraded the OS on a machine of mine recently, and found that my mailing lists weren't working. Why? Because the version of Postfix had been changed to one with v6 support, and I had to specify v6 loopback addresses in some mysterious place.)

That's not to say this is an excuse for delay. Converting is going to get harder when you acquire more gear, not easier. Planning and back-end conversions (i.e., ISP databases that hold customer IP address ranges) should have been done years ago. It's now become urgent; I'm glad people are finally starting to take it seriously.

(Metanote: IPv6 is far from the best possible design. Given all of the constraints, including the political ones, it may be, as Bjarne Stroustrup said of C++, the best design possible. Whatever -- it exists as a reasonably stable design; starting over would cost us 15 more years that we just don't have.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
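The firewall-rule drift Steve describes (a v4 rule with no v6 twin, or a v6-only rule nobody reviewed against the v4 policy) is the kind of thing a change-control process can catch mechanically. The script below is an added illustration, not code from anyone in this thread. It assumes a constructed host inventory with both addresses per DMZ host, a constructed flat rule list of the form (family, action, source prefix, destination host, port), and a hypothetical PREFIX_MAP that records which v6 prefix the ISP assigned as the counterpart of each v4 source prefix (the "communication with your ISP" part); "any" sources match across families without a map entry.

```python
"""Report IPv4/IPv6 firewall rule drift for a dual-stack DMZ.

Everything here is constructed sample data for illustration; the host
names, addresses, prefixes and rules are not from the thread.
"""
import ipaddress

# Constructed inventory: each DMZ host and its v4/v6 addresses.
# A host with v6 None has not been dual-stacked yet.
INVENTORY = {
    "www":  {"v4": "192.0.2.10", "v6": "2001:db8:1::10"},
    "mail": {"v4": "192.0.2.25", "v6": "2001:db8:1::25"},
    "dns":  {"v4": "192.0.2.53", "v6": None},
}

# Hypothetical mapping of v4 source prefixes to the v6 prefix the ISP
# handed out for the same site (e.g. a management network).
PREFIX_MAP = {
    "198.51.100.0/24": "2001:db8:ffff::/48",
}

# Constructed rule list: (family, action, source prefix, dest host, port).
RULES = [
    ("v4", "ACCEPT", "0.0.0.0/0",        "www",  443),
    ("v6", "ACCEPT", "::/0",             "www",  443),
    ("v6", "ACCEPT", "::/0",             "www",   80),   # v6-only: nobody added v4
    ("v4", "ACCEPT", "0.0.0.0/0",        "mail",  25),   # v6 twin never written
    ("v4", "ACCEPT", "0.0.0.0/0",        "dns",   53),   # host has no v6 address
    ("v4", "ACCEPT", "198.51.100.0/24",  "www",   22),
    ("v6", "ACCEPT", "2001:db8:ffff::/48", "www", 22),
    ("v4", "ACCEPT", "203.0.113.0/24",   "www",   22),   # no v6 prefix mapped
]


def check_inventory(inventory):
    """Sanity-check that each address really is of the family it is filed under."""
    bad = []
    for host, addrs in inventory.items():
        for fam, version in (("v4", 4), ("v6", 6)):
            addr = addrs.get(fam)
            if addr is not None and ipaddress.ip_address(addr).version != version:
                bad.append((host, fam, addr))
    return bad


def find_drift(rules, inventory, prefix_map):
    """Pair v4 and v6 rules by (action, canonical source, host, port).

    Returns a dict with:
      missing_v6   v4 rules with no v6 counterpart on a dual-stacked host
      missing_v4   v6 rules with no v4 counterpart
      no_v6_host   v4 rules whose host has no v6 address yet (a migration gap)
      unmapped_src v4 rules whose source prefix has no known v6 twin
    """
    v4, v6, unmapped = {}, {}, []
    for rule in rules:
        fam, action, src, dst, port = rule
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            key_src = "any"             # 0.0.0.0/0 and ::/0 are the same policy
        elif fam == "v4":
            if src not in prefix_map:
                unmapped.append((fam, src))
                continue
            key_src = prefix_map[src]   # compare v4 rule under its v6 prefix name
        else:
            key_src = src
        (v4 if fam == "v4" else v6)[(action, key_src, dst, port)] = rule

    missing_v6, no_v6_host = [], []
    for key, rule in v4.items():
        if key in v6:
            continue
        if inventory[key[2]]["v6"] is None:
            no_v6_host.append(rule)
        else:
            missing_v6.append(rule)
    missing_v4 = [rule for key, rule in v6.items() if key not in v4]
    return {
        "missing_v6": missing_v6,
        "missing_v4": missing_v4,
        "no_v6_host": no_v6_host,
        "unmapped_src": unmapped,
    }


if __name__ == "__main__":
    for host, fam, addr in check_inventory(INVENTORY):
        print(f"inventory error: {host} {fam} = {addr}")
    for category, items in find_drift(RULES, INVENTORY, PREFIX_MAP).items():
        for item in items:
            print(f"{category}: {item}")
```

Run it against an export of the real rule set and inventory before a change is approved; a non-empty missing_v6 or missing_v4 list is the review finding, and no_v6_host separates "rule not written" from "host not yet dual-stacked" so the two are tracked as different work items.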