On 11/26/19 12:13 AM, Sabri Berisha wrote:

> ----- On Nov 26, 2019, at 1:36 AM, Doug Barton dougb@dougbarton.us wrote:
>
>> I get that some people still don't like it, but the answer is IPv6. Or, folks can keep playing NAT games, etc. But one wonders at what point rolling out IPv6 costs less than all the fun you get with [CG]NAT.
>
> When the MBAs start realizing the risk of not deploying it.
>
> I have some inside knowledge about the IPv6 efforts of a large eyeball network.

For what it's worth, I have extensive experience in both eyeball and content networks.

> In that particular case, the cost of deploying IPv6 internally is not simply configuring it on the network gear;

We're rehashing old ground here. Perhaps you weren't on the list the last N times this has come up. My short answer, I didn't say it would be easy, I said it is less expensive than the alternatives over time.

> that has already been done. The cost of fully supporting IPv6 includes (but is probably not limited to):
>
> - Support for deploying IPv6 across more than 20 different teams;

I don't understand how you're using "teams" here. For the most part you turn it on, and end-user systems pick up the RA and do the right thing. If you want something fancier, you can do that with DHCP, static addressing, etc. In other words, this works the exact same way that IPv4 does.

> - Modifying old (ancient) internal code;

What code? IPv4 isn't going away on the inside, so what needs to be modified? If you're talking monitoring software, etc., if you're still using software that doesn't understand IPv6, you're way overdue for an upgrade already.

> - Modifying old (ancient) database structures (think 16 character fields for IP addresses);

Either see above, or much more likely you'd be adding a field, not modifying the existing one.

> - Upgrading/replacing load balancers and other legacy crap that only support IPv4 (yeah, they still exist);

If we're talking about an enterprise that is seriously still using stuff this old, it's more likely than not that IPv6 is the least of their worries. And I'm not being flippant or disrespectful here. For at least the last 10 years or so, and definitely in the last 5, all of the enterprise level network gear sold has had support for IPv6. So again, way overdue for an update, but if this is all you have available, then you likely have bigger fish to fry. (And feel free to save the obligatory, "My favorite network widget that I use in my 100% enterprise-class network does not support IPv6." Yes, I realize that there are exceptions, but they are the exceptions, not the rule.)

> - Modifying the countless home-grown tools that automate firewalls etc;

Yes, this is actually a legitimate point.

> - Auditing the PCI infrastructure to ensure it is still compliant after deploying IPv6;

Also legit, where it applies, although you also have the option of not deploying on the network with the PCI data. For internal-only things, it's great to have IPv6, and will become increasingly important as time goes on, but it's not required.

> Execs have bonus targets. IPv6 is not yet important enough to become part of that bonus target: there is no ROI at this point.
That depends heavily on what enterprise you're talking about. The point I'm trying to make is that there IS an ROI here. For content providers it's the ability to create a stable network architecture across all of your sites, and connect directly to the many eyeballs that are already on IPv6 (cell networks, many ISPs, etc.). There is also the much harder to define ROI for future-proofing the network, but that's part of the master class. :)

For eyeball networks the same stable network architecture argument applies. The immediate ROI is harder to define, but similar, in the sense that connecting directly to the many content networks that have already deployed IPv6 and future-proofing are both relevant. Much harder for the eyeball networks to quantify are the savings related to NOT having to do [CG]NAT, etc.

To create that slide you need an exec who truly understands the (rising over time) costs of twiddling around with the NATs, as well as the realistic costs involved in rolling out IPv6 balanced by the long term support. Then you also need an executive team and board that can understand those slides when they see them.

But it's not all in vain. I'm on Spectrum here at home, and I have native IPv6 that "just worked" from the moment I plugged my router into my cable modem. So there are a non-trivial number of both eyeball and content networks that already get it. The value proposition obviously does exist, we just need more people in the right places with the right knowledge and experience to make it happen.

Doug