What's the problem with independent address space for every entity (company, family, enterprise) which wants it? Big routing tables? Is RT of 1,000,000 routes BIG? I do not think so. Memory is cheap, modern routing schemas like CEF are effective. How many entities do we have on earth? It was a problem, but it IS NOT ANYMORE.
IPSec - see all ISAKMP schema and IPSEC security associations, and see IPSec incompatibilities. Compare with SSL (works out-of-the-box in 99.999% cases, and allows both, full and hard security with root certificates etc, or simple security based on _ok, I trust you first time, then we can work_). Why does MS use PPTP? Because it is much more practical vs IPSec.
IPv4 was strong because it was designed by practical people and not so much by committees. IPv6 was designed by committees mainly. Do you know that 'a camel is a horse designed by committee'?
----- Original Message -----
From: "Mohacsi Janos" <mohacsi@niif.hu>
To: "Alexei Roudnev" <alex@relcom.net>
Cc: "Daniel Golding" <dgolding@burtongroup.com>; "Scott McGrath" <mcgrath@fas.harvard.edu>; "David Conrad" <david.conrad@nominum.com>; <nanog@merit.edu>
Sent: Thursday, July 07, 2005 1:08 AM
Subject: Re: OMB: IPv6 by June 2008
On Wed, 6 Jul 2005, Alexei Roudnev wrote:
IPv6 is an excellent example of a _second system_ (do you remember the book written by Brooks many years ago?). Happy engineers put all their crazy ideas together into the second version of the first (successful) thing, and they wonder why it does not work properly. OS/360 is one example, IPv6 will be another.
But I think IPv6 will one day be a primary system.
IPv6 address allocation schema is terrible (who decided to use SP dependent spaces?), security is terrible (who designed the IPSec protocol?) and so on.
If you can propose better solution to not to blow up routing table with large number of entries you can speak at IETF v6ops.
What is the problem with IPSec?
Unfortunately, it can fail only if something else will be created, which does not look so.
Regards,
Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98
----- Original Message -----
From: "Daniel Golding" <dgolding@burtongroup.com>
To: "Scott McGrath" <mcgrath@fas.harvard.edu>; "David Conrad" <david.conrad@nominum.com>
Cc: <nanog@merit.edu>
Sent: Wednesday, July 06, 2005 8:58 AM
Subject: Re: OMB: IPv6 by June 2008
There is an element of fear-mongering in this discussion - that's why many of us react poorly to the idea of IPv6. How so?
- We are running out of IPv4 space!
- We are falling behind <#insert scary group to reinforce fear of Other>!
- We are not on the technical cutting edge!
Fear is a convenient motivator when facts are lacking. I've read the above three reasons, all of which are provably incorrect or simple fear mongering, repeatedly. The assertions that we are falling behind the Chinese or Japanese are weak echoes of past fears.
The market is our friend. Attempts to claim that technology trumps the market end badly - anyone remember 2001? The market sees little value in v6 right now. The market likes NAT and multihoming, even if many of us don't.
Attempts to regulate IPv6 into use are as foolish as the use of fear-based marketing. The gain is simply not worth the investment required.
- Daniel Golding
On 7/6/05 11:41 AM, "Scott McGrath" <mcgrath@fas.harvard.edu> wrote:
You do make some good points as IPv6 does not address routing scalability or multi-homing, which would indeed make a contribution to lower OPEX and be easier to 'sell' to the financial people.
As I read the spec it makes multi-homing more difficult since you are expected to receive space only from your SP; there will be no 'portable assignments' as we know them today. If my reading of the spec is incorrect someone please point me in the right direction.
IPv6's hex based nature is really a joy to work with. IPv6 definitely fails the human factors part of the equation.
Scott C. McGrath
On Wed, 6 Jul 2005, David Conrad wrote:
On Jul 6, 2005, at 7:57 AM, Scott McGrath wrote:
IPv6 would have been adopted much sooner if the protocol had been written as an extension of IPv4 and in this case it could have slid in under the accounting departments radar since new equipment and applications would not be needed.
IPv6 would have been adopted much sooner if it had solved a problem that caused significant numbers of end users or large scale ISPs real pain. If IPv6 had actually addressed one or more of routing scalability, multi-homing, or transparent renumbering all the hand wringing about how the Asians and Europeans are going to overtake the US would not occur. Instead, IPv6 dealt with a problem that, for the most part, does not immediately affect the US market but which (arguably) does affect the other regions. I guess you can, if you like, blame it on the accountants...
Rgds, -drc
--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
On 7-jul-2005, at 18:58, Alexei Roudnev wrote:
Is RT of 1,000,000 routes BIG?
We've had this discussion very many times. Both the maximum number of routes routers can hold at any time in the future and the number of prefixes people are going to inject at that time are unknown. This makes it impossible to guarantee that the former is higher than the latter.
Compare with SSL (works out-of-the-box in 99.999% cases, and allows both, full and hard security with root certificates etc, or simple security based on _ok, I trust you first time, then we can work_).
If I'm on the same shared medium as you I can kill your SSL session with one packet.
IPv4 was strong because it was designed by practical people and not so much by committees. IPv6 was designed by committees mainly. Do you know that 'a camel is a horse designed by committee'?
So when is the last time you sent an ICMP source quench? Or set any of the low delay / high reliability / high throughput bits in the IP header?
----- Original Message -----
What am I, your janitor? Can't you throw your garbage in the trashcan?
On Thu, Jul 07, 2005 at 09:58:56AM -0700, Alexei Roudnev wrote:
What's the problem with independent address space for every entity (company, family, enterprise) which wants it? Big routing tables? Is RT of 1,000,000 routes BIG? I do not think so. Memory is cheap, modern routing schemas like CEF are effective. How many entities do we have on earth? It was a problem, but it IS NOT ANYMORE.
One of the problems that is frequently overlooked here is that while the size of the DFZ is more or less bounded (although not as meaningfully so for IPv6 as it is for IPv4), the dynamic nature of the routing table is not bounded. Add to this that the less aggregation you have, the more the DFZ is exposed to those dynamics. The point here being that the memory requirements of the DFZ table are just one of the dimensions that must be considered if we intend the network to scale.
Dave
Alexei,
On Jul 7, 2005, at 9:58 AM, Alexei Roudnev wrote:
What's the problem with independent address space for every entity (company, family, enterprise) which wants it?
It doesn't scale. Regardless of Moore's law, there are some fundamental physical limits that constrain technology.
How many entities do we have on earth?
Well, there are 6 billion people on the planet. Don't know how many companies or families. Don't know how many autonomous devices there will be (e.g., cars, planes, boats, ships, satellites, light bulbs, gastro-intestinal probes, etc. etc.).
It was a problem, but it IS NOT ANYMORE.
You're not thinking big enough.
IPSec - see all ISAKMP schema and IPSEC security associations, and see IPSec incompatibilities.
Any new protocol has initial interoperability problems when it is being developed by different people/teams.
Compare with SSL (works out-of-the-box in 99.999% cases, and allows both, full and hard security with root certificates etc, or simple security based on _ok, I trust you first time, then we can work_).
a) I suspect most SSL implementations derive out of the same code base.
b) SSL has been around longer.
c) SSLeay had lots of interoperability issues when it first came out.
Why does MS use PPTP? Because it is much more practical vs IPSec.
MS uses PPTP because it meets their business requirements. The fact that it is more practical is a second order effect.
Rgds,
-drc
I don't want to get into an SSL vs. IPsec argument, but...
David Conrad <david.conrad@nominum.com> writes:
Compare with SSL (works out-of-the-box in 99.999% cases, and allows both, full and hard security with root certificates etc, or simple security based on _ok, I trust you first time, then we can work_).
a) I suspect most SSL implementations derive out of the same code base.
I'd be surprised if this is correct. The three major SSL/TLS implementations by deployment are:
1. OpenSSL (used in Apache2, ApacheSSL, and mod_ssl)
2. Microsoft (used in IE and IIS)
3. Firefox/Mozilla (based on Netscape's NSS)
These are all genetically distinct. In addition, there are at least three independent Java implementations (JSSE, PureTLS, SSLava). In addition, Terisa Systems (now Spyrus) independently implemented SSLv3 (though our v2 stack had some of Netscape's SSLref stack) and I believe that Consensus Development did so as well.
-Ekr
Participants (6): Alexei Roudnev, David Conrad, David Meyer, Eric Rescorla, Iljitsch van Beijnum, Randy Bush