Re: IPv6 Deployment for the LAN
It's certainly encouraging to see how there is such consensus among NANOG on IPv6 deployment. :-) Recent exchanges seem to be getting a little personal, so we might want to take a step back and breath. I don't think adding default gateway support to DHCPv6 will have much of an impact, but I'm OK with people trying to get it implemented. Another tool in the box. I just wouldn't hold your breath waiting for it. I think the better approach is to take a firm stand on security and make RA gaurd and DHCPv6 snooping expected for network devices. These problems will still exist if default gateway options for DHCPv6 get implemented. As for RA taking down a network quickly, well, it can be restored quickly too. The fact that RA is actually responsive can be a benefit in some situations. Hopefully if anything has come out of this thread its that both stateless and stateful configuration have a place in IPv6, and that there is still work to be done before IPv6 is really ready for the enterprise LAN. Others may have their specific requests from vendors, but here are mine: 1. Include DHCPv6 client functionality as part of any IPv6 implementation. 2. Support RA-gaurd and DHCPv6 snooping in L2 network infrastructure. A lot of the frustration seems to come from Windows ICS acting as an IPv6 router. I think everyone here has been after Microsoft to either remove ICS or make it more difficult to enable at one point or another. While a rogue RA can come from anywhere, Windows is usually the guilty party. I would argue that since NAT is not a component of IPv6, no host should be implementing ICS-like functionality for IPv6. It's unlikely that there would be a situation on an IPv6 network that a host needed to share it's IPv6 address to get others online. Just my thoughts. Maybe someone from Microsoft who can do something about it lurks on this list. -- Ray Soucy Communications Specialist +1 (207) 561-3526 Communications and Network Services University of Maine System http://www.maine.edu/
Ray Soucy wrote:
Others may have their specific requests from vendors, but here are mine:
1. Include DHCPv6 client functionality as part of any IPv6 implementation. 2. Support RA-gaurd and DHCPv6 snooping in L2 network infrastructure.
I can agree with that. I would also add that there is plenty of work that can be done to DHCP, such as adding full route support, multiple gateways with preference and even transitioning from a binary only protocol.
A lot of the frustration seems to come from Windows ICS acting as an IPv6 router. I think everyone here has been after Microsoft to either remove ICS or make it more difficult to enable at one point or another. While a rogue RA can come from anywhere, Windows is usually the guilty party. I would argue that since NAT is not a component of IPv6,
NAT wasnt a component of IPv4 until it was already had widespread adoption. I remain completely unconvinced that people will not continue to perceive value in PAT6 between their private and their public subnets. And of course, different forms of NAT are almost certainly required to try to make ipv4 and ipv6 interoperate for as long as people need it to.
no host should be implementing ICS-like functionality for IPv6. It's unlikely that there would be a situation on an IPv6 network that a host needed to share it's IPv6 address to get others online.
Just my thoughts. Maybe someone from Microsoft who can do something about it lurks on this list.
Good luck. Joe
On Oct 22, 2009, at 4:27 PM, Joe Maimon wrote:
Ray Soucy wrote:
Others may have their specific requests from vendors, but here are mine: 1. Include DHCPv6 client functionality as part of any IPv6 implementation. 2. Support RA-gaurd and DHCPv6 snooping in L2 network infrastructure.
I can agree with that.
I would also add that there is plenty of work that can be done to DHCP, such as adding full route support, multiple gateways with preference and even transitioning from a binary only protocol.
A lot of the frustration seems to come from Windows ICS acting as an IPv6 router. I think everyone here has been after Microsoft to either remove ICS or make it more difficult to enable at one point or another. While a rogue RA can come from anywhere, Windows is usually the guilty party. I would argue that since NAT is not a component of IPv6,
NAT wasnt a component of IPv4 until it was already had widespread adoption. I remain completely unconvinced that people will not continue to perceive value in PAT6 between their private and their public subnets.
People may perceive value, but, I truly hope that they won't be able to obtain the "functionality". It's just a very bad idea that does terrible things to the network. NAT/PAT was a necessary evil in IPv4 to extend the lifetime of the addressing until IPv6 could be almost ready. It should be allowed to die with IPv4.
And of course, different forms of NAT are almost certainly required to try to make ipv4 and ipv6 interoperate for as long as people need it to.
Sort of, but, yeah. That's OK. Unfortunate, but, OK. I actually think that now that we have a transfer market policy, IPv4 will probably die much faster than it would have otherwise. Owen
Owen DeLong wrote:
On Oct 22, 2009, at 4:27 PM, Joe Maimon wrote:
NAT wasnt a component of IPv4 until it was already had widespread adoption. I remain completely unconvinced that people will not continue to perceive value in PAT6 between their private and their public subnets.
People may perceive value, but, I truly hope that they won't be able to obtain the "functionality". It's just a very bad idea that does terrible things to the network. NAT/PAT was a necessary evil in IPv4 to extend the lifetime of the addressing until IPv6 could be almost ready. It should be allowed to die with IPv4.
I have had the privilege of seeing quite a few different organizations networks up close and personal, from small to very large, networks and organizations. I can recall two, both in academia, that used global unique to the desktop, firewalled of course. I can think of another two who chose to use public ASN and BGP because of input I was part of. Neither obtained PI space. Neither used global unique addresses anywhere near an internal server or desktop. Most of the rest use private space exclusively internal and different chunks of public space from different providers, from /24 - /28. For redundancy and load balancing, the tool of choice is natting load balancers or just plain nat with ecmp. Some even used private ASN (or provider ASN) to get their internet service with some degree of redundancy, but still just some chunks of PA /25 or so. I dont think IPv6 has much to offer these companies. I dont think encouraging all of them to get an ASN and PI /48 is that great an idea for both network operators and these organizations and I highly doubt that PA ipv6 has any real attraction to them at all. Depletion wont have any real affect on them at all. Perhaps it means they wont be able to get /25 or /26, but they most likely will have no issues lighting up new connectivity with a /28 or /29. Should they need native access to IPv6 content/endpoints, they would probably choose to use another nat functionality at the external points in their network. Only if there was no other way to do it would they consider lighting up guIPv6 to the desktop. And they would be quite unhappy about it. Many of these companies have explicit security policies concerning this. Many of these network architects have explicit preferences concerning this. Naturally there are probably many other end user organizations who wont fit in these lines, but my experience suggests that there are large percentages who will. I truly think it is way too early to decide and predict that IPv6 will not ever have widespread use of IPv6 PAT to IPv6
And of course, different forms of NAT are almost certainly required to try to make ipv4 and ipv6 interoperate for as long as people need it to.
Sort of, but, yeah. That's OK. Unfortunate, but, OK.
I actually think that now that we have a transfer market policy, IPv4 will probably die much faster than it would have otherwise.
Owen
Depletion wont ring a death knell for any end user with existing connectivity. What it will do is cause providers to start harvesting the fat in their networks. Some providers who will choose to implement private ipv4 along with IPv6 rollouts are likely to have very large amounts of that fat. Other companies with large amounts of fat probably exist as well, from the companies who had the habit of assigning /26 to every leased line customer back in the day to the hosters who handed out /24 like candy. What is a residential cable or DSL company who replaced millions of subscribers guIPv4 address with dual stack (lite?) private ipv4 and guIPv6 going to do with the all that IPv4? Will they cutover to new models that arent guIPv4 centric by attrition or quicker? I believe there will be strong pressure to monetize IPv4 addresses, both for internal customer use and perhaps to transfer it to other organizations. This is not necessarily a bad thing. People who want it will pay for it and those who do not will not. This will likely result in the identification of more IPv4 fat to be harvested. The really nice side effect would hopefully be to provide economic incentive to IPv6 as an alternative to pricey IPv4, which could provide enough acceleration to ipv6 demands to reach a tipover point sooner, rather then later. So in that sense, you could be right. Joe
participants (3)
-
Joe Maimon
-
Owen DeLong
-
Ray Soucy