From: David R Conrad <davidc@iij.ad.jp>
Yeah, there are 2^32 bits of address space, after all.
There are? I always thought there were 32 bits of address space, not 2^32, and the code that I wrote even worked... :)
After all, if we all do our jobs right, maybe someday we can make the firewalls go away....
If we all do our jobs right, it won't matter if someone uses 1597 space. Firewalls will never go away -- they're too useful.
Firewalls are a kludge; they're necessitated only by the lack of strong authentication in the stack. I daresay that if the current level of threat continues to escalate (to quote a friend, "it's a bad neighborhood out there"), I foresee that the need for Joe Everyman to run a firewall will diminish or disappear, and sooner - not later.

Now, I won't dispute that there will be some places where either because of legacy systems in house or paranoia they continue to run a firewall. But the 95% solution will be in place, and if they previously chose to use 1597-style addresses, the 95% of the world who decided they didn't need firewalls anymore because of strong authentication will be forced to renumber.

I am more than willing to admit that 1597 has its uses, and people who find RFCs 1597 and 1627 on their own, read them, and figure out whether they want to bear the risks and consequences should feel free to use the addresses. That *doesn't* mean, however, that it should be promoted or upgraded from "informational" to "recommended", and I no longer recommend it to "casual" IP users.

The concept of globally unique addressing is simply far too powerful and far too useful for us to summarily and without further thought assert that firewalls are a fact of life that will be with us forever.

---Rob
Hi,

Much as I like to debate RFC 1597 and Firewalls... That is not the topic of this thread. I was pointing out a useful (to me) hack to verify BGP peering and route generation w/o the need to "expose" routes that I might not be authoritative for. I would like to know if others think this was/is worthwhile?

--
--bill
Yeah, there are 2^32 bits of address space, after all.
There are? I always thought there were 32 bits of address space, not 2^32, and the code that I wrote even worked... :)
I was just following the trend for IP address sizes? Sigh. Never send mail to public lists when suffering from near terminal jetlag.
Now, I won't dispute that there will be some places where either because of legacy systems in house or paranoia they continue to run a firewall. But the 95% solution will be in place, and if they previously chose to use 1597-style addresses, the 95% of the world who decided they didn't need firewalls anymore because of strong authentication will be forced to renumber.
Ummm. Do you really think IPv4 will have enough security backfitted onto it to make 95% of the firewalls unnecessary? And before either IPv4 runout or IPv6 transition? And if so, would you stake your career (as a corporate security geek) on it?
I am more than willing to admit that 1597 has its uses, and people who find rfcs 1597 and 1627 on their own, read them, and figure out whether they want to bear the risks and consequences should feel free to use the addresses.
Agreed.
That *doesn't* mean, however, that it should be promoted or upgraded from "informational" to "recommended",
I don't think anyone is considering doing this.
The concept of globally unique addressing is simply far too powerful and far too useful for us to summarily and without further thought assert that firewalls are a fact of life that will be with us forever.
Firewalls act as a single point of entry and exit that can be secured for many reasons, not all having to do with protecting an internal network from the unpleasantries of networking life. One possible use would be to reduce the number of networks you have to have routed, which (depending on who your ISP is) could save significant amounts of money. Further, telling corporate security geeks to "not worry, this IPv* stack is secure" will most likely not be too effective, especially when people can turn the security off on their workstation (or will the IPv* stacks be unconfigurable?).

In any event, to bring this more into NANOG (contrary to my previous assertion, my boss is insisting I go to the NANOG meeting), I was wondering if people felt a small 'discussion' regarding the RFC 1597/1627 swamp would be appropriate during the "CIDR/Aggregation/Allocation Policies" discussion on Thursday? I'd be interested in hearing operators' feelings regarding this issue, particularly since the IAB feels 1597 needs to be revised.

Thanks,
-drc
participants (3)
- bmanning@ISI.EDU
- David R Conrad
- Robert E. Seastrom