Re: [fw-wiz] IPv6 support in firewalls



David Lang wrote:
On Wed, 22 Aug 2007, Darren Reed wrote:

Marcus J. Ranum wrote:
Dave Piscitello wrote:
I suppose I should begin by answering the "why the interest in IPv6?"
question. Simply put, we are running out of IPv4 addresses (yeah, I
know, the Sky is Falling, NAT will save us forever...). Based on current
consumption rates, some folks speculate that the remaining addresses
not yet distributed by IANA will be exhausted by 2009.

This prediction was made before, if I recall correctly. In 1994. Except
that we were going to run out, uh, in 1999. Yes, the sky is falling, but
it appears to be falling fairly slowly and gently. :)

Perhaps something better than IPv6 will still come along. You know,
like what a few of us suggested back in 1992 - namely doubling
the address size, left-filling with zeroes, and bumping the
version number? ;)
..

It's not just this, people today want to deploy/build large scale IP
networks where 10/8 isn't enough, not to mention giving those
addresses visibility to the Internet.

Who has 4B machines? Or, assuming you gave each machine a /30
subnet, who has 1B machines?

I said 10/8, not 0/32.
10/8 is only 16M addresses.
How many mobile phones are there connected to (say) AT&T's phone network?
More than 16M. If AT&T wanted to be able to address each phone individually
on their internal network at any given point in time?
And then what about say one of the Chinese carriers with another 30M phones?
How do you fit those into an already crowded Internet address space with
only 32 bits of addressing available to you?


The claim that 10/8 isn't big enough is making large assumptions
about how you allocate the addresses.

Yes and no. If you think about it, 16,000,000 isn't really a lot.

At 4B, that's barely enough for 1 per person for some value of "yesterday".
If you said everyone on the planet was entitled to a /24, then you need over
40 bits in the address space, and that's just flat allocation.


As for making those machines visible on the Internet, I'd ask why
they need to be directly visible. Something on this scale is probably
not _really_ needing everyone else on the Internet to connect on
arbitrary ports, and once you start defining what traffic you need you
can define ways to get to them with that traffic without needing to
have the machines directly visible (also contrary to what the IPv6
pushers say).

Even if they don't need to be directly visible on the Internet,
they may need to be (or it is desirable for it to be possible)
visible inside some other network.

People design networks according to various needs.
As corporations grow and the world connected to the network
grows, so too will the demands placed on IPv4 addresses.
While there will always be refuseniks who want to believe that
IPv4 can't do it, the reality is that it is getting close to the end of
its useful life in terms of address space. Having to put everything
behind NATs sucks for end host visibility.

Move with the times, accept that IPv6 will become reality,
shout and scream a little if that helps. But we are getting to
a point where the amount of engineering required to keep
IPv4 going is becoming more than it's worth, so accepting
that, however much it hurts, is probably worth your while.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
