Re: [fw-wiz] IPv6

Hi Paul,

Administrative nightmare aside, I agree it's possible and possibly
sustainable, perhaps while some governments heed Darren's advice and
mandate implementation :-)

It certainly seems like the majority of organizations are relying on
this to prove true.

Problems will only grow as some networks evolve from

"only IPv4" to
"v4 and v6, prefer v4" to
"v4 and v6, prefer v6" to
"only v6" (not in my lifetime or perhaps my children's)

And I'm not only talking about routing/reachability here. Some of these
problems are currently seen in DNS implementations (stub and resolver
handling of responses) and servers (what people include in their zone
files and how OSs work, see this thread for a sample
http://www.tunnelbroker.net/forums/index.php?topic=747.0).

I am also not convinced that some 11th hour 59th minute "change of
heart" won't occur, and someone will convince the community of an
alternative course. A surprising number of class A's could be returned
to the allocation pool (Interop just returned one). Perhaps we'd do
better with Moskowitz's Host ID in the prolonged NAT'd world you
envision. I don't know enough about how this works to assert this but
Bob would. But I'm not certain that we really need to have statistically
publicly unique addresses for every device and RFID-enabled container,
either. This could prove to be the lazy path forward.

I say "lazy path forward" because at this point IPv6 is nearly 2 decades
old and arguably has less of a foothold than ISDN after the same time
span. Almost all of what was considered "innovation" is either enfolded
into IPv4 or proven to be less useful than imagined. I suspect a fair
number of right-thinking people are asking "is this the best we can do?
are we really only doing this because we are running out of addresses?"
I worry that we'll *only* get a bigger address space out of this
migration and that is a tragedy.

Sorry if I've rambled...

On 1/6/2011 7:00 PM, Paul Melson wrote:
> On Thursday, January 6, 2011, Dave Piscitello <dave@corecom.
>
>> If ever the phrase "living on borrowed time" applied to the Internet, it
>> might be now. Many organizations are approaching a time when they may
>> have to accept a weaker security deployment in order to add systems
>> because they won't be able to obtain IPv4 addresses.
>
> Nah, RFC1918 reserved address spaces and NAT ensure ridiculous levels
> of internal scalability. It's an ugly administrative nightmare, but
> very much possible. And with the right public-facing services
> infrastructure, it's possible to obscure tens of thousands of servers
> behind a single IPv4 address. As an industry, we have yet to plumb
> the true depths of IP address space management. And until we do,
> where's the incentive to push for v6 adoption?
>
> PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards