Mailing List Archive

Another driver for v6?
According to
http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
Windows 7 will have a cool feature called DirectAccess that "requires
deploying IPv6 and IPsec". I know nothing more of this feature than is
in the article, but if accurate it may create a client-centric demand
for v6, i.e., desirable new functionality that isn't available on v4.

Of course, Windows 7 will have to ship first, and then get deployed in
the enterprise...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Another driver for v6? [ In reply to ]
On 29/10/2008, at 3:40 PM, Steven M. Bellovin wrote:

> According to
> http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec". I know nothing more of this feature than
> is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.
>
> Of course, Windows 7 will have to ship first, and then get deployed in
> the enterprise...


Thanks, Teredo.

Interesting point, IPSEC is really useful in IPv6, especially
transport mode opportunistic encryption/authentication. But, that
requires (in my understanding) keys in DNS, which really needs a
secure DNS infrastructure to be, well, secure...

stir stir stir

Notice the DNSSEC support at the end of page one and beginning of page
two.

--
Nathan Ward
Re: Another driver for v6? [ In reply to ]
Nathan Ward wrote:
> On 29/10/2008, at 3:40 PM, Steven M. Bellovin wrote:
>
>> According to
>> http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
>> Windows 7 will have a cool feature called DirectAccess that "requires
>> deploying IPv6 and IPsec". ...
>
>
> Thanks, Teredo.
>
> Interesting point, IPSEC is really useful in IPv6, especially transport
> mode opportunistic encryption/authentication. But, that requires (in my
> understanding) keys in DNS, which really needs a secure DNS
> infrastructure to be, well, secure...
>
> ...

The new UDP-based RTMFP protocol that just shipped in Flash Player 10
will automatically use IPv6 for both client-server (to Flash Media
Server) and direct Flash Player-to-Flash Player communication if there
is a working IPv6 path between the endpoints and it is at least as fast
or faster than the IPv4 path latency-wise. (Not that there are many of
those these days... but as they start to exist, you'll start seeing the
traffic on them) It is also encrypted and (in some cases) authenticated.

Matthew Kaufman
matthew@eeph.com
http://www.matthew.at
Re: Another driver for v6? [ In reply to ]
On Tue, 28 Oct 2008, Steven M. Bellovin wrote:

> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec". I know nothing more of this feature than is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.

Microsoft has been at at least two events I've attended and done
presentations about a strategy that sounds like what you're talking about.

They claim they will deploy IPv6 in their worldwide enterprise network, do
away with central based enterprise firewalls and do host-to-host
IPv6+IPSEC, Active Directory based certificates for authentication.

They indicate this as a strategy to do away with VPN clients, so in order
to reach your work resources from home you'd need to have some kind of
IPv6 connectivity, tunneled or not. You'd then connect to all resources
using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end
principle of the Internet that most of us appreciate. I also bought their
claim about much improved security and their 5 year long track of no
remote exploits like Slammer, when they had to release their emergency
patch for that RPC based remote exploit the other week, which kind of
broke their streak... :P

Let's hope they can sell this to all the enterprise guys, as I am very
tired of all the problems caused by multiple layers of NATs and PAT.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
> They claim they will deploy IPv6 in their worldwide enterprise network, do
> away with central based enterprise firewalls and do host-to-host
> IPv6+IPSEC, Active Directory based certificates for authentication.

That's why we end up breaking end to end, to cover up for stuff that
exposes more than people are comfortable with

> All security would be host based.

Right, the last thing to trust based on experience so far

First they need to get rid of all the bots and other
malware before hosts can be trusted.

> as I am very tired of all the problems caused by multiple
> layers of NATs and PAT.

Likewise but more because people keep designing stuff to try and force
others to get rid of them, ignoring why they have them.

brandon
Re: Another driver for v6? [ In reply to ]
Brandon Butterworth wrote:
>> as I am very tired of all the problems caused by multiple
>> layers of NATs and PAT.
>
> Likewise but more because people keep designing stuff to try and force
> others to get rid of them, ignoring why they have them.

A false sense of security? The belief that hiding behind a single IP might
disguise how many hosts you have, which in turn might provide some form of
hidden security?

Inside the network, host to host security is what should be. This can assist in
some protection against bots that do make it to the network, or internal
maliciousness. Security from within has always been overlooked by many, and yet
it is the employees who provide the largest security risk.

Stateful firewalls will not be going away entirely, but they can track state and
perform proxy services without performing address translation. It just scares
people because of their false belief that translating an address shows that
security is working. If stateful monitoring/proxying/limiting is not in working,
the address translation doesn't really matter.

NAT has had it's uses, but it's lazy and a false sense of overall security. I do
think Microsoft is crazy if they think the need for VPN will disappear, unless
they have another method for the stateful firewalls to snoop, monitor, and alter
the IPSEC host to host packets (which isn't entirely impossible).


Jack Bates
Re: Another driver for v6? [ In reply to ]
Mikael Abrahamsson wrote:
> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>

> They claim they will deploy IPv6 in their worldwide enterprise network,
> do away with central based enterprise firewalls and do host-to-host
> IPv6+IPSEC, Active Directory based certificates for authentication.

You know that windows 2000 was released with this functionality. Its
nothing new and it is not ipv6 specific.

Who is using it precisely?
Re: Another driver for v6? [ In reply to ]
On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:

>
>
> Mikael Abrahamsson wrote:
>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>
>> They claim they will deploy IPv6 in their worldwide enterprise
>> network, do away with central based enterprise firewalls and do
>> host-to-host IPv6+IPSEC, Active Directory based certificates for
>> authentication.
>
> You know that windows 2000 was released with this functionality. Its
> nothing new and it is not ipv6 specific.
>
> Who is using it precisely?

Microsoft, on 200,000 computers at the time of the paper below.

http://technet.microsoft.com/en-us/library/bb735174.aspx

We have a couple of departments using IPsec here and one more
seriously looking at it. (Mainly a matter of finding time to test and
implement.)

Plus there are at least a couple of other Universities.

http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1

https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1

And I see a City has been added to the list.

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161



http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf


---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
Re: Another driver for v6? [ In reply to ]
Kind of a side question but we have not implemented IPv6 in our network
yet, nor have we made any plans to do this in the near future. Our
management does not see a need for it as our customer base is not
requesting it at this time.

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if its just for internal usage?

Bruce Curtis wrote:
>
> On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:
>
>>
>>
>> Mikael Abrahamsson wrote:
>>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>>
>>> They claim they will deploy IPv6 in their worldwide enterprise
>>> network, do away with central based enterprise firewalls and do
>>> host-to-host IPv6+IPSEC, Active Directory based certificates for
>>> authentication.
>>
>> You know that windows 2000 was released with this functionality. Its
>> nothing new and it is not ipv6 specific.
>>
>> Who is using it precisely?
>
> Microsoft, on 200,000 computers at the time of the paper below.
>
> http://technet.microsoft.com/en-us/library/bb735174.aspx
>
> We have a couple of departments using IPsec here and one more
> seriously looking at it. (Mainly a matter of finding time to test and
> implement.)
>
> Plus there are at least a couple of other Universities.
>
> http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1
>
>
> https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1
>
>
> And I see a City has been added to the list.
>
> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161
>
>
>
>
> http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf
>
>
> ---
> Bruce Curtis bruce.curtis@ndsu.edu
> Certified NetAnalyst II 701-231-8527
> North Dakota State University
>
>

--
Steve King

Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional
Re: Another driver for v6? [ In reply to ]
On 30/10/2008, at 11:32 AM, Steven King wrote:

> Kind of a side question but we have not implemented IPv6 in our
> network
> yet, nor have we made any plans to do this in the near future. Our
> management does not see a need for it as our customer base is not
> requesting it at this time.
>
> Does anyone see any benefits to beginning a small deployment of IPv6
> now
> even if its just for internal usage?

Do your customers ask for IPv4, or do they just connect to the
"Internet" as you tell them?
Your customers are never going to ask, unless they have some propeller-
head who wants to be on the latest "version of the Internet".

If you tell them that you're giving them IPv6 service, you'll find
they start using it, and they'll ask other providers for it when re-
evaluating their service providers, and decide to stick with you as
you're forward looking and all that stuff.

I'm so over this chicken/egg thing it's not even funny, just do it
already. Well, if you don't it's no problem I suppose, your users are
automatically tunnelling across you already.

If you're only thinking about doing a small IPv6 deployment now,
you're behind the curve.

--
Nathan Ward
Re: Another driver for v6? [ In reply to ]
question - "beginning a small deployment of IPv6 now
even if its just for internal usage"


Sure! there are plenty of reasons .........most obvious one is to feel confortable about ipv6




--- On Wed, 10/29/08, Steven King <sking@kingrst.com> wrote:

> From: Steven King <sking@kingrst.com>
> Subject: Re: Another driver for v6?
> To: "Bruce Curtis" <bruce.curtis@ndsu.edu>
> Cc: nanog@nanog.org
> Date: Wednesday, October 29, 2008, 11:32 PM
> Kind of a side question but we have not implemented IPv6 in
> our network
> yet, nor have we made any plans to do this in the near
> future. Our
> management does not see a need for it as our customer base
> is not
> requesting it at this time.
>
> Does anyone see any benefits to beginning a small
> deployment of IPv6 now
> even if its just for internal usage?
>
> Bruce Curtis wrote:
> >
> > On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:
> >
> >>
> >>
> >> Mikael Abrahamsson wrote:
> >>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
> >>
> >>> They claim they will deploy IPv6 in their
> worldwide enterprise
> >>> network, do away with central based enterprise
> firewalls and do
> >>> host-to-host IPv6+IPSEC, Active Directory
> based certificates for
> >>> authentication.
> >>
> >> You know that windows 2000 was released with this
> functionality. Its
> >> nothing new and it is not ipv6 specific.
> >>
> >> Who is using it precisely?
> >
> > Microsoft, on 200,000 computers at the time of the
> paper below.
> >
> >
> http://technet.microsoft.com/en-us/library/bb735174.aspx
> >
> > We have a couple of departments using IPsec here and
> one more
> > seriously looking at it. (Mainly a matter of finding
> time to test and
> > implement.)
> >
> > Plus there are at least a couple of other
> Universities.
> >
> >
> http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1
> >
> >
> >
> https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1
> >
> >
> > And I see a City has been added to the list.
> >
> >
> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161
> >
> >
> >
> >
> >
> http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf
> >
> >
> > ---
> > Bruce Curtis
> bruce.curtis@ndsu.edu
> > Certified NetAnalyst II 701-231-8527
> > North Dakota State University
> >
> >
>
> --
> Steve King
>
> Cisco Certified Network Associate
> CompTIA Linux+ Certified Professional
> CompTIA A+ Certified Professional
Re: Another driver for v6? [ In reply to ]
I personally agree with that. Now only if I can convince our management
to start work on that.

isabel dias wrote:
> question - "beginning a small deployment of IPv6 now
> even if its just for internal usage"
>
>
> Sure! there are plenty of reasons .........most obvious one is to feel confortable about ipv6
>
>
>
>
> --- On Wed, 10/29/08, Steven King <sking@kingrst.com> wrote:
>
>
>> From: Steven King <sking@kingrst.com>
>> Subject: Re: Another driver for v6?
>> To: "Bruce Curtis" <bruce.curtis@ndsu.edu>
>> Cc: nanog@nanog.org
>> Date: Wednesday, October 29, 2008, 11:32 PM
>> Kind of a side question but we have not implemented IPv6 in
>> our network
>> yet, nor have we made any plans to do this in the near
>> future. Our
>> management does not see a need for it as our customer base
>> is not
>> requesting it at this time.
>>
>> Does anyone see any benefits to beginning a small
>> deployment of IPv6 now
>> even if its just for internal usage?
>>
>> Bruce Curtis wrote:
>>
>>> On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:
>>>
>>>
>>>> Mikael Abrahamsson wrote:
>>>>
>>>>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>>>>>
>>>>> They claim they will deploy IPv6 in their
>>>>>
>> worldwide enterprise
>>
>>>>> network, do away with central based enterprise
>>>>>
>> firewalls and do
>>
>>>>> host-to-host IPv6+IPSEC, Active Directory
>>>>>
>> based certificates for
>>
>>>>> authentication.
>>>>>
>>>> You know that windows 2000 was released with this
>>>>
>> functionality. Its
>>
>>>> nothing new and it is not ipv6 specific.
>>>>
>>>> Who is using it precisely?
>>>>
>>> Microsoft, on 200,000 computers at the time of the
>>>
>> paper below.
>>
>>>
>>>
>> http://technet.microsoft.com/en-us/library/bb735174.aspx
>>
>>> We have a couple of departments using IPsec here and
>>>
>> one more
>>
>>> seriously looking at it. (Mainly a matter of finding
>>>
>> time to test and
>>
>>> implement.)
>>>
>>> Plus there are at least a couple of other
>>>
>> Universities.
>>
>>>
>> http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1
>>
>>>
>>>
>> https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1
>>
>>> And I see a City has been added to the list.
>>>
>>>
>>>
>> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161
>>
>>>
>>>
>>>
>>>
>> http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf
>>
>>> ---
>>> Bruce Curtis
>>>
>> bruce.curtis@ndsu.edu
>>
>>> Certified NetAnalyst II 701-231-8527
>>> North Dakota State University
>>>
>>>
>>>
>> --
>> Steve King
>>
>> Cisco Certified Network Associate
>> CompTIA Linux+ Certified Professional
>> CompTIA A+ Certified Professional
>>
>
>
>
>

--
Steve King

Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional
Re: Another driver for v6? [ In reply to ]
On 30/10/2008, at 11:48 AM, Steven King wrote:

> I personally agree with that. Now only if I can convince our
> management
> to start work on that.
>
> isabel dias wrote:
>> question - "beginning a small deployment of IPv6 now
>> even if its just for internal usage"
>>
>>
>> Sure! there are plenty of reasons .........most obvious one is to
>> feel confortable about ipv6
>>


Another related good reason is so that in 18 months when they decide
they need it done last week, contractors like myself don't charge you
through the nose to implement it because management wouldn't let you
guys skill up on a test network now. That makes it a monetary thing,
something they understand better perhaps..

Yep, this post is going against my best instincts.

--
Nathan Ward
Re: Another driver for v6? [ In reply to ]
On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
> Does anyone see any benefits to beginning a small deployment of IPv6 now
> even if its just for internal usage?

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At
this point, I'd say people are still trying to figure out how clients
will migrate to IPv6. Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.


It is at this time more a question of strategic positioning. The
kind of thing your boss should be thinking about.

Switching your management network to IPv6 single-stack frees up
IPv4 addresses (depending on how big your management network is)
to use in customer-facing areas, which gives your network longer
legs in the projected IPv4 address shortfall. If you get really
pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
giving you another handful of precious moneymaking IPv4 addresses.

Having your backbone and servers AAAA'd (even on separate FQDN's),
tested, and ready to go puts you ahead of the curve if clients start
rolling out (you can just move your AAAA's around).

Starting now on collecting IPv6 peering wherever you peer puts you
ahead of the curve in the quality of your network's connectedness,
again presuming this IPv6 thing takes off.

And of course you need to "run your own dog food" on internal LANs
before you start telling customers these IPv6 address thingies are
useful.


IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
On Wed, 29 Oct 2008 16:29:40 -0700
"David W. Hankins" <David_Hankins@isc.org> wrote:

> On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
> > Does anyone see any benefits to beginning a small deployment of
> > IPv6 now even if its just for internal usage?
>
> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
> for example Google's choice to put its AAAA on a separate FQDN). At
> this point, I'd say people are still trying to figure out how clients
> will migrate to IPv6. Which seems like a pretty bad time to still be
> trying to figure that out, but ohwell.
>
Once, after hearing Vint Cerf give a cheerleading talk for v6, I asked
why google.com didn't have a AAAA record. He just groaned -- but of
course I knew the answer just as well as he did.
>
> It is at this time more a question of strategic positioning. The
> kind of thing your boss should be thinking about.
>
> Switching your management network to IPv6 single-stack frees up
> IPv4 addresses (depending on how big your management network is)
> to use in customer-facing areas, which gives your network longer
> legs in the projected IPv4 address shortfall. If you get really
> pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
> giving you another handful of precious moneymaking IPv4 addresses.
>
> Having your backbone and servers AAAA'd (even on separate FQDN's),
> tested, and ready to go puts you ahead of the curve if clients start
> rolling out (you can just move your AAAA's around).
>
> Starting now on collecting IPv6 peering wherever you peer puts you
> ahead of the curve in the quality of your network's connectedness,
> again presuming this IPv6 thing takes off.
>
> And of course you need to "run your own dog food" on internal LANs
> before you start telling customers these IPv6 address thingies are
> useful.
>
>
> IPv6: It's kind of like storing dry food in preparation for the
> apocalypse.
>
I'd rate the probability of v6 as rather higher...

More seriously -- you need to get experience with it, and you need to
at least understand where your internal support systems and databases
have v4-only wired in. I'm not saying that substantial, real-world
demand for v6 is imminent or even certain (although frankly, I regard
it as more likely than not). I am saying that the probability of it is
high enough that preparation is simply ordinary prudence.

I posted the story link because for the first time since v6 was real,
there's a *feature* that people will want that relies on it. Never
mind lots of addresses; you can't easily sell that to management. But
something that will make security management easier and cheaper -- you
may be able to avoid triangle routing, with the consequent need for
bigger pipes -- is a story they'll understand. You want to be ready to
serve those customers.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Another driver for v6? [ In reply to ]
On Wed, 29 Oct 2008, David W. Hankins wrote:

> On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
>> Does anyone see any benefits to beginning a small deployment of IPv6 now
>> even if its just for internal usage?
>
> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
> for example Google's choice to put its AAAA on a separate FQDN). At

Could you please elaborate on this point? My data presented
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
that there are very very few (the longer I collected the data, the better
the ratio got) who cannot properly fetch a resource that has A/AAAA.

> this point, I'd say people are still trying to figure out how clients
> will migrate to IPv6. Which seems like a pretty bad time to still be
> trying to figure that out, but ohwell.

6to4 and Teredo traffic is increasing very rapidly, so that seems to be
one path taken right now:

<http://ipv6.tele2.net/mrtg/total.html>

(We have all our IPv6 related stats and info on <http://ipv6.tele2.net/>)

But yes, how to get native to residential users is still not hammered out.

> And of course you need to "run your own dog food" on internal LANs
> before you start telling customers these IPv6 address thingies are
> useful.

Quite, I think OSS/BSS is going to be a bigger challenge than actually
moving the IPv6 packets.

> IPv6: It's kind of like storing dry food in preparation for the
> apocalypse.

If you actually KNOW the apocalypse is coming (but not when), this is
correct.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
Mikael Abrahamsson wrote:
> But yes, how to get native to residential users is still not hammered
> out.
It's been an issuing weighing our our minds for a while. We've gone
dual stack but getting it into the last mile (ADSL) is quite hard and
running a tunnel server is ugly.

Main issue is BRAS support from our vendor as well as ADSL CPE under
US$100 (eg. not Cisco 8xx series).
> Quite, I think OSS/BSS is going to be a bigger challenge than actually
> moving the IPv6 packets.
Moving packets is pretty easy. We went to dual stack in the core in
just a couple of months for a network spanning 3 continents. Getting
our customer management systems and BRASes talking IPv6 is going to take
a lot longer. Getting our systems group to IPv6 enable resolvers, dns
etc is also taking longer than it should.

MMC
RE: Another driver for v6? [ In reply to ]
> Does anyone see any benefits to beginning a small deployment
> of IPv6 now even if its just for internal usage?

According to <http://www.getipv6.info/index.php/First_Steps_for_ISPs>
you should deploy some IPv6 transition technology to make sure that
your network does not cause problems for the growing number of your
customers who are already using IPv6.

Of course, getting up to speed on IPv6 is also a worthy goal
especially since it enables you to move much more quickly if
IPv6 takes off suddenly.

--Michael Dillon
Re: Another driver for v6? [ In reply to ]
On 30/10/08 07:10, Mikael Abrahamsson wrote:
> On Wed, 29 Oct 2008, David W. Hankins wrote:
>
>> On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
>>> Does anyone see any benefits to beginning a small deployment of IPv6 now
>>> even if its just for internal usage?
>>
>> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
>> for example Google's choice to put its AAAA on a separate FQDN). At
>
> Could you please elaborate on this point? My data presented
> <http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
> that there are very very few (the longer I collected the data, the
> better the ratio got) who cannot properly fetch a resource that has A/AAAA.

Your stats (which are very interesting btw, thanks for doing the work)
suggest that the number of clients that would make use of the AAAA
record for a dual-stack service is about the same as the number of
clients that would fail in the event that both A and AAAA were present.
That's not exactly an incentive to content providers is it?

>> IPv6: It's kind of like storing dry food in preparation for the
>> apocalypse.
>
> If you actually KNOW the apocalypse is coming (but not when), this is
> correct.

The end is nigh - http://penrose.uk6x.com/


Mat
RE: Another driver for v6? [ In reply to ]
> It is almost lunacy to deploy IPv6 in a customer-facing sense
> (note for example Google's choice to put its AAAA on a
> separate FQDN).

If you're going to use emotionally charged language then
don't shoot yourself in the foot by using such an
illogical and contrary example.

Google is a very big network-oriented company and they
have indeed deployed IPv6 in a customer-facing sense.
To follow in their footsteps is not lunacy.
They have shown that when you have a large distributed
load-sharing platform, it is perfectly safe to deploy
IPv6 as an alternate service entry point, in the same
way that they have mail.google.com and docs.google as
separate service entry points.

Most people who are urging ISPs to deploy IPv6 are not
telling them to do stupid things like run out and add
AAAA records to all their domain names. We are telling
people to trial and test IPv6 in the lab, and then roll
out specific targeted IPv6 services like a 6to4 relay.
Above all, don't be a lunatic, and do educate yourself
and your staff before you make a move. IPv6 deployment
is not a greenfield deployment so you have to weave it
into the fabric of your own unique network architecture.
That requires understanding of IPv6 which you can only
get by trying it out yourself in your lab environment.

> At this point, I'd say people are still
> trying to figure out how clients will migrate to IPv6.

That is a pretty dumb thing to do. Clients have already
migrated to IPv6 years ago using the technology given
to them by Apple, Microsoft and the free UNIXes.
Job 1 is to support those clients. Job 2 is to figure
out how you can deploy IPv6 at your network edge in
such a way that you can grow the edge without consuming
IPv4 addresses. For many small and mid-size ISPs, Job 2
does not involve anything to do with the customer's "modem"
device because you don't have the kind of relationship
with "modem" vendors to influence their product development.
So focus on your own network edge, not on your customers'
network edges.

> It is at this time more a question of strategic positioning.
> The kind of thing your boss should be thinking about.

Bosses really appreciate well-reasoned white papers with
a clear and straightforward management summary on the first
page. Do you have the information and understanding of IPv6
in order to write such a white paper?

> Switching your management network to IPv6 single-stack

This may actually be the last and toughest thing that ISPs
do because of the variety of software and stuff in the
management network.

--Michael Dillon
Re: Another driver for v6? [ In reply to ]
On Thu, 30 Oct 2008, Matthew Ford wrote:

> Your stats (which are very interesting btw, thanks for doing the work)
> suggest that the number of clients that would make use of the AAAA
> record for a dual-stack service is about the same as the number of
> clients that would fail in the event that both A and AAAA were present.
> That's not exactly an incentive to content providers is it?

The last couple of days the ratio went down to less than 0.3% who would
potentially get in trouble (factor is most likely less as the measurement
method penalises later objects).

But yes, there is absolutely no upside to deploying IPv6 for content
providers in the short term. It's like Y2K, there was NO upside to fixing
it until December 31 1999.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
On Thu, Oct 30, 2008 at 08:10:26AM +0100, Mikael Abrahamsson wrote:
> On Wed, 29 Oct 2008, David W. Hankins wrote:
>> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
>> for example Google's choice to put its AAAA on a separate FQDN). At
>
> Could you please elaborate on this point? My data presented
> <http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
> that there are very very few (the longer I collected the data, the better
> the ratio got) who cannot properly fetch a resource that has A/AAAA.

I'm sorry I led you down the wrong ferret hole. The issue isn't
directly the involvement of a A/AAAA mixed RRsets. The issue is that
such dual placement complicates debugging and operations.

If someone can't reach www.google.com now, you know that it is either
a DNS or IPv4 issue. It is very straightforward.

If someone can't reach the hypothetical A/AAAA www.google.com RRset,
you've just increased your support costs. "My network is slow."
"Are you using IPv4 or IPv6?" "Netscape."

This costs you something, but doesn't gain anything.

Nevermind that IPv6 often breaks at some networks, and no one at
the remote network seems to care to fix it. It is someone's
experiment.

I'm recommending a variety of caution which is to go ahead and deploy
your initial/experimental IPv6 on separate FQDN's, so that you can
easily migrate your AAAA's onto "production names" when there is an
advantage to doing so, and in the meantime you aren't breaking
anything for the rest of the planet.

>> will migrate to IPv6. Which seems like a pretty bad time to still be
>> trying to figure that out, but ohwell.
>
> 6to4 and Teredo traffic is increasing very rapidly, so that seems to be one
> path taken right now:
>
> <http://ipv6.tele2.net/mrtg/total.html>

I don't know how to ask this question without sounding mean, but did
the graph spike out of zero, or did you start collecting two months
ago?


Both Teredo and 6to4 strike me as a kind of network operations
"terrorism." That is, the clients that engage in this automatically.

It proposes precisely the same support-cost-increase problem for the
ISP ("My network is slow." "Are you using IPv4 or IPv6?" "Netscape."),
and it's not clear to me how an ISP can "opt out".

So it's kind of like these OS manufacturers are sending ISP's a little
message; spend your support costs, or we'll spend them for you.

I'm not sure that's productive overall.

>> IPv6: It's kind of like storing dry food in preparation for the
>> apocalypse.
>
> If you actually KNOW the apocalypse is coming (but not when), this is
> correct.

I think everyone knows the IPv4 shortfall is coming. I do not think
the world's view of the consequences is consistent yet.

So I don't think it matters; it's prudent to get a defensible position
today.

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
On 30 Oct 2008, at 15:47, David W. Hankins wrote:

> If someone can't reach the hypothetical A/AAAA www.google.com RRset,
> you've just increased your support costs. "My network is slow."
> "Are you using IPv4 or IPv6?" "Netscape."

Do you think that industry should be working to some kind of well
supported / worldwide flag day when lots of popular resources add v6
records at the same time ?

In the same way that in the UK, appliance manufacturers have been
educating people about the analogue terrestrial TV switchoff by 2012,
do you think that we should be advocating a 'internet PLUS day' some
time in (date plucked from the air) 2014 ?

-a
RE: Another driver for v6? [ In reply to ]
> In the same way that in the UK, appliance manufacturers have
> been educating people about the analogue terrestrial TV
> switchoff by 2012, do you think that we should be advocating
> a 'internet PLUS day' some time in (date plucked from the air) 2014 ?

Actually, the Internet PLUS day should be tied to some other event,
say the London 2012 Olympics. That would be a kind of launch event
for a lot of people to make IPv6 services available. Then, a few years
after this, we could have an Internet version 4 eulogy event and
get a lot of ISPs to shut off legacy IPv4 services. That would have
to be 2016 or later and it wouldn't be like the analog TV shutoff,
because it would not be a 100% shutoff.

I think that technical people underestimate the impact that this
type of an event can provide. While we want to avoid being forced
into a flag-day switchover, that does not mean that a flag day is
all bad. We could have the Internet PLUS flag day in order to
raise awareness and give ISPs a target to shoot for.

--Michael Dillon
Re: Another driver for v6? [ In reply to ]
michael.dillon@bt.com wrote:
> I think that technical people underestimate the impact that this
> type of an event can provide. While we want to avoid being forced
> into a flag-day switchover, that does not mean that a flag day is
> all bad. We could have the Internet PLUS flag day in order to
> raise awareness and give ISPs a target to shoot for.
>

"This new internet is brought to you by Pepsi: the choice a new version!"

or maybe

"IPv6 tastes good, like an Internet should"

or, oh never mind :)

Mike
> --Michael Dillon
>
>

1 2  View All