nanog mailing list archives
Re: Lazy network operators
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 16 Apr 2004 14:38:59 +0200
On 16-apr-04, at 8:47, Paul Vixie wrote:

>>> preventing DDoS and IP source address forgery each also break what the IAB calls "the end-to-end model".
>>
>> How so?
>
> I was thinking of RFC 1958:
>
>     An end-to-end protocol design should not rely on the maintenance of state (i.e. information about the state of the end-to-end communication) inside the network.
>
> While this is given as an argument in favour of datagrams (vs. circuits) as the best transport model, any stateful NAT or firewall violates it, any router or loadbalancer flow-quota violates it, and pretty much anything that can be done to protect against DDoS violates it.

To quote Steve Deering: there is good state and there is bad state. State that is created by looking at the actual communication and then recreated when it's lost isn't necessarily evil. (Although I agree that when this stuff is taken too far it breaks e2e, for instance a Pix that will happily chop off part of a DNS packet when it decides said packet is too long.)

>>> (dunno if you heard, but in spite of 128 bits of address space, the enterprise user community is now asking for IPv6 NAT.)
>>
>> I hadn't, pointer please?
>
> <http://www.acu.rl.ac.uk/msn2003/Talks/TimChown.pdf> comes to mind.

Ok, you won't hear me say that Tim doesn't know what he's talking about... But this can mean all kinds of things, ranging from "everyone will use NAT with IPv6" to "there is probably a misguided soul or two who will try this".

> but moreso the folks looking at deployment who absolutely don't want another IPv4-like lockin, where provider-assigned addresses mean a huge renumbering effort in order to change upstreams, and the expectation that globally routeable address blocks will not be available, or will not be cost effective, for enterprise or small-ISP use.

Yes, this is a problem. I'm not sure NAT is the solution, though. I mean, if you're going to use NAT, why switch to IPv6 in the first place?

> nowadays ietf is working on what they call NAT-PT as a "transition" strategy, with a new set of heads stuffed into the same old sand, whereby the designers think that network owners are only going to use it until the ipv6 transition is complete.

Unless I'm very much mistaken, this transition mechanism translates from IPv6 to IPv4 and vice versa, NOT from IPv6 to IPv6.

> it's still quite astounding to me that when we finish deploying ipv6 we'll still have provider assigned addresses that customers are afraid to use beyond the edge of their campus, and we'll still have the age-old tension between "i could get global routing for that address block" and "i could qualify with my RIR to obtain that address block (and afford the fees)".

IETF multi6 wg is working on this problem. Hopefully it's possible to come up with something that offers both scalability and functionality, as current PI and PA paradigms each only offer one.