nanog mailing list archives

Re: using "reserved" IPv6 space


From: -Hammer- <bhmccie () gmail com>
Date: Mon, 16 Jul 2012 10:11:48 -0500

There are multiple issues here. I understand most folks on these threads are beyond me but I'm pretty sure I'm not the only person in this position.

1) (This one is currently a personal issue) I am still building up a true IPv6 skillset. Yes, I understand it for the most part but now is the time to apply it.

2) All the reading you do doesn't prepare you for application and the vendors aren't necessarily helping. Feature parity across platforms and vendors beyond just "interface x/x/x" and "ipv6 address fe80:blah:blah::babe:1" seems to seriously be lacking. When I try to take what I understand and apply it beyond the basics I often see hurdles. Example? HSRP IPv6 global addressing on Cisco ASR platform. If it's working for you hit me offline. Example 2? Any vendor product beyond a router or switch. CheckPoint FW? F5 LB? Netscaler LB or AF? The WAN guys may be rolling deep in IPv6 but not everyone else. I just got an EA this morning from CheckPoint for NAT66. This should have been ready for prime time years ago. I guess the vendors weren't getting the push from the customers so there was no need to make an effort....

3) When I'm not preoccupied attempting to digest the fundamentals I am well aware of the retooling of the brain that is required for this in a network design. Last year I reached out to Team Cymru and attempted to build an IPv6 router template to match their IPv4 template. It was a completely different animal. Ironically most of the STIGs and NSA reference garbage I used was ten years old but still applied. After going thru all those docs my brain hurt trying to orient my ACLs properly and go thru all the different attributes you want to block where and when. Then I spent some time trying to work our design schemas for our ARIN space with the WAN design team. What I'm trying to say is that Robert's comments are spot on. It is a very different way of thinking on a small scale and a large scale and you can't take your IPv4 logic and apply it. I've tried and it's just slowing me down.


-Hammer-

"I was a normal American nerd"
-Jack Herer

On 7/15/2012 10:35 PM, Lee wrote:
On 7/14/12, Robert E. Seastrom <rs () seastrom com> wrote:
Actually, that's one of the most insightful meta-points I've seen on
NANOG in a long time.

There is a HUGE difference between IPv4 and IPv6 thinking.  We've all
been living in an austerity regime for so long that we've completely
forgotten how to leave parsimony behind.  Even those of us who worked
at companies that were summarily handed a Class B when we mumbled
something about "internal subnetting" have a really hard time
remembering how to act when we suddenly don't have to answer for every
single host address and can design a network to conserve other things
(like our brain cells).
Suggestions?

I feel like I should be able to do something really nice with an
absurdly large address space.  But lack of imagination or whatever.. I
haven't come up with anything that really appeals to me.

Thanks,
Lee


-Hammer- <bhmccie () gmail com> writes:

<bashes head against wall>

Thank you all. It's not the protocol that hurts. It's rethinking the
culture/philosophy around it.

-Hammer-

On 7/14/12 3:20 PM, "Owen DeLong" <owen () delong com> wrote:

They're a bad thing in IPv6.

The only place for security through obscurity IMHO is a small round
container that sits next to my desk.

Besides, if you don't advertise it, a GUA prefix is just as obscure as a
ULA prefix and provides a larger search space in which one has to hunt
for it... Think /3 instead of /8.

Owen

On Jul 14, 2012, at 1:14 PM, -Hammer- wrote:

Guys,
    The whole purpose of this is that they do NOT need to be global.
Security thru obscurity. It actually has a place in some worlds. Does that
make sense? Or are such V4-centric approaches a bad thing in v6?

On 7/13/12 8:41 PM, "Brandon Ross" <bross () pobox com> wrote:

On Fri, 13 Jul 2012, Owen DeLong wrote:

On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:

keep life simple.  use global ipv6 space.

randy
Though it is rare, this is one time when I absolutely agree with Randy.
It's even more rare for me to agree with Randy AND Owen at the same time.

--
Brandon Ross                    Yahoo & AIM: BrandonNRoss
+1-404-635-6667                 ICQ: 2269442
Schedule a meeting: https://tungle.me/bross    Skype: brandonross
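Owen's point above is that an unannounced GUA prefix is at least as hard to find as a ULA one, because the global unicast block (2000::/3) is far larger than the locally assigned ULA block (fd00::/8), and the real control is the border filter, not the choice of prefix. The following script is an added example, not code from anyone in this thread; it uses Python's standard ipaddress module to classify addresses by scope, compute the subnet-count comparison Owen sketches, and flag prefixes that a border ACL must drop (the kind of check one would run over an ACL template like the one -Hammer- describes). The constants and the sample prefix list are the example's own assumptions.

```python
import ipaddress

# Address blocks referenced in the thread (RFC 4291 global unicast and link-local,
# RFC 4193 ULA). These constants belong to this example, not to the thread.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")           # whole ULA block
ULA_LOCALLY_ASSIGNED = ipaddress.IPv6Network("fd00::/8")  # the L=1 half actually in use
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def classify(addr: str) -> str:
    """Return the scope class of a single IPv6 address as a short label."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def subnet_count(container: ipaddress.IPv6Network, prefixlen: int) -> int:
    """How many /prefixlen subnets fit inside container (e.g. /48 sites in 2000::/3)."""
    if prefixlen < container.prefixlen:
        raise ValueError("subnet must be no larger than its container")
    return 1 << (prefixlen - container.prefixlen)


def search_space_ratio(prefixlen: int = 48) -> int:
    """Owen's comparison: GUA (/3) search space divided by locally assigned ULA (/8)
    search space, measured in subnets of the given length."""
    return subnet_count(GLOBAL_UNICAST, prefixlen) // subnet_count(ULA_LOCALLY_ASSIGNED, prefixlen)


def must_be_filtered_at_border(prefix: str) -> bool:
    """True for prefixes that must never cross an Internet border (ULA, link-local).
    RFC 4193 states ULA prefixes are not expected to be routable on the global Internet."""
    n = ipaddress.IPv6Network(prefix, strict=False)
    return n.subnet_of(UNIQUE_LOCAL) or n.subnet_of(LINK_LOCAL)


def audit_border_prefixes(prefixes):
    """Split a list of prefixes (constructed sample, as read from an ACL or route table)
    into those that may be announced and those a border filter must drop."""
    ok, leaked = [], []
    for p in prefixes:
        (leaked if must_be_filtered_at_border(p) else ok).append(p)
    return ok, leaked


if __name__ == "__main__":
    # Constructed sample: two documentation-range GUA sites, one ULA site, one link-local.
    sample = ["2001:db8:1::/48", "fd12:3456:789a::/48", "fe80::/64", "2001:db8:2::/48"]
    ok, leaked = audit_border_prefixes(sample)
    print("announceable:", ok)
    print("must be filtered at the border:", leaked)
    print("GUA /48 search space is", search_space_ratio(48), "times the ULA /48 space")
```

The ratio for /48 sites comes out at 2^45 / 2^40 = 32, which is the "/3 instead of /8" comparison in Owen's message; the audit function is the defensive half of the same argument, since an unannounced prefix only stays unannounced if the border filter actually enforces it.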