Re: IPv6 support in firewalls

[Darren Reed <darrenr () reed wattle id au>]

David Lang wrote:
> On Wed, 22 Aug 2007, Darren Reed wrote:
>
> > Marcus J. Ranum wrote:
> > > Dave Piscitello wrote:
> > > > I suppose I should begin by answering "why the interest in IPv6?"
> > > > question. Simply put, we are running out of IPv4 addresses (yeah, I
> > > > know, the Sky is Falling, NAT will save us forever...). Based on 
> > > > current
> > > >  consumption rates, some folks speculate that the remaining addresses
> > > > not yet distributed by IANA will be exhausted by 2009.
> > >
> > > This prediction was made before, if I recall correctly. In 1994. Except
> > > that we were going to run out, uh, in 1999.  Yes, the sky is 
> > > falling, but
> > > it appears to be falling fairly slowly and gently. :)
> > >
> > > Perhaps something better than IPv6 will still come along. You know,
> > > like what a few of us suggested back in 1992 - namely doubling
> > > the address size, left-filling with zeroes, and bumping the
> > > version number? ;)
> > ..
> >
> > It's not just this, people today want to deploy/build large scale IP
> > networks where 10/8 isn't enough, not to mention giving those
> > addresses visibility to the Internet.
>
> who has 4B machines?, or assume that you gave each machine a /30 
> subnet, who has 1B machines?

I said 10/8, not 0/32.
10/8 is only 16M addresses.
How many mobile phones are there connected to (say) AT&T's phone network?
More than 16M.  If AT&T wanted to be able to address each phone individually
on their internal network at any given point in time?
And then what about say one of the Chinese carriers with another 30M phones?
How do you fit those into an already crowded Internet address space with 
only
32 bits of addressing available to you?


> the claim that 10/8 isn't big enough is makeing large assumptions 
> about how you allocate the addresses.

Yes and no.  If you think about it, 16,000,000 isn't really a lot.

At 4B, that's barely enough for 1 per person for some value of "yesterday".
If you said everyone on the planet was entitled to a /24, then you need over
40 bits in the address space, and that's just flat allocation.


> as for makeing those machines visable on the Internet, I'd ask why 
> they need to be directly visable. something on this scale is probably 
> not _really_ needing everyone else on the Internet to connect on 
> arbatrary ports, and once you start defining what traffic you need you 
> can define ways to get to them with that traffic without needing to 
> have the machines directly visable (also contrary to what the IPV6 
> pushers say)

Even if they don't need to be directly visible on the Internet,
they may need to be (or it is desirable for it to be possible)
visible inside some other network.

People design networks according to various needs.
As corporations grow and the world connected to the network
grows, so to will the demands placed on IPv4 addresses.
While there will always be refusniks that want to believe that
IPv4 can't d it, the reality is it is closing close to the end of
its useful life in terms of address space.  Having to put everything
behind NATs sucks for end host visibility.

Move with the time, accept that IPv6 will become reality,
shout and scream a little if that helps.  But we are getting to
a point where the amount of engineering required to keep
IPv4 going is becoming more than its worth so accepting
that, however much it hurts, is probably worth your while.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards