Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 22 Aug 2007 21:56:57 -0700
David Lang wrote:
> On Wed, 22 Aug 2007, Darren Reed wrote:
>> Marcus J. Ranum wrote:
>>> Dave Piscitello wrote:
>>>> I suppose I should begin by answering "why the interest in IPv6?" question. Simply put, we are running out of IPv4 addresses (yeah, I know, the Sky is Falling, NAT will save us forever...). Based on current consumption rates, some folks speculate that the remaining addresses not yet distributed by IANA will be exhausted by 2009.
>>>
>>> This prediction was made before, if I recall correctly. In 1994. Except that we were going to run out, uh, in 1999. Yes, the sky is falling, but it appears to be falling fairly slowly and gently. :)
>>>
>>> Perhaps something better than IPv6 will still come along. You know, like what a few of us suggested back in 1992 - namely doubling the address size, left-filling with zeroes, and bumping the version number? ;)
>>
>> It's not just this, people today want to deploy/build large scale IP networks where 10/8 isn't enough, not to mention giving those addresses visibility to the Internet.
>
> who has 4B machines?, or assume that you gave each machine a /30 subnet, who has 1B machines?
I said 10/8, not 0/32. 10/8 is only 16M addresses. How many mobile phones are there connected to (say) AT&T's phone network? More than 16M. If AT&T wanted to be able to address each phone individually on their internal network at any given point in time? And then what about say one of the Chinese carriers with another 30M phones? How do you fit those into an already crowded Internet address space with only 32 bits of addressing available to you?
> the claim that 10/8 isn't big enough is making large assumptions about how you allocate the addresses.
Yes and no. If you think about it, 16,000,000 isn't really a lot. At 4B, that's barely enough for 1 per person for some value of "yesterday". If you said everyone on the planet was entitled to a /24, then you need over 40 bits in the address space, and that's just flat allocation.
> as for making those machines visible on the Internet, I'd ask why they need to be directly visible. something on this scale is probably not _really_ needing everyone else on the Internet to connect on arbitrary ports, and once you start defining what traffic you need you can define ways to get to them with that traffic without needing to have the machines directly visible (also contrary to what the IPV6 pushers say)
Even if they don't need to be directly visible on the Internet, they may need to be (or it is desirable for it to be possible) visible inside some other network. People design networks according to various needs. As corporations grow and the world connected to the network grows, so too will the demands placed on IPv4 addresses. While there will always be refuseniks that want to believe that IPv4 can't do it, the reality is it is closing close to the end of its useful life in terms of address space. Having to put everything behind NATs sucks for end host visibility. Move with the time, accept that IPv6 will become reality, shout and scream a little if that helps. But we are getting to a point where the amount of engineering required to keep IPv4 going is becoming more than it's worth so accepting that, however much it hurts, is probably worth your while.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards