nanog mailing list archives

Re: using "reserved" IPv6 space


From: Brett Frankenberger <rbf+nanog () panix com>
Date: Sun, 15 Jul 2012 10:28:50 -0500

On Sat, Jul 14, 2012 at 09:48:49PM -0400, Robert E. Seastrom wrote:

> Actually, that's one of the most insightful meta-points I've seen on
> NANOG in a long time.
>
> There is a HUGE difference between IPv4 and IPv6 thinking.  We've all
> been living in an austerity regime for so long that we've completely
> forgotten how to leave parsimony behind.  Even those of us who worked
> at companies that were summarily handed a Class B when we mumbled
> something about "internal subnetting" have a really hard time
> remembering how to act when we suddenly don't have to answer for every
> single host address and can design a network to conserve other things
> (like our brain cells).

Addresses no longer being scarce is a significant shift, but this
thread is about a lot more than that.  I didn't get the feeling that
the original poster was wanting to use non-global addresses on his
internal links because he was concerned about running out.  He also
wanted to do so for purposes of security.

And that's not a paradigm shift between v4 and v6.  Obscurity /
non-global address "magic" was pretend security in v4 and it's pretend
security in v6.  People who used RFC1918 space where they didn't need
global uniqueness in v4 often did so initially because of scarcity (and
were often making a completely reasonable decision in doing so), but
they then falsely imputed a security benefit to that.

If we can leverage the v6 migration to get out of the thinking that some
addresses are magically more secure than others, then that's probably a
win, but it's not a fundamental difference between v4 and v6.  It's not
that correct IPv4 thinking is "1918 is more secure" but the security
model of v6 is different.  1918 was never more secure.

     -- Brett

