Re: IPv6 uptake (was: The Reg does 240/4)

[Stephen Satchell <list () satchell net>]

On 2/15/24 9:40 PM, Justin Streiner wrote:
> The Internet edge and core portion of deploying IPv6 - dual-stack or
> otherwise - is fairly easy. I led efforts to do this at a large .edu
> starting in 2010/11.  The biggest hurdles are/were/might still be:
> 1. Coming up with a good address plan that will do what you want and scale
> as needed.  It should also be flexible enough to accommodate re-writes if
> you think of something that needs to be added/changed down the road 🙂

Several of the resources and books I picked up over the past five years 
discuss this.  At the leaf level, coming up with a address plan is easy. 
 For example, I define two subnets:  one for public access, one for LAN 
use.  Each subnet has 64K addresses, far more than I need.  The firewall 
protects the LANnet

> 2. For providers who run older kit, v6 support might still be a bit dodgy.
> You might also run into things like TCAM exhaustion, neighbor table
> exhaustion, etc.  The point at which box X tips over is often not well
> defined and depends on your use case and configuration.

Above my use level as a leaf node.  It may explain part of the situation 
I have with my upstream ISP...but I think the problem is more related to 
account management and not a technical one.

> 3. The last time I checked, v6 support in firewalls and other middle-mile
> devices was still poor.  Hopefully that has gotten better in the last 6-7
> years.  My current day job doesn't have me touching firewalls, so I haven't
> kept up on developments here.  I recall coming up with a base firewall
> ruleset for Cisco ASAs to balance security with the functionality v6 needs
> to work correctly.  Hopefully firewall vendors have gotten better about
> building templates to handle some of the heavy lifting.

In Linux, there have been significant advances in firewall support. 
Part of that support was in the kernel, part was in the tools.  The 
advent of NFT (NFTABLES) further improves things.  My replacement 
firewall design is to use YAML to define the rules; a Python driver 
converts the data into rules to implement the policy.

Can't speak for others.  By the way, instead of improving IPTABLES to 
handle IPv6, the community build IP6TABLES to support IPv6.  I was told 
that all I needed to do with my BASH-implemented firewall driver was to 
add IP6TABLE commands to the existing IPTABLES rules.  I would have done 
that if my upstream provider wasn't so IPv6-hostile.  I think that would 
have been a mistake.

> 4. Getting people to unlearn the "NAT=Security" mindset that we were forced
> to accept in the v4 world.

That was EASY for me to unlearn.  With IPv4, I never had the luxury of 
subnetting large swaths of addresses.  With IPv6, that's easy, even in 
home networks.

....................

That said, I'm thinking about giving up completely on IPv6 -- too many 
hurdles put in the way by my 800-pound-gorilla ISP.  I'm too old to 
fight the battle any more; the ROI isn't worth the effort.  I'll be dead 
before the lack of IPv6 connectivity becomes a personal problem.