Date:        Tue, 07 Aug 2001 17:47:07 -0400
From:        "Aldrin Isaac" <[EMAIL PROTECTED]>
Message-ID:  <[EMAIL PROTECTED]>

  | In the current IPv6 addressing plan a [Sub-]TLA and all contained addressing
  | is owned by an Internet transit service provider.  This presents several
  | problems.  This provider may go out of business, adopt unacceptable business
  | policies, get bought by a business rival (btw, this has happened to us),
  | etc.  If such things should happen to our [Sub-]TLA provider we stand a risk
  | of having to change our addressing.

This was known when IPv6 was being developed.   That is, that was the
deliberate plan - it is (currently anyway) the only way that we know how
to make the Internet routing system work.   If you have an alternative,
there are lots of us who would be only too pleased to learn of it.

  | I have not seen any effort on the part of these
  | router and systems vendors to simplify the rapid change of addressing.

That's largely true (from what I have observed as well).   It is a pity.
However, it is also expected - that is, why are they going to do any work
to change what they're currently selling, when everyone is simply content
to keep buying it.

And here, rather than pressure the vendors to change (and with a company
of your apparent size, which would also mean its likely large budget for
equipment) you're attempting to pressure the IETF to change the addressing
plan to make up for that.   That's backwards.   You should instead be
asking the vendors to support what you need.

  | For us this means not only changing addresses on over 40,000 thousand
  | interfaces,

IPv6 should make this much easier than it was with IPv4.  The combination
of auto-config and router renumbering (and perhaps more to come) should
make this task entirely manageable.   That's the plan anyway - if there's
anything missing to make it work, please let us know so that can be fixed.

  | but also changing over 100,000 lines of distributed policies.

But this one is truly a pain to manage currently.   But there's no real
reason why you should have a single IP address (v4 or v6) in such a database.
(That is, perhaps excepting a few well known addresses like 127.0.0.1).

That is, I've never yet heard of a policy which says "addresses that start
with a 10 are allowed in, because I like 10".   Rather, the policy is
"addresses from company X are allowed in" - and then when one looks, one
sees that addresses from company X start with 10, and no-one else's do,
so what goes in the policy is "addresses that start with 10" - then the
router/firewall/whatever has to do less work, its vendor has to do less
work, and you have to do lots more work.   And you're asking for that state
of affairs to continue?

The policies should be expressed in a form that actually expresses what
you want to say, and then should be being converted into something that the
packet forwarding engines can handle (which means, bit values of addresses).
As soon as that conversion gets to be automated, rather than done manually,
it becomes trivial to repeat it as frequently as is necessary to keep up
with any address changes - and what's more to automate that, so that it
all happens automatically, whenever addresses alter.

  | Almost all of our 20000 customer networks use firewalls.  Our addresses are
  | configured into these firewalls.

Same there, they don't care about your address - they care about you.
They shouldn't be configuring your address anywhere.   It is only the
primitive state of the existing tools that has led to this way of doing
things.   Let's fix that, rather than assuming there is no other way.

  | I am not sure if there is an IPv6 study group on the impact of changing
  | addresses, or if anyone has published anything regarding this topic.

There was a working group that considered the issues.   There needs to be
more work on this - it is an important topic.

  | If anyone knows of where I can find information regarding this I would
  | appreciate having it.

Look for the results that came from the pier working group (rfc1916
rfc2071 rfc2072), but don't expect too much.

  | I hate to say this to everyone who's worked so hard on IPv6.  The current
  | IPv6 addressing schema is unusable by anyone except Internet providers
  | trying to serve the household and small business market.  It needs to be
  | redone to gain the support of large corporations.

It is well known that the current addressing plans are not what we would
really like to have.   But no-one yet has been able to suggest anything better
that will actually work.

There have been other suggestions, the "best of the rest" is probably Tony 
Hain's current suggestion for embedding locations in the address, so your
address says where you are geographically, and hence is unrelated to any
provider, etc.   Similar things (with less analysis and detail) have been
suggested before.   The problem with any of these kinds of schemes is that
to work properly, it requires particular connectivity - that is, it all
still reverts to topological addressing, but with the topology constrained
so addresses can be related to things other than which provider you happen
to be connected to.   There's never been any reason to presume that any
kind of constrained net topology can ever be made to happen.  Tony's draft
allows for that by simply giving everyone the choice - use either ISP
provided addresses, or connect to the constrained topology and get a
fixed address based upon your physical location.   It might work, my guess
is that it won't.

Having said all of that, let me also say that I'm not sure that your
particular situation would be as bad as you make it seem to be.

That is, if the sites you're connecting are on the IPv6 internet already
then you should simply be able to use their IPv6 addresses from their
regular internet connectivity.   Those might change occasionally, but
not all at once (ie: you're likely to have a continual stream of updates to
make, but only comparatively small ones - and nothing more difficult than
what happens due to new customers appearing, or old ones leaving).

If the sites don't have IPv6 connectivity, and you're running a private net
for your own internal purposes, then what do you care what the internet
addressing plan is like?   Just invent your own, assign your own addresses
to the client sites, and you all use those.   I kind of doubt that will
be the case though, it would be rather like the private phone systems, who
put in trunk lines to connect institutions to others assuming that the
people wouldn't also be connected to the PSTN - they will be, and so their
PSTN numbers can be (and are) used over the private lines - that makes things
simpler for everyone (even though there things need to be updated occasionally
when the PSTN numbers change).

There may be other options as well - if the NUSLA proposal ever gets into
implementations, then you could run things using site local addressing
everywhere, so you'd be completely immune to any global address changes.
That is, you'd essentially all just agree to keep your site local addresses
(which have a "which site am I" identifier in them with NUSLA) distinct
from each other, and then you could allow packets to pass between sites
using those addresses.   You get a flat unroutable address space, but your
net is easily small enough that that isn't an issue.

kre
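An added example (not part of kre's message or anything from the IPng list) of the approach argued for above: policies name organisations, a registry maps organisations to the prefixes they currently hold, and a compiler expands the policy into the address bits a forwarding engine matches on. Renumbering is then an edit to the registry plus a re-run; the organisation names, prefixes and rule syntax are all constructed for illustration.

```python
import ipaddress

# Constructed registry: which prefixes each organisation holds right now.
# When a provider changes, only this table is edited; the policy is untouched.
REGISTRY = {
    "company-x": ["2001:db8:1::/48", "192.0.2.0/24"],
    "company-y": ["2001:db8:2::/48"],
}

# Constructed policy, expressed as "who", never as address bits.
POLICY = [
    ("allow", "company-x"),
    ("deny", "company-y"),
]

def compile_policy(policy, registry):
    """Expand symbolic rules into (action, network) pairs a packet filter can
    evaluate.  Naming an unknown organisation is an error rather than a rule
    that silently matches nothing."""
    rules = []
    for action, org in policy:
        if org not in registry:
            raise KeyError(f"policy names unknown organisation {org!r}")
        for prefix in registry[org]:
            rules.append((action, ipaddress.ip_network(prefix, strict=True)))
    return rules

def lookup(rules, addr):
    """First-match evaluation over the compiled rules; default deny."""
    ip = ipaddress.ip_address(addr)
    for action, net in rules:
        if ip.version == net.version and ip in net:
            return action
    return "deny"

def renumber(registry, org, old_prefix, new_prefix):
    """Return a copy of the registry with one prefix swapped; the caller then
    simply re-runs compile_policy to regenerate the filter."""
    updated = {k: list(v) for k, v in registry.items()}
    updated[org] = [new_prefix if p == old_prefix else p for p in updated[org]]
    return updated

if __name__ == "__main__":
    rules = compile_policy(POLICY, REGISTRY)
    print(lookup(rules, "2001:db8:1::42"))
    # company-x moves to a new provider prefix: registry edit, recompile, done.
    moved = renumber(REGISTRY, "company-x", "2001:db8:1::/48", "2001:db8:99::/48")
    new_rules = compile_policy(POLICY, moved)
    print(lookup(new_rules, "2001:db8:1::42"), lookup(new_rules, "2001:db8:99::1"))
```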

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------