[Nanog-futures] NewNOG has an Executive Director
I am pleased to announce that the NewNOG board has chosen Betty Burke to serve as our Interim Executive Director. The board's search committee conducted formal interviews with six finalists chosen from a field of sixteen applicants. Many of the applicants were well qualified for the position, but ultimately the full board unanimously decided that Betty is the best fit, given both her qualifications and history with the community. As Interim Executive Director, Betty will be responsible for managing the day-to-day operations of NewNOG as we navigate the transition into a self-sufficient organization, as well as working with the various committees on finance, fundraising, marketing, and other areas. Please join me in welcoming Betty to her new role in the NewNOG community. For the NewNOG board, Steve Feldman, chair ___ Nanog-futures mailing list Nanog-futures@nanog.org https://mailman.nanog.org/mailman/listinfo/nanog-futures
Re: Is NAT can provide some kind of protection?
On 01/15/2011 02:01 AM, George Bonser wrote: From: William Herrin Sent: Friday, January 14, 2011 4:11 PM To: nanog@nanog.org Subject: Re: Is NAT can provide some kind of protection? On Fri, Jan 14, 2011 at 2:43 PM, Owen DeLong o...@delong.com wrote: Ah, but, the point here is that NAT actually serves as an enabling technology for part of the attack he is describing. I watch the movies too and I hang in suspense as the protagonist waits for the bad guy to make a network connection and then activates the phlebotinum that backhacks his tubes. And I know there are some real-life examples where giving a hacker a large file to download has kept him connected to a modem long enough to get a phone trace. But I haven't read of a _nonfiction_ example where the dynamic opening in a stateful firewall (NAT or otherwise) has directly provided the needed opening for an _active_ attack by a third party. Can you cite one? The extent to which NAT is a security hazard in my experience is that it simply makes it harder to find a compromised machine. Someone might inform us that they are seeing suspicious traffic that matches a virus profile from an IP address but the NAT makes it difficult to determine the actual source of the traffic. In that case NAT isn't, in and of itself, the enabling mechanism, but it does offer the compromised host some additional time to do its malicious work while it is being tracked down and eliminated. It also adds more work for providers when someone wants to know who was responsible for certain traffic at certain times. This is particularly true of NAT devices that get their outside IP by DHCP. Now they have to search their records and sort out who had that IP at that time and then associate that with a specific customer. Then at the customer location, there might be several more devices (or a neighbor connected over an unsecured wireless) and at that point there is no telling where the traffic came from. 
So NAT itself isn't a security threat, but it sure gives a real security threat a lot of woodwork in which to hide. G

I'm a full supporter of getting rid of NAT when deploying IPv6, but have to say the alternative is not all that great either. Because what do people want? They want privacy, so they use the IPv6 privacy extensions, which are enabled by default on Windows when IPv6 is used on XP, Vista and 7. And now you have no idea who had that IPv6 address at some point in time. The solution to that problem is? I guess the only solution is to have the IPv6 equivalent of arpwatch to log the MAC address/IPv6 address combinations? Or is there another solution I'm missing?
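The arpwatch-style logger asked about above, as an added example that is not part of the thread: it consumes lines in the format printed by `ip -6 neigh show` on Linux and records which MAC answered for which IPv6 address and when, so the "who had that address at that time" question can be answered after the fact even when hosts rotate privacy addresses. The sample lines, timestamps and MACs are constructed (documentation prefix 2001:db8::/32, IANA example MAC range 00:00:5e:00:53:xx); in production you would poll the command or subscribe to netlink and persist the table.

```python
"""IPv6 neighbor-cache watcher: log which MAC answered for which address, arpwatch-style.

Added example (not from the thread).  Parses lines in the `ip -6 neigh show` format;
the lines below are constructed sample data so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "<addr> dev <ifname> [lladdr <mac>] [router] <NUD STATE>"
NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$"
)


@dataclass
class Event:
    kind: str                 # "new": pair never seen; "changed": address now answered by another MAC
    ts: int
    addr: str
    mac: str
    prev_mac: Optional[str] = None


@dataclass
class NeighborWatch:
    pairs: Dict[Tuple[str, str], Tuple[int, int]] = field(default_factory=dict)  # (addr, mac) -> (first, last)
    current: Dict[str, str] = field(default_factory=dict)                       # addr -> MAC last seen

    def observe(self, line: str, ts: int) -> Optional[Event]:
        m = NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            return None                      # unparsable, or FAILED/INCOMPLETE entry with no MAC
        addr, mac = m.group("addr").lower(), m.group("mac").lower()
        key = (addr, mac)
        if key in self.pairs:
            first, _ = self.pairs[key]
            self.pairs[key] = (first, ts)    # refresh last-seen only
            self.current[addr] = mac
            return None
        prev = self.current.get(addr)
        self.pairs[key] = (ts, ts)
        self.current[addr] = mac
        # A changed MAC for a stable address (the router's, say) is worth a look: it can be a
        # replaced NIC, or someone answering neighbor solicitations they should not.
        return Event("changed" if prev else "new", ts, addr, mac, prev)

    def addresses_for(self, mac: str) -> List[str]:
        """Every address this MAC has ever been seen with, temporary ones included."""
        return sorted(a for (a, m) in self.pairs if m == mac.lower())

    def who_had(self, addr: str, ts: int) -> List[str]:
        """MACs seen with `addr` in a window covering `ts` (the abuse-desk question)."""
        return [m for (a, m), (first, last) in self.pairs.items()
                if a == addr.lower() and first <= ts <= last]


# Constructed sample: one host with an EUI-64 address and two rotating temporary
# addresses, a router, and a cache entry that never resolved.
SAMPLE = [
    (1000, "2001:db8:1::1 dev eth0 lladdr 00:00:5e:00:53:01 router REACHABLE"),
    (1000, "2001:db8:1:0:211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"),
    (1000, "fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE"),
    (1000, "2001:db8:1:0:5c3e:9a21:7b0d:1f2e dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"),
    (1000, "2001:db8:1::50 dev eth0  FAILED"),
    (1600, "2001:db8:1:0:9d40:e1a7:3c55:b8e dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"),
    (1600, "2001:db8:1::1 dev eth0 lladdr 00:00:5e:00:53:ff router REACHABLE"),
]


def run_sample() -> Tuple[NeighborWatch, List[Event]]:
    watch = NeighborWatch()
    events = [e for ts, line in SAMPLE if (e := watch.observe(line, ts)) is not None]
    return watch, events
```

The table keyed on (address, MAC) rather than on address alone is what makes the log useful later: `addresses_for` ties a host's temporary addresses back to one interface, and `who_had` returns whichever MAC held an address during the window an abuse report names. The last sample line shows the other thing such a log catches: the router's address suddenly answered by a different MAC.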
Re: Is NAT can provide some kind of protection?
On 1/15/11 1:24 PM, Leen Besselink wrote: I'm a full supported for getting rid of NAT when deploying IPv6, but have to say the alternative is not all that great either. Because what do people want, they want privacy, so they use the IPv6 privacy extensions. Which are enabled by default on Windows when IPv6 is used on XP, Vista and 7. There aren't enough hosts on most subnets that privacy extensions actually buy you that much. sort of like have a bunch of hosts behind a single ip, a bunch of hosts behind a single /64 aren't really insured much in the way of privacy, facebook is going to know that it's you. And now you have no idea who had that IPv6-address at some point in time. The solution to that problem is ? I guess the only solution is to have the IPv6 equivalant of arpwatch to log the MAC-addresses/IPv6- address combinations ? Or is their an other solution I'm missing.
Re: Is NAT can provide some kind of protection?
On 01/15/2011 03:01 PM, Joel Jaeggli wrote: On 1/15/11 1:24 PM, Leen Besselink wrote: I'm a full supporter of getting rid of NAT when deploying IPv6, but have to say the alternative is not all that great either. Because what do people want? They want privacy, so they use the IPv6 privacy extensions, which are enabled by default on Windows when IPv6 is used on XP, Vista and 7. There aren't enough hosts on most subnets that privacy extensions actually buy you that much. Sort of like having a bunch of hosts behind a single IP, a bunch of hosts behind a single /64 aren't really ensured much in the way of privacy; Facebook is going to know that it's you.

Now this gets a bit off-topic, but: If you already have a Facebook account, any site you visit which has Facebook Connect on it usually points directly at facebook.com for downloading the 'Facebook Connect' image, so the Facebook cookies have already been sent to Facebook. Why would Facebook care about your IP address?

And now you have no idea who had that IPv6 address at some point in time. The solution to that problem is? I guess the only solution is to have the IPv6 equivalent of arpwatch to log the MAC address/IPv6 address combinations? Or is there another solution I'm missing?
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 6:01 AM, Joel Jaeggli wrote: On 1/15/11 1:24 PM, Leen Besselink wrote: I'm a full supporter of getting rid of NAT when deploying IPv6, but have to say the alternative is not all that great either. Because what do people want? They want privacy, so they use the IPv6 privacy extensions, which are enabled by default on Windows when IPv6 is used on XP, Vista and 7. There aren't enough hosts on most subnets that privacy extensions actually buy you that much. Sort of like having a bunch of hosts behind a single IP, a bunch of hosts behind a single /64 aren't really ensured much in the way of privacy; Facebook is going to know that it's you.

Privacy extensions aren't intended to hide the location of the transaction. They are intended to prevent a given MAC address from being tracked across a variety of networks. All that they really solve is the problem of "I disabled my cookies, but the website still knows who I am no matter where I go." Owen
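What exactly an EUI-64 interface identifier gives away, and what the privacy extensions change, as an added example that is not part of the thread. The addresses are from the documentation prefix 2001:db8::/32 and the MAC 00:11:22:33:44:55 is constructed. The point Owen makes above is visible in `same_interface`: two addresses on unrelated prefixes still share the bottom 64 bits when they come from the same NIC.

```python
"""What a modified EUI-64 interface identifier leaks, and what RFC 4941 changes.

Added example (not from the thread).  Documentation prefix 2001:db8::/32; the MAC is constructed.
"""
import ipaddress
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """RFC 4291 Appendix A: split the 48-bit MAC, insert ff:fe, flip the U/L bit (0x02 of byte 0)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def eui64_address(prefix: str, mac: str) -> str:
    """The SLAAC address a host forms from a /64 prefix when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC works on a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac)))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC when the IID has the modified-EUI-64 shape, else None.

    The check is the ff:fe marker at bytes 11-12.  A random IID contains it by chance
    about once in 65536, so a hit means 'very likely EUI-64', not proof.
    """
    p = ipaddress.IPv6Address(addr).packed
    if p[11:13] != b"\xff\xfe":
        return None
    mac = bytes([p[8] ^ 0x02]) + p[9:11] + p[13:16]
    return ":".join(f"{x:02x}" for x in mac)


def looks_like_rfc4941(addr: str) -> bool:
    """RFC 4941 temporary IIDs are random with the 'u' bit cleared (byte 8 & 0x02 == 0) and no ff:fe.

    RFC 7217 stable-privacy IIDs look the same from outside, so this says 'random-looking',
    not 'temporary'.
    """
    p = ipaddress.IPv6Address(addr).packed
    return p[11:13] != b"\xff\xfe" and not (p[8] & 0x02)


def same_interface(addr_a: str, addr_b: str) -> bool:
    """True when two addresses on different prefixes embed the same MAC.

    This is the cross-network correlation privacy extensions exist to break: the prefix changes
    with every network the laptop joins, the EUI-64 half does not.
    """
    a, b = mac_from_address(addr_a), mac_from_address(addr_b)
    return a is not None and a == b
```

The first three octets recovered by `mac_from_address` are the OUI, so an EUI-64 address also tells an observer the NIC vendor. Neither function needs more than the address itself, which is why a web server's access log is enough to do the correlation.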
Re: INDOSAT Internet Network Provider NOC Contact
--- tdona...@vonmail.vonworldwide.com wrote: From: Tim Donahue tdona...@vonmail.vonworldwide.com Sorry for the noise, but I was wondering if anyone has a NOC or BGP knowledgeable contact with INDOSAT Internet Network Provider (AS4761). I have emailed the hostmaster@ email address listed in the WHOIS contact, and tried calling the phone number listed as well (disconnect message). They are announcing one of our prefixes and I am trying to find a contact in their company who can fix the announcement. - It seems that they were announcing more than just your prefix: - From: Aftab Siddiqui aftab.siddi...@gmail.com To: sa...@sanog.org Subject:[SANOG] ‘Hijack’ by AS4761 Date: Fri 01/14/11 09:50 PM Just got this news. Anyone in SA region felt anything? I assume many are using 8.8.8.8 these days. The last 24 hours AS4761, INDOSAT-INP-AP, started to originate a large number of new prefixes. A quick check show that AS4761 originated approximately 2800 new unique prefixes of 824 unique Autonomous systems. Complete story. http://bgpmon.net/blog/?p=400cpage=1#comment-1890 Regards, Aftab A. Siddiqui -- This is the SANOG (http://www.sanog.org/) mailing list. - scott
Re: Single AS Number for multiple prefixes in different country
Not to budge in here ... but I have always been curious about this type of setup, as in all my past BGP deployments it's always been that all edges belong in the same iBGP peering group. Ryan, does the other edge(s) get confused when they see their same AS number in the path upon route determination from traffic sourced from another edge? Or are you doing some sort of BGP Confederation? I am progressing down the path (no pun intended) of deploying another edge in another location from which that 'remote' location will have its own subnets to announce. But if I have a requirement not necessarily having to announce the other subnets, I don't need an expensive L2 back-haul between the two and do what is discussed here, no? -graham

On 1/15/11 12:34 PM, Ryan Finnesey ryan.finne...@harrierinvestments.com wrote: We are doing this now and it is working well

-Original Message- From: Harris Hui [mailto:harris@gmail.com] Sent: Friday, January 14, 2011 4:59 AM To: nanog@nanog.org Subject: Single AS Number for multiple prefixes in different country Hi, We have an AS Number AS2 and have 2 /24 subnets belonging to this AS Number. It is used in the US and peering with US Service Providers now. We are going to deploy another site in Asia; can we use the same AS Number AS2 and have 2 other /24 subnets and peer with other Asia Service Providers? Will it affect the routing or BGP path of our existing subnets in the US? Please advise. Thanks Harris :-)
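Two receive-side checks a BGP speaker applies to every UPDATE, in miniature, as an added example that belongs to neither thread above: the AS_PATH loop check that answers Graham's question (a router discards a route whose path already contains its own ASN, so two sites sharing one ASN do not learn each other's prefixes across the Internet), and origin validation against a ROA-like table, which is what separates the legitimate announcements from the mass mis-origination the SANOG post reports. ASNs and prefixes are documentation values (RFC 5398, RFC 5737): AS64500 is "our" AS, AS64510 the transit we hear from, AS64666 the rogue origin; the ROA table and updates are constructed.

```python
"""Receive-side BGP checks in miniature: AS_PATH loop detection and origin validation.

Added example, not from the thread.  Documentation ASNs (RFC 5398) and prefixes (RFC 5737);
the ROA table and the UPDATEs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: Tuple[int, ...]      # leftmost: neighbor that sent it; rightmost: origin

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def has_as_loop(local_as: int, update: Update) -> bool:
    """RFC 4271 section 9.1.2: a route whose AS_PATH already carries the local AS is a loop and is
    discarded.  Two sites sharing one ASN therefore will not see each other's prefixes via the
    Internet unless the check is relaxed on the router (vendor knobs such as allowas-in exist),
    the sites exchange routes over a private link, or each site's prefixes are only needed locally."""
    return local_as in update.as_path


# ROA-like entry: covering prefix -> (authorized origin ASes, maximum prefix length)
Roa = Tuple[Set[int], int]


def validate_origin(update: Update, roas: Dict[str, Roa]) -> str:
    """Route Origin Validation in the style of RFC 6811: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(update.prefix)
    covered = False
    for roa_prefix, (origins, maxlen) in roas.items():
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True                                   # some ROA speaks for this space
        if update.origin in origins and net.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "unknown"           # covered but no match: wrong origin or too specific


def process(local_as: int, updates: List[Update], roas: Dict[str, Roa]) -> List[Tuple[str, int, str]]:
    """Apply both checks in the order a router would: loop check first, then ROV."""
    out = []
    for u in updates:
        verdict = "dropped: AS loop" if has_as_loop(local_as, u) else validate_origin(u, roas)
        out.append((u.prefix, u.origin, verdict))
    return out


def invalid_origins(updates: List[Update], roas: Dict[str, Roa]) -> Dict[int, int]:
    """ROV-invalid announcements per origin AS.  One AS abruptly 'originating' many other
    networks' prefixes is the signature in the SANOG report quoted above."""
    counts: Dict[int, int] = {}
    for u in updates:
        if validate_origin(u, roas) == "invalid":
            counts[u.origin] = counts.get(u.origin, 0) + 1
    return counts


ROAS: Dict[str, Roa] = {
    "192.0.2.0/24": ({64500}, 24),        # our own prefix
    "198.51.100.0/24": ({64501}, 24),     # a peer's prefix, no more-specifics allowed
}

UPDATES = [
    Update("192.0.2.0/24", (64510, 64500)),          # our other site's announcement, heard via transit
    Update("198.51.100.0/24", (64510, 64501)),       # legitimate
    Update("198.51.100.0/24", (64510, 64666)),       # same prefix, wrong origin
    Update("198.51.100.128/25", (64510, 64501)),     # right origin, more specific than maxlen
    Update("203.0.113.0/24", (64510, 64666)),        # nothing covers it
]


def run_sample():
    return process(64500, UPDATES, ROAS), invalid_origins(UPDATES, ROAS)
```

The first sample update is Harris's scenario seen from the US edge: the Asia site's /24 comes back with 64500 already in the path and is dropped, which is harmless as long as the two sites never need to reach each other through the Internet by those prefixes. The fourth update is the case that trips people up with ROV: the correct owner announcing a more-specific than the ROA's maxlen allows is just as invalid as a stranger's announcement.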
Re: Is NAT can provide some kind of protection?
On Jan 12, 2011, at 9:21 AM, George Bonser wrote: I'd eat a hat if a vendor didn't implement a PAT equivalent. It's demanded too much. There is money for it, so it will be there. Jack Yeah, I think you are right. But in really thinking about it, I wonder why. The whole point of PAT was address conservation. You don't need that with v6. All you need to do with v6 is basically have what amounts to a firewall in transparent mode in the line and doesn't let a packet in (except where explicitly configured to) unless it is associated with a packet that went out. PAT makes little sense to me for v6, but I suspect you are correct. In addition, we are putting the fire suit on each host in addition to the firewall. Kernel firewall rules on each host for the *nix boxen.

Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6:

1.) Allows you to redirect a privileged port (on UNIX) to a non-privileged port. For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful. It's much easier to have a firewall redirect than to implement robust privilege revoking. Example: PAT 25/tcp -> 2525/tcp.

2.) Allows you to redirect multiple ports to a single one, to support legacy implementations. Suppose your application used to require separate ports for different types of requests, but now is able to multiplex them. The new daemon only listens on one port, but other applications may not have updated their configuration. Example: PAT 4443/tcp -> 443/tcp, PAT 8443/tcp -> 443/tcp.

Basically the idea is that implementing PAT for IPv6 allows smoother transition for apps that made use of it in IPv4, thus accelerating the adoption of IPv6. -- bk
Re: Is NAT can provide some kind of protection?
On Sat, Jan 15, 2011 at 4:16 PM, Brian Keefer ch...@smtps.net wrote: 1.) Allows you to redirect a privileged port (on UNIX) to a non-privileged port. For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful. It's much easier to have a firewall redirect than to implement robust privilege revoking. Example: PAT 25/tcp - 2525/tcp. There was a patch offered for the Linux kernel years ago that exported the network ports as a filesystem where you could set who could bind which port by changing the ownership and permissions on the files. I never understood why Linus rejected it. Regards, Bill Herrin -- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: co-location and access to your server
On Jan 12, 2011, at 3:49 PM, david raistrick wrote: On Wed, 12 Jan 2011, Jeroen van Aart wrote: What is considered normal with regards to access to your co-located server(s)? Especially when you're just co-locating one or a few servers. For less than 1 rack, or specialty racks with lockable sections (1/2 or 1/3 or 1/4 racks with their own doors), I'd consider any physical access to simply be a plus. I wouldn't expect any at all. You're not paying for enough space to justify the costs involved in 24x7 independent access, and the risks to other customers' gear. When you get a full rack+, or cage+, I'd expect unfettered 24x7 access since your gear should be separated and secured from other folks' gear.

You would think so, wouldn't you? Many years ago I had a cage in 811 10th, with the usual pile 'o goodies in it... I have a simple script (aka tail -f | grep -v ;-)) that I leave running in the background that tails syslog and only shows me interesting messages. One day I notice messages scrolling by, so I go see what is grumping about. Apparently the CF / PCMCIA card in one of the Cisco 7507s has just unmounted. No! Wait, it's back. Nope, gone again. Back. Gone! Back! Yay! It's back... Whoop, I lied, gone still gone... still gone... Bah, I figure that the card has just died and the appearing / disappearing trick was just the death rattle, so I take a wander over, and notice that it didn't just unmount, it's completely missing... I manage to get one of the security folk to pull the camera footage for around that time and I see some chappie wandering up and down the aisles, looking in through the mesh at everyone's toys. After the third or fourth circuit past our cage he suddenly perks up and hustles off camera. He comes back 2 minutes later with a broom and proceeds to poke the handle through the mesh and bang on the back of the router.
Eventually he manages to thwack the eject button hard enough and the flash drops onto the floor -- he wiggles it over, slides it under the edge of the cage, grins like a monkey and scampers back to his cage... I guess when you *really* needs some flash, you *really* needs some flash... W (I have also learnt the hard way not to use the edge of the cage as cable management...)

Some specialty providers would be exceptions, of course (i.e., I used to colo gear inside tv stations, satellite downlink stations, etc). Telecom colo (switch and network gear in a dedicated but shared space for providers providing service) would be an exception, of course. -- david raistrick http://www.netmeister.org/news/learn2quote.html dr...@icantclick.org http://www.expita.com/nomime.html
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 1:16 PM, Brian Keefer wrote: On Jan 12, 2011, at 9:21 AM, George Bonser wrote: I'd eat a hat if a vendor didn't implement a PAT equivalent. It's demanded too much. There is money for it, so it will be there. Jack Yeah, I think you are right. But in really thinking about it, I wonder why. The whole point of PAT was address conservation. You don't need that with v6. All you need to do with v6 is basically have what amounts to a firewall in transparent mode in the line and doesn't let a packet in (except where explicitly configured to) unless it is associated with a packet that went out. PAT makes little sense to me for v6, but I suspect you are correct. In addition, we are putting the fire suit on each host in addition to the firewall. Kernel firewall rules on each host for the *nix boxen. Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: 1.) Allows you to redirect a privileged port (on UNIX) to a non-privileged port. For daemons that don't implement some form of privilege revoking after binding to a low port (and/or aren't allowed to run as root), this is very useful. It's much easier to have a firewall redirect than to implement robust privilege revoking. Example: PAT 25/tcp -> 2525/tcp.

Actually, that's just port rewriting, which is mostly harmless. PAT refers, instead, to a stateful translation, which is most definitely not harmless.

2.) Allows you to redirect multiple ports to a single one, to support legacy implementations. Suppose your application used to require separate ports for different types of requests, but now is able to multiplex them. The new daemon only listens on one port, but other applications may not have updated their configuration. Example: PAT 4443/tcp -> 443/tcp, PAT 8443/tcp -> 443/tcp.

That's a pretty ugly situation, but, it would require a stateful mechanism to address it. I think it is much cleaner to have the daemon listen on the multiple ports.
Basically the idea is that implementing PAT for IPv6 allows smoother transition for apps that made use of it in IPv4, thus accelerating the adoption of IPv6. I think the lack of IPv4 resources will soon serve as sufficient acceleration of IPv6 adoption. Owen
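The distinction Owen draws above (a stateless port rewrite versus a stateful translation), and George's description of the IPv6 CPE firewall that "doesn't let a packet in unless it is associated with a packet that went out", modelled in a few dozen lines as an added example that is not part of the thread. `StatefulFilter` is the connection-tracking part: it forwards outbound packets, remembers the 5-tuple, and admits an inbound packet only if it matches a remembered flow in reverse or an explicit pinhole. `rewrite_dport` is Brian's 25/tcp to 2525/tcp case, a fixed map with no per-flow state. Addresses are documentation values, the inside network is 2001:db8:1::/64, and the packets are constructed. NAPT would add address and port translation on top of the same table; the property people credit to NAT, unsolicited inbound traffic being dropped, comes from the table, which works exactly the same way with no translation at all.

```python
"""Stateful filtering without address translation, beside stateless port rewriting.

Added example (not from the thread).  Documentation addresses; inside network 2001:db8:1::/64.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    """Key an inbound reply has to match: same protocol, the two endpoints swapped."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    def __init__(self, inside: str, pinholes: Iterable[Tuple[str, int]] = ()):
        self.inside = ipaddress.ip_network(inside)
        self.pinholes: Set[Tuple[str, int]] = set(pinholes)   # (inside address, port) opened on purpose
        self.flows: Set[FlowKey] = set()                      # connection-tracking table

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def forward(self, p: Packet) -> str:
        if self._is_inside(p.src) and not self._is_inside(p.dst):
            self.flows.add(flow_key(p))                        # outbound: remember the 5-tuple
            return "FORWARD"
        if not self._is_inside(p.src) and self._is_inside(p.dst):
            if reverse_key(p) in self.flows:
                return "FORWARD (established)"                 # the 'dynamic opening': a reply to our own flow
            if (p.dst, p.dport) in self.pinholes:
                return "FORWARD (pinhole)"
            return "DROP (unsolicited)"
        return "DROP (not transit)"


def rewrite_dport(p: Packet, table: Dict[int, int]) -> Packet:
    """Destination-port rewrite: a daemon bound to 2525 as an unprivileged user gets what arrived for 25."""
    return replace(p, dport=table.get(p.dport, p.dport))


def run_sample() -> List[str]:
    fw = StatefulFilter("2001:db8:1::/64", pinholes=[("2001:db8:1::25", 2525)])
    laptop = "2001:db8:1:0:5c3e:9a21:7b0d:1f2e"
    server = "2001:db8:ffff::80"
    third_party = "2001:db8:bad::1"
    results = []
    results.append(fw.forward(Packet("tcp", laptop, 51000, server, 443)))        # 1 outbound opens the flow
    results.append(fw.forward(Packet("tcp", server, 443, laptop, 51000)))        # 2 reply matches the reversed 5-tuple
    results.append(fw.forward(Packet("tcp", third_party, 443, laptop, 51000)))   # 3 third party, same ports, wrong source
    results.append(fw.forward(Packet("tcp", server, 444, laptop, 51000)))        # 4 right peer, wrong source port
    results.append(fw.forward(Packet("tcp", third_party, 40000, laptop, 22)))    # 5 unsolicited, no pinhole
    mail = rewrite_dport(Packet("tcp", third_party, 40001, "2001:db8:1::25", 25), {25: 2525})
    results.append(fw.forward(mail))                                             # 6 rewritten to 2525, admitted by the pinhole
    return results
```

Packets 3 and 4 are William's question from earlier in the thread in code: the dynamic opening created by packet 1 admits only a packet whose full reversed 5-tuple matches, so a third party who knows the inside address and port still gets dropped. Packet 6 shows why the port rewrite needs no state: the map is applied before the filter looks at the packet, and the filter's own rules decide whether it is admitted.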
Re: Is NAT can provide some kind of protection?
I'm a full supporter of getting rid of NAT when deploying IPv6, but have to say the alternative is not all that great either. Because what do people want? They want privacy, so they use the IPv6 privacy extensions, which are enabled by default on Windows when IPv6 is used on XP, Vista and 7. And now you have no idea who had that IPv6 address at some point in time. The solution to that problem is? I guess the only solution is to have the IPv6 equivalent of arpwatch to log the MAC address/IPv6 address combinations? Or is there another solution I'm missing?

You can solve this problem any of the ways you could solve it in IPv4. Either assign static addresses from DHCPv6, or assign static addresses by hand.
Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011, Brian Keefer wrote: Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses. Since many residential users won't stand for an additional fee, pressure will be placed on CPE vendors to include v6 PAT in their devices. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 3:06 PM, Brandon Ross wrote: On Sat, 15 Jan 2011, Brian Keefer wrote: Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses. Since many residential users won't stand for an additional fee, pressure will be placed on CPE vendors to include v6 PAT in their devices. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss I really doubt this will be the case in IPv6. The few service providers that try this will rapidly find their customers moving to service providers that do not. I know that Comcast is not planning to do this to their customers. I can't imagine too many ISPs that might even attempt to get away with treating their customers worse than Comcast does. Owen
Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011, Owen DeLong wrote: I really doubt this will be the case in IPv6.

I really hope you are right, because I don't want to see that either, however... Why do you suppose they did that before with IPv4? Sure you can make the argument NOW that v4 is in scarce supply, but 10 years ago it was still the case. Has Comcast actually come out and committed to allowing me to have as many IPs as I want on a consumer connection in the most basic, cheapest package? Has any other major provider? -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011 18:06:06 -0500 (EST) Brandon Ross br...@pobox.com wrote: On Sat, 15 Jan 2011, Brian Keefer wrote: Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses. How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address? Since many residential users won't stand for an additional fee, pressure will be placed on CPE vendors to include v6 PAT in their devices. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Is NAT can provide some kind of protection?
On 1/15/11 3:24 PM, Brandon Ross wrote: On Sat, 15 Jan 2011, Owen DeLong wrote: I really doubt this will be the case in IPv6. I really hope you are right, because I don't want to see that either, however... Why do you suppose they did that before with IPv4? Sure you can make the argument NOW that v4 is in scarce supply, but 10 years ago it was still the case. Has Comcast actually come out and committed to allowing me to have as many IPs as I want on a consumer connection in the most basic, cheapest package? Has any other major provider?

As a customer of Comcast, you can set up a tunnel to he.net and obtain your own prefix which then enables 18 x 10^18 IP addresses at no additional cost. See: http://tunnelbroker.net/ and http://www.comcast6.net/ -Doug
Re: Is NAT can provide some kind of protection?
On Sun, 16 Jan 2011, Mark Smith wrote: How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address? Huh? Who said anything about 100%? It would take only a single reasonably sized provider that has a monopoly in a particular area (tell me that doesn't happen) or a pair of them that have a duopoly (almost everywhere in the US) and you instantly have huge incentive for someone to write some v6 PAT code. Believe me, I'm the last person who wants to see this happen. It's a horrible, moronic, bone-headed situation. Unfortunately, I'm pretty sure it's going to happen because it's been the status quo for so long, and because some marketing dweeb will make the case that the provider is leaving revenue on the table because there will always be some customers who aren't clever enough to use NAT and will buy the upgraded 5 pack service. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Is NAT can provide some kind of protection?
On Sat, Jan 15, 2011 at 06:24:01PM -0500, Brandon Ross wrote: On Sat, 15 Jan 2011, Owen DeLong wrote: I really doubt this will be the case in IPv6. I really hope you are right, because I don't want to see that either, however... Why do you suppose they did that before with IPv4? Sure you can make the argument NOW that v4 is in scarce supply, but 10 years ago it was still the case. The finest raisins of all: hysterical raisins. Widespread consumer internet access was dialup, with Trumpet or equivalent. The concept of home networks was, at best, for the uber, *uber* nerds (like most people on this list). The idea that an average home user would *ever* need more than one IP was ludicrous, so your basic dialup account provided one IP (although I recall being able to ask for more, for free, if I needed them). Then it became a value add to have more than one IP, and then NAT came along because the hackers at home had networks, and then the hackers at home went into IT and used consumer-grade ISPs, and so they deployed NAT in the enterprise, and then those people became the standards writers for PCI DSS... - Matt
RE: Is NAT can provide some kind of protection?
I hope the engineers in the organization will just tell their marketing folk that it's not possible to hand out just one IPv6 address. Our hardware doesn't support it. I think there's still room for ISPs to charge $10/month for a static prefix, though. And that's technically possible. Frank -Original Message- From: Mark Smith [mailto:na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org] Sent: Saturday, January 15, 2011 5:30 PM To: Brandon Ross Cc: NANOG list Subject: Re: Is NAT can provide some kind of protection? On Sat, 15 Jan 2011 18:06:06 -0500 (EST) Brandon Ross br...@pobox.com wrote: On Sat, 15 Jan 2011, Brian Keefer wrote: Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses. How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address? Since many residential users won't stand for an additional fee, pressure will be placed on CPE vendors to include v6 PAT in their devices. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: INDOSAT Internet Network Provider NOC Contact
Hi Try this: supp...@indosat.com Hope that help. Willy On Sat, Jan 15, 2011 at 6:09 AM, Tim Donahue tdona...@vonmail.vonworldwide.com wrote: Hi all, Sorry for the noise, but I was wondering if anyone has a NOC or BGP knowledgeable contact with INDOSAT Internet Network Provider (AS4761). I have emailed the hostmaster@ email address listed in the WHOIS contact, and tried calling the phone number listed as well (disconnect message). They are announcing one of our prefixes and I am trying to find a contact in their company who can fix the announcement. Tim
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 3:30 PM, Mark Smith wrote: On Sat, 15 Jan 2011 18:06:06 -0500 (EST) Brandon Ross br...@pobox.com wrote: On Sat, 15 Jan 2011, Brian Keefer wrote: Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses. How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address? I've talked to a lot of them... None of the ones I've talked to have any plans to assign less than a /64 to an end-user. Hopefully the ones that are planning on less than a /48 will come to their senses. Owen
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 3:24 PM, Brandon Ross wrote: On Sat, 15 Jan 2011, Owen DeLong wrote: I really doubt this will be the case in IPv6. I really hope you are right, because I don't want to see that either, however... Why do you suppose they did that before with IPv4? Sure you can make the argument NOW that v4 is in scarce supply, but 10 years ago it was still the case.

1. IPv4 provided no convenient way for them to dynamically assign more than a /32. DHCPv6 allows for DHCP-PD. 2. IPv4 addresses were known to be scarce before most of the current residential ISPs even existed at least in their current form. 10 years ago, we knew that we had gone a decade beyond the point when we recognized that IPv4 would run out if we kept issuing addresses to consumers. Frankly, we didn't, at the time, expect NAT + single address assignments to buy us more than about 10 years and it came as a bit of a surprise when we still had a bunch of space left at that point.

Has Comcast actually come out and committed to allowing me to have as many IPs as I want on a consumer connection in the most basic, cheapest package? Has any other major provider?

No. But they have said that they are issuing prefixes and not host addresses. I doubt any ISP will commit to offering you as many IPs as you want on the most basic consumer grade service as I don't think any ISP would make that commitment on their top of the line business class service, either. However, I think you will see most ISPs offering at least /56s and hopefully /48s. Free.fr is giving out /60s, but, that's due to their limitations on their 6rd deployment and I suspect that when they migrate to native IPv6, they may use larger prefixes. I don't think there's too much to worry about providers handing out individual addresses in IPv6. It's too hard to maintain and it doesn't scale like it did in IPv4. I do think that we have to worry about things like /60s and /56s getting entrenched.
I think it is unfortunate that IETF has backed off of the /48 standard in their recent update to 3177. I think that clarification that it is for an end-site would have been better. The use of /56s will hamper innovation and prevent vendors from bringing some cool things to the market. Owen
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 4:21 PM, Frank Bulk wrote: I hope the engineers in the organization will just tell their marketing folk that it's not possible to hand out just one IPv6 address. Our hardware doesn't support it. I think there's still room for ISPs to charge $10/month for a static prefix, though. And that's technically possible. Unfortunate, but, true. Fortunately, I don't have that problem. I got my addresses elsewhere for less. ($100/year from ARIN is less than $120/year from your ISP.) Owen Frank -Original Message- From: Mark Smith [mailto:na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org] Sent: Saturday, January 15, 2011 5:30 PM To: Brandon Ross Cc: NANOG list Subject: Re: Is NAT can provide some kind of protection? On Sat, 15 Jan 2011 18:06:06 -0500 (EST) Brandon Ross br...@pobox.com wrote: On Sat, 15 Jan 2011, Brian Keefer wrote: Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6: You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses. How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address? Since many residential users won't stand for an additional fee, pressure will be placed on CPE vendors to include v6 PAT in their devices. -- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011 18:39:09 -0500 (EST) Brandon Ross br...@pobox.com wrote:

> On Sun, 16 Jan 2011, Mark Smith wrote:
>
> > How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address?
>
> Huh? Who said anything about 100%?

I think you did ..

> > > Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses.

> It would take only a single reasonably sized provider that has a monopoly in a particular area (tell me that doesn't happen) or a pair of them that have a duopoly (almost everywhere in the US) and you instantly have huge incentive for someone to write some v6 PAT code.

And that will create a huge incentive for people to acquire larger amounts of address space via other mechanisms, such as 6to4, tunnels, changing to another provider etc.

> Believe me, I'm the last person who wants to see this happen. It's a horrible, moronic, bone-headed situation. Unfortunately, I'm pretty sure it's going to happen because it's been the status quo for so long, and because some marketing dweeb will make the case that the provider is leaving revenue on the table because there will always be some customers who aren't clever enough to use NAT and will buy the upgraded 5 pack service.

I'm confident the opposite will happen. People on this list and similar ones usually understand the value of more than one public address for a home, and commonly enough have routed subnets to their homes, courtesy of their employer, and have probably also been burnt by NAT. They'll be the ones who tell their management this is how IPv6 is deployed. If they're ignored, they should then say, and this is how our competitors will be deploying IPv6.

Even though customers may not completely understand what they're getting, if one provider has a marketing bullet point of 1 IPv6 address, and another has a marketing bullet point of Millions of IPv6 addresses, people will just assume more is better and go with the latter. There is no point pretending IPv6 addresses are expensive or trying to make them artificially so.
Re: Is NAT can provide some kind of protection?
On Sat, 15 Jan 2011 18:21:52 -0600 Frank Bulk frnk...@iname.com wrote:

> I hope the engineers in the organization will just tell their marketing folk that it's not possible to hand out just one IPv6 address. Our hardware doesn't support it. I think there's still room for ISPs to charge $10/month for a static prefix, though. And that's technically possible.

I think it is important to define what static means. My definition is that no matter where the customer's network attachment point moves to, the customer retains the same addressing while they have a continued commercial relationship with the SP - in effect PI address space within the SP's network. There is a fairly significant cost to preserving that, a guaranteed route table slot. This is typically a business product offering.

The only other alternative people seem to think there is is dynamic, where every time the customer reconnects they may get different addressing. This is the typical residential product offering.

I think there is a useful middle point of stable addressing, where as long as their point of attachment (or point of service delivery - i.e. their home) doesn't change, a customer would continue to get the same addressing. This idea wasn't as useful or as applicable in IPv4, but would be quite beneficial in IPv6 when DHCPv6-PD is being used. It wouldn't be an assured address assignment, however the SP would endeavour to try to ensure the addressing stays stable over quite long periods of time. It's common enough for LNS/BRASes to do this anyway if the customer's connection lands on the same one. The trick is to expand this stability over the group of all LNS/BRASes that customers can attach to when they reconnect, such that it is an SP-designed behaviour, rather than an implementation behaviour of each individual LNS/BRAS.

Regards,
Mark.
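The "stable addressing" design Mark describes above, modelled as an added example (it is not code from the thread, from any SP, or from any BRAS vendor): a single prefix-delegation lease store shared by every LNS/BRAS, in which the delegated /56 is bound to the access-line identifier the DHCPv6 relay inserts (Remote-ID, option 37, or Interface-ID, option 18), never to the BRAS the session happens to land on. The pool, the 90-day hold time, the line identifiers and the BRAS names are constructed sample values.

```python
"""Stable DHCPv6-PD allocation keyed on the subscriber's service-delivery point.

Added example modelling the stable-addressing design discussed on the list:
one lease store shared by all BRAS/LNS instances, prefixes looked up by the
access-line identifier (DHCPv6 Remote-ID / Interface-ID) rather than by the
BRAS that terminated the session.  Reconnecting through any BRAS returns the
same /56; only a new service-delivery point (a move) gets a different prefix.
Pool, hold time and identifiers are constructed sample values.
"""
from collections import deque
import ipaddress
import time

POOL = ipaddress.IPv6Network("2001:db8::/40")  # documentation prefix, sample pool
DELEGATED_LEN = 56                              # one /56 delegated per customer
STABLE_HOLD = 90 * 24 * 3600                    # keep an idle prefix bound for 90 days


class StablePDAllocator:
    """Shared allocator every BRAS consults; prefixes are bound to access lines."""

    def __init__(self, pool=POOL, hold=STABLE_HOLD, now=time.time):
        self._fresh = pool.subnets(new_prefix=DELEGATED_LEN)  # never-used prefixes
        self._reclaimed = deque()   # expired prefixes, reused oldest-freed first
        self._leases = {}           # line_id -> (prefix, last_seen)
        self._hold = hold
        self._now = now             # injectable clock, so the hold window is testable
        self.sessions = []          # (bras_id, line_id, prefix) accounting trail

    def _expire_idle(self):
        """Release prefixes whose line has not been seen within the hold window."""
        now = self._now()
        idle = [lid for lid, (_, seen) in self._leases.items() if now - seen > self._hold]
        for lid in idle:
            prefix, _ = self._leases.pop(lid)
            self._reclaimed.append(prefix)

    def delegate(self, line_id, bras_id):
        """Return the prefix for this access line.

        bras_id is recorded for accounting only; it is deliberately not part of
        the lookup key, which is what makes the result stable across BRASes.
        """
        self._expire_idle()
        if line_id in self._leases:
            prefix = self._leases[line_id][0]       # same line, same prefix
        elif self._reclaimed:
            prefix = self._reclaimed.popleft()      # recycle the longest-idle prefix
        else:
            try:
                prefix = next(self._fresh)
            except StopIteration:
                raise RuntimeError("prefix pool exhausted") from None
        self._leases[line_id] = (prefix, self._now())  # every contact refreshes last_seen
        self.sessions.append((bras_id, line_id, str(prefix)))
        return prefix

    def lease_for(self, line_id):
        """Current prefix bound to a line, or None; never allocates."""
        self._expire_idle()
        lease = self._leases.get(line_id)
        return lease[0] if lease else None


if __name__ == "__main__":
    alloc = StablePDAllocator()
    first = alloc.delegate("dslam7/port12", "bras-a")  # constructed line and BRAS ids
    again = alloc.delegate("dslam7/port12", "bras-b")  # reconnect lands on another BRAS
    print(first, again, first == again)
```

The accounting trail is the operational payoff of keeping one shared store: a prefix maps to exactly one access line for the whole hold window, so an abuse report naming a prefix resolves to a customer without reconciling per-BRAS logs. The key can be any identifier the access network assigns to the service-delivery point; nothing in the allocator assumes a DSL topology.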
Re: Is NAT can provide some kind of protection?
On 01/15/2011 06:30 PM, Mark Smith wrote:

> On Sat, 15 Jan 2011 18:06:06 -0500 (EST) Brandon Ross br...@pobox.com wrote:
>
> > On Sat, 15 Jan 2011, Brian Keefer wrote:
> >
> > > Actually there are a couple very compelling reasons why PAT will probably be implemented for IPv6:
> >
> > You are neglecting the most important reason, much to my own disdain. Service providers will continue to assign only a single IP address to residential users unless they pay an additional fee for additional addresses.
>
> How do you know - have you asked 100% of the service providers out there and they've said unanimously that they're only going to supply a single IPv6 address?

Can we *please* stop this pointless thread?

If not, at least I will inject a fact into this pointless thread with a factoid from Comcast's IPv6 trial, e.g. my address:

I know it is sooo terrible to have the gall to do such a treacherous thing as injecting actual information with counterexample, when such high velocity hand waving is in progress, but such it will be.

- Jim

jg@jg:~$ /sbin/ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:23:14:4e:3f:50
          inet addr:192.168.1.118  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2001:55c:62e5:6320:223:14ff:fe4e:3f50/64 Scope:Global
          inet6 addr: fe80::223:14ff:fe4e:3f50/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2333470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2117301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2474359067 (2.4 GB)  TX bytes:1296861717 (1.2 GB)
Re: Is NAT can provide some kind of protection?
On Jan 15, 2011, at 8:03 PM, Mark Smith wrote:

> On Sat, 15 Jan 2011 18:21:52 -0600 Frank Bulk frnk...@iname.com wrote:
>
> > I hope the engineers in the organization will just tell their marketing folk that it's not possible to hand out just one IPv6 address. Our hardware doesn't support it. I think there's still room for ISPs to charge $10/month for a static prefix, though. And that's technically possible.
>
> I think it is important to define what static means. My definition is that no matter where the customer's network attachment point moves to, the customer retains the same addressing while they have a continued commercial relationship with the SP - in effect PI address space within the SP's network. There is a fairly significant cost to preserving that, a guaranteed route table slot. This is typically a business product offering.

Uh, yeah, I think most SPs will only provide that as long as the customer is attached at the same POP or possibly in the same Region, whatever their aggregation zone happens to be. If you're going to have the customer tying up a slot in the routing table, there's not much benefit (from an SP perspective) vs. having them go get an AS and a PI Prefix.

> The only other alternative people seem to think there is is dynamic, where every time the customer reconnects they may get different addressing. This is the typical residential product offering.

Well, there's static as long as the customer stays where they are or moves within the same access aggregation facility. That's relatively easy for the provider and solves 99.99% of the residential customer's problems with dynamic.

> I think there is a useful middle point of stable addressing, where as long as their point of attachment (or point of service delivery - i.e. their home) doesn't change, a customer would continue to get the same addressing. This idea wasn't as useful or as applicable in IPv4,

Frankly, that's what I thought you meant by static at first.

> but would be quite beneficial in IPv6 when DHCPv6-PD is being used. It wouldn't be an assured address assignment, however the SP would endeavour to try to ensure the addressing stays stable over quite long periods of time. It's common enough for LNS/BRASes to do this anyway if

Hmmm... Now you're going away from your definition of stable to what I would call semi-sticky dynamic addressing. It's a darker shade of gray than stable, but, still reasonably usable.

> the customer's connection lands on the same one. The trick is to expand this stability over the group of all LNS/BRASes that customers can attach to when they reconnect, such that it is an SP-designed behaviour, rather than an implementation behaviour of each individual LNS/BRAS.

You're making a rather large assumption here. Namely that all the world is DSL.

Owen