Re: Nat

2015-12-21 Thread Mark Andrews

We already have CPE vendors shipping with "guest" ssids.  These
require a separate /64 and are usually treated as external to the
home network.  With IPv4 you grab a separate chunk of rfc1918 space
and nat that as well as the main chunk of space.  For IPv6 you need
multiple /64s from the ISP.  A single /64 is not enough.  This is
all done with a point and click interface.

If you are an ISP that supplies a single /64 then you really should
stop showing your lack of clue to all and sundry by supplying
multiple /64s.

If you are an ISP that doesn't supply IPv6 at all then you really
are not doing your job as an ISP.

Mark

In message <4102d692-a315-4c38-a2cb-54f96999e...@lboro.ac.uk>, Alan Buxey writes:
> I'm surprised that none of the home wifi router folk have cornered the
> market on that one in terms of client separation.  Most people don't need the
> devices to talk to each other so by default all ports on different VLANs ..
> 192.168.0-8.x etc
> 
> Internet of things security out of the box. Web interface to change port
> membership for those that DO need inter device access
> 
> Or maybe there are such defaults out there from some suppliers I'm not familiar
> with? :)
> 
> alan
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Nat

2015-12-21 Thread Owen DeLong

> On Dec 20, 2015, at 08:57 , Mike Hammett  wrote:
> 
> There's nothing that can really be done about it now and I certainly wasn't 
> able to participate when these things were decided. 
> 
> However, keeping back 64 bits for the host was a stupid move from the 
> beginning. We're reserving 64 bits for what's currently a 48 bit number. You 
> can use every single MAC address whereas IPs are lost to subnetting and other 
> such things. I could have seen maybe holding back 56 bits for the host if for 
> some reason we need to replace the current system of MAC addresses at some 
> point before IPv6 is replaced. 

That’s not what happened. What happened was that we added 64 bits to the 
address space (the original thought was a 64 bit address space) in order to 
allow for simplified host autoconf based on EUI-64 addresses. It did seem like 
a good idea at the time.

At the time, IEEE had realized that they were running out of EUI-48 addresses 
and had decided that the next generation would be EUI-64 and in fact, if you 
look at newer interfaces (e.g. firewire) you will see that they do, in fact, 
ship with EUI-64 addresses baked in. Given that IEEE had already decided on 
EUI-64 as the way forward for “MAC” addresses, it seems to me that 64 bits 
makes more sense than 56.

> There may be address space to support it, but is there nimble boundary space 
> for it?

I think you mean nibble-boundary space for it and the answer is yes.

> The idea that there's a possible need for more than 4 bits worth of subnets 
> in a home is simply ludicrous and we have people advocating 16 bits worth of 
> subnets. How does that compare to the entire IPv4 Internet? 

I have more than 16 subnets in my house, so I can cite at least one house with 
need for more than 4 bits just in a hand-coded network.

Considering the future possibilities for automated topological hierarchies 
using DHCP-PD with dynamic joining and pruning routers, I think 8 bits is 
simply not enough to allow for the kind of flexibility we’d like to give to 
developers, so 16 bits seems like a reasonable compromise.

> There is little that can be done about much of this now, but at least we can 
> label some of these past decisions as ridiculous and hopefully a lesson for 
> next time. 


TL;DR version: Below is a detailed explanation of why giving a /48 to every 
residence is harmless and just makes sense.

If you find that adequate, stop here. If you are still skeptical, read on…

Except that the decisions weren’t ridiculous. They not only made sense then, 
but for the most part, if you consider a bigger picture and a wider longer-term 
view than just what we are experiencing today, they make even more sense.

First, unlike the 100 gallon or 10,000 gallon fuel tank analogy, extra bits 
added to the address space come at a near zero cost, so adding them if there’s 
any potential use is what I would classify as a no-brainer. At the time IPv6 
was developed, 64-bit processors were beginning to be deployed and there was no 
expectation that we’d see 128-bit processors. As such, 128 bit addresses were 
cheap and easily implementable in anticipated hardware and feasible in existing 
hardware, so 128-bits made a lot of sense from that perspective.

From the 64-bits we were considering, adding another 64 bits so that we could 
do EUI-based addressing also made a lot of sense. 48-bits didn’t make much 
sense because we already knew that IEEE was looking at moving from 48-bits to 
64-bits for EUI addresses. A very simple mechanism for translating EUI-48 into 
a valid unique EUI-64 address was already documented by IEEE (Add an FF suffix 
to the OUI portion and an EE Prefix to the ESI portion, and ensure that the 
Locally Generated bit is 1). As such, a locally generated 02:a9:3e:8c:7f:1d 
address becomes 02:a9:3e:ff:ee:8c:7f:1d while a registered address 
ac:87:a3:23:45:67 would become ae:87:a3:ff:fe:23:45:67.

The justification for 16 bits of subnetting is a little more pie-in-the-sky, 
I’ll grant you, but given a 64-bit network numbering space, there’s really no 
disadvantage to giving out /48s and very little (or no) advantage to giving out 
smaller chunks to end-sites, regardless of their residential or commercial 
nature.

Let’s assume that ISPs come in essentially 3 flavors. MEGA (The Verizons, 
AT&T, Comcasts, etc. of the world) having more than 5 million customers, LARGE 
(having between 100,000 and 5 million customers) and SMALL (having fewer than 
100,000 customers).

Let’s assume the worst possible splits and add 1 nibble to the minimum needed 
for each ISP and another nibble for overhead.

Further, let’s assume that 7 billion people on earth all live in individual 
households and that each of them runs their own small business bringing the 
total customer base worldwide to 14 billion.

If everyone subscribes to a MEGA and each MEGA serves 5 million customers, we 
need 2,800 MEGA ISPs. Each of those will need 5,000,000 /48s which would 
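
The EUI-48 to EUI-64 mapping Owen describes above, as an added example that is not code from the thread: it implements the modified EUI-64 interface identifier of RFC 4291 Appendix A (insert ff:fe between the OUI and the device-specific bytes, invert the universal/local bit), which reproduces the registered-address example in the message, builds a SLAAC address from a /64 prefix, and recovers the MAC from such an address so an operator can see which hosts expose their hardware address in their IPv6 address. The prefix and sample addresses are constructed.

```python
# Added example (not code from the NANOG thread): MAC-48 -> modified EUI-64
# per RFC 4291 Appendix A, plus the reverse check a defender uses to spot
# SLAAC addresses that leak the hardware MAC (privacy extensions, RFC 4941,
# avoid this).
import ipaddress
import re


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 IID for a MAC-48 address.

    RFC 4291: insert 0xFF 0xFE between the OUI (first 3 bytes) and the
    device-specific bytes, then invert the universal/local bit (0x02 of
    byte 0)."""
    parts = re.split(r"[:\-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    b = bytes(int(p, 16) for p in parts)
    eui64 = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    eui64[0] ^= 0x02
    return bytes(eui64)


def fmt_eui64(iid: bytes) -> str:
    """Colon-separated hex, e.g. ae:87:a3:ff:fe:23:45:67."""
    return ":".join(f"{x:02x}" for x in iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as advertised in an RA) with the IID of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr: str):
    """Return the embedded MAC-48 if `addr` carries an EUI-64 IID, else None.

    The ff:fe marker in the middle of the IID is the tell; RFC 4941 privacy
    addresses will not carry it except by a 1-in-65536 chance."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L bit inversion
    return ":".join(f"{x:02x}" for x in mac)


def hosts_exposing_mac(addrs):
    """Map each EUI-64-derived address in `addrs` to the MAC it reveals."""
    found = {}
    for a in addrs:
        mac = mac_from_eui64_address(a)
        if mac:
            found[a] = mac
    return found


# Constructed sample: one SLAAC/EUI-64 host and one privacy-extension host
# on a documentation prefix.
SAMPLE = ["2001:db8:1:2:ae87:a3ff:fe23:4567", "2001:db8:1:2:3d4e:9a1b:7c2f:0e55"]

if __name__ == "__main__":
    print(fmt_eui64(mac_to_modified_eui64("ac:87:a3:23:45:67")))
    print(slaac_address("2001:db8:1:2::/64", "ac:87:a3:23:45:67"))
    print(hosts_exposing_mac(SAMPLE))
```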

Re: Nat

2015-12-21 Thread Mark Andrews

In message , Tony Finch writes:
> Alan Buxey  wrote:
> 
> > Most people don't need the devices to talk to each other
> 
> A lot of home networking uses mDNS - partitioning off devices will break
> things like printing and chromecast and using your phone as a remote
> control for your media players, etc. ad nauseam.

But with a little help from the router it still works.
 
> Tony.
> -- 
> f.anthony.n.finch    http://dotat.at/
> Northwest Fitzroy, Sole, Lundy, Fastnet, Irish Sea, Shannon: Mainly
> southwesterly 6 to gale 8, occasionally severe gale 9. Rough or very rough,
> becoming very rough or high, except in Irish Sea. Occasional rain. Moderate or
> poor, occasionally good.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Nat

2015-12-21 Thread Owen DeLong
Not quite true…

"What happens when we have to make an incompatible change to the fundamental 
packet header?” is the real challenge.

It happens that in the case of IPv4, we didn’t hit that particular wall until 
we needed a larger address.

In IPv6, it will probably be something related to the ability to scale the 
number of routing destinations if I had to guess, but it’s so far in the future 
that predicting it now is somewhere between highly suspect and utterly 
impossible.

There will be a next time… There is _ALWAYS_ a next time with any human system. 
We always end up changing how we use things and then needing to adapt those 
things to those changes. That’s not a bad thing. Hopefully we will learn some 
lessons from this process and make the next transition somewhat less painful. 
However, most of those lessons are behavioral and judging by our progress on 
climate change, I’m not convinced we’ve learned anything at all about 
addressing problems before they reach crisis status.


Owen
> 
> I’m only going to say one more thing on this subject because this is 
> essentially a side bar that has very little to do with the subject matter of 
> the OP.  
> 
> If we hadn’t run out of address space we’d still be trying to fix IPv4.  The 
> numbers don’t lie.  It’s not very likely that we’re going to be space 
> constrained on the IPv6 Internet like we are on the IPv4 internet.  Nobody is 
> going to want to repeat the pain of the last 17 years of trying to convince 
> people to run IPv6.
> 
> Just about every technical challenge with the underlying protocol stack is 
> fixable.  Except for one: what happens when we run out addresses.  For all of 
> its flaws, IPv6 addresses this one particular issue quite well.
> 
> 



Re: Nat

2015-12-21 Thread Scott Weeks


--- ja...@puck.nether.net wrote:
From: Jared Mauch 

I'd love to hear from people on what they perceive and 
the real barriers they have seen with regards to IPv6 
in your environment. 
---

In the enterprise; managers that don't (and don't want to)
understand and say things like "present a business plan and
we might consider it.  In the mean time I need everyone to 
focus on ."  The things a 
netgeek has to put up with when (s)he doesn't want to move.

scott


Re: IPv4 subnets for lease?

2015-12-21 Thread Martin Hannigan
On Thu, Dec 17, 2015 at 9:31 PM, Nick Ellermann 
wrote:

> We have customers asking to lease IP space for BGP transit with us and
> other peers. But they are struggling to get at a minimum even a Class C,
> even though they have their own ASN. We don't have large amounts of free
> IPv4 space to lease out to a single customer in most cases anymore. Hope to
> at least introduce these customers to some contacts that may be able to
> help.
> Do we know of any reputable sources that are leasing or selling IPv4
> subnets as small as a /24 to satisfy their diversity needs? Thanks!
>
>

I'm going to stay focused on your question.

There are many methods to obtain additional IPv4 address space.

o You can still use an RIR and get a last /22 in the RIPE region provided
you follow their rules, and no, you do not have to be in Europe.

Read carefully:

 https://www.ripe.net/participate/policies/proposals/2013-03

o You can use a marketplace where buyers and sellers live in harmony to
conduct buy and sell (bid, offer) transactions. I find the folks at Addrex
very knowledgeable www.addrex.net

o You can use an auction site. The folks at Hilco Streambank seem to be able
to keep theirs running at www.ipv4auctions.com

The above are not endorsements. There are many others. Some are credible.
Some are interesting. YMMV.

This thread will now self-destruct.

Best,

-M<


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Stephane Bortzmeyer
On Fri, Dec 18, 2015 at 09:28:11AM +0100,
 Stephane Bortzmeyer  wrote 
 a message of 6 lines which said:

> http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554

The password for the first backdoor (the one regarding telnet/SSH
access) has been published recently:

https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor

Shodan finds 26000 ScreenOS machines reachable from the Internet. It
will be a small botnet :-)


Re: Nat

2015-12-21 Thread Mark Tinka


On 21/Dec/15 07:22, Jason Baugher wrote:

>
> From a service provider perspective, I feel we have 2 choices. The first is
> to spend a lot of time trying to educate our customers on how networks work
> and how to manage theirs. Personally, I'd rather have my fingernails pulled
> out. The second, and I feel much less likely to fail, is to spend time
> developing technology and service offerings to give our customers the easy,
> spoon-fed experience they're looking for - and charge them for it
> accordingly.

+1.

Car manufacturers gave us ABS, instead of lengthy manuals about how to
brake effectively in the wet.

Mark.


Re: Nat

2015-12-21 Thread Matthew Newton
Hi,

On Sat, Dec 19, 2015 at 03:03:18PM +0100, Sander Steffann wrote:
> > The mix of having to do this crazy thing of gateway announcements
> > from one place, DNS from somewhere else, possibly auto-assigning
> > addresses from a router, but maybe getting them over DHCPv6. It's
> > just confusing and unnecessary and IMHO isn't helpful for
> > persuading people to move to IPv6. Especially when everyone
> > already understands DHCP in the v4 world.
> 
> Have you ever tried to deploy IPv6 (even if only in a lab
> environment)? I have worked with several companies (ISP and
> enterprise) and once they stop thinking "I want to do everything
> in IPv6 in exactly the same way as I have always done in IPv4"
> and actually look at the features that IPv6 provides them they
> are usually much happier with IPv6 than they were with IPv4.

I've been running IPv6 for over 10 years. RAs and SLAAC. Doesn't
affect my previous comment. :)

IPv6 should by all means recommend certain technologies that are
"better" in an ideological world. Not having one small feature
that makes it harder for people to deploy (for whatever the
reason) doesn't help the cause.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: Nat

2015-12-21 Thread A . L . M . Buxey
Hi,

> > > persuading people to move to IPv6. Especially when everyone
> > > already understands DHCP in the v4 world.



> > enterprise) and once they stop thinking "I want to do everything
> > in IPv6 in exactly the same way as I have always done in IPv4"

exactly.

as my thoughts often gather at any IPv6 deployment event I go to

"stop trying to shape IPv6 into your IPv4 model"


yes, there are annoyances...like older routers/clients not supporting
extensions to allow DNS/NTP etc from being fed in SLAAC...and clients
only supporting SLAAC and not DHCPv6 etc etc  but if you just SLAAC/DHCPv6
into your dual-stack environment then silly clients still get things via 
DHCPv4 and you start getting IPv6 connectivity...and then work through
the NEXT part.

more effort should be spent on e.g. address management and network topology.
the client stuff is easy

THEN we get to the stuff we should be looking at and expending more effort
on... not 'how do I deploy IPv6?' but 'how do I switch off IPv4?'  ;-)

hopefully 2016 will be the year when more sites have IPv6-only networks 
on their enterprise networks with e.g. 464XLAT etc 

alan


Re: Nat

2015-12-21 Thread Mike Hammett
It simply is not common and will not become common. Not everyone is a network 
engineer. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


- Original Message -

From: "Keith Medcalf"  
To: nanog@nanog.org 
Sent: Sunday, December 20, 2015 10:06:26 PM 
Subject: RE: Nat 


You can lead a horse to water, but you cannot make it drink. If people choose 
to be the authors of their own misfortunes, that is their choice. I know a good 
many folks who are not members of NANOG yet have multiple separate L2 and L3 
networks to keep the "crap" isolated. 

> -Original Message- 
> From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On Behalf 
> Of Mike Hammett 
> Sent: Sunday, 20 December, 2015 20:37 
> Cc: North American Network Operators Group 
> Subject: Re: Nat 
> 
> We can't get people to use passwords judiciously (create them at all for 
> WiFi, change them, use more than one, etc.) and now you want them to 
> manage networks? 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> - Original Message - 
> 
> From: "Randy Fischer"  
> To: "Mike Hammett"  
> Cc: "North American Network Operators Group"  
> Sent: Sunday, December 20, 2015 9:34:16 PM 
> Subject: Re: Nat 
> 
> 
> 
> 
> 
> On Sun, Dec 20, 2015 at 10:15 PM, Mike Hammett < na...@ics-il.net > wrote: 
> 
> 
> Most people couldn't care less and just want the Internet on their device 
> to work. 
> 
> 
> 
> 
> Well, if the best practice for CPE routers included as a matter of course 
> the subnets "connected to internet", "local only (e.g. IoT)" and "guest 
> network", and if they just worked, then they wouldn't mind that either. 
> 
> 
> A friend of mine used to refer to this as 'refrigerator consciousness" - 
> he was a gearhead, so it was a pejorative. Instead, I think of it as a 
> design goal. 
> 
> 
> -Randy Fischer 
> 
> 
> 


RE: Nat

2015-12-21 Thread Jon Lewis

On Sun, 20 Dec 2015, Chuck Church wrote:

> insist on "NAT/PAT != firewall".   Well, a router routing everything it sees
> is even less of a firewall.  I'm really not trying to be argumentative here,
> but I'm just having a hard time believing Joe Sixpack will be applying
> business networking principles such as micro-segmenting to a home network
> with 3 to 7 devices on it.  If anything, these complexities we keep

I'm not disagreeing, but as this came up recently in another forum, I 
think you'll find that most home networks have a couple times that number 
of networked devices...once you add up computers, phones, tablets, game 
consoles, TV's & other media devices, thermostats, cameras, security 
systems, you'll probably run out of fingers and toes counting them all in 
a typical home network.  The average home user wouldn't know what you were 
talking about though if you asked them if they wanted to put various 
device classes in different subnets.  They just want it all to work...and 
keeping it all working means providing at least a default level of 
security/filtering that prevents all of it from being directly accessed by 
remote scanners looking to exploit insecure systems.


> adding/debating such as DHCP vs RA, prefix delegation, etc are only slowing
> down the general deployment of IPv6.


From my perspective, ISP's not offering v6 is what's slowing down 
deployment.  My home cable provider still does not.

--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


RE: Nat

2015-12-21 Thread Alan Buxey
I'm surprised that none of the home wifi router folk have cornered the 
market on that one in terms of client separation.  Most people don't need the 
devices to talk to each other so by default all ports on different VLANs .. 
192.168.0-8.x etc

Internet of things security out of the box. Web interface to change port 
membership for those that DO need inter device access

Or maybe there are such defaults out there from some suppliers I'm not familiar 
with? :)

alan


RE: Nat

2015-12-21 Thread Scott Weeks


--- chuckchu...@gmail.com wrote:
From: "Chuck Church" 

but I'm just having a hard time believing Joe Sixpack will be applying
business networking principles such as micro-segmenting to a home network
with 3 to 7 devices on it.  If anything, these complexities we keep



Won't the devices themselves begin to do that based on minimal
or no input from Joe?

scott


Re: [CVE-2015-7755] Backdoor in Juniper/ScreenOS

2015-12-21 Thread Doug Barton

https://www.schneier.com/blog/archives/2015/12/back_door_in_ju.html


Re: Nat

2015-12-21 Thread John Levine
In article <4102d692-a315-4c38-a2cb-54f96999e...@lboro.ac.uk> you write:
>I'm surprised that none of the home wifi router folk have cornered the 
>market on that one in terms of client separation.  Most people don't need the 
>devices to talk to each other so by default all ports on different VLANs .. 
>192.168.0-8.x etc

Some of the cheap Linksys routers I've seen appear to be able to put different
addresses and different VLANs on the different ethernet ports.  I don't think
it could do multiple VLANs on the same port, and even if it could, you'd have
to be impressively obsessive to configure all the MAC addresses by hand.



RE: Nat

2015-12-21 Thread Tony Finch
Alan Buxey  wrote:

> Most people don't need the devices to talk to each other

A lot of home networking uses mDNS - partitioning off devices will break
things like printing and chromecast and using your phone as a remote
control for your media players, etc. ad nauseam.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Northwest Fitzroy, Sole, Lundy, Fastnet, Irish Sea, Shannon: Mainly
southwesterly 6 to gale 8, occasionally severe gale 9. Rough or very rough,
becoming very rough or high, except in Irish Sea. Occasional rain. Moderate or
poor, occasionally good.