Re: Another driver for v6?

2008-11-02 Thread Mohacsi Janos




On Fri, 31 Oct 2008, HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP wrote:


ever heard of the concept open market

ipv4 address space delegations will just move from the rirs to places like
ebay, problem solved.


Are you willing to pay a premium to get a global IPv4 address?  Are you willing 
to pay for non-dynamic global IPv4 addresses for your servers?





most of it is unused anyway (milnet, amateur radio ranges, etc)


Did you consider operational consequences? No prefix allocation database? 
No routing database? Address collisions? Fighting for announcing more 
specifics to use your allocated addresses?


Regards,
Janos Mohacsi




Re: Another driver for v6?

2008-11-02 Thread Paul Vixie
i'm slightly worried about feeding trolls here but it's sunday here.

HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP [EMAIL PROTECTED]
writes:

 ever heard of the concept open market

 ipv4 address space delegations will just move from the rirs to places like
 ebay, problem solved.

 most of it is unused anyway (milnet, amateur radio ranges, etc)

the human, as a species in the animal kingdom, is known to be the kind of
animal who fouls its own nest and overruns its habitat.  the idea of a
tipping point, whether it be for CO2 in the atmosphere or polar ice shelves
or explosively deaggregated IPv4 routing tables, does not occur in the
minds of individual decision makers.  instead it's left to us chicken
little types, and the only way the individual decision makers ever make
their decisions on the basis of tipping points is if some kind of
governance makes them do so.
-- 
Paul Vixie



Re: Another driver for v6?

2008-10-31 Thread Tore Anderson
* David W. Hankins

 It is almost lunacy to deploy IPv6 in a customer-facing sense (note
 for example Google's choice to put its AAAA on a separate FQDN).  At
 this point, I'd say people are still trying to figure out how clients
 will migrate to IPv6.  Which seems like a pretty bad time to still be
 trying to figure that out, but ohwell.

Google has been testing this a bit on their main pages.  Select quotes
from the presentation of their results:

 0.238% of users have useful IPv6 connectivity (and prefer IPv6)
 0.09% of users have broken IPv6 connectivity

The summary disagrees with you about the «almost lunacy» part:

 It's not that broken
 - ~0.09% clients lost, ~150ms extra latency - don't believe the FUD

The slides are here, they're worth a look in my opinion:

http://rosie.ripe.net/ripe/meetings/ripe-57/presentations/uploads/Thursday/Plenary
 
14:00/upl/Colitti-Global_IPv6_statistics_-_Measuring_the_current_state_of_IPv6_for_ordinary_users.xD5A.pdf

Best regards,
-- 
Tore Anderson



Re: Another driver for v6?

2008-10-31 Thread David W. Hankins
On Thu, Oct 30, 2008 at 03:55:01PM +, Andy Davidson wrote:
 Do you think that industry should be working to some kind of well supported 
 / worldwide flag day when lots of popular resources add v6 records at the 
 same time ?

This is a sound evolutionary tactic lemmings use.  =)

But I'll take you one step simpler; get the industry to choose a day
where it will no longer be acceptable to treat IPv6 like an
experimental project.  Sometime last year would have been great.

If you can do that, then the RRset changes would come naturally
afterwards.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?  https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins        If you don't do it right the first time,
Software Engineer       you'll just have to do it again.
Internet Systems Consortium, Inc.   -- Jack T. Hankins




Re: Another driver for v6?

2008-10-31 Thread David W. Hankins
On Fri, Oct 31, 2008 at 10:41:01AM -0600, Mike Lewinski wrote:
 This is a sound evolutionary tactic lemmings use.  =)

 I know this is way OT, but I can't let it pass. The lemming suicide myth 
 was created by a very questionable Walt Disney documentary:

This is also way OT, but I was actually thinking more of Lemmings(TM),
the video game, as I am not really very familiar with rodents.

We've already got sixxs and hurricane electric set as tunnel lemmings,
we can get through the IPv4 address shortfall by setting a variety of
other ISP's to explode and build bridges...

The only thing to iron out is:  Who gets to be (golden) parachute
lemmings?

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?  https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins        If you don't do it right the first time,
Software Engineer       you'll just have to do it again.
Internet Systems Consortium, Inc.   -- Jack T. Hankins




Re: Another driver for v6?

2008-10-31 Thread Jeroen Massar
David W. Hankins wrote:
 On Fri, Oct 31, 2008 at 10:41:01AM -0600, Mike Lewinski wrote:
 This is a sound evolutionary tactic lemmings use.  =)
 I know this is way OT, but I can't let it pass. The lemming suicide myth 
 was created by a very questionable Walt Disney documentary:
 
 This is also way OT, but I was actually thinking more of Lemmings(TM),
 the video game, as I am not really very familiar with rodents.
 
 We've already got sixxs and hurricane electric set as tunnel lemmings,
 we can get through the IPv4 address shortfall by setting a variety of
 other ISP's to explode and build bridges...

For the end-users who use those services, I am pretty sure it is more
the user playing the game (aka the services providing guidance), than
being the lemmings who just keep on running and commit suicide (aka the
networks who are not moving, getting experience and doing something).

Greets,
 Jeroen
  (Who still ranks Lemmings(tm) as one of the top games ever,
   simple and way too much fun, Amiga Lemmings X-mas special anyone? :) )





Re: Another driver for v6?

2008-10-31 Thread HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP
ever heard of the concept open market

ipv4 address space delegations will just move from the rirs to places like
ebay, problem solved.

most of it is unused anyway (milnet, amateur radio ranges, etc)

-- 
HRH Sven Olaf Prinz von CyberBunker-Kamphuis, MP.

Minister of Telecommunications, Republic CyberBunker.

Phone: +49/163-4405069
Phone: +49/30-36731425
Skype: CB3ROB
MSN:   [EMAIL PROTECTED]
C.V.:  http://www.linkedin.com/in/cb3rob


On Fri, 31 Oct 2008, Jeroen Massar wrote:

 David W. Hankins wrote:
  On Fri, Oct 31, 2008 at 10:41:01AM -0600, Mike Lewinski wrote:
  This is a sound evolutionary tactic lemmings use.  =)
  I know this is way OT, but I can't let it pass. The lemming suicide myth
  was created by a very questionable Walt Disney documentary:
 
  This is also way OT, but I was actually thinking more of Lemmings(TM),
  the video game, as I am not really very familiar with rodents.
 
  We've already got sixxs and hurricane electric set as tunnel lemmings,
  we can get through the IPv4 address shortfall by setting a variety of
  other ISP's to explode and build bridges...

 For the end-users who use those services, I am pretty sure it is more
 the user playing the game (aka the services providing guidance), than
 being the lemmings who just keep on running and commit suicide (aka the
 networks who are not moving, getting experience and doing something).

 Greets,
  Jeroen
   (Who still ranks Lemmings(tm) as one of the top games ever,
simple and way too much fun, Amiga Lemmings X-mas special anyone? :) )





Re: Another driver for v6?

2008-10-30 Thread Mikael Abrahamsson

On Wed, 29 Oct 2008, David W. Hankins wrote:


On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if it's just for internal usage?


It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN).  At


Could you please elaborate on this point? My data presented
http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html indicates 
that there are very very few (the longer I collected the data, the better 
the ratio got) who cannot properly fetch a resource that has A/AAAA.



this point, I'd say people are still trying to figure out how clients
will migrate to IPv6.  Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.


6to4 and Teredo traffic is increasing very rapidly, so that seems to be 
one path taken right now:


http://ipv6.tele2.net/mrtg/total.html

(We have all our IPv6 related stats and info on http://ipv6.tele2.net/)

But yes, how to get native to residential users is still not hammered out.

And of course you need to run your own dog food on internal LANs 
before you start telling customers these IPv6 address thingies are 
useful.


Quite, I think OSS/BSS is going to be a bigger challenge than actually 
moving the IPv6 packets.



IPv6: It's kind of like storing dry food in preparation for the
 apocalypse.


If you actually KNOW the apocalypse is coming (but not when), this is 
correct.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]



RE: Another driver for v6?

2008-10-30 Thread michael.dillon
 Does anyone see any benefits to beginning a small deployment 
 of IPv6 now even if it's just for internal usage?

According to http://www.getipv6.info/index.php/First_Steps_for_ISPs
you should deploy some IPv6 transition technology to make sure that 
your network does not cause problems for the growing number of your
customers who are already using IPv6.

Of course, getting up to speed on IPv6 is also a worthy goal
especially since it enables you to move much more quickly if
IPv6 takes off suddenly.

--Michael Dillon



Re: Another driver for v6?

2008-10-30 Thread Matthew Ford

On 30/10/08 07:10, Mikael Abrahamsson wrote:

On Wed, 29 Oct 2008, David W. Hankins wrote:


On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if it's just for internal usage?


It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN).  At


Could you please elaborate on this point? My data presented
http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html indicates 
that there are very very few (the longer I collected the data, the 
better the ratio got) who cannot properly fetch a resource that has A/AAAA.


Your stats (which are very interesting btw, thanks for doing the work) 
suggest that the number of clients that would make use of the AAAA 
record for a dual-stack service is about the same as the number of 
clients that would fail in the event that both A and AAAA were present. 
That's not exactly an incentive to content providers is it?



IPv6: It's kind of like storing dry food in preparation for the
 apocalypse.


If you actually KNOW the apocalypse is coming (but not when), this is 
correct.


The end is nigh - http://penrose.uk6x.com/


Mat




RE: Another driver for v6?

2008-10-30 Thread michael.dillon
 It is almost lunacy to deploy IPv6 in a customer-facing sense 
 (note for example Google's choice to put its AAAA on a 
 separate FQDN). 

If you're going to use emotionally charged language then
don't shoot yourself in the foot by using such an
illogical and contrary example.

Google is a very big network-oriented company and they
have indeed deployed IPv6 in a customer-facing sense.
To follow in their footsteps is not lunacy.
They have shown that when you have a large distributed
load-sharing platform, it is perfectly safe to deploy
IPv6 as an alternate service entry point, in the same 
way that they have mail.google.com and docs.google as
separate service entry points.

Most people who are urging ISPs to deploy IPv6 are not
telling them to do stupid things like run out and add
AAAA records to all their domain names. We are telling
people to trial and test IPv6 in the lab, and then roll
out specific targeted IPv6 services like a 6to4 relay.
Above all, don't be a lunatic, and do educate yourself
and your staff before you make a move. IPv6 deployment
is not a greenfield deployment so you have to weave it
into the fabric of your own unique network architecture.
That requires understanding of IPv6 which you can only 
get by trying it out yourself in your lab environment.

 At this point, I'd say people are still 
 trying to figure out how clients will migrate to IPv6.  

That is a pretty dumb thing to do. Clients have already
migrated to IPv6 years ago using the technology given
to them by Apple, Microsoft and the free UNIXes. 
Job 1 is to support those clients. Job 2 is to figure
out how you can deploy IPv6 at your network edge in 
such a way that you can grow the edge without consuming
IPv4 addresses. For many small and mid-size ISPs, Job 2
does not involve anything to do with the customer's modem
device because you don't have the kind of relationship
with modem vendors to influence their product development.
So focus on your own network edge, not on your customers'
network edges.

 It is at this time more a question of strategic positioning.  
 The kind of thing your boss should be thinking about.

Bosses really appreciate well-reasoned white papers with
a clear and straightforward management summary on the first
page. Do you have the information and understanding of IPv6
in order to write such a white paper?

 Switching your management network to IPv6 single-stack

This may actually be the last and toughest thing that ISPs
do because of the variety of software and stuff in the
management network.

--Michael Dillon



Re: Another driver for v6?

2008-10-30 Thread Mikael Abrahamsson

On Thu, 30 Oct 2008, Matthew Ford wrote:

Your stats (which are very interesting btw, thanks for doing the work) 
suggest that the number of clients that would make use of the AAAA 
record for a dual-stack service is about the same as the number of 
clients that would fail in the event that both A and AAAA were present. 
That's not exactly an incentive to content providers is it?


The last couple of days the ratio went down to less than 0.3% who would 
potentially get in trouble (factor is most likely less as the measurement 
method penalises later objects).


But yes, there is absolutely no upside to deploying IPv6 for content 
providers in the short term. It's like Y2K, there was NO upside to fixing 
it until December 31 1999.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]



Re: Another driver for v6?

2008-10-30 Thread Andy Davidson


On 30 Oct 2008, at 15:47, David W. Hankins wrote:


If someone can't reach the hypothetical A/AAAA www.google.com RRset,
you've just increased your support costs.  My network is slow.
Are you using IPv4 or IPv6? Netscape.


Do you think that industry should be working to some kind of well  
supported / worldwide flag day when lots of popular resources add v6  
records at the same time ?


In the same way that in the UK, appliance manufacturers have been  
educating people about the analogue terrestrial TV switchoff by 2012,  
do you think that we should be advocating a 'internet PLUS day' some  
time in (date plucked from the air) 2014 ?


-a



RE: Another driver for v6?

2008-10-30 Thread michael.dillon
 In the same way that in the UK, appliance manufacturers have 
 been educating people about the analogue terrestrial TV 
 switchoff by 2012, do you think that we should be advocating 
 a 'internet PLUS day' some time in (date plucked from the air) 2014 ?

Actually, the Internet PLUS day should be tied to some other event,
say the London 2012 Olympics. That would be a kind of launch event
for a lot of people to make IPv6 services available. Then, a few years
after this, we could have an Internet version 4 eulogy event and
get a lot of ISPs to shut off legacy IPv4 services. That would have
to be 2016 or later and it wouldn't be like the analog TV shutoff,
because it would not be a 100% shutoff.

I think that technical people underestimate the impact that this
type of an event can provide. While we want to avoid being forced
into a flag-day switchover, that does not mean that a flag day is
all bad. We could have the Internet PLUS flag day in order to
raise awareness and give ISPs a target to shoot for.

--Michael Dillon
 



Re: Another driver for v6?

2008-10-30 Thread Michael Thomas

[EMAIL PROTECTED] wrote:

I think that technical people underestimate the impact that this
type of an event can provide. While we want to avoid being forced
into a flag-day switchover, that does not mean that a flag day is
all bad. We could have the Internet PLUS flag day in order to
raise awareness and give ISPs a target to shoot for.
  


This new internet is brought to you by Pepsi: the choice a new version!

or maybe

IPv6 tastes good, like an Internet should

or, oh never mind :)

  Mike

--Michael Dillon
 
  





Re: Another driver for v6?

2008-10-30 Thread Mikael Abrahamsson

On Thu, 30 Oct 2008, David W. Hankins wrote:

I don't know how to ask this question without sounding mean, but did the 
graph spike out of zero, or did you start collecting two months ago?


It spiked out of zero as we put up our 6to4 and teredo relays approx two 
months ago. I don't know where the traffic was before, probably at other 
people's 6to4 relays.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]



Re: Another driver for v6?

2008-10-30 Thread Valdis . Kletnieks
On Thu, 30 Oct 2008 15:55:01 -, Andy Davidson said:

 In the same way that in the UK, appliance manufacturers have been  
 educating people about the analogue terrestrial TV switchoff by 2012,

Is your side of the pond any more ready than our side is for next February's
drop-dead cutoff?




Re: Another driver for v6?

2008-10-29 Thread Mikael Abrahamsson

On Tue, 28 Oct 2008, Steven M. Bellovin wrote:


Windows 7 will have a cool feature called DirectAccess that requires
deploying IPv6 and IPsec.  I know nothing more of this feature than is
in the article, but if accurate it may create a client-centric demand
for v6, i.e., desirable new functionality that isn't available on v4.


Microsoft has been at at least two events I've attended and done 
presentations about a strategy that sounds like what you're talking about.


They claim they will deploy IPv6 in their worldwide enterprise network, do 
away with central based enterprise firewalls and do host-to-host 
IPv6+IPSEC, Active Directory based certificates for authentication.


They indicate this as a strategy to do away with VPN clients, so in order 
to reach your work resources from home you'd need to have some kind of 
IPv6 connectivity, tunneled or not. You'd then connect to all resources 
using IPv6 totally transparently to you. All security would be host based.


I am quite impressed by this strategy as it re-implements the end-to-end 
principle of the Internet that most of us appreciate. I also bought their 
claim about much improved security and their 5 year long track of no 
remote exploits like Slammer, when they had to release their emergency 
patch for that RPC based remote exploit the other week, which kind of 
broke their streak... :P


Let's hope they can sell this to all the enterprise guys, as I am very 
tired of all the problems caused by multiple layers of NATs and PAT.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]



Re: Another driver for v6?

2008-10-29 Thread Brandon Butterworth
 They claim they will deploy IPv6 in their worldwide enterprise network, do 
 away with central based enterprise firewalls and do host-to-host 
 IPv6+IPSEC, Active Directory based certificates for authentication.

That's why we end up breaking end to end, to cover up for stuff that
exposes more than people are comfortable with

 All security would be host based.

Right, the last thing to trust based on experience so far

First they need to get rid of all the bots and other
malware before hosts can be trusted.

 as I am very tired of all the problems caused by multiple
 layers of NATs and PAT.

Likewise but more because people keep designing stuff to try and force
others to get rid of them, ignoring why they have them.

brandon



Re: Another driver for v6?

2008-10-29 Thread Jack Bates

Brandon Butterworth wrote:

as I am very tired of all the problems caused by multiple
layers of NATs and PAT.


Likewise but more because people keep designing stuff to try and force
others to get rid of them, ignoring why they have them.


A false sense of security? The belief that hiding behind a single IP might 
disguise how many hosts you have, which in turn might provide some form of 
hidden security?


Inside the network, host to host security is what should be. This can assist in 
some protection against bots that do make it to the network, or internal 
maliciousness. Security from within has always been overlooked by many, and yet 
it is the employees who provide the largest security risk.


Stateful firewalls will not be going away entirely, but they can track state and 
perform proxy services without performing address translation. It just scares 
people because of their false belief that translating an address shows that 
security is working. If stateful monitoring/proxying/limiting is not in working, 
the address translation doesn't really matter.


NAT has had its uses, but it's lazy and a false sense of overall security. I do 
think Microsoft is crazy if they think the need for VPN will disappear, unless 
they have another method for the stateful firewalls to snoop, monitor, and alter 
the IPSEC host to host packets (which isn't entirely impossible).



Jack Bates



Re: Another driver for v6?

2008-10-29 Thread Joe Maimon



Mikael Abrahamsson wrote:

On Tue, 28 Oct 2008, Steven M. Bellovin wrote:



They claim they will deploy IPv6 in their worldwide enterprise network, 
do away with central based enterprise firewalls and do host-to-host 
IPv6+IPSEC, Active Directory based certificates for authentication.


You know that windows 2000 was released with this functionality. It's 
nothing new and it is not ipv6 specific.


Who is using it precisely?




Re: Another driver for v6?

2008-10-29 Thread Bruce Curtis


On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:




Mikael Abrahamsson wrote:

On Tue, 28 Oct 2008, Steven M. Bellovin wrote:


They claim they will deploy IPv6 in their worldwide enterprise  
network, do away with central based enterprise firewalls and do  
host-to-host IPv6+IPSEC, Active Directory based certificates for  
authentication.


You know that windows 2000 was released with this functionality. It's  
nothing new and it is not ipv6 specific.


Who is using it precisely?


  Microsoft, on 200,000 computers at the time of the paper below.

  http://technet.microsoft.com/en-us/library/bb735174.aspx

  We have a couple of departments using IPsec here and one more  
seriously looking at it.  (Mainly a matter of finding time to test and  
implement.)


Plus there are at least a couple of other Universities.

http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258LanguageID=1

https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205LanguageID=1

  And I see a City has been added to the list.

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=400161



http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf


---
Bruce Curtis [EMAIL PROTECTED]
Certified NetAnalyst II    701-231-8527
North Dakota State University




Re: Another driver for v6?

2008-10-29 Thread Steven King
Kind of a side question but we have not implemented IPv6 in our network
yet, nor have we made any plans to do this in the near future. Our
management does not see a need for it as our customer base is not
requesting it at this time.

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if it's just for internal usage?

Bruce Curtis wrote:

 On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:



 Mikael Abrahamsson wrote:
 On Tue, 28 Oct 2008, Steven M. Bellovin wrote:

 They claim they will deploy IPv6 in their worldwide enterprise
 network, do away with central based enterprise firewalls and do
 host-to-host IPv6+IPSEC, Active Directory based certificates for
 authentication.

 You know that windows 2000 was released with this functionality. It's
 nothing new and it is not ipv6 specific.

 Who is using it precisely?

   Microsoft, on 200,000 computers at the time of the paper below.

   http://technet.microsoft.com/en-us/library/bb735174.aspx

   We have a couple of departments using IPsec here and one more
 seriously looking at it.  (Mainly a matter of finding time to test and
 implement.)

 Plus there are at least a couple of other Universities.

 http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258LanguageID=1


 https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205LanguageID=1


   And I see a City has been added to the list.

 http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=400161




 http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf


 ---
 Bruce Curtis [EMAIL PROTECTED]
 Certified NetAnalyst II    701-231-8527
 North Dakota State University



-- 
Steve King

Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional




Re: Another driver for v6?

2008-10-29 Thread Nathan Ward

On 30/10/2008, at 11:32 AM, Steven King wrote:

Kind of a side question but we have not implemented IPv6 in our network
yet, nor have we made any plans to do this in the near future. Our
management does not see a need for it as our customer base is not
requesting it at this time.

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if it's just for internal usage?


Do your customers ask for IPv4, or do they just connect to the
Internet as you tell them?
Your customers are never going to ask, unless they have some
propeller-head who wants to be on the latest version of the Internet.


If you tell them that you're giving them IPv6 service, you'll find
they start using it, and they'll ask other providers for it when
re-evaluating their service providers, and decide to stick with you as
you're forward looking and all that stuff.


I'm so over this chicken/egg thing it's not even funny, just do it  
already. Well, if you don't it's no problem I suppose, your users are  
automatically tunnelling across you already.


If you're only thinking about doing a small IPv6 deployment now,  
you're behind the curve.


--
Nathan Ward
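
An added example, not part of the original thread: the messages above note that 6to4 and Teredo traffic is growing and that users are "automatically tunnelling across you already". This sketch classifies logged client addresses by transition mechanism and recovers the IPv4 address embedded in 6to4 (2002::/16) and Teredo (2001::/32) addresses, so an operator can see which tunnel users sit inside their own IPv4 ranges. The sample addresses and `CUSTOMER_NETS` are constructed from documentation ranges and are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample input: source addresses as a web server or flow
# collector might log them. All values use documentation ranges.
SAMPLE_CLIENTS = [
    "2002:c000:204::1",                     # 6to4, embeds 192.0.2.4
    "2001:0:c000:201:8000:63bf:34ff:8ef6",  # Teredo, client 203.0.113.9
    "2001:db8:1::25",                       # stands in for native IPv6
    "198.51.100.7",                         # plain IPv4
    "::ffff:203.0.113.9",                   # IPv4-mapped socket address
    "not-an-address",                       # malformed log field
]

# Assumption: the operator's own customer IPv4 ranges (hypothetical).
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def classify(text):
    """Return (kind, embedded_ipv4_or_None) for one logged address string."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return ("invalid", None)
    if addr.version == 4:
        return ("ipv4", addr)
    if addr.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket.
        return ("ipv4-mapped", addr.ipv4_mapped)
    if addr.sixtofour is not None:
        # 2002:AABB:CCDD::/48 carries the 6to4 router's IPv4 address.
        return ("6to4", addr.sixtofour)
    if addr.teredo is not None:
        # 2001:0::/32: the last 32 bits are the client's external (NAT)
        # IPv4 address with every bit inverted; ipaddress undoes that.
        _server, client = addr.teredo
        return ("teredo", client)
    return ("native-ipv6", None)


def summarize(clients):
    """Count clients per access mechanism."""
    return Counter(classify(c)[0] for c in clients)


def tunnelled_customers(clients, customer_nets):
    """Tunnel users whose embedded IPv4 address lies in our own ranges."""
    hits = []
    for c in clients:
        kind, v4 = classify(c)
        if kind in ("6to4", "teredo") and any(v4 in n for n in customer_nets):
            hits.append((c, kind, str(v4)))
    return hits


if __name__ == "__main__":
    for kind, count in sorted(summarize(SAMPLE_CLIENTS).items()):
        print(f"{kind:12} {count}")
    for row in tunnelled_customers(SAMPLE_CLIENTS, CUSTOMER_NETS):
        print("own customer via tunnel:", row)
```

For Teredo the recovered address is the public side of the client's NAT, so it identifies the access network rather than an individual host.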







Re: Another driver for v6?

2008-10-29 Thread isabel dias
question - beginning a small deployment of IPv6 now
even if it's just for internal usage


Sure! There are plenty of reasons. Most obvious one is to feel 
comfortable about ipv6






  



Re: Another driver for v6?

2008-10-29 Thread Steven King
I personally agree with that. Now only if I can convince our management
to start work on that.

isabel dias wrote:
 question - beginning a small deployment of IPv6 now
 even if it's just for internal usage


 Sure! There are plenty of reasons. Most obvious one is to feel 
 comfortable about ipv6




 


   
   

-- 
Steve King

Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional




Re: Another driver for v6?

2008-10-29 Thread Nathan Ward

On 30/10/2008, at 11:48 AM, Steven King wrote:

I personally agree with that. Now only if I can convince our
management to start work on that.

isabel dias wrote:

question - beginning a small deployment of IPv6 now
even if it's just for internal usage

Sure! there are plenty of reasons. Most obvious one is to
feel comfortable about ipv6





Another related good reason is so that in 18 months when they decide  
they need it done last week, contractors like myself don't charge you  
through the nose to implement it because management wouldn't let you  
guys skill up on a test network now. That makes it a monetary thing,  
something they understand better perhaps..


Yep, this post is going against my best instincts.

--
Nathan Ward







Re: Another driver for v6?

2008-10-29 Thread David W. Hankins
On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
 Does anyone see any benefits to beginning a small deployment of IPv6 now
 even if it's just for internal usage?

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN).  At
this point, I'd say people are still trying to figure out how clients
will migrate to IPv6.  Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.


It is at this time more a question of strategic positioning.  The
kind of thing your boss should be thinking about.

Switching your management network to IPv6 single-stack frees up
IPv4 addresses (depending on how big your management network is)
to use in customer-facing areas, which gives your network longer
legs in the projected IPv4 address shortfall.  If you get really
pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
giving you another handful of precious moneymaking IPv4 addresses.

Having your backbone and servers AAAA'd (even on separate FQDN's),
tested, and ready to go puts you ahead of the curve if clients start
rolling out (you can just move your AAAA's around).

Starting now on collecting IPv6 peering wherever you peer puts you
ahead of the curve in the quality of your network's connectedness,
again presuming this IPv6 thing takes off.

And of course you need to run your own dog food on internal LANs
before you start telling customers these IPv6 address thingies are
useful.


IPv6: It's kind of like storing dry food in preparation for the
  apocalypse.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?  https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins                    If you don't do it right the first time,
Software Engineer                   you'll just have to do it again.
Internet Systems Consortium, Inc.   -- Jack T. Hankins




Re: Another driver for v6?

2008-10-29 Thread Steven M. Bellovin
On Wed, 29 Oct 2008 16:29:40 -0700
David W. Hankins [EMAIL PROTECTED] wrote:

 On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
  Does anyone see any benefits to beginning a small deployment of
  IPv6 now even if it's just for internal usage?
 
 It is almost lunacy to deploy IPv6 in a customer-facing sense (note
 for example Google's choice to put its AAAA on a separate FQDN).  At
 this point, I'd say people are still trying to figure out how clients
 will migrate to IPv6.  Which seems like a pretty bad time to still be
 trying to figure that out, but ohwell.
 
Once, after hearing Vint Cerf give a cheerleading talk for v6, I asked
why google.com didn't have a AAAA record.  He just groaned -- but of
course I knew the answer just as well as he did.
 
 It is at this time more a question of strategic positioning.  The
 kind of thing your boss should be thinking about.
 
 Switching your management network to IPv6 single-stack frees up
 IPv4 addresses (depending on how big your management network is)
 to use in customer-facing areas, which gives your network longer
 legs in the projected IPv4 address shortfall.  If you get really
 pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
 giving you another handful of precious moneymaking IPv4 addresses.
 
 Having your backbone and servers AAAA'd (even on separate FQDN's),
 tested, and ready to go puts you ahead of the curve if clients start
 rolling out (you can just move your AAAA's around).
 
 Starting now on collecting IPv6 peering wherever you peer puts you
 ahead of the curve in the quality of your network's connectedness,
 again presuming this IPv6 thing takes off.
 
 And of course you need to run your own dog food on internal LANs
 before you start telling customers these IPv6 address thingies are
 useful.

 
 IPv6: It's kind of like storing dry food in preparation for the
   apocalypse.
 
I'd rate the probability of v6 as rather higher...

More seriously -- you need to get experience with it, and you need to
at least understand where your internal support systems and databases
have v4-only wired in.  I'm not saying that substantial, real-world
demand for v6 is imminent or even certain (although frankly, I regard
it as more likely than not).  I am saying that the probability of it is
high enough that preparation is simply ordinary prudence.

I posted the story link because for the first time since v6 was real,
there's a *feature* that people will want that relies on it.  Never
mind lots of addresses; you can't easily sell that to management.  But
something that will make security management easier and cheaper -- you
may be able to avoid triangle routing, with the consequent need for
bigger pipes -- is a story they'll understand.  You want to be ready to
serve those customers.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
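
A first pass at the inventory suggested above, finding where internal support systems and databases have v4-only wired in, can be a plain text audit of source and schema files. This is an added example, not part of the original thread; the pattern list, the column-naming convention and both sample inputs are assumptions constructed for illustration.

```python
import re

# Heuristic signatures of hard-wired IPv4 (an assumed, non-exhaustive set).
CODE_PATTERNS = [
    ("IPv4-only resolver or conversion call",
     re.compile(r"\b(gethostbyname|gethostbyaddr|inet_aton|inet_ntoa|inet_addr)\s*\(")),
    ("socket family fixed to AF_INET", re.compile(r"\bAF_INET\b")),
    ("IPv4-only sockaddr_in structure", re.compile(r"\bsockaddr_in\b")),
]
# Column names such as ip, mgmt_ip, loopback_addr, ip_address (naming is assumed).
_COL = r"\b(?:\w*_)?(?:ip|addr|address)(?:_\w*)?\s+"
CHAR_COLUMN = re.compile(_COL + r"(?:VAR)?CHAR\s*\(\s*(\d+)\s*\)", re.I)
INT_COLUMN = re.compile(_COL + r"(?:BIG)?INT(?:EGER)?\b", re.I)
IPV6_TEXT_MAX = 39  # 8 groups of 4 hex digits plus 7 colons

def find_v4_assumptions(name, text):
    """Return (source, line_no, reason) for each line that looks v4-only."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for reason, rx in CODE_PATTERNS:
            if rx.search(line):
                findings.append((name, no, reason))
        m = CHAR_COLUMN.search(line)
        if m and int(m.group(1)) < IPV6_TEXT_MAX:
            findings.append((name, no, f"text column of {m.group(1)} chars cannot hold IPv6"))
        if INT_COLUMN.search(line):
            findings.append((name, no, "integer column cannot hold a 128-bit address"))
    return findings

# Constructed samples, not taken from any real system.
SAMPLE_C = """struct sockaddr_in sa;
int s = socket(AF_INET, SOCK_STREAM, 0);
struct hostent *h = gethostbyname(host);
int s6 = socket(AF_INET6, SOCK_STREAM, 0);
"""
SAMPLE_SQL = """CREATE TABLE customer_cpe (
  hostname VARCHAR(64),
  description VARCHAR(15),
  mgmt_ip VARCHAR(15),
  loopback_addr INT UNSIGNED,
  v6_ready_addr VARCHAR(45)
);
"""

if __name__ == "__main__":
    for src, txt in (("poller.c", SAMPLE_C), ("inventory.sql", SAMPLE_SQL)):
        for finding in find_v4_assumptions(src, txt):
            print("%s:%d: %s" % finding)
```

Hits are leads for review rather than proof: a matching line may sit beside a v6 code path, and v4-only logic in forms, ACL generators or log parsers will not match these patterns at all.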

