Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-27 Thread Owen DeLong
On Mar 26, 2014, at 4:25 PM, Luke S. Crawford l...@prgmr.com wrote: On 03/26/2014 03:49 PM, Matt Palmer wrote: On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote: There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-27 Thread Owen DeLong
On Mar 26, 2014, at 5:50 PM, Chuck Anderson c...@wpi.edu wrote: On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote: On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote: My original comment and complaint, though, was in response to the assertion that DHCPv6 is as

Re: misunderstanding scale

2014-03-27 Thread Matthias Leisi
On Thu, Mar 27, 2014 at 6:17 AM, Owen DeLong o...@delong.com wrote: It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it. Then the spammers will grab

Re: misunderstanding scale

2014-03-27 Thread Chip Marshall
On 2014-03-26, Owen DeLong o...@delong.com sent: Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat. Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-27 Thread Luke S. Crawford
On 03/26/2014 11:14 PM, Owen DeLong wrote: Why not just use private VLAN layer 2 controls for the privacy you describe? The technology I know of is what cisco calls 'protected ports' - My understanding is that those simply mean you can't pass traffic to or from other 'protected ports' - I

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-27 Thread Luke S. Crawford
It might make sense to just give everyone their own vlan and their own /64; that would, of course, bring its own problems and complexities (namely that I've gotta have the capability to deal with more customers than I can have native vlans - not impossible to get around, but significant

Re: misunderstanding scale

2014-03-27 Thread Barry Shein
On March 26, 2014 at 22:17 o...@delong.com (Owen DeLong) wrote: Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat. Hang on, do spammers grab address blocks? Ok, I'm sure it happens, this is not an existence proof. But is that really a significant characterization of

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-27 Thread Jack Bates
On 3/27/2014 12:19 PM, Luke S. Crawford wrote: This is a very common problem for dedicated hosting providers (and why I give my dedicated hosts a vlan and a routed subnet, wasting IPv4.) Implement what some DSL access providers do. Unnumbered interfaces with /32 routing to the vlan. The

Re: misunderstanding scale

2014-03-26 Thread Matthias Leisi
On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong o...@delong.com wrote: OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to

Re: misunderstanding scale, SMTP edition

2014-03-26 Thread John Levine
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list. Sometimes scale is everything. host-based

Re: misunderstanding scale

2014-03-26 Thread John Levine
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it. Sigh. See previous note on why aggregating on /64 won't work. This would also reduce the risks from

Re: misunderstanding scale, SMTP edition

2014-03-26 Thread Jack Bates
On 3/26/2014 12:09 PM, John Levine wrote: OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.

Re: misunderstanding scale, SMTP edition

2014-03-26 Thread Lamar Owen
On 03/26/2014 01:09 PM, John Levine wrote: Quite right. If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent. R's, John Week before last I saw this in great detail, with nearly 100,000 messages sent to our users per day

Re: misunderstanding scale, SMTP edition

2014-03-26 Thread Tony Finch
John Levine jo...@iecc.com wrote: If I were a spammer or an ESP who wanted to listwash, I could easily use a different IP address for every single message I sent. Until mail servers start rate-limiting the number of different addresses that are used :-) You can do something like the following

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Luke S. Crawford
On 03/24/2014 06:18 PM, Owen DeLong wrote: DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues. This depends a lot on what you mean by 'robust' Now, I have dealt with NAT, and I see IPv6 as a technology with the potential to make my life less

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Jack Bates
On 3/26/2014 12:55 PM, Luke S. Crawford wrote: However, DHCPv6 isn't anywhere near as useful for me, as someone who normally deals with IPs that don't change, as DHCPv4 is. My favorite is the RA thing. Years ago I decided that stupid DSLAMs were better than smart ones, so I generally

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Mohacsi Janos
On Wed, 26 Mar 2014, Luke S. Crawford wrote: On 03/24/2014 06:18 PM, Owen DeLong wrote: DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues. This depends a lot on what you mean by 'robust' Now, I have dealt with NAT, and I see IPv6 as a

RE: misunderstanding scale

2014-03-26 Thread Naslund, Steve
If you can figure out how to store an address and a mask you can have any size entry you want. Just like a routing table. This is not insurmountable. Steven Naslund Chicago IL OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion
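The point made in several of the messages above (keep reputation entries as an address plus a mask like a routing-table entry, aggregate /128 sightings into the /64 or the /48, and rate-limit senders that cycle through addresses inside one block) as an added worked example. This is not code from the thread or from any RBL operator; the prefix lengths and the thresholds are illustrative assumptions, and the sample addresses are constructed.

```python
# Added example (not from the thread): a prefix-keyed IPv6 sender-reputation store.
# Entries are kept as address+mask, like routing-table entries, and looked up by
# longest match (/128, then /64, then /48). A sender that cycles through many
# addresses inside one /64 gets the whole /64 listed; once enough /64s inside a
# /48 are listed, the /48 is listed. The thresholds are illustrative assumptions.
from __future__ import annotations

from collections import defaultdict
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Optional

# Longest match first, as a FIB lookup would.
LOOKUP_LENGTHS = (128, 64, 48)


def covering(addr: IPv6Address, plen: int) -> IPv6Network:
    """The plen-length prefix containing addr, host bits zeroed."""
    return ip_network(f"{addr}/{plen}", strict=False)


class PrefixReputation:
    def __init__(self, max_addrs_per_64: int = 8, max_64s_per_48: int = 16) -> None:
        self.listed: set = set()            # IPv6Network objects of length 128/64/48
        self.seen: dict = defaultdict(set)  # /64 -> distinct /128s seen sending
        self.max_addrs_per_64 = max_addrs_per_64
        self.max_64s_per_48 = max_64s_per_48

    @staticmethod
    def _parse(addr: str) -> IPv6Address:
        a = ip_address(addr)
        if a.version != 6:
            raise ValueError(f"IPv6 address expected: {addr}")
        return a

    def list_prefix(self, prefix: str) -> None:
        """Add a manual entry of any supported length (e.g. '2001:db8:1::/48')."""
        net = ip_network(prefix, strict=False)
        if net.version != 6 or net.prefixlen not in LOOKUP_LENGTHS:
            raise ValueError(f"unsupported prefix: {prefix}")
        self.listed.add(net)

    def lookup(self, addr: str) -> Optional[IPv6Network]:
        """Most specific listed prefix covering addr, or None if not listed."""
        a = self._parse(addr)
        for plen in LOOKUP_LENGTHS:
            net = covering(a, plen)
            if net in self.listed:
                return net
        return None

    def observe(self, addr: str) -> Optional[IPv6Network]:
        """Record one sending address. Returns the prefix this observation newly
        listed (the /64, or the /48 if it rolled up), else None."""
        a = self._parse(addr)
        net64 = covering(a, 64)
        self.seen[net64].add(a)
        if len(self.seen[net64]) <= self.max_addrs_per_64:
            return None
        newly = None
        if net64 not in self.listed:
            self.listed.add(net64)
            newly = net64
        net48 = covering(a, 48)
        if net48 not in self.listed:
            listed_64s = sum(1 for n in self.listed
                             if n.prefixlen == 64 and n.subnet_of(net48))
            if listed_64s >= self.max_64s_per_48:
                self.listed.add(net48)
                newly = net48
        return newly


if __name__ == "__main__":
    # Constructed sample: one listwashing sender rotating through a /64.
    rep = PrefixReputation(max_addrs_per_64=3, max_64s_per_48=2)
    for iid in ("1", "2", "3", "4"):
        hit = rep.observe(f"2001:db8:9:a::{iid}")
        print("2001:db8:9:a::" + iid, "->", hit)
    print(rep.lookup("2001:db8:9:a:dead:beef::1"))
```

The store holds one entry per listed block regardless of how many /128s the sender used, which is the "address and a mask" point; the per-/64 set of seen addresses is the part that would need expiry in a real deployment, since it is what grows with the sender's rotation rather than with your list.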

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Matt Palmer
On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote: There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random addresses will trip my BCP38 filters. Your

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Luke S. Crawford
On 03/26/2014 03:49 PM, Matt Palmer wrote: On Wed, Mar 26, 2014 at 10:55:03AM -0700, Luke S. Crawford wrote: There are many ways to skin this cat; stateless autoconfig looks like it mostly works, but privacy extensions seem to be the default in many places; outgoing IPv6 from those random

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Timothy Morizot
On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote: My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role that DHCPv4 fills, if you care about tying an IP to a MAC and you want

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Chuck Anderson
On Wed, Mar 26, 2014 at 06:52:53PM -0500, Timothy Morizot wrote: On Mar 26, 2014 6:27 PM, Luke S. Crawford l...@prgmr.com wrote: My original comment and complaint, though, was in response to the assertion that DHCPv6 is as robust as DHCPv4. My point is that DHCPv6 does not fill the role

Re: misunderstanding scale

2014-03-26 Thread Owen DeLong
On Mar 26, 2014, at 3:18 AM, Matthias Leisi matth...@leisi.net wrote: On Wed, Mar 26, 2014 at 6:31 AM, Owen DeLong o...@delong.com wrote: OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there's not a computer on

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-26 Thread Owen DeLong
On Mar 26, 2014, at 10:55 AM, Luke S. Crawford l...@prgmr.com wrote: On 03/24/2014 06:18 PM, Owen DeLong wrote: DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues. This depends a lot on what you mean by 'robust' Now, I have dealt with NAT,

Re: misunderstanding scale

2014-03-25 Thread Owen DeLong
On Mar 24, 2014, at 8:52 PM, George Herbert george.herb...@gmail.com wrote: On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong o...@delong.com wrote: On Mar 24, 2014, at 9:21 AM, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com

Re: misunderstanding scale

2014-03-25 Thread Mark Andrews
In message 7b6af6e9-905a-4d14-b54f-8f244afcf...@delong.com, Owen DeLong writes: On Mar 24, 2014, at 8:52 PM, George Herbert george.herb...@gmail.com wrote: On Mon, Mar 24, 2014 at 8:02 PM, Owen DeLong o...@delong.com wrote: On Mar 24, 2014, at 9:21 AM, William Herrin

Re: misunderstanding scale

2014-03-25 Thread Owen DeLong
On Mar 24, 2014, at 10:12 PM, Alexander Lopez alex.lo...@opsys.com wrote: On Mar 24, 2014, at 9:36 AM, Alexander Lopez alex.lo...@opsys.com wrote: not to mention the cost in readdressing your entire network when you change an upstream provider. Nat was a fix to a problem of lack of

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-25 Thread TJ
On Mon, Mar 24, 2014 at 9:12 PM, Bob Evans b...@fiberinternetcenter.com wrote: Thus far, IPv6 has been the Field of Dreams those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is when will they come. I know the

Re: misunderstanding scale

2014-03-25 Thread Jimmy Hess
On Sun, Mar 23, 2014 at 10:07 PM, Naslund, Steve snasl...@medline.com wrote: As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument. It does not change in v4 or v6. Printers are not merely attack vectors; they are targets. It only makes

Re: misunderstanding scale

2014-03-25 Thread Lee Howard
On 3/24/14 2:38 PM, William Herrin b...@herrin.us wrote: On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard l...@asgard.org wrote: On 3/24/14 1:37 PM, William Herrin b...@herrin.us wrote: That would be one of those details on which smart people disagree. In this case, I think you're wrong. Modern NAT

Re: misunderstanding scale

2014-03-25 Thread Valdis . Kletnieks
On Tue, 25 Mar 2014 16:31:17 +1100, Mark Andrews said: My bet is the number needing more than a single /64 will exceed the number needing just a /64. Most phones really need two /64 for tethering and currently there are lots of kludges to work around only one being available. As a data

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-25 Thread Lee Howard
On 3/24/14 10:17 PM, Naslund, Steve snasl...@medline.com wrote: I can easily answer that one as a holder of v4 space at a commercial entity. The end user does not feel any compelling reason to move to ipv6 if they have enough v4 space. I can't give my employer a solid business case of why

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-25 Thread Lee Howard
On 3/24/14 9:12 PM, Bob Evans b...@fiberinternetcenter.com wrote: I agree with one thing herein In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Yep, chicken and the egg. I agree. We built an IPv6 native network - no tunneling - no customers to speak of ...

Re: misunderstanding scale

2014-03-25 Thread Lee Howard
It is late and I am just rambling, but even with DHCP(4and6) changing IP networks is not a trivial thing. Not hard, but it will require a lot more planning than what many do today of simply changing the WAN IP address and some records in the DNS (if needed) We tried:

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-25 Thread Bob Evans
Bob Evans CTO On 3/24/14 9:12 PM, Bob Evans b...@fiberinternetcenter.com wrote: I agree with one thing herein In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Yep, chicken and the egg. I agree. We built an IPv6 native network - no tunneling - no customers to

RE: misunderstanding scale

2014-03-25 Thread Naslund, Steve
Look at it this way. If I see an attack coming from behind your NAT, I'm gonna deny all traffic coming from your NAT block until you assure me you have it fixed because I have no way of knowing which host it is coming from. Now your whole network is unreachable. If you have a

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-25 Thread Lamar Owen
On 03/24/2014 09:39 PM, Paul Ferguson wrote: I'll leave it as an exercise for the remainder of... everywhere to figure out why there is resistance to v6 migration, and it isn't just because people can't be bothered. I'm sure there are numerous enterprises in the same shape I am in, with

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-25 Thread Valdis . Kletnieks
On Tue, 25 Mar 2014 09:55:21 -0400, Lee Howard said: Some of us have quite a few IPv6 customers: http://www.worldipv6launch.org/measurements/ And we see significant traffic from those users. :-) I'm actually glad to see that we're no longer on the first page of that list. ;)

Re: misunderstanding scale

2014-03-25 Thread Owen DeLong
IPv6 adds an entirely new aspect to it. Well, if you mean the entirely new aspect is a list of hex addresses instead of dotted decimal addresses I guess so. I personally would rather have a list of actual end system addresses than a list of addresses that represent a mail server and

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-25 Thread Owen DeLong
Thus far, IPv6 has been the Field of Dreams those of us who have built it, we know they have not yet come (the IPv6 customers). That's all this discussion is really about is when will they come. Some of us have quite a few IPv6 customers:

Re: misunderstanding scale

2014-03-24 Thread Valdis . Kletnieks
On Sun, 23 Mar 2014 16:21:50 -0700, Paul Ferguson said: On the other hand, there are beaucoup enterprise networks unwilling to consider moving to v6 until there are management, control, administrative, and security issues addressed. The problem is that for many of those enterprises, the

Re: misunderstanding scale

2014-03-24 Thread Mark Tinka
On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote: When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device be ULA, LLA, GUA or RFC1918-addressed, the device is at risk anyway.

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-24 Thread Mark Tinka
On Sunday, March 23, 2014 11:02:13 PM Mark Andrews wrote: Actually all you have stated in that printer vendors need to clean up their act and not that one shouldn't expect to be able to expose a printer to the world. It isn't hard to do this correctly. It also does not cost much on a per

Re: misunderstanding scale

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 01:15:27 AM Mark Andrews wrote: And there you go putting stricter requirements on printers that you don't put on laptop, servers. None of us would put any machines on the net if they had to meet your printer's requirements. Because, at the very least, a laptop or

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 01:37:52 AM Timothy Morizot wrote: Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's

Re: misunderstanding scale

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 02:41:00 AM Timothy Morizot wrote: The original assertion was that there are unaddressed security weaknesses in IPv6 itself preventing its adoption. At least that's the way I read it. And that assertion is mostly FUD. The risks have less to do with IPv6, and more to

Re: misunderstanding scale

2014-03-24 Thread Karl Auer
On Mon, 2014-03-24 at 08:38 +0200, Mark Tinka wrote: In an ideal IPv6 world, all hosts have GUA's, and in this case, host security becomes a bigger problem, because now the host is directly accessible without a NAT66 in between (we hope). The mantras from my training courses: Addressable

Re: misunderstanding scale

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 09:00:46 AM Karl Auer wrote: The mantras from my training courses: Addressable is not the same as accessible; routable is not the same as routed. Just because you give every host a globally routable address doesn't mean you have to route them. Just because you

Re: misunderstanding scale

2014-03-24 Thread Tim Franklin
Additional support on my feeling of DO and IPv6, is DO's stance of directly not even allowing IPv6 tunnels to HE, SiXXs, or any of the other providers by specifically telling them not to allow connections from your IPv4 address space. Say *what*? I've got HE tunnels into DO, purely because

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-24 Thread Timothy Morizot
On Mon, Mar 24, 2014 at 1:51 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Monday, March 24, 2014 01:37:52 AM Timothy Morizot wrote: Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave

Re: misunderstanding scale

2014-03-24 Thread Timothy Morizot
On Mon, Mar 24, 2014 at 1:38 AM, Mark Tinka mark.ti...@seacom.mu wrote: On Sunday, March 23, 2014 09:35:31 PM Denis Fondras wrote: When speaking of IPv6 deployment, I routinely hear about host security. I feel like it should be stated that this is *in no way* an IPv6 issue. May the device

Re: misunderstanding scale

2014-03-24 Thread Nick Hilliard
On 24/03/2014 06:47, Mark Tinka wrote: Because, at the very least, a laptop or server can run a stateless packet filter to keep out pokes at ports that may be running by default, but have no business being queried over the network. once upon a time, they didn't have host firewalls or

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Hi Steve, It is your privilege to believe this and to practice it in the networks you operate. Many of the

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush ra...@psg.com wrote: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. it can be stateless You're smarter than that. -Bill -- William D. Herrin her...@dirtside.com b...@herrin.us 3005

Re: misunderstanding scale

2014-03-24 Thread Michael Thomas
On 03/24/2014 09:20 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible,

Re: IPv6 Security [Was: Re: misunderstanding scale]

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 02:42:07 PM Timothy Morizot wrote: While I don't really disagree with that statement, I'm not entirely sure what CPE firewalls and home devices have to do with enterprise deployments, the topic I was discussing. We've been actively working this for the past three

Re: misunderstanding scale

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 02:56:13 PM Timothy Morizot wrote: NAT traversal is and has long been fairly trivial. NAT and RFC1918 provide no meaningful host protection whatsoever and never have. The only thing that limits direct access to internal networks is a stateful firewall. (Well, IPS

Re: misunderstanding scale

2014-03-24 Thread Joe Greco
On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then

RE: misunderstanding scale

2014-03-24 Thread Alexander Lopez
Original message From: William Herrin Date: 03/24/2014 12:27 PM (GMT-05:00) To: Naslund, Steve Cc: NANOG list Subject: Re: misunderstanding scale On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT

Re: misunderstanding scale

2014-03-24 Thread Mark Tinka
On Monday, March 24, 2014 06:02:11 PM Nick Hilliard wrote: once upon a time, they didn't have host firewalls or packet filters, which was why we ended up with: https://isc.sans.edu/diary/Survival+Time+on+the+Internet/4721 :-). Mark. signature.asc Description: This is a digitally signed

RE: misunderstanding scale

2014-03-24 Thread Naslund, Steve
- From: William Herrin [mailto:b...@herrin.us] Sent: Monday, March 24, 2014 11:21 AM To: Karl Auer Cc: nanog@nanog.org Subject: Re: misunderstanding scale On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same

RE: misunderstanding scale

2014-03-24 Thread Naslund, Steve
even comes out of the box blocking inbound connections by default. Steve -Original Message- From: Mark Tinka [mailto:mark.ti...@seacom.mu] Sent: Monday, March 24, 2014 11:35 AM To: Timothy Morizot Cc: NANOG list Subject: Re: misunderstanding scale Don't disagree with you there. I'm

Re: misunderstanding scale

2014-03-24 Thread Patrick W. Gilmore
On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private addressing does not equal security. Many of the folks you would have deploy IPv6

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas m...@mtcc.com wrote: On 03/24/2014 09:20 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the same as routed. Indeed. However, all

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco jgr...@ns.sol.net wrote: all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Time to give

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: Some folks WANT to segregate their networks from the Internet via a general-protocol transparent proxy. They've had this capability with IPv4 for 20

Re: misunderstanding scale

2014-03-24 Thread Joe Greco
Hi Mike, You can either press the big red button and fire the nukes or you can't, so what difference how many layers of security are involved with the Football? I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent

Re: misunderstanding scale

2014-03-24 Thread Joe Greco
On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco jgr...@ns.sol.net wrote: all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible and unrouted you have two. Time to

Re: misunderstanding scale

2014-03-24 Thread Laszlo Hanyecz
On Mar 24, 2014, at 5:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco jgr...@ns.sol.net wrote: I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details but the principle is not

RE: misunderstanding scale

2014-03-24 Thread Naslund, Steve
, March 24, 2014 12:34 PM To: Naslund, Steve Subject: Re: misunderstanding scale On 3/24/2014 12:53 PM, Naslund, Steve wrote: If they have a stateful IPv6 firewall (which they should and which most firewall vendors support), they already have what they need to prevent their internal systems from

Re: misunderstanding scale

2014-03-24 Thread Patrick W. Gilmore
On Mar 24, 2014, at 13:17 , William Herrin b...@herrin.us wrote: On Mon, Mar 24, 2014 at 1:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: Some folks WANT to segregate their networks from the Internet via a general-protocol

Re: misunderstanding scale

2014-03-24 Thread Valdis . Kletnieks
On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said: You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you from a risk-management standpoint? The problem is

Re: misunderstanding scale

2014-03-24 Thread Lee Howard
On 3/24/14 1:37 PM, William Herrin b...@herrin.us wrote: On Mon, Mar 24, 2014 at 9:25 AM, Joe Greco jgr...@ns.sol.net wrote: I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization.

Re: misunderstanding scale

2014-03-24 Thread Timothy Morizot
On Mon, Mar 24, 2014 at 11:36 AM, Alexander Lopez alex.lo...@opsys.com wrote: not to mention the cost in readdressing your entire network when you change an upstream provider. Nat was a fix to a problem of lack of addresses, however, the use of private address space 10/8, 192.168/16 has

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 2:23 PM, Lee Howard l...@asgard.org wrote: On 3/24/14 1:37 PM, William Herrin b...@herrin.us wrote: That would be one of those details on which smart people disagree. In this case, I think you're wrong. Modern NAT superseded the transparent proxies and bastion hosts of the

Re: misunderstanding scale

2014-03-24 Thread Timothy Morizot
On Mon, Mar 24, 2014 at 8:25 AM, Joe Greco jgr...@ns.sol.net wrote: Bill Herrin wrote: I say this with the utmost respect, but you must understand the principle of defense in depth in order to make competent security decisions for your organization. Smart people disagree on the details

Re: misunderstanding scale

2014-03-24 Thread Timothy Morizot
On Mon, Mar 24, 2014 at 12:37 PM, William Herrin b...@herrin.us wrote: What sort of traction are you getting from that argument when you speak with enterprise security folks? Actually, I never even had to make the argument in our enterprise. Our cybersecurity organization already knew that

Re: misunderstanding scale

2014-03-24 Thread Joe Greco
it involves two layers of heterogeneous firewalls (protecting multiple ^ Ugh. Knew I was forgetting something. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one

RE: misunderstanding scale

2014-03-24 Thread Naslund, Steve
I doubt that many residential customers will be readdressing their networks except for us geeks. Most of them are going to be using CPE that grabs an address via DHCP for the WAN interface and then does an IPv6 DHCP PD with the /64 it gets from the service provider. The customer sees nothing

Re: misunderstanding scale

2014-03-24 Thread Tore Anderson
* William Herrin On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush ra...@psg.com wrote: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. it can be stateless You're smarter than that. https://tools.ietf.org/html/rfc6145

RE: misunderstanding scale

2014-03-24 Thread Eric Wieling
@nanog.org Subject: Re: misunderstanding scale On Mon, Mar 24, 2014 at 8:31 AM, Joe Greco jgr...@ns.sol.net wrote: all successful security is about _defense in depth_. If it is inaccessible, unrouted, unroutable and unaddressable then you have four layers of security. If it is merely inaccessible

Re: misunderstanding scale

2014-03-24 Thread Michael Thomas
On 3/24/14 10:08 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 12:28 PM, Michael Thomas m...@mtcc.com wrote: On 03/24/2014 09:20 AM, William Herrin wrote: On Mon, Mar 24, 2014 at 3:00 AM, Karl Auer ka...@biplane.com.au wrote: Addressable is not the same as accessible; routable is not the

Re: misunderstanding scale

2014-03-24 Thread Randy Bush
https://tools.ietf.org/html/rfc6145 https://tools.ietf.org/html/draft-ietf-softwire-map-t-05 https://tools.ietf.org/html/draft-anderson-siit-dc-00 derived from 6346 randy

Re: misunderstanding scale

2014-03-24 Thread Michael Thomas
On 3/24/14 10:37 AM, valdis.kletni...@vt.edu wrote: On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said: You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make sense to you

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 2:56 PM, Tore Anderson t...@fud.no wrote: * William Herrin On Sat, Mar 22, 2014 at 8:19 PM, Randy Bush ra...@psg.com wrote: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. it can be stateless You're smarter than that.

Re: misunderstanding scale

2014-03-24 Thread Randy Bush
And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly? maybe you should read the documents

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 1:37 PM, valdis.kletni...@vt.edu wrote: On Mon, 24 Mar 2014 13:13:43 -0400, William Herrin said: You'd expect folks to give up two layers of security at exactly the same time as they're absorbing a new network protocol with which they're yet unskilled? Does that make

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 6:46 PM, Randy Bush ra...@psg.com wrote: And all those IPv4 addresses for the 1:1 translation required by the stateless version are coming from where exactly? maybe you should read the documents I did. They were abstruse beyond even the normal level for RFCs but I made

Re: misunderstanding scale

2014-03-24 Thread Randy Bush
You propose stateless NAT64 as a viable alternative to CGN. where do i do that? The question stands: where are you planning to get the extra IPv4 addresses for the static 1:1 mapping? maybe look at the +P in A+P randy

Re: misunderstanding scale

2014-03-24 Thread William Herrin
On Mon, Mar 24, 2014 at 7:37 PM, Randy Bush ra...@psg.com wrote: You propose stateless NAT64 as a viable alternative to CGN. where do i do that? Nick Hilliard: don't believe for a moment that v6 to v4 protocol translation is any less ugly than CGN. Your reply (verbosity added for clarity):

Re: misunderstanding scale

2014-03-24 Thread Randy Bush
You propose stateless NAT64 as a viable alternative to CGN. ^^^ where do i do that? Nick Hilliard ahh. i see your error. i am not nick hilliard. he's the cute one. Your reply (verbosity added for clarity): [Sure it is! Unlike where folks solve their problem with CGN, v6 to v4

Re: misunderstanding scale

2014-03-24 Thread Warren Bailey
FYI He tells everyone they're cute. Don't buy his tricks, he doesn't call back the next morning. ;) Ps. Take it easy on each other. It's the beginning of spring.. Head outside.. Go have a beer.. Smoke a joint.. What I am getting at is.. It's possible you guys should relax and realize that in the

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-24 Thread Owen DeLong
In order for IPv6 to truly work, everyone needs to be moving towards IPv6. Maintaining dual protocols for the entire internet is problematic, wasteful, and horribly inefficient at best. Bottom line, the internet outgrew IPv4 almost 30 years ago and we’ve been using various hacks like NAT as a

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-24 Thread Owen DeLong
Let’s assume, for a moment, that there are 32 /8s out there that could be reclaimed. Let’s further assume that renumbering out of a /8 takes, on average, about 18 months. (That’s moving almost 1,000,000 customers per month on average, potentially). Even if we got all 32 /8 equivalents back

Re: misunderstanding scale

2014-03-24 Thread Owen DeLong
On Mar 22, 2014, at 10:16 AM, Nick Hilliard n...@foobar.org wrote: On 22/03/2014 16:29, Doug Barton wrote: It is a mistake to believe that the only reason to add IPv6 to your network is size. Adding IPv6 to your network _now_ is the right decision because at some point in the not-too-distant

Re: misunderstanding scale

2014-03-24 Thread hslabbert
To: Timothy Morizot Cc: NANOG list Subject: Re: misunderstanding scale Don't disagree with you there. I'm saying many an enterprise (small and large) as well as homes operate this way. There is a lot of unlearning to do. The whole issue is that a number of enterprises may only feel safe

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-24 Thread Owen DeLong
IPv4 has already been trading around $10/address. So the prices quoted a while back don’t make much sense to me. Further, could you please quantify “vast”? How many /8 equivalents in a “vast number”? Until they ran out, APNIC was issuing approximately 1.5 /8s per month. How long, exactly, do

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-24 Thread Owen DeLong
On Mar 22, 2014, at 12:36 PM, William Herrin b...@herrin.us wrote: On Sat, Mar 22, 2014 at 11:54 AM, Justin M. Streiner strei...@cluebyfour.org wrote: On Sat, 22 Mar 2014, William Herrin wrote: On Sat, Mar 22, 2014 at 10:33 AM, Justin M. Streiner strei...@cluebyfour.org wrote: All of
