[ppml] ripe-55/presentations/bush-ipv6-transition.pdf

Bill Fumerola billf at powerset.com
Fri Oct 26 14:03:59 EDT 2007


"Keith W. Hare" <Keith at jcc.com> on 10/26/07 10:36 AM scribed thusly:
>> Then they should transition to IPv6, get a /48, and build their network
>> so that it can easily renumber if that /48 prefix changes. No more
>> pain.
>
> This assumes that the technology actually exists to easily renumber if
> the /48 prefix changes.
>
> The pieces I have not yet seen are:
>
> -- Firewalls -- With IPv4, the firewall rules are built in terms of IP
> addresses. Will IPv6 firewalls do something similar or will there be a
> single place to specify a prefix?

with IPv4, firewall rules are built in terms of numbers and masks. with
IPv6, firewall rules are built in terms of numbers and masks. adding
transition rules for either is not hard. IPv6 tends to make this easier with
a larger probability there is a 1:1 mapping from old to new. IPv4
renumbering often comes with prefix & subnet size changes which make 1:1
mapping not always possible.

regardless, the technology has existed since 1977. it's called m4 (or cpp).

> -- Intrusion Detection & Network monitoring appliances -- is it (or will
> it be possible) to specify an IPv6 prefix someplace rather than
> embedding the entire IP address in rules?

see above, the technology has existed since 1977. it's called m4 (or cpp).

more advanced systems (like puppet[1]) can use ruby to generate/distribute
configuration files. you can even use languages like php to generate config
files if m4 or cpp is too low level.

> -- VPNs -- How do I change an IP on a VPN link if I don't control the
> other end?  What if I do control the other end, but it is remote?

no control of the remote: contact the person who does.
control of the remote: add new addressing, (re-)connect using new
addressing, remove old addressing.

if appropriate in your environment, using ULA-{C,L,U} for inside tunnel
addressing can also decrease the probability of having to renumber those
addresses down to limit(1/x, x->Inf).

> -- If /48 prefix changes, will my customers/vendors/etc. require another
> security audit?

there are lots of things that may or may not trigger an audit. if you
have to renumber from one PA space to another PA space, you're presumably
changing providers. that may bring about many things that trigger an audit
(e.g. new circuits, other configuration changes on gear, etc).

> I'm sceptical that the technology exists today to easily renumber a
> business network if a /48 prefix changes.

while you remain sceptical [sic], people who can template their
configurations and effectively manage their equipment will be passing by
those that can't (or don't).

there are plenty of things that make renumbering annoying, but it's not
rocket science nor is it impossible. anyone who has had to renumber V4 a few
times should have the scars and the vision to take advantage of the
improvements/features in IPv6-land that make renumbering easier there.

-- billf

1. http://reductivelabs.com/projects/puppet/
