[arin-discuss] Trying to Understand IPV6

Michael K. Smith - Adhost mksmith at adhost.com
Mon Sep 13 17:02:29 EDT 2010


> -----Original Message-----
> From: arin-discuss-bounces at arin.net [mailto:arin-discuss-bounces at arin.net] On Behalf Of Mike Lieberman
> Sent: Monday, September 13, 2010 1:18 PM
> To: arin-discuss at arin.net
> Subject: Re: [arin-discuss] Trying to Understand IPV6
> 
> I have been reading all these discussions (mostly silently) for a long, long
> time. I understand what a /48 is and a /56, /64 and /128. I understand the
> notation.
> 
> Quite frankly what I don't get is why anyone thinks that consumers want
> public numbers inside their home/LANs.  Once my customers understood the
> benefit of hiding behind a NAT, they embraced it quite emphatically.
> 
> Put a private residence on public IPv6? Sorry but that makes no sense.

Why not have valid addresses all the way through?   There is nothing
that a stateful firewall does now that it cannot do without the NAT
component.  We've all been told that NAT adds security but it's not the
NAT that does that, it's the firewall (and there are arguments there as
well, but that's another thread).  NAT obfuscates internal hosts and
allows you to overload internal addresses onto a scarce outside resource
- the IPv4 address(es) you have from your upstream.  With IPv6 we don't
*have* to NAT.   But, if you want to NAT, you still can.  We actually
have one scenario where we NAT from one /64 of our ARIN-assigned space
to multiple /64's of our ARIN-assigned space to use the load-balancing
functionality of PF.   

At the end of the day, they're just addresses.  Inside, outside,
whatever.  If you want to have a virtual wall between some inside and
outside resource at Layer 3, you can.  Given that some huge percentage
of miscreant traffic uses exploits at Layer 7, I just don't see that it
buys you much.
> 
> Yes I agree that I don't know what people will need in 20 years. And YES it
> is nice that we will have address space in 20 years. But allocating a /48 to
> a home that today uses an IPv4 /30 with a private NAT seems beyond humorous.
> It just sounds insane. Using private addressing that home already
> potentially has access to thousands of subnets and millions of addresses.
> 
> RFC 4193 provides even more addresses for use with firewall/NAT appliances.
> Why does a home or business using RFC 4193 need a /48 or even a /56 or /64?
> 
> Just because we have the numbers does not mean we should distribute
> them.
> 
It's a paradigm shift, to be sure.  But, the concept of 1:1 mapping of
an address to a "thing" (be it a server, toaster, etc.) is one that is
specific to IPv4.  If you want to apply IPv4 concepts to your IPv6
network then you certainly can, although you have to be careful because
some implementations may not be agreeable to a prefix longer than a /64,
and all of the auto-configuration stuff goes out the window as well.

I'm hoping for a day where every device in my house that has power has
an address that provides some useful function to me - primarily in cost
savings.  Hopefully we'll get there during my lifetime.  But, if we
continue fighting IPv6 based upon its differences from IPv4, then it
probably won't.

Regards,

Mike
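
The point made in the reply above, that the protection people credit to NAT comes from the firewall's state tracking, can be shown with a small model. This is an added example, not part of the original message or any poster's configuration; the `StatefulFilter` class, the `demo` function and all addresses (taken from the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import ipaddress

# Constructed inside prefix from the IPv6 documentation range (assumption).
INSIDE = ipaddress.ip_network("2001:db8:1::/48")


class StatefulFilter:
    """Default-deny inbound, allow outbound, track flows. No address rewriting."""

    def __init__(self, inside):
        self.inside = inside
        # Each state: (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.states = set()

    def check(self, proto, src, sport, dst, dport):
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        if src_ip in self.inside and dst_ip not in self.inside:
            # Outbound: record the flow so its replies can be recognised.
            self.states.add((proto, src_ip, sport, dst_ip, dport))
            return "pass"
        if dst_ip in self.inside and src_ip not in self.inside:
            # Inbound: pass only the exact reverse of a tracked flow.
            if (proto, dst_ip, dport, src_ip, sport) in self.states:
                return "pass"
            return "block"
        # Neither direction: not traffic this border filter should forward.
        return "block"


def demo():
    fw = StatefulFilter(INSIDE)
    host = "2001:db8:1:10::25"      # globally routable inside host, never translated
    server = "2001:db8:ffff::80"    # outside peer the host contacts
    other = "2001:db8:dead::1"      # outside host with no prior flow
    return [
        fw.check("tcp", other, 40000, host, 22),     # unsolicited inbound
        fw.check("tcp", host, 51000, server, 443),   # outbound creates state
        fw.check("tcp", server, 443, host, 51000),   # reply matches state
        fw.check("tcp", server, 443, host, 51001),   # same peer, wrong port
        fw.check("tcp", other, 443, host, 51000),    # right port, wrong peer
    ]


if __name__ == "__main__":
    print(demo())
```

The inside host keeps its public address throughout, yet unsolicited inbound packets are dropped exactly as they would be behind an IPv4 NAT gateway, because the drop decision depends only on the state table.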


