[arin-discuss] Trying to Understand IPV6

Matthew S. Crocker matthew at crocker.com
Mon Sep 13 17:05:15 EDT 2010


----- Original Message -----

> From: "Mike Lieberman" <mike at netwright.net>
> To: "Matthew S. Crocker" <matthew at crocker.com>
> Cc: arin-discuss at arin.net
> Sent: Monday, September 13, 2010 4:52:01 PM
> Subject: RE: [arin-discuss] Trying to Understand IPV6
> 
> We run VoIP over NAT today and while there is a learning curve it is 
> manageable.

Yes, it is manageable. My Acme SD does a wonderful job gluing the RTP streams together.  With IPv6 endpoints we wouldn't need to hairpin the RTP streams.

> 
> Make a mistake in NAT'ed network and NAT will save you in spite of yourself.
> Make a mistake in Public IP and you are potentially sunk.
> 

Customers manage to find the viruses just fine on their own, even behind NAT.  I don't think IPv6 to the desktop is going to change that.

> As an advocate for the end user - even when it makes my job harder.... NAT
> isn't evil. Network Engineers who expect all consumers to be knowledgeable are
> evil. We need to employ technologies that are safe even when used badly.
> Public addresses on residences fails the test.
> 

Properly configured network devices with a centralized device management/config/firmware server could be a service a competent ISP would provide.  End users don't need to be knowledgeable if their provider does their job.

My end users don't manage their Phone config files or firmware, why would I have them manage their firewall?

> It's nice that some of you trust public institutions to always behave and do
> right.

AAAAH, so that is the real issue, you are afraid that 'Big Brother' will spy on your IPv6 enabled computer.  Do you really think that NAT stops that? Backdoors in your NAT router? Viruses that poke holes in your NAT router?  It is all possible and quite easily do-able.  NAT doesn't offer any real security.

> Do I offend you that you are in the aggregate in the extreme minority?

uh,  huh?

> 
> -----Original Message-----
> From: Matthew S. Crocker [mailto:matthew at crocker.com]
> Sent: Monday, September 13, 2010 2:44 PM
> To: Mike Lieberman
> Cc: arin-discuss at arin.net
> Subject: Re: [arin-discuss] Trying to Understand IPV6
> 
> 
> 
> In short because NAT is evil.  Customers don't normally have a clue what NAT
> means or if it actually provides security or not.  A properly configured home
> IPv6 appliance can provide the same levels of security without NAT.  Stateful
> packet inspection and real IPv6 addresses on all devices is far superior to
> NATted IPv4.
>
> NAT is the bane of my existence as a VoIP provider.  If only my phones
> supported IPv6...
> 
> -Matt
> 
> ----- Original Message -----
> 
> > From: "Mike Lieberman" <mike at netwright.net>
> > To: arin-discuss at arin.net
> > Sent: Monday, September 13, 2010 4:17:37 PM
> > Subject: Re: [arin-discuss] Trying to Understand IPV6
> >
> > I have been reading all these discussions (mostly silently) for a long, long
> > time. I understand what a /48 is and a /56, /64 and /128. I understand the
> > notation.
> >
> > Quite frankly what I don't get is why anyone thinks that consumers want
> > public numbers inside their home/LANs.  Once my customers understood the
> > benefit of hiding behind a NAT, they embraced it quite emphatically.
> >
> > Put a private residence on public IPv6? Sorry but that makes no sense.
> >
> >
> > Yes I agree that I don't know what people will need in 20 years. And YES it
> > is nice that we will have address space in 20 years. But allocating a /48 to
> > a home that today uses an IPv4 /30 with a private NAT seems beyond humorous.
> > It just sounds insane. Using private addressing that home already
> > potentially has access thousands of subnets and millions of addresses.
> >
> >
> > RFC 4193 provides even more addresses for use with firewall/NAT appliances.
> > Why does a home or business using RFC 4193 need a /48 or even a /56 or /64.
> >
> > Just because we have the numbers does not mean we should distribute them.
> >
> >
> > _________________________
> > Mike Lieberman, President
> > Net Wright LLC
> > Tel: +1-307-857-4898
> > Fax: +1-307-857-4872
> >
> >
> > -----Original Message-----
> > From: arin-discuss-bounces at arin.net
> > [mailto:arin-discuss-bounces at arin.net]
> > On Behalf Of Dan White
> > Sent: Monday, September 13, 2010 1:28 PM
> > To: Tim Howe
> > Cc: arin-discuss at arin.net
> > Subject: SPAM: Re: [arin-discuss] Trying to Understand IPV6
> >
> > On 13/09/10 12:01 -0700, Tim Howe wrote:
> > >On Mon, 13 Sep 2010 19:32:33 +0100
> > ><michael.dillon at bt.com> wrote:
> > >
> > >> > If I assigned a customer say an IPV4 /21 in IPV6 this would translate
> > >> > into a /56? If I'm not mistaken a /56 would translate into something
> > >> > like 65,000 host addresses? That just seems like a lot of hosts to me,
> > >>
> > >> Anyone in this position should simply assign a /48 to every customer site
> > >> no matter how big or small. A one bedroom apartment gets a /48. A manufacturing
> > >> plant with 5 buildings including a 4-story office block, gets a /48.
> > >> No exceptions.
> > >
> > >	This is slightly different than I have been led to think...  It
> > >seems wise, when you know the customer has no intention of having
> > >multiple networks, to provide a /64.  Not because you fear wasting
> >
> > Consider a long range scenario for that customer. A scenario in which they
> > may purchase networking equipment for multiple purposes in 5 or 10, or 20
> > years that performs layer two separation between different functions in
> > their network. E.g. Wifi, Bluetooth/USB, appliances, voice, video, visitor
> > access, alarm system, automobiles, utilities, etc.
> >
> > I find it beneficial to consider that I probably don't know what a
> > customer's network will look like in 20 years, and a /48 per customer is
> > probably wisest until we've gained more operational experience with IPv6 in
> > our own network.
> >
> > -- 
> > Dan White
> > _______________________________________________
> > ARIN-Discuss
> > You are receiving this message because you are subscribed to
> > the ARIN Discussion Mailing List (ARIN-discuss at arin.net).
> > Unsubscribe or manage your mailing list subscription at:
> > http://lists.arin.net/mailman/listinfo/arin-discuss
> > Please contact info at arin.net if you experience any issues.
> > No virus found in this incoming message.
> > Checked by AVG - www.avg.com
> > Version: 9.0.851 / Virus Database: 271.1.1/3128 - Release Date:
> > 09/13/10
> > 00:35:00


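Added example (not part of the original thread and not any poster's code): a minimal Python model of the stateful packet inspection the thread argues about, showing that dropping unsolicited inbound traffic depends on connection state rather than on address translation. The prefix and host addresses are constructed from the 2001:db8::/32 documentation range, and the class, interface labels and ports are hypothetical.

```python
import ipaddress

# Constructed sample: documentation prefix standing in for a home's /48.
LAN = ipaddress.ip_network("2001:db8:1234::/48")

class StatefulFilter:
    """Hypothetical model: default-deny inbound, no address rewriting."""

    def __init__(self, lan):
        self.lan = lan
        self.flows = set()  # (proto, inside addr, inside port, outside addr, outside port)

    def check(self, iface, proto, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if iface == "lan":
            # Egress: source must be in the delegated prefix; then track the flow.
            # (Routing between inside subnets is out of scope for this model.)
            if src not in self.lan or dst in self.lan:
                return "drop"
            self.flows.add((proto, src, sport, dst, dport))
            return "accept"
        # Ingress from WAN: reject spoofed inside sources and foreign destinations.
        if src in self.lan or dst not in self.lan:
            return "drop"
        # Only replies to a flow that an inside host started are let through.
        return "accept" if (proto, dst, dport, src, sport) in self.flows else "drop"

def demo():
    fw = StatefulFilter(LAN)
    phone = "2001:db8:1234:10::50"    # constructed inside host (a VoIP phone)
    peer = "2001:db8:ffff::5"         # constructed remote media peer
    scanner = "2001:db8:eeee::99"     # constructed unrelated outside host
    return [
        fw.check("lan", "udp", phone, 16384, peer, 20000),     # outbound creates state
        fw.check("wan", "udp", peer, 20000, phone, 16384),     # matching reply
        fw.check("wan", "udp", scanner, 20000, phone, 16384),  # unsolicited, other host
        fw.check("wan", "tcp", scanner, 40000, phone, 80),     # unsolicited connection
        fw.check("wan", "udp", phone, 16384, phone, 16384),    # spoofed inside source
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The phone keeps its global address end to end, so media flows directly to the peer with no hairpin, while the last three packets are dropped by the state table alone.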
