[ppml] IPv6 flawed?
michael.dillon at bt.com
Mon Sep 17 14:15:11 EDT 2007
> Firewalls are common and plentiful in that WAN/LAN all run by
> these different fiefdoms and they all use large access lists
> with hard-coded host numbers in them. There is really not
> one single person - in my humble opinion - who knows all
> about all applications on the network and all servers and who
> all is supposed to be using them. The typical MO to setup a
> worker bee in the organization can involve discussions with
> tens of different admins to get access to all the stuff the
> person needs.
And every single one of those devices needs to be CHANGED in order to
convert it to IPv6. At the time of conversion (or preferably during the
audit preceding conversion) it makes sense to try and get some control
over these ACLs to facilitate renumbering.
Of course, one solution is to not convert certain devices to IPv6 but
just live with the IPv4 stuff that works. When those networks become
isolated IPv4 islands in an IPv6 network, it will never again be
necessary to renumber the IPv4 interfaces.
> For the people that talk about IPv6 renumbering like you just
> flip a switch and change the prefix in the router, may I
> humbly suggest you are out of your fricking mind.
The people who tell you to renumber this way also point out how they
planned and prepared from the time they were first installing their
network. The real lesson is not that IPv6 networks can be renumbered at
a flick of a switch, but that building renumberability in from the
start makes it very easy to do. Also, note that IPv6 requires two
switch flicks. One to turn on the new prefix, and the other to turn off
the old prefix after a delay of days or weeks.
During those interim weeks, you could probably renumber the firewalls
one by one.
IPv6 is *NOT* just IPv4 with more bits. It works differently and
seemingly small differences have larger knock-on effects.
--Michael Dillon
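The two-flick renumbering described in the post (turn the new prefix on, run both prefixes for days or weeks, then turn the old one off) is exactly the window in which ACLs full of hard-coded host addresses have to be walked one firewall at a time. The script below is an added illustration and is not from the post or from any ARIN tooling: it audits a constructed rule set in a simplified "action src dst port" format against two invented prefixes (`2001:db8:1::/48` old, `2001:db8:2::/48` new, assumed to be the same length). During the overlap phase it reports old-prefix rules that have no twin under the new prefix; at cutover it reports every old-prefix reference that is still present and would be orphaned when the old prefix is switched off.

```python
"""Audit firewall ACL rules across a two-step IPv6 renumbering.

Constructed example: the rule syntax, the two /48 prefixes and the
sample rules are invented for illustration and are not from the post.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical old and new site prefixes (assumed to have equal length).
OLD_PREFIX = ipaddress.ip_network("2001:db8:1::/48")
NEW_PREFIX = ipaddress.ip_network("2001:db8:2::/48")

# Constructed sample ACL: "<permit|deny> <src> <dst> <port>".
# A bare address without /len is a hard-coded host (/128).
RULES_TEXT = """\
permit 2001:db8:1:10::5 2001:db8:1:20::25 22
permit 2001:db8:2:10::5 2001:db8:2:20::25 22
permit 2001:db8:1:10::/64 2001:db8:1:30::80 443
deny ::/0 2001:db8:1:20::25 23
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    port: int


def parse_rule(line):
    """Parse one rule line; host literals become /128 networks."""
    action, src, dst, port = line.split()
    return Rule(action,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                int(port))


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def renumber(net, old, new):
    """Move a host or subnet from the old prefix to the new prefix,
    keeping the subnet and host bits unchanged. Networks outside the
    old prefix are returned as-is."""
    if not net.subnet_of(old):
        return net
    offset = int(net.network_address) - int(old.network_address)
    return ipaddress.IPv6Network(
        (int(new.network_address) + offset, net.prefixlen))


def hardcoded_hosts(rules):
    """Distinct /128 host literals: each one is a line that must change."""
    return {n for r in rules for n in (r.src, r.dst) if n.prefixlen == 128}


def audit(rules, old, new, phase):
    """phase='overlap': every old-prefix rule needs a twin under the new
    prefix, or the renumbered hosts lose access before the old prefix is
    even withdrawn.  phase='cutover': any old-prefix reference left is a
    stale entry that must be removed or rewritten."""
    findings = []
    present = set(rules)
    for r in rules:
        if not (r.src.subnet_of(old) or r.dst.subnet_of(old)):
            continue
        twin = Rule(r.action, renumber(r.src, old, new),
                    renumber(r.dst, old, new), r.port)
        if phase == "overlap" and twin not in present:
            findings.append(("missing-twin", r, twin))
        elif phase == "cutover":
            findings.append(("stale-old-prefix", r, twin))
    return findings


if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    print(f"{len(hardcoded_hosts(rules))} hard-coded host literals in ACL")
    for phase in ("overlap", "cutover"):
        for kind, rule, twin in audit(rules, OLD_PREFIX, NEW_PREFIX, phase):
            print(f"[{phase}] {kind}: {rule} -> suggested {twin}")
```

Rules written against a whole subnet (the `/64` line) survive renumbering with a single prefix substitution, while each `/128` host literal is a separate change, which is the concrete cost of not building renumberability in from the start.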