[ppml] IPv6 flawed?

Ted Mittelstaedt tedm at ipinc.net
Mon Sep 17 14:51:41 EDT 2007



>-----Original Message-----
>From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On Behalf Of
>michael.dillon at bt.com
>Sent: Monday, September 17, 2007 11:15 AM
>To: ppml at arin.net
>Subject: Re: [ppml] IPv6 flawed?
>
>
>
>> Firewalls are common and plentiful in that WAN/LAN all run by 
>> these different fiefdoms and they all use large access lists 
>> with hard-coded host numbers in them.  There is really not 
>> one single person - in my humble opinion - who knows all 
>> about all applications on the network and all servers and who 
>> all is supposed to be using them.  The typical MO to setup a 
>> worker bee in the organization can involve discussions with 
>> tens of different admins to get access to all the stuff the 
>> person needs.
>
>And every single one of those devices needs to be CHANGED in order to
>convert it to IPv6. At the time of conversion (or preferably during the
>audit preceding conversion) it makes sense to try and get some control
>over these ACLs to facilitate renumbering.
>

I agree.  However I think you missed the part where I said that the
network is organized - a misuse of the term organized if I ever
heard of one - into a set of fiefdoms, and the powers that be
like it that way.

What this means is that UNLESS the board of directors empowers
the CIO to tell every last group in the organization that they
are going to do it this way or the highway, then a conversion is
simply going to muck it up worse than it is now.  You think it is
bad when 2 IPv4 networks use back-to-back NAT to communicate within
that org - just wait til you have 2 fiefdoms switched to IPv6
and a fiefdom that is used to connect the 2 that refuses to
switch to IPv6, and the 2 IPv6 fiefdoms now want to send IPv6
to each other.

I very strongly suspect with LHS that if they ever had to go
to IPv6 to get internet connectivity, that they will just put in
proxies.  I fully expect that their internal net will be IPv4
long after most companies have switched.  Fortunately, my doctor
doesn't work in that company. ;-)

>Of course, one solution is to not convert certain devices to IPv6 but
>just live with the IPv4 stuff that works. When those networks become
>isolated IPv4 islands in an IPv6 network, it will never again be
>necessary to renumber the IPv4 interfaces.
>
>> For the people that talk about IPv6 renumbering like you just 
>> flip a switch and change the prefix in the router, may I 
>> humbly suggest you are out of your fricking mind. 
>
>The people who tell you to renumber this way, also point out how they
>planned and prepared from the time they were first installing their
>network. The real lesson, is not that IPv6 networks can be renumbered at
>a flick of a switch, but that building renumberability in from the
>start, makes it very easy to do. Also, note that IPv6 requires two
>switch flicks. One to turn on the new prefix, and the other to turn off
>the old prefix after a delay of days or weeks. 
>
>During those interim weeks, you could probably renumber the firewalls
>one by one.
>

At least half the firewalls simply aren't even required.  They exist
for political reasons - to justify someone's position in the company.
A doctor group in that company may have their own IT group because
they always had one, or because they are prima donnas who think the
normal desktop support people aren't fast enough, or because they
think it's a badge of status like a marked parking spot, or because
they think they make so much money for the company that they can
do what they want, and they just like sticking it to authority.
And I couldn't renumber those firewalls because I would have to
convince every admin in charge of them that renumbering was necessary -
and if they didn't understand IPv6 they likely would not do it.

Seriously, if LHS came to me and asked me to organize a renumber I
would not do it unless I got 20 million bucks up front that would
be forfeited to me if they did not uphold their end of the contract -
and I would have written in to the contract that I could tell
any IT person or user in the company that they had to follow my
IT guidelines or figure out how to do their jobs without benefit
of connectivity to the network.  No, on second thought, make that
200 million bucks.  It would have to be large enough to be
noticed by the stockholders.  20 million is pocket change for that
company.

Without that kind of big stick, that network could not ever be
organized. Even the CEO and chairman of the board of that company
don't have that big of a stick.

>IPv6 is *NOT* just IPv4 with more bits. It works differently and
>seemingly small differences have larger knock-on effects.
>

For companies like LHS that are 2 steps away from network anarchy,
IPv6 will come just like all other network upgrades on that network
come - in bits and pieces, here and there on their network.  It will
not be organized.  But it will serve to perpetuate the bureaucracy
and the people who have manufactured positions in that org for
themselves will continue to have their positions.

Ted