[ppml] *Spam?* Re: IPv6 flawed?

Kevin Kargel kkargel at polartel.com
Mon Sep 17 15:09:36 EDT 2007


 Ted,
	I completely hear what you are saying, and I agree that the
situation not only exists but is just as drastic as you are saying.
This is not a unique situation, and exists with distressing frequency.
	Having stipulated that, bad network design should not be a
driver for protocol specification.  Rather, a good protocol
specification should be a leading factor to good network design.  People
involved in bad networks are just going to have to bite the expensive
bullets and get their house in order some time.  For many that time will
come at meltdown, as they will refuse to spend the money until they are
broken and a crisis exists.
	I feel sorry for the admins who will have to untangle the can of
worms, but that does not give the WG the onus for protecting their
convoluted networks.

	While I admit I'm a meanie-butt (well, it's close to polite
language), we all need to remember that the migration to IPv6 from IPv4
is a conversion, not an upgrade.  We are not simply modifying an
existing network, we are creating or installing a new network.  The IPv6
network may overlay, and in some fashion interoperate with the IPv4
network, but they will not be merged.

	Due to the hard work and due diligence of the many amazing
people involved this will be a lot less painful than it could be, but
there will necessarily be some different network architectures in place
when the dust settles.

jmho
Kevin

> -----Original Message-----
> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On 
> Behalf Of Ted Mittelstaedt
> Sent: Monday, September 17, 2007 1:52 PM
> To: michael.dillon at bt.com; ppml at arin.net
> Subject: *Spam?* Re: [ppml] IPv6 flawed?
> 
> 
> 
> >-----Original Message-----
> >From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net]On 
> Behalf Of 
> >michael.dillon at bt.com
> >Sent: Monday, September 17, 2007 11:15 AM
> >To: ppml at arin.net
> >Subject: Re: [ppml] IPv6 flawed?
> >
> >
> >
> >> Firewalls are common and plentiful in that WAN/LAN all run 
> by these 
> >> different fiefdoms and they all use large access lists with 
> >> hard-coded host numbers in them.  There is really not one single 
> >> person - in my humble opinion - who knows all about all 
> applications 
> >> on the network and all servers and who all is supposed to be using 
> >> them.  The typical MO to setup a worker bee in the 
> organization can 
> >> involve discussions with tens of different admins to get access to 
> >> all the stuff the person needs.
> >
> >And every single one of those devices needs to be CHANGED in 
> order to 
> >convert it to IPv6. At the time of conversion (or preferably 
> during the 
> >audit preceding conversion) it makes sense to try and get 
> some control 
> >over these ACLs to facilitate renumbering.
> >
> 
> I agree.  However I think you missed the part where I said 
> that the network is organized - a misuse of the term 
> organized if I ever heard of one - into a set of fiefdoms, 
> and the powers that be like it that way.
> 
> What this means is that UNLESS the board of directors 
> empowers the CIO to tell every last group in the organization 
> that they are going to do it this way or the highway, then a 
> conversion is simply going to muck it up worse than it is 
> now.  You think it is bad when 2 IPv4 networks use 
> back-to-back NAT to communicate within that org - just wait 
> til you have 2 fiefdoms switched to IPv6 and a fiefdom that 
> is used to connect the 2 that refuses to switch to IPv6, and 
> the 2 IPv6 fiefdoms now want to send IPv6 to each other.
> 
> I very strongly suspect with LHS that if they ever had to go 
> to IPv6 to get internet connectivity, that they will just put 
> in proxies.  I fully expect that their internal net will be 
> IPv4 long after most companies have switched.  Fortunately, my 
> doctor doesn't work in that company. ;-)
> 
> >Of course, one solution is to not convert certain devices to 
> IPv6 but 
> >just live with the IPv4 stuff that works. When those networks become 
> >isolated IPv4 islands in an IPv6 network, it will never again be 
> >necessary to renumber the IPv4 interfaces.
> >
> >> For the people that talk about IPv6 renumbering like you 
> just flip a 
> >> switch and change the prefix in the router, may I humbly 
> suggest you 
> >> are out of your fricking mind.
> >
> >The people who tell you to renumber this way, also point out 
> how they 
> >planned and prepared from the time they were first installing their 
> >network. The real lesson, is not that IPv6 networks can be 
> renumbered 
> >at a flick of a switch, but that building renumberability in 
> from the 
> >start, makes it very easy to do. Also, note that IPv6 requires two 
> >switch flicks. One to turn on the new prefix, and the other 
> to turn off 
> >the old prefix after a delay of days or weeks.
> >
> >During those interim weeks, you could probably renumber the 
> firewalls 
> >one by one.
> >
> 
> At least half the firewalls simply aren't even required.  
> They exist for political reasons - to justify someone's 
> position in the company.
> A doctor group in that company may have their own IT group 
> because they always had one, or because they are 
> prima donnas who think the normal desktop support people 
> aren't fast enough, or because they think it's a badge of 
> status like a marked parking spot, or because they think they 
> make so much money for the company that they can do what they 
> want, and they just like sticking it to authority.
> And I couldn't renumber those firewalls because I would have 
> to convince every admin in charge of them that renumbering 
> was necessary - and if they didn't understand IPv6 they 
> likely would not do it.
> 
> Seriously, if LHS came to me and asked me to organize a 
> renumber I would not do it unless I got 20 million bucks up 
> front that would be forfeited to me if they did not uphold 
> their end of the contract - and I would have written in to 
> the contract that I could tell any IT person or user in the 
> company that they had to follow my IT guidelines or figure 
> out how to do their jobs without benefit of connectivity to 
> the network.  No, on second thought, make that 200 million 
> bucks.  It would have to be large enough to be noticed by the 
> stockholders.  20 million is pocket change for that company.
> 
> Without that kind of big stick, that network could not ever 
> be organized. Even the CEO and chairman of the board of that 
> company don't have that big of a stick.
> 
> >IPv6 is *NOT* just IPv4 with more bits. It works differently and 
> >seemingly small differences have larger knock-on effects.
> >
> 
> For companies like LHS that are 2 steps away from network anarchy,
> IPv6 will come just like all other network upgrades on that 
> network come - in bits and pieces, here and there on their 
> network.  It will not be organized.  But it will serve to 
> perpetuate the bureaucracy and the people who have manufactured 
> positions in that org for themselves will continue to have 
> their positions.
> 
> Ted
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to 
> the ARIN Public Policy Mailing List (PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/ppml Please contact 
> the ARIN Member Services Help Desk at info at arin.net if you 
> experience any issues.
> 
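The renumbering Michael describes in the quoted reply (turn on the new prefix, withdraw the old one days or weeks later, and fix the hard-coded ACL entries in between) as an added Python example; it is not code from the thread, and the prefixes and ACL lines are constructed documentation values.

```python
import ipaddress

# Constructed sample, not from the thread: one fiefdom's ACL written with
# hard-coded IPv6 host addresses under the old prefix. Both prefixes are
# made-up 2001:db8::/32 documentation values.
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:2::/48")
SAMPLE_ACL = [
    "permit tcp any host 2001:db8:1:10::25 eq 25",
    "permit tcp any host 2001:db8:1:20::80 eq 443",
    "deny ip any host 2001:db8:1:30::1",
    "permit tcp any host 2001:db8:ffff::1 eq 22",  # not under our prefix: left alone
]


def renumber_addr(addr, old=OLD_PREFIX, new=NEW_PREFIX):
    """Move addr from the old prefix to the new one, keeping the subnet and
    interface-ID bits. Returns None when addr is not inside the old prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in old:
        return None
    low_bits = int(a) & ((1 << (128 - old.prefixlen)) - 1)
    return str(ipaddress.IPv6Address(int(new.network_address) | low_bits))


def renumber_acl(acl, old=OLD_PREFIX, new=NEW_PREFIX):
    """Return (interim, final). The interim ACL keeps each old entry beside
    its renumbered twin, because both prefixes are live between the two
    'switch flicks'; the final ACL, applied once the old prefix is withdrawn,
    carries only the new entries. Lines outside the old prefix pass through."""
    interim, final = [], []
    for line in acl:
        tokens = line.split()
        if "host" in tokens:
            i = tokens.index("host") + 1
            moved = renumber_addr(tokens[i], old, new)
            if moved is not None:
                new_line = " ".join(tokens[:i] + [moved] + tokens[i + 1:])
                interim += [line, new_line]
                final.append(new_line)
                continue
        interim.append(line)
        final.append(line)
    return interim, final


if __name__ == "__main__":
    interim, final = renumber_acl(SAMPLE_ACL)
    print("\n".join(["-- interim --"] + interim + ["-- final --"] + final))
```

Hosts that were numbered by hand rather than derived from the prefix (the out-of-prefix entry above) are exactly the ones this pass cannot move, which is the audit list the quoted reply says should be built before conversion.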


