[ppml] IPv6 flawed?
tedm at ipinc.net
Mon Sep 17 15:51:15 EDT 2007
"Solved" and "eased" are two different things. This thread wasn't
about "solving" things as I recall.

Of course, I agree the proper way to fix a mess like I outlined
is to sweep it away and start over. I'd love to do that with a
lot of things. When my kid spits out some nasty phrase he
learned watching some movie or TV program of course I think it
would be better if it was just swept out of his vocabulary. But
the real world doesn't work that way as much as we want it to.

Legacy's operational problems won't be solved by IPv6 no matter
what we do to the protocol. I have full confidence that when they
do deploy IPv6 they will botch it. They will end up with an
IPv6 network that would be as difficult to renumber as their
current IPv4 network. Their admins know this, and so most likely
when they do renumber, they will not accept IPv6 addresses assigned
from a "local registry AKA ISP". They aren't completely stupid
after all, at least some of the admins there do know how screwed
they really are.

Most likely they will go with RFC 4193
addresses - assuming that RFC 4193 does in fact become a standard
instead of merely a proposal - and if it doesn't, why then as I
pointed out earlier, they will just use any old addresses out of
the IPv6 address space. To hell if it's assigned to someone else
or not. Then they will go find some vendor who will cobble together
some proprietary NAT proxy solution for them.

So, getting back to the original point of the thread - what do you
want? I'm guessing you are of the camp that would look at Legacy
and say "screw them, they get what they deserve".

I am from the camp that has a bit more compassion. It is no skin off
my nose if RFC 4193 is standardized or not, or if IETF standardizes IPv6
NAT or not. It completely doesn't hurt or harm me if those standards
exist. So, because of this, and because the existence of those things
would help make life just a bit more bearable for the poor admins that
do have to work in an environment like LHS - I don't understand how
people like you can take such a cold attitude.

After all, these things like network protocols and suchlike are mere
devices, created to make life easier for us humans. When we start
worshipping the machine as more important than the human - which I
feel is at the base of these "network purity" religious wars - we lose
sight of what is important.

>From: Cort Buffington [mailto:cort at kanren.net]
>Sent: Monday, September 17, 2007 11:56 AM
>To: Ted Mittelstaedt
>Cc: michael.dillon at bt.com; ppml at arin.net
>Subject: Re: [ppml] IPv6 flawed?
>Concerning the example organization we're talking about (which is
>typical of the large healthcare networks we have encountered -- for
>some reason healthcare seems to really struggle): Their problems are
>organizational, not technical. They will not be solved with a
>network layer protocol.
>On Sep 17, 2007, at 1:51 PM, Ted Mittelstaedt wrote:
>>> -----Original Message-----
>>> From: ppml-bounces at arin.net [mailto:ppml-bounces at arin.net] On Behalf Of michael.dillon at bt.com
>>> Sent: Monday, September 17, 2007 11:15 AM
>>> To: ppml at arin.net
>>> Subject: Re: [ppml] IPv6 flawed?
>>>> Firewalls are common and plentiful in that WAN/LAN all run by
>>>> these different fiefdoms and they all use large access lists
>>>> with hard-coded host numbers in them. There is really not
>>>> one single person - in my humble opinion - who knows all
>>>> about all applications on the network and all servers and who
>>>> all is supposed to be using them. The typical MO to setup a
>>>> worker bee in the organization can involve discussions with
>>>> tens of different admins to get access to all the stuff the
>>>> person needs.
>>> And every single one of those devices needs to be CHANGED in order to
>>> convert it to IPv6. At the time of conversion (or preferably during the
>>> audit preceding conversion) it makes sense to try and get some
>>> over these ACLs to facilitate renumbering.
>> I agree. However I think you missed the part where I said that the
>> network is organized - a misuse of the term organized if I ever
>> heard of one - into a set of fiefdoms, and the powers that be
>> like it that way.
>> What this means is that UNLESS the board of directors empowers
>> the CIO to tell every last group in the organization that they
>> are going to do it this way or the highway, then a conversion is
>> simply going to muck it up worse than it is now. You think it is
>> bad when 2 IPv4 networks use back-to-back NAT to communicate within
>> that org - just wait til you have 2 fiefdoms switched to IPv6
>> and a fiefdom that is used to connect the 2 that refuses to
>> switch to IPv6, and the 2 IPv6 fiefdoms now want to send IPv6
>> to each other.
>> I very strongly suspect with LHS that if they ever had to go
>> to IPv6 to get internet connectivity, that they will just put in
>> proxies. I fully expect that their internal net will be IPv4
>> long after most companies have switched. Fortunately, my doctor
>> doesn't work in that company. ;-)
>>> Of course, one solution is to not convert certain devices to IPv6 but
>>> just live with the IPv4 stuff that works. When those networks become
>>> isolated IPv4 islands in an IPv6 network, it will never again be
>>> necessary to renumber the IPv4 interfaces.
>>>> For the people that talk about IPv6 renumbering like you just
>>>> flip a switch and change the prefix in the router, may I
>>>> humbly suggest you are out of your fricking mind.
>>> The people who tell you to renumber this way also point out how they
>>> planned and prepared from the time they were first installing their
>>> network. The real lesson is not that IPv6 networks can be renumbered at
>>> a flick of a switch, but that building renumberability in from the
>>> start makes it very easy to do. Also, note that IPv6 requires two
>>> switch flicks. One to turn on the new prefix, and the other to turn off
>>> the old prefix after a delay of days or weeks.
>>> During those interim weeks, you could probably renumber the firewalls
>>> one by one.
>> At least half the firewalls simply aren't even required. They exist
>> for political reasons - to justify someone's position in the company.
>> A doctor group in that company may have their own IT group because
>> they always had one, or because they are prima donnas who think the
>> normal desktop support people aren't fast enough, or because they
>> think it's a badge of status like a marked parking spot, or because
>> they think they make so much money for the company that they can
>> do what they want, and they just like sticking it to authority.
>> And I couldn't renumber those firewalls because I would have to
>> convince every admin in charge of them that renumbering was necessary -
>> and if they didn't understand IPv6 they likely would not do it.
>> Seriously, if LHS came to me and asked me to organize a renumber I
>> would not do it unless I got 20 million bucks up front that would
>> be forfeited to me if they did not uphold their end of the contract -
>> and I would have written into the contract that I could tell
>> any IT person or user in the company that they had to follow my
>> IT guidelines or figure out how to do their jobs without benefit
>> of connectivity to the network. No, on second thought, make that
>> 200 million bucks. It would have to be large enough to be
>> noticed by the stockholders. 20 million is pocket change for that
>> Without that kind of big stick, that network could not ever be
>> organized. Even the CEO and chairman of the board of that company
>> don't have that big of a stick.
>>> IPv6 is *NOT* just IPv4 with more bits. It works differently and
>>> seemingly small differences have larger knock-on effects.
>> For companies like LHS that are 2 steps away from network anarchy,
>> IPv6 will come just like all other network upgrades on that network
>> come - in bits and pieces, here and there on their network. It will
>> not be organized. But it will serve to perpetuate the bureaucracy
>> and the people who have manufactured positions in that org for
>> themselves will continue to have their positions.
>Assistant Director for Technical Services
>The Kansas Research and Education Network
>cort at kanren.net
>Office: +1-785-856-9800 x301