Mailing List Archive

Another driver for v6?
According to
http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
Windows 7 will have a cool feature called DirectAccess that "requires
deploying IPv6 and IPsec". I know nothing more of this feature than is
in the article, but if accurate it may create a client-centric demand
for v6, i.e., desirable new functionality that isn't available on v4.

Of course, Windows 7 will have to ship first, and then get deployed in
the enterprise...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Another driver for v6? [ In reply to ]
On 29/10/2008, at 3:40 PM, Steven M. Bellovin wrote:

> According to
> http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec". I know nothing more of this feature than
> is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.
>
> Of course, Windows 7 will have to ship first, and then get deployed in
> the enterprise...


Thanks, Teredo.

Interesting point, IPSEC is really useful in IPv6, especially
transport mode opportunistic encryption/authentication. But, that
requires (in my understanding) keys in DNS, which really needs a
secure DNS infrastructure to be, well, secure...

stir stir stir

Notice the DNSSEC support at the end of page one and beginning of page
two.

--
Nathan Ward
Re: Another driver for v6? [ In reply to ]
Nathan Ward wrote:
> On 29/10/2008, at 3:40 PM, Steven M. Bellovin wrote:
>
>> According to
>> http://www.nytimes.com/external/idg/2008/10/28/28idg-10-best-feature.html
>> Windows 7 will have a cool feature called DirectAccess that "requires
>> deploying IPv6 and IPsec". ...
>
>
> Thanks, Teredo.
>
> Interesting point, IPSEC is really useful in IPv6, especially transport
> mode opportunistic encryption/authentication. But, that requires (in my
> understanding) keys in DNS, which really needs a secure DNS
> infrastructure to be, well, secure...
>
> ...

The new UDP-based RTMFP protocol that just shipped in Flash Player 10
will automatically use IPv6 for both client-server (to Flash Media
Server) and direct Flash Player-to-Flash Player communication if there
is a working IPv6 path between the endpoints and it is at least as fast
or faster than the IPv4 path latency-wise. (Not that there are many of
those these days... but as they start to exist, you'll start seeing the
traffic on them) It is also encrypted and (in some cases) authenticated.

Matthew Kaufman
matthew@eeph.com
http://www.matthew.at
Re: Another driver for v6? [ In reply to ]
On Tue, 28 Oct 2008, Steven M. Bellovin wrote:

> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec". I know nothing more of this feature than is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.

Microsoft has been at at least two events I've attended and done
presentations about a strategy that sounds like what you're talking about.

They claim they will deploy IPv6 in their worldwide enterprise network, do
away with central based enterprise firewalls and do host-to-host
IPv6+IPSEC, Active Directory based certificates for authentication.

They indicate this as a strategy to do away with VPN clients, so in order
to reach your work resources from home you'd need to have some kind of
IPv6 connectivity, tunneled or not. You'd then connect to all resources
using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end
principle of the Internet that most of us appreciate. I also bought their
claim about much improved security and their 5 year long track of no
remote exploits like Slammer, when they had to release their emergency
patch for that RPC based remote exploit the other week, which kind of
broke their streak... :P

Let's hope they can sell this to all the enterprise guys, as I am very
tired of all the problems caused by multiple layers of NATs and PAT.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
> They claim they will deploy IPv6 in their worldwide enterprise network, do
> away with central based enterprise firewalls and do host-to-host
> IPv6+IPSEC, Active Directory based certificates for authentication.

That's why we end up breaking end to end, to cover up for stuff that
exposes more than people are comfortable with

> All security would be host based.

Right, the last thing to trust based on experience so far

First they need to get rid of all the bots and other
malware before hosts can be trusted.

> as I am very tired of all the problems caused by multiple
> layers of NATs and PAT.

Likewise but more because people keep designing stuff to try and force
others to get rid of them, ignoring why they have them.

brandon
Re: Another driver for v6? [ In reply to ]
Brandon Butterworth wrote:
>> as I am very tired of all the problems caused by multiple
>> layers of NATs and PAT.
>
> Likewise but more because people keep designing stuff to try and force
> others to get rid of them, ignoring why they have them.

A false sense of security? The belief that hiding behind a single IP might
disguise how many hosts you have, which in turn might provide some form of
hidden security?

Inside the network, host to host security is what should be. This can assist in
some protection against bots that do make it to the network, or internal
maliciousness. Security from within has always been overlooked by many, and yet
it is the employees who provide the largest security risk.

Stateful firewalls will not be going away entirely, but they can track state and
perform proxy services without performing address translation. It just scares
people because of their false belief that translating an address shows that
security is working. If stateful monitoring/proxying/limiting is not in working,
the address translation doesn't really matter.

NAT has had it's uses, but it's lazy and a false sense of overall security. I do
think Microsoft is crazy if they think the need for VPN will disappear, unless
they have another method for the stateful firewalls to snoop, monitor, and alter
the IPSEC host to host packets (which isn't entirely impossible).


Jack Bates
Re: Another driver for v6? [ In reply to ]
Mikael Abrahamsson wrote:
> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>

> They claim they will deploy IPv6 in their worldwide enterprise network,
> do away with central based enterprise firewalls and do host-to-host
> IPv6+IPSEC, Active Directory based certificates for authentication.

You know that windows 2000 was released with this functionality. Its
nothing new and it is not ipv6 specific.

Who is using it precisely?
Re: Another driver for v6? [ In reply to ]
On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:

>
>
> Mikael Abrahamsson wrote:
>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>
>> They claim they will deploy IPv6 in their worldwide enterprise
>> network, do away with central based enterprise firewalls and do
>> host-to-host IPv6+IPSEC, Active Directory based certificates for
>> authentication.
>
> You know that windows 2000 was released with this functionality. Its
> nothing new and it is not ipv6 specific.
>
> Who is using it precisely?

Microsoft, on 200,000 computers at the time of the paper below.

http://technet.microsoft.com/en-us/library/bb735174.aspx

We have a couple of departments using IPsec here and one more
seriously looking at it. (Mainly a matter of finding time to test and
implement.)

Plus there are at least a couple of other Universities.

http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1

https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1

And I see a City has been added to the list.

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161



http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf


---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
Re: Another driver for v6? [ In reply to ]
Kind of a side question but we have not implemented IPv6 in our network
yet, nor have we made any plans to do this in the near future. Our
management does not see a need for it as our customer base is not
requesting it at this time.

Does anyone see any benefits to beginning a small deployment of IPv6 now
even if its just for internal usage?

Bruce Curtis wrote:
>
> On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:
>
>>
>>
>> Mikael Abrahamsson wrote:
>>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>>
>>> They claim they will deploy IPv6 in their worldwide enterprise
>>> network, do away with central based enterprise firewalls and do
>>> host-to-host IPv6+IPSEC, Active Directory based certificates for
>>> authentication.
>>
>> You know that windows 2000 was released with this functionality. Its
>> nothing new and it is not ipv6 specific.
>>
>> Who is using it precisely?
>
> Microsoft, on 200,000 computers at the time of the paper below.
>
> http://technet.microsoft.com/en-us/library/bb735174.aspx
>
> We have a couple of departments using IPsec here and one more
> seriously looking at it. (Mainly a matter of finding time to test and
> implement.)
>
> Plus there are at least a couple of other Universities.
>
> http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1
>
>
> https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1
>
>
> And I see a City has been added to the list.
>
> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161
>
>
>
>
> http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf
>
>
> ---
> Bruce Curtis bruce.curtis@ndsu.edu
> Certified NetAnalyst II 701-231-8527
> North Dakota State University
>
>

--
Steve King

Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional
Re: Another driver for v6? [ In reply to ]
On 30/10/2008, at 11:32 AM, Steven King wrote:

> Kind of a side question but we have not implemented IPv6 in our
> network
> yet, nor have we made any plans to do this in the near future. Our
> management does not see a need for it as our customer base is not
> requesting it at this time.
>
> Does anyone see any benefits to beginning a small deployment of IPv6
> now
> even if its just for internal usage?

Do your customers ask for IPv4, or do they just connect to the
"Internet" as you tell them?
Your customers are never going to ask, unless they have some propeller-
head who wants to be on the latest "version of the Internet".

If you tell them that you're giving them IPv6 service, you'll find
they start using it, and they'll ask other providers for it when re-
evaluating their service providers, and decide to stick with you as
you're forward looking and all that stuff.

I'm so over this chicken/egg thing it's not even funny, just do it
already. Well, if you don't it's no problem I suppose, your users are
automatically tunnelling across you already.

If you're only thinking about doing a small IPv6 deployment now,
you're behind the curve.

--
Nathan Ward
Re: Another driver for v6? [ In reply to ]
question - "beginning a small deployment of IPv6 now
even if its just for internal usage"


Sure! there are plenty of reasons .........most obvious one is to feel confortable about ipv6




--- On Wed, 10/29/08, Steven King <sking@kingrst.com> wrote:

> From: Steven King <sking@kingrst.com>
> Subject: Re: Another driver for v6?
> To: "Bruce Curtis" <bruce.curtis@ndsu.edu>
> Cc: nanog@nanog.org
> Date: Wednesday, October 29, 2008, 11:32 PM
> Kind of a side question but we have not implemented IPv6 in
> our network
> yet, nor have we made any plans to do this in the near
> future. Our
> management does not see a need for it as our customer base
> is not
> requesting it at this time.
>
> Does anyone see any benefits to beginning a small
> deployment of IPv6 now
> even if its just for internal usage?
>
> Bruce Curtis wrote:
> >
> > On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:
> >
> >>
> >>
> >> Mikael Abrahamsson wrote:
> >>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
> >>
> >>> They claim they will deploy IPv6 in their
> worldwide enterprise
> >>> network, do away with central based enterprise
> firewalls and do
> >>> host-to-host IPv6+IPSEC, Active Directory
> based certificates for
> >>> authentication.
> >>
> >> You know that windows 2000 was released with this
> functionality. Its
> >> nothing new and it is not ipv6 specific.
> >>
> >> Who is using it precisely?
> >
> > Microsoft, on 200,000 computers at the time of the
> paper below.
> >
> >
> http://technet.microsoft.com/en-us/library/bb735174.aspx
> >
> > We have a couple of departments using IPsec here and
> one more
> > seriously looking at it. (Mainly a matter of finding
> time to test and
> > implement.)
> >
> > Plus there are at least a couple of other
> Universities.
> >
> >
> http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1
> >
> >
> >
> https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1
> >
> >
> > And I see a City has been added to the list.
> >
> >
> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161
> >
> >
> >
> >
> >
> http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf
> >
> >
> > ---
> > Bruce Curtis
> bruce.curtis@ndsu.edu
> > Certified NetAnalyst II 701-231-8527
> > North Dakota State University
> >
> >
>
> --
> Steve King
>
> Cisco Certified Network Associate
> CompTIA Linux+ Certified Professional
> CompTIA A+ Certified Professional
Re: Another driver for v6? [ In reply to ]
I personally agree with that. Now only if I can convince our management
to start work on that.

isabel dias wrote:
> question - "beginning a small deployment of IPv6 now
> even if its just for internal usage"
>
>
> Sure! there are plenty of reasons .........most obvious one is to feel confortable about ipv6
>
>
>
>
> --- On Wed, 10/29/08, Steven King <sking@kingrst.com> wrote:
>
>
>> From: Steven King <sking@kingrst.com>
>> Subject: Re: Another driver for v6?
>> To: "Bruce Curtis" <bruce.curtis@ndsu.edu>
>> Cc: nanog@nanog.org
>> Date: Wednesday, October 29, 2008, 11:32 PM
>> Kind of a side question but we have not implemented IPv6 in
>> our network
>> yet, nor have we made any plans to do this in the near
>> future. Our
>> management does not see a need for it as our customer base
>> is not
>> requesting it at this time.
>>
>> Does anyone see any benefits to beginning a small
>> deployment of IPv6 now
>> even if its just for internal usage?
>>
>> Bruce Curtis wrote:
>>
>>> On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:
>>>
>>>
>>>> Mikael Abrahamsson wrote:
>>>>
>>>>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>>>>>
>>>>> They claim they will deploy IPv6 in their
>>>>>
>> worldwide enterprise
>>
>>>>> network, do away with central based enterprise
>>>>>
>> firewalls and do
>>
>>>>> host-to-host IPv6+IPSEC, Active Directory
>>>>>
>> based certificates for
>>
>>>>> authentication.
>>>>>
>>>> You know that windows 2000 was released with this
>>>>
>> functionality. Its
>>
>>>> nothing new and it is not ipv6 specific.
>>>>
>>>> Who is using it precisely?
>>>>
>>> Microsoft, on 200,000 computers at the time of the
>>>
>> paper below.
>>
>>>
>>>
>> http://technet.microsoft.com/en-us/library/bb735174.aspx
>>
>>> We have a couple of departments using IPsec here and
>>>
>> one more
>>
>>> seriously looking at it. (Mainly a matter of finding
>>>
>> time to test and
>>
>>> implement.)
>>>
>>> Plus there are at least a couple of other
>>>
>> Universities.
>>
>>>
>> http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258&LanguageID=1
>>
>>>
>>>
>> https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205&LanguageID=1
>>
>>> And I see a City has been added to the list.
>>>
>>>
>>>
>> http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000161
>>
>>>
>>>
>>>
>>>
>> http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf
>>
>>> ---
>>> Bruce Curtis
>>>
>> bruce.curtis@ndsu.edu
>>
>>> Certified NetAnalyst II 701-231-8527
>>> North Dakota State University
>>>
>>>
>>>
>> --
>> Steve King
>>
>> Cisco Certified Network Associate
>> CompTIA Linux+ Certified Professional
>> CompTIA A+ Certified Professional
>>
>
>
>
>

--
Steve King

Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional
Re: Another driver for v6? [ In reply to ]
On 30/10/2008, at 11:48 AM, Steven King wrote:

> I personally agree with that. Now only if I can convince our
> management
> to start work on that.
>
> isabel dias wrote:
>> question - "beginning a small deployment of IPv6 now
>> even if its just for internal usage"
>>
>>
>> Sure! there are plenty of reasons .........most obvious one is to
>> feel confortable about ipv6
>>


Another related good reason is so that in 18 months when they decide
they need it done last week, contractors like myself don't charge you
through the nose to implement it because management wouldn't let you
guys skill up on a test network now. That makes it a monetary thing,
something they understand better perhaps..

Yep, this post is going against my best instincts.

--
Nathan Ward
Re: Another driver for v6? [ In reply to ]
On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
> Does anyone see any benefits to beginning a small deployment of IPv6 now
> even if its just for internal usage?

It is almost lunacy to deploy IPv6 in a customer-facing sense (note
for example Google's choice to put its AAAA on a separate FQDN). At
this point, I'd say people are still trying to figure out how clients
will migrate to IPv6. Which seems like a pretty bad time to still be
trying to figure that out, but ohwell.


It is at this time more a question of strategic positioning. The
kind of thing your boss should be thinking about.

Switching your management network to IPv6 single-stack frees up
IPv4 addresses (depending on how big your management network is)
to use in customer-facing areas, which gives your network longer
legs in the projected IPv4 address shortfall. If you get really
pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
giving you another handful of precious moneymaking IPv4 addresses.

Having your backbone and servers AAAA'd (even on separate FQDN's),
tested, and ready to go puts you ahead of the curve if clients start
rolling out (you can just move your AAAA's around).

Starting now on collecting IPv6 peering wherever you peer puts you
ahead of the curve in the quality of your network's connectedness,
again presuming this IPv6 thing takes off.

And of course you need to "run your own dog food" on internal LANs
before you start telling customers these IPv6 address thingies are
useful.


IPv6: It's kind of like storing dry food in preparation for the
apocalypse.

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
On Wed, 29 Oct 2008 16:29:40 -0700
"David W. Hankins" <David_Hankins@isc.org> wrote:

> On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
> > Does anyone see any benefits to beginning a small deployment of
> > IPv6 now even if its just for internal usage?
>
> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
> for example Google's choice to put its AAAA on a separate FQDN). At
> this point, I'd say people are still trying to figure out how clients
> will migrate to IPv6. Which seems like a pretty bad time to still be
> trying to figure that out, but ohwell.
>
Once, after hearing Vint Cerf give a cheerleading talk for v6, I asked
why google.com didn't have a AAAA record. He just groaned -- but of
course I knew the answer just as well as he did.
>
> It is at this time more a question of strategic positioning. The
> kind of thing your boss should be thinking about.
>
> Switching your management network to IPv6 single-stack frees up
> IPv4 addresses (depending on how big your management network is)
> to use in customer-facing areas, which gives your network longer
> legs in the projected IPv4 address shortfall. If you get really
> pressed, you can tunnel your IPv4 network over an IPv6-only backbone,
> giving you another handful of precious moneymaking IPv4 addresses.
>
> Having your backbone and servers AAAA'd (even on separate FQDN's),
> tested, and ready to go puts you ahead of the curve if clients start
> rolling out (you can just move your AAAA's around).
>
> Starting now on collecting IPv6 peering wherever you peer puts you
> ahead of the curve in the quality of your network's connectedness,
> again presuming this IPv6 thing takes off.
>
> And of course you need to "run your own dog food" on internal LANs
> before you start telling customers these IPv6 address thingies are
> useful.
>
>
> IPv6: It's kind of like storing dry food in preparation for the
> apocalypse.
>
I'd rate the probability of v6 as rather higher...

More seriously -- you need to get experience with it, and you need to
at least understand where your internal support systems and databases
have v4-only wired in. I'm not saying that substantial, real-world
demand for v6 is imminent or even certain (although frankly, I regard
it as more likely than not). I am saying that the probability of it is
high enough that preparation is simply ordinary prudence.

I posted the story link because for the first time since v6 was real,
there's a *feature* that people will want that relies on it. Never
mind lots of addresses; you can't easily sell that to management. But
something that will make security management easier and cheaper -- you
may be able to avoid triangle routing, with the consequent need for
bigger pipes -- is a story they'll understand. You want to be ready to
serve those customers.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Another driver for v6? [ In reply to ]
On Wed, 29 Oct 2008, David W. Hankins wrote:

> On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
>> Does anyone see any benefits to beginning a small deployment of IPv6 now
>> even if its just for internal usage?
>
> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
> for example Google's choice to put its AAAA on a separate FQDN). At

Could you please elaborate on this point? My data presented
<http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
that there are very very few (the longer I collected the data, the better
the ratio got) who cannot properly fetch a resource that has A/AAAA.

> this point, I'd say people are still trying to figure out how clients
> will migrate to IPv6. Which seems like a pretty bad time to still be
> trying to figure that out, but ohwell.

6to4 and Teredo traffic is increasing very rapidly, so that seems to be
one path taken right now:

<http://ipv6.tele2.net/mrtg/total.html>

(We have all our IPv6 related stats and info on <http://ipv6.tele2.net/>)

But yes, how to get native to residential users is still not hammered out.

> And of course you need to "run your own dog food" on internal LANs
> before you start telling customers these IPv6 address thingies are
> useful.

Quite, I think OSS/BSS is going to be a bigger challenge than actually
moving the IPv6 packets.

> IPv6: It's kind of like storing dry food in preparation for the
> apocalypse.

If you actually KNOW the apocalypse is coming (but not when), this is
correct.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
Mikael Abrahamsson wrote:
> But yes, how to get native to residential users is still not hammered
> out.
It's been an issuing weighing our our minds for a while. We've gone
dual stack but getting it into the last mile (ADSL) is quite hard and
running a tunnel server is ugly.

Main issue is BRAS support from our vendor as well as ADSL CPE under
US$100 (eg. not Cisco 8xx series).
> Quite, I think OSS/BSS is going to be a bigger challenge than actually
> moving the IPv6 packets.
Moving packets is pretty easy. We went to dual stack in the core in
just a couple of months for a network spanning 3 continents. Getting
our customer management systems and BRASes talking IPv6 is going to take
a lot longer. Getting our systems group to IPv6 enable resolvers, dns
etc is also taking longer than it should.

MMC
RE: Another driver for v6? [ In reply to ]
> Does anyone see any benefits to beginning a small deployment
> of IPv6 now even if its just for internal usage?

According to <http://www.getipv6.info/index.php/First_Steps_for_ISPs>
you should deploy some IPv6 transition technology to make sure that
your network does not cause problems for the growing number of your
customers who are already using IPv6.

Of course, getting up to speed on IPv6 is also a worthy goal
especially since it enables you to move much more quickly if
IPv6 takes off suddenly.

--Michael Dillon
Re: Another driver for v6? [ In reply to ]
On 30/10/08 07:10, Mikael Abrahamsson wrote:
> On Wed, 29 Oct 2008, David W. Hankins wrote:
>
>> On Wed, Oct 29, 2008 at 06:32:31PM -0400, Steven King wrote:
>>> Does anyone see any benefits to beginning a small deployment of IPv6 now
>>> even if its just for internal usage?
>>
>> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
>> for example Google's choice to put its AAAA on a separate FQDN). At
>
> Could you please elaborate on this point? My data presented
> <http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
> that there are very very few (the longer I collected the data, the
> better the ratio got) who cannot properly fetch a resource that has A/AAAA.

Your stats (which are very interesting btw, thanks for doing the work)
suggest that the number of clients that would make use of the AAAA
record for a dual-stack service is about the same as the number of
clients that would fail in the event that both A and AAAA were present.
That's not exactly an incentive to content providers is it?

>> IPv6: It's kind of like storing dry food in preparation for the
>> apocalypse.
>
> If you actually KNOW the apocalypse is coming (but not when), this is
> correct.

The end is nigh - http://penrose.uk6x.com/


Mat
RE: Another driver for v6? [ In reply to ]
> It is almost lunacy to deploy IPv6 in a customer-facing sense
> (note for example Google's choice to put its AAAA on a
> separate FQDN).

If you're going to use emotionally charged language then
don't shoot yourself in the foot by using such an
illogical and contrary example.

Google is a very big network-oriented company and they
have indeed deployed IPv6 in a customer-facing sense.
To follow in their footsteps is not lunacy.
They have shown that when you have a large distributed
load-sharing platform, it is perfectly safe to deploy
IPv6 as an alternate service entry point, in the same
way that they have mail.google.com and docs.google as
separate service entry points.

Most people who are urging ISPs to deploy IPv6 are not
telling them to do stupid things like run out and add
AAAA records to all their domain names. We are telling
people to trial and test IPv6 in the lab, and then roll
out specific targeted IPv6 services like a 6to4 relay.
Above all, don't be a lunatic, and do educate yourself
and your staff before you make a move. IPv6 deployment
is not a greenfield deployment so you have to weave it
into the fabric of your own unique network architecture.
That requires understanding of IPv6 which you can only
get by trying it out yourself in your lab environment.

> At this point, I'd say people are still
> trying to figure out how clients will migrate to IPv6.

That is a pretty dumb thing to do. Clients have already
migrated to IPv6 years ago using the technology given
to them by Apple, Microsoft and the free UNIXes.
Job 1 is to support those clients. Job 2 is to figure
out how you can deploy IPv6 at your network edge in
such a way that you can grow the edge without consuming
IPv4 addresses. For many small and mid-size ISPs, Job 2
does not involve anything to do with the customer's "modem"
device because you don't have the kind of relationship
with "modem" vendors to influence their product development.
So focus on your own network edge, not on your customers'
network edges.

> It is at this time more a question of strategic positioning.
> The kind of thing your boss should be thinking about.

Bosses really appreciate well-reasoned white papers with
a clear and straightforward management summary on the first
page. Do you have the information and understanding of IPv6
in order to write such a white paper?

> Switching your management network to IPv6 single-stack

This may actually be the last and toughest thing that ISPs
do because of the variety of software and stuff in the
management network.

--Michael Dillon
Re: Another driver for v6? [ In reply to ]
On Thu, 30 Oct 2008, Matthew Ford wrote:

> Your stats (which are very interesting btw, thanks for doing the work)
> suggest that the number of clients that would make use of the AAAA
> record for a dual-stack service is about the same as the number of
> clients that would fail in the event that both A and AAAA were present.
> That's not exactly an incentive to content providers is it?

The last couple of days the ratio went down to less than 0.3% who would
potentially get in trouble (factor is most likely less as the measurement
method penalises later objects).

But yes, there is absolutely no upside to deploying IPv6 for content
providers in the short term. It's like Y2K, there was NO upside to fixing
it until December 31 1999.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
On Thu, Oct 30, 2008 at 08:10:26AM +0100, Mikael Abrahamsson wrote:
> On Wed, 29 Oct 2008, David W. Hankins wrote:
>> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
>> for example Google's choice to put its AAAA on a separate FQDN). At
>
> Could you please elaborate on this point? My data presented
> <http://www.ops.ietf.org/lists/v6ops/v6ops.2008/msg01582.html> indicates
> that there are very very few (the longer I collected the data, the better
> the ratio got) who cannot properly fetch a resource that has A/AAAA.

I'm sorry I led you down the wrong ferret hole. The issue isn't
directly the involvement of a A/AAAA mixed RRsets. The issue is that
such dual placement complicates debugging and operations.

If someone can't reach www.google.com now, you know that it is either
a DNS or IPv4 issue. It is very straightforward.

If someone can't reach the hypothetical A/AAAA www.google.com RRset,
you've just increased your support costs. "My network is slow."
"Are you using IPv4 or IPv6?" "Netscape."

This costs you something, but doesn't gain anything.

Nevermind that IPv6 often breaks at some networks, and no one at
the remote network seems to care to fix it. It is someone's
experiment.

I'm recommending a variety of caution which is to go ahead and deploy
your initial/experimental IPv6 on separate FQDN's, so that you can
easily migrate your AAAA's onto "production names" when there is an
advantage to doing so, and in the meantime you aren't breaking
anything for the rest of the planet.

>> will migrate to IPv6. Which seems like a pretty bad time to still be
>> trying to figure that out, but ohwell.
>
> 6to4 and Teredo traffic is increasing very rapidly, so that seems to be one
> path taken right now:
>
> <http://ipv6.tele2.net/mrtg/total.html>

I don't know how to ask this question without sounding mean, but did
the graph spike out of zero, or did you start collecting two months
ago?


Both Teredo and 6to4 strike me as a kind of network operations
"terrorism." That is, the clients that engage in this automatically.

It proposes precisely the same support-cost-increase problem for the
ISP ("My network is slow." "Are you using IPv4 or IPv6?" "Netscape."),
and it's not clear to me how an ISP can "opt out".

So it's kind of like these OS manufacturers are sending ISP's a little
message; spend your support costs, or we'll spend them for you.

I'm not sure that's productive overall.

>> IPv6: It's kind of like storing dry food in preparation for the
>> apocalypse.
>
> If you actually KNOW the apocalypse is coming (but not when), this is
> correct.

I think everyone knows the IPv4 shortfall is coming. I do not think
the world's view of the consequences is consistent yet.

So I don't think it matters; it's prudent to get a defensible position
today.

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
On 30 Oct 2008, at 15:47, David W. Hankins wrote:

> If someone can't reach the hypothetical A/AAAA www.google.com RRset,
> you've just increased your support costs. "My network is slow."
> "Are you using IPv4 or IPv6?" "Netscape."

Do you think that industry should be working to some kind of well
supported / worldwide flag day when lots of popular resources add v6
records at the same time ?

In the same way that in the UK, appliance manufacturers have been
educating people about the analogue terrestrial TV switchoff by 2012,
do you think that we should be advocating a 'internet PLUS day' some
time in (date plucked from the air) 2014 ?

-a
RE: Another driver for v6? [ In reply to ]
> In the same way that in the UK, appliance manufacturers have
> been educating people about the analogue terrestrial TV
> switchoff by 2012, do you think that we should be advocating
> a 'internet PLUS day' some time in (date plucked from the air) 2014 ?

Actually, the Internet PLUS day should be tied to some other event,
say the London 2012 Olympics. That would be a kind of launch event
for a lot of people to make IPv6 services available. Then, a few years
after this, we could have an Internet version 4 eulogy event and
get a lot of ISPs to shut off legacy IPv4 services. That would have
to be 2016 or later and it wouldn't be like the analog TV shutoff,
because it would not be a 100% shutoff.

I think that technical people underestimate the impact that this
type of an event can provide. While we want to avoid being forced
into a flag-day switchover, that does not mean that a flag day is
all bad. We could have the Internet PLUS flag day in order to
raise awareness and give ISPs a target to shoot for.

--Michael Dillon
Re: Another driver for v6? [ In reply to ]
michael.dillon@bt.com wrote:
> I think that technical people underestimate the impact that this
> type of an event can provide. While we want to avoid being forced
> into a flag-day switchover, that does not mean that a flag day is
> all bad. We could have the Internet PLUS flag day in order to
> raise awareness and give ISPs a target to shoot for.
>

"This new internet is brought to you by Pepsi: the choice a new version!"

or maybe

"IPv6 tastes good, like an Internet should"

or, oh never mind :)

Mike
> --Michael Dillon
>
>
Re: Another driver for v6? [ In reply to ]
On Thu, 30 Oct 2008, David W. Hankins wrote:

> I don't know how to ask this question without sounding mean, but did the
> graph spike out of zero, or did you start collecting two months ago?

It spiked out of zero as we put up our 6to4 and teredo relays approx two
months ago. I don't know where the traffic was before, probably at other
peoples 6to4 relays.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: Another driver for v6? [ In reply to ]
On Thu, 30 Oct 2008 15:55:01 -0000, Andy Davidson said:

> In the same way that in the UK, appliance manufacturers have been
> educating people about the analogue terrestrial TV switchoff by 2012,

Is your side of the pond any more ready than our side is for next Febuary's
drop-dead cutoff?
Re: Another driver for v6? [ In reply to ]
* David W. Hankins

> It is almost lunacy to deploy IPv6 in a customer-facing sense (note
> for example Google's choice to put its AAAA on a separate FQDN). At
> this point, I'd say people are still trying to figure out how clients
> will migrate to IPv6. Which seems like a pretty bad time to still be
> trying to figure that out, but ohwell.

Google has been testing this a bit on their main pages. Select quotes
from the presentation of their results:

> 0.238% of users have useful IPv6 connectivity (and prefer IPv6)
> 0.09% of users have broken IPv6 connectivity

The summary disagrees with you about the «almost lunacy» part:

> It's not that broken
> - ~0.09% clients lost, ~150ms extra latency - don't believe the FUD

The slides are here, they're worth a look in my opinion:

http://rosie.ripe.net/ripe/meetings/ripe-57/presentations/uploads/Thursday/Plenary 14:00/upl/Colitti-Global_IPv6_statistics_-_Measuring_the_current_state_of_IPv6_for_ordinary_users.xD5A.pdf

Best regards,
--
Tore Anderson
Re: Another driver for v6? [ In reply to ]
Google's statistics are using themselves as the subject, a fixed point
in the network. It's hard to guarantee that subjective experience is
going to be equal across the entirety of the network, but let us
presume for the purpose of discussion that they are.

I think the point in the final analysis for customer-facing FQDN's is;

1) How much in USD is 0.09% loss of sales/customer-experience/etc?

2) What amount in USD is acceptable to lose, in order to gain IPv6's
advantages? Be sure to include recurring support costs, abuse, and
engineering manhours for the design and deployment.

Note that the second question is a subjective cost/value analysis,
and the typical operator may not find much value in IPv6 (today).

So again, in summary, I absolutely think every network needs to be
getting IPv6 into their workshops. You have to be prepared for what's
coming. I'm still recommending a variety of caution in that first
deployment on production systems.

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
On Thu, Oct 30, 2008 at 03:55:01PM +0000, Andy Davidson wrote:
> Do you think that industry should be working to some kind of well supported
> / worldwide flag day when lots of popular resources add v6 records at the
> same time ?

This is a sound evolutionary tactic lemmings use. =)

But I'll take you one step simpler; get the industry to choose a day
where it will no longer be acceptable to treat IPv6 like an
experimental project. Sometime last year would have been great.

If you can do that, then the RRset changes would come naturally
afterwards.

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
David W. Hankins wrote:
> On Thu, Oct 30, 2008 at 03:55:01PM +0000, Andy Davidson wrote:
>> Do you think that industry should be working to some kind of well supported
>> / worldwide flag day when lots of popular resources add v6 records at the
>> same time ?
>
> This is a sound evolutionary tactic lemmings use. =)

I know this is way OT, but I can't let it pass. The lemming suicide myth
was created by a very questionable Walt Disney documentary:

http://www.wildlifenews.alaska.gov/index.cfm?adfg=wildlife_news.view_article&issue_id=6&articles_id=56
Re: Another driver for v6? [ In reply to ]
On Fri, Oct 31, 2008 at 10:41:01AM -0600, Mike Lewinski wrote:
>> This is a sound evolutionary tactic lemmings use. =)
>
> I know this is way OT, but I can't let it pass. The lemming suicide myth
> was created by a very questionable Walt Disney documentary:

This is also way OT, but I was actually thinking more of Lemmings(TM),
the video game, as I am not really very familiar with rodents.

We've already got sixxs and hurricane electric set as tunnel lemmings,
we can get through the IPv4 address shortfall by setting a variety of
other ISP's to explode and build bridges...

The only thing to iron out is: Who gets to be (golden) parachute
lemmings?

--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
Re: Another driver for v6? [ In reply to ]
David W. Hankins wrote:
> On Fri, Oct 31, 2008 at 10:41:01AM -0600, Mike Lewinski wrote:
>>> This is a sound evolutionary tactic lemmings use. =)
>> I know this is way OT, but I can't let it pass. The lemming suicide myth
>> was created by a very questionable Walt Disney documentary:
>
> This is also way OT, but I was actually thinking more of Lemmings(TM),
> the video game, as I am not really very familiar with rodents.
>
> We've already got sixxs and hurricane electric set as tunnel lemmings,
> we can get through the IPv4 address shortfall by setting a variety of
> other ISP's to explode and build bridges...

For the end-users who use those services, I am pretty sure it is more
the user playing the game (aka the services providing guidance), than
being the lemmings who just keep on running and commit suicide (aka the
networks who are not moving, getting experience and doing something).

Greets,
Jeroen
(Who still ranks Lemmings(tm) as one of the top games ever,
simple and way too much fun, Amiga Lemmings X-mas special anyone? :) )
Re: Another driver for v6? [ In reply to ]
ever heard of the concept "open market"

ipv4 address space delegations will just move from the rirs to places like
ebay, problem solved.

most of it is unused anyway (milnet, amateur radio ranges, etc)

--
HRH Sven Olaf Prinz von CyberBunker-Kamphuis, MP.

Minister of Telecommunications, Republic CyberBunker.

Phone: +49/163-4405069
Phone: +49/30-36731425
Skype: CB3ROB
MSN: sven@cb3rob.net
C.V.: http://www.linkedin.com/in/cb3rob

Confidential: Please be advised that the information contained in this
email message, including all attached documents or files, is privileged
and confidential and is intended only for the use of the individual or
individuals addressed. Any other use, dissemination, distribution or
copying of this communication is strictly prohibited.

On Fri, 31 Oct 2008, Jeroen Massar wrote:

> David W. Hankins wrote:
> > On Fri, Oct 31, 2008 at 10:41:01AM -0600, Mike Lewinski wrote:
> >>> This is a sound evolutionary tactic lemmings use. =)
> >> I know this is way OT, but I can't let it pass. The lemming suicide myth
> >> was created by a very questionable Walt Disney documentary:
> >
> > This is also way OT, but I was actually thinking more of Lemmings(TM),
> > the video game, as I am not really very familiar with rodents.
> >
> > We've already got sixxs and hurricane electric set as tunnel lemmings,
> > we can get through the IPv4 address shortfall by setting a variety of
> > other ISP's to explode and build bridges...
>
> For the end-users who use those services, I am pretty sure it is more
> the user playing the game (aka the services providing guidance), than
> being the lemmings who just keep on running and commit suicide (aka the
> networks who are not moving, getting experience and doing something).
>
> Greets,
> Jeroen
> (Who still ranks Lemmings(tm) as one of the top games ever,
> simple and way too much fun, Amiga Lemmings X-mas special anyone? :) )
>
>
Re: Another driver for v6? [ In reply to ]
On Fri, 31 Oct 2008, HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP wrote:

> ever heard of the concept "open market"
>
> ipv4 address space delegations will just move from the rirs to places like
> ebay, problem solved.

Are you willing to pay premium to get global IPv4 address? Are you willing
to pay non-dynamic global IPv4 addresses for your servers?


>
> most of it is unused anyway (milnet, amateur radio ranges, etc)

Did you consider operational consequences? No prefix allocation database?
No routing database? Address collisions? Fighting for announcing more
specifics to use your allocated addresses?

Regards,
Janos Mohacsi
Re: Another driver for v6? [ In reply to ]
i'm slightly worried about feeding trolls here but it's sunday here.

HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP <sven@cyberbunker.com>
writes:

> ever heard of the concept "open market"
>
> ipv4 address space delegations will just move from the rirs to places like
> ebay, problem solved.
>
> most of it is unused anyway (milnet, amateur radio ranges, etc)

the human, as a species in the animal kingdom, is known to be the kind of
animal who fouls its own nest and overruns its habitat. the idea of a
tipping point, whether it be for CO2 in the atmosphere or polar ice shelves
or explosively deaggregated IPv4 routing tables, does not occur in the
minds of individual decision makers. instead it's left to us "chicken
little" types, and the only way the individual decision makers ever make
their decisions on the basis of tipping points is if some kind of
"governance" makes them do so.
--
Paul Vixie