
Re: stable addressing



Eric,

I'm disappointed that you bring up the N-word in the very same thread I started in order to find a way to make it possible to use stable addressing in a clean way.

On 20-apr-04, at 1:35, Fleischman, Eric wrote:

> For whatever it's worth, my Boeing coworkers and I currently expect to maintain a Boeing-unique address space in IPv6 (such as we currently have for IPv4)

If you are in fact acting as an ISP you should be able to get a /32 just like any other ISP. If you plan to assign address space to 200 "customers" in the next two years you qualify. However, having one large address block isn't always advantageous to enterprises, as this also means that you may receive traffic for location A in location B and vice versa. I know there are people who want their own block and then announce more specifics in different locations but I'm afraid that's not exactly in line with our plans to keep the size of the global routing table manageable.


> On the other hand, in support of your posting, we also don't want outsiders to know about our internal networks. We currently plan to handle this by deploying NATs for IPv6, such as we currently do for IPv4 (i.e., like many other Fortune 100 companies, we use NATs for security, not for addresses).

Expect things to break if you do. In IPv4 software vendors are forced to add NAT workarounds to their products because NAT is very widespread in v4, but it's unlikely it will be in v6 as well, so I imagine there won't be many NAT workarounds for IPv6.


> While I doubt if our security people are willing to discard the use of NATs as a security mechanism,

Think about it this way: if you have 100 boxes in a /24, it takes an attacker with a dial-up connection all of two seconds to find them. If you have 100 boxes in a /64, it takes an attacker with 10 Gbps nearly a year to scan just the 48-bit MAC address derived addresses, and about 20000 years to scan all the RFC 3041 addresses. I suggest your security people learn a few new tricks for IPv6 rather than keep doing what they're doing today with 96 extra bits.
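The scan-time comparison in the last paragraph, carried through as an added example (not code from this thread or its authors). The probe size, 64-byte frames at full link rate, is an assumption, so the absolute figures differ somewhat from the rounded ones in the message; what the model shows is the ratio between a /24, a /64 populated with EUI-64 addresses and a /64 populated with RFC 3041 addresses.

```python
# Added example (not from the thread): the scan-cost arithmetic behind the
# /24-versus-/64 argument above. Assumptions, not from the page: each probe is a
# minimum-size 64-byte Ethernet frame, so probe rate = link bps / 512; the
# attacker sweeps the candidate space linearly; live hosts are spread uniformly.
# EUI-64 interface IDs are modelled as 2**48 candidates (the 48-bit MAC),
# RFC 3041 privacy addresses as 2**64 equally likely interface IDs.
SECONDS_PER_YEAR = 365.25 * 86400
PROBE_BITS = 64 * 8  # assumed minimum Ethernet frame per probe

def probes_per_second(link_bps, probe_bits=PROBE_BITS):
    """Upper bound on probe rate if the link carries nothing but probes."""
    return link_bps / probe_bits

def sweep_seconds(space, pps):
    """Time to probe every candidate address once."""
    return space / pps

def first_hit_seconds(space, hosts, pps):
    """Expected time until a linear sweep hits its first live host: the
    expected index of the first of `hosts` uniform points in `space` slots
    is space / (hosts + 1)."""
    return space / (hosts + 1) / pps

def scan_cost(name, space, hosts, link_bps):
    """Return sweep and first-hit times in years for one scenario."""
    pps = probes_per_second(link_bps)
    return {
        "name": name,
        "sweep_years": sweep_seconds(space, pps) / SECONDS_PER_YEAR,
        "first_hit_years": first_hit_seconds(space, hosts, pps) / SECONDS_PER_YEAR,
    }

# The three cases from the message: 100 hosts each; 56 kbps dial-up vs 10 Gbps.
SCENARIOS = [
    ("IPv4 /24, dial-up attacker", 2**8, 100, 56_000),
    ("IPv6 /64, EUI-64 IIDs, 10 Gbps attacker", 2**48, 100, 10e9),
    ("IPv6 /64, RFC 3041 IIDs, 10 Gbps attacker", 2**64, 100, 10e9),
]

def scan_cost_table():
    return [scan_cost(*s) for s in SCENARIOS]

if __name__ == "__main__":
    for row in scan_cost_table():
        print(f"{row['name']:44} sweep {row['sweep_years']:10.3g} yr, "
              f"first hit {row['first_hit_years']:10.3g} yr")
```

The /24 sweep comes out at a couple of seconds, the EUI-64 candidate space at a few months, and the RFC 3041 space at tens of thousands of years, with the last two differing by exactly 2**16.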