[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: stable addressing
You don't need NAT just a good firewall which you will need with NAT
anyway.
/jim
> -----Original Message-----
> From: owner-multi6@ops.ietf.org
> [mailto:owner-multi6@ops.ietf.org] On Behalf Of Fleischman, Eric
> Sent: Monday, April 19, 2004 7:35 PM
> To: Brian E Carpenter; Iljitsch van Beijnum
> Cc: Multi6 List
> Subject: RE: stable addressing
>
> Brian,
>
> For whatever it's worth, my Boeing coworkers and I currently
> expect to maintain a Boeing-unique address space in IPv6
> (such as we currently have for IPv4) which will not change
> regardless of who our ISP may or may not be. I would be very
> surprised if other Fortune 100 companies do not take a
> similar stance since we view this stance to be entirely
> logical: i.e., it is a refusal to be "taken hostage" by ISPs.
>
> On the other hand, in support of your posting, we also don't
> want outsiders to know about our internal networks. We
> currently plan to handle this by deploying NATs for IPv6,
> such as we currently do for IPv4 (i.e., like many other
> Fortune 100 companies, we use NATs for security, not for
> addresses). While I doubt if our security people are willing
> to discard the use of NATs as a security mechanism, perhaps a
> heavy dose of the logic found within your posting below would
> cure them of that position (but I somehow doubt it)?
>
> --Eric
>
> -----Original Message-----
> From: Brian E Carpenter [mailto:brc@zurich.ibm.com]
> Sent: Friday, April 16, 2004 7:26 AM
> To: Iljitsch van Beijnum
> Cc: Multi6 List
> Subject: Re: stable addressing
>
>
> Iljitsch,
>
> > Things are different however for class 4. Here, renumbering
> is not a
> > realistic option. Even if renumbering the actual network
> > infrastructure were to be doable, changing the associated
> filters and
> > related security setups is too much work to undertake at
> regular intervals.
>
> I would dispute this. All that changes is the /48 prefix, and
> the normal case in IPv6 is to be running with several of
> those simultaneously on any large site. Actually the filters
> and internal routing setup will need to treat the top 48 bits
> as don't care bits. So it seems to me that relatively simple
> operational procedures can deal with prefix changes.
>
> Nevertheless, I assume that all large enterprises will choose
> to use a draft-ietf-ipv6-unique-local-addr-03.txt prefix for
> internal traffic and some VPN uses. For external traffic I
> assume they will use ISP-delegated prefxes, which is where
> multi6 comes in.
>
> Brian
>
> Iljitsch van Beijnum wrote:
> >
> > As a result of discussions elsewhere, my concern about lack
> of stable
> > addresses in IPv6 has increased once again. Let me first
> define four
> > fairly typical classes of future IPv6 users:
> >
> > 1. single homed users
> > 2. "basement multihomers": (very) small networks with two
> uplinks 3.
> > content providers: lots of traffic, but not very many network
> > components 4. enterprises: lots of subnets, lots of network
> components
> >
> > If we consider NOID-like solutions with DNS names and PA addresses
> > only and no longer-lived identifiers or addresses, this should work
> > quite well for classes 1, 2 and 3, as the amount of equipment that
> > must be reconfigured when a new ISP is connected is
> relatively small.
> >
> > Things are different however for class 4. Here, renumbering
> is not a
> > realistic option. Even if renumbering the actual network
> > infrastructure were to be doable, changing the associated
> filters and
> > related security setups is too much work to undertake at
> regular intervals.
> >
> > So how do we solve this? I'm assuming NAT is not an option. One way
> > would be to create address space that isn't regularly routable, but
> > can be automatically tunneled/aliased over regular PA space. The
> > disadvantage here is that tunnel/aliasing setup must happen
> prior to
> > session establishement, which isn't all that great for incoming
> > sessions towards these types of addresses, but presumably most
> > sessions will either be outgoing or part of a longer-term
> > meta-sessions so this shouldn't be as big a problem as with
> classes 2
> > and 3. Another problem here would be that even if the correspondent
> > for the class 4 user doesn't actually multihome, they must still
> > support the mechanisms in order to set up and use the
> tunnel. Again,
> > this might be a disadvantage we're willing to swallow as
> the type of
> > communication for class 4 is presumably limited to a subset
> of the full internet.
> >
> > (Obviously an enterprise with lots of internal stuff but
> also highly
> > visible stuff (think Cisco with their huge internal nework and also
> > huge web presence) could use stable addressing for most of
> its network
> > and PA/NOID for the most visible parts.)
> >
> > Another side effect would be the need for a registry of some kind
> > where the initial mapping information can be found in order
> to create
> > tunneling/aliasing state.
>
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - Brian E Carpenter Distinguished Engineer, Internet
> Standards & Technology, IBM
>
>
>
>