
Re: cpe simple security and the opportunity cost of stateful packet filters



> P2P applications already very difficult for average Internet users to  
> participate effectively in such networks due to the stateful  
> filtering in IPv4/NAT gateways, and services like UPnP IGD and
> NAT-PMP don't repair all the damage.  If these packet filters are allowed
> to become ubiquitous in IPv6, then my fear is that the most likely  
> applications that would otherwise be able to deliver that content  
> you'd like to access, with or without any whizzy new router  
> advertisement parameters, will never be developed for IPv6 where they  
> might be simple enough for average users to operate.  All the user  
> complexity created by IPv4/NAT stateful filters will have been  
> duplicated in the IPv6 stateful filters.

> If we are not careful, IPv6 may be saddled with all the b0rkenneff  
> that IPv4/NAT plagues us with today, without any measurable benefit  
> beyond merely addressing the burdensomely high and rapidly increasing  
> cost of public IP addresses.  We are setting up a vicious circle.

	yup, you have some points.

	i'm very hopeful in the following way of thinking:

	- normal users do not really care what the underlying technology is.
	  in fact, a famous Japanese magazine, Hanako, had "the Internet for
	  newbies" feature without a single mention of IPv4 address.

	- operators and implementers can reduce administration costs by using
	  IPv6, because of vast amount of available address space, and because
	  of this, fewer administration costs.  of course, to achieve this,
	  you need some knowledge to avoid unneeded admin costs people are
	  paying with IPv4 and NAT.
	  for instance, if you try to deploy all-IP cellphone network, you
	  would need a gigantic NAT box that supports SIP NAT with
	  failover/redundancy if you pick IPv4.  if you pick IPv6, you do not
	  need that.
	  i have been trying to promote this idea here, maybe i should keep my
	  mouth shut and charge money for my recipe ;-)

	- normal users do care about overall cost of operation and would like
	  to have fewer support calls/cableguys come to home, so they would
	  pick ipv6-based services with less costs, IF IT IS DESIGNED WELL.

	and more importantly,

	- because the population with IPv6 connectivity will gradually
	  increase, you can start small with your IPv6 service.  you do not
	  have to have giant load balancer like your IPv4 service today.
	  you just need to prepare for growth in the near future.
	  for instance, with IIJ IPv6 connectivity service (started 1999)
	  all the support calls are diverted to small number of IIJ people
	  if it contains the word "IPv6".  the important thing is for call
	  center people to be able to handle IPv6 questions, and divert it
	  to appropriate people.

	am i being too optimistic?  i guess not.

itojun