Geoff on IPv4 Exhaustion

Doug Barton dougb at
Mon Nov 21 08:41:18 CET 2011

On 11/20/2011 22:11, Ted Mittelstaedt wrote:
> On 11/20/2011 8:13 PM, Doug Barton wrote:
>> On 11/20/2011 20:01, Erik Kline wrote:
>>>> For most sites that are using VPNs merely to connect internal networks
>>>> there won't be a need for them post-IPv6, because the internal networks
>>>> won't exist anymore.
>> I'm not sure I understand your perspective here, or what you're defining
>> as an "internal network." I can't imagine a future where every local
>> operator decides to open up every host on their network to the entire
>> Internet. There will always be a need for virtual networks between
>> remote offices of the same company for example, or between 2 companies
>> that have a joint project that requires sharing data.
> No, there really won't be.  The only time you really need a lan 2 lan
> VPN under IPv6 is if there is unencrypted sensitive data being passed
> from site to site and there is an opportunity for someone in between
> sites to tap into that data stream, or if one side of the connection
> isn't on a static IPv6 number and you're not using an application (like
> https) that is secure.

I'm going to snip all the other examples you gave of scenarios where
VPNs are necessary. The need to encrypt traffic is just one of them.

> So, yes, I see plenty of scenarios where there is no need for a
> virtual network between remote sites.

I didn't say that they were mandatory. I said that they weren't going
away any time soon. We seem to agree on that.

>>> This is certainly an exciting opportunity for us, I think.  The return
>>> of end-to-end
>> There isn't going to be a "return to end-to-end." Users don't want it,
>> and it almost certainly is not a good idea even if they did.
> Your successors aren't going to think like that.  You only think
> like that because you are young and haven't been doing IT and
> networking support for very long, probably only since the very
> late 90's or early 2000's. 

You're wrong, but I'm not interested in a resume-measuring contest.

> You grew up in a networking world
> where NAT was standard and VPNs were standard and you do not have
> the scope to imagine it any other way.

I'll also ignore the implied insult here. Regardless of my lack of
experience, I have a vivid imagination. :)

Meanwhile, let's examine your premise a little closer. What percentage
of currently employed network administrators and IT executives grew up
in a world dominated by NAT? Given the complete failure of the "You
don't need NAT!" argument over the last 16 years or so, how successful
do you think that you and I are likely to be in persuading the
overwhelming majority of IT professionals who believe it to be
absolutely necessary?

> But I've been at this a lot longer and the fact is that the NAT+
> VPN paradigm was forced on us for reasons that had nothing to do with
> encryption and security and everything to do with routing, and
> to be perfectly honest, sheer laziness, because NAT allows bonehead
> administrators who know nothing about firewalling to at least
> have some sort of network protection.

I'm willing to agree to disagree with you on the genesis and utility of
NAT, but I do agree with you on the bonehead bit.

> But once end-to-end is available again, years from now when IPv4
> is disappearing, then we will see administrators who do understand
> firewalling begin to appear, and some will have the wherewithal
> to understand when to use VPNs and when not - and they won't when
> they aren't needed.  It has nothing to do with users.  Users just
> want things to work.

And who is going to train these people? The current generation who only
knows the current paradigms?

Doug (I did like the bit where you called me young though)


		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)
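Both sides of this thread circle one technical point: NAT has been standing in for a firewall, and the worry about "opening up every host" under end-to-end IPv6 is really a worry about what replaces that accidental protection. The following nftables ruleset is an added illustration, not code from the thread or from any of its authors; it shows the explicit stateful policy that does the job NAT did implicitly, with no address translation at all. The interface name and the single published service (SSH on port 22) are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the mailing-list thread: a minimal stateful
# IPv6 ingress policy for a host or small router that does no NAT.
# Inbound connections are dropped by default; only return traffic, the
# ICMPv6 that IPv6 itself depends on, DHCPv6 replies and one assumed
# service are admitted.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus packets belonging to connections this host opened.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional on IPv6: neighbour discovery, router
        # advertisements, path MTU discovery and ping all ride on it.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # DHCPv6 replies come from link-local addresses to client port 546.
        ip6 saddr fe80::/10 udp dport 546 accept

        # Explicitly published services only (assumed: SSH on this host).
        tcp dport 22 accept
    }

    chain forward {
        # For a router: only forward packets of established flows.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
}
```

Loaded with `nft -f`, this gives every globally addressed host the same "nothing unsolicited gets in" property that NAT provided, while keeping addresses end-to-end so the site-to-site VPNs discussed above remain a choice made for confidentiality or reachability rather than a necessity forced by address translation.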
