Geoff on IPv4 Exhaustion
tedm at ipinc.net
Mon Nov 21 09:36:07 CET 2011
On 11/20/2011 11:41 PM, Doug Barton wrote:
> On 11/20/2011 22:11, Ted Mittelstaedt wrote:
>> On 11/20/2011 8:13 PM, Doug Barton wrote:
>>> On 11/20/2011 20:01, Erik Kline wrote:
>>>>> For most sites that are using VPNs merely to connect internal networks
>>>>> there won't be a need for them post-IPv6, because the internal networks
>>>>> won't exist anymore.
>>> I'm not sure I understand your perspective here, or what you're defining
>>> as an "internal network." I can't imagine a future where every local
>>> operator decides to open up every host on their network to the entire
>>> Internet. There will always be a need for virtual networks between
>>> remote offices of the same company for example, or between 2 companies
>>> that have a joint project that requires sharing data.
>> No, there really won't be. The only time you really need a lan 2 lan
>> VPN under IPv6 is if there is unencrypted sensitive data being passed
>> from site to site and there is an opportunity for someone in between
>> sites to tap into that data stream, or if one side of the connection
>> isn't on a static IPv6 number and your not using an application (like
>> https) that is secure.
> I'm going to snip all the other examples you gave of scenarios where
> VPNs are necessary. The need to encrypt traffic is just one of them.
>> So, yes, I see plenty of scenarios where there is no need for a
>> virtual network between remote sites.
> I didn't say that they were mandatory. I said that they weren't going
> away any time soon. We seem to agree on that.
>>>> This is certainly an exciting opportunity for us, I think. The return
>>>> of end-to-end
>>> There isn't going to be a "return to end-to-end." Users don't want it,
>>> and it almost certainly is not a good idea even if they did.
>> Your successors aren't going to think like that. You only think
>> like that because you are young and haven't been doing IT and
>> networking support for very long, probably only since the very
>> late 90's or early 2000's.
> You're wrong, but I'm not interested in a resume-measuring contest.
>> You grew up in a networking world
>> where NAT was standard and VPNs were standard and you do not have
>> the scope to imagine it any other way.
> I'll also ignore the implied insult here. Regardless of my lack of
> experience, I have a vivid imagination. :)
Good. Then you quit playing the devils advocate and I will too.
> Meanwhile, let's examine your premise a little closer. What percentage
> of currently employed network administrators and IT executives grew up
> in a world dominated by NAT?
NAT really appeared "commercially" when it showed up in Cisco IOS
version 11.2. Yes of course stuff like the PIX firewall and various
patchsets for BSD and Linux existed well before that, but IOS 11.2 came
out around '97/'98 as I recall. So, 13 years ago. When Cisco blessed
it a lot of orgs started using NAT.
Given the tremendous growth of the numbers of network administrators
and IT execs needed by industry I would guess that percentagewise the
number of IT people running around today who were working in IT prior
to 1998 is pretty small.
> Given the complete failure of the "You
> don't need NAT!" argument over the last 16 years or so, how successful
> do you think that you and I are likely to be in persuading the
> overwhelming majority of IT professionals who believe it to be
> absolutely necessary.
But the "you don't need NAT" argument over the last 16 years was always
bogus because what the "you don't need NAT" people were really saying
was "you don't need a lot of IP addresses"
In North America, ARIN formed in December 1997 and from that moment,
a price was attached to TCP/IP addresses. If an ISP had a corporate
customer who wanted, for example, a /19, that ISP would have to pay
ARIN thousands a year for it. Meaning the customer would have to pay
the ISP thousands for it.
But clearly, orgs DID need a LOT of IP addresses. Orgs were not
interested in paying large amounts for IP addressing and ISP's
absolutely didn't want to have them doing so, that would have put
the ISP at huge financial risk.
With IPv6 the RIR's are assigning enormous amounts of IPv6 to
any ISP that asks for any amount. They do not want the ISP to
have to come back to the RIR and ask for another assignment, ever.
Any customer who really wants a large amount of IPv6 from an ISP
can ask for it and if it's a commercial ISP and not some residential
DSL or Cable provider they will get it.
Thus, a huge financial incentive to deploying NAT is removed.
If the RIR system had based pricing on something other than the
amount of IP numbers in use, then I doubt that there would
have been as much interest in NAT. If ISP's could get as much
numbering as they wanted at no cost then many would have handed out
non-portable numbers like candy and many orgs would have used
public numbers internally.
Ironically the RIR's today are pushing IPv6, when the fact is that
they are the ones who caused IPv4 to be stretched out as long
as it was.
>> But I've been at this a lot longer and the fact is that the NAT+
>> VPN paradigm was forced on us for reasons that had nothing to do with
>> encryption and security and everything to do with routing, and
>> to be perfectly honest, sheer laziness, because NAT allows bonehead
>> administrators who know nothing about firewalling to at least
>> have some sort of network protection.
> I'm willing to agree to disagree with you on the genesis and utility of
> NAT, but I do agree with you on the bonehead bit.
>> But once end-to-end is available again, years from now when IPv4
>> is disappearing, then we will see administrators who do understand
>> firewalling begin to appear, and some will have the wherewithal
>> to understand when to use VPNs and when not - and they won't when
>> they aren't needed. It has nothing to do with users. Users just
>> want things to work.
> And who is going to train these people? The current generation who only
> knows the current paradigms?
You should have more faith in people's ability. Yes it will take a
long time to shift because we have a lot of mental inertia. But there
was a time not too long ago that people thought that Microsoft would
forever dominate the computer operating system market in the computer
industry. Today the fastest growing computer OS is Android and
Microsoft by every standard has utterly lost in that segment of the OS
market. Computers are becoming toasters and Windows isn't going to be
along for the ride.
The most common mistake people make in technology is assuming that
what we have today is going to be around forever. That is why when
you turn on Star Trek you see them running around corridors of ships
shooting aliens with hand phasers. Yet meanwhile military technology
has introduced robotics and in all likelihood the future wars will be
fought Terminator-style a-la Skynet.
Me, I'll put up a Terminatrix against a Borg any day.
> Doug (I did like the bit where you called me young though)
More information about the ipv6-ops