Geoff on IPv4 Exhaustion

Ted Mittelstaedt tedm at ipinc.net
Mon Nov 21 07:11:25 CET 2011


On 11/20/2011 8:13 PM, Doug Barton wrote:
> On 11/20/2011 20:01, Erik Kline wrote:
>>> For most sites that are using VPNs merely to connect internal networks
>>> there won't be a need for them post-IPv6, because the internal networks
>>> won't exist anymore.
>
> I'm not sure I understand your perspective here, or what you're defining
> as an "internal network." I can't imagine a future where every local
> operator decides to open up every host on their network to the entire
> Internet. There will always be a need for virtual networks between
> remote offices of the same company for example, or between 2 companies
> that have a joint project that requires sharing data.
>

No, there really won't be.  The only time you really need a lan 2 lan 
VPN under IPv6 is if there is unencrypted sensitive data being passed 
from site to site and there is an opportunity for someone in between 
sites to tap into that data stream, or if one side of the connection
isn't on a static IPv6 number and your not using an application (like
https) that is secure.

If you have 2 LANS on different areas of the Internet then it is
extremely simple to put in a firewall at each site that locks down
access to only the other subnet.  In that case you would only need a
VPN if you were afraid of someone sniffing the traffic.  Let's say
for example that you have 2 sites in the same city and both were on
Comcast cable.  You run a traceroute between sites and see that
they have only 2 hops, entirely within Comcast's network.  Would you 
find it reasonable to believe that Comcast would allow random crackers
to access their routers to sniff your packets?  I would not, and I
would have no qualms about running SMB or NFS or some filesharing
protocol over such a link, outside of a VPN.  In the SMB situation
the NT-style userID/passwords are all encrypted anyway.

I deal with many smaller customers who are exactly in this situation.
Typical scenario is a 10 person office with a couple sales guys or
the owner working semi-regularly out of their homes, who come
into the office only occasionally.  The company pays for their
home office Internet connection already.  Quite often they have VoIP
phones at the remote home offices.  So getting the lowest latency is
pretty important and it is standard in this scenario to have all
the remotes use the same ISP as the mothership.  And it is much
easier on them to have a permanent lan 2 lan vpn setup between
their home/satellite office and the main office.  It would be
even easier to dispense entirely with the VPN device, particularly
at the remote office.  Quote a lot of broadband providers supply
combined cable/routers or dsl/routers that you have to jump through
hoops to get a vpn router running behind.  And in many cases the
only data run over the link is Terminal Server Client (RDP) and
that is already encrypted.  There is no point in encrypting it
twice.

So, yes, I see plenty of scenarios where there is no need for a
virtual network between remote sites.

>> This is certainly an exciting opportunity for us, I think.  The return
>> of end-to-end
>
> There isn't going to be a "return to end-to-end." Users don't want it,
> and it almost certainly is not a good idea even if they did.
>

Your successors aren't going to think like that.  You only think
like that because you are young and haven't been doing IT and
networking support for very long, probably only since the very
late 90's or early 2000's.  You grew up in a networking world
where NAT was standard and VPNs were standard and you do not have
the scope to imagine it any other way.

But I've been at this a lot longer and the fact is that the NAT+
VPN paradigm was forced on us for reasons that had nothing to do with 
encryption and security and everything to do with routing, and
to be perfectly honest, sheer laziness, because NAT allows bonehead
administrators who know nothing about firewalling to at least
have some sort of network protection.

But once end-to-end is available again, years from now when IPv4
is disappearing, then we will see administrators who do understand
firewalling begin to appear, and some will have the wherewithal
to understand when to use VPNs and when not - and they won't when
they aren't needed.  It has nothing to do with users.  Users just
want things to work.

Ted


>
>




More information about the ipv6-ops mailing list