[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: stable addressing
I'm disappointed that you bring up the N-word in the very same thread I
started in order to find a way to make it possible to use stable
addressing in a clean way.
On 20-apr-04, at 1:35, Fleischman, Eric wrote:
For whatever it's worth, my Boeing coworkers and I currently expect to
maintain a Boeing-unique address space in IPv6 (such as we currently
have for IPv4)
If you are in fact acting as an ISP you should be able to get a /32
just like any other ISP. If you plan to assign address space to 200
"customers" in the next two years you qualify. However, having one
large address block isn't always advantageous to enterprises, as this
also means that you may receive traffic for locatioon A in location B
and vice versa. I know there are people who want their own block and
then announce more specifics in different locations but I'm afraid
that's not exactly in line with our plans to keep the size of the
global routing table manageable.
On the other hand, in support of your posting, we also don't want
outsiders to know about our internal networks. We currently plan to
handle this by deploying NATs for IPv6, such as we currently do for
IPv4 (i.e., like many other Fortune 100 companies, we use NATs for
security, not for addresses).
Expect things to break if you do. In IPv4 software vendors are forced
to add NAT workarounds to their products because NAT is very widespread
in v4, but it's unlikely it will be in v6 as well, so I imagine there
won't be many NAT workarounds for IPv6.
While I doubt if our security people are willing to discard the use of
NATs as a security mechanism,
Think about it this way: if you have 100 boxes in a /24, it takes an
atttacker with a dial-up connection all of two seconds to find them. If
you have 100 boxes in a /64, it takes takes an attacker with 10 Gbps
nearly a year to scan just the 48-bit MAC address derived addresses,
and about 20000 years to scan all the RFC 3041 addresses. I suggest
your security people learn a few new tricks for IPv6 rather than keep
doing what they're doing today with 96 extra bits.