On 03-Jul-24 03:12, John Levine wrote:
> According to Dr. Neal Krawetz <ietf@xxxxxxxxxxxxxxxx>:
>> Every big corporation I've seen uses the same choke-point configuration:
>> - All outbound traffic goes through a very small number of IPv4 addresses for egress filter and incoming firewall protection.
>> - Every internal-only computer uses globally routable IPv4 addresses.
>> They *should* be using NAT!
>
> An interesting argument, not totally ridiculous.
>
>> The way IPv6 is being allocated? Having "more addresses than IPv4" doesn't prevent the same misallocation problem. It just extends the time before we exhaust IPv6.
>
> IPv6 was designed to be big enough that it doesn't matter. IANA has
> been allocating space from 2000::/4 for the past 25 years, so far
> given out maybe 2/3 to the RIRs. And 2000::/4 is only 1/16 of the
> address space.
>
>> The biggest problems I've seen that prevent IPv6 adoption:
>> - Complexity: IPv6 is more complicated than IPv4. If you go in with the "IPv6 is like IPv4" mentality, then the complexity will overwhelm you. I've seen way too many admins stick with IPv4 because IPv6 was too complicated.
>> - Startup time: With IPv4, you get your address, router, and subnet, and you're online. With IPv6, you still have to wait for neighbor discovery to complete. You might think everything is configured correctly but see that it isn't working for the first few seconds (or minutes). When IPv6 isn't ready when you're ready, you assume it isn't working and fall back to IPv4, which is immediately on.
>
> Those are reasonable. I suppose you could speed things up with DHCPv6 but it seems to be fast enough as is for most purposes.
>
>> - Firewalls: That whole configuration issue, where corporations have everything route through a single egress filter/firewall service? IPv6 wants direct access and doesn't support NAT. (Is there such a thing as NATv6? Does anyone use it?) This means that IPv6 has the potential of creating a security nightmare by giving internal-only systems bidirectional access to the internet. Even for a residential service, my home IoT devices should never have their own direct connection to the internet. Without the correct configuration, IPv6 is much worse than UPnP.
>
> There is NATv6 but it's not widely used. It is not hard to set up an
> IPv6 firewall with the same kind of protection you normally get from
> NAT. I've done it. But it's not the same as NAT so I suppose it seems
> harder.

I'm not really sure why, because the things a firewall has to look for are
very similar for IPv4 and IPv6. The only case where no-NAT is at a real
disadvantage is for topology hiding. There are enterprises that care
about that.

> To me the main issues are that it's different, so it has a learning
> curve, and for the vast majority of users IPv6 still offers no
> practical benefit.

For operations within an enterprise, that's clearly true. For
public access outside the DMZ, being accessible via IPv6 will, I think,
be an increasing advantage as deployment of IPv6 at the consumer edge
continues to increase.
Brian