On 2011-07-18 00:23, Ed W wrote:
> Hi
Hi,
>> Also, how would you imagine readdressing such a network one day, when you
>> decide to change your ISP?
> Aha. This is a statement that you don't believe PI space will become
> easier to access when requesting IPv6 space?
IPv6 PI for everyone? Forget about it, we would shortly hit 1M or even
10M+ IPv6 prefixes and this way make BGP unreliable.
> There seems to be sufficient space for PI to become the norm to hand
> out. However, the current state of routing appears to struggle with
> IPv4 taken to the limit, and so there seems to be understandable
> reluctance to actually fix all the issues we have with IPv4 since some
> facets of the solution kill current routing hardware..?
> Mobile phone numbers are now interchangeable between phone companies in
> under 24 hours in the UK. Let's hope that PI space allocations become
> the norm under IPv6..?
You must not compare PSTN with IP this way. How many GSM operators are
there in the UK with their own network prefix? 50? 100? Now compare it to
BGP ASes. How long do you need to wait to initiate a call? Finally, how
many calls do you make per second? ;)
BTW: phone numbers are interchangeable not only in the UK and not only
for mobile. ;)
>> Without NAT (and BTW without working and complete L3 security in
>> switches) no one will consider IPv6 seriously nor dare to implement it
>> in production. Of course NAT does not provide security, but it provides
>> real and useful privacy, as opposed to annoying randomness.
> It's not clear to me that NAT solves L3 security any better than a
> non-NAT firewall?
Sorry, English is not my native language; maybe I was not clear enough.
By L3 security in switches I meant:
- DHCPv6-snooping, like dhcp-snooping in IPv4, which protects your
network from unauthorized DHCP servers. Just think of someone enabling
connection sharing in Windows, grrr!
- ND-protect, like arp-protect in IPv4 - there is no ARP in IPv6
- "ipv6 source-lockdown", like "ip source-lockdown" [1], to protect
from ARP/IP spoofing/takeovers.
Such mechanisms are standard for enterprise and nowadays even SOHO edge
switches, but only for IPv4.
However, as IPv6 is totally different from IPv4, you also need many
additional mechanisms. For example, several IPv6 stacks are vulnerable
to RA DoS attacks (google: "vulnerable ra ipv6"), and you would like to
filter unauthorized routers anyway.
But this is a little off-topic for Netfilter. ;)
[1] HP Procurve terminology.
Best regards,
Krzysztof Olędzki
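Added example, not part of the thread above: a minimal host-side "RA guard" check in Python, roughly what the switch-side ND/RA protection discussed in the reply does for Router Advertisements. It parses an IPv6/ICMPv6 RA, drops it unless the source is an authorized link-local router sent with hop limit 255, and rejects any advertised prefix outside the allowed set. AUTHORIZED_ROUTERS, AUTHORIZED_PREFIXES and the build_ra() test packet are constructed values, not from the list.

```python
import ipaddress
import struct

# Constructed policy: the one router and prefix allowed on this link.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
AUTHORIZED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_ra(packet):
    """Return (src, hop_limit, prefixes) for an ICMPv6 RA, else None."""
    if len(packet) < 56 or packet[0] >> 4 != 6:
        return None
    next_hdr, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    if next_hdr != 58 or packet[40] != 134:   # ICMPv6 type 134 = RA
        return None
    prefixes, off = [], 56                    # options follow 16-byte RA header
    while off + 2 <= len(packet):
        otype, olen = packet[off], packet[off + 1] * 8
        if olen == 0 or off + olen > len(packet):
            break                              # malformed option: stop parsing
        if otype == 3 and olen == 32:          # Prefix Information option
            plen = packet[off + 2]
            addr = ipaddress.IPv6Address(packet[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += olen
    return src, hop_limit, prefixes

def ra_guard(packet):
    """Verdict for one packet: ('accept'|'drop'|'pass', reason)."""
    parsed = parse_ra(packet)
    if parsed is None:
        return "pass", "not a router advertisement"
    src, hop_limit, prefixes = parsed
    if hop_limit != 255:                       # RFC 4861: RA must not be forwarded
        return "drop", "hop limit != 255"
    if not src.is_link_local or src not in AUTHORIZED_ROUTERS:
        return "drop", "unauthorized router %s" % src
    for p in prefixes:
        if p not in AUTHORIZED_PREFIXES:
            return "drop", "unauthorized prefix %s" % p
    return "accept", "authorized router and prefixes"

def build_ra(src, hop_limit, prefix):
    """Constructed RA for testing only (checksum left zero, never sent)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    opt += net.network_address.packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp
```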
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html