North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Lazy network operators
> > preventing DDoS and IP source address forgery each also break what the > > IAB calls "the end-to-end model". > > How so? I was thinking of RFC 1958: An end-to-end protocol design should not rely on the maintenance of state (i.e. information about the state of the end-to-end communication) inside the network. While this is given as an argument in favour of datagrams (vs. circuits) as the best transport model, any stateful NAT or firewall violates it, any router or loadbalancer flow-quota violates it, and pretty much anything that can be done to protect against DDoS violates it. I misspoke when I said that preventing IP source address forgery violates it. > > (dunno if you heard, but in spite of 128 bits of address space, the > > enterprise user community is now asking for IPv6 NAT.) > > I hadn't, pointer please? <http://www.acu.rl.ac.uk/msn2003/Talks/TimChown.pdf> comes to mind. but moreso the folks looking at deployment who absolutely don't want another IPv4-like lockin, where provider-assigned addresses mean a huge renumbering effort in order to change upstreams, and the expectation that globally routeable address blocks will not be available, or will not be cost effective, for enterprise or small-ISP use. nowadays ietf is working on what they call NAT-PT as a "transition" strategy, with a new set of heads stuffed into the same old sand, whereby the designers think that network owners are only going to use it until the ipv6 transition is complete. it ain't so. ipv4 CIDR was absolutely necessary to grow the internet, and the wayback designers who thought that 12 million class C nets could ever have been instantiated and routed were obviously not thinking about scale. but ipv4 CIDR also had the effect of making end users fear their provider- assigned IP addresses, and the real incentive for ipv4 NAT deployment wasn't a lack of ipv4 address space but rather a lack of interest in provider-assigned ("lockin") addressing. it's still quite astounding to me that when we finish deploying ipv6 we'll still have provider assigned addresses that customers are afraid to use beyond the edge of their campus, and we'll still have the age-old tension between "i could get global routing for that address block" and "i could qualify with my RIR to obtain that address block (and afford the fees)". anyway, there will absolutely be NAT in ipv6 enterprise networks, but the reason for it won't be a shortage of globally unique address space.