<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='color:#1F497D'>Oh, for what it’s worth, I
see things like this:<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>If there’s sufficient
consumer demand for IPv6, then … ISP’s will roll it out and
charge extra for the premium service. That’s the definition of “sufficient
consumer demand” in this case: the ISP’s see sufficient
demand, that they feel it’s in their own best interests to do something
about it.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>But evidently, that’s not
what’s happening.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Instead, if there’s
insufficient consumer demand… Then ISP’s will still want to
make money on it somehow. They wait around. They enable IPv6
everywhere, and when there is an opportunity for public perception of IPv4
starting to cost more, then they charge extra to use IPv4. It’s in
their best interest to make IPv6 wait till the last minute, so all the hulu’s
and facebooks (and your employer’s VPN) out there might still only offer
service via IPv4. The quieter things stay for now, the more profit they’re
able to extract from it.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>But they don’t want to be
caught with their pants down, so they’ll perform some regional test
rollouts. (Sound familiar?) Surely, the results of the present
Comcast / Verizon test regions are: “It works, but there’s no
DNS and that’s a showstopper.”<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Also, they know approximately
how long their routers last at peoples’ homes. So they’re
planning the slow and systematic upgrade strategy. I have good reason to
believe, for my house on FiOS, they only need to push out a firmware upgrade
when they want to. But a lot of people are still living on “the
shark fin” or similar devices. Old, archaic cable and DSL modems
that haven’t been replaced in a decade. The ISP’s want people
to get as much life out of these things as physically possible, to avoid the
upgrade expense.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>You will see the IPv6 DNS
problem solved before there’s any serious effort by ISP’s. It
may be DHCPv6, or RFC a,b,c,d. But there’s positively no way ISP’s
can charge extra for IPv4, as long as IPv6 is insufficient by itself. So
for now, they wait.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>You will see the Hurricane
Electric countdown reach zero. And then IPv4 will start to become more expensive.
And finally, things start moving.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Those are my predictions.
Booweeeewwwooooo…… In the year 2000. Magic.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> bblisa-bounces@bblisa.org
[mailto:bblisa-bounces@bblisa.org] <b>On Behalf Of </b>Edward Ned Harvey<br>
<b>Sent:</b> Thursday, May 13, 2010 8:25 AM<br>
<b>To:</b> bblisa@bblisa.org<br>
<b>Subject:</b> [BBLISA] Last night's IPv6 talk<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Even though I wasn’t the organizer last night, I want
to thank everyone who showed up and participated. I found it very
informative and interesting, and apparently so did many other people,
reluctantly getting up to go home after 9, for the sake of needing to go home *<b>some</b>*
time. ;-)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>There were several points of interest I thought were
valuable to stab a little deeper into:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Even as ISP’s roll out IPv6, they will not kill IPv4
anytime soon (not in the next 5 yrs.) So for now, that’s the
solution to the DNS problem. Apple, MS, etc have plenty of time to work
out the details of DNS deployment, DHCPv6 and so on. Someday, you might
have to pay extra to have IPv4 enabled on your network connection.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The references that I cited were: Running IPv6,
Iljitsch van Beijnum. It’s good for an understanding of IPv6, but
since it’s like 5 yrs old, it’s out-of-date in terms of configuring
IPv6 on your system. Fortunately, that doesn’t matter at all,
because nowadays, enabling IPv6 is trivial.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I could share it with anyone if they want, up to 2 weeks, if
you happen to have a kindle (or willing to use the mac or windows amazon kindle
reader). That should be enough to read the whole thing for all the
interesting parts. Also, I said it was $10. Sorry, my mistake,
it’s $35 to buy.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I mentioned NAT-PMP. <a
href="http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol">http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol</a><o:p></o:p></p>
<p class=MsoNormal>And I couldn’t remember the name of IGD. <a
href="http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol">http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol</a><o:p></o:p></p>
<p class=MsoNormal>These are protocols that allow a NAT IPv4 device to
communicate with the perimeter firewall, to auto-configure a hole through the
firewall, to enable inbound traffic, to support peer-to-peer traffic.
Today, these protocols are not widely built-in to firewalls. But some do
support it. Generally speaking, professional level security appliances
don’t support it, but hopefully that will become optional in the near
future (and controllable via system policy), because I feel it’s a very
valuable thing, to enable peer-to-peer video conferences for example.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The thing that’s nice about NAT-PMP and IGD is that
the client must explicitly request the hole opened at the perimeter firewall
before it’s allowed in. So this is an additional layer of security,
above just your software firewall. Obviously, nobody feels very
comfortable simply exposing all their internal IP’s to the
Internet. So this helps facilitate communications without sacrificing
security.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Today, if you want to do p2p, the recommendation would be
IPv4, with one of these. Most p2p apps support it (skype, bit torrent,
and many H323 or SIP clients, etc). The question that remains is whether
or not your perimeter firewall supports it.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Moving forward, if you have world routable IPv6 addresses,
there’s no need for NAT and hence no need for NAT-PMP or IGD.
However … As mentioned before, the only security that NAT offers
you is implicitly blocking inbound unknown traffic. Moving forward, the recommendation
would be to still enable the firewall to block inbound unknown traffic.
In which case, the recommendation would be to use IPv6, *<b>and</b>* NAT-PMP or
IGD, or the alternative du-jour.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Not previously mentioned, the other security that NAT offers
is internal network roadmap masking. That is, somebody outside has no way
of knowing your internal network topology or subnet ranges and possible router
hops. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Believe it or not, IPv6 can be NAT’d if you want
to. (Though implementation may be sparse or nonexistent right now.)
Many of the IETF idealists would scoff at that as being sacreligious and
defeating the purpose, but you can see how slowly things move when you’re
trying to be ideal. If striving for perfection, then critical components
(DNS, DHCP) get left out by the time you need to use them. So, just as
you can expect people to use DHCPv6 despite extremist objections, so you can
expect some organizations to do IPv6 NAT sometimes despite the extremist views
of individuals in the IETF. Specifically because they don’t want to
expose the internal network roadmap. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>One thing that’s cool is: If you do NAT your
IPv6, you have a very large number of external IP’s. So you could
do a one-to-one mapping of internal IP’s to external IP’s, instead
of the many-to-one mapping that’s generally used in IPv4. Thus, you
eliminate the p2p problems that IPv4 NAT has, and you’re still able to do
NAT.<o:p></o:p></p>
</div>
</div>
</body>
</html>