[ale] Comcast linux...
Michael H. Warfield
mhw at wittsend.com
Tue Jan 6 23:24:22 EST 2004
On Tue, Jan 06, 2004 at 05:48:58PM -0500, Mike Murphy wrote:
> speaking as someone with about 200 servers to worry about: IPv6
> *shudder*. If the network goons around here understood the term "phased
> rollout", maybe I'd be less scared.
Hmmm... You must have missed my "Brave New World of IPv6" at either
AUUG a few months ago or ALE-NE in December. IPv6 is actually easier to
roll out (much TOO easy from some viewpoints) than IPv4. If you've got
IPv4, you can have IPv6. In fact, you've already got an ENTIRE IPv6
NETWORK assigned to you of 65,536 subnets each of which has 16 billion billion
host addresses (2002:{IPv4_Addr}::/48).
A recent Networld headline proclaimed "IPv6 Fears Unfounded".
Hmmm... Wrong view... The fears they were referring to were fears that
it would be difficult, time consuming, and costly plus require a boat
load of upgrades and such. None of which is true. You can get IPv6 for
free damn near anywhere you can pull in IPv4. The real fear is that most
administrators don't realize this. It's actually easy and cheaper to
provide IPv6 than it is to prevent IPv6. And if you don't provide it
or prevent it, it will be there. You just won't realize that there is a
fully routable, globally addressable, protocol on your network which you
don't know about or understand. Now THERE is something to FEAR!
> No, I wasn't questioning TCP per se, but pointing out that it's not
> always the best tool for the job. Sometimes a nice hammer is overkill,
> when a good rock will do ;).
In this case, it would be impossible. Think about dhcp. Think
about how it works. You can't get to the point of establishing a TCP
connection because you don't have an address at that point. You have to
send out a broadcast and look for the return. UDP is usable. TCP can't
even get a SYN out.
IPv6 gets even MORE amusing with its STATELESS autoconfiguration.
Node powers up and sends out a link level neighbor discovery and then
a router discovery. Router responds with the PREFIX of that subnet and
the router address and lifetime. Node takes the prefix and munges it with
its own autoconfigured EUI address and out pops an IPv6 host address. To
get beyond that with things like DNS and other services, you're back to
stateful autoconfiguration (DHCP6) to provide those objects.
> Truth is, most "native" UDP apps' modern incarnations also work just
> fine (er at least mostly fine) using TCP, since for most things, it's
> what's in the packets/datagrams that matter anyway. However, as Bob
> pointed out, there can be a performance impact (and as Chris just
> pointed out, who cares if the app is broadcast based anyway).
Yes, but not relevant for dhcp.
> One good modern example of TCP connection assurance vs. UDP efficiency
> can be seen in the most cutting edge of programming challenges: network
> gaming. Most of the modern FPS engines, for instance, use UDP to send
> updates from server to client. In many respects, this is the only way
> for clients to keep up without lag, and if the client has to ask for a
> packet to be retransmitted, it's likely that the data in that packet is
> already outdated, so why bother?
> Mike
> Berlin Brown wrote:
> >I hope you are not questioning tcp. I have never really thought about
> >the overhead or the implications whether udp or tcp is outdated. But,
> >imagine the overhaul in changing applications to some newer protocol.
> >Plus, is ipv6 tcp better than ipv4? It looks like it is easy to enable
> >on my freebsd system, but scared to.
IPv6 is incredibly easy to enable. But, why not?
Yes, there are many reasons why IPv6 is better than IPv4. IMNSHO,
just the fact that it is effectively unscannable and things like MS-Blaster
and Welchia have no chance of propagating over it (even if they recognized
it) makes it well worthwhile. All of my ssh connections to all of my
exposed sites are only globally accessible over IPv6. No IPv4 connectivity
to ssh on any of my hosts, even at my colo site (who doesn't "support" IPv6).
And I can get to them from anywhere on the internet (even behind NAT devices)
and none of them can be brute-force scanned for. They aren't hidden, you
can ssh to a machine name, but the worms and 'scan'n'sploiters can't scan
for them.
> >And then again, what is Internet 2?
Internet 2 is a separate topology and backbone. Connects a bunch
of universities and government sites. Very fat pipes. You need IPv6 to
take advantage of some of its capabilities.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
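As an added illustration of the 2002:{IPv4_Addr}::/48 allocation and the prefix-plus-EUI-64 autoconfiguration described above (example code written for this thread, not part of the original post; the IPv4 address and MAC in it are constructed sample values):

```python
import ipaddress


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 /48 (2002:{IPv4}::/48) that comes with a public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002::/16, then the 32-bit IPv4 address; the remaining 16 bits of the /48 are the subnet id
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def subnet_of(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one of the 65,536 /64 subnets inside a /48 (the prefix a router would advertise)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2 ** 16:
        raise ValueError("expected a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def modified_eui64(mac: str) -> int:
    """Build the 64-bit interface identifier SLAAC derives from a 48-bit MAC (RFC 4291 style)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # split the MAC in half and insert ff:fe in the middle
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    # flip the universal/local bit (bit 1 of the first octet)
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Munge the advertised /64 prefix with the node's EUI-64 to get its host address."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs the /64 prefix from the router advertisement")
    return ipaddress.IPv6Address(int(prefix.network_address) | modified_eui64(mac))


def host_space_bits(prefix: ipaddress.IPv6Network) -> int:
    """Bits a scanner would have to walk inside this prefix (64 for an advertised /64)."""
    return 128 - prefix.prefixlen


if __name__ == "__main__":
    # constructed sample values: a documentation IPv4 address and a made-up MAC
    site = sixto4_prefix("192.0.2.1")          # 2002:c000:201::/48
    lan = subnet_of(site, 1)                   # 2002:c000:201:1::/64
    host = slaac_address(lan, "00:11:22:33:44:55")
    print(site, lan, host, 2 ** host_space_bits(lan))
```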