[ale] Looking for advice on domain names and other info wrt local network.

Forsaken forsaken at targaryen.us
Wed Aug 13 07:37:09 EDT 2008


On Aug 11, 2008, at 2:00 PM, Michael B. Trausch wrote:

>> And sure, the internet was designed to be end to end. ipv4 was also
>> designed to be classful. Do you think that was a good idea too? The
>> wasteful allocation of the ip4 space before the implementation of  
>> CIDR
>> is mostly responsible for the ip crunch that we're in right now.
>
> No, I think that things can be altered.  Never did I argue that the
> Internet should have remained classful, or that DNS was a useless  
> crock.
> I fail to see how you connect "NAT seriously ought to go away  
> because it
> is a bad feature that breaks the philosophy behind open end-to-end
> network communication" with "So, features on the network stack are  
> bad?"

The connection was along the lines of countering your argument that  
NAT goes against how the internet was designed. I was merely pointing  
out that there are a few other things that have been developed that  
were either not within the design parameters or totally changing the  
design parameters, and yet they're deemed essential for operation. So  
opposing something on the basis that it's not how things were designed  
just doesn't sit well with me.

> I have a problem with NAT because it breaks end-to-end  
> communication.  I
> have a problem with proposed "features" that actually take usable
> features away from the network stack, too.

Let's be frank, end-to-end communication has been broken, on purpose,  
for a while. For most enterprise class networks, you do not *want*  
end-to-end communication between your network nodes and the internet  
(There are enough Windows zombies out there already, aye?) In my  
honest opinion, the design of end-to-end connectivity got tossed by  
the wayside when firewalls became the norm. Having a machine or  
machines interposed between the two end points that specifically  
decide what traffic is or isn't allowed to cross the link is a pretty  
big boot on the neck of end-to-end connectivity. I've always equated a  
firewall to trying to have a raunchy phone conversation with your  
girlfriend when one or both of your parents are listening in on the line.  
The results aren't always what you'd like.

> The change from class-based routing to CIDR was a good move.  It was
> sound and required no breakage of networking functionality already
> present in the stack.

No, it just broke some routing protocols and required them to be  
reworked. No big deal. ;)

> Again, that becomes totally unnecessary with the style of link-local
> addressing present in IPv6, and without the confusion of having  
> network
> nodes that have the same address on two separate network segments
> cross-NATted from each other would have.

Yeah, I know, but I don't think the folks with RFC1918 networks are  
going to negotiate a changeover to ipv6 before one acquires the other  
to make their network consolidation easier. And yes, this is a very  
very real benefit of NAT, mergers and acquisitions happen all the time.

I think the main issue here is the fact that we look at things from  
two totally different viewpoints. You've already changed over to ip6  
and are anxious for everyone else to follow suit, whereas I look at  
things from the viewpoint of what I have to deal with at work every  
day. I'll give you absolutely no dispute that ip6 solves quite a few  
problems. But unfortunately, it's not as simple as logging into my  
routers, typing

config t
ip 6 enable

And having everything magically work. So sure, having to NAT your  
acquisitions traffic because they're using the same local range  
becomes unnecessary in ip6. But the amount of private companies  
running ip6 aren't exactly predominant. So your point is germane from  
an academic standpoint, but from an every day one, it sounds a lot like  
the guy in the back saying 'I told you so' to his peers (when it's  
probably management who shot the ip6 conversion down in the first  
place) instead of pitching in to help with the consolidation.

> IPSec (VPN), SIP (VoIP), and FTP all need special helpers (as do other
> protocols) to properly get around NAT.  Commodity routers do FTP.   
> None
> can do IPSec, which is why it's generally tunneled within UDP.  SIP
> isn't handled by any commodity NAT appliance that I am aware of,  
> either,
> which is why things like third-party application layer gateways are
> required to get NATted SIP devices to talk to each other.

That depends on what you consider a commodity router. I picked up some  
3640s fully loaded with ram and flash for quite cheap, and have them  
deployed at the edge and core of my home network, so FTP and IPSec  
aren't issues, though I haven't tried SIP yet.

Honestly, the fact that the wal-mart routers don't support the  
workarounds isn't NAT's fault. It's Belkin's, and Netgear's, and Cisco's  
for trying to be cheap by assuming the folks who are going to buy  
those routers won't have any need to get the advanced protocols around  
NAT.

> It's going to have to happen relatively soon, within the next five to
> ten years at the absolute latest, unless there are even more drastic
> measures deployed into the world for managing the scarcity of IPv4
> addresses.  The switchover, though, is more of a catch-22 situation  
> than
> anything else:  It can't be widely deployed until it's widely used,  
> and
> it won't be widely used until it's widely deployed.  The only real
> option, then, is to build new networks---networks installed
> _today_---for IPv6, and use IPv4 on them for backwards compatibility
> until the IPv4 portions of the network can be turned off and disabled.
> I don't think that IPv4 can be removed from the network stack in the
> next five years, because there will still be people switching over.   
> But
> the IPv6 Internet will start becoming larger very soon.  Tunnels may  
> be
> all that is available now, but Comcast is already using IPv6  
> internally
> for the management of some of their CPE as of May 2007 [1].

I'd imagine Comcast would have to, they're still working on the  
consolidation of their network, and from what I've heard and seen from  
my own service, they're having issues. At the rate they buy people, I  
can just imagine what a balancing act it is to keep it all working.

As far as the adoption relatively soon.... I think five years is  
highly optimistic. Ten years may be a little more likely. Basically,  
ip6 isn't going to get implemented until the ip4 space runs out. And  
when that happens, the companies who are holding on to large swaths of  
unused blocks are going to make a killing, as the demand for new IP  
blocks reaches an all time high. Finally, when it reaches a point  
where it'd be more cost effective to adopt ip6 than continue buying  
ip4 blocks, that's when ip6 will start seeing widespread adoption.

> It certainly is, for now.
>
> But it's not going to go away any faster if it's looked at as "good
> enough," which is the viewpoint shared amongst most people that aren't
> even aware of its existence.  Non-technical people will say "Don't fix
> it, because it ain't broke," when really they have no clue.  Yes, it
> works _today_, but it will _not_ work in the very near future when all
> the addresses have been gobbled up.  The biggest problem is that those
> who know very little and are in charge of things like networked
> applications and operating systems and the like have dragged their  
> feet
> for far too long.  The free operating systems have had solid support  
> for
> IPv6 for a (comparatively) very long time; same with many networked
> servers/clients in free software.  Why is it taking so long for  
> everyone
> else to have the readiness and actually have that readiness deployed?
> Why haven't appliances already switched to running dual-stack network
> layer software, and made it so that ISPs can flip the switch and  
> things
> will work?

That's a pretty easy question to answer: Money.

Right now, there's no need to screw with the status quo. (from the  
viewpoint of the folks who are making the money). So you keep selling  
what you're selling, let the panic begin, then announce that you have  
this wonderful new fully ip6 supportive product so you can sell them  
the same thing again.

The cynic in me believes the Tier 1s are just waiting until they've  
decided they can't bleed the turnip anymore before they decide 'Ok,  
time to go to ip6'.

Last year, O'Reilly put out a wonderful book called Network Warrior  
(for anyone who's new to the network field, I suggest picking it up...  
it's a wonderful brain dump of a guy who's been doing network admin  
for a very long time, and full of useful little tricks). It is my  
sincere belief that the chapter on dealing with upper management  
should be required reading for anyone who works in a corporate IT  
environment, whether you're involved with netops or not.

In that chapter, he tosses around a few maxims, the first of which  
has stuck with me ever since I read it -

Network designs are based on Politics, Money, and The Right Way To Do  
It - in that order.

That one sentence is a perfectly succinct explanation of why the  
adoption of ip6 has been so slow, and why it'll be a bit slower in  
coming.

> In any event, the whole thing that started this is that I am waiting
> until I can have a proper network setup before I actually host
> everything of my own.  When IPv6 is deployed, we'll see what happens  
> in
> terms of how they hand out address space.  It's my hope that ISPs will
> give /64s out, since those yield the smallest possible node address in
> IPv6.

I'm actually trying to get the folks at work to put in a request for  
an ip6 allocation so I can play with it on our sandbox segment. We're  
already eating up a /18 and a couple /20's, but I'd at least like to  
get to work on an ip6 implementation so we can do it right when the  
time comes.

> I'd absolutely _hate_ to be double-NATed.  One NAT---the router
> that I have here---I can work around.  Two?  One here, and one at the
> ISP?  That's much harder to work around.  Of course, that'd be one way
> that the ISP could save money, using one NAT at each node.  But it'd  
> not
> be worth it.

That's actually my biggest worry. If Comcast ever starts handing out  
RFC 1918s via dhcp instead of real IPs, I'll move to another  
provider in a heartbeat. I think Bellsouth started that crap down in  
Florida at one point, but the outcry caused them to reconsider.

> As things stand today, there are 38 /8 blocks that are unallocated  
> [2].
> The estimates that I have seen estimate the exhaustion of the IPv4
> address space in anywhere from two years to four years, depending on  
> the
> level of allocation that the exhaustion is being estimated for.

Oh, you should subscribe to the NANOG mailing list. The predictions  
are much more dire than that :)

>  It's
> time for ISPs to saddle up and get ready to deploy, and work with
> vendors to ensure that the hardware being sold will work properly.

Honestly, you can't blame the vendors for this one (at least not in  
their enterprise hardware). Cisco and Juniper have had ip6 support for  
a very long time now, so they did their part. The ISPs need to be  
yelling at their peers and the people they purchase transit from to  
get the ball in motion, those are the folks who are really holding the  
show up.

> There will almost certainly be a period of chaos that everyone will
> remember during the transition, but that's life, and life cannot  
> always
> be made nice and insulated.

Honestly, I think it'll be like Y2K. All the unnecessary build up and  
then .... poof. One day your dhcp lease will refresh and you'll have  
an ip6 IP instead of ip4 and things will just work.
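The thread above asserts that FTP needs a NAT "helper" while commodity boxes often skip it; the following is an added illustration (not code from either poster) of why: active-mode FTP carries the client's own address inside the PORT command, so a NAT that rewrites only packet headers leaves an unroutable RFC 1918 address in the payload, and an application-layer gateway has to rewrite it and record the return mapping. The addresses, the starting port of 40000 and the `FtpAlg` class are constructed for the example.

```python
import ipaddress
import re

# Constructed topology: RFC 1918 client behind a NAT that owns one public address
# (203.0.113.7 is a documentation address standing in for a real public IP).
INSIDE_CLIENT = ipaddress.ip_address("192.168.1.20")
NAT_PUBLIC = ipaddress.ip_address("203.0.113.7")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def is_rfc1918(ip) -> bool:
    """Private addresses are not routable from the Internet, so a server cannot dial them."""
    return any(ip in net for net in RFC1918)

def parse_port(cmd: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("not a PORT command")
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        raise ValueError("field out of range")
    return ipaddress.ip_address(".".join(map(str, f[:4]))), f[4] * 256 + f[5]

def format_port(ip, port: int) -> str:
    """Encode (ip, port) back into the PORT command's comma-separated form."""
    return "PORT %s,%d,%d\r\n" % (str(ip).replace(".", ","), port // 256, port % 256)

class FtpAlg:
    """Hypothetical minimal FTP helper: rewrites PORT to the public address and
    records the mapping the NAT needs to forward the server's inbound data connection."""
    def __init__(self, public_ip, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # (public_ip, public_port) -> (inside_ip, inside_port)

    def rewrite_port(self, cmd: str) -> str:
        inside_ip, inside_port = parse_port(cmd)
        if not is_rfc1918(inside_ip):
            return cmd  # already a public address, nothing to translate
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[(self.public_ip, public_port)] = (inside_ip, inside_port)
        return format_port(self.public_ip, public_port)

def server_can_connect(cmd_seen_by_server: str) -> bool:
    """The server dials whatever address the PORT payload names; a header-only
    NAT hands it the unchanged command, an ALG hands it the rewritten one."""
    ip, _ = parse_port(cmd_seen_by_server)
    return not is_rfc1918(ip)
```

Feeding `format_port(INSIDE_CLIENT, 5001)` straight to `server_can_connect` (what a header-only NAT does) yields False, while passing it through `FtpAlg(NAT_PUBLIC).rewrite_port` first yields True.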

