I think Michel is basically correct here. And I think that
draft-hain-templin-ipv6-limitedrange-02.txt should be
read at this point.
Brian
Michel Py wrote:
>
> James,
>
> > James Kempf wrote:
> > One of the things I'd like to see is a list of why people
> > use scoped addresses (RFC 1918) in IPv4.
>
> I have some text about this, see below.
>
> Note: in the text below, the reason I state that some reasons are
> actually non-reasons is because the motive behind the use of scoped
> addresses (RFC1918) is _not_ their scoping but some other property of
> RFC1918 addresses or because the motive is a by-product of some other
> thing that results in RFC1918 addresses being used.
>
> Non-reason #1: "lots of addresses for free".
> --------------------------------------------
> This is why people have moved to NAT, not why people have moved to
> RFC1918; the multiplication of addresses is a feature of NAT, and the
> use of RFC1918 in this situation is only a by-product of the use of NAT
> because it just happens that RFC1918 addresses are the best choice to
> put behind NAT (compared to hijacking a random prefix).
>
> It is generally believed that if we do see IPv6 NAT, it will not be
> because of address scarcity nor because ISPs would charge for a /48.
> Similar to the reason "lots of addresses for free" is not why people use
> RFC1918 (NAT is the reason), price, scarcity or unavailability of IPv6
> PA addresses is likely not why people would want to use IPv6 scoped
> addresses.
>
> Non-reason #2: Cheap alternative to PI/portable addresses.
> ----------------------------------------------------------
> I have _tons_ of customers that have no problem whatsoever obtaining
> enough PA addresses for their needs. They won't get extra ones, but they
> will get enough. Although it is true that for the home market obtaining
> more than one static address is some extra money that could be spent on
> something else, it is a non-existent issue for businesses; PA addresses
> are typically good enough for home use.
>
> For small businesses that get low grade connectivity such as DSL, $20/mo
> or $50/mo to get a /27 or a /26 is insignificant. For larger businesses
> that get T1 and above connectivity, enough PA IPv4 addresses are
> typically part of the deal with the ISP.
>
> So for businesses there are enough addresses, but these addresses are
> not PI. In this situation, people use RFC1918 addresses because they are
> portable, not because they are scoped. Here again the real reason is
> NAT. The main driving force behind this is that the cost of renumbering
> is so high that it offsets by far the annoyances of NAT; besides, most
> enterprises use a combination of public and private addresses.
> Conservation of address space is here nothing more than an added bonus
> of NAT, because businesses might not request as many public addresses as
> they would have if they were not using NAT.
>
> Security/isolation/defense-in-depth.
> ------------------------------------
> This is a non-reason for the home market and a valid one for the
> business/enterprise.
>
> For the home market: besides having more addresses (described above)
> what the home user likes is the security provided by RFC1918 addresses.
> Why do RFC1918 addresses provide security? Because they are not publicly
> routable, so using those mandates NAT, which does provide a basic
> firewall.
>
> In this case, scoping == not-publicly-routable. So, the home market uses
> RFC1918 not because of their scope but because of the property they have
> being not-publicly-routable, which means NAT, which means basic
> firewall. Security could be provided with a non-NAT firewall, but since
> NAT is already there because the home user wants multiple addresses and
> the cheapest available firewall is a NAT box anyway, NAT it is.
>
> The business/enterprise is where scoping comes into use. In this
> case, scoping != not-publicly-routable. There are perfectly valid uses
> for publicly routable but nevertheless scoped addresses. In this
> environment, the use of RFC1918 addresses provides both a fail-safe
> against firewall/access-list SNAFUs, and a supplemental annoyance for
> hackers. None of these are miracles, but they are part of defense-in-depth
> strategies and are palatable to the taste of the experienced enterprise
> operators that do not like to have all the eggs in the same basket.
> Also, network administrators like the comfort of this big 10/8 block.
>
> In short: why do people use scoped (RFC1918) addresses?
> -------------------------------------------------------
> Home users:
> It has nothing to do with scoping and everything to do with NAT. The
> home user wants a) more addresses for free and b) a basic firewall, both
> of which are features of NAT, not scoping. Usage of RFC1918 addresses is
> only a by-product of NAT.
>
> Business/enterprise:
> Part of it has nothing to do with scoping either. The #1 reason behind
> using RFC1918 in a business environment is independence from the ISP /
> easy renumbering.
> The other part of it is where scoping takes place: automatic/fail-safe
> access control (to be used in combination with manually configured
> security) and an extra annoyance for the hacker (needs to tunnel out on
> top of hacking).
>
> How does this apply to IPv6?
>
> Home users:
> The number of addresses is solved. What is left to provide is a basic
> firewall.
> This brings the question whether or not this basic firewall should be a
> feature of scoping or not. IMHO, these are two different topics, and
> home usage does not care about scoping.
>
> Business/enterprise:
> There is a need for scoping that is currently not fulfilled. This is the
> same concept as IPv4 RFC1918 addresses, except that the reason for
> non-global-routability should be the scoping mechanism, as opposed to
> ambiguity for IPv4.
>
> Note that there also is a need for a PI equivalent that is not fulfilled
> either, and the lack of it leads us directly to NATv6.
>
> > Clearly, NATs are popular in IPv4 for reasons other than lack
> > of address space, and simply condemning them as evil or even
> > arguing against them without understanding why people want
> > them isn't likely to result in a usable technical solution,
> > and probably won't persuade people to stop using them anyway.
>
> Indeed; I hope the analysis above helps to clarify this.
>
> Michel.
>
> _______________________________________________
> Saad mailing list
> Saad@ietf.org
> https://www1.ietf.org/mailman/listinfo/saad
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter
Distinguished Engineer, Internet Standards & Technology, IBM
NEW ADDRESS <brc@zurich.ibm.com> PLEASE UPDATE ADDRESS BOOK