[6bone] (long) came across this article any opinions??

Chuck Yerkes chuck+6bone@snew.com
Wed, 12 Mar 2003 15:07:13 -0500


> I'll stick with IPv4 for now, thank you
> By CHUCK YOKE
> Network World, 03/13/00 

Had this been written THIS week, not three years ago, this would be my reply
(and yes, I wrote this before catching that "00" among all the 3s).

I'm Bcc'ing Mr Yoke out of basic courtesy and perhaps a chance
for him to revisit the issue some time.  We're really running out
of IPv4; China is active (if mainly spam), the net's growth
hasn't slowed in absolute numbers.

Posted for opinion mongering on the 6bone mail list, I'll
not avoid the temptation...
------------------------------------------

Network World...
Articles for managers of people running Microsoft networks.  They
often have a fear of alternatives and look for rationalizations
and Network World helps them keep that justified.  If it's not from
MS, it should be questioned deeply.  (I wish their "web" site
actually contained more working HTML.  I'm sure it's lovely on IE,
but that does not a web site make.  Microsoft sites are tiresome.)

They seem to reprint Microsoft Press releases and lost huge
credibility with me when they described Exchange as a cost competitor
to a Unix box running POP with Eudora (or $FestivalOfOptions).
Ever try to not use OutBreak with your Exchange server? My peer
hated our chosen ZMail (our standard POP client), so we gave him
another of 30 clients.  (No pain to our staff at all.)  I've moved
clients from 30 high maintenance (7-8 admins) boxes running Exchange
and the support machines it needs to a 4CPU box running IMAP with
a front end allowing a secretary to add users and 1/2 of an admin
to run the machine.  Oh, it was Unix, so not to be trusted.
(in the meantime, those 7 admins are doing other stuff to make
their network a better place, not wasting their time banging their
heads against the cabinets and the server gets rebooted every 6-8
months as a matter of course).


> I'll stick with IPv4 for now, thank you
> By CHUCK YOKE
> Network World, 03/13/00 

> I don't get it. Maybe it's because I'm over 40 and the brain cells
> are dying, but there are many things happening today in the world
> of technology that I just don't understand.
>
> Take IPv6, for example. I just don't get it. Why in the world
> would I be interested in investing the time, money and effort it
> is going to take to convert my IPv4 networks to IPv6?
>
> At one time I was very interested in IPv6. It was going to solve
> many of my network problems. The extended address space would
> spare me from having to create and maintain a variable-length,
> bit-level subnet addressing scheme.  The built-in authentication
> and security would let me sleep better at night, knowing that only
> secure and authenticated packets were entering my networks. The
> quality of service (QoS) would enable me to fully integrate my
> voice and data over IP.
>
> But then a crisis happened - I ran out of time. I needed IPv6 two
> years ago, and it wasn't there. And I couldn't wait any longer.
> So I did what everyone else in the world was doing: I integrated
> a variety of IPv4-based products and services into my network.

Unlike many Network World managers who lived in proprietary networks
until it was clear that they didn't really scale or interoperate,
many of my peers had been using IPv4 based products and services
in our networks throughout the 80s.

I suspect Mr Yoke's peers or readers were the ones who wondered what
those "@" and "!" things in my business cards' email address meant in
1990.  "Oh, we have email too!", they'd exclaim.  [Yes, but you haven't
been tossing mail around from your network through random networks to
its destination at a place you have no direct relationship with.  You
can send mail to your cubicle neighbor]

I suspect Mr Yoke's readers were the ones who said, "So we could use
this 'internet' stuff *inside* our networks?  Golly.  We'll call it
the 'Intranet'."  No, we'll call it "the network".  It's inter-
when there's more than one.

> My address needs were met by migrating my network to an RFC
> 1918-compliant unregistered IP address.

It would appear Mr Yoke hasn't gone through merging networks that
both use the same RFC1918 networks.  (I now tend towards a personally
owned, unrouted Class C to avoid that).  Managing two NAT boxes
facing each other while you redo lots of machines and configurations
that use addresses rather than names is an experience to be avoided.

I also recall an article where he suggested using other addresses
like 5/8 (5.0.0.0) and 7/8.  The CEO of a client once pulled me aside
and asked why, every time he browsed to his alma mater, he got a
web page on some local Oracle server we'd set up to show statuses.
I had to explain that his network guys had just made up addresses
and it turned out that the Oracle server had the same address as
his school's web server.  And no, we can't fix it quite yet.
Grabbing addresses is bad.   You don't know if China might get 5.


> I now have IP addresses galore and can use a very simplistic
> subnet-masking scheme to segment and identify my networks by
> building and floor. My network technicians can tell from the second
> and third octet exactly where a device is located.

I can look at my IPv6 network addresses and see exactly where the
device is.  NAT is often unacceptable.  Working at places with
upwards of 80 legit Class Bs and 300 Class Cs, secured connections
needed to come into a large variety of systems making NAT an option
with close to zero manageability.  With several connections to the
Internet, from several locations along with connections to partners
with whom we exchanged realtime data, you don't even want to ponder
NAT.  Ever try to get 80 Class B's after 1994?  Me neither.

Mr Yoke is clearly American.  America owns 75% of the address space.
I have a former boss who has an entire class B for his network of 8
machines (down from our company's 300 machines in 4 locations at
one time that got us the Class B in 1991).  Apple has a Class A that,
I imagine, isn't very densely populated given nearly 17 MILLION
addresses and, what? 3000 employees.

Japan has led research in IPv6 with Europe closely behind.  We don't
have the address space in IPv4 to cover most of the still unwired
Asian and African countries.  India and Africa are rapidly wiring;
China is joining the information age in fits and starts.

NAT has slowed the sucking up of address space, but we're rapidly
running out.  I'll enjoy his panic when he realizes that his need
for new addresses for, say, another firewall is met with: "Oh, yeah,
we're almost out so we charge several thousand per year for 8 addresses."
Or even "Nope, all out.  Try later."  That's gonna be a fun day.

I've been deploying IPv6 in testing mode for a couple years. In
that time, Sun has come out with solid IPv6 in Solaris 8 (and now
9).  IBM's AIX, SGI's Irix, all the BSDs, Linux all have good IPv6
implementations (many thanks to work by the KAME institute in Japan).
Cisco's IOS now has IPv6 support, which was critical.  This has changed
since the article in spring of 2000.

Even MacOS X and Microsoft have IPv6!  Given Microsoft's aversion to
innovation, this must mean that IPv6 is becoming solid and ready for
mainstream.  I await their press release announcing their invention
of it.  (I expect their subtle alteration of IPv6 for their own ends.)


> For security, I chose a firewall with features that, when combined
> with the appropriate access control lists, ensure the integrity
> of both incoming and outgoing transmissions. I implemented a
> combination of Remote Authentication Dial-In User Service and
> Challenge Handshake Authentication Protocol to ensure that local,
> Internet-based and remote dial-in connections are granted only to
> authenticated users with the appropriate access levels. And for
> encrypting sensitive documents and files, I implemented PGP -
> inexpensive, easy and best of all, it works!

I fail to see what this has to do with either IPv6 or IPv4.  I suppose
PGP is cute if you want to handle key management and a lack of
infrastructure.  I prefer PKI using SSL with public keys kept in LDAP
directories.  But neither has anything to do with the network layer
- it's all application layer.

As I drive through my downtown with a PDA (Zaurus) running 802.11b, I find
several otherwise "secure networks" with wireless APs running wide
open behind their firewalls.  The firewalls are dutifully watching
the doors.  That PC on the ethernet with the wireless left on is
holding open the windows for those who avoid front doors.  Don't drop
that basket, you'll need those eggs.

> My QoS needs were met by a combination of bigger pipes and faster
> equipment.  100Base-T and 1000Base-T Ethernet give me more than
> enough bandwidth, and the advances in Application Specific Integrated
> Circuit technology ensure that packet serialization delay is kept
> to a minimum. For the more stringent QoS I may need in the coming
> years, I have a plethora of IPv4-based choices, including policy-based
> networking, Differentiated Services, TCP rate shaping and the old
> standby, ATM.

I do like "My QoS needs were met by bigger pipes..."
Well yeah.  I'd like to have Internet2 connections to my work place
- multi-gigabit to Europe and around the country would be neat.
It would avoid problems of browser traffic slowing down other, more
important traffic.

But offering bigger pipes as a "solution" is like saying: "I needed
to better organize my closet, but instead moved into a place with a
couple extra rooms so I keep my clothes piled in there."

The hacks of bandwidth management boxes spewing "ICMP Source Quench"
packets to allow schools and businesses to have SOME non-Web traffic
reach them are Band-Aids (adding MORE boxes and more management
load) until true QOS solutions are available.

Pipes fill.  I'm glad Gigabit is "more than enough bandwidth" for Mr
Yoke.  On a LAN, it often may be.  I'm looking forward to actually
getting 10Gb nets available in 2003.  My connections to the Internet
tend to be smaller than that, even after 3 years.  QoS is still needed.

> So here I am, manager of an IPv4-based network that works fine,
> is addressed in a logical and easy-to-maintain manner, is secure,
> and integrates my voice and data. I just don't see any need to
> convert my functional IPv4 network to IPv6.

A friend asked, in 2000: Why would I ever need IPv6? My offered
answer was "Hi, this is $CellPhone Company, we'd like 64 Class A
networks, please"

He offered that Cell phones don't need IP addresses, they are just
phones.  I recalled this as I browsed the web for directions on my
phone.  I recalled it as I attached it to my Mac in the (moving)
car and got a pretty fast connection to get my mail which had the
address so I could use a map to get directions.  My bad habit of
forgetting to bring addresses is mitigated by IP over cell.

A packed Class A has enough addresses for some of our states.
Got 50-some?  How about the rest of the world.  NAT works while I'm
one of 0.5% doing this.  But my computer phobic friends are getting
phones that do IM and take pictures and other non-realtime tasks.
Cell companies can write proprietary means to handle this, but they
were involved in laying the groundwork for IPv6.  It was the utility
companies who pushed for such a huge address space.  "Imagine an
address for every outlet."


Migration and deployment:
The neat thing is that my boxes have both IPv4 *and* IPv6 addresses.
As the tools I use became IPv6 aware, they use the IPv6 addresses.
The other tools just aren't aware of it and use IPv4.  It's invisible
to me as a user and as an administrator.

So migration can take place *over YEARS* with little to no pain.  And
I get to learn.

When I mounted a disk from a server, it took me some time to realize
it was mounted over IPv6 because the last OS upgrade now supported
it.  I just asked it to mount the file system.

And that's a goal.


As a subnet stops needing IPv4, I can turn IPv4 off.  Those data may
get turned into IPv4 at the edge of an IPv4 network - it's little
effort to set up, but going to IPv6 machines it stays in 6.  It's not
like that night in 1980 when NCP (Network Control Protocol, TCP's
predecessor) was turned off and TCP was turned on.  Large ISPs and
enterprises can bring it in slowly and methodically.

And that's a goal.


Well, your large ISP may be using it in their core of networks right
now.  At the edge, you see your old IPv4 stuff, but it may be going
from their router to the other side of their network, or even into
the target network over IPv6.  And you don't know.

And that's a goal.


This month, the IETF groups are meeting to plan on how to shut
down the "6bone" - an IPv6 tunnel faux-backbone - in a few years.
Why?  Because ISPs, largely not in the US, are offering IPv6.
It's available on most operating systems offered since 2001.
It's here.


Why is it important to use now, before we *need* it?  Because then we
won't be caught unaware when we need it.  Experience in tools before
you have to use them is good.

Now, feel free to ignore it.  I made a good living in the 90's working
with IPX/SPX experts because I knew TCP/IP and how to run a Cisco
router and how to setup a network right.  I've made a good living
migrating networks using addresses that were "just made up" before
they attached to the Internet. I've helped merge companies that both
used 10/8 addresses (that's 10.x.x.x, RFC1918 addresses).  I'd be
happy to take your money when you suddenly find yourself rushing to
implement IPv6.

> I just don't see any need to convert my functional IPv4 network to IPv6.
Perhaps I can rephrase this as: "IPv4 is enough for us."

I'll put that up next to "nobody needs more than 640K" and other
visionary statements.  The list is near my Intel box that has to boot
into the first 8GB, because nobody would ever have more than 8
GigaBytes(!) of hard drive.  (3 disks in software raid give me 300GB
of files served without IPX or SMB or other proprietary protocols.
My machines that were never expected to run MS operating systems have
no problems with very large drives or lots of RAM.  Coincidence?)


chuck yerkes
chuck@2003.snew.com
Internet Consultant
IPv4 and IPv6 spoken here.
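The post describes two IPv4 address-plan problems: merging two networks that both use the same RFC 1918 space (10/8 on both sides), and "made up" addresses carved out of public space such as 5/8 or 7/8 that collide with whoever really holds them. The following is an added example, not code from the post or from anyone at 6bone, showing an audit a network engineer could run on two plans before a merge. The site names and prefix lists are constructed sample data; the 172.16/12 pool used for renumbering suggestions is an assumption.

```python
"""Audit two IPv4 address plans before merging networks (added example).

Constructed sample data: SITE_A and SITE_B are hypothetical plans. Both use
10.1.0.0/16 (the collision the post describes) and SITE_B also uses
prefixes from 5/8 and 7/8, which are not private space.
"""
from ipaddress import IPv4Network

# RFC 1918 private ranges. Anything used internally that lies outside them,
# without an actual allocation, will collide with the real holder's hosts.
RFC1918 = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]

# Constructed sample plans (hypothetical).
SITE_A = ["10.1.0.0/16", "10.2.0.0/16", "192.168.10.0/24"]
SITE_B = ["10.1.0.0/16", "10.200.0.0/16", "5.0.1.0/24", "7.7.0.0/16"]


def parse_plan(prefixes):
    """Parse prefix strings strictly: host bits must be zero, or it's a typo."""
    return [IPv4Network(p) for p in prefixes]


def squatted(plan):
    """Prefixes that are not inside any RFC 1918 range ("grabbed" space)."""
    return [n for n in plan if not any(n.subnet_of(r) for r in RFC1918)]


def overlaps(plan_a, plan_b):
    """Pairs of prefixes that overlap across the two plans.

    Hosts in these ranges cannot reach each other after a merge without
    NAT in both directions or renumbering one side.
    """
    return [(a, b) for a in plan_a for b in plan_b if a.overlaps(b)]


def renumber_suggestions(plan_a, plan_b, pool="172.16.0.0/12"):
    """Map each conflicting side-B prefix to a free /16 from `pool`.

    `pool` is an assumed renumbering pool: a /16 is offered only if it
    overlaps nothing already used on either side.
    """
    used = plan_a + plan_b
    free = [c for c in IPv4Network(pool).subnets(new_prefix=16)
            if not any(c.overlaps(u) for u in used)]
    needed = sorted({b for _, b in overlaps(plan_a, plan_b)})
    if len(needed) > len(free):
        raise ValueError("renumbering pool too small for the conflicts found")
    return {str(b): str(free[i]) for i, b in enumerate(needed)}


def audit(site_a, site_b):
    """Run all checks and return a plain-dict report."""
    a, b = parse_plan(site_a), parse_plan(site_b)
    return {
        "squatted_a": [str(n) for n in squatted(a)],
        "squatted_b": [str(n) for n in squatted(b)],
        "overlaps": [(str(x), str(y)) for x, y in overlaps(a, b)],
        "renumber": renumber_suggestions(a, b),
    }


if __name__ == "__main__":
    for key, value in audit(SITE_A, SITE_B).items():
        print(f"{key}: {value}")
```

The squatted-space check is the one to run first: an overlap between two 10/8 plans is painful but self-contained, whereas a 5/8 prefix on an internal LAN silently black-holes every real host in that range, which is exactly the CEO's alma-mater symptom the post describes.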
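Mr Yoke reads building and floor from the second and third octets of his RFC 1918 addresses; the reply says the same is possible with IPv6 addresses. Neither describes a concrete scheme, so the one below is an assumption: a /48 site prefix with the 16-bit subnet ID split into a building byte and a floor byte, beside the IPv4 10.B.F.0/24 analogue. This is an added example, not code from the post; the site prefix is the RFC 3849 documentation range and the sample addresses are constructed.

```python
"""Encode and decode location in an address plan (added example).

Assumed scheme, not from the post:
  IPv6: <site /48>:<building:8 bits><floor:8 bits>::/64
  IPv4: 10.<building>.<floor>.0/24
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

SITE_V6 = IPv6Network("2001:db8:1234::/48")  # RFC 3849 documentation prefix
SITE_V4 = IPv4Network("10.0.0.0/8")


def _check(building, floor):
    if not (0 <= building < 256 and 0 <= floor < 256):
        raise ValueError("building and floor must each fit in one byte")


def subnet_v6(building, floor):
    """The /64 for a given building and floor under SITE_V6."""
    _check(building, floor)
    subnet_id = (building << 8) | floor
    # Subnet ID occupies bits 64..79 of the 128-bit address (the 4th hextet).
    return IPv6Network((int(SITE_V6.network_address) | (subnet_id << 64), 64))


def locate_v6(addr):
    """(building, floor) for any host address in the site, else None.

    The host part (low 64 bits, e.g. an EUI-64 interface ID) is ignored,
    so the lookup works whether the host used SLAAC, DHCPv6 or static config.
    """
    a = IPv6Address(addr)
    if a not in SITE_V6:
        return None
    subnet_id = (int(a) >> 64) & 0xFFFF
    return (subnet_id >> 8, subnet_id & 0xFF)


def subnet_v4(building, floor):
    """Mr Yoke's style: the /24 whose 2nd and 3rd octets name the location."""
    _check(building, floor)
    return IPv4Network(f"10.{building}.{floor}.0/24")


def locate_v4(addr):
    """(building, floor) from the 2nd and 3rd octets, else None."""
    a = IPv4Address(addr)
    if a not in SITE_V4:
        return None
    octets = a.packed
    return (octets[1], octets[2])


if __name__ == "__main__":
    print(subnet_v6(3, 7), locate_v6("2001:db8:1234:307:21f:f3ff:fe01:2345"))
    print(subnet_v4(3, 7), locate_v4("10.3.7.25"))
```

The point of decoding from the subnet ID rather than the whole address is the one the post makes about dual-stack migration: a host's IPv6 interface identifier may change (SLAAC, privacy addresses) while the /64 it sits in does not, so the location stays readable from the prefix alone.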