[6bone] Is minimum allocation /64 now?

Jeroen Massar jeroen@unfix.org
Sat, 25 Oct 2003 13:34:14 +0200



Jørgen Hovland [mailto:jorgen@hovland.cx] wrote:

> > From: "Jeroen Massar" <jeroen@unfix.org>
> > Dan Reeder [mailto:dan@reeder.name] wrote:
> >
> > > I think you've misinterpreted his comments Jeroen
> >
> > 1 user, not 1 endsite, not 1 ptp tunnel.
> > If it were an "enduser product" there would be going
> > a /48 to that enduser.
> >
> > > To me it merely meant a /126 ("single user endpoint") as a
> > > means to reach a customer's /48 or /64 prefix.
> 
> Yes. P2P/Single user: A media used by only 1 machine (+ the remote).

Thus users will do NAT as it is cheaper for most of them than
buying a 'premium' service with "more IPs". Still they will
be using more bandwidth than the one single user and thus they
will cost you more money while paying the "single user" price.
Economics 101 :)

> My intentions are not to restrict the customer from receiving
> a /64 for the LAN behind the P2P link, but to hand out a /64 per
> machine or device that should never have more than 1 machine.
> That's why I asked if we need to use ip filter in the future.

That changes the idea, as it is a normal PtP link, thus either:
 - 2x /128
 - something between 64 and 126
 - 1x /64, but:
   - only route the /128 to the other side
   - filter out the rest of the IPs.
 
For SixXS setup we do the route /128 trick btw...

> > That simply is requiring the user to NAT and not giving
> > them full internet access. NAT as 'security' is bullshit
> > If you want to give them 'security' then offer a standard
> > firewalling service like many ISPs do. And of course if
> > you do offer it also offer the option to turn it off for
> > the clued people.
> 
> You got to be joking?  NAT adds security.

Thank you for entering the hall of shame.
NAT adds obscurity, nothing to do with security.

> We do not even need to discuss that.
> "Standard firewalling" means NAT for very many.

That could be that normal people think that, tech folks should not.
Last time I checked 6bone@isi.edu was a technical kind of list...

> In almost all cases when a customer of ours asks for a firewall,
> that's what they get from us because that's what they meant.

Then educate your customers, the same thing saying that a NAT
box is a router, it is, kinda, but it really isn't when using
the correct terminology.

Or are you going to sell them an IPv6 NAT service when what
they really want is a firewall? (aka a port and content blocker)

> I'm not saying that NAT is good, but that's what the majority
> use where I come from.

That's unfortunately where most people come from indeed.
And it has to stop. Not educating and/or correcting people
keeps them thinking that it is just that.

Greets,
 Jeroen
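
The "1x /64, but only route the /128 and filter out the rest" option from the list above, sketched as an added example that is not part of the original message or of any provider's actual setup. The `::1`/`::2` endpoint numbering, the documentation prefixes and all function names are assumptions made for illustration.

```python
import ipaddress


def ptp_plan(tunnel64, lan_prefix=None):
    """Router-side routes for one PtP link numbered out of a /64."""
    net = ipaddress.ip_network(tunnel64)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("tunnel prefix must be an IPv6 /64")
    isp, customer = net[1], net[2]  # assumed: ::1 provider end, ::2 customer end
    routes = [
        (ipaddress.ip_network(f"{isp}/128"), "local"),        # our own end
        (ipaddress.ip_network(f"{customer}/128"), "tunnel"),  # the only routed host
        (net, "discard"),                                     # rest of the /64
    ]
    if lan_prefix:  # optional prefix delegated for the LAN behind the link
        routes.append((ipaddress.ip_network(lan_prefix), "tunnel"))
    return {"isp": isp, "customer": customer, "routes": routes}


def lookup(plan, dst):
    """Longest-prefix match: the most specific covering route decides."""
    addr = ipaddress.ip_address(dst)
    hits = [(n, action) for n, action in plan["routes"] if addr in n]
    if not hits:
        return "default"
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def ingress_permit(plan, src):
    """Accept a packet from the customer only if its source is routed to them."""
    return lookup(plan, src) == "tunnel"


if __name__ == "__main__":
    # Constructed sample: documentation prefixes, not real assignments.
    plan = ptp_plan("2001:db8:0:1::/64", "2001:db8:100::/48")
    for a in ("2001:db8:0:1::2", "2001:db8:0:1::3", "2001:db8:100:5::10"):
        print(a, "->", lookup(plan, a), "| source ok:", ingress_permit(plan, a))
```

The filter is an explicit allow/deny decision on globally routable addresses, with no address translation involved.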
