North American Network Operators Group


Re: who gets a /32 [Re: IPV6 renumbering painless?]

  • From: Paul Vixie
  • Date: Mon Nov 29 12:05:46 2004

> > i have long wished for and sometimes needed a way to renumber a host
> > w/o killing or restarting its active tcp flows.  this isn't a
> > layering violation.  tcp should be able to know about
> > endpoint-renumber events.
>
> Unfortunately this sounds like a good target for people to mess up
> implementations and introduce huge security issues into TCP
> stacks. (along the theme of the one which started the recent MD5
> discussion)

of course.  and if endpoint-renumber were possible, it would also be
used in load-balancing handoffs (similar to the thing that goes under
the trade name "3TCP"), clustering, failover... plus things we haven't
even thought of yet.  of course there would be security problems, and
just knowing the current sequence numbers wouldn't be enough proof,
and there's an interesting question of whether both directions would
have to renumber at the same time.  this is a nec'y enabling technology
for so many things that calling it a layering violation is "outrageous."

> But obviously, implemented properly that would be very useful.  The
> problem then becomes, how an ISP can signal a renumber.

as it turns out, there is no silver bullet -- no single thing that if
we could just do that then we'd be done, "roll credits."  same thing
for spam, as it turns out.  it's going to take a lot of little things,
which amounts to a lot of hard work by a lot of people, some of whom
won't even know each other or about each other's work, to get "ipng" done.
real time tcp session renumberability is on the list, but it's a big
list.

what i DON'T like is having the future of "ipng" decided in star
chambers where things like A6/DNAME can be killed without transparency
or accountability.