North American Network Operators Group


Re: The Choice: IPv4 Exhaustion or Transition to IPv6

  • From: Eliot Lear
  • Date: Mon Jul 02 03:32:28 2007


Steven M. Bellovin wrote:
Randy is right.  It's very simple from 30,000 feet; it's a lot messier
in detail if done at scale.  I'll give just one example, using your
suggestion of converting DMZ: how do you keep your firewall rules
consistent between v4 and v6 addresses and prefixes?

We actually cover some of this ground in RFC 4192, which talks about v6 renumbering. Also not fun, but v4 is somewhat less fun. This having been said, and as Simon has noted in a later message, you need to abstract addresses to make all of this stuff work smoothly. That has to happen both in the network management tools and within the operating system. I know that scares the hell out of some people but there is a high price being paid for not doing it.


Eliot
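
One way to apply the address abstraction discussed in this message to the firewall-consistency question, as an added example that is not part of the original post: policy is written once against names, expanded per address family, and any policy line that exists in only one family is reported. The object names, prefixes (documentation ranges) and rule tuple layout are constructed assumptions.

```python
import ipaddress

# Constructed sample data: named address objects, each holding the
# v4 and v6 prefixes for the same set of hosts.
OBJECTS = {
    "dmz-web":  ["192.0.2.0/28", "2001:db8:10::/64"],
    "dmz-mail": ["192.0.2.16/28", "2001:db8:11::/64"],
    "mgmt":     ["198.51.100.0/24"],          # no v6 prefix assigned yet
    "any":      ["0.0.0.0/0", "::/0"],
}

# Policy references names only: (action, src, dst, proto, port)
POLICY = [
    ("permit", "any",  "dmz-web",  "tcp", 443),
    ("permit", "any",  "dmz-mail", "tcp", 25),
    ("permit", "mgmt", "dmz-web",  "tcp", 22),
]

def by_family(name, objects):
    """Split a named object's prefixes into {4: [...], 6: [...]}."""
    fam = {4: [], 6: []}
    for prefix in objects[name]:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits
        fam[net.version].append(net)
    return fam

def expand(policy, objects):
    """Return (rules, gaps): concrete rules per family, plus every policy
    line that cannot be expressed in one family as (line, family, name)."""
    rules, gaps = {4: [], 6: []}, []
    for idx, (action, src, dst, proto, port) in enumerate(policy):
        s, d = by_family(src, objects), by_family(dst, objects)
        for v in (4, 6):
            if not s[v] or not d[v]:
                gaps.append((idx, v, src if not s[v] else dst))
                continue
            for sn in s[v]:
                for dn in d[v]:
                    rules[v].append((action, str(sn), str(dn), proto, port))
    return rules, gaps

if __name__ == "__main__":
    rules, gaps = expand(POLICY, OBJECTS)
    for v in (4, 6):
        for r in rules[v]:
            print(f"ipv{v}", *r)
    for idx, v, name in gaps:
        print(f"GAP: policy line {idx} has no IPv{v} rule ('{name}' lacks an IPv{v} prefix)")
```

Renumbering then means editing one entry in the object table and regenerating both rule sets, and a non-empty gap list flags where the v4 and v6 policies have drifted apart.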