North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: v6 subnet size for DSL & leased line customers
> Agreed. In fact, in any network large enough to matter, most modern > hardware forwards L2 and L3 at the same speed, so, there's essentially > no performance barrier. Except we're primarily discussing what are almost certain to be small networks here, so there's probably not even any significant concern about this. > OTOH, in many business netwoks I've seen, there is reason to segment > things into administrative boundaries, boundaries that result from media > conversion creating routed separation of segments, and, other topology > meets physical limitation issues. I find these to be at least as common > as the separation between Internal/External/DMZ. Yes, and just how many of those business networks actually involve more than a handful of networks with a DSL-class upstream connection? Let's not get confused here. I don't ever see large enterprises hanging off residential broadband Internet connections, and quite frankly, if they try, I'm not that concerned about how easy it is for them to manage. > > That /is/ a lack of imagination. ;-) Or, at least, reaching pretty > > far. > > The history of these sorts of devices has been, to date, one of > > trying to > > keep network configuration simple enough that an average user can use > > them. That implies a default mode of bridging will be available. > > You are ignoring the reality of the difference between IPv4 and IPv6. No, I'm not. > With DHCP6 prefix delegation, creating a hierarchical routed topology > becomes as simple (from the end user perspective) as the bridged > topology today, and, requires a lot less thinking ability on the device. > Especially when you consider the possibility of many such topologies > evolving in a situation that could create a loop and the fact that most > such existing devices implement bridging without spanning tree. I look at the practical realities. Let's look at the big IPv6 picture. It is unlikely that there will be wide acceptance of the ability to create ad-hoc routed topologies in many environments; controlled-access corporate environments certainly represent one such environment. That implies that the capability to do bridging (or, if you prefer, switching) will remain as a virtually mandatory option. Creating a hierarchical routed topology certainly seems and sounds nice, and in fact, I'm all in favor of it, but I don't actually expect that it's going to be the default. > I'm saying that bridges tend not to have access controls or at least not > adequate access controls except in a few (l2 firewall oddities like > Netscreen/PIX in Bridge mode) exceptional cases. The point here > is that in IPv6, you aren't "making people route things", You aren't? > the routing > topology will mostly handle itself automatically, although, Oh, you are, you're just pretending you aren't. I see. > people > may wish to intervene to design the security policy or at least have > the ability to modify it from the default. But that's pretty much something that we could and should want regardless. Honestly, how hard would it be, today, to build a little switch-widget that implemented access controls to various ports? And if you do that, does it matter if it's happening on a "router" or on a switch? (hint: answer is "it does not, really, though it may blow the minds of traditionalists.") > You are trying to apply strictly IPv4 thinking to IPv6, and, there are > some reasons that a significant paradigm shift is required. No, actually, I'm not really thinking IPv-anything. I'm thinking more in terms of network blobs and how they interrelate. I could just as easily say that you're applying traditionalist network design paradigms to next-generation networks, when in fact that may not be the right thing to do. > We will agree to disagree on this. Enforcing security policy within > a subnet is ugly at best and unreliable at worst. It makes > troubleshooting > harder. It makes security policy design more complex. It causes many > many more problems than it solves in my opinion. Your average home user isn't going to know about any of that. He's going to have his Netgear (or pick your $fav vendor) smartthing that either routes or switches at Layer 2 or Layer 3, depending. Ultimately, what /he/ is going to want to do is to see a little interface come up, that displays a little graphic view of his network, lets him click on a device, and set security policy. He'll want to be able to set "Vista PC" to access "Everything". He'll want to be able to set "Home Media Server" to access "Local Only". He'll want to be able to set "Vonage VoIP Adapter" to access "Specific Network Only." He isn't going to know or care about your "security policy design," he isn't going to be engaging in any serious "troubleshooting," and he's going to rely on the logic in the device to determine if the policy is even enforceable (which /can/ be determined). He isn't going to be concerned about, or even want to be concerned about, L2 vs L3 or where the firewalling takes place. He's going to expect his device to be smart enough to tell him what he needs to do, and whether the underlying network is one thing or another isn't a serious consideration. You simply have to realize that L2 and L3 aren't as different as you seem to think. You can actually consider them flip sides of a coin in many cases. > Actually, there is some guarantee that, in IPv6, you'll be able to do > that, > or, you will know that you could not. You will make a DHCP6 request > for a prefix delegation, and, you will receive it or be told no. So, as I said... > Most likely, that is how most such v6 gateways will function. /Possibly/. It would be much more likely to be that way if everyone was issued large CIDR blocks, every router was willing to delegate a prefix, and there was no call for bridging. > I think that bridges are less likely to be the norm in IPv6. I'm skeptical, but happy to be proven wrong someday. > > If we have significant customer-side routing of IPv6, then there's > > going > > to need to be some way to manage that. I guess that's RIPv6/ng. :-) > > Nope... DHCPv6 prefix delegation and Router discovery. We'll see. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.