Random thoughts on Slashdot

Date May 1, 2009

I wanted to make a quick reply to someone on Slashdot who suggested adding a 5th octet to IP addresses rather than migrating to IPv6. I meant to write a really quick reply, but it got drawn out. When I was done with it, I thought that some of you might have thoughts on it:

Awesome idea. We'll give Google 1/8, the government can have 2/8, IBM will get 3/8, etc., etc.

Same problem. IPv6 is not a "bad" idea, it's just sort of like...imagine if in the 1950s the phone company had decided "we could go with area codes to subdivide numbers to prevent running out, or we could use letters AND numbers".

Can you imagine the upheaval?

In a lot of ways, that would have been even easier to deal with, because everyone's phone was owned by AT&T. New phones could have been issued without too much problem.

No, imagine it instead in the mid 1980s. Ma Bell doesn't own the phones any more; in fact there are tons of cheap phones available, cell phones are starting to come out, and there are still rotary AND push-button phones.

That's more like what the IPv6 switch is. Do you give the new people 2 numbers, so that grandma can still call them? How long is it before you stop accepting legacy phones that only have 10 dialing options? How the hell do you get DTMF to work with 36 digits? Do we need area codes? It would be weird without them, but we don't really need them.

The equivalents of these questions are still being asked. Just a couple of months ago, there was a huge to-do about NAT and IPv6. "IPv6 is a world without NAT." The hell it is. My internal routers don't get publicly routable IP addresses, even if I have to NAT back to IPv4.

When the wrinkles get ironed out, we're going to wonder how we ever did without it. During the transition, it's going to be hell for everyone (with the possible exception of the clueless end user, who might have to buy a new router at most).

10 Responses to “Random thoughts on Slashdot”

  1. The ocean of noise said:

    I did think it strange that we would be in a world without NAT. Maybe there is something I'm missing, but like you I wouldn't want internal equipment to be 'publicly' facing. Maybe I'm missing something from the firewall aspect?

    Also, in setting up a home network, who would want to go through the hassle of obtaining IP addresses from some global authority?

  2. Stephen P. Schaefer said:

    Where can I go to understand IPv6 routing? BGP is apparently already so overloaded by /24 that many ISPs refuse to route any network smaller than /22; now all of a sudden they're supposed to route /80? I don't see the issue addressed in Wikipedia, aside from "tunnelling", which doesn't sound very different from NAT, and which leaves the IPv4 infrastructure and all its shortcomings in place. I'm obviously missing something fundamental.

  3. Matt said:

    @TOON (wow, great acronym)
    There are apparently a couple of "private" blocks reserved. I'm going to do more research.

    @Stephen
    That would make an excellent how-to blog entry, wouldn't it? Maybe I'll make it a point to learn it and write about it (which is the best way I've found to make sure that you understand something).

  4. Gary said:

    IP addresses are divided into octets for human consumption only. Machines treat them as unsigned ints.

    IPv4 addresses are 32 bits. Adding another octet would make them 36 bits.

    This would break all routers everywhere that have been designed to work with 32-bit IPs (think memory and routing protocols). It becomes the exact same problem as IPv6, except you've bought yourself another few years instead of (as per Wikipedia) 2^52 addresses for every visible star.

  5. Matt said:

    @Gary

    Wouldn't it make it a 40 bit address?

    And yes, I completely agree with your summary. Totally not worth it for another octet.

  6. James said:

    "Totally not worth it for another octet."

    An octet, an octet! My kingdom for an octet!

  7. Robert Sander said:

    NAT is not a security feature.

    Build your firewall(s) with decent rules and your internal equipment can have routable IP addresses.

    And for the routing: AFAIK routing in IPv6 is hierarchical. And the minimum you get from your upstream is a /64 or even a /48 block, so nobody routes at level /80.
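Gary's point above (routers store addresses as unsigned integers, and the octets are only for people; note that five octets would be 40 bits, as Matt says in the next comment), together with Stephen's question about /22 aggregation and Robert's /48 and /64 allocations, can be shown in a few lines of code. The example below is added here and is not code from the post or any commenter. It parses dotted-quad IPv4 and colon-hex IPv6 text into integers and does longest-prefix-match lookups over a small route table; the route entries and next-hop names are constructed sample data using the documentation address ranges.

```python
# Added example (not from the original post or its comments): IP addresses as
# unsigned integers, and longest-prefix-match routing over those integers, to
# show that routers care about address width and prefix length, not octets.
# The route tables are constructed sample data, not real allocations.

def parse_ipv4(text: str) -> int:
    """Dotted quad -> 32-bit unsigned int (the form a router actually stores)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {part}")
        value = (value << 8) | octet
    return value

def parse_ipv6(text: str) -> int:
    """Colon-hex with at most one '::' -> 128-bit unsigned int."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' allowed")
    head, _, tail = text.partition("::")
    head_groups = [int(g, 16) for g in head.split(":") if g]
    tail_groups = [int(g, 16) for g in tail.split(":") if g]
    missing = 8 - len(head_groups) - len(tail_groups)   # groups the '::' stands for
    if "::" in text:
        if missing < 1:
            raise ValueError(f"'::' must replace at least one group: {text!r}")
    elif missing != 0:
        raise ValueError(f"expected 8 groups: {text!r}")
    value = 0
    for g in head_groups + [0] * missing + tail_groups:
        if not 0 <= g <= 0xFFFF:
            raise ValueError("group out of range")
        value = (value << 16) | g
    return value

def prefix_matches(addr: int, net: int, plen: int, width: int) -> bool:
    """True when the top `plen` of `width` bits of addr equal those of net."""
    shift = width - plen
    return (addr >> shift) == (net >> shift)

def lookup(addr: int, table, width: int):
    """Longest-prefix match: the most specific matching entry wins."""
    best_len, best_hop = -1, None
    for net, plen, hop in table:
        if plen > best_len and prefix_matches(addr, net, plen, width):
            best_len, best_hop = plen, hop
    return best_hop

# Constructed IPv4 table: an ISP aggregate /22 (the smallest size Stephen's
# comment says many ISPs will carry) with one more specific /24 inside it.
ROUTES_V4 = [
    (parse_ipv4("0.0.0.0"), 0, "default"),
    (parse_ipv4("198.51.100.0"), 22, "isp-A"),
    (parse_ipv4("198.51.100.0"), 24, "customer-B"),
]

# Constructed IPv6 table: provider /32, a site /48 inside it, a LAN /64 inside
# that. Nothing here is routed at /80, matching Robert's comment.
ROUTES_V6 = [
    (parse_ipv6("2001:db8::"), 32, "isp-A"),
    (parse_ipv6("2001:db8:1::"), 48, "site-B"),
    (parse_ipv6("2001:db8:1:2::"), 64, "lan-C"),
]

def lookup_v4(text: str):
    return lookup(parse_ipv4(text), ROUTES_V4, 32)

def lookup_v6(text: str):
    return lookup(parse_ipv6(text), ROUTES_V6, 128)

if __name__ == "__main__":
    for a in ("198.51.100.7", "198.51.102.9", "203.0.113.5"):
        print(f"{a:>16} -> {lookup_v4(a)}")
    for a in ("2001:db8:1:2::55", "2001:db8:1:9::1", "2001:db8:ffff::1", "2001:db9::1"):
        print(f"{a:>18} -> {lookup_v6(a)}")
```

The only difference between the IPv4 and IPv6 paths is the `width` argument: the same shift-and-compare works for 32 or 128 bits (or 40, for a five-octet address), which is exactly why a wider address needs new router memory layouts and protocol fields rather than a small patch.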

  8. Matt said:

    @Robert

    No, NAT by itself is not a security feature. NAT combined with non-routable addresses does improve security to a large degree, however.

    I agree that proper firewall rules are a must, NAT/private IP or no.

    That's interesting about the network sizes. I'm really looking forward to learning more about IPv6. I put IPv6 Essentials on my O'Reilly bookshelf, so hopefully my knowledge will increase soon.
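Robert's point that "decent rules" rather than NAT are what protect internal equipment, and Matt's agreement that firewall rules are a must either way, come down to one policy: deny inbound by default, let replies to flows the inside opened through, and publish only the services you mean to publish. The toy stateful filter below is an added example, not code from the post or any commenter, and uses constructed addresses from the 2001:db8::/32 documentation range; it shows that an internal host can hold a globally routable address and still be unreachable from outside.

```python
# Added example, not code from the original post or its comments: a toy
# stateful packet filter for a LAN whose hosts carry globally routable IPv6
# addresses. It shows Robert's point: a default-deny inbound policy with a
# connection-tracking exception, not NAT, is what keeps unsolicited traffic
# off internal machines. All addresses (2001:db8::/32 documentation range),
# ports and packets are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when the packet arrives from the WAN side

# Services deliberately published to the outside: (address, port). Anything
# else inbound is dropped unless it belongs to a flow the inside opened.
INBOUND_ALLOW = {("2001:db8:1:2::80", 443)}

class StatefulFilter:
    """Default-deny inbound; outbound flows create state that lets replies in."""

    def __init__(self, allow=INBOUND_ALLOW):
        self.allow = allow
        self.flows = set()   # (inside addr, inside port, outside addr, outside port)

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            # An internal host initiated the flow: remember it so the reply passes.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "accept"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"      # reply to a connection opened from inside
        if (p.dst, p.dport) in self.allow:
            return "accept"      # explicitly published service
        return "drop"            # routable address, but not reachable unsolicited

def filter_trace(packets) -> list:
    """Run a packet sequence through a fresh filter and return the verdicts."""
    f = StatefulFilter()
    return [f.decide(p) for p in packets]

# Constructed trace: a workstation fetches a page, the server replies, an
# outsider then probes the workstation's SSH port, and another outsider
# reaches the published web server.
SAMPLE_TRACE = [
    Packet("2001:db8:1:2::10", 51000, "2001:db8:9::1", 443, inbound=False),
    Packet("2001:db8:9::1", 443, "2001:db8:1:2::10", 51000, inbound=True),
    Packet("2001:db8:9::1", 40000, "2001:db8:1:2::10", 22, inbound=True),
    Packet("2001:db8:9::1", 40001, "2001:db8:1:2::80", 443, inbound=True),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, filter_trace(SAMPLE_TRACE)):
        print(f"{verdict:6} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The third packet is the one that matters for the argument: the workstation's address is perfectly routable, yet the probe is dropped because nothing inside asked for it. A real firewall adds what this toy omits, namely expiring flow entries, TCP state tracking and ICMPv6 handling, but the policy shape is the same.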

  9. Robert Sander said:

    Yes, I do agree that NAT + firewall gives good security. I also use it (+ the fact that we would never get enough routable IPv4 addresses for our LAN).

    But just look at an application like Skype which happily bypasses NAT to establish P2P communication. They put many man-hours into circumventing NATs because NAT is there.

  10. Matt said:

    @Robert

    Yes, Skype is a great example of what very determined people can do to undermine network security.

    NAT definitely isn't a turnkey security solution. Like you mentioned earlier, technically it isn't a security solution at all, it's just part of a bigger piece of the puzzle. I don't think it's ever going to be easy, regardless of the underlying network technology.

    I just wanted to say thanks for your comments, and for reading the blog for so long. I really appreciate it, and I really appreciate people coming and disagreeing with me. It definitely keeps me learning. Thanks!
