Re: inevitability of PI

> In trying to formulate an answer to this it occurs
> to me that there's a better question to ask: if it
> is inevitable that we need PI space for
> disconnected networks, then do you concede that we
> will end up with (a) NAT's and (b) route growth
> (due to advertising /48's) for people who decide
> to get and (ab)use them?

I don't see either of these results as inevitable.

I think that we can make rules that say "no NATs in IPv6" and
"advertisements of PI prefixes on the public Internet should be
filtered" and that those rules will have a useful effect. They might not
entirely prevent either practice, but they may make them rare enough
that they do not cause huge problems.

In the case of NATs, I believe users will be less eager to deploy
NATs in IPv6 because (a) the absence of NATs in IPv6 allows the Internet
to support new kinds of applications that will drive deployment and (b)
IPv6 gives users better ways to solve some problems (renumbering,
attachment of a home network) whereas in IPv4 NATs were the
best tools available.  That, and there is a greater awareness of NAT
problems than there used to be.  IMHO the big wildcard is security:
whether users will realize that NATs actually provide very little
security benefit as compared to, say, stateless firewalls (which
themselves provide only a marginal benefit). Just as with poorly-chosen
countermeasures against spam and terrorism, there's currently a
widespread belief that any countermeasure against network attack is
justified, no matter how little protection it provides and how much
damage to functionality it does. Eventually people will learn better,
but I don't know how long this will take.

In the case of advertising PI prefixes, I believe ISPs will understand
the wisdom of filtering them.  They might not start filtering them
immediately, but if routers get overloaded, the price of advertising a
PI prefix will increase rapidly.  It might become cheaper to buy
redundancy using PA prefixes than to buy it using PI prefixes.  (I
could even imagine allocating PA prefixes to small sets of ISPs, for use
by customers that get connectivity from more than one of them.)  And I
suspect that if we recommend it, and get buy-in from network operators'
groups, a substantial fraction of ISPs will filter PI prefix
advertisements from peers.  That and I'm convinced that it's possible to
"aggregate" non-adjacent prefixes for route computation purposes with
only small changes in BGP (which doesn't do much for router memory size
but does a lot for routing computation overhead).  So basically I think
there are lots of ways to solve this problem.

Of course, we do need to provide better solutions for scalable routing
renumbering, and multihoming.  We also need a better security
architecture.  My impression is that we are devoting too much energy
to freaking out, when there are important problems we need to be
working on.

In particular, we need to get ourselves out of the habit of crying "that
will lead to NAT" or "that will lead to route explosion" and using these
as excuses to stop investigating a solution path.   Of course these are
hazards that should be respected, and I think everyone here understands
that.  But none of us knows with anything resembling certainty what the
market will demand, and so treating either of these as the "kiss of
death" for an idea serves no purpose other than to prevent us from
investigating (and thus, failing to discover) potential solutions.

IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com
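The post argues that ISPs can filter PI prefix advertisements (such as /48s) received from peers, which limits route growth. As an added illustration that is not part of the thread, the Python below models such an inbound prefix filter: it accepts global-unicast IPv6 aggregates up to an assumed maximum length of /32 and rejects everything else with a reason, then tallies what a peer's announcements would have added to the table. The policy constants, the sample announcements and the function names are all constructed for this example.

```python
import ipaddress

# Policy constants (assumptions for this illustration, not from the thread).
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
MAX_PEER_PREFIX_LEN = 32  # longest prefix accepted from a peer; /48 PI is rejected

# Constructed announcements a peer might send; documentation prefixes only.
SAMPLE_ANNOUNCEMENTS = [
    "2001:db8::/32",        # PA aggregate: accepted
    "2001:db8:1234::/48",   # PI-style /48: too specific for a peer session
    "2001:db8:ffff::/64",   # even more specific: rejected
    "fc00::/7",             # unique-local space: never routed publicly
    "2001:db8::1/48",       # host bits set: malformed announcement
    "192.0.2.0/24",         # IPv4 on an IPv6 session: rejected
]


def classify(prefix, max_len=MAX_PEER_PREFIX_LEN):
    """Return (verdict, reason) for one announced prefix string."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return ("reject", "malformed")
    if net.version != 6:
        return ("reject", "not-ipv6")
    if not net.subnet_of(GLOBAL_UNICAST):
        return ("reject", "not-global-unicast")
    if net.prefixlen > max_len:
        return ("reject", "too-specific")
    return ("accept", "ok")


def apply_filter(announcements, max_len=MAX_PEER_PREFIX_LEN):
    """Apply the policy to a list of announcements.

    Returns the accepted prefixes in order and a count of rejections by reason,
    so an operator can see how much table growth the filter prevented.
    """
    accepted = []
    rejected = {}
    for prefix in announcements:
        verdict, reason = classify(prefix, max_len)
        if verdict == "accept":
            accepted.append(prefix)
        else:
            rejected[reason] = rejected.get(reason, 0) + 1
    return accepted, rejected


if __name__ == "__main__":
    acc, rej = apply_filter(SAMPLE_ANNOUNCEMENTS)
    print("accepted:", acc)
    print("rejected by reason:", rej)
```

Raising `max_len` for a specific customer-facing session, rather than for peers, is how the same code would model the post's distinction between routes learned from customers and routes learned from peers.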