
Tuesday, January 11, 2011

firewall-wizards Digest, Vol 55, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 (Dave Piscitello)
2. Re: IPv6 (Martin Barry)
3. Re: IPv6 (Marcus J. Ranum)
4. Re: IPv6 (Marcus J. Ranum)
5. Re: IPv6 (Paul Melson)
6. Re: IPv6 (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Jan 2011 14:28:04 -0500
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] IPv6
To: Paul Melson <pmelson@gmail.com>
Cc: 'Firewall Wizards Security Mailing List'
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4D2B5DC4.50406@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

The discussion thread thus far is a microcosm of all the discussions
I've seen. Paraphrasing a bit...

"Force vendors to provide implementations through regulatory means."

"Reclaiming IPv4 numbers forestalls the inevitable so stop whining
and do IPv6"

"I'm not happy with what you claim is inevitable and have LOTS better
ways to spend my IT dollars. You folks skin your knuckles on the frozen
engine. Call me when you've got it running smoothly and safely. I'll NAT
until you call."

Paul also adds an important additional factor. Spend money now on IPv6
and get nothing, or on DNSSEC and get *some things*, or on a secure mail
infrastructure, or securing mobile devices, or ...

I suppose if you force vendors in 2011 by regulatory caveat you can
force businesses in 2012. Sad...

------------------------------

Message: 2
Date: Sat, 8 Jan 2011 17:42:49 +0100
From: Martin Barry <marty@supine.com>
Subject: Re: [fw-wiz] IPv6
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20110108164248.GA22496@merboo.mamista.net>
Content-Type: text/plain; charset=us-ascii

$quoted_author = "Dave Piscitello" ;
>
> I am also not convinced that some 11th hour 59th minute "change of
> heart" won't occur, and someone will convince the community of an
> alternative course. A surprising number of class A's could be returned
> to the allocation pool (Interop just returned one).

Not that old chestnut!

Each /8 returned would put off IPv4 exhaustion by only about 1 month.

Time and effort would be better spent moving to IPv6.

cheers
Marty


------------------------------

Message: 3
Date: Fri, 07 Jan 2011 18:31:35 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4D27A257.7060906@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dave Piscitello wrote:
> I am also not convinced that some 11th hour 59th minute "change of
> heart" won't occur, and someone will convince the community of an
> alternative course.

Back a long time ago, in the shrouded mists of yesteryear,
some of us asked "why not just double the address size, left-fill
with zeroes, bump the version number, and rock on?"

The answer, at that time (as screeched by the standards
pukes) was "that's IMPOSSIBLE!!" Impossible because backbone
routers would need "gigabytes of RAM to hold routing tables!"
and route lookups would be prohibitively expensive. That was
back in, around, '92 or so, if I recall correctly. Nowadays
it's not like "gigabytes of RAM" would be such a big deal,
but spanning tree and cidr block routing actually solved that
problem, anyhow. In other words, it's not "IMPOSSIBLE" at
all. It's just that there is such a huge emotional and now
technological and financial investment in making IPv6 work,
that the powers that be are not seriously contemplating any
alternatives.

I used to joke (but I was serious) about how if I was a
crazy multimillionaire (I'm not, BTW) I'd brand it
"Mega-IP" hire a bunch of geeks to start submitting
patches for it into open source projects, lobby a couple
router vendors and firewall vendors to adopt it as a
field-expedient Mega-quick and convenient solution, and
I'm guessing IPv6 would be RIP in under a year. I'd do
that because that's just the kind of mean, cynical
bastard I am, some mornings - and it'd be nice to see
the address space problem solved quickly, like it could
have been in 1992, back when it would have taken a couple
of months rather than years of bullshitting around. But
if someone did that, what would the standards bodies have
to do, to keep them busy?

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
(This posting is not an official opinion of Tenable)


------------------------------

Message: 4
Date: Fri, 07 Jan 2011 18:45:45 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4D27A5A9.7070401@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Darren Reed wrote:
> That is the point of why it needs to be someone like the US Government
> and/or DoD saying "be available by IPv6 or you will get no work."

The problem with that theory is that the government and DoD and
whatnot don't even write the specs anymore. They're written by
contractors, for other contractors. No contractor with 1/2 of a
brain is going to specify something that makes them do extra
work that won't make them money, or that means making their
problem harder if there are kludgy workarounds.

That's the polite and reasoned response. :)
The alternate response would be "Bwaaahaahaaaaaa!! ADA.
C2 by 92! FDDI to the desktop. Credibility gap? No, that's
a credibility ABYSS."

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
(This posting is solely the opinion of Marcus J. Ranum.
Do not take internally. Do not expose to open flame. Do
not treat as investment advice. Don't even read it.)


------------------------------

Message: 5
Date: Mon, 10 Jan 2011 06:36:03 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] IPv6
To: <dave@corecom.com>
Cc: 'Firewall Wizards Security Mailing List'
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000301cbb0ba$912f4170$b38dc450$@com>
Content-Type: text/plain; charset="us-ascii"

> I say "lazy path forward" because at this point IPv6 is nearly 2 decades
> old and arguably has less of a foothold than ISDN after the same time
> span.

Hehe! I just recycled some ISDN gear this year while thinking, "what a
shame." But it's a good lesson in technology paradigms and standards
adoption.


> Almost all of what was considered "innovation" is either enfolded into
> IPv4 or proven to be less useful than imagined. I suspect a fair number of
> right-thinking people are asking "is this the best we can do? are we
> really only doing this because we are running out of addresses?" I worry
> that we'll *only* get a bigger address space out of this migration
> and that is a tragedy.

The cost-reward appraisal I've made of IPv6 is that it's not worth it right
now. Of all of the problems I need to solve at a networking level, the
number of available public addresses isn't even a Top 20 issue. I'm far
more likely to spend that kind of time and money and tolerate that level of
pain in order to migrate to DNSSEC or TSCP Secure Email as they solve
problems I don't have effective toolsets for managing today. And their
adoption rates seem to be similar to IPv6. :-)

PaulM


------------------------------

Message: 6
Date: Tue, 11 Jan 2011 01:37:58 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4D2BFAC6.7040703@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dave Piscitello wrote:
> I suppose if you force vendors in 2011 by regulatory caveat you can
> force businesses in 2012. Sad...

Dave, you've got to *seriously* ask yourself "what good is this
standard?" if you've got to think of ways to *FORCE* people to
adopt it. I mean, really. Doesn't that say everything that
needs to be said?

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 55, Issue 5
***********************************************
