From: Owen DeLong (no email)
Date: Mon Jun 04 2007 - 12:05:51 EDT
>> In fact, and call me crazy, but I can't help but wonder how many
>> enterprises
>> out there will see IPv6 and its concept of "real IPs for all
>> machines,
>> internal and external!" and respond with "Hell No."
>>
That's an education problem. There's no security gain from not
having real
IPs on machines. Any belief that there is results from a lack of
understanding.
>> Anyone got any numbers for that? I'm happy to admit I don't. :)
>
Nope.
>
> Hence the discussion of site-local (dead), ula, ula-c etc.
>
Site-Local sort of provided that, but, as pointed out, dead.
ULA-random sort of provides it, except that ULA-random only provides
likely uniqueness and so really is the worst of both problems.
There's not
enough guarantee of collision to really prevent it from getting
routed, and,
there's not enough of a guarantee of uniqueness to make organizations
worried about such things comfortable with it.
ULA-C is just Provider-Independent Real addresses with a label stuck
on them that says "These aren't the droids you're looking for, move
along".
Really, the only thing that distinguishes ULA-C from PI is mindset and
router configuration. The former is known to vary in unpredictable
manners.
The latter is known to vary with the application of $$$.
> However widespread use of private address space in ipv4 costs people
> huge amounts of money when you have to merge the business processes of
> two or more large enterprise networks.
>
Yep. Hence the v6 concept of real addresses everywhere. People seem to
have forgotten that private addresses and NAT were a hack designed to
cope with a situation that v6 is supposed to actually solve. I admit
v6 does
not completely solve the problem (at least not yet), but, it solves
enough of
it that we shouldn't be clinging to the v4 hacks that got us by as we
move to
v6.
Owen
|
|
|