firewall-wizards January 2011 archive

Re: [fw-wiz] IPv6

From: Dave Piscitello <dave_at_nospam>
Date: Fri Jan 07 2011 - 14:24:03 GMT
To: Paul Melson <>


Hi Paul,

Administrative nightmare aside, I agree it's possible and possibly
sustainable, perhaps while some governments heed Darren's advice and
mandate implementation :-)

It certainly seems like the majority of organizations are relying on
this to prove true.

Problems will only grow as some networks evolve from

"only IPv4" to
"v4 and v6, prefer v4" to
"v4 and v6, prefer v6" to
"only v6" (not in my lifetime or perhaps my children's)

And I'm not only talking about routing/reachability here. Some of these
problems are currently seen in DNS implementations (stub and resolver
handling of responses) and servers (what people include in their zone
files and how OSs work; see this thread for a sample).

I am also not convinced that some 11th hour 59th minute "change of
heart" won't occur, and someone will convince the community of an
alternative course. A surprising number of class A's could be returned
to the allocation pool (Interop just returned one). Perhaps we'd do
better with Moskowitz's Host ID in the prolonged NAT'd world you
envision. I don't know enough about how this works to assert this but
Bob would. But I'm not certain that we really need to have statistically
publicly unique addresses for every device and RFID-enabled container,
either. This could prove to be the lazy path forward.

I say "lazy path forward" because at this point IPv6 is nearly 2 decades
old and arguably has less of a foothold than ISDN after the same time
span. Almost all of what was considered "innovation" is either enfolded
into IPv4 or proven to be less useful than imagined. I suspect a fair
number of right-thinking people are asking "is this the best we can do?
are we really only doing this because we are running out of addresses?"
I worry that we'll *only* get a bigger address space out of this
migration and that is a tragedy.

Sorry if I've rambled...

On 1/6/2011 7:00 PM, Paul Melson wrote:
> On Thursday, January 6, 2011, Dave Piscitello <dave@corecom.
>> If ever the phrase "living on borrowed time" applied to the Internet, it
>> might be now. Many organizations are approaching a time when they may
>> have to accept a weaker security deployment in order to add systems
>> because they won't be able to obtain IPv4 addresses.
> Nah, RFC1918 reserved address spaces and NAT ensure ridiculous levels
> of internal scalability. It's an ugly administrative nightmare, but
> very much possible. And with the right public-facing services
> infrastructure, it's possible to obscure tens of thousands of servers
> behind a single IPv4 address. As an industry, we have yet to plumb
> the true depths of IP address space management. And until we do,
> where's the incentive to push for v6 adoption?
> PaulM