Re: IPv6 standard?
2009-09-17 12:16:52
a standard does not deployment make. There are networks still
running DECNETpV, Chaosnet, X.25, and even XNS. If there ever
is a time when IPv4 is -not- running somewhere, it is likely to be
after 2038 - there is no "pure" IPv4 today and it is doubtful there
will ever be a "pure" IPv6 Internet.
--bill
On Thu, Sep 17, 2009 at 09:29:52AM -0400, Steve Crocker wrote:
There are hundreds of millions of IPv4 computers and perhaps millions
of individual IPv4 transport networks, large and small.
Here are some useful points along the way from pure IPv4 to pure IPv6.
A. Every new computer is able to talk IPv6
B. Every transport is able to talk IPv6, i.e. every network from tier
1 ISPs down through wifi hot spots and every internal corporate network
C. Every major service, e.g. Google, CNN, Amazon, is reachable via IPv6
D. Every new computer is not able to talk IPv4
E. A substantial number of transports are unable to talk IPv4
F. A substantial number of major services are not directly accessible
via IPv4 (but, of course, will be accessible via gateways)
I haven't included supporting details like DNS and gateways between
IPv4 and IPv6.
We're basically at A. Give some thought to the dates you'd assign to
B through F. Feel free to disagree that these are significant steps
along the path, but if you do disagree, please propose other
reasonable and measurable mark points.
I didn't include the bitter end of this process, i.e. the complete
disappearances of IPv4. If we get through steps A through F, the rest
won't matter much.
I have trouble believing this will all happen in less than 20 years.
I do not have trouble imagining it might take much longer.
I don't have any stake in the outcome. It's fine with me if it
happens faster. However, the mechanisms for interoperability between
IPv4 and IPv6 are still being worked out and the products to do the
work, i.e. application gateways, are not yet plentiful. Moreover,
even when the first products appear, there's a long maturation cycle.
As one example, two years ago the ICANN Security and Stability
Advisory Committee (SSAC) looked at the products in the security area
-- firewalls, etc. -- to see whether the feature sets for IPv6 were
the same as for IPv4. The good news was the products did actually
support IPv6. The bad news was the feature sets were noticeably poorer.
Our report, SAC 021, http://www.icann.org/committees/security/sac021.pdf ,
concluded with:
IP version 6 (IPv6) transport is not broadly supported by commercial
firewalls. On average, less than one in three products support IPv6
transport and security features. Support among the firewall market
share leaders improves this figure somewhat.
Support for IPv6 transport and security services is available from
commercial firewalls for all market segments, however, availability of
advanced security features is lagging in SOHO and SMB segments and
strongest in the LE/SP segment.
Overall, relatively little support for IPv6 transport and security
features exists. However, some form of traffic inspection, event
logging, and IP Security (IPsecv6) are commonly available among
products that support IPv6 transport and security services.
Internet firewalls are the most widely employed infrastructure
security technology today. With nearly two decades of deployment and
evolution, firewalls are also the most mature security technology used
in the Internet. They are, however, one of many security technologies
commonly used by Internet-enabled and security-aware organizations to
mitigate Internet attacks and threats. This survey cannot definitively
answer the question, "Can an organization that uses IPv6 transport
enforce a security policy at a firewall that is commensurate to a
policy currently supported when IPv4 transport is used?" The survey
results do suggest that an organization that adopts IPv6 today may not
be able to duplicate IPv4 security feature and policy support.
The observations and conclusions in this report are based on collected
survey results. Future studies should consider additional and deeper
analyses of security technology availability for IPv6. Such analyses
are best performed by certification laboratories and security
assessment teams. Before attempting further testing and analysis, the
community must alter the perception among technology vendors in
general (and security vendors specifically) that the market is too
small to justify IPv6 product development.
The situation is probably better now, but I would guess there's still
some distance to go.
Imagine the decision process for the CIO or network architect of a
medium or large company. A security policy exists and it's
implemented with a collection of commercial products -- firewalls,
routers, intrusion detection systems, etc. -- all configured and
managed to support the company's security policy. Further imagine that
both the transport and the individual devices are all capable of
supporting and using IPv6. How quickly will the CIO or network
architect decide that it's time to switch everyone over to IPv6?
Among other things, he will likely want to make sure he can continue
to implement the company's security policy. As of two years ago, he
couldn't buy products that would function at the same level.
IPv6 is definitely necessary and we should all do everything we can to
move in that direction. I'm just noting that even when IPv6 is widely
available and in broad use, there will be a long tail before IPv4
fades from the scene.
Steve
On Sep 17, 2009, at 2:36 AM, Olivier MJ Crepin-Leblond wrote:
"Steve Crocker" <steve(_at_)shinkuro(_dot_)com> wrote:
We're some distance away from deprecating IPv4. Maybe 20 years,
maybe 50 years. For a very long time, IPv6 and IPv4 will co-exist.
I know you wrote those figures to be provocative, Steve. :-)
I mean, 50 years? That's like saying "computers will still run on
valves in 50 years' time" in 1950.
Of course this is a matter of appreciation, and frankly, does it
really matter how long IPv4 will be around?
Let's worry at the future, not the past.
Kindest regards,
Olivier
--
Olivier MJ Crépin-Leblond, PhD
http://www.gih.com/ocl.html
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
--
--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).