James Knott
Sebastian Freundt wrote:
Valid reasons? Sure: In Germany every network operator has to maintain a database of *all* connections from within these networks to the outside for 6 months. Let me take your numbers from below: For a new outbound connection, I have the freedom to use the current epoch time (as in the original definition), which makes up 32 bits, then the process id, 48 bits, then I have 16 bits to spare. Assume I just enumerate my connections, the first connection is 1, the second 2, and so on.
Many people and businesses currently use NAT to share a single IP address by more than one computer. The ISP only sees what is connected to them, and not what's behind the NAT. How does this differ from monitoring everything that passes through an IPv6 router?
There are several answers, from very low-level tech talk to legal issues. I pick a mixture. Imagine someone `uses' (read: forges) one of your addresses inside your /64 (choose a different prefix if you want, the idea is that /x is assigned to you in a bigger network /y (y < x)), say they use 2001:db8:0:0::4 and their `assigned' network is actually 2001:db8:0:1::/64. Now since you insist that they must route ALL traffic inside your network, they will certainly route that address, and since you have no designated router in the 2001:db8:0:0 network (you haven't named one, there's no BGP entry either), they will start an NDP request if no one had used the 0::4 before. Imagine the box that you declared as your router (but the ISP doesn't know about that) is busy/slow/off, it doesn't send a negative reply fast enough, the other guy's router had already ack'd the NDP. Now, their MAC address is in the neighbourhood table, and they can now constantly keep it updated by ping6ing the router (a unicast address of the router was in the NDP packet). Long story short, there's a host in `your' /64 you don't know about and there's nothing you can do about it. Now they start serving child porn (or think of something illegal in your country) with that address. Naturally, the ISP will be asked to block traffic to that host, you lose your connectivity, and well, you go to gaol in my country for that. How do you prove you're innocent? With the liberal setup you're suggesting and just monitoring what goes over the router it's impossible. With a NAT setup as in the v4 world it's entirely different: there is a *designated* host, and from the ISP's point of view, that's all they're concerned about. Any forged traffic goes to *your* box and you can happily throw it away if you don't think it's yours. You seem to be quite confused about the concepts of IPv6. IPv6 is not the same as a 64-bit version of v4 where you have another 64 bits for your own personal use which happen to be globally routed.
BTW, don't tell me to tell the network team to fix their network, we DID that to no avail. If you want to see it yourself, email me, and I'll give you the name and details and instructions on how to set it up.
Another would be if they happen to be on a fragile end of the BGP tree and have to change their routes frequently. STP propagation might be fast, but propagating a changed route if there are millions of entries in the arp table could take a while.
Routing tables are based on network, not individual host addresses. This means that the number of computers or addresses you use is irrelevant, so long as they all belong to your network or subnet.
That's incorrect. Many routing table implementations allow a shortcut notation if you want to route a whole network; Cisco IOS allows that, Linux too. Apparently, if the ISP were in their right mind, they would just route the whole /64 if their hardware supports it. If not, well, you could use STP to generate routes, or you do it the hard way, as the NOC team at our university does, and enter them one by one, also entering the MAC address associated with the IP into the MAC filter. How would you do that?
So? What are you implying here? That all routers on the internet magically had a RAM update and can now hold billions of addresses? It's good to have plenty of space left for the future, but it's not wise to go and waste that space immediately, or to call setups that won't cope with what you imagine broken or wrong.
One of the advantages of IPv6 is that it reduces the size of routing tables. The tables contain only network addresses and are done in a hierarchical manner, so that the most significant bits are sorted first then lesser ones, as you get closer to the destination. You will not find individual computers in a routing table.
Nope, incorrect. Don't claim stuff you're not sure about; at least use phrases like `I think' or so, others may get a completely wrong impression if they read your postings.

    freundt@segen:pts/19:~> sudo ip -6 route add 2001:db8::1 dev aarnet
    freundt@segen:pts/19:~> ip -6 route show | grep db8
    2001:db8::1 dev aarnet metric 1024 mtu 1472 advmss 1412 hoplimit 0

You can argue that it's a /128 network, ok. But I've actually seen hosts where there are thousands of entries like that. I think HE even provides (read/show-only) access to their BGP routers via telnet, you can see it yourself.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
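The per-connection addressing scheme sketched earlier in the thread (a 32-bit epoch, a 16-bit process id and a 16-bit connection counter packed into the 64-bit interface identifier of a /64, so that every outbound connection in the retention log maps back to a time, a process and a sequence number) is worked through below as an added example. It is not code from the thread or from any of the posters; the prefix 2001:db8:0:1::/64 and the epoch/pid/counter values are constructed from the documentation range, and the field widths are the ones stated in the post (32 + 16 + 16 = 64). The last helper checks the other point raised above, whether an address such as 2001:db8:0:0::4 actually lies inside the prefix assigned to you.

```python
import ipaddress

# Field layout of the 64-bit interface identifier, as described in the thread:
#   bits 63..32  epoch seconds   (32 bits)
#   bits 31..16  process id      (16 bits)
#   bits 15..0   connection no.  (16 bits)
EPOCH_BITS, PID_BITS, COUNTER_BITS = 32, 16, 16
IID_MASK = (1 << 64) - 1


def _check_fits(name: str, value: int, bits: int) -> None:
    """Refuse values that would overflow their field and silently corrupt
    a neighbouring field (e.g. a Linux pid above 65535, since pid_max can
    be far larger than 16 bits on 64-bit systems)."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name}={value} does not fit in {bits} bits")


def make_connection_address(prefix: str, epoch: int, pid: int, counter: int) -> str:
    """Build the per-connection IPv6 address inside the given /64.

    `prefix` is assumed to be the /64 the operator actually assigned you;
    the scheme only works when the whole 64-bit host part is yours."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this scheme assumes a /64 assignment")
    _check_fits("epoch", epoch, EPOCH_BITS)
    _check_fits("pid", pid, PID_BITS)
    _check_fits("counter", counter, COUNTER_BITS)
    iid = (epoch << (PID_BITS + COUNTER_BITS)) | (pid << COUNTER_BITS) | counter
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def decode_connection_address(addr: str) -> dict:
    """Reverse the packing: given a logged source address, recover the /64,
    the epoch, the pid and the connection counter for the retention lookup."""
    a = int(ipaddress.IPv6Address(addr))
    iid = a & IID_MASK
    prefix = ipaddress.IPv6Network(((a >> 64) << 64, 64))
    return {
        "prefix": str(prefix),
        "epoch": iid >> (PID_BITS + COUNTER_BITS),
        "pid": (iid >> COUNTER_BITS) & ((1 << PID_BITS) - 1),
        "counter": iid & ((1 << COUNTER_BITS) - 1),
    }


def belongs_to(addr: str, prefix: str) -> bool:
    """True only if `addr` lies inside the assigned `prefix`.

    This is the check an operator would run on a reported address before
    attributing it to a customer: 2001:db8:0:0::4 is *not* part of
    2001:db8:0:1::/64 even though both sit in the same /48."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, arbitrary epoch/pid).
    addr = make_connection_address("2001:db8:0:1::/64", 0x5A000000, 0x1234, 1)
    print(addr)                          # 2001:db8:0:1:5a00:0:1234:1
    print(decode_connection_address(addr))
    print(belongs_to("2001:db8:0:0::4", "2001:db8:0:1::/64"))  # False
```

Because every field is bounded, a pid above 65535 raises instead of spilling into the epoch field; if that matters on your platform, widen the pid field at the expense of the counter (the post leaves those 16 spare bits free for exactly this kind of choice).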