The BGP TCP MD5 password mechanism (RFC 2385) is very useful to protect BGP sessions from attempts at unpleasantness by third parties. However, it is rather simplistic. One of the flaws is that there are no provisions for changing the password. In the old days, setting a new password for a neighbor would cause Cisco routers to tear down and reestablish the BGP session. Today, the session survives if the password or key is changed at more or less the same time at both ends. This requires a good deal of coordination. I must say that I can't remember anyone asking me to change an existing BGP password. But the security people insist that it's important to do this regularly, for instance, when employees leave. I think they have a different appreciation of the sensitivity of this key than those of us working in operations.
Anyway, Steve Bellovin, a well-known member of the IETF, has written this "internet draft" and submitted it for publication as an RFC:
http://www.ietf.org/internet-drafts/draft-bellovin-keyroll2385-03.txt (will be deleted after 6 months)
What he proposes is that a router can have more than one active key so it's possible for one end to change keys and the other end to go along with this without the need to coordinate the password change very closely. Unfortunately, it's still possible to configure the wrong key, or forget to change the key after agreeing to do so, and then the BGP session will go down at some point, probably conveniently in the middle of the night. See my posting to the IETF discussion list for details.
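The difference between a single configured key and several active keys can be shown in a few lines. This is an added example, not code from the post or from the draft: the digest follows the RFC 2385 definition, while the Md5Peer class, the key strings, and the rule that the receiver switches its sending key to whichever key the peer used are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

def md5_digest(src, dst, fixed_header, payload, key):
    """RFC 2385 digest: pseudo-header, 20-byte TCP header with the checksum
    zeroed and options left out, segment data, then the shared key."""
    header_len = (fixed_header[12] >> 4) * 4          # data offset, in bytes
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, header_len + len(payload)))
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

class Md5Peer:
    """Hypothetical receiver that accepts any key in its configured set."""
    def __init__(self, keys, send_key):
        self.keys, self.send_key = list(keys), send_key

    def receive(self, src, dst, fixed_header, payload, digest):
        for key in self.keys:
            expected = md5_digest(src, dst, fixed_header, payload, key)
            if hmac.compare_digest(expected, digest):
                self.send_key = key    # assumption: follow the sender's key
                return True
        return False                   # no key matches: segment is dropped

def demo():
    # Constructed sample: one KEEPALIVE from 192.0.2.1 to port 179 on 192.0.2.2.
    src, dst = "192.0.2.1", "192.0.2.2"
    header = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000,
                         10 << 4, 0x18, 16384, 0, 0)
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"
    old, new, typo = b"old-secret", b"new-secret", b"new-secert"

    def sign(key):
        return md5_digest(src, dst, header, keepalive, key)

    single = Md5Peer([old], old)            # one configured key, as today
    multi = Md5Peer([old, new], old)        # both keys active during rollover
    return {
        "single_accepts_new": single.receive(src, dst, header, keepalive, sign(new)),
        "multi_accepts_old": multi.receive(src, dst, header, keepalive, sign(old)),
        "multi_accepts_new": multi.receive(src, dst, header, keepalive, sign(new)),
        "multi_send_key": multi.send_key,
        "multi_accepts_typo": multi.receive(src, dst, header, keepalive, sign(typo)),
    }

if __name__ == "__main__":
    print(demo())
```

The last entry is the failure described above: a mistyped key matches nothing in the set, so every segment signed with it is discarded and the session eventually times out.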
Well, progress isn't always progress, I guess. If you have any opinions on the matter, email me.
Permalink - posted 2006-09-30
Last week, ARIN, the organization in charge of distributing IP addresses in North America, changed its IPv6 address policy so it's now possible to get Provider Independent (PI) IPv6 address space.
According to the ARIN Number Resource Policy Manual:
This is both good news, and bad news. The good news is that if (in the ARIN region) you are currently connected to two or more ISPs for IPv4, you can now do this in much the same way with IPv6. Since IPv6 routing is almost identical to IPv4 routing, all of this should be fairly easy.
However, since both the routing protocols (including BGP) and the rules for getting address space are now mostly the same, this means that in the future, IPv6 routing will suffer from the same problems that have been plaguing IPv4 inter-domain routing: a "global routing table" that is much larger than necessary, requiring network operators to invest in bigger routers and causing unnecessary instability. It also means that multihoming (the practice of connecting to two or more ISPs) will never be possible for truly large numbers of internet users.
The Internet Engineering Task Force has been working on alternative ways to gain multihoming benefits in the multi6 and shim6 working groups. But the ARIN constituents decided not to wait for the completion of this work, which will likely have the effect that the shim6 mechanisms won't be adopted widely or quickly when they become available. One reason cited for moving ahead with a known problematic solution for multihoming was the statement by some organizations that they wouldn't adopt IPv6 in the absence of a multihoming solution. Prediction: they won't implement IPv6 with multihoming anytime soon either.
And unfortunately ARIN (and the other RIRs) still claim that you can filter out any IPv6 prefixes longer than /32 even though they give out micro allocations and now PI blocks that are longer than that, mostly /48. See my article from nearly three years ago.
Permalink - posted 2006-09-05
Some people, such as D.J. Bernstein in his The IPv6 mess article and Todd Underwood in his Bashing IPv6 at TelecomNEXT blog post argue that the IETF made a critical mistake when creating IPv6 by not making the protocol "compatible" with IPv4. What they mean is that a system that only runs IPv6 can't communicate with a system that only runs IPv4. That indeed seems like a significant oversight: without this, it's necessary to run parallel networks for a long time, and there must be a significant amount of logic to determine which of the two protocols can and should be used for a particular communication session. The alternative seems so easy: just reserve some space for the 32-bit IPv4 address space somewhere in the enormous 128-bit IPv6 address space. For instance, IPv4 addresses could be expressed as IPv6 addresses where the first 96 bits are zero.
This way, an IPv6 host with address 0:0:0:0:0:0:c000:201 (which we are allowed to write down as ::192.0.2.1) can communicate with an IPv4 host with address 10.0.0.1 as long as somewhere along the way, there is a router or gateway that takes the IPv6 packet and transforms it into an IPv4 packet or the other way around, a fairly simple process. At the same time, our IPv6 host with address ::192.0.2.1 can communicate with another IPv6 host that has 3ffe:2500:310:4::1 (well, for the rest of today, at least...) as per IPv6 conventions.
But... The problems start when 3ffe:2500:310:4::1 wants to communicate with 10.0.0.1. When the IPv6 packet arrives at the IPv6-to-IPv4 gateway, the 3ffe:2500:310:4::1 IPv6 address can't be translated into a 32-bit IPv4 address without loss of information. So hosts with "real" IPv6 addresses can't communicate with IPv4 hosts. Even worse, there is no way to determine whether a given IPv4-compatible address belongs to an IPv4 host or an IPv6 host. It gets really bad when a host can do IPv6, but it doesn't have IPv6 connectivity to the rest of the internet.
The solution is to forget IPv4 compatible addresses for IPv6 hosts. If an IPv6 host is going to get an IPv4 address in the first place, it's much simpler to let the IPv6 host generate IPv4 packets where appropriate. So such a host would simply have an IPv6 address to communicate over IPv6 and an IPv4 address to communicate over IPv4.
Communication between IPv6-only and IPv4-only hosts can be accomplished using a gateway as outlined above, with the addition of NAT functionality to allow multiple IPv6 hosts behind a gateway to share the gateway's IPv4 address. This is called NAT-PT (Network Address Translation - Protocol Translation) and it has the same downsides as regular NAT in that IPv6 hosts can connect to IPv4 servers, but not the other way around. So IPv6 is more compatible with IPv4 than many people think.
Todd Underwood concludes that "IPv6 is dead, and I think pretty much everyone already knows it" and "I guess that's just about enough time for the stubborn IPv6 camp to admit they're wrong and for all of us to come together and make something that we can easily migrate to." It continues to amaze me in what a hurry people are to declare defeat. I think Todd and others who think along the same lines massively underestimate the amount of time and effort a project like this takes. It's debatable at what point IPv6 was (or will be) mature enough to replace IPv4, but I don't think anyone can seriously maintain that it reached this point before 2002. So that's at least 7 years between publication of the first RFCs and barely adequate. By extension, any new effort won't be ready before 2013. I also fail to see what the critical difference between IPv6 and any new protocol could be: obviously, it has to stay fairly close to the IP we know to avoid unnecessary complications (which IPv6 does, for the most part at least) and even more obviously, it must support longer addresses (which IPv6 certainly does). So how would the new protocol be so much better to warrant the effort?
Permalink - posted 2006-06-06
I wanted to write something about 32-bit AS numbers. But Geoff Huston pretty much said it all.
Note however, that at the time of this writing 33580 AS numbers have been assigned by the RIRs. So there are still nearly 31000 available in the IANA global pool and in the RIRs' pools combined. The 32-bit AS number capability should show up in routers fairly soon. It turns out that for routing protocols the IETF has more strict rules about publishing RFCs: there must be two interoperating implementations before the RFC may be published. This makes no sense whatsoever (but has that stopped the IETF before?) because this means there is no long-term document for these implementers to work off of, as the drafts (the stage before something becomes an RFC) are removed after 6 months.
The 32-bit AS number draft (called "as4bytes", which is strange as the IETF never uses "byte" but rather "octet", after all 25 years ago there were computers that used "bytes" that weren't 8 bits). As I was saying, the 32-bit AS number draft has been around since at least the year 2000, but it couldn't progress because of the two implementations rule. Turns out that Juniper and Redback actually did implement the draft without telling anyone. When this was discovered the RFC publication process was put into motion. I'm interested to see how long it takes for the RFC to become available.
Permalink - posted 2005-12-11
From time to time, I like to go to news.google.com and type "ipv6". This way I get to read interesting articles such as Mad as Hell XII: IPv6. However, there are also sometimes stories that get important facts wrong, such as CIO Today's IPv6: Time Is Still Not Right article.
They don't think IPv6 is very useful at this point, they don't take the US government IPv6 position very seriously and they think NAT is actually a good idea because it hides addresses. So far so good: those are all opinions.
I'm not even going to mention the whole "other countries suffer from address scarcity" thing, which is thoroughly debunked elsewhere.
The part that really annoyed me is:
However, this feature isn't exactly free. Quadrupling the address space dramatically increases the bandwidth required to transport each packet. Sending a 64-byte message, for instance, requires 250 percent more bandwidth in IPv6 than in IPv4.
It seems like they're saying a packet with 64 data bytes will be 3.5 times as large in IPv6 as it is in IPv4. But even if we generously assume they meant that the overhead is 2.5 times as large, they're wrong. An IPv6 header is twice as big as an IPv4 header: 40 rather than 20 bytes. But in the real world, there is other overhead as well: TCP (20 bytes) or UDP (8 bytes) as well as ethernet, which has 18 visible and 20 invisible bytes of overhead. So an IPv4 packet with 64 data bytes uses up at least 64 (data) + 20 (IP) + 8 (UDP) + 38 (ethernet) bytes or 130 bytes worth of ethernet bandwidth. (That's 103% overhead.) The same 64 bytes of data on the same ethernet but now using IPv6 takes up 150 bytes of bandwidth, which is 15.4% more than its IPv4 counterpart. The average size of a packet on the internet is around 500 bytes. 20 extra bytes means an additional overhead of 4%. Yes, the extra bandwidth use is annoying, but it's a far cry from "250 percent more bandwidth".
For low-speed links there shouldn't be an issue as the IPv6 header can be compressed, just like the IPv4 header. (However, I'm not sure if this is actually implemented in available products at the moment.)
Permalink - posted 2005-08-30
According to news reports, the US federal government is adopting IPv6 within the next three years.
However, the reactions are as expected. On the NANOG list, the 1990s efforts by the US federal government to get OSI networking off the ground (see GOSIP) were brought up to underscore the assumption that this effort would fail as well.
As always, the discussion on Slashdot quickly deteriorated to the level of "NAT is good enough" and "We don't need that many addresses anyway".
Makes you wonder what a modern Thomas Edison would do. Give up after the first try and stick with gas light, I expect. (Edison tried thousands of different materials as filaments in light bulbs before he found something that was reliable enough to be useful.)
To be fair, others on the NANOG list pointed out important differences between OSI/GOSIP and IPv6 that make this effort very different.
Permalink - posted 2005-07-04