AnandTech Forums > Hardware and Technology > Networking
#26 | mammador (Golden Member, joined Dec 2010, 1,980 posts) | 02-26-2013, 10:15 AM

Scanning as in those Android/iOS subnet scanners?

These are not so malicious though, since network admins sometimes need to scan all available hosts.
__________________
me - i want standard knowledge....

them - :thumbsdown:

me - eh? everybody else got it...tough
#27 | Pheran (Diamond Member, Pittsburgh, PA, joined Apr 2001, 5,398 posts) | 02-26-2013, 10:19 AM

Quote (originally posted by mammador):
> Scanning as in those Android/iOS subnet scanners?
>
> These are not so malicious though, since network admins sometimes need to scan all available hosts.
Err, no, not normally. I mean, you could run a scanner on Android or iOS but I'm talking much more common tools like nmap or other recon tools that will run on Windows/Linux/Mac.

Scanning all address space is no longer feasible in v6. There are other legitimate ways that admins can scan all hosts though, for example by using DHCP logs or ARP caches to identify them as they come online.
__________________
Main PC: Antec Solo II | Gigabyte GA-Z77-DS3H | Core i5 3450 | Crucial Ballistix 16GB DDR3 1600 | HIS IceQ 7870
Intel SSD 330 240G | 2x500GB HD RAID1 | Corsair TX650 Power Supply | Dell U2312HM


Heatware: Pheran
#28 | drebo (Diamond Member, joined Feb 2006, 6,656 posts) | 02-26-2013, 11:39 AM

Quote (originally posted by Pheran):
> Err, no, not normally. I mean, you could run a scanner on Android or iOS but I'm talking much more common tools like nmap or other recon tools that will run on Windows/Linux/Mac.
>
> Scanning all address space is no longer feasible in v6. There are other legitimate ways that admins can scan all hosts though, for example by using DHCP logs or ARP caches to identify them as they come online.
Well, considering that the neighbor discovery protocol pings the gateway of L2, the gateway will have a record of every single host on that subnet.

Also, there is nothing stating that you have to use /64s for client addresses.

Additionally, you can use a DHCP server to maintain which IP addresses are in use.

Forcing administrators to use good practices is a good idea, and maintaining compatibility for bad practices (I lost a device!) is a bad reason to stop progress.

IPv6 has flaws, but this is not one of them.
__________________
"All men are not created equal, and if you believe they are, there's something seriously wrong with you. Some men are destined for greatness. Most aren't. End of story." - Jose Canseco
#29 | Pheran (Diamond Member, Pittsburgh, PA, joined Apr 2001, 5,398 posts) | 02-26-2013, 12:03 PM

Quote (originally posted by drebo):
> Well, considering that the neighbor discovery protocol pings the gateway of L2, the gateway will have a record of every single host on that subnet.
>
> Also, there is nothing stating that you have to use /64s for client addresses.
Right, I should have said Neighbor Discovery, not ARP. Old habits die hard.

I don't understand what you mean by the second statement though.
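Following up on the point in the last few posts that v6 host discovery comes from the neighbor cache and DHCP records rather than sweeping the address space: the script below is an added example, not something any poster in this thread wrote. It parses `ip -6 neigh show` style lines (the sample output is constructed for the example), builds a MAC-to-global-address inventory from entries that actually resolved, and flags MACs that are missing from an asset list. The line format is the one iproute2 prints; the asset list is a made-up placeholder.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ip -6 neigh show` output (made up for this example,
# not captured from a real host). Format: ADDR dev IFACE [lladdr MAC] [router] STATE
SAMPLE_NEIGH = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:10 STALE
2001:db8:1::11 dev eth0 lladdr 00:11:22:33:44:11 REACHABLE
fe80::211:22ff:fe33:4410 dev eth0 lladdr 00:11:22:33:44:10 STALE
2001:db8:1::99 dev eth0 FAILED
2001:db8:1::12 dev eth0 lladdr 00:11:22:33:44:12 DELAY
"""

NEIGH_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>\S+))?(?P<router> router)? (?P<state>[A-Z]+)$"
)

# Neighbor-cache states in which the entry carries a resolved link-layer address.
RESOLVED_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT", "NOARP"}


def parse_neigh(text):
    """Parse neighbor-cache lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "addr": ipaddress.ip_address(m.group("addr")),
            "dev": m.group("dev"),
            "mac": m.group("mac"),
            "router": m.group("router") is not None,
            "state": m.group("state"),
        })
    return entries


def inventory(entries):
    """Map MAC -> sorted list of global (non-link-local) IPv6 addresses seen on-link.

    FAILED/INCOMPLETE entries carry no MAC and are dropped. Link-local addresses are
    skipped: every host has one, and it is not the address a service is reached on.
    """
    hosts = defaultdict(set)
    for e in entries:
        if e["state"] not in RESOLVED_STATES or e["mac"] is None:
            continue
        if e["addr"].is_link_local:
            continue
        hosts[e["mac"]].add(str(e["addr"]))
    return {mac: sorted(addrs) for mac, addrs in hosts.items()}


def unknown_hosts(inv, known_macs):
    """MACs present on-link but absent from the asset list (candidate rogue devices)."""
    return sorted(mac for mac in inv if mac not in known_macs)


if __name__ == "__main__":
    inv = inventory(parse_neigh(SAMPLE_NEIGH))
    for mac, addrs in sorted(inv.items()):
        print(mac, ", ".join(addrs))
    # Placeholder asset list; a real one would come from your CMDB or DHCPv6 server.
    print("unknown:", unknown_hosts(inv, {"00:11:22:33:44:10", "00:11:22:33:44:11"}))
```

On a real network you would run this on the router or a host on each link, since the neighbor cache is per-link, and join it against DHCPv6 lease records to catch hosts that use SLAAC or static addresses and never touched DHCP.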
#30 | theevilsharpie (Platinum Member, Southern California, joined Nov 2009, 2,320 posts) | 02-26-2013, 12:27 PM

Quote (originally posted by drebo):
> Also, there is nothing stating that you have to use /64s for client addresses.
Using a subnet length longer than /64 has a host of caveats and pitfalls (many described in Section B.2 of RFC 5375) which are a pain in the ass to deal with. And even if you do all the planning needed to avoid the known issues with a >/64 subnet, you still have to deal with the fact that many IP stacks consider a /64 the only valid operational network size, and will malfunction if you use anything else.

So yes, you're right: you don't have to use a /64 for an interface. You'd just be a fool not to.
#31 | Red Squirrel (Lifer, Canada, joined May 2003, 28,760 posts) | 02-26-2013, 06:25 PM

Quote (originally posted by Gryz):
> There is this thing called DNS.
> It allows you to use names, instead of numbers.
> My ISP allows its customers to configure a name for their home ip-address. So you can always use ssh, ftp, sftp, or whatever protocol you want to connect to your home machine(s). Via a static name. There is no need for static addresses. (Still, you don't want ip-addresses to change too often, because DNS takes some time to update (although this can be fixed by changing TTLs in advance)).
And somebody has to go and change all those records if the IPs change. What's your point? I'd hate having to go re-edit all my DNS zones because I rebooted my modem and got another IP, or changed ISPs, etc.

And if for some reason it's the ISP that now takes care of DNS, then that means I lose complete control of my DNS? No thanks. I'd rather have 100% control of my own PRIVATE network.

I think it will be a matter of time till at least a 1:1 type NAT is introduced to alleviate this problem, it may not be called NAT, but it will do something similar.
__________________
~Red Squirrel~
486dx2 @66Mhz turbo, 8MB ram, 512MB HDD, sound blaster 16 + 2x cdrom, Trident 1MB video card @ 640*480, 56k high speed modem.
#32 | theevilsharpie (Platinum Member, Southern California, joined Nov 2009, 2,320 posts) | 02-26-2013, 07:04 PM

Your prefix is not going to change if you reboot your modem. Your prefix will change if you switch ISPs, but that would happen with IPv4 as well.
#33 | drebo (Diamond Member, joined Feb 2006, 6,656 posts) | 02-26-2013, 07:39 PM

Quote (originally posted by Red Squirrel):
> And somebody has to go and change all those records if the IPs change. What's your point? I'd hate having to go re-edit all my DNS zones because I rebooted my modem and got another IP, or changed ISPs, etc.
>
> And if for some reason it's the ISP that now takes care of DNS, then that means I lose complete control of my DNS? No thanks. I'd rather have 100% control of my own PRIVATE network.
>
> I think it will be a matter of time till at least a 1:1 type NAT is introduced to alleviate this problem, it may not be called NAT, but it will do something similar.
If you're using DHCP (and even if you're not in some cases), DNS updates itself.

Anyone can run their own DNS server for forward lookups.
#34 | Mir96TA (Golden Member, Delta Quadrant, joined Oct 2002, 1,655 posts) | 02-26-2013, 08:02 PM

Quote (originally posted by Red Squirrel):
> And somebody has to go and change all those records if the IPs change. What's your point? I'd hate having to go re-edit all my DNS zones because I rebooted my modem and got another IP, or changed ISPs, etc.
>
> And if for some reason it's the ISP that now takes care of DNS, then that means I lose complete control of my DNS? No thanks. I'd rather have 100% control of my own PRIVATE network.
>
> I think it will be a matter of time till at least a 1:1 type NAT is introduced to alleviate this problem, it may not be called NAT, but it will do something similar.
Seems like you don't know how IPv6 address assignment works?
There will be no NAT, and 1:1 NAT really doesn't give ya a lot.
What is the point of using NAT in IPv6 unless you're doing NAT-PT (tunneling)?
NAT has served its purpose. It's going to die like IGRP, and hopefully RIP will die alone too.
#35 | Red Squirrel (Lifer, Canada, joined May 2003, 28,760 posts) | 02-26-2013, 08:57 PM

Quote (originally posted by drebo):
> If you're using DHCP (and even if you're not in some cases), DNS updates itself.
>
> Anyone can run their own DNS server for forward lookups.
OK, I don't think you understand what I'm saying.

Say you are a company, you have many local servers like mail.local, files.local, etc. pointing to specific IPs of servers on your network. These are LOCAL servers; while they may have some level of Internet access, they are local to only your network because they have private data. With NAT, it's simple: you assign a 10.x.x.x IP, set it up in your local DNS server, set up the reverse lookups, and within local DHCP everyone's DNS is set to the local one. You are in total control.

If there is no NAT, that means all these local IPs are actually public, and out of your control. That means if the range changes, you need to go into your DNS and change all your servers. Now imagine a company with like 20,000 servers. Of course you can pay for a static, but there's still the issue of what happens if you switch ISPs, or have multiple ISPs as backups.

Last edited by Red Squirrel; 02-26-2013 at 09:02 PM.
#36 | mammador (Golden Member, joined Dec 2010, 1,980 posts) | 02-26-2013, 09:56 PM

Quote (originally posted by Red Squirrel):
> OK, I don't think you understand what I'm saying.
>
> Say you are a company, you have many local servers like mail.local, files.local, etc. pointing to specific IPs of servers on your network. These are LOCAL servers; while they may have some level of Internet access, they are local to only your network because they have private data. With NAT, it's simple: you assign a 10.x.x.x IP, set it up in your local DNS server, set up the reverse lookups, and within local DHCP everyone's DNS is set to the local one. You are in total control.
>
> If there is no NAT, that means all these local IPs are actually public, and out of your control. That means if the range changes, you need to go into your DNS and change all your servers. Now imagine a company with like 20,000 servers. Of course you can pay for a static, but there's still the issue of what happens if you switch ISPs, or have multiple ISPs as backups.
I don't think it would work that way. Regional and global registries would give ISPs a unique header (/32 addresses), and all organisations will have a /48 address. To my knowledge, this will remain fixed, unless the registries change the address assignments. It's likely that ISPs in an effort not to piss off their customers wouldn't change their address assignment readily, or will inform customers of changes to ensure swift changing.
#37 | Red Squirrel (Lifer, Canada, joined May 2003, 28,760 posts) | 02-26-2013, 10:02 PM

Quote (originally posted by mammador):
> I don't think it would work that way. Regional and global registries would give ISPs a unique header (/32 addresses), and all organisations will have a /48 address. To my knowledge, this will remain fixed, unless the registries change the address assignments. It's likely that ISPs in an effort not to piss off their customers wouldn't change their address assignment readily, or will inform customers of changes to ensure swift changing.
So the standard would be that everyone gets a static? I suppose that could still work, but even then, the thought of not being in full control is kinda scary. I guess if it changes it would only be the range, so really in DNS you'd only be changing the first half octets right? Guess that could always be scripted if that happens.
#38 | Pheran (Diamond Member, Pittsburgh, PA, joined Apr 2001, 5,398 posts) | 02-26-2013, 10:16 PM

This whole renumbering discussion is completely irrelevant for enterprises. Large companies get address allocations that are theirs. They run BGP with their providers and those addresses are never going to change regardless of what ISP they use (usually they have more than one). This is true in v4 and v6. In v6, the typical enterprise would receive a /48 allocation, meaning they have enough space to run 65 thousand /64 subnets.
#39 | Red Squirrel (Lifer, Canada, joined May 2003, 28,760 posts) | 02-26-2013, 10:35 PM

Well, I'm talking about smaller ones that can't afford the fancy stuff like actually owning IP blocks. Ex: a school district.
#40 | theevilsharpie (Platinum Member, Southern California, joined Nov 2009, 2,320 posts) | 02-27-2013, 03:05 AM

Quote (originally posted by Red Squirrel):
> Say you are a company, you have many local servers like mail.local, files.local, etc. pointing to specific IPs of servers on your network. These are LOCAL servers; while they may have some level of Internet access, they are local to only your network because they have private data. With NAT, it's simple: you assign a 10.x.x.x IP, set it up in your local DNS server, set up the reverse lookups, and within local DHCP everyone's DNS is set to the local one. You are in total control.
You can achieve the same thing in IPv6 with ULA addresses.
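Tying together the /64 discussion (#30), Pheran's "65 thousand /64 subnets" in a /48 (#38) and the ULA suggestion just above (#40): this is an added example using Python's ipaddress module, not code from anyone in the thread. It generates an RFC 4193 ULA /48, carves it into /64s, and lints a link prefix for the non-/64 caveats mentioned. One assumption to note: RFC 4193 derives the 40-bit Global ID from SHA-1 over a timestamp and an EUI-64, and this example substitutes random bytes for the EUI-64, which keeps the same statistical uniqueness property but is not the RFC's exact recipe.

```python
import hashlib
import ipaddress
import os
import time


def generate_ula_prefix(global_id=None):
    """Return an RFC 4193 ULA /48: fd00::/8 (L bit set) followed by a 40-bit Global ID.

    If no Global ID is given, one is derived as SHA-1 over (64-bit timestamp || 8 random
    bytes), keeping the low 40 bits. The RFC uses an EUI-64 where this uses os.urandom;
    that substitution is an assumption of this example.
    """
    if global_id is None:
        seed = time.time_ns().to_bytes(8, "big") + os.urandom(8)
        global_id = int.from_bytes(hashlib.sha1(seed).digest()[-5:], "big")
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    prefix_int = (0xFD << 120) | (global_id << 80)  # fd:GGGG:GGGG:GGGG:: with /48
    return ipaddress.IPv6Network((prefix_int, 48))


def subnet_count(site_prefix, subnet_len=64):
    """Number of subnet_len networks inside a site prefix (a /48 holds 65536 /64s)."""
    site = ipaddress.IPv6Network(str(site_prefix))
    if subnet_len < site.prefixlen:
        raise ValueError("subnet must not be larger than the site prefix")
    return 1 << (subnet_len - site.prefixlen)


def carve_subnets(site_prefix, count, subnet_len=64):
    """First `count` subnets of the site prefix, as strings, e.g. for a subnet plan."""
    site = ipaddress.IPv6Network(str(site_prefix))
    out = []
    for net in site.subnets(new_prefix=subnet_len):
        if len(out) >= count:
            break
        out.append(str(net))
    return out


def check_interface_prefix(prefix):
    """Return 'ok' for a /64, otherwise a short reason the prefix is risky on a link.

    SLAAC (RFC 4862) requires a 64-bit interface identifier, and RFC 5375 Section B.2
    lists the further pitfalls of non-/64 links that the post above refers to.
    """
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen > 64:
        return "longer than /64: SLAAC will not work and some stacks misbehave"
    if net.prefixlen < 64:
        return "shorter than /64: wastes the subnet ID bits; split it into /64s"
    return "ok"


if __name__ == "__main__":
    site = generate_ula_prefix()
    print("site ULA prefix:", site)
    print("/64s available:", subnet_count(site))
    for net in carve_subnets(site, 4):
        print(" ", net, check_interface_prefix(net))
```

The point for the DNS argument earlier in the thread is that the ULA prefix is yours regardless of ISP, so internal records like mail.local can point at ULA addresses and never need renumbering; hosts then carry a ULA and a provider address side by side.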
#41 | Gryz (Senior Member, joined Aug 2010, 461 posts) | 02-27-2013, 06:56 AM

Even if you are a small company, all ISPs will give you a prefix which won't change.

IP addresses that constantly change are a thing of the past. Dynamic IP addresses were used for dial-in. Because a dial-in customer would connect on a different spot to the ISP network all the time. (Depending on which terminal-server would accept their connection). A fixed address has no point, when your location in the network changes all the time. Also, dialup customers will not be constantly connected to the network. Only a small portion of the time. So it makes sense to re-use addresses.

Then we got cable and ADSL. For individual customers, home users. Those systems hand out addresses to customers via DHCP. With a little extra configuration, you can make sure that the same customer will use the same ip-address all the time. For some reason, some ISPs didn't care, and let their DHCP give different ip addresses to the same customer when they rebooted their system. I don't know why. In my country (nl), I've only seen ISPs give the same ip address to customers over time. I think I've had the same ip address since I first bought my ADSL connection. I'm pretty sure I have the same ip address for 10 years now. I can understand why ISPs will tell their individual customers they won't be guaranteed the same ip address over time. Because it would make it hard/impossible for them to renumber. But usually you want fixed ip address. For troubleshooting, for logging, for eavesdropping, for security.

Now for bigger customers, this is different. Bigger customers don't get 1 ip address. They get a range (prefix). And the ISP needs to set up a route to that prefix too. So the ISP can't change the prefix at random, without having to make changes to their routing. (I'm sure there are routers who can automate that). But generally, a customer that gets a prefix, will get a fixed prefix that doesn't randomly change.

The next question is: what should that prefix be?
There are a number of options.

1) Provider-aggregatable address space. You get a chunk out of the prefix of your ISP. This means your ISP needs to advertise only 1 prefix to the Internet. However, there are 2 downsides.
a) When you change ISP, you need to give up your addresses. You need to renumber to a prefix given by your new ISP. This can be some work. Transition to a new ISP might not be seamless.
b) You can't easily multi-home to another ISP. If you do that, your second ISP needs to advertise your prefix. This injects yet another route into the global Internet. Worse, because this prefix is more specific than the prefix of your first ISP, your first ISP now needs to also advertise your more specific prefix.
Not an ideal solution.

2) Provider-independent address space. You get your own prefix from a registry. I'm not sure how expensive this is. But it sure is more hassle. The benefit is that you won't need to give up your addresses when you move to another ISP. But for multi-homing, you still need both your ISPs to advertise your own prefix. For the Internet-at-large, this isn't any better. (It might even be worse, because if you don't multi-home, the Internet sees an extra (non-aggregated) route.)

You might all think that the problem of multi-homing is not much of an issue. That is because you don't feel the downsides. You just advertise an extra route into the global Internet. No big deal. However, it is a problem for people who try to make the Internet work: the tier-1 ISPs that carry all routes. And the vendors who have to make the equipment that makes this all work.

Currently the core of the Internet carries 445k prefixes. That's a lot. Old fashioned classful routing had 2 million "networks" (ABC thingies). With CIDR that number should have dropped significantly. But because of bad aggregation, we are now into a situation where all the trouble of CIDR saves us only a factor 4 in size. Very disappointing. And with the Internet still growing, and need for multihoming increasing, that number will only go up.

Why is the size of the global routing table a problem?
High-end routers use expensive memory (TCAM) to store forwarding tables. More prefixes means we need more TCAM, making routers more expensive than they should be.
When things change, you want your routing to react quickly. Updates need to be sent, received and parsed. New routes need to be computed. Routing tables and forwarding tables need to be updated. This takes time. More prefixes means slower convergence.

So what would be a solution?
Use private address space for your internal network. (You can think of other solutions for your public servers, like co-locating your webservers off-site). Now on the edge routers to your providers, use NAT to rewrite addresses to an ip address that is within the prefix of the ISP via which the packet is going.
Result: a) when you change ISPs, you only need to change the prefix(es) on your NAT box. b) when you are multi-homed, you don't need to inject an extra prefix into the global routing table.

The downside is: when one of your ISPs fails, traffic will go via the other ISP, and the ip addresses of those packets will change. That means TCP connections will be reset. Your users will need to log in again, or set up a new connection. That's a short disruption, but at least they are still connected to the Internet.

If we could change the architecture of IPv6 to take this into account, we would have a perfect solution. Separate the functions of locator (address) and identifier. TCP and other layer-4+ protocols use the identifier part for their TCP checksums, for authentication, etc. And the locator part can change (via NAT or other means) as much as is necessary to make sure packets get to their destination. Lots of people have thought about these solutions. LISP and ILNP are two technologies that have been implemented and that are working (although not perfect). They are extra complex, because they work without changing the host-stack. If the host stacks were aware of locator/identifier separation, things would become a lot simpler.

Of course, if you just look at what this means for you, as an individual, or as a company, all this is extra complication that has no value to you. But if you look at it from a larger perspective, you see that address-rewriting could be a very good solution for the future. Something IPv6 should have had from the start.


Mmmm. I need to learn to write less ....

Last edited by Gryz; 02-27-2013 at 11:59 AM.
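Two points in the thread reduce to the same bit of address arithmetic: Red Squirrel's remark (#37) that a prefix change would only mean rewriting the first half of each address, which could be scripted, and Gryz's edge design just above, where packets leaving the site have their internal prefix rewritten to the prefix of whichever ISP they exit through. This is an added example, not code from either poster, implementing both on top of one helper, `rewrite_prefix`. The zone fragment, the example.test name and the addresses are constructed. The per-uplink rewriting is the scheme the post describes; the standardized form of it is NPTv6 (RFC 6296), which also adjusts one 16-bit word so transport checksums stay valid, and this toy version leaves that adjustment out.

```python
import ipaddress
import re


def rewrite_prefix(addr, old_net, new_net):
    """Swap the old_net prefix bits of addr for new_net's, keeping the host bits.

    Both prefixes must have the same length so the mapping is 1:1 and reversible.
    """
    addr = ipaddress.IPv6Address(addr)
    old_net = ipaddress.IPv6Network(str(old_net))
    new_net = ipaddress.IPv6Network(str(new_net))
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("prefix lengths differ; rewrite would not be 1:1")
    if addr not in old_net:
        raise ValueError(f"{addr} is not inside {old_net}")
    host_bits = int(addr) & int(old_net.hostmask)
    return ipaddress.IPv6Address(int(new_net.network_address) | host_bits)


# Constructed zone fragment: a made-up name and documentation-range addresses.
ZONE = """\
$ORIGIN example.test.
mail    IN AAAA 2001:db8:aaaa:1::25
files   IN AAAA 2001:db8:aaaa:2::10
www     IN A    192.0.2.10
intra   IN AAAA fd12:3456:789a:1::1
"""

# Matches "<name> [<ttl>] IN AAAA <address>" and captures everything before the address.
AAAA_RE = re.compile(r"^(?P<lhs>\S+\s+(?:\d+\s+)?IN\s+AAAA\s+)(?P<addr>\S+)\s*$")


def renumber_zone(zone_text, old_net, new_net):
    """Rewrite every AAAA record inside old_net to new_net; returns (new_text, count).

    Records outside old_net (ULA, other prefixes) and A records are left untouched,
    which is the "only the first half changes" scripting Red Squirrel mentions.
    """
    old = ipaddress.IPv6Network(str(old_net))
    out, changed = [], 0
    for line in zone_text.splitlines():
        m = AAAA_RE.match(line)
        if m and ipaddress.IPv6Address(m.group("addr")) in old:
            line = m.group("lhs") + str(rewrite_prefix(m.group("addr"), old, new_net))
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


class EdgeRewriter:
    """Stateless 1:1 prefix rewriting at the site edge, one external prefix per uplink.

    Internal hosts use one prefix (a ULA here); each ISP-facing interface rewrites it to
    that ISP's prefix on the way out and back on the way in. No per-flow state is kept.
    """

    def __init__(self, internal_net, uplinks):
        self.internal = ipaddress.IPv6Network(str(internal_net))
        self.uplinks = {name: ipaddress.IPv6Network(str(p)) for name, p in uplinks.items()}

    def outbound(self, src_addr, uplink):
        return str(rewrite_prefix(src_addr, self.internal, self.uplinks[uplink]))

    def inbound(self, dst_addr, uplink):
        return str(rewrite_prefix(dst_addr, self.uplinks[uplink], self.internal))


def external_changes_on_failover(edge, src_addr, from_uplink, to_uplink):
    """True when moving a flow to another uplink changes its external source address.

    That is the failure mode Gryz describes: the far end sees a new peer address, so
    established TCP sessions are reset and users reconnect.
    """
    return edge.outbound(src_addr, from_uplink) != edge.outbound(src_addr, to_uplink)


if __name__ == "__main__":
    text, n = renumber_zone(ZONE, "2001:db8:aaaa::/48", "2001:db8:bbbb::/48")
    print(f"{n} records renumbered:\n{text}")
    edge = EdgeRewriter("fd12:3456:789a::/48",
                        {"isp_a": "2001:db8:a::/48", "isp_b": "2001:db8:b::/48"})
    host = "fd12:3456:789a:1::10"
    print("via isp_a:", edge.outbound(host, "isp_a"))
    print("via isp_b:", edge.outbound(host, "isp_b"))
    print("failover resets sessions:", external_changes_on_failover(edge, host, "isp_a", "isp_b"))
```

The rewriter is deliberately stateless, which is what separates it from IPv4-style NAPT: inbound traffic to a rewritten address maps back to exactly one internal host, so no connection table or port rewriting is needed, and internal DNS can keep ULA records while the edge handles whichever provider prefix is current.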
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.