Re: IPv6 like OSI is far more complex than necessary
There has to be a temperature at which flash sublimation occurs without combustion. Every hydrocarbon has one...
5291 posts • joined 31 May 2010
You could try sublimation. I mean, then the engineer would expand to fill his container, but he'd be a fluid, and theoretically pourable.
"If you were stuck in the desert, would you rather see a horse or a camel approaching?
The analogy with IPv6 is perhaps not so bad."
If I'm an enterprise with virtually unlimited resources, IPv6, with all its foibles, seems a great solution to the IP address exhaustion problem.
If I'm the other 80% of companies on earth, or virtually every consumer on earth, then I'd far rather the IPv6 with Network Prefix Translation solution because that solves the problems I'll face in the most economic and simple fashion. I don't care about the needs of enterprises or software developers or the problems they face.
Most of the world uses horses to get things done and they work just fine. A camel is great in the desert, but doesn't have the power or capability of a horse in virtually any other situation.
The world uses IPv4 with NAT today and they can game, use VoIP, and every single other application that IPv6 end-to-end religious nutters whinge about just fine. The horse plows the field and ensures their family is fed.
Along comes a camel salesman saying we all need to shoot our horses and implement IPv6 without Network Prefix Translation because camels are better in the desert. The English farmer peers through the sheeting rain at the camel salesman and asks that one important question:
"why should I?"
The thing IPv6 purists don't get is that there is an alternative to IPv6 + religion. That alternative is IPv6 - religion. We can have all the benefits of IPv6's address space and the benefits of Network Prefix Translation by just telling the camel vendor he's batshit fucking bananas and driving him - and his camel religion - into the sea.
Your solution is exactly the one I griped about. It is absolutely reliant on DNS to function correctly, and requires tossing out any application that can't handle on the fly readdressing or multiple IPs. You either end up facing a single point of failure in DNS or significant expense redoing virtually every single fucking application on your network.
Worse than that, your solution isn't just regular "preserve end-to-end at all costs", you're touting DHCPv6 as the means to salvation here too! Unbelievable!
Maybe what you've got there will work, once every single device out there supports IPv6 in a manner that complies with the RFCs in question. AND when we've all abandoned our millions of dollars worth of investment in existing applications and recoded everything to suit the New Black.
But, being honest now, when are you expecting that to occur? How many days/weeks/months/years/decades from now will we be at the point that there are no more non-compliant devices and no legacy applications that can't deal with your preferred solution for multihoming?
In addition to the above, please detail for me exactly how your proposed solution provides superior value for dollar and return on investment versus deploying Network Prefix Translation, bearing in mind that - as a business owner - I price the value of the ideological purity of the end to end model at exactly $0.
Size your solution to the 80% of businesses on the planet: 50 to 250 users. Work in that for the next 20 years these companies will be running workloads on site that they will want to host to the rest of the world in a redundant fashion. Assume that these companies are not American, so they won't be using ISPs that will allow BGP on SMB accounts, and they won't be comfortable using the public cloud for everything.
So go ahead and bottom line it for me. Where is the business case for the solution you propose? And - in dollars and cents - show me how it will benefit me versus Network Prefix Translation? Make your case well enough and I'll publish it with commentary as an article.
Otherwise, you're just a bag of hot air, espousing dogma and presenting no real-world solutions.
And IPv6 works very well for the places it was designed: Academia, test labs and enterprises with more money than small nations.
It should also be noted that the Camel is ill suited - and non-present - in the majority of the world, where the Horse was the animal that prospered...and ultimately diversified to fill a great many horse-shaped ecological niches. (Though we could get into a good debate about three-toed versus two-toed ungulates here...)
For $150, I can buy two of the things and keep a spare on the shelf with an identical config. Worst case scenario, turf the dead one and plonk in the replacement.
Besides which, those $150 dual-WAN routers are somewhere in the neighborhood of 20th generation technology at this point. They are at the point of "it's virtually impossible for even a junior admin to fuck this up, because guides to programming or at least configuring your own from open source components are fucking everywhere."
I still do encounter IPv6 router advertisement daemons with multiple bugs. They aren't anywhere near as baked yet.
Because my sources say that the way the DPI widget works is thusly:
1) Streams enter DPI widget
2) Widget determines where various protocols will go
3) packets are vomited into appropriate route.
If the DPI widget - or some intermediate chunk - is "full" thanks to 512Kday, then it is entirely possible for one specific protocol not to work while all the others do. (Thanks, "traffic management"!) Of course, I don't have "official" confirmation of this, but it was laid out for me in such a manner that it seemed entirely plausible that both issues had a single cause.
" kind of weird that it took el reg over 24 hrs to write about it? If you had people contacting you for 12 hrs it would of been nice to see an article earlier :)"
Deeply sorry. I was busy dealing with the fallout of it for my clients and at the same time hadn't slept in two days because I'm trying to get this booth demo built before it has to ship to 'Frisco. To be perfectly honest with you I felt that it was just plain easier to send feelers out to people smarter than me to verify my assumptions than to try to force my sleep-deprived brain through the mental gymnastics of working out all the details myself.
I'll try harder next time.
No, if you really want to know what we - the people- want, look up Network Prefix Translation.
Full bore overloaded NAPT is - and let me get the proper invective to hand here - "fucking clownshoes". There's absolutely zero rational requirement for it in IPv6. It shouldn't be used. Period.
What there is a requirement for is network prefix translation. This is a very simple 1:1 mapping of an internal address space system to one or more external IPv6 subnets. This allows for instant renumbering, ISP fail-over and more without breaking end-to-end irreparably.
Is end-to-end, that sacred holy of holies broken? Yes. Is it broken in a meaningful manner? No. The 1:1 relationship means that we can easily code around it.
Whether you like it or not, network prefix translation is the natural compromise and it will be what is implemented on a large scale. Get used to it. There's no room for dogma in IT. Only actual solutions.
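The 1:1 prefix mapping described in this comment is what RFC 6296 (NPTv6) standardises. As an added example (my code, not the commenter's), here is the checksum-neutral /48 rewrite in Python, using the RFC's own fd01:203:405::/48 to 2001:db8:1::/48 example pair; only one 16-bit word of the address changes, so a host keeps one stable internal address while its external address follows whichever ISP prefix is configured, and transport checksums survive without any per-session state on the translator.

```python
import ipaddress

# Added example (not from the comment above): RFC 6296 NPTv6 prefix
# translation for a /48 internal <-> /48 external mapping. The rewrite is
# 1:1 and checksum-neutral, so TCP/UDP/ICMPv6 checksums do not need to be
# recomputed and the translator keeps no connection table.

INTERNAL = ipaddress.IPv6Network("fd01:203:405::/48")  # RFC 6296 example prefix
EXTERNAL = ipaddress.IPv6Network("2001:db8:1::/48")    # RFC 6296 example prefix
assert INTERNAL.prefixlen == EXTERNAL.prefixlen == 48


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    """One's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def words_of(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into its eight 16-bit words."""
    raw = addr.packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def adjustment(internal: ipaddress.IPv6Network, external: ipaddress.IPv6Network) -> int:
    """One's complement difference (internal - external) over the three /48 prefix words.

    This constant is what keeps the full-address checksum unchanged after the
    prefix words are swapped; it is fixed for the life of the configuration.
    """
    iw = words_of(internal.network_address)[:3]
    ew = words_of(external.network_address)[:3]
    return ones_add(ones_sum(iw), ones_sum(ew) ^ 0xFFFF)


def translate(addr: str, outbound: bool = True) -> str:
    """Rewrite one address across the prefix boundary (outbound = internal -> external)."""
    a = ipaddress.IPv6Address(addr)
    src, dst = (INTERNAL, EXTERNAL) if outbound else (EXTERNAL, INTERNAL)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    adj = adjustment(INTERNAL, EXTERNAL)
    if not outbound:
        adj ^= 0xFFFF  # inbound subtracts the adjustment: add its one's complement
    w = words_of(a)
    w[:3] = words_of(dst.network_address)[:3]   # swap the /48 prefix
    w[3] = ones_add(w[3], adj)                  # absorb the difference in the subnet word
    if w[3] == 0xFFFF:
        w[3] = 0                                # RFC 6296: 0xFFFF is written as 0x0000
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute the same value to a pseudo-header checksum."""
    sa = ones_sum(words_of(ipaddress.IPv6Address(a)))
    sb = ones_sum(words_of(ipaddress.IPv6Address(b)))
    return sa == sb


if __name__ == "__main__":
    inside = "fd01:203:405:1::1234"
    outside = translate(inside)
    print(inside, "->", outside, "->", translate(outside, outbound=False))
    print("checksum neutral:", checksum_neutral(inside, outside))
```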
You can still "traffic manage", even if you aren't peering into the sessions. It's still rude.
I don't disagree with any particular point, but there are some problems that are out of the techies' hands:
1) IPv6 is asstastic for anyone excepting wealthy enterprises and backbone providers that don't have the sorts of concerns faced by the under-1000 seat crowd.
2) "The business" is generally not ready or willing to invest in replacing what works just fine today with a more expensive thing that will hopefully prepare us for the future.
3) Pretty much everyone who isn't already wedded to IPv6 is really just hoping that the ivory tower types will capitulate, we'll get our IPv6 NAT and nobody will have to actually change how they do things.
As for "it's a little late to keep banging on about the problems" I heartily disagree. I've been banging that drum for the better part of a decade, and so have many others. The issue here is simple: do we - the majority - accept the dogmatic implementation of IPv6, or do we tell the ivory tower types what to go do with themselves and implement a NATed version, with all the benefits - and downsides - that it entails.
That war is emphatically not over yet. It will be decided by hardware and software availability as well as adoption and general practice. Not by RFCs and snarky internet disdain. All the powerpoint slides and wringing of hands in the world won't make people believers, nor will it make them behave how you want them to.
So we're all sitting here staring at each other across the neutral zone, waiting for someone else to make the first move. Meanwhile, ISPs are dragging their feet, as are consumer gadget vendors.
...and the Ivory Tower types offer nothing but dogma...and no solutions.
Your comment is itself evidence of how intractable this issue has become. I raise real world issues that don't have practicable solutions for the majority of businesses and individuals and you all but accuse me of going out of my way to lay on the rails and withhold "progress". As though I am somehow not doing my "civic duty" by encouraging people to bite down on the dogma and take one for Uncle Sam.
Well, I don't know about you, but even if I were inclined to close my eyes and think of England on this, my ISPs don't even offer me things like "BGP for SMB accounts" that would allow me to solve the problems in the dogmatic fashion. Nor do my apps support on-the-fly renumbering.
So what are the solutions? Hmm? And why should we all just ignore them in the spirit of camaraderie? It seems to me it's a hell of a lot easier to punch the prickly ponces in the paunch and do the One Thing They Decry.
They aren't My People, so I'm down with that. You?
So your solution to the tried, tested and true $150 dual-WAN IPv4 NAT box is a new, expensive solution that requires:
1) Someone to know how to configure it (because SMB versions don't exist)
2) The router advertisement daemon never to fail
3) All applications to be able to cope with renumbering on the fly with zero errors
4) DNS to work without flaw in order to cope with the renumbering
5) BGP advertisement and management so that anything I'm hosting locally can be accessed from the net.
And to top it off you threw in a "supply and demand" argument which is an ivory tower way of fobbing the problem off as belonging to someone else, without solving any of the issues to hand.
So you have no solutions. Only dogma. What you demand that everyone use to suit your religion is demonstrably worse for this very critical use case than what went before, but we are expected to just suck it up without complaint...why exactly?
I believe my inclination is not "kowtow to the brethren" but say "up yer jacksie" and just use NAT anyways.
Wibbly wobble wubble. SOLUTIONS, jacksie-baby. Not dogma. Can you handle it?
Edit: additional bonus points for SLAAC, which makes the entire infrastructure absolutely reliant on DNS, most likely under the asinine premise that DNS will always work in a "real man"'s setup. That's grand. No chance of managing and maintaining your infrastructure when the DNS goes down, or the stupid router robot eats its own face.
Pay no attention to the daemon behind the curtain! Practical implementation concerns are "just details" anyways, hmm?
I still don't see a viable solution for renumbering/WAN redundancy. I see lots of dogma. I see no solutions.
Or do you want to trot out how none of that is your problem, and it's up to everyone else to pay (and pay and pay and pay) to meet your religious requirements one more time?
I prefer concrete, affordable, and currently applicable solutions. Ones that work for the 99%, without dismissing the needs of the 99% as "irrelevant".
Nyet. There are so many fiddly little agreements, so many stupid little routes put in for political and financial reasons that the basis of routing on which the internet was founded - get the fucking packet there in the most efficient manner possible - seems to no longer apply. At least not for everyone, and certainly not all of the time.
I'm investigating exactly that. The big question then is "why do we have some sites where all protocols work except a specific few?"
I suppose it's possible that, for example, RDP (and not just to 3389, but all RDP!) is being sent to a DPI system and that hitting the 512K limit has screwed up routing for that protocol. I'll buy that as a possibility, but doing DPI on RDP sessions is really, really rude. I wonder if this didn't have some sort of cascade effect on DPI systems beyond just the basic routing issue.
Aha, but what good is cloud computing if the network to gain you access is down?
Rogers, Bell and Telus are fine...but anything that would transit the Shaw network due to routing or peering is pretty much blackholed. Which means the Canadian internet is pretty much borked.
"Not to mention that Chrome is spyware by design."
So is windows.
Now excuse me, I need to search for my private documents on my local network, but have that all reported to Microsoft along with my username, e-mail address and password so that they can include Bing results.
Who the fuck are Honey Boo-boo and Duck Dynasty?
"I'd say if more than 10 distinct accounts are Googling a name in any given day then its probably someone famous."
By that barometer I'm famous. Which is rather obviously untrue. I think your metrics need revising.
You're absolutely right. I apologise to the cholera victims.
All individuals who refuse to understand the effects of peer pressure on the vulnerable should get cholera and shit themselves to death.
You are welcome.
Yeah. There is. The fact that you pollute the internet with that level of disrespect for human beings.
Subchannel MAC NAT! DUN DUN DUN...
[cue wailing and gnashing of teeth]
"No it says even with lots of automation as found in IBM's Fishkill fab (been there, pretty impressive) making chips in the first world (which IBM does more than most) is not really competitive with 3rd world child and slave labor still. Can thank Congress (at least in US) partially for that."
Yeah, those human rights are such a drag...
You do realize you aren't the 1%, right? And that without all that nasty "interference" to enshrine human rights in law and then enforce it, you'd be tasting the whip too...
Maybe, maybe not. They'll need storage facilities. And...why not make more than one GigaFactory? If the tech is gelled...
"What is a reasonable time? Every circumstance may vary, but I'd have thought 99.9% of people check and clear their messages at least once per week. Most people are several times per day."
I delete my "Junk E-mail" and "Deleted Items" folders about once a year. I have rules that filter lots of incoming mail directly into "Deleted Items". I can easily receive something unsolicited and have it stick around for ages.
How often does a normal person purge their temp folders? And you and I both know that I can do all of the above and still get the data back a year later if I wanted. The law is an anti-intellectual law designed to root out dissidents and make them hangable.
"* obviously from the safety of a disposable, unregistered cell phone purchased with cash."
I don't know how it works where you're from, but buying burners has several barriers here:
1) Most shops won't sell a burner without a credit card. Cops don't like it unless they can trace who bought the burner.
2) Most places that sell disposable credit cards require a debit or credit card transaction for the same reasons.
3) Virtually every place that sells either burner cell phones or disposable credit cards has video - and often audio - surveillance.
In order to completely "wash" all traces of the purchase you should go through a few steps:
1) Buy everything in disposable credit cards.
2) Case joints that sell disposable credit cards so that you can ensure they won't be able to track you.
3) Use a mule, but never the same mule twice. (Always incorporate a backup plan!)
4) Consider buying a handful of "high value" disposable cards then using them to buy multiple low value ones at different locations. Additional buffer helps.
5) Do not invest any of your now anonymous ephemeral money into a burner with contactless payment options. You do not want any correlation of your purchases with the phone number, because if they can put your purchases and your number in the same place at the same time, they will pull your image from a camera. Tower triangulation is not accurate enough for this. Keep the phone simple. Basic voice and data. No GPS.
6) Don't use bitcoin; it's trackable. Some altcoins aren't. Do your research.
7) Use anonymous credit cards to purchase hosted/colocated server space in foreign countries in order to do your online shopping/hacking/talking to journalistic sources/posting dissenting views against your government/etc.
8) There are a number of shipping forwarding companies if you want to buy things online. With a little bit of work you can even find storage facilities or virtual office providers that will accept deliveries on your behalf. Better if they are located in a neighboring town, and if you get at them using some transportation method (taxi/lyft/etc) that doesn't take your picture/record your voice/etc. Don't let them track your plates, don't ever take your cell phone to the storage facility. Never associate you with that location, or the whole thing unravels.
I could go on and on, but you get the idea.
Our society has become one which actively hunts dissidents. Even if all you want to do is establish a reasonably secure means to express a dissenting opinion online, you should probably consider much or all of the above.
How did we let it get this bad?
"And who determines a person's ability to recover a file?"
It's a terrifying law. You're actually punished for being smart. I can build a scanning tunneling microscope from parts lying around my home. In theory, I could wed that to a Raspberry Pi and - presuming I could obtain or construct stepping motors/gearing with a fine enough range - I could recover files directly from a wide variety of platters.
I can also remove the controller chip from a flash drive and replace it with something that would allow me raw access to the cells. That would allow me to pull a cell-by-cell image of the drive - something that's virtually impossible with a controller in the way - and then most likely find the deleted images in "spare" cells waiting for new writes.
So, unless I throw away every computer storage device I own and never use electronic communications again I would be vulnerable. "Extreme pornography" ends up in my spam on a semiregular basis and absolutely shows up during internet searches...usually for things so completely unrelated it's baffling.
If I lived in the UK, the knowledge inside my head would be illegal. The country has actually managed to codify thought crime.
What. The. Fuck.
I don't know about you lot, but I actually have real world friends. If I could monitor the tank, I could ask one of the many friends I have living in the city to pop in if there's a problem. It doesn't need to change parameters. Just monitor and report. (Well, I would like it to automatically top off the tanks and feed the blighters, but you don't need "internet connected" for that.)
You lot act like you don't actually have real, live human friends. Like it's "all tech" or "all people".
We live in a world of both people and technology. You should consider mixing and matching.
I have an alarm clock that leaps off the table and drives across the room to make me chase it. So yeah. Technology can help, even with hard problems.
@ amanfromMars 1 cease this coherence immediately. It's disconcerting.
"I would not, however, be caught dead with a goatee."
No one here accused you of having taste... :P
I don't generally swear, or even write long comments, due to passion. I do it to achieve a very selective, targeted effect in the reader. There have only been - to my knowledge - about 10 comments where I have "snapped", and truly just core dumped my emotions without some form of careful linguistic selection.
That said, I don't see anything in this thread worthy of a good riposte. People are pretty tame, even the trolls. It's like a quiet Saturday night on the lake, in forum form.
Aye. And not just you. Lots of people take pills, even when they are young, for a variety of ailments. Do you know how hard it is for someone with ADHD to remember to take their meds in the morning?
And what about something that took your blood pressure before dispensing a dose of stimulant (again, common for ADHD folks) so that it knew when it was safe, and when not?
A pill box that could track what Alzheimer's (or, for that matter others) patients took, and then either report that back to the doctor, or at least track it in aggregate to help us design better pills?
Something that tracks what we eat, and when, as well as what pills we take - and when - so that we can correlate symptoms for various things with these sorts of events and are better able to detect patterns? (For example, this would be really useful in helping to diagnose Celiac patients, IBS and a few other things.)
Hell, a toilet with an automated excretion analyser to help determine things like "are my organs shutting down" or "do I have a gall bladder infection", etc.
There are a lot of possibilities. Not all have to be internet connected. Some are better if they are.
But that was really my point in the article. It's not going to be "selling billions of units of an individual product" so much as "selling millions or tens of millions of an individual product" to meet niches.
Is there no room for optimism at all? Life is all dour? We will die alone and unremembered after a brief period of despair and suffering that was our lives?
How sad. :(
Actually, no, you're just an idiot.
If you have actually read my arguments you'd know damned well that I'm anti everything unless and until something has proven its value to me and to my clients. As soon as it has stopped being of value, I'm against it. Value is calculated in many ways: monetary value, trustworthiness and enablement.
I have just as openly pooped on Linux and Apple as I have Microsoft. And I have praised Microsoft, Linux and Apple as well. I am not "pro" anything (except Ninite). You, however, very clearly are. And to you, anyone who doesn't agree with your prejudices must obviously be biased.
So piss off. I don't have time for those who can't separate "disagrees with my view on who is worthy of worship" from bias. You are irrelevant and you are annoying.
"Be honest with yourself, Trevor. You know have a freetard Linux agenda and you will never be satisfied until you get your way."
You're an idiot.
Actually, it is considered by most experts to be an important part of defense in depth. It eliminates 80%+ of the attacks in a single move. The rest of the attacks then must be dealt with by other means...but it would prevent the current crisis, as the existing malware only looks at default ports.
Sometimes, obfuscation is all that's required. Other times, you need more. But don't discount the value of obfuscation when so many attackers are just plain lazy.
I think if you put the management interface of any device onto the internet you're nothing more than a lesson waiting to be taught to others. So to be entirely fair, when asked, I vehemently advise against it, be they Synology or not.
Naked admin: just say no!
"Isn't it a conflict of interest for Trevor to report on Synology while touting their gear to his own customers? Obviously he wouldn't want them to go bust. What exactly is his interest in the company?"
I am not entirely sure why it would be a conflict of interest to report on Synology while selling it to my customers. I sell Microsoft software and services to my customers too, and I tear them a new arse every other day. Any vendor is disposable, and - to be perfectly blunt - I don't make my living selling computers. I keep my hand in because doing so allows me to keep a presence at the coalface of IT, making sure my skills stay sharp and that I have knowledge and experience relevant to the IT companies I report on.
What might represent a conflict of interest - but I honestly feel does not - is that I am currently engaged with Synology on a very narrow contract to provide them a VMworld booth demo. This demo consists of a Supermicro FatTwin server, a Supermicro switch and a Synology RackStation all configured to run various workloads that stress the Synology storage. The contract is very narrowly defined, and I have no other role (such as ongoing consulting, etc) beyond that specific deliverable.
Given the voluminous red tape that is Synology's internal marketing spend processes, there is zero reason to believe I would get another contract from them. So, being frank, there is no incentive on my part to be nice to them. I have a fixed contract that says "I gets my money if I deliver the goods" and there's nothing in there about not pissing off the natives.
And I piss off the natives rather a lot. They weren't exactly happy I ran a pair of pieces that said, in essence, "Synology made mistakes and needs to reorganize themselves internally and spend a stonking huge pile of money to make things better in the long run."
I've never tried to hide who I am working with. You can always find out information about my open-ended engagements at http://www.trevorpott.com/about/ under "disclosure".
I don't list narrowly focused, fixed-deliverable contracts unless those contracts compel me to advocate on behalf of a client. Once more being blunt: I get so many jobs creating whitepapers, blogs, demo videos, booth demos and so forth that the fixed-deliverable stuff all blurs together. They don't make me any more or less happy about a company.
A great example is Microsoft. They gave me a free year of MSDN so that I would be able to have licences to write about their software. Didn't make me any more charitable towards them.
VMware ensures I have a suite of the latest licenses, if you read my writing over at SearchVMware, I don't exactly pull punches with them either...and the VMware licenses I get are enough to run my lab.
Bottom line: if there is ever something I - or any of the circle of professionals I trust to help me make these judgements - feel presents the possibility for conflict of interest, that will be listed in the disclosure section of my personal website for all to see.
In the meantime and betweentime, I will report on anything interesting I turn up - positive or negative - with as little personal bias as I am capable of demonstrating. I will also use and abuse any and all of my contacts within every vendor I can to advocate on behalf of "the little guy": the end customer, end user and the sub-1000 seat SMB.
As regards Synology, this means using all my connections there to try to get them to take a more serious approach to security. But I don't give Synology any more of a break than I would any other company.
Well, except Ninite. They get a free pass no matter what. But I'm allowed to be an unashamed fanboy of at least one company, aren't I?
"You could at least slap all of them equally for their incompetence over the years."
If your Synology doesn't have ports open to the net, you should be safe. But do run updates on the thing anyways. If your computer were ever infected in the future, and your Synology was left unpatched, it could be pwned at that point. Updating now will patch the hole.
"That's what makes you Special."
Shiny. Do I get a short yellow school bus? I could turn it into a testlab on wheels!
Aye, saw it. There are 384 work mails (down from 1021 when I woke up an hour ago) to go before I can start getting into the "El Reg" folder. I'll dig myself out eventually...
That AC is so far in the "RUN, DEAR $DEITY RUN!!!!!!!" part of the crazy/hot graph that a careful reexamination might be required. :)
@Steven Raith don't bother, the Anonymous Coward you're talking to is a Microsoft marketing shill. Worse, it's not capable of rational thought. Just ignore it. Hopefully it'll do the world a favor by getting ebola and dying alone.
Microsoft is the world's premier supplier of Contempt as a Service. Their offerings are unmatched, whether you reside in Germany, the United States, China, or anywhere in between. Subscribe today!