[cap-talk] Fwd: Re: End to end encryption (was: network level ...)

Jed Donnelley jed at nersc.gov
Mon Jun 26 16:57:48 EDT 2006


At 10:34 AM 6/26/2006, Mark Boolootian wrote:

> > I just thought I'd forward this to you for your thoughts.  In particular
> > I'd be interested in your view on my Catch-22 comment about IPv6
> > (and IPsec):
> >
> > IPv6 - Catch 22: IPv6 won't be useful until it's implemented everywhere,
> > and it won't be implemented everywhere until it's useful.
> >
> > and the response from Stephan Bevan regarding the push
> > from the US DoD.
>
>I don't agree.  I think both IPsec and IPv6 are already useful, though
>that is probably more true for IPv6 than it is for IPsec.  I think
>Stephen's observations regarding encrypted traffic are good.  If you
>take a look at netflow stats for Abilene (the Internet2 backbone), you'll
>find that SSH dominates encrypted traffic, followed by HTTPS and
>IPsec.  e.g.:
>
>   http://netflow.internet2.edu/weekly/20060501/#full_apps
>
>Lots of folks run IPsec-based VPN clients.

That seems like a pretty safe application, in some sense immune
to the Catch-22.   That is, you have to have the server side of your
VPN running where you want to connect to, and that can include
IPsec (and IPv6).  Namely, you don't need to be able to connect
everywhere (e.g. as with a Web browser) to make the VPN application
work.

I guess the test for me will be when people start browsing the Web
with IPv6.  That's where the challenge really seems to lie.  Even
for something like ssh, I could imagine people starting to use IPv6
and IPsec, since the only issue is whether you have IPv6 and
IPsec running <on all the systems where you have accounts>.

For Web access, however, where broad connectivity is vital,
it seems to me there are real challenges getting an IPv6
infrastructure into place.  Perhaps I should restate the Catch-22
in terms of Web access:

Web access Catch-22 for IPv6:  ISPs won't be able to sell any
IPv6 connectivity to the Internet until all the Internet services
are available through IPv6.  The services on the Internet won't
all be available through IPv6 until there are IPv6-only Web users
on the Internet.

>I have to admit to not
>paying a lot of attention to IPsec, so am generally ignorant of the issues
>surrounding widespread deployment.
>
>As for IPv6, it's being deployed elsewhere in the world at a faster
>clip than within the US, mostly driven by IPv4 address scarcity, I
>think.  Comcast is one of the first big adopters in this country
>and is in the initial phase of rolling out v6 to help with their
>addressing needs.  Alain Durand from Comcast gave a talk about their
>plans at the last NANOG:
>
>   http://www.nanog.org/mtg-0606/durand.html

and thence to: http://www.nanog.org/mtg-0606/pdf/alain-durand.pdf

>The video/audio from that talk will eventually show up there.

Interesting set of charts.  Do you know what "new services" he
might be referring to when he says:

"Be ready to offer our customers new services that
take advantage of IPv6"?

or what he means by "Comcast DNA" in the sentence:

"IPv6 will slowly penetrate Comcast DNA"?

Is he using DNA in a generic sense there or is that being used
as a technical term that I don't understand?


I think perhaps the key issue for me (r.e. Catch-22) shows up
in his chart on page 14 where he discussed the new Cable Modem
and notes that it will either have only IPv4 or only IPv6.  If this
is a cable modem like the one I have in my home, how could
he (Comcast) possibly induce me to buy/rent an IPv6-only cable
modem??!?  Perhaps they're going to provide a substantial
discount for IPv6-only service?

For me that's where push really comes to shove.  I can well imagine
that at some point it may be that there will be more IPv6 services
available on the Internet that aren't also available via IPv4 than there
are IPv4 services that aren't available through IPv6.  At that point
I think things will fall into place quite quickly and IPv4 will disappear
with alacrity.  However, how to get there is still a bit of a puzzle to
me.

Do you have any IPv6 enabled servers at UCSC?  Are there Web servers
at UCSC that can currently be browsed/accessed from an IPv6-only
workstation/user?

I guess it will be at least 5 years before there is an IPv6 "Web" and
likely over 10 years.  Particularly after reading the last of the charts
above, it seems that there is even still some infrastructure that needs
to get into place for IPv6.  To me it seems that even after all the
infrastructure is in place (e.g. all systems are dual stack from
the core routers up through the OS's AND applications) it will still
be difficult to get switched over.  I don't think the Comcast approach
of having cable modems with an IPv4 address or an IPv6 address
(not both) is a viable one for a transition.  I also don't understand
their reasoning.  If you are going to continue to have to have
IPv4 addresses in cable modems for some time, what's the problem
with also including an IPv6 address?  It seems to me the only
hope for a transition is to offer both services from the client
side as well as from the server side for some time.

What about the application level?  Are there applications around
(e.g. ssh, Web browsers?) that can interoperate with both
the IPv4 infrastructure and the IPv6 infrastructure?  E.g.
a Web browser that I can supply with either an IPv4 URL
or an IPv6 URL and still have it fetch the right content for me?
I've never heard of such software.  How can a transition possibly
happen without such software?  Just looking at:

http://www.ipv6.org/v6-apps.html

things don't look very promising at this time.

I can see how Mr. Durand, in his role as IPv6 Architect, might
paint an optimistic view for a transition to IPv6, but nothing in
that presentation suggested to me a way out of the fundamental
dilemma.  That is, how Comcast (or any ISP) is going to get to
the point of selling IPv6-only connectivity to the Internet.  I
believe that before that can happen we will have had to have
a dual IPv4 and IPv6 infrastructure for some time with systems
and applications supporting both IPv4 and IPv6.  I don't hear
anybody even talking like that.  I don't see the needed software
development happening (even on the server side - e.g. in Apache -
where of course it would need to happen first), let alone in
lesser feeder applications like ssh.

I found this discussion of IPv6 and Apache of interest:

http://httpd.apache.org/docs/2.0/bind.html

I of course run numerous Web servers (~20 if you count them
by IP address - note that I need to use a separate IP address
for each https server).  Naturally the first day there are any
users who have only IPv6 connectivity, I will be quite motivated
to provide access to our Web sites for them.  How will I do
that?  Can I use that --enable-v4-mapped default configuration,
together with a system that supports IPv6, a local and Internet
connectivity that supports IPv6 to enable access to such
IPv6-only users?

If that's the case, then perhaps there might be some progress
within the 5 years that I mentioned.  However, I don't understand
how that can work.  Just consider logging as an example.  All
the Apache logs must of course be able to correctly log
IPv6 addresses.  Can they do so?   Is there log analysis
software available that supports IPv6 addresses?  What about
the DNS structure even for IPv6?  I can't tell you how much
infrastructure we have for things like intrusion detection, firewalls,
Bro, etc., etc. that are IPv4-only.   Perhaps I'm just ignorant
of this infrastructure buildup that's been happening and it's just
about now ready for serious deployment?  It still seems to
me that people at my level (system administrators) are going
to have to hear about it pretty darn soon to support even an
IPv4 Web that's reachable from an IPv6 extended Internet
within the next 5 years.

Sorry to act the role of the pessimist here, but there you go.
Naturally having 32 bit addresses seems like a great idea to
me, but I'm afraid I still see that Catch-22 there.

--Jed http://www.nersc.gov/~jed/ 
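
An added example, not part of the original post: one way a log-analysis step can handle the addresses the message asks about, counting Common Log Format hits per client with IPv4, IPv6 and IPv4-mapped IPv6 (`::ffff:a.b.c.d`) forms folded to one canonical key, so a blocklist written for IPv4 still matches. The log lines, the blocklist and the function names are constructed for illustration; the mapped form in the log is an assumption about what a dual-stack listener may record.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+$')

# Constructed sample lines (documentation address ranges only).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jun/2006:16:57:48 -0400] "GET / HTTP/1.1" 200 512
::ffff:192.0.2.10 - - [26/Jun/2006:16:57:49 -0400] "GET /a HTTP/1.1" 200 100
2001:db8::1 - - [26/Jun/2006:16:57:50 -0400] "GET / HTTP/1.1" 200 512
2001:0DB8:0:0:0:0:0:1 - - [26/Jun/2006:16:57:51 -0400] "GET /b HTTP/1.1" 404 0
198.51.100.7 - - [26/Jun/2006:16:57:52 -0400] "GET / HTTP/1.1" 200 512
not-an-ip - - [26/Jun/2006:16:57:53 -0400] "GET / HTTP/1.1" 200 512
"""

# Hypothetical blocklist mixing an IPv4 and an IPv6 network.
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]

def normalize(host):
    """Return a canonical address object, unwrapping IPv4-mapped IPv6.
    Returns None when the host field is not an IP literal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def summarize(log_text):
    """Count hits per canonical client address and flag blocklisted clients."""
    hits, blocked, skipped = Counter(), set(), 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        addr = normalize(m.group(1)) if m else None
        if addr is None:
            skipped += 1          # malformed line or hostname instead of an IP
            continue
        key = str(addr)           # compressed, lower-case canonical text form
        hits[key] += 1
        # Only compare an address with networks of the same IP version.
        if any(addr.version == n.version and addr in n for n in BLOCKED_NETS):
            blocked.add(key)
    return hits, blocked, skipped
```

Without the normalization step, the same IPv4 client would be counted under two keys and the mapped form would not match the `192.0.2.0/24` blocklist entry.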