Hi, Jean,
On Thu, 2021-06-10 at 08:23 -0400, Jean St-Laurent wrote:
> Let's start with this example. When I click sync my clock in windows,
> this happened.
>
> On the inside or Private side
> 08:15:07.434344 IP 192.168.254.205.123 > 13.86.101.172.123: NTPv3,
> Client, length 48
> 08:15:07.47368
On 6/10/2021 4:04 AM, Fernando Gont wrote:
Hi, Blake,
Thanks a lot for your comments! In-line
On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote:
Current gen Cisco ASA firewalls have logic so that if the connection
from a private host originated from a privileged source port, the
NAT
find the devices that don't follow this behaviour, right?
Jean
-Original Message-
From: Fernando Gont
Sent: June 10, 2021 7:09 AM
To: j...@ddostest.me; nanog@nanog.org
Subject: Re: NAT devices not translating privileged ports
Hi, Jean,
On Thu, 2021-06-10 at 06:54 -0400, Jean
Hi, Jean,
On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG wrote:
> Hi Fernando,
>
> NTP sounds simple but it could be very complex when you dig deep down
> and/or get lost in details.
> Here are 2 things to consider:
>
> 1. NTP clients can query NTP servers by using SRC UDP ports >
Hi Fernando,
NTP sounds simple but it could be very complex when you dig deep down and/or
get lost in details.
Here are 2 things to consider:
1. NTP clients can query NTP servers by using SRC UDP ports > 1024.
2. NTP servers cannot query/sync/communicate to another NTP server when using
SRC
Hi, Bjørn,
On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG writes:
>
> > What has been reported to us is that some boxes do not translate
> > the
> > src port if it's a privileged port.
> >
> > In such scenarios, NTP implementations that always use src
> > port=12
Fernando Gont via NANOG writes:
> What has been reported to us is that some boxes do not translate the
> src port if it's a privileged port.
>
> In such scenarios, NTP implementations that always use src port=123,
> dst port=123 might be in trouble if there are multiple NTP clients
> behind the s
Hi, Jean,
On Fri, 2021-06-04 at 08:36 -0400, Jean St-Laurent wrote:
> I believe all devices will translate a privileged port, but it won't
> translate to the same number on the other side. It will translate to
> an unprivileged port. Is it what you meant or really there are some
> devices that wi
Hi, Blake,
Thanks a lot for your comments! In-line
On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote:
> Current gen Cisco ASA firewalls have logic so that if the connection
> from a private host originated from a privileged source port, the
> NAT
> translation to public IP also uses an
For Linux iptables SNAT (used with --to-source), the default is to change
the packet as little as possible.
https://linux.die.net/man/8/iptables
"If no port range is specified, then source ports below 512 will be mapped
to other ports below 512: those between 512 and 1023 inclusive will be
mapped
Current gen Cisco ASA firewalls have logic so that if the connection
from a private host originated from a privileged source port, the NAT
translation to public IP also uses an unprivileged source port (not
necessarily the same source port though).
I found out that this behavior can cause issu
I believe all devices will translate a privileged port, but it won't translate
to the same number on the other side. It will translate to an unprivileged
port. Is it what you meant or really there are some devices that will not
translate at all a privileged port?
What are you trying to achieve
I currently have about ~2750 public IP's (11 /24's) for ~53,000 broadband
customers. (ftth, cable modem and dsl)
I cap them at 3,000 ports using PBA, port block allocation.. Blocks of 100
at a time, and 30 blocks per subscriber. (100*30=3000)
I usually see, when a private internal IP is u
The problem asking whether this can be done "at line rate" in a specific
switch platform ignores these critical measurements:
- what's the packet rate expected for the nat flows?
- will the control plane add a forwarding plane rule for every new session?
if so, how quickly can that rule be pushed t
On 10/16/18 08:55, Brandon Martin wrote:
> On 10/16/18 10:05 AM, James Bensley wrote:
>> NAT/PAT is an N:1 swapping (map) though so a state/translation table
>> is required to correctly "swap" back the return traffic. MPLS for
>> example is 1:1 mapping/action. NAT/PAT state tables tend to fill
>> q
On 10/16/18 10:05 AM, James Bensley wrote:
NAT/PAT is an N:1 swapping (map) though so a state/translation table
is required to correctly "swap" back the return traffic. MPLS for
example is 1:1 mapping/action. NAT/PAT state tables tend to fill
quickly so to aid with this we also have timers to tim
On Mon, 15 Oct 2018 at 10:07, wrote:
>
> Interesting, but isn’t stateful tracking once again just swapping, but in
> this case port 123 in port 32123 out?
>
> So none of the chips you named below support swapping parts of L4 header and
> that part is actually done with SW assistance please?
>
>
Paul Zugnoni
Sent: Thursday, October 11, 2018 6:04 AM
To: w...@felter.org
Cc: nanog@nanog.org
Subject: Re: NAT on a Trident/Qumran(/or other?) equipped whitebox?
The key to answering the question of NAT support on a Broadcom switch
forwarding chip, is... another question: What /flavour of NAT
The key to answering the question of NAT support on a Broadcom switch
forwarding chip, is... another question: What /flavour of NAT/ you're
looking for. Generally Trident (1,2,3), Tomahawk(1,2) and I believe Jericho
all support varying degrees of swapping parts of an IP or Eth header for
other part
On 10/9/18 10:35 AM, Jason Lixfeld wrote:
Has anyone played around with this? Curious if the BCM (or whatever other
chip) can do this, and if not, if any of the box vendors have tried to find a
way to get these things to do a bunch of NAT - say some flavour of NAT,
line-rate @ 10G. If so, an
Indeed, however there are some other features currently missing from the Arista
stack that sort of take it off the table (granted, those features have been
promised early-ish next year).
> On Oct 9, 2018, at 11:52 AM, Edward Dore
> wrote:
>
> Not sure if you count Arista as whitebox given the
The older Fulcrum/Intel FM6000 in the Arista 7150 can do NAT.
--
Tim
On Tue, Oct 9, 2018 at 10:54 AM Edward Dore <
edward.d...@freethought-internet.co.uk> wrote:
> Not sure if you count Arista as whitebox given their use of merchant
> silicon but running their own NOS, however they were touting
Not sure if you count Arista as whitebox given their use of merchant silicon
but running their own NOS, however they were touting the 7170 series as being
able to do NAT recently. That's a Barefoot Tofino chip under the hood.
I've no idea how well it can do NAT or what the limitations are mind y
Wonderfully crafted, too. Great work.
S.
On 5 July 2016 at 15:39, Seth Mattinen wrote:
> On 7/1/16 19:28, Edgar Carver wrote:
>
>> Hello NANOG community. I was directed here by our network administrator
>> since she is on vacation. Luckily, I minored in Computer Science so I have
>> some famil
FYI
There is no way to reset the password on a PAN without doing a factory
reset if you do not know the password of any previous config release
version.
If you do a reset then you will have to reconfigure the fw rules, ip
addresses, routes, nat, inspection policies, and other basic functions
depe
On 7/5/2016 18:46, Matt Palmer wrote:
On Fri, Jul 01, 2016 at 09:28:54PM -0500, Edgar Carver wrote:
Hello NANOG community. I was directed here by our network administrator
since she is on vacation. Luckily, I minored in Computer Science so I have
some familiarity.
Well played, Tay. Well pla
On Fri, Jul 01, 2016 at 09:28:54PM -0500, Edgar Carver wrote:
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
Well played, Tay. Well played.
For everyone else:
https://twit
You know the cosmological model that the earth is balanced on the back of a
giant turtle, which is supported by successive lower tiers of other turtles?
https://en.wikipedia.org/wiki/Turtles_all_the_way_down
It's like that, except it's trolls all the way down.
On Tue, Jul 5, 2016 at 3:24 PM, C
My how the world has changed!
On 7/1/2016 21:28, Edgar Carver wrote:
Hello NANOG community. I was directed here by our network administrator
since she is on vacation.
I am Old School, I guess. In my day Step One would be "Fire the
administrator." The job is by nature a 24 X 7 X 52 job and "
--- se...@rollernet.us wrote:
From: Seth Mattinen
On 7/1/16 19:28, Edgar Carver wrote:
> Hello NANOG community. I was directed here
> by our network administrator since she is
> on vacation. Luckily, I minored in Computer
> Science so I have some familiarity.
:: This is not legit, y'all ar
On 7/1/16 19:28, Edgar Carver wrote:
Hello NANOG community. I was directed here by our network administrator
since she is on vacation. Luckily, I minored in Computer Science so I have
some familiarity.
This is not legit, y'all are being trolled.
~Seth
The original email was not a serious question, but a joke:
https://twitter.com/SwiftOnSecurity/status/749059605360062464
https://twitter.com/SwiftOnSecurity/status/749062835687174144
https://twitter.com/SwiftOnSecurity/status/749068172460847105
On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve wr
It is all about defense in depth. The engineers here are speaking to the
network pieces (the second N in NANOG is network, right :) and we have told
this person that it is unlikely that v6 is the only vector and I myself talked
about malware handling on the clients themselves. From a network e
You may want to look into a new product by Ixia
https://www.ixiacom.com/products/threatarmor (seems their site is under
maint atm).
On Tue, Jul 5, 2016 at 10:31 AM, Naslund, Steve
wrote:
> On another note, using a firewall to stop viruses is probably not going to
> work in general (unless the f
On 5 July 2016 at 21:47, Octavio Alvarez wrote:
> Everything else has been already said by others: fixing the Palo Alto is
> still your best bet.
>
No while that is also needed, it is very unlikely to fix his issue. The
issue at hand is that some of their computers have become virus infected.
T
On 07/01/2016 07:28 PM, Edgar Carver wrote:
> Is there some kind of NAT-based IPv6 firewall I can setup on the router
> that can help block viruses?
You need layer-7 firewalls for this. NAT-based "firewalls"
(pseudo-firewalls, really) are layer-4 only. Those will not help you
block typical viruses
Hi,
> Right. But how long is it going to take to secure the Palo Alto firewall?
around 5 minutes?
recover password, restart, log in, fix rules.
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Reset-the-Administrator-Password/ta-p/57581
obviously the firewall is also blocking
Hi,
> > The Palo-Alto's also don't support anything but NAT64,
>
> They don't support proper dual-stack?? Or NAT64 is the only NAT flavor
of course they support native IPv6 ...or IPv4 with IPv6 in dual-stack.
i believe the comment was related to the 6/4 xlat stuff - ie just NAT64 and not
464X
On 5 July 2016 at 17:40, Lee wrote:
>
> Right. But how long is it going to take to secure the Palo Alto firewall?
> If the central Cisco Catalyst really is an IPv6 router, doing a
> conf t
> ipv6 access-list denyIPv6
> deny ipv6 any any
>
> interface [whatever connects to the ISP]
> ipv6 traf
On 7/5/16, Naslund, Steve wrote:
> Did you get the impression that this person asking for help was going to be
> able to set that up?
Yes, I think the OP could create & apply the acl. Which is why I said
it could break their network & suggested they get Cisco tech support
on the phone to figure
Not to belabor the point, because it will likely be made frequently in
responses, but every legitimate service _should_ have both IPv4 and IPv6
addresses.
Get Palo Alto on the horn, and get access to that box. Get it configured
properly.
I won't hammer you since you're just trying to solve a prob
On Fri, 1 Jul 2016 21:28:54 -0500
Edgar Carver wrote:
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
Luckily!
> router. Or, ideally, is there an easy way to turn off IPv6
NAT64 is the only type of IPv6 NAT they support.
*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com
On Tue, Jul 5, 2016 at 12:18 PM, wrote:
> On Tue, 05 Jul 2016 11:54:14 -0400, Spencer Ryan said:
> >
On Tue, 05 Jul 2016 11:54:14 -0400, Spencer Ryan said:
> The Palo-Alto's also don't support anything but NAT64,
They don't support proper dual-stack?? Or NAT64 is the only NAT flavor
they support on the v6 side?
Did you get the impression that this person asking for help was going to be
able to set that up? I didn't (if he was he would probably already know what
an ACL is). I do not know if the Catalyst he is looking at is his or his
service providers edge devices (or maybe the consultants didn't give
The Palo-Alto's also don't support anything but NAT64, so depending on what
you meant by the IPv6 side is sharing "one address" might not be correct.
*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com
O
Hi,
I would go through the password recovery options on the PaloAlto.
as a next gen firewall you need to ensure you are getting all the latest
rulesets
and detection code through - check your subscription with them
once you've sorted out access you can look at the policies and ensure that
the
On 7/5/16, Naslund, Steve wrote:
> Hard to know where to begin with this one, but let me take a shot at it.
>
> 1. My top priority would be to get into that Palo Alto firewall. Get Palo
> Alto on the phone and figure out password recovery with them. Since you
> don’t have the password it is pos
AM
To: Edgar Carver
Cc: nanog@nanog.org
Subject: Re: NAT firewall for IPv6?
On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
> We're having problems where viruses are getting through Firefox, and
> we think it's because our Palo Alto firewall is set to bypass
> filtering fo
> On Jul 5, 2016, at 9:33 AM, valdis.kletni...@vt.edu wrote:
>
> On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
>
>> We're having problems where viruses are getting through Firefox, and we
>> think it's because our Palo Alto firewall is set to bypass filtering for
>> IPv6.
>
> Do you ha
On 7/1/16 8:28 PM, Edgar Carver wrote:
Unfortunately, the network admin couldn't give me the password since
a local consultant set it up, and it seems they went out of business. I
need to think outside the box.
So your network admin didn't bother to get the login/enable password for
a device t
On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6.
Do you have any actual evidence (device logs, tcpdump, netflow, etc) that
support th
On another note, using a firewall to stop viruses is probably not going to work
in general (unless the firewall has some additional malware detection engine).
Here is the issue in a nutshell. A firewall primarily controls where people
can connect to and from on a network. The problem with th
Hard to know where to begin with this one, but let me take a shot at it.
1. My top priority would be to get into that Palo Alto firewall. Get Palo
Alto on the phone and figure out password recovery with them. Since you don’t
have the password it is possible that firewall is compromised. Do n
You emailed the wrong list to say this "Or, ideally, is there an easy way
to turn off IPv6 completely? I
really don't see a need for it, any legitimate service should have an IPv4
address."
Turning off IPv6 is not the right solution, nor will it magically fix your
issues.
Fix the Palo Alto, eithe
On 1/7/16, 7:39 PM, "NANOG on behalf of Doug Barton"
wrote:
>On 12/18/2015 01:20 PM, Lee Howard wrote:
>>
>>
>> On 12/17/15, 1:59 PM, "NANOG on behalf of Matthew Petach"
>
>>> I'm still waiting for the IETF to come around
>>> to allowing feature parity between IPv4 and IPv6
>>> when it comes to
On 12/19/2015 07:17 AM, Sander Steffann wrote:
Hi Jeff,
It's far past time to worry about architectural purity. We need people
deploying IPv6 *NOW*, and it needs to be the job of the IETF, at this
point, to fix the problems that are causing people not to deploy.
I partially agree with you. I
On 12/18/2015 01:20 PM, Lee Howard wrote:
On 12/17/15, 1:59 PM, "NANOG on behalf of Matthew Petach"
I'm still waiting for the IETF to come around
to allowing feature parity between IPv4 and IPv6
when it comes to DHCP. The stance of not
allowing the DHCP server to assign a default
gateway to
Hello,
Does anyone use Citrix Netscaler MPX 14000 as a CGNAT for more than 25K
users?
Regards,
Comments inline
> On Dec 22, 2015, at 12:47 PM, Owen DeLong wrote:
>
>
>> On Dec 22, 2015, at 01:21 , Bjørn Mork wrote:
>>
>> Owen DeLong writes:
On Dec 20, 2015, at 08:57 , Mike Hammett wrote:
>>>
The idea that there's a possible need for more than 4 bits worth of
subnets
> On Dec 22, 2015, at 01:21 , Bjørn Mork wrote:
>
> Owen DeLong writes:
>>> On Dec 20, 2015, at 08:57 , Mike Hammett wrote:
>>
>>> The idea that there's a possible need for more than 4 bits worth of
>>> subnets in a home is simply ludicrous and we have people advocating
>>> 16 bits worth of s
Owen DeLong writes:
>> On Dec 20, 2015, at 08:57 , Mike Hammett wrote:
>
>> The idea that there's a possible need for more than 4 bits worth of
>> subnets in a home is simply ludicrous and we have people advocating
>> 16 bits worth of subnets. How does that compare to the entire IPv4
>> Internet?
On 21/Dec/15 07:22, Jason Baugher wrote:
>
> From a service provider perspective, I feel we have 2 choices. The first is
> to spend a lot of time trying to educate our customers on how networks work
> and how to manage theirs. Personally, I'd rather have my fingernails pulled
> out. The second,
--- ja...@puck.nether.net wrote:
From: Jared Mauch
I'd love to hear from people on what they perceive and
the real barriers they have seen with regards to IPv6
in your environment.
---
In the enterprise; managers that don't (and don't want
Not quite true…
"What happens when we have to make an incompatible change to the fundamental
packet header?" is the real challenge.
It happens that in the case of IPv4, we didn’t hit that particular wall until
we needed a larger address.
In IPv6, it will probably be something related to the ab
with 10 RIRs.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> - Original Message -
>
> From: "Daniel Corbe"
> To: "Mike Hammett"
> Cc: "Mark Andrews" , "No
In message , Tony Fin
ch writes:
> Alan Buxey wrote:
>
> > Most people don't need the devices to talk to each other
>
> A lot of home networking uses mDNS - partitioning off devices will break
> things like printing and chromecast and using your phone as a remote
> control for your media player
We already have CPE vendors shipping with "guest" ssids. These
require a separate /64 and are usually treated as external to the
home network. With IPv4 you grab a separate chunk of rfc1918 space
and nat that as well as the main chunk of space. For IPv6 you need
multiple /64s from the ISP. A
Alan Buxey wrote:
> Most people don't need the devices to talk to each other
A lot of home networking uses mDNS - partitioning off devices will break
things like printing and chromecast and using your phone as a remote
control for your media players, etc. ad nauseam.
Tony.
--
f.anthony.n.finch
In article <4102d692-a315-4c38-a2cb-54f96999e...@lboro.ac.uk> you write:
>I'm surprised that no one of the home wifi router folk haven't cornered the
>market on that
>one in terms of client separation. Most people don't need the devices to talk
>to each
>other so by default all ports on different
I'm surprised that no one of the home wifi router folk haven't cornered the
market on that one in terms of client separation. Most people don't need the
devices to talk to each other so by default all ports on different VLANs ..
192.168.0-8.x etc
Internet of things security out of the box. Web
On Sun, 20 Dec 2015, Chuck Church wrote:
insist on "NAT/PAT != firewall". Well, a router routing everything it sees
is even less of a firewall. I'm really not trying to be argumentative here,
but I'm just having a hard time believing Joe Sixpack will be applying
business networking principles
--- chuckchu...@gmail.com wrote:
From: "Chuck Church"
but I'm just having a hard time believing Joe Sixpack will be applying
business networking principles such as micro-segmenting to a home network
with 3 to 7 devices on it. If anything, these complexities we keep
To: nanog@nanog.org
Sent: Sunday, December 20, 2015 10:06:26 PM
Subject: RE: Nat
You can lead a horse to water, but you cannot make it drink. If people choose
to be the authors of their own misfortunes, that is their choice. I know a good
many folks who are not members of NANOG yet have multipl
Hi,
> > > persuading people to move to IPv6. Especially when everyone
> > > already understands DHCP in the v4 world.
> > enterprise) and once they stop thinking "I want to do everything
> > in IPv6 in exactly the same way as I have always done in IPv4"
exactly.
as my thoughts often gather at
Hi,
On Sat, Dec 19, 2015 at 03:03:18PM +0100, Sander Steffann wrote:
> > The mix of having to do this crazy thing of gateway announcements
> > from one place, DNS from somewhere else, possibly auto-assigning
> > addresses from a router, but maybe getting them over DHCPv6. It's
> > just confusing a
On Sun, Dec 20, 2015 at 10:54:49PM -0500, Chuck Church wrote:
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matt Palmer
> >Depends on how many devices you have on it. Once you start filling your
> >home with Internet of Unpatchable Security Holes devices, having everything
> >on a si
yet have multiple
> separate L2 and L3 networks to keep the "crap" isolated.
>
> > -Original Message-
> > From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On
> Behalf
> > Of Mike Hammett
> > Sent: Sunday, 20 December, 2015 20:37
> &
-Original Message-
> From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On Behalf
> Of Mike Hammett
> Sent: Sunday, 20 December, 2015 20:37
> Cc: North American Network Operators Group
> Subject: Re: Nat
>
> We can't get people to use passwords jud
-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matt Palmer
Sent: Sunday, December 20, 2015 10:29 PM
To: nanog@nanog.org
Subject: Re: Nat
>Depends on how many devices you have on it. Once you start filling your
home with Internet of Unpatchable Security Ho
merican Network
> Operators' Group'
> Subject: Re: Nat
>
>
> >I have a single CPE router and 3 /64's in use. One for each of the
> wireless SSID's and one for the wired network. This is the default for
> homenet devices. A single /64 means you >hav
dy Fischer"
To: "Mike Hammett"
Cc: "North American Network Operators Group"
Sent: Sunday, December 20, 2015 9:34:16 PM
Subject: Re: Nat
On Sun, Dec 20, 2015 at 10:15 PM, Mike Hammett < na...@ics-il.net > wrote:
Most people couldn't care less and j
On Sun, Dec 20, 2015 at 10:15 PM, Mike Hammett wrote:
> Most people couldn't care less and just want the Internet on their device
> to work.
Well, if the best practice for CPE routers included as a matter of course
the subnets "connected to internet", "local only (e.g. IoT)" and "guest
network"
On Sun, Dec 20, 2015 at 09:23:04PM -0500, Chuck Church wrote:
> I agree that a /48 or /56 being reserved for business
> customers/sites is reasonable. But for residential use, I'm having a hard
> time believing multi-subnet home networks are even remotely common outside
> of networking folk
On Sun, Dec 20, 2015 at 08:11:53PM -0700, Keith Medcalf wrote:
> > I agree that a /48 or /56 being reserved for business
> > customers/sites is reasonable. But for residential use, I'm having a hard
> > time believing multi-subnet home networks are even remotely common outside
> > of networkin
Most people couldn't care less and just want the Internet on their device to
work.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
- Original Message -
From: "Keith Medcalf"
To: nanog@nanog.org
Sent: Sunday, December 20, 2015 9:11:53
> I agree that a /48 or /56 being reserved for business
> customers/sites is reasonable. But for residential use, I'm having a hard
> time believing multi-subnet home networks are even remotely common outside
> of networking folk such as the NANOG members. A lot of recent IPv4
> devices
> s
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Thursday, December 17, 2015 7:46 PM
To: Chuck Church
Cc: 'Matthew Petach' ; 'North American Network
Operators' Group'
Subject: Re: Nat
>I have a single CPE router and 3 /64's in u
On 20 December 2015 at 17:57, Mike Hammett wrote:
> The idea that there's a possible need for more than 4 bits worth of
> subnets in a home is simply ludicrous and we have people advocating 16 bits
> worth of subnets. How does that compare to the entire IPv4 Internet?
>
Do those extra bits som
> On Dec 20, 2015, at 1:22 PM, Matthew Petach wrote:
>
> On Sun, Dec 20, 2015 at 9:55 AM, Daniel Corbe wrote:
>>> On Dec 20, 2015, at 11:57 AM, Mike Hammett wrote:
>>>
>>> There is little that can be done about much of this now, but at least we
>>> can label some of these past decisions as r
On Sun, Dec 20, 2015 at 9:55 AM, Daniel Corbe wrote:
>> On Dec 20, 2015, at 11:57 AM, Mike Hammett wrote:
>>
>> There is little that can be done about much of this now, but at least we can
>> label some of these past decisions as ridiculous and hopefully a lesson for
>> next time.
>
> There isn
l Message -
>
> From: "Daniel Corbe"
> To: "Mike Hammett"
> Cc: "Mark Andrews" , "North American Network Operators' Group"
>
> Sent: Saturday, December 19, 2015 10:55:03 AM
> Subject: Re: Nat
>
> Hi.
>
>> O
"Mike Hammett"
Cc: "Mark Andrews" , "North American Network Operators' Group"
Sent: Saturday, December 19, 2015 10:55:03 AM
Subject: Re: Nat
Hi.
> On Dec 19, 2015, at 11:41 AM, Mike Hammett wrote:
>
> "A single /64 has never been enough
Hi Matthew,
> I have multiple sets of clients on a particular subnet; the subnet
> is somewhat geographically distributed; I have multiple routers
> on the subnet. I currently am able to explicitly associate clients
> with the most appropriate router for them in v4.
> How can I do this using only
On 19 December 2015 at 15:49, Jeff McAdams wrote:
> It's far past time to worry about architectural purity. We need people
> deploying IPv6 *NOW*, and it needs to be the job of the IETF, at this
> point, to fix the problems that are causing people not to deploy.
>
If you want to deploy IPv6 NO
James R Cutler wrote:
> All that is necessary is for us to end the years of religious debate
> of DHCP vs RA and to start providing solutions that meet business
> management needs.
Heresy! Burn him!
Nick
This is OT of NAT, but follows the existing discussion.
Since discussion has warped around to host configuration DHCP (again), it might
be useful to review discussions dating from 2011:
The stupidity of trying to "fix" DHCPv6
and
The Business Wisdom of trying to "fix" DHCPv6
which also refer to
Hi Nick,
> Unfortunately, this turned into a religious war a long time ago and the
> primary consideration with regard to dhcpv6 has not been what's best for
> ipv6 or ipv6 users or ipv6 operators, but ensuring that dhcpv6 is
> sufficiently crippled as a protocol that it cannot be deployed without
On Sat, Dec 19, 2015 at 7:17 AM, Sander Steffann wrote:
> Hi Jeff,
>
>> It's far past time to worry about architectural purity. We need people
>> deploying IPv6 *NOW*, and it needs to be the job of the IETF, at this
>> point, to fix the problems that are causing people not to deploy.
>
> I partia