Marcus J. Ranum, CEO,
Network Flight Recorder Inc,
Woodbine, MD,
E-mail: mjr@nfr.net
URL http://www.nfr.net
Personal web pages at http://www.clark.net/pub/mjr
Does anyone remember IPv6? That was the next generation of TCP/IP, which was going to replace the current version, IPv4, any time now. "Any time now" began years ago, and somehow it hasn't happened yet. One of the features everyone wanted from IPv6 was extended address space, so that there wouldn't be any more shortage in obtaining registered Internet routable networks. Arguably, the extended address space was the ONLY feature many of us wanted from IPv6. But we were told that a major redesign was the only way to get it: doubling the existing address space was not deemed to be a viable solution for technical reasons which may no longer hold true. Unfortunately for us all, the IETF has adopted an ISO-like immobility in the standards process, and IPv6 is still a work in progress, after over 8 years -- an eternity in Internet time.
What's happening in the meantime? A combination of 3 events has caught us:
Not all of these events are inherently bad, but they combine to create an environment in which it is extremely hard to get "correct" IP addresses, it is hard to keep them if you change ISPs, and there is a simple "solution" available in the form of network address translation. Increasingly, ISPs' service contracts stipulate that you must "return" your IP addresses, if you cancel your service. It is nearly impossible to get more than a few class C networks, and most network managers are terrified to get a class C network that they might have to "return" in the future. As a result, the only apparent solution is a firewall performing network address translation between Internet routable networks and network 10 addresses.
Network 10 is the old class A network for the Arpanet, which was formally retired a number of years ago. Nobody can legally route network 10 traffic over the Internet; it's reserved for "private" use only. It's used very widely: a majority of the new network connections being installed are using network 10 addresses to some degree. How is this a problem? If I'm on a network 10 address and you're on a network 10 address, then, to communicate, I need to translate my traffic to a routable Internet address, then send it to you for translation to another network 10 address.
Performing this operation isn't as simple as it sounds, unfortunately. Some protocols, such as FTP, encode IP addresses as part of their control protocol: to work properly not only must the addresses in the packets be changed, the traffic must be re-assembled and modified. Many firewalls and some routers can do such translation, but they do not operate effectively at gigabit speeds or even FDDI speeds. We're designing networks with a built-in performance problem, as a way of "solving" what is essentially a simple protocol problem. Try doing full-motion video through a pair of back-to-back firewalls and you'll achieve an up close and personal understanding of the bottleneck.
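The FTP problem described above can be made concrete with a small model of a translating gateway. The following is an added example, not code from the column or from any NFR product; the gateway address 192.0.2.1, the remote server address and the packet dictionaries are constructed sample values. It rewrites the source address and port of an outbound packet and, for FTP control traffic, also parses and rewrites the private address and data port carried inside the PORT command payload (RFC 959 syntax "PORT h1,h2,h3,h4,p1,p2", where the port is p1*256 + p2), which is exactly the extra work a header-only translator cannot do.

```python
import ipaddress
import re

# Constructed example of a NAT gateway in front of a network 10 site.
# Outbound packets get their source address and port rewritten; FTP control
# packets (destination port 21) additionally have the PORT command payload
# rewritten, because it embeds the client's private address and data port.
PRIVATE_NET_10 = ipaddress.ip_network("10.0.0.0/8")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class Nat:
    """Maps (private_ip, private_port) to a port on the gateway's public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def translate(self, private_ip, private_port):
        """Allocate (or reuse) a public port for a private endpoint."""
        key = (private_ip, private_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

    def outbound(self, packet):
        """Rewrite a packet dict {src, sport, dst, dport, payload} leaving the private network."""
        if ipaddress.ip_address(packet["src"]) not in PRIVATE_NET_10:
            return dict(packet)  # already routable: nothing to translate
        pub_ip, pub_port = self.translate(packet["src"], packet["sport"])
        out = dict(packet, src=pub_ip, sport=pub_port)
        # Header rewriting alone is not enough for FTP: the PORT command carries
        # the client's private address and data port inside the payload, so the
        # gateway has to parse and rewrite the application data as well.
        if packet["dport"] == 21:
            out["payload"] = self.rewrite_port_command(packet["payload"], packet["src"])
        return out

    def rewrite_port_command(self, payload, private_ip):
        """Replace a private address/port in an FTP PORT command with a public one."""
        m = PORT_RE.match(payload)
        if not m:
            return payload  # not a PORT command: leave the payload untouched
        embedded_ip = ".".join(m.group(i) for i in range(1, 5))
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        if embedded_ip != private_ip:
            return payload  # does not refer to the translated host: leave as-is
        pub_ip, pub_port = self.translate(private_ip, data_port)
        octets = ",".join(pub_ip.split("."))
        return "PORT %s,%d,%d\r\n" % (octets, pub_port // 256, pub_port % 256)


if __name__ == "__main__":
    # Constructed sample: a network 10 client opening an FTP control
    # connection and announcing data port 5001 (19*256 + 137).
    nat = Nat("192.0.2.1")
    pkt = {"src": "10.1.2.3", "sport": 5000, "dst": "203.0.113.9", "dport": 21,
           "payload": "PORT 10,1,2,3,19,137\r\n"}
    print(nat.outbound(pkt))
```

The model also shows why this is costly at high speed: the gateway must keep per-connection state, inspect every control packet, and re-emit a payload whose length may differ from the original, which means re-segmenting the TCP stream rather than simply forwarding packets.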
So what does the future hold? The IETF appears to be incapable of producing an effective, timely standard -- now that the Internet is big business, the vendors have usurped control of the dialog by deliberately fragmenting the standards process. We didn't have this problem back in the days when nobody made money off the Internet. Now, everyone has a vested interest. Performance and scalability aren't the only parts of the Internet that are suffering; security is, as well. Part of the IPv6 standard was to include encryption and authentication: IPSEC. The IPSEC standard has been limping along for almost as long as the IPv6 standard, and, while it appears to be about to come to closure, vendors are scared to implement it because it has suffered so many turnarounds and changes.
My guess is that a lot of vendors are going to ignore IPv6 and IPSEC until quite a while after the standards are completed -- if they ever are. In the meantime, people with networks to build will keep building IPv4 networks with network 10 addresses. The firewall vendors will be happy with this, since they'll get to sell lots of translators, but in the long run, the next generation of networkers is going to have a nasty problem. Will the only form of communication in the future be through translating gateways? Can we accept the performance loss? How well will the network 10 "solution" serve us in the long run? My guess is that future networkers will curse our names, just as we are complaining about all the COBOL programmers who didn't realize that time spans more than 2 digits. The COBOL programmers were trying to save 2 precious bytes in their databases, and we're trying to save 32 precious bytes and an upgrade in a packet header.
Perhaps, like the COBOL programmers, we can come back 20 years from now and make a lot of money as consultants to fix the problem. Or, we can fix it now by pressuring the standards committees to get off their backsides and stop arguing how many angels can dance on the head of a pin. The year 2000 is only a few years away. If only we had a new IP packet format we could switch to on the year 2000, we could blame it on the COBOL programmers as part of the Y2K problem!! :)