Hello everyone,

as promised during the WG session in Marseille, here is the result of my analysis of the draft ITU Recommendation Y.IPv6RefModel "Reference model of IPv6 subnet addressing plan for Internet of things deployment". It's not exactly a scientific masterpiece, but right now I have only limited time to get this out...

Upon another closer look at the document I realized that in *all* relevant cases not 8 but 16 bits of each address are re-purposed. This leads to an even more dramatic reduction of the expected usable lifetime of IPv6, as explained in point 5.

If I manage to turn this into a video blog session (no promises, but I'll try to find the time somehow) I'll let you know. And yes, I've already recorded a session on this topic in late 2013 at https://www.stepladder-it.com/bivblog/2/, so this problem has been around for at least a good four years.

Enjoy the read.

Cheers,

    Benedikt

---8<---

In One Sentence
===============

The entire document is flawed beyond repair due to its underlying approach; if applied as a "reference model" it will critically endanger the future of the IPv6 based Internet.

Some Core Problems
==================

1. The model is inapplicable to real-world networks.

2. The model will dramatically hinder any further evolution of all IP based networking.

3. The model carries all legacy problems from IPv4 into the IPv6 era.

4. The model precludes the application of several of the most basic security measures considered best practice by today's standards.

5. The model shortens the expected usable lifetime of IPv6 by at least 25%, or 42+ years at the current Internet growth rate.

Analysis and Explanations
=========================

1. The model is inapplicable to real-world networks
---------------------------------------------------

Real-world networks are split into subnets based on a number of fundamental criteria. These usually include

- real-time behaviour (e.g. low latency for VoIP vs. high bandwidth for SAN),
- security considerations (e.g. splitting networks into adequate security zones),
- service level considerations

and many more.

The document defines a categorization that ignores all of these criteria but for some reason considers "IoT" as special, without any consideration of the normal criteria applied to the particular IoT application. As a result, when designing networks according to the proposed model, there are two possible outcomes:

If the commonly used criteria are ignored, the result is a network that is an ill fit for the purposes and security requirements it should have been designed for.

If the commonly used criteria are applied, the encoding of the categories required by the model leads to a fragmentation of the network that causes a tremendous increase in the number of routes needed throughout the network. In sufficiently large networks, e.g. at enterprise level, this makes it impossible to apply the commonly used criteria for network design.

2. The model will dramatically hinder any further evolution of all IP based networking
--------------------------------------------------------------------------------------

The proposed model doesn't cater for future development of IP based networks. (Having a category "Reserved & Others" obviously doesn't do, since a "reserved" subnet range can't possibly be used for "other" applications.) But even if this was somehow fixed in the document, it wouldn't help. Reserving a sufficiently large part of the address space for future specifications would seriously aggravate the other problems in this analysis, to the point that the entire model becomes impossible to implement. Not reserving a sufficiently large part of the address space, however, will quickly lead to a situation where the Internet outgrows the proposed model.

Considering that it took IPv6 approximately 30 years to get to where it is right now, even if we started on a successor IP protocol today (which to my knowledge is nowhere in sight) we have to assume that IPv6 will be around for another 30+ years until it can be replaced. Considering the speed at which the Internet, and IP networking in general, have evolved in the last 30 years, there is no chance that the proposed model can be used throughout such a period in an evolutionary way.

3. The model carries all legacy problems from IPv4 into the IPv6 era
--------------------------------------------------------------------

Attempting to map IPv4 and IPv6 in a 1:1 fashion carries all the legacy issues we have with IPv4, like broadcast-based applications leading to undesirable network topologies, over into the IPv6 world. Once IPv4 becomes obsolete in parts of a network, this approach either forces yet another redesign of the then-productive IPv6 network, or it carries the IPv4-related problems into the IPv6-only period, even after IPv4 has otherwise been removed from the network.

4. The model precludes the application of several of the most basic security measures considered best practice by today's standards
-----------------------------------------------------------------------------------------------------------------------------------

In enterprise and other data center environments, microsegmentation and hierarchical security zones, as well as a number of other, more specific designs, are used to reach a sufficient level of security. All of these measures however require a network design that can't be implemented within the constraints of the proposed model except through an excessive bloat of the routing tables, firewall configurations and application based access control lists involved. Depending on the security requirements of the given network environment, this is unacceptable at best and a violation of various legal requirements at worst.

5. The model shortens the expected usable lifetime of IPv6 by at least 25%, or 42+ years at the current Internet growth rate
----------------------------------------------------------------------------------------------------------------------------

IP addresses by their very design are supposed to hold all the information needed to route IP packets from their source to their destination. As such, IP addresses must be assigned in a way that matches the chosen network topology, and nothing else. The proposed model however effectively re-purposes two octets of each address for purposes unrelated to routing.

Applying the HD ratio concept (as used for IPv6 subnets in general), or basic information theory (Shannon 1948/1949), this can be worked into more palatable numbers. The proposed model

- reduces the number of usable subnet prefixes to 1/65536 = 0.00153% of the address space,
- at a continued exponential growth of the Internet reduces the expected usable lifetime of IPv6 by (64-48)/64 or 25%, and
- at a continued exponential growth of the Internet by the commonly measured/estimated factor of 1.3/year, reduces the effective lifetime by log_1.3(2**16) = 42.27 years, i.e. the time it takes growth at that rate to fill the 2**16-fold space that is taken away.

This doesn't even take into account the impact it has on the size of routing tables, access control lists and such, which may or may not reduce the usable lifetime of IPv6 at the Internet level even further.

Only when the network topology correlates with, or is made to correlate with, the encoding of the categorization data in the addresses could this effect be slightly reduced. Trying to make use of this fact will however make network design decidedly more complex while at the same time only generating a marginal effect.

Conclusion
==========

Following from the results of this analysis (which is by no means meant to be complete), the proposed reference model is ill-conceived and critically endangers the future of the Internet.

---8<---

-- 
Benedikt Stockebrand, Stepladder IT Training+Consulting
Dipl.-Inform.                 http://www.stepladder-it.com/

          Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
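Editor's note: the following is an added worked example of the arithmetic behind point 5 of the analysis above. It is not part of Benedikt's post or of the ITU draft; the function names are mine, the 1.3/year growth factor is the one quoted in the analysis, and the site prefix 2001:db8::/48 and the "prefixes in use today" figure are constructed inputs. The `years_to_exhaustion` comparison fills in why the lost time is log_1.3(2**16): exponential growth needs exactly that many years to cover the factor 2**16 that the re-purposed bits remove, regardless of how much address space is in use today.

```python
import math
from ipaddress import IPv6Network

# Growth factor quoted in point 5 of the analysis (1.3 = 30% per year).
GROWTH_PER_YEAR = 1.3


def usable_subnet_fraction(repurposed_bits: int) -> float:
    """Fraction of subnet prefixes left once `repurposed_bits` of each
    address carry non-routing information. 16 bits -> 1/65536."""
    return 1.0 / 2 ** repurposed_bits


def lifetime_reduction(repurposed_bits: int, prefix_bits: int = 64) -> float:
    """Share of the 64 routing bits of an IPv6 prefix that is lost.
    16 of 64 bits -> 0.25, i.e. the '25%' figure."""
    return repurposed_bits / prefix_bits


def years_lost(repurposed_bits: int, growth: float = GROWTH_PER_YEAR) -> float:
    """Years of address-space lifetime lost under exponential growth.

    Growing by `growth` per year, the Internet needs log_growth(2**bits)
    years to fill the 2**bits-fold space that re-purposing throws away,
    so that is the time taken off the end of IPv6's usable life.
    16 bits at 1.3/year -> log_1.3(65536), about 42.27 years.
    """
    return math.log(2 ** repurposed_bits, growth)


def years_to_exhaustion(pool_size: float, in_use: float,
                        growth: float = GROWTH_PER_YEAR) -> float:
    """Years until a pool of `pool_size` prefixes is exhausted, starting
    from `in_use` prefixes and growing by `growth` per year:
    in_use * growth**t == pool_size  =>  t = log_growth(pool_size / in_use)."""
    return math.log(pool_size / in_use, growth)


def topology_subnets_left(site_prefix: str, repurposed_bits: int,
                          subnet_prefix_len: int = 64) -> int:
    """Number of /64 subnets a site prefix can still assign by topology
    once `repurposed_bits` of its subnet ID field are fixed by category.
    Raises ValueError if the category field does not fit the subnet ID."""
    site = IPv6Network(site_prefix)
    subnet_id_bits = subnet_prefix_len - site.prefixlen
    if repurposed_bits > subnet_id_bits:
        raise ValueError(
            f"{repurposed_bits} category bits do not fit the "
            f"{subnet_id_bits}-bit subnet ID of {site}")
    return 2 ** (subnet_id_bits - repurposed_bits)


if __name__ == "__main__":
    bits = 16  # the analysis found 16 bits re-purposed in all relevant cases
    print(f"usable subnet prefixes: {usable_subnet_fraction(bits):.6%}")
    print(f"lifetime reduction:     {lifetime_reduction(bits):.0%}")
    print(f"years lost at 1.3/year: {years_lost(bits):.2f}")

    # Constructed illustration: the loss is the same whatever is in use
    # today; only the pool size (2**64 /64s vs 2**48 /64s) changes.
    in_use_today = 2 ** 30  # constructed figure, not a measurement
    full = years_to_exhaustion(2 ** 64, in_use_today)
    cut = years_to_exhaustion(2 ** 48, in_use_today)
    print(f"exhaustion: {full:.2f} vs {cut:.2f} years, "
          f"difference {full - cut:.2f}")

    # Constructed site allocation from the documentation range: with all
    # 16 subnet-ID bits taken by the category code, one /64 is left.
    print("/64s left for topology in 2001:db8::/48:",
          topology_subnets_left("2001:db8::/48", bits))
```

Run it as a script to print the three figures from point 5 side by side with the exhaustion comparison; `topology_subnets_left` also shows why the model cannot be squeezed into anything smaller than a /48 per site, since a /56 site (8 subnet-ID bits) cannot hold a 16-bit category field at all.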