Pondering subnet allocations

Edit, 2011-05-03: To all those poor souls who have been directed here by Google in their search for best practices on IPv4 and/or IPv6 subnet allocations (or worse, the HP A5500’s NAT capabilities), please accept my sincere apologies.  This page is more about asking questions than providing answers.

Edit, 2011-08-07: Network World has an interesting blog post by Jeff Doyle talking about issues in IPv6 address space design. Good reading.

This is my third go at writing this post.  I started in the middle of the night, because i woke up with IPv4 allocations and VLAN assignments running around in my head and couldn’t get back to sleep.  After writing what seemed to me a reasonably coherent post, i accidentally hit the back button instead of the left arrow (surely they could have found somewhere better to put that on the ThinkPad keyboard).  Dismal failure 1 for the day.  After that i just threw a few notes in here as a draft and went back to bed.

I’m in the middle of a network redesign for a major client, a medium-sized K-12 private school.  We have about 70 switches, and a little over 2000 ports.  It’s nowhere near the scale of a university, enterprise data centre, or service provider network, but it requires significantly more design, planning, and implementation effort than your average small network.

The campus houses a few loosely-coupled related entities over about 25 or so buildings, all connected by Gigabit fibre.  A few years ago when we upgraded the phone system and switched to VoIP, i made an allocation plan for subnets using the IPv4 space.  We have quite a few VLANs, using /16 and /24 subnet sizes.

The network upgrade i’m working on has a number of goals: getting all client systems off the server VLAN (which has been progressing slowly over the last 18-24 months), providing redundant routing using a new pair of HP A5500 switches using IRF (HP/3Com’s equivalent to Cisco stacking), and moving routing between VLANs from an old cluster of Linux servers to the new switches.

At the same time, i’m planning a move from switch-based VLANs to building-based VLANs, and i thought to myself: since we’re going to need IPv6 on the outside network soon, i’d better make sure my new plan allows for IPv6 on the inside.  I want to keep the IPv6 structure pretty much identical to IPv4, since our subnet plan mirrors the physical structure of the network.

Selecting the subnet size on IPv6 is easy, since it’s pretty much fixed to /64 (insert appropriate mind-boggling about why we would want to burn half of our addressing bits on the local subnet here), but there’s another complication: because there’s no NAT (yet), my IPv6 subnet plan must fit within our external address range.  This is a big difference for many (most?) organisations using IPv4 only: at the moment, we have complete logical decoupling of our internal and external address ranges; under IPv6 we must tie the two together.

This is my big concern with the lack of NAT in IPv6: it places constraints on internal network design that do not exist in the IPv4+NAT world.  I don’t dispute the wisdom of the designers in leaving out NAT – it is unquestionably a complicating hack.  But in my limited understanding of IPv6, i’m not aware of an equivalent to the useful part of IPv4 NAT (the internal/external address decoupling).  When we implement IPv6, i’m guessing that i’ll implement one-to-one address translation at our network edge to achieve equivalent functionality.

So what happens with our external address space?  I’m not fully clear on APNIC’s IPv6 allocation rules, but as far as i can tell, an existing holder of an IPv4 /23 can expect a maximum IPv6 allocation of a /48.  This means that we would have 16 bits of subnets, which is exactly the same number of /24s we have available in the address space.  My first reaction to this was, “Sweet – i’ll use the exact same subnet numbers in hexadecimal, and i’ll have my IPv6 subnet plan.”  But i wonder whether that’s all there is to it.  And having exactly the same number of subnets at our disposal doesn’t seem like much of a leap forward in terms of protocol functionality…
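The “same subnet number in hex” idea above, worked through as an added example (not code from the original post): the 16 bits of /24 numbers in 10.0.0.0/8 become the 16-bit subnet ID of a /48, and a /16 VLAN lands on a /56 rather than a /64. The 10/8 internal range and the 2001:db8:abcd::/48 documentation prefix are placeholders standing in for the real allocations.

```python
import ipaddress

# Constructed placeholders: the internal IPv4 space (RFC 1918 10/8, which holds
# 2^16 /24s) and a /48 from the IPv6 documentation prefix standing in for the
# real APNIC allocation.
IPV4_SITE = ipaddress.IPv4Network("10.0.0.0/8")
IPV6_SITE = ipaddress.IPv6Network("2001:db8:abcd::/48")

# A /24 (8 host bits) maps to a /64; the prefix length shifts by 64 - 24 = 40.
PREFIX_SHIFT = 40


def v4_to_v6(v4: ipaddress.IPv4Network) -> ipaddress.IPv6Network:
    """Map a /16 .. /24 inside 10/8 to the IPv6 prefix with the same subnet number.

    Octets two and three of the IPv4 network address are its 16-bit subnet
    number; they are written unchanged into the 16-bit subnet ID field that
    sits just below the /48, so 10.5.7.0/24 reads as subnet ID 0x0507.  A /16
    spans 256 /24s and therefore maps to a /56 of /64s, and so on in between."""
    if not v4.subnet_of(IPV4_SITE) or not 16 <= v4.prefixlen <= 24:
        raise ValueError(f"{v4} is not a /16../24 inside {IPV4_SITE}")
    subnet_number = (int(v4.network_address) >> 8) & 0xFFFF
    v6_int = int(IPV6_SITE.network_address) | (subnet_number << 64)
    return ipaddress.IPv6Network((v6_int, v4.prefixlen + PREFIX_SHIFT))


def v6_to_v4(v6: ipaddress.IPv6Network) -> ipaddress.IPv4Network:
    """Inverse mapping, so the plan can be checked to round-trip both ways."""
    if not v6.subnet_of(IPV6_SITE) or not 56 <= v6.prefixlen <= 64:
        raise ValueError(f"{v6} is not a /56../64 inside {IPV6_SITE}")
    subnet_number = (int(v6.network_address) >> 64) & 0xFFFF
    v4_int = int(IPV4_SITE.network_address) | (subnet_number << 8)
    return ipaddress.IPv4Network((v4_int, v6.prefixlen - PREFIX_SHIFT))


def plan(vlans: dict) -> dict:
    """Build {vlan name: (IPv4 subnet, IPv6 subnet)} for a whole allocation table."""
    return {name: (v4, v4_to_v6(v4))
            for name, v4 in ((n, ipaddress.IPv4Network(s)) for n, s in vlans.items())}


if __name__ == "__main__":
    # Constructed sample VLANs, not the school's real allocation table.
    for name, (v4, v6) in plan({"servers": "10.5.0.0/16",
                                "library-clients": "10.5.7.0/24",
                                "voip-admin": "10.9.16.0/20"}).items():
        print(f"{name:16} {str(v4):18} -> {v6}")
```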

What are other people’s thoughts?  Are the issues for IPv6 subnet allocation different from IPv4?  Is there a best practice for this sort of thing?

Source: libertysys.com.au

When (Windows) software updates go awry

One of my clients had some very interesting Internet traffic statistics last week.  We came in Thursday morning and found that overnight we had downloaded over 700 GB of data from our ISP (UQ SchoolsNet).

Traffic graph from last week

When we looked through our proxy server logs we found that 538 GB of the total came from a single PC attempting to download a single URL for Adobe Acrobat Reader 9.2 updates.  Fortunately, we’re on an Internet plan which is capped rather than charged for excess traffic, and more fortunately still, our ISP hosts an Akamai mirror, which is where the URL for the updates resolved to.  So, no harm done.
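The kind of proxy-log check that surfaced the runaway client above, as an added example (not the post's own tooling): it totals bytes per client and URL from Squid native-format access.log lines and flags any pair that repeatedly fetched one URL and accounts for a large share of all proxied traffic. The log lines and the update URL are constructed samples, and the Squid layout is an assumption since the post does not name its proxy.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (not the post's real
# logs; the update URL is a placeholder):
# timestamp elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1300000001.101 512 10.20.3.44 TCP_MISS/200 52428800 GET http://updates.example.com/reader/9.2/AdbeRdrUpd920.msp - DIRECT/203.0.113.10 application/octet-stream
1300000002.202 498 10.20.3.44 TCP_MISS/200 52428800 GET http://updates.example.com/reader/9.2/AdbeRdrUpd920.msp - DIRECT/203.0.113.10 application/octet-stream
1300000003.303 47 10.20.5.12 TCP_HIT/200 8192 GET http://www.example.org/index.html - NONE/- text/html
1300000004.404 503 10.20.3.44 TCP_MISS/200 52428800 GET http://updates.example.com/reader/9.2/AdbeRdrUpd920.msp - DIRECT/203.0.113.10 application/octet-stream
1300000005.505 120 10.20.5.12 TCP_MISS/200 1048576 GET http://www.example.org/big.pdf - DIRECT/198.51.100.7 application/pdf
"""


def parse_squid_line(line):
    """Return (client, url, bytes) from one native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        return f[2], f[6], int(f[4])
    except ValueError:
        return None


def bytes_by_client_url(lines):
    """Sum bytes and count requests per (client, url) pair; skip unparseable lines."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_squid_line(line)
        if rec:
            client, url, size = rec
            totals[(client, url)][0] += size
            totals[(client, url)][1] += 1
    return totals


def find_runaway_downloads(log_text, min_share=0.25, min_requests=2):
    """Flag (client, url) pairs that fetched one URL at least min_requests times and
    account for at least min_share of all proxied bytes.

    Returns (client, url, bytes, requests, share) tuples, largest first."""
    totals = bytes_by_client_url(log_text.splitlines())
    grand = sum(b for b, _ in totals.values()) or 1
    hits = [(client, url, b, n, b / grand)
            for (client, url), (b, n) in totals.items()
            if n >= min_requests and b / grand >= min_share]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for client, url, b, n, share in find_runaway_downloads(SAMPLE_LOG):
        print(f"{client} fetched {url} {n}x, {b / 2**20:.0f} MiB ({share:.1%} of traffic)")
```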

What this reinforced to me was that allowing direct access to the Internet by PCs is rather irresponsible, both from a bandwidth utilization perspective and a cost perspective.  (And that doesn’t even take into account what legal ramifications there might have been if it had been a BitTorrent client rather than a misconfigured/buggy software update client.)


Source: libertysys.com.au

Back to the future for the Ubuntu desktop

The Register has a review of the Ubuntu 11.04 beta release which suggests there are some rocky times for existing Ubuntu users ahead.  The part of the article that stuck out to me reads:

The highlight of the current launcher is the plethora of keyboard shortcuts, which let you launch applications, open file browsers and call up system-wide searching without taking your hands off the keyboard.

This is basic functionality which X11 window managers have had for years.  I use IceWM which has had these features available through editing simple text configuration files for as long as i can remember (probably more than 10 years, since the SourceForge history for icewm’s 1.2 branch extends back to the year 2000).  And icewm provides many keyboard features which are simply not exposed to the user in current versions of the default Ubuntu GNOME desktop (e.g. go back to the previous virtual desktop used regardless of which number it was).

The paragraph continues:

There are also a few nice touches in the various indicator apps – for example you can simply hover your mouse over the volume indicator and use the scrollwheel to adjust the volume without ever actually clicking anything.

Again, this is basic functionality.  I use this feature in Amarok 1.4 (a really old version that i’m not supposed to admit that i still use – but that’s the subject of another blog post 😉) all the time.  Is it really so innovative?  Not only that, Ubuntu has been pulling functionality (like tooltips which tell you how much battery time is remaining) out of the indicator apps for the past several releases.

What this all suggests to me is that we’re about to embark on a period in Ubuntu’s history where functionality will be back to basics.  (Similar to what happened when Apple first released iOS and it lacked basic functionality like cut & paste.)  As for me, i’ll stick with Ubuntu classic desktop or perhaps take refuge on Debian while things settle down.  At the moment, Ubuntu 10.04 LTS actually fulfills all of my desktop/mobile computing needs, and i’m not prepared to iron out the bugs for them on a user interface which is targeted at users with very basic skills and with much more limited functionality needs than my own.

Source: libertysys.com.au