Monday, January 7, 2013

20130107 IPv6, Layer 2 is dead, version 2


IPv6 has a big enough address space that it's more than reasonable to consider subnetting to the port.  Effectively this means Layer 3 routing at a port level for an entire enterprise network.

The benefits of this are many, and should be straightforward to understand.

  • Reliability
  • Performance
  • Fault tolerance
  • Simplicity
  • Security

I'm not going to go into any depth at this time on those bullet points; I'll save that for future articles.

Here's an example interface config for a Cisco L3 capable switch.

interface GigabitEthernet1/0/19
 ! routed port: no Layer 2 switching, so no STP, no VLAN, no trunking on this interface
 no switchport
 ip address 10.0.4.9 255.255.255.248
 ! do not send ICMP redirects or unreachables from this port
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 ! one /96 per port (the host part is the last 32 bits)
 ipv6 address FDAA:AAAA:AAAA:AA00:0:13:7F77:1/96
 ipv6 enable
 ! set the O flag in router advertisements: hosts fetch DNS and other options via stateless DHCPv6
 ipv6 nd other-config-flag
 no ipv6 redirects
 no ipv6 unreachables
 ! strict unicast RPF: drop packets whose source address is not reachable back through this port
 ipv6 verify unicast source reachable-via rx allow-default
 ! age ARP entries after 60 seconds instead of the IOS default of 14400
 arp timeout 60

One of the items that I've learned since Version 1 of this post is that some devices *do* consider EUI-64 to be a hard set standard, and will not accept the variable subnet mask on the interface.

EUI-64 is a mistake, as integrating the MAC address into the IP address doesn't enhance the function of IP, and doesn't provide the additional level of security it was intended to (RFC 4941).  Converting the network to completely L3 to the port performs most of the intended functions of EUI-64 much better than EUI-64 ever could.

So, a /96 subnet mask isn't possible, it seems, with the way some devices are currently interpreting the RFC.
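To make the incompatibility concrete, here is an added Python example (not from the post) that builds a modified EUI-64 interface identifier the way SLAAC does, checks whether the resulting address can live inside the /96 from the interface config above, and shows that the MAC is trivially recoverable from such an address, which is the privacy problem RFC 4941 temporary addresses exist to solve. The MAC address and the 2001:db8 prefix are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Added example, not the post's code. The MAC and the 2001:db8 prefix used
# in the demonstration at the bottom are constructed values.
IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC:
    flip the universal/local bit of the first octet and splice FF:FE into the middle."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms: upper 64 bits of the prefix plus the 64-bit EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    top64 = (int(net.network_address) >> 64) << 64
    return ipaddress.IPv6Address(top64 | eui64_interface_id(mac))


def fits_prefix(prefix: str, mac: str) -> bool:
    """Does the EUI-64 address fall inside the configured prefix? Always true for a /64;
    for a /96 only if bits 64-95 of the IID happen to equal bits 64-95 of the prefix."""
    return slaac_address(prefix, mac) in ipaddress.IPv6Network(prefix, strict=False)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address; None when the FF:FE marker is
    absent (an RFC 4941 temporary address or a manually assigned host part)."""
    b = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    mac = "00:1b:21:ab:cd:ef"                       # constructed MAC
    port_96 = "FDAA:AAAA:AAAA:AA00:0:13:7F77:1/96"  # the post's interface prefix
    print(slaac_address("2001:db8:1:2::/64", mac))   # 2001:db8:1:2:21b:21ff:feab:cdef
    print(fits_prefix("2001:db8:1:2::/64", mac))     # True
    print(fits_prefix(port_96, mac))                 # False: the IID needs all 64 low bits
    print(mac_from_address("2001:db8:1:2:21b:21ff:feab:cdef"))  # the MAC comes straight back
```

The False result is the whole of the author's complaint in one line: a device that insists on a 64-bit EUI-64 identifier has nowhere to put it once the prefix is 96 bits long. The last line is why RFC 4941 exists: anyone who sees an EUI-64 address also learns the hardware address and vendor of the host.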

So, EUI-64 on every port is the direction that this standard is going to push us.  The idea of L3 to the port isn't going to go away once enterprise network engineers understand the concept.  It provides too many benefits to the enterprise network, particularly in the area of security.  (But, performance and reliability are key as well).

The issue is, at this time, EUI-64 wasn't constructed with the idea of port level layer 3 in mind.  As big as a 64 bit subnet address space seems, allocating subnets per port wasn't in the minds of the designers.

That doesn't mean per-port layer 3 is wrong, quite the opposite.  Layer 3 to the port is a worthwhile goal.  EUI-64 simply needs to be changed to accommodate it.

Before dismissing the idea of a complete layer 3 network, keep in mind that most ideas like this in IT were dismissed as impractical, but later found to be beneficial to the environment. Some examples are enterprise networks completely converting to all switch ports, or of computers using more than 64k of memory, or 640k of memory. IT is filled with concepts like these that didn't seem practical at the time, but eventually did come to pass. The Internet itself as an idea is probably the best example of this.

This idea will happen in the enterprise, it's simply a matter of this decade, or the next.  It would be better if the standards were scaled appropriately to the eventuality.

Rob

20130107 Hyperbole, Analogy, Simile and Metaphor



First of all, I want to apologize to anyone that understands the concepts I am talking about, without all of my figures of speech.

I live in a world where very few people that I know truly understand what I'm trying to say.  Most of the time, when I try to explain an idea, or a process, I get blank looks.  Some people even have the audacity to point fingers and tell me that I'm the one at fault.  Some, simply because they don't understand or have a background they can pull from; some simply because they don't really care.

As an example, Weialgo.  The concept is simple: ping stuff, and then graph it en masse, and use those graphs to get a better understanding of how applications work over your network.  Some people just don't understand all the technical talk, but they could, if they wanted to, understand green is good, yellow means caution, and red is bad or stop.  Strangely, only a few people have ever realized what I was saying with this.  Few being a handful; almost everyone else that I have talked to about this simple idea has ridiculed it or told me I was crazy or wasting my time.  They ask questions like, "Who else is doing this?"  "Wouldn't HP be doing this if it was that useful?"  "Why don't we hear about this from Cisco if it's so great?"

To me, weialgo is about as plain of a concept as I believe it could be.  There are no drawbacks.  While some may debate the usefulness of the information gathered by pings, tell me, what's the harm?  The information gathered is very useful, in my eyes it's critical for some things.  Why is it so hard for people to understand?

Over the years, to help illustrate my points, I've developed a method of explanation using hyperbole, analogy, simile and metaphor.  These simplified explanations have progressively gotten even simpler over the years, trying to make it easier for the non-technical audience to understand.  At times though, I forget there are people out there that are more technical and do understand concepts at their core.

Second case in point.  IPv6, RIP Layer 2.

Looking back at it, I could probably go on for an hour about everything wrong with that post. But, my reasoning behind escalating the use of 'figures of speech' is, I can't get anyone to listen to me.  If people really would stop and understand the impact of what I am saying in that post, I would get an immediate response.  However, since I didn't receive a response, I decided to try a bigger audience.

I cross posted it to Reddit.

Now, in hindsight, this was a huge mistake.  But not for the reasons you may think.

On reddit.com/r/networking, there were people that actually understood what I was saying.  Of course, I received the usual "you're a moron", "this is the dumbest thing I've ever read" comments.  I couldn't care less about that, I'm used to it.

What really bothered me was that there were some people on /r/networking that actually seemed to understand the concept.  But all of the layers of hyperbole, analogy, simile and metaphor got in the way of their understanding.  The people that I wanted to reach were put off by the very things I was trying to do to make the concept more understandable.

There are people in this world that I don't need to use all of the figures of speech with.  They understand what I'm saying, without having to explain it like it was a different language.

At that point, I realized that I had made a huge mistake.  I realized that my manner of explanation was insulting to everyone.  If someone didn't understand what I was saying, I was insulting them by "talking down to them" with the 'figures of speech' I was using.  If someone did understand what I was saying, I was insulting them by insinuating that they couldn't understand the idea I was trying to relate.

It led to several days of soul searching.  Really.  Am I really where I want to be?  Does the idea of spending the rest of my life talking down to people help me or anyone I'm trying to help?  What would it be like to work somewhere that had people at a level that I didn't have to explain everything using simplified, and in many cases, inaccurate due to simplification, descriptions of everything?

So, first, I want to repeat.

I apologize to anyone that understands the concepts that I'm trying to convey without all of my 'figures of speech'.  I really don't mean to insult anyone.

Second.

Within this blog, I'm going to try to write (bad habits are hard to break, forgive me if I slip) as though everyone reading this blog can understand what I'm saying without covering it up with 'figures of speech'.

That's it.  Have a great day.

Wednesday, January 2, 2013

20130102 IPv6: RIP Layer 2



This has been another long-standing topic for me.  IPv6.  Everyone needs to learn it, and implement it, as fast as possible.  But, not for ANY of the reasons that you have heard up to this point.

Yes, yes....  IPv4 is running out of addresses....  Except, like petroleum, they seem to keep finding more of them all the time.  But, there is a point where squeezing more v4 addresses out of that 32 bit shale won't make any sense.  But, so far, they've been able to frak their way to more addresses to keep the IPv4 Internet happy and moving at meme speeds.

When it comes to IPv6 conversations, on why you'd want to go to v6, it basically goes like this.

  • OMG We're going to run out of addresses!!!  (Yes, and peak oil was in 1995!!!)
  • IPv6 is better thought out than v4.
  • IPv6 has a streamlined (although larger) header.
  • Removes some of the processing routers have to do with IPv4.  (Fragmented packets, etc)
  • IPv6 is compatible with v4 at a sockets layer.
  • DHCP is dead.  Long live DHCP.
  • IPv6 builds into the protocol some things which are optional in v4.  (Multicast, IPSec, etc)
  • And... everybody's doing it...   You -know- you want to do it....  (Slap the sales guy when he does this.  I mean it, smack him.)

And, that's about as far as it gets.  I hate to say this, but most of that stuff is so incredibly technical, only the most hard core of network engineers can stay awake while talking about it (and, if it actually gets you excited, welcome to the club).  Honestly, if you want to make normal people go to sleep, start talking about IPv6 in depth.  Sends them right to that "I'm pretending to care about something meaningful but really only care about happy cute kitty pictures that I see on reddit.com" droopy eyelid flutter.  You know, the dozing off to sleep look that people get while listening to a college professor drone on about the inner workings of the financial system as it applies to banking balance sheets, or chemical chains related to cholesterol conversion by the mitochondria.  Unfortunately, people always end up doing that little head shake and snap back to attention and try to pretend they were paying attention.  I kinda wish they would quit wasting our time and just fall right to sleep sitting there.  Sleep is good, and maybe, after they've napped awhile, they'd wake up and be a bit more interested in the things that keep them alive and make humanity's existence on this dirtball better for everyone.  One can only dream...

Whoops...  Back on course Rob...  Anyways, where was I?  Oh Yeah...

So, those bullet-points are bull.  Well, mostly bull, simply because  #1  The address prophets have been wrong up to this point, and will probably continue to be wrong into the near future.  #2  The rest of the stuff doesn't fix anything broken, it just improves some stuff in IPv4 that's "less than optimal".

So, any of the droopy-eyes that actually stayed awake long enough to get half of an understanding of why to do an IPv4 to IPv6 conversion are thinking at this point that the Network Engineer is  #1  Wrong (because doom and gloom IPv4 addresses haven't run out).  #2  Doesn't have a life (and should get a hobby like normal people instead of worrying about when DHCP leases are going to run out).

And, if the droopy-eyes do a little research, they find out that IPv6 has some (GASP!) very scary drawbacks.
  • Complete retraining for ALL IT people, not just the network engineers.
  • Application compatibility questions (You mean you're NOT supposed to hard code IPv4 addresses into your applications?)
  • Vendors milk the $#!+ out of this conversion.   Secret vendor code for an organization doing an IPv4 to IPv6 conversion:  CHA-CHING!!!
  • The consultants say that you're doing it wrong.  (Doesn't matter how you are doing it, you're doing it wrong)
  • Not a simple conversion that you can do in a weekend for an organization with a non-trivial network.  ("Don't worry Billy-Bob, we'll be done by Saturday night.  Wouldn't want to cut into beer-thirty.")
  • And.... after you're done, IPv4 will still be alive and well in your network.

Once droopy-eyes figures all of this out, the first thing he'll do is make a "Can't believe a word they say" mental sign for the network person involved, and that will be the end of the conversation.

Obviously, I believe, us engineering types are having the wrong conversation, and with the wrong reasons.

Complimentary TLDR header...  You're welcome.


Here's what most network people miss (it's not obvious, don't feel bad).

IPv6 allows for much greater flexibility in subnetting.

Yep, that's it.  And, that's HUGE!  As in OMGWTFWIT HUGE!

First of all, let's remember back a few years...  Back before everyone was running Ethernet.  Back before Layer 3 switches.  Back before Layer 2 switches.  Way back in time, before a company called Kalpana killed off every networking technology other than Ethernet (RIP Token Ring).

Way back in time, before the mid-90's, everything was Layer 1.  Yes, for those of you that aren't network people, we talk about Layers in networking, it's a code word, kinda like a secret handshake.  Back in the bad old days of Layer 1, networks of any real size were a pain to keep running.  Along comes the concept of the "Ethernet Switch", and networking has never looked back.  Switches broke up the large single Layer 1 networks into much smaller Layer 1 segments, connected into a single large Layer 2 broadcast domain.

Thank you Kalpana, for destroying the scourge of networking, the fire breathing dragon of Layer 1, and making Ethernet so wildly overpowered that every other networking standard is practically dead.

Now, I'm going to point out what should be obvious.  

IPv6 plus Layer 3 switches means the same thing for Layer 2.  Death to Layer 2.

What???  Heresy I say!  Heresy!   I shall put carrot sticks in my ears until you stop with this utter sense!  I live by the abuse I receive from Layer 2!  I shall not turn from the scourging that I receive from spanning tree freaking the hell out every time someone plugs a DLink switch into the network twice in a sales conference room!  Begone with your words of common sense you blogger you!

Wait for a second before you call me a nut.  Layer 2 is not good, it's just been a (un)necessary evil due to limitations in how networking technology has worked since Bob Metcalfe made commodity networking technology available to everyone (and every organization).  If we think of breaking up our Layer 2 networks the same way we broke up our Layer 1 networks twenty years ago, all of a sudden, life becomes much easier.  It becomes much better, in nearly every way.

  • Reliability
  • Performance
  • Fault tolerance
  • Simplicity
  • Security

Before I address any of these, I just want to say this.  I've heard of organizations that have the stereotypical "One Single Huge Flat %@#$%#! Network".  You know, the University campus with 70 thousand students all hooked up to 10.0.0.0/8.  The networks where one PC sending out a stream of broadcast packets can shut the entire city down.  The networks where, when you call up the company looking for a quote, the person taking the phone call says "our network is down right now, can I call you back with that price?"

Big flat Layer 2 networks are the bane of IT, which means they should be the bane of humanity.  If you've grown up living on a Single Huge Flat Network, I'm here to say this...   THAT'S NOT NORMAL!  Just because you grew up watching your parents beat each other does not mean that you should go out and get a spouse and beat them just so that you can be like your parents.   BIG LAYER 2 IS BAD (NO SPOUSE BEATING)!  Same way as big Layer 1 was bad (ok, big Layer 1 is worse than big Layer 2, but networks were smaller back then).

Let's say that you take every layer 3 switch that you have and stop using it as a "switch".  "no switchport" every interface, and use them as 48 port routers instead.  This idea would be pure crazy in IPv4-world.  In IPv6-world, actually, it makes sense.  If we do something other than EUI-64 (which is a bad (ethically terrible?) standard, no other way to say it; the MAC address to IP address spec is badly implemented, and moot the moment that RFC 4941 became standard), say a /96 instead of a /64, and put that on each interface of all of our Layer 3 switches, each switch port becomes its own Layer 3 network.  Each network could handle a subset of 32 bits (something less than 4 billion) addresses.  But, if we assign a /64 to a site, as recommended, that would give us 2^32 Layer 3 ports, each with roughly 2^32 total available addresses on each port.

If your site is using nothing but Layer 3 switches, that means every cable in the site is its own Layer 3 network.  Hundreds, thousands, millions(?), of Layer 3 networks, all working together on the same network.

No Spanning Tree.  Bye bye STP, we don't need you anymore.  Plug two cables into the same DLink switch?  No problem, now all of the PCs on that DLink see two networks instead of STP (hopefully) getting engaged, BPDU guard shutting them down, or the network going down because it's one of those neat little switches that block STP.

No PCs freaking out and taking down huge sections of the network with broadcast storms.  Broadcasts are only between the PC and the switch.  IGMP and CGMP are gone, as they should be.  Multicast is tightly controlled by default, no extra work needed.

No "Default Gateway".  Network traffic is localized and can be routed via multiple ingress and egress points.  Bye bye default gateway as we knew you.  We can now have multiple "gateways" functioning concurrently and in parallel into any network environment.  It's trivial almost.

Routing protocols handle all uplink traffic.  Want to hook a closet switch up to multiple backup paths?  No problem.  Rerouting traffic between and through closets becomes as fast and easy as the routing protocol you use.  If you keep it organized and have each switch assigned its own /80, then it can send out that single summarized /80 instead of each of the individual interface /96 networks.  On a single /64 campus, that means you can have 65536 different switches, each with a potential 65536 Layer 3 ports.  (Quick Cisco note, EIGRP makes this easy IMO)
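The /64 per site, /80 per switch, /96 per port plan described above can be checked with Python's ipaddress module. This is an added example, not the author's config or tooling; it assumes the site /64 is the one behind the interface config earlier on this page (FDAA:AAAA:AAAA:AA00::/64) and that switch and port numbers are packed into the plan's bit fields in order (bits 64-79 for the switch, bits 80-95 for the port). Under that assumption the config's GigabitEthernet1/0/19 address falls into switch 0, port 19, and the block verifies that all 65536 port /96s of a switch summarize to exactly its /80.

```python
import ipaddress

# Added example, not from the post. Bit layout follows the plan in the text:
# site /64, switch /80, port /96; the host part is the remaining 32 bits.
SITE_BITS, SWITCH_BITS, PORT_BITS = 64, 80, 96
SITE = ipaddress.IPv6Network("FDAA:AAAA:AAAA:AA00::/64")  # assumed site /64 behind the interface config


def switch_prefix(site: ipaddress.IPv6Network, switch_index: int) -> ipaddress.IPv6Network:
    """The /80 carved out of the site /64 for switch number switch_index (0 .. 65535)."""
    if site.prefixlen != SITE_BITS:
        raise ValueError("site prefix must be a /64")
    if not 0 <= switch_index < 2 ** (SWITCH_BITS - SITE_BITS):
        raise ValueError("switch index out of range")
    base = int(site.network_address) | (switch_index << (128 - SWITCH_BITS))
    return ipaddress.IPv6Network((base, SWITCH_BITS))


def port_prefix(site: ipaddress.IPv6Network, switch_index: int, port_index: int) -> ipaddress.IPv6Network:
    """The /96 for port number port_index (0 .. 65535) on that switch."""
    if not 0 <= port_index < 2 ** (PORT_BITS - SWITCH_BITS):
        raise ValueError("port index out of range")
    sw = switch_prefix(site, switch_index)
    base = int(sw.network_address) | (port_index << (128 - PORT_BITS))
    return ipaddress.IPv6Network((base, PORT_BITS))


def locate(site: ipaddress.IPv6Network, address: str) -> tuple:
    """Inverse lookup: which (switch, port) a host address belongs to under this plan."""
    addr = ipaddress.IPv6Address(address)
    if addr not in site:
        raise ValueError("address is not inside this site's /64")
    n = int(addr)
    return (n >> (128 - SWITCH_BITS)) & 0xFFFF, (n >> (128 - PORT_BITS)) & 0xFFFF


def summary_route(site: ipaddress.IPv6Network, switch_index: int) -> str:
    """The single route a switch advertises upstream: all of its port /96s collapse to its /80."""
    sw = switch_prefix(site, switch_index)
    ports = (ipaddress.IPv6Network((int(sw.network_address) | (p << (128 - PORT_BITS)), PORT_BITS))
             for p in range(2 ** (PORT_BITS - SWITCH_BITS)))
    collapsed = list(ipaddress.collapse_addresses(ports))
    if collapsed != [sw]:
        raise AssertionError("port prefixes did not summarize to the switch /80")
    return str(sw)


def capacity(site: ipaddress.IPv6Network) -> dict:
    """The counts the text quotes: 2^16 switches, 2^16 ports each, 2^32 addresses per port."""
    return {
        "switches_per_site": 2 ** (SWITCH_BITS - SITE_BITS),
        "ports_per_switch": 2 ** (PORT_BITS - SWITCH_BITS),
        "addresses_per_port": 2 ** (128 - PORT_BITS),
    }


if __name__ == "__main__":
    print(port_prefix(SITE, 0, 19))                           # fdaa:aaaa:aaaa:aa00:0:13::/96
    print(locate(SITE, "FDAA:AAAA:AAAA:AA00:0:13:7F77:1"))   # (0, 19): the config's Gi1/0/19
    print(summary_route(SITE, 0))                             # fdaa:aaaa:aaaa:aa00::/80
    print(capacity(SITE))
```

The summarization check is the part worth keeping around: if someone hand-assigns a port /96 outside its switch's /80, the switch can no longer advertise one route, and the routing table upstream grows by one entry per misnumbered port.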

The concept of a VLAN is gone, forever.  Yes, gone, good bye, don't let the door hit your trunking protocol on the way out.  Stop your internal dialog, VLANs are a bad kludge, and that's all they ever were.  Good riddance to bad rubbish.  VTP is the Devil.  (Now, I'm saying it this way for effect, simply because VLANs are a kludge, and kludges should be the very rare exception, not the rule.  With IPv6 and Layer 3 switches, you don't need to kludge anymore, kludging is not normal, stop beating your spouse.)

Setting up a "no switchport" Layer 3 IPv6 network is much easier than Layer 2.  You'll just have to trust me on this one.  I'll take a post or two and demonstrate this.  Compared to Layer 2, IPv6 L3 is simplicity itself.

But, the three most important reasons for IPv6 and only Layer 3 switching to the port.  Security, Security, Security.  This should take all of 30 seconds to realize, and I guarantee 99% of network engineers haven't thought of it.  And, it is because of the UNBELIEVABLE BENEFITS TO SECURITY, that we'll get to implement IPv6 as a way to eliminate Layer 2.

I'll leave it here.  Obviously there are a bunch of concepts here, and if I could have written a small book on Weialgo, advocating for the elimination of Layer 2 at a switchport level the same way we eliminated Layer 1 would end up being a very large book.  By no means did I cover every reason to do this in this post, but, hopefully it gets you thinking in that direction.

My next post will be an example of one of the configs that I'm using for this.

Let me know what you think.

Rob