I hate to be this dismissive, but it feels like an academic with a paternalistic streak looked deeply at how the Internet works, saw lots of different protocols and weird design decisions, and decided: this is not coherent enough. Then he figured, I'll make all the decisions now, that way it'll be coherent. And let's give every subnet a centralised source of trust and management. That'll make the design so much cleaner!
By which I mean to insinuate there's a lot of nuance and learned lessons in the current situation that this design seems not to learn from. Even though it did learn some lessons, I don't think this passes 'Chestertons fence'
nah. this is palantir operating through a bermuda holding company trying to shoe-horn oauth into every single packet to force every single click ever to be authenticated against a persona. the goal is 1984.
One of the main (vocal) issues people seem to have with IPv6 is that the addresses are hard to remember. But having eight different three digit numbers (r.r.r.r.n.n.n.n) does not seem any easier unfortunately.
But more seriously, it gives me a pause when we try to bake more complex, application-centric logic into foundational protocols. The list of assigned IPv4 and TCP option numbers is a graveyard of tech experiments, but at least we had the sense to separate them from the main protocol. Baking JSON web tokens and OAuth into IP seems kinda crazy from that point of view. Is this what we want to commit to for the next 40 years?
I kinda wish that IPv6 just used this ("IPv8") addressing scheme and left everything else the same, though. I think the expectation that IPv6 should entail an architectural rethink for existing networks really slowed us down. Fun fact: at this point, IPv6 is 30 years old, we're still under 50%, and growth is visibly tapering off.
This document is an Internet-Draft (I-D). Anyone may submit an I-D to the IETF. This I-D is not endorsed by the IETF and has no formal standing in the IETF standards process.
Why not discuss the I-D itself. Many drafts are garbage but simply being a draft does not by itself tell us about its likelihood of becoming an RFC or standard
> East-west security -- traffic between devices within a network -- is enforced by ACL8 zone isolation. Devices communicate only with their designated service gateway. The service gateway communicates only with the designated cloud service. Lateral movement between devices or zones is architecturally prevented by the absence of any permitted route to any other destination.
I must be missing something or misinterpreting that section because if there is no "lateral movement" how do people in an office print a file, access a network drive, connect to the Exchange server? And those are only the most naive scenarios.
That's a good question and the core over-states it.
The east-west means that natively clients don't arp and icmp from each other they do it from ACL8 on the GW. Your printer registers, you mark it anonymous, anyone can get to it, and when you arp for it, it answers.
But when you have 2,000 clients on a vlan and you want 1999 of them to only reach the internet and not each other, you make one rule at the ACL server.
It means everything goes to the ACL8 server for a decision even on the local network.
IPv8 does not require dual-stack operation. There is no flag day. 8to4 tunnelling enables IPv8 islands separated by IPv4- only transit networks to communicate immediately.
How is this different from IPv6? We've had 6to4 for ages, the problem is the other direction: how does a IPv4 host initiate a connection to a IPv8 host?
Existing IPv4 applications use the standard BSD socket API with AF_INET and sockaddr_in. The IPv8 compatibility layer intercepts socket calls transparently -- the application has zero IPv8 awareness.
Except many IPv4 applications use the addresses of the source or that they bind to in some form. If it's secretly an IPv8 behind their back that'll break.
Your local router sees the dns request, does some lookup, sees that its in a different ipv8 network, creates some tunnel to it. Seems like only the end client isn't aware of ipv8.
This is not a serious proposal and we should not treat it as such. And I apologise in advance for the length of this comment.
"IPv4 is a proper subset of IPv8. No existing device, application, or network requires modification. 100% backward compatible."
This cannot be true. Section 5.1 states that IPv8 uses version number 8 in the IP header Version field and the header is 8 octets longer than IPv4's. Any existing IPv4 router, switch ASIC, NIC, host stack, or firewall that sees a Version=8 packet will fail to parse it (most will drop it). Backward compatibility is logically impossible when the wire format is different.
The spec simultaneously demands sweeping new machinery everywhere: new socket API (AF_INET8), new DNS record type (A8), new ARP (ARP8), new ICMP (ICMPv8), new BGP/OSPF/IS-IS, mandatory certified NIC firmware with hardware rate limits, mandatory Zone Servers, mandatory OAuth2 on switch ports, mandatory persistent TCP/443 to the Zone Server from every end device, and a new IANA version-number assignment. "No modification required" is contradicted on nearly every page.
IP version 8 is already historically assigned (it was PIP, later folded into the IPv6 effort). The draft's IANA request ignores this.
The ASN model conflates identity with location. ASNs are organizational identifiers assigned by RIRs, turning them into the 32-bit routing prefix means an organization cannot change providers, multihome with provider-assigned space, or use PI space the way networks do today. Every organization that wants public IPv8 connectivity must now hold an ASN - roughly a 1000x increase in ASN allocation.
The /16 minimum injectable prefix rule eliminates essentially all of today's BGP traffic engineering and most multihoming patterns.
Cross-AS Cost Factor (CF) requires every AS on Earth to trust the metrics injected by every other AS, including a "economic policy" component. BGP is policy-based precisely because ASes do not trust each other's metrics, this has been understood since the 1990s.
The Zone Server kitchen sink (DNS + DHCP + NTP + OAuth + telemetry + ACL + NAT + WHOIS validation + PVRST root) concentrates a dozen unrelated functions into one box on one hardcoded address (.253/.254). This is an operational and security anti-pattern.
PVRST is mandated. PVRST is a Cisco-proprietary spanning tree variant, mandating a vendor-specific protocol in a Standards-Track draft is a non-starter for IETF.
The companion drafts (WHOIS8, NetLog8, Update8, WiFi8, Zone Server, RINE, routing protocols) are all by the same author, none have working-group review, and the core draft depends on all of them to function.
Reading parts of it seems only the end client would be unaware of ipv8, everything else is, and your local router uses a tunnel to the correct target by snooping on dns and using some new lookup. End clients are hardly the issue with ipv6.
I understand that you don't understand yet, as there is 8 more documents. To clarify it all. First of all at ARP8 it sends ARP8 and 50ms later it sends ARP4 and if the client marks it. An IPv8 only ever sends IPv4 packets to an IPv4 client.
The goal is to clean up the disparate services and get them under control. The spec doesn't demand sweeping new architecture, a company could exist on IPv4 using bootp until 2100, it allows for it.
OAUTH replaces RADIUS and that should of been clearer.
NetLog replaceslog.
CF is hard calculated like EIRGP but you can put cost factor on it like OSPF. If you can think of a better way, let me know.
PVRST I am thinking about that, the issue is the root. MST doesn't work, PVST is too slow. I am hoping to trade with CISCO and they make it open. Most vendors make it in compatible mode now. Arista, Juniper, HPE/Aruba, Extreme Networks, Dell, Huawei.
The Core Draft, only has existed for 4 days. There is a tremendous amount of support for it.
OAUTH and JWT are used for Card to Zone Services, so OAUTH replaces RADIUS.
The addresses of the Zone Server are not hard coded it is the highest and the second highest in the network as it should be.
All of the configs, for users, servers, network cards, updates are now standard protocols, built around OAUTH2.
The problem I'm working to solve is not address exaustion, its improved manageability.
In many regards IPv6 was a change that went too far and didn't go far enough all at the same time, although slowly but surely it is being adopted. Something like this had a better chance at adoption precisely for how little it changed things. The most radical part is the merging of all services into one central blob and I think that is going to be the part most people take exception too especially oauth. It doesn't solve fundamental issues like roaming with mobile devices, something that now is really important to get rid of a lot of complexity that has built up.
> Every manageable element in an IPv8 network is authorised via OAuth2 JWT tokens served from a local cache. Every service a device requires is delivered in a single DHCP8 lease response.
> IPv8 also resolves IPv4 address exhaustion. Each Autonomous System Number (ASN) holder receives 4,294,967,296 host addresses. The global routing table is structurally bounded at one entry per ASN
Yes, let's conflate routing and addressing while throwing out decades of IPv6 implementation and design. (/sarcasm)
45 comments
[ 3.5 ms ] story [ 71.5 ms ] threadBy which I mean to insinuate there's a lot of nuance and learned lessons in the current situation that this design seems not to learn from. Even though it did learn some lessons, I don't think this passes 'Chestertons fence'
But more seriously, it gives me a pause when we try to bake more complex, application-centric logic into foundational protocols. The list of assigned IPv4 and TCP option numbers is a graveyard of tech experiments, but at least we had the sense to separate them from the main protocol. Baking JSON web tokens and OAuth into IP seems kinda crazy from that point of view. Is this what we want to commit to for the next 40 years?
I kinda wish that IPv6 just used this ("IPv8") addressing scheme and left everything else the same, though. I think the expectation that IPv6 should entail an architectural rethink for existing networks really slowed us down. Fun fact: at this point, IPv6 is 30 years old, we're still under 50%, and growth is visibly tapering off.
The whole thing isn't a joke because of this. Technically, it's IPv4++ and that about it.
> Every manageable element in an IPv8 network is authorised via OAuth2 JWT tokens
What ?!
I'm not sure it's the path I want to follow.
https://datatracker.ietf.org/doc/draft-thain-ipv8/
"A well-formed RFC starts with a well-formed Internet-Draft."
https://www.rfc-editor.org/pubprocess/
For example, here is the Internet Draft for IPv6 which eventually became RFC 2460
https://www.ietf.org/archive/id/draft-ietf-ipngwg-ipv6-spec-...
Why not discuss the I-D itself. Many drafts are garbage but simply being a draft does not by itself tell us about its likelihood of becoming an RFC or standard
I must be missing something or misinterpreting that section because if there is no "lateral movement" how do people in an office print a file, access a network drive, connect to the Exchange server? And those are only the most naive scenarios.
The east-west means that natively clients don't arp and icmp from each other they do it from ACL8 on the GW. Your printer registers, you mark it anonymous, anyone can get to it, and when you arp for it, it answers.
But when you have 2,000 clients on a vlan and you want 1999 of them to only reach the internet and not each other, you make one rule at the ACL server.
It means everything goes to the ACL8 server for a decision even on the local network.
How is this different from IPv6? We've had 6to4 for ages, the problem is the other direction: how does a IPv4 host initiate a connection to a IPv8 host?
Existing IPv4 applications use the standard BSD socket API with AF_INET and sockaddr_in. The IPv8 compatibility layer intercepts socket calls transparently -- the application has zero IPv8 awareness.
Except many IPv4 applications use the addresses of the source or that they bind to in some form. If it's secretly an IPv8 behind their back that'll break.
"IPv4 is a proper subset of IPv8. No existing device, application, or network requires modification. 100% backward compatible."
This cannot be true. Section 5.1 states that IPv8 uses version number 8 in the IP header Version field and the header is 8 octets longer than IPv4's. Any existing IPv4 router, switch ASIC, NIC, host stack, or firewall that sees a Version=8 packet will fail to parse it (most will drop it). Backward compatibility is logically impossible when the wire format is different.
The spec simultaneously demands sweeping new machinery everywhere: new socket API (AF_INET8), new DNS record type (A8), new ARP (ARP8), new ICMP (ICMPv8), new BGP/OSPF/IS-IS, mandatory certified NIC firmware with hardware rate limits, mandatory Zone Servers, mandatory OAuth2 on switch ports, mandatory persistent TCP/443 to the Zone Server from every end device, and a new IANA version-number assignment. "No modification required" is contradicted on nearly every page.
IP version 8 is already historically assigned (it was PIP, later folded into the IPv6 effort). The draft's IANA request ignores this.
The ASN model conflates identity with location. ASNs are organizational identifiers assigned by RIRs, turning them into the 32-bit routing prefix means an organization cannot change providers, multihome with provider-assigned space, or use PI space the way networks do today. Every organization that wants public IPv8 connectivity must now hold an ASN - roughly a 1000x increase in ASN allocation.
The /16 minimum injectable prefix rule eliminates essentially all of today's BGP traffic engineering and most multihoming patterns.
Cross-AS Cost Factor (CF) requires every AS on Earth to trust the metrics injected by every other AS, including a "economic policy" component. BGP is policy-based precisely because ASes do not trust each other's metrics, this has been understood since the 1990s.
The Zone Server kitchen sink (DNS + DHCP + NTP + OAuth + telemetry + ACL + NAT + WHOIS validation + PVRST root) concentrates a dozen unrelated functions into one box on one hardcoded address (.253/.254). This is an operational and security anti-pattern.
PVRST is mandated. PVRST is a Cisco-proprietary spanning tree variant, mandating a vendor-specific protocol in a Standards-Track draft is a non-starter for IETF.
The companion drafts (WHOIS8, NetLog8, Update8, WiFi8, Zone Server, RINE, routing protocols) are all by the same author, none have working-group review, and the core draft depends on all of them to function.
The goal is to clean up the disparate services and get them under control. The spec doesn't demand sweeping new architecture, a company could exist on IPv4 using bootp until 2100, it allows for it.
OAUTH replaces RADIUS and that should of been clearer.
NetLog replaceslog.
CF is hard calculated like EIRGP but you can put cost factor on it like OSPF. If you can think of a better way, let me know.
PVRST I am thinking about that, the issue is the root. MST doesn't work, PVST is too slow. I am hoping to trade with CISCO and they make it open. Most vendors make it in compatible mode now. Arista, Juniper, HPE/Aruba, Extreme Networks, Dell, Huawei.
The Core Draft, only has existed for 4 days. There is a tremendous amount of support for it.
OAUTH and JWT are used for Card to Zone Services, so OAUTH replaces RADIUS.
The addresses of the Zone Server are not hard coded it is the highest and the second highest in the network as it should be.
All of the configs, for users, servers, network cards, updates are now standard protocols, built around OAUTH2.
The problem I'm working to solve is not address exaustion, its improved manageability.
Anyway Scotty out go read version 3.
https://xkcd.com/927/
Isn't it 2 weeks late for April Fools'?
Yes, let's conflate routing and addressing while throwing out decades of IPv6 implementation and design. (/sarcasm)
There's also at least three ipv9s, only one of which was a joke https://en.wikipedia.org/wiki/List_of_IP_version_numbers