nanog mailing list archives

Re: IPv8 / BGP8 / CF


From: Jamie Thain via NANOG <nanog () lists nanog org>
Date: Thu, 30 Apr 2026 20:04:51 -0300

Richard,

Wolfy did write about it but he didn't ask me for any details.

64 Bit headroom -- IPv8 is not headroom, it is about adding an AREA code to
32 bit addressing, it's not 64 bit at all. So to put it in perspective,
rather than enough IP addresses for every atom in the solar system, there is
only enough for every square cm on the planet to have 4 IP addresses.

DNS + WHOIS Validation is meant to increase north-south security. You
cannot get to an IP address that doesn't have WHOIS and DNS in strict
mode. Of course you can turn that off.

VPN survive functions... Zone Server doesn't track who opened what and
when. It doesn't track the DNS lookups; it tracks performance and errors.
However, every corporate FW tracks this.

Rate Limits turn Zone Server into a single point of failure... except
you can have as many zone servers as you need to be reliable. They come in
pairs anyways. It's like losing your DNS server.

Rate Elevation inside a company requires you to sign into the corporate
network; that way guests can't harm you.

No Flag day is true: you can start with one card and one router somewhere
on the internet and grow from there.

Wolfy thinks that policy egress isn't already being managed in firewalls.

OAuth2 is being used as an authorization and configuration policy replacing
clear-text RADIUS.

The draft doesn't violate RFC 7258, as already your work is monitoring you.
And at home you're in control of your own Zone Server; Zone Server doesn't
log packets, just errors.

*The draft assumes unlimited data storage and doesn't care.*
No it doesn't. We only report errors and performance every five minutes, and
accounting where required (the third A of a RADIUS server). A 1000 person
company would be less than 100G per month: 2 years on a single drive.

It doesn't log DNS or flow; that's all a different device called a SIEM, a
FW, or NetFlow, none of which NetLog does.

*Mandatory identity binding eliminates hardware anonymity by default.* OAuth2
JWT binds to the device at the NIC level before any user interaction.

This is true, it is built for corporate. The network card is usually
following a person around; it's built so you can roam from network to
network.

*The anonymity eliminated is at the layer hardest to restore.*
Me thinks wolfy has never looked at a FortiGate log. It correlates MAC
address, last IP, every flow, the last logged in, logged in to what
networks, all in a handy dandy report manager.

*Device-to-traffic attribution becomes a database query, not an
investigation.*
Me thinks wolfy has never reviewed online firewall logging.

*NIC firmware rate limits make the network unusable without Zone Server
permission.*

This is the broadcast rate, so unauthenticated users can't DDoS.

*This architecture is fail-closed, and that can kill people.*

Each network segment can be DNS-only and have no other restrictions, and you
need DNS to get from IPv4 to IPv8; there is no other way in the ecosystem.

*IPv8 is fundamentally incompatible with real-time operating systems.*

IPv8 is 100% IPv4 compatible at the segment level; use IPv4 if you don't
want the overhead of IPv8.

*All of the stuff about blocking*
It's like wolfy has never admined a modern day firewall; you can do all
that stuff already.

Enough said.

On Thu, Apr 30, 2026 at 5:18 PM Rich Kulawiec via NANOG <nanog () lists nanog org> wrote:


When this was floated on various IETF mailing lists, someone took
the time to write:

        We Need to Talk About the IPv8 Draft - wolfy
        https://substack.com/home/post/p-194315405

---rsk
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QD6JBVIIPOPHYMAWXTES2AV2DZSK2TAL/

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/TUSOARZ2MCFXGAR4JMPWHKVQIK4QWQQ4/