Domain: he.net
Stories and comments across the archive that link to he.net.
Comments · 160
-
Re:oh yes I DID!
So you don't black hole those IPs and hosts at the router/firewall level?
How will you ever know if you got them all? Malware authors have evolved techniques like rotating their C&C to different IPs based upon the current UTC time. Microsoft has 20+ million IPs to pick from, and those are just the ones with their name on them. You can't block them all without taking out all of Azure, which hosts lots of legit non-MS services.
-
Re:One last try
Really, this is voted as +5 Informative here on *Slashdot*?! Comcast are not going to be laying OC3 lines all over the place. OC3 costs so much because it is strung directly to your office building or wherever. When you are talking about the cost of bandwidth to Comcast, it is the cost of IP transit. Right now you can get a 1Gbps (with a full cabinet for your equipment) for $400/month: https://he.net/special.pdf (I have nothing to do with them other than that I used to be a happy customer for a long while). If you need just IP transit (no cabinet), it goes down to $0.32/Mbps per month. To transfer 1 Tb of data per month (i.e. their current cap), you need about 4 Mbps of bandwidth. So the data cost to Comcast is roughly $1.28 for each 1Tb. So please, let's stop with the bullshit indeed.
-
46.30.40.0/21
Curiously enough, I am just running an analysis of several thousand domains hosted by Eurobyte. My preliminary data on about 7500 domains currently or historically hosted by this block is that 35% of them are tagged by Google as being malicious in some way. I'm guessing that most of the others are also malicious, but they haven't been tagged.
Eurobyte operate a fairly big block rented from Webazilla, which is 46.30.40.0/21, and I recommend that you block traffic to that entire lot. But a lot of Webazilla's other customers are pretty shitty too. I don't think you miss much if you blocked traffic to the entire AS35415.
-
Re:I'm ready....My ISP isn't.
My previous ISP (also in Europe) has been promising IPv6 for the last 5 years, but delayed IPv6 rollout year after year. Since UPC has recently been bought by Ziggo, IPv6 is not to be expected for the next 5 years as well. My current ISP (again, in Europe) is the only ISP that can give me more than 2MBit at my location, and I believe they haven't even heard of IPv6 yet.
Luckily, I got myself a free IPv6 tunnel.
-
TLDs
I'm not sure where you got your numbers from, there are only 919 root-delegated Top Level Domains. There are a few hundred more pending new gTLD applications with ICANN so the total for the next few years won't exceed 1200. (There are plans for a second round of new gTLD applications. The first round cost each applicant $185,000 USD.)
Definitions:
TLD = Top Level Domain
gTLD = Generic Top Level Domain (.com, .net, .org, .info, .biz)
new gTLD = New Generic Top Level Domain recently allowed by ICANN (.club, .bike, .software, .guru, .ninja, .computer, .sucks, .wtf, .porn, .xn--io0a7i, .google, .canon etc etc)
sTLD = Sponsored Top Level Domain aka "restricted TLD" (.aero, .pro, .tel, .museum, .travel, .edu, .coop etc)
ccTLD = Country Code Top Level Domain (.uk, .me, .io, etc)
Extension = a sub-domain you can register under (.co.uk, .de.com, 0.bg, .com.au etc)
Sponsored TLDs are restricted. For instance, you need a "UIN" delegated by the "Travel Industry" for a .travel domain, only legit museums can get a .museum domain, and only licensed professionals can get a .pro domain, which is why you don't see many of them (and never get spam from them either).
All legacy gTLDs are unrestricted. For awhile, .info domains were sold super cheap ( $5) so scammers bought them up.
Most new gTLDs are unrestricted, while some are restricted like .berlin and .nyc (need to be local to the city) and .bank (need to be a real financial institution and get audited every 2 years and sign your domain with DNSSEC, etc).
ccTLDs can do whatever they want and are not governed by ICANN.
For now, you can "blacklist" new gTLDs without much consequence, because people and businesses are only starting to use them. Keep in mind scammers/spammers/annoying-people register CHEAP domains, so you might want to blacklist .xyz (cheap) but not .bank (expensive). But in the future, legitimate activities under new gTLDs will occur so you might want to allow them over time.
But really, why block at the TLD level and not based on content and RFC compliance?
-
Re:Certifications for IPv6?
Hurricane Electric/TunnelBroker.net IPv6 certification. If you need a hand with any of that, ][CyberPillar][ IPv6 Tutorial is available, or the video tutorials at HE.Net/TunnelBroker Presentations and/or HE.Net/TunnelBroker Cert FAQ.
So, there's your answer. A free IPv6 cert.
Oh, did you want a popular IPv6-centric cert that the business world is clamoring for? Ooh... that's not going to be so easy to find.
The problem is, nobody seems to care about IPv6 enough to want to pay much for it. Even now that operating systems are supporting IPv6 more, IPv6 seems to be in a bit of flux; DHCPv6 has been getting to be used for default gateway info, which was previously expected to be handled by router advertisements and not DHCPv6. The whole idea of breaking up the first bits into pieces for the ISP and so forth has been thrown out, just like IPv4 classes got thrown out when classless inter-domain routing (CIDR) took over. Nuances are still seeming more likely to be subject to change than what they are likely to be bringing additional income to a company, so there's little interest in investing in that quite yet, still.
And, in the end, IPv6 is likely to be a rather minor issue at most, because end users shouldn't ever have to do anything with IPv6. For that matter, end users really shouldn't have to use IPv4 addresses either; they should just be relying on DNS. So what you're saying you want to focus on is getting packets from one location to another using IPv6, rather than using IPv4. That's kind of like saying you want to focus on Wi-Fi instead of Ethernet. The thing is, when it works properly, end users shouldn't notice any difference in their browser.
Cisco and Microsoft and others (presumably CompTIA will soon, if they haven't already) are starting to actually require more IPv6 knowledge in their general networking certs, so soon enough there will be plenty of people who have learned the most basic of IPv6 topics.
More advanced topics will often involve networking theories, higher layers of the OSI Model, or other factors that are not really specific to IPv6 (nor are they specific to only IPv4). You'll probably need to broaden your scope to be very marketable as a networking expert.
But, in the mean time, go ahead and get that free IPv6 cert. It's an interesting one: take it at home, free. But unlike all those certs that people pay for, so that those people can prove how much head knowledge they memorized, getting this cert involves creating working services. HE.Net/TunnelBroker.net will have their automated systems interact with your servers to make sure that your stuff actually works.
-
Re:Private Links != Paid Priority
If I were TW, I'd refuse too. Why do I have to allocate space in my datacenters for free for someone who is not a customer of mine?
I'm assuming Netflix doesn't buy transit from TW based on this: http://bgp.he.net/AS2906
Now that Level 3 owns TW, this might change.
-
Re:Why rely on peering?
They have (had?) more than one provider. They have their own ASN - AS2906. It's readily apparent they suck at traffic engineering. (or they let it happen to try to push Open Connect.)
-
Re:Big Data
Technically, it's just where you're buying the connection. Netflix are already at a shitload of peerings.
AS2096 - 170 peers - http://bgp.he.net/AS2906
AS40027 - dead since Feb 23, 2012 - http://bgp.he.net/AS40027
AS55095 - 2 BGP peers - http://bgp.he.net/AS55095
So now I'm even more confused as to WTF they're bitching about.
-
Re:And how does IPv6 solve this issue?
Yes IPv6 still uses BGP, but in a way that favors greatly reduced fragmentation.
Take a look at BellSouth's list of announced prefixes for a pretty egregious example of this - Notice anything "funny" about it? They could reduce that list of almost 3000 down to under a hundred.
-
Re:seems functional
Huh, hosted in France. See how long this lasts...
-
Re:It's not arrogant, it's correct.
No. That is the BGP peers of Netflix, tell me where in that list is AT&T (AS7018) or Verizon (AS701)? There are very few US ISPs on that list, most are research networks like National Lambda Rail.
The US ISPs on that list (excluding transit providers like Layer3 and Cogent):
* NTT America
* QWest
* Hurricane Electric
* Teljet (Firstlight)
* TDS Telecom
* RCN
* Carolina Internet Ltd.
* LiveAir Networks
* City of Thomasville Utilities
There are quite a few Cloud providers I didn't list, I assume because people outside the US use US cloud VPNs to access Netflix, and Netflix wants their experience to be good without officially acknowledging that people outside the US are accessing Netflix. Interesting the vast majority of research networks peer with Netflix.
Perhaps it's possible more ISPs provide direct peering without any BGP visibility (static routes, OSPF filtering, or CDNs on the ISP's IP addresses), but if you look at the BGP peers for Verizon and AT&T, you will see Google, Facebook, Akamai, and other CDNs listed as peers, so it seems more likely that Netflix is simply not peering to AT&T or Verizon.
-
Re:Better encourage rather than confront
Canadian Netflix is pretty crappy compared to the American version and we don't have much else. It's not like the content companies want to sell their products here, at least in an easy to purchase downloadable format
Pro tip:
Netflix is fully IPv6 enabled, which is actually great news for Canadian Netflix users. Just set up an IPv6 tunnel to the nearest Hurricane Electric tunnel server farm (if you have a router that supports this, you can enable IPv6 invisibly for your entire home quickly and easily. Apple's routers all support this out of the box, for example), and presto -- you'll have US Netflix.
Note that this only works on IPv6-enabled devices, of course, so your set-top box or smart TV may not benefit. And you have to ensure the browser you're using properly supports Happy Eyeballs so as to ensure it will prefer IPv6 over IPv4 (Safari on Mac OS X since Lion uses an algorithm to prefer whichever connection is fastest in responding, which can cause it to initially load Netflix via IPv6, showing all the US content you can't otherwise see in Canada, only to be blocked when you actually try to view it if OS X switches down to IPv4 for optimization purposes).
As I have IPv6 tunnelling enabled right at the router, there is no software to be installed or anything that needs to be configured anywhere once this is set up, unlike VPN/proxy solutions. It's also fast -- even though the IPv6 is tunnelled, I can't perceive any speed issues when watching content this way.
Enjoy!
Yaz
-
Re:10 years
ARIN only handles North America. Other regions use their own pools of addresses.
Some statistics.
There have been some efforts to reclaim unused but assigned addresses that have given some extra life to the v4 system as well. Most of the savings have been from aggressively deploying NAT wherever possible though.
-
Re: It doesn't cost any more to serve more data
http://bgp.he.net/AS5056 Looks like XO comm is their biggest with around 50% and Cogent and Spring mostly sharing the other 50%, based on blocks routed.
-
IPv6 tunnels
I've been getting up to speed on IPv6 and have a tunnel from he.net (tunnelbroker.net). It seems to pop out somewhere on the other side of the Atlantic, judging from geographically targeted advertising. Several big sites are already IPv6 enabled (Firefox plugin SixOrNot), e.g. Facebook, Google, Youtube.
-
Re:Incapsula
"....this reads like a brochure for Incapsula's services..."
http://bgp.he.net/AS19551#_whois
Well, I imagine most US server farms are hurting pretty bad right now, what with all the NSA luvin' going around over here. Now imagine a company that has all of its servers in the US, Israel and Germany (with a few in Japan)--in light of recent revelations regarding NSA spying--and maybe you'll understand why Incapsula is paying for ads/articles all over the damn place, including /.
They are fucked, and this marketing blitz is a Hail-Mary attempt to save their ass from the fire that Snowden just lit under it. Personally, I love a good BBQ.
-
Re:Sadly...
No they don't - Emtel (AS30999 http://bgp.he.net/AS30999) connects solely to Belgacom.
Mauritius Telecom (AS23889 http://bgp.he.net/AS23889) has far more diversity - connecting to Tata, Telecom Italia, France Telecom, Telekom Malaysia and TTN Vietnam.
Also, Emtel peers at MIXP but MT doesn't.
-
Re:Still not working...
I run the Firefox plugin SixOrNot. Google - a green 6. Youtube and Facebook ditto. Slashdot, a red 4. There are major sites out there running IPv6.
I have a free tunnel from Hurricane Electric. The only issue is that Google thinks I'm in the USA, which can't be a bad thing.
Now that there are no more IPv4 addresses available in Europe, it's in the interests of the established players to suppress IPv6 and lock out disruptive new startups: e.g. ISP's or Co-Lo's.
-
Re:The IP Class diviation was never honest anyway
According to Hurricane Electric Asia (APNIC) has 18M addresses left while Europe (RIPE) has 17M. I will grant you that the US (ARIN) has nearly 100M, but we also have the largest use which explains the big allocation. And yet we're doing something about migrating to IPv6...
Yeap, free them as soon as possible... :) and sell them while they still have value :)
-
Re:Because sixxs is a pain in the ass to get
This is slashdot, everybody already knows to use Hurricane Electric.
-
Re:IPV6 == no security
5) Your MAC address theory only works if you have a node on the local network. The MAC is used for link-local, which is only accessible by other devices on the local-link.
It's also used by the Neighbor Discovery Protocol to create a globally scoped IPv6 address.
Step 1) Flip the 7th bit of the MAC-address. 00:11:22:33:44:55 becomes 02:11:22:33:44:55.
Step 2) Split the result in two and put "FF:FE" between the two parts, i.e. 02:11:22:FF:FE:33:44:55.
Step 3) Prepend IPv6 prefix. So Google could end up with e.g. 2A00:1450:400F:801:0211:22FF:FE33:4455.
Here's a traceroute to that address using HE's Looking Glass. Looks routable to me...
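The three steps in the comment above produce the modified EUI-64 interface identifier that hosts using SLAAC without privacy addresses derive from their MAC. As an added example (not part of the original comment), this Python code builds the address and, from the defender's side, recovers the embedded MAC from addresses seen in a log; the function names and the two 2001:db8:: sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def mac_to_iid(mac: str) -> bytes:
    """Steps 1 and 2: flip the universal/local bit, insert FF:FE in the middle."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # 0x02 is the "7th bit" (counting from the most significant) of octet 0.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Step 3: prepend the /64 prefix to the 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return net.network_address + int.from_bytes(mac_to_iid(mac), "big")


def embedded_mac(address: str) -> Optional[str]:
    """Reverse the steps: return the MAC an address reveals, or None.

    Heuristic: a random (privacy) identifier can contain FF:FE at this
    position by chance, roughly once in 65536 addresses.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses: Iterable[str]) -> Dict[str, str]:
    """Map each address that exposes a hardware address to that MAC."""
    found = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            found[addr] = mac
    return found


# Constructed sample: the comment's address plus two made-up ones
# in the 2001:db8::/32 documentation range.
SAMPLE_LOG = [
    "2a00:1450:400f:801:211:22ff:fe33:4455",  # from the comment's example
    "2001:db8:0:1:1c2f:93ab:44d0:7e11",       # random identifier, no MAC
    "2001:db8:0:1:a8bb:ccff:fedd:eeff",       # EUI-64 of aa:bb:cc:dd:ee:ff
]

if __name__ == "__main__":
    print(slaac_address("2a00:1450:400f:801::/64", "00:11:22:33:44:55"))
    for addr, mac in audit(SAMPLE_LOG).items():
        print(f"{addr} exposes MAC {mac}")
```

Hosts flagged by `audit` carry the same identifier on every network they join, which is what IPv6 privacy extensions (temporary addresses) are meant to avoid.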
-
Re:No need
IP6 addresses I think they are free.
-
Re:No need
I'm mostly wondering what to do about my iptables in linux.
The good news is that ipv6 has been available on linux for I donno a decade or so, and ipv6 tunnels have been available, etc. The ipv6 land rush is very much like people in 1997 talking about that "brand new" internet thing, and just like the great ipv4 rollout it's a good thing there's a decade or so of sound traffic engineering experience out there already for ipv6.
1) I guess it depends a lot on your distro.
2) Some terms to google for beyond the obvious are "ip6tables".
3) nobody needs NAT on ipv6 which inherently provided stateful firewalling on ipv4. TCP is pretty easy, SYN packets only allowed in one interface...
4) Personally I find it easiest to make two firewall scripts a ipv4 and a ipv6. If for no other reason than totally screwing up ipv6 will not mess up your ipv4 access and vice versa making it simpler to recover from mistakes.
5) Good luck wrapping your head around the concept of "every host is a multihomed host" aka "link-local addresses". Please don't attempt to route LL out on the greater internet, mkay, they're for mdns / bonjour type stuff.
6) Good luck with dynamic addresses and revdns. If you never used BIND's ORIGIN lines well you best learn how, and quickly.
7) Please block all RH0 aka rt-type 0 packets they're the ipv6 evil bit
8) Go to Hurricane Electric (they rock in general, BTW) and become a sage ipv6 dude. I found this quite easy when they initially rolled this out several years ago, maybe it's harder now. You need to do this "course" to learn the ropes and glossary before you can learn to firewall or you'll turn all sorcerer's apprentice.
http://ipv6.he.net/certification/
9) Once you know ipv6 you could do worse than to start at http://www.sixxs.net/wiki/IPv6_Firewalling
SIXXS is kind of like a major cell phone company, in that everyone's opinion of them seems exclusively driven by their local sixxs pop or their local cellphone tower quality. So you'll get meaningless comments all over the map about how they rock or suck based on the little neighborhood the commenter lives in. That said if you live in range of the Chicago pop, it rocks, although it had some exciting momentary outages a couple years ago. I use them on a dynamic endpoint and HE's tunnelbroker on a static endpoint and I'm very happy with both... your mileage may vary...
-
Re:Exactly why we don't need IPv6
DNS is great, except I'm sure the bastards at ISP headquarters will still charge a monthly fee for a static ipv6 addy and more for a block.... simply because they CAN... and is there a free dynamic dns solution? Last i checked (some years back), no.
Sure. They even specifically support IPv6.
I've also had good luck with CloudFlare, who includes DNS as part of their free service. That includes dynamic DNS.
Afraid.org also does free DNS, including dynamic DNS and IPv6.
-
Re:Three minutes
Virgin Media has blocked just the IP address currently exposed via DNS for thepiratebay.se, far as I can tell. (I haven't tested exhaustively.) https://plus.google.com/109104274582476853846/posts/4ZDXRpUt99J
TBP advertise a whole bunch more addresses via BGP, which I'm sure they could start using pretty quickly, if they wanted: http://bgp.he.net/AS51040#_prefixes
-
dyn inc service and alternatives
This thread is worth a read regarding dyndns and their practises.
They recently bought everydns and editdns, offered existing users who paid or donated "free" accounts, and then once they bought it, went back on their word. the free accounts included a migration fee for domains, and the accounts were limited, so users would have to pay again to get the same level of service they may have paid for at editdns for example (and due to dyndns strange pricing where you have a limit of 75 subdomains on the standard paid account, you may have to pay them a significant amount of money)
Also worth noting, when editdns users expressed their concerns, dyndns were very quick to close down their old forum and replace it with a note to email their staff.
Worth noting that Hurricane Electric have a free dns service (http://dns.he.net) - with up to 50 domains allowed and it can operate as a secondary dns also. They also include a dynamic dns facility. There are some other free options left, but how long until dyndns buys them too? :)
-
Happily enjoying IPv6 on my network
[Disclaimer: I am a pfSense developer, so I'm a bit biased. For those of you who don't know what pfSense is, it's a BSD-based firewall distribution.]
pfSense 2.0 won't officially support IPv6, but there is a branch available that does IPv6 which will later become 2.1. I'm running it on my home router with a GIF tunnel to Hurricane Electric ( http://he.net/ http://tunnelbroker.net/) to get IPv6 even though my ISPs do not have any native IPv6 support yet. The IPv6 support is a work in progress but is complete enough that it will do what most people want/need.
Instructions for the setup and more info can be found on the pfSense IPv6 board here: http://forum.pfsense.org/index.php/board,52.0.html
I get a 10/10 on the IPv6 tests from http://test-ipv6.com/ on all my PCs as well as my Droid X running 2.3.3. If you're already using pfSense 2.0, give the IPv6 code a try, set up a tunnel to he.net, and enjoy. Doesn't take too long at all to set up.
-
Re:talking about data how safe are the data center
Hurricane Electric ran their Fremont datacenter on generator power for about one week during power equipment maintenance by the local electric company (evidently power was going to be unreliable for that week, so they opted to run full-time on the generator rather than switch on and off frequently), according to a rep I met with several years ago. He claims they burned through about 5,000 gallons of diesel during that time.
Their generator is big.
-
Re:A German website tried this
The same experiment can actually work out very differently. At Google's IPv6 implementors conference in summer 2010, a Japanese ISP reflected about the very same experiment like heise.de or the World IPv6 day do of adding AAAA-records for a day.
They've been doing IPv6 for years now, including hosting via IPv6. When they added AAAA-records for their very large Japanese portal site biglobe.ne.jp, they lost about 5% of page views immediately and 5 minutes later, their phone started ringing endlessly. A few hours later, they've chosen to cancel the experiment by removing AAAA-records from their DNS.
In my mind, many Japanese ISPs have been using and offering IPv6 access for years now, but there haven't been any major services available via IPv6 in Japan, so the actual IPv6 traffic has been very low and most people weren't aware that their IPv6 setup is simply broken. Maybe even Yahoo's and Google's often-quoted "0.025% of users do have IPv6 issues" bases on Japan being largely broken in terms of IPv6 service while the rest of the world may run IPv6 without any issues :-)
Well, Germany is quite a very different issue. Most large German access (DSL/broadband/dialup) ISPs don't yet support IPv6 and the de-facto standard-dsl-router range of most ISPs (AVM's Fr!tz-box) didn't support any kind of IPv6 at all until quite recently. Even now, IPv6 is something hidden deep in their menus and actually needs to be manually turned on. German web hosting consists of a few large companies, where support of IPv6 is currently left as a DIY-option for dedicated servers and not for any shared hosting plans. On the other hand, close to every ISP peers via IPv6, is running 6to4 gateways and happily runs IPv6 on their own networks, but IPv6 isn't yet used for any actual major public service, so in theory, IPv6 shouldn't be that hard to get working in Germany today ... but for today, IPv6 in Germany is actually VERY poor.
To illustrate how much worse IPv6 in Germany is, check the TLD stats at Hurricane Electric, compare the amount of AAAA-records vs. the amount of A-records. For about every TLD (.com, .net, .org, ...), there's one AAAA-record for roughly about every 90 A-Records. For .de, only about one out of thousand A-Records do have an AAAA-record. That's a ten-fold in being worse!
So heise.de didn't really venture a lot when they turned on IPv6, as even far less users in Germany actually do use IPv6 than in any other country. However, they've still done something very intelligent: once German Internet access ISPs do turn on IPv6 connectivity for their customers and customers notice about heise.de being unreachable, heise.de users are already aware that heise.de has been served via IPv6 for months without any problems, so any brokenness must be related to their own ISP (or their personal setup). They'll directly complain to their ISP and won't blame heise.de.
-
Re:How do I get to their sites using IPv6?
Use a tunnel broker service. There are at least 2 free tunnel brokers, SixXs and Hurricane Electric
-
Re:Dual stack failed?
No, the implication is that dual stack fails as a general Internet solution if providers start to give their users IPv6-only... at a point in time long before all IPv4 users and services have dual stack. The fact is, at the moment IPv6-only users can access only a small percentage of what the Internet has to offer. If you're an AT&T user, there's no real reason to complain about your wretched ISP not having any immediate plans to give you native IPv6, because you can always go out and get yourself a /48 from a tunnel broker, such as Hurricane Electric, or SixXS. However, I've not yet seen the reverse: tunnel brokers that are willing to offer their customers one or more public IPv4 addresses via an IPv6 tunnel. At the rate things are going, though, I'll bet there will be a market for this sooner as opposed to later.
-
FFS, just deploy IPv6 already!
A common shtick in third-rate science fiction is that when the crisis hits, the civilian government is busy pretending there's no problem, when the military heroes save the day. Like a lot of other people posting here, I'm not used to endorsing the military strong-arming anyone, but in this case, I'm relieved to see someone with some authority actually taking the problem seriously.
We've got about 58 days left before we run out of assignable IPv4 addresses. IPv6 has been ready-to-go for years, except for the ISPs, which are dragging their feet. Yes, I know about Comcast's beta testing -- I signed up to beta test dual-stacking over a year ago. They should have been rolling this out years ago, not running a tiny beta test at a glacial pace at the last moment.
I'm not sure how serious a problem suddenly running out of assignable IPv4 blocks will be for the global economy. It's certainly going to be a serious problem for IT. Continued expansion of the Internet, and services based upon it, depends upon IP addresses being available. A lot of us remember the comic overreaction to the Y2K problem -- in this case, there seems to be a comic underreaction.
-
Re:But of course....
-
Re:wrong premise
There's little excuse at this point to buy a router that doesn't support IPv6. And for existing routers, a simple software upgrade will suffice. There will be some "eWaste", but not nearly as much as you think. In addition, IPv6 is not that big a headache, and there are already resources to learn and implement IPv6. I've had IPv6 in my home and on my server for the past 18 months for free, and my ISP doesn't support IPv6 at all. http://ipv6.he.net/
-
Re:What is the actual cost to the ISP?
It depends where that bandwidth is going among other things...
In the UK at least (not sure about belgium), traffic over the telco's adsl platform is very expensive and that just gets it to the isp, it then has to traverse the internet...
On the other hand, internet transit is quite cheap, he.net for instance appear to offer $1/mbps (quick google search - http://he.net/ip_transit.html?gclid=CJi3mPy3yqMCFQGY2AodCWImuQ), 1mbps continuous over a month is good for about 300GB in each direction... A large isp is also likely to get much better deals if they bulk purchase.
There is also peering which can be much cheaper if not free...
Not to mention traffic which never leaves the isp (eg torrents might have peers nearby), and the bigger the isp the greater chance traffic won't leave.
-
Re:Nice Try but...
Comcast is doing an IPv6 trial right now. Freenet in France has had IPv6 running using 6RD for quite a long time now. You can get IPv6 tunnels from Hurricane Internet and Sixxs. If you are interested in IPv6, go start using it. Don't just sit there on your (no doubt svelte) ass!
:')
-
Re:Hurricane Electric?
Do they offer SSH access? I don't see anything on their site indicating they do on any of their accounts. For some that is a showstopper.
1) They did, back when I was a customer.
2) They claim to on their tutorial page titled "Beginning Unix & SSH Tutorial"
http://www.he.net/faq/tutorials/unix.tutorial/
3) They explicitly support SCP
... Some people ask for ssh, when they don't really want a login shell, but they want to use SCP for secure uploading. (or secure scheduled backing up, or as a secure "FTP" like site, I guess)
http://he.net/web_hosting.html
4) I have no connection to he.net other than being a very happy customer years ago, so I certainly can't speak for them. That said, they had it in the past, and their tutorials describe how to use it, and they claim to support it, so it seems very likely.
-
No, *avoid* DreamHost...
... unless you know you're going to be using them to operate a website that isn't ever going to see real traffic and will never have critical uptime needs.
Here's why: DreamHost accounts have two sets of rules: the ones they sell you on, and the other ones they're counting on you adhering to. That's right, they oversell. On purpose. They know it, and they admit it, and they have their little rationale as to why it isn't a problem, but it is.
Here's an example: their "unlimited" storage offer. They make this kind of offer betting that most people can't even come up with a use for half that (or, more accurate, courting the segment of the market that won't). They're right in that the vast majority of websites will never have more than tens of gigabytes of contents, and they *say* they're willing to put up with the hassle of the few that do.
But the problem is, if you offer a service, eventually, some significant number of people will find a way to use it. I noticed, for example, that their storage offer (a mere 200GB three years ago) essentially made them the cheapest game in town for backing up a lot of data to a remote location, as well as being a pretty good web hosting deal, so I decided to move some of my hosting over, and take advantage of the space for backup. Gradually other people noticed this too, and so over time, people were actually starting to use what DreamHost sold them. When you oversell, this obviously becomes a problem.
So, what did they do? They imposed new rules: you had to pay extra (3-4 times extra) to use that amount of space if the files stored weren't part of a website. That's right: different prices for different bits on the same disk.
Since I found the distinction pretty arbitrary and annoying, I decided to see what would happen if I did a bit of coding and essentially produced a simple web interface for what became a personal backup website. I'd pretty clearly met the letter of the law. DreamHost didn't agree, and said it didn't matter whether or not I had because my intent was clearly just to get around their restriction. They didn't back down; I paid their additional fees, but after a few months, found it irksome enough that I left.
I'm fairly lucky, because I had plenty of time to take my ball and go home. There are some people out there who have found their accounts suspended and even deactivated because of spiking demand -- not even demand that actually saturates a pipe or otherwise exceeds any of the limits they tell you about when they're selling, mostly just enough demand on shared boxes that causes Apache to crash or lock up. These people have essentially had to suddenly migrate under conditions where their access had been cut off.
And this is all before you get to general uptime and systems health. I don't know what it is, but they had a lot of hiccups in the time that I was with them. Some of the explanations really did sound like things beyond their control, and if I hadn't experienced better, I would assume that this just happens sometimes. Their connectivity got cut off, their email servers fail, they change their subdomain host naming system without telling you... no, uptime and predictability were not their strong points.
But the bottom line for me comes back to the first thing I said. Because they oversell, DreamHost accounts have two sets of rules: the ones they sell you on, and the other ones they're counting on you adhering to. If you cross the latter line -- even well before you get to the former -- it's pretty clear they will not only accept your departure but in some cases they will actively throw you over the side of the boat. This is an annoying but possibly acceptable state of affairs for a limited hobby website, but if you count on someone like this for a business or client website, I think it's likely that you or the client will eventually regret it rather strongly.
If you want someone rock solid reliable, I've had an account with Hurricane Electric for 12 years. They e
-
Re:Install your own 6to4 tunnel today
This was clear to me from your post...complaining about Jeroen and then stating HE is great to work with...
You mean Hurricane Electric, right? They are great to work with!
-
Re:Let's see here...
IPv4 countdown is here: http://ipv6.he.net/
As for the rest, all of that is limited or handicapped because of NAT. Centralized servers are required because people are not directly addressable.
The preference for DNS over directly typing in an address doesn't change with a move over to IPv6. DNS can point to big addresses on home computers as easily as short ones on a hosting provider.
'And IPV4 vs 6 has nothing to do with Download rates and bandwidth.'
It has everything to do with end user systems being internet routable and serving their own content. I don't recall saying anything about technology to provide bandwidth magically changing. The demand is what will change. The demand in an IPv6 world will be centered around serving your own content and removing middle men like youtube.
-
Re:Hmm
It's annoying. Being a provider who is in transition from IPv4 to IPv6 I can say that people want IPv4 and if that's what the guy who is paying you money wants, that's what you give him. Because if you don't, he goes elsewhere. So really I'm looking forward to IPv4 running out because once my competitors stop handing out huge blocks without question then maybe my customers won't threaten to take their business elsewhere when I mention they need to actually prove they need the addresses before we expand their block. So yes, I hope the IPv4 Deathclock speeds up just a touch.
-
Re:Hmm
The problem is that congestion control on the Internet is strictly based on the Van Jacobson hacks to TCP/IP. These work pretty well, but they have problems. First, a lot of IP traffic is not TCP. Second, various IP protocols like Bittorrent actually game congestion control to get more than their fair share of the pipe, and there's really no way to prevent this (e.g., what Comcast tried isn't a good solution).
The belief that no-one is working on this is incorrect, however. There's some very good work being done in the IRTF (a research organization associated with the IETF). They did a really cool presentation on their work at the Stockholm IETF this month. There are really good people at various ISPs and running the backbones. It is not the case that it's all on autopilot and slowly decaying. E.g., check out Hurricane Electric. Comcast has a very good team.
The most hopeless thing I see on the Internet is the continued prevalence of operating systems that are highly vulnerable to attack due to poorly-thought-out security models. Apple is starting to do some interesting work on this - they recently hired the guy who did Bitfrost for the OLPC project, for example. A big complaint about Bitfrost is that it's not necessarily all that useable, but if anyone can fix that, it's probably Apple. Would be nice if Microsoft weren't backsliding on this.