What About IPv6? How Long Until Widespread Deployment?

Christopher Blood asks: "Over at the register, they talk about the EU adopting IPv6. So what about the USA? When do we get it? IPv6 would solve some and DOS problems and we will need the extra address space. What's the holdup?" While IPv6 may be the cure for all of our IPv4 ills, upgrading the whole internet to the new technology isn't going to happen over night. What has been done to prepare for the jump, and what still needs to happen before it can become a reality?

Well, it's here already

[Moridineas]

At my university, IPv6 has been deployed since last year, maybe longer. I've been running FreeBSD w/ IPV6 for at least that long. Honestly, it hasn't made that big a difference for me :)

The installed base is hard to change...

[Old+time+hacker]

I think that IPv6 will take a significant amount of time to acheive widespread deployment in the US. Why? There are too many devices (cable/dsl router/firewall appliances) in use that don't support v6. While they may be flash upgradeable, I'm sure that the vendors would prefer to sell a new box which did support v6.

I've thought about running v6 at home and connecting up to the 6bone. However, the list of instructions was long and complex, and it was unclear to me that my existing ipchains based firewall code would continue to protect me. It was also unclear that I could enhance the ipchains rules to protect myself.

I quite like the idea of being able to expose multiple devices on different IP addresses, but it is (still) a non-trivial exercise.

On a side note, I'd like to see more deployment of multicast -- this could help Internet Radio stations significantly in the future. Yes, there aren't good multicast clients at the moment, but that is because there is little multicast to listen to, and no way of getting multicast to the end user. Lobby your ISP for multicast!

p.s. In case you think that I'm an idiot for not being able to configure IPv6 on Linux -- I'll tell you that I was kernel contributer in the pre-1.0 kernels.

Re:When?

[noahm]

Is that still true? Last I read they gave a large portion of their address space back.... For all I know they could have kept a coupple million though.

No, it was Stanford that gave up their class A. What were they thinking? MIT still has ungodly amounts of address space. We have net 18 (18.0.0.0/8), plus random assorted /16s (128.52, for example, is the AI lab). There are a couple others.

The thing is, though, there's a whole lot of "reserved" address space out there. The IPv4 address space shortage is partially artificial. In some ways this is to preven the world from grinding to a screeching halt where there really are no more IPv4 addresses. Another is that maybe it will put pressure on people to be conservative with address allocation, which might make the shortage less pressing. Maybe it will also help to speed the deployment of IPv6.

Most OS vendors are already supportind IPv6 out of the box. WinXP, for example, can be set up as an autoconfiguring IPv6 host very easily (ipv6/install at a command prompt, IIRC). The BSDs support it very well, as do many Linux vendors. I think that it won't be long until IPv6 communication on the internet is very widespread. I don't, however, think the whole internet will be IPv6 any time soon.

noah

I've tried IPv6 with Windows 2000...

[chrysalis]

A major showstopper may be Windows.

Let's see. To be widely deployed on WAN networks, IPv6 should first be widely deployed on local LANs.

It works very well on Unix systems. My little personal network has a bunch of OpenBSD and Linux boxes, 100% IPv6, and everything works like a charm.

But what about Windows?

I tried it with Windows 2000. Because the OS doesn't support IPv6 natively, I had to download a patch (and it's not very easy to find, I can't remember the exact URL, the link was posted on a ML a while ago) .

Before the patch applied I had a big fat warning "Disclaimer: this is very alpha software, your OS can become extremely unstable. Don't call the Microsoft technical support any more after that, we won't answer" (the words were different, but it was the meaning) .

And indeed. The system went very unstable, even for IPv4 requests. IE worked. *some* command-line tools worked. But third party packages like Mirc, CuteFTP and Opera crashed with no further warning.

It looks like there's no effort in the Windows world to provide IPv6-enabled software. This is a major showstopper.

Re:What about the major backbone routers?

[Raindeer]

Japan and Korea are leading, together with some other countries in the Asia/Pacific region (APNIC-countries). Second is Europe (RIPE-countries). Third is the United States and its neighbours.(ARIN-countries), though the United States is second as a nation.

The reason I name the RIR's is that I base this on the amount of IPv6 space assigned. See:
http://www.ripe.net/ripe/meetings/archive/ri pe-41/ presentations/plenary-globalrir-stats/sld011.html
http://www.ripe.net/ripe/meetings/archive/ripe-41 / presentations/plenary-globalrir-stats/sld012.html
and here for the up to date list of all assignments:
http://www.ripe.net/ripencc/mem-serv ices/registrat ion/ipv6/ipv6allocs.html

Furthermore you might find it interesting that in the RIPE-area, the RIPE community has decided that all Local Internet Registries can apply for a /32, which should suffice for all of them :-)
You can find that policy here:
http://www.ripe.net/ripe/mail-archives/ipv6 -wg/200 20101-20020401/msg00093.html

Try freenet6.net

[MavEtJu]

If you are interested in playing with IPv6, try to get a tunnel via www.freenet6.net.

They're supporting devices running *BSD, Linux, Win*, Solaris, HP-UX and Cisco IOS.

NAT provides convenience, not security

[pHDNgell]

While it may sound neat to say, ``go ahead, try to telnet to 10.200.120.4,'' it doesn't exactly work that way.

Does this machine on 10.200.120.4 have the ability to make direct outbound connections? Assuming yes, does you realize that the only difference between an inbound connection and an outbound connection is who sent the first packet?

Many people tend to believe that the *only* security risk they have to worry about is inbound SYN packets, so they base their entire security policy on stopping bad inbound packets. The last two sites I broke into, I did so by tricking a machine to come to me. Just for humor, here are the two scenarios:

The first one was quite a while ago, and I did it at contract. A co-worker found a potential hole in a CGI, but nobody took it seriously. By sending the right data through the CGI, I found that I could make it execute arbitrary commands. First, I did some basic stuff (id; ls -lR /; etc...) and had it output the mail to me (couldn't see the output from the CGI). I figured out the web server user had a shell and a writable home directory, and the machine had ssh (client and server installed). I generated a private key and had it mail me the public version of that key, then I added it to my authorized_keys and installed my public key in the web server's authorized_keys. Then I had the web server user ssh to my host with remote port forwarding back into the web server's 22. ssh -p 2222 localhost and I'm sitting in a shell on the web server (192.168.something).

The next time I saw something like this, it was out in the wild. There was a web server that was running a CGI that *seemed* like it was probably just handing the input over to a command, so I gave it a shot. This time, the web server didn't have a usable home directory, so the ssh thing was out, but it did have X installed, so I fired up a VNC server, opened it to the world and opened an xterm up in it. Before too long, I had an entire X desktop running on some guy's web server. I sent the local admin an E-mail (through pine) letting him know what was wrong and recommending he fix it before someone meaner than I am comes along.

Anyway, point of the story. Having an unroutable IP address is good internet security as long as you keep it unrouted. Once you give the thing direct internet access, the unroutability of it becomes much less relevant.

Re:When Cisco decides to...

[isdnip]

Cisco knows that IPv6 is a lose; they have to support it, but don't have to push it hard.

IPv6 is a bad job, period. Most Slashdotters probably don't know its provenance. It has been around for about a decade. IETF created it as a compromise. IETF insider Steve Deering had created a poor-quality hack called SIP (Steve's IP) while insider Paul Francis (aka Tsuchiya) created one called PIP (Paul's IP). How bad? SIP, for instance, assigned all addresses by countries, based on population, and thus gave a shorter prefix to North Korea than to South Korea because it was a bit more populous in his almanac. IPv6 is PIP and SIP glommed together.

Just before the time it was adopted, IETF had adopted a different replacement for IP, TUBA (which I think was also called IPv8). TUBA used a profile of the OSI Connectionless Network Protocol (CLNP). Cisco had already implemented it, along with CLNP's routing protocol, IS-IS. CLNP was elegant and flexible -- some of the OSI work stank, but CLNP and TP4 were gems. The only reason TUBA was dropped was because Vint Cerf, the Chauncey Gardner of the Internet (not really so smart, but he's famous for Being There), changed his vote and dropped TUBA support.

Had Vint not been so perfidious, IPv8 would have been phased in before the public Internet boom of the mid-1990s. The code has been in Cisco and other vendor equipment for a decade.

IPv6, on the other hand, has a wasteful 16-octet address field (only 8 octets are useful at a time) and does little else to solve IP's problems. It does NOT provide QoS (that's an urban legend) or security any better than IPv4 with its existing options. And given the inefficient assignment of IPv4 adresses in the past, the 32-bit field has a lot of life left.

Think about VoIP: With IPv4, the header has 8 address octets, while the payload has to be short in order to minimize delay. And it's bloody inefficient. With IPv6, the header has 32 address octets while the payload is the same. It's a bleedin' joke! IPv6 is just plain wasteful.