What About IPv6? How Long Until Widespread Deployment?
Christopher Blood asks: "Over at The Register, they talk about the EU adopting IPv6. So what about the USA? When do we get it?
IPv6 would solve some and DOS problems and we will need the extra address space. What's the holdup?" While IPv6 may be the cure for all of our IPv4 ills, upgrading the whole internet to the new technology isn't going to happen overnight. What has been done to prepare for the jump, and what still needs to happen before it can become a reality?
I guess not in the near future. When free IPv4 addresses run out, large address blocks reserved for big companies etc. become very valuable. So, if you want addresses which work 100% of the time, you'll have to cough up money for the companies to get them. It will be that simple. Really.
Yup.
:)
As in IPv4 addresses are just a subset of IPv6, so any IPv4-based stuff will still work in an IPv6 network no problem.
Not true the other way round, but then that doesn't matter.
So yes, they could upgrade the entire Internet backbones etc to IPv6 (and *should* do so asap) and all old IPv4 traffic will carry on as normal.
People should not be afraid of their governments - Governments should be afraid of their people.
When corporate America determines they can make a profit from it.
sPh
Why?
Why should universities and large corporations HOG IP space? There is no need to update millions of machines because a few corporations are remoted from the large address blocks.
FREE THE IP!! FREE THE IP!! They belong to people. Storm the high castles and take back what belongs to the people!!
Really though -- who needs IPv6? Get the corporations to use NAT - what corporation needs an A-Class? (besides an ISP/Backbone). I know of a corporation that has an A-Class - all machines besides servers are DHCP assigned anyway. They could convert tomorrow and free the IPs. So why hog them?
I have not seen one benefit for IPv6. I do not say IP for my toaster. There is not a single benefit for the cost or hassle of the millions of machines that need to be changed.
Lastly, there is not even a clean routing assignment plan for IPv6. So Duke's use of IPv6 would now have to be grandfathered in, wasting everyone's time and money. With that many IPs, why not assign the first Hex^2 to a country, one to the porn world, one to the sport world. That way filtering would be very simple.
What would be a better use of time and money?
Require all machines to use DHCP/DNS - no more hard IPs, period. Your router to the internet would get its IP from its upstream provider, and would supply the DHCP for all machines below it.
Lastly it would have to send up the DNS entries for any routes to servers behind it. This way only one IP is needed at each junction and all could be from private pools. In the end more IPs are freed.
Because of the larger space, there's no reason AOL can't be aggregated into *one* BGP announcement and be allocated *one* block that they will ever need, forever.
Fear that!
-- dieman - Scott Dier
Hmm, seems like there's already a solution in place for this... I've been using DNS for years...
Except... take a game like counter-strike. Kids that can barely check their email can usually figure out how to set up a dedicated win32 CS server. Point-and-click.
A lot of these guys get introduced to the concept of "IP Addresses" via this method. You think they have DNS set up? Or even static IPs?
Sure, there's gametiger.net.. but that's a hack anyway. Sometimes, IPs matter.
(Oh, and I don't think adsl-24-232-22.lacr.isp-domain.net is easier than an IP address, btw.)
From the point of view of any individual organization, there are no reasons to switch to IPv6 right now. First movers receive no benefits at all: in fact, it only makes communicating with the rest of the (currently IPv4) internet more difficult. Moreover, I imagine that many businesses large enough to have an impact already have a large IPv4 address block, and have a vested interest in discouraging others from making the switch:
The various hacks available for IPv4 do the job. I can easily imagine a scenario where Cisco doesn't push IPv6 routers hard enough in the future, and people invest more and more in NATs and so forth, making a global switch harder and harder as time goes on.
The fundamental problem is that IPv6 doesn't provide any short-term killer benefits, and that's what's necessary for an evolution to take place. My prediction (though predicting acceptance of technologies is always risky, so I may well turn out to be wrong) is that we will still be using an IPv4 internet in a decade.
We could have a central database where everybody applies for a unique, easy to remember computer name.
Something like DNS?
Of course, blocking incoming connections is only a part of a security policy.
However, both the examples you gave in your message required you to be able to connect to the target machine via HTTP and issue an HTTP GET request - therefore you had inbound connectivity to the target, just not inbound connectivity to J. Random Port.
There is NO inbound port available to you. Not 80, not 22, not 25, nothing. The only inbound ports would be when I am FTPing down a file, if I am not running passive mode. However, since the firewall only allows traffic from the FTP server, you would either have to spoof that (and then all you would do is corrupt the file I am downloading) or hack the FTP server (same problem).
And as to the other people who pointed out that I could use a site-local address: Of course, what do you think 10.200.120.4 is? However, NAT for IPv4 is very well tested, so my "unroutable" 10.x.x.x address is still able to get to /. (as this very post bears witness to). Would my IPv6 site-local address be able to do the same - in other words, is the state of NAT for IPv6 anywhere near IPv4? Considering the common opinion is that NAT is unneeded in IPv6, I very much doubt it.
The great thing about my workstation being unroutable is that, should I be stupid enough to get a Trojan that announces itself to the 'net and says "I am at $address $port, come abuse me", if $address is not routable, this does very little good for the script kiddie - even if the system reports a traceroute so that he can follow it back, he STILL cannot route a packet to it.
(now, this does not stop the Trojan from connecting to an [icq|http|SOAP|...] server and pulling its commands down, but as I stated at the first of this post, no one aspect of securing a system is sufficient - security is a journey, not a destination).
www.eFax.com are spammers
I'll start using IPv6 when the backbones start using IPv6 and I can get IPv6 addresses from my ISP.
I really shouldn't have used someone else's email address for this account.
They operate in the Internet community, yet claim 16 million addresses for themselves, even though practically all of their internal machines are hidden behind a solid firewall system for which NAT would not be a big problem (and possibly a security asset.)
My employer has a similar setup -- many class B networks, all allocated to systems that are firewalled off from the Internet, set up this way because it required less thinking than NAT.
When IPv6 is widely used, I imagine we'll see much more of this foolishness.
First thing I did when I took over responsibility for hosting and internet connectivity at a (largish) company I worked at was to replace their existing public IP space (a few thousand addresses) with private IP, hidden behind NAT. It made internal routing *far* easier.
Of course, a few hardcore techies complained. So, I said that if they had a problem with it, they could come tell me why. If they had a good reason for public IP and they convinced me they were trustable as far as security was concerned, I'd happily give them as many of the deallocated public addresses as they needed, and noted them down carefully. After a few months, those allocations would be reassessed.
As far as HP is concerned, something like:
find . -type f -exec perl -pi -e 's/\b15\.(\d+\.\d+\.\d+)\b/10.$1/g' {} +
should do the trick! =)
That doesn't change what the guy is saying. NAT prevents another computer from initiating a connection to the internal network, but it doesn't prevent you from being hacked. A clever hacker can hijack existing connections, or convince you to open connections that aren't friendly.
For example: you browse to www.ima.hacker.net. The page has code to exploit a browser vulnerability, and the exploit code initiates a connection back to www.ima.hacker.net.
Another problem is connection hijacking -- a hacker can send extra packets to a firewall that actually get through because they are marked as being from the same port and address as those of a real connection. This is especially easy if the hacker is able to sniff packets en route.
Yes, being behind a NAT does reduce the risk of attacks: you probably only have to secure your client apps, not your server apps. But clients are vulnerable, too.
Overall, IPv6 will be far more resistant to hacking. The designers had the wisdom of many years of IPv4 problems and security flaws to influence the design. Now it is much harder to spoof a packet. Now you can't sniff packet ID numbers. Any advantage that you are currently attributing to NAT can be gotten with a firewall, and much more reliably.
Can't wait can't wait can't wait.
Time flies like an arrow. Fruit flies like a banana.
No NAT does not. There are some problems, but they are very specific to stupidly engineered client/server programs where the server attempts to contact the client (using whatever the client thinks is its address.) Almost every java rmi/corba based piece of shit has this problem.
Next you're going to say firewalls causes lots of problems.
I have managed class A's and class C's both with and without NAT. While NAT does make things easier in one respect, for the company managing it NAT is a bigger headache than what it solves. The ROI isn't there.
Forcing NAT is nice and all, but it ain't the easiest and best solution.
Nah, you just go and tell other ones to change their system because they are smaller than you.
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
Don't you realize how idiotic it is to avoid the update to IPv6 by instead requiring an update to NAT and an update of every protocol that doesn't work well with NAT. That's more time and money wasted, not less!!
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
It made internal routing *far* easier.
Not always. A big problem with private address space appears when two businesses (or depts, or whatever) bridge their LANs with a VPN and they are using the same private range. Most LANs use either 192.168.[0|1].0/24 or 10.0.0.0/8, so this happens often (it happens to me all the time). Hopefully one or the other uses DHCP so they can be migrated to another address range (almost) painlessly.
:wq
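The overlap problem described above is easy to check for before the VPN is brought up. As an added example (not from the original post), here is a Python check over two constructed site prefix lists that reports the overlapping pairs and picks unused subnets from 10/8 as a migration target for whichever side can be renumbered via DHCP:

```python
import ipaddress

# Constructed example (not from the page): two LANs about to be bridged over a VPN.
SITE_A = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/16"]
SITE_B = ["192.168.1.0/24", "10.0.5.0/24", "172.16.10.0/24"]


def overlapping_prefixes(site_a, site_b):
    """Return (a, b) prefix pairs that overlap; once bridged, routes to these are ambiguous."""
    nets_a = [ipaddress.ip_network(p) for p in site_a]
    nets_b = [ipaddress.ip_network(p) for p in site_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def free_subnets(site_a, site_b, pool="10.0.0.0/8", prefixlen=24, count=1):
    """Pick `count` subnets of the given length from `pool` that neither site uses.

    These are candidate ranges for the DHCP-managed side to migrate to.
    """
    used = [ipaddress.ip_network(p) for p in site_a + site_b]
    found = []
    # subnets() is a generator, so scanning 10/8 at /24 stops as soon as we have enough.
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            found.append(str(cand))
            if len(found) == count:
                break
    return found


if __name__ == "__main__":
    for a, b in overlapping_prefixes(SITE_A, SITE_B):
        print(f"conflict: site A {a} overlaps site B {b}")
    print("free /24s to renumber into:", free_subnets(SITE_A, SITE_B, count=2))
```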
I think it *IS* a form of security, it's an easy form of security. Just like dead-bolts.
Just because *you* know a way around it, doesn't mean it can't/shouldn't be used.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)