Slashdot Mirror


What About IPv6? How Long Until Widespread Deployment?

Christopher Blood asks: "Over at The Register, they talk about the EU adopting IPv6. So what about the USA? When do we get it? IPv6 would solve some and DOS problems and we will need the extra address space. What's the holdup?" While IPv6 may be the cure for all of our IPv4 ills, upgrading the whole internet to the new technology isn't going to happen overnight. What has been done to prepare for the jump, and what still needs to happen before it can become a reality?

20 of 398 comments

  1. When? by Anonymous Coward · · Score: 3, Insightful

    I guess not in the near future. When free IPV4 addresses run out, large address blocks reserved to big companies etc become very valuable. So, if you want addresses which work 100% of the time, you'll have to cough up money for the companies to get them. It will be that simple. Really.

    1. Re:When? by furiousgeorge · · Score: 4, Insightful

      True, but if you're not located next door to said company, the main trunk routing tables become ridiculous.

      Remember --- M.I.T. has more assigned IP addresses than ALL OF CHINA.

      It's not North America that's going to drive IPv6, it's Europe and Asia where they're already starting to feel the address squeeze.

  2. Re:Newbie question.. by ColdGrits · · Score: 2, Insightful

    Yup.

    As in IPv4 addresses are just a subset of IPv6, so any IPv4-based stuff will still work in an IPv6 network no problem.

    Not true the other way round, but then that doesn't matter :)

    So yes, they could upgrade the entire Internet backbones etc to IPv6 (and *should* do so asap) and all old IPv4 traffic will carry on as normal.

    --
    People should not be afraid of their governments - Governments should be afraid of their people.
  3. When do we get it? by nublord · · Score: 4, Insightful
    When do we get it?

    When corporate America determines they can make a profit from it.

    1. Re:When do we get it? by sabinm · · Score: 2, Insightful

      More right than not. Why in the world would corp ISP want to give you a static IPv6 when that is a constant bandwidth tap?

      Joe Public will never "own" ip addresses again. That was made evident after the "great subnet rush" of the nineties.

      Having IPv6 addresses means that anyone can have as many as they want if given away for free - until there is a way to consistently and legally charge for "per seat" usage for internet bandwidth, with criminal repercussions (can you say DMCA) corporations will not adopt a standard which basically says, "a static and public IP address is worthless as a marketable commodity".

      --
      http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
  4. When Cisco decides to... by sphealey · · Score: 4, Insightful
    There are two factors holding IPV6 back: lack of consensus from those that make the decisions in the networking world that IPV6 solves any problems that need to be solved at anything like a reasonable cost. And lack of push from Cisco for implementation. There are thousands of other facets to the discussion, but let's face it: if Cisco had said a year ago that "oh, IOS 12.x now supports IPV6 and we think you should start using it" the world would have fallen in line. They haven't, which makes you wonder what they know that we don't. The story is that "customers aren't demanding it yet", but that didn't stop them from introducing the router when no one was demanding them, did it?

    sPh

  5. Re:Tech Issues by dieman · · Score: 2, Insightful

    Because of the larger space, there's no reason AOL can't be aggregated into *one* bgp announce and be allocated *one* block that they will ever need, forever.

    Fear that!

    --
    -- dieman - Scott Dier
  6. Never? by Broccolist · · Score: 5, Insightful
    I'm going out on a limb here, but has anyone considered that IPv6 may never get widespread acceptance?

    From the point of view of any individual organization, there are no reasons to switch to IPv6 right now. First movers receive no benefits at all: in fact, it only makes communicating with the rest of the (currently IPv4) internet more difficult. Moreover, I imagine that many businesses large enough to have an impact already have a large IPv4 address block, and have a vested interest in discouraging others from making the switch:

    1. There is no reason for them to pay for new routers
    2. A crowded IPv4 internet might allow them to loan out some of their in-demand addresses for extra profit.

    The various hacks available for IPv4 do the job. I can easily imagine a scenario where Cisco doesn't push IPv6 routers hard enough in the future, and people invest more and more in NATs and so forth, making a global switch harder and harder as time goes on.

    The fundamental problem is that IPv6 doesn't provide any short-term killer benefits, and that's what's necessary for an evolution to take place. My prediction (though predicting acceptance of technologies is always risky, so I may well turn out to be wrong) is that we will still be using an IPv4 internet in a decade.

  7. Re:the bothersome part by Fastolfe · · Score: 2, Insightful

    We could have a central database where everybody applies for a unique, easy to remember computer name.

    Something like DNS?

  8. Re:NAT provides convenience, not security by wowbagger · · Score: 4, Insightful

    Of course only blocking incoming connections is only a part of a security policy.

    However, both the examples you gave in your message required you to be able to connect to the target machine via HTTP and issue an HTTP GET request - therefore you had inbound connectivity to the target, just not inbound connectivity to J. Random Port.

    There is NO inbound port available to you. Not 80, not 22, not 25, nothing. The only inbound ports would be when I am FTPing down a file, if I am not running passive mode. However, since the firewall only allows traffic from the FTP server, you would either have to spoof that (and then all you would do is corrupt the file I am downloading) or hack the FTP server (same problem).

    And as to the other people who pointed out that I could use a site-local address: Of course, what do you think 10.200.120.4 is? However, NAT for IPv4 is very well tested, so my "unroutable" 10.x.x.x address is still able to get to /. (as this very post bears witness to). Would my IPv6 site-local address be able to do the same - in other words, is the state of NAT for IPv6 anywhere near IPv4? Considering the common opinion is that NAT is unneeded in IPv6, I very much doubt it.

    The great thing about my workstation being unroutable is that, should I be stupid enough to get a Trojan that announces itself to the 'net and says "I am at $address $port, come abuse me", if $address is not routable, this does very little good for the script kiddie - even if the system reports a traceroute so that he can follow it back, he STILL cannot route a packet to it.

    (now, this does not stop the Trojan from connecting to an [icq|http|SOAP|...] server and pulling its commands down, but as I stated at the first of this post, no one aspect of securing a system is sufficient - security is a journey, not a destination).

  9. I'll start using IPv6... by ewieling · · Score: 2, Insightful

    I'll start using IPv6 when the backbones start using IPv6 and I can get IPv6 addresses from my ISP.

    --
    I really shouldn't have used someone else's email address for this account.
  10. I can't wait... by jbf · · Score: 3, Insightful
    ...for IPv6 because...
    • ...I want my IP headers to be twice as long
    • ...I want to go from 50% header overhead in Netmeeting to 75% header overhead
    • ...I want to include a 16-bit field (Flow ID) in my header that no-one has yet figured out how to use
    • ...I feel the need to address every atom on the face of the universe, and then some
    • ...I love IP addresses like 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
    • ...I like the idea that we'll all have to buy new copies of embedded hardware that are currently IPv4-only

  11. Re:Well, it's here already by JLouder · · Score: 2, Insightful

    They operate in the Internet community, yet claim 16 million addresses for themselves, even though practically all of their internal machines are hidden behind a solid firewall system for which NAT would not be a big problem (and possibly a security asset.)

    My employer has a similar setup -- many class B networks, all allocated to systems that are firewalled off from the Internet, set up this way because it required less thinking than NAT.

    When IPv6 is widely used, I imagine we'll see much more of this foolishness.

  12. Re:Well, it's here already by Gid1 · · Score: 4, Insightful

    First thing I did when I took over responsibility for hosting and internet connectivity at a (largish) company I worked at was to replace their existing public IP space (a few thousand addresses) with private IP, hidden behind NAT. It made internal routing *far* easier.

    Of course, a few hardcore techies complained. So, I said that if they had a problem with it, they could come tell me why. If they had a good reason for public IP and they convinced me they were trustable as far as security was concerned, I'd happily give them as many of the deallocated public addresses as they needed, and noted them down carefully. After a few months, those allocations would be reassessed.

    As far as HP is concerned, something like:
    find . -type f -exec perl -pi -e 's/15\.(\d+\.\d+\.\d+)/10.$1/go' {} \;
    should do the trick! =)

  13. Re:NAT provides convenience, not security by cookd · · Score: 4, Insightful

    That doesn't change what the guy is saying. NAT prevents another computer from initiating a connection to the internal network, but it doesn't prevent you from being hacked. A clever hacker can hijack existing connections, or convince you to open connections that aren't friendly.

    For example: you browse to www.ima.hacker.net. The page has code to exploit a browser vulnerability, and the exploit code initiates a connection back to www.ima.hacker.net.

    Another problem is connection hijacking -- a hacker can send extra packets to a firewall that actually get through because they are marked as being from the same port and address as those of a real connection. This is especially easy if the hacker is able to sniff packets en route.

    Yes, being behind a NAT does reduce the risk of attacks: you probably only have to secure your client apps, not your server apps. But clients are vulnerable, too.

    Overall, IPv6 will be far more resistant to hacking. The designers had the wisdom of many years of IPv4 problems and security flaws to influence the design. Now it is much harder to spoof a packet. Now you can't sniff packet ID numbers. Any advantage that you are currently attributing to NAT can be gotten with a firewall, and much more reliably.

    Can't wait can't wait can't wait.

    --
    Time flies like an arrow. Fruit flies like a banana.
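The filtering behaviour debated in comments 8 and 13, modelled as an added example that is not part of any comment in the thread: a default-deny inbound stateful filter in front of globally routable IPv6 addresses, with no address translation. The class, function and address names are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class StatefulFilter:
    """Edge filter: default-deny inbound, no address translation (hypothetical model)."""
    inside: ipaddress.IPv6Network
    flows: set = field(default_factory=set)

    def _inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def handle(self, p: Packet) -> str:
        if self._inside(p.src) and not self._inside(p.dst):
            # Outbound: allowed and recorded so the reply can come back.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        if self._inside(p.dst) and not self._inside(p.src):
            # Inbound: only if it mirrors a recorded flow. The match is on the
            # tuple alone; it does not authenticate the sender.
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "accept" if key in self.flows else "drop"
        return "drop"


def demo() -> dict:
    # Constructed addresses from the 2001:db8::/32 documentation prefix.
    fw = StatefulFilter(ipaddress.ip_network("2001:db8:1::/48"))
    ws, web, other = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:2::1"
    return {
        "unsolicited_inbound": fw.handle(Packet(other, 40000, ws, 22)),
        "outbound_http": fw.handle(Packet(ws, 51000, web, 80)),
        "reply_to_outbound": fw.handle(Packet(web, 80, ws, 51000)),
        "inbound_from_other_host": fw.handle(Packet(other, 80, ws, 51000)),
        "outbound_from_compromised_host": fw.handle(Packet(ws, 51001, other, 443)),
    }
```

The last case is the caveat raised in comment 8: neither NAT nor an inbound filter stops a compromised inside host from opening its own outbound connection, so egress rules and host hardening remain separate controls.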
  14. Re:Well, it's here already by Cramer · · Score: 2, Insightful

    No, NAT does not. There are some problems, but they are very specific to stupidly engineered client/server programs where the server attempts to contact the client (using whatever the client thinks is its address.) Almost every java rmi/corba based piece of shit has this problem.

    Next you're going to say firewalls cause lots of problems.

  15. Re:America Doesn't Change Standards Easily by Sri Lumpa · · Score: 3, Insightful
    We don't just go change a system just because someone bigger than us tells us to.

    Nah, you just go and tell other ones to change their system because they are smaller than you.

    --
    "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
  16. Re:Well, it's here already by -brazil- · · Score: 3, Insightful
    God, that's bullshit. There aren't even enough IPv4 addresses around to give one to each person, and static IPs are desirable, and more than one of them per person.

    Don't you realize how idiotic it is to avoid the update to IPv6 by instead requiring an update to NAT and an update of every protocol that doesn't work well with NAT? That's more time and money wasted, not less!!

    --

    The illegal we do immediately. The unconstitutional takes a little longer.
    --Henry Kissinger

  17. Re:Well, it's here already (slightly OT) by Etyenne · · Score: 3, Insightful

    It made internal routing *far* easier.

    Not always. A big problem with private address space appears when two businesses (or dept, or whatever) bridge their LAN with a VPN and they are using the same private range. Most LAN use either 192.168.[0|1].0/24 or 10.0.0.0/8, so this happens often (it happens to me all the time). Hopefully one or the other use DHCP so they can be migrated to another address range (almost) painlessly.

    --
    :wq
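The address-collision problem described in comment 17, as an added example that is not part of the original post: a check to run before bridging two sites over a VPN, which lists overlapping subnets and proposes an unused RFC 1918 range for the side that will be renumbered. The function names and the two sites' subnet lists are constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks, searched in this order for a free range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventories for two sites about to be bridged.
SITE_A = ["192.168.1.0/24", "10.0.0.0/8"]
SITE_B = ["192.168.1.0/24", "10.20.0.0/16"]


def find_overlaps(site_a, site_b):
    """Return (a, b) subnet pairs whose address ranges collide across sites."""
    a_nets = [ipaddress.ip_network(n) for n in site_a]
    b_nets = [ipaddress.ip_network(n) for n in site_b]
    # overlaps() also catches containment, e.g. 10.20.0.0/16 inside 10.0.0.0/8.
    return [(a, b) for a in a_nets for b in b_nets if a.overlaps(b)]


def suggest_free(prefixlen, used):
    """First RFC 1918 subnet of the given length that overlaps nothing in use."""
    used_nets = [ipaddress.ip_network(n) for n in used]
    for block in RFC1918:
        if prefixlen < block.prefixlen:
            continue  # requested subnet is larger than this block
        for cand in block.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(u) for u in used_nets):
                return cand
    return None  # private space exhausted for this size


if __name__ == "__main__":
    for a, b in find_overlaps(SITE_A, SITE_B):
        print(f"collision: site A {a} <-> site B {b}")
    print("renumber into:", suggest_free(24, SITE_A + SITE_B))
```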
  18. Re:NAT provides convenience, not security by Havokmon · · Score: 3, Insightful

    I think it *IS* a form of security, it's an easy form of security. Just like dead-bolts.

    Just because *you* know a way around it, doesn't mean it can't/shouldn't be used.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)