Slashdot Mirror


What About IPv6? How Long Until Widespread Deployment?

Christopher Blood asks: "Over at the register, they talk about the EU adopting IPv6. So what about the USA? When do we get it? IPv6 would solve some and DOS problems and we will need the extra address space. What's the holdup?" While IPv6 may be the cure for all of our IPv4 ills, upgrading the whole internet to the new technology isn't going to happen overnight. What has been done to prepare for the jump, and what still needs to happen before it can become a reality?

27 of 398 comments

  1. Well, it's here already by Moridineas · · Score: 4, Informative

    At my university, IPv6 has been deployed since last year, maybe longer. I've been running FreeBSD w/ IPV6 for at least that long. Honestly, it hasn't made that big a difference for me :)

    1. Re:Well, it's here already by Gid1 · · Score: 4, Insightful

      First thing I did when I took over responsibility for hosting and internet connectivity at a (largish) company I worked at was to replace their existing public IP space (a few thousand addresses) with private IP, hidden behind NAT. It made internal routing *far* easier.

      Of course, a few hardcore techies complained. So, I said that if they had a problem with it, they could come tell me why. If they had a good reason for public IP and they convinced me they were trustable as far as security was concerned, I'd happily give them as many of the deallocated public addresses as they needed, and noted them down carefully. After a few months, those allocations would be reassessed.

      As far as HP is concerned, something like:
      find . -type f -exec perl -pi -e 's/\b15\.(\d+\.\d+\.\d+)/10.$1/go' {} +
      should do the trick! =)

  2. What about the major backbone routers? by kronin · · Score: 4, Interesting

    I would like to know how close the backbone through the US is to being IPv6 ready. Anyone that knows care to respond?

    1. Re:What about the major backbone routers? by Raindeer · · Score: 4, Informative

      Japan and Korea are leading, together with some other countries in the Asia/Pacific region (APNIC-countries). Second is Europe (RIPE-countries). Third is the United States and its neighbours (ARIN-countries), though the United States is second as a nation.

      The reason I name the RIRs is that I base this on the amount of IPv6 space assigned. See:
      http://www.ripe.net/ripe/meetings/archive/ripe-41/presentations/plenary-globalrir-stats/sld011.html
      http://www.ripe.net/ripe/meetings/archive/ripe-41/presentations/plenary-globalrir-stats/sld012.html
      and here for the up to date list of all assignments:
      http://www.ripe.net/ripencc/mem-services/registration/ipv6/ipv6allocs.html

      Furthermore you might find it interesting that in the RIPE-area, the RIPE community has decided that all Local Internet Registries can apply for a /32, which should suffice for all of them :-)
      You can find that policy here:
      http://www.ripe.net/ripe/mail-archives/ipv6-wg/20020101-20020401/msg00093.html

  3. When do we get it? by nublord · · Score: 4, Insightful
    When do we get it?

    When corporate America determines they can make a profit from it.

  4. When Cisco decides to... by sphealey · · Score: 4, Insightful
    There are two factors holding IPV6 back: lack of consensus from those that make the decisions in the networking world that IPV6 solves any problems that need to be solved at anything like a reasonable cost. And lack of push from Cisco for implementation. There are thousands of other facets to the discussion, but let's face it: if Cisco had said a year ago that "oh, IOS 12.x now supports IPV6 and we think you should start using it" the world would have fallen in line. They haven't, which makes you wonder what they know that we don't. The story is that "customers aren't demanding it yet", but that didn't stop them from introducing the router when no one was demanding them, did it?

    sPh

    1. Re:When Cisco decides to... by isdnip · · Score: 5, Informative

      Cisco knows that IPv6 is a lose; they have to support it, but don't have to push it hard.

      IPv6 is a bad job, period. Most Slashdotters probably don't know its provenance. It has been around for about a decade. IETF created it as a compromise. IETF insider Steve Deering had created a poor-quality hack called SIP (Steve's IP) while insider Paul Francis (aka Tsuchiya) created one called PIP (Paul's IP). How bad? SIP, for instance, assigned all addresses by countries, based on population, and thus gave a shorter prefix to North Korea than to South Korea because it was a bit more populous in his almanac. IPv6 is PIP and SIP glommed together.

      Just before the time it was adopted, IETF had adopted a different replacement for IP, TUBA (which I think was also called IPv8). TUBA used a profile of the OSI Connectionless Network Protocol (CLNP). Cisco had already implemented it, along with CLNP's routing protocol, IS-IS. CLNP was elegant and flexible -- some of the OSI work stank, but CLNP and TP4 were gems. The only reason TUBA was dropped was because Vint Cerf, the Chauncey Gardner of the Internet (not really so smart, but he's famous for Being There), changed his vote and dropped TUBA support.

      Had Vint not been so perfidious, IPv8 would have been phased in before the public Internet boom of the mid-1990s. The code has been in Cisco and other vendor equipment for a decade.

      IPv6, on the other hand, has a wasteful 16-octet address field (only 8 octets are useful at a time) and does little else to solve IP's problems. It does NOT provide QoS (that's an urban legend) or security any better than IPv4 with its existing options. And given the inefficient assignment of IPv4 addresses in the past, the 32-bit field has a lot of life left.

      Think about VoIP: With IPv4, the header has 8 address octets, while the payload has to be short in order to minimize delay. And it's bloody inefficient. With IPv6, the header has 32 address octets while the payload is the same. It's a bleedin' joke! IPv6 is just plain wasteful.

  5. the bothersome part by nukey56 · · Score: 4, Funny

    IPv6 will fix a lot of problems, but one nasty side effect is that we're going to end up with addresses that look like 3ffe:400:34:fd01::1, instead of the easily memorizable four octets. When that day comes, it's going to be a lot harder to shout down the IP of the game server you're playing on down the hall.

    "Oh, I'm on three-f-f-e-four,four-zero-zero,three-four,f-d-zero-one,not(?),one. What's taking you so long?!?"

  6. Moving a super-tanker by iPaul · · Score: 4, Interesting

    IPV6 is better. Autoconfiguration, neighbor discovery, big address space, compatibility with IPV4, etc. However, the more hacks we put in to make IPV4 work the harder it is to change. For the most part we're educating people to do "Stupid IPV4 Tricks" rather than moving to IPV6. The more of that we do the harder it is to change. Also, the more ominous the prospect of change, the more people will dread it.

    Frankly, I'm thinking we might see another round, like IPV7 (or IPV8 if they make a habit of skipping odd numbers), or it might come very late. Maybe we'll see it on phones and wireless devices before we see wide-spread adoption of IPV6 or general purpose networking.

    --
    Leave the gun, take the cannoli -- Clemenza, The Godfather
  7. Re:When? by furiousgeorge · · Score: 4, Insightful

    true. but if you're not located next door to said company, the main trunk routing tables become ridiculous.

    Remember --- M.I.T. has more assigned IP addresses than ALL OF CHINA.

    It's not North America that's going to drive IPv6, it's Europe and Asia where they're already starting to feel the address squeeze.

  8. The installed base is hard to change... by Old+time+hacker · · Score: 4, Informative
    I think that IPv6 will take a significant amount of time to achieve widespread deployment in the US. Why? There are too many devices (cable/dsl router/firewall appliances) in use that don't support v6. While they may be flash upgradeable, I'm sure that the vendors would prefer to sell a new box which did support v6.

    I've thought about running v6 at home and connecting up to the 6bone. However, the list of instructions was long and complex, and it was unclear to me that my existing ipchains based firewall code would continue to protect me. It was also unclear that I could enhance the ipchains rules to protect myself.

    I quite like the idea of being able to expose multiple devices on different IP addresses, but it is (still) a non-trivial exercise.

    On a side note, I'd like to see more deployment of multicast -- this could help Internet Radio stations significantly in the future. Yes, there aren't good multicast clients at the moment, but that is because there is little multicast to listen to, and no way of getting multicast to the end user. Lobby your ISP for multicast!

    p.s. In case you think that I'm an idiot for not being able to configure IPv6 on Linux -- I'll tell you that I was a kernel contributor in the pre-1.0 kernels.

  9. Re:Newbie question.. by Codifex+Maximus · · Score: 4, Funny

    > For _most_ network-aware applications, the only
    > thing different is the address format. Once you
    > have the connected socket, the rest of the network
    > code should remain unchanged.

    So, essentially what you're saying is: After you get past all the things that are different then the rest is the same?

    Ok, I'll buy that.

    --
    Codifex Maximus ~ In search of... a shorter sig.
  10. Don't hold your breath by MeowMeow+Jones · · Score: 4, Funny

    Most of the people I know haven't even upgraded to IPv5 yet!

    Come on people, it's 2002!

    --

    Trolls throughout history:
    Jonathan Swift

  11. America Doesn't Change Standards Easily by puppetman · · Score: 4, Funny

    Heck, you are the only first-world nation that doesn't use metric, and that's easy to figure out.

    Yup, a ball and chain slowing down progress....

    1. Re:America Doesn't Change Standards Easily by Arandir · · Score: 4, Funny

      The US hasn't switched to metric for a very simple reason: those of us living here, regardless of political affiliation, have a very strong individualistic streak. We don't just go change a system just because someone bigger than us tells us to. We spent a decade in the process of conversion and in the end we decided we didn't want the hassle.

      The metric system is still taught in schools, still used in industry, and still available on every milk carton from New York to San Francisco. But we prefer the English system. We're individualists and that's our choice. Just because it isn't your choice is completely irrelevant.

      Oh, by the way, we've been using metric currency since day one, far sooner than most other countries did.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  12. In two words: unsold inventory by mangu · · Score: 4, Interesting

    With purchases of new hardware shrinking along with the economy, wouldn't these equipment makers be in a perfect position to benefit from adaptation of IPv6?

    The problem is that shrinking sales have caused a huge amount of hardware to be stockpiled at Cisco warehouses. IIRC, last year they had over 5 Giga$ worth of accumulated unsold hardware. They need technology to stand still for a while, so they can sell part of that obsolete inventory.

  13. An interesting question by wowbagger · · Score: 5, Interesting

    OK, I am about to say something that will make many of you who are knowledgeable about IPV6 cringe, so take a deep breath and get over it now.

    When IPV6 is deployed, how do I prevent the machines on the inside of my firewall from being routable?

    Right now, my personal computer is on the inside of a NAT firewall. There is no way you can route a packet to it - go ahead, try to telnet to 10.200.120.4, I dare you.

    Now, I know there are those who say NAT CONSIDERED HARMFUL, and I agree in the general case it does break the essential peer to peer nature of TCP/IP.

    But what if I want to break it?

    How well tested are the Linux kernel modules for firewalling IPv6? Can I still protect my internal machines from the slings and arrows of outrageous 5|<197 |<!66!3Z?

  14. How to transition? by A+nonymous+Coward · · Score: 4, Interesting

    Suppose I take my home network (2 computers + 1 firewall), all running some form of highly modded Slackware, and switch the internal local net to IPv6 while leaving the connection from the firewall out as IPv4. Thus the 2 computers would be completely IPv6 while the firewall would have one IPv6 nic and one IPv4 nic. I have to change all dotted quad network addresses (such as in /etc/hosts); what else is there to do? Will existing software go along with the change without recompiling? Or even with a simple recompile?

    I bet there's some FAQ somewhere that someone will find using Google. AIA

  15. Re:When? by noahm · · Score: 4, Informative
    Is that still true? Last I read they gave a large portion of their address space back.... For all I know they could have kept a couple million though.

    No, it was Stanford that gave up their class A. What were they thinking? MIT still has ungodly amounts of address space. We have net 18 (18.0.0.0/8), plus random assorted /16s (128.52, for example, is the AI lab). There are a couple others.

    The thing is, though, there's a whole lot of "reserved" address space out there. The IPv4 address space shortage is partially artificial. In some ways this is to prevent the world from grinding to a screeching halt where there really are no more IPv4 addresses. Another is that maybe it will put pressure on people to be conservative with address allocation, which might make the shortage less pressing. Maybe it will also help to speed the deployment of IPv6.

    Most OS vendors are already supporting IPv6 out of the box. WinXP, for example, can be set up as an autoconfiguring IPv6 host very easily (ipv6/install at a command prompt, IIRC). The BSDs support it very well, as do many Linux vendors. I think that it won't be long until IPv6 communication on the internet is very widespread. I don't, however, think the whole internet will be IPv6 any time soon.

    noah

  16. I've tried IPv6 with Windows 2000... by chrysalis · · Score: 5, Informative

    A major showstopper may be Windows.

    Let's see. To be widely deployed on WAN networks, IPv6 should first be widely deployed on local LANs.

    It works very well on Unix systems. My little personal network has a bunch of OpenBSD and Linux boxes, 100% IPv6, and everything works like a charm.

    But what about Windows?

    I tried it with Windows 2000. Because the OS doesn't support IPv6 natively, I had to download a patch (and it's not very easy to find, I can't remember the exact URL, the link was posted on a ML a while ago).

    Before the patch applied I had a big fat warning "Disclaimer: this is very alpha software, your OS can become extremely unstable. Don't call the Microsoft technical support any more after that, we won't answer" (the words were different, but it was the meaning).

    And indeed. The system went very unstable, even for IPv4 requests. IE worked. *some* command-line tools worked. But third party packages like Mirc, CuteFTP and Opera crashed with no further warning.

    It looks like there's no effort in the Windows world to provide IPv6-enabled software. This is a major showstopper.

  17. What About IPv6? by t_allardyce · · Score: 4, Funny

    How Long Until Widespread Deployment?

    About 15 years.

    After the introduction of the SSSCA in 2003, Microsoft dominated the US OS market. While other countries switched to IPv6, America was forced to use the proprietary protocol built into windows (thanks to auto-updates) which included advanced DRM, IP tracking and P2P restrictions - as a standard client, your computer could only connect to a 'server' i.e. a Windows machine running Windows Server Edition with a valid federal license. The internet was effectively split in 2 - USA, and the rest of the world (troll: this didn't matter as most US citizens didn't know about the 'rest of the world' lol :)

    It wasn't until the great Microsoft witch hunt of 2017, when 4000 Microsoft employees were burnt at the stake after the SSSCA was lifted (well, not lifted per se, actually, someone just blew up congress)

    --
    This comment does not represent the views or opinions of the user.
  18. Never? by Broccolist · · Score: 5, Insightful
    I'm going out on a limb here, but has anyone considered that IPv6 may never get widespread acceptance?

    From the point of view of any individual organization, there are no reasons to switch to IPv6 right now. First movers receive no benefits at all: in fact, it only makes communicating with the rest of the (currently IPv4) internet more difficult. Moreover, I imagine that many businesses large enough to have an impact already have a large IPv4 address block, and have a vested interest in discouraging others from making the switch:

    1. There is no reason for them to pay for new routers
    2. A crowded IPv4 internet might allow them to loan out some of their in-demand addresses for extra profit.

    The various hacks available for IPv4 do the job. I can easily imagine a scenario where Cisco doesn't push IPv6 routers hard enough in the future, and people invest more and more in NATs and so forth, making a global switch harder and harder as time goes on.

    The fundamental problem is that IPv6 doesn't provide any short-term killer benefits, and that's what's necessary for an evolution to take place. My prediction (though predicting acceptance of technologies is always risky, so I may well turn out to be wrong) is that we will still be using an IPv4 internet in a decade.

  19. Try freenet6.net by MavEtJu · · Score: 4, Informative

    If you are interested in playing with IPv6, try to get a tunnel via www.freenet6.net.

    They're supporting devices running *BSD, Linux, Win*, Solaris, HP-UX and Cisco IOS.

    --
    bash$ :(){ :|:&};:
  20. NAT provides convenience, not security by pHDNgell · · Score: 5, Informative

    While it may sound neat to say, ``go ahead, try to telnet to 10.200.120.4,'' it doesn't exactly work that way.

    Does this machine on 10.200.120.4 have the ability to make direct outbound connections? Assuming yes, do you realize that the only difference between an inbound connection and an outbound connection is who sent the first packet?

    Many people tend to believe that the *only* security risk they have to worry about is inbound SYN packets, so they base their entire security policy on stopping bad inbound packets. The last two sites I broke into, I did so by tricking a machine to come to me. Just for humor, here are the two scenarios:

    The first one was quite a while ago, and I did it at contract. A co-worker found a potential hole in a CGI, but nobody took it seriously. By sending the right data through the CGI, I found that I could make it execute arbitrary commands. First, I did some basic stuff (id; ls -lR /; etc...) and had it output the mail to me (couldn't see the output from the CGI). I figured out the web server user had a shell and a writable home directory, and the machine had ssh (client and server installed). I generated a private key and had it mail me the public version of that key, then I added it to my authorized_keys and installed my public key in the web server's authorized_keys. Then I had the web server user ssh to my host with remote port forwarding back into the web server's 22. ssh -p 2222 localhost and I'm sitting in a shell on the web server (192.168.something).

    The next time I saw something like this, it was out in the wild. There was a web server that was running a CGI that *seemed* like it was probably just handing the input over to a command, so I gave it a shot. This time, the web server didn't have a usable home directory, so the ssh thing was out, but it did have X installed, so I fired up a VNC server, opened it to the world and opened an xterm up in it. Before too long, I had an entire X desktop running on some guy's web server. I sent the local admin an E-mail (through pine) letting him know what was wrong and recommending he fix it before someone meaner than I am comes along.

    Anyway, point of the story. Having an unroutable IP address is good internet security as long as you keep it unrouted. Once you give the thing direct internet access, the unroutability of it becomes much less relevant.

    --
    -- The world is watching America, and America is watching TV.
    1. Re:NAT provides convenience, not security by wowbagger · · Score: 4, Insightful

      Of course only blocking incoming connections is only a part of a security policy.

      However, both the examples you gave in your message required you to be able to connect to the target machine via HTTP and issue an HTTP GET request - therefore you had inbound connectivity to the target, just not inbound connectivity to J. Random Port.

      There is NO inbound port available to you. Not 80, not 22, not 25, nothing. The only inbound ports would be when I am FTPing down a file, if I am not running passive mode. However, since the firewall only allows traffic from the FTP server, you would either have to spoof that (and then all you would do is corrupt the file I am downloading) or hack the FTP server (same problem).

      And as to the other people who pointed out that I could use a site-local address: Of course, what do you think 10.200.120.4 is? However, NAT for IPv4 is very well tested, so my "unroutable" 10.x.x.x address is still able to get to /. (as this very post bears witness to). Would my IPv6 site-local address be able to do the same - in other words, is the state of NAT for IPv6 anywhere near IPv4? Considering the common opinion is that NAT is unneeded in IPv6, I very much doubt it.

      The great thing about my workstation being unroutable is that, should I be stupid enough to get a Trojan that announces itself to the 'net and says "I am at $address $port, come abuse me", if $address is not routable, this does very little good for the script kiddie - even if the system reports a traceroute so that he can follow it back, he STILL cannot route a packet to it.

      (now, this does not stop the Trojan from connecting to an [icq|http|SOAP|...] server and pulling its commands down, but as I stated at the first of this post, no one aspect of securing a system is sufficient - security is a journey, not a destination).

    2. Re:NAT provides convenience, not security by cookd · · Score: 4, Insightful

      That doesn't change what the guy is saying. NAT prevents another computer from initiating a connection to the internal network, but it doesn't prevent you from being hacked. A clever hacker can hijack existing connections, or convince you to open connections that aren't friendly.

      For example: you browse to www.ima.hacker.net. The page has code to exploit a browser vulnerability, and the exploit code initiates a connection back to www.ima.hacker.net.

      Another problem is connection hijacking -- a hacker can send extra packets to a firewall that actually get through because they are marked as being from the same port and address as those of a real connection. This is especially easy if the hacker is able to sniff packets en route.

      Yes, being behind a NAT does reduce the risk of attacks: you probably only have to secure your client apps, not your server apps. But clients are vulnerable, too.

      Overall, IPv6 will be far more resistant to hacking. The designers had the wisdom of many years of IPv4 problems and security flaws to influence the design. Now it is much harder to spoof a packet. Now you can't sniff packet ID numbers. Any advantage that you are currently attributing to NAT can be gotten with a firewall, and much more reliably.

      Can't wait can't wait can't wait.

      --
      Time flies like an arrow. Fruit flies like a banana.
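
Added example, not part of the original thread and not any commenter's code: a small Python model of the point argued in comment 20 and its replies, namely that the inbound protection credited to NAT comes from connection tracking with default-deny inbound, which works the same for globally routable IPv6 addresses, and that it does nothing about connections an inside host is tricked into opening. The StatefulFirewall class, the 2001:db8:: documentation addresses and the port numbers are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses from the IPv6 documentation prefix 2001:db8::/32.
LAN = ip_network("2001:db8:1::/64")
WORKSTATION = "2001:db8:1::4"      # globally routable, no NAT in front of it
WEB_SERVER = "2001:db8:ffff::80"   # outside server the workstation visits
STRANGER = "2001:db8:bad::1"       # outside host nobody inside asked to hear from


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Allow outbound, default-deny inbound, no address translation."""

    def __init__(self, lan):
        self.lan = lan
        self.flows = set()  # (inside ip, inside port, outside ip, outside port)

    def _inside(self, addr):
        return ip_address(addr) in self.lan

    def filter(self, pkt, arrived_on):
        """Return "ACCEPT" or "DROP"; arrived_on is "lan" or "wan"."""
        if arrived_on == "lan":
            # Outbound: source must really be ours, destination must be outside.
            if not self._inside(pkt.src) or self._inside(pkt.dst):
                return "DROP"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: drop spoofed inside sources and anything not addressed to us.
        if self._inside(pkt.src) or not self._inside(pkt.dst):
            return "DROP"
        # Accept only replies to a flow that an inside host opened.
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reply_of in self.flows else "DROP"


def run_demo():
    fw = StatefulFirewall(LAN)
    v = {}
    # Unsolicited telnet to the workstation's public IPv6 address.
    v["unsolicited_in"] = fw.filter(Packet(STRANGER, 40000, WORKSTATION, 23), "wan")
    # Normal browsing: the outbound request creates state, the reply matches it.
    v["outbound_web"] = fw.filter(Packet(WORKSTATION, 50000, WEB_SERVER, 80), "lan")
    v["web_reply"] = fw.filter(Packet(WEB_SERVER, 80, WORKSTATION, 50000), "wan")
    # A different host aiming at the same inside port has no matching flow.
    v["other_host"] = fw.filter(Packet(STRANGER, 80, WORKSTATION, 50000), "wan")
    # A packet from outside that claims an inside source address.
    v["spoofed_src"] = fw.filter(Packet("2001:db8:1::9", 1234, WORKSTATION, 23), "wan")
    # The limit discussed in the thread: a connection the inside host itself
    # opens is allowed, and so is the return traffic, with or without NAT.
    v["host_initiated"] = fw.filter(Packet(WORKSTATION, 50001, STRANGER, 443), "lan")
    v["its_return"] = fw.filter(Packet(STRANGER, 443, WORKSTATION, 50001), "wan")
    return v


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15s} {verdict}")
```

Restricting the last case takes an outbound policy (egress filtering), which neither NAT nor inbound-only rules provide.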
  21. Re:When? by Cardhore · · Score: 4, Funny

    That's because China only needs one IP for its firewall.