Free IPv6 Subnets Are Going Away
ar32h writes "The 6bone is going to be phased out soon.
This means all of us who have IP addresses or subnets beginning with 3ffe from tunnel brokers like Freenet6 are going to be sorry out of luck." According to the linked phaseout plan, "It is anticipated that under this phaseout plan the 6bone will cease to operate by July 1, 2006, with all 6bone prefixes fully reclaimed by the IANA," but there are a number of sub-deadlines along the way.
sucks to be the people that use freenet! ha ha. . . oh wait.. that includes me. SHIT! =(
Oh wait...
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
I used a 3ffe prefix a few years ago to get acquainted with IPv6. These days, my JANET provided tunnel serves me well. Performance to a lot of 6bone networks has been deteriorating with all the free subnets they have been allocating.
"...by July 1, 2006, with all 6bone prefixes fully reclaimed by the IANA," but there are a number of sub-deadlines along the way."
would it not be more useful to name the closest deadline, not one three years away!?
mmmm pissed @ boathouse chester.
Strikes me that IPv6 was about to make some progress amongst the early adopters (ie unix/linux users - or at least me) and now it's gonna cost, so what's the point?
the IANA giveth, the IANA taketh away. Are they running out of addresses already?
The closing of the 6bone is a step backward, but the claiming of the address space may be a step forward in a large scale implementation of IPv6. Till then I am still going to run my experimental private backbone on IPv6 whether IANA wants it or not, or cares for that matter. :)
http://ebgp.net/ccc/
Ah, all right... I just hope I have moved by then. I hope my tunnel broker does too.
You can get free IPv6 subnets using the much more efficient 6to4. 6bone isn't needed any more; that's why it's being phased out.
2006? Who cares, we will all have jet cars by then...
Am I the only one who reads IANA as "I am not a?"
Hurricane Electric also provides free IPv6 tunnels...I used one to play around with IPv6, but tunnels seem to have fairly high latency.
So from reading the memo, I get the impression that this is the first step in phasing in IPv6 as the Real Deal... am I way off base here, or are we finally gonna be able to get rid of IPv4 once and for all?[1]
[1] Yeah, I know... backwards compatibility and everything, we'll never *totally* get rid of IPv4, but I'm just so damned tired of the hassles of NAT...
- fader
The problem is, till the IETF gets the next protocol going we will be without IPv4 addresses and your ISP is going to sell you a NATed connection.
http://ebgp.net/ccc/
Are they afraid they're gonna run out of IPs or something?
Haha, I just can't wait till IPv7... According to Serial Experiment Lain, that will lead to a socially inept script kiddie/h4x0r-g0d ctr-alt-deleting reality.
Don't hold your breath for everybody to implement IPv6, IETF is already planning the next generation of IP without (hopefully) all the problems.
What's the working group called?
the 6bone network was a TEST NETWORK, if you didn't fully expect this TEST NETWORK to go away after a while, you are just plain delusional.
Here's the relevant text, snipped from the TOP of the memo (i.e. you didn't even have to read MUCH of it.)
The 6bone was established in 1996 by the IETF as an IPv6 Testbed network to enable various IPv6 testing as well as to assist in the transitioning of IPv6 into the Internet. It operates under the IPv6 address allocation 3FFE::/16 from RFC 2471. As IPv6 is beginning its production deployment it is appropriate to plan for the phaseout of the 6bone.
So, please, please, PLEASE stop complaining about something that was supposed to be going away from the very beginning!!!
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
6bone? Oh my, i've slipped onto one of those sites again! /me closes before mum walks in
ARIN is the reason there are no more IP addresses. Their policies don't allow small companies any way to dual home, and their stupidity results in lots of companies getting far more addresses than they need. Did you need more than a /24? I know you got more because they can't dish out any less than a /22 or so now.
I think that ARIN should start a policy that for any new allocation, 1/16 must be dual homeable. These addresses would be dual allocated to two ISPs at the same time and that any large ISP that needs more address space must set up agreements with other ISPs. This would force them to change from the model they use now to one with more cooperation.
Right now I need 16 addresses that can be routed via either NTT or Telstra, but to get 16 with ARIN's model I have to pay them too much and then they give me far more addresses than I will ever use.
Yes 6bone itself is going away, which means the 3ffe::/16 address allocation is going to be reclaimed down the road. What this means is tunnel brokers like freenet6 are just going to need to get a new address allocation. There are a number of tunnel brokers already using other addresses, mainly under 2001::/16. So for all the posters who are going all doom and gloom, get a clue, wait, this is slashdot.
I wish people would *read* the articles first and *understand* what they mean before blathering on about them.
-AS
One of the main problems with it is security. What firewall admin in their right mind would allow users to do end-to-end encryption through a firewall without being able to control the traffic?? IPv6 will NEVER take off. Besides, there's no shortage of IP addresses if IANA would get off their ass and allocate them. There are huge class A networks yet to be touched, and more and more businesses are just finding NAT'ing is easier and more secure anyway. Why pay ARIN for address space when you can NAT several thousand people to one or two IP addresses?
You do realize that you can get a block of IPs from one of your ISPs, and if they are willing, they will SWIP it to you, assign you an ASN, and you can do BGP between the main ISP (that the IPs belong to) and any other ISP that will do BGP with you.
Even if your link to the main ISP goes away, your IPs that belong to them will still route through the other ISPs you have connections to.
This is how you are supposed to get IP space and multihome for small blocks of IPs. (Small being under a /20 as of 1998, I believe it was.)
If you need a /20 or more, you are supposed to buy the block from ARIN directly.
In their contract, it actually states you have a year's time to renumber your networks and give the ISPs' IP space back to them, and use only your ARIN space. If you don't give the ISPs' space back, you are in violation of your contract.
But the whole reason that is there is because getting an ARIN block of IPs is an upgrade path from your large block of ISP IPs.
Both can still do BGP just the same.
Also, to get an ARIN block, you must be multihomed already. That in itself should tell you you can multihome without their help :)
The main problem is, a lot of routers are configured to ignore routes smaller than a C class (/24), so if you got less than that, they can't guarantee all backbones over the world will have routing table entries for their customers'/transient traffic to find your network.
Any backbone that used such filters would never route traffic to you, either from their customers, or from anyone that has to route packets through them.
Backbones do this because they do not want to buy memory for lots of routers. This has nothing to do with ARIN.
Some nicer ISPs will still do BGP with you on very small blocks of IPs, but as a large chunk of the net won't see you.
The only way to solve this is for the main ISP to mark a whole /24 of theirs on its own ASN, and tell the other ISPs you use to route over the whole block. If you want to subnet just a /28 out of that, you're more than welcome to. But as the ISP can't use any of the other IPs in that /24, it would be more wasteful to leave them unused than to simply route them to you in the first place.
What? You are not a what?!
Computers are useless. They can only give you answers.
-- Pablo Picasso
I have heard of IPv6 and have a vague idea of what it is, but could someone elaborate? Why aren't we already using it de facto, and what are the ups and downs to it?
> "I allege that SCO is full of it" -Linus
does anyone know what in the hell this story is about?
What firewall admin in their right mind would allow users to do end-to-end encryption through a firewall without being able to control the traffic??
Have you ever heard of SSH or SSL?
I don't think you know what you're talking about.
The IPv6 protocol declares that extension options are end-to-end, meaning that in-between nodes do NOT look at any of the options headers. The ONLY exceptions are the Hop-by-Hop option header, the Routing header, and the Destination options header.
Packet fragmentation and reassembly are ONLY done by the source and destination nodes. (Yes, the underlying link may do fragmentation, but that is entirely the problem of the layer below, IPv6 does not care...) The IPv6 header area - which includes the Hop-by-Hop header, Destination options, and Routing headers, if present - is considered UNFRAGMENTABLE.
You need to re-read RFC 2460.
Brandon Hume
hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
ON TOPIC: It reminds me when I was a kid and our neighborhood was being built over a period of several years. It wasn't one of those circuit neighborhoods where they develop three floor plans and build 1000 identical homes. This was a neighborhood where you bought the land and were then responsible for buying your own floorplan and/or hiring an architect to design or modify one for you. We had lived there for a number of years, and during that time, my friends and I had turned some abandoned lots, still covered with trees "in the wild", into our "clubhouse." It was really cool. We had put together these cheezy, sloppy little shacks with all kinds of construction leftovers from other parts of the neighborhood, like 2x4s and pieces of thrown away plywood. It was probably dangerous--these things could have toppled over on our heads because they certainly weren't nailed in place. But we were kids, so who cared? There was even a small crater where a four-seater airplane crashed some years before, and that was our "punishment hole." If all the kids voted that one of the kids was a troublemaker or a bully or something, then when that kid came outside to play, he had to sit in that pit all day without being allowed to play with the rest of us, and this had to go on for a specified number of days. (Nobody ever got sentenced to that punishment though.) It was really cool, and this went on for a number of years. One day, we go to our "clubhouse" to find that all our stuff was taken down and there was a big bulldozer knocking over all the wild foliage. They had already taken down a few of the trees and were in the process of clearing the rest of the land to begin construction of a house. Of course, I was a kid and didn't understand these concepts, so I remember running home to my parents and yelling that someone was tearing down our clubhouse! 
They explained that this land had belonged to someone throughout all the years that we had used it as a clubhouse but they just now got around to developing it. So how come we were being kicked out, I asked... My parents said, "You should be happy that they let you use that land for all this time, instead of complaining that you're being kicked out!"
That's what I have to say about this 6bone. Don't bitch about getting kicked off. Be grateful that you had the 6bone at your disposal for about six years. And then drink Negra Modelo, get drunk, and feel no pain.
/me watches everything said splat onto the wall behind his head.
;)
Never understood subnetting. Never will. Hope I don't need to
And already, some corporate firewalls are starting to forbid them...
By far the best tunnel provider I've used is IPNG-UK. I can whole-heartedly recommend it to anybody wanting to use IPv6 now!
why do you think that ip6 is going to remove the necessity of NAT? I've seen several network installations that use 1-to-1 NAT. This configuration does not cause anywhere near the number of problems that you are thinking of. I can even think of one site that used 1-to-1 NAT twice on the same network block. Once to go from public IP to a private range, and then on the other side of the network another router did 1-to-1 NAT back to the packets' original IP.
Not to mention that many users of consumer level NATing devices (Cable/DSL routers) do so for financial reasons, not out of necessity. Why pay your ISP for another IP address when you can run upwards of 200 machines on the one you already have.
My spouse works for the cable co, so I get free cable modem service, but I only have 1 IP because I'd rather not play the DHCP game with every machine on my home network, praying that they stay within the same subnet so they can talk to each other directly. Plus, I don't like the idea of all of my local traffic being bridged to the NOC just because the modem firmware doesn't know any better.
One of the main problems with it is security.
This should be good.
What firewall admin in their right mind would allow users to do end-to-end encryption through a firewall without being able to control the traffic??
Never heard of VPNs?
Besides, you can set up IPSec on IPv4 if you want.
Besides, there's no shortage of IP addresses if IANA would get off their ass and allocate them.
Routing tables are finitely-sized. You can't just run around slicing everything up finely and handing out three addresses here, seven there. Having a routable address with not-hideously-expensive routers means some address space waste.
There are huge class A network yet to be touched and more and more businesses are just finding NAT'ing is easier and more secure anyway.
NAT *easier*? That's a new one.
As for more secure, you can get the same degree of impaired functionality by simply telling your organization firewall "no inbound connections".
Why pay ARIN for address space when you can NAT several thousand people to one or two IP addresses?
Because NAT is a PITA and an utter hack?
May we never see th
Guys, there are a lot of misconceptions about IPv6. I appreciate this - it's not an intuitive subject, and it's possible to believe you know a lot more about it than you actually do. But, the details are there. Please do the reading and start asking your ISP for connectivity. No, your real ISP. There are people out there who want to deploy this, now, and we're waiting for customer demand. Go nuts!
Dave
NAT breaks end-to-end connectivity, which is the way the Internet is supposed to work. Every host should be reachable by every other host. Additionally, NAT by itself does not make a network more or less secure, though it may cause lazy sysadmins to believe they don't need to secure individual hosts because they are not on a publicly routed network. Remember that most attacks come from within your network!
Blog Ho
Note that any single IPv4 address can be used to claim a /48 -- that's 80 bits of address space -- of IPv6 address space by sticking 2002: in front of it, e.g. 192.0.2.69 -> 2002:c000:0245::/48. This is called 6to4; see RFC 3056.
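The 2002::/48 mapping described above, worked through as an added example in Python (not code from the original post); the address 192.0.2.69 is the one the comment uses, and the list of non-routable IPv4 ranges it rejects is an assumption of this example, not part of RFC 3056's text:

```python
import ipaddress

SIXTO4_PREFIX = 0x2002  # top 16 bits of every 6to4 address (RFC 3056)

# Assumed for this example: IPv4 ranges that can never be the endpoint of a
# 6to4 tunnel (RFC 1918 space, loopback, link-local, multicast).  Any /48
# derived from them would be unreachable from the outside.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


def ipv4_to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 /48 that a public IPv4 address implies.

    The 32-bit IPv4 address is placed in bits 16..47 of the IPv6 address,
    directly behind the 2002 prefix.  The remaining 80 bits (a /48) belong
    to the site that owns the IPv4 address.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NON_ROUTABLE):
        raise ValueError(f"{ipv4} is not a publicly routable IPv4 address")
    bits = (SIXTO4_PREFIX << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((bits, 48))


def embedded_ipv4(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 endpoint embedded in a 6to4 address.

    Defender's view: a packet from 2002::/16 really originates at the IPv4
    address in bits 16..47, so that is the address to log, filter or
    rate-limit, not the 128-bit address on the wire.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if (int(v6) >> 112) != SIXTO4_PREFIX:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def site_bits(prefix: ipaddress.IPv6Network) -> int:
    """Number of address bits left to the site behind a prefix (128 - length)."""
    return prefix.max_prefixlen - prefix.prefixlen


if __name__ == "__main__":
    p = ipv4_to_6to4_prefix("192.0.2.69")
    print(p, "->", site_bits(p), "bits for the site")      # 2002:c000:245::/48 -> 80 bits
    print(embedded_ipv4("2002:c000:245:1::1"))               # 192.0.2.69
```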
If you were to remove the firewalls and simply attempt to "secure" every individual node on the Internet (a difficult task, one might suggest an impossible one), you can bet there'd be a hell of a lot more attacks than there are today.
Firewalls, NAT routing, and other security measures, no matter how half arsed, are certainly cutting down on the number of targets of opportunity on the Internet, and that's a good thing. That said, I'm probably going to try the 6on4 route myself at some point. I hope Slackware and Mac OS X are both reasonably secure, and it'll be an interesting experience reorganizing my network to work in an environment where I can't just assume that only my own machines will have access to the services they offer each other.
You are not alone. This is not normal. None of this is normal.
While previous coverage of the OS mostly centered on technical issues, this revelation about the future of the global network will hopefully involve an upswing in LainOS development,
Lead developer Neoevangelist, last reported looking for some good Open Source speech recognition libraries, was unavailable for comment.
Let me put it this way.
:)
A long time ago, we had a network. It was quite good. It was the phone network. It was great, but it carried voice traffic, and not a whole pile else.
Some bright spark had this notion of packet switching, and it caught on. It's like this - once you deploy the packet switching network, the telco is no longer the arbiter of what applications are run on it. You are. You can run a mail server, I can run NNTP, and some maniac over there is writing something called a Web Browser.
The innovation that made the internet what we know today came from the fact that any idiot could develop a protocol, not just a telco engineer.
Now, cut forward. We have an internet, but we're kind of short of address space, so we use a lot of NATs to conserve them. What's going on here? Well, I can use a sensible TCP application, but that's about it. If I want to run some crazy app that needs Multicast, or an instant messenger, or something that just doesn't get on with the TCP congestion algorithm - well, not only do I need the permission of my network security team (which is good and proper) - but I need support from the NAT box.
The NAT box needs to support my protocol, which might not even exist yet. You want to talk about chicken and egg?
And innovation stops. There's a lot of talk of the end-to-end principle and handwaving and that, but that's the meaning - there's no more innovation.
NAT is not a security policy. It's a means to conserve addresses. It has an added feature that prevents you connecting directly inward to hosts on the network - but so does a stateful firewall. The point of compromise is exactly the same. It's rude to use global IP space behind a firewall like that in IPv4 land, but only for purposes of conservation. In IPv6, that doesn't apply.
I'm not claiming that IPv6 is going to solve all these ills - but NAT is a bigger hassle than you give it credit for. A prerequisite for solving this is having more address space. We'll tackle the rest in good time.
Why pay your ISP for another IP address when they'll give you a /48?
Why play the DHCP game when IPv6 completely obsoletes DHCP?
Why worry about whether the computers get stuck on different subnets when IPv6 stacks all cleanly handle being on more than one subnet? (one of which need not be your ISP's)
in soviet russia, subnets take you away!
I suspect the 're' in re-read was not needed. ;)
The Kruger Dunning explains most posts on
Given that there are 2^128 (= 3.4*10^38) addresses available, how about a group unilaterally grabs around 10^30, a very small (negligible?) portion, for free distribution? Each person on earth gets allocated around 10^20 addresses for their personal use. Allocation could be done by setting up a web site and having a script that keeps track of enough details to uniquely identify a person and allocating them an address block. It will be up to each person to honour others' address allocations and keep to their own turf. Given that each person can easily get 10^20 addresses of their own, hopefully the incentive to invade other people's address space will be small. As new people are born, parents can divide their family pool among their children. 10^20 addresses should see even the most active couple out for quite a few generations.
IANA can have fun assigning the rest of the (10^38-10^30 = a big number) addresses.
If IANA don't like this, they can go and make a running jump. As long as enough people participate in the scheme (and the network is decentralised enough) it will work.
NOW is the time to do this! One does not need the network to be implemented to allocate addresses! If by the time IPv6 hits the streets a few tens of millions of people have personal address spaces allocated, it will be difficult to demand that IANA be the sole issuing authority. If enough people have allocations, and someone tries to take them away, the ballot box might even come into play.
The above is just an idea.
These ones think it means a withdrawal of IPv6.
Far from it. The 6bone was established when nobody had IPv6 stacks really, nobody really used it. It was a playground to try it out. And we have been.
Now, Sun has IPv6, Cisco has it ready and waiting, the BSD's all have, Linux has it, AIX, HPUX, MacOS X. Hell even Windows has it. (I await MS's announcement of its invention soon).
IPv6 is here and ready and tested.
The notion of closing the 6bone (discussed for months on the 6bone lists), is that in 3 years you SHOULD be able to get IPv6. Not tunneled, no long hops.
Me? I call my cable modem people (dsl before I moved) and would get the second level tech support people and ask for IPv6 support. Try to get it on their radar. Wouldn't you love your cell phone to have an IP address? Hell, wouldn't you love a (firewalled) IPv6 aware electrical outlet? (x10 is getting old and lame).
So you have 3 years to convince your ISP that they should have IPv6.
This isn't the place to go into details, but it's designed and planned to run concurrently with IPv4. This isn't like the NCP/TCP changeover where there was a huge red-flag day for all 200 hosts on the ARPAnet.
Everything in my house speaks IPv6 except a printer and a terminal server (you do all have terminal servers for those serial toys, yes?). Those will never be upgraded - too old. When I ssh, mail or browse, if they have a 6 address and I can reach it, it gets used. Otherwise it falls back to IPv4.
At work, if you have a subnet with all IPv6, you can turn off IPv4 and let your edge gateway it. But you may not be turning off all the IPv4 until that last printer dies. Do it subnet by subnet and leave IPv4, but just watch it not be used.
Bonuses?
No more need for NAT (I have 65 thousand INTERNETS of addresses here).
IPv6 stacks are looking faster than IPv4 (not based on a presumption of 16 bit PDP-11 processors).
So where the hell is www.slashdot.org?
nslookup -q=aaaa www.slashdot.org
Can't find www.slashdot.org: Non-existent host/domain
One of the big problems with IPv4 is that worms can trivially scan the complete address space. With IPv6 that is not practical. This means that worms would have to use other methods, such as guessing DNS names and resolving them to IPv6 addresses. This would slow them down tremendously and cause them to fail to hit most of the vulnerable machines. In contrast, Code Red managed to get behind firewalls in many companies. To me it looks like the IPv6 scenario is safer for a naive user (the kind who thinks that NAT protects them), and any security policy that is applied to IPv4 can be applied equally well to IPv6.
Finally! A year of moderation! Ready for 2019?
Anyone know if there's a way to connect to IPv6 yet from a GNU/Linux box through a Linksys router? I've got NAT on the router so that I don't have to pay for multiple IP addresses, but that seems to kill most tunnel software.
One of the largest worldwide networks (government-related) is moving to "cracking" all incoming SSL connections (mainly by acting as an intermediary). Works great but high latency. Connections initiated from inside the network are still allowed encrypted. Their policy is without content scanning, there will be no connections from outside the network.
What you are suggesting here is a very bad idea.
The whole reason that provider-based IP space is advocated over each multi-homing customer obtaining their own space off the RIR is because of the mess of really long prefixes that the latter causes in BGP.
Advertising part of a larger allocation is frowned upon, as it causes the same problem. Additionally, the majority of tier 1 providers in the US (and, I presume, elsewhere) will not pass on the advertisement of anything longer than about a /19, with exceptions in their filters for the majority of /24s and /23s allocated by the old registries in the days before the 4 RIRs (192...., parts of 203, etc.)
Additionally, if you advertise part of an ISP's TLA to another provider, and the ISP who owns the block hasn't put a hole in their aggregation filter, ALL your traffic will flow through the second ISP (the one who doesn't own the block.) This is due to longest-match routing, where the most specific match wins. Routers will have entries for, say, 203.94.128.0/19 (aggregate from the ISP,) and 203.94.156.0/23 ('your' network which is being advertised through the OTHER ISP.) The /23 will always win because it's more specific.
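The longest-match behaviour and the prefix-length filter described in the post above, as an added example in Python (not code from the original poster). The routing table, the ISP names and the legacy-space exception list are constructed for this example; only the two prefixes 203.94.128.0/19 and 203.94.156.0/23 come from the post.

```python
import ipaddress

# Constructed routing table for the scenario in the post: ISP-A owns and
# announces the /19 aggregate; 'your' /23, carved out of that aggregate,
# is announced only through ISP-B (the provider that does not own it).
ROUTES = [
    ("203.94.128.0/19", "ISP-A"),   # aggregate from the owning ISP
    ("203.94.156.0/23", "ISP-B"),   # the customer block, via the other ISP
]


def best_routes(routes, dst):
    """Longest-match lookup.

    Returns every (prefix, next_hop) whose prefix contains dst and whose
    length equals the longest covering prefix.  Several entries come back
    only when two providers announce the same most-specific prefix; then
    BGP decides on other attributes, not on prefix length.
    """
    ip = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), nh) for p, nh in routes
                if ip in ipaddress.ip_network(p)]
    if not covering:
        return []
    longest = max(net.prefixlen for net, _ in covering)
    return [(str(net), nh) for net, nh in covering if net.prefixlen == longest]


def next_hops(routes, dst):
    """Sorted list of providers that traffic for dst can leave through."""
    return sorted(nh for _, nh in best_routes(routes, dst))


# Assumed model of the tier-1 filter the post describes: nothing longer than
# a /19 is accepted, except /23s and /24s inside legacy (pre-RIR) space.
# The legacy list is a constructed approximation of "192...., parts of 203".
MAX_PREFIXLEN = 19
LEGACY_SPACE = [ipaddress.ip_network(n) for n in ("192.0.0.0/8", "203.0.0.0/8")]


def passes_tier1_filter(prefix):
    net = ipaddress.ip_network(prefix)
    if net.prefixlen <= MAX_PREFIXLEN:
        return True
    return net.prefixlen <= 24 and any(net.subnet_of(legacy) for legacy in LEGACY_SPACE)


if __name__ == "__main__":
    # A host inside the /23: the more specific route wins, so ALL of its
    # traffic leaves via ISP-B even though ISP-A owns the address space.
    print(next_hops(ROUTES, "203.94.157.10"))          # ['ISP-B']
    # A host elsewhere in the /19 is unaffected.
    print(next_hops(ROUTES, "203.94.130.1"))           # ['ISP-A']
    # Once ISP-A 'punches a hole' and announces the /23 as well, both
    # providers are candidates and prefix length no longer decides.
    patched = ROUTES + [("203.94.156.0/23", "ISP-A")]
    print(next_hops(patched, "203.94.157.10"))         # ['ISP-A', 'ISP-B']
    print(passes_tier1_filter("64.100.0.0/23"))        # False: too long, not legacy
```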
You're doing it wrong.
I am totally underwhelmed by this turn of events.
Given that IPv4 space is no longer at risk of being exhausted, there is virtually no real incentive to switching to IPv6. The only one that exists right now is the "geek factor", a measure of "coolness" recognized only by other geeks (and then, most of those are now considering it to be boring).
Had the IPv6 proponents really wanted to get more people to switch to IPv6, they would have wised up and offered something substantial. Free IPv6 addresses in the 6bone that were never intended to be permanent simply brought out just a small limited response. But if they had offered real permanent addresses, maybe a lot more people would have responded.
Although IPv4 space is no longer at risk of running out, it does have limitations that prevent any substantial portable address space from being allocated to all who want it. IPv6 has that space. There is no excuse for not doing so. But the IPv6 people are trying to make using IPv6 hard by their absurd policies. They have no one to blame but themselves why so many are not migrating to IPv6.
I do have IPv4 space. For places potentially running only IPv6, there will be the IPv4 equivalency range of IPv6 which I can use. But I won't have any reason to deploy that until after there are a substantial number of IPv6-only locations. Of course, no one will want to have only IPv6 until enough reachability exists in IPv6. Chicken. Egg.
now we need to go OSS in diesel cars
I mean, I understood why IPv4 addresses cost so damned much - there was a really limited supply. (Having taken econ in high school and college, I'd like to think I understand the basics of supply and demand.)
I thought the point of ipv6 was that there was so huge a supply that it really didn't matter. So - then - WHY do they charge so much for blocks? $2500/year is a lot! Yeah, I know, on a PER ADDRESS basis it is nil, but still!
Anyone have an answer?
Or is it "because they can?"
quis custodiet ipsos custodes - Juvenal
6 to 4 is all anybody can use unless you have a fat pipe or a sponsor. It'll still be there.
Sorry, but IP6 will never take off as an addressing system till Microsoft includes a full stack, installed on a NIC by default, with Windows. Till then, I won't be getting too excited by ANY development for IP6.
IRECTAL
The problems with NAT in many cases are overestimated. I was working for one mom & pop ISP which provided over 100 business clients in Riga, Latvia with internet, mainly over wireless links to areas where DSL or cable were not available. I was responsible for implementing all this system, and what I did was put a Linux router on the roof of one high building, installed antennas and started to figure out how to do the routing, considering that we were connected to two different uplink ISPs but they asked some fee for every block of 16 IPs.
Besides, we were too small to install BGP4 or anything, so we just bought only 16 addresses and used NAT for all clients. Plus one IP for the SMTP, POP3, DNS and web servers we were hosting for the clients. We routed "real" IP addresses only to a few geeky clients who asked for them. There were only 5 or 6 cases. The majority of clients saw no problem with NAT. They simply used the internet for web browsing, e-mail, banking and chatting.
NAT helped to keep our network more or less secure. The clients don't know anything about security. Hey, while creating POP3 accounts for them I even had to tell them: "No sir, you cannot have an e-mail account without a password." Their Windows boxes are never patched but we never had Code Red or other worms.
Of course, NAT breaks many things and sometimes I wished we had not used it. When we started to connect residential clients it turned out that they were much more demanding regarding bandwidth, reliability etc., including routable IP addresses, than businesses, although they were ready to pay much less. However, from the business point of view I cannot see much profit from using IPv6 instead of IPv4 combined with NAT.
This is kind of interesting --- when you will look where IPv6 was started to be adopted, first you will see Asia, mainly Japan. Then, slowly, Europe joined --- in fact from January on, things start to massively speed up here, a lot of providers decided at once that they want to try the thing out. Then there is North America, where somehow... well it doesn't seem that some remarkably wide IPv6 adoption is going on there.
The main reason is availability of IPv4 addresses (the whole of Japan has IIRC less than MIT; overall, North America is where the address shortage is least apparent), but the side effect is that the centre of progress and the cutting-edge front is moving from America to Asia and Europe. That is where probably most of the further development is going to happen.
It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
Why play the DHCP game when IPv6 completely obsoletes DHCP?
I am sorry but IPv6 still has DHCP for active configuration, but also has a passive configuration protocol that is supported by the radvd - router advertisement daemon.
In 2001, I installed an IPv6 subnet with Mobile IPv6 support, where passive auto-configuration was needed to detect that the computer (Mobile Node) had changed network.
Fear is the mind-killer.
SSL is secured against man in the middle attacks.
Basically, Trent (i.e., Verisign, Thawte or others) signs a certificate for Bob indicating his domain. Alice sends Bob a request for the certificate, Bob sends Alice the certificate. Alice verifies that the certificate is properly signed. Alice then uses that certificate to encrypt all communication with Bob.
Yes, I glossed over LOTS of details, like what the certificate is, but that's the portion of the algo that stops man in the middle attacks.
The only way to perpetrate a man in the middle attack is to get Trent's keys, so you can sign your own certificate as Bob, or to get Bob's key, or to compromise Alice's or Bob's machine.
NAT helped to keep our network more or less secure.
My argument is that the "security benefits" of NAT that the AC was claiming can be easily reproduced without NAT...but you also have the flexibility to choose not to use NAT.
Granted, I don't know whether IPv6 blocks will be cheaper than IPv4 blocks. I would certainly hope so, but I suppose that if they cost the same (despite the larger supply), NAT would be worthwhile in those cases.
May we never see th
SSL is secured against man in the middle attacks.
Basically, Trent (i.e., Verisign, Thawte or others) signs a certificate for Bob indicating his domain. Alice sends Bob a request for the certificate, Bob sends Alice the certificate. Alice verifies that the certificate is properly signed. Alice then uses that certificate to encrypt all communication with Bob.
If you control both the gateway and the client machine (as in a corporate / govt. network), you can MITM SSL fairly easily.
Let's say that Vader is the big bad imperial gateway, it works like this:
Alice sends Bob a request for the certificate, which is intercepted by Vader because he is a transparent proxy. Vader proxies the request and gets the domain name from Bob. Vader creates a new certificate with Bob's domain name and signs it with Vader's key. The new cert is passed on to Alice, who has Vader's public key in her trusted CA list (as per company policy). So Alice encrypts data with Vader's key, who then decrypts it, scans the content, and re-encrypts it using a different key to send on to Bob. Higher latency, but it works.
So combine that with blocking any outbound traffic that can't be scanned (somebody brought a laptop from home, sorry, too bad, against company policy) and you're all set.
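The check Alice performs, and why the gateway trick above only works once Vader's CA is in her trusted list, as an added example (not code from any poster): Trent, Bob, Vader and the host name bob.example are constructed names, and the code uses only Go's standard crypto/x509 package. Reporting which root anchored the chain is also how Alice, or a monitoring tool, can notice that a corporate CA rather than the expected public CA is vouching for a site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn: a self-signed CA when parent is nil,
// otherwise a server certificate for the host cn signed by parent/parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors elided: demo only
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // a CA is allowed to sign other certificates
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // a leaf is bound to the domain name Alice will check
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// anchor is Alice's check: chain leaf (presented for host) up to her trusted roots
// and return the CommonName of the root that anchored it, "" if it is not trusted.
func anchor(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return ""
	}
	return chains[0][len(chains[0])-1].Subject.CommonName
}
```

With only Trent trusted, a certificate for bob.example that Vader signed fails `anchor`; adding Vader's CA to the pool (the "company policy" step) is exactly what makes it pass, and the returned root name shows which CA is vouching.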
While Windows XP SP1 has "production" support for IPv6, this is a far cry from Windows supporting IPv6. The XP SP1 computers represent maybe 1% of all Windows computers. XP might represent 10% of all Windows computers. XP can't be installed on over 50% of Windows computers, so the only way those can support IPv6 is for them to be upgraded to Linux.
And IPv6 isn't "out of the box" even with XP SP1. So that means that ISPs will have to provide their own network installation software to turn it on - most have their own "network installation" software to simplify configuration for their customers.
The lifetime of a recent Windows computer should be a decade. While a replacement computer costs around $200, you need to pay Microsoft $100 to get a valid license, so replacing things like CDROM drives and mice will make sense for most PCs which for the most part are used for web browsing and email.
ISPs are part of the telecom world which is officially or in practice in bankruptcy, so none can afford to discard the customers who pay a couple of hundred a year for email and web access.
Businesses on the web can't afford to lose any customers so they can't afford to not have an IPv4 address.
The move to IPv6 is not going to happen soon, for the same reason that the move to broadcast HDTV is going to happen by the current deadline which is years later than the original deadline.
I wouldn't be surprised if IPv6 is replaced by another standard before IPv4 happens. After all, IPv6 is the second attempt to expand the address space, one that STARTED when the prior standard became available on all major operating systems.
The prior standard, the OSI suite, was a COTS system, commercial off the shelf, which means it cost money to get an implementation. IPv6 was supposed to be so much simpler that it would be faster and cheaper to deploy, but as far as I can tell, IPv6 costs real money, and more real money, than IPv4, for all but the most technologically astute.
The reason many end-users consider dual-homing is to make sure that their services are available in the event of a failure of one of their Internet connections and under IPv4, BGP is among the least expensive ways to achieve that end.
IPv6 anycast fixes that problem and others without BGP or an AS number. Anycast works similarly to multicast under v4, except that when you address a packet to an anycast address, it is delivered ONLY to the closest host with that address. Because of that, you can have a collection of geographically diverse (for example) web servers on different subnets answering a certain anycast address, each of which will automatically take over for any of the others in the event of the failure of either a network or a host.
As for host-originated traffic, IPv6 hosts handle multiple IP addresses and gateways very cleanly, so you can literally just bring in some T1s from a couple of ISPs and let the hosts discover and use them for outbound connections.
IPv6's biggest driver was the rapidly-dwindling address space pool. But that problem is virtually gone due to the availability of NAT, and the way that web servers have cleanly implemented name-based hosting services.
Unless there's some new service that's only available on '6, or some other reason for people to learn a complex new technology... I just don't think v6 will ever be widely implemented.