MIT Technology Review Slams IPv6
PCM2 writes "In the MIT Technology Review, Simson Garfinkel, noted author of Internet security books, writes that "the next version of the Internet Protocol, IPv6, will supply the world with addresses by the trillions. Too bad it will also make the Net slower and less secure." His article goes on to explain that all IPv6 code is untested and therefore insecure; that IPv6 encourages 'peer-to-peer based copyright violation systems'; and of course, that the switch is never going to happen anyway (and yet, somehow, the United States is 'falling behind')."
Is this article technical or is it political? It sounds as if it might be better suited for the opinion pages.
MIT is one of the great hogs of current IP addresses; maybe if issues like this were addressed no new system would be necessary.
vampirical
Well sure the ipv6 code isn't as tested as ipv4 and might be insecure at first... But did that stop the internet from being built on ipv4? It's a stupid argument against upgrading to a new technology.
Cthulhu Saves.
Sure, they're not exactly the most honourable or squeaky clean businesses on the planet, but they sure as hell are the most popular.
0110100100100000011000010110110100100000011000100
Security and functionality over speed. Speed will catch up, eventually. Doing NAT everywhere sucks. If speed is the biggest con, then, well, there is no con.
The result of this decision made nearly 30 years ago is that the Internet simply cannot handle more than 2^32 or 4,294,967,296 devices.
Hey MIT - do you really need/use all 16.7 million IPv4 routable addresses you have? Why not share a few?
Don't blame me, I voted for Kodos
One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there's never a good time to have people start deploying systems that are only V6--that's because somewhere, somebody is going to have a machine that's V4 only, and they won't be able to communicate with you.
I think that admins will find themselves not bothering with IPv4 for individual things at their site when they find themselves out of IPv4 addresses for less-critical things.
For example, pretend it's 2008 and IPv6 is commonplace. You have an IPv4 /28 from your provider. You also have an IPv6 /48. The /28 has been fully allocated since 2006. Your www.yourcompany.com server will have an ordinary A record pointing IPv4 users at it for a long time yet, but what's your plan to let people on the outside get to your [insert-not-entirely-mission-critical-thingy-here] server (that happens to work with IPv6)?
It's an even easier decision if you, as a home user, get a single static IPv4 address for your DSL line as well as an IPv6 /48.
There is absolutely no security requirement! Security is supposed to be applied in other layers, with SSL and stuff running on top of an assumed insecure link.
It would be *nice* if there was better encryption support at low levels, to overall prevent information leaking, but even total lack of such features would mean no step back from IPv4.
Simson's right in denying IPv6's short-term inevitability, but he's still being too easy on it! IPv6 is just plain dumb. He should say it.
IPv6 creates much larger headers, so there's more overhead, particularly, as a percentage, on short packets (voice, ACK's, etc.). So it'll waste bandwidth, or lower effective throughput on fixed bandwidths. We need this? It is not even using its 128 bits efficiently. The general approach is to use the top half to identify the network and the bottom half to include the 48-bit MAC address of the computer. That was a clever hack in 1985 when proposed for DECnet Phase V (which never caught on) and became an approach in OSI CLNP. But that was not for a public spammer-ridden insecure Internet. Now it is a security and privacy hole to do that. It also means the 128 bits are not used efficiently -- we are tight with 32 bits, but an address for every atom?
IPv6 also does nothing for QoS (ignore the hype, which is based on a misunderstanding) and nothing for security (IPsec works just fine with v4). It just wastes bandwidth. So it does something for, oh, MCI. No wonder Vint (the Chauncey Gardner of the Internet) likes it! And Sprint, AT&T and VeriZontal. Great.
IPv4 could use a decent replacement some day, but IPv6 is everything you don't like about v4, and more. Eccch. A dozen years since it was "adopted" and it's gone nowhere, for good reason. The Asians weren't so involved with IETF at the time, to know the messy politics behind it. And btw the whole thing about their not having addresses is false; there is plenty of space left in the IPv4 space waiting to be allocated where needed. China can have more, as they provide more and more spam relays for the h3rb@1-v14gr4 crowd.
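The post above objects to putting the 48-bit MAC address into the bottom half of the IPv6 address. The following is an added example, not code from the thread or from any IPv6 implementation: it builds an address the way stateless autoconfiguration originally did (modified EUI-64, RFC 4291 Appendix A), shows that the MAC can be read straight back out of the address, and gives an administrator a way to flag hosts still using MAC-derived identifiers instead of the random ones from RFC 4941. The prefix and MAC are constructed sample values.

```python
"""Modified EUI-64 interface identifiers: what they leak and how to spot them.

Added example (not from the thread). The prefix 2001:db8:1:2::/64 and the
MAC 00:1a:2b:3c:4d:5e are constructed sample values.
"""
import ipaddress
import secrets


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 derived from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in the middle, insert 0xFFFE, and flip the
    # universal/local bit (0x02 in the first octet).
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Classic SLAAC address: /64 prefix followed by the EUI-64 of the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64 based address, or None.

    The 0xFFFE marker is the tell-tale; a random identifier hits it only by
    chance (1 in 65536), so treat a hit as a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def random_iid_address(prefix: str) -> ipaddress.IPv6Address:
    """Address with a random identifier, the idea behind RFC 4941 privacy extensions."""
    net = ipaddress.IPv6Network(prefix)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= ~0x02  # clear the u/l bit: not derived from a globally unique MAC
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def hosts_with_embedded_mac(addresses):
    """Audit helper: map each MAC-revealing address to the MAC it exposes."""
    found = {}
    for a in addresses:
        mac = embedded_mac(a)
        if mac is not None:
            found[str(ipaddress.IPv6Address(a))] = mac
    return found


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    print("SLAAC address:", addr)
    print("MAC recovered from it:", embedded_mac(str(addr)))
    print("random-IID address:", random_iid_address("2001:db8:1:2::/64"))
```

The audit function is the part a defender actually uses: run it over a neighbour table or DHCPv6/RA logs and any host that shows up is broadcasting its hardware identity into every server log it touches, regardless of which network it roams to.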
Typical American Ethno-Centric viewpoint.
We'll *HAVE* to move to IPv6 when the third world finally gets connected! China 1+ billion people.. India 1+ billion people.. it starts to add up!
Americans.. a whole world exists outside of your borders you know.
-=-Ze End-=-
Once upon a time, the entire internet was shut down for a day or so to switch over to IPV4. We survived. I suspect we would survive the switchover to IPV6, especially since it won't require a complete shutdown. It will be a lot like the current situation for VGA monitors; nobody really worries too much about the folks still running 640x480 anymore. Likewise, when IPV6 starts to take over, people will gradually switch over until a critical mass develops, after which the rest of the world will follow very quickly. Then after a while, most of the world will stop catering to anybody still running V4. That doesn't mean that everybody will switch then, but the ones that don't will simply pay the price in inconvenience.
I didn't really follow the assertion that V6 would be less secure -- I expect that any such problem will be quickly fixed, and probably long before the majority of folks actually make the switch. As for the timing, I don't think it will be as long as Mr. Weekly says. I think that 2005 is a reasonable prediction for V6 reaching critical mass.
Getting everybody's home machine out from being a NAT box should make possible a lot of interesting applications that are either very difficult or downright impossible today. And in all likelihood, some of those applications will not be popular with the Recording Industry Association of America or the Motion Picture Association of America, both of which have taken the lead against peer-to-peer networks. As soon as they understand what a threat IPv6 is to their police actions, they are likely to start fighting against it.
I have no strong opinions on the technical merits of IPv6 but I want to address the above statement, and the (IMHO) wrongheaded mentality behind it.
Why should the fact that these monopolistic groups oppose new, useful technologies, lead anyone to the conclusion that those technologies should be abandoned? Shouldn't we rather abolish the MPAA and RIAA?
When the light bulb was invented, did anyone argue we should abandon it because the candlestick industry would oppose it?
The truth is that new digital technologies are making "content" businesses like those represented by the *AA's obsolete. There is no benefit to society to engage in costly, counterproductive and futile "wars" against P2P and other useful new technologies in the name of enforcing "intellectual property" laws created in a different era that now benefit only special interests and not the public interest.
Simson Garfinkel is an incurable gadgeteer, an entrepreneur, and the author of 12 books on information technology and its impact
Translation: he's old and new technology scares him. He writes books about technology because he doesn't actually understand it. Describing P2P networks as being "for teenyboppers" is quite insane, he must have never tried to download anything large recently (especially given the maturity of solutions like BitTorrent for free software / content distribution - even NASA used it to release their Magellan rover software to the public). This guy should retire and stop his "THE SKY IS FALLING" shriek of panic. Suggested activity: gardening.
He also has absolutely no suggested *solutions* to the problems that he pretends exist. It's not as if IP6 is going to be any less traceable than IP4, nor will it magically create problems that didn't already exist. People are still going to want to firewall off networks under IP6 - in the same way that IP4 can be firewalled off - but this will be done without NAT.
Just because a protocol is "new" doesn't automatically mean that it's a danger. I have to wonder if this guy has never bought any new software in case the CD is so new that it's infected with the Ebola virus. Which makes no sense. Yes, corporations typically hold off adopting new products till version 1.1 or 2.0, but there's no point condemning the early adopters to insecurity hell before IP6 has been rolled out to the public.
Next he'll be complaining about kids and their music... why in his day there, etc, blah, blah.
The ethnocentrism comes from the fact the Americans are the main people resisting IPv6. America has most of the IPv4 addresses, so they don't see a problem, and don't care about those without.
Kind of the entire American situation in a nutshell.
Ever wonder why only Americans complain about IPv4?
Isn't it funny how Asian nations, which you ignorantly claim have so many IPv4 addresses available, are the principal backers of IPv6 right now?
Don't feel bad -- most people are incapable of believing in any problem that doesn't affect them personally.
The author's point was that NAT brings a false sense of security
Then he's even more clueless than I thought.
someone could easily sneak something in behind the NAT and you'd be completely unprotected
And this is different without NAT HOW??!?! A non-NAT firewall will present the exact same security vulnerabilities as one that is using NAT.
Why do you think that a NATted, say, fridge is a good idea? How do you think I'll be able to check what's in it remotely? Think of using a browser on your cellphone to do that. To your second point, NAT done by an ISP is even worse - you are not able to "serve" any data. You have a false sense of security - like a cracker wardriving around your neighbour's open WiFi AP and therefore gaining access to your so-called "secure" intranet. The fact that useful technology for remote home access is not here yet does not mean that we should ruin the infrastructure for it.
"I think that 2005 is a reasonable prediction for V6 reaching critical mass." Do you realize that that isn't even economically feasible? That would require such a huge amount of switches and other network equipment to be replaced in the course of a year that the costs would be unimaginable. I imagine that half the internet (I don't know what you consider "critical mass" to be) will not be using IPv6 before 2007.
This seems like such an American view here, "We own 3 billion of the 4 billion addresses, we won't ever run out so why should we care about the rest of the world..."
Well, you know what? You don't move to IPv6! You add IPv6. You can still keep your IPv4 connection. Then you can start adding IPv6 support to each protocol and application, one at a time. You can and will still be fully IPv4 compatible. You'll just allow yourself to use IPv6-only services and make it possible for you to set up new IPv6-only services even though you've run out of IPv4 addresses.
Seems to me that they are saying much the same thing. Walker:
Garfinkel: As far as IPv6 security goes, I'd like to see the new and interesting worms and network scanning utilities that can scan such a huge number of addresses. 4 billion addresses wasn't a difficult feat for programs that simply scanned incremented octets in IPv4, but now we have a lot more address space to slow such things down... this could just as easily be a problem though: imagine blacklisting a network from a spammer... oh darn, looks like they just need to find another billion addresses to randomly use.
IIRC, MIT has a class B IP range, meaning it has 255^3, or 16,581,375 IP addresses. while China and South Korea--with a combined population of more than 1.3 billion--have been allocated 38.5 million and 23.6 million respectively. Does that sound unfair to anyone? MIT having 6139 students, plus faculty and staff, compared to China having over 1 billion people. China as a whole barely has over twice what MIT has in IP allocation, while having 160,000 times more people. I believe this is a biased, pointless article, written by a moron who does not realize the enormity of what he's saying. Many Asian countries are literally running out of IP addresses, and he's complaining about "lack of security", and thinks that no routers support IPv6 (Pretty much ALL Cisco routers support IPv6 flawlessly.) This man does not know what he's talking about.
got sig?
There's so much wrong with Garfinkel's "review" of IPv6 that I won't be reading his security books. Meanwhile, at the SpeakFreely RIP (repost) thread, the NAT bashers get poked pretty hard.
--
make install -not war
In order for the general internet to function primarily off of IPv6 (and actually see the benefits), there are several things that would have to happen:
1. Most major firewall vendors would have to support it;
2. Load balancing vendors would have to support it;
3. Cache vendors would have to support it;
4. Home-based router vendors would have to support it;
5. IT administrators would have to understand it (they barely understand IPv4, forget about IPv6);
6. Major co-location facilities would have to offer IPv6 support on the network connectivity; and
7. The majority of hardware and software running on network devices would have to be versions that support it (which isn't the same as that the vendors support it).
Fact: Most vendors of firewall products have only recently announced support in their flagship products for IPv6 functionality. Only when the majority of users actually use versions that support IPv6 will there be critical mass.
Fact: most load balancing systems don't support IPv6.
Fact: Most routing products sold today for edge use don't support IPv6, and will probably never support it.
Fact: Consumer and even general business ISP's don't provide IPv6 support for connectivity.
IPv6 is akin to multicast Internet access: It is available in a few places, some networks can and do use it, some network hardware vendors support it, but as a mainstream technology that people everyday encounter, it will never be widespread (or won't happen in a LONG time). Predictions of it happening in this decade are way too optimistic, and if it does, then it could easily trigger a buying spree for network hardware that supports it of the like we have never seen, and network equipment stocks will probably explode through the roof. I don't feel this will happen though.
I still think re-working the way people think about IP addresses will solve more problems.
E.g. your toaster doesn't really need a public IP, does it? [or your cell phone for that matter].
Good use of NAT can solve all of these problems...
There is no reason why certain companies/schools have millions of addresses each. Plain and simple.
Tom
Someday, I'll have a real sig.
Windows XP has an "Advanced Networking Pack" update that enables IPv6 and Teredo tunneling. It'll probably be rolled into SP2 as well.
The application "3degrees" makes use of the peer-to-peer component for people to create groups to share music, chat and animations.
MS is pushing IPv6 heavily in Longhorn both for peer-to-peer collaboration applications and external devices such as Bluetooth headsets.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
So the burden is on China, Japan, India, and other countries worried about IP address shortages. And, as it happens, that's where the bulk of the development is being done (Japan especially). So you see, it works: the people who need IPv6 most are doing the most work on it, and the people who need it the least are contributing less.
When the internet's backbone switched to IPv6, they set it up to tunnel IPv4 over it. That's why most experts still talk about it like it's something in the future. IPv6 is actually faster and more convenient for routing, which is why the backbone routers have already switched. Furthermore, there is support built in for tunnelling your IPv6 over IPv4, so that you can have an IPv4 internal network which works perfectly well with an IPv6 upstream provider (your routers don't have to be very smart; all of the IPv6 traffic is needed to your upstream, which will deal with the IPv6 aspect). Currently, the backbone is tunnelling IPv4 (for most people on the internet) over the IPv6 backbone.
The real reason to switch is that there are a lot of useful special addresses. For example, there is a space of addresses for NICs in ad hoc mode, so you can make a network by connecting a bunch of devices together without needing address assignment at all.
NAT is like preventing your children from running out into the street by chopping off their legs. Yes, it works, but it has some unpleasant side-effects. What's worse, NAT breaks IPSEC, making it difficult to improve security by using authentication and encryption.
Mea navis aericumbens anguillis abundat
Or, more generally, all the people who had a working box before, and don't want to touch it. It may be running an old OS and a bunch of old apps, and everything might work fine.
Some people, who don't live in the real world, like to think of this type of thing as something that can just be phased out in a few years. Everyone will patch their systems slowly, and vendors will recompile the code with new libraries, and old routers will be replaced with hardware IPv6 routers, and then, magically, everyone is using IPv6.
The reality is that people won't patch their systems, routers will work for eons and nobody wants to replace them, and app vendors are long gone because they don't make money on your legacy app anymore.
This reminds me of arguments about switching to Linux. I love GNU and Linux of course, but we have a tendency to think of some typical case of an office or home user. But so many people, especially those most likely to care about switching, are atypical. To assume that everyone needs the same things out of a computer is to turn it into an appliance, which has been shown to completely fail. It ends up that someone has an intricate, delicate system, and nobody in their right mind wants to touch it.
Social scientists are inspired by theories; scientists are humbled by facts.
Actually, how do you propose to "roam the IPv6 space"? IPv4 can be randomly pinged; but with IPv6 you have a better chance of winning a lottery than of randomly hitting a computer on the IPv6 net...
Actually, any IPv4 equipment that is running flat out would not be able to handle the same load as IPv6. Most equipment doesn't run at 100% all the time. It has spare capacity under normal load and administrators track load growth, budgeting money for replacement equipment according to a formula adopted by the organization. Instead of replacing everything, what's more likely is that everything will get replaced a month or two early from previous replacement estimates. Is this going to cost more money? Yes, but it's not a very big deal. You buy in June instead of August or you limp along for two months with degraded capacity and buy on your regular schedule.
You know, mods, when someone puts the word "troll" in their nick, you're supposed to pay attention.
The world does not need more than the 4 billion addresses available with IPv4, and I challenge you to come up with an application that requires that many. Assuming that you can actually come up with one, it could easily be solved with Network Address Translation, or NAT as it is commonly known.
Here's an application for you: there are more than 4 billion people on the planet. When we're all hooked up, what do you suggest? Do you really think we'll all be online behind some uber-NAT devices 50 years from now? Have fun using your cell phone/PDA/personal whatever when you and 1000 of your neighbours are all sharing the same IP, and you're using a protocol as complicated as *gasp* FTP (hint: NAT breaks more than it fixes). Really, please share with us what the "shortcoming" of too many addresses is. Overkill, it may be. But how does it hurt the protocol?
The problem with a 64-bit network prefix is that routing tables become massive. Just do the math and you'll see that extreme amounts of memory are required to hold routing tables.
The whole point of IPv6 addresses is that we can do more EFFICIENT routing, as opposed to the hodge-podge of rules we have today. IPv6 routing is FASTER than IPv4.
This means that downloading stuff will take 3.4% longer.
Wow. A whopping 3.4%. Now, in the real world, a lot of us use MTUs > 1500. So we're talking just over a single percent. Stop the presses! Oh yeah, there's this neat thing called header compression, by the way.
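The two posts above trade percentages without showing their arithmetic. The following is an added example, not from the thread: a small model that compares the fixed 20-byte IPv4 header with the fixed 40-byte IPv6 header for full-size TCP segments at several MTUs, and for a small RTP/UDP voice frame, which is where the extra 20 bytes matter most. It ignores extension headers, TCP options and link-layer framing, and the packet sizes are constructed assumptions, so the exact figures depend on those choices rather than being the thread's numbers.

```python
"""Header overhead of IPv4 vs IPv6 for bulk transfer and for small packets.

Added example (not from the thread). Only the fixed network-layer headers are
modelled; 20 and 40 bytes are the fixed IPv4 and IPv6 header sizes.
"""
IP_HEADER = {4: 20, 6: 40}
TCP_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12


def full_size_payload(mtu: int, version: int, l4_header: int = TCP_HEADER) -> int:
    """Application bytes that fit in one MTU-sized packet."""
    return mtu - IP_HEADER[version] - l4_header


def header_share_pct(mtu: int, version: int, l4_header: int = TCP_HEADER) -> float:
    """Percentage of an MTU-sized packet taken up by IP + transport headers."""
    return (IP_HEADER[version] + l4_header) / mtu * 100


def extra_packets_pct(mtu: int, l4_header: int = TCP_HEADER) -> float:
    """How many more packets IPv6 needs than IPv4 to move the same bulk data."""
    v4 = full_size_payload(mtu, 4, l4_header)
    v6 = full_size_payload(mtu, 6, l4_header)
    return (v4 / v6 - 1) * 100


def wire_bytes(payload: int, version: int, l4_header: int) -> int:
    return payload + l4_header + IP_HEADER[version]


def voip_overhead_pct(payload: int = 20) -> float:
    """Extra bytes on the wire for one RTP/UDP voice frame under IPv6 (percent).

    A 20-byte voice payload is a constructed assumption in the range that
    low-bitrate codecs produce; with such small packets the IP header is a
    large share of every packet, so the 20 extra bytes show up clearly.
    """
    l4 = UDP_HEADER + RTP_HEADER
    return (wire_bytes(payload, 6, l4) / wire_bytes(payload, 4, l4) - 1) * 100


if __name__ == "__main__":
    print(f"{'MTU':>6} {'v4 hdr%':>8} {'v6 hdr%':>8} {'extra pkts%':>12}")
    for mtu in (576, 1280, 1500, 9000):
        print(f"{mtu:>6} {header_share_pct(mtu, 4):>8.2f} "
              f"{header_share_pct(mtu, 6):>8.2f} {extra_packets_pct(mtu):>12.2f}")
    print(f"voice frame: {voip_overhead_pct():.1f}% more bytes on the wire")
```

The bulk-transfer column is what the "stop the presses" post is getting at: at a 1500-byte MTU the difference is under 1.5% more packets, and it shrinks further with jumbo frames. The voice-frame line is the "short packets" case from earlier in the thread, where the same 20 bytes are a third of the packet.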
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Since the DoD is a huge consumer of IP services and moves a great deal of traffic across the Internet all over the world, the DoD's schedule for shifting over to IPv6 by 2008 is likely going to be the catalyst for everybody getting on the ball. If an ISP has a military base in their service area they're at least going to think about bidding for military data provisioning contracts. The money can be good and the checks generally don't bounce. You don't need more than one major customer to make IPv6 a requirement before an ISP will roll it out.
He is fairly aggressive at attacking IPv6, and even contradicts himself in his fury against the protocol...
all IPv6 code is untested and therefore insecure
Yes, if you don't count university networks that has been using 6bone for several years now. Read up a bit on 6bone, and you'll see that the primary purpose of it is to function as a testbed for IPv6. But of course, computer scientists aren't really able to find and fix problems in the protocol.
IPv6 encourages 'peer-to-peer based copyright violation systems'
I won't even comment on this...
Deploying IPv6 means that every application that uses Internet addresses needs to be changed.
However, isn't IPv6 designed to be backwards compatible? I.e. have a separate address space that emulates IPv4? So there isn't an urgent need to switch *now* when it starts getting used? Using the IPv6 stack should not mean an inability to talk with IPv4 clients.
Today, most routers come equipped with special-purpose integrated circuits that can route IPv4 packets very quickly. But because there is no demand for it, those routers don't have similar hardware that can route V6 in hardware
I'll just let him contradict himself:
"The code that lets computers talk on an IPv6-enabled network is now built into the current versions of Windows XP, MacOS, Linux, and many forms of Unix. Every router made by Cisco comes ready to run IPv6. So does every Nokia mobile phone. The whole world is getting dressed up for the IPv6 party."
If they're already implementing software support for IPv6 before it's even starting to get used, doesn't he think this is a sign that the manufacturers are dedicated to bringing hardware IPv6 support once it gets even more widely used? If not, he needs to explain why.
He complains about upgrade costs too, which seems to be a concept never heard of or experienced by him before, as he seems to be in shock while discussing it.
But what IPv6 boosters won't tell you, unless you press them, is that every new IPv6 nameserver, Web server, Web browser, and so on has new code--code in which security problems may lurk.
True, updated software might get new bugs if they aren't tested properly. What's new? This risk is taken daily by adopters of upgraded or new software.
Beware: In C++, your friends can see your privates!
IPv6 has fewer headers => faster routing
Also, in IPv6, each packet doesn't get its checksum recalculated at every hop. Only the endpoints calculate it. That should take a heavy load off the routing.
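The post above is about the per-hop checksum work that IPv4 routers do and IPv6 routers do not. The following is an added example, not code from the thread or from any router: it implements the RFC 1071 Internet checksum, verifies a constructed IPv4 header, and shows that forwarding the packet (decrementing the TTL) forces every hop to recompute the header checksum. On the IPv6 side it builds the UDP checksum over the IPv6 pseudo-header, which IPv6 makes mandatory and which only the two endpoints ever compute. The header bytes, addresses and payload are constructed sample values.

```python
"""Per-hop IPv4 header checksum vs. endpoint-only checksums in IPv6.

Added example (not from the thread). The IPv4 header below is a constructed
20-byte header (TTL 64, protocol TCP, 172.16.10.99 -> 172.16.10.12) with the
checksum field zeroed; the IPv6 addresses are from the documentation range.
"""
import ipaddress
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Constructed IPv4 header with the checksum bytes (offset 10-11) set to zero.
IPV4_HEADER = bytes.fromhex("4500003c1c4640004006" "0000" "ac100a63ac100a0c")


def with_checksum(header: bytes) -> bytes:
    """Return the header with a freshly computed checksum at offset 10."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[12:]


def header_valid(header: bytes) -> bool:
    """A header verifies when the checksum over all 20 bytes comes out zero."""
    return internet_checksum(header) == 0


def forward_hop(header: bytes) -> bytes:
    """What every IPv4 router does per packet: TTL - 1, then recompute the checksum."""
    ttl = header[8]
    if ttl <= 1:
        raise ValueError("TTL expired: the router drops the packet instead of forwarding")
    return with_checksum(header[:8] + bytes([ttl - 1]) + header[9:])


def _udp6_pseudo(src: str, dst: str, udp_segment: bytes) -> bytes:
    """IPv6 pseudo-header (RFC 8200 section 8.1): addresses, length, next header 17."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", len(udp_segment)) + b"\x00\x00\x00\x11")


def udp6_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment whose checksum covers the IPv6 pseudo-header."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    c = internet_checksum(_udp6_pseudo(src, dst, seg) + seg) or 0xFFFF  # 0 is sent as all-ones
    return seg[:6] + struct.pack("!H", c) + seg[8:]


def udp6_valid(src: str, dst: str, udp_segment: bytes) -> bool:
    """Receiver-side check; intermediate routers never touch this."""
    return internet_checksum(_udp6_pseudo(src, dst, udp_segment) + udp_segment) == 0


if __name__ == "__main__":
    sent = with_checksum(IPV4_HEADER)
    print("IPv4 checksum at source:", sent[10:12].hex(), "valid:", header_valid(sent))
    hop = forward_hop(sent)
    print("after one router hop:   ", hop[10:12].hex(), "TTL:", hop[8])
    seg = udp6_segment("2001:db8::1", "2001:db8::2", 1234, 5353, b"hello")
    print("UDP/IPv6 checksum:", seg[6:8].hex(), "valid at receiver:", udp6_valid("2001:db8::1", "2001:db8::2", seg))
```

Because the IPv6 header carries no checksum at all, a router only rewrites the hop limit and moves on; the integrity check lives in the transport checksum (mandatory for UDP over IPv6, unlike IPv4) and in the link layer's CRC, which already catches corruption on each hop. The question in the later reply about "retransmits for the entire path" answers itself here: IP never retransmitted anything in either version, and the transport-layer checksum was always verified end to end.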
From the article:
But what IPv6 boosters won't tell you, unless you press them, is that every new IPv6 nameserver, Web server, Web browser, and so on has new code--code in which security problems may lurk.
That's a bit of an overstatement. There will probably be very little new code in most applications. After all, all applications call the same IPv6 code on each operating system. What may arise are initial problems with a protocol-stack on certain OSs, but probably no new security problems on the application-level.
6to4 is the technology to replace NAT. For one IPv4 address you get 65536 times the current size of the internet addresses for use in your local company.
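Two posts in this thread describe addresses that carry an IPv4 address inside an IPv6 one: the dual-stack "you add IPv6" approach, under which a server listening on an IPv6 socket sees IPv4 clients as IPv4-mapped addresses (::ffff:a.b.c.d) unless the socket is set to IPv6-only, and the 6to4 scheme above, which gives each public IPv4 address the prefix 2002:V4:V4::/48 and therefore 65536 /64 subnets. The following is an added example, not code from the thread: it derives the 6to4 prefix, extracts the embedded IPv4 address from both kinds of transition address, and shows why an access control list written in IPv4 terms silently misses them unless the address is normalised first. All addresses are constructed sample values from the documentation ranges.

```python
"""Transition addresses that embed an IPv4 address, and the ACL pitfall.

Added example (not from the thread). Uses only the standard ipaddress module;
192.0.2.0/24 and 2001:db8::/32 are documentation ranges used as sample data.
"""
import ipaddress
from typing import Iterable, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:V4:V4::/48 for the given IPv4 address (RFC 3056).

    A real deployment needs a globally routable IPv4 address here, since the
    address is how 6to4 relays find the tunnel endpoint.
    """
    packed = ipaddress.IPv4Address(v4).packed
    return ipaddress.IPv6Network(f"2002:{packed[:2].hex()}:{packed[2:].hex()}::/48")


def sixtofour_subnet_count(v4: str) -> int:
    """Number of /64 subnets behind one 6to4 /48 prefix."""
    net = sixtofour_prefix(v4)
    return 2 ** (64 - net.prefixlen)


def normalise(addr: str) -> Addr:
    """Reduce an address to the IPv4 identity it carries, if any.

    IPv4-mapped addresses are IPv4 clients seen through an IPv6 socket; a
    6to4 address is reached through its embedded IPv4 tunnel endpoint, so
    for a source-based ACL that endpoint is the origin that matters.
    """
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address):
        if a.ipv4_mapped is not None:
            return a.ipv4_mapped
        if a.sixtofour is not None:
            return a.sixtofour
    return a


def naive_acl_match(addr: str, networks: Iterable[str]) -> bool:
    """The buggy version: compares the raw address against each network."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in networks)


def acl_match(addr: str, networks: Iterable[str]) -> bool:
    """Hardened version: normalise first, then compare within the same family."""
    a = normalise(addr)
    return any(a in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    blocked = ["192.0.2.0/24"]
    print("6to4 prefix for 192.0.2.4:", sixtofour_prefix("192.0.2.4"),
          "with", sixtofour_subnet_count("192.0.2.4"), "/64 subnets")
    for sample in ("192.0.2.5", "::ffff:192.0.2.5", "2002:c000:204::5", "2001:db8::1"):
        print(f"{sample:>20}  naive={naive_acl_match(sample, blocked)!s:5}  "
              f"normalised={acl_match(sample, blocked)!s:5}  ({normalise(sample)})")
```

The naive check returns False for `::ffff:192.0.2.5` because the ipaddress module, like most ACL engines, never matches an IPv6 address against an IPv4 network: the IPv4 client slips past a rule that was written for it. The same gap applies to 6to4 traffic, which is why dual-stack firewalls either bind IPv6 sockets as IPv6-only and list IPv4 rules separately, or normalise as above before evaluating rules.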
This is a solution to a problem that nobody has (on par with the spaghetti strainer lid and pot combo). I've never heard of anyone running out of IPs in the private range.
IPv6 will only take off when (and if) it is needed to solve real problems that cost people money.
As someone who was around during the IPv6 specification phase I can tell you that the spec that finally emerged from the IETF (following a great deal of ill feeling) had two main goals:
1) Not to be anything like OSI on principle
2) To be conveniently routable on the hardware then typically in use for academic workstations
So frankly, it's no real improvement on IPv4 and failed to consider ways of reducing latency and increasing the robustness of routing in large-scale carrier backbones.
It was too late even back then to consider the great "switch over" because there were just too many autonomous network operators around with no incentive to change unless everyone else did (those of you who knew DECnet Phase IV will remember a magic switch which was supposed to cause your entire network to transition to Phase V: not many customers actually activated it for the same reason).
The future is probably some rather different local area network protocol for all of those home appliances (connecting your PC, iPod, TV, PVR and toaster) and something different again for the long haul.
But it will have to be demand-led.
When you think consumer gadgets then the US isn't the first country to come to mind - it's Japan, Taiwan and China, Malaysia, Korea and the Philippines (in no particular order).
If every gadget gets an IPv6 IP address then it's irrelevant what some ex-MIT/Mass commentator thinks. Asians, and especially the Japanese with KAME, are sniffing around for another edge that they can get.
Once the millions of games consoles get IP for LAN parties then ISPs are going to be driven kicking and screaming into IPv6. Console sales outnumber PC sales so what Microsoft think here is irrelevant (unless it's XBox related). Nope, in the same way that GSM eclipsed older analogue cellular networks (with multi-billion costs in upgrades), then IPv6 will eclipse the older IPv4 and the drive will be consumer gadget driven.
Overall, it is a good article but I would add two points:
1) When it comes to security, Denial of Service (DoS) is a big issue. AFAIK, the IPv6 standard includes mechanisms that reduce the danger of DoS attacks.
2) It's true that with IPv6 many applications have to be revamped, but think of it this way: many IPv4 applications were written without security in mind and again and again are exposed to attacks. Think of programs like bind8 or the MS IIS. When these programs are revamped, it's likely that the programmers will right away take steps to avoid security leaks like buffer overflows and the like.
However, given the sad, vulnerable state of security and privacy, I'd expect more authors to expound on the benefits of IPv6's privacy and authentication mechanisms.
Likewise, as more bandwidth is eaten by spam and music downloading, IPv6 addresses quality of service, and better routing and addressing capabilities.
The only two reasons not to go IPv6, at least for intranets, is either espionage agencies oppose increased security and/or a particular large vendor fails to support it well. Maybe there are others. Wireless networks and VPNs are being thrown in all over the place. These are the perfect places to start with IPv6. The other option is NAT, but that will eventually have to be redone when the move is finally made. Kill 2 birds with one stone and install the new VPN or Wireless net with IPv6.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
When everything is switched over to IPv6, then the internet goes back to its original plan - where all computers are equal; they all have their own address, they can all do whatever they want (or, whatever they can, given the hardware inside of them) like run servers, etc. The big thing about IPv4 is that not all computers are equal - one IP goes to one broadband modem, and there's a NAT present in the event of more computers behind the one IP address. In this IPv4 situation, not every computer can do whatever it wants (like run servers, etc); the computers behind IPv4 NATs are consumers. The computers behind IPv4 NATs aren't equal contributors to the internet, they're there to consume services.
I'd imagine the companies providing these (or any, for that matter) services are trying quite hard not to switch to IPv6, where, if us present-day-consumers don't like how they handle the services, or if the billing for these services isn't what we expect, we can simply do it ourselves and take them right out of the picture. With IPv6, the providers would be forced to listen to their customers or risk not being the providers any more.
"Only the endpoints calculate it. That should take a heavy load off the routing."
But then the retransmits would be for the entire path, instead of just between two hops, right?
--- Hindsight is 20/20, but walking backwards is not the answer.
Your ISP doesn't want you to run a server; and they aren't going to change their policy even if they have the address space to do so.
My ISP (RCN) filters ports 80 and 25, for example. Even though I have a real public IP address.
--
Mu
My ISP doesn't really mind if I run a server as long as I stay under my transfer quota or make arrangements to pay for more. (BTW, any reason that more ISPs aren't like that?) Unfortunately they don't need to block any ports to stop me from running a server, they just need to keep NATting me into oblivion.