MIT Technology Review Slams IPv6
PCM2 writes "In the MIT Technology Review, Simson Garfinkel, noted author of Internet security books, writes that "the next version of the Internet Protocol, IPv6, will supply the world with addresses by the trillions. Too bad it will also make the Net slower and less secure." His article goes on to explain that all IPv6 code is untested and therefore insecure; that IPv6 makes encourages 'peer-to-peer based copyright violation systems'; and of course, that the switch is never going to happen anyway (and yet, somehow, the United States is 'falling behind')."
I thought we were running out of /20 assignment blocks, not addresses.
/28 anymore except the IPv6 approach ends up using 4x the memory for each address.
Of course if you increase the number of assignment blocks, routers will need more memory and were back to the same reason no one will route a
Interesting... The author slates NAT for being an easy security option, causing firewalling problems and not letting each device have its own IP. Then he seems to fail to mention that letting each device have its own IP opens up a whole host of possible attacks. Who would honestly let an out of the box Windows machine be open to the rest of the internet with no NAT?
Walker sees NAT as encroaching oppression by the "powers that be", whereas Garfinkel seems to take the "powers that be" point of view! Simson how you've changed!
In fact, Walker is skeptical that even IPv6 could promote "consumers" back to "peers":
"It will be the biggest, the most drastic, and the most comprehensive change to the underlying structure of the Internet in more than 20 years. "
I'd love that thought applied to space.. It's so confusing, and hard to do, we should tuck our tail between our legs and run! This change will happen one router at a time.. correct me if I'm wrong.. but I do believe IPv4 addresses will coexist with IPv6. And lets face it.. for the most part, this will be done my highly experienced techs at the ISPs, and filter down to very experienced end users at business. Dialup and High Speed users could use IPv4 for ages sitting behind their ISP's big gateways.
"The deployment of IPv6--the sixth version of the Internet Protocol--will be a massive undertaking that will require the reconfiguration of more than 100 million computers."
It's not like this will happen over night.. and one day all the end users (hi mom) will have to become IPv6 Gurus. Once again, we're back to.. It's hard.. lets run away.
"But when the IPv6 rollout is finally done, not all the effects will be positive"
Argh.. this guy bugs me.. He seems to totally forget about the evolution of software.. Of course it'll be slow at the beginning.. then some company like Nortel will put it all into a hightech ASIC chip.. and we'll leave IPv4 in the dust. For each of his arguements.. there's a swell counter arguement, that's never far from reach.
Faz
-=-Ze End-=-
"Japan, China and South Korea will jointly develop the next-generation Internet technology IPv6, aiming to have the global standard for the technology set in Asia, the Nihon Keizai Shimbun reported yesterday.
US firms now dominate the market for equipment like routers that serve as the infrastructure for the current IPv4-based Internet.
By working together, the three countries aim to take the lead in developing technologies for a world in which all equipment is connected to the Internet"
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
But still a bit harsh on IPv6....
/64 network, but it has yet to be seen whether certain organizations might, for the hell of it, get allocated /8 networks because they can. As near as I can tell, the high 16 bits seem to be somewhat protected, but you never know what will happen. If there is a grab for /8 networks among big players, you have the same problems that IPv4 has today.
As to the notion of never running out of address space 'never, never' as he puts it, I wouldn't be so sure. The 32-bit address space provides 4.2 billion addresses. With that in mind, we are much nearer to exhaustion than current usage would dictate. It is all about the allocation, and if sloppy allocation occurs, the 128-bit address space of IPv6 could be exhausted too. For example, the architecture of current implementations make it so that the smallest subnet anyone will likely allocate are 64-bit networks, and use MAC addresses (or something else, but still 64-bit, because it's easy), so immediately you take the address space down tremendously. Still should be well more than enough for everyone on earth to have a
As to security implications, it is true that implementations will be for the short term future less tested and therefore likely to contain critical flaws, but still IPv6 code is receiving a fair amount of testing, and critical flaws will not be quite so devastating as you may think, no more than an Apache, Linux Kernel, or MS security exposure, which we have seen all of in fairly recent history without the sky falling.... Of course the wrinkle in this is a lot of the 'home router' concepts that happen to protect common home systems will cease to provide that protection. They provide NAT features, therefore masking to an extent the system behind the device. Despite what the author says about NAT being bad because it doesn't protect against things like browser exploits and physical intruders, NAT is on the level of firewalling in terms of protection. Any reasonable network security person will realize that browser exploits, email worms, and physical intrusion must always be kept in mind, and it has nothing to do with NAT or firewalling. NAT remains effective at, for example, fending off web server and rpc attacks from unsuspecting or experimenting workstations. If NAT goes away (hopefully), people need to be mindful of good old firewalling strategies. Implementations are maturing (experimental ip6tables implementation, for example, is approaching closely the ipv4 iptables featureset). If cable/dsl 'routers' revert to hubs in a wealth of addressing, I expect either cable/dsl 'firewall' devices or increased ISP vigilance to deal with the more widespread system exposure.
All that said, I like IPv6 (my desktop, gateway, and laptops are using IPv6 and each have public IPv6 addresses, keep NAT on IPv4 on some systems), but I (and everyone else) has been waiting and watching a long long time and no encouraging migrations are yet to be seen, and I doubt the near future will bring any incentive to push such a change.
XML is like violence. If it doesn't solve the problem, use more.
Although addressing issues like that will delay the time at which we will have to deal with the shortage, it doesn't solve the problem.
IPv6 isn't just about having enough IPs for all the computers in the world. It's about having enough IPs for all the *anything* in the world - your toaster, your house-cleaning robot, whatever. Even things like RFID tags could potentially be given their own subset of the IPv6 address space - it's that huge.
Using the IPv4 space more efficiently might deal with the problem for a while, but it will not allow the expansion IPv6 would.
A Minesweeper clone that doesn't suck
Anyone know what the adoption rate of IPv6 is for the major broadband ISPs? TimeWarner/Comcast, etc?
What with Win95 being EOL'd, a fair number of them will be upgrading to Windows XP (or Linux, OK?) with it's built-in support. Maybe the best approach would be from the bottom up?
Chip H.
I'm not sure at all.
The IPv4 addresses are inefficiently distributed. MIT for instance has 16.7 millions of them. IBM too.
Entire classes of addresses are reserved for things we don't REALLY use like multicast and so on.
Plus we now have NAT and CIDR that help save some addresses.
I bet we could use IPv4 for 20 more years. IPv6 is to complex, bulky and inefficient.
I studied it and the fact that MAC addresses are in it blows me away.
Aren't the IP addresses a logical layer that prevents problems when you change a NIC ? If each time you change your NIC you have to change you address I foresee lots of trouble here.
And 128 bits addresses, okay, but entire classes are already wasted (multicast, network IDs, etc) and in the long term we could run into the same problems !
Anyway its too expensive and slow for the moment. Nobody wants to pay 1 million dollars for the last Cisco router with IPv6 where the one we bought last year for another million is working just fine.
Why not just add an extension to IPv4 if we really need these addresses ? I know it has a lot of flaws but hey, why change EVERYTHING ?
Iraq: war to save the U
Yes, even then.
Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it, and each human has 1 billion devices that need IP addresses. In that case, only 1/340,282nd of the possible 128-bit IPv6 addresses would need to be assigned.
Is this like: "I think there is a world market for maybe five computers."?
What *if* molecular nanotechnoloy takes off? Humanity then decides to build a large space based object, which will be built by a massive number of 'replicators', each working within a 100nm per side cube. (Raw material will come from a passing asteroid.) It is decided that each replicator is to be individually addressable. The number of IP addresses required is then (<linear size>^3)/((100nm)^3). 2^128 addresses will be required to build a 700km cube.
Sure this far fetched, and there are lots of other technologies which need to be invented before something like this can happen, but lots of today's things were far fetched in recent history.
firewall and nat are not mutually inclusive. You can firewall a network of public addresses, you can assign those addresses via dhcp. You don't NEED nat.
Nat is a horrible and evil thing. Ever tried to run 4 ftp servers behind nat? Doesn't work very well does it? Right now there are barely enough ip's for every person to have one... but wait, what about work? oops now everybody needs two, but *gasp* your cell phone! Now everybody needs 3... we are already at 3 times what IPv4 can provide with what is already out there and popular and is pretty much guaranteed to be as essential tommorow as having a hammer or screwdriver.
What's more, people get new cellphones, they throw old ones away, sometimes have multiple phones, sometimes multiple computers. IPv6 would provide 5000 addresses for every micrometer of the surface of the earth. Giving everyhousehold on the internet a full 255 address block would be a fairly conservative approach in relation ot the address space.
Don't you want to see that world? Especially knowing it doesn't mean your can't have a router to share a net connection, and knowing that you can still be firewalled? Having public addresses means that you can configure your router not to block port x on ANY computer in your network, instead of being able to forward port x to ONE computer in your network.
Let's just hope when IPv6 becomes mainstream one can register for addresses without a fee right up on a website instead of the political review that is required now.
I have IPv6 from my ISP. Its enabled by default for every one of their clients, and has been for more than 2 years. Most of the other small providers in Europe are now offering it standard, and I have talked with one large telco who will be trialing it this year, for a rollout before a big marketing push in September.
/48 block of IPv6 at home. All my machines speak it, Solaris, Mac, Windoze, BSD, cisco, Nokia, Ericsson. My firewall filters both IPv4 and IPv6 with no problem, the rulesets are quite similar. With autodiscovery, router advertisements, and all the other cool protocols built into the IPv6 specs, adding a new machine means it just works.
But as the whingey Garfinkel points out, the U.S. is very much behind the curve in IPv6 rollouts. Typical corporate american incompetence.
As for routers, all real routers have it. It takes more effort today to get a cisco router without IPv6, because all the machines being delivered recently come with a version of IOS which has IPv6 installed. Just waiting for a Cisco Certified Button Pusher to configure it correctly, and bob's your uncle.
I have my own
While typing this response, I ran some statistics on web servers I manage. Approximately 5% of the traffic was IPv6 during the month of December, up from about 2% last June. That means that 5% of the PCs out there have IPv6 enabled, connected to an ISP offering IPv6, and are using an IPv6 capable browser like mozilla or IE6.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I went through the entire current posted responses, and I'm suprised people missed mistakes that - in the words of my girlfriend - must mean that the author was simply having a bad day and couldn't be writing this as a serious article.
The most important thing that IPv6 does is quadruple the size of the Internet address field from 32 bits to 128 bits.
Quadruple? 2^32 * 2 != 2^128. In fact, there is a very distinct difference. I would hope a writer for the M.I.T. Tech Review would know the difference.
One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there's never a good time to have people start deploying systems that are only V6--that's because somewhere, somebody is going to have a machine that's V4 only, and they won't be able to communicate with you.
This is so horribly backwards, he must be joking. One of the points of IPv6 is that IPv4 can be routed within and through it. (visa-versa too, but let's assume we're taking about an all v6 net) The real worry would be when someone created a v6 only site that some v4 person wouldn't be able to address.
Ugh. I think IPv6 upgrade path will be similar to analog and digital cell phones. They're still able to route to each other, and the improved features and quality of connections have caused people to leave older analog phones. The older phones still have better coverage; but, the newer phones are still able to switch to analog mode if necessary.
Problems with a v6 peer not being accessible to a v4 peer aren't too worrying to me. The same technologies enabling Akamai and NAT will almost certainly solve that.
One obvious solution is an automated DNS -> TCP/IP forwarding service:
Amy is cute.
The solution is for routers sold with IPv6 support to come configured by default to have rules that prevent any incoming connections from the 'outside', wherever that may be for the router in question. That's just as secure as NAT, and doesn't have the stupidity of non-adressable nodes that somehow still get IP traffic from the outside.
Have you ever thought that IPv6 might actually increase security? It makes address scanning completely impractical. The method by which Code Red, and several other worms have spread would no longer work at all.
Need a Python, C++, Unix, Linux develop
there are lots of other advantages of ipv6 compared to ipv4:
/128 into multiple subbits (like /4) helps in the logical arrangement in the address.
/48 (65535 subnets) if you are able to utilize 200 subnets within 2 years. by default (i don't know how they run their network - if it is efficient or they just subnet their network and waste all the ip address) they may have a hard time getting allocation from arin. they might need to get the suballocation from a provider (since it is hierarchal) so that's why they are opposed to the idea.
routing - different rirs have now created policies that will make routing much efficient. it will be hierarchal so routing tables will much smaller (thus faster routing.)
headers - the ipv6 headers has been optimized compared to ipv4, data transmitted includes qos (standard)
multicast - no more broadcast. we don't have to worry about too much data storms in our network (better bandwidth utilization.)
autoconfig - ipv6 provides for automatic configuration of ip addresses. this will make transition much easier since most devices can be made ipv6 ready and activated and it will automatically configure itself and run on ipv6.
tunneling - you can do endless tunneling to seamlessly support ipv4 and ipv6 networks together. you can easily put an ipv6 backbone with ipv4 clients running (with all translation under the fe80 range.)
addressing - clear policies has been made with regards to addressing (and routing as well) to prevent problems that have plagued existing ipv4 networks. the division of the
maybe since mit has 16.7million ip addresses, they are afraid of ipv6. based on existing policies agreed upon by rirs (arin, apnic, ripe), you will be allocated a
even if they do not switch to ipv6 (i hope they will be the last one.) the entire world will be running in ipv6. here in asia, it is much harder to get ipv4 addresses. so we are already experimenting with ipv6 (and readying for production grade native ipv6 networks with full peering and routing - we have purchased ipv6 routers in preparation for a full ipv6 backbone with ipv4 tunneled instead.)
software is increasing its support with ipv6. windows xp already has support (not so savvy end users can now start benefiting from ipv6.) linux and apps already has support. most network equipment now supports ipv6. heck my mobile phone can access an ipv6 network natively!
final words. go ipv6! it's about time. (and note to all admins, experiment with ipv6 and you'll see.)
p.s. slashdot was inaccessible for a few minutes before i posted this content
Live your life each day as if it was your last.