Slashdot Mirror


MIT Technology Review Slams IPv6

PCM2 writes "In the MIT Technology Review, Simson Garfinkel, noted author of Internet security books, writes that "the next version of the Internet Protocol, IPv6, will supply the world with addresses by the trillions. Too bad it will also make the Net slower and less secure." His article goes on to explain that all IPv6 code is untested and therefore insecure; that IPv6 makes encourages 'peer-to-peer based copyright violation systems'; and of course, that the switch is never going to happen anyway (and yet, somehow, the United States is 'falling behind')."

11 of 709 comments (clear)

  1. NAT is bad, NAT is good by retrosteve · · Score: 4, Interesting
    Interesting to compare Garfinkel's view on IPv6 vs NAT (IPv6 'encourages Peer-to-peer copyright violations') with John Walker's announcement today that he's Withdrawing Speak Freely due to the takeover of NAT.


    Walker sees NAT as encroaching oppression by the "powers that be", whereas Garfinkel seems to take the "powers that be" point of view! Simson how you've changed!


    In fact, Walker is skeptical that even IPv6 could promote "consumers" back to "peers":


    First of all, any bets on when IPv6 will actually be implemented end-to-end for a substantial percentage of individual Internet users? And even if it were, don't bet on NAT going away. Certainly it will change, but once the powers that be have demoted Internet users from peers to consumers, I don't think they're likely to turn around and re-empower them just because the address space is now big enough.


  2. Hurmph by fazil · · Score: 5, Interesting

    "It will be the biggest, the most drastic, and the most comprehensive change to the underlying structure of the Internet in more than 20 years. "

    I'd love that thought applied to space.. It's so confusing, and hard to do, we should tuck our tail between our legs and run! This change will happen one router at a time.. correct me if I'm wrong.. but I do believe IPv4 addresses will coexist with IPv6. And lets face it.. for the most part, this will be done my highly experienced techs at the ISPs, and filter down to very experienced end users at business. Dialup and High Speed users could use IPv4 for ages sitting behind their ISP's big gateways.

    "The deployment of IPv6--the sixth version of the Internet Protocol--will be a massive undertaking that will require the reconfiguration of more than 100 million computers."

    It's not like this will happen over night.. and one day all the end users (hi mom) will have to become IPv6 Gurus. Once again, we're back to.. It's hard.. lets run away.

    "But when the IPv6 rollout is finally done, not all the effects will be positive"

    Argh.. this guy bugs me.. He seems to totally forget about the evolution of software.. Of course it'll be slow at the beginning.. then some company like Nortel will put it all into a hightech ASIC chip.. and we'll leave IPv4 in the dust. For each of his arguements.. there's a swell counter arguement, that's never far from reach.

    Faz

    --
    -=-Ze End-=-
  3. Japan, China, South Korea will develop IPv6 by Quirk · · Score: 4, Interesting

    "Japan, China and South Korea will jointly develop the next-generation Internet technology IPv6, aiming to have the global standard for the technology set in Asia, the Nihon Keizai Shimbun reported yesterday.

    US firms now dominate the market for equipment like routers that serve as the infrastructure for the current IPv4-based Internet.

    By working together, the three countries aim to take the lead in developing technologies for a world in which all equipment is connected to the Internet"

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  4. Less biased than the summary... by Junta · · Score: 4, Interesting

    But still a bit harsh on IPv6....

    As to the notion of never running out of address space 'never, never' as he puts it, I wouldn't be so sure. The 32-bit address space provides 4.2 billion addresses. With that in mind, we are much nearer to exhaustion than current usage would dictate. It is all about the allocation, and if sloppy allocation occurs, the 128-bit address space of IPv6 could be exhausted too. For example, the architecture of current implementations make it so that the smallest subnet anyone will likely allocate are 64-bit networks, and use MAC addresses (or something else, but still 64-bit, because it's easy), so immediately you take the address space down tremendously. Still should be well more than enough for everyone on earth to have a /64 network, but it has yet to be seen whether certain organizations might, for the hell of it, get allocated /8 networks because they can. As near as I can tell, the high 16 bits seem to be somewhat protected, but you never know what will happen. If there is a grab for /8 networks among big players, you have the same problems that IPv4 has today.

    As to security implications, it is true that implementations will be for the short term future less tested and therefore likely to contain critical flaws, but still IPv6 code is receiving a fair amount of testing, and critical flaws will not be quite so devastating as you may think, no more than an Apache, Linux Kernel, or MS security exposure, which we have seen all of in fairly recent history without the sky falling.... Of course the wrinkle in this is a lot of the 'home router' concepts that happen to protect common home systems will cease to provide that protection. They provide NAT features, therefore masking to an extent the system behind the device. Despite what the author says about NAT being bad because it doesn't protect against things like browser exploits and physical intruders, NAT is on the level of firewalling in terms of protection. Any reasonable network security person will realize that browser exploits, email worms, and physical intrusion must always be kept in mind, and it has nothing to do with NAT or firewalling. NAT remains effective at, for example, fending off web server and rpc attacks from unsuspecting or experimenting workstations. If NAT goes away (hopefully), people need to be mindful of good old firewalling strategies. Implementations are maturing (experimental ip6tables implementation, for example, is approaching closely the ipv4 iptables featureset). If cable/dsl 'routers' revert to hubs in a wealth of addressing, I expect either cable/dsl 'firewall' devices or increased ISP vigilance to deal with the more widespread system exposure.

    All that said, I like IPv6 (my desktop, gateway, and laptops are using IPv6 and each have public IPv6 addresses, keep NAT on IPv4 on some systems), but I (and everyone else) has been waiting and watching a long long time and no encouraging migrations are yet to be seen, and I doubt the near future will bring any incentive to push such a change.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  5. Re:MIT is one to talk by Hanji · · Score: 4, Interesting

    Although addressing issues like that will delay the time at which we will have to deal with the shortage, it doesn't solve the problem.

    IPv6 isn't just about having enough IPs for all the computers in the world. It's about having enough IPs for all the *anything* in the world - your toaster, your house-cleaning robot, whatever. Even things like RFID tags could potentially be given their own subset of the IPv6 address space - it's that huge.

    Using the IPv4 space more efficiently might deal with the problem for a while, but it will not allow the expansion IPv6 would.

    --
    A Minesweeper clone that doesn't suck
  6. Re:2nd by SEE · · Score: 5, Interesting

    Yes, even then.

    Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it, and each human has 1 billion devices that need IP addresses. In that case, only 1/340,282nd of the possible 128-bit IPv6 addresses would need to be assigned.

  7. Re:MIT is one to talk by shaitand · · Score: 5, Interesting

    firewall and nat are not mutually inclusive. You can firewall a network of public addresses, you can assign those addresses via dhcp. You don't NEED nat.

    Nat is a horrible and evil thing. Ever tried to run 4 ftp servers behind nat? Doesn't work very well does it? Right now there are barely enough ip's for every person to have one... but wait, what about work? oops now everybody needs two, but *gasp* your cell phone! Now everybody needs 3... we are already at 3 times what IPv4 can provide with what is already out there and popular and is pretty much guaranteed to be as essential tommorow as having a hammer or screwdriver.

    What's more, people get new cellphones, they throw old ones away, sometimes have multiple phones, sometimes multiple computers. IPv6 would provide 5000 addresses for every micrometer of the surface of the earth. Giving everyhousehold on the internet a full 255 address block would be a fairly conservative approach in relation ot the address space.

    Don't you want to see that world? Especially knowing it doesn't mean your can't have a router to share a net connection, and knowing that you can still be firewalled? Having public addresses means that you can configure your router not to block port x on ANY computer in your network, instead of being able to forward port x to ONE computer in your network.

    Let's just hope when IPv6 becomes mainstream one can register for addresses without a fee right up on a website instead of the political review that is required now.

  8. Re:IPv6 Support - everywhere important by anticypher · · Score: 5, Interesting

    I have IPv6 from my ISP. Its enabled by default for every one of their clients, and has been for more than 2 years. Most of the other small providers in Europe are now offering it standard, and I have talked with one large telco who will be trialing it this year, for a rollout before a big marketing push in September.

    But as the whingey Garfinkel points out, the U.S. is very much behind the curve in IPv6 rollouts. Typical corporate american incompetence.

    As for routers, all real routers have it. It takes more effort today to get a cisco router without IPv6, because all the machines being delivered recently come with a version of IOS which has IPv6 installed. Just waiting for a Cisco Certified Button Pusher to configure it correctly, and bob's your uncle.

    I have my own /48 block of IPv6 at home. All my machines speak it, Solaris, Mac, Windoze, BSD, cisco, Nokia, Ericsson. My firewall filters both IPv4 and IPv6 with no problem, the rulesets are quite similar. With autodiscovery, router advertisements, and all the other cool protocols built into the IPv6 specs, adding a new machine means it just works.

    While typing this response, I ran some statistics on web servers I manage. Approximately 5% of the traffic was IPv6 during the month of December, up from about 2% last June. That means that 5% of the PCs out there have IPv6 enabled, connected to an ISP offering IPv6, and are using an IPv6 capable browser like mozilla or IE6.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  9. Flaws a little more dramatic than the political... by Scott+Robinson · · Score: 4, Interesting

    I went through the entire current posted responses, and I'm suprised people missed mistakes that - in the words of my girlfriend - must mean that the author was simply having a bad day and couldn't be writing this as a serious article.

    The most important thing that IPv6 does is quadruple the size of the Internet address field from 32 bits to 128 bits.

    Quadruple? 2^32 * 2 != 2^128. In fact, there is a very distinct difference. I would hope a writer for the M.I.T. Tech Review would know the difference.

    One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there's never a good time to have people start deploying systems that are only V6--that's because somewhere, somebody is going to have a machine that's V4 only, and they won't be able to communicate with you.

    This is so horribly backwards, he must be joking. One of the points of IPv6 is that IPv4 can be routed within and through it. (visa-versa too, but let's assume we're taking about an all v6 net) The real worry would be when someone created a v6 only site that some v4 person wouldn't be able to address.

    Ugh. I think IPv6 upgrade path will be similar to analog and digital cell phones. They're still able to route to each other, and the improved features and quality of connections have caused people to leave older analog phones. The older phones still have better coverage; but, the newer phones are still able to switch to analog mode if necessary.

    Problems with a v6 peer not being accessible to a v4 peer aren't too worrying to me. The same technologies enabling Akamai and NAT will almost certainly solve that.

    One obvious solution is an automated DNS -> TCP/IP forwarding service:

    1. Your v4 peer performs a lookup for a v6 address it cannot access.
    2. The DNS server notes your IP and responds with a forwarding v4->v6 peer.
    3. The DNS server instructs the fowarding peer of the v6 adderess you're attempting to access.
    4. When you contact the v4->v6 peer, it performs NAT to the v6 peer.

    Amy is cute.

  10. Re:NAT is bad? by tftp · · Score: 4, Interesting
    Though I'm still curious why my appliances need to surf the web.

    Your appliances can surf the Web even through NAT, it is perfect for that. The difference begins when your service center can ssh into your fridge and troubleshoot it remotely. That you can not have with a standard, untweaked NAT.

    This is not a contrived example, BTW. I have a fridge in my rental apartment which sometimes vibrates a lot, but often it does not. Since I don't own the fridge, I don't care as long as it's minor. But a properly designed modern fridge would be able to monitor itself, signal the service center when something bad happens, and upload the diagnostics data for the mechanic to see.

    As another example, I have a bread maker. It has a timer, but how would I know when I am going home a whole working day ahead? So I don't use it. If I have an internet connection to the bread maker, I could begin the baking cycle 3 hours before going home, and get a nice loaf exactly when I need it.

    It is also hard to argue that you'd like to ssh into your VCR or Tivo and program them to record something that you just remembered. More than once people called me and asked to tape Buffy or something because they forgot :-)

    Some of my friends are seriously involved with home automation. They have tons of gadgets, sensors, motors and everything else. Currently, a Web server is used to control all that. But that is extra complexity. With IPv6 you add devices as you need them, and they are instantly online, accessible to you as long as you have the IPSec key or whatever you choose to secure them.

  11. Re:Another "IPv6 won't be here soon" article... by Omnifarious · · Score: 4, Interesting

    The solution is for routers sold with IPv6 support to come configured by default to have rules that prevent any incoming connections from the 'outside', wherever that may be for the router in question. That's just as secure as NAT, and doesn't have the stupidity of non-adressable nodes that somehow still get IP traffic from the outside.

    Have you ever thought that IPv6 might actually increase security? It makes address scanning completely impractical. The method by which Code Red, and several other worms have spread would no longer work at all.