MIT Technology Review Slams IPv6
PCM2 writes "In the MIT Technology Review, Simson Garfinkel, noted author of Internet security books, writes that "the next version of the Internet Protocol, IPv6, will supply the world with addresses by the trillions. Too bad it will also make the Net slower and less secure." His article goes on to explain that all IPv6 code is untested and therefore insecure; that IPv6 makes encourages 'peer-to-peer based copyright violation systems'; and of course, that the switch is never going to happen anyway (and yet, somehow, the United States is 'falling behind')."
...by David Weekly can be found here.
Good summary of CIDR and NATing adoption, too.
The Army reading list
MIT is one of the great hogs of current IP addresses; maybe if issues like this were addressed no new system would be necessary.
vampirical
Well sure the ipv6 code isn't as tested as ipv4 and might be insecure at first... But did that stop the internet from being built on ipv4? It's a stupid argument against upgrading to a new technology.
Cthulhu Saves.
Sure, they're not exactly the most honourable or squeaky clean businesses on the planet, but they sure as hell are the most popular.
0110100100100000011000010110110100100000011000100
security and functionality over speed. Speed will catch up, eventually. doing NAT everywhere sucks. If speed is the biggest con, then, well, there is no con.
These problems go away when every computer on the Internet really does have its own IP address--something that's impossible today with IPv4, but which is the raison d'etre for IPv6. In a world with IPv6 and without NAT, every computer in my house has its own unique IP address on the public Internet. That means my desktop can open up a peer-to-peer connection with my desktop at work, but it also means that my daughter can network her machine directly with some teenybopper P2P network in San Jose. Getting everybody's home machine out from being a NAT box should make possible a lot of interesting applications that are either very difficult or downright impossible today. And in all likelihood, some of those applications will not be popular with the Recording Industry Association of America or the Motion Picture Association of America, both of which have taken the lead against peer-to-peer networks. As soon as they understand what a threat IPv6 is to their police actions, they are likely to start fighting against.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
Cisco routers support it, as do the routing stacks in Linux and the BSDs. If you would have read the article, you would have at least known Cisco routers support ipv6.
Cthulhu Saves.
The result of this decision made nearly 30 years ago is that the Internet simply cannot handle more than 2^32 or 4,294,967,296 devices.
Your statement that 'no routers have it' is quite simply a pile of rubbish; Cisco, Juniper, Foundry, and Nortel routers all support IPv6 in at least one version of code, if not multiple versions.
If by 'routers' you mean Linksys, Belkin, or D-Link, you really need to redefine your concept of the word.
Hey MIT - do you really need/use all 16.7 million IPv4 rotable addresses you have? Why not share a few?
Don't blame me, I voted for Kodos
I ssh over ipv6 all the time -- it's just like v4 but prints out a really ugly address the first time you connect.
Will I need to update my apt.sources file?
Probably not if your favorite apt servers support it as well. Most of the switching over is handled by DNS (which has had v6 support for quite a while).
Damn, with only 3 routers at the medium-sized business I work for, this is going to cost us $187,500 !!! No IPV6 for us.
Walker sees NAT as encroaching oppression by the "powers that be", whereas Garfinkel seems to take the "powers that be" point of view! Simson how you've changed!
In fact, Walker is skeptical that even IPv6 could promote "consumers" back to "peers":
IPv6 makes encourages 'peer-to-peer based copyright violation systems'
That sounds like a plus to me.
Karma: It's all a bunch of tree-huggin' hippy crap!
"It will be the biggest, the most drastic, and the most comprehensive change to the underlying structure of the Internet in more than 20 years. "
I'd love that thought applied to space.. It's so confusing, and hard to do, we should tuck our tail between our legs and run! This change will happen one router at a time.. correct me if I'm wrong.. but I do believe IPv4 addresses will coexist with IPv6. And lets face it.. for the most part, this will be done my highly experienced techs at the ISPs, and filter down to very experienced end users at business. Dialup and High Speed users could use IPv4 for ages sitting behind their ISP's big gateways.
"The deployment of IPv6--the sixth version of the Internet Protocol--will be a massive undertaking that will require the reconfiguration of more than 100 million computers."
It's not like this will happen over night.. and one day all the end users (hi mom) will have to become IPv6 Gurus. Once again, we're back to.. It's hard.. lets run away.
"But when the IPv6 rollout is finally done, not all the effects will be positive"
Argh.. this guy bugs me.. He seems to totally forget about the evolution of software.. Of course it'll be slow at the beginning.. then some company like Nortel will put it all into a hightech ASIC chip.. and we'll leave IPv4 in the dust. For each of his arguements.. there's a swell counter arguement, that's never far from reach.
Faz
-=-Ze End-=-
Quote: "Put another way, the switchover will result in roughly 5,000 addresses for every square micrometer of the Earth's surface. There are so many IPv6 addresses that humanity will never run out of them--never, ever."
I bet they said that when IPv4 was invented.
This sig is in Spanish when you're not looking....
"Japan, China and South Korea will jointly develop the next-generation Internet technology IPv6, aiming to have the global standard for the technology set in Asia, the Nihon Keizai Shimbun reported yesterday.
US firms now dominate the market for equipment like routers that serve as the infrastructure for the current IPv4-based Internet.
By working together, the three countries aim to take the lead in developing technologies for a world in which all equipment is connected to the Internet"
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
That's absolutely not true. IPv6 info @ Cisco. I quote: "In May 2003, the availability of Cisco IOS 12.3 Mainline that integrates the IPv6 feature set from 12.2(15)T enables production deployment for all Cisco based networks." Obviously routers have it. Linux has it as well, so it's certainly not an MS-only thing.
The problem with IPv6 isn't software or hardware -- it's politics and money. There's no benefit to service providers to update their IPv4 setup to do IPv6 because they'd have to find some way to still talk to the "normal" IPv4 internet (because, really, who wants to get on an ISP that isn't on the internet?). Additionally, many ISPs charge a premium on extra IP addresses. What makes you think that they want to ditch that income so you and I can each address our refrigerator from the supermarket to see how much milk is left?
There is absolutely no security requirement! Security is supposed to be applied in other layers, with SSL and stuff running on top of an assumed unsecure link.
It would be *nice* if there was better encryption support at low levels, to overall prevent information leaking, but even total lack of such features would mean no step back from IPv4.
Unless IPv4 is "unplugged", there's no hard reason for the end user to switch to IPv6. Right now, everything in my house that wants an IP address can have a 10.x.x.x address behind my NAT, and those that need to have a dedicated port can have their port forwarded at the router.
Nobody's going to run out of IPv4 addresses if they can set up a NAT, which is why IPv6 is waiting to jump in during a crisis that just isn't coming.
nobody will ever need more than 640 IP addresses.
Actually, many backbones have switched to IPv6 because ROUTING is FASTER on IPv6 than IPv4.
On this simple fact I assume that the author of this article just doesn't know what he is talking about. The same goes for security and for NAT (which is less secure as a protection than he even thinks it is).
IPv4 has seen many, many security issues in the *recent* past btw (ISN Prediction anyone ? Spoof with any ip)
He also forgot that there are tunnels from ipv4 to ipv6 and from ipv6 to ipv4, effectively adding compatibility. If someone is stuck with ipv4 somewhere on the globe, np, he sets up a tunnel to ipv6 and no one is stuck. Damn FUD, I say.
refs:
IPv6 FAQ
Routing (IPv6 has fewer headers => faster routing; better QoS => more efficient network; etc.)
Getting everybody's home machine out from being a NAT box should make possible a lot of interesting applications that are either very difficult or downright impossible today. And in all likelihood, some of those applications will not be popular with the Recording Industry Association of America or the Motion Picture Association of America, both of which have taken the lead against peer-to-peer networks. As soon as they understand what a threat IPv6 is to their police actions, they are likely to start fighting against.
I have no strong opinions on the technical merits of IPv6 but I want to address the above statement, and the (IMHO) wrongheaded mentality behind it.
Why should the fact that these monopolistic groups oppose new, useful technologies, lead anyone to the conclusion that those technologies should be abandoned? Shouldn't we rather abolish the MPAA and RIAA?
When the light bulb was invented, did anyone argue we should abandon it because the candlestick industry would oppose it?
The truth is that new digital technologies are making "content" businesses like those represented by the *AA's obsolete. There is no benefit to society to engage in costly, counterproductive and futile "wars" against P2P and other useful new technologies in the name of enforcing "intellectual property" laws created in a different era that now benefit only special interests and not the public interest.
Everyone seems to be switching from Linux 2.4.x to 2.6.x
Now we're going from IPv4 to IPv6
What the fuck do you people have against the number 5?
--I don't want the world, I just want your half.
But still a bit harsh on IPv6....
As to the notion of never running out of address space 'never, never' as he puts it, I wouldn't be so sure. The 32-bit address space provides 4.2 billion addresses. With that in mind, we are much nearer to exhaustion than current usage would dictate. It is all about the allocation, and if sloppy allocation occurs, the 128-bit address space of IPv6 could be exhausted too. For example, the architecture of current implementations make it so that the smallest subnet anyone will likely allocate are 64-bit networks, and use MAC addresses (or something else, but still 64-bit, because it's easy), so immediately you take the address space down tremendously. Still should be well more than enough for everyone on earth to have a /64 network, but it has yet to be seen whether certain organizations might, for the hell of it, get allocated /8 networks because they can. As near as I can tell, the high 16 bits seem to be somewhat protected, but you never know what will happen. If there is a grab for /8 networks among big players, you have the same problems that IPv4 has today.
As to security implications, it is true that implementations will be for the short term future less tested and therefore likely to contain critical flaws, but still IPv6 code is receiving a fair amount of testing, and critical flaws will not be quite so devastating as you may think, no more than an Apache, Linux Kernel, or MS security exposure, which we have seen all of in fairly recent history without the sky falling....
Of course the wrinkle in this is a lot of the 'home router' concepts that happen to protect common home systems will cease to provide that protection. They provide NAT features, therefore masking to an extent the system behind the device. Despite what the author says about NAT being bad because it doesn't protect against things like browser exploits and physical intruders, NAT is on the level of firewalling in terms of protection. Any reasonable network security person will realize that browser exploits, email worms, and physical intrusion must always be kept in mind, and it has nothing to do with NAT or firewalling. NAT remains effective at, for example, fending off web server and rpc attacks from unsuspecting or experimenting workstations.
If NAT goes away (hopefully), people need to be mindful of good old firewalling strategies. Implementations are maturing (the experimental ip6tables implementation, for example, is closely approaching the ipv4 iptables feature set). If cable/dsl 'routers' revert to hubs in a wealth of addressing, I expect either cable/dsl 'firewall' devices or increased ISP vigilance to deal with the more widespread system exposure.
All that said, I like IPv6 (my desktop, gateway, and laptops are using IPv6 and each have public IPv6 addresses, keep NAT on IPv4 on some systems), but I (and everyone else) has been waiting and watching a long long time and no encouraging migrations are yet to be seen, and I doubt the near future will bring any incentive to push such a change.
XML is like violence. If it doesn't solve the problem, use more.
Don't worry, having IPV4 addresses as a sub-block of IPV6 addresses, dual IPV4/IPV6 hosts, and IPV6 protocol encapsulation was such a good idea that the designers of the IPV6 protocol decided to use it.
They even made it simple! If my IPV4 address is 203.131.45.99 my IPV6 address will be 0:0:0:0:0:0:203.131.45.99 (there's even an abbreviated notation for a V6 address which would just be ::203.131.45.99).
The likelihood is that the migration to V6 isn't proceeding as fast as possible for political and financial reasons rather than technical ones.
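The embedded-IPv4 notation in the post above has a practical security consequence that is worth seeing in code. The spelling ::203.131.45.99 is the old "IPv4-compatible" form, which RFC 4291 deprecated; what a dual-stack socket actually hands an application for an IPv4 peer is the IPv4-mapped form ::ffff:203.131.45.99. An access-control list written against dotted-quad strings will silently miss that spelling unless the address is normalised first. The following is an added example, not code from the post or from any of the implementations it mentions; the deny list is constructed for illustration and the function names are my own.

```python
import ipaddress

# Constructed example rule set: an IPv4-only deny list, the kind written
# before dual-stack sockets existed. The address is the one from the post.
DENY_V4 = {ipaddress.IPv4Address("203.131.45.99")}


def to_canonical(addr):
    """Fold an IPv4-mapped IPv6 address back to its IPv4 form.

    A dual-stack (AF_INET6) socket hands an application ::ffff:a.b.c.d for an
    IPv4 peer (RFC 4291, section 2.5.5.2). The ::a.b.c.d form from the post
    is the older "IPv4-compatible" notation, deprecated by RFC 4291; it is
    left alone here and treated as an ordinary IPv6 address.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_is_denied(addr):
    """Bypassable check: matches only the literal dotted-quad spelling."""
    ip = ipaddress.ip_address(addr)
    return isinstance(ip, ipaddress.IPv4Address) and ip in DENY_V4


def is_denied(addr):
    """Hardened check: normalise first, then match the IPv4 rule set."""
    ip = to_canonical(addr)
    return isinstance(ip, ipaddress.IPv4Address) and ip in DENY_V4


def same_low_bits(v4, v6):
    """True when the IPv4 address occupies the low 32 bits of the IPv6 one,
    which is what the post's 0:0:0:0:0:0:203.131.45.99 spelling expresses."""
    return int(ipaddress.IPv4Address(v4)) == (int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF)


if __name__ == "__main__":
    for a in ("203.131.45.99", "::ffff:203.131.45.99", "::203.131.45.99", "2001:db8::1"):
        print(a, "naive:", naive_is_denied(a), "hardened:", is_denied(a))
```

The same normalisation step belongs anywhere an address is compared against a rule, logged, or used as a rate-limit key; otherwise a peer reached through an IPv6 listener on a dual-stack host gets a second identity for free.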
Yes, even then.
Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it, and each human has 1 billion devices that need IP addresses. In that case, only 1/340,282nd of the possible 128-bit IPv6 addresses would need to be assigned.
The problem with NAT is that it breaks some protocols, eg FTP. The protocol says something like "My IP address is X, make a connection back to me.", but with NAT the computer reports its IP as something that's not a valid public address. That not only breaks some protocols, but you can use that to tunnel in past a firewall onto a private network in some cases.
The other problem is more aesthetic than anything... but it can be a problem if the NAT device is badly configured. Because it has to translate incoming and outgoing packets, the NAT device must track the state of the incoming and outgoing connections. This takes memory, and sometimes there's not really any way for the NAT device to tell when the connection has been severed. So it has to time them out, and this can result in connections evaporating without warning when the server and the client want them to stay open.
Fortunately, you can usually set this to something more reasonable with OpenBSD or Linux (or another BSD, Solaris, whatever). OpenBSD 3.4 with "set optimization conservative" waits 5 days. I've never had any problems with that, but it's tweakable if necessary.
When someone might yell at me, it has to be OpenBSD.
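Two of the posts above make the same point from different directions: the one about NAT going away says the protection people attribute to NAT is really stateful filtering, and the one just above says the state table is also where NAT's own failure mode lives, because idle entries must be timed out and a late packet then finds no state. The following added example (my code, not from either poster, and not a model of any particular firewall) is a minimal connection tracker that shows both: outbound flows from a public IPv6 prefix open state, replies are admitted against the reverse key, unsolicited inbound SYNs are dropped with no address translation involved, and an entry that sits idle past the timeout is expired so the next reply is dropped. The prefix, the timeout and the packet sequence are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: RFC 3849 documentation prefix and a short idle timeout
# (the post's OpenBSD "conservative" setting is five days).
HOME_NET = ipaddress.ip_network("2001:db8:1::/64")
IDLE_TIMEOUT = 300.0  # seconds


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # "S" marks a TCP SYN; anything else is a non-opening packet


class StatefulFilter:
    """Stateful packet filter with no NAT: public addresses on both sides."""

    def __init__(self, home_net=HOME_NET, idle_timeout=IDLE_TIMEOUT):
        self.home = home_net
        self.idle_timeout = idle_timeout
        self.table = {}  # (src, sport, dst, dport) -> last-seen timestamp

    def _expire(self, now):
        # Same mechanism the post describes: the filter cannot know a flow is
        # dead, so it ages entries out and a late packet finds no state.
        dead = [k for k, t in self.table.items() if now - t > self.idle_timeout]
        for k in dead:
            del self.table[k]

    def handle(self, pkt):
        self._expire(pkt.ts)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.table:          # part of a known flow, either direction
                self.table[key] = pkt.ts   # refresh idle timer
                return "ACCEPT"
        # Only an inside host sending a SYN may create new state; an outside
        # SYN to a public inside address is dropped without any translation.
        if ipaddress.ip_address(pkt.src) in self.home and pkt.flags == "S":
            self.table[fwd] = pkt.ts
            return "ACCEPT"
        return "DROP"


def run_demo():
    """Replay a constructed packet sequence and return the verdicts."""
    home, peer = "2001:db8:1::10", "2001:db8:ffff::80"
    f = StatefulFilter()
    flow = [
        Packet(0.0, home, 40000, peer, 80, "S"),    # outbound SYN opens state
        Packet(0.1, peer, 80, home, 40000, "SA"),   # reply matches reverse key
        Packet(0.2, peer, 80, home, 40000),         # data on the same flow
        Packet(1.0, peer, 80, home, 445, "S"),      # unsolicited inbound SYN
        Packet(900.0, peer, 80, home, 40000),       # reply after the idle timeout
    ]
    return [f.handle(p) for p in flow]


if __name__ == "__main__":
    print(run_demo())
```

The fourth verdict is the protection the home-router posts credit to NAT; the fifth is the evaporating-connection problem the OpenBSD post describes, and raising the idle timeout trades memory in the state table against it exactly as that post says.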
"Five is RIGHT OUT!"
IIRC, MIT has a class B IP range, meaning it has 255^3, or 16,581,375 IP addresses. while China and South Korea--with a combined population of more than 1.3 billion--have been allocated 38.5 million and 23.6 million respectively. Does that sound unfair to anyone? MIT having 6139 students, plus faculty and staff, compared to China having over 1 billion people. China as a whole barely has over twice what MIT has in IP allocation, while having 160,000 times more people. I believe this is a biased, pointless article, written by a moron who does not realize the enormity of what he's saying. Many Asian countries are literally running out of IP addresses, and he's complaining about "lack of security", and thinks that no routers support IPv6 (Pretty much ALL Cisco routers support IPv6 flawlessly.) This man does not know what he's talking about.
got sig?
I have IPv6 from my ISP. It's enabled by default for every one of their clients, and has been for more than 2 years. Most of the other small providers in Europe are now offering it standard, and I have talked with one large telco who will be trialing it this year, for a rollout before a big marketing push in September.
I have my own /48 block of IPv6 at home. All my machines speak it, Solaris, Mac, Windoze, BSD, cisco, Nokia, Ericsson. My firewall filters both IPv4 and IPv6 with no problem, the rulesets are quite similar. With autodiscovery, router advertisements, and all the other cool protocols built into the IPv6 specs, adding a new machine means it just works.
But as the whingey Garfinkel points out, the U.S. is very much behind the curve in IPv6 rollouts. Typical corporate american incompetence.
As for routers, all real routers have it. It takes more effort today to get a cisco router without IPv6, because all the machines being delivered recently come with a version of IOS which has IPv6 installed. Just waiting for a Cisco Certified Button Pusher to configure it correctly, and bob's your uncle.
While typing this response, I ran some statistics on web servers I manage. Approximately 5% of the traffic was IPv6 during the month of December, up from about 2% last June. That means that 5% of the PCs out there have IPv6 enabled, connected to an ISP offering IPv6, and are using an IPv6 capable browser like mozilla or IE6.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
I went through the entire current posted responses, and I'm surprised people missed mistakes that - in the words of my girlfriend - must mean that the author was simply having a bad day and couldn't be writing this as a serious article.
The most important thing that IPv6 does is quadruple the size of the Internet address field from 32 bits to 128 bits.
Quadruple? 2^32 * 2 != 2^128. In fact, there is a very distinct difference. I would hope a writer for the M.I.T. Tech Review would know the difference.
One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there's never a good time to have people start deploying systems that are only V6--that's because somewhere, somebody is going to have a machine that's V4 only, and they won't be able to communicate with you.
This is so horribly backwards, he must be joking. One of the points of IPv6 is that IPv4 can be routed within and through it. (vice versa too, but let's assume we're talking about an all v6 net) The real worry would be when someone created a v6 only site that some v4 person wouldn't be able to address.
Ugh. I think IPv6 upgrade path will be similar to analog and digital cell phones. They're still able to route to each other, and the improved features and quality of connections have caused people to leave older analog phones. The older phones still have better coverage; but, the newer phones are still able to switch to analog mode if necessary.
Problems with a v6 peer not being accessible to a v4 peer aren't too worrying to me. The same technologies enabling Akamai and NAT will almost certainly solve that.
One obvious solution is an automated DNS -> TCP/IP forwarding service:
Amy is cute.
The current solutions to this are:
- IPv6
- UPnP
Fortunately, the two are compatible (since UPnP v2.0), but I see UPnP being deployed more rapidly than IPv6 in the future. Your appliances can surf the Web even through NAT, it is perfect for that. The difference begins when your service center can ssh into your fridge and troubleshoot it remotely. That you can not have with a standard, untweaked NAT.
This is not a contrived example, BTW. I have a fridge in my rental apartment which sometimes vibrates a lot, but often it does not. Since I don't own the fridge, I don't care as long as it's minor. But a properly designed modern fridge would be able to monitor itself, signal the service center when something bad happens, and upload the diagnostics data for the mechanic to see.
As another example, I have a bread maker. It has a timer, but how would I know when I am going home a whole working day ahead? So I don't use it. If I have an internet connection to the bread maker, I could begin the baking cycle 3 hours before going home, and get a nice loaf exactly when I need it.
It is also hard to argue that you'd like to ssh into your VCR or Tivo and program them to record something that you just remembered. More than once people called me and asked to tape Buffy or something because they forgot :-)
Some of my friends are seriously involved with home automation. They have tons of gadgets, sensors, motors and everything else. Currently, a Web server is used to control all that. But that is extra complexity. With IPv6 you add devices as you need them, and they are instantly online, accessible to you as long as you have the IPSec key or whatever you choose to secure them.
That means my desktop can open up a peer-to-peer connection with my desktop at work, but it also means that my daughter can network her machine directly with some teenybopper P2P network in San Jose.
I just don't understand this part. This is nothing specific to IPv6. This is how the internet works. People can already connect like this, and it's pretty obvious that they DO network like this. Or, did P2P networks suddenly die while I was asleep?
IPv6 creates much larger headers, so there's more overhead, particularly, as a percentage, on short packets (voice, ACK's, etc.). So it'll waste bandwidth, or lower effective throughput on fixed bandwidths.
Just some sanity checking here: IPv6 headers are only 2x the size of IPv4 headers. Folks with truly constrained bandwidth (like dialup users) can do what they do now: compress the headers (which btw, should be easier to do with IPv6). Anyway, given how much dark fiber is out there right now and how network technology continues to improve bandwidth at a pace that makes Moore's law seem kind of conservative, I think we can afford to make our headers 2x as large, particularly if it allows our routing tables to be smaller and our routing to be more efficient in general. In our current scheme, IPv4 throws away a lot of performance that IPv6 gets us back. The assumption that IPv6 is going to kill performance is ridiculous.
sigs are a waste of space
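The header-size argument in the exchange above, and the earlier claim that routing is faster on IPv6 because the header is simpler, both come down to concrete byte layouts that are easy to check. The following added example (my code, not from the posts or from the article) builds a minimal header of each version with struct, parses either one back by switching on the version nibble, and computes the on-the-wire size for the same transport segment. The addresses and segment lengths are constructed for illustration. Two things the comments gesture at become visible in the code: the IPv6 header is a fixed 40 bytes with no length field to validate and no header checksum to recompute at every hop, while the IPv4 header has a variable IHL that a parser must bounds-check before trusting any offset.

```python
import ipaddress
import struct

IPV4_MIN_HDR = 20   # bytes without options; IHL field can grow it to 60
IPV6_HDR = 40       # bytes, fixed; options live in extension headers


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64):
    """Minimal IPv4 header, no options. Header checksum left at 0 here."""
    version_ihl = (4 << 4) | (IPV4_MIN_HDR // 4)
    return struct.pack("!BBHHHBBH4s4s",
                       version_ihl, 0, IPV4_MIN_HDR + payload_len,   # ver/IHL, TOS, total length
                       0, 0, ttl, proto, 0,                           # id, flags/frag, TTL, proto, checksum
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_ipv6_header(src, dst, payload_len, next_header=6, hop_limit=64):
    """Fixed 40-byte IPv6 header: no checksum field, no variable length."""
    ver_tc_flow = 6 << 28   # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB16s16s",
                       ver_tc_flow, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ip_header(buf):
    """Decode either header from raw bytes; the version nibble selects the layout."""
    version = buf[0] >> 4
    if version == 4:
        hdr_len = (buf[0] & 0x0F) * 4
        if hdr_len < IPV4_MIN_HDR or len(buf) < hdr_len:
            raise ValueError("bad IPv4 header length")
        total_len = struct.unpack("!H", buf[2:4])[0]
        return {"version": 4, "header_len": hdr_len,
                "payload_len": total_len - hdr_len, "proto": buf[9],
                "src": str(ipaddress.IPv4Address(buf[12:16])),
                "dst": str(ipaddress.IPv4Address(buf[16:20]))}
    if version == 6:
        if len(buf) < IPV6_HDR:
            raise ValueError("truncated IPv6 header")
        payload_len, next_header = struct.unpack("!HB", buf[4:7])
        return {"version": 6, "header_len": IPV6_HDR,
                "payload_len": payload_len, "proto": next_header,
                "src": str(ipaddress.IPv6Address(buf[8:24])),
                "dst": str(ipaddress.IPv6Address(buf[24:40]))}
    raise ValueError("unknown IP version %d" % version)


def wire_sizes(segment_len):
    """Total IP packet size carrying the same transport segment, as (v4, v6)."""
    return (IPV4_MIN_HDR + segment_len, IPV6_HDR + segment_len)


def overhead_pct(segment_len):
    """Extra bytes IPv6 adds over option-less IPv4, as a percentage of the v4 size."""
    v4, v6 = wire_sizes(segment_len)
    return round(100.0 * (v6 - v4) / v4, 1)


if __name__ == "__main__":
    # A bare TCP ACK (20-byte TCP header, no data) versus a full-size segment.
    for seg in (20, 1480):
        print("segment %4d bytes: v4 %4d, v6 %4d, +%.1f%%" % ((seg,) + wire_sizes(seg) + (overhead_pct(seg),)))
    print(parse_ip_header(build_ipv6_header("2001:db8::1", "2001:db8::2", 20)))
```

For a bare ACK the extra 20 bytes is a 50% increase, which is the point the first poster makes; for a full 1480-byte segment it is about 1.3%, which is the point the reply makes. The parser also shows why filtering code has to be written for both layouts explicitly rather than assuming a 20-byte header.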
Or, more generally, all the people who had a working box before, and don't want to touch it. It may be running an old OS and a bunch of old apps, and everything might work fine.
Some people, who don't live in the real world, like to think of this type of thing as something that can just be phased out in a few years. Everyone will patch their systems slowly, and vendors will recompile the code with new libraries, and old routers will be replaced with hardware IPv6 routers, and then, magically, everyone is using IPv6.
The reality is that people won't patch their systems, routers will work for eons and nobody wants to replace them, and app vendors are long gone because they don't make money on your legacy app anymore.
This reminds me of arguments about switching to linux. I love GNU and linux of course, but we have a tendency to think of some typical case of an office or home user. But so many people, especially those most likely to care about switching, are atypical. To assume that everyone needs the same things out of a computer is to turn it into an appliance, which has been shown to completely fail. It ends up that someone has an intricate, delicate system, and nobody in their right mind wants to touch it.
Social scientists are inspired by theories; scientists are humbled by facts.
IP version numbers Damn, this isn't lame, hope it isn't lame enough now.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
He is fairly aggressive at attacking IPv6, and even contradicts himself in his fury against the protocol...
all IPv6 code is untested and therefore insecure
Yes, if you don't count university networks that have been using 6bone for several years now. Read up a bit on 6bone, and you'll see that the primary purpose of it is to function as a testbed for IPv6. But of course, computer scientists aren't really able to find and fix problems in the protocol.
IPv6 makes encourages 'peer-to-peer based copyright violation systems
I won't even comment on this...
Deploying IPv6 means that every application that uses Internet addresses needs to be changed.
However, isn't IPv6 designed to be backwards compatible? I.e. have a separate address space that emulates IPv4? So there isn't an urgent need to switch *now* when it starts getting used? Using the IPv6 stack should not mean an inability to talk with IPv4 clients.
Today, most routers come equipped with special-purpose integrated circuits that can route IPv4 packets very quickly. But because there is no demand for it, those routers don't have similar hardware that can route V6 in hardware
I'll just let him contradict himself:
"The code that lets computers talk on an IPv6-enabled network is now built into the current versions of Windows XP, MacOS, Linux, and many forms of Unix. Every router made by Cisco comes ready to run IPv6. So does every Nokia mobile phone. The whole world is getting dressed up for the IPv6 party."
If they're already implementing software support for IPv6 before it's even starting to get used, doesn't he think this is a sign that the manufacturers are dedicated to bring hardware IPv6 support once it gets even more widely used? If not, he needs to explain why.
He complains about upgrade costs too, which seems to be a concept never heard of or experienced by him before, as he seems to be in shock while discussing it.
But what IPv6 boosters won't tell you, unless you press them, is that every new IPv6 nameserver, Web server, Web browser, and so on has new code--code in which security problems may lurk.
True, updated software might get new bugs if they aren't tested properly. What's new? This risk is taken daily by adopters of upgraded or new software.
Beware: In C++, your friends can see your privates!