Slashdot Mirror


IPv6 for the Linksys WRT54G

AndersBrownworth writes "Earthlink Research and Development has released a firmware load for the Linksys WRT54G wireless access point that supports end-to-end IPv6. They suggest features such as extremely large address space, stateless autoconfiguration and low cost restoration of end-to-end addressability will revolutionize IP communications. It would be interesting if releases like this significantly boost the IPv6 take-up rate but as far as I know, Earthlink doesn't supply end-to-end IPv6 yet."

19 of 232 comments

  1. How does this increase adoption rate? by eln · · Score: 3, Insightful

    Plenty of devices and operating systems fully support IPv6, but that doesn't mean anyone uses it. With things like widespread usage of NAT making the IP availability crunch less and less of a problem, there is no real incentive for the average user to convert to IPv6.

    1. Re:How does this increase adoption rate? by FrankSchwab · · Score: 2, Insightful

      Yeah, it does a great job of breaking all those incoming connections from, say, the 1000 worms traversing the internet as well. I'll stick with having to configure my router to forward a port, thank you.

      --
      And the worms ate into his brain.
    2. Re:How does this increase adoption rate? by jsoderba · · Score: 2, Insightful

      You never heard of firewalls? A firewall is much easier to configure than a NAT network.

    3. Re:How does this increase adoption rate? by Anonymous Coward · · Score: 1, Insightful

      When (if) IPv6 comes about, they'll probably give you a whole block of IPs. Not just 1.

  2. IPv6 incremental support won't help by jquiroga · · Score: 4, Insightful

    Some people think incremental steps like this will somehow help IPv6 rollout worldwide. I think that is a completely different problem, and very hard to solve. Any volunteers to solve the hard and difficult problem?

    The best description I know about The Problem comes from Dan Bernstein, The IPv6 mess.

    The IPv6 designers don't have a transition plan. They've taken some helpful steps, but they typically declare success (``IPv6 support'') when the real problem---making public IPv6 addresses work just as well as public IPv4 addresses---still hasn't been solved.

    1. Re:IPv6 incremental support won't help by mellon · · Score: 3, Insightful

      Dan does mention some real problems on the page to which you've linked, and I agree with some of his criticisms of the IPv6 process, where a lot has been invented prior to identifying a need for it, and in many cases all of this theoretical invention has wasted valuable time and opportunity.

      However, a lot of what he says is quite out of date at this point. Furthermore, he complains that he's willing to hack but wants to be able to autoconfigure his hosts, and the implication is that he would hack if only he were told what to hack on, which frankly doesn't sound like the Dan we've all grown to know and love in the DNS world. If he really wants to fix these problems, the best way to show what the big bad people at IETF are doing wrong is to demonstrate it with working code.

      The fact is that right now having an IPv6 address doesn't get you a whole lot of goodness in the U.S., and so we probably will be the last to adopt it if everybody here maintains your attitude.

      IPv6 deployment in Asia is a reality, and to a lesser extent this is true in Europe as well. Anywhere where the IP infrastructure is being expanded is an easy place to deploy IPv6. 6to4 gateways are doable, just as are NATs. So you will see widespread deployment of IPv6 in Asia in the relatively near term.

      As far as the U.S. and Europe go, slashdotters are precisely the people who should be thinking about trying to use IPv6 as soon as possible - as geeks, we are the early adopters, and as we try out the technology and try to use it, the world will catch up with us. The more we poo-poo it and don't try to actually deploy it, the longer it's going to take to address the concerns that Dan raises, and, I think, the more it's going to cost us in the long run.

      One last thing: IPv4 link local addressing is fairly badly broken. If you want to be able to do link local addressing, it works a lot better in V6-land. This is largely an accident - nobody thought to cripple it until it was too late. But it's still true that you do get some value from deploying IPv6, even if only within your own home. If you use Rendezvous/Bonjour, you're probably already using IPv6 and just don't know it yet.

    2. Re:IPv6 incremental support won't help by jquiroga · · Score: 3, Insightful

      You're right in the technical aspects, but I believe the big problem isn't technical.

      I agree with Dan in these two:
      • The big mistake was not to extend IPv4 to make it easier for normal users to adopt the New Way.
      • The problem that the previous mistake caused is that most normal users are deadlocked, all of them waiting for the others to adopt the New Way first.
      That's why I think this discussion is quite relevant, especially if you expect IPv6 to finally enter the mainstream. It seems the mainstream is deadlocked. That won't be solved by pitching the technology, they don't care. They are sensitive to economic arguments and to marketing, and both are stacked against IPv6.

      I post from Europe, and we've been enticed and encouraged to adopt IPv6 for years. However, it remains exotic for most techies and almost completely unknown to normal users. Why? Because IPv4 already won. Even if I decide to embrace IPv6 myself, I can't recommend it to paying clients who hire me to help them avoid dumb mistakes. The adoption of a new technology to do the job of an existing and deployed old technology that seems to work OK, and a real expense to get some unknown benefit with no timeframe will look like a dumb mistake to many of them. And I can't change their short-term way of thinking.
  3. Re:Great! by fo0bar · · Score: 3, Insightful

    Don't forget about 172.x

    Don't forget that you are overlapping with public space if you use all of "172.x". Private space in the Class B range is only 172.16.0.0/12, or 172.16.0.0 - 172.13.255.255 (which is 1048576 IPs).

  4. Why IPv6 is needed by Jimmy_B · · Score: 5, Insightful

    This thread will of course trigger a bunch of replies from people saying we don't need IPv6, but in fact, we do, badly, and the need is only increasing with time.

    NAT helps somewhat, but if you're using NAT your computer can't receive incoming connections. That's a problem for servers, for peer-to-peer networking, for games, and for VoIP. Home users can usually work around this with their firewall configuration, but businesses usually can't (one important reason being that only one computer behind the firewall can receive connections this way, not multiple). And, as someone pointed out in the last IPv6-related thread, merging the networks of two corporations is a nightmare - they both use the same IP addresses.

    There are theoretically 4 billion IP addresses total. That sounds like a lot, but an IP address isn't just a number which can be assigned individually; what you do is hand out big consecutive blocks of them, so that routers can say things like "for 123.231.*.*, send packets in this direction". The shortage of IP addresses has introduced lots of special cases, so that internet routers need tons of memory and processing power to figure out the mess.

    Finally, switching to IPv6 cuts off one of the major ways worms propagate. The Sapphire worm, for example, worked by picking a random IP address and trying to infect it, repeating for a whole bunch of IPs, and it was able to double every 7 seconds. That works because the odds of finding a computer (not necessarily a vulnerable computer) is about 10%. With IPv6, that changes to 10^-28% - instead of doubling the number of infected computers every 7 seconds, it would've scanned for a few years, never find a single computer, and get disinfected.

    1. Re:Why IPv6 is needed by TCM · · Score: 2, Insightful

      Finally, switching to IPv6 cuts off one of the major ways worms propagate. The Sapphire worm, for example, worked by picking a random IP address and trying to infect it, repeating for a whole bunch of IPs, and it was able to double every 7 seconds. That works because the odds of finding a computer (not necessarily a vulnerable computer) is about 10%. With IPv6, that changes to 10^-28% - instead of doubling the number of infected computers every 7 seconds, it would've scanned for a few years, never find a single computer, and get disinfected.

      This might be true, but you can't make claims like "IPv6 prevents worm spreading" or that IPv6 "cuts off one of the major ways worms propagate". The effect might be the same, but relying on it would be security by obscurity. The only secure way is to secure the boxes, not "hide" them in vast address space.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:Why IPv6 is needed by tyagiUK · · Score: 3, Insightful

      I have to disagree.

      Firstly, most VoIP architectures currently look to SIP proxies for segmentation between the operator's network and the user agent or equipment. A SIP proxy is basically just an application-layer gateway. This type of software is being incorporated into many of the forthcoming customer premises equipment. Therefore, if your application layer gateway is at the edge of your network, proxying incoming and outgoing SIP requests, what does having end-to-end IPv6 buy you?

      Secondly, despite evidence of a shortage of IPv4 addresses, there is some confusion over what this really means. There is a shortage of AVAILABLE IPv4 addresses. This is distinctly different from having a shortage of UNALLOCATED IPv4 addresses. Basically, many telcos, ISPs and large institutions are sitting on some very large blocks of address space. This address space was handed out readily in the 1990s because demand (i.e. the dotcom boom) wasn't anticipated.
      Due to certain organisations receiving such large allocations, there was little or no control over how this resource was allocated to their networks. The result of this is highly wasteful allocation, some still using classful addressing (so summarising subnets on classful boundaries such as 255.255.255.0 or 255.255.0.0, /24 or /16). A similar problem exists where organisations have gradually learned about HOW to allocate public address space. In some cases, large portions of significant allocated blocks are wasted on infrastructure, customer link connections and some other, unnecessarily wasteful applications.

      Many of these places could actually go back over their allocated address ranges and re-claim huge chunks. All it requires is a motivation to do so and the time and resource to plan and execute it. At the moment, the motivation is rarely there and organisations would generally prioritise such activity at the bottom of a long list of things to do.

      The problem arises when they are required to demonstrate to their regional registrar that they have sensibly used their current allocations in order to obtain new blocks of unassigned space. Generally, this is when you will hear the cries of "Oh no, the Internet is running low on available IPv4 space! Panic!".

      Finally, your worm theory is just wrong. Yes, it decreases the probability of hitting an exploitable host, but it increases the depth to which the worm can scan. What I mean by this is that the worm will be able to scan into people's private networks if NAT and firewalling are not used. If rules are not explicitly put in place to protect your home IPv6 LAN, then worms will be able to scan all hosts from the outside.

      How many people put up a NAT/PAT box or a firewall, and then think they're perfectly safe from the outside? Most networks conform to the Twinkie theory -- crunchy on the outside and soft and squidgy in the middle. Chances are that an IPv6 home LAN would be totally unprotected once on the inside. If this inside is exposed to the Internet then the chances of remote exploitation increase dramatically in my opinion.

      --
      Contribute to the online videogame encyclopedia: GamerWiki
    3. Re:Why IPv6 is needed by pHDNgell · · Score: 2, Insightful

      NAT is a "Good Thing"(tm) because most machines shouldn't have incoming access from outside their LAN. The inconvenience of manually mapping incoming packets forwarding far outweighs the blatant lack of security. And god knows our networks are insecure enough already.

      NAT stands for ``Network Address Translation'' not ``Stateful Firewall.'' I will never understand why people confuse these things so easily.

      --
      -- The world is watching America, and America is watching TV.
    4. Re:Why IPv6 is needed by asdfghjklqwertyuiop · · Score: 2, Insightful

      What confusion? NAT or no NAT, you don't want incoming connections routed to a bunch of different addresses on your network.


      The confusion is that a lot of people think NAT is what is causing their network to be secure. It is not. The firewall is. You can take away the NAT and leave the firewall and your network will be just as secure.

    5. Re:Why IPv6 is needed by TCM · · Score: 2, Insightful

      When IPv6 comes and I have my own address I may have to buy an IPv6 NAT box just for safety's sake.

      WTF? See if you can make something out of the following two lines:

      block in from any to any
      pass out from any to any keep state

      NAT for IPv6 is the most stupid thing I've seen today.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
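
The two rules quoted in the comment above (block everything inbound, pass everything outbound and keep state), modelled as an added example that is not part of the thread and is not real packet-filter code. The class names, the 60-second state timeout and the 2001:db8:: documentation addresses are constructed for illustration; no address is rewritten anywhere.

```python
"""Toy model of a two-rule stateful filter with no address translation.

Rule 1: block in  from any to any
Rule 2: pass  out from any to any keep state
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self):
        # Parse addresses so differently written forms of one address match.
        return (self.proto,
                ipaddress.ip_address(self.src), self.sport,
                ipaddress.ip_address(self.dst), self.dport)


class StatefulFilter:
    def __init__(self, timeout=60.0):
        self.timeout = timeout  # assumed idle timeout, in seconds
        self.states = {}        # expected reply flow -> expiry time

    def check(self, pkt, now):
        # Drop state entries whose idle timer has run out.
        self.states = {k: exp for k, exp in self.states.items() if exp > now}
        if pkt.direction == "out":
            proto, src, sport, dst, dport = pkt.flow()
            # "keep state": remember the mirrored flow the reply will use.
            self.states[(proto, dst, dport, src, sport)] = now + self.timeout
            return "pass"
        if pkt.flow() in self.states:
            self.states[pkt.flow()] = now + self.timeout  # refresh on reply
            return "pass"
        return "block"  # rule 1: no matching state, inbound is dropped


def run_demo():
    # Constructed sample traffic; every host keeps its global address.
    host, web, scanner = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    fw = StatefulFilter(timeout=60.0)
    trace = [
        (0.0, Packet("out", "tcp", host, 40000, web, 443)),     # host opens a connection
        (0.1, Packet("in", "tcp", web, 443, host, 40000)),      # matching reply
        (0.2, Packet("in", "tcp", scanner, 55555, host, 22)),   # unsolicited probe
        (0.3, Packet("in", "tcp", web, 443, host, 40001)),      # known peer, wrong port
        (90.0, Packet("in", "tcp", web, 443, host, 40000)),     # state has expired
    ]
    return [fw.check(pkt, now) for now, pkt in trace]


if __name__ == "__main__":
    print(run_demo())
```

A real filter also tracks TCP flags and sequence windows per state entry; this model matches on the 5-tuple only.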
  5. Re:Well, since China, India, and Japan are going I by IntergalacticWalrus · · Score: 2, Insightful

    You're underestimating the power of inertia in the US. Remember that this is a country that still doesn't recognize the metric system!

  6. Re:Well, since China, India, and Japan are going I by WillAffleckUW · · Score: 2, Insightful

    You're underestimating the power of inertia in the US. Remember that this is a country that still doesn't recognize the metric system!

    Doesn't matter. We already converted over in science, in manufacturing, and in retail.

    Why do you think it's 8.5 ounces when you buy a carton? It's actually a metric measurement - we just pretend it isn't for the consumer.

    --
    -- Tigger warning: This post may contain tiggers! --
  7. MOD PARENT UP! by swillden · · Score: 2, Insightful

    NAT stands for ``Network Address Translation'' not ``Stateful Firewall.'' I will never understand why people confuse these things so easily.

    You, sir, have hit the nail on the head.

    What people like about NAT boxes from a security perspective is that they must implement a particular sort of stateful firewalling in order to do their job. But a very simple stateful firewall accomplishes *exactly* the same security task without the limitations of NAT.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. IPv6 For Beginners, A Guide by jd · · Score: 2, Insightful

    I was one of the Early Adopters of IPv6 in England - my site was the first listed in the UK (by 1 day) and ran under Linux 2.4.20 with the experimental IPv6 patches and a whole bunch of NRL software ported to Linux.


    IPv6 is an attempt to re-engineer the IP protocol to solve a number of problems, but exactly how it does so has shifted a few times over the course of time. Here is a summary of what it does, why it matters, and what it means to the newcomer:


    • IPv6 has more addresses. Many, many, many more addresses.
      • This matters for three reasons. Firstly, it makes it possible to reliably auto-configure the network, without an administrator watching to make sure DHCP hasn't screwed up.
      • This is because the last 48 bits of the address are the MAC address on your network card, which guarantees that nobody else will have that same address. The initial part is purely identifiers for what network you are on.
      • Secondly, it means that networks can be organized on a hierarchical basis, which means that routers have simpler routing tables, which means that there's less lookup time and therefore less latency
      • Thirdly, it means that true mobility is possible. Because the last 48 bits are a unique identifier, the network is capable of tracking mobile users as they migrate through the network, forwarding packets to them, so connections are sustained.

    • IPv6 is a simpler, hierarchical protocol
      • This also offers three key benefits. Firstly, because the header isn't stuffed with every possible flag and variable for every possible contingency, it is faster to process and therefore there's less latency in assembling and processing them at each end, which makes for a faster connection.
      • Secondly, because you can extend the header for new, specialist, types of application, IPv6 can absorb new technologies as they come out, without needing major work done. IPv4 has been a real pain, in that regard, needing all kinds of encapsulation and meta-packets to handle newer uses of the Internet.
      • Thirdly, it means that devices that don't need certain features don't need to implement them, so can get away with simpler and smaller implementations. This is important with PDAs and other miniature networkable devices, where there isn't the memory to handle anything that isn't vital.

    • IPv6 is automagic
      • Firstly, it detects the MTU - the largest packet size - that the connection with a remote machine you are connecting to will support. This means that connections will be adjusted to the capabilities of the network, which should make for more reliable, faster connections.
      • Secondly, it supports anycasting, where you specify the information you want and the request is forwarded to all nearby servers that can supply it. First one back is the winner. This means you don't need to remember addresses of servers for your ISP, and they are free to do upgrades and maintenance without disrupting users.
      • Thirdly, it detects available gateways - it doesn't need to be programmed with them manually or even by DHCP - which means that you can connect to multiple ISPs without confusing your machine.
      • Fourthly, because IPSec is a part of the standard, security is automatic. All your connections will be encrypted, all of the time. Normally, with IPv4, people don't use security if they don't have to. Which means that all the social information perps can use to break encryption quickly is all sent in the clear, and the critical information is easily identifiable - it's the only thing sent via SSL. By encrypting everything, crackers can't use insecure data to crack the secured data - a very common way to crack secured data, by the way.


    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Re:Of course, NAT greater than Firewall, by TCM · · Score: 2, Insightful

    NAT rewrites addresses, it is not a firewall and it does not provide decent security in itself.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6