Slashdot Mirror


Federal Agencies Must Use IPv6 by 2008

MoiTominator writes "The White House Office of Management and Budget announced on Wednesday that all federal agencies must deploy IPv6 by June 2008. So far, Defense is the only agency which has made any progress toward implementing the new protocol." From the article: "While we know that IPv6 technologies are deployed throughout the government we do not know specifically which ones, how many there are, or precisely where they are located...For cost, the agencies must report on estimates for planning, infrastructure acquisition, training and risk mitigation."

17 of 295 comments

  1. Benefits of IPv6 by lw54 · · Score: 5, Informative
    IPv6 is a powerful enhancement to IPv4. Its primary features are as follows:
    • The larger address space provides new global reachability, flexibility, aggregation, multihoming, autoconfiguration, plug and play, and renumbering. IPv6 increases the IP address size from 32 bits to 128 bits, allowing more support for addressing hierarchical levels, a much greater number of addressable nodes, and simpler autoconfiguration of addresses.
    • The simpler, fixed-size header enables better routing efficiency, performance, and forwarding rate scalability.
    • The numerous possibilities to transition from IPv4 to IPv6 allow existing capabilities to exist with the added features of IPv6. Various mechanisms are defined for transitioning to IPv6, including dual stack, tunneling, and translation.
    • Mobility and security ensures compliance with Mobile IP and IP Security (IPSec) standards.

    Page 46, CCNP Self-Study, Paquet Teare

    1. Re:Benefits of IPv6 by Florian+Weimer · · Score: 4, Informative

      Reality is quite different and does not live up to the short-sighted analysis you quoted.

      The larger address space is meaningless as long as it's harder to get independently routable IPv6 prefixes than it is for IPv4. IPv6 headers are not fixed-size; especially in enterprise environments, the extension headers make the IPv6 header variable-length, causing endless headaches with hardware-assisted forwarding. The quality of implementation of the transition mechanisms often sucks, and they introduce new security issues. IPsec for IPv6 is not widely available, in contrast to IPsec for IPv4 -- even though it is mandated by the RFCs.

      Right now, IPv6 cannot deliver any of the new features it promises. It makes a lot of sense not to deploy it at this stage.
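
Added example (not part of the original thread): the comment above names extension headers as the reason the IPv6 header chain is variable-length. This Python code walks that chain to find where the upper-layer header starts, which a filter or forwarding engine must do before it can match on ports; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Extension headers that share the (Next Header, Hdr Ext Len) layout; the length
# field counts 8-octet units, not including the first 8 octets.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, AUTH = 44, 51
FIXED_LEN = 40  # the fixed IPv6 header is always 40 bytes


def walk_ipv6_headers(packet: bytes):
    """Return (extension_chain, upper_protocol, upper_offset) for one packet."""
    if len(packet) < FIXED_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], FIXED_LEN, []
    while next_hdr in GENERIC_EXT or next_hdr in (FRAGMENT, AUTH):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr in GENERIC_EXT:
            name, hdr_len = GENERIC_EXT[next_hdr], (packet[offset + 1] + 1) * 8
        elif next_hdr == FRAGMENT:
            # Fixed size; in a non-first fragment no upper-layer header follows.
            name, hdr_len = "fragment", 8
        else:
            # Authentication Header counts 4-octet units, minus 2.
            name, hdr_len = "authentication", (packet[offset + 1] + 2) * 4
        if offset + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append((name, hdr_len))
        next_hdr, offset = packet[offset], offset + hdr_len
    # Anything else (TCP=6, UDP=17, ESP=50, no-next-header=59, ...) ends the walk.
    return chain, next_hdr, offset


def build_sample(with_extensions: bool) -> bytes:
    """Constructed sample: TCP SYN to port 443 between documentation addresses."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ext = b""
    if with_extensions:
        ext += bytes([60, 0, 1, 4]) + bytes(4)    # hop-by-hop, 8 bytes, PadN
        ext += bytes([6, 1, 1, 12]) + bytes(12)   # destination options, 16 bytes
    first = 0 if with_extensions else 6
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(tcp), first, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + ext + tcp


if __name__ == "__main__":
    for flag in (False, True):
        print(walk_ipv6_headers(build_sample(flag)))
```

Without extension headers the TCP header sits at offset 40; with the two constructed extension headers it moves to offset 64, so a filter that reads ports at a fixed offset would look at the wrong bytes.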

    2. Re:Benefits of IPv6 by laugau · · Score: 2, Informative

      What? Have you even READ the spec? Have you read a book on the subject?

      IPv4 has standard headers and then extended headers. IPv6 does not. Period. No extensions, exceptions, addendums or substitutions. Header extensions are simply NOT part of the protocol. So guess what? If there is any type of extension, it HAS to occur at the protocol layer.

      Likewise, one of the biggest issues is not only routing, but fragmentation. So if you send a big packet and it goes through a router with a smaller MTU, the router has to fragment it. IPv6 does not allow this. If you send a big packet and a router can't put it over the link, it sends an ICMP too big error back and the packet source must re-package the packet at a smaller size.... Is this more traffic? Only for the very first packet, but the cost is realized over time. (Imagine trying to keep track of sequence numbers of the fragmented packet at the point it is fragmented... a real nightmare).

  2. Mac OSX has had great IPv6 for a while (10.2)! by Anonymous Coward · · Score: 5, Informative

    Mac OSX has had great IPv6 for a while (10.2)

    http://evanjones.ca/macosx-ipv6.html

    And the feds moved back their deadline so many times that even 2008 will be pushed back.

    Apple even had a demo of ipv6 in OS9 once, and a long while back was big on it.

    Most people who enjoy semi-anon IP addresses from de facto forced reissue that I know are against IPv6 and see it for all its regretful faults, despite its wonderful goals and alleged benefits.

    In an IPv6 world... there will be no more anonymity except at a WiFi cafe lacking video cameras.

  3. Re:Not ready for Prime Time by Uhlek · · Score: 2, Informative

    Looked up something interesting. Minimum MTU in IPv6 is 1280 bytes. So, now you're talking a difference of 1.5% versus 3.1% (rounded). Even less of a big deal.

  4. Re:NAT by FrostedWheat · · Score: 4, Informative

    though the security aspect that NAT provides really is useful

    Nothing a simple firewall can't handle.

  5. Re:Likely future events... by Taladar · · Score: 2, Informative

    Repeat after me "NAT is not a firewall...NAT is not a firewall"

  6. Re:I beg to differ: NAT can do it, and well too by TummyX · · Score: 4, Informative


    Intelligent use of NAT can get a lot of users into one IP. 9 out of ten surfers only need outgoing-initialed connections (web surfing, email, instant messaging, IP-based broadcasting and legal music download software).


    But if you want to do video conferencing or VOIP then you're screwed unless you go via proxy servers and give up speed and security.


    In an ideal world yes, every device could be addressed by its own IP address, but in this world I don't want some cracker port-scanning my fridge and getting a backdoor through a butter overflow exploit.


    It doesn't matter whether you use NAT or IPV6. There's no reason why your fridge with an IPV6 address should not sit behind your home firewall. At least, when you need to be able to open certain ports (at which point you're vulnerable to buffer overflows regardless of the protocol), you'll be able to do so using router rules rather than port mapping (which can only go so far). In both situations you'll have to buy an additional device -- an IPV6 router/firewall or a NAT based IPV4 router/firewall. There is no reason why an IPV6 router/firewall needs to be configured by default to permit all incoming connections.

  7. Re:NAT by Fished · · Score: 2, Informative

    Nawww... you're missing the point that IPV6 is designed to require significantly fewer entries in routing tables for the same number of networks. Yes, the addresses are 4 times as long, but that doesn't make the routing table take four times the memory.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
  8. For those of you who want to check by Anonymous Coward · · Score: 1, Informative

    that their ipv6 installation is working

    http://www.whatismyipv6.net/

  9. Re:Missing improvements by df4b943c678dae · · Score: 3, Informative

    You're assuming that the 'port' concept is universal to all protocols above the IP layer. There is much more than just TCP and UDP traffic flying around. http://www.iana.org/assignments/protocol-numbers/

  10. Re:Nice to see that... by drsquare · · Score: 2, Informative

    Between NAT, dynamic DNS, and application level protocols to negotiate ports, we don't have merely 4 billion IP addresses, we have 28147 trillion,

    So please explain: if me and someone I'm trying to contact are both behind NAT, what number do I try to connect to if I want to directly connect to this computer, i.e. the whole damn point of the Internet?

    Like has been said before, the people who think NAT is acceptable all want or have their own real IP addresses.

  11. Re:You CAN have IPv4 and IPv6 on the same network. by freakmn · · Score: 4, Informative

    Actually, you can get the IPv6 stack directly from Microsoft, so it isn't 3rd party software. For Windows XP, it shows up in the list of available protocols to install for your network. It's not the default, but not any harder to install than IPX/SPX. With Windows 2000, they don't make it easy, you have to search for it on their site, but it's there.

    IPv6 Preview for Windows 2000
    Advanced Networking Pack for Windows XP
    FAQ About the IPv6 Protocol for Windows XP

    --
    warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
  12. The whole thing is absurd. by Mattintosh · · Score: 2, Informative

    I just read through way too much drivel about IPv6 vs. NAT just now.

    Here's the way things really should go. There are two possibilities, and they're not mutually exclusive.

    1) For mobile devices:

    Mobile devices should be addressed by a hardware address. This hardware address shouldn't be tied directly to the device, however, as mobile devices can be broken or lost easily. This is do-able right now with SIM cards. They have a SIM ID that could be used in place of an outdated phone number system. (Let's face it, POTS is ancient and crufty, and so are its numbering systems.) If you drop your cell phone and break it, move the SIM card to the new one.

    One thing to watch out for here, though: All cell phones must use the same protocols, and all cell providers must use the same protocols. This ends their convenient lock-in semi-monopolies on their customers. This is a practice that isn't going to end without a fight.

    2) Wired devices:

    Wired devices should use an assigned address. IPv4-style 4-octet addresses are fine. But the arrangement needs to be a bit more logical. They need to be arranged in a hierarchy. From 0.0.0.2 to 255.255.255.255, every address should be valid. 0.0.0.0 should be reserved as a null address (duh) and 0.0.0.1 should be the localhost address (or "self" or "this" or "me"). Any other address can be a node. Any node can serve as a gateway to a COMPLETE subnet.

    So if I want to reach grandma's wired VoIP phone, her number is "233.67.94.199::0.0.0.2". A phone keypad wouldn't have to be changed, as you could use * for . and # for :: when dialing, so the above number would be dialed as "233*67*94*199#0*0*0*2". And if I wanted to connect to her webserver, I'd point my browser at "233.67.94.199::0.0.0.3".

    And there would, with only a two-level hierarchy, be more addresses than IPv6 offers(*). With more levels in that hierarchy, there would be no such thing as an address shortage. And to top it all off, I'm guessing the top-level routing equipment wouldn't have to be substantially changed. It's still just routing from one IPv4 address to another. The gateways would all have to change, though.

    Notice another thing about this IPv4^n idea: Hierarchical NAT bypass. Notice how it resembles a C++ (and copycats) scope-resolution operator and how it resolves the scope of the actual device address and how it could easily be extended to multiple levels beyond what I've suggested.

    (*)If you don't believe me, do the math:

    IPv6:
    2^128 = 3.402823669e38

    IPv4^2 (IPv4-squared)
    32^32 = 1.461501637e48

    IPv4^3 (x.x.x.x :: x.x.x.x :: x.x.x.x)
    32^32^32 = 1.461501637e1536

    With those IPv4^n address spaces, you have to remember that you don't get quite that many addresses, as you lose 0.0.0.0 and 0.0.0.1 from each range and subrange. In IPv4^2, you lose 8-billion-something addresses - 2 main-range addresses plus 2 addresses from each of the 4-billion-something-minus-two subranges. That's a trivial loss in the scope of this scheme, and yet is almost twice as many addresses as we have available right now.

  13. Re:NAT by nxtw · · Score: 2, Informative
    There is no reasonable default forward-all-ports setting. Most people that buy typical consumer NAT routers do so to share Internet access, so the router could assume that one system should have all incoming connections forwarded to it... but there's no way of knowing *which* system to forward to.

    Some people buy these devices as security devices, because incoming connections do not go through to their system by default...

  14. Re:NAT by kaisyain · · Score: 2, Informative

    My understanding of IPv6 is that you can use SLAAC to acquire an address (after all it is only called Stateless Address Autoconfiguration) but that you are expected to use DHCPv6 (aka IPv6's stateful autoconfiguration) to get stuff like NTP and SIP servers. A quick glance through the rfc for SLAAC didn't show an obvious way of including that information. Actually it even says to use DHCP to configure information other than the address.

  15. Re:You CAN have IPv4 and IPv6 on the same network. by TERdON · · Score: 1, Informative
    As I've written to all others that just answered the same thing - I STILL DON'T CONSIDER THAT WELL-SUPPORTED. Damnit. Supported, yes, but well-supported, hell no. You said it yourself: "intended for development use and trial network deployments".

    In Mac OS X there is a settings window that I can use - so even my computer-illiterate dad could use it (if someone explained the options at least). It's also considered stable. It's been there since 10.3 as far as I know. THAT is what I call well-supported.

    --
    I have a really elegant proof for Fermat's last theorem. If this sig was only a bit longer...