Federal Agencies Must Use IPv6 by 2008

MoiTominator writes "The White House Office of Management and Budget announced on Wednesday that all federal agencies must deploy IPv6 by June 2008. So far, Defense is the only agency which has made any progress toward implementing the new protocol." From the article: "While we know that IPv6 technologies are deployed throughout the government we do not know specifically which ones, how many there are, or precisely where they are located...For cost, the agencies must report on estimates for planning, infrastructure acquisition, training and risk mitigation."

Nice to see that...

[cato+kaze]

Its nice to see that government is implementing IPv6, but I'm more curious as to when it will be implemented by the private sector and widely used. (Is there an FCC ruling or guidelines for transition time somewhere or are we just oozing towards it?)

Re:Nice to see that...

[jav1231]

Why should they? What is gained by IPv6? Nothing currently. Oh you get to say, "Dude! I'm IPv6!" Big deal. NAT has stifled IPv6 for the masses and brought at least some level of security to Winblows users around the globe. The idea that the whole government should be on it is probably the compulsion of a bunch of advocates. In the case of the government, I can live with it. As for the rest of us it's really just a solution who's problem has largely already been solved.

Re:Nice to see that...

[anthony_dipierro]

NAT, dynamic DNS, and all the other "hacks" which resolved the problems in ways which were backward compatible. Between NAT, dynamic DNS, and application level protocols to negotiate ports, we don't have merely 4 billion IP addresses, we have 28147 trillion, and that, to misquote Bill Gates, should be enough for anyone.

I'm not saying IPv4 is going to last forever. Like anything else, it won't. But I'm pretty convinced that IPv6 won't be the next widely adopted protocol after IPv4. To (properly) quote D. J. Bernstein, "The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space."

Re:Nice to see that...

[Mr+Smidge]

NAT will not allow you to do easy VOIP or video-conferencing.

Now think about this: there's an entire class A subnet allocated to MIT. There's quite a few class A subnets allocated for various US governmental institutions. There's a whole one for Apple computer.

But, there's just one for the entire African continent. Some ISPs in countries besides the US cannot give their customers a real IP address! There are not enough to go round. The way they have been allocated is clearly skewed.

So yes, lots of people stand to gain by having more addresses. They just happen to be in some of the poorer nations.

Re:Nice to see that...

[Mysticalfruit]

I agree with that quote from Bernstein as well. If IPv6 was made complimentary to IPv4 so that you could have both on the same network and able to talk to one another without tunnels and crap, I think when people migrated their networks to gigE, they would have also migrated their devices to IPv6 as well.

Re:What the hell?

[Njovich]

Oh, I don't know? Cisco? Microsoft? IBM? There are lots of people having interest in computer infrastructure investments.

Progress in DoD

[dgb2n]

Although there has been alot of noise around it, actual progress hasn't been so convincing and the 2008 date appears highly unlikely. In many cases its more a matter of "here's how we'd do it if you gave us X dollars" than a funded plan forward.

This has appeared all along like a deliberate attempt to force a "technology refresh" that would be beneficial to major US networking companies than any real response to technical superiority of the IPv6 protocols.

If the technical merit were really there (many of the supposed IPv6 improvements have been backported to v4), my guess is a specific mandate wouldn't be necessary. Business would take care of it.

NAT

[debilo]

Before people jump and say that we don't need IPv6 because NAT is good enough: No, NAT is not good enough. While I am grateful for NAT (and I am sure every other pood sod stuck with a single address only is grateful too), NAT has some serious shortcomings and limitations which increase the need for sometimes ugly, drastic or awkward workarounds for many things. It would be nice to be able to communicate with machines behind routers directly, though the security aspect that NAT provides really is useful.

Re:NAT

[Baricom]

Actually, most people I've talked with use NAT not for the security but because they need it to get more than one computer online (the local broadband providers provide one IP address and rent extras for about $10 per month). I think whether NAT continues to be popular or not will probably be influenced by whether residential ISPs become less stingy with the address space.

If NAT goes out of style, the home router people will just focus more on delivering good firewalls, and a lot of people (probably including me) will still buy them.

Re:NAT

[nxtw]

You *could* do that, but no matter how it's done, it's not a good idea.

In cases where hosts are already connected when the router is turned on, this means that whatever device requests an IP address first would get connections forwarded to it.

And in cases where there's only one PC connected, that's probably because people are using it as a firewall *because* it does not forward incoming connections. I know a few people that recommend this.

Re:Not ready for Prime Time

[Uhlek]

Obviously you only read trade mags and know nothing about networking:

1) You're thinking older Cisco equipment. But, the same argument could be made for any number of enterprise/carrier routing vendors. If you have a router/multilayer switch designed for IPv4, you're going to have to either upgrade it with IPv6 ASICs, or replace it completely. That's part of the price of transisition, and there's no way around that.

2) No one with any level of education in the matter says "We're running out of addresses." We're running out of address SPACE. Big difference. The huge class A and B networks issued to large US corporations and the military means those countries who got online later on are losing out. Case in point...I was on the redesign team at a USAF base that had two class B networks -- for 30,000 customers.
And NAT is only a stopgap. You end up with a massive number of interoperability problems when you start NATing. With IPv6, there simply isn't the need for it, and you remove those problems.

3) Memory and CPU performance hasn't been a major issue with most routers in a long time, especially BGP routers. Massive OSPF networks, yeah, the Dykstra algorithm hits hard, but there are other, less CPU-intensive options like IS-IS, or just design your network right from the ground up and summarize properly.

Again, the problem we're going to run into here is the specialized memory used for wire-speed packet switching. But, if you're doing wire-speed, you're going to have to replace the ASICs anyway, so the TCAM gets replaced too.

4) You're right, minimum MTU size in IPv4 networks is 576 bytes. But that's a difference of 3.5% versus 7%. Not a major issue -- especially since most MTUs are in the range of 1250-1500, or even higher in pure GigE networks.

The road to IPv6 will be bumpy, but the only issue you mentioned with any real weight is the first, and that's an easy one. You just throw money at it.

Where the problem is going to lie is in long-haul data transport, IPv4 interoperability, and legacy application support. The network's the easy part.

Re:Not ready for Prime Time

[MathFox]

1. Cisco routers suck at IPv6.

Cisco will have to fix that or go dodo...

2. The world does not need more than the 4 billion addresses available with IPv4.

Think VOIP: it would be nice if my "Mobile communicator", home PC and work PC could be directly accessed from all over the world. With 6 billion people on earth, I estimate a demand for 18 billion IP addresses.

3. IPv6 addresses are too large.

Moore's law: The capacity problems will be solved in a few years. And routers don't need to keep full routing tables (they never did!)

4. The IPv6 header is too large.

Network speeds have boomed... 8 Mbit ADSL is affordable and available nearly everywhere in the Netherlands. When you redo your computation with a MTU of 1500 (ethernet), overhead increases by a bit more than a %.

I see a lot of reasons to go IPv6, especially now China (1.3 billion people) and India (1 billion people) get connected.

Re:Mac OSX has had great IPv6 for a while (10.2)!

[Armadni+General]

The feds are always pushing back deadlines. I'm sure regular readers have seen two or three articles here about the total conversion of all broadcast television from analog to digital signals? It's the same case. They need to get tough on these "deadlines," or else nothing'll get done at any pace faster than that of a snail.

And here shall commence the argument about whether or not anonymity on the Internet is a Good Thing or a Bad Thing.

Re:Not ready for Prime Time

The grandparent was obviously a pre-rolled troll. I mean, come on, it's huge and it's like the first post.

I beg to differ: NAT can do it, and well too

[CdBee]

Intelligent use of NAT can get a lot of users into one IP. 9 out of ten surfers only need outgoing-initialed connections (web surfing, email, instant messaging, IP-based broadcasting and legal music download software).

Most surfers are considerably safer behind NAT anyway, as shielding incoming TCP connections on ports 135-139, 445 and 593 kills 9 out of 10 Windows remote exploits stone cold dead. Deploying technologies like uPNP in the ISP routers can negate the inability to accept incoming packets nmany low-grade server style apps (Messenger, VoIP)

In an ideal world yes, every device could be addressed by its own IP address, but in this world I don't want some cracker port-scanning my fridge and getting a backdoor through a butter overflow exploit.

I don't trust any modern operating system enough to run it without a hardware firewall device, and I always keep that (it's a linux-based consumer router) well-patched up to date and with all remote admin functions disabled and locked down.

As a regular fixer of friends PCs, I would love to see ISPs provide the option of fully-NATted connections. I'd recommend them. It'd save me so much time trawling eBay for bargain routers for my friends.

Re:I beg to differ: NAT can do it, and well too

[m50d]

Web surfing is only possible if people run web servers. Internet radio is only possible if people run streaming servers. The fact that ordinary users can do these things is what makes the web what it is rather than being controlled by big media conglomerates like most other media. I don't want to see it ending.

The solution to that is to disable the services running on those ports. It will have the same effect. uPNP shouldn't be necessary.

Why does your fridge have open ports unless you want to use them? If you want to use them, why do you want them hidden behind nat?

I trust my linux box in the DMZ on my router. I keep it fairly up to date, within a week say. The ports I have open are open because I want them to be open, if I wasn't in the DMZ I'd just port forward them anyway. The only thing I'm any more vulnerable to is a tcp stack flaw.

I think such ISPs exist. They don't advertise the connection being nat because it's a bad thing. I am continually amazed by how many otherwise intelligent people have fallen for this "you need to be behind a router" crap. If you need a router, you're a complete idiot or running an OS written by one.

It will when major ISPs start supporting it

[js3]

The #1 reason the private sector isn't picking is up is the vast majority of the big isps don't offer it, as long as they remain on ipv4, ipv6 isn't going anywhere fast.

Re:It will when major ISPs start supporting it

[anthony_dipierro]

And the major reason the vast majority of the big isps don't offer it is because there is no demand for it. Anyone offering a useful service on the web can afford a few bucks a month for a static IPv4 address, and I don't see that fact going away, ever. So what do you get by going with IPv6? AFAICT, nothing but incompatibility problems.

IPv6 would have been better than IPv4, if we were building the internet from scratch. But Beta is better than VHS too, and I don't know very many people with Beta cassette players.

Bring on the Vultures

[Gothmolly]

I've seen this sort of first thing first-hand. Here's how it goes down:

Consultant: Hey, buddy o'mine in the White House Budget office, lets do lunch.
WhiteHouse: OK
Consultant: You know, if you dont use IPv6, you're obsolete.
WhiteHouse: Really?
Consultant: Yep. You wouldn't want the (Commies|Al-Qaeda|Chinese|French) to be ahead of us, would you?
WhiteHouse: Hell no!
Consultant: Nobody is going to deploy IPv6 w/o a reason. It's hard to do.
WhiteHouse: Hmm, we need to do this, its a matter of Homeland Suck-your-ity. Can you help?
Consultant: Why sure, but you should make sure that only me and a few others are approved for this gig, you wouldn't want any incompatibilities, would you?
WhiteHouse: Damn straight, I think I'll have another Scotch.
Consultant: Go ahead, its on me. *evil cackle*

Re:Missing improvements

Not trying to be harsh. But the missing improvements are outside the IP scope and functions. Just for your information:

A) Look for MPLS and its future succesor GMPLS.
B) The port concept is a TCP/UDP layer issue, not an IP issue. You can use lots of IPv6 addresses for the same device (IPv6 permits explicitly that) and just one port if that is what you prefer. I personally don't see the improvement. IP addresses are assigned to devices (in the IPv6 paradigm), ports are assigned to application uses. I personally beleive it is much straightforward this arrangement that an IP derived solution. At least now, you now port 80 means (at least should) web access.

This is good news for Contractors

[Zugot]

If you are a network engineer type, and you want to make some money, this is maybe some very good news. Most government agencies contract out this type of work. And I know there is a severe shortage of good network types out there who can grok ipv6. I am actually glad about this. It is kinda like Y2K all over again.

Re:Benefits of IPv6

[drsquare]

I really wish people would stop quoting more address space as a feature.

Yeah, because actually being able to have an address so people can connect to you over the Internet is a terrible thing... Better to have NAT where the Internet is only one-way, you can't provide anything, just be a mindless consumer of websites. And forget p2p, ftp, and all that crap. Oh and forget about the fact that corporations and universities in America each have as many addresses as the whole of Africa. As long as rich Americans have proper IP addresses, fuck everyone else.

First off, have you ever tried to enter an IP over a noisy phone connection? Now try it with eight 4-digit groups!

What the hell are you talking about? Perhaps you should get a better phone. I see no reason why we should put up with sub-standard Internet just so your tech-support job is slightly more convenient.

Second, Do you have any idea how many dark /8s there are? Do you have any idea how many people have /8s that shouldn't? There is no IP shortage problem for now.

With 128 bits, everyone could have millions of IP addresses. Every household could give every computer its own address, every corporation would have enough to go round. Not having to pay through the nose to ISPs just for single extra IP addresses. No shitty dynamic IP addresses. No shitty NAT. What about the people who have /24s who don't deserve them?

Actually you may have a point. With American corporations/governments in control of the Internet, it will always be fucked up, with all the power and luxuries given to the rich American corporations, and everyone else getting shafted.

There is no IP shortage problem for now.

I take it you have your own IP address?

You CAN have IPv4 and IPv6 on the same network.

[TERdON]

Both IPv4 and IPv6 were designed to be implementable as software protocols. They were also smart enough to implement a version flag in the protocol. There is nothing at all stopping you from installing dual IP stacks on all of your computers, giving each interface an IPv4 and one IPv6 adress, and use both of them interchangably.

What is stopping the implementation of IPv6 are those pesky legacy devices, legacy operating systems (ie Windows) and legacy hardware accelerated routers, and the fact the Internet being as big as it is - it's basically impossible to do a clean switchover, and there ARE problems when combining the two systems - even though you can have both on the same network, they won't be interoperable (=really bad).

Of course IPv6 has been designed to work around these issues as well as possible, but there will be issues eg getting a IPv4 machine to connect to a IPv6 one. And NAT has been the easier-to-implement short-term-solution for home 'puters etc...

Re:Missing improvements

[Spy+Hunter]

It's not necessary or desirable to have retransmission at the IP level. Firstly, it would put a humongous burden on routers because they would have to keep packets in memory after they have been sent, in case they need to be retransmitted. This would only make "load issues" worse and result in *more* packets being dropped, not less. Secondly, the correct response to packet loss on a link is to route around the link, not to retransmit over the link and produce more congestion. Routing around the link will not only reduce current packet loss but reduce future loss as well by evening out the load. This makes any packet loss due to congestion temporary, unless there is one link that can't be routed around (a bottleneck). In this case, retransmitting still can't help you because there simply isn't enough bandwidth to satisfy user demands. Some packets will be eventually dropped *no matter what*, and the only solution is to add more bandwidth.

As long as packet loss is temporary, then handling it at the TCP level is just fine. Yes, it occasionally introduces latency due to retransmission but it is worth it to keep the network simple. A simple network is more robust and more predictable, with cheaper hardware. Cheaper hardware means more hardware and more bandwidth, which then reduces latency and packet loss overall. This is the correct solution to packet loss problems.

Also, a big reason the Internet is as reliable as it is today is due to its inherent *unreliability*. It's a "worse is better" philosophy. When failures are an everyday occurrance, your failure-handling must be robust. This paradoxically makes the system as a whole more reliable. The Internet is the epitome of this philosophy. Packet loss is a natural and healthy thing for the Internet.