Federal Agencies Must Use IPv6 by 2008
MoiTominator writes "The White House Office of Management and Budget announced on Wednesday that all federal agencies must deploy IPv6 by June 2008. So far, Defense is the only agency which has made any progress toward implementing the new protocol." From the article: "While we know that IPv6 technologies are deployed throughout the government we do not know specifically which ones, how many there are, or precisely where they are located...For cost, the agencies must report on estimates for planning, infrastructure acquisition, training and risk mitigation."
Especially "anycasting". But what about SCTP? Now that would be worth wide support.
Well, I'll bite.
IPv6 has such a large address pool to allow autoconfiguration of addresses for now and in the future. It basically redefines the whole issue of keeping up with who has which IPs. Just keep up with their network number and autoconfig the rest.
While the addresses may be 4 times the size and the header is twice the size, the header itself can be processed and delivered faster.
...all desktops in the US Federal Government will have unique IPs, making it even easier for the bad guys to exploit a machine many layers deep in a network. After all, why secure the routers when your department managers just keep complaining that they can't connect from home?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
1) You're thinking older Cisco equipment.
Wrong. Recent IOS releases still have the same problems, they are also quite catastrophic from a usability point of view in comparison with the IPv4 features.
3) Memory and CPU performance hasn't been a major issue with most routers in a long time, especially BGP routers.
This is always an issue, as memory costs money. The global routing table has just passed the RAM barrier a few months ago for many routers; most Cisco routers holding that table now require 512MB minimum route memory. (of course it also depends on what else the router has running, but as a general rule, the mark was hit.)
Either way, IPv6 means more memory and resource requirements, which in turn means a lot of investment with no return. That's why IPv6 will only come when it has become absolutely necessary. Which will take a few years still. So no, it is not "ready for prime time".
I'm paid well for my linux work. Software is a service, not a product. Once the artificial scarcity of copyright law is eliminated and we return to a free market, I'll still be doing fine. The windows weenies won't be.
"4) You're right, minimum MTU size in IPv4 networks is 576 bytes. But that's a difference of 3.5% versus 7%. Not a major issue -- especially since most MTUs are in the range of 1250-1500, or even higher in pure GigE networks."
In a world where an ever increasing percentage of IP traffic is streaming, the MTU is becoming irrelevant, and the header size a huge burden.
I was referring to what is available for purchase, not what's currently deployed. I still work with production Cisco 2501's on occasion, so believe me, I know that the IPv6 transition is not going to be cheap, or easy.
Thing is it'll never be absolutely necessary here in the US, at least not for a long time to come. Enough kludges have been developed for NAT that it's "good enough" for the time being, especially to IT managers facing the hard choice between sticking with NAT or dumping a metric ass-ton (roughly equivalent to an Imperial crapload) of money into an IPv6 infrastructure.
The "prime time" buzzword has been an excuse for the last few years, even though no one can really give a hard definition of what "prime time" is.
The tin foil hat brigade is on the march, again.
If you want an "anonymous" IP address, there is nothing to prevent you from using a sooper-sekret random number instead of the interface's MAC. See RFC 3041.
Mea navis aericumbens anguillis abundat
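As an added illustration of the RFC 3041 point above (this is example code, not from any comment in the thread): the first function builds the interface identifier that stateless autoconfiguration derives from a MAC address (the modified EUI-64 of RFC 4291, Appendix A), the second builds a random identifier with the universal/local bit cleared as RFC 3041 describes, and the last one shows what an observer gets from each. The /64 prefix comes from the 2001:db8::/32 documentation range and the MAC address is made up.

```python
import os
import ipaddress
from typing import Optional

# Added example, not from any post in the thread. Addresses below use the
# documentation prefix 2001:db8::/32; the MAC in the usage section is invented.


def modified_eui64(mac: str) -> bytes:
    """Interface identifier SLAAC derives from a 48-bit MAC (RFC 4291, App. A):
    split the MAC, insert 0xFFFE in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def privacy_iid(random_bits: bytes) -> bytes:
    """RFC 3041-style identifier: 64 random bits with the u/l bit cleared, so it is
    marked 'local' and can never collide with a globally unique EUI-64."""
    if len(random_bits) != 8:
        raise ValueError("need 64 random bits")
    iid = bytearray(random_bits)
    iid[0] &= 0xFD          # clear bit 0x02 (the u/l bit in the inverted IPv6 sense)
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def new_temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Fresh random identifier from the OS RNG; regenerate if the random bits
    happen to look like an EUI-64 (the reserved-identifier check in RFC 3041)."""
    while True:
        iid = privacy_iid(os.urandom(8))
        if iid[3:5] != b"\xff\xfe":
            return slaac_address(prefix, iid)


def mac_from_address(addr: str) -> Optional[str]:
    """What an observer can do with an EUI-64-derived address: pull the MAC back
    out. Returns None when the identifier does not carry the 0xFFFE marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"
    stable = slaac_address(prefix, modified_eui64("00:1a:2b:3c:4d:5e"))
    temp = new_temporary_address(prefix)
    print("EUI-64 address :", stable, "-> MAC", mac_from_address(str(stable)))
    print("privacy address:", temp, "-> MAC", mac_from_address(str(temp)))
```

The EUI-64 address stays the same no matter which network the laptop plugs into, which is the tracking concern; the privacy address changes with every regeneration and carries nothing an observer can correlate across networks.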
Not to mention the fact that with IPv6 we are back to a situation where addresses can be assigned hierarchically, and so the routing tables can be quite compact, dealing with a small number of ranges rather than a large number of network addresses.
I am TheRaven on Soylent News
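As an added example of the aggregation point above (not code from the thread), the Python below takes the flat list of customer /48s a provider would hand out from one aggregate and collapses it into the routes the rest of the Internet needs to carry. Prefixes are invented from the 2001:db8::/32 documentation range; the second run removes one customer to show what a hole in the hierarchy costs.

```python
import ipaddress

# Added example, not from the thread. All prefixes are constructed from the
# documentation range 2001:db8::/32.


def customer_blocks(aggregate_prefix: str, n: int, block_len: int = 48):
    """Hand out the first n /48 sub-blocks of a provider's aggregate, the way a
    provider-aggregatable allocation works."""
    net = ipaddress.IPv6Network(aggregate_prefix)
    subs = net.subnets(new_prefix=block_len)
    return [str(next(subs)) for _ in range(n)]


def aggregate(prefixes):
    """Collapse a flat list of prefixes into the fewest covering routes: adjacent
    same-size blocks merge into their supernet, anything else stays a separate entry."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    routes = customer_blocks("2001:db8::/32", 16)
    print(len(routes), "customer prefixes ->", aggregate(routes))

    # One customer renumbered away: the aggregate splits into several routes.
    routes.remove("2001:db8:5::/48")
    print(len(routes), "customer prefixes with a hole ->", aggregate(routes))

    # A customer bringing its own block from outside the aggregate can't be merged.
    print("plus a foreign /48 ->", aggregate(routes + ["2001:db9::/48"]))
```

The compactness the comment describes only holds while addresses really are handed out hierarchically; every block that does not come from the parent aggregate is one more entry in everyone else's table.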
Oozing slowly.
Basically, install an IPv6 stack on everything you can and use IPv6-ready software/hardware over IPv4. Eventually upstream people will see IPv6 all over the place using Teredo, and implement an IPv6 network.
My school runs on IPv6, along with a few others in the area, and our upstream provider is already implementing an IPv6 network for us.
How many people can read hex if only you and dead people can read hex?
Is there any NAT-PT solution for Linux?
I don't think anyone wants to go through the pain of double stacks. So to run an IPv6-only network, and connect it with both v4 and v6, you would need a v6-to-v4 NAT device (NAT-PT). I haven't seen anyone offering that, at least no Linux-based solution (some *BSD might be able to do that, not sure).
IPv6, to me, was a bit of a disappointment because it lacks two features that I find important:
A) A protocol between the ordinary level 2 and IP (level 3) (could be named layer 2.5) that takes care of error correction via retransmissions. Not replacing TCP's error-correcting retransmissions, but in addition to those. The reason is that most lost packets are packets lost on a single link because of load issues and such, and not because a whole link falls and breaks a route. In those cases, it is very inefficient to retransmit over the whole route, and to add a huge latency overhead to the packet transmission.
B) Get rid of the silly "port" concept. Ports are just internal computer addresses, and as such should simply be part of the address itself. There should be no reason to distinguish between the network address and the host address, and thus subnets were created, and that separation no longer exists. Just the same, there should be no reason to distinguish between the net/host address and application addresses. Removing the "port" concept and placing it as part of the IP address itself has the following benefits:
I) UDP becomes redundant to IP itself, the whole protocol is about adding the port address and can be discarded.
II) DNS entries can point to applications and not hosts. This would allow www.server.com and www2.server.com to point to different webservers on the same computer. This would allow the "virtual web hosts" feature to be discarded. It would also allow support for multiple servers of any type (ftp, smtp, etc.) on any host, all pointed to by DNS, without messing with the port supplied to the user.
III) An internal network can route the same application address to any host it chooses, easing the distribution of load. It would also not expose to the external world how applications are served on which hosts.
Anyhow, I look forward to seeing those features in IPv7.
Yeah, he probably IS right. It's not as much connected to the article as the IPv6 thing, or more precisely, only to the IPv6 part.
Still, someone typing fast, who knows what he wants to say and has the foresight to spot something he wants to comment on in the mysterious future might pull this off.
OMB gets off on making these grand IT pronouncements! I spent the last few years watching them blow millions of taxpayer dollars on their last bunch of IT crap they pushed down, which was poorly planned and even more poorly managed. Hearing them mandate this by 08 is the funniest thing I have ever heard. All the agencies already have their budgets pretty well known through FY07, so where will they get the money? Some agencies like DOI don't even have a fully functional network - parts of it are not allowed to connect to the internet by court order because their security was so bad. So how the hell will that non-functioning entity move to IPv6?
Home users would buy a hardware firewall with routing and DHCP, plug it in, and get a home network that doesn't allow incoming connections by default.
Almost. The box wouldn't do DHCP, because it wouldn't know what IP addresses to hand out. DHCP service could be provided by the ISP, but since we're talking about IPv6, it's more likely that DHCP would simply disappear, and the machines would use autoconfiguration.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I'm old enough to have lived through the GOSIP debacle two decades ago. I see a replay.
GOSIP (Government OSI Profile, and the acronym was used separately by the US and UK) was a requirement to implement the OSI protocol stack by some date in the 1980s. It was a procurement requirement: Every system bought by the feds as of a certain date had to have OSI. Unless it got a waiver.
Some people took this to mean that the government would transition from TCP/IP to OSI by then. And this would lead the world to OSI. And so they invested heavily in OSI. (Remember DEC?) Come to think of it, the way the lead story is written here, you get the same impression, that by 2008 the feds really will be using IPv6.
But that's not what GOSIP meant. It meant that the equipment had to have OSI available, not that the government would actually use it. Having OSI was a checklist item. And eventually it got discarded, because nobody would actually use it; TCP/IP did the job well enough, and some of the early OSI implementations were, to be polite, a pile of crap. But a pile of crap still meets the checklist for an option that won't be used!
IPv6 is somewhat dumber, protocol-wise, than OSI. It has been around for well over a decade, solving non-problems with non-solutions, ignoring problems of the public Internet that developed since then, while promising higher overhead, obsolescence of equipment, difficult management and transition, and more money for Cisco. So unless you're Cisco, there's no reason to go there. And nobody is going there.
Microsoft will meet the checkoff, as will other vendors, but I predict that in 2009, IPv6 will still see little use, even by the feds. Perhaps if we're lucky somebody will be talking about really fixing the problems in the current protocol stack, rather than going with a hack that was created for internal political reasons at IETF before the Internet was even open to the public.