The exhaustion of IPv4 address space
FireFury03 writes "Cisco has an interesting article talking about estimates for the exhaustion of the IPv4 address space, and the inevitable move to IPv6. It predicts that the IPv4 address space will be exhausted in 2 - 10 years and suggests that it isn't worth trying to reclaim old allocations. With the mainstream use of IPv6 now potentially within the ROI period of many products the manufacturers need to start including support, but will the ISPs roll out native IPv6 networks before they absolutely have to? IMHO, ISPs providing native IPv6 support would be a Good Thing since it opens up the door for peer-to-peer technologies such as SIP without needing nasty NAT traversal hacks, but a major stumbling block seems to be a complete lack of IPv6 support on current consumer-grade DSL routers (tunneling over IPv4 is an option but requires more technical know-how from the end user)." Of course, Cisco may have some vested interest in driving up the IPv6-compatible router sales *cough*, but the bottom line is that the transition will have to happen at some point in the near future.
is 2 - 10 years as precise as they can be
In the article, this range comes from the fact that the data can be fitted to different curves, resulting in a different timescale. Some of the curve fitting I saw in the article used polynomials, exponentials, and linear functions.
It's a bureaucratic one. The manufacturers aren't going to spend time and money to make their products until it either makes business sense (Cisco, Microsoft) or they are forced to (TV stations that are having to support HDTV).
Evil Overlord Rule #86. I will make sure that my doomsday device is up to code and properly grounded.
The one "benefit" of NAT over IPv6 is that you can't access ports which aren't forwarded to that computer. i.e. it basically acts like a firewall, but potentially a little weaker because it isn't designed to be a firewall. As IPv6 doesn't keep you from having a firewall, this is almost moot. It's not entirely moot because home users who have NAT would not always consider having firewalls. The benefits of IPv6 are numerous, however.
-Amalcon
NAT is not defense. The stateful firewall is defense. You can use stateful firewalls on IPv6 also and there is no reason that consumer grade routers would not include the firewall.
Everyone is just waiting to push the big red button and turn on the support
Why do you need to wait to turn it on? IPv4 and v6 can run side by side. I've been running v6 for a few years using 6to4 tunnelling to provide connectivity since my ISP doesn't do native IPv6... in fact I haven't seen *any* ISP (in the UK) offering IPv6 connectivity over DSL. Just providing a 6to4 anycast gateway on their core network would be a start.
http://blog.nexusuk.org
I've been playing with IPv6 off and on since 2000. My current IPv6 plant incarnation is a Cisco 2610XM tunneling traffic from btexact (best tunnel broker if you want to play), a Cisco 1605 that is sometimes online, and a FreeBSD box. I don't have a site up this time, just taking it slow and playing, doing this mostly because the CCIE lab has started requiring IPv6.
The transport works just fine, the application support is still a hassle. If it's a barrier for me after five years of dinking and nothing left to do Cisco wise except complete my CCIE
Moving to IPv6 from IPv4 is as much a change in mindset as moving from IPX to IPv4 was
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Since demand for addresses necessarily comes from the leaf nodes of the network (where the bulk of them are consumed) rather than the backbones, I think it is disingenuous (to say the least) to claim that IPv6 is already "rolled out" because it is available from various backbone providers when the reality is that it is not available directly to the end users.
STATIC: this is when the router assigns one routable address to one non-routable address. This 'hides' your IP address, but as the new address always points to your real one... Well you get the idea
DYNAMIC: this selects a random routable address from a 'pool'. The assignment is temporary and this will hide where your requests are coming from. But as the pool is a range of addresses given to you officially, it wouldn't be hard to find who was using them.
DYNAMIC-PORT: this uses only one routable IP, but translates all of the non-routable IPs onto different ports for each connection. The appearance is of one computer making many connections.
I hope this helps.
Shaw Cable (In Western Canada) now assigns IPv6 and IPv4 addresses to all DHCP requests. Whether your home firewall does anything with the IPv6 address is another matter.
That was my "link local ID"
Besides the huge amount of fully routable IP addresses IPv6 will open up, what are the benefits to the average end-user?
Being able to get around NAT restrictions or trying to get UPnP working each time they want to play a particular online game, video conferencing, or transfer files directly with another person behind a NAT.
Most End Users may or may not notice it or understand it, but often when say a group of people use a NAT they are unable to connect direct to anyone else's computer who is also behind a NAT. UPnP kind of gets around this but it has limitations since it only knows what programs are expecting to be receiving and often times may or may not know which computer to forward this to.
Say, I wanted to play Age of Empires with another person who was behind a NAT because he was sharing his internet connection with his family and I was sharing my connection with three other computers of my own. We would both have to go online and look up what ports AOE uses and then set our routers to forward requests to the specific computer running AOE. It's not that hard to do, but for the average End User it can be way too complex if you don't know anything about your own router. UPnP helps but like I said it's not perfect.
IPv6 would give out of the box direct connections... End Users would be able to play direct connect games, video conference, and share files via AIM or Yahoo without having to futz with their router or call their more technically inclined friend asking why "x feature" won't work with "x program" when they bought their router?
Oh and a side note... If you are wondering why Quake, UT2k4, NWN, and Skype and other services work out of the box, it is because the connection is going to a server that is not behind a NAT. If you want to host an online game or have some type of VoIP service then you leave the box directly connected to the internet without a NAT.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Can IPv4 and IPv6 coexist?
Yes, in fact they are expected to for around two decades. Can't seem to find the link to the RFC I read it in. Anyone?
When do the root servers transfer over? The root servers already support name resolution to IPv6 addresses. There was a /. story about it a while back.
If they can co-exist, what's the motivation for *everyone* to switch?
I guess we'll see. I think it will just be up to the vendors (read: Cisco ^_~) as to when they drop IPv4 support.
What happens to smaller countries that don't have the resources to make hardware changes to keep up to date.
Twenty years is a long time.
From a layman's perspective this seems a lot like Y2K in terms of the scope of changes required.
When you look at how much work has to be done, you're right, but in this case, there's not a moment that we're approaching when everything will blow up if it's not switched over.
This sig rocks the casbah.
is home nat routers. They effectively prevent you from using either 6to4 or native IPv6 unless the nat router itself explicitly supports it.
and they are effectively closed devices so adding support requires the manufacturers' cooperation.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
afaict most home nats are similar to the most basic config of a stateful packet inspection firewall. That is they let you connect out but don't (at least easily) allow connections in.
the problem is of course that you want some connections coming in but not others (because of chronically insecure lan protocols etc). UPNP helps to some degree as generally only internet orientated applications use it leaving stuff that's only safe for lan protected. another option is to manually open the holes but this is a pita for experienced people and basically impossible for the masses.
the final possibility is software firewalls. These work well at controlling what apps can be accessed from the internet but running on the pc you are trying to protect leaves them vulnerable to interference from malware.
There are *millions* of Linksys, Netgear, DLink, routers and access points out there. Most of which don't support IPv6. And I doubt these vendors are going to update all that firmware.
Nor will consumers be into throwing out old hardware "to get more IP space"... that's not exactly going to work (marketing wise).
Nor will people with old OS versions, or other odd devices (IP cameras, etc. etc.).
IMHO this will need government pressure, similar to the digital switchover for TV. Some sort of a date for compliance of devices, and a clean switchover date.
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
A modern firewall (including consumer-grade routers) uses Stateful Packet Inspection, which will help defend against various man-in-the-middle attacks, while NAT does not. NAT alone will still be susceptible to replay and injection attacks, while a SPI firewall will be able to detect and block such an attack. Besides, you can have a very effective firewall that only has a couple rules, as long as you aren't running any boxes you want accessible from the Internet.
Never start vast projects with half-vast ideas.
I'm using 6to4 right now, but it's not good enough! One of the greatest benefits of IPv6, true multicast support, does not work, since the underlying IPv4 layer does not support multicast.
Many applications could take advantage of multicast if it were available.
Some examples:
Bittorrent is a cheesy IPv4 emulation of multicast.
Game servers could multicast 'common' data and save roughly 50% of the total bandwidth used.
Mirror sites could multicast their updates. Debian, Redhat, and other mirrors would use a fraction of their current bandwidth.
If you went the bittorrent way, files could be sent via looping multicast, no more slashdotting the Id games servers.
Basically, any duplicate TCP/IP streams could be a single stream that gets replicated at the router. I want it now!
Think of it, even spam could be more efficient with multicast emails!
Shae Erisson - ScannedInAvian.com
Weaker how? If you can't address a node, how can you attack it?
Well, ignoring the fact that there _are_ ways to defeat NAT (although they usually require cooperation from hosts behind the NAT anyway), one notable weakness is that you're relying on your ISP to get things right, and relying on someone else's cluefulness is always bad.
What I mean by that is, given a network like:
PC (192.168.0.1) ------ (192.168.0.254) Router (1.2.3.4) ------- ISP
Assuming 1.2.3.4 is a global scope address and 192.168.0.0/24 is site-local. The router is doing NAT, all well and good. However, if the ISP somehow ends up routing traffic destined to 192.168.0.1 to your router (for example, a routing cockup on their end) then most consumer grade routers will just let it right through because they don't explicitly block incoming traffic.
Admittedly it's unlikely this would happen, and only nodes reasonably close to you would be able to take advantage of the routing. However, I still maintain that trusting a third party as part of your network security is a Bad Thing.
but I don't see how it's less secure than the complicated (and thus fallible) filtering rules in a "real" firewall.
Firewall rules don't have to be especially complex - a firewall that does the same job as a NAT (security wise) but provides protection from the above problem is simply a connection tracker configured to drop incoming connections. In fact, since a NAT is basically a connection tracker with some more stuff shoved on top it could be argued that the NAT is more complex and thus more fallible.
http://blog.nexusuk.org
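To make the contrast above concrete (and the DYNAMIC-PORT NAT and "basic stateful inspection" descriptions earlier in the thread), here is an added toy model that is not code from any poster: a port-translating router with no filtering beside the same router with a connection tracker that drops unsolicited inbound packets. The addresses are the ones from the diagram; the remote hosts (203.0.113.9, 198.51.100.7) and all packets are constructed for the demonstration.

```python
# Added example, not from the thread: PAT-only router vs PAT + conntrack.
from dataclasses import dataclass, replace

LAN_NET = "192.168.0."   # the site-local /24 from the diagram above
WAN_IP = "1.2.3.4"       # the router's only routable address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PatOnlyRouter:
    """Dynamic-port NAT and nothing else: translate or pass through."""
    def __init__(self):
        self.next_port = 40000
        self.out_map = {}    # (lan_ip, lan_port) -> wan_port
        self.in_map = {}     # wan_port -> (lan_ip, lan_port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=WAN_IP, sport=self.out_map[key])

    def inbound(self, pkt):
        """Packet as delivered to the LAN, or None if it goes nowhere."""
        if pkt.dst == WAN_IP and pkt.dport in self.in_map:
            lan_ip, lan_port = self.in_map[pkt.dport]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        if pkt.dst.startswith(LAN_NET):
            return pkt       # misrouted by the ISP: nothing to translate, forwarded as-is
        return None

class StatefulRouter(PatOnlyRouter):
    """Same NAT plus a connection tracker: drop unsolicited inbound."""
    def __init__(self):
        super().__init__()
        self.flows = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return super().outbound(pkt)

    def inbound(self, pkt):
        delivered = super().inbound(pkt)
        if delivered is None:
            return None
        flow = (delivered.dst, delivered.dport, delivered.src, delivered.sport)
        return delivered if flow in self.flows else None

def demo(router):
    """Return (reply_delivered, misrouted_delivered, unrelated_delivered)."""
    out = router.outbound(Packet("192.168.0.1", 51000, "203.0.113.9", 80))
    reply = router.inbound(Packet("203.0.113.9", 80, out.src, out.sport))
    stray = router.inbound(Packet("203.0.113.9", 4444, "192.168.0.1", 22))
    other = router.inbound(Packet("198.51.100.7", 9999, out.src, out.sport))
    return reply is not None, stray is not None, other is not None
```

`demo(PatOnlyRouter())` delivers all three packets, including the misrouted one and the one from an unrelated host aimed at the mapped port; `demo(StatefulRouter())` delivers only the genuine reply.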
Black Cat Networks (http://www.blackcatnetworks.co.uk/) offer native IPv6 ADSL.
It's "not worth it" simply because of the greedy bastards hoarding those /8's. Let's see who is hoarding all that space... ...
/8's -- more if you count the number of big contractors holding /8's.
003/8 - GE
004/8, 008/8, 046/8 - BBN
009/8 - IBM
015/8 - HP
016/8 - DEC
017/8 - Apple
018/8 - MIT
019/8 - Ford
045/8 - Interop Show Network !!
And then there's the US GOVERNMENT with 8+
Why don't you try to remember v6-tunnel34-uk6x.ipv6.btexact.com instead?
I mean, that's why you have the DNS. You don't have to remember any addresses. Honestly, how many public IP addresses do you know and actually use? Even as a sysadmin, I think you'll manage. Seriously, the "difficult to remember" argument isn't really an argument. 99.9% of the Internet-using population couldn't care less if their address had 32, 128 or 1024 bits or were written using Babylonian numerals. Heck, most don't even know what this "IP Address" thingy is. And sysadmins will for the most part be clever enough to work with any notation.
A hack is just an idiom waiting for wider use.
Try a Cisco 87x router. These are sold in the UK, are fully IPv6, provide 4 10/100 ports in case your switch is v4 only, offer WLAN 802.11b/g option (does this carry v6? i dunno) and have lots of other nice features as well. Haven't had time to check compatibility. Expensive - ish, see : http://www.broadbandbuyer.co.uk/Shop/ShopDetail.asp?ProductID=2277&CategoryID=325&ShopGroupID=78 (the top model in the series) but available now.
Data sheet : http://cisco.com/en/US/products/hw/routers/ps380/products_data_sheet0900aecd8028a976.html
IPv6 addressing architecture
IPv6 name resolution
IPv6 statistics
IPv6 translation-transport packets between IPv6-only and IPv4-only endpoints
ICMPv6
IPv6 DHCP
Until the ISP backhaul is routing IPv6 it's still not native all the way, so A&A or whoever your ISP is doesn't. Ask for an allocation and tunnel to the 6bone. Until not so long ago NTT UK offered ranges and free peering, and there were other free v6 peering initiatives. coupl'a years since i cared much about this so forgive me if anything changed (save the ready availability of IPv6 capable routers). Hopefully POPs with lots of LLU will be the first to go native in the UK, so we can have v6 and >=8Mbps to cope with all that traffic from my fridge, cooker, clock, toilet, kitchen drawer, hallway light . . .
Indeed, RFC3363 specifies AAAA should be used. RFC3364 explains why AAAA is preferred over A6.
Remi Denis
Except, they didn't say that. "They" predicted that oil production would PEAK by (twenty years from thirty years ago) - "peaking" is completely different from "running out" - "peaking" means, basically, that you're at the top point of the production curve --- it means you've used up roughly half of the oil (i.e. you are only halfway), and that you will start running out ("start" meaning to be on the downward slope of the production curve - but you still have a LOT of oil at the point when you "start running out"). You're thinking of Hubbert's estimation (which was already in 1956, actually) that global oil production would peak in 2000. It was predicted that US oil production would peak by around 1970.
See this link for more information on peak oil theory.
... and the US Government, of course. They are mandated to have IPv6 deployed by what, 2006?
--Catonic
BBN... currently known as Level 3 Communications.
They were one of the first movers and shakers in the internet industry 20 odd years ago.
They built this thing called "the Internet" that you might have heard of?
Testing this amazing new widget called a "router" required a fair amount of address space at one time.
Well, OK, actually they called it a "gateway" but that means something else now.
It's funny to see that the people who keep shaking their heads left and right when "IPv6" is mentioned are mainly ALL in the U.S. Fact: China, Japan, Korea and MUCH of Europe will move to IPv6 first...and much sooner no matter what the U.S. thinks. Control is the issue, those moving to v6 see it as an opportunity to move away from having to call a U.S. organization to get address allocation. Also..since DNS becomes REALLY important with v6 (try to memorize IPv6 addresses..) Europe could use it as a means of setting up their own root DNS servers to take control of the future address space. Whoever has the DNS servers that people use will get control, and if Europe/Asia defines that first they will have control.
There are a lot more endpoints out there than you think. One of the major pressures to go IPv6 is coming from the wireless phone service providers (mainly out of Europe and Asia). ALL the phones they sell are IP enabled. That's LOTS of phones. It's a lot easier to just allocate them a static IPv6 addy than the constant DHCP traffic every time they access. We're talking MILLIONS of phones per service provider.
=Shreak
The localhost address in IPv6 is 0:0:0:0:0:0:0:1 (or 0000:0000:0000:0000:0000:0000:0000:0001 if you're anal), but since it's almost all zeroes, you can write ::1 instead. In the same way, I can replace the address for one of my hosts, 2002:52b6:8514:0100:0000:0000:0000:0001 with just 2002:52b6:8514:100::1. It's just so that you don't have to type out all the zeroes.
I can't really figure out why they replaced dots with colons, though. I can only guess that it is so that the address is easily discernible from an IPv4 address.
No it isn't. No correctly set up firewall will be susceptible to that type of attack where the ISP makes your network routable.
On the other hand, if you aren't using a firewall, every kind of NAT will be susceptible to that because NAT alone doesn't drop any packets, ever. It just translates or does not translate.
The address space in 1994 really was almost exhausted. What you saw at that conference was 100% true. They made a plan consisting of a long term solution, and a short term one.
IPv6 was the long term solution, and the idea is to eventually start using it.
What you seem to have missed is the short term solution, CIDR. The idea behind it was to take all the unused address space (and reclaim other addresses too) and allocate them in a less wasteful manner.
And yes, IANA should reclaim those
GPG 0x1B479C78
If they run it, they have to support it.
Not necessarily. Many ISPs provide non-core services that they don't offer support for; for instance, my ISP runs an NTP server, but the only support they provide is a single web page giving details of its address; if you phone up the tech support people and ask about it, they don't even know it exists.
Because it isn't advertised as part of the provided service, they don't have to support it. An IPv6 gateway would be similar -- all they need to do is put some text somewhere telling you how to access it, and warning you that it's an experimental service. If it stops working sometimes, that's your problem for using an experimental service.