IPv6 Still Hotly Debated

inkslinger77 writes "A significant stumbling block to IPv6 adoption may be IPv4 loyalists who are keen to keep the old protocol in preference to the 'new improved' version, according to a Computerworld Australia article. The article covers the views of Cisco's senior technical leader for IPv6 technologies, Tony Hain and Geoff Huston, a senior Internet research scientist from Asia Pacific Network Information Centre (Apnic)." From the article: "Go to your favourite venture capitalist and say 'I want to be an ISP'. By the time he stops laughing and [finds you want to run] IPv6 - the discussion gets terminated. No one wants to hear this. IPv6 is well ahead of adoption in this market so everyone is deferring. No one is running IPv6, because there is no business case for it ... if we really wanted to leave a legacy to our children we'd review the crap we have today which is pretty ghastly ..."

Me too

[Phroggy]

To be honest, IPv6 never really made sense to me either. I mean, OK, so we're running out of IP addresses and we need more... but as more and more companies are turning to NAT instead of using public IPs behind a firewall for internal services, some IP blocks are being freed up, and it looks to me like there are still a HUGE number of reserved subnets out there.

But assuming we really do need more IPs, why IPv6? Why 128 bits instead of, say, 64? Why build the functionality of DHCP, which (mostly) works perfectly well* and is extensible enough to support cool stuff that hadn't been thought of when IPv4 and DHCP were invented (e.g. WPAD, netbooting), into IP? What's the deal with including your MAC address as part of your IP address?

Going with the assumption that the problem really is as bad as people say it is (China has a gazillion people and more of them are getting online, and it'd be great if my refrigerator had a web-based interface I could access remotely without setting up port forwarding or a VPN, etc.)... I'm not convinced that IPv6 is the right solution to the problem. It just seems to be the only solution anyone has offered, and a lot of money has been spent bringing it closer to reality.

So, convince me: why is IPv6 the right answer to the problem?

* Off-topic, but can someone explain to me why (at least with ISC dhcpd) I can't assign IPs on two different subnets on the same physical LAN? Can this be done with a different DHCP server? Is there any kind of limitation to the protocol that makes this impossible, or is it just an implementation problem?

Re:Me too

[MightyMartian]

NAT really isn't anything more than a kludge, and despite a lot of work done to make some of the finickier protocols work through it, the point behind IPv6 is to create an address space sufficiently large that we don't have the provisioning problems that are evolving now. Is it overkill? Well, for 2005 there's no doubt. But IP4 was probably massive overkill in 1980. The point here is that these artificial limits we've set (640k, IP4, two-digit years) eventually lead to very big hastles, and if we're going to have to find some new way to enlarge the address space, why not do it right?

Re:Me too

[cnlohfin3109]

IPv6 gives us more then just more address space. The ip is designed heirarchally(sp) which will help _significantly_ with routing, decreasing tables etc. Not to mention not wasting time havening to check checksums all the time... cause there is none! Its silly if we get into the terabit speeds and still wasting so much time just tring to route the ethernet frames, not to mention the sheer processing power required by a router for those speeds.

Re:Me too

[exaviger]

Nicely put, just to stengthen your point - a little historical snippet "In the early days of mainframe computing, resources were at a premium. Memory was expensive, disk storage was limited and input devices constrained. Every programming method was used that made efficient use of each component. One of the methods used was to truncate the year value to a two digit number for entry, storage and processing. This saved space and saved on the associated cost of storage and processing. After all, why enter and store the century portion of the date when it will always be 19? Right? It would be decades before the year 2000. By then, all the programs and hardware being used would be obsolete and replaced with newer equipment and programs." Do we not learn from our mistakes? Calling IPv6 overkill is silly, why should we not overkill? Why not make sure that for the next century every electronic device will be able to have its own unique IP address. NAT is all good and well but what about the growing number of mobile devices, what about some services that dont work behind NAT? Who knows what will happen in 5,10,50 years. Soon every single vehicle, vending machine, traffic light and any other electronic device will require and IP address be it public or local. I am all for IPv6!

Re:Me too

[Kadin2048]

This is a misunderstanding, and has been debated elsewhere: NAT offers no security by itself, it's because normally NATs have a firewall effect at the same time that they create the illusion (and in some cases reality) of security.

There's no reason why using IPv6 with a firewall wouldn't be just as -- and probably more -- secure. Especially because you wouldn't have to spend time configuring the NAT functionality and could instead configure it as a single-purpose stateful firewall.

It is possible -- although you probably wouldn't want to -- to create a situation using static NAT without any firewalling effect that leaves your computer just as open to attack as it would sitting on the public net. Likewise it's possible to assign every computer on a LAN a globally routable IP address and secure them using a properly designed firewall (that's actually how my company is set up).

If your comment had just said you didn't want your fridge and toaster exposed to the internet without your trusty Linux firewall between it and the internet, I would heartily agree. Although I don't doubt some would argue for you about choosing Linux over BSD. :)

Re:Me too

[MicahStevens]

You can hack through a NAT, not being l33t, I'm unfamiliar with the exact practice, but I've seen security reports about this.

My real point is though, If you have a device like your toaster on the internet, and it's vulnerable to an attack that a firewall fixes, the problem is with your toaster, not the internet. That whole example is totally weak.

Why do you want to connect your toaster to the internet, so that you can connect to it, right? Or make connections out from the toaster. Either way, you need ports open. If someone can connect to ports that you don't want open, the software/hardware in the toaster is to blame. Not the absense of a firewall, or NAT. If your toaster can be hacked through the toaster port, then a firewall ain't going to help you.

This overreliance on the firewall is disturbing to me, it makes people not fix the real issues. Granted with certain general purpose machines (i.e. your Desktop workstation) this is more difficult than others, but there's no reason why an embedded internet-aware processor can't be very secure with no firewall or NAT fo that matter. If it's not, fix the problem, don't mask it with a firewall.

Re:Me too

[eric76]

Security by obscurity is not the answer

I hate that phrase. While true, it is very misleading since obscurity does contribute to security.

It should be "Security by obscurity is not the TOTAL answer.

Security by obscurity is a necessary and vital part of security. By reducing the likelihood of computers being randomly attacked over the Internet, there would be an increase in security. It would not provide absolute security, but it would help.

If you think about it, when you use passwords, you are using security by obscurity.

For that matter, when you use a public key that is the product of two very large primes, you are using security by obscurity. With increases in techniques and hardware, that obscurity is greatly reduced overtime and the security suffers.

"IPv4 loyalists"

[FirienFirien]

What are the chances that the term "IPv4 loyalists" includes those who just have no reason to make the effort to shift to the new system? Considering the number of [people, admins, even that amusing case where MS didn't patch its own servers] who don't even download security patches - the shift to a parallel system while the old system still works fine just isn't going to happen in droves.

Re:"IPv4 loyalists"

[Phisbut]

the shift to a parallel system while the old system still works fine just isn't going to happen in droves.

The real question though is "Do we really want to wait until the old system finally breaks and nothing works anymore before making the change?". The old system still works, but we know it won't work forever, and we know we need to change it. Why wait till it breaks?

(Obligatory car analogy) When you put gas in your car, there's still gas left in it, so it can still work. Yet you don't wait till you go dry to put some more gas in.

Re:Something I don't get...

[Daedala]

Sometimes, it's good that NAT impedes some forms of communication. Like, say, exploits.

One Reason Alone is Enough

[Nom+du+Keyboard]

One reason alone is enough to make IPv6 a "good idea." Permanent static IP addresses for everything.

I, for one, will welcome the end of the NAT kludge.

Market Forces

[bizitch]

Just like anything else, market forces will dictate when this gets adopted.

Are we really running out of IPv4 numbers? The market will tell us.

Is there a killer app for IPv6? The market will tell us.

Can we ram IPv6 down everyone's throat? The market will retailiate and hit back.

BTW - what's with this "wont somebody please think of the children" bullshit about? If we need to get to IPv6 - we'll get to it - relax already!

Two reasons.

[khasim]

#1. It allows you to run multiple boxes at home WITHOUT having to pay extra for a "family" connection plan.

#2. Cheap and easy way to block worms and such.

Re:Two reasons.

[Kadin2048]

Neither of these points are really arguments for the current system, if anything they're good arguments against it, and in favor of IPv6.

#1 is nothing but a direct consecquence of the current shortage of IPv4 addresses. Under IPv6, there'd be no reason why every device on your network couldn't get a separate "real" address. The way they're handed out -- using a hierarchy instead of finite blocks -- would allow your ISP to let your home DHCP router hand out globally addressable IPs if it was set up correctly. Assuming your ISP doesn't suck, that is, and that's really not the fault of the IP system, one way or the other.

#2 is pretty frightening, because it shows a misunderstanding of what NAT is and a certain amount of laziness about security in general. That said, there's no reason why you couldn't get a 'firewall in a box' that would provide just as much (or as little) security without the NAT facility. It's just that right now when you go and buy a "home firewall" from Linksys, it almost always includes NAT by default (because of point #1, the pressure by ISPs on home users to only have one IP address due to limited supply). There's no reason why this needs to be true, however, and the security comes from the firewall effect and not the address translation itself.

Re:Something I don't get...

[MightyMartian]

One does not need NAT to lock up vulnerable ports. I have a Linux-based firewall that covers my public IP Windows boxes, and it works fine.

NAT is not the answer!

[kasparov]

Anyone who has to deal with SIP absolutely hates NAT. SIP is a VoIP protocol that is pretty much where everything is headed. Some instant messenger clients/servers even use it. And it is most definitely not NAT-friendly. In SIP, the call setup information and the media can travel differnt paths. This means that endpoints can comunicate directly without having to send media through a central location. Since the SIP message contains a description of what ports to expect the audio to arrive on in the body of the packet, NAT boxes will generally block the media coming from the other device. 90% of the problems that VoIP providers end up having to deal with is NAT-related.

You have to go to all kinds of lengths (using special session border controllers, media proxies, etc.) to be able to support SIP calls where one or both parties are behind a NAT. It is awful. NAT is a hack--a useful one in certain situations, but still a hack.

Market? Or cynical manipulation?

[DoctorNathaniel]

"The death of IPv4 has not really killed the Internet. In fact, far from it, we've managed to make an industry around it."

In other words, by keeping IPv4, we can sell NAT boxes (which we're already selling in huge numbers.. the wireless network hub in my den is a prime example.) Cisco has a big investment in building hardware to take care of IP space limitiations.

"You will still be able to get addresses, if you pay for them, because a market will appear."

In other words, this damned internet isn't making us enough money, because IP addresses are free. We want people to start trading them, so we can get commissions on the sales.

It's clear that this is "good buisiness" for the big internet companies: why invest in a new system that will make users's lives cheaper and easier when we can continue to sell patches on the old stuff, and make a market so that we can start charging the freeloaders?

It's also clear to me that the only way IPv6 will get adopted is if public bodies start using them and demanding their use. For instance, if Internet2, the US military, or all of .gov start adopting, then it will get off the ground. Of course, this is unlikely to happen because Cisco doesn't sell IPv6 switches.

I'm no expert, but to my cynical eye it looks not like market forces, but like the usual problems with capitalism exploiting a local maximum and avoiding short-term risk.

----Nathaniel

Are we ready to surrender anonymity on the net?

[schwaang]

What's the deal with including your MAC address as part of your IP address?

Yeah this looks like a serious privacy issue that most people haven't woken up to yet.

A MAC address is (usually) a globally unique identifier. How long before someone big builds a database relating MAC to user identity (Microsoft, your ISP, law enforcement, whoever).

At that point, no matter where you connect your laptop from, your traffic can be identified as yours. Be it for the purpose of advertising, tracing communication, or other data mining.

So the question is, are we ready and willing to surrender anonymity on the net?

Re:Are we ready to surrender anonymity on the net?

[Halo-]

A couple of points:

1) With a static IP, especially if you have a DNS name to go along with it, you leave just as big of a footprint, if not more. (Since I've only got the one directly addressable IP, I might as well get a name to go with it, right? And then use something like DynDNS? Well, unless I register by proxy, I have to give my name, address, phone, etc...)

2) MAC address, while theoretically static, can easily be changed in most OSes and hardware. For example, my LinkSys router has an option to "clone MAC address" in the setup. The problem with changing your MAC address is that the prefixes indicate the vendor, and that might get you in trouble with someone who "owns" that prefix. (I doubt it though)

3) There is nothing preventing you from NAT'ing IPv6, and I suspect some people probably will simply for the quasi-deny-all-in firewall effect. Moreover, if you really want to be anonymous, IPv6 makes it much easier to implement things like "onion routing" because it's a lot easier for individuals to set up persistant servers.

The point is, you can control the "MAC" portion of the address, and the "public" portion is just as visible (or not) as with IPv4. Hell, you could change your MAC address every coupla minutes for a REALLY long time without ever repeating one if that's what you wanted. (Persistant connections be damned...)

It's supposed to be Overkill

[Pii]

Overkill is exactly the point.

The previous poster asked Why 128 bits instead of, say, 64?

The amount of work required to jump to 64 bit addressing or 128 bit addressing is identical. Since you're going to have to re-write everything anyway, you may as well figure in a ridiculously large address space, because not doing so saves you nothing.

Additionally, the routing table saving offered cannot be understated. With huge swaths of continguous address space, you can (hypothetically) represent an entire continent as a single aggregated routing entry (The more granular routing information would only be seen locally.), and the number of unique addresses within that range would be virtually inexhaustable.

Overkill is a good thing when it doesn't cost you anything.

Not me too

[mwood]

Is there an echo in here? "We'll never run out of [2^N for any value of N] addresses". Yes we will. There are people who are scheming to put every bloody light switch and kitchen appliance on the Internet. There are people designing applications to run on microscopic hosts that will be scattered like seeds, by the thousands or millions.

It's 128 bits instead of 64 so we don't have to go through this again in five years.

Remember, the Internet *core* used to run over 56kb/s lines -- the same speed as those $20 modems that individuals are throwing away by the basketful today because they're unbearably slow for *personal* use. It's *hard* to plan well for that kind of growth. Better to waste a couple of bits than have to waste the whole thing and do it over.

Re:IPv6 is good, but so is NAT

[rpresser]

NAT is actually solves a secondary problem: allowing individuals to have their own home network without having to register each of their computers with some sort of central authority. Almost all IPv6 advocates say that NAT won't be supported as part of the protocol, which is not such a bad thing if you see NAT simplay as a solution to solves address space issue, but it isn't if you see it as a solution allowing individuals to allocate their own addresses, without having to go through the bureaucratic process of registering each one. I feel that in missing this fact is actually a real issue and one that needs to be dealt with - if there already is a solution to this, then no one I have asked has yet provided me with one.

**You have missed the point entirely**

Forcing everyone back into the bureaucratic process is exactly what the designers want to do. Imagine how much less money would be made by cell phone companies if you could pick up any phone and it would automatically choose a phone number, then register your name with a decentralized directory so anyone who wanted to reach you could. Instead, you have to pay that $50 activation fee, plus a sizable portion of every month's cell phone bill, just for the privilege of being told when and where you can make telephone calls. That is the ideal that our IPv6 overlords are shooting for. I for one welcome them.