How Feds are Dropping the Ball on IPv6

BobB-NW writes "U.S. federal agencies have six months to meet a deadline to support IPv6, an upgrade to the Internet's main communications protocol known as IPv4. But most agencies are not grabbing hold of the new technology and running with it, industry observers say. Instead, most federal CIOs are doing the bare minimum required by law to meet the IPv6 mandate, and they aren't planning to use the new network protocol for the foreseeable future."

As things go ...

[foobsr]

Regional registry IPv4 address exhaustion in... 1442 Days, 07 Hours, 42 Minutes, 42 Seconds. ( http://penrose.uk6x.com/ )

So there is plenty time for someone to wake up, wanting it yesterday.

CC.

Re:As things go ...

[Glowing+Fish]

But before that happens, we are going to hit peak oil anyway, and people will be too busy killing their neighbors with their bare fingernails to steal his tree bark to eat to worry about the fact that everyone in the family's laptops, palmtops and wired household appliances can't have their own IP addresses.

I don't blame anyone for avoiding IPv6,

[yagu]

I don't blame anyone, even government in this case, for avoiding the hassle of getting everything converted to IPv6. Maybe eventually we all will have to be there, but there always seems to be workarounds that work for everyone, minimal hassle, minimal pain.

If you wanted a Starbucks coffee, and it was one street down, and someone told you you had to go through the in-between building, climb up and down its twenty flights of stairs just to get to the next street for you coffee, and you knew you could just walk around the building on the sidewalk, what would you do? Now, if the building were only two stories high, and the block to walk around were 600 ft each side, it might be a different choice.

An interesting aside, meeting the mandate only requires they are IPv6 capable, not running it. This is the same height bar the government set for Microsoft in the early nineties when Microsoft delivered the DOA POSIX-compliant (never to be really used) NT. NT, with its barely implemented POSIX subsystem (only implemented the library portion, btw, not the user interface) got to put a check in the POSIX checkbox for government contracts.

Lesson to be learned? If you want to make an effective mandate, make it a mandate for implementation, not capability.

The government:

• couldn't do metric
• couldn't do POSIX
• isn't doing IPv6

No real drive

[Marillion]

I also look at the industry as a whole. I don't see any real drive, a critical mass if you will, for getting off of IPv4. My ISP doesn't offer IPv6. My company doesn't use IPv6. It's little wonder that the government is dragging it's feet.

What is IPv6 compliance?

[Midnight+Thunder]

IPv6 isn't that complicated to set up, especially since most recent desktops support IPv6 out of the box, though that doesn't mean that there aren't a few hurdles, including:
    - Upgrading routers, firewalls et al to support IPv6.
    - Some application software still not being fully IPv6 ready.
    - A large number of sites still don't have IPv6 DNS addresses

I think the problem, like many government proposals is not the recommendation, but the lack of research guidelines or instructions on how to make the infrastructure IPv6 compliant or what it means to be IPv6 compliant. For example is simply having a 6to4 gateway considered IPv6 compliance.

All this said and done, has anyone here on /. actually upgraded a network to be IPv6 compliant and what can you tell us about real world experience.

Re:What is IPv6 compliance?

[Tony+Hoyle]

IPv6 isn't that complicated to set up

Yes it is.

Desktops are only the start.
Your servers need it (no ipv6 AD support).
No ipv6 network printer support.
No ipv6 VOIP support.
Poor to nonexistant ipv6 router support, and of those that do most of them don't support firewalling it.
Poor to nonexistant connectivity. Try asking the average ISP for an ipv6 address and they'll just look at you funny. It's not just consumer ISPs either - this business park I'm in at the moment has *no idea* what ipv6 is and has no timescale to look at it either.

Then there's the bits and pieces.. Dies Blackberry support ipv6? I know iphone doesn't, and Symbian's implementation is broken (relies on a dhcpv6 server and even then seems to need some kind of proprietary extension to that).

Re:What is IPv6 compliance?

[Russ+Nelson]

- A large number of sites still don't have IPv6 DNS addresses
That's the biggest problem. Until I can reach every server with IPv6, I'll still need IPv4. Since I need IPv4, why should I bother with IPv6?

Re:What is IPv6 compliance?

[anticypher]

has anyone here on /. actually upgraded a network to be IPv6 compliant and what can you tell us about real world experience.

I've done it. And now that I have a couple of posts in this thread banging the drum FOR IPv6 and correcting serious misconceptions, I'll use this thread to trash IPv6 :-)

On most networking equipment, turning on IPv6 is no more complex than a global "ipv6 routing" and setting the address on interfaces just like you do for IPv4. I'll use a pseudo-cisco example
interface Gig0/0
ip address 223.123.40.1 255.255.224.0
ipv6 address 2001:1a1:98b5:1::1/64

After that, most modern OSes on that segment will recognize the router announcements, autoconfigure, and start using IPv6. That's the easy part.

All routers and switches introduced to the market in the last two or so years seem to support v6 traffic, in VLSI hardware for the higher end kit. In fact, I haven't seen one new product announcement in at least two years that didn't have wire speed IPv6, no more passing unknown packets to CPU. But new kit is only put in slowly, and old kit has a useful lifespan of around a decade. Try passing IPv6 traffic on an older layer2 switch over a dedicated vlan, and many older switches can't deal with production traffic levels.

Once you start climbing the protocol stack you run into more problems.

With the sole exception of OpenBSDs pf firewall, there isn't a firewall out there that does IPv6 fully. Many firewall manufacturers will announce IPv6 support, but all that means is they have a rule for detecting IPv6 packets and either dropping them or passing them. They can't filter on address ranges or higher level protocols. One big manufacturer of firewalls now claims they support IPv6 because although their equipment doesn't yet support it, their tech support will take feature requests. Network security software (types like nmap) have little to no support, mostly because the authors have no real world examples to code around.

Services vary in their v6 support. Bind is fantastic. Apache kind of supports it, but many modules in Apache2 choke when it's turned on. The web programming languages are all a mess in their support; perl, PHP, java, python and the rest are a complete gamble, and even when support is mostly there, bugs crop up all over the place. The databases used behind many websites, such as MySQL and Postgres have spotty support, and if you don't go back and clean up your database code, they'll return all kinds of shit if the webserver starts passing in IPv6 addresses where someone hardcoded 4 bytes. Some of the freeware/GPLed/opensource projects like ircd and jabberd seem to have full support, and there are very few service daemons that don't at least acknowledge IPv6 existence.

Up at the application level, all modern browsers will use IPv6 correctly. Many apps written for Apple OSX make use of IPv6 if it's present, the only exception I know of is skype. All my networks, and most of my client's networks are dual stacked, so I never even notice that all my SSH sessions are over IPv6, as are all my web connections to nagios or cacti machines, our instant messenger traffic and most everything else. At least at the user application level, there has been years of preparation and it shows. On Vista, what little playing around I've done shows almost no application level support except IE7 which works as well as IE7 possibly can.

Small networking appliance support is almost non-existant. Except for Apple's wireless networking box, there isn't a DSL or cable modem on sale in the west that has support. In China, Korea, Japan and a few other south-east asian countries, most CPE boxes have IPv6 support, because most ISPs are forced to use it as they can't get enough IPv4 addresses for their end users. Much of the IPv6 web traffic I see outside my own little European island is to sites in the far east, where support is widespread.

Mandatory IPSec security is a joke, many v6 n

Academic Attitude

[jeremiahbell]

During this last college semester I expressed my disappointment that IPv6 wasn't being implemented as widely as I thought it should be. I also subtly hinted at my disappoint that IPv6 wasn't covered at all (except one half a page of 405). My teacher said "I think it will take a new generation of Network Tech to implement IPv6". How in the hell are we going to have a new generation implementing it when it isn't even taught? I just took that joke of a Network+ test and now I'm certified, and I don't know diddly-squat about IPv6. Thankfully Wikipedia is there to explain a little bit of it to me.

Re:A rough guide as to why...

[jandrese]

IPv6 has better security provisions within the protocol itself, making the usual run of D- through to F- on Federal security audits less likely.

This has not been my experience with it. IPv6 is way more complex and poorly understood than IPv4 and as a result it is a lot more likely to have an unexpected security hole when set up by actual human beings than IPv4.

Re:why not an IPv4.1

[jandrese]

Because there is no space in the IP header for that, and no router support. This means you'd have to extend the IP packet header by creating a new protocol number and once you get all of that stuff done and implemented, you have done just as much work as you would have done to switch over to IPv6 (which is afterall just another protocol number). One of the primary design goals of IPv6 was to avoid ever having to make this transition again (look how painful it has been already), so halfassed solutions that will require us to make yet another transition down the road are less than appealing.

Routers can be a big issue

[Sycraft-fu]

That is the reason why we don't do IPv6 where I work (university). A lot of people think it is easier, and more importantly cheaper, than it really is because they've worked on small networks, or have been at a place that did IPv6 wrong.

What happens on a large, high speed, network is that your routers rely on hardware acceleration to be able to pass traffic as quickly as you want, while still implementing all the rules you want. What that means is there are ASICs of various kinds that can handle various kinds of traffic. On older hardware (and some newer too), these are for IPv4. So anything else has to be handled by the router's CPU, which really isn't very powerful.

So, what that means is that you can technically support IPv6 by just turning it on, but only if you are willing to do it poorly. If we enabled it on all the routers, we would effectively support IPv6 internally. Great, and initially everything would work fine. However if any significant number of people actually decided to use it, network performance issues would come up in a hurry.

To really support it we have to buy new routers that support IPv6 in hardware. This could be done, but it would be expensive. Last time it was looked at the price tag was over $5 million. As you can probably guess, the university wasn't that interested in spending money like that for what was perceived to be no gain at all.

So while in a smaller network, where there's only an edge router and it isn't very high speed, yes IPv6 can be as simple as some software updates and turning it on for all devices. However when you have a larger, higher performance, network, you often need new hardware. That's a lot of money, and it is hard to justify that being spent for no real gain.

Re:This presumes that IPV6 is a good idea

[coolGuyZak]

the onerous idea of tracking every conceivable device right down to bullets fired (look it up) is staggeringly senseless overkill.

I tried to look up the result on Google multiple times and wikipedia, finding nothing. Interestingly enough, your post is the first quote in the first google search.

If you're going to ask us to research something ourselves, please have the courtesy to provide enough information for the search.

That's a lot of trolls for one article!

[billstewart]

Yes, the IPv6 space is bigger than it could have been - some people thought that 64 bits would be enough, some wanted 80, some wanted 160. But the transition is enough of a pain that it's worth only doing it once, and 128 bits isn't that much more trouble than 64. Also, it's turning out that having more bits of network side will simplify a lot of potential network applications.

There isn't a lot of hoarded Class B space out there - if anything, most of the hoarding is at the /24 level, by companies that need a /24 for dual-carrier routing reasons, but would otherwise need only a /29 or so to handle the external side of their firewalls.

IPv6 had a lot of optimistic goals, some of which (like security and autoconfiguration) have been achieved in other ways (like IPSEC and DHCP), and others (like hierarchical simplification of routing structures) don't look like they'll really happen. But the IPv4 space is going to run out, and we're not going to be able to squeeze much past 2012 - especially if a billion people want data on their cellphones, or if the Chinese economy adds a couple hundred million broadband users, which won't take long, or a couple million businesses, which won't take long either.

The IPv6 address space is very rationally designed, and yes, managing it does take work - but it's big enough that there's room to experiment, unlike IPv4 which ran out of slack well over a decade ago.