How Feds are Dropping the Ball on IPv6

BobB-NW writes "U.S. federal agencies have six months to meet a deadline to support IPv6, an upgrade to the Internet's main communications protocol known as IPv4. But most agencies are not grabbing hold of the new technology and running with it, industry observers say. Instead, most federal CIOs are doing the bare minimum required by law to meet the IPv6 mandate, and they aren't planning to use the new network protocol for the foreseeable future."

As things go ...

[foobsr]

Regional registry IPv4 address exhaustion in... 1442 Days, 07 Hours, 42 Minutes, 42 Seconds. ( http://penrose.uk6x.com/ )

So there is plenty time for someone to wake up, wanting it yesterday.

CC.

I don't blame anyone for avoiding IPv6,

[yagu]

I don't blame anyone, even government in this case, for avoiding the hassle of getting everything converted to IPv6. Maybe eventually we all will have to be there, but there always seems to be workarounds that work for everyone, minimal hassle, minimal pain.

If you wanted a Starbucks coffee, and it was one street down, and someone told you you had to go through the in-between building, climb up and down its twenty flights of stairs just to get to the next street for you coffee, and you knew you could just walk around the building on the sidewalk, what would you do? Now, if the building were only two stories high, and the block to walk around were 600 ft each side, it might be a different choice.

An interesting aside, meeting the mandate only requires they are IPv6 capable, not running it. This is the same height bar the government set for Microsoft in the early nineties when Microsoft delivered the DOA POSIX-compliant (never to be really used) NT. NT, with its barely implemented POSIX subsystem (only implemented the library portion, btw, not the user interface) got to put a check in the POSIX checkbox for government contracts.

Lesson to be learned? If you want to make an effective mandate, make it a mandate for implementation, not capability.

The government:

• couldn't do metric
• couldn't do POSIX
• isn't doing IPv6

Academic Attitude

[jeremiahbell]

During this last college semester I expressed my disappointment that IPv6 wasn't being implemented as widely as I thought it should be. I also subtly hinted at my disappoint that IPv6 wasn't covered at all (except one half a page of 405). My teacher said "I think it will take a new generation of Network Tech to implement IPv6". How in the hell are we going to have a new generation implementing it when it isn't even taught? I just took that joke of a Network+ test and now I'm certified, and I don't know diddly-squat about IPv6. Thankfully Wikipedia is there to explain a little bit of it to me.

Routers can be a big issue

[Sycraft-fu]

That is the reason why we don't do IPv6 where I work (university). A lot of people think it is easier, and more importantly cheaper, than it really is because they've worked on small networks, or have been at a place that did IPv6 wrong.

What happens on a large, high speed, network is that your routers rely on hardware acceleration to be able to pass traffic as quickly as you want, while still implementing all the rules you want. What that means is there are ASICs of various kinds that can handle various kinds of traffic. On older hardware (and some newer too), these are for IPv4. So anything else has to be handled by the router's CPU, which really isn't very powerful.

So, what that means is that you can technically support IPv6 by just turning it on, but only if you are willing to do it poorly. If we enabled it on all the routers, we would effectively support IPv6 internally. Great, and initially everything would work fine. However if any significant number of people actually decided to use it, network performance issues would come up in a hurry.

To really support it we have to buy new routers that support IPv6 in hardware. This could be done, but it would be expensive. Last time it was looked at the price tag was over $5 million. As you can probably guess, the university wasn't that interested in spending money like that for what was perceived to be no gain at all.

So while in a smaller network, where there's only an edge router and it isn't very high speed, yes IPv6 can be as simple as some software updates and turning it on for all devices. However when you have a larger, higher performance, network, you often need new hardware. That's a lot of money, and it is hard to justify that being spent for no real gain.

Re:What is IPv6 compliance?

[anticypher]

has anyone here on /. actually upgraded a network to be IPv6 compliant and what can you tell us about real world experience.

I've done it. And now that I have a couple of posts in this thread banging the drum FOR IPv6 and correcting serious misconceptions, I'll use this thread to trash IPv6 :-)

On most networking equipment, turning on IPv6 is no more complex than a global "ipv6 routing" and setting the address on interfaces just like you do for IPv4. I'll use a pseudo-cisco example
interface Gig0/0
ip address 223.123.40.1 255.255.224.0
ipv6 address 2001:1a1:98b5:1::1/64

After that, most modern OSes on that segment will recognize the router announcements, autoconfigure, and start using IPv6. That's the easy part.

All routers and switches introduced to the market in the last two or so years seem to support v6 traffic, in VLSI hardware for the higher end kit. In fact, I haven't seen one new product announcement in at least two years that didn't have wire speed IPv6, no more passing unknown packets to CPU. But new kit is only put in slowly, and old kit has a useful lifespan of around a decade. Try passing IPv6 traffic on an older layer2 switch over a dedicated vlan, and many older switches can't deal with production traffic levels.

Once you start climbing the protocol stack you run into more problems.

With the sole exception of OpenBSDs pf firewall, there isn't a firewall out there that does IPv6 fully. Many firewall manufacturers will announce IPv6 support, but all that means is they have a rule for detecting IPv6 packets and either dropping them or passing them. They can't filter on address ranges or higher level protocols. One big manufacturer of firewalls now claims they support IPv6 because although their equipment doesn't yet support it, their tech support will take feature requests. Network security software (types like nmap) have little to no support, mostly because the authors have no real world examples to code around.

Services vary in their v6 support. Bind is fantastic. Apache kind of supports it, but many modules in Apache2 choke when it's turned on. The web programming languages are all a mess in their support; perl, PHP, java, python and the rest are a complete gamble, and even when support is mostly there, bugs crop up all over the place. The databases used behind many websites, such as MySQL and Postgres have spotty support, and if you don't go back and clean up your database code, they'll return all kinds of shit if the webserver starts passing in IPv6 addresses where someone hardcoded 4 bytes. Some of the freeware/GPLed/opensource projects like ircd and jabberd seem to have full support, and there are very few service daemons that don't at least acknowledge IPv6 existence.

Up at the application level, all modern browsers will use IPv6 correctly. Many apps written for Apple OSX make use of IPv6 if it's present, the only exception I know of is skype. All my networks, and most of my client's networks are dual stacked, so I never even notice that all my SSH sessions are over IPv6, as are all my web connections to nagios or cacti machines, our instant messenger traffic and most everything else. At least at the user application level, there has been years of preparation and it shows. On Vista, what little playing around I've done shows almost no application level support except IE7 which works as well as IE7 possibly can.

Small networking appliance support is almost non-existant. Except for Apple's wireless networking box, there isn't a DSL or cable modem on sale in the west that has support. In China, Korea, Japan and a few other south-east asian countries, most CPE boxes have IPv6 support, because most ISPs are forced to use it as they can't get enough IPv4 addresses for their end users. Much of the IPv6 web traffic I see outside my own little European island is to sites in the far east, where support is widespread.

Mandatory IPSec security is a joke, many v6 n