One Step Closer to IPv6
gbjbaanb writes "IPv6 came a step closer yesterday as ICANN added IPv6 host records to the root DNS servers, reports the BBC. 'Paul Twomey, president of Icann which oversees the addressing system, told the BBC News website there was a need to start moving to IPv6. "There's pressure for people to make the conversion to IPv6," he said. "We're pushing this as a major issue." The reason for the urgency, he said, was because the unallocated addresses from the total of 4,294,967,296 possible with IPv4 was rapidly running out. "We're down to 14% of the unallocated addresses out of the whole pool for version 4," he said. Projections suggest that this unallocated pool will run out by 2011 at the latest.'"
130,000,000 / 4,294,967,296 = 3%
The article says we will run out of unallocated IPs by 2011. The unallocated pool is 14%. It is currently 2008. 2011 - 2008 = 3 years. What makes you think that reclaiming 3% is going to buy us 5 to 10 years?
The only justification you ever hear for moving to IPv6 is address exhaustion in IPv4. There's a lot of other stuff built into the protocol that will make the net a much better place. Even if IPv4 had the same amount of addresses as IPv6 it would still be worthwhile to switch. Just give this a once over for an introduction
http://en.wikipedia.org/wiki/Ipv6#Features_and_differences_from_IPv4
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
All class A's should be re-designated as class B's, and entities that currently have class As that need more than a class B should be able to claim multiple class B's from their current class A.
I'm a contractor with the Postal Service (Class A 56) and I don't think we need the whole thing. Probably 50-75% of postal computers are individual post offices that access the network through a DSL (or in some small towns, dialup) and VPN. Data Centers and other large facilities should easily be able to fit in 1-10 class B's depending upon just how many sites there are.
10.0.0.0/8 is one of the IP blocks allocated for private networks (ten dot star), but if hosts are in a private network they can't contact other private networks directly.
Change is certain; progress is not obligatory.
I get a surprising number of IPv6 hits on my webserver at home. Most of these appear to be XP or Vista boxes with Internet connection sharing turned on that automatically assign themselves a 6to4 address when they have an interface with a public IPv4 address.
IPv6 with 6to4 is easy to set up, and I'd recommend it to anybody who has a static IPv4 address. You can use NAT-PT so all your IPv6 hosts can still get to the IPv4 network. If you have a couple of DNS servers, you can even set up reverse DNS for your IPv6 network just the way you want using this nice web interface from the NRO.
I maintain some good links to stuff about IPv6 on del.icio.us.
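The 6to4 hits described above come from addresses that embed the client's public IPv4 address in the 2002::/16 prefix (RFC 3056). As an added example, not part of any post on this page, this Python derives the 6to4 prefix a host would auto-configure and maps constructed access-log source addresses back to the embedded IPv4, which is how a webserver operator can correlate such hits with the IPv4 network behind them.

```python
import ipaddress

# RFC 3056: 2002:V4ADDR::/48, where V4ADDR is the host's public IPv4 address
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def six_to_four_prefix(ipv4):
    """Return the /48 6to4 prefix a host with this public IPv4 address auto-configures."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private:
        # Hosts behind ten-dot style private space cannot form a 6to4 prefix
        raise ValueError(f"{v4} is not a public IPv4 address; 6to4 needs one")
    hi, lo = int(v4) >> 16, int(v4) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")

def embedded_ipv4(ipv6):
    """If ipv6 is a 6to4 address, return the IPv4 address carried in bits 16-47, else None."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIX_TO_FOUR:
        return None
    # 128-bit address: skip the 16-bit 2002 prefix, take the next 32 bits
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def classify_log(lines):
    """Map each source address in the log lines to its embedded IPv4 (None if not 6to4)."""
    out = {}
    for line in lines:
        addr = line.split()[0]
        try:
            out[addr] = embedded_ipv4(addr)
        except ValueError:
            # IPv4 sources (or garbage) cannot be 6to4 addresses
            out[addr] = None
    return out

# Constructed sample log; the 6to4 entry embeds 216.74.131.56 (an address quoted on this page)
SAMPLE_LOG = [
    '2002:d84a:8338::1 - - [01/Feb/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8::5 - - [01/Feb/2008:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64',
    '10.0.0.5 - - [01/Feb/2008:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(six_to_four_prefix("216.74.131.56"))
    for src, v4 in classify_log(SAMPLE_LOG).items():
        print(f"{src:24} -> {v4 if v4 else 'not 6to4'}")
```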
I hate NAT. And I think IPv6 can be just as secure. Partly because a 64-bit address space is really hard to effectively randomly probe working addresses and partly because it's fairly easy to configure a firewall to not allow incoming connections.
Need a Python, C++, Unix, Linux develop
Lest anyone think this jackass is correct:
> IPv6 barely supports firewalls or NATs, allowing any Joe Sixpack to see what your secured corporate network topology is like from anywhere.
It is not up to the protocol to support the hardware. And anyway, all good firewalls support IPv6 already. NAT? It's there if you're dumb enough to want it.
> It also does not support reserved IP blocks... change ISPs, and you are forced to re-ip your whole network.
Step one: update your router to the new netblock.
Step two: sed -i'' 's/^old:net:block/new:addr:ess/' db.mydomain.com; rndc reload
Step three: laugh at people who go around changing ISPs all the time.
> Of course, IPv6 has -zero- hooks for IP level encryption, so this has to be handled at the transport or app level.
If only it supported IPsec, "the goal of [which] is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments." Oh, wait...
Dewey, what part of this looks like authorities should be involved?
NAT is, well, better than nothing, which, currently, is your alternative. But I'd hardly call it an "elegant and awesome solution". IMO, ultimately, NAT sucks because you *do not have a globally routable address* for devices in your network. Sure, that gives some security benefits, but makes it a PITA when you do want to open connections directly to a computer or consumer electronic device in your network.
A few reasons you might want to have a public address inside your network:
* Direct VOIP telephony (SIP, Skype, various instant messenger clients, run a TeamSpeak Server), etc
* Running game servers, web server, mail server, etc
* Remote access (VNC, SSH, etc)
* Direct file transfer with a friend (I've, from time to time, run into problems with things like instant messenger client based file transfers not working behind a NAT - though they do seem to have somewhat alleviated that problem - I suspect by routing my file transfer through the IM network instead of directly to the other person), or P2P file sharing systems, like Bittorrent - yes, they can usually work behind NATs; but they work better if direct connections could be more easily made).
Yes, yes, I know about port forwarding. That's fine and dandy as long as you only have a single device per port that you want to allow incoming traffic to. Ultimately, IPv6 is a much better solution to the problem of address space limitations than is NAT. NAT usually requires software to do ugly hacks to get around the limitations of only allowing outbound connections. A simple firewall with every device having a global address is a better solution, because then I can open up as many ports to as many devices as I like, without having to worry about only allowing one device per port.
I've had a number of times where I've been extremely frustrated by NAT. Often times, if software isn't explicitly written with NAT in mind, and the problems it creates, then it won't work well in a NAT'ed network.
Now, maybe day one I only need 4 IP addresses. I get a subnet that can handle that, plus maybe 2 more. Now, when I need to add 2 more, I have to add a whole new subnet, waste more IPs, AND my ISP is going to have to get new ones. After all, they can't just have an unused subnet laying around, or else it would be wasted as well, right?
Getting back to end-to-end networks is what needs to happen (no more NAT), and IPv6 is the way.
Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
While I would love to agree with you completely as I believe ARIN is a bunch of tards (can't speak for the other registries), there are/were technical reasons behind the way IPs are assigned. Machines haven't always had 2 gigs of ram. Maintaining routing tables on a network the size of the Internet was a difficult task, which required aggregating networks at upstream links and all sorts of stuff in a desperate attempt to prevent every multihomed router on the Internet from needing a few gigs to house the paths to various subnets and determine what path was the best.
... do this on hardware from 10-15 years ago. Well, first off, unless you're at a NAP 10 years ago, doing this would require expensive memory upgrades on your routers because most didn't have the ram required to deal with such a routing table in the first place; now add in the processing increase you're going to need because even though you can cache routes and deal with updating the cache only as the external paths change, it only helps so much because those external paths change a lot so your cache hits have to be revalidated more often than you think. God forbid you have a flapping connection, as I can tell you from personal experience, on many routers from 15 years ago, a flap of a line that relays BGP information resulted in a router that was busy for a few seconds dealing with the BGP changes unless it was a fairly high end router.
... the point to all that is, a lot of the way address space was assigned was because the hardware we had to work with 'back in the day' was only capable of so much.
...
... this is how businesses make money, but not doing extra work they are just going to have to do again later if they can prevent it.
... just like all the ones who made out over y2k fears/bugs.
Of course, time goes on, ram is cheap, and doing it now is somewhat easier, but it still requires ram and processing power, and that increases latency and cpu utilization.
For instance, assume that everyone was assigned address space in blocks of 256 addresses (class C) and had to show they utilized the address space before getting more as well as prove they continued to use it. Now assume that only half of the address space available was assigned. 2.1 billion addresses in use. That's approximately 8.3 million class C blocks allocated. I'm going to assume that's higher than what we have actually in use these days (not allocated, in use) but bear with me for reference purposes.
Now, for each packet you route, you have to search through those allocated blocks and find the one that contains the address you're communicating with. You also have to determine which path of the many you may have on your router is the best path to use based on number of hops to the destination (we'll pretend AS hops are real hops for simplicity), include other factors such as your internal weights for a route because it's expensive for you to use the OC3 you have rather than the DS3 because you got a great deal on the DS3 but not so much on the OC3.
You've just spent a lot of CPU cycles trying to figure out which path to use. Now
So
Okay, so now we can do better, great! Let's readdress everyone
I'm not going to bother going into the complexities of re-addressing a large network, but it's rather a pain in the arse and can cost a whole hell of a lot of money in IT resources. So when you look at the big picture and think, 'well, I can readdress now and help deal with the problem and then have to eventually switch to the new protocol (for now, IPv6) eventually anyway OR I can wait till everyone has to switch to the new protocol because of this problem and only do it once'
It makes more sense to wait and do it at once, save yourself some money, deal with it when everyone else does, and deal with the least amount of work you can until that time. And
Of course, on that same note, there are plenty of businesses which don't exist yet that will make a killing off the scare of running out of IPv4 address space and the switch to IPv6
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
This is actually a very important step towards what you want. About two-thirds of the TLDs have authoritative servers which are reachable over IPv6. There's a complete list at my blog - http://www.personal.psu.edu/dvm105/blogs/ipv6/2008/01/ipv6-dns.html
.com DNS servers using IPv6. If you want Google to be reachable over IPv6, go talk to Google. Everything higher in the tree is IPv6-enabled now. And Google has an IPv6 allocation from ARIN - they got a /32 in 2005 - http://ws.arin.net/whois/?queryinput=!%20NET6-2001-4860-1
So you can query the root and
I agree that there isn't much content on the IPv6 internet now. So if you want it, yell at the content providers.
It's not just the ISP's deriving revenue from fixed IPv4 addresses. Aside from all the corporate Class A's mentioned up top, there are hundreds or thousands of Class B's, and many of them list the possession of these address pools as an asset on their balance sheets. They are fought over in bankruptcy court. It's outrageous.
I used to work for Ampex, the inventors of the VCR, once a company with about 20,000 employees, now essentially a patent licensing firm with fewer than a hundred. They have a Class B: 136.185.0.0/16. That's right, more Class C address pools than employees.
There are lots of sunset companies in that situation.
-- "The only thing that is ever new in the world is the history you do not know." -- Harry Truman
whois 3.0.0.0
OrgName: General Electric Company
NetRange: 3.0.0.0 - 3.255.255.255
CIDR: 3.0.0.0/8
NetName: GE-INTERNET
So naturally, you would expect www.ge.com to be in that block. And you would be wrong.
dig www.ge.com
www.ge.com. 30 IN A 216.74.131.56
I have always thought it was rather irresponsible of them.
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
End-user netblocks are 2^64 addresses in size. If an attacker could ping a billion hosts per second, it would still take them 585 years to scan a single block.
So, again, NAT-as-security is even dumber on IPv6 than it is on IPv4.
As for the stated IPsec, it was a nice draft... but never made it into the standard. From Wikipedia:
Wow. Guess you're wrong there, too.
Dewey, what part of this looks like authorities should be involved?
You might consider the last part a warning about the lack of utility of 6to4. If I can't figure it out, and I've been using IPv6 for, wow, it's a decade now, then someone who has no clue (and such people make up the bulk of the people you're trying to get to use IPv6) is not going to have a chance.
I firewall ipv6 very nicely, thank you very much.
And your last comment proves you're not a net admin.
There is nothing interesting going on at my blog
HP used to have another Class B: 130.168.x.x, which it acquired along with Convex Computer. However, they subsequently gave it to Agilent when spinning it off.
http://www.ipv6.com/articles/military/Military-and-IPv6.htm
is just one example showing how the U.S. Military is required to be all IPv6 by 2012; in fact there are large chunks of the network that are supposed to be moving to IPv6 before then. So I'd say that's your "ball-rolling" starter. I have no idea how many networks and computers the U.S. Military represents, but considering they have an entire TLD, I assume they have a few. And I'd also be willing to bet that all the big router & OS vendors out there don't want to lose a big fat juicy customer like the U.S. Military, and therefore will do whatever it takes to get that network up and running.
You know in some senses, I think using the military as a guinea pig for things like this is a good thing for federal tax dollars to be spent on.
Sig 'em boy!
> localhost (127.0.0.1) has a 32-bit subnet mask, so 127.0.0.1/32
It may be set up this way on your computer's network settings but the RFC says the whole /8 is valid and is part of the loopback:
http://www.faqs.org/rfcs/rfc3330.html
Pre-canned Evolution Links for all those Slashdot holy wars.