One Step Closer to IPv6
gbjbaanb writes "IPv6 came a step closer yesterday as ICANN added IPv6 host records to the root DNS servers, reports the BBC. 'Paul Twomey, president of Icann which oversees the addressing system, told the BBC News website there was a need to start moving to IPv6. "There's pressure for people to make the conversion to IPv6," he said. "We're pushing this as a major issue." The reason for the urgency, he said, was because the unallocated addresses from the total of 4,294,967,296 possible with IPv4 was rapidly running out. "We're down to 14% of the unallocated addresses out of the whole pool for version 4," he said. Projections suggest that this unallocated pool will run out by 2011 at the latest.'"
It's sad to look at the list of class A allocations and know that we're almost out. All this was done before NATs became popular. I think ICANN/IANA should work on wrestling some of those class As back from companies like Ford, Apple, HP, etc. None of those companies are going to ever have 16,000,000 hosts on public IPs. I know some of those companies have already made sub-allocations. We could probably buy 5-10 years if they could reclaim just the 3, 9, 13, 17, 19, 20, 34 and 40 class As and get over 130,000,000 IPs back.
I mean, if those companies complain, who cares. They wouldn't get such large and prestigious allocations in an IPv6 network anyways. So what's the difference.
I know, I know, we should move to IPv6 anyways. Just a suggestion. Poor initial planning warrants changes down the road.
They're not going to be very eager to give up their position as a gatekeeper of a limited resource just so their customers can frolic in a vast address space for free. Since most of them operate in a monopoly or duopoly situation, the proverbial "free market" won't force them to move off IPv4 either.
That's why ICANN is adding IPv6 to the root DNS servers. IPv6 adoption has to start somewhere, and for years everyone has been waiting for someone else to start the ball rolling. Well, it looks like ICANN finally got fed up and has given the ball a small push to see how far it rolls, and is now waiting for someone else to give it another push to keep it rolling.
Insert funny smart-ass comment here.
IPv6 is not quite there yet, with some of the popular web sites still not accessible via IPv6.
If you are stuck behind a home router with NAT, then you will probably find yourself unable to access IPv6 sites. In the meantime there are two solutions:
- Teredo. If you have Vista, this is standard. For everything else there is Miredo.
- Aiccu. A little more work and bureaucracy to get up and running, but a solution nonetheless.
Of course there is also Apple's Airport Extreme, which is one of the few home routers out there that supports IPv6. I believe some of the third-party firmwares will do this too, but I don't think the IPv6 support is mature. As for Linksys, D-Link, et al., I think you are out of luck for the moment.
Also, if you are running Apache, you will need a minimum of Apache 2 and to specify IPv6 support using the configure script, prior to building it.
Jumpstart the tartan drive.
I've been waiting a while for Netgear, Linksys and that crowd to add 6to4 support to their home NAT routers as a way to help jump start IPv6 adoption. There would be no security issue if incoming connections were blocked by default and people could turn it off if they didn't want it. But 6to4 can be set up automatically by any machine with a publicly routable IPv4 address.
Well, I'm happy to say that my wait is finally over. They didn't make a big deal about it, so I don't know exactly when they did it, but Apple added that support to their Airport Extreme. So now when I go anywhere that has one of those, I can directly SSH into those inside machines that I've opened ports for without undue muss or fuss.
Apple has been a stalwart supporter of IPv6, from my observation. It's been possible to use AFP file sharing over IPv6 since at least Tiger and the built-in VNC stuff works over IPv6 too (though there is a naming lookup bug that requires you to connect using the IPv6 address literal if you use the command-K "Connect to" dialog).
So, Netgear and Linksys, what's holding you guys up?
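As an added illustration of the two tunnelling mechanisms this thread mentions (Teredo in the earlier post, 6to4 in this one), and not code from any poster: the snippet below derives a host's 6to4 prefix from its public IPv4 address and encodes/decodes a Teredo address, so you can see why 6to4 needs a public address while Teredo carries the NAT's external mapping inside the IPv6 address itself. The NAT range list and sample values are my own assumptions; the Teredo address is the worked example from RFC 4380 section 4.

```python
import ipaddress

# Constructed sample inputs (not from the thread); the Teredo values are the
# worked example from RFC 4380 section 4.
PUBLIC_V4 = "192.0.2.1"
TEREDO_SAMPLE = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"

# Address blocks that sit behind a home or carrier NAT (assumed list): 6to4 cannot
# work from these, because a relay would send replies to the embedded, unreachable IPv4.
NAT_RANGES = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def six_to_four_prefix(ipv4: str) -> str:
    """RFC 3056: the site prefix is 2002::/16 followed by the public IPv4 address,
    giving a /48 the host can derive with no configuration or tunnel broker."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in NAT_RANGES):
        raise ValueError(f"{ipv4} is behind NAT; 6to4 needs a publicly routable IPv4 address")
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48)))

def teredo_address(server_v4: str, client_v4: str, port: int, cone: bool = True) -> str:
    """RFC 4380 layout: 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF.
    The client fields are the NAT's *external* mapping, obfuscated so NATs don't rewrite them."""
    raw = (0x20010000 << 96) | (int(ipaddress.IPv4Address(server_v4)) << 64)
    raw |= ((0x8000 if cone else 0) << 48) | ((port ^ 0xFFFF) << 32)
    raw |= int(ipaddress.IPv4Address(client_v4)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(raw))

def decode_teredo(addr: str) -> dict:
    """Recover the Teredo server, cone flag and the client's NAT-mapped IPv4:port.
    Handy when triaging IPv6 logs: the source is a UDP tunnel, not a native IPv6 host."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in ipaddress.IPv6Network("2001::/32"):
        raise ValueError(f"{addr} is not a Teredo address")
    raw = int(v6)
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "cone": bool((raw >> 48) & 0x8000),
        "mapped_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "mapped_ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

if __name__ == "__main__":
    print(six_to_four_prefix(PUBLIC_V4))   # 2002:c000:201::/48
    print(decode_teredo(TEREDO_SAMPLE))    # server 65.54.227.120, mapped 192.0.2.45:40000
```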
So when IPv6 finally does become the norm, will there be any need for NATs on home routers, or will ISPs simply give you many addresses?
I work for them (but obviously do not speak for them) and I personally have 8 machines with 9 IP addresses. Times that by a third of a million staff and add in whatever servers, managed services, infrastructure etc., and you're getting to needing a class A.
People are adopting IPv6 from the outside in, but they're using 6to4 and Teredo instead of the obsolete 6bone.
Look at this:
003/8 May 94 General Electric Company
So GE has a whole /8 for them (3.x.x.x).
And now, look at this:
www.ge.com has address 216.74.131.56
NAT has a number of advantages though:
1: People see one external box, and have to crack that box to get to your internal network segments. Yes, this can be regarded as security through obscurity, but this keeps someone who is "driving by" with some autodiscovery tool from gleaning info they shouldn't have.
2: An attacker has to figure out if the box with a web server is one machine, or actually multiple, with the router redirecting ports. For example, if there is an attack that requires something done with both the FTP server and an SSL server at the same time, it won't succeed. Another example is having the SSL port to one machine and the non-secure Web server point somewhere different, or having the dynamic Web stuff hanging off of a different port than the static (which is not all good -- a lot of businesses block Web stuff that isn't going to port 80.)
3: A NAT box allows one to protect traffic, and deal with an abuse problem internally rather than have an outside person come in. For example, if someone is sending out obnoxious content, without a NAT, the outside place can bypass the net admins and try legal action against the owner of the machine. With a NAT, they would have to go through the company or organization's security (including legal team).
4: Legal reasons. If someone is being prosecuted for hacking, it gives a better case to show that the knowledge of internal network segments is protected and shielded, forcing the defendant to bypass security.
5: Business intelligence. It's always good to keep the number of machines (and what segments they are on) hidden, so the competition can't easily find out that one is ramping up a new backend infrastructure for a service rollout (for example.) This also goes for foreign intelligence as well. For example, if country A finds out that country B is adding a lot more computers to their IPv6 segment of a certain type in their infrastructure, it can bring meaningful info that country B may be ramping up for a military offensive.
6: Contracts. In a lot of security contracts, internal traffic and external Internet traffic have to be completely separate (separate IP address space), or else severe criminal and civil penalties can ensue.
7: Corporate laws like SOX, HIPAA, and PCI compliance. These laws make NAT a requirement. Fail to do this as a network or security admin, and you just lost the "due diligence" protection. This can mean shareholder lawsuits and prison time should a security breach occur.
Yes, NAT is ugly, but it's something that is a must-have on the Internet for most companies, even with the vastly larger address space of IPv6. NAT is also the law in a number of countries (as a consequence of "due diligence"), and not protecting internal assets by this could mean civil and criminal liabilities.
NAT just makes it easy for the network to have a single point-of-contact going in/out of the network.
And firewall issues would still be the same, as far as having to poke holes, etc. And not having firewalls would make for a rather insecure network and not solve any of the problems that we have today anyway.
So the issue really is an IP allocation issue, and NATing would be good regardless of using IPv4 or IPv6. It would be nice for everyone to be able to have a static IP at their network gateway, but not beyond that.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Offtopic, but---
It simply doesn't follow that CO2 levels haven't ever been this high. That CO2 that we are generating, you know, from fossil fuels?
Where do you think it was before it became fossilized?
http://www.geocraft.com/WVFossils/PageMill_Images/image277.gif
For most of the current Cenozoic era, CO2 levels have been *higher* than they currently are. The *only* possible issue with "global warming" right now is whether or not the rapid rate of change in CO2 levels will be damaging, not the absolute level of CO2 in the atmosphere.
For example, during the Jurassic period, CO2 levels were at 1800 ppm. During the Cambrian period, CO2 levels were 5000 ppm. Currently, CO2 levels are at 378 ppm, and even if we burn ALL known sources of fossil fuels it is unlikely we will drive that above 900 ppm or so.
WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell.