IPv6 and the Business-Case Skeptics
Julie188 writes "Experts keep screaming that the IPv4 sky is falling. Three such experts were recently asked point-blank to state an irrefutable business case for moving to IPv6 now, and their answer was more plausible than the old refrain (the lack of addresses and a yet-to-be-seen killer IPv6 app). They said that there isn't a business case. No company that is satisfied with all of its Internet services will need to move, even in the next few years. They also pointed out that Microsoft is in a unique position in the industry, both causing and hindering IPv6 adoption: causing through its IPv6 support in its OSes, and hindering by not extending IPv6 support into very many of its apps."
There are plenty of business cases for IPv6, you just have to ask business experts, not technology experts...
Countries like China and India, that have lots of people that might one day want to connect, but not a lot of existing infrastructure yet, and certainly not a lot of IP4 addresses, will have a far better motivation than countries that have an abundance of unused addresses.
The killer app will come, alright - just not from the US.
IPv6 will happen when China demands it. China's growing need for IP address space will drive the issue. China needs at least a billion IP addresses. Especially since the Chinese government would like a system where each device has a permanent IP address.
192.168.1.87 -vs- fe80::e1c0:5620:bc95:3c71%9
I see your unwieldly addressing and raise you a DNS.
Besides, if you want to talk Rube Goldberg, check out IPv4's variable-length headers and the processing required to sort them out at line speed.
Actually, Microsoft is the last company to add IPv6 support to its OSes. By the time WinXP arrived, most other OSes, including Linux, Solaris and the BSDs, had had it for at least 2 years. And WinXP offered it as an optional protocol that had to be installed manually. Vista is the first version of Windows to offer IPv6 in a default install.
Moving to IPv6 means that I can't use NAT anymore for my home network.
Why not?
That means I need a block of IP addresses assigned to me. So does my telco/cable company have this set up and will it cost me a huge amount to get a block of IPs?
IPv6 addresses are cheap, and I bet your provider has a fairly easy way to allocate a block to their clients (or could set one up pretty easily if people ask).
Remember supply and demand? IPv4 addresses are low in supply and high in demand, so they're expensive. IPv6 addresses are very high in supply and relatively low in demand.
You can do port forwarding without NAT.
And he's wrong, nothing's preventing you from doing NAT on IPv6, except that it's probably never been implemented since it's kinda pointless.
It sounds like you work for an awful boss. Have you considered taking night classes to help land a job that rewards intelligence?
NATing between the internal LAN and the internet they can get up to ~250,000 entries (provided their hardware can support that), allowing each of their 2,000 users to be using, on average, 125 internet applications (or open connections) at once.
What's going to be more expensive: A massive NAT box or an IPv6-enabled router (as many already are)?
What's going to be more expensive: Adding NAT buster support into many apps, or using IPv6 (many apps are already IPv6-aware)?
At the APNIC 26 conference last month, NTT presented some ballpark numbers for how many people can be comfortably put behind NAT. They're not encouraging. Basically, the common "Web 2.0"-type apps open a lot of background connections, which chews through your ephemeral port space quickly, limiting the number of people that can be NATted. Google echoed those claims loud and clear: "AJAX applications break behind excessive NAT."
Also, consider that by 2012 we'll have run out of public IPv4 addresses. But only 25% of Earth's population will be online. Do you propose to put another 3.5 billion people behind NAT? I'm pretty skeptical that NAT can handle that load.
While NAT will likely be needed in the short term to deal with IPv4 address exhaustion, I'm highly skeptical of its long-term scalability.
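Added example (editor's code, not from any poster in this thread) putting numbers on the NAT capacity argument above and on the earlier "250,000 entries / 2,000 users / 125 connections each" figures. It assumes a translator that hands out source ports from 1024-65535 (64,512 per public IP; a real box may use a narrower range), and it models two allocation policies: strict (every mapping burns a unique public port, the simplest hardware behaviour) and per-destination reuse (a public port is unique only per destination, which stretches the port space but produces endpoint-dependent mappings, the kind that defeats hole punching). The user and server addresses are constructed.

```python
# Added example: how many users fit behind NAPT, and why the port-allocation
# policy changes the answer.
from collections import defaultdict

PORT_LO, PORT_HI = 1024, 65535          # assumed translator source-port range
PORTS_PER_IP = PORT_HI - PORT_LO + 1    # 64512


def users_per_public_ip(avg_flows_per_user, ports=PORTS_PER_IP):
    """Strict allocation: one public port per concurrent flow."""
    return ports // avg_flows_per_user


def public_ips_needed(users, avg_flows_per_user, ports=PORTS_PER_IP):
    """Ceiling of (users * flows) / ports under strict allocation."""
    return -(-(users * avg_flows_per_user) // ports)


class Napt:
    """Toy NAPT. Key: (int_ip, int_port, dst_ip, dst_port) -> (pub_ip, pub_port).
    strict=True : each mapping takes a unique public port on a public IP.
    strict=False: a public port is unique only per (pub_ip, dst_ip, dst_port),
                  so the same port is reused toward different destinations."""

    def __init__(self, public_ips, strict=True):
        self.public_ips = list(public_ips)
        self.strict = strict
        self.table = {}
        # Next free port per pool; flows are never closed in this model, so a
        # simple counter is enough (real tables also hold TIME_WAIT entries).
        self.next_port = defaultdict(lambda: PORT_LO)

    def open_flow(self, int_ip, int_port, dst_ip, dst_port):
        key = (int_ip, int_port, dst_ip, dst_port)
        if key in self.table:
            return self.table[key]
        for pub_ip in self.public_ips:
            pool = pub_ip if self.strict else (pub_ip, dst_ip, dst_port)
            port = self.next_port[pool]
            if port <= PORT_HI:
                self.next_port[pool] = port + 1
                self.table[key] = (pub_ip, port)
                return self.table[key]
        raise RuntimeError("NAT port space exhausted")


def simulate(users, flows_per_user, public_ips, strict=True, destinations=50):
    """Each user opens flows_per_user connections spread across `destinations`
    distinct servers (constructed 203.0.113.x addresses). Returns how many flows
    were admitted before the translator ran out of ports."""
    nat = Napt(public_ips, strict=strict)
    admitted = 0
    for u in range(users):
        for f in range(flows_per_user):
            d = (u * flows_per_user + f) % destinations
            try:
                nat.open_flow(f"10.0.{u // 256}.{u % 256}", 10000 + f,
                              f"203.0.113.{d}", 443)
                admitted += 1
            except RuntimeError:
                return admitted
    return admitted


if __name__ == "__main__":
    print("users per public IP at 125 flows each:", users_per_public_ip(125))
    print("public IPs for 2000 users:", public_ips_needed(2000, 125))
    print("strict, 1 IP:", simulate(2000, 125, ["198.51.100.1"], strict=True))
    print("per-dest reuse, 1 IP:", simulate(2000, 125, ["198.51.100.1"], strict=False))
```

At 125 concurrent flows per user a single public IPv4 address holds about 516 users under strict allocation, so the 2,000-user example needs four public addresses, or a translator that reuses ports per destination. Either way the model is optimistic: it never accounts for TIME_WAIT and idle-timeout entries that keep consuming ports after the application has moved on, which is exactly what the NTT and Google figures were about.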
Have you ever actually looked at what's required to parse an IPv4 header vs. an IPv6 header? There are plenty of good reasons that IPv6 decided the IPv4 structure was not a good plan.
Beside that, there's no practical way to add address length to IPv4 headers that wouldn't break old equipment. Moreover the kind of breakage caused would be harder to detect and repair -- old equipment would see the IPv4 header, not know about the new extensions, and likely do the wrong thing (like forward traffic to the address corresponding to the first 32-bits of the longer address). At least if you change the protocol number old equipment won't start randomly sending traffic it doesn't understand around the Internet.
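Added example (editor's code, not from any poster in this thread) showing concretely what "parse an IPv4 header vs. an IPv6 header" means. The IPv4 parser has to validate the IHL field, the total length and every option's length byte before it can trust where the payload starts; the IPv6 parser reads addresses and next-header from fixed offsets. The packets are constructed in the block itself, the IPv4 checksum is left at zero and not verified, and IPv6 extension headers are not walked.

```python
# Added example: parse a variable-length IPv4 header versus the fixed IPv6 header.
import ipaddress
import struct

IPV4_MIN_HEADER = 20
IPV6_HEADER = 40


def build_ipv4(src, dst, payload=b"", options=b"", proto=17):
    """Constructed test packet. Options are padded to a 32-bit boundary so the
    IHL field can describe them; the checksum is left at zero (not verified)."""
    options += b"\x00" * (-len(options) % 4)
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def build_ipv6(src, dst, payload=b"", next_header=17):
    """Constructed test packet: version 6, zero traffic class and flow label."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def parse_ipv4_header(pkt):
    """Every check here is work a forwarding path must do before it can trust
    the header: IHL bounds, total length, and a walk over the option list."""
    if len(pkt) < IPV4_MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_MIN_HEADER])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IPV4_MIN_HEADER:
        raise ValueError(f"IHL too small: {ihl}")
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("total length inconsistent with packet")
    options, i = [], IPV4_MIN_HEADER
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option missing length byte")
        olen = pkt[i + 1]
        if olen < 2 or i + olen > ihl:    # zero/short length would loop or overrun
            raise ValueError(f"option {kind} has bad length {olen}")
        options.append((kind, pkt[i + 2:i + olen]))
        i += olen
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "protocol": proto, "header_len": ihl,
            "options": options, "payload": pkt[ihl:total_len]}


def parse_ipv6_header(pkt):
    """Fixed 40-byte header: addresses and next-header sit at constant offsets.
    Extension headers, if present, are chained through next_header in the payload."""
    if len(pkt) < IPV6_HEADER:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not IPv6")
    if IPV6_HEADER + payload_len > len(pkt):
        raise ValueError("payload length exceeds packet")
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "hop_limit": hop_limit, "next_header": next_header,
            "header_len": IPV6_HEADER,
            "payload": pkt[IPV6_HEADER:IPV6_HEADER + payload_len]}


def rejects(parser, pkt):
    """True if the parser refuses the packet, which a robust path must do."""
    try:
        parser(pkt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    v4 = build_ipv4("192.168.1.87", "10.0.0.1", b"hi", options=b"\x94\x04\x00\x00")
    print(parse_ipv4_header(v4))
    print(parse_ipv6_header(build_ipv6("2001:db8::1", "2001:db8::2", b"hi")))
    # An option with length byte 0 must be rejected, not looped on forever.
    print(rejects(parse_ipv4_header,
                  build_ipv4("10.0.0.1", "10.0.0.2", options=b"\x94\x00\x00\x00")))
```

The two malformed cases in the block (an IHL below 5 words and an option with a zero length byte) are the kind of input that has historically made IPv4 option processing a source of crashes in routers and stacks; the IPv6 fixed header simply has no equivalent field to get wrong, which is the point the comment above is making.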
Correction: they're a tech on a tiny network where they're used to memorizing the DNS zones. At this very moment, I'm not sure I can tell you the IP of the webserver I work on most often - not because I never access it, but because I've been accessing it via DNS for the last five years and have never once in that time needed to connect via IP.
So you've never needed to troubleshoot a network problem. Good for you.
Your assumption that anyone who needs to know an IP address must be working with a tiny, memorizable DNS zone is completely false. Like I said, DNS is something that can break. For example, where I work, our dynamic DNS is broken, and the server team refuses to work on the problem (or delete bad entries...). So, when I want to work on one of my user's machines remotely, I sometimes need to find out from the user what their IP address is. Now, I don't know about you, but I'd much rather deal with repeating "192.168.1.87" over the phone than "fe80::e1c0:5620:bc95:3c71%9" (to use the previous example).
And what if you suspect the name servers are down, but want to be sure that they are, indeed, the problem? Boy, it would sure be nice to have a nice, easy IPv4 address memorized for testing, than a long, unwieldy IPv6 address.
Your lack of ability to imagine situations where knowing IP addresses is useful does not mean that they don't exist.
Well not all 2,000 users in my example are going to open 125 connections simultaneously so the NAT table on the router isn't going to be that enormous, but maybe just a small fraction. Your typical enterprise Cisco/Juniper router/firewall can probably handle that load fine (I'd have to double check on that), or maybe you can load balance between multiple routers each with different public IP pools.
If you agree with that assumption, then you can say that your business-class router/firewall can handle both the NAT load and IPv6 if you enable it. So you have the same device that can do either. You are currently running the NAT "solution", so you pay nothing for hardware to make the transition. However, there is still an administrative cost associated with a network-wide infrastructure shift like that. So your networking team takes the time to transition the whole system, and you may even have intermittent downtime while certain parts of the network are upgraded. That cost of the time spent and the possible downtime is what needs to be justified to be able to make this upgrade.
You may already have the equipment to be able to do it, and your ISP may already provide you with IPv6, but it comes back to the original question... "why spend the time and money to move if our current 'solution' works?"
Remember that internally your organization can stay at IPv4 forever (or until some killer IPv6 app comes out) and just NAT itself off to the IPv6 world (NAT dual stack or NAT 4to6 transition methods). The best thing I can think of off the top of my head is to try to spin a 'future proofing' angle to management -- we make the investment now and it will pay off in the long run. But management has a way of crossing bridges when they get to them.. at least that's how it seems to be where I work.
Network architects and admins with clue are currently at the "Depression" stage (4th stage).
Why Slashdot feels that putting up a commentary authored by someone who's still in the first stage ("Denial") is useful to anyone is beyond me.
IPv4 exhaustion is coming. CIDR got us from the mid-90s until now. But it's coming now. Please stop denying, being angry, trying to bargain it away. Hopefully we'll all move past depression into acceptance (as vendors and infrastructure gets ready) before it hits. But I know a lot of smart people who would prefer to retire in the next 2 years instead of be there when it hits.
They probably won't, but would like to...
Even if you said "Here, have a /8 completely free, use whatever you like," they'd still want to do NAT. Why? Privacy and security. NAT automatically gives a good measure of security. You have an inbound firewall by default, simply because of how it works. You have to explicitly set up any inbound ports to be forwarded. Also this means that to get to any system that doesn't have a forwarded port, you'll have to get access to a system that does. With public IPs, there is always the possibility that the firewall fails or is shut off and you can get at a system. With NAT, you have to get inside to be able to get at anything.
Privacy you also get just by the way NAT works. Since you have many people using a few (or one) IP addresses, it is much harder to track what any given computer is doing. Web browsing can be tracked with things like cookies (if the client accepts them) but over all you really can't tell what is going on for a given system inside the network.
So NAT is something companies may well want to keep doing, even if they don't have to.
This is a bit like saying there is no business case for doing something about climate change. ...
Oh, no! Now we have a Global Warming take on IPv6 adoption!
I think it's time for a new version of Godwin's law with Global Warming / Climate Change substituted for NAZIs:
As a scientific, technological, or political discussion or grant proposal grows longer, the probability of an assertion of a tie-in to climate change approaches one.
= = =
I realize you may have had a serious point. But (like NAZI analogies) the global warming tie-in has been used so often, and so inappropriately, that it's painful to read past it to search for any real meat in such a posting.
The cost of having (probably) Cisco write custom firmware for all their equipment, and the cost of maintaining that custom firmware. It's possible to get the routers to handle a /128 assignment, but you're fighting the equipment the whole way. And it fails to work with Windows, whose IPv6 stack assumes that IPv6 stateless autoconfig works properly and doesn't play well with routers that refuse to accept the stack's use of its own MAC-address-based value in the lower 64 bits. Again this can be worked around, but it takes a lot of heavy messing-about in low-level configuration to make it all work right. And how many ISPs are going to tell their customers that the ISP doesn't support Windows?
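Added example (editor's code, not from any poster in this thread) for the "MAC-address-based value in the lower 64 bits" mentioned above and for the fe80::...%9 address quoted earlier in the thread. It derives the modified EUI-64 interface identifier from a MAC as stateless autoconfig does, shows that the MAC can be read straight back out of such an address (the tracking problem that RFC 4941 temporary addresses exist to avoid), splits off the zone index, and counts how many /64 LANs a delegated prefix yields. The MAC and prefixes are constructed; 2001:db8::/32 is the documentation range.

```python
# Added example: what a SLAAC address carries, and how to read a link-local
# address with a zone index.
import ipaddress


def eui64_from_mac(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): split the
    48-bit MAC, insert ff:fe, and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """Stateless address = router-advertised /64 prefix + EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_from_mac(mac)))


def mac_from_address(addr):
    """Recover the MAC if the interface identifier is EUI-64 derived, else None.
    That this works at all is why RFC 4941 temporary addresses were introduced."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr):
    """Split off a zone index such as '%9' (an interface index meaningful only on
    the host that printed it) and report scope and any embedded MAC."""
    host, _, zone = addr.partition("%")
    a = ipaddress.IPv6Address(host)
    return {"compressed": a.compressed, "exploded": a.exploded, "zone": zone or None,
            "link_local": a.is_link_local, "global": a.is_global,
            "embedded_mac": mac_from_address(host)}


def lan_subnets(delegated_prefix):
    """How many /64 LANs a delegated prefix yields (a bare /64 gives exactly one)."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix longer than /64: no SLAAC-capable subnets")
    return 2 ** (64 - net.prefixlen)


if __name__ == "__main__":
    a = slaac_address("2001:db8:1:2::/64", "00:50:56:ab:cd:ef")   # constructed MAC
    print(a, "->", mac_from_address(a))
    print(classify("fe80::e1c0:5620:bc95:3c71%9"))
    print(lan_subnets("2001:db8:abcd::/56"), lan_subnets("2001:db8::/64"))
```

Two things worth noticing when running it: the thread's example address is link-local (fe80::/10), so the %9 zone index names an interface on the local machine and that address cannot be reached from another subnet at all, whatever its length; and the SLAAC address built from the constructed MAC hands the adapter's identity to every site the host visits, which is the privacy argument for temporary addresses rather than for NAT.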
Lucky you. There's not a system on my home network that can be reliably accessed through anything but the IP address. I've experienced the same reliability on every network I've ever touched.
Now internet-wide DNS is pretty damn solid, but that tends to happen when there are about seven levels of fall-back. LANs tend not to be nearly that robust.
Having said that, IPv6 addresses are stupidly over-complicated. Adding two groups onto IPv4 would probably have been more than enough for quite a number of years to come (281,474,976,710,656 IPs should be plenty for a while), even if it's not quite as futureproof as IPv6 which is something like 1 IP for every four atoms in the universe.
Also, consider that by 2012 we'll have run out of public IPv4 addresses.
That is not the hard fact it sounds like, but depends on a number of assumptions that may or may not pan out. This has been proclaimed for quite a while now, and the date keeps getting pushed back. Why? Because assumptions keep getting broken by things like NAT and CIDR. The next big thing I imagine will be the reallocation of class A addresses: why should the likes of HP get multiple class A's?
I predict that the allocation of IPv4 addresses will not have a hard stop, but rather will trail off over time as IPv4 addresses slowly become harder and harder to come by. That is what has happened so far: addresses were thrown out like candy originally, then the aforementioned class A's were stopped, and then class B's were largely stopped too. It is hard to get a large chunk any more, and the trend will continue, but the change will be gradual.
So what do I do if I've only got a /64 from my ISP but I want to segregate unsecured wireless, secured wireless, and wired? I think it would be in Cisco's (and Microsoft's) best interest to have a solution for that use case, which would naturally translate into a solution for the ISPs. What's more, if some big ISP like AT&T or Verizon is pushing for it, I have little doubt that Cisco would comply.
With public IPs, there is always the possibility that the firewall fails or is shut off and you can get at a system. With NAT, you have to get inside to be able to get at anything.
In that sense, it's also always possible that the NAT gets shut off -- thus implying that a handful of computers on your network have live Internet IP addresses, and the rest are denied DHCP access -- or it's possible that it fails, as is the case with things like NAT hole punching.
Privacy you also get just by the way NAT works. Since you have many people using a few (or one) IP addresses, it is much harder to track what any given computer is doing.
An anonymizer may make sense for an individual behind the NAT, but I doubt it helps the corporation at all. In fact, if I get a ton of spam, and I send mail to your domain saying "It's from <IP>", wouldn't you rather know exactly which computer that IP corresponds to, so you can shut it down?
Since the corporation has no real reason to provide that privacy, why should it be their obligation?