Slashdot Mirror


Linux Foundation Says All Major Distros Are IPv6 Compliant

ruphus13 points out news from the Linux Foundation, which announced that all major Linux distributions meet certification requirements for the US Department of Defense's IPv6 mandates. The announcement credits work done by the IPv6 Workgroup, whose members include IBM, HP, Nokia-Siemens, Novell and Red Hat. Quoting: "Linux has had relatively robust IPv6 support since 2005, but further work was needed for the open source platform to achieve full compliance with DoD standards. The Linux Foundation's IPv6 workgroup analyzed the DoD certification requirements and identified key areas where Linux's IPv6 stack needed adjustments in order to guarantee compliance. They collaboratively filled in the gaps and have succeeded in bringing the shared technology into alignment with the DoD's standards."

45 of 241 comments

  1. Embedded Linux does ipv6 too by dattaway · · Score: 4, Insightful

    Many embedded linux devices are IPV6 compliant. Even my AXIS webcam can talk ipv6.

    Unfortunately, my ISP, RoadRunner, is stuck in the dark ages.

    1. Re:Embedded Linux does ipv6 too by PolygamousRanchKid+ · · Score: 5, Funny

      With the US auto industry going down the shitter, some /8s could be reassigned real soon.

      Viva IPv4!

      You mean, they are going to be ".gov" domains, real soon, at your expense.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Embedded Linux does ipv6 too by ArbitraryConstant · · Score: 3, Informative

      We're going through a /8 about every month. Even if several of these are freed up it doesn't push the exhaustion date back very far.

      --
      I rarely criticize things I don't care about.
    3. Re:Embedded Linux does ipv6 too by mrsteveman1 · · Score: 3, Funny

      Water is a liquid.

      Your turn

    4. Re:Embedded Linux does ipv6 too by mqduck · · Score: 5, Funny

      GNU is not UNIX.

      --
      Property is theft.
    5. Re:Embedded Linux does ipv6 too by Daimanta · · Score: 3, Funny

      GIMP is an utterly stupid name.

      There, I said it.

      --
      Knowledge is power. Knowledge shared is power lost.
    6. Re:Embedded Linux does ipv6 too by Gorgonzolanoid · · Score: 5, Funny

      EMACS is a decent operating system, but it could use a better text editor.

    7. Re:Embedded Linux does ipv6 too by kasperd · · Score: 2, Informative

      I always thought NAT was a good solution from a security perspective for most homes and organizations.

      It does help against some security problems, but it also introduces new security problems (for example DNS is sometimes done from a random port to help against poisoning, but if that goes through a NAT the random port is replaced with a non-random port). And the workarounds needed because of NAT are not improving security either. They make software more complicated for no good reason, and more complicated means more bugs, including security vulnerabilities.

      NAT forces the router to do connection tracking, and it is also forced to filter out incoming packets that don't match a known connection. The security it provides is just by coincidence, not by design. You can do all the connection tracking and filtering without translation, that way you'd get the benefits without the drawbacks. The vendors just have to start making routers that support IPv6 and do connection tracking and filtering by default. Apple already makes routers that will do 6to4 tunneling by default, I don't know if they also do connection tracking and filtering on IPv6 by default.

      --

      Do you care about the security of your wireless mouse?
    8. Re:Embedded Linux does ipv6 too by Gorgonzolanoid · · Score: 2, Insightful

      Why was that modded troll? Someone with enough mod points who disagreed but couldn't come up with a good argument?

      The success of IPV4, and the reason it survived so long, has always been its simplicity. The right way would have been to extend the address space while still obeying to the KISS principle (Keep It Simple, Stupid).

      IPV6 is such an example of bloat that you'd almost believe Microsoft wrote the specs.
      The OSI model splits things up in levels for a reason. Trying to stuff too many levels into a single protocol is a stupid idea. IPV6's biggest fault is that it tries to go grab land up to the presentation layer, jumping two levels above the two that IPV4 was already doing.

      That's no attempt to troll, it's simply my view on why IPV6 still hasn't taken over.
      And just wait until it does, then you'll see the result: more complexity only leads to more problems.

    9. Re:Embedded Linux does ipv6 too by dadragon · · Score: 5, Funny

      > Water is a liquid.

      I'm Canadian, you insensitive clod!

      --
      God save our Queen, and Heaven bless The Maple Leaf Forever!
    10. Re:Embedded Linux does ipv6 too by ArbitraryConstant · · Score: 4, Informative

      > What happens if NAT is used all over the place? You could imagine a bunch of
      > subnets that use one address to the outside world but have hundreds or
      > thousands of machines internally.

      It *is* used all over the place. It's even used on an ISP-wide scale (expect that to become more common in the west). NAT delayed IP address exhaustion for a few years, a few years ago. The current rate of IP usage is what's happening *with* widespread use of NAT.

      > There's a lot to be said for NAT from a security point of view too. Since you
      > need to open up holes manually for incoming services, incoming connections
      > for anything else will be blocked which makes it impossible for people to
      > exploit most security flaws on the machines behind the router.

      You can get all of that from a stateful firewall that blocks inbound connections by default.

      > Reading between the lines it seems like IPv6 was a revolutionary solution to
      > running out of address space. NAT was an evolutionary one. As usual the
      > market has picked the evolutionary solution and more purist types are whining
      > about it.

      NAT isn't a solution at all, it's a way to delay the inevitable. It has successfully done that, into approximately 2011-2012. What it doesn't do is change the fundamental problem, it's not possible to use it *enough* to hold off exhaustion indefinitely.

      Breaking end-to-end connectivity isn't the primary concern. This has already largely happened with NAT, and will continue to happen to a certain extent with IPv6 because we'll be using stateful firewalls. We can deal with this for most home users.

      The problem is that NAT still consumes IPs, and other hosts like servers really do need to be reachable. The market prefers NAT now because exhaustion hasn't happened yet, and as the last few months have demonstrated, the market is remarkably good at ignoring problems for as long as possible.

      Purist types *are* whining about it. But pragmatic types like me are also concerned that people like you seem to think NAT is something we can use later as a solution, when we've already been using it for years as a way to buy time.

      --
      I rarely criticize things I don't care about.
    11. Re:Embedded Linux does ipv6 too by j h woodyatt · · Score: 3, Interesting

      "The right way would have been to extend the address space while still obeying to the KISS principle."

      The IETF has considered so many proposals along this line that it just produces eye-rolls from the greybeards now. They don't work any better than IPv4 w/ NAPT extensions, they still don't preserve backward compatibility with IPv4, and they don't solve the problems that IPv6 does.

      If you think you're smarter than everybody who's tried to do this before, then write up an Internet Draft. What's stopping you?

      --
      jhw
    12. Re:Embedded Linux does ipv6 too by klapaucjusz · · Score: 3, Insightful

      Would you stop giving the damn ISP's more reasons to slack off on implementing IPv6!!!

      When their customers do their own tunnelling, ISPs lose the ability to perform their own traffic engineering, and lose money.

      Once they see that they are losing money because people are implementing their own tunnelling, ISPs will rush to implement native IPv6, in a form that they can control.

    13. Re:Embedded Linux does ipv6 too by fireman sam · · Score: 3, Funny

      Yes, your toaster does need its own IP as part of its TRM (toast rights management). "Smart" toasters are subsidized by bread manufacturers, and as such require you (the user) to only install certified bread into the device. TRM was designed so the bread manufacturers can be assured that their (subsidized) product (the smart toaster) is being used in the legal manner.

      Note that GNU/Bread will not operate in TRM enabled toasters as this reduces the proffitability (sp?) of smart toasters.

      --
      it is only after a long journey that you know the strength of the horse.
    14. Re:Embedded Linux does ipv6 too by Anonymous Coward · · Score: 3, Funny

      > Water is a liquid.
      >
      > I'm Canadian, you insensitive clod!

      ok then... beer is a liquid

    15. Re:Embedded Linux does ipv6 too by darthdavid · · Score: 4, Funny

      I'm American you insensitive clod, our beer is water!

  2. so i see talk of ipv6 more and more.... by wjh31 · · Score: 2, Interesting

    is it something i as an end user of some linux distro or other ipv6 supporting OS can make use of, some option i can toggle in some options somewhere to improve something, or is it all just something in the backbone for admins and people with servers to worry about? i want to know what ipv6 means to your average jo

    1. Re:so i see talk of ipv6 more and more.... by Morth · · Score: 2, Insightful

      The advantage is you get rid of your NAT. You can for example use it to access your computer remotely with ssh or file sharing, or get IP telephone provided separately from your ISP.

      You can turn on 6to4 in your OS, it will give your whole home network global IPv6 addresses with your IPv4 connected computer as router. Some OSes might require further configuration.

      Around here (Sweden) many ISPs actually have a local 6to4 router so the speed is the same, but in some locations you will get a longer route if you do this though.

    2. Re:so i see talk of ipv6 more and more.... by Dolda2000 · · Score: 5, Interesting

      I, too, am using 6to4 at home in order to get rid of NAT, but lately I've been having great trouble when traveling around with my IPv6-enabled laptop (running Debian).

      See, whenever I get to a public access point (which uses public IPv4 addresses, rather than a private 192.168.x.x net) it turns out that any Vista computers connected to the same link auto-configure themselves to use 6to4 and then advertise over ICMP that they are willing to route traffic through their 6to4 net. However, it turns out that they just drop the traffic! My laptop, not knowing that, though, will try to route IPv6 traffic through them nevertheless, which just makes every IPv6 site (including my own) stop working. Viva Vista!

      Does anyone know why Vista does this, and whether it's possible to prevent or work around it somehow?

    3. Re:so i see talk of ipv6 more and more.... by kasperd · · Score: 2, Interesting

      > Vista computers connected to the same link auto-configure themselves to use
      > 6to4 and then advertise over ICMP that they are willing to route traffic
      > through their 6to4 net. However, it turns out that they just drop the traffic!

      That is an interesting case. I wish I could point out what you should be doing differently, but it isn't obvious to me. When you have a public IPv4 address, you could run your own 6to4 gateway. But of course if you have a network with public IPv4 addresses to multiple machines, you usually don't want each and every one of them to run a 6to4 gateway. It would be more appropriate to have one machine being the 6to4 gateway, and your machine seems to be trying to find it, and failing at that.

      So that leaves us with two questions. Why are those Vista machines behaving the way they do? And what can you do to make your own laptop work under those circumstances? You could get your laptop to ignore advertisements of 6to4 routers if it already has a public IPv4 address, and then just set up your own 6to4 gateway in that case (but don't announce it on the network unless you intend to forward packets in both directions). Doing that should work as long as the network you are on does not filter away the 6to4 packets. Possibly that is what is going wrong for the Vista machines. It is plausible that they are actually working correctly, and the network is at fault. It would be worth setting up your own 6to4 gateway just to find out if that is the reason.

      The other question to ask is when there is a bunch of gateways all announcing a 6to4 segment, how do you find out if there is one among them, that works correctly. I don't have any better suggestion than just trying to send a handful of pings through each of them to servers known to respond.

      What do you do when all you are provided by the network is an RFC1918 address? Are you using a tunnel broker? Perhaps you could have a white list of good 6to4 gateways and if you receive announcements from any 6to4 gateway not on your list, just pretend it does not exist, and do whatever you would do in that case.

      --

      Do you care about the security of your wireless mouse?
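
The allow-list idea in the comment above, as an added Python example that is not part of the thread: it parses the Prefix Information options of a Router Advertisement, recovers the IPv4 address embedded in any 6to4 (2002::/16) prefix, and accepts the prefix only when that gateway is on a trusted list. The function names, the documentation-range addresses and the sample RA are constructed for illustration.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # 6to4 address space (RFC 3056)

def sixtofour_prefix(v4):
    """The 2002:V4ADDR::/48 prefix a 6to4 gateway derives from its public IPv4."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int << 80), 48))

def embedded_v4(prefix):
    """IPv4 address of the gateway behind a 6to4 prefix, or None if not 6to4."""
    if prefix.prefixlen < 48 or not prefix.subnet_of(SIX_TO_FOUR):
        return None
    return ipaddress.IPv4Address((int(prefix.network_address) >> 80) & 0xFFFFFFFF)

def ra_prefixes(icmp6):
    """Extract Prefix Information options (type 3) from a raw ICMPv6 RA."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    found, off = [], 16                  # options follow the 16-byte RA header
    while off < len(icmp6):
        # Option length is counted in units of 8 bytes; zero is invalid.
        opt_len = icmp6[off + 1] * 8 if off + 1 < len(icmp6) else 0
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed RA option")
        if icmp6[off] == 3 and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            found.append(ipaddress.IPv6Network((addr, icmp6[off + 2]), strict=False))
        off += opt_len
    return found

def judge_ra(icmp6, trusted_gateways):
    """Return [(prefix, gateway_v4_or_None, accept)] for each advertised prefix.

    Non-6to4 prefixes are outside this check and pass it; a 6to4 prefix passes
    only if the IPv4 address it is derived from is an allow-listed gateway.
    """
    trusted = {ipaddress.IPv4Address(g) for g in trusted_gateways}
    verdicts = []
    for prefix in ra_prefixes(icmp6):
        gw = embedded_v4(prefix)
        verdicts.append((prefix, gw, gw is None or gw in trusted))
    return verdicts

def build_ra(prefixes):
    """Constructed sample input: RA header plus one prefix option per prefix."""
    # type 134, code 0, checksum 0 (not validated here), hop limit 64,
    # flags 0, router lifetime 1800 s, reachable time 0, retrans timer 0
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    for p in map(ipaddress.IPv6Network, prefixes):
        # type 3, length 4 (x8 bytes), prefix length, L+A flags, lifetimes, reserved
        ra += struct.pack("!BBBBIII", 3, 4, p.prefixlen, 0xC0, 86400, 14400, 0)
        ra += p.network_address.packed
    return ra

TRUSTED = ["192.0.2.1"]                  # constructed allow-list (TEST-NET-1)
SAMPLE_RA = build_ra([
    "2002:c633:6407:1::/64",             # derived from 198.51.100.7: not trusted
    "2002:c000:201:1::/64",              # derived from 192.0.2.1: trusted
    "2001:db8:1::/64",                   # not a 6to4 prefix
])

if __name__ == "__main__":
    for prefix, gw, ok in judge_ra(SAMPLE_RA, TRUSTED):
        print(f"{str(prefix):26} gateway={gw} {'accept' if ok else 'ignore'}")
```
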
    4. Re:so i see talk of ipv6 more and more.... by sjames · · Score: 3, Insightful

      NAT for firewalling is really an abuse of the protocol. Instead, dump it and use IPv6, then have the router filter the packets. That way, instead of having to rewrite the packets, the router just has to make a drop or forward decision.

      If you make DROP the default decision and then add specific ALLOW rules, you'll get the same semantics as NAT with a lower load on the router.

      An added benefit (FOR NOW anyway) is that most ssh dictionary attacks are against IPv4 addresses. If your internal machines can only be reached through v6, you won't have to worry about those.

      Even if the crackers update to use v6, they won't be nearly as successful since they would first have to guess which dozen or so v6 addresses out of the possible billions on your 6to4 prefix actually have something listening. Sending out a few billion probe packets wouldn't really be a good option for them, especially when someone might have a honeypot assigned hundreds of IPs (making it by far the most likely machine to be attacked).
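
The default-DROP policy with specific ALLOW rules described above, together with the connection tracking without translation mentioned earlier in the thread, modelled in Python as an added example that is not part of the thread. The class name, the 2001:db8::/32 documentation addresses and the packet sequence are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class StatefulV6Filter:
    """Forward/drop decisions for a routed (untranslated) IPv6 prefix."""

    def __init__(self, inside_prefix, allow_inbound=()):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        # Explicit ALLOW rules for inbound services: (proto, dst, dport)
        self.allow = {(p, ipaddress.IPv6Address(d), port) for p, d, port in allow_inbound}
        # Connection-tracking table; flows never expire in this model,
        # whereas a real tracker ages them out.
        self.flows = set()

    def decide(self, pkt):
        # Normalise address text so that equal addresses compare equal.
        pkt = pkt._replace(src=ipaddress.IPv6Address(pkt.src),
                           dst=ipaddress.IPv6Address(pkt.dst))
        src_in, dst_in = pkt.src in self.inside, pkt.dst in self.inside
        if src_in and not dst_in:
            # Outbound: record the flow. Nothing is rewritten, so the host's
            # own address and its randomised source port reach the far end.
            self.flows.add(pkt)
            return "FORWARD"
        if dst_in and not src_in:
            reply_to = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_to in self.flows:
                return "FORWARD"          # reply to a tracked outbound flow
            if (pkt.proto, pkt.dst, pkt.dport) in self.allow:
                return "FORWARD"          # matches an explicit ALLOW rule
            return "DROP"                 # default decision
        return "DROP"                     # not traffic crossing this boundary

def run_demo():
    """Run a constructed packet sequence through the filter; return decisions."""
    fw = StatefulV6Filter("2001:db8:1::/48",
                          allow_inbound=[("tcp", "2001:db8:1::22", 22)])
    sequence = [
        # inside host sends a DNS query from a random source port
        Packet("udp", "2001:db8:1::10", 40123, "2001:db8:ffff::53", 53),
        # the matching reply comes back
        Packet("udp", "2001:db8:ffff::53", 53, "2001:db8:1::10", 40123),
        # unsolicited inbound connection to the same host
        Packet("tcp", "2001:db8:ffff::99", 50000, "2001:db8:1::10", 445),
        # inbound ssh to the one host with an ALLOW rule
        Packet("tcp", "2001:db8:ffff::99", 50001, "2001:db8:1::22", 22),
        # forged "reply" that guesses the wrong destination port
        Packet("udp", "2001:db8:ffff::53", 53, "2001:db8:1::10", 40124),
    ]
    return [fw.decide(p) for p in sequence]

if __name__ == "__main__":
    print(run_demo())
```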

    5. Re:so i see talk of ipv6 more and more.... by berend botje · · Score: 2, Funny

      Not when I'm in the jury, it isn't.

  3. You'll see IPv6 . . . by PolygamousRanchKid+ · · Score: 2, Insightful

    . . . when you see IPv6.

    Until your ISP starts offering it, don't worry about it.

    Everything that is worth buying has been IPv6 compliant for years.

    The only thing that is missing for IPv6, is well, how about an IPv6 net, to the end user.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:You'll see IPv6 . . . by treuf · · Score: 4, Interesting

      A major French ISP - Free (second largest ISP after Orange) - is offering IPv6 to anyone asking for it (it's an option in their control panel, disabled by default).
      It would be interesting to see how many people activated that option :)

      Another smaller one here has been offering IPv6 for ages (can't remember its name though)

      A major mass-hosting facility - OVH (doing business in France and doing massive deployment currently in Europe) is providing IPv6 to all its servers (hosted or housed).

      They are both newcomers (compared to the country operator / old hosting facilities) - which may explain such massive deployment (they have only new hardware everywhere)

    2. Re:You'll see IPv6 . . . by jonbryce · · Score: 2, Informative

      Except for routers. I've not seen an IPv6 compliant router yet. I'm sure they must exist, but you don't see them in the likes of PC World.

      But, until ISPs start offering IPv6, an IPv6 ready router isn't going to be much of a selling point.

    3. Re:You'll see IPv6 . . . by Tony Hoyle · · Score: 3, Interesting

      > Everything that is worth buying has been IPv6 compliant for years.

      Hmm..

      iphone - nope.
      xbox 360 - nope.
      PS3 - nope.

      That's 3 things worth buying that definitely aren't.. and I'm not even including home routers on that list which are a glaring example of 'not ipv6 compliant'.

    4. Re:You'll see IPv6 . . . by HomerJ · · Score: 2, Informative

      Not since v24SP1

      There's a different version of ddwrt that does support IPv6 that is all but hidden on their site. But the standard dd-wrt doesn't do IPv6 anymore.

  4. Re:Catching up on the competition by UnknowingFool · · Score: 5, Informative

    Well Apple and MS have had some IPv6 support for a while but they are shades to the amount of support. I believe that IPv6 has been available in Linux before MS or Apple (since 1996). However it was deemed "experimental" until 2005 even though it worked well enough for most people and distros. MS has had limited IPv6 starting with Win2K and has had some IPv6 support with XP in 2002. As for DoD compliance, only Vista with SP1 is partially compliant and OS X does not appear to have been tested.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  5. Re:Let's not forget by mwoliver · · Score: 3, Interesting

    Yup. In fact, back in the day, the IPv6 support in FreeBSD was the determining factor in my choice to run FreeBSD rather than any then-current distribution of GNU/Linux. Being focused on networking, I didn't have a dog in the OS race, I just needed IPv6 support, and FreeBSD won hands-down. I have enjoyed the blessings of FreeBSD ever since. Even so many years later, IPv6 support on my DD-WRT (Linux) access point is quite non-intuitive and hackish.

    Big shout-out to the fine KAME team, especially the late Itojun.

    --
    Mike O, KT2T
  6. IPv6 has been known to be needed since 1991 by apathy maybe · · Score: 2, Interesting

    Kapor is in his element now, fluent, thoroughly in command in his material. "You go tell a hardware Internet hacker that everyone should have a node on the Net," he says, "and the first thing they're going to say is, 'IP doesn't scale!'" ("IP" is the interface protocol for the Internet. As it currently exists, the IP software is simply not capable of indefinite expansion; it will run out of usable addresses, it will saturate.) "The answer," Kapor says, "is: evolve the protocol! Get the smart people together and figure out what to do. Do we add ID? Do we add new protocol? Don't just say, we can't do it."

    Source: http://www.mit.edu/hacker/part4.html

    So why the fuck hasn't it been adopted yet?

    ------

    Anyway, does anyone have any sources as to know the other "big" OS's (MS Windows, Mac OS, the BSD's etc.) were able to speak IPv6 (if they are able to at all?)?

    Also, I've tried to find information about whether FreeDOS can do IPv6, but couldn't. Could anyone help there?

    -----

    Finally, the beauty of FLOSS.

    --
    I wank in the shower.
    1. Re:IPv6 has been known to be needed since 1991 by TheRaven64 · · Score: 2, Interesting

      > Anyway, does anyone have any sources as to know the other "big" OS's (MS
      > Windows, Mac OS, the BSD's etc.) were able to speak IPv6 (if they are able to
      > at all?)?

      The KAME stack was completed in March 2006. It implements IPv6 and IPsec and is used by FreeBSD, BSD/OS, OpenBSD, NetBSD, DragonFlyBSD, and OS X. Linux achieved a comparable degree of support around a year later. KAME snapshots were incorporated in these operating systems before the project was completed, and enough of the protocol to be useful has been supported by them since around 2000. Linux does not use KAME, but I don't know how much (if any) code they borrow from it.

      Itojun did some really amazing work with KAME. It's sad that he didn't live to see worldwide IPv6 deployment.

      --
      I am TheRaven on Soylent News
    2. Re:IPv6 has been known to be needed since 1991 by Blakey Rat · · Score: 3, Insightful

      IPv6 isn't backwards-compatible with IPv4, and a lot of networks have been really slow to convert over. In most cases, they have to spend money to do this conversion, because they have older hardware without full IPv6 compatibility.

      Adoption is slow because IPv6 isn't backwards-compatible, and because it doesn't have enough benefits to outweigh that problem. No conspiracy or anything. (I think it's damn stupid that IPv6 has approx. 40 kajillion IP addresses, and yet they didn't bother to map the existing 4 billion there anywhere.)

    3. Re:IPv6 has been known to be needed since 1991 by neirboj · · Score: 4, Insightful

      Section 2.5.5.2 of RFC-4291: IP Version 6 Addressing Architecture describes what in IPv4 terms one might call a super-network prefix that does exactly that: map the existing Internet onto an infinitesimal corner of the huge IPv6 address space.

  7. Re:Catching up on the competition by Tweenk · · Score: 2, Informative

    Until Vista, SMB/CIFS didn't support IPv6, so sharing resources over an IPv6 local network didn't work. On top of that, 2005 is the year the "experimental" status was removed. In fact this status is rather conservative and many distros routinely ship kernels with experimental options enabled (e.g. tickless kernel, the WMI drivers, etc.)

    --
    Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
  8. How about a report on ISPs? by Midnight Thunder · · Score: 4, Interesting

    Now that I know Linux joins the ranks of IPv6 compliant OSs, I just need an ISP that supports IPv6. The problem, in North America at least, is that there are still few to no ISPs providing IPv6 addresses. Instead I have to resort to tunnel providers (some listed here). What we need is a list of major internet service providers in North America and an indication of their IPv6 readiness and what their excuse is for not starting the migration.

    In order to get ISPs moving we could each mail the one we use and ask them when they plan to offer IPv6 addresses.

    Some 'cool stuff' using IPv6: https://www.sixxs.net/misc/coolstuff/

    --
    Jumpstart the tartan drive.
    1. Re:How about a report on ISPs? by Shikaku · · Score: 3, Informative
  9. Re:Catching up on the competition by TheRaven64 · · Score: 5, Informative

    Apple didn't spend much at all. They use the KAME stack, which was developed by a consortium of Japanese companies for BSD-family systems. It was started in 1998 and achieved full compliance in 2006. Apple just pulled in the code and merged it. Since it already ran on BSD/OS, FreeBSD, NetBSD, OpenBSD and DragonflyBSD, this was not a huge undertaking.

    --
    I am TheRaven on Soylent News
  10. Re:Let's not forget by TheRaven64 · · Score: 2, Insightful

    Possibly because the Linux Foundation has a history of running press releases saying 'Linux can now do something that *BSD could do ages ago!' only without mentioning the fact that Linux is late to the party, and in some cases not mentioning the fact that the code that they are so proud of was ported to Linux from one of the BSDs.

    Anything they release should be mentally tagged troll.

    --
    I am TheRaven on Soylent News
  11. Maybe by Midnight Thunder · · Score: 3, Insightful

    In reality IPv6 is about infrastructure, so if it is all done right then your average Joe shouldn't see much of an impact. In most cases the average user leaves their setting in automatic mode, so as long as the OS and corresponding application are already IPv6 aware then they won't notice until they need to use a numerical address. If they have a home router, then they may find that they need to buy a new one as the manufacturer is only releasing IPv6 aware firmware for routers manufactured after a certain date.

    There are still plenty of issues before everything is working right on both the client and server front. Issues still in place:
      - network hardware not IPv6 compliant (the only compliant home router for the moment is the Apple Airport)
      - network administrators oblivious to IPv6
      - ISPs not preparing for IPv6
      - libraries for popular computer programming languages not IPv6 ready. Take Perl libwww for example.
      - people saying that no one else is doing anything, so they won't do anything either - the classic sheep mentality

    I would like to see stuff like Zeroconf (aka Bonjour, Avahi) become commonplace on all OSs (this includes Windows), or at least if these routers could add the names of computers in their DHCP table (including themselves) in their DNS directory, so typing in numerical IP addresses should not be necessary.

    --
    Jumpstart the tartan drive.
  12. Re:Catching up on the competition by Bert64 · · Score: 2, Informative

    The support in win2k was an experimental addon published by microsoft research, it was never an official feature.
    It was XP which first introduced support in the base distro, but it was not turned on by default and if autoconfig didn't work you had to use the cli tools to configure it. Also it wouldn't do DNS over ipv6 so you still need ipv4 connectivity for your dns at least.

    Linux had support a lot earlier as you pointed out, as did digital unix (aka tru64 unix), the bsd's got support fairly early too. It was only marked experimental because there was really no other reason to use it, you could pretty much only get tunneled ipv6 from a free tunnel broker with no guarantee you would keep the addresses etc. In terms of functionality, the stack worked great even in the 2.2.x kernel, ipv6 has long been popular on IRC because you can create more vanity hostnames more easily, and it's a little harder for some of the script kiddies to dos you.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Re:Embedded Toilets do ipv6 too by Teun · · Score: 3, Funny

    Why the whole toilet?

    The large AND small flush want their own, just like the lid and seat!

    Don't get me started about the light switch, extraction fan and deodorant dispenser...

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  14. Re:Catching up on the competition by Gorgonzolanoid · · Score: 2, Informative

    There's support and support. The first OS to have certified DOD compliant IPV6 support (what this topic is about) was Vista. Solaris 10 came second. Neither had IKEv2 capability. Then came Novell and RedHat, both with IKEv1 and IKEv2.

    So it's not only a neck-to-neck race, but you can also be first, and you can be first (with IKEv2).

    You can find the list, with certification dates, here.

  15. Re:Catching up on the competition by Tony Hoyle · · Score: 2, Interesting

    Samba works on ipv6 but I think the OSX version doesn't. Things go *really* screwy if you use an ipv6 enabled samba in a Win2003 domain, so they probably disabled it to avoid problems.

  16. Re:Let's not forget by Ash-Fox · · Score: 2, Interesting

    > Possibly because the Linux Foundation has a history of running press releases
    > saying 'Linux can now do something that *BSD could do ages ago!' only without
    > mentioning the fact that Linux is late to the party, and in some cases not
    > mentioning the fact that the code that they are so proud of was ported to
    > Linux from one of the BSDs.

    Is BSD even relevant anymore? - Serious question.

    Additionally, there has been IPv6 support in Linux for a very long time already, what was being said was major distributions showing compliance to a certain specification put forward by the DoD.

    --
    Change is certain; progress is not obligatory.
  17. slashdot.org on ipv6? why not? by Anonymous Coward · · Score: 2, Interesting

    ipv6.google.com has been running for quite a while (bouncing logo and all) and I use it as much as possible just to boost the stats on it, but really, slashdot is a perfect candidate to help boost adoption. It's pretty easy to get on ipv6 through a tunnel to someone like sixxs.net these days, especially for the likes of a slashdot reader.

    Come on already! Naysayers be damned!