IPv6 Adoption Up 300 Percent Over 2 Years
Mark.J - ISPreview writes "The Number Resource Organization, which is made up of the five Regional Internet Registries, has revealed that the rate of new entrants into the IPv6 routing system has increased by 300% over the past two years. The news is important because IPv4 addresses (e.g. 123.23.56.98), which are assigned to your computer periodically, are running out. IPv6 addressing (e.g. 2ffe:1800:3525:3:200:f8ff:fe21:67cf) was invented as a longer and more secure replacement." IPv6 is still gaining ground slowly, particularly in the US.
No, the rate went up by 300%, not the total number of entrants. I.e., instead of 1 person/year we're now up to 4 people/year ;)
And everyone who's a network admin knows that it is.
You're right, 100%, and I fully support IPv6 adoption end to end, because I know managing port assignments is a pain in the ass for non-UPnP compatible apps, and the problems that NAT has created. Even more absurd are the solutions to those problems (e.g. Skype-style) that are more like hacks than fixes.
NAT has created a very lazy fix to the problem of network security and filtering. If you're behind NAT, you're not addressable unless UPnP or an explicit port forward does it for you, and that's extremely convenient.
In a situation where every single computer in a network is internet addressable (something not always desired in business, which is probably the reason IPv6 adoption is so slow), you have to implement a very strict firewall to block and filter unsolicited traffic to those machines. If you're NATing them, as long as your network is physically secure, you don't have a problem.
This puts a lot less stress on network security than there should be in a business environment, and much less attention to what should or shouldn't be allowed through a local firewall, let alone a site firewall.
I'll stop ranting, but the point is that NAT has created an artificial deficit of proper network security, and I fear that when IPv6 becomes ubiquitous, NAT will linger on as a replacement for real security. The skills required to secure a fully addressable network of machines simply aren't needed in the majority of current environments because making every host in a network internet addressable today is simply not an option.
Boot Windows, Linux, and ESX over the network for free.
Or intelligently design protocols to assume that not everyone has a direct IP back to them? In the early days of online gaming, one had to forward easily a half-dozen ports (UDP, and maybe 3 ports TCP) to play online. These days, it's normally 1 UDP and 1 TCP port, if that.
IPv6 won't change any of the issues seen with NAT. At best, you'll have a firewall blocking incoming connections to all but a single IP (the system providing the gateway and firewall), so you'll just have huge spaces of IPv6 addresses that are unreachable anyways. So your toilet might have a real live IPv6 address, but it's not reachable outside the local network anyhow. Heck, that gateway may very well perform NAT on IPv6. To assume all the issues with NAT, firewalls, etc, go away magically by using IPv6 is naive - they're still going to be around. At the minimum, there's going to be firewalls up, and apps will still have to request people poke holes in it somehow. Most likely, nothing will change.
Despite having all these addresses available to them, most ISPs will probably just offer the user 1 or 2 IP addresses (though, an IPv4 and IPv6 address), and charge them an extra $5/month for another one. Or maybe they'll get a clue and give them a pile of addresses, to which the user will probably just stick a router in and use 1 address. And might as well stick all the machines behind it in the private address range anyhow.
IPv6 is important because we're running out of addresses (or some countries already have). But unless the protocol mandates things like evil bits and other junk, people are still going to put up firewalls, NAT-based routers, etc, and we're really just going to end up in the same situation we're in now. Everyone talks grand of "even your toilet can be connected", then it just takes someone to say "well, if it is, I don't want people to hack into it". IPv6 won't save us from buggy exploitable services, spam, OSes with poor default security, etc. The only thing it may save us from is that portscanning blocks of IPs got significantly harder, but botnets are good for that sort of thing. Heck, even exploits have seemed to work around the fact that a good chunk of people are behind a firewall.
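Added example, not part of the thread or any poster's code: a small Python model of the default-deny stateful filtering that the comments above describe as what has to replace NAT's implicit protection once every host on an IPv6 LAN keeps a globally routable address. The class, field names, interface labels and 2001:db8:: addresses are constructed for illustration.

```python
# Added illustration (constructed model, not a real firewall): a default-deny,
# stateful forward filter for a routed IPv6 LAN. Hosts keep global addresses.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class StatefulFilter:
    lan: str                                     # routed inside prefix (assumed /64)
    pinholes: set = field(default_factory=set)   # explicit (dst, proto, dport) allows
    flows: set = field(default_factory=set)      # connection-tracking table

    def forward(self, p: Packet, ingress: str) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        net = ip_network(self.lan)
        if ingress == "lan":
            if src not in net:
                return "drop"                    # inside host spoofing an outside source
            self.flows.add((p.proto, src, p.sport, dst, p.dport))
            return "accept"                      # outbound: allow and remember the flow
        if src in net:
            return "drop"                        # LAN source arriving on the WAN side
        if (p.proto, dst, p.dport, src, p.sport) in self.flows:
            return "accept"                      # reply to a flow a LAN host opened
        if (dst, p.proto, p.dport) in self.pinholes:
            return "accept"                      # deliberate exposure of one service
        return "drop"                            # unsolicited inbound: default deny

def demo() -> list:
    # All addresses are documentation-range samples (2001:db8::/32).
    pc, web_srv, peer = "2001:db8:1::10", "2001:db8:1::80", "2001:db8:ffff::1"
    fw = StatefulFilter("2001:db8:1::/64", pinholes={(ip_address(web_srv), "tcp", 443)})
    return [
        fw.forward(Packet(peer, 40000, pc, 22), "wan"),        # probe, no state
        fw.forward(Packet(pc, 51000, peer, 443), "lan"),       # outbound connection
        fw.forward(Packet(peer, 443, pc, 51000), "wan"),       # matching reply
        fw.forward(Packet(peer, 443, pc, 51001), "wan"),       # wrong port, no state
        fw.forward(Packet(peer, 40001, web_srv, 443), "wan"),  # explicit pinhole
        fw.forward(Packet(pc, 1234, pc, 22), "wan"),           # spoofed LAN source
    ]
```

The unsolicited probe is dropped for the same reason a NAT gateway drops it, the absence of a state-table entry, while the pinhole plays the role of an explicit port forward without any address translation.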
There's no reason every person on earth needs an IP.
There's no reason everyone needs their own phone number, either. In the old days, several houses shared the same phone number. Calls were distinguished by different rings. They got along just fine with that.
Does it make you happy you're so strange?
The problem with IPv4 isn't really that we're running out of addresses, although that could become an issue in the near future. No, the problem is routing. Reallocating the remaining IPv4 addresses would mean abandoning any pretense toward maintaining hierarchical subnets. High-level routers would need to know where to send packets based on not just the /8 or /16 prefix, but perhaps /24 -- or worse. That's potentially millions of additional records in every router, when we're already having trouble with an explosion of routing-table entries. IPv6, on the other hand, has enough bits in just the upper (network) portion of the address (/64) to permit purely hierarchical routing to the ISP level, which means that the routing tables become far simpler. There's no need for each router to know about dozens -- perhaps hundreds, or thousands -- of minuscule disjoint subnets serviced by each ISP.
The other advantages of IPv6, such as improved security and access to a routable /48 subnet for each local network, are merely bonuses. The routing issues alone are sufficient justification to migrate.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat