IPv6 Challenges and Opportunities
1sockchuck writes "Opinions differ on when the Internet will run out of IPv4 addresses, prompting a wholesale transition to IPv6. In recent videos, John Curran of ARIN provides an overview of issues involved in the IPv6 transition, while Martin Levy of Hurricane Electric discusses his company's view that early-mover status on IPv6 readiness can be a competitive advantage for service providers. Levy's company has published an IPv4 DeathWatch app for the iPhone to raise awareness of the transition."
Dan Bernstein has chimed in on this before:
http://cr.yp.to/djbdns/ipv6mess.html
He is basically dead right.
The people who came up with IPv6 seemed to be too ivory tower: they forgot about
the reality on the ground. Few ISPs are even thinking about IPv6.
-paul
US government contracts are starting to require IPv6 support. This is the main reason I'm seeing for IPv6 adoption. If it weren't for the government, we would all be keeping our heads in the sand until the internet starts slowly failing and Goldman Sachs starts selling remaining IPv4 netblocks to speculators.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Stolen from wikipedia:
"As of April 2008, predictions of exhaustion date of the unallocated IANA pool seem to converge to between February 2010 and May 2011"
Meta will eat itself
1B)
% dig any org @a.root-servers.net
; <<>> DiG 9.7.0a2 <<>> any org @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4577
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;org. IN ANY

;; AUTHORITY SECTION:
org. 172800 IN NS B2.ORG.AFILIAS-NST.org.
org. 172800 IN NS C0.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS D0.ORG.AFILIAS-NST.org.
org. 172800 IN NS A0.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS A2.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS B0.ORG.AFILIAS-NST.org.

;; ADDITIONAL SECTION:
A0.ORG.AFILIAS-NST.INFO. 172800 IN A 199.19.56.1
A0.ORG.AFILIAS-NST.INFO. 172800 IN AAAA 2001:500:e::1
A2.ORG.AFILIAS-NST.INFO. 172800 IN A 199.249.112.1
A2.ORG.AFILIAS-NST.INFO. 172800 IN AAAA 2001:500:40::1
B0.ORG.AFILIAS-NST.org. 172800 IN A 199.19.54.1
B0.ORG.AFILIAS-NST.org. 172800 IN AAAA 2001:500:c::1
B2.ORG.AFILIAS-NST.org. 172800 IN A 199.249.120.1
B2.ORG.AFILIAS-NST.org. 172800 IN AAAA 2001:500:48::1
C0.ORG.AFILIAS-NST.INFO. 172800 IN A 199.19.53.1
C0.ORG.AFILIAS-NST.INFO. 172800 IN AAAA 2001:500:b::1
D0.ORG.AFILIAS-NST.org. 172800 IN A 199.19.57.1
D0.ORG.AFILIAS-NST.org. 172800 IN AAAA 2001:500:f::1

;; Query time: 15 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Thu Aug 20 15:18:36 2009
;; MSG SIZE rcvd: 423
Check.
2a is also a check for me.
Apple's market share for routers is tiny compared to Netgear and Linksys. I'm one of the 8% or so of people who uses a Mac, but it talks to a Netgear router.
It won't shake out this way. ISPs aren't giving you that many addresses now, and many (if not all) limit and/or upcharge for the quantity assigned. It isn't difficult to imagine scenarios where it doesn't matter, to be sure, but this kind of convenience is something that NAT has allowed us to take for granted.
I believe that the registries are requiring the provision of /64s and /48s to end-user connections. Even if they weren't, the ISPs would provide at minimum /64s, since most networking equipment can't handle routing prefixes longer than /64 in hardware--i.e., routing anything longer than /64 is more expensive.
You're referring to 'non-amateur' admins with a voice of authority, yet you cannot avoid being confused over how DHCP allows you to set these addresses once instead of many times over?
IPv6 isn't IPv4. You can use stateless autoconfiguration to find that router, no DHCP needed. The advertisement can also include information on DNS servers. If the DNS servers and default gateway aren't sufficient, you can still run DHCPv6 if you like.
Ok kids. Go home tonight and turn ipv6 on. I know you're all running homebrew linux nat routers.
Here's all you gotta do.
Install radvd. It's a Router Advertisement server. Router Advertisements are how your LAN clients learn what the hell their IPv6 "prefix" is. You're going to use something clever called 6to4, which basically converts your public ipv4 address into the first half of your ipv6 address. You plug that information into your radvd configuration, and voila, all your LAN clients can learn their unique global ipv6 address. Then you just run a little script, which turns up the 6to4 tunnel on your linux nat, and all of a sudden, all your LAN clients have globally routable ipv6 addresses! And once the v6 stack fires up, your computers will try resolving AAAA records, so you might even get to visit some v6 websites!
You're not strictly running native ipv6, since 6to4 is a tunnel to an anycast server (don't worry, there's plenty of them sharing the same address). It emulates pretty damned close though. Enough for you to try it out!
Here's the thing that keeps blowing my mind. Remember back before NAT? The Internet was actually symmetrical back then. Any host could contact any host. Well, it's restored. I keep forgetting I can literally contact ANY lan host from remotely, using its v6 address. Security nightmare? You betcha. Restored services? Makes up for it! Maybe I can figure out what a firewall is, after all!
Sure, there's tunnel brokers out there too... don't waste your time with all that. 6to4 is quick and easy, and it works fairly faithfully. By the time a tunnel broker OKs your info, you could be pinging already with 6to4.
Oh yeah. That malarkey about "ooh my address is so long, it's just not worth it" -- My address is 2002:xxxx:xxxx::1 through ::5. Also, a few weeks ago they released an interesting workaround to memorizing ip addresses, called "The DNS". As ominous as that sounds, it's actually pretty clever and I've been enjoying it for a while.
And yes, ::1 is easily guessable and that makes it hackable. So please, no nmapping the 2002:xxxx/32 subnet tonight. (At the rate of 2^96 pings per second, it should be done by next century)
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
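The 6to4 and radvd setup described in the comment above, as an added example that is not part of the original thread: it derives the 2002::/16 prefix from a public IPv4 address and prints the tunnel commands, a radvd.conf stanza and a default-deny forwarding policy for the now globally reachable LAN. The address 192.0.2.1 and the interface names eth1 and tun6to4 are constructed placeholders.

```sh
# Added example; prints commands and config, applies nothing. Placeholders: 192.0.2.1, eth1, tun6to4.
# 6to4 prefix: 2002: followed by the public IPv4 address in hex (a /48).
sixtofour_prefix() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

render_tunnel() {   # $1 = tunnel name, $2 = public IPv4, $3 = LAN interface
    p=$(sixtofour_prefix "$2") || return 1
    cat <<EOF
ip tunnel add $1 mode sit remote any local $2 ttl 64
ip link set dev $1 up
ip -6 addr add $p::1/16 dev $1
ip -6 addr add $p:1::1/64 dev $3
ip -6 route add 2000::/3 via ::192.88.99.1 dev $1
sysctl -w net.ipv6.conf.all.forwarding=1
EOF
}

render_radvd() {    # $1 = LAN interface, $2 = public IPv4
    p=$(sixtofour_prefix "$2") || return 1
    cat <<EOF
interface $1 {
    AdvSendAdvert on;
    prefix $p:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
}

# No NAT in front of the LAN: forward only LAN-initiated flows and their replies.
render_firewall() { # $1 = LAN interface, $2 = tunnel name
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $1 -o $2 -j ACCEPT
EOF
}
render_tunnel tun6to4 192.0.2.1 eth1 && render_radvd eth1 192.0.2.1 && render_firewall eth1 tun6to4
```

The 192.88.99.1 anycast relay this relies on was deprecated by RFC 7526 in 2015, so treat the output as a lab configuration. A `remote any` sit tunnel also accepts protocol-41 packets from any IPv4 source, which is worth filtering on the IPv4 side.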
But let's look at cost. The cost for an IPv4 allocation is basically zero. This obviously conflicts with the scarcity argument.
Once IPv4 starts costing more, either directly or via a secondary market, then we may see some corner IPv6 implementations.
As soon as somebody tries to sell an IP address, he is clearly not using it according to the rules and has to return it to its Regional Internet Registry.
I don't operate under the assumption that ISPs are going to hand out blocks of IPv6 addresses any more readily than they hand out IPv4s. I understand that others do. I'm not sure why they do, but since it is a futuristic sort of thing, we'll just have to wait and see. Looking at their past and present behavior, anticipating charity is dubious at best. In fact, NAT rose to popularity out of this exact same behavior. Not out of some ephemeral need to create more address space.
On this point, economics actually favors handing out at least /64 subnets: Not only does advertising at least a /64 permit stateless autoconfig (which significantly reduces management costs), but routing smaller subnets is more expensive because the route can't fit into a 64-bit machine word or CAM slot.
There are currently 32 bits allocated for IPv6 subscriber connections. An entire datacenter only needs one of those, contrasted to a /23 or larger now.
What you get with a /48 prefix (which is the standard ISP subscriber size) is a network with 16 subnet bits and space for an effectively infinite number of hosts in each subnet.
Try Temuco, Southern Chile. I know lots of people getting their internet via long distance wireless bridges, 20, 30 miles out of town. Lots of people with Sat systems in the really rural area. The government provides sat systems to schools that are 2 days horseback ride into the mountains.
Still, knowing the rural United States, our choices and speeds of ISPs here is likely larger. Many of my family in rural parts of the United States just got off of dial up internet about a year ago.
Living in Chile
Where the fuck do you live where you have more than 2 viable choices for an ISP?
Try anywhere outside of the United States. I live in The Netherlands and I've only got one choice of cable ISP. But I have about 4-5 options for DSL.
//BEGIN Advert
An article I wrote a couple weeks ago makes plain how important competition is in the ISP market. http://metafarce.com/index.php?id=24
//END Advert
The Information Revolution will be fought on the command line.