IPv6 Challenges and Opportunities

1sockchuck writes "Opinions differ on when the Internet will run out of IPv4 addresses, prompting a wholesale transition to IPv6. In recent videos, John Curran of ARIN provides an overview of issues involved in the IPv6 transition, while Martin Levy of Hurricane Electric discusses his company's view that early-mover status on IPv6 readiness can be a competitive advantage for service providers. Levy's company has published an IPv4 DeathWatch app for the iPhone to raise awareness of the transition."

IpV6 reality check

[AbbeyRoad]

Dan Bernstein has chimed in on this before:

        http://cr.yp.to/djbdns/ipv6mess.html

He is basically dead right.

The people who came up with IPv6 seemed to be too ivory tower: they forgot about
the reality on the ground. Few ISPs are even thinking about IPv6.

-paul

Re:IpV6 reality check

[swillden]

So, in the current situation, everyone who switches to IPv6 needs to be a network engineer.

That's bull. End users don't need to know or do anything. At this point, all we really need is for ISPs to provide IPv6 and the rest will happen without users doing -- or knowing -- a thing.

Yes, the network works, but there is no decent upgrade plan.

Also crap. The upgrade plan is for IPv4 and IPv6 to coexist for a few years. Users deal with DNS names, not IP addresses, and applications and resolvers already transparently look for both AAAA and A records and use the AAAA records if available. All of the major OSes have solid IPv6 support in place -- if you don't believe me, install a radvd server on your home network and notice how *instantly* all the machines on your LAN have IPv6 addresses (heck, they all have link-local addresses now) right next to their IPv4 addresses. Of course, if your ISP set up support for IPv6, you wouldn't have to do anything.

The only reason that IPv6 won't currently work for most people even if their ISPs support it is that their current NATing router appliances don't support it properly. But if ISPs implemented v6 support, Linksys, D-Link, etc. would start rolling out devices with proper IPv6 in their firmware. With enough users on the v6 network, web site admins, etc., would add v6 support and AAAA DNS records, which the v6-enabled users would instantly (and transparently) begin using.

The transition plan is solid, and works very well in practice (as you can verify by using Hurricane Electric or another v6 tunnel provider). What's lacking is the ISP motivation, and being able to use a v4 address as a v6 address wouldn't change that at all.

try it tonight

[digitalsushi]

Ok kids. Go home tonight and turn ipv6 on. I know you're all running homebrew linux nat routers.

Here's all you gotta do.

Install radvd. It's a Router Advertisement server. Router Advertisements are how your LAN clients learn what the hell their IPv6 "prefix" is. You're going to use something clever called 6to4, which basically converts your public ipv4 address into the first half of your ipv6 address. You plug that information into your radvd configuration, and voila, all your LAN clients can learn their unique global ipv6 address. Then you just run a little script, which turns up the 6to4 tunnel on your linux nat, and all of a sudden, all your LAN clients have globally routable ipv6 addresses! And once the v6 stack fires up, your computers will try resolving AAAA records, so you might even get to visit some v6 websites!

You're not strictly running native ipv6, since 6to4 is a tunnel to an anycast server (dont worry, there's plenty of them sharing the same address). It emulates pretty damned close though. Enough for you to try it out!

Here's the thing that keeps blowing my mind. Remember back before NAT? The Internet was actually symmetrical back then. Any host could contact any host. Well, it's restored. I keep forgetting I can literally contact ANY lan host from remotely, using its v6 address. Security nightmare? You betcha. Restored services? Makes up for it! Maybe I can figure out what a firewall is, after all!

Sure, there's tunnel brokers out there too... don't waste your time with all that. 6to4 is quick and easy, and it works fairly faithfully. By the time a tunnel broker OKs your info, you could be pinging already with 6to4.

Oh yeah. That malarkey about "ooh my address is so long, it's just not worth it" -- My address is 2002:xxxx:xxxx::1 through ::5. Also, a few weeks ago they released an interesting workaround to memorizing ip addresses, called "The DNS". As ominous as that sounds, it's actually pretty clever and I've been enjoying it for a while.

And yes, ::1 is easily guessable and that makes it hackable. So please, no nmapping the 2002:xxxx/32 subnet tonight. (At the rate of 2^96 pings per second, it should be done by next century)

Re:try it tonight

[digitalsushi]

here's one way of setting a 6to4 tunnel up. i squished some semicolons in cause it's pasting funny.

#!/bin/bash

# Create a 6to4 tunnel in linux.

if [ $# -eq 0 ]
then
    echo "Usage: $0 [delete]";
    exit;
fi;

ipv4=$(ifconfig $1|grep "inet addr:"|awk '{print $2}'|awk -F: '{print $2}');
ipv6=$(printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`);
echo "ipv4 address: ${ipv4}";
echo "ipv6 address: $ipv6";

if [ "$2" = "delete" ]
then /sbin/ip link set dev tun6to4 down /sbin/ip -6 route flush dev tun6to4 /sbin/ip tunnel del tun6to4
    echo "IPv6 tunnel has been deleted."
    exit
fi; /sbin/ip tunnel add tun6to4 mode sit ttl 255 remote any local ${ipv4}; /sbin/ip link set dev tun6to4 up; /sbin/ip -6 addr add ${ipv6}/16 dev tun6to4; /sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev tun6to4 metric 1;

if ping6 -c 1 he.net 2>&1 1>/dev/null
then
    echo "Verified IPv6 connectivity.";
else
    echo "Can't ping IPv6 network.";
fi;

Re:try it tonight

[xaxa]

For those without a Linux router:
sudo aptitude install miredo
sudo invoke-rc.d miredo start
ping6 -nc 1 ipv6.google.com
PING ipv6.google.com(2001:4860:a005::68) 56 data bytes
64 bytes from 2001:4860:a005::68: icmp_seq=1 ttl=58 time=29.9 ms
lynx --dump http://ipv6.whatismyv6.com/ | head -n 5
This page shows your IPv6 and/or IPv4 address
You are connecting with an IPv6 Address of:
2001:0:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

Re:marketing speak = teh suck

[chrylis]

I don't operate under the assumption that ISP's are going to hand out blocks of IPv6 addresses any more readily than they hand out IPv4's. I understand that others do. I'm not sure why they do, but since it is a futuristic sort of thing, we'll just have to wait and see. Looking at their past and present behavior, anticipating charity is dubious at best. In fact, NAT rose to popularity out of this exact same behavior. Not out of some ephemeral need to create more address space.

On this point, economics actually favors handing out at least /64 subnets: Not only does advertising at least a /64 permit stateless autoconfig (which significantly reduces management costs), but routing smaller subnets is more expensive because the route can't fit into a 64-bit machine word or CAM slot.

Re:marketing speak = teh suck

[smutt]

Where the fuck do you live where you have more than 2 viable choices for an ISP?

Try anywhere outside of the United States. I live in The Netherlands and I've only got one choice of cable ISP. But I have about 4-5 options for DSL.

//BEGIN Advert
An article I wrote a couple weeks ago makes plain how important competition is in the ISP market. http://metafarce.com/index.php?id=24
//END Advert