Slashdot Mirror


Windows 7 May Finally Get IPv6 Deployed

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

283 comments

  1. IPv6 addresses are overly complex by sopssa · · Score: 0, Troll

    While it will be useful, I don't think widespread usage of IPv6 will start before we run out of IPv4 addresses.

    I'd rather type in 49.1.4.22 than 2001:db8:85a3::8a2e:370:7334

    1. Re:IPv6 addresses are overly complex by kennedy · · Score: 5, Insightful

      Uhh... 3 letters for you. D.N.S.

    2. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 1, Interesting

      It pains me to think it, but how long before we see "IPv6 shortening services"?

    3. Re:IPv6 addresses are overly complex by johnw · · Score: 4, Funny

      Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

    4. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      You've heard of DNS right?

    5. Re:IPv6 addresses are overly complex by mr+crypto · · Score: 1

      Hmmm... Looks like the tiny URL problem all over again. We need tiny IP! :)

    6. Re:IPv6 addresses are overly complex by Virak · · Score: 2, Insightful

      Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

    7. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Your average Joe won't be typing in IP addresses.

    8. Re:IPv6 addresses are overly complex by Cro+Magnon · · Score: 1

      I might be in the minority here, but I'd rather type "www.whatever.com" than either of the other choices.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    9. Re:IPv6 addresses are overly complex by sopssa · · Score: 1, Interesting

      There's lots of places that don't really use DNS, though, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friend's server. Maybe we'll see a major increase in those FreeDNS type of services.

      But there is at least one pain in the ass there: if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc.)

    10. Re:IPv6 addresses are overly complex by elzurawka · · Score: 1

      Your average Joe probably doesn't even know what IPv4 is, let alone the reasons for going to 6

      --
      -EL
    11. Re:IPv6 addresses are overly complex by sunderland56 · · Score: 5, Funny

      Yeah, typing in IP addresses is a pain in those situations. Maybe in future Microsoft will add a "cut" and "paste" feature to Windows 7, like they have in OSX - that should make life easier.

    12. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 1, Insightful

      Even worse is the fact that a lot of routers still can't handle it.
      This has caused a lot of problems for users of Ubuntu Karmic Koala, which enabled IPv6 by default.
      After upgrading to Kubuntu 9.10 I was getting huge delays and failed connections (but not all the time) on everything from Konqueror to apt-get.
      It turns out the problem was a bug in my DSL modem, causing it to choke when trying to connect to a host that has IPv6 enabled.
      I was able to work around it, but a lot of people are still having trouble.
      Let's see how Microsoft deals with all the older installed hardware.

    13. Re:IPv6 addresses are overly complex by selven · · Score: 1, Insightful

      We won't run out. It's like peak oil - we won't just have one random guy scrape and hit rock bottom and suddenly the world panics. It'll become gradually harder and harder to find and prices will slowly go up, reducing consumption. Essentially, we'll never use 100% of our oil until it is completely superseded by newer technologies. Same with IPv4 addresses. They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

    14. Re:IPv6 addresses are overly complex by Nimey · · Score: 3, Insightful

      Dynamic DNS, then. I use that for remoting into my computer and router from other places.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    15. Re:IPv6 addresses are overly complex by Greg+Hullender · · Score: 1

      While it will be useful, I don't think widespread usage of IPv6 will start before we run out of IPv4 addresses.

      I'd rather type in 49.1.4.22 than 2001:db8:85a3::8a2e:370:7334

      I don't think that'll happen until we run out of words and names!

      --Greg

    16. Re:IPv6 addresses are overly complex by vlm · · Score: 1

      Uhh... 3 letters for you. D.N.S.

      I've been involved long enough to remember people saying DNS A6 records were the wave of the future, and look where they are today.

      (Yes I know, use AAAA now, I'm just pointing out the turmoil)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    17. Re:IPv6 addresses are overly complex by Mr.+DOS · · Score: 2, Interesting

      Offtopic, but I'd much rather you typed in whatever.com.

            --- Mr. DOS

    18. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      I'm far more annoyed with the security roadblocks put up by the V.7 RDP client.

    19. Re:IPv6 addresses are overly complex by Chris+Mattern · · Score: 5, Informative

      Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFC for that purpose.

    20. Re:IPv6 addresses are overly complex by negRo_slim · · Score: 1

      Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

      I agree; to the 'average' person, IPv4 addresses are already too long.

      --
      On the Oregon Coast born and raised, on the beach is where I spent most of my days
    21. Re:IPv6 addresses are overly complex by sakdoctor · · Score: 1

      http://ipv6.youtube.com/watch?v=oHg5SJYRHA0

      I'll just leave this here. Although the URL isn't currently valid, it will be once ipv6 rolls out.

    22. Re:IPv6 addresses are overly complex by OnlineAlias · · Score: 4, Funny

      It is a very tough feature to code, however; just ask the guys who failed to add it to the iPhone for several years...

    23. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

      You still type? How quaint.

      --
      Posted by OnStar(tm) Internet voice gateway

    24. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Most ISPs already assign "easy" IDs at the moment, as you will probably have seen in a router / modem / filesharing program / certain games.
      Some just generate several sub-domains from the octets of the IP; some use an internal ID generated from God knows what.
      The only problem with this is: how do you compress a long base62 string to something smaller?
      In IPv4, creating a smaller, easily remembered ID was pretty trivial since IP octets (by default) use 0-255, but now the octets use all the characters traditionally used for these IDs.
      Now you either let people choose their own IDs (stevescomputer.homedns.ISPSITE.TLD), or somehow use non-traditional characters, potentially breaking support for countless applications. (Seriously, some things don't even accept hex-encoded IPs...)

      It would make sense for ISPs to try to cash in on this, actually: a DNS address directed at your IP. Shocks me that they haven't (AFAIK) tried it.
      Yeah, not good from our point of view, but as a business choice, it would make sense.

      Entering IPs is so last decade. DynDNS or the countless others, oh yes yes yes.
      I wish things would change over; no human should ever need to memorize IPv6 addresses. (Minimized versions of IPs don't count much.)

    25. Re:IPv6 addresses are overly complex by PizzaAnalogyGuy · · Score: 0

      Hello!

      I'm coming from the year 4931, and using my time machine I have traveled here to tell you that this URL actually worked. We rolled out IPv6 four years ago.

      Now where do I get those delicious Hawaiian pan pizzas... With ham, pineapples, bacon and salami.. With some BBQ sauce, mm..

      Eat your delicious pizzas now, because when China soon takes over the world they will make pizza illegal.

      See you in future!

    26. Re:IPv6 addresses are overly complex by Ephemeriis · · Score: 2, Interesting

      There's lots of places that don't really use DNS, though, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friend's server. Maybe we'll see a major increase in those FreeDNS type of services.

      Pretty much every machine has a DNS name these days. They aren't usually authoritative... But for a LAN game it'll do.

      For non-LAN games you've frequently got some kind of server listing service or match-making service out there that can help you find your buddy's server. Or you could always use DynDNS/No-IP/whatever to get yourself a DNS name.

      But there is at least one pain in the ass there: if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc.)

      Again, many (most?) devices have a DNS name of some sort.

      If not... Yes, it can be a pain to write down an address. And the extra address space in IPv6 is going to make that more painful... Although there are shortcuts built into IPv6 that let you shorten the address...

      But, seriously, is that a reason not to adopt IPv6? There's too many digits, it's too hard to write out by hand?

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    27. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      I imagine they will deal with it fine seeing as how it was on by default and the preferred interface in Vista too so they have several years experience with it.

    28. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Wow, time-delayed Rickrolling... I am impressed at your initiative.

    29. Re:IPv6 addresses are overly complex by Monkeedude1212 · · Score: 2, Informative

      In some games you even have to manually type in the address if you want to connect to your friend's server.

      Either you're playing some older games, which came out when TCP/IP was just starting to boom and didn't have any DNS functionality built in, or your friends aren't hosting their server on the web, and thus DNS wouldn't resolve it, or your friends aren't port forwarding properly for that game's specific host-finding service to pick it up.

      In any case, if you are willing to go through the trouble of communicating an IPv4 address to join a game, making it an IPv6 address will either be the smallest, most minuscule inconvenience that you'll forget after it's deployed
      OR
      you'll learn to set up servers and DNS in such a way that they will work without you needing to memorize and jot down IP addresses.

      Either way, it's moving forward.

    30. Re:IPv6 addresses are overly complex by Adm.Wiggin · · Score: 1

      Actually, I'm surprised that Google's current IPv6 roll-out (by attaching AAAA records to their domains for qualifying name servers) doesn't include youtube.com yet.

    31. Re:IPv6 addresses are overly complex by Mister+Whirly · · Score: 1

      I hate lazy people, and I'd much rather you typed "http://www.whatever.com". I mean, otherwise how is your web browser supposed to know to use hypertext transfer protocol??

      --
      "But this one goes to 11!"
    32. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Why would you feel the need to dictate that example.com resolve to my web server?

      That is pretty presumptuous of you to even assume I have a web server, or that I only registered a domain to do one thing, namely serving web pages.

      My personal network has a number of machines at home, plus a number of machines spread around in colo centers, which all combined probably run a good 30 services.

      The www hosts point to web servers within the sub-domain they belong in. Yes there is more than one.

      The '' A record (ie no sub-domain) is a round robin address that returns the IP addresses of specific servers running a specific service, none of which are a web server.

      I guess to the post-1995 internet users, where nothing else exists except the web, this is acceptable. (Though email is magically shoehorned in there somehow, but it is still "email on the web" to those types.)

      But a lot of us here are the back end technical types in charge of keeping things actually working, so could not make use of your suggestion at all.

    33. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      My hosts file is going to be messy, too.
      But I think it's going to come into its own now.

      However, I can see all sorts of problems when I have to ask a client which IP6 block he has for his LAN. Every one will be different. You won't be able to simply use 192.168 or 10.x or 172.x for in-house? Sounds like endless opportunities for excellence.

    34. Re:IPv6 addresses are overly complex by Rockoon · · Score: 1

      IPv6 won't become widespread until the millions upon millions of existing routers that do not support it die of old age.

      --
      "His name was James Damore."
    35. Re:IPv6 addresses are overly complex by fearlezz · · Score: 2, Funny

      Anyone can type a DNS name. An ipv4 address is a bit cooler. But just imagine your coworker's respect when they see you telnet to 2001:db8:85a3::8a2e:370:7334

      --
      .sig: No such file or directory
    36. Re:IPv6 addresses are overly complex by Urban+Garlic · · Score: 1

      I actually do that http thing. It's not that I'm especially diligent, or think the browser won't guess correctly; it's somewhere between a persistent habit and a neurosis. On the other hand, I am diligent about getting the https:/// ones right.

      --
      2*3*3*3*3*11*251
    37. Re:IPv6 addresses are overly complex by ogl_codemonkey · · Score: 1

      Yeah, I'd be right there with you *if* it wasn't an error to make the root record for a DNS zone a CNAME (which would apparently break mail services, among other things - I'm not a DNS *or* E-mail expert, ymmv)

      So if your hosting infrastructure is managed separately to your customer's DNS records, they can either only point HTTP requests at your entry point (load balancer du jour) or they have to statically configure it as an A (or A6) record - and then it becomes *your* problem when you retire an old uplink and their website doesn't work anymore.

      Also, a redirect is at *least* one extra round-trip; so if your brain-dead clients (see: 'Webmins') put the 'www' in their phpbb or Gallery configuration - adding extra round trip to every resource in a request - they start complaining about hosting performance...

    38. Re:IPv6 addresses are overly complex by im_thatoneguy · · Score: 1

      By definition, joining a friend's server shouldn't be any more difficult than clicking "Join Friend's Game". That's what Steam and Live are for.

    39. Re:IPv6 addresses are overly complex by TheTurtlesMoves · · Score: 1

      Even in my home network with only 4 machines I use DNS: moocow, the cowlaptop and eatingcows. Easy to remember and spell, and I run both IPv6 and IPv4.

      --
      The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!
    40. Re:IPv6 addresses are overly complex by richlv · · Score: 1

      Cut & paste sort of works everywhere, except where it doesn't.
      For example, there's still no cross-platform cut and paste support in SDL (http://www.libsdl.org/), which is a major pain in some cases.

      --
      Rich
    41. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Many games don't allow you to cut+paste.

    42. Re:IPv6 addresses are overly complex by HertzaHaeon · · Score: 1

      Maybe oil won't run out, but it can (and likely will) be superseded by something superior, regardless of whether there's still some left or not.

      I think the same can be said for IPv6. It's not just more of the same, but something better.

    43. Re:IPv6 addresses are overly complex by A+beautiful+mind · · Score: 1, Insightful

      We won't run out. It's like peak oil - we won't just have one random guy scrape and hit rock bottom and suddenly the world panics. It'll become gradually harder and harder to find and prices will slowly go up, reducing consumption. Essentially, we'll never use 100% of our oil until it is completely superseded by newer technologies. Same with IPv4 addresses. They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

      I'm sorry, but you're simply uninformed. This is exactly like global warming, and I made the analogy before in reverse.

      In both cases, the experts say it's happening and it's a problem, while laymen continue to have a flawed and incomplete picture. For example, you're stating that "it'll be harder and harder to find"; however, there is no market in IPv4 addresses. They are not sold or bought at the ISP level, but rather they are supplied on demand by the registrars. Market analogies do not apply. It is a finite resource with extremely low elasticity in supply. Partitioning IPv4 addresses into small chunks and coming up with a procedure to reclaim them would be extremely hard, for routing reasons. Even if you'd attempt to set up a market for IPv4 addresses, you'd need global agreement (the Copenhagen Climate Summit showed recently how well that works out) and you'd risk fracturing the Internet due to conflicts of interest when it turns out that you can't get IPv4 addresses anymore unless you pay for them. The question of who gets the money is a big open one. To put it simply, you just can't apply market schemes to a finite addressing scheme. It does not work.

      Oh, and just to lay the "universities with large address spaces" argument to rest, even if we'd reclaim the legacy spaces, we'd extend exhaustion by 3-5 months. No, an IPv4 address market is not viable, is not going to happen and we're better off focusing on migrating to IPv6 instead of picking the "do nothing" option and waiting for a panic solution when the IPv4 addresses run out in 2011 (IANA pool)/2012 (RIRs). Besides, why meddle with temporary solutions? Data shows that IPv4 address space consumption is accelerating. We simply need IPv6 to provide for the increasing addressing demands.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    44. Re:IPv6 addresses are overly complex by Yaztromo · · Score: 3, Informative

      They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

      The problem with breaking up a /8 is that you can't just spread around 16.7 million addresses to the individual machines around the globe that need them -- not unless we're ready to handle the massive explosion of routing table entries that would require (and we're not). CIDR still defines a routing hierarchy, where the huge swaths of free addresses exist within that hierarchy isn't necessarily geographically where they are needed, or where the systems that need them are going to be able to connect to them.

      Not to say that some breaking up of largely unused /8's and /16's can't be done -- just that it's nowhere near as trivial a problem as most people seem to assume it is. It isn't like there is an abundance of resources in one area, so we can put them on a ship and send them to an area where the resource need exists.

      Of course, all of this presumes that the holder of the /8 is using it in some sane manner where it is even possible to break the address space into routeable blocks...

      Yaz.

    45. Re:IPv6 addresses are overly complex by Bengie · · Score: 1

      It won't be this bad live. The first 64 bits are your country/state/city/ISP; the last 64 bits are you. It will be more like ABCD:DEAD:BEEF:1234::1

      Since I'll have 18,446,744,073,709,551,616 IPs for my personal use, I would subnet my home network quite nicely. Yay for no more NAT

    46. Re:IPv6 addresses are overly complex by TBoon · · Score: 1

      Can you recommend any implementation of cut & paste that works over the phone? Preferably open source of course.

    47. Re:IPv6 addresses are overly complex by Mr.+DOS · · Score: 1

      Normally, I would use example.com; in this case, I was imitating the parent. I do understand what you're saying, though.

            --- Mr. DOS

    48. Re:IPv6 addresses are overly complex by Tynin · · Score: 2, Funny

      Sad but true. For some reason I just had a thought that at some point when we run drastically low on IPv4 space, the US gov might, much like it did with the analog to digital TV transition, be handing out coupons for low end crappy IPv6 routers.

    49. Re:IPv6 addresses are overly complex by molecular · · Score: 1

      nice one!

    50. Re:IPv6 addresses are overly complex by molecular · · Score: 1

      Off-offtopic, but I'd much rather you typed in example.com.

    51. Re:IPv6 addresses are overly complex by molecular · · Score: 1

      Universities? If it was just universities.
      What really drives me mad is corps like Ford, General Electric, Daimler, Merck, ... having /24 subnets and making no real use of them, hiding them completely behind firewalls. How about these fuckers just use 10.* and give their huge blocks to providers that are in real need (like QSC), having to let go of business opportunities otherwise because of the shortage.

    52. Re:IPv6 addresses are overly complex by DarkTempes · · Score: 1

      That's only 3. What's the 4th?

    53. Re:IPv6 addresses are overly complex by AVee · · Score: 1

      I've been involved long enough to remember people saying DNS A6 records were the wave of the future, and look where they are today.

      (Yes I know, use AAAA now, I'm just pointing out the turmoil)

      $ host -t AAAA slashdot.org
      slashdot.org has no AAAA record

      Quite clearly not there yet. Who needs ipv6 if it doesn't have /.?

      But frankly, ipv6 is still growing. Way too slow, but it's far from dead. My ISP is currently experimenting with native ipv6 on their DSL lines, and Google is also pushing towards ipv6:

      $ host -t AAAA www.google.com resolver.xs4all.nl
      Using domain server:
      Name: resolver.xs4all.nl
      Address: 2001:888:0:6::66#53
      Aliases:

      www.google.com is an alias for www.l.google.com.
      www.l.google.com has IPv6 address 2a00:1450:8001::63
      www.l.google.com has IPv6 address 2a00:1450:8001::69
      www.l.google.com has IPv6 address 2a00:1450:8001::6a
      www.l.google.com has IPv6 address 2a00:1450:8001::67
      www.l.google.com has IPv6 address 2a00:1450:8001::68
      www.l.google.com has IPv6 address 2a00:1450:8001::93

      For now that's on selected ISPs only, but I'm using it daily. And more stuff like that is popping up regularly, all small steps, but moving in the right direction.

    54. Re:IPv6 addresses are overly complex by Shatrat · · Score: 1

      I think the site you did link to was pretty appropriate.
      I didn't even know the effort existed, but I applaud it.
      Is there a more difficult letter to say 3 times fast than w w w?

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    55. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      yeah cos writing or typing 1.2.3.4 is so much harder than
      www.llanfairpwllgwyngyllgogerychwyrndrobwyll-llantysiliogogogoch.com

    56. Re:IPv6 addresses are overly complex by alchemy101 · · Score: 1

      thereisnocowlevel

    57. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Well, if I may interject, ipv6 is as good as the business models that go into it. Let me explain:

      In a paranoid, controlling society, the advantage of the larger range is that you use the address space to experiment on your subjects: an IP address in every facet of their lives (clothes, car, shaver). Scrutiny; it's greed.

      In a catering, nurturing society, there is also an advantage to the extra address range: an insurance that ipv6 would be an echo of hope for humanity, that if we spread out into the stars and greatly multiply and flourish on distant planets, we can still all have some access to a digitally based hub if we need to.

      So it's really a matter of perspective IMO. It's not what we use, it's how we use it.

      I'm in favour of expansion to ipv6 provided there are in fact address spaces available for the right reasons.

      I'm in favour of social networking (as long as the user is responsible, and our masters don't violate our privacy) ahead of
      electric shavers with ipv6 addresses in them.

      - Paul

    58. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Site-local and link-local addresses.
      Nitpick: 172/8 isn't private.

    59. Re:IPv6 addresses are overly complex by grumbel · · Score: 1

      Quite clearly not there yet. Who needs ipv6 if it doesn't have /.?

      The problem is that on the client side there are a ton of computers with broken IPv6 routing (6to4, for example, fails for me with a large number of hosts). So if you have a server with an AAAA record and a client with broken IPv6 routing, the webpage will stop working or at least be pretty slow, as you have to run into a timeout before falling back to IPv4. Without an AAAA record stuff just works, and as there is zero benefit of IPv6 for a service like slashdot.org it's just wise to not use it.

      The benefit of IPv6 lies in P2P communication, not in the classic client->serverfarm webpage.

    60. Re:IPv6 addresses are overly complex by swillden · · Score: 1

      I'd rather type in 49.1.4.22 than 2001:db8:85a3::8a2e:370:7334

      Meh. Besides the question about why you'd type either given the existence of DNS, my machine's IPv6 address is 2001:470:c:36b::1. Since pretty much EVERY IPv6 address in use in the near future begins with 2001, you don't really have to remember that, which means all I really have to remember is 470:c:36b. I think that's easier than any IPv4 address I've ever had.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    61. Re:IPv6 addresses are overly complex by TemporalBeing · · Score: 1

      So you're expecting all the people who set up private LANs to also set up a DNS on that LAN? Like that will happen.

      Not to mention the games have to support IPv6 too...

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    62. Re:IPv6 addresses are overly complex by TemporalBeing · · Score: 1

      You do know that not everyone, and especially the casual gamers, pays for a gaming service like Steam and Live, right?

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    63. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Since when did you pay to be on Steam except to actually buy the game(s)?

    64. Re:IPv6 addresses are overly complex by Mycroft_VIII · · Score: 1

      Oddly enough I've found most programs that won't let you cut and paste with the mouse will happily let you do it with the keyboard shortcuts.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
    65. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      In some games you even have to manually type in the address if you want to connect to your friends server.

      Maybe some really old games, modern games have a combination of server browsers and friends lists that make this a non issue. Even old games you could retrofit with something like xfire to join your friends games. Assuming they even worked with xfire, you'd probably need to rig up a vpn like hamachi over it.

      Also as someone who has connected to many gameservers and ran quite a few, setting up DNS is trivial. Most game server providers have DNS by now, and if not you can point a domain to it for free.

    66. Re:IPv6 addresses are overly complex by IcePic · · Score: 1

      Then again, some of us don't use the randomized ipv6 addresses but rather get to choose the numbers ourselves (especially for servers, which you may need to enter IPs for), and in those cases you can get away with having to remember five "octets" instead of four, like 2001:abc:def:123::, which means it will be possible for you to learn to use when the DNS is unusable.

      --
      -- I'm as unique as everyone else.
    67. Re:IPv6 addresses are overly complex by IcePic · · Score: 1

      bah, my neat < > disappeared. After the ::, you get to choose your own number, just like as if you would on a v4 subnet.

      --
      -- I'm as unique as everyone else.
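      As an added example (mine, not from any commenter on this thread), here is a small parser for the textual address form argued over above: it expands "::", produces the RFC 5952 compressed form, and splits an address into the /64 network prefix and interface ID that Bengie and IcePic describe. Embedded-IPv4 forms such as ::ffff:1.2.3.4 are deliberately not handled.

```python
"""Hand-rolled IPv6 text handling: expand '::', compress per RFC 5952, split /64.

Standard library only; sample addresses below are the ones quoted in the thread
(2001:db8::/32 is the documentation range, so none of them are real hosts).
"""
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address as ints.

    Exactly one '::' may appear, and it must stand for at least one zero group.
    Embedded IPv4 notation (::ffff:1.2.3.4) is not supported here.
    """
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has eight groups, got %d" % len(groups))
    for g in groups:
        if not HEX_GROUP.match(g):
            raise ValueError("bad hex group %r" % g)
    return [int(g, 16) for g in groups]


def compress_ipv6(groups):
    """RFC 5952 canonical text: lowercase hex, no leading zeros, and the longest
    run of zero groups replaced by '::' (first run wins a tie; a lone zero group
    is never compressed)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    head = ":".join(hexes[:best_start])
    tail = ":".join(hexes[best_start + best_len:])
    return head + "::" + tail


def _to_int(groups):
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def network_prefix(text, prefix_len=64):
    """Canonical '<prefix>/len' of the block containing the address, plus the
    number of addresses in that block (2**(128-len)); /64 matches the
    'first 64 bits are the ISP, last 64 bits are you' split from the thread."""
    value = _to_int(expand_ipv6(text))
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    net = value & mask
    net_groups = [(net >> (16 * (7 - k))) & 0xFFFF for k in range(8)]
    return compress_ipv6(net_groups) + "/%d" % prefix_len, 1 << (128 - prefix_len)


def interface_id(text):
    """The low 64 bits (the part 'you get to choose after the ::') as an int."""
    return _to_int(expand_ipv6(text)) & ((1 << 64) - 1)


if __name__ == "__main__":
    for sample in ("2001:0db8:85a3:0000:0000:8a2e:0370:7334",
                   "ABCD:DEAD:BEEF:1234::1", "2001:abc:def:123::", "2001:db8:0:0:1:0:0:1"):
        print(sample, "->", compress_ipv6(expand_ipv6(sample)),
              network_prefix(sample), hex(interface_id(sample)))
```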
    68. Re:IPv6 addresses are overly complex by Vancorps · · Score: 1

      Ya know, I looked and I don't see any IPv6 support on DynDNS. Until more DNS servers support IPv6, its adoption will still fall short. Fundamentally changing how you network is no small feat. I predict organizations will deploy IPv6 internally first, then upgrades will move further out. For instance, my 4 month old top-end Sonicwall doesn't have IPv6 support. Not exactly a fringe piece of hardware. My Barracuda load balancers don't support IPv6. My Cisco 2811s don't support IPv6 without paying for a software upgrade. My HP Procurves at least support IPv6, but at this stage that's about it; fortunately for me, my primary routing is done on a Procurve, so internally I can do IPv6 without much hassle. None of my gear is terribly old and I'm not afraid of learning new ways of networking which are more efficient and eliminate problems. Right now it will cause more problems than it solves.

      And as an answer to your question, I write down product keys for software without much trouble, so I imagine adapting to writing out IPv6 addresses in hex wouldn't be that much harder than what I write down now. So no, I don't think that is hurting the adoption of IPv6.

    69. Re:IPv6 addresses are overly complex by delt0r · · Score: 1

      My router has local DNS configured out of the box. I don't know any that don't. I play ioquake3 a bit. On ip6. Don't know about other games. ip6 will make games easier since it will get rid of the dirty evil hack that is NAT.

      --
      If information wants to be free, why does my internet connection cost so much?
    70. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Off-Off-Offtopic, I'd rather not have you give a shit because no one cares if you use whatever.com or example.com as examples, since they're both examples.

    71. Re:IPv6 addresses are overly complex by dodobh · · Score: 1

      So why can't qsc get IP addresses from RIPE?

      --
      I can throw myself at the ground, and miss.
    72. Re:IPv6 addresses are overly complex by dasmoo · · Score: 1

      Why is anything bad said against IPv6 a troll? It's not like we're trolling, the addressing scheme is annoying, especially if your DNS is down.

    73. Re:IPv6 addresses are overly complex by Anonymous Coward · · Score: 0

      Thankfully, now Apple have invented it, Microsoft have someone to copy it from.

    74. Re:IPv6 addresses are overly complex by yabos · · Score: 1

      He seems to have an obsession with cows, so my guess is "mywife". Badum dum

    75. Re:IPv6 addresses are overly complex by joss · · Score: 1

      You're partially right, but the pain will be alleviated a lot by the fact that IP addresses will no longer be so precious that people cannot have fixed ones for lots of purposes... the main motivation for Dynamic DNS type services is for situations where people don't have fixed addresses which can be tied into DNS.

      --
      http://rareformnewmedia.com/
    76. Re:IPv6 addresses are overly complex by Ephemeriis · · Score: 1

      Ya know, I looked and I don't see any IPv6 support on DynDNS. Until more DNS servers support IPv6 its adoption will still fall short. Fundamentally changing how you network is no small feat. I predict organizations will deploy IPv6 internally first, then upgrades will move further out.

      It's kind of a chicken/egg problem right now.

      Individual businesses don't want to upgrade to IPv6 because there's no real return on the money. It doesn't really enable them to do anything new and amazing.

      Various web sites don't want to upgrade to IPv6 for the same reason. Since hardly anyone is using IPv6, there's no return for their money.

      And ISPs don't want to roll out IPv6 for the same reason. Their customers aren't demanding it, and the websites don't generally support it, so there's no reason to roll it out.

      For instance, my 4 month old top-end Sonicwall doesn't have IPv6 support. Not exactly a fringe piece of hardware. My Barracuda load balancers don't support IPv6.

      I suspect that they're capable of IPv6... If the world were to suddenly switch over tomorrow I'm sure there'd be a software update available to keep them functional.

      What worries me are all the crappy little home routers... The Netgear WGR614s and similar... I doubt if they'd have any kind of software update. You'd have thousands of people required to buy new hardware.

      Right now it will cause more problems than it solves.

      Which is why nobody really uses IPv6. And nobody will use it, until it solves more problems than it causes.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    77. Re:IPv6 addresses are overly complex by Ephemeriis · · Score: 1

      So you're expecting all the people who set up private LANs to also set up a DNS on that LAN? Like that will happen.

      Nope.

      When you set up a Windows PC you give it a host name... Or sometimes it comes pre-configured with one from the manufacturer. Windows is able to communicate with other machines on the network, by host name, without actually setting up a private DNS server. Right out of the box.

      Not to mention the games have to support IPv6 too...

      They do, but I suspect that isn't terribly hard for your average game. There might be some packet optimization to reduce latency or something like that... But unless you're talking about the server side of some massive MMOG, they're probably just using somebody else's library or pushing the calls off to the OS.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    78. Re:IPv6 addresses are overly complex by ckaminski · · Score: 1

      IPv6 will be widespread when Comcast + Company support it natively, the webservers of the world are using it, and they decide to shut ipv4 off. At that point, every mom and pop still using a WRWT54G with default firmware will need to either upgrade, or buy a new router.

      Either way, it's going to happen. The only question is when.

    79. Re:IPv6 addresses are overly complex by melikamp · · Score: 1

      Pff, I routinely telnet to port 22 and do the encryption by hand. Copying pictures is a bit of a drag...

    80. Re:IPv6 addresses are overly complex by TemporalBeing · · Score: 1

      So you're expecting all the people who set up private LANs to also set up a DNS on that LAN? Like that will happen.

      When you set up a Windows PC you give it a host name... Or sometimes it comes pre-configured with one from the manufacturer. Windows is able to communicate with other machines on the network, by host name, without actually setting up a private DNS server. Right out of the box.

      That's the SMB+netbios protocol. Not sure how well it plays with IPv6, though there do seem to be at least some patches for SMB for Samba; so it's likely to support it at least on the non-Windows side of the CIFS/SMB networking. However, that only works for games that recognize SMB, which is not all - though likely most.

      Also, that relies on them being able to see each other via SMB, which can sometimes be very problematic - especially when systems are set up for different work groups, domains, etc.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    81. Re:IPv6 addresses are overly complex by Adm.Wiggin · · Score: 1

      Uh, Vista (including Windows 7) and Mac OS X have had IPv6 enabled by default for quite a while now.

  2. Why? by pdangel · · Score: 0, Troll

    Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

    Whatever, just another service I have to stop/remove on a PC.

    1. Re:Why? by Anonymous Coward · · Score: 5, Informative

      You don't need NAT to run a firewall that has the same security functionality as NAT.

    2. Re:Why? by FooAtWFU · · Score: 3, Insightful

      Mod parent up. If you can map between the "inside" and the "outside" of your organization you can drop packets coming from the outside just as readily.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    3. Re:Why? by Anonymous Coward · · Score: 0

      May I suggest you do a little more research on the currently impending doom.

      http://www.lammle.com/blog/

    4. Re:Why? by 0racle · · Score: 4, Informative

      IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT however, can go away.

      --
      "I use a Mac because I'm just better than you are."
    5. Re:Why? by MathiasRav · · Score: 2, Insightful

      Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

      Network address translation came into use because you had a limited supply of IP addresses, the pigeonhole problem basically. With IPv6 that's not needed, because surely 3.4×10^38 addresses should be enough for anyone. You'll just need a firewall to reject requests from outside your own assigned block.

    6. Re:Why? by Anonymous Coward · · Score: 0

      nat will NOT go away. nat IS useful, at least to easily identify the hosts in your private network.
      ipv6 has something similar, but combine that with the fact that you can have multiple ips on one interface (without alias) and with the large number of addresses, and you get why nat is no longer a problem.

    7. Re:Why? by Monkeedude1212 · · Score: 2, Interesting

      On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

      If you've never had a problem with NAT, you don't have enough uses for the internet. I used to be a firm believer that NAT was a seamless solution to the problem of not having enough IPs.

      Once you try implementing it in the professional world, where you have to worry about not just NAT but NAPT, because you've got Webservers, Print Servers, Email Servers, Backup Servers, File Servers, Application Servers - and then you've got to implement some service such as Remote Desktop from a WebApp (that has to get past the Proxy, no less), so that those who want to work from home can Remote into their PC without a VPN - let's just say that even a small handful of extra IPs would help, and if we COULD get each PC its own individual IP, it'd be much appreciated.

      It's not that it's impossible to do what you want, it's just that as things grow, things get more convoluted, and doing such tasks takes far more troubleshooting.

    8. Re:Why? by pdangel · · Score: 2, Interesting

      Yes, NAT is a pain..and in some cases breaks business apps. Hair Pin turns are the bane of my existence. But you are saying place things either outside a firewall because it's easier, or place your support staff on the Internet without VPN?

      I agree that ISPs have a need for IPv6. But why would a Windows 7 user need it? Default out of the box? Or did I misread that MS has that service on by default?

    9. Re:Why? by Ephemeriis · · Score: 1

      Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

      While I don't think I'd recommend connecting any machine - Windows or otherwise - to the Internet without a firewall... I don't see why you think you need NAT.

      NAT is Network Address Translation. It has absolutely nothing to do with security. It's a way to overload a single public IP address and funnel multiple private IP addresses through it.

      Yes, NAT gives you a default, basic firewall just because you have to explicitly define incoming translations. But there's absolutely no reason you need NAT in order to do a firewall.

      I've got dozens of servers sitting behind firewalls with absolutely no NAT going on at all.

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    10. Re:Why? by Monkeedude1212 · · Score: 1

      Meh, we need a solution to let regular business dev reps to Remote in from home (not the support staff) without a VPN. It'd be nice if it was hosted in a web app so that we don't have to install anything on Client machines. (Something Like Remote Web Workplace).

      Windows 7 has DirectAccess or whatever they're calling it, which supposedly allows for this to happen, and it needs IPv6 to run I guess.

    11. Re:Why? by mark-t · · Score: 2, Interesting

      The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

      Notwithstanding, however, thanks to this quaint little notion of "extension headers" in ipv6, it is even entirely possible to route _THROUGH_ a NAT... directing packets to specific machines inside of the NAT as long as the NAT is configured to act like a router and to process the appropriate extension headers... an upshot of this is that it would effectively increase the total number of usable IPs, because the effective IP address length would be extended by however many bits of address you put into the extension header. This process could even be chained through multiple levels of NATs _theoretically_ indefinitely, but in practice would always be limited by the sizes of the routing tables involved, and whatever the minimum MTU for an IP packet is at the time (which is theoretically as small as 68 bytes today, but nobody uses them anywhere close to that small). Individual IPv6 packets have a maximum size of 64K each, so there's a hard limit in how big it can get regardless of how much the MTU goes up.

    12. Re:Why? by dave562 · · Score: 1

      Have you looked at the Sonicwall SSL/VPN appliance? I'm sure that there are probably other vendors and even open source solutions that provide similar functionality. With the Sonicwall device all you need is a web browser and you can have a secure remote desktop connection into anything on the private network. I think you can also publish individual applications (a la Citrix, etc) but I never had to get that fancy with it.

    13. Re:Why? by isomer1 · · Score: 2, Interesting

      Along with the last vestiges of privacy in IP space. Every single connection you make traced directly to you instantly. Joy.

    14. Re:Why? by yoghurt · · Score: 1

      For the sake of argument, I will suppose that your ISP gives you IPv6. What makes you think they'll give you more than one working address? Verizon and Comcast are known for their greed and ineptitude. For competition you need at least 3 viable choices.

      --
      Yoghurt
    15. Re:Why? by Urkki · · Score: 1

      an upshot of this is that it would effectively increase the total number of usable IPs, because the effective IP address length would be extended by however many bits of address you put into the extension header. This process could even be chained through multiple levels of NATs _theoretically_ indefinitely, but in practice would always be limited by the sizes of the routing tables involved, and whatever the minimum MTU for an IP packet is at the time (which is theoretically as small as 68 bytes today, but nobody uses them anywhere close to that small). Individual IPv6 packets have a maximum size of 64K each, so there's a hard limit in how big it can get regardless of how much the MTU goes up.

      In the context of extending available address space, there's also a hard limit on number of addressable entities (such as atoms or Planck length grid positions in space-time) in our universe. Just a small fraction of 64K maximum packet size should be plenty for having enough extension header space for addressing whatever you can imagine to address.

    16. Re:Why? by Bert64 · · Score: 1

      Not sure about Sonicwall, but other SSL/VPN setups I've seen required that your browser support ActiveX and that you permit the site to execute arbitrary code, where it installs a kernel driver (like a normal VPN client would)... I always thought the idea of allowing your browser sufficient privileges to load kernel drivers seemed extremely insane.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    17. Re:Why? by Tynin · · Score: 1

      Along with the last vestiges of privacy in IP space. Every single connection you make traced directly to you instantly. Joy.

      You have never had privacy in IP space. Not even behind a NAT. Whoever is maintaining that NAT could have every packet you've ever sent (extreme, but possible), and if it is you who are maintaining the NAT, then at best you've obfuscated your topology but it will be traced back to you. Besides, it isn't like proxy servers and services like Tor will stop working when IPv4 becomes a legacy protocol.

    18. Re:Why? by AVee · · Score: 1

      I can easily identify the hosts internal to my ipv6 network, they all get the same prefix. With ipv6 you're not getting random addresses assigned, instead you will normally get a block of addresses to use inside your network.

    19. Re:Why? by rantingkitten · · Score: 1

      who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

      Teeming multitudes of clueless users who only have one computer and therefore never got a router. Every one of their boxes is totally owned, but they're oblivious.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    20. Re:Why? by AVee · · Score: 1

      I've got several reasons to expect a proper ipv6 netblock from my ISP:
      1. That's what I'm currently already getting from my ISP.
      2. That's how ipv6 is supposed to work.
      3. That will be the default configuration of big routers.
      4. Ipv6 addresses will not be scarce, so handing out single addresses instead of blocks will not save any money.
      5. Actually, not using the default mac-address based numbering scheme will complicate configuration and will raise the requirements on end-point routers, so it's actually likely to be more expensive.
      6. I won't pay any ISP which offers 'ipv6' and then hands out single addresses, and neither should you.

    21. Re:Why? by mishehu · · Score: 1

      s/can go away/should go away/ There, fixed that for you :-)

    22. Re:Why? by mister_playboy · · Score: 3, Insightful

      The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

      In most of our lifetimes? Per Wikipedia:

      The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses—or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

      It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    23. Re:Why? by Koutarou · · Score: 1

      ipv6 already has an addressing scheme for private networks, Unique Local Addresses.

      There's no justification for using that as support for need for nat.

    24. Re:Why? by Koutarou · · Score: 1

      The recommendations have been that end-users get a /64 (a single subnet with 64 bits worth of addresses to work with)

      Originally when more subnets were required the recommendations were to allocate a /48 per business customer (65,535 /64 subnets) but that has been since relaxed to /56 (256 subnets) for small businesses.

    25. Re:Why? by Darkk · · Score: 1

      Umm... We tried Sonicwall's SSL VPN functionality and it SUCKS eggs!!

      Frankly I wouldn't touch Sonicwall with a 10 foot pole!!

      I am sticking with open source such as PfSense

    26. Re:Why? by Anpheus · · Score: 1

      I'm pretty sure I've heard that before.

      The only reason I think we should have an IPvX, or an extensible standard that allows longer strings, is that you never know what people will use it for in the future. Anticipating future needs and then saying "This is good enough, forever" has never, ever worked. And people have said largely the same thing about every past technology.

      Who would ever need four billion addresses? Only COMPUTERS will be using them and only universities and big businesses have those!

    27. Re:Why? by Anonymous Coward · · Score: 1, Interesting

      The only thing that is exhausting is the manifest stupidity of the IETF. The world is running out of IPv4 addresses, so let's direct the reserved class E block (1/16th of total IPv4 address space) to be released for use as private network space, because god knows the current allocations for that purpose are not more than enough for even the world's largest corporations.

      We need a new IP protocol, so let's forget the fact that the payload size of 50% of all Internet traffic is 40 bytes and invent a protocol with an absurdly unnecessary 128-bit addressing scheme.

      Then let's fuck up the deployment, not take interop seriously and change our minds WRT transition mechanisms so many times it hurts. Can someone please tell me WTF the difference between ffff::x.x.x.x and ::x.x.x.x is, and then think about what you just said.

      Then while we are at it, let's break cardinal rules of decoupling ISO layers with %interface designations, as if we didn't already learn our lessons on why breaking the network knowledge rule with IPSec and SIP tends to lead to extraordinary deployment disasters.

      Now that we're on a stupid streak, let's make it so IPv6 computers can't address themselves using their own frigging network-facing address.

      All of this while rejoicing at the end of NAT without understanding that people don't want to pay for OR expose knowledge of individual systems within their network... let alone this link-local IPv6 MAC mapping nonsense.

      Sorry, just blowing off steam... on the bright side, at least Slapper worm type propagation will no longer be feasible with such a massive address space.

    28. Re:Why? by Stan+Vassilev · · Score: 2, Insightful

      In most of our lifetimes? Per Wikipedia:

      The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses--or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

      It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

      That quote from Wikipedia you pulled, is immediately followed by this:

      "While these numbers are impressive, it was not the intent of the designers of the IPv6 address space to assure geographical saturation with usable addresses. Rather, the longer addresses allow a better, systematic, hierarchical allocation of addresses and efficient route aggregation."

      If we could arbitrarily ignore the network structure and special ranges assigned in IPv4, we have 4.2 billion possible IP numbers (2^32). Do we have 4 billion computers on the Internet? No. Do we have an IPv4 shortage? Yes. In fact we had an IPv4 shortage even back in the early 90s when the Internet was far from being mainstream yet (which prompted the jump from classful networks to CIDR).

    29. Re:Why? by QuoteMstr · · Score: 1

      Besides: if you really want, you can NAT IPv6. IPv6 has private address blocks just like IPv4.

      Honestly, NATing might be useful just to avoid network renumbering if you're not big enough to get an AS number.

      It's not *that* evil, because with IPv6, we'll have enough public addresses to make a one-to-one NAT scheme feasible, which will allow incoming connections to work transparently.

    30. Re:Why? by delt0r · · Score: 1

      NAT does not provide any measure at all of anonymity. In fact if you are not using Tor you don't have any anonymity. /. knows your IP, and can probably buy the database of time/ip/address allocations from your ISP. I am on a static IP; you could probably get the phone number on my desk within 30 mins without a warrant.

      Also IP6 does provide for "randomized" addresses. So when you travel, for example, your laptop would get different addresses (if you want). Or your home network would, if that's what you want. But this is still not the same as anonymity.

      --
      If information wants to be free, why does my internet connection cost so much?
    31. Re:Why? by delt0r · · Score: 1

      NAT and IPsec......now that's a nightmare...

      --
      If information wants to be free, why does my internet connection cost so much?
    32. Re:Why? by tylernt · · Score: 2, Insightful

      It will take way more than poor management to use up all those numbers

      You haven't met my managers.

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    33. Re:Why? by Anonymous Coward · · Score: 0

      Just because you aren't using NAT doesn't mean you are outside the firewall. Many universities and colleges have large ranges of IPs and all their workstations on publicly-routable IPs. They are protected by ingress filtering on a gateway firewall.

      If you agree that ISPs need IPv6, surely that means that clients should have it too. Just think, you'd never have to worry about whether your NAT implementation supports SIP correctly or not, or when you buy a new router model whether they've managed to get all the bugs out of the max size of the connection tables when you are running bittorrent.

      How many hours have been wasted by these two problems?

    34. Re:Why? by Anonymous Coward · · Score: 0

      Ethernet MAC addresses have a 'gazillion addresses'. That doesn't mean it's a problem. NAT/Firewall is a retarded statement. NAT and firewall are different functionalities. Use of profanity doesn't prove your point - it just makes you look like a moron (not that your statements in themselves do not).

    35. Re:Why? by Anonymous Coward · · Score: 0

      You're on the money AC. The biggest problem I can see with IP6 is it's so different to IP4. Why didn't they just tack on a few octets and keep the same dot notation? Why switch to hex with colons? I'm familiar with IP6 and its abilities to shorthand, but that problem isn't insurmountable.

    36. Re:Why? by ckaminski · · Score: 1

      NAT is not useful. Before the advent of NAT, you had straightforward network topology. You had one DNS server telling the outside world your public hostnames, and that same DNS server telling your inside hosts all of your hostnames. And every machine had its own network address.

      And your firewalls did all sorts of smart filtering. Oh Johnny on the internet can get to the web server, but not the database backend.

      NAT needs to die. NAT is a kludge, a hack. I for one will not be sorry to see it go.

    37. Re:Why? by ckaminski · · Score: 1

      And such was the case LONG before NAT came along.

      The problem is that not using NAT prevents you from using the unroutable address space.

    38. Re:Why? by dave562 · · Score: 1

      It also supports Java. Like the next responder said, he doesn't like Sonicwall and is sticking with PfSense. I've never heard of that product but it is probably worth looking into.

    39. Re:Why? by Adm.Wiggin · · Score: 1

      Also important to note is that NAT is a poor security method.

    40. Re:Why? by Adm.Wiggin · · Score: 1

      As I said earlier in this thread, both Windows Vista and Mac OS X have both had IPv6 installed and enabled by default for quite some time.

  3. Wah happen to ipv5? by Anonymous Coward · · Score: 0

    I gotz to noze !!

    1. Re:Wah happen to ipv5? by isama · · Score: 1

      The even versions are stable, the uneven are testing, so I'd like to ask the question: what happened to ipv2?

    2. Re:Wah happen to ipv5? by ksemlerK · · Score: 2, Interesting

      What happened to IPv1, IPv2, IPv3 and IPv4? The short answer is that they never existed.

    3. Re:Wah happen to ipv5? by isama · · Score: 1

      Thank you for the info!

  4. Another Genuine Advantage ? by mbone · · Score: 3, Insightful

    I have to say that this is what struck my eye :

    In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings.

    OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

    By the way, this sets up an IPSEC VPN, so I am not sure why the OP says it doesn't require a VPN.

    1. Re:Another Genuine Advantage ? by Anonymous Coward · · Score: 0

      The main advantage of NAP is to ensure that connected computers are up to date and running the approved corporate software. You're not bringing your home laptop without antivirus and a proper certificate onto my network.... etc

    2. Re:Another Genuine Advantage ? by LOLLinux · · Score: 0, Flamebait

      OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

      You're an idiot? All this is saying is that it has to pass a bunch of policy settings to connect. What exactly is supposed to be sinister about that?

    3. Re:Another Genuine Advantage ? by nielsm · · Score: 2, Informative

      This is a server-checks-client-security thing, not a Microsoft-checks-customer-setup thing. Refusing to work with known-broken software.

    4. Re:Another Genuine Advantage ? by VoltageX · · Score: 1

      No, NAP is more like making sure you've deployed the patches from last Tuesday. And from reading about it ages ago, I thought it was fairly configurable

      --
      "Anonymous could not immediately be reached for further comment." - International Business Times
    5. Re:Another Genuine Advantage ? by mystik · · Score: 1

      I read about this feature a few weeks ago.

      MS Is touting "this is not a VPN" (even in their marketing for this feature) -- but the parent is right, it's just an ipsec VPN that's initialized early in the boot up process.

      I guess it's handy; most VPN clients I've seen are clunky things that have to run after login.

      --
      Why aren't you encrypting your e-mail?
    6. Re:Another Genuine Advantage ? by Anonymous Coward · · Score: 0

      OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

      The fact that you are a FUD spreading idiot?

    7. Re:Another Genuine Advantage ? by j+h+woodyatt · · Score: 1

      "so I am not sure why the OP says it doesn't require a VPN." ...because it doesn't use private addressing realms. Everything gets numbered out of the global address realm.

      --
      jhw
    8. Re:Another Genuine Advantage ? by Anonymous Coward · · Score: 0

      How did he get modded insightful? This is not an MS license checking feature, it is a commonly implemented feature in many large organisations through various technologies including MS Windows.

      but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

      Probably because you're a tin-foil-hat basement-living geek that doesn't really understand the technology here but thought they would try and be cool and have a swipe at MS anyway?

    9. Re:Another Genuine Advantage ? by Anonymous Coward · · Score: 0

      MS Is touting "this is not a VPN" (even in their marketing for this feature) -- but the parent is right, it's just an ipsec VPN that's initialized early in the boot up process.

      No, it's actually more than that. The reason that they are touting this as "not a VPN" is because it's philosophically different. A VPN is intended to connect a user to the network. DirectAccess was designed to extend the manageability of your internal networks to remote/mobile devices, regardless of where they are or how they connect to the Internet. A VPN typically requires user intervention to initiate the connection. DirectAccess does not.

      It also is not "just an IPSec VPN." Even if you're behind a firewall that blocks IPSec traffic you can still use DirectAccess because it will use IP-HTTPS to tunnel over port 443.

    10. Re:Another Genuine Advantage ? by Anonymous Coward · · Score: 0

      yes.. but 'broken' can mean many things.

  5. Slashdotted, but regarding VPNs by jimicus · · Score: 1

    .... right now they're a necessary evil. There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access. Though of course that's of limited benefit unless you can configure every application that needs to be accessed remotely to do this, regardless of server or client OS (...or you don't need to care because you only run applications which can be configured like this).

    Knowing Microsoft, this is only useful if all your clients are Windows 7 and all your servers are Windows Server 2008. Can any early adopters confirm whether or not this is the case?

    1. Re:Slashdotted, but regarding VPNs by vlm · · Score: 1

      There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access.

      And add two factor authentication (pretty much required for a SERIOUS vpn)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Slashdotted, but regarding VPNs by Sancho · · Score: 1

      The key is that with VPN, you can set up those client certs and two factor auth for a single server on your LAN--the VPN server--and all the rest can be used with lower security. Compare to configuring every host on your network in this way. Furthermore, a firewall helps guard against error. Did you accidentally set up a server incorrectly? Well the firewall still prevents everyone from accessing it unless they're using VPN.

      VPN/Firewall is still a good portion of the layered security approach, and it would be even if every device on the network supported SSL/client certs.

    3. Re:Slashdotted, but regarding VPNs by Anonymous Coward · · Score: 0

      Meh, ROT13 works for me, and if I want something REALLY secure I just ROT13 it twice.

    4. Re:Slashdotted, but regarding VPNs by jimicus · · Score: 1

      Client and server verifying each others certificates gives you the first factor (something you both have).

      Stick a password in front of your applications and there's your second.

    5. Re:Slashdotted, but regarding VPNs by houstonbofh · · Score: 1

      With your solution, you have to expose every device to the internet at large, and then filter. With VPN, you do not even know what is behind it. So they are not the same.

    6. Re:Slashdotted, but regarding VPNs by jimicus · · Score: 1

      This is just it - my solution is only really workable if you have a very narrow range of "things it is desirable to have available from outside the corporate network".

      In other words, fairly useless for most practical purposes. But hypothetically doable...

    7. Re:Slashdotted, but regarding VPNs by gad_zuki! · · Score: 1

      So instead of managing one or two certs/keys you're managing dozens, all running with the quirks of the implementation of the application, and you lose two-factor authentication, centralized management, site-to-site, and a few other features.

      Something tells me VPN is going to be here as long as tcp/ip is. At least for serious applications. Heck, Joe Blow can remotedesktop/ssh to his computer and get some level of encryption by default now. No need for ipv6 and direct connect.

      On top of it, if adding SSL to old established protocols is so easy, then why aren't we doing it for everything now? Sure, it's not a technical challenge, but the inertia on the application end of things means that people won't implement it. What percentage of SMTP or FTP is encrypted? How many non-upgradable legacy solutions are out there? The nice thing about VPN is that you sidestep the application level and you just take care of security on the network level.

    8. Re:Slashdotted, but regarding VPNs by Curate · · Score: 1
      Knowing Microsoft, this is only useful if all your clients are Windows 7 and all your servers are Windows Server 2008. Can any early adopters confirm whether or not this is the case?

      Actually the server requirement is Windows Server 2008 R2, aka "Windows 7 Server". And yes, that is the case; it's a new feature introduced in Windows 7 that other OSes have absolutely no concept of. It remains to be seen if this can be/will be backported to previous versions of Windows. My guess is probably not since it would require fairly extensive changes to the networking subsystem and impacting other subsystems as well.

    9. Re:Slashdotted, but regarding VPNs by jimicus · · Score: 1

      And yes, that is the case; it's a new feature introduced in Windows 7 that other OSes have absolutely no concept of.

      In that case, it won't be any good until at least the third iteration anyhow and nobody who's serious needs concern themselves with it for at least four years.

    10. Re:Slashdotted, but regarding VPNs by arndawg · · Score: 1

      But if your client gets hijacked the hacker gets both: what your password is (what you know) and your certificate (what you have). A password and a certificate really just sound redundant in this case.

    11. Re:Slashdotted, but regarding VPNs by jimicus · · Score: 1

      But if your client gets hijacked the hacker gets both. What your password is (what you know) and your certificate (what you have).

      A password and a certificate really just sounds redundant in this case.

      If your client gets hijacked you're hosed anyway, VPN or no VPN.

      Unless you're concerned about a MITM attack - but the whole point of SSL with verified certificates is that it's resilient to these things.

    12. Re:Slashdotted, but regarding VPNs by arndawg · · Score: 1

      I don't agree. By that logic everyone with a trojan who is using online banking would lose their money. Why isn't this happening? Because of the token.

    13. Re:Slashdotted, but regarding VPNs by jimicus · · Score: 1

      I don't agree. By that logic everyone with a trojan who is using online banking would lose their money. Why isn't this happening? Because of the token.

      Are you referring to the electronic OTP that some banks in some countries provide?

      These aren't standard worldwide. UK banks are only just starting to offer things like this, and there are plenty of instances of people with trojans losing money.

    14. Re:Slashdotted, but regarding VPNs by arndawg · · Score: 1

      Okay, I didn't know that. In my country it's standard. Yes, I'm referring to OTP tokens. For me that is the only way to provide two-factor authentication. Or using SMS for OTP.

  6. Exactly why we didn't deploy DirectAccess by Bubba · · Score: 2, Informative

    We looked at deploying DirectAccess, but after months of talks and discussions with Microsoft, they finally came out and told us that it wouldn't work unless we rolled out IPv6 (and pushed other MS services (CA, DC) externally). We passed. We decided to stick with SSL VPN for most and the Cisco AnyConnect client for our Win7 64-bit rollouts. Maybe next time, Microsoft?

  7. Doesn't require a VPN by CranberryKing · · Score: 1

    Yeah.. I'll just toss out my vpns and start using the MS solution which greatly simplifies remote access security.. I can see lots of people will be running to this.. Yeah..

  8. How Ironic by fat_mike · · Score: 1

    "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening."

    Kind of like Linux on the desktop!

    1. Re:How Ironic by MathiasRav · · Score: 1

      Nah, more coincidental really, when you think about it

  9. IPV6 is fatally broke by Anonymous Coward · · Score: 1, Informative

    I'm not a big fan of djb but he hit this nail right on the head.

    http://cr.yp.to/djbdns/ipv6mess.html

    1. Re:IPV6 is fatally broke by Just+Some+Guy · · Score: 0

      I'm not a big fan of djb but he hit this nail right on the head.

      Yes, you are. No one but DJB fanboys would claim that IPv6 is fatally broken and can't work, despite the fact that many of us are using it in production today.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:IPV6 is fatally broke by Changa_MC · · Score: 2, Insightful

      Wait, are you claiming you don't use IPv4 for anything? Or are you claiming you use IPv6 for some things? Because if the latter, you're right in line with Bernstein's claim. Note he doesn't say IPv6 doesn't work, he says there is no smooth transition path for IPv6 adoption from IPv4.

      Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

      Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

      Which relegates IPv6 to hobbyists, same as in 2002.

      --
      Changa hates change.
    3. Re:IPV6 is fatally broke by metamatic · · Score: 3, Informative

      Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

      You make it sound like that's a difficult problem, rather than a matter of putting a few extra lines in a config file for the transition period.

      Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

      No, you're wrong there. While an IPv4 connection cannot reach IPv6 hosts, an IPv6 connection can reach any IPv4 host using tunneling. You talk pure IPv6 to your IPv6 ISP, and if there's a need to fall back to IPv4, they route the traffic via a tunnel broker.

      Using similar technology, you can get IPv6 even if your ISP only supports IPv4. That's how I'm doing it.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    4. Re:IPV6 is fatally broke by TheLink · · Score: 1

      > an IPv6 connection can reach any IPv4 host using tunneling.

      You're wrong. He's not talking about ISPs. He's talking about websites (and other servers on the Internet).

      If a server you want to access only supports IPv4, you either need IPv4 on your client, or something has to do proxying or NAT.

      If there are enough IPv4 addresses to do NAT for everyone using IPv6, then there are enough IPv4 addresses to do NAT if those users use IPv4 instead :).

      Try this experiment: remove the IPv4 addresses on your home machine's network interfaces. Now see how well you can access the rest of the Internet.

      Or even this: Remove the IPv4 addresses on your home machine's network interfaces. Now try to ping/access an IPv4 only device on your home network.

      --
    5. Re:IPV6 is fatally broke by metamatic · · Score: 1

      Try this experiment: remove the IPv4 addresses on your home machine's network interfaces. Now see how well you can access the rest of the Internet.

      A system with IPv6-only connectivity can use a tunnel to access the rest of the Internet. Really. Go read about it, it's RFC 2473.

      So if you as a client have native IPv6, there's no reason not to use it, as you can reach the entire Internet that way. Then when enough clients are migrated, servers will start to switch over.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    6. Re:IPV6 is fatally broke by TheLink · · Score: 1

      > A system with IPv6-only connectivity can use a tunnel to access the rest of the Internet.

      A system with IPv6-only connectivity can use a tunnel to access the rest of the _IPv6_ hosts on the Internet.

      An IPv6-only system cannot communicate with IPv4 only hosts (unless there is some proxying or translation). And that was what the poster was talking about.

      --
    7. Re:IPV6 is fatally broke by metamatic · · Score: 1

      An IPv6-only system can communicate with IPv4-only hosts, using the tunneling mechanism described by the RFCs. Example diagram. Note that the IPv6 machine on the IPv6 network doesn't have to handle the tunneling. So there's no reason why an ISP couldn't deploy IPv6 to customers, and provide DSTM tunneling for them to use to reach legacy IPv4-only systems.

      The issue of IPv4 over IPv6 was dealt with years ago, so that IPv6-only backbone connections could be deployed without eating further into the IPv4 address space.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    8. Re:IPV6 is fatally broke by TheLink · · Score: 1

      You clearly[1] don't understand the documents you're linking to.

      Go read what they actually do. They solve a very different problem from what I and the other poster are talking about.

      The stuff you're talking about either wraps IPv4 packets in IPv6 packets, or wraps IPv6 packets in IPv4.

      That does NOT help an IPv6 only machine talk to an IPv4 only machine.

      [1] just look four lines into the document you just linked to:

      "DSTM Clients: Dual-stacked nodes, create tunnels to Tunnel End Point (TEP)."

      See there? Dual-stacked nodes.

      That means the nodes have both IPv4 and IPv6 addresses. They are not IPv6 only (or IPv4 only). If there will be enough IPv4 addresses in the world for these nodes, then it logically follows there will be enough IPv4 addresses for IPv4 only nodes.

      If you still can't understand this (or the problem), you're still wrong, but I'm sorry I don't know how to explain it better to you.

      --
    9. Re:IPV6 is fatally broke by metamatic · · Score: 1

      The transition nodes on the edges of the IPv6-only zone are dual-stack, yes. The hosts inside the IPv6-only zone are not dual stack, nor are the IPv4 servers they connect to.

      So you can have 20,000,000 IPv6-only nodes, connecting to a legacy IPv4-only node, via a single IPv4 tunnel broker at the edge of the IPv6-only network.

      Just like all the machines on my home network believe they are on an IPv6 network, because the gateway router invisibly handles all the IPv6 over IPv4 tunneling to get them connected via my ISP.

      I can go to http://ipv6gate.sixxs.net/ right now. It tells me I'm connecting via IPv6, and lets me connect to various IPv4-only web sites via IPv6. That shows the principle. The rest is just setting up your edge-of-IPv6-net routers to handle it.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    10. Re:IPV6 is fatally broke by Anonymous Coward · · Score: 0

      so.... IPv6 is fatally broken because some companies are stupid and IPv4 is fatally broken? If a company doesn't go IPv6, screw them. All the big companies already have IPv6 connectivity anyway.

      I think I remember this same argument with the Pentium Pro. It ran 16bit apps slowly but ran 32bit very fast. Since 16 bit is the future, who would buy a PPro?

    11. Re:IPV6 is fatally broke by TheLink · · Score: 1

      > I can go to http://ipv6gate.sixxs.net/ right now. It tells me I'm connecting via IPv6, and lets me connect to various IPv4-only web sites via IPv6.

      That's exactly my point. You'd have to use a NAT or a proxy. http://ipv6gate.sixxs.net/ is a proxy.

      Good to see that you've finally realized the problem.

      Your original links (RFC2473 etc) and comments (e.g. "an IPv6 connection can reach any IPv4 host using tunneling") were the wrong answer to the problem.

      As I said: "you either need IPv4 on your client, or something has to do proxying or NAT."

      Lastly, the push for IPv6 might not be so great if Big Media realize that they might like a world where the $$$$ is in the IPv4 Internet, and the "viewers" are stuck behind NATs or proxies run by ISPs.

      Then ISP users can't easily P2P or be "broadcasters" in that situation.

      Most users might not realize the implications - the web stuff and even many online games will still work.

      --
    12. Re:IPV6 is fatally broke by metamatic · · Score: 1

      That's right, ignore the OTHER part of my reply, where I explained the non-proxy solution to accessing IPv4-only sites from an IPv6-only system. Dishonest tosser.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    13. Re:IPV6 is fatally broke by TheLink · · Score: 1

      If it doesn't involve proxying, it involves NAT.

      I don't see how I'm being dishonest. I've been telling the truth. If you can't handle the truth, that's not really my fault.

      As for me being a tosser, while it may be true, it should not be relevant to this discussion.

      --
  10. They've invented SSH/SSL! by Chris+Mattern · · Score: 2, Insightful

    Except that it doesn't work with the networking you have.

  11. IPv4 Forever!!!! by waterlogged · · Score: 2, Interesting

    BGP filters are hard enough in v4 can you imagine doing this crap?

    ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

    Forget it.

    --
    I couldn't fail to disagree with you any less.
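
    The four prefix-list lines quoted above are only hard to read, not hard to evaluate. As an added example (not the poster's configuration or any vendor's code), the following Python evaluates a route against a Cisco IOS-style IPv6 prefix list: first matching entry wins, an entry without `ge`/`le` requires an exact length, `ge` alone means `ge..128`, `le` alone means `prefixlen..le`, and an unmatched route hits the implicit deny. The sample routes are constructed; the prefix list is the one posted.

```python
"""Evaluate IOS-style IPv6 prefix lists: first match wins, implicit deny.

Added example; the prefix-list text below is the one posted in the thread,
the test routes are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ipv6 prefix-list NAME permit|deny PREFIX [ge N] [le M]
_LINE = re.compile(
    r"^ipv6 prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    net: ipaddress.IPv6Network   # the entry's own prefix, e.g. 2a00::/12
    ge: Optional[int]            # minimum prefix length a route may have
    le: Optional[int]            # maximum prefix length a route may have


def parse_prefix_list(text: str) -> dict[str, list[Entry]]:
    """Parse prefix-list lines into {list_name: [Entry, ...]} in file order."""
    lists: dict[str, list[Entry]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable prefix-list line: {line!r}")
        name, action, prefix, ge, le = m.groups()
        net = ipaddress.IPv6Network(prefix, strict=False)
        entry = Entry(action, net, int(ge) if ge else None, int(le) if le else None)
        # IOS rejects ge/le values that cannot be satisfied; do the same.
        if entry.ge is not None and entry.ge < net.prefixlen:
            raise ValueError(f"ge {entry.ge} shorter than prefix in {line!r}")
        if entry.le is not None and (entry.le > 128 or
                                     (entry.ge is not None and entry.ge > entry.le)):
            raise ValueError(f"invalid le {entry.le} in {line!r}")
        lists.setdefault(name, []).append(entry)
    return lists


def entry_matches(entry: Entry, route: ipaddress.IPv6Network) -> bool:
    """True when the route lies inside the entry's prefix and its length is in range."""
    if not route.subnet_of(entry.net):
        return False
    plen = entry.net.prefixlen
    lo = entry.ge if entry.ge is not None else plen
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = 128
    else:
        hi = plen                # neither ge nor le: exact length only
    return lo <= route.prefixlen <= hi


def evaluate(entries: list[Entry], prefix: str) -> str:
    """Return 'permit' or 'deny' for a route; unmatched routes are denied."""
    route = ipaddress.IPv6Network(prefix, strict=False)
    for e in entries:
        if entry_matches(e, route):
            return e.action
    return "deny"                # implicit deny at the end of every prefix list


# The prefix list as posted in the thread.
POSTED_FILTER = """
ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128
"""
STRICT = parse_prefix_list(POSTED_FILTER)["ipv6-ebgp-strict"]


def check(prefix: str) -> str:
    """Evaluate a route against the posted ipv6-ebgp-strict list."""
    return evaluate(STRICT, prefix)


if __name__ == "__main__":
    # Constructed sample routes, not taken from any real BGP table.
    for p in ("2a00:1450::/32", "2a00:1450::/48", "2a00::/16",
              "2801:0:1::/48", "2801:100::/48", "2c0f:fb50::/32", "2001:db8::/32"):
        print(f"{p:18} -> {check(p)}")
```

    Note that the `/24` on the second line is what makes `2801:100::/48` fall through to the deny: only the first 24 bits (`2801:00`) have to match, so anything with a non-zero high byte in the second group is outside the entry. The `le 48` then bounds what it does accept to lengths 24 through 48.
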
    1. Re:IPv4 Forever!!!! by jareth-0205 · · Score: 1

      Hate to break this to you, but the necessity of IPv6 is based on somewhat larger issues than that...

    2. Re:IPv4 Forever!!!! by dasmoo · · Score: 2, Informative

      More addresses, not IPv6. They're just jamming the wrong technology down our throats, which is why everyone's ignoring it.

    3. Re:IPv4 Forever!!!! by TheLink · · Score: 1

      Actually Big Media might be rather happy if everyone stuck to IPv4, ran low on IPv4 addresses resulting in ISPs putting everyone behind NATs.

      Then:
      1) P2P wouldn't work so well - since the NAT device is controlled by the ISP.
      2) Only a few with public IPs could "broadcast" to the many. Just like the old days of TV and Radio.

      --
  12. Second link drowned. by Anonymous Coward · · Score: 1, Insightful

    "Here's the $64,000 question"..."did it make your security senses break out in a cold sweat?"..."IT administrators are champing at the bit "

    And that was just by paragraph four. I gave up -- this person can't write. I'm certainly not going to trust that this "Expert Voice" can assemble facts correctly.

  13. Misleading Summary by EvilRyry · · Score: 1

    IPv6 is only required for the VPN side. The Internet connection on both sides may still be IPv4 however. Read TFA for more details. I have a feeling Time Warner will be in no rush to upgrade my neighborhood to IPv6 no matter how many companies start using DirectAccess.

    1. Re:Misleading Summary by shutdown+-p+now · · Score: 1

      This. In particular, it's worth remembering IP-HTTPS, which tunnels an IPv6 connection over a single exposed port, which pretends to be handling HTTP CONNECT, on the DirectAccess server that is the gateway between the Internet and the intranet in question. So, while the client has to be IPv6-aware, and so does the intranet, all the networking infrastructure between them has no such requirement.

  14. Article is so full of inaccuracies... by A+beautiful+mind · · Score: 4, Informative
    ...that I barely know where to begin.

    IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

    IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

    Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

    Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

    To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

    Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

    By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

    This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case, it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

    Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

    No, when the technical people at large telcos are given the money and mandate to deploy IPv6, that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation (a classic example of the tragedy of the commons) realise that IPv4 blocks will be gone from the IANA pool by fall 2011 and from the regional registries a year later, they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem. All of this could have been avoided; instead we're heading for a bloody showdown in the next couple of years, as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking and b. frantically scramble to upgrade.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:Article is so full of inaccuracies... by lymond01 · · Score: 1

      IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

      Yep, like electric whip cream.

      Wait, what?

    2. Re:Article is so full of inaccuracies... by key134 · · Score: 1

      Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

      I'm not really sure where you get the idea that you can only use 30-50 computers on a single public IP. I can guarantee if you use enterprise-grade firewalls to do the NAT'ing you have no problem going into the thousands of clients.

    3. Re:Article is so full of inaccuracies... by Anonymous Coward · · Score: 0

      The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet.

      That's simply not true, either. I've got around 2300 users behind a single NAT. Yes, some things get complicated but our setup is absolutely usable.

    4. Re:Article is so full of inaccuracies... by A+beautiful+mind · · Score: 1

      No matter what enterprise level thing you use, you're still going to bump into the limit. With NAT, you're trading ports for ip addresses. The number of ports is finite and nowadays there are things like http keepalive, ajax calls, skype, IMAP, and other programs, so you're ending up with hundreds of open connections per computer. When the NAT translating box runs out of ports, it's game over.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    5. Re:Article is so full of inaccuracies... by Bios_Hakr · · Score: 1

      Agreed. In my office, we have a Cisco ASA with about 3000 client devices behind a single public IP. We have no real problems dealing with the vast majority of web services. People can play WoW, chat on Skype/MSN/Yahoo, watch videos on YouTube, and post comments on /. Hell, even bittorrent works well enough that we are considering a packetshaper to reclaim some of our bandwidth. We currently average about 200 Mbps up and down per day.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    6. Re:Article is so full of inaccuracies... by nine-times · · Score: 1

      Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

      Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

      Right. Most users don't know what IPv6 is and are simply using whatever they've been set up to use. In the case of home users, users have been set up to use whatever their ISP has told them to use. In the case of both businesses and individuals, it's hard to say anyone opted for anything since IPv6 usually isn't even a real option. ISPs aren't supporting it. It's possible to do some kind of tunneling to use IPv6, but since it's basically not in use, there isn't a lot of payoff.

      To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

      Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

      Well, NAT can accomplish a lot, but you're right that it can break a lot of things. The idea of giving everything a non-routable address and then using NAT is sort of adding a level of complexity where it shouldn't be necessary. But ultimately my firewalls are doing a good enough job at managing it, and that's not what bothers me. (Yes, I'm just talking about me personally here. I know NAT is causing problems for others.)

      What really bothers me is that there *is* an IPv4 address famine. It's just that the IPv4 addresses are being rationed well enough that we haven't yet reached the point of outright crisis. If you really think that IPv4 addresses are plentiful, then riddle me this: why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

      Really it's just another example of ISPs refusing to invest in the upgrades they need in order to provide a modern level of service. They're hoping that they can continue indefinitely giving us dynamic IP addresses, milking DSL and even... *sigh*... dial-up. Part of it, we have to realize, is that they don't want the Internet to be a P2P network. They want it to be a broadcast network where they control the broadcast. There's no incentive for them to make your two-way communications easier. They're probably just as happy if you're behind several layers of NAT and can't do anything but download web pages.

    7. Re:Article is so full of inaccuracies... by whoever57 · · Score: 1

      why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

      Just because your ISP wants $200 for a business connection does not mean that static IP addresses actually cost $200. For example, Linode charges somewhat less:

      All new accounts include one IP and are permitted to add an additional IP via the Linode Manager for $1.00 per month.

      --
      The real "Libtards" are the Libertarians!
    8. Re:Article is so full of inaccuracies... by Anomalyst · · Score: 1

      How many non-80/443 connections are your internal hosts using, for pity's sake?
      In a SOHO with all those additional services, you aren't going to overwhelm even a SOHO router. Anything larger, you are going to proxy or relay them out through internet-facing servers. You burn a couple of public IP addresses for those servers, and voila, access for multiple thousands of desktops. Mebbe a couple of IT people are doing some SSH and oddball ports thru static translations, but the brunt of average desktop users go through the proxy on 80/443.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    9. Re:Article is so full of inaccuracies... by Anonymous Coward · · Score: 0

      Unless we get IPv6 going, that can only mean one thing: Since servers can't use NAT, the IP addresses will come from "clients", i.e. the public address on your DSL or cable modem will be replaced by a NATed address. Mobile phone networks already do this and it's only a matter of time until it spreads to other access networks, unless IPv6 becomes viable for the masses.

    10. Re:Article is so full of inaccuracies... by growse · · Score: 2

      It's the source ports you're worried about, not the destination ones. I get in the office and along with 6,000 other people turn on my desktop and open my browser which may have 15 saved tabs. With the HTTP and DNS requests (and whatever other connections from other IM etc. apps), I could simultaneously be opening tens of connections out to different servers on the WAN. With NAT, every connection uses up a source port on the public IP. At some point, you run out of ports.

      --
      There is nothing interesting going on at my blog
    11. Re:Article is so full of inaccuracies... by tlhIngan · · Score: 2, Interesting

      What really bothers me is that there *is* an IPv4 address famine. It's just that the IPv4 addresses are being rationed well enough that we haven't yet reached the point of outright crisis. If you really think that IPv4 addresses are plentiful, then riddle me this: why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

      And guess how much a single static IPv6 address will cost from your ISP? That's right, $200/month because you'll need a business account.

      IPv6 gives you more address space. ISPs will still nickel-and-dime you. Even if your ISP is "wasteful" and gets you a /96, they'll just make sure that xxxx:...:xxxx::1 actually reaches you (and everyone else gets the same, too), despite giving you a whole IPv4's worth of address space. Buy another IP address, and they'll also give you xxxx::1 to keep all the routing simple. (Side note: this also makes the virus's and worm's jobs simpler.) Heck, if they need to double their address space, they just use another bit, so your /96 becomes a /97, not that you could've used those 2 billion addresses they "stole".

      NAT won't die, unless ISPs are willing to give up the money they're making on extra IPs. At best, while NATv6 is being worked on, everyone has to buy extra IP addresses so everyone's home PC, roaming laptop, etc., can be connected simultaneously. Linksys, D-Link and Netgear will be happy as they get to sell everyone IPv6 firewalls, then IPv6 "IP Sharing" routers that can save everyone money by not having to buy extra IPs.

    12. Re:Article is so full of inaccuracies... by Fenris+Ulf · · Score: 1

      Network size on IPv6 is /64, not /96. Companies are usually given a /48, and ISPs a /32.

      If your ISP tried to restrict you to ::1 for some reason, you could tunnel out to a broker that gives you a /64 or /48. I can't see why anyone would, Comcast for example has no plans to.

    13. Re:Article is so full of inaccuracies... by Anonymous Coward · · Score: 0

      ... IPv4 blocks will be gone by 2011 fall from the IANA pool and a year later from the regional registries

      So Hollywood was right, the world does end in 2012!

    14. Re:Article is so full of inaccuracies... by Timothy+Brownawell · · Score: 1

      With NAT, every connection uses up a source port on the public IP. At some point, you run out of ports.

      That's not inherent, since it's only the combination of source and destination address/port that has to be unique. It's no different than running out of file descriptors, just an implementation limit.

    15. Re:Article is so full of inaccuracies... by Bengie · · Score: 1

      Business accounts also remove the ISP's reason to bitch at you for "leeching" bandwidth

    16. Re:Article is so full of inaccuracies... by Anonymous Coward · · Score: 0

      While you are pretty much on the money, NAT isn't as broken as you think. I know for certain that my OpenBSD installations can successfully NAT and reverse net many thousands of IPs.

      You mention that NAT breaks many protocols and you are correct, but I assure you that many of those protocols are poorly planned out security wise, and even if one were to allow them it wouldn't be without an intermediate bastion, defeating the rationale behind direct routing.

      IP6 has many advantages but I doubt that making corporate LANs as permissive as home internet links is one of them.

    17. Re:Article is so full of inaccuracies... by Com2Kid · · Score: 1

      ISPs aren't supporting it.

      Like for instance Comcast! That huge nation wide cable modem ISP! How dare they not support IPv6!


      Your IP is 2001:1af8:1:f006::6

      --- http://ipv6.whatismyipv6.net.ipv4.sixxs.org/

      Oh wait...

    18. Re:Article is so full of inaccuracies... by GravityStar · · Score: 1

      Then, they will ask for government bailouts to help in their unforeseeable crisis.

    19. Re:Article is so full of inaccuracies... by Anonymous Coward · · Score: 0

      Keep in mind that the firewall will release the port back into the pool as soon as the tcp connection closes properly or the udp connection times out.

      In order for 6k users to exhaust a PAT pool they would all have to have 10+ active concurrent sessions going.
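      The port-exhaustion arithmetic that growse, Timothy Brownawell and the comment above are arguing over, as an added simulation (it is not code from the thread or from any product mentioned in it): a translator that reserves one public port per flow regardless of destination runs dry at about 10 concurrent connections per user for 6,000 users, while one that only requires the 5-tuple to be unique reuses the same public port towards different destinations. The user count, the five constructed servers in 198.51.100.0/24, the 10.0.0.0/8 hosts and the 203.0.113.1 public address are all assumptions made for the simulation.

```python
"""NAT/PAT source-port exhaustion on a single public IPv4 address.

Added simulation (not from the thread): it compares two ways a translator can
hand out public source ports, using a constructed office of 6,000 users.
"""
from collections import deque

PUBLIC_IP = "203.0.113.1"              # constructed documentation address (RFC 5737)
EPHEMERAL_PORTS = range(1024, 65536)   # 64,512 translated ports available on that address

# A flow is the 5-tuple (proto, private src, src port, dst, dst port).


class EndpointIndependentPAT:
    """Every active flow consumes one public port, whatever its destination."""

    def __init__(self):
        self.free = deque(EPHEMERAL_PORTS)
        self.table = {}                     # flow -> public port

    def translate(self, flow):
        """Return the public port for this flow, or None when the pool is exhausted."""
        if flow in self.table:
            return self.table[flow]
        if not self.free:
            return None
        port = self.free.popleft()
        self.table[flow] = port
        return port

    def release(self, flow):
        """TCP close seen or UDP mapping timed out: the port returns to the pool."""
        self.free.append(self.table.pop(flow))


class EndpointDependentPAT:
    """A public port only has to be unique per (proto, dst, dst port), so the
    same port is reused in parallel towards different destinations."""

    def __init__(self):
        self.free = {}                      # (proto, dst, dport) -> deque of free ports
        self.table = {}

    @staticmethod
    def _pool_key(flow):
        proto, _src, _sport, dst, dport = flow
        return (proto, dst, dport)

    def translate(self, flow):
        if flow in self.table:
            return self.table[flow]
        pool = self.free.setdefault(self._pool_key(flow), deque(EPHEMERAL_PORTS))
        if not pool:
            return None
        port = pool.popleft()
        self.table[flow] = port
        return port

    def release(self, flow):
        self.free[self._pool_key(flow)].append(self.table.pop(flow))


def rounds_before_exhaustion(nat, users=6000, servers=5, max_rounds=500):
    """Each round, every user opens one more TCP connection (to the servers in
    rotation) and nothing is closed. Returns how many full rounds succeeded
    before the translator refused a flow, i.e. the concurrent connections per
    user that one public address could sustain under this policy."""
    for rnd in range(max_rounds):
        for u in range(users):
            src = f"10.{(u >> 8) & 0xFF}.{u & 0xFF}.10"            # constructed private host
            dst = f"198.51.100.{1 + (u + rnd) % servers}"          # constructed servers
            flow = ("tcp", src, 1024 + rnd, dst, 443)
            if nat.translate(flow) is None:
                return rnd
    return max_rounds


def port_is_reused_after_close():
    """Fill the pool, confirm the next flow is refused, close one flow and
    confirm the refused flow now gets a port. Returns True when that holds."""
    nat = EndpointIndependentPAT()
    flows = [("tcp", "10.0.0.1", 1024 + i, "198.51.100.1", 443)
             for i in range(len(EPHEMERAL_PORTS))]
    for f in flows:
        nat.translate(f)
    newcomer = ("tcp", "10.0.0.2", 5000, "198.51.100.1", 443)
    refused = nat.translate(newcomer) is None
    nat.release(flows[0])
    return refused and nat.translate(newcomer) is not None


if __name__ == "__main__":
    print(f"ports on {PUBLIC_IP}: {len(EPHEMERAL_PORTS)}")
    print("endpoint-independent:", rounds_before_exhaustion(EndpointIndependentPAT()), "connections per user")
    print("endpoint-dependent  :", rounds_before_exhaustion(EndpointDependentPAT()), "connections per user")
    print("port reused after close:", port_is_reused_after_close())
```

      Run it as a script to see the two numbers; release() models the pool refill the comment above describes. Real translators sit somewhere between the two policies and also bound mapping lifetimes, which the simulation leaves out.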

    20. Re:Article is so full of inaccuracies... by Bengie · · Score: 1

      Then a service goes down and I'm on my Vacation and I need to access my computer to fix the code. Well, I could just remotes Desto... oops, no internet facing IP, everything behind a NAT. VPN!! ohh, wait... The company doesn't want to put out more $$ just so every programmer can have a licence for the VPN client software for their home computers, which would then need to be available for audits.

      Well, kind of stuck there.

      Or more fun when at home. Try to P2P with a local computer. Local IP subnet 192.168.1.x, outward IP 123.456.789.1. Hmmm... let's speed up that game patch download. Whoops, P2P software only sees the internet facing IP, so instead of doing a local copy, it forwards the data stream to the ISP then back to the cable modem. YAY. wasted bandwidth.

      I have multiple computers hosting services on the same port.. ohh, sorry, can't do that with NAT. Please pick a different port.

      NAT is good for one thing. Being a crutch for IPv4. Anyone who likes NAT is just lazy and doesn't properly secure their networks anyway.

    21. Re:Article is so full of inaccuracies... by Bios_Hakr · · Score: 1

      WRT issue 1. We have SSH forwarded to an internal box. If we need to admin something inside from outside, we SSH (or TightVNC) internally and then jump from there.

      WRT issue 2. Pretty sure you have no idea what you are talking about. Most torrents have Peer Exchange on Local Peer Discovery enabled now. I'm looking at a torrent right now and I see several clients on my private subnet.

      WRT issue 3. If you have public-facing services, they need to be in the DMZ. You can put the web server in the DMZ and then put the database server inside the firewall and create a tunnel from outside to inside. We do the same thing with our email servers, web servers, and DNS servers.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
  15. no VPN by Anonymous Coward · · Score: 0

    It doesn't require a VPN because IPv6 has IPsec built in.

  16. Article is so full of Y2K. by Anonymous Coward · · Score: 0

    "No, when the technical people at large telcos are given the money and mandate to deploy IPv6 that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation in a classic example of the tragedy of the commons realise that IPv4 blocks will be gone by 2011 fall from the IANA pool and a year later from the regional registries, they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking b. franctically scramble to upgrade."

    Another Y2K?

    1. Re:Article is so full of Y2K. by A+beautiful+mind · · Score: 1

      IPv6 is actually the anti-Y2K. This is a problem mainly ignored by mainstream media that has the potential to affect the global economy, while Y2K was a relatively minor issue compared to this, which got overhyped by the media.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
  17. Tec Laziness? by Anonymous Coward · · Score: 0

    I was under the impression that it was the cost of new hardware that was holding back the adoption of IPv6... turns out it was just the laziness of tecs... who would have guessed.

  18. So..... by mortal-geek · · Score: 0

    ....are we cool with Microsoft now, hmm?

  19. Or DirectAccess may just sink it for good... by BobMcD · · Score: 3, Interesting

    From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

    Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

    * set specific policies (no split tunneling)
    * force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
    * ensure proper key and credential management, including two-factor or challenge/response
    * audit activities while user is connected to the VPN.

    The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

    What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

    As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

    1. Re:Or DirectAccess may just sink it for good... by Spad · · Score: 1

      DirectAccess is actually much more VPNy than Microsoft like to claim, it's just more transparent to the user. Authentication can be simply an AD username/password if you want or two-factor authentication like any other VPN and it's not like users can just connect into your network without any control on your part (unless you're an incompetent admin, ditto on the auditing). I'm not sure about the split tunnelling aspect; I would be very surprised if you *can't* disable it when authenticated, but I haven't dug into it in enough detail to say for sure.

      Microsoft have somewhat shot themselves in the foot by making all the "it's not a VPN" claims; it *is* a VPN really, just without the need for a dedicated concentrator and additional software on the clients.

    2. Re:Or DirectAccess may just sink it for good... by Spad · · Score: 1

      To answer my own questions:

      Although split-tunnel routing is the default configuration for DirectAccess, IT professionals can disable the feature to send all traffic through the enterprise network.

      DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. You can use any IPsec encryption method, including DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys...IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES

    3. Re:Or DirectAccess may just sink it for good... by Daltorak · · Score: 1

      From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit

      Oh come on. You're a professional (right?), you should know better than to say this kind of crap. You know what your problem is? You think NAT is a security mechanism -- it's not. Just because we have spent the last ten-plus years having the Firewall also perform network address translation, doesn't mean the two roles have anything to do with each other -- they don't. NAT is a workaround for the problem of limited IP address spaces; it says so right in the freakin' abstract of the original NAT RFC (1631), which was published in 1994! Don't assign it responsibilities it wasn't designed to have!

      IPv6 can (and should) be firewalled just as IPv4 can (and should). It's always a good idea to have a device between your Internet connection(s) and your in-house systems that makes decisions about whether or not packets going to & from certain IP addresses+ports should be allowed through. But, seriously, who cares if the source or destination address is IPv4 or IPv6?

    4. Re:Or DirectAccess may just sink it for good... by girlintraining · · Score: 0

      Oh come on. You're a professional (right?), you should know better than to say this kind of crap. You know what your problem is?

      His "problem" is nothing more than the fact that a new operating system was just released to the public with a flotilla of new technologies which few people thoroughly understand. He is understandably unwilling to implement or allow a technology to run on his network that is not well-understood by himself or any of his staff. As to assigning "responsibilities it wasn't designed to" -- that's the working definition of most IT jobs. The right tool for the job is the tool you have that gets the job done.

      Next time, use more exclamation points. It makes you sound more... professional.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:Or DirectAccess may just sink it for good... by Anonymous Coward · · Score: 0

      Do you actually know what you are talking about or just going WTF WTF WTF WTF???? OMG?!

      http://www.microsoft.com/windows/enterprise/products/windows-7/features.aspx#directaccess

      And for people that actually block microsoft.com,

      Enhance mobility and manageability with DirectAccess

              * Working outside the office is easier than ever. DirectAccess in Windows 7 and Windows Server 2008 R2 enhances the productivity of mobile workers by connecting them seamlessly and more securely to their corporate network any time they have Internet access—without the need to VPN. When your IT department enables DirectAccess, the corporate network’s file shares, intranet websites, and line-of-business applications remain accessible wherever you have an Internet connection.

              * Manage remote machines more effectively. Flexibility gives IT the opportunity to service remote machines on a regular basis and ensure that mobile users stay up to date with company policies. With DirectAccess, IT administrators can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on.

              * Enhance security and access control. To keep data safer as it travels public networks, DirectAccess uses IPv6-over-IPsec to encrypt communications transmitted across the Internet. DirectAccess is designed to reduce unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server (running Windows Server 2008 R2), or the administrator can choose to send all traffic through the corporate network. In addition to authenticating the computer, DirectAccess can also authenticate the user and supports multifactor authentication, such as a smart card. IT administrators can configure which intranet resources specific users can access using DirectAccess.

      So what is DirectAccess? How about a better VPN that's been integrated into native windows network topology (think Active Record, Domain controller, and related fluff)

      But then, why are you freaking out about IPv6? MS could have done similar stuff with IPv4, but chose not to because IPv4 solutions are kludges that must work over NAT and worse. IPv6 only makes this service simpler on the programming side as *some* of the features required to make DirectAccess work are part of the protocol.

            http://en.wikipedia.org/wiki/DirectAccess

      Anyway, congratulations on being the dumbass of the week.

    6. Re:Or DirectAccess may just sink it for good... by BobMcD · · Score: 1

      You know what your problem is? You think NAT is a security mechanism -- it's not.

      In fact that's not my problem. My problem, from your point of view, is that I'm not an elitist. That would be the best definition of your pejorative of my point of view.

      I'm not specifically advocating NAT as a security mechanism. The actual use for NAT (working around limited space) doesn't actually present itself to the argument. Imagine instead a firewall that did one-to-one address mapping if it makes you feel better. It doesn't really matter. In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world. If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.

      Maybe you can get that on IPv6 and maybe you can't. I don't really know. I haven't researched it because there's not really any great need to do so. The inherent design behind IPv6 is that there are enough addresses so that everything can be set to route to everything else. Not only is this not necessary in any way, it is also the opposite of what is desired.

      So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing. I understand that this control was delivered due to a gap in the design purpose, but again I don't really care about the 'why'. Convince me to allow that traffic to route inbound without being mapped. Please.

    7. Re:Or DirectAccess may just sink it for good... by EndlessNameless · · Score: 3, Informative

      //My problem, from your point of view, is that I'm not an elitist.//

      Your problem, from my point of view, is that you're not competent.

      //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//

      It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more.

      //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//

      Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot.

      //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//

      You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

      In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    8. Re:Or DirectAccess may just sink it for good... by growse · · Score: 1

      You could, you know, use a firewall?

      If not-letting-people-route-to-your-ip is your security mechanism, you've got the wrong tool for that particular job.

      --
      There is nothing interesting going on at my blog
    9. Re:Or DirectAccess may just sink it for good... by raddan · · Score: 1

      In short, the control NAT gives you is illusory and meaningless.

      Then it is as illusory and meaningless as paging. After all, you can accomplish the same thing with segmented memory. But as time has shown, the properties inherent in paging make using a computer (for a programmer) much easier. You don't have to worry about bounds-checking; the bounds are built-in by virtue of addresses not being meaningful outside of a particular process, and your addressing model is simple.

      NAT gives you the same thing: addresses that are non-routable outside of your network. Using it becomes simpler. You argue that this other fellow is not competent, but you yourself clearly do not understand the complexities of large private networks. E.g., where I work, we have a global private address space. Now, we're talking hundreds of IT people working in this domain, with probably a dozen or so engineers. When I expose one of my subnets to one of my colleagues' over a point-to-point link, I don't need to worry if he's been careful to set up the correct IT policy on his edge devices, because my address space is NOT ROUTABLE on the Internet. Exposing it is possible of course, but now someone has to jump through some hoops to make it happen. Hopefully they get hit with the clue stick before they get that far.

      Your anti-NAT argument is equivalent to the following: we don't need technology X because person Y should be better at his job. Yeah, sure, but X rules out an entire class of human error. We've heard the same thing over and over again about, e.g., garbage collection, object-orientation, strong typing, language-level support for parallelism, high-level programming, DHCP, network management software, W XOR X, automatic bounds checking, etc, etc, etc.

      You're using NAT as a method of access control, which is not what it was designed for.

      Sure, originally. But it turns out that it's useful for other things, too. E.g., RFC 2663, the updated NAT RFC, specifically talks about access control:

      The need for IP Address translation arises when a network's internal IP addresses cannot be used outside the network either because they are invalid for use outside, or because the internal addressing must be kept private from the external network.

      So while NAT may not have been designed to function as access control, it does. Dismissing it because it "wasn't designed" to work that way is like complaining that aspirin should only be used for headaches while ignoring that it might also prevent people from dying of heart attacks.

      I think most people hate NAT because traversing it is annoying. Doing this is supposed to be annoying!

    10. Re:Or DirectAccess may just sink it for good... by Bill,+Shooter+of+Bul · · Score: 1

      To be fair, the article brought up four requirements that it must have in order to be secure, and only talked about one. It's crappy journalism. Plus the GP, actually RTFM!! I think he should be given some credit for that.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    11. Re:Or DirectAccess may just sink it for good... by YesIAmAScript · · Score: 1

      If you're any kind of network administrator, you can figure out how to control access to your network. IPv4 was designed to connect, not separate, hosts and you managed to make it do what you wanted.

      If you want people to connect to services in your network, don't deploy this service behind your firewall. And if you can't stop others from deploying it, well, then there were already a lot of things you couldn't stop anyway, this isn't the first one.

      --
      http://lkml.org/lkml/2005/8/20/95
    12. Re:Or DirectAccess may just sink it for good... by tftp · · Score: 1

      You have a far greater degree of control with a real firewall---regardless of whether it uses NAT

      He does have a real firewall, regardless of whether it feeds a NAT. I don't even know if there is a NAT product on the market that doesn't come with a firewall.

      He has no reason to drop the NAT, unless some of his needs (like a poorly done VoIP or videoconferencing) require that.

      It is true that a NAT is not a security device. But we still have safeties on our guns, even though they are "mechanical devices that may fail at any time" and we are not expected to depend on gun safeties. But they are just another level of protection, however small, which one day you may find very useful. When handling a gun you point it into a safe direction, set safety, unload it, open the lock, visually check the chamber, shove your finger into the port, and still you don't point the muzzle at anyone. Would you like to treat any of these steps as optional?

    13. Re:Or DirectAccess may just sink it for good... by Anonymous Coward · · Score: 0

      My problem, from your point of view, is that I'm not an elitist

      I don't really see how that is the cause of your problem. It might be nice to use as an ad hominem (look! I'm an elitist! I use non-tech jargon!), but to me it seems much more likely that your problem is caused by a lack of knowledge.

      Maybe you can get that on IPv6 and maybe you can't. I don't really know. I haven't researched it because there's not really any great need to do so.

      The IETF disagrees with your "needs assessment". If you're a network admin by profession, then you should have known about IPv6 since 1995. Maybe not in as much detail as you should know IPv4, but "I don't know about IPv6" just doesn't cut it.

      The inherent design behind IPv6 is that there are enough addresses so that everything can be set to route to everything else. Not only is this not necessary in any way, it is also the opposite of what is desired.

      Again, the IETF disagrees with you. The entire Internet and all its protocols are based on the premise of end-to-end connectivity. Break the end-to-end connectivity, break the Internet: you will get monstrosities like upnp (it doesn't deserve capitals) that are designed to punch holes in a NAT'ing device because your precious online games will not work without it. Or you get home devices that suddenly need to know the port usage of every application in existence, so that consumers only have to know the name of their program and place a checkmark next to it.

      You shouldn't be advocating NAT at all. Not as a security mechanism, but neither as a workaround for whatever limitations of IPv4. If you need to use it at all (proxying should get the job done much cheaper), then you don't talk about it. And if your response to my mentioning of a proxy was "but not all programs work through a proxy", then you have understood why "it is necessary that everything can be set to route to everything else".

    14. Re:Or DirectAccess may just sink it for good... by dodobh · · Score: 1

      s/routable/routed/

      RFC 3330 space is routable, it's just blocked by a lot of ISPs. If your ISP doesn't block this at the edge, your IPs can still be routed.

      --
      I can throw myself at the ground, and miss.
    15. Re:Or DirectAccess may just sink it for good... by Anonymous Coward · · Score: 0

      He does have a real firewall, regardless of whether it feeds a NAT. I don't even know if there is a NAT product on the market that doesn't come with a firewall.

      It doesn't matter if the NAT product comes with a firewall or not. The original argument was "I don't want IPv6 because I need NAT to keep my internal network from routing to the outside world". That argument is flawed simply because NAT (with connection tracking) does not prohibit routing from outside to the internal network. In order to prohibit routing, you need to use a firewall. And by "use a firewall", I mean "configure a firewalling device correctly", not "configure a NAT'ing device and hope that it correctly infers a firewalling configuration from my NAT settings".

      He has no reason to drop the NAT, unless some of his needs (like a poorly done VoIP or videoconferencing) require that.

      Uhm, yeah. Almost true. I assume that by "poorly done VoIP" you mean "VoIP that allows incoming calls as well as outgoing calls"? And being a business environment, I assume "his needs" do not include any file sharing applications, remote assistance, online games, or ftp?

      Bottom line: there is always a reason to drop the NAT: it is a single point of failure. You can't do line balancing with NAT, you can't migrate existing connections to another device, you can't do traffic peering. You can't even configure two devices in failover mode.

      It is true that a NAT is not a security device. But we still have safeties on our guns, even though they are "mechanical devices that may fail at any time" and we are not expected to depend on gun safeties. But they are just another level of protection, however small, which one day you may find very useful. When handling a gun you point it into a safe direction, set safety, unload it, open the lock, visually check the chamber, shove your finger into the port, and still you don't point the muzzle at anyone. Would you like to treat any of these steps as optional?

      I don't understand. Car analogy, please? You seem to be arguing "we still have airbags while we already have ABS", but I fail to see how that relates to firewalls and NAT (hint: airbags and safety pins do not impede the normal operation of the device, as for nat: see above).
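      The distinction drawn in this reply and in EndlessNameless's comment above (default-deny filtering versus address mapping), together with dodobh's routable-versus-routed point, as an added model that is not code from the thread: a stateful filter that tracks outbound flows and drops unsolicited inbound packets whether the addresses are IPv4 or IPv6, beside a NAT box that knows only about its mappings. All addresses come from the documentation ranges (10.0.0.0/8, 2001:db8::/32, 198.51.100.0/24, 203.0.113.0/24) and are assumptions for the example, as is the simplified behaviour of both boxes.

```python
"""Default-deny stateful filtering versus NAT, side by side.

Added model (not from the thread). Addresses are constructed from documentation
ranges: 10.0.0.0/8 and 2001:db8:1::/48 play the internal network, 203.0.113.1 the
NAT box's public address, 198.51.100.0/24 and 2001:db8:ffff::/48 the outside.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "lan" or "wan"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def norm(addr):
    """Canonical text form, so 2001:DB8::1 and 2001:db8:0::1 compare equal."""
    return str(ipaddress.ip_address(addr))


class StatefulFilter:
    """Stateful packet filter: outbound flows are tracked, inbound traffic is
    accepted only as a reply to a tracked flow or by an explicit allow rule.
    It never rewrites addresses and does not care which IP version they are."""

    def __init__(self, inbound_allow=()):
        self.inbound_allow = {(p, norm(a), port) for p, a, port in inbound_allow}
        self.state = set()   # (proto, inside addr, inside port, outside addr, outside port)

    def decide(self, pkt):
        """Return 'accept' or 'drop' for pkt."""
        if pkt.iface == "lan":
            self.state.add((pkt.proto, norm(pkt.src), pkt.sport, norm(pkt.dst), pkt.dport))
            return "accept"                                   # egress allowed, reply expected
        inside = (pkt.proto, norm(pkt.dst), pkt.dport, norm(pkt.src), pkt.sport)
        if inside in self.state:
            return "accept"                                   # reply to a flow we opened
        if (pkt.proto, norm(pkt.dst), pkt.dport) in self.inbound_allow:
            self.state.add(inside)                            # track the permitted service flow
            return "accept"
        return "drop"                                         # default deny, v4 or v6 alike


class NatOnly:
    """Port-translating NAT with connection tracking and no filter policy.
    forward() returns the packet as it would leave the box, or None if there is
    nowhere to deliver it."""

    def __init__(self, public_ip):
        self.public_ip = norm(public_ip)
        self.mappings = {}          # (proto, public port, remote addr, remote port) -> (inside, port)
        self.next_port = 1024

    def forward(self, pkt):
        if pkt.iface == "lan":      # outbound: rewrite the source, remember the mapping
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[(pkt.proto, port, norm(pkt.dst), pkt.dport)] = (norm(pkt.src), pkt.sport)
            return Packet("wan", pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)
        if norm(pkt.dst) == self.public_ip:                   # inbound to our own address
            hit = self.mappings.get((pkt.proto, pkt.dport, norm(pkt.src), pkt.sport))
            if hit is None:
                return None                                   # no mapping, nowhere to deliver it
            inside, iport = hit
            return Packet("lan", pkt.proto, pkt.src, pkt.sport, inside, iport)
        # Addressed straight to an internal address: translation has nothing to do,
        # and a plain router with a LAN route would forward it (routable != routed).
        return Packet("lan", pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def demo():
    """Run constructed packets through both boxes; returns the decisions."""
    fw = StatefulFilter(inbound_allow=[("tcp", "2001:db8:1::80", 443)])   # only the web host
    out = Packet("lan", "tcp", "2001:db8:1::10", 51000, "2001:db8:ffff::1", 443)
    reply = Packet("wan", "tcp", "2001:DB8:FFFF::1", 443, "2001:db8:1::10", 51000)
    rdp_probe = Packet("wan", "tcp", "2001:db8:ffff::9", 40000, "2001:db8:1::10", 3389)
    web_client = Packet("wan", "tcp", "2001:db8:ffff::9", 40001, "2001:db8:1::80", 443)

    nat = NatOnly("203.0.113.1")
    to_public = Packet("wan", "tcp", "198.51.100.7", 40002, "203.0.113.1", 3389)
    to_private = Packet("wan", "tcp", "198.51.100.7", 40003, "10.0.0.5", 3389)

    return {
        "fw_egress": fw.decide(out),
        "fw_reply": fw.decide(reply),
        "fw_unsolicited_v6": fw.decide(rdp_probe),
        "fw_allowed_service": fw.decide(web_client),
        "nat_unmapped_to_public": "dropped" if nat.forward(to_public) is None else "forwarded",
        "nat_direct_to_private": "dropped" if nat.forward(to_private) is None else "forwarded",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

      The last result is the one this reply is making: a packet addressed directly to 10.0.0.5 never touches the NAT table, so whether it is forwarded is decided by routing and filter rules, not by translation. The inbound_allow list plays the role of the DMZ rule for a published service, and the same filter gives identical answers for global IPv6 addresses, which is the point that the "unroutable addresses" argument misses.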

    16. Re:Or DirectAccess may just sink it for good... by delt0r · · Score: 1

      Think about what this technology does. It allows unsolicited connectivity into your network without audit.

      IPv6 does not permit this in any way or form. Unless you configure it that way of course. Just like IPv4.

      --
      If information wants to be free, why does my internet connection cost so much?
    17. Re:Or DirectAccess may just sink it for good... by tftp · · Score: 1

      It doesn't matter if the NAT product comes with a firewall or not. [...] In order to prohibit routing, you need to use a firewall.

      So it does really matter if the NAT comes with a firewall. And most (if not all) NATs do. No reason to argue a case that doesn't exist - firewalls are there.

      I assume that by "poorly done VoIP" you mean "VoIP that allows incoming calls as well as outgoing calls"?

      You need a SIP server anyway, unless you want all your phones to register at some myfreesipregistrar.com. I'm not aware of many businesses that dare to do that. And once you get that server (such as *) you can have your routing also, at the same place, be it SIP, IAX, H.323, T1/E1, POTS and anything else that you, hopefully, have. It will do all the permissions, accounting and more. So again this is a hypothetical situation that doesn't (or shouldn't) exist.

      And being a business environment, I assume "his needs" do not include any file sharing applications, remote assistance, online games, or ftp?

      Correct, naturally. Those are security and legal liabilities, if the mere fact of them being not related to the company's business is not enough.

      there is always a reason to drop the NAT: it is a single point of failure

      Failure of a NAT box is a rare, if not unheard of cause of a major downtime - at least because the box is easy to swap out, like any router or a switch. But if you have an Oracle or MySQL issue - that's when your site goes down and stays down. Fighting a nonexistent problem is rarely productive.

      You seem to be arguing "we still have airbags while we already have ABS", but I fail to see how that relates to firewalls and NAT

      The LAN behind the NAT box can't be [easily] accessed unless there is some NAT mapping. So when you combine a real firewall and a NAT "firewall" you get two chances, not one, to stop the bad packet. Since those are two different technologies, they complement each other, and a stupid error in the configuration of the external firewall will only allow the attacker to pound on a closed, non-routing port of the NAT box. People who argue that "a NAT doesn't offer any advantages over a proper firewall" just assume that the "proper firewall" is always perfectly configured and has no bugs.

      Experienced sysadmins prefer multiple layers of isolation because they are not paid to promote connectivity - they are specifically paid to promote lack of connectivity, with rare exceptions made when a business case for them exists. Some businesses that I know of completely forbid workstations from talking to the internet gateway, regardless of what it is. You have your Squid running and you run filtering, access controls and logging there, if that needs to be for legal purposes. You have your SIP or H.323 server. You have your mail server, and DHCP/DNS for your local needs. All these servers have interfaces on the LAN - say, 10.0.0.0/8. The Internet gateway may not even be on the physical cable that goes into the cubicle farm. The reason for that? The workstations have no business reason to access Internet hosts directly. If you need HTTP, there is a proxy for that, and mind that everything is logged.

    18. Re:Or DirectAccess may just sink it for good... by Anonymous Coward · · Score: 0

      You're using NAT as a method of access control, which is not what it was designed for.

      Sure, originally. But it turns out that it's useful for other things, too. E.g., RFC 2663, the updated NAT RFC, specifically talks about access control:

      Funny, I read that RFC quite differently. Quoting from that RFC (emphasis mine):

      The NAT function cannot by itself support all applications transparently and often must co-exist with application level gateways (ALGs) for this reason

      IPsec techniques which are intended to preserve the endpoint addresses of an IP packet will not work with NAT enroute for most applications in practice.

      There are two areas, however, where NAT devices often cause difficulties: 1) when an application payload includes an IP address, and 2) when end-to-end security is needed.

      NAT is compute intensive even with the help of a clever checksum adjustment algorithm

      Could you please quote the part where that RFC specifically mentions/endorses/recommends using NAT for access control, because I couldn't find it...

    19. Re:Or DirectAccess may just sink it for good... by EndlessNameless · · Score: 1

      //NAT gives you the same thing: addresses that are non-routable outside of your network. Using it becomes simpler.//

      I believe I clarified what I meant later in my post: his argument boils down to security through laziness. It's trivial (both in the presence or absence of NAT) to set up ACLs for devices or subnets which have no legitimate need for inbound connections. NAT happens to give you the equivalent of a free line or two you might otherwise need to type.
       
      //Yeah, sure, but X rules out an entire class of human error.//

      If people want to use equipment and practices that cater to a plug-and-play or "set it and forget it" mindset, that's fine. But the OP blowing up because IPv6 may take away a dirty little shortcut is still grossly stupid. We have a real security method that offers the same (or better) protections.

      To bring this back into my original point about competence; assuming network connectivity and security is his job, he should be aware of configuration details and diligent enough to check them. If he doesn't know his DHCP address pools and how to set up ACLs for them he's not a competent network engineer (or whatever title is in vogue these days). ACLs may be a pain, but that's the job.

      tl;dr - A hacktastic shortcut is going away. There's no need for him to QQ about it while accusing people who can cope of being "elitist".

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    20. Re:Or DirectAccess may just sink it for good... by Anonymous Coward · · Score: 0

      Hey, those are really creative quote tags that you've come up with.

    21. Re:Or DirectAccess may just sink it for good... by ckaminski · · Score: 1

      Maybe you can get that on IPv6 and maybe you can't. I don't really know. I haven't researched it because there's not really any great need to do so. The inherent design behind IPv6 is that there are enough addresses so that everything can be set to route to everything else. Not only is this not necessary in any way, it is also the opposite of what is desired.

      http://en.wikipedia.org/wiki/Private_network#Private_IPv6_networks

      IPv6 supports private networks. But your last statement, "it is also the opposite of what is desired" - I disagree. I would rather have all my IPs available on the internet and have a bridging firewall to filter access or set up VPN. There is a large pool of people who would rather do without the vast headaches that using NAT brings to network topology.

    22. Re:Or DirectAccess may just sink it for good... by GravityStar · · Score: 1

      NAT is not part of your security perimeter. Any attempt to treat it like it is a part of the security perimeter puts you in the wrong mindset and will result in failure. BTW, your analogy fails. So there.

    23. Re:Or DirectAccess may just sink it for good... by BobMcD · · Score: 1

      I have multiple layers of firewall, an application-layer proxy, and other security goodies. I once designed a randomizing tarpit that would bluescreen packetscanners. It was quite a collaboration on the old mailing list. SANS has received thousands of my dollars, and I get their newsletter almost daily. Been there, done that. I still like having the workstations behind NAT. Your namecalling does nothing to convince anyone about anything. I've lived enough years that I don't really care what labels you'd like to pin on me. I know what works and what doesn't, and I know a worthless argument when I see one.

      You're proposing security by virtue of laziness---and neglecting other security features, to boot.

      So only security efforts that require a lot of training and use of a lot of features have any merit.

      You're using NAT as a method of access control, which is not what it was designed for.

      More labels. Nmap wasn't designed to tell me when one of my servers goes offline. I guess I should disable that script, then. We never use things for things they're not designed, and hacking is a figment.

      In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

      As a part of a layered approach, it does quite well. It makes a great many things that much more secure. Alone in the wild, as you're assuming so you can have something useful to attack, you might have a point. But just because it isn't enough all by itself that doesn't deplete its value. E.g. patching.

      In short, the control NAT gives you is illusory and meaningless.

      Excellent opinion. I asked for facts.

      You have a far greater degree of control with a real firewall---regardless of whether it uses NAT.

      So NAT might be good, or it might be bad, but you've lost track because you're having a good time making yourself look tough online. Gotcha.

      Get a real security implementation going and quit QQing about this new-fangled intarweb.

      Do the security world a favor and unplug your keyboard. Arguments like these do nothing to help anyone ever. Unless typing all this somehow made you FEEL BETTER, I'm actually at a loss as to why you'd do it. You offer no facts, no technical detail, and can only point to detractions where NAT is alone in its implementation.

      I gave you a chance, and you demonstrated you have nothing to offer but more elitism. Thanks anyway, I guess.

    24. Re:Or DirectAccess may just sink it for good... by Adm.Wiggin · · Score: 1

      Whatever software you're using for VPN right now (OpenVPN, etc.), just use that. If it already has IPv6 support, then you're good to go. iptables supports it, and if you have a firewall on the "corporate net", then filtering IPv6 is just as easy as filtering IPv4, except with longer addresses. Nothing has to change except the addressing (and a few bits of code underneath the surface, obviously).

    25. Re:Or DirectAccess may just sink it for good... by Adm.Wiggin · · Score: 1

      With the tl;dr being: if DirectAccess doesn't do what you want, don't use it, use something else.

    26. Re:Or DirectAccess may just sink it for good... by Bengie · · Score: 1

      NATs only protect from unexpected incoming connections. If your computer is already infected, it can still connect out. NAT does not give almost any extra security. At this point, it's not about people breaking into your computer, but you willingly giving the keys over and not making sure they can't walk out with your data.

      Yes, NATs do keep people from port scanning you to probe you for back-door trojans or security vulnerabilities, but how many people are going to be port scanning 128-bit IP addresses? It is feasible for a bot net to port scan through the IPv4 range, but 1,000,000 computers each scanning 10,000 IP/sec on JUST the /64 block assigned to you would take on average almost 300 years to find your local IP. Obviously this would be reduced per computer on your local network, but even then, if you had 300 computers on your local network it would still take about 1 year for those million computers to land on a live IP.

      How many bot-net operators are going to dedicate 1 million bots for 300 years trying to port scan your IP range to see if they can hack YOUR computer?.....

      You go on the average person's computer and run a spyware scanner to find 10 different trojans installed, the NAT isn't going to do shit.

    27. Re:Or DirectAccess may just sink it for good... by tftp · · Score: 1

      NATs only protect from unexpected incoming connections.

      And I accept this small help with gratitude.

      If your computer is already infected, it can still connect out.

      The firewall is a marginal help here if the virus connects out using HTTP. It will even breeze through your proxy, unless you happen to have a rule for that specific server (good luck with whack-a-mole.) And if the virus starts sending spam through your own SMTP server, it is just as legitimate as the user. The firewall will block the internal SMTP server of the virus itself, though, but that is a very common thing to do anyway - we aren't discussing here the strawman case of running a NAT without a firewall. NAT on Linux is part of the firewall package, not the other way around.

      how many people are going to be port scanning 128bit IP addresses?

      Plenty, since you can always use DNS to find an address of your target host. Why even would anyone want to scan *all* devices that may be out there, be it IPv4 or IPv6? Attackers typically have some purpose in mind, not [just] the childish desire to hack *some* host. So if anyone wants to attack *.example.com he just issues 'host -l -t any example.com' and proceeds from there.

      So the point here is just that once you get a virus on your computer, the virus can do anything that you can do. The firewall is not a factor here. If you can send mail then the virus can; if you can browse the Web then the virus can; and so on.

      The worst case for businesses is a bot that sits on a PC and slowly, using very little bandwidth, by small HTTP POST requests, reports files that the PC has access to. The herder of the bot can then place instructions on a certain Web site, and then the bot notices that and uploads the interesting files onto some other site, like GMail. None of that activity can be prevented by any firewall, unless the user is also forbidden to do it. And good luck blocking GMail in any business *and* retaining employees.

      So firewalls and NATs are orthogonal to this problem. All they do is reduce the chance of getting the virus (or being rooted) in the first place, and that's the most important part of the battle. Once you get the virus the game is lost. Imagine a virus that, if it can't get out of the LAN, will "get angry" and start corrupting random files on network drives! The attack may be noticed only many backup cycles later, when the original tapes are overwritten.

    28. Re:Or DirectAccess may just sink it for good... by Bengie · · Score: 1

      "NATs only protect from unexpected incoming connections."

      "And I accept this small help with gratitude."

      if you're using a firewall, then this is useless.

      The ONLY thing NAT is good for is a "default" block for incoming connections, which is standard on any decent software/hardware firewall. The average user will already have the default block on incoming anyway via Vista/Win7 and any competent computer user could easily have a hardware firewall followed by a linux firewall(packet shaping also) followed by the ACL on your switch followed by the software firewall on your OS which can also filter on application level. In the end it makes no difference to the average user and is just a headache for a competent user.

      Using a NAT for security is like you being thirsty and a stranger spits in your mouth and you say "Well, that's better than nothing"

      "Plenty, since you can always use DNS to find an address of your target host. Why even would anyone want to scan *all* devices that may be out there, be it IPv4 or IPv6? Attackers typically have some purpose in mind, not [just] the childish desire to hack *some* host. So if anyone wants to attack *.example.com he just issues 'host -l -t any example.com' and proceeds from there."

      Do they still do that with IPv6? Could you DoS your ISP's DNS by allocating all 18.4 quintillion IPs in your /64? Wouldn't even have to actually use them, just pretend to use it. Your ISP won't be assigning your IPs anymore with IPv6, just your subnet. Just storing all those IPs in hex format would take 562,949,953,421,312GB of storage for ONE customer. I'm not sure how your ISP plans to have a DNS entry for all of those.

      Anyway, since your ISP won't be assigning your IP in your /64, how do they plan to put in a DNS entry for it? Right now they assign the IP directly to the cable/dsl modem which is then mapped to DNS, but when they start assigning subnets to dsl/cable modem, how do they plan to track which IPs you use? Yes, you get a *default* IP that is generated by the client, but you can also manually assign the IP if you so choose.

      If you're talking about companies, well it doesn't matter since they should all have proper firewalls via their network admins.

      Since NATs will be virtually useless once IPv6 becomes mainstream, I'm sure network companies will start selling actual firewalls instead. They'll probably mimic NATs with a default block for incoming traffic and require exceptions to come in.
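      An added worked example (editor's code, not from any poster in this thread) on the two claims made in comments 26 and 28 above: that a /64 is too large to scan, and that the host's "default" IPv6 address is generated by the client itself. Both depend on how the interface identifier is generated. With stateless autoconfiguration using the EUI-64 scheme (RFC 4291, Appendix A), the identifier is derived from the MAC address, carries a fixed 0xFFFE marker, and embeds the vendor OUI; an attacker who knows the OUI only has to guess the remaining 24 bits. The block below builds such an address, recovers the MAC from it (a useful check against your own hosts), and recomputes the scan-time estimate with the figures used in comment 26 (10^6 bots at 10^4 probes/s each) for both a random 64-bit identifier and an EUI-64 identifier with a known OUI. The MAC 00:11:22:33:44:55 and the documentation prefix 2001:db8::/64 are constructed sample input. Random interface identifiers (which Windows Vista and 7 use by default) or RFC 4941 temporary addresses restore the large search space; EUI-64 addresses and sequential static assignments like ::1, ::2 do not.

```python
import ipaddress

SECONDS_PER_YEAR = 365.25 * 86400


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a
    48-bit MAC: split the MAC after the 24-bit OUI, insert 0xFFFE, and
    invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host self-configures from an advertised /64 and its MAC when it
    uses EUI-64 (rather than random or temporary) interface identifiers."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; need a /64")
    addr = ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))
    return addr.compressed  # RFC 5952 text form


def looks_eui64(address: str) -> bool:
    """Defender's check: does the interface identifier carry the 0xFFFE marker,
    i.e. does this address leak the host's MAC (OUI included)?"""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(address: str) -> str:
    """Recover the MAC from an EUI-64 address (inverse of eui64_interface_id)."""
    if not looks_eui64(address):
        raise ValueError("interface identifier is not EUI-64 derived")
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    eui = bytearray(iid.to_bytes(8, "big"))
    eui[0] ^= 0x02                      # undo the U/L bit flip
    mac = eui[:3] + eui[5:]             # drop the inserted ff:fe
    return ":".join(f"{b:02x}" for b in mac)


def expected_seconds_to_hit(search_space: int, live_hosts: int,
                            bots: int, probes_per_bot_per_s: int) -> float:
    """Expected time for a uniform random scan over `search_space` candidate
    identifiers to land on one of `live_hosts` live addresses: about S/n probes,
    spread over bots * probes_per_bot_per_s probes per second."""
    if live_hosts < 1 or bots < 1 or probes_per_bot_per_s < 1:
        raise ValueError("need at least one live host, one bot and one probe/s")
    probes = search_space / live_hosts
    return probes / (bots * probes_per_bot_per_s)


def scan_comparison(live_hosts: int, bots: int = 1_000_000,
                    probes_per_bot_per_s: int = 10_000) -> dict:
    """Random 64-bit identifiers versus EUI-64 identifiers whose OUI the attacker
    already knows (only the 24 device-specific bits remain to be guessed)."""
    return {
        "random_iid_years": expected_seconds_to_hit(
            2 ** 64, live_hosts, bots, probes_per_bot_per_s) / SECONDS_PER_YEAR,
        "eui64_known_oui_seconds": expected_seconds_to_hit(
            2 ** 24, live_hosts, bots, probes_per_bot_per_s),
    }


if __name__ == "__main__":
    # Constructed sample input: documentation prefix and an arbitrary MAC.
    mac = "00:11:22:33:44:55"
    addr = slaac_address("2001:db8::/64", mac)
    print(addr, looks_eui64(addr), mac_from_eui64(addr))
    for hosts in (1, 300):
        print(hosts, scan_comparison(hosts))
```

      Run against `ip -6 addr` or `netsh interface ipv6 show addresses` output, `looks_eui64` tells you which of your hosts advertise MAC-derived identifiers; those are the ones for which the "nobody can scan a /64" argument does not hold.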

    29. Re:Or DirectAccess may just sink it for good... by tftp · · Score: 1

      Could you DoS your ISP's DNS by allocating all 18.4 quintillion IPs in your /64?

      You could, but if the ISP charges you for each DNS entry then the ISP can afford a Google-sized farm to host your DNS :-) Most likely the ISP will simply give a few entries for free, and you pay if you exceed that quota.

      Your ISP won't be assigning your IPs anymore with IPv6, just your subnet.

      That's already the case with my IPv4 ISP. I have my own, small subnet, and it's up to me to pick addresses that I want to use today.

      when they start assigning subnets to dsl/cable modem, how do they plan to track which IPs you use?

      In my case, the ISP doesn't care - they sold me the service for a small business, and they only worry that all packets are routed correctly.

      In case of a residential user, the subnet allocated to each DSL modem will be very small (like one IP address) and they will be expanding it for a small fee of $10 per IP per month. It costs them real money, you know, to maintain your additional IPs :-)

      but you can also manually assign the IP if you so choose.

      That would require new management at Comcast and its sister monopolies. Most likely you indeed can assign any IP address to your box, but packets with that IP address will get nowhere.

      They'll probably mimic NATs with a default block for incoming traffic and require exceptions to come in.

      Indeed; I only think they will configure this firewall to block both directions of traffic, and most ports, and most protocols too if they can get away with it. Then you will be paying for removal of those artificial restrictions. That's why I use a business ISP - they don't nickel-and-dime you, and you always get what you paid for.

      Since NATs will be virtually useless once IPv6 becomes mainstream, I'm sure network companies will start selling actual firewalls instead.

      Yes, NAT would be of not much value on IPv6; I guess you still could use it if you really want, but when you have a huge subnet, one of major reasons to have a NAT just disappears.

      However it will be a painful process to upgrade to IPv6. There are many devices that simply can't do IPv6 - all the "small boxes", for example, industrial controllers, test equipment, automation, and everything else that is not a PC. But even not all PCs (Win98/2k/XP) can be easily switched to IPv6. And it will require new, IPv6-enabled applications... lots of trouble. Many people will just choose to use a bridge (doing simple IP address rewrite using a static map,) this will allow them to keep their LAN on IPv4, using whatever subnet they got. In many cases conversion to IPv6 is just impossible - consider a lab full of test equipment, each unit costs $50K and above, and each runs Win98 (they do, really) and the amortization period ends in 2020.

    30. Re:Or DirectAccess may just sink it for good... by Bengie · · Score: 1

      Could you DoS your ISP's DNS by allocating all 18.4 quintillion IPs in your /64?

      You could, but if the ISP charges you for each DNS entry then the ISP can afford a Google-sized farm to host your DNS :-) Most likely the ISP will simply give a few entries for free, and you pay if you exceed that quota.

      What? Your ISP only assigns your subnet. What you do with your /64 is up to you. You can use all the IPs or not, but I highly doubt your ISP is going to go through the trouble to have a DNS entry for every possible IP their customers may use, or for that fact to see what IPs their customers use; they would either have to port scan your network or passively watch traffic coming from your network and figure out which ones to map.

      What you talked about was you *buy* IPs/subnets from your ISP and they know you have a few IPs and can easily map EVERY IP in your subnet (probably automated), but with IPv6, they can't tell which IPs you're using and automating the process could cause a DoS.

      but you can also manually assign the IP if you so choose.

      That would require new management at Comcast and its sister monopolies. Most likely you indeed can assign any IP address to your box, but packets with that IP address will get nowhere.

      Uhhh.. What? They don't need to do shit on their side. Let's say you get 1234:5678:9ABC:DEF1/64 assigned to you. Someone sends a packet to 1234:5678:9ABC:DEF1::1. Your ISP only sees "1234:5678:9ABC:DEF1" and routes that packet to you. Your DSL/Cable modem drops said packet on your switch and broadcasts it. All the computers see that packet, but one actually replies and now your modem knows which MAC address currently has that IP. EVERY TCP/IP device works this way.

      Your ISP has NOTHING to do with your IP, just your subnet. The difference is you buy a /4 subnet and your ISP goes "hey, we can map that to DNS". Now you get a /64 and your ISP goes "Holy SHIT batman!"

      I guess I could see your modem's ARP table going crazy, but usually ARP is like 30sec TTL, so just put a decent router between your cable modem and your network and now you can handle a lot more devices and maybe set up your router with a longer TTL to reduce broadcasting.

      They'll probably mimic NATs with a default block for incoming traffic and require exceptions to come in.

      Indeed; I only think they will configure this firewall to block both directions of traffic, and most ports, and most protocols too if they can get away with it. Then you will be paying for removal of those artificial restrictions. That's why I use a business ISP - they don't nickel-and-dime you, and you always get what you paid for.

      Paying Cisco/Linksys/Netgear/DLink/Belkin/etc to remove "artificial restrictions" they place on the firewall your bought from Newegg/BestBuy/etc? WTF you smoking?

      Since NATs will be virtually useless once IPv6 becomes mainstream, I'm sure network companies will start selling actual firewalls instead.

      Yes, NAT would be of not much value on IPv6; I guess you still could use it if you really want, but when you have a huge subnet, one of major reasons to have a NAT just disappears.

      However it will be a painful process to upgrade to IPv6. There are many devices that simply can't do IPv6 - all the "small boxes", for example, industrial controllers, test equipment, automation, and everything else that is not a PC. But even not all PCs (Win98/2k/XP) can be easily switched to IPv6. And it will require new, IPv6-enabled applications... lots of trouble. Many people will just choose to use a bridge (doing simple IP address rewrite using a static map,) this will allow them to keep their LAN on IPv4, using whatever subnet they got. In many cases conversion to IPv6 is just impossible - consider a lab full of test equipment, each unit costs $50K and above, and

    31. Re:Or DirectAccess may just sink it for good... by tftp · · Score: 1

      What you talked about was your *buy* IPs/subnets from your ISP and they know you have a few IPs and can easily map EVERY IP in your subnet (probably automated)

      Your DNS service often has nothing to do with your ISP. Typically your domain registrar offers DNS, and you buy ISP services from anyone. You cannot create DNS records "automatically" because the content of each record (such as host name, for example) comes from you. My ISP does not run my DNS; I never even asked them about that service.

      Lets say you get 1234:5678:9ABC:DEF1/64 assigned to you. Someone sends a packets to 1234:5678:9ABC:DEF1::1. Your ISP only see "1234:5678:9ABC:DEF1" and routes that packet to you.

      In an ideal world only, where IP works as it should. However if a for-profit, residential service ISP allocates /64 just because the IPv6 standard says so, nothing stops it from activating a firewall in their DSL/Cable modem that only allows one IP out of that subnet to go in and out. There is no law against that, as long as they sold you one IP address. ISPs do that already, and charge extra for more IP addresses. This is not related to short supply of IP addresses, it's just a profit center.

      Paying Cisco/Linksys/Netgear/DLink/Belkin/etc to remove "artificial restrictions" they place on the firewall your bought from Newegg/BestBuy/etc?

      Firstly, your ISP may be owning and administering the DSL/Cable box. My router is managed by the ISP (but there is no firewall in it, I have my own.) Secondly, nothing stops the ISP from allowing only "purchased" IP addresses on their end. Solutions are always found when money is involved.

      If it's worth enough to them, they'll find a work around and they can stop bitching that they shot themselves in the foot or bought a bad product. Just because it's worth $50k, doesn't mean it's good.

      Perhaps so, but spectrum analyzers and oscilloscopes are not bought for their future network capabilities, they are bought for their performance as test equipment. They also have very long amortization period - ten years is common, due to their astronomical cost. Once you put them into an automated system you are pretty much locked into this solution because replacement is not financially possible, unless you find a $1 million on a sidewalk one day. If you look at production lines (which I did,) they are stuffed to the ceiling with legacy equipment.

      Also, you say "If it's worth enough to them" - it won't be, because IPv6 is not wanted in so many businesses... because their networks are already built out of IPv4-only equipment, running IPv4-only software, and everything works fine. I think a huge number of existing networks will be simply using a 6to4 gateway or something similar.

      But you can expect IPv6 to be growing fast on home networks, where ISPs simply ship the provisioned router to the LAN owner. The ability to sell several *usable* IP addresses is also a hot deal for an ISP; besides, without NAT you *need* one IP per host. On a home LAN you can expect all hosts to be IPv6-capable (Vista and Win7, not even mentioning *BSD and Linux.)

    32. Re:Or DirectAccess may just sink it for good... by Anonymous Coward · · Score: 0

      You cannot create DNS records "automatically" because the content of each record (such as host name, for example) comes from you.

      Your ISP can, and many do, assign a hostname to your IP. My ISP (Virgin Media, in the UK) does for a residential cable internet connection. Perhaps you should try doing a reverse DNS lookup on your home connection's IP address.

      My ISP does not run my DNS; I never even asked them about that service.

      Maybe so, but that needn't stop them putting a default entry in for the IP they give you.

  20. Hehe, I didn't even know I had native ipv6 by _GNU_ · · Score: 1

    until I installed Windows 7 and it got an IPv6 address automatically without a hitch.. (only used straight XP boxes and a FreeBSD with static IPv4 IP before)

    Apparently my isp has been doing native ipv6 for almost a year now and it works like a charm.. for ipv6 enabled sites and services that is. ;)

    (Bahnhof in Sweden)

    1. Re:Hehe, I didn't even know I had native ipv6 by SwedishPenguin · · Score: 1

      I'm using Bahnhof as well, but I had no idea they had IPv6 now (I'm using Arch, so not much is configured for me unless I do it myself ;)). I did some poking around a few years ago, none of the ISPs seemed to have any interest or plans for configuring IPv6, including Bahnhof.

  21. Will ISP give more then one IPv6 IP? or will they by Joe+The+Dragon · · Score: 1

    Will ISPs give more than one IPv6 IP? Or will they make you pay? Comcast may want $5 per PC.

    also how many DSL and cable modems even can do IPv6? how many rented ones? routers? cable phone and HSI modems (that are forced rented?)

  22. Either that... by roc97007 · · Score: 3, Insightful

    ...or DirectAccess will be a dead feature because it requires a protocol that few want to support.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  23. Might as well rename Slashdot -- by dwiget001 · · Score: 1

    -- three Microsoft related stories out of four.

    I hereby dub Slashdot "Microdot!"

    Oh, wait....

    1. Re:Might as well rename Slashdot -- by Pigskin-Referee · · Score: 1

      -- three Microsoft related stories out of four.

      I hereby dub Slashdot "Microdot!"

      Oh, wait....

      Let's be reasonable. The overwhelming majority of readers/posters to Slashdot are virulently anti-Microsoft enthusiasts. They would never attack open-source, or as it is commonly referred to in Microsoft forums, 'open-sore' software. If they are not attacking Microsoft then they are probably in the corner beating off.

      --
      Pigskin-Referee
      Linux: Yesterday's technology, tomorrow ...
  24. Re:Will ISP give more then one IPv6 IP? or will th by orospakr · · Score: 1

    The modems are layer 2 and below devices. They don't know or care.

    Routers are the real problem as far as customer premise equipment goes; however, the relevant functionality is typically in software on most consumer routers. Ostensibly this means that manufacturers can release a firmware upgrade.

    I find that the turnover on those router boxes is rather high, so I suspect that newer routers will ship with it and the problem will slowly go away.

  25. Not localhost by SuperKendall · · Score: 1

    0:0:0:0:0:0:0:1

    or ::1 shorthand.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  26. Hopefully not by Anonymous Coward · · Score: 0

    IPv6 is eeeevuuuul. If this feature is a killer feature for IPv6 then i wish the fate of Vista to Windows 7

  27. From the article: by Tubal-Cain · · Score: 2, Funny

    IPv6, with its 128-bit addresses and the resulting astronautical address range seemed the perfect answer.

  28. Re:Lisa Vaas? by Esther+Schindler · · Score: 1

    Yeah, we wimmin shouldn't oughta write about tech stuff. It just remind youze guys how much smarter than you we iz. And makes youze cry. ::Removing tongue from cheek with prybar::

  29. Wonder why by Sets_Chaos · · Score: 1

    I wonder why no one has asked; does i4i make the whole world blind?

  30. I fixed it for 'ya by PNutts · · Score: 1

    "According to this article at IT Expert Voice, Desktop and Linux: Useful at Last?, we've had so many predictions that this will be 'the year of Linux on the Desktop' that most of us have stopped listening. But Ubuntu may have new life breathed into it because Ubuntu is a requirement for my mom."

    I kid, I kid.

  31. DirectAccess by mysidia · · Score: 1
    Article says:

    One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet

    It will be a cold day in Hell before I plug a Windows system in both outside and inside the firewall.

    Seriously, is Microsoft suggesting you hang pwn me signs on your servers too?

    To be clear: best practice has been and always will be to place a firewall between all your servers and the internet.

    It would make more sense if the requirement was to plug one NIC into a trusted DMZ for remote access users to attach to (and gain slightly-elevated privileges), and another NIC into a less-trusted DMZ, to accept only valid DirectAccess traffic.

  32. Re:Will ISP give more then one IPv6 IP? or will th by Fenris+Ulf · · Score: 1

    Comcast will give out /64s from what I recall. That's the smallest allowed network size for most IPv6 tools (radvd etc).

    That leaves 2**64 addresses for your home network, or just let your hosts auto-create their local address which is the default config.

  33. oh yeah those guys... by g4b · · Score: 1

    I tried to help those iPhone guys, by sending them the contact of the SE guys, who implemented that feature even on my cheap little walkmanmobile, ... but all they got was sms with garbage vcard code...

  34. Re:Will ISP give more then one IPv6 IP? or will th by j+h+woodyatt · · Score: 1

    Last I checked, their IPv6 trial networks were handing out prefixes shorter than /64. I'm predicting either /56 or /60 myself.

    --
    jhw
  35. Home group by golfbum · · Score: 1

    a feature of Win7 requires IPV6. gb

  36. IPv6 sucks monkey bawls by jackspenn · · Score: 1
    There are several reasons I think IP6 sucks:
    1. It uses ":" as the separator, which is stupid, given some scripts and files use ":" as a delimiter. Using a colon is retarded, period.
    2. It is hexadecimal and long, which makes it hard for us humans to remember it. What is easier? 192.168.65.54 or e80::212:f0ff:fe90:a7ae
    3. Familiar tools and apps don't work with it.
    4. We already have a simple solution, IP4 with NAT. It works great.
    --
    Respect the Constitution
    1. Re:IPv6 sucks monkey bawls by Anonymous Coward · · Score: 2, Insightful

      1/2. would you prefer 192.168.127.123.67.88.76.44.246.254.65.183?

      3. I have no solution for that.

      4. For suitably small values of "works". NAT breaks a lot of stuff, adds needless complexity (annoying hacks such as UDP hole punching and the like) and merely trades one addressing limit (2^32 IP addresses) for another (2^16 ports).

    2. Re:IPv6 sucks monkey bawls by Ksevio · · Score: 2, Insightful

      We already have a simple solution, IP4 with NAT. It works great.

      I take it you've never had to program any application that needs peer to peer communications then?

    3. Re:IPv6 sucks monkey bawls by FlyingGuy · · Score: 1

      Actually I would prefer 1192.2168.3548.1256 rather than that asshat solution called IPv6. Hex?! Hex?! What a bunch of fucktards!

      --
      Hey KID! Yeah you, get the fuck off my lawn!
    4. Re:IPv6 sucks monkey bawls by Bengie · · Score: 1

      sounds like either a troll or someone is afraid of change, even when it's much better.

  37. VPN is easy by Anonymous+Struct · · Score: 1

    Good, simple VPN solutions are a commodity nowadays. VPN is easy to do, easy to manage, easy to deploy. DirectAccess does let you be 'on the network' at boot time, but outside of that, it's just a more complicated and vendor and version specific way to do something that is already cheap and easy to do in a universal, vendor-neutral way.

  38. Quick Question by camperdave · · Score: 1

    Quick question re: IPv6. Those groups of four hex characters, is there an "official" name for them? I call them quads.

    --
    When our name is on the back of your car, we're behind you all the way!
  39. Re:Will ISP give more than one IPv6 IP? or will th by Anonymous Coward · · Score: 0

    Well I get up to 5 (dynamic) IPv4 addresses included with my 100/100 fiber connection (for about 40 EUR), so I would be very surprised if they charged extra for multiple IPv6 addresses. ;)

  40. No, just typical Microsoft: by azrider · · Score: 1
    Did anybody notice this:

    If you are already using Windows 7's IPv6 on a network with other operating systems using the protocol, you may run into some compatibility problems. The root of this is that Windows 7 handles IPv6 auto-configuration with the Neighbor Discovery Protocol (NDP) in a manner that's not quite the same as how the RFC standards prescribe it.

    Or this:

    You should also keep in mind that while you can join a HomeGroup with any edition of Windows 7, you can only create one in Home Premium, Professional, Ultimate, or Enterprise. So, in short, you can't use it as a drop-in replacement for an existing Windows XP peer-to-peer Workgroup network in which every PC shares all its resources with the others.

    And, even better:

    Some users who've already been using IPv4 may also have trouble turning IPv6 on for their HomeGroup. Typically, this is what happens: they try to enable IPv6 by opening Network Connections in the Control Panel, right-clicking the adapter, and clicking properties. Under "Local Area Connection Status" they see:
    IPv4 Connectivity: Internet
    IPv6 Connectivity: No network access
    If that happens to you, you probably need to manually set up IPv6. This is done, according to Microsoft, with the following steps:
    1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.

    So, to get normal functionality for a HomeGroup, they have to edit the Registry.

    Embrace, Extend, Extinguish anybody?

    --
    And ye shall know the truth, and the truth shall make you free.
    John 8:32(King James Version)
    1. Re:No, just typical Microsoft: by Anpheus · · Score: 1

      No, there's no IPv6 access because they don't have an IPv6 router. Duh.

      I get the same thing on Windows 7 Super Premium Edition, and Windows Server 2008 R2 Ultra Awesome Edition. Because we don't have IPv6 routing, we have no internet access. Seems simple enough to me. :/

      When Windows says "IPv4 Connectivity: Internet", they're serious. You can access, or at least appear to be able to access, the internet using that connection. No network access means you can't reach the internet and it's unsure that it's configured correctly. You can still ping anything locally using link-local IPv6, or set up Teredo, or do half a dozen other things to enable IPv6.

    2. Re:No, just typical Microsoft: by bruce_the_loon · · Score: 2, Informative

      FUD, glorious FUD.

      You do not need Homegroups to make sharing work. It just makes it easier. The older technique of keeping the passwords synced across the machines is still operational.

      And someone has already answered the IPv6 no internet connectivity FUD as well.

      --
      Trying to become famous by taking photos. Visit my homepage please.
  41. Re:Will ISP give more than one IPv6 IP? or will th by Bengie · · Score: 1

    Last I read, which was a few years back, only the first 64 bits of the 128-bit address space are actually assigned. The other 64 bits of the space are for the end user to use. This may have changed, not sure.

  42. Re:Will ISP give more than one IPv6 IP? or will th by Bengie · · Score: 1

    I found this while looking around

    "Globally addressable IPv6 unicast addresses are in the IPv6 Global Unicast Address Format which has a three level hierarchy that includes a Public Topology (the 48 bit external routing prefix), a Site Topology (typically a 16 bit subnet number), and an Interface Identifier (typically an automatically generated 64 bit number unique at least on the local LAN segment)."

    From what I'm reading, the first 48 bits are routing info, so like to the local ISP segment; if I remember correctly, this part is based on geographical locations. The next 16 bits are for the ISP to subnet for that location. The last 64 bits are for the local "LAN" aka end user??

    yes? no?

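Working through the address layout quoted above, as an added example that is not from this thread or any of its posters: Python that splits an IPv6 address into the 48-bit routing prefix, 16-bit subnet ID and 64-bit interface identifier, counts the addresses an ISP hands over with a /64 or /48, and flags interface identifiers that were built from a MAC address (modified EUI-64), which is what a defender checks before assuming the "automatically generated" half says nothing about the host. The sample address is constructed under the 2001:db8 documentation prefix.

```python
import ipaddress

# Three-level hierarchy from the Global Unicast Address Format quoted above:
# 48-bit routing prefix | 16-bit subnet ID | 64-bit interface identifier.
PREFIX_BITS, SUBNET_BITS, IID_BITS = 48, 16, 64


def decompose(addr_text):
    """Return (routing_prefix, subnet_id, interface_id) as integers.

    ipaddress.IPv6Address expands '::' and dropped leading zeros, so the
    textual form can be as compressed as the poster likes."""
    value = int(ipaddress.IPv6Address(addr_text))
    iid = value & ((1 << IID_BITS) - 1)
    subnet = (value >> IID_BITS) & ((1 << SUBNET_BITS) - 1)
    prefix = value >> (IID_BITS + SUBNET_BITS)
    return prefix, subnet, iid


def addresses_in_prefix(prefix_len):
    """Number of addresses in a /prefix_len allocation (a /64 is 2**64)."""
    return 1 << (128 - prefix_len)


def mac_from_eui64(iid):
    """If the 64-bit interface identifier is a modified EUI-64 (0xfffe
    inserted between the two MAC halves, universal/local bit flipped),
    recover the 48-bit MAC it encodes; otherwise return None.

    A non-None result means the host is advertising its hardware address
    in every packet instead of using a privacy (temporary) address."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    first = b[0] ^ 0x02                      # undo the U/L bit flip
    mac = bytes([first]) + b[1:3] + b[5:8]   # drop the ff:fe filler
    return ":".join(f"{x:02x}" for x in mac)


# Constructed sample: documentation prefix 2001:db8::/32, subnet 1, and an
# EUI-64-style interface identifier (note the ff:fe in the middle).
SAMPLE = "2001:db8:1234:1:212:f0ff:fe90:a7ae"

if __name__ == "__main__":
    prefix, subnet, iid = decompose(SAMPLE)
    print(f"prefix={prefix:012x} subnet={subnet:04x} iid={iid:016x}")
    print("addresses in a /64:", addresses_in_prefix(64))
    print("MAC behind the interface id:", mac_from_eui64(iid))
```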
  43. LOL by smash · · Score: 1
    @ addresses being too long. Several reasons this won't matter:
    1. DNS - people won't be typing in IPs
    2. DHCP - people won't be setting IPs en-masse
    3. Search engines - people won't even be typing in/remembering DNS hostnames

    Set up a network properly and you very rarely ever need to type an IP once it's been set up.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  44. VPNs are easier by Anonymous Coward · · Score: 0

    While I'm sure some IT goon somewhere might care... I had some time to kill one day and decided to try and get DirectAccess to work... After reading the list of prerequisites (MS domain controller, MS DNS (vendor lock-in anyone?)) and how it works, I shook my head and forgot about it.

    What's the point/difference? Current VPNs take two seconds to configure, do the same thing and everyone has/uses them. You could already do nailed VPNs with RRAS since, I don't know, 10 years now...

    If MS really wanted to make themselves useful they would deploy a zero-knowledge authentication system such as SRP so there would be less of a need to fiddle with goofy client security certificates.

  45. What is the state of IPv6? by definate · · Score: 1

    Just looking for someone who has any idea on what the state of adoption of IPv6 is at?

    Is there any way for me to tell if my ISP and similar has adopted it?

    Are there gateways which translate IPv6 to IPv4, so users can adopt ONLY IPv6 while maintaining backwards compatibility at the ISP level?

    One impediment to adoption is that even nerds like me, who are interested in it but aren't die-hard fans, don't know much about it. The best thing I see from it is having an address space that is public and under my control. Looking forward to that!

    --
    This is my footer. There are many like it, but this one is mine.
  46. Direct Access = Back to my Mac by Anonymous Coward · · Score: 0

    Looks like Microsoft had another wonderful, brilliant idea! Direct Access is so cool, it is... just... like... OS X's Back to my Mac?

    Yeah, it is almost the same. Major difference is BtmM has been on the road since Leopard (?) days -- at least 2 years I would say.

    Not surprised Win7 is working quite well these days. Can we add this one to the "OS X features found on Win7" list?

  47. Old technology by jmkrtyuio · · Score: 1

    Microsoft fielded this stuff in Windows 2000. It will work just fine the same way, controlled by GPOs configuring IPsec settings, the same way it would have with IPv4, except that since almost all IPv4 internal networks are behind a NAT firewall it doesn't work for VPN remote access. Instead it was touted as a way to harden your internal network.

    To work across the internet this requires that the entire internal network be publicly IPv6 addressed and accessible, at least for the IPsec protocols, and no IPv6 NAT, which currently isn't expected to be in any real use, but who knows?

  48. SDL cut-and-paste by OrangeTide · · Score: 1

    Many of us have patched SDL ourselves with the functionality. I cribbed code from TightVNC and got it to work on X11 (well, Linux), OS X and Win32, but I didn't try to support any other platforms.

    A function to set a selection string (SetClipboardData). A function to get the current clipboard (GetClipboardData). To do a cut or to end a selection I just handle setting an empty string as a special case (EmptyClipboard).

    The Linux and OS X versions were easiest. I took a lot of liberties with pasting in a bunch of Win32 source I didn't understand. Other patches out there are much better than mine, and don't have questionable copyright/license status.

    (I don't use SDL anymore, preferring my own OpenGL wrapper or GLFW.)

    --
    “Common sense is not so common.” — Voltaire
  49. File sync-ing/monocultures by martin · · Score: 1

    Field has a specific headache he’s hoping DirectAccess will ease: file synchronization. “Someone might take their laptop home for weeks or months at a time, and it won’t synchronize their files on the network until [the laptop] is brought back in.” He anticipates that DirectAccess will make his life easier because he “won’t need to worry about people losing files because they rarely bring in their laptop,” he says.

    What!!! Has he actually tried file sync-ing over something that's more than about 10ms latency away... and that's most people off LAN these days.

    I read with interest Mr Field talking about GP and all things M$; he needs to get out more. GPOs are good but they can be complemented by other technologies, not just what M$ gives you in this particular release. Monocultures are bad, and being brainwashed into a single vendor's view is not a good idea.

  50. Re:Will ISP give more than one IPv6 IP? or will th by johnw · · Score: 1

    Will ISP give more than one IPv6 IP?

    My ISP currently allocates (and routes) me 18446744073709551616 IPv6 addresses. They will increase this on demand up to a maximum of 1208925819614629174706176 addresses. Once I've used those I'll start to look for a new ISP.

    This message coming to you from 2001:8b0:e9:1:21c:bfff:fe92:17c9

  51. Already done by GameboyRMH · · Score: 1

    http://en.wikipedia.org/wiki/SMS

    But on a more serious note, I see your point. Passing an IPv6 address between people would be a gigantic PITA. Now I'm not 100% sure here but can't you use IPv6 and IPv4 simultaneously? On IPv6-enabled LANs computers have both a v6 and a v4 address. Doesn't that mean that if you were at a LAN party, you'd only have to type in an IPv4 address to connect to the server? Still a PITA over the Internet (which obviously couldn't support v4 and v6 simultaneously...or at least it would be a pointless mess), but that's what DNS and DynDNS are for.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  52. Again, Windows copies Mac - only 2 years behind by coldcup · · Score: 1

    This has been done on the Mac via Back to my Mac since Leopard (2007).

  53. Windows 7 has IPv6 by Shadow-Copy · · Score: 0

    IPv6 has been around since XP.

    Windows 7 has IPv6, and so does Vista; XP carries version 6 as well.

    This article is not even correct, nor current in technology.

    Microsoft doesn't answer to many rants from credible media sources, because of the fact of how many throw slander at Windows that isn't even correct (like this article).

    This article is a bogus, all-the-way-around incorrect OPINION, with not one fact.

    This "blog article" is just a thoughtless rant.