Slashdot Mirror
Windows 7 May Finally Get IPv6 Deployed
Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."
You don't need NAT to run a firewall that has the same security functionality as NAT
IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT however, can go away.
"I use a Mac because I'm just better than you are."
Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFP for that purpose.
IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.
Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.
Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...
This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case, it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.
No, when the technical people at large telcos are given the money and mandate to deploy IPv6 that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation in a classic example of the tragedy of the commons realise that IPv4 blocks will be gone by 2011 fall from the IANA pool and a year later from the regional registries, they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking b. franctically scramble to upgrade.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
You make it sound like that's a difficult problem, rather than a matter of putting a few extra lines in a config file for the transition period.
No, you're wrong there. While an IPv4 connection cannot reach IPv6 hosts, an IPv6 connection can reach any IPv4 host using tunneling. You talk pure IPv6 to your IPv6 ISP, and if there's a need to fall back to IPv4, they route the traffic via a tunnel broker.
Using similar technology, you can get IPv6 even if your ISP only supports IPv4. That's how I'm doing it.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
//My problem, from your point of view, is that I'm not an elitist.//
Your problem, from my point of view, is that you're not competent. //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//
It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more. //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//
Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot. //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//
You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.
In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.
The problem with breaking up a /8 is that you can't just spread around 16.7 million addresses to the individual machines around the globe that need them -- not unless we're ready to handle the massive explosion of routing table entries that would require (and we're not). CIDR still defines a routing hierarchy, where the huge swaths of free addresses exist within that hierarchy isn't necessarily geographically where they are needed, or where the systems that need them are going to be able to connect to them.
Not to say that some breaking up of largely unused /8's and /16's can't be done -- just that it's nowhere near as trivial a problem as most people seem to assume it is. It isn't like there is an abundance of resources in one area, so we can put them on a ship and send them to an area where the resource need exists.
Of course, all of this presumes that the holder of the /8 is using it in some sane manner where is it even possible to break the address space into routeable blocks...
Yaz.