Slashdot Mirror


Windows 7 May Finally Get IPv6 Deployed

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

43 of 283 comments

  1. Re:IPv6 addresses are overly complex by kennedy · · Score: 5, Insightful

    Uhh... 3 letters for you. D.N.S.

  2. Re:IPv6 addresses are overly complex by johnw · · Score: 4, Funny

    Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

  3. Re:Why? by Anonymous Coward · · Score: 5, Informative

    You don't need NAT to run a firewall that has the same security functionality as NAT.

  4. Re:IPv6 addresses are overly complex by Virak · · Score: 2, Insightful

    Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

  5. Another Genuine Advantage ? by mbone · · Score: 3, Insightful

    I have to say that this is what struck my eye:

    In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings.

    OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this?

    By the way, this sets up an IPSEC VPN, so I am not sure why the OP says it doesn't require a VPN.

    1. Re:Another Genuine Advantage ? by nielsm · · Score: 2, Informative

      This is a server-checks-client-security thing, not a Microsoft-checks-customer-setup thing. Refusing to work with known-broken software.

  6. Re:Why? by FooAtWFU · · Score: 3, Insightful

    Mod parent up. If you can map between the "inside" and the "outside" of your organization you can drop packets coming from the outside just as readily.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  7. Re:IPv6 addresses are overly complex by sunderland56 · · Score: 5, Funny

    Yeah, typing in IP addresses is a pain in those situations. Maybe in future Microsoft will add a "cut" and "paste" feature to Windows 7, like they have in OSX - that should make life easier.

  8. Exactly why we didn't deploy DirectAccess by Bubba · · Score: 2, Informative

    We looked at deploying DirectAccess, but after months of talks and discussions with Microsoft, they finally came out and told us that it wouldn't work unless we rolled out IPV6 (and pushed other MS services (CA, DC) externally). We passed. We decided to stick with SSL VPN for most and Cisco AnyConnect client for our Win7 64 bit rollouts. Maybe next time, Microsoft?

  9. Re:IPv6 addresses are overly complex by Nimey · · Score: 3, Insightful

    Dynamic DNS, then. I use that for remoting into my computer and router from other places.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  10. Re:IPv6 addresses are overly complex by Mr.+DOS · · Score: 2, Interesting

    Offtopic, but I'd much rather you typed in whatever.com.

          --- Mr. DOS

  11. Re:Why? by 0racle · · Score: 4, Informative

    IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT however, can go away.

    --
    "I use a Mac because I'm just better than you are."
  12. Re:Why? by MathiasRav · · Score: 2, Insightful

    Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

    Network address translation came into use because you had limited supply of IP addresses, pigeonhole problem basically. With IPv6 that's not needed, because surely 3.4×10^38 addresses should be enough for anyone. You'll just need a firewall to reject requests from outside your own assigned block.

  13. Re:IPv6 addresses are overly complex by Chris+Mattern · · Score: 5, Informative

    Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFC for that purpose.

  14. They've invented SSH/SSL! by Chris+Mattern · · Score: 2, Insightful

    Except that it doesn't work with the networking you have.

  15. Re:IPv6 addresses are overly complex by OnlineAlias · · Score: 4, Funny

    It is a very tough feature to code however, just ask the guys who failed to add it to the iphone for several years...

  16. IPv4 Forever!!!! by waterlogged · · Score: 2, Interesting

    BGP filters are hard enough in v4; can you imagine doing this crap?

    ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
    ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
    ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

    Forget it.

    --
    I couldn't fail to disagree with you any less.
    1. Re:IPv4 Forever!!!! by dasmoo · · Score: 2, Informative

      More addresses, not IPv6. They're just jamming the wrong technology down our throats, which is why everyone's ignoring it.
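Added example, not from the comment above or from any vendor documentation: a small first-match evaluator for the four prefix-list lines posted above, using the IOS semantics for `ge`/`le` (no `ge`/`le` means the entry matches only that exact prefix length; `ge` alone means up to /128; `le` alone means from the entry's own length). The candidate prefixes fed to it are constructed for illustration and are not real announcements.

```python
"""First-match evaluation of Cisco-style IPv6 prefix-list entries."""
import ipaddress
import re
from typing import Optional

# Matches: ipv6 prefix-list NAME [seq N] permit|deny PREFIX [ge A] [le B]
_RULE_RE = re.compile(
    r"ipv6 prefix-list (?P<name>\S+)\s+(?:seq\s+\d+\s+)?"
    r"(?P<action>permit|deny)\s+(?P<prefix>\S+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$"
)


def parse_rule(line: str) -> dict:
    """Parse one prefix-list line into a rule dict; ValueError on garbage."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a prefix-list line: {line!r}")
    net = ipaddress.IPv6Network(m["prefix"], strict=False)
    # IOS semantics: no ge/le -> exact length only; ge alone -> [ge, 128];
    # le alone -> [prefixlen, le].
    lo = int(m["ge"]) if m["ge"] else net.prefixlen
    hi = int(m["le"]) if m["le"] else (128 if m["ge"] else net.prefixlen)
    if not (net.prefixlen <= lo <= hi <= 128):
        raise ValueError(f"bad ge/le window in: {line!r}")
    return {"name": m["name"], "action": m["action"], "net": net, "lo": lo, "hi": hi}


def rule_matches(rule: dict, candidate: ipaddress.IPv6Network) -> bool:
    """A candidate matches when it lies inside the entry's prefix AND its
    own length falls inside the [lo, hi] window."""
    return (candidate.subnet_of(rule["net"])
            and rule["lo"] <= candidate.prefixlen <= rule["hi"])


def evaluate(rules: list, candidate: str) -> Optional[str]:
    """First matching entry wins, as on a router.  Returns 'permit', 'deny',
    or None when nothing matched (a router treats that as an implicit deny)."""
    cand = ipaddress.IPv6Network(candidate, strict=False)
    for rule in rules:
        if rule_matches(rule, cand):
            return rule["action"]
    return None


# The four lines from the comment above, verbatim.
POSTED_RULES = [parse_rule(line) for line in [
    "ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32",
    "ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48",
    "ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32",
    "ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128",
]]

if __name__ == "__main__":
    # Constructed candidates: a RIPE-range /32, an over-long /48 from the same
    # block, the covering /12 itself, a LACNIC /40, and a documentation prefix.
    for cand in ["2a01:1234::/32", "2a01:1234::/48", "2a00::/12",
                 "2801:1::/40", "2c0f:f000::/20", "2001:db8::/32"]:
        print(f"{cand:>18}  ->  {evaluate(POSTED_RULES, cand)}")
```

The point of the `ge`/`le` window is the part people get wrong: the first entry lets a /32 through but rejects both the /48 deaggregate and the /12 itself, and the final `0::/0 le 128` turns the implicit deny into an explicit, loggable one.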

  17. Article is so full of inaccuracies... by A+beautiful+mind · · Score: 4, Informative
    ...that I barely know where to begin.

    IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

    IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

    Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

    Users didn't opt out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling, in a tragedy of the commons kind of situation.

    To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

    Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

    By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

    This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case, it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

    Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

    No, when the technical people at large telcos are given the money and mandate to deploy IPv6, that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation, in a classic example of the tragedy of the commons, realise that IPv4 blocks will be gone from the IANA pool by fall 2011 and from the regional registries a year later, they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem. This could have been avoided; instead we're headed for the bloody showdown we're going to see in the next couple of years, as everyone will a) try to grab as many addresses as possible to keep telco projects in the pipeline from sinking and b) frantically scramble to upgrade.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:Article is so full of inaccuracies... by growse · · Score: 2

      It's the source ports you're worried about, not the destination ones. I get in the office and along with 6,000 other people turn on my desktop and open my browser which may have 15 saved tabs. With the HTTP and DNS requests (and whatever other connections from other IM etc. apps), I could simultaneously be opening tens of connections out to different servers on the WAN. With NAT, every connection uses up a source port on the public IP. At some point, you run out of ports.

      --
      There is nothing interesting going on at my blog
    2. Re:Article is so full of inaccuracies... by tlhIngan · · Score: 2, Interesting

      What really bothers me is that there *is* an IPv4 address famine. It's just that the IPv4 addresses are being rationed well enough that we haven't yet reached the point of outright crisis. If you really think that IPv4 addresses are plentiful, then riddle me this: why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

      And guess how much a single static IPv6 address will cost from your ISP? That's right, $200/month because you'll need a business account.

      IPv6 gives you more address space. ISPs will still nickel and dime you. Even if your ISP is "wasteful" and gets you a /96, they'll just make sure that xxxx:...:xxxx::1 actually reaches you (and everyone else gets the same, too), despite giving you a whole IPv4 set of address spaces. Buy another IP address, and they'll also give you xxxx::1 to keep all the routing simple. (Side note: also makes the virus and worm's jobs simpler). Heck, if they need to double their address space, they just use another bit, so your /96 becomes a /97, not that you could've used those 2 billion addresses they "stole".

      NAT won't die, unless ISPs are willing to give up the money they're making on extra IPs. At best, while NATv6 is being worked on, everyone has to buy extra IP addresses so everyone's home PC, roaming laptop, etc., can be connected simultaneously. Linksys, D-Link and Netgear will be happy as they get to sell everyone IPv6 firewalls, then IPv6 "IP Sharing" routers that can save everyone money by not having to buy extra IPs.

  18. Re:Why? by Monkeedude1212 · · Score: 2, Interesting

    On the internet sure, ok....who the fuck is going to connect a Windows box to the internet without NAT/Firewall?

    If you've never had a problem with NAT, you don't have enough uses for the internet. I used to be a firm believer that NAT was a seamless solution to the problem of not having enough IPs.

    Once you try implementing it in the professional world, where you have to worry about not just NAT but NAPT, because you've got web servers, print servers, email servers, backup servers, file servers, application servers - and then you've got to implement some service such as Remote Desktop from a web app (that has to get past the proxy, no less), so that those who want to work from home can remote into their PC without a VPN - let's just say that even a small handful of extra IPs would help, and if we COULD get each PC its own individual IP, it'd be much appreciated.

    It's not that it's impossible to do what you want, it's just that as things grow, things get more convoluted, and doing such tasks takes far more troubleshooting.

  19. Or DirectAccess may just sink it for good... by BobMcD · · Score: 3, Interesting

    From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

    Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

    . set specific policies (no split tunneling)
    . force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
    . ensure proper key and credential management, including two-factor or challenge/response
    . audit activities while user is connected to the VPN.

    The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

    What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

    As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

    1. Re:Or DirectAccess may just sink it for good... by EndlessNameless · · Score: 3, Informative

      //My problem, from your point of view, is that I'm not an elitist.//

      Your problem, from my point of view, is that you're not competent. //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//

      It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more. //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//

      Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot. //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//

      You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

      In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
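Added example, not from the reply above or from any firewall vendor: a model of the "real firewall" it describes, a stateful, default-deny packet filter in front of a globally routed IPv6 /48 that does no address translation at all. It shows the two things the thread argues about: unsolicited inbound traffic is dropped exactly as a NAT box would drop it, and replies to flows opened from inside are admitted by state, not by rewriting addresses. It also shows one thing NAT cannot give you, an egress rule that lets only the mail relay speak SMTP. The /48, host addresses (all from the 2001:db8::/32 documentation prefix) and rules are constructed assumptions; TCP flag tracking is omitted and flows are keyed on the 4-tuple only.

```python
"""Stateful default-deny filter with no NAT: a simplified model."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv6Address = ipaddress.IPv6Address
IPv6Network = ipaddress.IPv6Network

INSIDE = IPv6Network("2001:db8:1::/48")   # assumption: our globally routed /48


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    direction: str                              # "in" (outside -> INSIDE) or "out"
    action: str                                 # "accept" or "drop"
    src_net: IPv6Network = field(default_factory=lambda: IPv6Network("::/0"))
    dst_net: IPv6Network = field(default_factory=lambda: IPv6Network("::/0"))
    dport: Optional[int] = None                 # None = any destination port


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        # 4-tuples of admitted flows; both directions are stored so the
        # return half of a flow is recognised without a rule lookup.
        self.state = set()

    @staticmethod
    def direction(pkt: Packet) -> str:
        src_in = IPv6Address(pkt.src) in INSIDE
        dst_in = IPv6Address(pkt.dst) in INSIDE
        if src_in and not dst_in:
            return "out"
        if dst_in and not src_in:
            return "in"
        return "transit"          # neither side is ours, or both are: not forwarded

    @staticmethod
    def _matches(rule: Rule, pkt: Packet, d: str) -> bool:
        return (rule.direction == d
                and IPv6Address(pkt.src) in rule.src_net
                and IPv6Address(pkt.dst) in rule.dst_net
                and (rule.dport is None or rule.dport == pkt.dport))

    def process(self, pkt: Packet) -> str:
        d = self.direction(pkt)
        if d == "transit":
            return "drop"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:                   # established: part of an admitted flow
            return "accept"
        for rule in self.rules:                 # new flow: first match wins
            if self._matches(rule, pkt, d):
                if rule.action == "accept":
                    self.state.add(key)
                    self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action
        return "drop"                           # default deny, no NAT needed


# Constructed policy: everything outbound except SMTP, SMTP only from the
# relay, and inbound only HTTPS to the one web server.
WEB = IPv6Network("2001:db8:1::80")     # /128 of the web server (assumption)
RELAY = IPv6Network("2001:db8:1::25")   # /128 of the mail relay (assumption)
RULES = [
    Rule("out", "accept", src_net=RELAY, dport=25),
    Rule("out", "drop", dport=25),
    Rule("out", "accept"),
    Rule("in", "accept", dst_net=WEB, dport=443),
]


def demo() -> dict:
    """Run constructed packets through the policy; returns verdicts by name."""
    fw = StatefulFilter(RULES)
    outside, attacker = "2001:db8:ffff::1", "2001:db8:ffff::bad"
    return {
        "unsolicited_smb":    fw.process(Packet(attacker, 40000, "2001:db8:1::10", 445)),
        "outbound_https":     fw.process(Packet("2001:db8:1::10", 50000, outside, 443)),
        "reply_https":        fw.process(Packet(outside, 443, "2001:db8:1::10", 50000)),
        "inbound_to_web_443": fw.process(Packet(attacker, 40001, "2001:db8:1::80", 443)),
        "inbound_to_web_22":  fw.process(Packet(attacker, 40002, "2001:db8:1::80", 22)),
        "smtp_from_desktop":  fw.process(Packet("2001:db8:1::10", 50001, outside, 25)),
        "smtp_from_relay":    fw.process(Packet("2001:db8:1::25", 50001, outside, 25)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<20} {verdict}")
```

Note what the inside addresses being globally routable does and does not change: the desktop at 2001:db8:1::10 is reachable on paper, but the only packets that get to it are replies to flows it opened, which is precisely the guarantee people attribute to NAT. Anything stricter (the SMTP egress rule, the per-host inbound allow) is ordinary ACL work that NAT never provided in the first place.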
  20. Re:IPv6 addresses are overly complex by Ephemeriis · · Score: 2, Interesting

    There's lots of places that don't really use DNS though, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friend's server. Maybe we see a major increase in those FreeDNS type of services.

    Pretty much every machine has a DNS name these days. They aren't usually authoritative... But for a LAN game it'll do.

    For non-LAN games you've frequently got some kind of server listing service or match-making service out there that can help you find your buddy's server. Or you could always use DynDNS/No-IP/whatever to get yourself a DNS name.

    But at least one pain in the ass there is; if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc)

    Again, many (most?) devices have a DNS name of some sort.

    If not... Yes, it can be a pain to write down an address. And the extra address space in IPv6 is going to make that more painful... Although there are shortcuts built into IPv6 that let you shorten the address...

    But, seriously, is that a reason not to adopt IPv6? There's too many digits, it's too hard to write out by hand?

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  21. Re:Why? by pdangel · · Score: 2, Interesting

    Yes, NAT is a pain..and in some cases breaks business apps. Hairpin turns are the bane of my existence. But you are saying place things outside a firewall because it's easier, or place your support staff on the Internet without VPN?

    I agree that ISPs have a need for IPv6. But why would a Windows 7 user need it? Default out of the box? Or did I misread that MS has that service on by default?

  22. Re:IPv6 addresses are overly complex by Monkeedude1212 · · Score: 2, Informative

    In some games you even have to manually type in the address if you want to connect to your friend's server.

    Either you're playing some older games, which came out when TCP/IP was just starting to boom and didn't have any DNS functionality built in - or your friends aren't hosting their server on the web, and thus DNS wouldn't resolve it - or your friends aren't port forwarding properly for that game's specific host-finding service to pick it up.

    In any case - if you are willing to go through the trouble of communicating an IPv4 address to join a game, making it an IPv6 address will either be the smallest, most minuscule inconvenience that you'll forget after it's deployed
    OR
    You'll learn to set up servers and DNS in such a way that they will work without you needing to memorize and jot down IP addresses.

    Either way, it's moving forward.

  23. Re:Why? by mark-t · · Score: 2, Interesting

    The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

    Notwithstanding, however, thanks to this quaint little notion of "extension headers" in ipv6, it is even entirely possible to route _THROUGH_ a NAT... directing packets to specific machines inside of the NAT as long as the NAT is configured to act like a router and to process the appropriate extension headers... an upshot of this is that it would effectively increase the total number of usable IPs, because the effective IP address length would be extended by however many bits of address you put into the extension header. This process could even be chained through multiple levels of NATs _theoretically_ indefinitely, but in practice would always be limited by the sizes of the routing tables involved, and whatever the minimum MTU for an IP packet is at the time (which is theoretically as small as 68 bytes today, but nobody uses them anywhere close to that small). Individual IPv6 packets have a maximum size of 64K each, so there's a hard limit in how big it can get regardless of how much the MTU goes up.

  24. Either that... by roc97007 · · Score: 3, Insightful

    ...or DirectAccess will be a dead feature because it requires a protocol that few want to support.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  25. Re:IPv6 addresses are overly complex by fearlezz · · Score: 2, Funny

    Anyone can type a DNS name. An ipv4 address is a bit cooler. But just imagine your coworker's respect when they see you telnet to 2001:db8:85a3::8a2e:370:7334

    --
    .sig: No such file or directory
  26. From the article: by Tubal-Cain · · Score: 2, Funny

    IPv6, with its 128-bit addresses and the resulting astronautical address range seemed the perfect answer.

  27. Re:IPV6 is fatally broke by Changa_MC · · Score: 2, Insightful

    Wait, are you claiming you don't use IPv4 for anything? Or are you claiming you use IPv6 for some things? Because if the latter, you're right in line with Bernstein's claim. Note he doesn't say IPv6 doesn't work, he says there is no smooth transition path for IPv6 adoption from IPv4.

    Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

    Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

    Which relegates IPv6 to hobbyists, same as in 2002.

    --
    Changa hates change.
  28. Re:Why? by isomer1 · · Score: 2, Interesting

    Along with the last vestiges of privacy in IP space. Every single connection you make traced directly to you instantly. Joy.

  29. Re:IPV6 is fatally broke by metamatic · · Score: 3, Informative

    Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

    You make it sound like that's a difficult problem, rather than a matter of putting a few extra lines in a config file for the transition period.

    Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

    No, you're wrong there. While an IPv4 connection cannot reach IPv6 hosts, an IPv6 connection can reach any IPv4 host using tunneling. You talk pure IPv6 to your IPv6 ISP, and if there's a need to fall back to IPv4, they route the traffic via a tunnel broker.

    Using similar technology, you can get IPv6 even if your ISP only supports IPv4. That's how I'm doing it.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  30. Re:IPv6 addresses are overly complex by Yaztromo · · Score: 3, Informative

    They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

    The problem with breaking up a /8 is that you can't just spread around 16.7 million addresses to the individual machines around the globe that need them -- not unless we're ready to handle the massive explosion of routing table entries that would require (and we're not). CIDR still defines a routing hierarchy, where the huge swaths of free addresses exist within that hierarchy isn't necessarily geographically where they are needed, or where the systems that need them are going to be able to connect to them.

    Not to say that some breaking up of largely unused /8's and /16's can't be done -- just that it's nowhere near as trivial a problem as most people seem to assume it is. It isn't like there is an abundance of resources in one area, so we can put them on a ship and send them to an area where the resource need exists.

    Of course, all of this presumes that the holder of the /8 is using it in some sane manner where is it even possible to break the address space into routeable blocks...

    Yaz.

  31. Re:IPv6 addresses are overly complex by Tynin · · Score: 2, Funny

    Sad but true. For some reason I just had a thought that at some point when we run drastically low on IPv4 space, the US gov might, much like it did with the analog to digital TV transition, be handing out coupons for low end crappy IPv6 routers.

  32. Re:Why? by mister_playboy · · Score: 3, Insightful

    The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

    In most of our lifetimes? Per Wikipedia:

    The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses—or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

    It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

    --
    Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  33. Re:IPv6 sucks monkey bawls by Anonymous Coward · · Score: 2, Insightful

    1/2. Would you prefer 192.168.127.123.67.88.76.44.246.254.65.183?

    3. I have no solution for that.

    4. For suitably small values of "works". NAT breaks a lot of stuff, adds needless complexity (annoying hacks such as UDP hole punching and the like) and merely trades one addressing limit (2^32 IP addresses) for another (2^16 ports).
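Added example serving both comment 17.1 above (6,000 desktops each opening tens of connections through one public address) and the point in the comment just above that NAT trades a 2^32 address limit for a 2^16 port limit. It is not from either commenter: a small model of a port-translating NAT (NAPT) in front of a single public IPv4 address, with the host count, flow counts and destinations constructed rather than measured. It goes a step beyond the comments by contrasting two allocation policies: one public port per flow ("global", the picture in 17.1), and one public port per (destination address, destination port) pair, which is how Linux conntrack actually allocates and which postpones, but does not remove, the exhaustion.

```python
"""NAPT source-port exhaustion model (one public IPv4 address)."""
from collections import defaultdict

# Assumption: the translator may use ports 1024-65535, i.e. 64512 of them.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535
PORT_WINDOW = EPHEMERAL_HIGH - EPHEMERAL_LOW + 1


class Napt:
    def __init__(self, policy: str = "tuple"):
        if policy not in ("global", "tuple"):
            raise ValueError(policy)
        self.policy = policy
        self._in_use = defaultdict(set)   # key -> public ports currently held
        self._next = {}                   # key -> next port to try (round robin)
        self.table = {}                   # (src_ip, src_port, dst_ip, dst_port) -> public port

    def _key(self, dst_ip, dst_port):
        # 'global': every flow competes for the same 64k ports.
        # 'tuple':  a public port need only be unique per destination socket.
        return () if self.policy == "global" else (dst_ip, dst_port)

    def _alloc(self, key):
        used = self._in_use[key]
        if len(used) >= PORT_WINDOW:
            return None                   # window exhausted for this key
        p = self._next.get(key, EPHEMERAL_LOW)
        while p in used:                  # skip ports still held by live flows
            p = EPHEMERAL_LOW if p == EPHEMERAL_HIGH else p + 1
        used.add(p)
        self._next[key] = EPHEMERAL_LOW if p == EPHEMERAL_HIGH else p + 1
        return p

    def open_flow(self, src_ip, src_port, dst_ip, dst_port):
        """Map a new outbound flow to a public port; None means the device
        has nothing left to hand out and the SYN is dropped."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.table:
            return self.table[flow]
        port = self._alloc(self._key(dst_ip, dst_port))
        if port is not None:
            self.table[flow] = port
        return port

    def close_flow(self, src_ip, src_port, dst_ip, dst_port):
        """Release the public port when the flow ends (or its timer expires)."""
        port = self.table.pop((src_ip, src_port, dst_ip, dst_port))
        self._in_use[self._key(dst_ip, dst_port)].discard(port)


def office_morning(hosts: int, flows_per_host: int, policy: str,
                   destinations: int = 1):
    """`hosts` inside machines (constructed 10.0.0.0/16 addresses) each open
    `flows_per_host` HTTPS connections, spread round robin over `destinations`
    servers in the constructed 203.0.113.0/24 (TEST-NET-3) range.
    Returns (admitted, dropped)."""
    nat = Napt(policy)
    admitted = dropped = 0
    for h in range(hosts):
        src_ip = f"10.0.{h // 250}.{h % 250 + 1}"
        for f in range(flows_per_host):
            dst_ip = f"203.0.113.{(h * flows_per_host + f) % destinations + 1}"
            if nat.open_flow(src_ip, 49152 + f, dst_ip, 443) is None:
                dropped += 1
            else:
                admitted += 1
    return admitted, dropped


if __name__ == "__main__":
    for policy, dests in [("global", 1), ("tuple", 1), ("tuple", 10)]:
        ok, lost = office_morning(6000, 15, policy, dests)
        print(f"{policy:<7} {dests:>3} destination(s): {ok} admitted, {lost} dropped")
```

With 6,000 hosts and 15 flows each, the one-port-per-flow policy admits 64,512 flows and drops the remaining 25,488 outright. Per-destination allocation only helps when the traffic is spread out: against a single popular destination (a proxy, a SaaS front end, the company's own mail server) it exhausts at exactly the same point, which is the 2^16 ceiling the comment above refers to.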

  34. Re:IPv6 sucks monkey bawls by Ksevio · · Score: 2, Insightful

    We already have a simple solution, IP4 with NAT. It works great.

    I take it you've never had to program any application that needs peer to peer communications then?

  35. Re:Wah happen to ipv5? by ksemlerK · · Score: 2, Interesting

    What happened to IPv1, IPv2, IPv3 and IPv4? The short answer is that they never existed.

  36. Re:No, just typical Microsoft: by bruce_the_loon · · Score: 2, Informative

    FUD, glorious FUD.

    You do not need Homegroups to make sharing work. It just makes it easier. The older technique of keeping the passwords synced across the machines is still operational.

    And someone has already answered the IPv6 no internet connectivity FUD as well.

    --
    Trying to become famous by taking photos. Visit my homepage please.
  37. Re:Why? by Stan+Vassilev · · Score: 2, Insightful

    In most of our lifetimes? Per Wikipedia:

    The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses--or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

    It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

    That quote from Wikipedia you pulled, is immediately followed by this:

    "While these numbers are impressive, it was not the intent of the designers of the IPv6 address space to assure geographical saturation with usable addresses. Rather, the longer addresses allow a better, systematic, hierarchical allocation of addresses and efficient route aggregation."

    If we could arbitrarily ignore the network structure and special ranges assigned in IPv4, we have 4.2 billion possible IP numbers (2^32). Do we have 4 billion computers on the Internet? No. Do we have IPv4 shortage? Yes. In fact we had IPv4 shortage even back in the early '90s when the Internet was far from being mainstream yet (which prompted the jump from classful networks to CIDR).

  38. Re:Why? by tylernt · · Score: 2, Insightful

    It will take way more than poor management to use up all those numbers

    You haven't met my managers.

    --
    DRM 'manages access' in the same way that a prison 'manages freedom'