Slashdot Mirror


Why You Shouldn't Worry About IPv6 Just Yet

nk497 writes "While it's definitely time to start thinking about IPv6, it's not time for most to move up to it, argues Steve Cassidy, saying most can turn it off in Windows 7 without causing any trouble. Many network experts argue we're nearing network armageddon, but they've been saying that for years. 'This all started when Tony Blair was elected. The first time. Yep, that's how long IPv6 has been around, and it's quite a few weeks ago now.' He says smart engineering has avoided many of the problems. 'Is there an IPv6 "killer app" yet for smaller networks? No. Is there any reason based on security or ease of management — unless you're running a 100,000-seat network or a national-level ISP — for you to move up to it? No. Should you start to do a bit of reading about it? That's about the stage we're truly at, and the answer to that one is: yes,' he says."

4 of 425 comments

  1. Re:I have read it... by vlm · Score: 5, Informative

    Anonymity is lost pretty quickly with IPv6

    RFC 3041 dated January freaking 2001, assuming you're talking about using MAC addresses in the ipv6 address. Frankly I feel this is paranoia combined with ignorance of current ISP logging technology, in other words you don't have anonymity with ipv4 either.

    along with ISPs seeing how many systems you have running on their network

    Rates somewhere between 1) who cares 2) See RFC 3041 3) News to me that proxy servers are impossible on ipv6

    exposes systems to OS flaws.

    I suppose there are / will be bugs in v6 that would not happen in v4.

    The logic in fact seems to be nothing but a really big switched network.

    Thank god. Die NAT die! Can't happen soon enough. Some people will still want stateful "one way" firewalls. No problemo.

    In short, I don't like what IPv6 gives us over what we lose with IPv4.

    Given your list of misconceptions and misinformation, I'm not surprised.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  2. Actually you SHOULD worry about it... by nweaver · Score: 4, Informative

    For three big reasons.

    a: It's actually ubiquitous in the LAN these days. Both Apple and Microsoft use IPv6 link local operations very heavily, because it Just Works with nice stateless autoconfiguration and multicast.

    b: You can have things screw it up if you don't have V6 deployed, and you have to worry about V6 even if you don't 'have' V6: e.g., a Windows box with connection sharing and 6to4 enabled will happily try to "share" the 6to4 connection with everyone else on the LAN, so everyone else gets a V6 address that doesn't actually work. And with Apple preferring a 6to4 IPv6 address over a V4 address, the Macs on the same network will now see horrible behavior going to any dual-stacked site, as it will try V6 first, take a timeout, then revert to V4.

    c: Address space exhaustion is real, and IPv6 + DS-Lite (or even just IPv6 + IPv4 NAT) allows an ISP to get around address space exhaustion in a much cleaner way than the alternatives.

    --
    Test your net with Netalyzr
  3. Re:I have read it... by vlm · Score: 4, Informative

    So if you want a NAT router to keep network wormable flaws away from the OS you can still do it.

    You're confusing NAT address translation with stateful firewalling. Linux has been able to do that for ages on ipv4 or ipv6.

    A side effect of ipv4 NAT is providing stateful firewalling, in that obviously the fw has no idea what to do with incoming traffic that doesn't belong to a flow you've already set up. All you need is one line to do this in v6.

    You're looking for a line vaguely similar to this:

    ip6tables -i eth0 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    And try not to forget to drop by default anything coming in thru eth0 that doesn't match the line above, of course.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
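The one-line rule and the default drop from the comment above, written out as a full ruleset; this is an added example, not part of vlm's comment. It goes beyond the one-liner by adding the FORWARD chain for a router and the neighbor-discovery ICMPv6 rules a default-drop IPv6 policy needs; the interface names (eth0 as WAN, eth1 as LAN) and the trusted LAN side are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print an ip6tables-restore ruleset that
# keeps unsolicited inbound IPv6 traffic out without any NAT.
# Assumptions: WAN defaults to eth0, LAN to eth1, and the LAN side is trusted.

valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;  # empty, or text that could inject rule syntax
    esac
    [ "${#1}" -le 15 ]                      # Linux interface names are at most 15 chars
}

emit_ruleset() {
    wan="${1:-eth0}"; lan="${2:-eth1}"
    valid_ifname "$wan" && valid_ifname "$lan" || { echo "bad interface name" >&2; return 1; }
    cat <<EOF
*filter
# Default drop: anything not matched below is discarded.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# The rule from the comment: only replies to flows this box started.
-A INPUT -i $wan -m state --state RELATED,ESTABLISHED -j ACCEPT
# Neighbor discovery is not a reply to a tracked flow, so allow it explicitly
# (134 router advert, 135/136 neighbor solicit/advert); hop limit 255 = on-link.
-A INPUT -i $wan -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $wan -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $wan -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Router case: LAN hosts may open flows outward; only replies come back in.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

emit_ruleset "$@"
```

Pipe the output through `ip6tables-restore --test` to check that it parses before loading it.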
  4. Re:I have read it... by Spazmania · Score: 4, Informative

    Overloading outbound traffic from multiple machines onto a single IP address (what you call port address translation) *is* NAT, if only because most of the vendors appropriated the name from that other kind of address translator that was hardly ever used and few even remember (RFC 1631).

    PAT was never really a correct name for it anyway; that was a Cisco-ism. What we call NAT today derived primarily from the stateful transparent proxies of the mid-90s and as the word "stateful" implies, it remains as much a proxy as a translator.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.