There Is No Plan B, the Ugly Transition To IPv6
An anonymous reader writes "The Internet is running out of IPv4 addresses — not at some point in the future, but right now. But the only solution to the problem, IPv6, is just now really starting to be deployed. That's why we're all in for some tough times ahead."
Article invalid: Author considers NAT to be a security mechanism, and specifically cites Windows ICS as the example... I've personally had Windows machines owned by infected machines on the same segment.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why is it that problems never seem to get corrected until they are well and truly disastrous in scope?
Finally we will no longer have to use this IPv4 NAT garbage with all its limitations!
Wow. DJB misunderstands something?
Say it ain't so, Joe!
(His piece, written in his usual "I am not at all nuts" style, assumes that IPv6 is *solely* a new "address space", and not an entire replacement protocol.
(While that might have been a better design, smarter people than me decided it wasn't practical to approach it that way, so listing the ways in which that wasn't well implemented is useless, since *that wasn't what they were TRYING to implement*; the entire page is a strawman.)
Serious question. I already have an IPv6 address, why doesn't Slashdot have one?
Follow your Euro bills at EBT
Actually you might say we've been running out of them since the moment the first one was assigned...
What? We're running out of IPv4 addresses? Why are we only learning this NOW? This is an outrage! Why haven't tech sites told us about this problem sooner...say, several times a year?
LOL Sarcasm aside... wouldn't it be better not to tell anyone? Just let them... how do I say this... movie metaphors might help... like letting them remain asleep inside the Matrix, or Inception style, dreaming inside their dream, or IPv6 is "oh, this is the real party" from Brain Candy. Then the NEW IPv6 Internet could be Flash-free! No more click fraud on pr0n sites! Just think of it!
The Admin and the Engineer
Exactly. Haven't we been running out of them for at least the last 10 years?
Awesome that no-one ever cared.
It will be like this as well for oil and clean water and air. Populations need to learn to distrust their businesses and governments more; that would be a good start and a help. It would also help a lot if people learned to look themselves in the eye.
The notion that a border firewall was a sufficient security mechanism ended when the portable computer was invented, which is to say, it was never a valid concept. Indeed, you could make the case that telecommunications itself basically invalidates the idea. Get someone to hook up a modem to some internal system and you've got an attack surface.
It's truly distressing how many effective security mechanisms go unused for lack of a user interface. SELinux has the potential to make system intrusion all but a thing of the past, but it is tragically underutilized because it is difficult to create a useful profile. NX/DEP goes unused in many cases because it causes compatibility problems. All POSIX.2 systems have ACLs but virtually none of them use them because there are no GUI tools. Firewalling did not become popular for user desktops until the various add-on firewalls for Windows with autoconfiguration interfaces appeared (e.g. ZoneAlarm). I'm sure some other people can imagine some other even more excellent examples... well, actually, it's hard to imagine a better example than SELinux. But I really want ACLs, and I'm kind of annoyed that GNOME or KDE hasn't taken a stab at them yet.
At the rate that we're exhausting addresses, even if it were possible to schedule and reclaim more than one Class A a month, we'd only be postponing the inevitable... by about a month.
And that assumes you can move all of their infrastructure off their Class A in that time; maybe when your team gets around to dealing with , you realize it could take a year-long migration.
Yeah, that'll work.
> The only thing that *fails* is when [...]
that's quite a lot of things failing.
> similar to using an NAT router
no, there are 100 million people connected to the internet using ADSL and all *their* stuff works fine
why? because NAT is a solved problem with lots of workarounds
ergo: IPv6 is just NAT all over again
we might as well solve the IPv4 address-space problem with huge /8 NAT'd networks.
good luck to the 0.0000001% of the Internet that has "successfully" switched to IPv6 after 20 years of IPv6 promotion.
-paul
It's probably just not worth the trouble. I looked at the rate of /8 allocations: over the past 10 years, we've allocated an average of 8 /8s per year to the RIRs. That means clawing back a Class A will buy us about 45 days. It's probably just not worth the trouble to get an extra 45 days.
Non-IT companies like Ford don't need to be on a list like this at all. Apart from a few WAN IPs, a webserver, and a mailserver, they could probably put their whole network behind NAT, and no one would notice.
There are two major reasons why this almost certainly won't happen. The first reason is that at the current rate of use this would delay IPv4 exhaustion by only a few months to a year.
The second is that for an organisation to claim such a large block of addresses, it must have done so relatively early in history. That probably means the organisation is a technology group or another organisation which has had a vested interest in the internet for a very long time. Over those decades, there's a good chance that the organisation has swelled up to make maximum use of its assigned address spaces, and rearranging its network and systems for greater efficiency would be a mammoth undertaking for relatively little gain (see above).
qntm.org
This is actually insightful, and would force the issue. People would do anything to get their porn.
However the problem with 6 vs 4 is that 4 works. It works well enough with NAT for most things. People aren't going to change until they absolutely have to. And right now, almost nobody "has to", so it isn't going to happen.
It is going to take someone like Google to force us to switch.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
is why didn't we just go for an extension?
That would have made too much sense and the IPv6 committee wanted to build a monument.
Have you got your LWN subscription yet?
Putting the remaining 2 sections on a separate portion of the packet, keeping the first 4 sections normal, would allow legacy hardware to route these, yet it would be trivial to make new hardware understand them.
This would have made minimal to no impact whatsoever for backbone networks at this moment, all it would have needed are:
- Some new edge routers for those who wish to extend
- Software update to operating systems of trivial level
- Instead of Class Cs given for new applicants, you give just a Class D (what is now single IP address)
So they go into the payload? Thus decreasing the amount of real, useful data that you can actually put into the packet and increasing the total number of packets flowing through the backbone, as well as the total amount of data that's being pushed through. This quite obviously impacts the backbone.
You seemingly haven't considered low-MTU links, either. The extra data you have to put into the packet will really start to add up there.
> - Software update to operating systems of trivial level
Networking stacks are hard--not because the protocol itself is hard, but because interoperability is absolutely essential. We can't get IPv4-only network stacks right. To suggest that this would be a trivial modification blows my mind.
- System requests dns for slashdot.org
- Switch detects this and waits for response
- Response is arriving, switch looks into the results: (changed to extended)
slashdot.org. 3583 IN A 216.34.181.45.100.100
Changes response IP to:
224.216.100.100
And this adds a huge amount of complexity by breaking the networking stack model wide open. Switches modifying content? No. Just...no.
Assuming you don't want to use VNC, VoIP, IM file transfers, bittorrent, access your home DVR remotely... sure, it's workable! It's as workable as a backup to the Internet as candles are a backup to electricity.
My blog. Good stuff (when I remember to update it). Read it.
Y2K was only a minor issue BECAUSE every programmer and their cousin was busy fixing the bugs for several years. A few million man-hours and workarounds from hell later, you'd expect things to function fine. There were vendors that ignored the issue and it is those vendors that reported problems in 2000. It is THOSE examples you should look at, because THAT is what your world would have been had the rest of us not fixed things for you. Be grateful, wretch, that we bothered. Because next time we might not. And there is NOTHING you can do or say to change that.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Hey, did you actually read the fucking article?
What djb says is exactly what's wrong with IPv6.
No, IPv6 clients cannot, under any circumstances, talk to IPv4 ones. They also have to run IPv4. There is no conversion at all, and the IPv4 address space 'inside' IPv6 will never, under any circumstances, be turned into IPv4 when it hits the 'edge' of IPv6, nor will it be turned into IPv6 going the other way.
And, no, routers cannot 'convert' between protocols, as there is no way to convert back and forth. There are ways to tunnel, but no way to convert. The IPv4 address space in IPv6 is just a goofy allocation scheme, saying 'If you have some addresses in another protocol, you get these addresses free also.' They are utterly different addresses in any sense of the word, you can have them on different computers or even different networks.
Christ, you read an article about how IPv6 is broken because the way that people expect the upgrade to work is broken, and you walk away going 'What an idiot. The way people think it works is great, and I've decided to ignore the place where he points out that that is not, in fact, how it actually works.'
How you think it works, how everyone including djb thinks it should have worked but doesn't, was not chosen, for no apparent reason. Instead, we've got a damn stupid 'dual stack' approach.
Incidentally, I'm no djb fanboy, he's a total idiot in my book. He has no idea of the proper way to actually follow standards and write software, instead choosing to invent entirely different control systems, and that's just the start of the problem.
But that doesn't mean anything written by him is wrong. He's exactly right about how IPv6 fucked up, and if it had been a superset of IPv4 we might actually have an internet that's 90% IPv6 and 10% IPv4, and we'd be talking about the sysadmin's hard choice to keep paying for IPv4-compat IPs or use IPv6-only IPs.
Instead, IPv6 is still almost completely unused, and we've run out of fucking time.
If corporations are people, aren't stockholders guilty of slavery?
Ahh, a denier. I've seen you people too. The estimates that you claim to hear periodically keep on changing as the estimates change. I think you are mistaking early warnings for estimates that IPv4 will run out of addresses in a short period of time.
For the past 3 years, the date has remained relatively consistent. I have a nice phone app that shows exactly how many blocks are left. The number's been going down right on schedule.
Need a Python, C++, Unix, Linux develop
It's modded funny, but it would actually get the job done. There would be a few holdout ISPs claiming they don't support v6 "for the children", but most would be falling all over themselves to make sure they had v6 up and running by the day porn goes dark on v4.
... And every home user doesn't need a public IP. And every desktop in your enterprise doesn't need a public IP. Q1 2010, Verizon reported 3.6 million FiOS Internet customers. [vzw.com] Comcast reports 14.4 million high speed (not dialup) Internet customers. The majority of those customers don't need public IPs, nor do they even know what to do with them.
The way the internet is meant to work pretty much requires their addresses to be globally routable but these days we have a bunch of hacks in various layers to deal with the lack of available globally routable addresses. And it's not going to get better five or ten years from now.
I believe the routers that they're already transiting to reach the Internet at large are also capable of NAT. Assuming full utilization of their address space, that's greater than a single /8. More than likely they are operating at 50% to 80% of their address space.
Who are "they"? The end user? The ISPs?
There are lots of ways to manage IPv4. The drive to IPv6 isn't a drive. It's a haphazard stumble towards a new standard. The problem is, it isn't a standard. Most providers haven't purchased their IPv6 blocks. Even if I, Joe Provider, bought myself a nice fat IPv6 block, my upstream providers aren't routing IPv6 yet. Common web sites are not advertising their IPv6 address, because it will cause non-IPv6 users to hang until the invalid address times out. google.com does not have an AAAA record. ipv6.l.google.com does. slashdot.org doesn't have an AAAA record, nor do they appear to have any subdomains for it. Why? Probably because their upstream provider doesn't support it yet.
Plenty of medium to large ISPs use IPv6 in their networks, they just don't offer it to residential or basic business customers, sometimes you have to pay extra, sometimes you have to sign a piece of paper stating that you understand that your SLA doesn't cover the IPv6 part of the connection...
As for google.com, that's something Google did on purpose since there are so many machines out there stuck on misconfigured networks that would otherwise try to reach the IPv6 address even though they don't actually have IPv6 access (I've worked for an ISP like this, they announced IPv6 on the network but didn't actually route traffic, completely retarded but they were happy just telling tech support to inform customers that they needed to "disable IPv6 since it's incompatible with the regular internet").
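The "hang until the invalid address times out" that the two posts above describe, as an added example that is not from this thread: a simulated dual-stack client in Python that contrasts the naive try-each-address-in-turn connect with the staggered race later standardised as Happy Eyeballs (RFC 6555). The addresses, timings and the connect() behaviour are constructed, not measured.

```python
"""Dual-stack connect: sequential fallback vs. a Happy-Eyeballs-style race."""
import socket
import threading
import time

# Constructed resolver output for a name with both AAAA and A records; getaddrinfo()
# normally orders the IPv6 candidate first (documentation/TEST-NET addresses).
SAMPLE_ADDRS = [(socket.AF_INET6, "2001:db8::1"), (socket.AF_INET, "192.0.2.10")]

def broken_v6_connect(family, host, timeout):
    """Simulated connect() on the misconfigured network from the thread: IPv6 is
    announced but never routed, so the v6 SYN is unanswered and the attempt only
    fails when the timeout fires. IPv4 answers almost immediately."""
    if family == socket.AF_INET6:
        time.sleep(timeout)
        return False
    time.sleep(0.02)
    return True

def working_connect(family, host, timeout):
    """Simulated connect() on a network where both families are routed."""
    time.sleep(0.02)
    return True

def sequential_connect(addrs, connect, timeout=0.5):
    """Pre-Happy-Eyeballs client: exhaust each candidate before trying the next.
    With broken IPv6 the user waits the full timeout before IPv4 is even tried."""
    start = time.monotonic()
    for family, host in addrs:
        if connect(family, host, timeout):
            return (family, host), time.monotonic() - start
    return None, time.monotonic() - start

def happy_eyeballs_connect(addrs, connect, timeout=0.5, head_start=0.1):
    """Start the preferred (IPv6) attempt, give it a short head start, then race
    the next candidate in parallel; the first attempt to connect wins."""
    start = time.monotonic()
    winners, done = [], threading.Event()
    def attempt(cand):
        if connect(cand[0], cand[1], timeout):
            winners.append(cand)
            done.set()
    for cand in addrs:
        threading.Thread(target=attempt, args=(cand,), daemon=True).start()
        if done.wait(head_start):   # preferred family answered quickly: stop here
            break
    done.wait(timeout)              # otherwise wait for whichever race entry finishes
    return (winners[0] if winners else None), time.monotonic() - start

if __name__ == "__main__":
    for name, fn in (("sequential", sequential_connect), ("happy eyeballs", happy_eyeballs_connect)):
        cand, secs = fn(SAMPLE_ADDRS, broken_v6_connect)
        print(f"{name:15s} broken v6 -> {cand} after {secs:.2f}s")
```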
The Internet works because all parties from Point A to Point B agree on how the network is supposed to work. They've invested countless billions of dollars in their hardware. Sure, there's been a lot of IPv6 capable hardware out there for a while, but that doesn't mean that any of them have done anything at all with it. There's been some spot testing, but nothing widespread, like on the entire Internet.
There are actually lots of IPv6 users, but we're still the minority. The main problem is that people have been pointing out that we need to migrate to IPv6 for 15 years or so now but managers and incompetent sysadmins without foresight have stubbornly refused with arguments along the lines of "Oh, we don't need IPv6 support now, and we'll write this hardware off in three years, then we'll see what the situation is like". And five years later they're complaining about how they don't want to replace said hardware...
Greylisting is to SMTP as NAT is to IPv4
Yes, we do. NAT is a major blocking factor in the development of distributed P2P software - and I'm not only talking about uTorrent, but apps like Spotify, Joost, Skype, SwarmPlayer and dozens of others. Not to mention software important for free speech and prevention of censorship like Freenet and Tor.
Just because common users won't be installing Apache or Postfix doesn't mean they don't benefit from the possibilities that a public IP provides.
And companies will procrastinate^W "rationally manage resources" for another 10 years and then we'll be in the same situation as now. People have been warning about the IPv4 depletion for more than 10 years; we didn't just find out about it.
Dilbert RSS feed
Adding a few bits would be no easier than adding 96.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
My Vonage (VoIP) works just fine behind a NAT and my DVR calls out to a remote service from which I control it. I don't need VNC or bittorrent. Neither do 99% of the folks who buy residential Internet service. If you're one of the 1% that does, you buy the static IP address option for an extra five bucks. No muss, no fuss.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.