There Is No Plan B, the Ugly Transition To IPv6
An anonymous reader writes "The Internet is running out of IPv4 addresses — not at some point in the future, but right now. But the only solution to the problem, IPv6, is just now really starting to be deployed. That's why we're all in for some tough times ahead."
Why is it that problems never seem to get corrected until they are well and truly disastrous in scope?
Wow. DJB misunderstands something?
Say it ain't so, Joe!
(His piece, written in his usual "I am not at all nuts" style, assumes that IPv6 is *solely* a new "address space", and not an entire replacement protocol.)
(While that might have been a better design, smarter people than me decided it wasn't practical to approach it that way, so listing the ways in which that wasn't well implemented is useless, since *that wasn't what they were TRYING to implement*; the entire page is a strawman.)
It *is* a security mechanism: you can't Ping Of Death a machine that doesn't have a routable address from the public Internet.
That doesn't say it's a *sufficient* security mechanism for any specific threat, but saying simply that it is *not* one is ignorant.
Serious question. I already have an IPv6 address, why doesn't Slashdot have one?
Follow your Euro bills at EBT
Actually you might say we've been running out of them since the moment the first one was assigned...
One issue with NAT is the difficulty in running a server. I like being able to ssh to my home computer when I am at work; but behind NAT, that becomes more difficult (not impossible, just more difficult).
Palm trees and 8
The notion that a border firewall was a sufficient security mechanism ended when the portable computer was invented, which is to say, it was never a valid concept. Indeed you could make the case that telecommunications itself basically invalidates the idea. Get someone to hook up a modem to some internal system and you've got an attack surface.
It's truly distressing how many effective security mechanisms go unused for lack of a user interface. SELinux has the potential to make system intrusion all but a thing of the past, but it is tragically underutilized because it is difficult to create a useful profile. NX/DEP goes unused in many cases because it causes compatibility problems. All POSIX.2 systems have ACLs but virtually none of them use them because there are no GUI tools. Firewalling did not become popular for user desktops until the various add-on firewalls for Windows with autoconfiguration interfaces appeared (e.g. ZoneAlarm.) I'm sure some other people can imagine some other even more excellent examples... well, actually, it's hard to imagine a better example than SELinux. But I really want ACLs, and I'm kind of annoyed that GNOME or KDE hasn't taken a stab at them yet.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
At the rate that we're exhausting addresses, even if it were possible to schedule and reclaim more than one Class A a month, we'd only be postponing the inevitable... by about a month.
And that assumes you can move all of their infrastructure off their class A in that time, maybe when your team gets around to dealing with , you realize it could take a year long migration.
Yeah, that'll work.
It's probably just not worth the trouble. I looked at the rate of /8 allocations: over the past 10 years, we've allocated an average of 8 /8s per year to the RIRs. That means clawing back a Class A will buy us about 45 days. It's probably just not worth the trouble to get an extra 45 days.
There are two major reasons why this almost certainly won't happen. The first reason is that at the current rate of use this would delay IPv4 exhaustion by only a few months to a year.
The second is that for an organisation to claim such a large block of addresses, it must have done so relatively early in history. That probably means the organisation is a technology group or another organisation which has had a vested interest in the internet for a very long time. Over those decades, there's a good chance that the organisation has swelled up to make maximum use of its assigned address spaces, and rearranging its network and systems for greater efficiency would be a mammoth undertaking for relatively little gain (see above).
qntm.org
Assuming you don't want to use VNC, VoIP, IM file transfers, bittorrent, access your home DVR remotely... sure, it's workable! It's as workable as a backup to the Internet as candles are a backup to electricity.
My blog. Good stuff (when I remember to update it). Read it.
Y2K was only a minor issue BECAUSE every programmer and their cousin was busy fixing the bugs for several years. A few million man-hours and workarounds from hell later, you'd expect things to function fine. There were vendors that ignored the issue and it is those vendors that reported problems in 2000. It is THOSE examples you should look at, because THAT is what your world would have been had the rest of us not fixed things for you. Be grateful, wretch, that we bothered. Because next time we might not. And there is NOTHING you can do or say to change that.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Hey, did you actually read the fucking article?
What djb says is exactly what's wrong with IPv6.
No, IPv6 clients cannot, under any circumstances, talk to IPv4 ones. They also have to run IPv4. There is no conversion at all, and the IPv4 address space 'inside' IPv6 will never, under any circumstances, be turned into IPv4 when it hits the 'edge' of IPv6, nor will it be turned into IPv6 going the other way.
And, no, routers cannot 'convert' between protocols, as there is no way to convert back and forth. There are ways to tunnel, but no way to convert. The IPv4 address space in IPv6 is just a goofy allocation scheme, saying 'If you have some addresses in another protocol, you get these addresses free also.' They are utterly different addresses in any sense of the word, you can have them on different computers or even different networks.
Christ, you read an article about how IPv6 is broken because the way that people expect the upgrade to work is broken, and you walk away going 'What an idiot. The way people think it works is great, and I've decided to ignore the place where he points out that way is not, in fact, how it actually works.'
How you think it works, how everyone including djb thinks it should have worked but doesn't, was not chosen, for no apparent reason. Instead, we've got a damn stupid 'dual stack' approach.
Incidentally, I'm no djb fanboy, he's a total idiot in my book. He has no idea of the proper way to actually follow standards and write software, instead choosing to invent entirely different control systems, and that's just the start of the problem.
But that doesn't mean anything written by him is wrong. He's exactly right about how IPv6 fucked up, and if it had been a superset of IPv4 we might actually have an internet that's 90% IPv6 and 10% IPv4, and we'd be talking about the sysadmin's hard choice to keep paying for IPv4-compat IPs or use IPv6-only IPs.
Instead, IPv6 is still almost completely unused, and we've run out of fucking time.
If corporations are people, aren't stockholders guilty of slavery?