Slashdot Mirror
There Is No Plan B, the Ugly Transition To IPv6
An anonymous reader writes "The Internet is running out of IPv4 addresses — not at some point in the future, but right now. But the only solution to the problem, IPv6, is just now really starting to be deployed. That's why we're all in for some tough times ahead."
Nobody cares, nor needs to, except the ISP's and hosting outfits. If they provide a nice 6-4 proxy (or whichever way around it is), 99.999% of users can continue doing everything they normally do. I've done it on several of my machines in the past, been in the IPv6 net and browsed IPv6 websites to confirm it, and I never once had to touch my IPv4 config or do anything too fancy - certainly nothing that an ISP couldn't do transparently from their side of the net.
It's an issue if you're hosting websites, because then your site needs to be accessible from the IPv6 addresses, but that's an issue for the hosters, most of the biggest of which are managed hosting outfits that can switch that on overnight if they haven't already - if they are allocating static IPv4 addresses, it's just a matter of translating and passing on IPv6 requests for a recognised IPv4 equivalent address to an internal IPv4 network. The root DNS servers are running IPv6 already, etc. There's absolutely nothing to stop this just working on most people's machines today and, no, not every machine needs to upgrade to IPv6 addressing in order to do that. In fact, if anything, suggesting that internal business networks suddenly become IPv6 addressable is the most stupid suggestion in the history of the world - most places just want an "4-6 convertor" in layman's terms and they'll tick along quite nicely on their internal 10, 176, and 192's without caring. Most places would run absolutely fine, the only place it matters is the extreme borders of the Internet.
People don't run IPv6 not because of any of those reasons in the article but because a) they haven't heard of it, b) ISP's don't support it or won't do it for them automatically and c) a lot of OS's never come preconfigured to use IPv6 if it's available. Oh, and of course, d) nobody will care until their IP address allocation requests start getting turned down.
It's not a big deal, it's not going to kill NAT's and 30 years from now there will STILL be local networks, internal VoIP systems, print-servers and whatever else using IPv4 addressing because it's a damn sight easier to leave a working config alone than to upgrade/replace every bit of hardware that touches IP. I can use IPv6 today. There's absolutely no need to until every link in the chain supports it and that's still YEARS away even with US government backing. And even then, IPv4 isn't going anywhere - it's just being superceded. It's like saying that all SSH servers have to switch to SSH2, or all wireless LAN's to 802.11n - it'll happen, and a little nudge won't hurt, but overall people just don't care enough for the majority of cases and their old stuff will still work on IPv4 in 20-30 years time if it's still operational.
Tell me when even 5% of the websites that I use regularly are available over IPv6 and I'll look at setting up my VPS to do the same.
And at every job I've worked in the past 5 years, management has completely had their head in the sand about it. :-( And none of the developers understood enough about IPv6 to push in an even faintly credible way. :-(
I've been running IPv6 on my home network since about 2002. It's just not that hard. In fact, it's a lot easier than running IPv4. My IPv4 home network has a seriously contorted configuration because of the constrained addressing. When I wasn't even given a block of IPs but instead given X number of individual IP addresses it was even worse. My IPv6 network, OTOH, is configured quite simply and obviously.
OTOH, even though I've had an IPv6 DNS server for ages, my stupid registrar STILL does not support IPv6 glue records. It's ridiculous. The standard has been stable enough to do something like that for at least 3-4 years now. I just want to strangle them.
Last I checked, we only have about 200 days before ARIN stops being able to hand out new IPv4 addresses. It's around 7 months. After that, hosts start appearing on the Internet that only have IPv6 addresses. The connectivity breakage will be slow, subtle and inexorable. I bet it takes the tech industry at least another 5 or 6 years before they have to fix the problem or not have customers, and I bet it won't be fixed before then. So very very stupid.
Need a Python, C++, Unix, Linux develop
blablablabla. i99% of the times, NAT is in conjunction with a stateful firewall. That's why people say NAT = FIREWALLED.
And yet, if you RTFA (I know, I must be new here) he talks about how dropping NAT led to having to use a firewall.
Windows ICS NAT never saved anybody. The machine which would be compromised is behind another system of the same or similar OS and vulnerabilities.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Only if you consider the possibility of getting a letter from the RIAA/MPAA's lawyers trying to blackmail you for several thousand dollars because some teenager sharing your IP via NAT decided to torrent the latest Uwe Boll movie "disastrous".
Although, I guess if sharing IPs will make it more difficult for the RIAA/MPAA to "legally blackmail" people it can't be all bad.
This sig is in another castle.
Nah you just ping the address you know and the machine behind that one still get borked.
Great.
I doubt OMGYOUCAN'TPINGME is the greatest benefit.
While that might have been a better design, smarter people than me decided it wasn't practical to approach it that way
The problem with the approach is that it's very difficult to do in a way that doesn't break backwards compatibility, and if you're going to break compatibility then you may as well fix other things at the same time.
One option, for example, might have been to get rid of the port field as a fixed length and make network, machine, and port number all combined in the same way that network and machine addresses are now. This would let you have, for example, 256 ports per machine while getting 256 times as many IP addresses, or doubling the available addresses at the cost of only having 32K ports per machine. Only the routers at the very last hope would need any modification for this to work. Since you only need a unique port for each app that connects to the Internet (you can reuse ports, as long as the remote end is different), 2^16 is a lot more than most machines need, and losing 3-4 bits from the port field would be a lot more convenient than NAT for a lot of home users.
Of course, that would still not be a good long-term solution. After a little while, you'd end up with the port field being shortened so much that people would complain. You'd also have the problem that you actually use the variable-length port field, every machine on your local segment would need an upgraded network stack, and protocols that expected to be able to use high port numbers would have serious problems.
The effort in deploying such a solution would only be slightly lower than the effort of deploying IPv6 and it would be a significantly inferior long-term fix.
I am TheRaven on Soylent News
attackers don't only come from the Internet. The "hard shell, gooey centre" security model is doomed now that people are buying laptops, ipads, iphones etc. Mobile devices need to protect themselves, and since everybody is buying mobile devices, upstream network located firewalls are losing their effectiveness.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
Is it not entirelly impossible that IP vendors, network providers, ISPs and hosting companies have already accumulated or say squattered enough 4byte IPs to take advantage of the upcoming IP shortage situation and are not rushing the much needed IPv6 hardware deployment as they should?
For your information, plan B is ISP NAT and a zero-sum game address transfer market. That would allow us to reallocate upwards of 80% of IPv4's addresses, extending the life of IPv4 some 10 to 20 years. It's not a fun prospect, but it's eminently workable -- perhaps even more so than IPv6.
So, anyone who says there's no plan B doesn't know what they're talking about.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
So why do we need entire replacement protocol?
Let's see, IPv6 autoconfiguration is nice, but DHCP is working fairly well by now. So no need for a new protocol here. No checksums for mutable header IP fields? Nice, but does it require a whole new protocol?
What else? Multihoming? Nope, IPv6 doesn't help here. Mobile IPv6? That's just a result of a large address space, so nothing new here.
So, why do we need a replacement protocol if not because of a larger address space?
Really?
Well, ok, a little recap:
IPV6 has been resisted by virtually all major players, with few exceptions.
IPV6 is poorly tested in the real world. We will see massive problems getting it working.
IPV6 WILL WORK. It will take some time.
IPV6 will coexist with IPV4 poorly, and we will see a dramatic changeover as the critical mass of IPV6 nodes comes online, and IPV4 is more trouble than it's worth to keep around for a little while longer. My estimate, 3 years.
Asia will lag behind in IPV6 adoption.
Some interesting points:
The U.S. Department of Defense holds 11 Class A blocks. If they could reduce their usage to just 3, we could give IPV6 another 3 years of grace. But:
- If we give IPV6 3 more years, it will still take 3 years from then to substantially implement it. And the industry will take those 3 years to avoid the pain.
- The DOD will need at least 5 years to reorganize and give back those Class A blocks. The Navy alone will need 2 years to negotiate with EDS/HP to make the changes. Read up on NMCI and you will recognize a genuine military-grade CF. NMCI is a failure. IPV6 would merely give EDS/HP another opportunity to gouge the service. They rarely miss these opportunities.
- There are several Class A block owners that look like better candidates for either conversion or elimination. None seem ready to do what the DOD would have to do, i.e. spend massive amounts of time and money to make a change for the community, without any real benefit to them.
Just some personal IPV6 observations:
I had two different Fedora distros fail for me at home because IPV6 was turned on and both my router (Linksys WRT54G stock F/W) and my ISPs (Cox and Qwest) fritzed their IPV6 implementations. No, wait, both ISPs had no working IPV6 in the Phoenix area in 2005-2008, despite claims to the opposite. The Linksys I will probably have to reload with something more useful, but it's the early one that can take a lot of new firmware.
Oh, and turning off IPV6 in each Fedora release required different and arcane methods. A hint to the Linux community - common and stable configuration methods would be a blessing. And not just a GUI. I know, security, security, security. I can assure you, my broken Fedora builds were secure, even from me. A stopped clock is right twice a day.
I think my Ubuntu distro left IPV4 on and IPV6 off, but I haven't looked. It works, and has for 3 years.
Despite the clamoring for IPV6, it just has no traction. Why bother yet? Like a lot of things, crisis will have to escalate to failure before this gets fixed.
If Jon Postel were still with us, he would have already made this happen. I miss him so. We need individuals that drive Internet management and administration, not groups. Internet by committee is failing. Can we not find anyone trustworthy to lead Internet functionality at this level?
No, Stallman is not the answer. And nobody at Sun/Oracle either.
deleting the extra space after periods so i can stay relevant, yeah.
Seriously why do 3/4ths of these companies even have /8 addresses? do every one of their workstations in the company have a publicly routable address on them?
Ford certainly use addresses in their 19.0.0.0/8 space for employee workstations, even though none of those machines is accessible from outside.
Ydco co
Basically, this is what is going to happen:
Some ISP somewhere with a /20 is going to project that in 6 months time they will be out of IPs, /20.
and it's going to be too expensive to buy another
So they are going to buy some Cisco-hardware-NAT-appliance and say to their customers: "look here,
you are all on NAT from now on, if you want a real IP you pay extra."
This NAT box will NAT a /20 to a /24 of temp addresses+ports. It will be plug-n-play and
easier than setting up IPv6.
99.9% of customers won't read the announcement and won't notice. They are all NATing through
their DSL modems anyway, and this Cisco equipment will have hacks for all those special
apps that need it to work behind double NATing.
And no one will ever think of switching to IPv6
-paul
A friend of mine just colocated his server. The colo he used gave him 4 or 5 IP addresses for his single computer. Even though he is running VM's, he does not need 4 IP's.
This kind of thing is happening everywhere. Cleaning up that kind of junk will give us time to convert to IPv6
That is a 2006 map. So it's out of date. But first, the outright errors:
Top right block? Instead of green grass it ought to be missing. There is no way to use that space for anything, because it was marked as class D experimental space and so various devices (including old Windows PCs) exist which won't believe such addresses are Unicast. No way to fix that in reasonable time.
10 is green on the map. But it's reserved. The lack of _public_ addresses in 10/8 is necessary in order for them to work as _private_ addresses, so we can never allocate these publicly.
Now onto the updates:
77-79 marked "unused"? Not any more.
The green area (172 upward) in the bottom right? A few islands are left, but the vast majority is now earmarked, and a lot is already in active use.
The grass around "North America" in the bottom part of the map is depleted, but some is still there. The 92-95 lump sticking into "Europe" is all used though, as is all the stuff toward "Asia-Pacific" from 112 and up.
Today there are 14 of those grassy square blocks left to allocate. There are 5 RIRs (ARIN, RIPE, APNIC, AfriNIC, LANIC) and they'll each get one last block no matter what, as a sort of "farewell, and good luck". So there are nine blocks left before that happens. Typically 2-3 are assigned at a time. So we may be only three more assignments away from Exhaustion. It could happen in six months, or nine, but it won't be years.
NAT didn't exist in its present form when these addresses were handed out. The assumption was that every machine on the Internet was a routable entity unto itself.
IPv6 brings back that concept, with all its benefits and security issues.
- Michael T. Babcock (Yes, I blog)
4) It's Just Not Fair. Why should Ford, Apple, and HP be forced to give their /8s back when Level 3 and AT&T get to keep and resell theirs?
If you can think of a way to expand the address space without expanding the number of bits in the address, I think there's a Nobel prize in it for you.
But to answer your concern, you should look into this cool new technology: http://en.wikipedia.org/wiki/Domain_Name_System
I got shit canned by University of Chicago Hospitals for threatening to report their network manager, Tony Rubino to ARIN for misuse of their multiple class B address space. As the SOP, they use public address space on workstations that do not have internet access. RFC1918 address space would have been more appropriate here. Their utilization, as seen by the outside internet, is less than 1%. Last laugh will be on them when they are effectively forced to deploy IPv6 (or RFC1918 space for that matter) in the future. It's great, as a network engineer, to be able to say, "I TOLD YOU SO!" Many of these large companies, like Ford and IBM do the same thing as U of C Hospitals. I've worked for Ford and IBM as well in the past and the mindset is all ego based. One Ford engineer told me "We're too big to have ARIN take back space." Push is coming to shove and in 2011 I expect ARIN to be auditing and scrutinizing companies a lot closer on their RFC2050 compliance as outlined in the ARIN IP usage/utilization agreement. Just my two cents worth.
Maybe, maybe not. I'm not so sure it is harder now. We are just far more cowardly than we were in the mid 1990s and far less staffed up for change. Heck we got the country moved from DOS to Windows which meant replacing essentially all the hardware. We got the whole world hooked up on local lans, which involved physically touching every computer in the USA.
We scoped it, we did it.
What's changed is that:
1) People are much more dependent on the internet.
2) We've lost the manpower we used to have
I'd love to see IPV6 help fix (2).
The internet was undergoing explosive growth in 1995 people were distracted and focused on change that was happening monthly. There really is nothing complex about doing the shift to IPV6 by 1990s standards. You go in you, you tell people how to switch to the new system, you replace the old equipment with the new; configure away any bugs.
Further, the internet is big enough now that the FCC for example could just declare various days that things happen.
Feb 1, 2011 all ISP must provide IPV6 technology or lose their right to use of telecommunications / cable company interconnects for data.
April 1, 2011 All corporations operating in the United with over 50 employees must have a list of all routers and switches not IPV6 capable or lose their right to business class connectivity.
etc.... It really isn't that hard to do as a series of dictates. The US government used to lead on technology shifts. They refused to so under the GW Bush administration but that doesn't mean they couldn't go back to leading like they did under Clinton and HW Bush.
So in 1995 it would have been much easier when getting on the internet was supposed to be hard, and people expected it to be tricky and thus followed instructions. Also far fewer protocols you had to get working all at once. On the other hand you don't have a unified infrastructure. In 1994 I still would have believed that gopher was more important protocol than HTTP as far as information sharing.
Moreover I'm not even sure people would have wanted it. I would have wanted a much more hierarchical internet like we had but were losing. That sort of internet allowed for community, a low security environment. Things like spam, heck advertising didn't exist. I wouldn't have seen enabling commercial activity the way it exists today as a good thing. I probably would have been against the massive proliferation which is the whole point of IPV6. Widespread internet ubiquity destroyed accountability. We still had an open internet in 1995. If I could have looked 5 years in the future I'd see how cool the commercial internet would become and absolutely I'd say that's worth losing the open internet. But in 1995?
Remember the commercial people were online service providers that offered internet as a gimmick on top of their core offerings.
So no, I don't think its harder now. Its more work absolutely but that not the same thing.