There Is No Plan B, the Ugly Transition To IPv6
An anonymous reader writes "The Internet is running out of IPv4 addresses — not at some point in the future, but right now. But the only solution to the problem, IPv6, is just now really starting to be deployed. That's why we're all in for some tough times ahead."
Maybe we should reclaim some of AOL's massive block of addresses. It would help a little in the short run. And they sure aren't using them.
What? We're running out of IPv4 addresses? Why are we only learning this NOW? This is an outrage! Why haven't tech sites told us about this problem sooner...say, several times a year?
Why is it that problems never seem to get corrected until they are well and truly disastrous in scope?
We should just censor half the internet and reclaim those IP addresses! That should solve the problem and give us plenty of time to move to IPv6!
Hey, it looks like our "tech-aware" government is already trying that -- never mind!
Wow. DJB misunderstands something?
Say it ain't so, Joe!
His piece, written in his usual "I am not at all nuts" style, assumes that IPv6 is *solely* a new "address space", and not an entire replacement protocol.
(While that might have been a better design, smarter people than me decided it wasn't practical to approach it that way, so listing the ways in which that wasn't well implemented is useless, since *that wasn't what they were TRYING to implement*; the entire page is a strawman.)
It *is* a security mechanism: you can't Ping Of Death a machine that doesn't have a routable address from the public Internet.
That doesn't say it's a *sufficient* security mechanism for any specific threat, but saying simply that it is *not* one is ignorant.
Nobody cares, nor needs to, except the ISPs and hosting outfits. If they provide a nice 6-4 proxy (or whichever way around it is), 99.999% of users can continue doing everything they normally do. I've done it on several of my machines in the past, been in the IPv6 net and browsed IPv6 websites to confirm it, and I never once had to touch my IPv4 config or do anything too fancy - certainly nothing that an ISP couldn't do transparently from their side of the net.
It's an issue if you're hosting websites, because then your site needs to be accessible from the IPv6 addresses, but that's an issue for the hosters, most of the biggest of which are managed hosting outfits that can switch that on overnight if they haven't already - if they are allocating static IPv4 addresses, it's just a matter of translating and passing on IPv6 requests for a recognised IPv4 equivalent address to an internal IPv4 network. The root DNS servers are running IPv6 already, etc. There's absolutely nothing to stop this just working on most people's machines today and, no, not every machine needs to upgrade to IPv6 addressing in order to do that. In fact, if anything, suggesting that internal business networks suddenly become IPv6 addressable is the most stupid suggestion in the history of the world - most places just want a "4-6 converter" in layman's terms and they'll tick along quite nicely on their internal 10, 176, and 192's without caring. Most places would run absolutely fine, the only place it matters is the extreme borders of the Internet.
People don't run IPv6 not because of any of those reasons in the article but because a) they haven't heard of it, b) ISPs don't support it or won't do it for them automatically and c) a lot of OSes never come preconfigured to use IPv6 if it's available. Oh, and of course, d) nobody will care until their IP address allocation requests start getting turned down.
It's not a big deal, it's not going to kill NATs and 30 years from now there will STILL be local networks, internal VoIP systems, print-servers and whatever else using IPv4 addressing because it's a damn sight easier to leave a working config alone than to upgrade/replace every bit of hardware that touches IP. I can use IPv6 today. There's absolutely no need to until every link in the chain supports it and that's still YEARS away even with US government backing. And even then, IPv4 isn't going anywhere - it's just being superseded. It's like saying that all SSH servers have to switch to SSH2, or all wireless LANs to 802.11n - it'll happen, and a little nudge won't hurt, but overall people just don't care enough for the majority of cases and their old stuff will still work on IPv4 in 20-30 years time if it's still operational.
Tell me when even 5% of the websites that I use regularly are available over IPv6 and I'll look at setting up my VPS to do the same.
And at every job I've worked in the past 5 years, management has completely had their head in the sand about it. :-( And none of the developers understood enough about IPv6 to push in an even faintly credible way. :-(
I've been running IPv6 on my home network since about 2002. It's just not that hard. In fact, it's a lot easier than running IPv4. My IPv4 home network has a seriously contorted configuration because of the constrained addressing. When I wasn't even given a block of IPs but instead given X number of individual IP addresses it was even worse. My IPv6 network, OTOH, is configured quite simply and obviously.
OTOH, even though I've had an IPv6 DNS server for ages, my stupid registrar STILL does not support IPv6 glue records. It's ridiculous. The standard has been stable enough to do something like that for at least 3-4 years now. I just want to strangle them.
Last I checked, we only have about 200 days before ARIN stops being able to hand out new IPv4 addresses. It's around 7 months. After that, hosts start appearing on the Internet that only have IPv6 addresses. The connectivity breakage will be slow, subtle and inexorable. I bet it takes the tech industry at least another 5 or 6 years before they have to fix the problem or not have customers, and I bet it won't be fixed before then. So very very stupid.
blablablabla. 99% of the time, NAT is in conjunction with a stateful firewall. That's why people say NAT = FIREWALLED.
And yet, if you RTFA (I know, I must be new here) he talks about how dropping NAT led to having to use a firewall.
Windows ICS NAT never saved anybody. The machine which would be compromised is behind another system of the same or similar OS and vulnerabilities.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Just force all porn sites on the internet to be accessible from IPv6 addresses only.
Serious question. I already have an IPv6 address, why doesn't Slashdot have one?
So, what are the best ways to profit from this crisis?
Hoarding IP addresses is an obvious way, but that market seems pretty crowded already.
Actually you might say we've been running out of them since the moment the first one was assigned...
While that might have been a better design, smarter people than me decided it wasn't practical to approach it that way
The problem with the approach is that it's very difficult to do in a way that doesn't break backwards compatibility, and if you're going to break compatibility then you may as well fix other things at the same time.
One option, for example, might have been to get rid of the port field as a fixed length and make network, machine, and port number all combined in the same way that network and machine addresses are now. This would let you have, for example, 256 ports per machine while getting 256 times as many IP addresses, or doubling the available addresses at the cost of only having 32K ports per machine. Only the routers at the very last hop would need any modification for this to work. Since you only need a unique port for each app that connects to the Internet (you can reuse ports, as long as the remote end is different), 2^16 is a lot more than most machines need, and losing 3-4 bits from the port field would be a lot more convenient than NAT for a lot of home users.
Of course, that would still not be a good long-term solution. After a little while, you'd end up with the port field being shortened so much that people would complain. You'd also have the problem that if you actually use the variable-length port field, every machine on your local segment would need an upgraded network stack, and protocols that expected to be able to use high port numbers would have serious problems.
The effort in deploying such a solution would only be slightly lower than the effort of deploying IPv6 and it would be a significantly inferior long-term fix.
I am TheRaven on Soylent News
One issue with NAT is the difficulty in running a server. I like being able to ssh to my home computer when I am at work; but behind NAT, that becomes more difficult (not impossible, just more difficult).
Attackers don't only come from the Internet. The "hard shell, gooey centre" security model is doomed now that people are buying laptops, iPads, iPhones etc. Mobile devices need to protect themselves, and since everybody is buying mobile devices, upstream network located firewalls are losing their effectiveness.
It's the unnecessary use of IPv6 on private networks.
What limitations? My iPhone is on NAT. What will IPv6 allow me to do on it that I can't do now?
The original idea of the Internet was a network of peers. Every address was globally routable, and any machine could host content.
There are obvious security issues with this... Which is why we've got firewalls... But there wasn't really anything standing in the way of you hosting a game server, or website, or whatever on your home machine.
NAT now stands in the way of you doing this. NAT has destroyed the whole "network of peers" thing.
NAT is fine for simply consuming content. For your iPhone, for example, I doubt if it's an issue. And if you're just loading up random web pages at home, or connecting to WoW, or whatever - you'll be fine.
But if you want to host a web page at home you're going to have to not just open the ports in your firewall, but forward the traffic from your outside IP to the inside IP. And if you want a second box to serve up a web page too? Too bad. You only get one port 80 per IP address, and you've only got one globally routable IP address.
Again, if all you're doing is consuming, this isn't all that much of a problem. But then you aren't a peer, either.
Where this starts to be more of an issue is with various devices that we now want to be able to communicate with remotely. It's becoming more and more common for people to want to remote into home computers. Or maybe program a DVR remotely. Or maybe some utility company wants to be able to check your electric/water meter remotely.
Being able to host your own content is becoming more important, not less. And shoving everything behind NAT is becoming more of a problem, not less.
"Work is the curse of the drinking classes." -Oscar Wilde
For your information, plan B is ISP NAT and a zero-sum game address transfer market. That would allow us to reallocate upwards of 80% of IPv4's addresses, extending the life of IPv4 some 10 to 20 years. It's not a fun prospect, but it's eminently workable -- perhaps even more so than IPv6.
So, anyone who says there's no plan B doesn't know what they're talking about.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I'll never switch to IPv6 with its cold, digital precision rendering of data. The lower resolution of IPv4 just provides a better rendition of old favorites like slashdot, to my eyes anyway. Sure, there's some noise, some clicks and pops, but nothing matches wikipedia seen through a nice tube monitor.
You have 65,000 inbound ports. You can't possibly be peering with more than 1000 or 2000 other torrents anyway without completely destroying your bandwidth. Further, there is nothing that says SSH has to run on port 22. You just like it to because it's easy. There's no reason you can't NAT to 100 servers for SSH, run 50 webservers (with both SSL and non-SSL ports), torrent to 5000 of your best friends and still have 59,000 ports left to play with. And a translation table with 5000 entries isn't beyond the capabilities of anyone that might actually have that much infrastructure running behind the device.
Really?
Well, ok, a little recap:
IPV6 has been resisted by virtually all major players, with few exceptions.
IPV6 is poorly tested in the real world. We will see massive problems getting it working.
IPV6 WILL WORK. It will take some time.
IPV6 will coexist with IPV4 poorly, and we will see a dramatic changeover as the critical mass of IPV6 nodes comes online, and IPV4 is more trouble than it's worth to keep around for a little while longer. My estimate, 3 years.
Asia will lag behind in IPV6 adoption.
Some interesting points:
The U.S. Department of Defense holds 11 Class A blocks. If they could reduce their usage to just 3, we could give IPV6 another 3 years of grace. But:
- If we give IPV6 3 more years, it will still take 3 years from then to substantially implement it. And the industry will take those 3 years to avoid the pain.
- The DOD will need at least 5 years to reorganize and give back those Class A blocks. The Navy alone will need 2 years to negotiate with EDS/HP to make the changes. Read up on NMCI and you will recognize a genuine military-grade CF. NMCI is a failure. IPV6 would merely give EDS/HP another opportunity to gouge the service. They rarely miss these opportunities.
- There are several Class A block owners that look like better candidates for either conversion or elimination. None seem ready to do what the DOD would have to do, i.e. spend massive amounts of time and money to make a change for the community, without any real benefit to them.
Just some personal IPV6 observations:
I had two different Fedora distros fail for me at home because IPV6 was turned on and both my router (Linksys WRT54G stock F/W) and my ISPs (Cox and Qwest) fritzed their IPV6 implementations. No, wait, both ISPs had no working IPV6 in the Phoenix area in 2005-2008, despite claims to the opposite. The Linksys I will probably have to reload with something more useful, but it's the early one that can take a lot of new firmware.
Oh, and turning off IPV6 in each Fedora release required different and arcane methods. A hint to the Linux community - common and stable configuration methods would be a blessing. And not just a GUI. I know, security, security, security. I can assure you, my broken Fedora builds were secure, even from me. A stopped clock is right twice a day.
I think my Ubuntu distro left IPV4 on and IPV6 off, but I haven't looked. It works, and has for 3 years.
Despite the clamoring for IPV6, it just has no traction. Why bother yet? Like a lot of things, crisis will have to escalate to failure before this gets fixed.
If Jon Postel were still with us, he would have already made this happen. I miss him so. We need individuals that drive Internet management and administration, not groups. Internet by committee is failing. Can we not find anyone trustworthy to lead Internet functionality at this level?
No, Stallman is not the answer. And nobody at Sun/Oracle either.
deleting the extra space after periods so i can stay relevant, yeah.
Basically, this is what is going to happen:
Some ISP somewhere with a /20 is going to project that in 6 months time they will be out of IPs, /20, and it's going to be too expensive to buy another.
So they are going to buy some Cisco-hardware-NAT-appliance and say to their customers: "look here, you are all on NAT from now on, if you want a real IP you pay extra."
This NAT box will NAT a /20 to a /24 of temp addresses+ports. It will be plug-n-play and easier than setting up IPv6.
99.9% of customers won't read the announcement and won't notice. They are all NATing through their DSL modems anyway, and this Cisco equipment will have hacks for all those special apps that need it to work behind double NATing.
And no one will ever think of switching to IPv6
-paul
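The "/20 NATed onto a /24 of addresses+ports" scenario in the post above has a consequence the post does not spell out: once 16 customers share each public address, a log line or abuse report that carries only the public IP no longer identifies a subscriber, and both the ISP and the receiving side need the source port (and a timestamp) to attribute traffic. The following Python sketch is an added illustration, not anything from the thread or from any vendor's appliance; the customer range 10.64.0.0/20, the public pool 198.51.100.0/24, the fixed port-block scheme and the choice to leave ports below 1024 unused are all constructed assumptions.

```python
"""Carrier-grade NAT sketch: a /20 of customers (4096 hosts) mapped onto a
/24 of shared public addresses (256) using fixed per-customer port blocks,
plus the reverse lookup an abuse desk or SOC needs.

Added example with constructed values; not the post's or any product's code.
"""
import ipaddress
from dataclasses import dataclass

CUSTOMER_NET = ipaddress.ip_network("10.64.0.0/20")    # 4096 inside hosts (constructed)
PUBLIC_NET = ipaddress.ip_network("198.51.100.0/24")   # 256 public addresses (constructed)
FIRST_PORT = 1024   # assumption: the well-known range is left unused
LAST_PORT = 65535

USABLE_PORTS = LAST_PORT - FIRST_PORT + 1                                   # 64512
CUSTOMERS_PER_ADDRESS = CUSTOMER_NET.num_addresses // PUBLIC_NET.num_addresses  # 16
BLOCK_SIZE = USABLE_PORTS // CUSTOMERS_PER_ADDRESS                          # 4032


@dataclass(frozen=True)
class Mapping:
    """One customer's share of a public address: a contiguous port block."""
    public_ip: ipaddress.IPv4Address
    port_lo: int
    port_hi: int


def share_ratio() -> tuple[int, int]:
    """How many customers share each public address, and ports per customer."""
    return CUSTOMERS_PER_ADDRESS, BLOCK_SIZE


def assign(customer_ip: str) -> Mapping:
    """Deterministic mapping from a customer's inside address to its
    (public address, port block).  Deterministic blocks mean the mapping can
    be derived later without keeping a per-flow log."""
    ip = ipaddress.IPv4Address(customer_ip)
    if ip not in CUSTOMER_NET:
        raise ValueError(f"{ip} is not a CGNAT customer")
    idx = int(ip) - int(CUSTOMER_NET.network_address)
    public_ip = PUBLIC_NET[idx // CUSTOMERS_PER_ADDRESS]
    slot = idx % CUSTOMERS_PER_ADDRESS
    lo = FIRST_PORT + slot * BLOCK_SIZE
    return Mapping(public_ip, lo, lo + BLOCK_SIZE - 1)


def attribute(public_ip: str, port: int):
    """Reverse lookup for an abuse report that names (public IP, source port).
    Returns the inside address, or None when the pair cannot belong to any
    customer (wrong pool, or a port outside the translated range)."""
    pub = ipaddress.IPv4Address(public_ip)
    if pub not in PUBLIC_NET or not FIRST_PORT <= port <= LAST_PORT:
        return None
    slot = (port - FIRST_PORT) // BLOCK_SIZE
    if slot >= CUSTOMERS_PER_ADDRESS:
        return None
    idx = (int(pub) - int(PUBLIC_NET.network_address)) * CUSTOMERS_PER_ADDRESS + slot
    return CUSTOMER_NET[idx]


def candidates(public_ip: str) -> list:
    """What a report with the public IP but no port leaves you with:
    every customer sharing that address."""
    pub = ipaddress.IPv4Address(public_ip)
    if pub not in PUBLIC_NET:
        return []
    base = (int(pub) - int(PUBLIC_NET.network_address)) * CUSTOMERS_PER_ADDRESS
    return [CUSTOMER_NET[base + i] for i in range(CUSTOMERS_PER_ADDRESS)]


if __name__ == "__main__":
    print("customers per public address, ports each:", share_ratio())
    m = assign("10.64.0.17")
    print(f"10.64.0.17 -> {m.public_ip} ports {m.port_lo}-{m.port_hi}")
    print("report (198.51.100.1, 6000) ->", attribute("198.51.100.1", 6000))
    print("report with no port ->", len(candidates("198.51.100.1")), "candidates")
```

The reverse lookup only works because the port blocks are fixed; a NAT that hands out ports dynamically has to log every translation (inside address, public address, port, start and end time) for the same question to be answerable, which is the operational cost hidden behind "plug-n-play".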
The problem with the approach is that it's very difficult to do in a way that doesn't break backwards compatibility, and if you're going to break compatibility then you may as well fix other things at the same time.
Didn't have to be that way. We could have had an IPv5 with all the addresses and none of the backwards compatibility issues if not for special interests in the IETF:
http://bill.herrin.us/network/ipxl.html
Gets my vote for IPv7...
Y2K was only a minor issue BECAUSE every programmer and their cousin was busy fixing the bugs for several years. A few million man-hours and workarounds from hell later, you'd expect things to function fine. There were vendors that ignored the issue and it is those vendors that reported problems in 2000. It is THOSE examples you should look at, because THAT is what your world would have been had the rest of us not fixed things for you. Be grateful, wretch, that we bothered. Because next time we might not. And there is NOTHING you can do or say to change that.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Hey, did you actually read the fucking article?
What djb says is exactly what's wrong with IPv6.
No, IPv6 clients cannot, under any circumstances, talk to IPv4 ones. They also have to run IPv4. There is no conversion at all, and the IPv4 address space 'inside' IPv6 will never, under any circumstances, be turned into IPv4 when it hits the 'edge' of IPv6, nor will it be turned into IPv6 going the other way.
And, no, routers cannot 'convert' between protocols, as there is no way to convert back and forth. There are ways to tunnel, but no way to convert. The IPv4 address space in IPv6 is just a goofy allocation scheme, saying 'If you have some addresses in another protocol, you get these addresses free also.' They are utterly different addresses in any sense of the word, you can have them on different computers or even different networks.
Christ, you read an article about how IPv6 is broken because the way that people expect the upgrade to work is broken, and you walk away going 'What an idiot. The way people think it works is great, and I've decided to ignore the place where he points out that that is not, in fact, how it actually works.'
How you think it works, how everyone including djb thinks it should have worked but doesn't, was not chosen, for no apparent reason. Instead, we've got a damn stupid 'dual stack' approach.
Incidentally, I'm no djb fanboy, he's a total idiot in my book. He has no idea of the proper way to actually follow standards and write software, instead choosing to invent entirely different control systems, and that's just the start of the problem.
But that doesn't mean anything written by him is wrong. He's exactly right about how IPv6 fucked up, and if it had been a superset of IPv4 we might actually have an internet that's 90% IPv6 and 10% IPV4, and we'd be talking about the sysadmin's hard choice to keep paying for IPv4-compat IPs or use IPv6-only IPs.
Instead, IPv6 is still almost completely unused, and we've run out of fucking time.
If corporations are people, aren't stockholders guilty of slavery?
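The point in the post above about the IPv4 address space "inside" IPv6 being only an allocation scheme has a practical side for anyone writing access controls or parsing logs: a dual-stack listener will report an IPv4 client as ::ffff:192.0.2.1, and 6to4 or Teredo addresses carry an IPv4 address of a tunnel endpoint, not a converted host. The following Python example is added here and is not from the thread; it uses only the standard ipaddress module, and the sample addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 documentation ranges) are constructed.

```python
"""Classify IPv4, IPv4-mapped IPv6, 6to4 and Teredo addresses and show why an
IPv4 ACL silently misses an IPv4 client seen through a dual-stack socket.

Added example with constructed sample data; not the post's code.
"""
import ipaddress


def classify(text: str) -> tuple:
    """Return (kind, embedded_ipv4).  The embedded address is a real IPv4
    client only for the mapped form; for 6to4 and Teredo it is the tunnel
    endpoint's address, i.e. a hint for correlation, not the host itself."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return ("ipv4", addr)
    if addr.ipv4_mapped is not None:           # ::ffff:a.b.c.d
        return ("ipv4-mapped-ipv6", addr.ipv4_mapped)
    if addr.sixtofour is not None:             # 2002:AABB:CCDD::/48
        return ("6to4", addr.sixtofour)
    if addr.teredo is not None:                # 2001:0::/32, (server, client)
        return ("teredo", addr.teredo[1])
    return ("ipv6", None)


def normalize_for_acl(text: str):
    """Collapse only the mapped form to its IPv4 address: that is the same
    peer the IPv4 stack would have reported.  Tunnel forms are left alone."""
    kind, embedded = classify(text)
    return embedded if kind == "ipv4-mapped-ipv6" else ipaddress.ip_address(text)


def acl_allows(peer: str, allowed_cidrs, *, normalize: bool = True) -> bool:
    """Allowlist check.  With normalize=False the comparison is done on the
    literal address, which is the common bug."""
    addr = normalize_for_acl(peer) if normalize else ipaddress.ip_address(peer)
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    return False


# Constructed log sample: peers as a dual-stack server might record them.
SAMPLE_PEERS = [
    "192.0.2.1",                          # plain IPv4 socket
    "::ffff:192.0.2.1",                   # same client via an AF_INET6 listener
    "2002:c000:201::1",                   # 6to4, relay/router 192.0.2.1
    "2001:0:c000:22d:0:63bf:39cc:9b9c",   # Teredo, server 192.0.2.45, client 198.51.100.99
    "2001:db8::10",                       # native IPv6
]
ALLOWED = ["192.0.2.0/24", "2001:db8::/32"]


def audit(peers=SAMPLE_PEERS, allowed=ALLOWED) -> list:
    """One row per peer: classification plus the ACL verdict with and without
    normalization, so the mismatch is visible."""
    rows = []
    for p in peers:
        kind, emb = classify(p)
        rows.append((p, kind, str(emb) if emb else None,
                     acl_allows(p, allowed, normalize=False),
                     acl_allows(p, allowed, normalize=True)))
    return rows


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Only the ::ffff: form is collapsed, because that is the one case where the IPv6 literal and the IPv4 address name the same peer on the same socket; folding a 6to4 or Teredo address into its embedded IPv4 would grant the tunnel endpoint's standing to every host behind it.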