Slashdot Mirror


Major Sites To Join ‘World IPv6 Day’

netbuzz writes "Facebook, Google, and Yahoo are among the major sites on board with what the Internet Society is dubbing 'World IPv6 Day,' a collective trial scheduled for June 8. 'It's an exciting opportunity to take IPv6 for a test flight and try it on for a full 24 hours,' says Leslie Daigle, the Internet Society's Chief Internet Technology Officer. 'Hopefully, we will see positive results from this trial so we will see more IPv6 sooner rather than later.'"

247 comments

  1. Yay by GeorgeMonroy · · Score: 0

    An IP address for everybody and for everybody an IP address!

    --
    You got the touch!
    1. Re:Yay by jgagnon · · Score: 1

      You could damn near have an IP address for every cell in your body.

      --
      Remember to maintain your supply of /facepalm oil to prevent chafing.
    2. Re:Yay by Anonymous Coward · · Score: 2, Funny

      So you're admitting there are not enough addresses for every cell in every person's body. Didn't anybody think about the future?

    3. Re:Yay by Lumpy · · Score: 1

      And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.

      --
      Do not look at laser with remaining good eye.
    4. Re:Yay by Anonymous Coward · · Score: 1

      And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.

      NAT != Stateful Firewall, why not install a firewall and you can use these Public IPv6 addresses with security?

    5. Re:Yay by Anonymous Coward · · Score: 5, Funny

      While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home. For a limited time only, I'm offering, direct to the consumer, the latest and greatest in home security, a little invention I like to call "curtains". Yes, now people won't be able to see into your home anymore, which obviously makes it impossible for them to rob you. Act fast though, these babies will sell out quickly.

    6. Re:Yay by xaxa · · Score: 5, Insightful

      And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.

      I won't, since I don't think anyone is going to port scan me.

      Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

      Also, a firewall is simpler than a NAT, and doesn't have the disadvantages of NAT, so you can just do that instead.

    7. Re:Yay by Desler · · Score: 1

      Because not everything behind a router needs a public address?

    8. Re:Yay by vlm · · Score: 2

      Because not everything behind a router needs a public address?

      Um, why? Here's a resource that is inherently by design non-scarce, but you prefer to act as if it were? The "hair shirt" brigade might approve but the rest of us kinda laugh.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    9. Re:Yay by Anonymous Coward · · Score: 0

      So use private addresses for those, then. fc00::/7 is reserved for this purpose. Having the option of some publicly addressable computers is still better than using and working around NAT in my view and essentially forcing every computer to not be publicly addressable.

    10. Re:Yay by Anonymous Coward · · Score: 0

      Good point! The numbers are astronomically large with IPV6. Does this "security through obscurity" improve your risk profile? I discussed the challenges of testing networks this large: www.redspin.com/blog/

    11. Re:Yay by ArhcAngel · · Score: 1

      They are working on IP V Mitosis.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    12. Re:Yay by Anonymous Coward · · Score: 0

      Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

      That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

    13. Re:Yay by Anonymous Coward · · Score: 0

      That's going to limit some future medical nanobot applications I'd guess. We'll need IP7 for immortality.

    14. Re:Yay by cduffy · · Score: 4, Insightful

      Here's a hint: "No NAT" doesn't mean "no firewall".

    15. Re:Yay by zrbyte · · Score: 2

      Not only that, but you could give about 7 IPs to every atom in the body of every human alive on Earth! Taking the number of stars in the observable Universe, each star could get about a quadrillion IP addresses. So yeah, there's plenty of IPs for your toaster :)

    16. Re:Yay by nibbles2004 · · Score: 1

      Whether it has a public or private address is nothing to do with scarcity of IP but need and suitability, and there are a lot of IP devices that do not need a public address, my printer for starters: don't need to manage it from the outside, don't need to print to it from outside. Plain old private IP4 seems to work fine and dandy.

    17. Re:Yay by Anonymous Coward · · Score: 5, Interesting

      Why not?? In the *real world* everything has a public address. I know people don't "get it" when it comes to networking, but this is just FUD and is getting ridiculous.

      NAT is like having a chaperone, where all communication happens through a 3rd party. It increases network traffic, it makes peer-to-peer internet impossible. And it is not security. You only need to trick an inside device into connecting to an outside device, and there goes NAT as security! And that is quite easy.

      Firewall is like having a security guard monitoring traffic. A firewall is actually designed to handle security, not illusion of security. This can actually catch and prevent unsanctioned communication. And if you want to use Skype, you can actually allow inbound connections.

      Skype went down because of NAT. If the internet was IPv6, there would be no need for "supernodes". People could actually communicate, peer-to-peer instead of through their chaperones.

      Finally, when I was young and stupid, I believed that NAT was a cool thing. When I asked a network admin at a local university why they don't do more NAT and all departments get /24 or larger, the answer was quite simple. Security. I didn't understand that answer for a few years, but now years later, it is as plain as night and day. NAT creates more problems than it's worth. And if someone brought in some shitty SPAM relay (virus), it becomes a challenge just trying to identify where the rogue program is communicating from.

      Traceability and accountability and transparency and security are what the public internet brings. NAT gives you an illusion of anonymity and security.

    18. Re:Yay by xaxa · · Score: 2

      Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

      That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

      OK. 5000 £1 coins, spread randomly over a suitable area. But what is a suitable area?

      £1 coins have area 4*pi*11.25*11.25 mm^2. Multiply by 0xFFFF,FFFF,FFFF,FFFF to get about 10^16 m^2.

      Ringworld will do nicely.

    19. Re:Yay by kent_eh · · Score: 1

      Because not everything behind a router needs a public address?

      Um, why?

      'cause I don't want my NAS box to have one.
      There's no legit reason for any machine outside my house to access it. Ever.
      It's part of that layered approach to securing things.
      Yes, there is a firewall
      Yes, there is a password
      And, yes, the device's address is not publicly routable.

      Paranoid? maybe, but so what.
      It's my stuff, and I don't want you to be able to look at it. End of story.

      --
      "I can't complain, but sometimes still do..." Joe Walsh
    20. Re:Yay by Hydian · · Score: 1

      Life is generally easier if you have a unified addressing scheme on your network.

      Having a public IP address does not mean that you have to allow public access to that IP address. A simple ACL on your router is sufficient to restrict that.

    21. Re:Yay by Gerald · · Score: 1

      ...or you can just use site (or even link) local addresses.

    22. Re:Yay by vlm · · Score: 3, Insightful

      Whether it has a public or private address is nothing to do with scarcity of IP but need and suitability, and there are a lot of IP devices that do not need a public address, my printer for starters: don't need to manage it from the outside, don't need to print to it from outside. Plain old private IP4 seems to work fine and dandy.

      But using a separate address space makes your work WAY more complicated and less reliable.

      All public scenario: Your stateful firewall prevents incoming traffic to your printer, just like it prevents incoming connections to anything else that you haven't specifically allowed. One address range everything reaches everything. Everything on one happy layer 2 LAN. Simple dynamic (re-)addressing.

      Public plus private scenario: You still need a configured stateful firewall for all your other devices but now you have the joy of adding a statically configured LAN. How do the two networks reach each other? Route thru your slow firewall? Or multiple static and dynamic addresses on every device in your LAN? The time you spend complicating the heck out of your LAN, is time you're not spending securing it at the network and device layers.

      So, sure, if you really want, you can spend a lot more time, money and effort to get a LAN that is much harder to design, configure, troubleshoot and monitor, all while being less secure, but you would be "saving" one of the 3 x 10^38 addresses, except you actually aren't, because they assigned you a /64 for your LAN so it's not like anyone else could use that address anyway.

      IPv6 doesn't outright prevent you from shooting yourself in the foot, but it's still kinda usable.

      Plus if your LAN is a corporate LAN you've now gained the nightmare of merging multiple LANs using the same private addresses. Even if FC00::/8 is mostly empty, you know most clowns are going to use network=0 / host=1 for their firewall and watch the chaos when they interconnect.

      There seems to be no advantage to private ipv6 space...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    23. Re:Yay by CyprusBlue113 · · Score: 1

      Good point! The numbers are astronomically large with IPV6. Does this "security through obscurity" improve your risk profile? I discussed the challenges of testing networks this large: www.redspin.com/blog/

      I'm sorry, I'm confused, you are complaining about security through obscurity, and that is your argument in *favor* of nat? /boggled

      --
      a handful of selfish greedy people are no match for millions of selfish, greedy people -u4ya
    24. Re:Yay by vlm · · Score: 1

      Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

      That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

      Hmm, let's run the math here. If you insist on not installing a stateful firewall (why? It's already a part of your old ipv4 NAT box) then they have to find a random-ish 32 digit hexadecimal number, in order to find an address to break into, then break in, which is hopefully non-trivial, and then hopefully steal your random-ish 16 digit decimal credit card number. However, if the bad guy has the resources to randomly find a needle in a haystack inside a 32 digit number, why waste the time? Why not randomly farm the 16 digit number directly and skip all that "breaking into" junk and searching about and installing keyloggers?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    25. Re:Yay by Anonymous Coward · · Score: 0

      Here's a better one: "No connectivity" means "No chance of attack".

    26. Re:Yay by spongman · · Score: 1

      misconfigured NAT: NO traffic gets through
      misconfigured ACLs: ALL traffic gets through

      which is a better solution for grandma?

    27. Re:Yay by Anonymous Coward · · Score: 0

      'cause I don't want my NAS box to have one.
      There's no legit reason for any machine outside my house to access it. Ever.
      It's part of that layered approach to securing things.
      Yes, there is a firewall
      Yes, there is a password
      And, yes, the device's address is not publicly routable.

      If you want layered security, use a separate internal network that's not routable for your private devices. Layered security and IPv6 routing are completely separate issues.

      Here's a clue stick for you:

      http://en.wikipedia.org/wiki/Virtual_LAN

      If you're going to tell me you have all this hardware sitting on some crappy switch that doesn't have VLAN, I'm not going to feel a lot of pity for you when IPv6 leaves you in the dust. VLANs. Learn them and love them.

    28. Re:Yay by vlm · · Score: 1

      Paranoid? maybe, but so what.

      I wouldn't say paranoid so much as wasted effort compared to other things having a much higher rate of return. You can configure a LAN using private space at huge time and effort both in set up and long term maintenance. Grats, you did it. However that time would far better be spent on securing your internal clients which do have access to the NAS, patching your NAS, patching your firewall, etc.

      That particular layer is very expensive yet likely to be spectacularly ineffective. If everything worse has already been done, then it makes sense to waste time and money on that plan.

      It would be like hurricane proofing my server, despite the nearest coast being over 1000 miles away...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    29. Re:Yay by surgen · · Score: 2

      Then don't give it a global ipv6 address, only give it a link- or site-local address.

    30. Re:Yay by CAIMLAS · · Score: 2

      If I had a hundred thousand acres of land where I kept my 10 cattle, I'd prefer to have just one gate into the property instead of one every mile or so. It'd be harder for people to steal my cows that way, and I could more easily maintain the gate.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    31. Re:Yay by Rising+Ape · · Score: 1

      There's really no excuse these days for a device not to be secure out of the box - i.e. you should be able to plug it straight into an unfirewalled network without problems. Security issues have been known about for years - even Microsoft's got on the ball now. I had a Vista box with a public IP and no separate firewall for months, and there were no problems.

    32. Re:Yay by j+h+woodyatt · · Score: 1

      If you don't want any host outside your house to communicate with your NAS box, then giving it a private address behind a NAT is the wrong thing to do. Every private address behind a NAT gateway is routable to exterior domains. If you assign a globally routable address to your NAS box, even a private one from RFC 1918, then you need a firewall to prevent it from communicating with hosts in exterior domains. (No, your cheap commodity NAT gateway is not a firewall.)

      With IPv6, you can assign your NAS box a non-routable address because you don't need a NAT gateway as your home router.

      --
      jhw
    33. Re:Yay by profplump · · Score: 2

      What makes you think the firewall for grandmother won't come pre-configured with exactly the same unidirectional, stateful firewall provided by NAT boxes? Why do you think she'd have to set up ACLs?

      Also, how badly do you have to muck up your ACL to get the "all traffic gets through" configuration? Is "deny by default" the status quo for any firewall?

    34. Re:Yay by Anonymous Coward · · Score: 0

      You know, there are google searches that can find all credit card numbers on the internet? You think it takes more than 30 seconds to recraft that into a search for ipv6 numbers? Guess what, since you posted it above, it is now trivial for a hacker to find it. In fact, google already knows of 15k+ search hits for this part of the ipv6 space, I'm sure the hackers will be attacking it soon! :-)

    35. Re:Yay by j+h+woodyatt · · Score: 2

      On top of that, we have an excellent way to keep your teen-age daughter from running up the home phone bill with 900 services: an unlisted number! She won't be able to make trouble if she can only make outgoing calls.

      --
      jhw
    36. Re:Yay by segedunum · · Score: 1

      Um, why?

      Because not every device needs a public IP address on a private network and public devices on the internet are not entitled to see any of my IP addresses from my devices, no matter how firewalled they are.

      In addition, I don't want to have to piggy-back on to an ISP for an available public IP address when I can easily serve that with an internal network device I know will at least work most of the time. No one is thinking through the practical considerations and the network issues we have today.

    37. Re:Yay by hedwards · · Score: 1

      But do you offer them in the same color as the upholstery?

    38. Re:Yay by hedwards · · Score: 1

      Solid point, for most people addresses on the network shouldn't be publicly accessible unless you choose to make them so. And if you're having to manually add access to new devices, what's the difference between a publicly routable, but blocked, address and one that isn't a public address?

    39. Re:Yay by Quietlife2k · · Score: 1

      Security through obscurity is no security at all.

      For every website or service you encounter on the internet you have to provide an address to which replies can be sent.

      Who needs to port scan ?

      Port scanning is not even as difficult as was first believed : http://www.youtube.com/watch?v=c7hq2q4jQYw

      Address randomisation does not even begin to solve the problem, in fact it makes it worse. How can my firewall be expected to know the difference between an address generated by my network printer that should not be seen from outside my network and one from a pc that should ?

      So now even my network printer (toaster, fridge, whatever) needs a built in firewall with guaranteed bug fixes.

      When was the last time you saw a printer or other device manufacturer fixing such security flaws in a timely manner ?

      And this is progress ????

      Auto configuration is a nightmare. I want to be alerted to the addition of any kit to my network and be given the choice to allow or disallow access to my resources before whatever it is starts to use the limited data allocation that is my internet connection, starts to print a copy of wikipedia or otherwise use resources that cost me time or money.

      Before anyone chimes in with "Security Enhanced Neighbour Discovery" - find me a howto that shows the proper configuration of "SEND" that creates a secure network of Windows and Linux machines..... Go on... I'm not holding my breath......

    40. Re:Yay by segedunum · · Score: 1

      While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home.

      Unfortunately your little joke falls over because NAT is only one part of this thing called a firewall - i.e. houses have these things called doors and windows that can be locked. However, shock, horror, even though people are quite comfortable with their locks they still don't want anyone being able to look inside. That's why most people have curtains, or blinds, and they don't leave their house unlocked because they have them. Funny that.

    41. Re:Yay by grumbel · · Score: 2

      Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

      In theory, yes. In practice IPv6 addresses aren't quite that randomly distributed and often follow common patterns (DHCP handing out addresses sequentially, etc.). There was a talk about the issue at 27C3. The conclusion was basically that you can find 90-95% of the servers with just a bit of brute force search. This might of course change in the future when IPv6 gets more used in practice and security issues are handled more seriously.

    42. Re:Yay by Ant+P. · · Score: 1

      How many people have a house with curtains and blinds but no doors or windows? That's what your NAT gets you.

    43. Re:Yay by Ant+P. · · Score: 1

      While it's certainly *possible* to brute-force 64 bits of network address space, I'd imagine such people have better things to do with 18 trillion packets than go looking for grandma.

    44. Re:Yay by Anonymous Coward · · Score: 0

      No it doesn't.

    45. Re:Yay by Just+Some+Guy · · Score: 1

      Security through obscurity is no security at all.

      Then post your password here and/or SSH private key here. "Security through obscurity" is not remotely close to what you think it means.

      How can my firewall be expected to know the difference between an address generated by my network printer that should not be seen from outside my network and one from a pc that should ?

      Set your firewall policy to "default deny" and whitelist connections you specifically want to allow. This has been the correct way of building firewalls since the idea was first invented.

      So now even my network printer (toaster, fridge, whatever) needs a built in firewall with guaranteed bug fixes.

      Why? You don't have a firewall on your router? Again, "default deny": don't open up a rule that allows random Internet hosts to connect to your toaster.

      I want to be alerted to the addition of any kit to my network and be given the choice to allow or disallow access to my resources before whatever it is starts to use the limited data allocation that is my internet connection, starts to print a copy of wikipedia or otherwise use resources that cost me time or money.

      Use whatever mechanism you're using right now, today, that alerts you when a new device connects to your network.

      --
      Dewey, what part of this looks like authorities should be involved?
    46. Re:Yay by Quietlife2k · · Score: 1

      Then post your password here and/or SSH private key here. "Security through obscurity" is not remotely close to what you think it means.

      Those are secrets that have no existence outside of my network. Unlike IP addresses. I believe you are mistaken in equating them.

      Set your firewall policy to "default deny" and whitelist connections you specifically want to allow. This has been the correct way of building firewalls since the idea was first invented.

      Why? You don't have a firewall on your router? Again, "default deny": don't open up a rule that allows random Internet hosts to connect to your toaster.

      And what, pray tell, should I do for my PC? Set a static ipv6 address to be entered into the whitelist?

      Pull the other one it's got bells on.

    47. Re:Yay by Marillion · · Score: 1

      Mod this up!

      I have ipv6 at home and I have a /64 subnet. That's 18,446,744,073,709,551,616 addresses. If you assume an adult human has about 50 trillion cells, you can assign one of those IP addresses to every cell of everyone in the US and still have leftovers.

      No, not everything needs a public address. But everything could with no risk of scarcity.

      --
      This is a boring sig
    48. Re:Yay by Just+Some+Guy · · Score: 1

      Those are secrets that have no existence outside of my network. Unlike IP addresses. I believe you are mistaken in equating them.

      But why do you care if they're known outside your network? You have a stateful firewall that protects them from the world. Here's my printer's IPv6 address: 2001:453:da65:1:94ab:7c00:8cba:beb5. Go ahead, have fun trying to connect to it.

      And what, pray tell, should I do for my PC? Set a static ipv6 address to be entered into the whitelist?

      Yes, of course. Why wouldn't you?

      --
      Dewey, what part of this looks like authorities should be involved?
    49. Re:Yay by Quietlife2k · · Score: 1

      But why do you care if they're known outside your network? You have a stateful firewall that protects them from the world. Here's my printer's IPv6 address: 2001:453:da65:1:94ab:7c00:8cba:beb5. Go ahead, have fun trying to connect to it.

      You have far more confidence in your firewall than I have. One slip in the coding, one unchecked buffer is all that it takes for it to be breached.

      Yes, of course. Why wouldn't you?

      Privacy.
      http://playground.sun.com/ipv6/specs/ipv6-address-privacy.html
      http://www.faqs.org/rfc/rfc3041.txt

    50. Re:Yay by lennier · · Score: 3, Funny

      That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

      Your collateralised debt obligation investment scheme intrigues me and I would like to contribute to your hedge fund.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    51. Re:Yay by Anonymous Coward · · Score: 0

      Unless you have someone invading your house, yes, it does.

    52. Re:Yay by Rich0 · · Score: 1

      Here's a better one still:

      NAT = firewall = no connectivity... :)

      If your firewall is set up right (which takes almost no effort), then you're just as protected as if you set it up correctly with NAT. Just set a default rule that blocks anything incoming, and then allow specific IPs/ports - just like with NAT, but minus all the IP mangling.

    53. Re:Yay by kasperd · · Score: 2

      a lot of IP devices that do not need a public address, my printer for starters

      It may be correct that your printer does not need a public IP address. However the same argument has been used for lots of devices that do need to communicate with the outside world. And there certainly aren't enough IPv4 addresses for the devices that do need a public address for proper operation.

      Let's get back to that printer. Let's assume you will never want to print to it from computers outside of the same local network; then you can indeed assign it a link local or unique local address. This however is not an argument in favor of NAT. That printer then should never communicate with the outside world, and those devices that do need to communicate with the outside world have their own address for communicating with the outside world.

      The use of addresses reserved by RFC 1918 has not been without problems. There may be a lot, but there have still been conflicts. The problem is there isn't exactly one scope within which you want them to be unique. You may have a router in your home that assigns a range of RFC 1918 addresses to a local segment. Your ISP might also be using some RFC 1918 addresses for equipment that you need to communicate with as a customer, but doesn't need to be accessed by anybody outside of that ISP's network. You might also be using a VPN connection from a machine on your local network to some remote site, which makes use of RFC 1918 addresses.

      These addresses are all assigned by different people and none of them know at the time they assign the addresses, which other RFC 1918 addresses you will need to communicate with. This leads to conflicts.

      With IPv6 there is a replacement for RFC 1918, it is RFC 4193. With RFC 4193 there is first of all a randomly selected 40 bit site ID which reduces the risk of collisions significantly. And each such site will have a 16 bit subnet ID that you can manage locally. With that you get as many subnets as if you had split 10/8 into /24 subnets, and you still avoid all the collisions that would have happened if multiple entities decided to assign the same subnet of 10/8 to things that you needed to communicate with.

      So, even for the case of devices that don't need a globally routable address, IPv6 is still better than IPv4.

      --
      Do you care about the security of your wireless mouse?
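The RFC 4193 scheme kasperd describes, as an added example that is not part of the thread: Python that derives a site's /48 Unique Local Address prefix with the RFC's own Global ID algorithm (SHA-1 over an NTP timestamp and an EUI-64, least significant 40 bits kept), carves a /64 out of it with a 16-bit subnet ID, checks whether an address falls inside fc00::/7, and estimates the collision risk that random Global IDs carry. The MAC address and timestamps used in the demo are constructed sample values.

```python
"""RFC 4193 Unique Local Address (ULA) prefix derivation and checks.

Added example, not code from the thread. Implements the Global ID
algorithm of RFC 4193 section 3.2.2 and the subnetting the comment
describes (40-bit random site ID + 16-bit locally managed subnet ID).
"""
import hashlib
import ipaddress
import math
import time

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # the whole RFC 4193 block
NTP_EPOCH_OFFSET = 2208988800                   # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp_64(unix_time: float) -> bytes:
    """Step 1: the time of day in 64-bit NTP format (32.32 fixed point)."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def eui64_from_mac(mac: bytes) -> bytes:
    """Step 2: build a modified EUI-64 from a 48-bit MAC (RFC 4291 App. A):
    flip the U/L bit of the first octet and insert ff:fe in the middle."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def global_id(unix_time: float, eui64: bytes) -> int:
    """Steps 3-5: SHA-1 over (NTP time || EUI-64); the least significant
    40 bits of the digest become the pseudo-random Global ID."""
    digest = hashlib.sha1(ntp_timestamp_64(unix_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(gid: int) -> ipaddress.IPv6Network:
    """Step 6: fc00::/7 with the L bit set (i.e. fd00::/8) followed by the
    40-bit Global ID gives the site's /48 prefix."""
    if not 0 <= gid < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))


def ula_subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64 subnets the site manages with its 16-bit subnet ID
    (the same count as splitting 10/8 into /24s, without the collision risk)."""
    if prefix.prefixlen != 48 or not prefix.subnet_of(ULA_BLOCK):
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(addr: str) -> bool:
    """True when the address lies in fc00::/7: site-local scope, never meant
    to be routed on the public Internet, so a firewall can treat it as such."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def collision_probability(sites: int, id_bits: int = 40) -> float:
    """Birthday-bound estimate that any two of `sites` independently chosen
    Global IDs coincide, i.e. the VPN/merger conflict the comment describes."""
    space = float(1 << id_bits)
    return 1.0 - math.exp(-sites * (sites - 1) / (2.0 * space))


if __name__ == "__main__":
    # Constructed sample inputs; a real node would use its own MAC and clock.
    sample_mac = bytes.fromhex("001122334455")
    gid = global_id(time.time(), eui64_from_mac(sample_mac))
    site = ula_prefix(gid)
    print("site prefix :", site)
    print("lan subnet  :", ula_subnet(site, 0x0001))
    print("nas subnet  :", ula_subnet(site, 0x0002))
    for a in ("fd00::1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"):
        print(a, "is ULA" if is_ula(a) else "is not ULA")
    for n in (2, 1000, 100000):
        print(f"P(collision among {n} sites) ~ {collision_probability(n):.2e}")
```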
    54. Re:Yay by asdfghjklqwertyuiop · · Score: 1

      And you'll still be a complete idiot for doing so since the firewall rules that are currently keeping those attacks away work exactly the same way without NAT on IPv4 or 6.

    55. Re:Yay by asdfghjklqwertyuiop · · Score: 1

      misconfigured NAT: NO traffic gets through

      That isn't true. Usually if the attacker can get packets with your private destination IP addresses to the outside of your router and you have no ACLs saying to drop that, it will get forwarded in regardless of what the NAT says.

      The solution for grandma will be the same as it has always been: buy some product that filters correctly and never even hear the words "NAT" or "ACL".

    56. Re:Yay by thethibs · · Score: 0

      You've confused NAT with VLAN. Two very separate things. VLAN requires local communication through the router, NAT doesn't. And it has no impact on network traffic, LAN or WAN.

      Behind NAT everybody is part of one happy non-routable family. If you want to control who gets out through the router, that's what MAC address filtering is about, and that, in most cases, is a one-click effort in the router dialog (at least it is on my cheap SMB router). SPI's a given. Nobody's built a router without it in a very long time.

      If you want to open a port for inbound connections, that's also just a few keystrokes. Nothing complicated.

      Nobody suggested NAT replaces firewalls. It just makes everything else easier.

      --
      I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
    57. Re:Yay by thethibs · · Score: 1

      I have ipv4 at home and a /16 subnet. I'm not going to run out of addresses any time soon.

      --
      I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
    58. Re:Yay by takev · · Score: 1

      You are forgetting the whole point of NAT: To make non-routable addresses routable to the internet.
      This simple fact is why the "NAT is a security device" argument "Because my network addresses are not routable" does not hold.

      And MAC address filtering is not a NAT function, but a firewall function.

    59. Re:Yay by Crag · · Score: 1

      It seems like a lot of people can't think of a use case for hosts behind firewalls to want to talk to each other.

      I want to stream music from my local media server while doing system administration on any of three remote private networks.

      My work uses a private network of 10/8, my university uses 172.16/12 and my secret club uses 192.168/16. Which private network should I use at home? It doesn't matter because whatever I pick, I cannot establish a tunnel from home to whichever location uses the same private network without running into a routing conflict. There is no way to tell whether an address is local or remote once I establish that connection. Regardless of the tunneling tricks used, my computer will have no way of knowing which side of the tunnel a host is on if both the source and destination network are the same private network. It could try both, but what if the same IP exists on both sides?

      Most VPN software solves this by not allowing the client to access local network resources when attached to the VPN, but that's just dodging the real issue. The way IPv4 works, hosts need to have globally unique addresses to talk to each other easily, and it's not unreasonable to expect hosts on different protected networks to want to talk to each other.

      You can have the advantages of NAT without the disadvantages. Get IPv6 and firewalling correctly configured.

    60. Re:Yay by yorugua · · Score: 1

      > NAT is like having a chaperone, where all communication happens through a 3rd party. It increases network traffic, it makes peer-to-peer internet impossible. And it is not security. You only need to trick inside device to connect to outside device, and there goes NAT as security! And that is quite easy.

      Mind to elaborate? Is there anything special in IPv6 that makes a router any less hard to "trick"? Also, some NAT devices are not that easy to "trick" and have security certifications (Common Criteria).

      On the other hand, in a NAT-less world, if you run a large organization, what good does it make for an external web site or your ISP to know what each machine inside your network actually visits? Say you are a bank, or a .gob organization... now, instead of having all web access coming from one or two or three proxy/NAT addresses, you have a one-to-one connection from each PC in your network... is it that difficult to "trick" someone you want to do something special now and address a specific internal address of your organization from the internet?

      I'm not against IPv6 itself, but the rage against NAT seems unjustified. If there's no need for it, it will go away on its own. Now, there are people that might need NAT, as they don't want external addresses to "know" what each internal address of an organization browses or anything. For those, it seems IPv6 is lacking some functionality for no good reason.

    61. Re:Yay by yorugua · · Score: 1

      > I won't, since I don't think anyone is going to port scan me.

      > Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

      Simple, social engineering: just make some of those IP addresses "browse" a specific address you control, and you'll know specifically what each address is and fingerprint it. Loads of fun if you are or catch an ISP machine and want to "see" the little things some of your customers "browse"!!

    62. Re:Yay by yorugua · · Score: 1

      Another hint: no NAT means you know what each address browses... loads of fun if you can pinpoint specific addresses within an organization! Now, what's all that bad rap about a unique internet ID in the US?

    63. Re:Yay by Junta · · Score: 1

      Ignore his first point, focus on the second. Everywhere you put a NAT for security today, have a default firewall set. Home routers deny any unsolicited traffic by default. There you go, all the security of NAT with *zero* of the PITA.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    64. Re:Yay by Junta · · Score: 1

      Except that fc00::/8 is *not* supposed to be used at all right now, and if it is, then all users *must* use a central registrar to assure uniqueness.

      *Now* fd00::/8 could be an issue. Ostensibly, following the rules, a program is supposed to spew out your prefix instead of it being chosen manually. So a lot of private network type devices that formerly just defaulted to 192.168.0.0 would instead default to some /48 out of fd chosen pseudo-randomly, but the call for such a default network is greatly reduced with fe80:: link-local addressing. Leaving most private networks being a conscious choice, and drawing fd instead of running a utility I could see becoming a best practice in spite of the 'requirements' that people not do that given the inherent honor system of that whole thing.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    65. Re:Yay by Junta · · Score: 1

      err.. I meant selecting fd<favorite hexspeak here> instead of running a utility.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    66. Re:Yay by Junta · · Score: 3, Insightful

      Your 'gate' is your router/firewall. People can't magically get around the same exact piece of equipment that NATs today simply because they are independently addressable. Those devices need to just have a 'no unsolicited incoming traffic' firewall by default.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    67. Re:Yay by Junta · · Score: 1

      Yes, they are thinking it through. There have been blind eyes to various things as some people wanted to bathe in the theory of how they thought it *should* work, but most concerns you have are considered and have reasonable answers.

      At least you hit on the one facet of security that NAT does at least help with, more accurately measuring how many hosts are beyond a particular gateway. I do wonder what the practical risk is there, however. If you are doing non-privacy stateless addressing, ok it divulges your hardware address, but I'd advocate for either the privacy autoaddressing or DHCP range which has nothing to do with your system and moves that entirely onto site-persistent selection instead of device-persistent selection.

      If you have an internal-only service on a system that you don't want routable at all to the internet, just do either the fe80:: address (which admittedly could be awkward with the required zone index suffix) or generate a ULA out of fd00::/8. Either way you slice it, you have a non-routable IPv6 host. If you are concerned that your hosts need aliased addressing and that's "weird", well, all IPv6 hosts will at least have two 'aliases', one in fe80:: world and one global, and aliasing is more 'mainstream' in IPv6 thinking.

      Finally, IPv6 to IPv6 NAT should exist, so you could have exactly your analogous config, with an fd<whatever> address on the inside and dynamic mapping to external address space, but *please* don't make that so ubiquitous so that your hangups on how IPv6 needs to act exactly like IPv4 get in the way of me getting my /56 at my house one day.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    68. Re:Yay by Junta · · Score: 1

      Ok, that VLAN comment was odd. VLAN is a construct where an ethernet switch can manage a broadcast domain in a manner distinct from the specific physical layout. One switch can present three broadcast domains, different VLANs can be aggregated over various things to achieve complicated things. VLAN has nothing to do with a router, unless you are doing some sort of layer 2 tunneling, which I still cannot logically tie to what the grandparent post said in any way.

      NAT doesn't make anything easier except hiding how many systems are behind a gateway. NAT is just a pain in the ass that is accepted and a one-rule firewall is just as capable and requires no special treatment regardless of where the device goes. For example, if your linksys box chooses 192.168 by default, but you are plugging it into a network that also uses 192.168, you must reconfigure. A linksys getting a delegated v6 prefix never has to bother the administrator for a different firewall rule because it somehow magically conflicts with the context it is applying to.

      All the practical security concerns seem moot with the reality that 'reject unsolicited incoming traffic' is sufficient to get the commonly perceived 'security' benefit of NAT. At the same time as I agree that people have overblown the inherent security of NAT over 'plain ol' firewalling, I do kinda wish that a blessed NAT66 RFC would exist so that people would just shut the hell up about it, but at the same time am afraid any hope of getting my /56 to use the *right* way will evaporate when that happens.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    69. Re:Yay by Junta · · Score: 1

      I agree with you, but will also point out for the NAT fanatics that IPv6 makes the case you described better. With fd00::/8 ULA, your work, university, and secret club will have /48s that have a near zero chance of colliding with each other or the random ULA prefix you get at home.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    70. Re:Yay by Junta · · Score: 1

      And what, pray tell, should I do for my PC? Set a static ipv6 address to be entered into the whitelist?

      How is that different from your NAT today? If you want to accept incoming connections, you must tell your NAT box a port to DNAT map from your external thing to something internal, defined by, surprise surprise, a static entry.

      If you are talking about *outgoing* traffic, I'd say the default is to allow outgoing if you just want to mimic NAT 'security' out of the box.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    71. Re:Yay by Junta · · Score: 1

      Ok, but what if you wanted to hypothetically print a form you had open on your cell phone *right now* wherever you are for later review? Might be nice to actually be able to reach your printer then, so long as it is properly secured.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    72. Re:Yay by Junta · · Score: 1

      My counterpoint would be that websites can and already do track individual machine accesses via session cookies, and can develop a pattern from that just as easily as by IP.

      However, I personally would not be averse to NAT66 being implemented commonly, but I think there is a fear that if NAT66 exists, the ISPs will bone the residential market that includes the people who really want an actual usable subnet for their home.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    73. Re:Yay by jonfr · · Score: 1

      The IPv6 address you gave does not exist. It is guaranteed that nobody can connect to your printer because it is on a non-existent IPv6 address.

      whois 2001:453:da65:1:94ab:7c00:8cba:beb5
      #
      # Query terms are ambiguous. The query is assumed to be:
      # "n 2001:453:da65:1:94ab:7c00:8cba:beb5"
      #
      # Use "?" to get help.
      #

      No match found for 2001:453:da65:1:94ab:7c00:8cba:beb5.

      #
      # ARIN WHOIS data and services are subject to the Terms of Use
      # available at: https://www.arin.net/whois_tou.html
      #

    74. Re:Yay by putaro · · Score: 1

      Printers don't need public addresses but it is nice to have UNIQUE addresses. That way when you take your laptop to another network it doesn't try talking to the wrong IP.

      Using "public" addresses in IPV4 is more of a security hole because most subnets are small, address space wise, and it's easy to start guessing IP addresses from outside and see what you hit. In IPV6 the host part of the address is 64 bits and they're usually assigned using the MAC address, rather than starting at 1. Therefore, it's pretty hard to guess an address and hit it even if your firewall doesn't block the traffic.

    75. Re:Yay by Quietlife2k · · Score: 1

      How is that different from your NAT today? If you want to accept incoming connections, you must tell your NAT box a port to DNAT map from your external thing to something internal, defined by, surprise surprise, a static entry.

      The differences are :
      1) A single static ip address in ipv4 can be either a single device or a NAT gateway. In ipv6 it is guaranteed to be a single device.
      2) The perception that since a static ipv6 address is just one of the possibilities out of a 64-bit subnet, this renders address scanning useless. This perception is blatantly false, as without address randomisation you leave "footprints" everywhere you go, hence the privacy extensions. Who needs to scan for your address when you leave it wherever you go?

      The current implementations of ipv6 leave you the choice between security and privacy - you cannot have both.
      If you choose security you cannot even have plausible deniability by running an open wifi as all ipv6 addresses are unique.
      If on the other hand you choose privacy, then you cannot implement a default deny firewall as this would require a whitelist listing all of the allowed ipv6 addresses - something that you cannot provide if you are randomising your ip address as per the privacy rfc.

      I will wait until someone figures out how to do both before I consider going live with ipv6.

    76. Re:Yay by Anonymous Coward · · Score: 0

      It'll likely be IPv8 ... just like Star Trek movies, the odd numbered ones suck.

    77. Re:Yay by Anonymous Coward · · Score: 0

      Yes but it's useful to have an address space for yourself which is not globally interconnected. This way, you can configure everything in the LAN to use that and everything will keep working if you move to another ISP.

      I'd use $ORGANISATION.local for this internal network and configure local clients to use it as the default search domain.

    78. Re:Yay by yorugua · · Score: 1

      The thing is that in a NAT environment, for all sessions from an organization behind a NAT4 device, all they see is the NAT device IP address, and not the real IP address of the system the user is at.

      If in an IPv6 NAT-less world you have a firewall, but no NAT, you see what each individual IP6 address likes or dislikes, regardless of the span of a "session". That could be interesting for folks like Google to do "analytics" on what you browse. Also, it could be interesting for other folks if they narrow down that IP6 address to a name.

    79. Re:Yay by m50d · · Score: 1

      I'd agree with you if it were easy to get an IPv6 subnet of your own (actually assigned to you, not just probably not used by anyone else like that webpage gives you). But it isn't. I tried to IPv6 my home network a couple of years ago, and for supposedly non-scarce addresses they're actually harder to get hold of (as a private individual) than IPv4 addresses.

      --
      I am trolling
    80. Re:Yay by Junta · · Score: 1

      1) Whether it is an IPv6 address or an IPv4 address+DNAT port, the exposure is the same: the outside world has a door into a specific system.

      My thought is that running an open wifi does not provide plausible deniability. It's more likely that someone will do something malicious behind your gateway and you'll take the blame than vice-versa. *Especially* if you seem technically capable, the fact that you explicitly left your wifi open would be taken as a sign you were *trying* for plausible deniability. Face it, for the residential case, *there is no plausible deniability*, at least with respect to traffic that originates from your residence, *unless* you have a trusted proxy shared with others out there that you *know* won't retain enough data to trace your identity. The only way to have plausible deniability is to find an open-wifi somewhere and hope there's no security camera. If it is some poor sap's house, then they will probably get blamed, if a business, that business may be required to discontinue open wifi under legal pressure.

      If you did want to put your static address into your firewall rules, you could do the exact same strategy as IPv4, either statically decide your IP (which is still very much possible) or use DHCPv6 to assign addresses. The entire IPv6 world isn't just the stuff defined in stateless auto-addressing.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    81. Re:Yay by Anonymous Coward · · Score: 0

      How about not exposing equipment to the internet that does not need it. You might be one of those wannabe anklebiters that thinks everything needs to be, but I for one prefer security over being silly.

      AS for the "rest of us" You and your 3 friends that still live in their mom's basement? Because real professionals agree with the usefulness of NAT. HP has had enough IP addresses in IPV4 to have had EVERY SINGLE device and PC they own on the net with a static IP address for decades, yet they have NEVER done this. I'm certain the IT people at large corporations are far more knowledgeable than you and your small band of delusional brothers. And take a bath, you stink.

    82. Re:Yay by Junta · · Score: 1

      Right, but if they are wanting to do analytics, they use long lived tracking cookies today. They already do all the tracking they need to do at the HTTP/Browser layer. A better argument would be that users can at least opt out by controlling their acceptance of cookies, even if no one does as in practice it breaks too many sites to blanket deny and way too many questions to consider one at a time.

      The sad fact is that NAT gives very little protection in practice against things like tracking, *particularly* to the home market, where household granularity in tracking is quite sufficient no matter how you look at it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    83. Re:Yay by Lumpy · · Score: 1

      I fire up the VPN on my iPhone, and then print.

      Just like I do now and with far more security because the connection is encrypted.

      Note: I would never do that, Why the hell do I need to print something from my phone when I am miles from the printer?

      --
      Do not look at laser with remaining good eye.
    84. Re:Yay by Lumpy · · Score: 1

      Huge time and effort. 30 seconds max.

      Let me guess, you are one of those guys at the office that wigs out at the vending machine because it took 3 seconds to get you your 3rd redbull this morning.

      it is not a huge time and effort, it's negligible effort even for 1024 devices spanning several subnets in IPV4, in IPV6 it's a single subnet, even less effort.

      --
      Do not look at laser with remaining good eye.
    85. Re:Yay by Lumpy · · Score: 1

      If you think your ISP will gladly give you more than 1 IP address with your basic broadband service , then you are completely disillusioned.

      --
      Do not look at laser with remaining good eye.
    86. Re:Yay by Lumpy · · Score: 1

      "it makes peer-to-peer internet impossible."

      and that is a POSITIVE. I want P2P to be impossible for most of what I need on the NAT.

      Firewall+NAT = more control over the network. OR are you telling me that when ipv6 comes along all of a sudden all ISP's are going to become benevolent and give everyone what they want?

      NO you will get 1 IPV6 address and pay for every other address you want, Thus back to NAT.

      --
      Do not look at laser with remaining good eye.
    87. Re:Yay by Lumpy · · Score: 1

      No you're the complete idiot in thinking your ISP is going to give you more than 1 IPv6 address.

      --
      Do not look at laser with remaining good eye.
    88. Re:Yay by Junta · · Score: 1

      If IPv6 is cheaper for them to do, and NAT66 isn't commonly available, then you bet your ass they will. They know well that some number of devices greater than one always access their service. They don't want to bridge customer networks together in a layer 2 sense, so they will delegate prefixes for use by linksys gateways and the like. IPv6 explicitly made efforts so that prefix delegation is trivially automatic, so there isn't work associated with it, and addresses are so bountiful there simply is no point in *not* doing it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    89. Re:Yay by asdfghjklqwertyuiop · · Score: 1

      I know, right? They already give me more than 1 IPv4 address right now, so it would make perfect sense to reduce it to 1 once there are 79228162514264337593543950336 more addresses available...

    90. Re:Yay by kasperd · · Score: 1

      NAT doesn't make anything easier except hiding how many systems are behind a gateway.

      But even that doesn't really work with IPv4. The main problem is with the IPID field. Any combination of source IP, destination IP, and IPID must not be reused within a packet lifetime. But when two machines behind the NAT send packets out, the gateway mangles the source IP address, and if two packets were sent with different source IPs but identical IPIDs, it would have been perfectly valid until they passed the NAT. A typical NAT doesn't touch the IPID field and just passes it on unmodified. Modifying the IPID wouldn't work very well anyway as the state that would need to be tracked gets impractical.

      Many systems generate predictable IPID values, and when they go through the NAT unmodified it is fairly easy to count the systems. Even if each system was to generate unpredictable IPID values, any collision would prove that two packets were sent by different systems. Since every packet in a TCP stream is from the same system, this will allow counting systems even if they generate unpredictable IPID values. You could work around this by setting DF on every TCP packet and just put random bits in the IPID field. This would of course have to be done by the sending host. If the NAT did those modifications, it would be breaking communication for hosts that didn't anticipate such modifications.

      If your intention with using NAT is to hide how many machines are behind the NAT, then you are better off using NAT with IPv6. With IPv6 the IPID field doesn't exist if it doesn't have to. And the DF bit does not exist either because it is implicitly on; any fragmentation must be done by the sender, intermediate routers are not allowed to do it. This means with IPv6 there are far fewer packets with an IPID that could reveal the number of hosts behind the NAT. And when an IPID is included, it is twice as large as in IPv4, which reduces the risk of collisions significantly. That means less risk of the NAT breaking stuff by causing IPID collisions, and with fewer collisions there will be less chance of identifying different systems behind the NAT due to collisions.

      --

      Do you care about the security of your wireless mouse?
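The host-counting leak that the post above describes (sequential IPIDs surviving the NAT unmodified, and IPID collisions proving that more than one host shares the public address) can be made concrete. The following is an added example, not code from the thread or from any project it mentions; the packet list is constructed (RFC 5737 documentation addresses, two hidden hosts with sequential IPID counters) and the chain-gap threshold `max_gap` is an assumed tuning value.

```python
IPID_MODULUS = 1 << 16  # the IPv4 Identification field is 16 bits wide

# Constructed sample: packets as seen on the public side of a NAT. All carry the
# NAT's single public source address, so only (timestamp, dst, ipid) are kept.
# Two hidden hosts each increment IPID by one per packet; their packets interleave.
SAMPLE_PACKETS = [
    (0.0, "203.0.113.5", 1000), (0.5, "203.0.113.9", 40000),
    (1.0, "203.0.113.5", 1001), (1.5, "203.0.113.9", 40001),
    (2.0, "203.0.113.5", 1002), (2.5, "203.0.113.9", 40002),
    (3.0, "203.0.113.5", 1003), (3.5, "203.0.113.9", 40003),
]


def count_hosts_by_ipid(packets, max_gap=32):
    """Group packets into monotonically increasing IPID chains (modulo 2^16)
    and return the number of chains. With sequential IPID generators each
    hidden host contributes one chain, so the chain count estimates the host
    count. Hosts that put random bits in the IPID field break the estimate
    (almost every packet starts a new chain), which is the post's point."""
    chains = []  # last IPID seen on each chain
    for _, _, ipid in sorted(packets, key=lambda p: p[0]):
        best, best_delta = None, None
        for idx, last in enumerate(chains):
            delta = (ipid - last) % IPID_MODULUS
            # a small positive step continues a chain; 0 or a large jump does not
            if 0 < delta <= max_gap and (best_delta is None or delta < best_delta):
                best, best_delta = idx, delta
        if best is None:
            chains.append(ipid)
        else:
            chains[best] = ipid
    return len(chains)


def ipid_collisions(packets, lifetime=120.0):
    """Return (dst, ipid) pairs that recur within one packet lifetime (the
    assumed 120 s is a common maximum segment lifetime). A single host must
    not reuse an IPID toward the same destination within that window, so each
    collision proves at least two hosts sit behind the same public address.
    Only packets that may be fragmented (DF clear) carry a meaningful IPID."""
    last_seen = {}
    found = []
    for ts, dst, ipid in sorted(packets, key=lambda p: p[0]):
        key = (dst, ipid)
        if key in last_seen and ts - last_seen[key] <= lifetime:
            found.append(key)
        last_seen[key] = ts
    return found


if __name__ == "__main__":
    print("estimated hosts:", count_hosts_by_ipid(SAMPLE_PACKETS))   # 2
    print("collisions:", ipid_collisions(SAMPLE_PACKETS))            # []
```

Run against a real capture the same way: strip the public source address (it is constant), feed `(time, dst, ipid)` triples, and compare the chain count with the collision list. The chain estimate is only as good as the hosts' IPID policy; the collision test is weaker but holds regardless of how IPIDs are generated.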
    91. Re:Yay by kasperd · · Score: 1

      If in an IPv6 NAT-less world you have a firewall, but no NAT, you see what each individual IP6 address likes or dislikes, regardless of the span of a "session".

      I suppose an OS could actually easily address that concern. Whenever a connection is established it could be assigned a newly generated random address unless the application had explicitly bound the socket to an IP address. It does mean the gateway will have to keep track of more IP to MAC mappings than it would otherwise, but the number of entries to track isn't going to be more than the number of connections a NAT would have to track today. And if they do expire, it just means you'll have to wait a few microseconds for it to ask for the IP address. When the same kind of expiry happens in a NAT, it causes the connection to break.

      --

      Do you care about the security of your wireless mouse?
    92. Re:Yay by kasperd · · Score: 1

      Address randomisation does not even begin to solve the problem

      Did you even watch the video you linked to? If you watched the video you would find that address randomization does solve that problem, but only if you use it. What he found was that a lot of servers have IP addresses that are not random, so he could find them by scanning with a few different tricks.

      Since the starting point was a bunch of DNS entries, it is not clear that these IP addresses were even supposed to be secret to begin with. But if you do use random addresses, none of the tricks mentioned in that video will find it.

      The rest of the video was discussing various attacks that can be performed if you are on the same LAN as the target. Many of those attacks are similar to what you could do with IPv4, and the typical solution with IPv4 would be to configure filters in your switches. Similar attacks against IPv6 require similar filters, which shouldn't come as a shock to network administrators.

      I think the most interesting attack mentioned was that a rogue machine on an IPv4 only network could perform a man-in-the-middle attack by sending out an IPv6 router advertisement and cause other machines on the LAN to believe it was a dual stack network and use IPv6 by default.

      He pointed out a few other places where the IPv6 stacks are not as mature as IPv4, and that supposedly you can crash most machines on a LAN through these. But none of this should discourage you from upgrading your network, since the attacks only worked locally, and they would work even if your network was IPv4 only because the attacker could turn on IPv6 on demand.

      All in all an interesting video, but the one point you mentioned wasn't being made.

      --

      Do you care about the security of your wireless mouse?
    93. Re:Yay by kasperd · · Score: 1

      If people violate the standard in that way, then collisions can happen. But at least it only happens if both networks violate the standard in the same way. If it does break at least you can blame each administrator independently as he is obviously responsible for misconfiguring his network. (If you want to avoid a situation where an administrator tries to argue that it is easier to fix the other network, then pretend there are three conflicting networks and it is easier for him to fix his own network than to get both of the other networks fixed).

      The situation could be even worse, if some joker decided to use the same prefix that he saw some other network using. In such a case it wouldn't be obvious which of the networks didn't make a random choice. The standard could have included an elaborate technique for proving that the random prefix is yours. (Generate an RSA keypair, hash the public key and use the first 40 bits in your prefix. If necessary use the private key to prove that you picked this prefix). But this would be kind of overkill to put in the standard.

      The fc00::/8 prefix is specifically reserved for use in case the random assignments somehow don't work out and would require a central authority. How the process for assigning prefixes would work in that case remains an open question, as we haven't seen the need yet, and we might never. If people are stupid enough to violate the standard, chances are that being able to pinpoint exactly who is violating the standard isn't going to help all that much.

      --

      Do you care about the security of your wireless mouse?
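Three posts above turn on the same fact: RFC 1918 blocks are shared by everyone, so Crag's work, university and club networks can overlap with whatever the home LAN picked, whereas an RFC 4193 ULA prefix is derived pseudo-randomly and two sites colliding is a 40-bit birthday problem. The example below, added here and not taken from the thread or any project it names, runs the overlap check on Crag's constructed set of sites and then generates ULA prefixes with the RFC 4193 section 3.2.2 procedure (SHA-1 over an NTP-format timestamp and the host's EUI-64, low 40 bits become the Global ID). The EUI-64 values and the fixed timestamp are constructed inputs.

```python
import hashlib
import ipaddress
import math
import struct
import time


def sites_collide(site_prefixes):
    """Return the pairs of site names whose prefixes overlap. Overlapping
    sites cannot both be reached through a tunnel without a routing conflict."""
    nets = {name: ipaddress.ip_network(str(p)) for name, p in site_prefixes.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def ntp_timestamp_64(unix_time):
    """64-bit NTP format: seconds since 1900 (32 bits) then fraction (32 bits)."""
    seconds = (int(unix_time) + 2208988800) & 0xFFFFFFFF
    fraction = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(">II", seconds, fraction)


def generate_ula_prefix(eui64, unix_time=None):
    """RFC 4193 section 3.2.2: Global ID = least significant 40 bits of
    SHA-1(NTP time || EUI-64); prefix = fc00::/7 with the L bit set (0xfd)
    followed by the Global ID, i.e. a /48 for the site."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp_64(unix_time) + eui64).digest()
    global_id = digest[-5:]
    prefix_int = int.from_bytes(b"\xfd" + global_id + bytes(10), "big")
    return ipaddress.IPv6Network((prefix_int, 48))


def is_locally_assigned_ula(prefix):
    """True inside fd00::/8, the locally assigned half of fc00::/7; fc00::/8
    is held back for a possible future central registry, as the posts note."""
    return prefix.subnet_of(ipaddress.IPv6Network("fd00::/8"))


def ula_collision_probability(sites):
    """Exact birthday bound that any two of `sites` independently drawn 40-bit
    Global IDs coincide: 1 - exp(-n(n-1) / 2^41)."""
    return 1.0 - math.exp(-sites * (sites - 1) / float(1 << 41))


# Constructed sample: the three remote networks from the post plus a home LAN
# that happened to pick a 192.168 block.
CRAG_SITES = {
    "work": "10.0.0.0/8",
    "university": "172.16.0.0/12",
    "secret_club": "192.168.0.0/16",
    "home": "192.168.1.0/24",
}

# Constructed EUI-64 values, one per site, and a fixed timestamp for reproducibility.
SITE_EUI64 = {name: bytes([i]) * 8 for i, name in enumerate(sorted(CRAG_SITES), 1)}
ULA_SITES = {name: generate_ula_prefix(e, 1.0e9) for name, e in SITE_EUI64.items()}


if __name__ == "__main__":
    print("IPv4 conflicts:", sites_collide(CRAG_SITES))   # [('home', 'secret_club')]
    print("ULA conflicts:", sites_collide(ULA_SITES))     # []
    for name, p in ULA_SITES.items():
        print(f"{name:12s} {p}")
    print("P(collision, 4 sites) =", ula_collision_probability(4))
```

In practice the timestamp and EUI-64 come from the generating host, not constants; the only property that matters is that the 40 bits are effectively random, which is why hand-picking a memorable fd prefix (as one post admits to being tempted by) throws the guarantee away.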
    94. Re:Yay by Quietlife2k · · Score: 1

      1) Whether it is an IPv6 address or an IPv4 address+DNAT port, the exposure is the same: the outside world has a door into a specific system.

      Unless you are running the ipv6 privacy extensions :
      http://playground.sun.com/ipv6/specs/ipv6-address-privacy.html
      http://www.faqs.org/rfc/rfc3041.txt

      My thought is that running an open wifi does not provide plausible deniability. It's more likely that someone will do something malicious behind your gateway and you'll take the blame than vice-versa. *Especially* if you seem technically capable, the fact that you explicitly left your wifi open would be taken as a sign you were *trying* for plausible deniability. Face it, for the residential case, *there is no plausible deniability*, at least with respect to traffic that originates from your residence, *unless* you have a trusted proxy shared with others out there that you *know* won't retain enough data to trace your identity. The only way to have plausible deniability is to find an open-wifi somewhere and hope there's no security camera. If it is some poor sap's house, then they will probably get blamed, if a business, that business may be required to discontinue open wifi under legal pressure.

      Here I think we will have to agree to disagree. Particularly when you consider some of the advantages to the privacy extensions. My point is that at present, there is no happy medium. You have a choice between a centralised traditional firewall, and a decentralised randomised more privacy friendly solution.

      I think we can agree that ipv6 could be far better than it is with what we know today versus when it was designed 15 years ago. I'm just willing to wait a little longer for my feature set than you are for yours.

    95. Re:Yay by Quietlife2k · · Score: 1

      Did you even watch the video you linked to?

      I did, and from it I headed down the path that you are on. That was until I also wanted a firewall as well as randomisation. If you implement a default deny firewall and are running randomised addresses, just how do you open a port ? Or otherwise grant access for inbound connections ?
      All the flaws of NAT but without any of the benefits.

      I am sure that there is a solution to this problem, it just has yet to be released.

      I am just willing to wait for that or until ipv6 reaches critical mass and I am forced.

    96. Re:Yay by kasperd · · Score: 2

      If you implement a default deny firewall and are running randomised addresses, just how do you open a port ? Or otherwise grant access for inbound connections ?

      Randomly assigned IP addresses can be static or dynamic. You assign one static to each machine and let it generate dynamic addresses on its own. For incoming connections you use the static IP of the machine. For outgoing connections you use one of the dynamic IP addresses of the machine.

      I am just willing to wait for that or until ipv6 reaches critical mass and I am forced.

      Too many people with that attitude is the reason for the mess we have now.

      --

      Do you care about the security of your wireless mouse?
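The design kasperd sketches above (one persistent address per machine that the default-deny firewall lists, plus RFC 3041 temporary addresses that outbound connections use and that never appear in any inbound rule) can be shown end to end, including putaro's point earlier in the thread that a MAC-derived interface identifier is device-persistent. This is an added example, not code from the thread or from any RFC implementation; the prefix, MAC address and initial history value are constructed, and `inbound_allowed` is a minimal model of a firewall rule set rather than any real firewall's API.

```python
import hashlib
import ipaddress
import os


def mac_to_eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291
    Appendix A): insert ff:fe in the middle and flip the universal/local bit.
    This identifier is device-persistent and reveals the MAC, which is the
    privacy concern raised in the thread."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_stable_iid():
    """A randomly chosen but persistent identifier (generate once, store it):
    the 'randomly assigned static' address from the post, u/l bit cleared."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


def next_temporary_iid(stable_iid, history):
    """RFC 3041 section 3.2.1: MD5(history || stable_iid). The leftmost 64
    bits with the u/l bit cleared are the new temporary identifier; the
    rightmost 64 bits are the history value for the next round."""
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD
    return bytes(iid), digest[8:]


def make_address(prefix64, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC-style addresses need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def inbound_allowed(open_services, dst_addr, dst_port):
    """Default-deny inbound model: a new inbound connection is accepted only
    if (address, port) is explicitly listed. Only stable addresses are ever
    listed, so the temporary addresses used outbound are never reachable."""
    return (ipaddress.IPv6Address(dst_addr), dst_port) in open_services


def demo(prefix64="2001:db8:1:2::/64", mac="00:1a:2b:3c:4d:5e", rounds=3):
    """Constructed walk-through: one stable EUI-64 address opened on port 22
    and three temporary addresses for outbound use. Returns the decisions."""
    stable_iid = mac_to_eui64_iid(mac)
    stable = make_address(prefix64, stable_iid)
    open_services = {(stable, 22)}
    history, temporaries = bytes(8), []   # constructed all-zero initial history
    for _ in range(rounds):
        tmp_iid, history = next_temporary_iid(stable_iid, history)
        temporaries.append(make_address(prefix64, tmp_iid))
    return {
        "stable": str(stable),
        "temporaries": [str(t) for t in temporaries],
        "ssh_to_stable": inbound_allowed(open_services, str(stable), 22),
        "http_to_stable": inbound_allowed(open_services, str(stable), 80),
        "ssh_to_temporary": [inbound_allowed(open_services, str(t), 22) for t in temporaries],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17s} {v}")
```

Note the u/l bit does the separation for free: an EUI-64 stable identifier has it set (the `02` in `021a:2bff:...`) while every RFC 3041 temporary identifier has it cleared, so a temporary address can never equal the listed stable one. RFC 3041 seeds the first history value randomly; the all-zero seed here exists only to keep the walk-through reproducible.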
    97. Re:Yay by Quietlife2k · · Score: 1
      Please mod parent up !

      Randomly assigned IP addresses can be static or dynamic. You assign one static to each machine and let it generate dynamic addresses on its own. For incoming connections you use the static IP of the machine. For outgoing connections you use one of the dynamic IP addresses of the machine.

      Thank you for this, it forced me to re-read the faq (http://www.faqs.org/rfc/rfc3041.txt). I must admit that I had been focusing on its primary declared relationship to "Stateless address autoconfiguration [ADDRCONF]", and failing entirely to grasp the "may also apply to interfaces with other types of globally unique and/or persistent identifiers" part.

      Too many people with that attitude is the reason for the mess we have now.

      Some of us are either more cautious, or less well informed. I was both, now I am merely cautious. I will gladly and with thanks, move on to basic connectivity testing rather than waiting.

      If you have information regarding implementing Security Enhanced Neighbour Discovery please link it as this is now the final hurdle for me.

    98. Re:Yay by kasperd · · Score: 1

      Some of us are either more cautious, or less well informed.

      Being cautious is ok. A 10 year transition plan to ensure there is time to address any issues coming up sounded like a good plan. But what happened was that nobody wanted to make the first move. And we now have a situation where we have realized what the first hurdle is, and the first large scale test to see if we have resolved that hurdle is scheduled to happen a few months after the IANA pool of IPv4 addresses runs out.

      All the years where almost nothing happened mean that the transitioning now has to happen faster, and it will be more problematic because there won't be any free IPv4 addresses for the last part of the transitioning. If the transitioning had gone according to the plan, people would be shutting down IPv4 networks now because it wouldn't be worth the hassle to run both IPv4 and IPv6. Unfortunately that isn't the situation.

      For the Internet as a whole, all this cautiousness appears to be causing more problems than it prevented. I can understand why, from each individual's viewpoint, it seemed like the right thing to do. But from a global perspective it is turning into a disaster.

      If you have information regarding implementing Security Enhanced Neighbour Discovery

      I don't know more than what was mentioned in the video. I would expect that some high end switches can be configured to do filtering that will address the majority of issues, but I don't know any specific details about that either.

      --

      Do you care about the security of your wireless mouse?
    99. Re:Yay by segedunum · · Score: 1

      No, it doesn't.

  2. new outage by Anonymous Coward · · Score: 0

    Now Slashdot will have another facebook outage to report.

  3. Dual-stack mode by Fwipp · · Score: 1

    From TFA, it appears that they are supporting IPv6 in dual-stack mode. Most users without IPv6 connectivity should still be able to access their sites on June 8th.

    1. Re:Dual-stack mode by Athrac · · Score: 1

      From TFA, it appears that they are supporting IPv6 in dual-stack mode. Most users without IPv6 connectivity should still be able to access their sites on June 8th.

      Yeah, that's kind of obvious. Nobody's abandoning ipv4 anytime soon.

    2. Re:Dual-stack mode by foksoft · · Score: 1

      Yes, they will continue to run it in dual-stack. But instead of the current practice where you need to enter ipv6.google.com, you will simply type www.google.com and will reach them via IPv6. It is similar for other sites. You who, like me, are stuck in IPv4 space, mark June 8 in your calendars, as it might be the day when you might not reach some resources on the internet. It is due to the way DNS will be resolved. Your computer will ask for an IP address and will get an AAAA record, but you don't have IPv6 connectivity, so you will not connect. In the better case it will fall back to IPv4.

    3. Re:Dual-stack mode by tlhIngan · · Score: 4, Informative

      Yes, they will continue to run it in dual-stack. But instead of the current practice where you need to enter ipv6.google.com, you will simply type www.google.com and will reach them via IPv6. It is similar for other sites. You who, like me, are stuck in IPv4 space, mark June 8 in your calendars, as it might be the day when you might not reach some resources on the internet. It is due to the way DNS will be resolved. Your computer will ask for an IP address and will get an AAAA record, but you don't have IPv6 connectivity, so you will not connect. In the better case it will fall back to IPv4.

      Actually, you will still be able to reach those resources just fine, with patience. What happens is (and always has when OSes started blindly enabling IPv6) the connection waits for the IPv6 connection first. If that doesn't get established, it falls back to IPv4 and you get your content. What everyone found is well, pages took forever to load as you had to wait for the IPv6 TCP session to return an error first before the IPv4 fallback.

      Frankly, the problem with IPv6 is the lack of a simple drop-in router replacement that works as well as current NAT routers. I don't care to have 3 IPv6 IPs on every IPv6-capable device on my network (never mind all the IPv4-only gear I have). Yes, 3 IPv6 addresses, because you'll have a link-local (always present), your internet IPv6 address (you get a prefix that's usually /64, so all the PCs will use that prefix and add a suffix, and that will get you to the router), and, since entering random numbers and letters is annoying, a private set of IPv6 addresses (the FC00:: prefix (/64) is for private networks, akin to 10/8 and other IPv4 private space). Why can't I have a NATv6 box that can have 192.168.0.1 and FC00::1, and keep everything going the way it is? Bonus if it handles IPv4-to-IPv6 translation as well (there are tricks you can do to have IPv4-only devices support IPv6 addresses, like the ipv6-literal.net virtual domain Windows has to support IPv6 CIFS and IPv6 address entry).

      That's what people want - a simple box they can drop into their network without having to reconfigure their intranet immediately that works just like their existing NAT router.

    4. Re:Dual-stack mode by dch24 · · Score: 1

      How about a software solution instead of a hardware solution?

      Why doesn't glibc patch their DNS resolver to cache the "working/not working" state of IPv6? Or even better, run the IPv6 and IPv4 DNS queries in parallel and use whichever answer is returned first -- not to discard the slower of the two but to wait for it to succeed and cache the state ("working/not working").

    5. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      Actually, you won't need patience. As similar tests have revealed before, very few users experience slow downs or connection failures when web sites enable dual-stack IPv4/IPv6 access. Much fewer users than previously expected. Almost all users connect through IPv4 without seeing any difference at all, because the priorities of applications and operating systems are such that IPv6 is only used if native IPv6 connectivity is available or no IPv4 connection is possible (either due to the remote end not supplying A records or the local side not having IPv4 connectivity). The few notable deviations from this principle have long been identified and corrected. The remaining problems are basically all due to freakishly wrong network configurations.

      The test in June will most likely show that a vanishingly small number of users experience problems at all (like 1 in 10000) and most of these problems will be configuration issues on their network, not hardcoded problems in software.

    6. Re:Dual-stack mode by hedwards · · Score: 1

      Strictly speaking, there's no reason why anybody should need to run IPv4 on their home network, or likely even on their corporate network. An N:N NAT mapping should solve most of the problems that we were trying to solve with the switchover.

      Sure it's a bit kludgy, but for home users, it's probably the best way, at least until the older computers without native support for IPv6 and software is in place for everybody.

    7. Re:Dual-stack mode by j+h+woodyatt · · Score: 1

      The exception: dual-stack hosts, e.g. Mac OS X, Windows 7, iOS 4, Linux, FreeBSD, etc., on home networks with dual-stack gateways which comply with I-D.ietf-v6ops-cpe-router by advertising a unique-local IPv6 prefix even when there is no globally routable prefix available from their service provider.

      Some of the newer, popular routers in the field are doing this today. Yours might be doing it right now, and you may not actually know it until World IPv6 Day arrives, when your access to Facebook, Yahoo! and Google will either be impaired or denied outright, depending on various geeky technical factors. The point of doing the World IPv6 Day exercise is to find out just how bad this problem is going to be.

      --
      jhw
    8. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      That is some bullshit right there. ISPs are only going to give a single IPv6 address per residential account as far as I know, so your router will be the only one with a WAN IPv6 address. The "link-local" address is just ::1, better known as 127.0.0.1. So just like IPv4's 10.0.0.0/8 and 192.168.0.0/16, you'll get FC00::/64 addresses. NAT is NAT, and ISPs won't buy more IPv6 address blocks than they have to.

    9. Re:Dual-stack mode by FranTaylor · · Score: 1

      What is wrong with multiple IP addresses? If you set up your routing correctly, you can assign local IPv6 addresses to all your machines, so they can talk to each other regardless of your IPv6 connectivity to the Internet. You can then add the global IPv6 subnet handed to you by your provider and assign those also. This setup is nice because you can enable and disable your IPv6 connectivity, and even change providers and global IPv6 addresses, without interfering with your local addresses.

      Being able to assign multiple IP addresses is a nice feature and you should take advantage of it, not shy away from it. With just a little bit of smarts you can use DHCPv6, run your own DNS server, and you don't have to deal with those pesky IPv6 literal addresses at all.

    10. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      Ahem, there is not a single piece of correct information in your comment.

      ISPs are definitely not going to give just a single IPv6 address per residential account. Expected assignment sizes are /48 or more likely /56, which is 256 networks with 2^64 addresses each (IPv6 autoconfiguration needs /64 networks). ::1 is the loop-back address. Link-local addresses are not loop-back addresses. Link-local addresses are used for (non-routable) communication on the local network (duh).

      NAT is not implemented for IPv6 in the operating systems commonly used in small routers.

      IPv6 addresses are assigned in large enough chunks to make it unlikely that additional addresses need to be assigned later (to keep routing tables manageable). ISPs get mind-bogglingly huge address spaces, even if every user gets a /56. For example, German Telekom has a /19, which contains 32 times more /56 blocks than there are IPv4 addresses.

    11. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      IPv6 can't be assigned like that. IANA is all but requiring /48s to be issued to the end sites - i.e. the ISP customer. That's roughly 18.4 quintillion IP addresses per customer. The ISPs themselves can't get anything smaller than a /32, which is 65536 /48 subnets.

    12. Re:Dual-stack mode by foksoft · · Score: 1

      Why are people so persistent in their attempts to bring NAT to IPv6?
      If you want DHCP functionality in your home network, then you have autoconfiguration in IPv6, and all your devices will get an IPv6 address in the same way as DHCP-assigned IPv4 addresses. If you have any device that supports IPv4 only, then you need to run your network dual-stack to ensure that it can connect to its target.
      And to your complaint about the length of IPv6 addresses: you don't have to stick with autoconfiguration. You can assign pretty much any IP address you like based on the prefix you get from your provider. So you can still have a [your prefix]::1 address. On the other hand, with ULA addresses (FC00::/7) you should use a randomly generated interface identifier part of the address, which makes it more random than static public IP addresses, where you will quickly get familiar with your prefix. And as you noted, you will never reach the public internet with that IP address.
      But in all cases it is much easier to use computer names and forget about IP addresses.
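      The stable-plus-temporary address scheme kasperd describes above (one static address per machine for inbound connections, randomly generated addresses for outbound) and foksoft's advice to put a randomly generated interface identifier under a ULA prefix can both be shown in working code. The block below is an added example, not code from either poster or from any operating system: it builds a ULA /64 the way RFC 4193 section 3.2.2 describes (SHA-1 over a 64-bit NTP timestamp and the machine's EUI-64, least significant 40 bits used as the Global ID), derives a stable address from a fixed EUI-64 interface identifier and temporary addresses from random identifiers with the universal/local bit cleared as RFC 4941 does, and applies the resulting default-deny inbound policy. The MAC address, timestamp and open-port set are constructed values.

```python
import hashlib
import ipaddress
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
IID_MASK = (1 << 64) - 1          # low 64 bits of an IPv6 address: the interface identifier


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def generate_ula_prefix(mac: bytes, now=None, subnet_id=0) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP timestamp || EUI-64).
    Returns an fdxx:xxxx:xxxx:<subnet_id>::/64 network (fd00::/8 is the L=1 half of fc00::/7)."""
    ts = time.time() if now is None else now
    secs = int(ts) + NTP_EPOCH_OFFSET
    frac = int((ts - int(ts)) * (1 << 32))
    ntp_timestamp = struct.pack(">II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)
    digest = hashlib.sha1(ntp_timestamp + eui64_from_mac(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")           # least significant 40 bits
    prefix = (0xFD << 120) | (global_id << 80) | ((subnet_id & 0xFFFF) << 64)
    return ipaddress.IPv6Network((prefix, 64))


def stable_address(prefix: ipaddress.IPv6Network, mac: bytes) -> ipaddress.IPv6Address:
    """The 'static' address kasperd refers to: prefix + a fixed interface identifier (EUI-64).
    This is the only address you publish in DNS and open firewall ports on."""
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def temporary_address(prefix: ipaddress.IPv6Network, randbytes=os.urandom) -> ipaddress.IPv6Address:
    """A 'dynamic' (privacy) address for outgoing connections: prefix + 64 random bits,
    with the universal/local bit (bit 6 of the first octet) cleared, as RFC 4941 specifies."""
    iid = bytearray(randbytes(8))
    iid[0] &= 0xFD
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def inbound_allowed(dst, dport: int, stable: ipaddress.IPv6Address, open_ports) -> bool:
    """Default-deny policy for unsolicited inbound traffic: accept only on the stable
    address and only on explicitly opened ports. Temporary addresses never accept
    unsolicited inbound traffic; replies to their outgoing flows are assumed to be
    matched by the firewall's connection tracking, which is not modelled here."""
    return ipaddress.IPv6Address(dst) == stable and dport in open_ports


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                       # constructed MAC address
    net = generate_ula_prefix(mac, now=1300000000.0)          # constructed timestamp
    stable = stable_address(net, mac)
    temp = temporary_address(net)
    print("ULA prefix     :", net)
    print("stable address :", stable, "(inbound on ports {22})")
    print("temp address   :", temp, "(outbound only)")
    print("ssh to stable  :", inbound_allowed(stable, 22, stable, {22}))
    print("ssh to temp    :", inbound_allowed(temp, 22, stable, {22}))
```

Because the Global ID is pseudo-random rather than chosen, two home networks that are later joined by a VPN are unlikely to collide, which is the reason RFC 4193 insists on this derivation instead of letting people pick `fd00::/64`.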

    13. Re:Dual-stack mode by KiloByte · · Score: 1

      Unless your routing is terminally broken, the IPv6 connection attempt fails immediately. You'd need to have a useless box that not only fails to handle IPv6 but also silently drops the packets.

      For that NAT idea -- one of the core purposes of the IPv6 upgrade is to get rid of NAT. If you'd inflict an RFC1918-esque subnet on yourself, your machine cannot be addressed anymore.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    14. Re:Dual-stack mode by tftp · · Score: 1

      Strictly speaking, there's no reason why anybody should need to run IPv4 on their home network

      Except that pesky problem of about a billion IPv4-only devices - routers, printers, and all other stuff that you can't replace.

      I bought a pair of 802.11a/n access points this week to do some bridging, and they work fine ... in IPv4 mode. There is not a bit in them about IPv6, and these are super-new devices. There will be no hope of large scale IPv6 acceptance until all consumer grade hardware on store shelves supports it out of the box. Routers also need to do the right thing regardless of what IP version the ISP supports. The whole setup should be "hands off" - but today it requires a rocket scientist to just play on your LAN.

    15. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      You're a bit behind the times on how major sites are providing IPv6 connectivity.

      I do not need to enter ipv6.google.com. If your ISP can demonstrate two redundant native IPv6 routes to Google then Google will whitelist hosts from the ISP's /32 to connect by default to the IPv6 addresses.

      For example, I am currently connected to www.google.com on 2a00:1450:400c:c00::68 and www.youtube.com on 2a00:1450:400c:c00::8b. I didn't have to type any special URL.

    16. Re:Dual-stack mode by sjames · · Score: 1

      That will only happen if you configure v6 on your side but the connectivity is broken somewhere. If you DON'T configure v6, your machine will never even know the server has v6 available.

    17. Re:Dual-stack mode by sjames · · Score: 1

      What's the big deal if there are 3 addresses on each machine? All 3 will work the same for you. As a bonus, your router doesn't need to rewrite packets for v6 at all.

      The firewall rules needed to provide NAT-equivalent protection are rather simple. In most cases, NAT on v6 is just snatching defeat from the jaws of victory. There's no need to reconfigure your anything. Just run dual stack and be happy.

    18. Re:Dual-stack mode by kasperd · · Score: 1

      Why doesn't glibc patch their DNS resolver to cache the "working/not working" state of IPv6?

      The DNS resolver only knows if the DNS resolution worked. It won't know if the actual connection to the resulting IP worked. (And even if it did know that the connection didn't work, the result could be different depending on what communication you did with that IP address, for example it could be that some ports work on IPv4 and others work on IPv6).

      Or even better, run the IPv6 and IPv4 DNS queries in parallel and use whichever answer is returned first -- not to discard the slower of the two but to wait for it to succeed and cache the state

      The resolver probably already does the lookups in parallel. But in many cases the DNS lookup works but the actual connection fails. And if the DNS lookup fails, it is not guaranteed that trying both will help. I have seen a case of a DNS server that would corrupt its own cache if you asked for IPv4 and IPv6 addresses for the same domain name. So the first lookup to reach the DNS server would work, and the other would not. This could lead to a situation where you first look up the IPv6 address and get a correct answer, but then find you cannot connect. Then you try IPv4, but because the DNS server's caching is so broken, the presence of an IPv6 address in the cache prevents it from looking up an IPv4 address for the same domain name.

      --

      Do you care about the security of your wireless mouse?
    19. Re:Dual-stack mode by dch24 · · Score: 1

      Ok you make some good points.

      I still think a software solution is possible, but it would have to be done in the browser.

      If a DNS server is so broken that the presence of an IPv6 in the cache prevents it from looking up an IPv4 address, then the web site will be inaccessible -- if they don't care to fix it, they'll simply lose viewers.

    20. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      > As it might be day when you might not reach some resources on internet. It is due to fact how DNS will be resolved.
      > Your computer will ask for IP address and will get AAAA record but you don't have IPv6 connectivity so you will not
      > connect. In better case it will fall back to IPv4.

      I'm glad to say that's not correct. In RFC 3484 the default precedences for destination address are
      global IPv6 > public IPv4 > link-local IPv6
      even if your host asks for AAAA at all.

    21. Re:Dual-stack mode by Anonymous Coward · · Score: 0

      sorry, I've got mixed up, this is not about your case

    22. Re:Dual-stack mode by kasperd · · Score: 1

      I still think a software solution is possible, but it would have to be done in the browser.

      If the browser tries to open IPv4 and IPv6 connections in parallel and uses the one that connects first, it will help reliability in many cases. There are still a couple of issues. If you have an MTU problem, the connection may open just fine but break when you transfer data. Sending the request over both connections is a bad idea, as it will waste resources, and in some cases sending the request twice will actually cause state changes on the server to happen twice. So, by the time you realize that you have an MTU problem with one connection, it is too late to switch to the other. However, you can get around many MTU problems by tweaking your MSS. None of these methods will help in the case of the extremely broken DNS server that I mentioned.

      If a DNS server is so broken that the presence of an IPv6 in the cache prevents it from looking up an IPv4 address, then the web site will be inaccessible -- if they don't care to fix it, they'll simply lose viewers.

      The problems are not on the IPv6 enabled websites. It is not because the people running those sites don't know how to run a website. They do in fact know how to run a website, and if the problem is on their own side of the connection, they can fix it. In many cases such sites will even find workarounds for problems on the client side or the intermediate network.

      The DNS server I mentioned is on the client side. I don't know if the flaw was in the ISP's DNS servers or in the caching DNS server in the router provided by the ISP. In either case if you were a customer of that ISP and let your computer use the defaults, you would be using a broken DNS server.

      If you are responsible for a website and you have to keep several nines of availability, how do you deal with such clients? You can't just go and fix the root problem, because it is completely outside of your control. And when you receive an AAAA request you only know the IP address of the DNS server the client is using; you don't know specifically which client. And by the time you have sent an AAAA record, it is too late to change your mind.

      When there is brokenness on the client side, a site that wants a high reliability will have to not just ensure their own systems work correctly, but also find the best workarounds for problems in other systems. In case of broken IPv6 connectivity, the workaround being used is mainly whitelisting of DNS servers that can receive AAAA records.

      For some of the involved content providers the change is then going to be that for one day they will pretend every DNS server is on the whitelist. (Care must be taken with the TTL values to ensure the exact time window is going to be predictable.)

      --

      Do you care about the security of your wireless mouse?
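      tlhIngan's post above describes the wait for the IPv6 attempt to fail before the IPv4 fallback, dch24 asks for a software fix, and kasperd's post just above gives the client-side answer: open IPv4 and IPv6 connections in parallel and use whichever connects first. The block below is an added example of that race, written for this page rather than taken from any browser, resolver or operating system; the same idea was later standardised as "Happy Eyeballs" (RFC 6555). The `race_connect` function and the simulated network behind it are assumptions of this example: the addresses are documentation addresses, and "blackhole" and "refused" are constructed stand-ins for a path that silently drops packets and one that answers with an immediate reset. It also shows KiloByte's point: a refused attempt fails at once, so the next candidate starts immediately, and only a silently dropping path costs extra time, bounded by `delay` rather than by the TCP connect timeout.

```python
import queue
import socket
import threading
import time

# Candidate list in preference order, IPv6 first. Constructed documentation
# addresses (RFC 3849 / RFC 5737); nothing here is a real host.
CANDIDATES = [("v6", "2001:db8::1"), ("v4", "192.0.2.1")]


def race_connect(candidates, connect, delay=0.25, timeout=3.0):
    """Start connect(family, address) for each candidate in turn, `delay` apart,
    and return (family, address, conn) for the first one that succeeds.
    A candidate that fails fast (connection refused) lets the next start at once;
    one that never answers is simply overtaken. Raises OSError when nothing
    connects before `timeout`."""
    results = queue.Queue()
    done = threading.Event()

    def attempt(fam, addr):
        try:
            conn = connect(fam, addr)
        except OSError as exc:
            results.put((fam, addr, None, exc))
            return
        if done.is_set():                       # lost the race: don't leak the socket
            close = getattr(conn, "close", None)
            if close:
                close()
            return
        results.put((fam, addr, conn, None))

    deadline = time.monotonic() + timeout
    next_start = time.monotonic()
    started = finished = 0
    failures = []
    while time.monotonic() < deadline:
        now = time.monotonic()
        if started < len(candidates) and now >= next_start:
            fam, addr = candidates[started]
            threading.Thread(target=attempt, args=(fam, addr), daemon=True).start()
            started += 1
            next_start = now + delay
            continue
        if finished == len(candidates):
            break                               # every candidate reported a failure
        wait = (min(next_start, deadline) if started < len(candidates) else deadline) - now
        try:
            fam, addr, conn, exc = results.get(timeout=max(wait, 0.0))
        except queue.Empty:
            continue
        finished += 1
        if conn is not None:
            done.set()
            return fam, addr, conn
        failures.append((fam, addr, exc))
        next_start = time.monotonic()           # fast failure: start the next candidate now
    done.set()
    raise OSError("no candidate connected within %.1fs: %r" % (timeout, failures))


def socket_connect(port, per_attempt_timeout=3.0):
    """A real connect function for race_connect (needs network; not exercised offline)."""
    def connect(fam, addr):
        family = socket.AF_INET6 if fam == "v6" else socket.AF_INET
        s = socket.socket(family, socket.SOCK_STREAM)
        s.settimeout(per_attempt_timeout)
        try:
            s.connect((addr, port))
        except OSError:
            s.close()
            raise
        return s
    return connect


def simulated_connect(behaviour):
    """Constructed stand-in for the network: behaviour maps family -> 'ok',
    'refused' (an RST comes straight back) or 'blackhole' (packets vanish)."""
    def connect(fam, addr):
        kind = behaviour[fam]
        if kind == "ok":
            return "conn-to-" + addr
        if kind == "refused":
            raise ConnectionRefusedError(addr)
        time.sleep(2.0)                         # blackhole: nothing comes back for a long time
        raise TimeoutError(addr)
    return connect


def run_scenario(behaviour, delay=0.25):
    """Return (winning family, seconds elapsed) for a constructed network behaviour."""
    t0 = time.monotonic()
    fam, _addr, _conn = race_connect(CANDIDATES, simulated_connect(behaviour), delay=delay)
    return fam, time.monotonic() - t0


if __name__ == "__main__":
    for name, behaviour in [("v6 works", {"v6": "ok", "v4": "ok"}),
                            ("v6 blackholed", {"v6": "blackhole", "v4": "ok"}),
                            ("v6 refused", {"v6": "refused", "v4": "ok"})]:
        fam, elapsed = run_scenario(behaviour)
        print("%-14s -> %s after %.2fs" % (name, fam, elapsed))
```

The race only covers the connect stage. As kasperd notes, a path-MTU problem shows up after the handshake, when the first large segment is lost, and by then the losing connection has been closed; that failure mode has to be handled separately (for instance by clamping the MSS), and a broken caching resolver is out of reach of anything the client does.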
  4. Retarded by xTantrum · · Score: 1

    Why have one day? Then when something goes wrong or an unexpected circumstance appears it'll be the fault of IPV6? Seriously people this doesn't need to be a big deal. It can be rolled out over time and quietly fade out V4. I hope all goes well but I'm not a big fan of this idea.

    --
    $action = empty(PHP) ? backToC() : unset(PHP) ; "when the concrete cases are understood, the abstractions are readily
    1. Re:Retarded by Pojut · · Score: 4, Insightful

      It's precisely BECAUSE something could go wrong. A full day on a site like Facebook is more than enough time to see any major issues crop up, yet isn't long enough to deeply impact their service*.

      *I know, I know..."Facebook" and "service" in the same sentence. Hurpadurp.

    2. Re:Retarded by TheL0ser · · Score: 2

      It's precisely BECAUSE something could go wrong. A full day on a site like Facebook is more than enough time to see any major issues crop up, yet isn't long enough to deeply impact their service*.

      *I know, I know..."Facebook" and "service" in the same sentence. Hurpadurp.

      The juvenile side of me wants to make a joke off of "long enough" and "deeply impact", but I'd rather just say this: A full day on facebook is also a lot more likely to cause thousands of grandmas and others to claim the internet is broken if something goes wrong. I hope ISPs are going to be ready for support calls.

    3. Re:Retarded by Lennie · · Score: 1

      If the day is 'marketed' properly, then yes that should be fine.

      --
      New things are always on the horizon
    4. Re:Retarded by ObsessiveMathsFreak · · Score: 1

      It can be rolled out over time and quietly fade out V4.

      Why would we ever want to "fade out" IPv4? Why should we? The IPv4 network has worked, robustly and reliably, for 30 years. Running out of address space is not a good enough reason to totally drop interoperability with this working standard.

      "there is one network that has aol.com and cnn.com and cs.utk.edu and an incredible number of other sites. Normal people call this network "the Internet." They insist on being connected to the Internet, so that they can exchange email and web pages and so on with other Internet sites."

      IPv4 is going nowhere fast. IPv6 either supports connections to the internet, i.e. to IPv4 sites, or else it will remain an essentially academic exercise.

      --
      May the Maths Be with you!
    5. Re:Retarded by Brewmeister_Z · · Score: 1

      This could work well to inform users that their ISP is antiquated and even their computers are due for an upgrade. If Google, Facebook, etc. are still allowing IPV4 then information should be provided stating why IPV6 may not work for them before proceeding to the normal pages (they may be doing this but I can't be bothered to RTFA). The downside will be fear created by an unexpected pop-up or page stating this, which will make many think they have some type of malware since these sites did not come up as expected.

      Either way, ISPs and computer services will be getting calls. Hopefully these calls will get appropriate answers and not lead to service offers to solve imaginary problems (Geek Squad anyone?) or upgrades to hardware that are premature.

      Technology advances are great but if it requires scrapping working hardware for little or no benefit to the user then it is a waste of money and adds to the electronic junkyards. Many perfectly good mobile phones are scrapped due to plan upgrade discounts, locking phones to a carrier and carriers refusing to support old phones since they can't lock you into a service plan anymore.

      --
      I Cater to the Needs of Stupid People. - from a coffee mug Christmas gift
    6. Re:Retarded by BitHive · · Score: 1

      You're right, IPv4 is going nowhere because it's a dead end. The transition to IPv6 will not be instantaneous or painless but it is necessary, inevitable, and will render the old working standard obsolete, and irritating to keep alive. Your argument that version six of the internet protocol is a dead end because it won't support internet protocol connections to internet protocol sites is humorous at best.

    7. Re:Retarded by T_Tauri · · Score: 1

      I sure hope IPv4 does fade out. Setting up firewall rules for example requires concentration and checking (AKA time). If I need to set up one set of IPv6 rules and another set of IPv4 rules (with this old thing called NAT which can get confused when the other end is also using NAT) then it has just doubled the time required and probably increased the chances of me making a mistake and being vulnerable on one or the other versions. Once IPv6 is widely used there will be no benefit to hosting content on IPv4 and people will stop bothering.

      Unfortunately the problem is getting IPv6 "widely used" when every site currently supports IPv4. Until there are sites only on IPv6 there is no big benefit for anyone to upgrade their systems/service/settings to IPv6; however, until almost everyone is on IPv6, content providers will still provide an IPv4 address. Until this is sorted, both IPv4 and IPv6 can work well side by side just like most other new technologies - people did not throw out all their floppies the day that CDs became available.

    8. Re:Retarded by WaffleMonster · · Score: 1

      Why would we ever want to "fade out" IPv4? Why should we? The IPv4 network has worked, robustly and reliably for 30 years. Running out of address space is not a good enough reason to totally drop interoperability with this working standard.

      This is an easy one. At a certain (distant future) critical mass there is no longer any market incentive for operators to continue to waste their time and resources maintaining and securing two different sets of IP protocols, at a future point where most everyone has IPv6. The stragglers will find their IPv4 universe shrinking and be forced to get with the program if they want to access anything, accelerating the collapse of the IPv4 universe.

      IPv4 will still have a niche in internal/private networks, but that's about it.

    9. Re:Retarded by sjames · · Score: 1

      v4 will fade away but it won't happen in a day. At some point, v6 will cease to be 'new'. We'll all be running dual stack with NATed v4 addresses assigned from our providers for the few holdouts. Meanwhile servers will be v6 with (perhaps if they could get one) a v4 address for holdouts. By that time, the Internet will be bigger than the v4 address space. The v4 addresses will be used less and less on the public internet. They will see somewhat more use on LANs due to legacy equipment.

      At some point after that, v4 addresses on servers will be mostly 'useful' to people brute forcing SSH accounts and hoping to find outdated and ignored v4 firewall setups. That's about the point where admins start just dropping the v4 addresses entirely to reduce the attack surface. On the ISP side, they'll notice that practically all uses of their NAT service end in abuse reports so they'll just turn it off. They might or might not still be using 6rd to provide v6 connectivity for their customers (v4 might remain alive as a sort of routable layer 2.5)

      An alternative to the continuing use of 6rd would be to go all v6 and replace the NAT with a v4 proxy gateway. At some point, the vast majority of attempts through that proxy will end in no route to host (due to abandoned DNS zones with old A records). At that point, it'll likely be turned off.

      Even then, v4 won't be totally dead. Corporate LANs will likely still be using it for the sake of ancient internal hardware. Being told to enable the IPv4 protocol to reach the printer will be a bit of a WTF moment, but will continue until that printer dies. Years later, some admins will come across an old disused DHCP server still-running and have a laugh as they shut it off. Nobody will notice.

      On the flip side, why does v6 have to support connections to v4 devices (beyond supporting ::ffff:aabb:ccdd)? That's why we have dual stack as the recommended transition.

  5. A site seems to be missing from the participants by wowbagger · · Score: 5, Insightful

    A site seems to be missing from the participants, but I just can't put my finger on it /.

  6. Only one day? by slaxative · · Score: 4, Insightful

    I don't understand why they wouldn't just make this change permanent. If this is the protocol we're going to, make it stick. One day is just toying with us.

    --
    This is not the penguin you're looking for.
    1. Re:Only one day? by drinkypoo · · Score: 1

      With current implementations turning on IPv6 can cause long resolutions and even failures.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Only one day? by Monkeedude1212 · · Score: 1

      You sound ridiculous.

      You know that saying "Rome wasn't built in a day?" That has some factual evidence to it; it took many days to build Rome. And you want to know something a lot of people don't know? They took it down the next day, right after finishing it, because they weren't sure if it was going to work. Then they erected it all again later when they saw there were no problems.

    3. Re:Only one day? by dkleinsc · · Score: 2

      It sounds like they're trying to test it first, and see this as a way to avoid the "After you, sucker" problem. If the test works, it's likely they'll make the move permanently relatively quickly. If it fails miserably, they'll do their best to fix what went wrong and try again.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:Only one day? by slaxative · · Score: 1

      Thanks for a useful quote and I'm ridiculous... Though it has no relevance to the subject. We've known about the ipv6 push for years now, and major Operating Systems have supported it. We know ipv6 works ... because people are actively using it now, I'm one of them. google over ipv6 already works, and has been working for some time. It's time for the rest of the major websites to catch up. One day is not going to prove a lot.

      --
      This is not the penguin you're looking for.
    5. Re:Only one day? by GPLHost-Thomas · · Score: 1

      Except that ... it's been 20 YEARS since the ipv6 protocol was drafted. Now that it's already too late and there's not enough IPv4, it's legitimate to ask for a speed-up!

    6. Re:Only one day? by vlm · · Score: 1

      With current implementations turning on IPv6 can cause long resolutions and even failures.

      Only if you connect to a faulty v6 network that no one bothers to fix because "it's only ipv6". Current *network* implementations, not end user boxes. It's hardly an inherent part of the protocol or OS implementation.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:Only one day? by vlm · · Score: 1

      We've known about the ipv6 push for years now, and major Operating Systems have supported it.

      If you want a good laugh, look up major OBSOLETE OSes that support ipv6. W2K, NT, even to a limited extent supposedly W98 had an addon.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    8. Re:Only one day? by Monkeedude1212 · · Score: 1

      Psssssst

      (I'm agreeing with you... I thought I might help show how silly it is to do a 1 day stunt by throwing it into the context of something physical, like a city. I thought calling someone else ridiculous might help push the 'over the top' tone to the post)

    9. Re:Only one day? by Anonymous Coward · · Score: 1

      If Google over IPv6 worked, Google would have done a full rollout of IPv6 by now. Google still only gives you AAAA records for its IPv6 hosts if you've proved to Google that your IPv6 network is good (redundant links, etc.). Other tests have shown that a full rollout of IPV6 (so everyone gets AAAA records) means a small minority of users (less than 1% if I remember right) will be unable to access the services or get minute-long waits until they can get an A record resolution. Everything's not completely working yet, which is what this day is about.
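      The whitelisting this post and kasperd's post in the Dual-stack thread describe (AAAA records only for resolvers that have proved their IPv6 path, then "for one day pretend every DNS server is on the whitelist", with care taken over TTLs so the window is predictable) can be written down as a small authoritative answer policy. The block below is an added example for this page, not code from Google or any other participant; the zone, the whitelist and the Unix-time window are constructed, and the addresses are documentation addresses. The TTL cap is the part that matters: an AAAA record handed out one second before the window closes must not live on in a client-side cache for the full default TTL, because, as kasperd says, once the record has been sent it cannot be taken back.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    rtype: str
    value: str
    ttl: int


# Constructed zone data: RFC 5737 / RFC 3849 documentation addresses only.
ZONE = {"www.example.com": {"A": "192.0.2.10", "AAAA": "2001:db8::10"}}
DEFAULT_TTL = 300

# Constructed whitelist: recursive resolvers (seen as the query source) whose
# networks have demonstrated working IPv6 paths to the site.
AAAA_WHITELIST = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("2001:db8:53::/48")]


def resolver_whitelisted(resolver_ip: str) -> bool:
    ip = ipaddress.ip_address(resolver_ip)
    return any(ip in net for net in AAAA_WHITELIST)


def answer(qname: str, qtype: str, resolver_ip: str, now: int, window=None):
    """Authoritative answer policy. `now` is a Unix time; `window` is an optional
    (start, end) pair of Unix times during which AAAA records go to everyone.
    Whitelisted resolvers always get AAAA. Inside the window the TTL is capped at
    the remaining window length, so no AAAA outlives the window in any cache."""
    rrs = ZONE.get(qname)
    if rrs is None:
        return []                                   # NXDOMAIN, modelled as an empty answer
    if qtype == "A":
        return [Record("A", rrs["A"], DEFAULT_TTL)]   # IPv4 is always served
    if qtype != "AAAA" or "AAAA" not in rrs:
        return []
    if resolver_whitelisted(resolver_ip):
        return [Record("AAAA", rrs["AAAA"], DEFAULT_TTL)]
    if window is not None:
        start, end = window
        if start <= now < end:
            return [Record("AAAA", rrs["AAAA"], min(DEFAULT_TTL, end - now))]
    return []                                       # NODATA: name exists, no AAAA for this client


def cache_expiry(issued_at: int, record: Record) -> int:
    """Latest Unix time at which a resolver may still serve `record` from cache."""
    return issued_at + record.ttl


if __name__ == "__main__":
    day = (1307491200, 1307577600)                   # constructed 24-hour window (Unix times)
    for when, label in [(day[0] - 3600, "before"), (day[0] + 3600, "during"),
                        (day[1] - 10, "last seconds"), (day[1] + 1, "after")]:
        rr = answer("www.example.com", "AAAA", "203.0.113.5", when, day)
        print("%-12s unlisted resolver -> %s" % (label, rr or "NODATA"))
    print("whitelisted resolver, before ->",
          answer("www.example.com", "AAAA", "198.51.100.7", day[0] - 3600, day))
```

The same policy also makes the start of the window sharp: before it opens, unlisted resolvers have never received an AAAA for the name, so there is nothing stale in their caches to collide with the flip.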

    10. Re:Only one day? by PrimaryConsult · · Score: 1

      I'll counter this with a service-related example.

      The New York subway in 2001 decided to test a new service pattern by running rush hour levels of service on a Sunday morning with a new pattern. After they found the problems with the pattern (congestion, delays), they repeated the test a few months later with a tweaked pattern, which ended up going into 'production'.

      This type of test will help push ISPs and network managers to find where the problems lie in their IPv6 implementation and hopefully give them time to correct them.

  7. Re:A site seems to be missing from the participant by mcneely.mike · · Score: 5, Funny

    That's because the average slashdot user isn't savvy enough for this, whereas your average facebook user is... i mean, these people run their own FARMS, for chrissakes!

    --
    soylentnews.org Go there to enjoy the people!
  8. June 8th? by VGPowerlord · · Score: 1

    "Hopefully, we will see positive results from this trial so we will see more IPv6 sooner rather than later."

    So, why not schedule it sooner rather than later? June 8th is still nearly five months away!

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    1. Re:June 8th? by Infiniti2000 · · Score: 1

      So, why not schedule it sooner rather than later? June 8th is still nearly five months away!

      Because it takes a while to set this up, get approvals and commitments, etc. It's not easy just getting ready for something like a trade show and this is likely a much more difficult proposition.

    2. Re:June 8th? by Anonymous Coward · · Score: 0

      I remember, some time ago, someone was making a similar comment on /. : "2010 is ten years away!" With that in mind, I don't see this schedule as too conservative.

  9. So how about it, Slashdot? by Epsillon · · Score: 5, Insightful

    Isn't it about time News for Nerds got a 128bit address? You know it makes sense!

    --
    Resistance is futile. Reactance buggers it up.
    1. Re:So how about it, Slashdot? by Anonymous Coward · · Score: 0

      "yro.slashdot.org" already appears to require 128 bits. :P

    2. Re:So how about it, Slashdot? by evilviper · · Score: 1

      Slashdot would absolutely have to change its name. Something like "colonAF" I'd say.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:So how about it, Slashdot? by Koos · · Score: 1

      According to Savvis invested in a new ipv6-capable network in 2006, to be finished in 2008. Savvis hosts sourceforge / slashdot (from the whois record). Yet, according to the nanog grapevine in 2010, Savvis is not yet able to offer IPv6 to customers. Time to put 'working ipv6' on the checklist for your new hosting?

  10. How do I get to their sites using IPv6? by ravnous · · Score: 1

    I imagine most home users don't have IPv6 addresses. Ideally, everyone would slowly start to switch over to IPv6, with sites having both v4 and v6 addresses serving the same content, and users that are connected with a v6 address getting addresses from a DNS that supports v6 would connect using v6. But where I live, I don't get an IPv6 address with Fios. I imagine the big ISPs don't give residential users v6 addresses nationally and globally.

    --
    When does this happen in the movie?
    1. Re:How do I get to their sites using IPv6? by Anonymous Coward · · Score: 1

      Tunnel brokers. I like SixXS since they gave me a free tunnel and a free subnet for all my home PCs (an entire /48, I think I should be set for a while). Works like a charm. Also check out Hurricane Electric.

    2. Re:How do I get to their sites using IPv6? by Bob_Sheep · · Score: 5, Informative

      Use a tunnel broker service. There are at least 2 free tunnel brokers, SixXs and Hurricane Electric

    3. Re:How do I get to their sites using IPv6? by Monkeedude1212 · · Score: 1

      I imagine most home users don't have IPv6 addresses.

      In Canada we do. Most ISPs (Meaning the 3 big ones) are already set up to do it, and will dish you an IPv6 address if you configure things on your end (and they'll walk you through how to do it, if you wish) but they basically warn you that not every site is using it yet so they advise against using it.

    4. Re:How do I get to their sites using IPv6? by icebraining · · Score: 4, Informative

      They won't turn IPv4 off for probably many years. But if you actually want to try IPv6 without ISP support, you can try a free tunnel broker.

    5. Re:How do I get to their sites using IPv6? by Anonymous Coward · · Score: 0

      If you don't have IPv6 connectivity, you will still participate in the test, because it is as much about ensuring that you can still connect as it is about testing whether IPv6 enabled systems can connect reliably. Big web sites have long hesitated to enable IPv6 dual stack access, because there are some potential problems, like web browsers seeing IPv6 IP addresses and trying to use them without having IPv6 connectivity, which results in long delays or even failure. This test is meant to show that the implementation issues are under control and that very, very few users are affected by these problems, so that more web sites can enable IPv6 access. Right now, even if you had IPv6 connectivity, most of your web traffic would still be IPv4, simply because there aren't many IPv6 enabled web sites out there (and quite a few use different domains for their IPv6 enabled servers, or whitelist IPv6 enabled networks in DNS).
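
Added example (editor's code, not from any poster in this thread): the failure mode described in the comment above, a AAAA record that resolves while the IPv6 path is black-holed, against the mitigation that browsers later shipped and that was standardized as "Happy Eyeballs" (RFC 6555, revised in RFC 8305). The connector is simulated so the script runs offline; the candidate addresses are documentation prefixes and the timings are constructed, not measurements.

```python
import concurrent.futures as cf
import socket
import time

# Constructed candidate list in getaddrinfo() order: the AAAA answer comes
# first, so a naive client tries IPv6 first (documentation addresses).
CANDIDATES = [
    (socket.AF_INET6, "2001:db8::1"),
    (socket.AF_INET, "192.0.2.1"),
]


def connect_sequential(candidates, connector, timeout):
    """The naive client: try each address in turn and wait out a full timeout
    before moving on. A black-holed IPv6 route costs the whole timeout."""
    last = None
    for family, addr in candidates:
        try:
            return connector(family, addr, timeout)
        except OSError as exc:
            last = exc
    raise OSError(f"all candidates failed: {last}")


def connect_happy_eyeballs(candidates, connector, timeout, head_start=0.25):
    """RFC 6555 style: start the first candidate, give it a short head start,
    then start the next one in parallel; the first attempt to succeed wins."""
    pool = cf.ThreadPoolExecutor(max_workers=max(1, len(candidates)))
    pending, queue, last = [], list(candidates), None
    try:
        while queue or pending:
            if queue:
                family, addr = queue.pop(0)
                pending.append(pool.submit(connector, family, addr, timeout))
            done, _ = cf.wait(pending, timeout=head_start if queue else None,
                              return_when=cf.FIRST_COMPLETED)
            for fut in done:
                pending.remove(fut)
                try:
                    return fut.result()
                except OSError as exc:
                    last = exc
        raise OSError(f"all candidates failed: {last}")
    finally:
        pool.shutdown(wait=False)  # do not block on an attempt that is still hanging


def simulated_connector(behaviour):
    """Stand-in for socket.create_connection(). behaviour maps (family, addr)
    to (seconds until the peer answers, whether the connect succeeds); an
    infinite delay models a black-holed route that never answers."""
    def connect(family, addr, timeout):
        delay, ok = behaviour[(family, addr)]
        time.sleep(min(delay, timeout))
        if ok and delay <= timeout:
            return (family, addr)
        raise OSError(f"connect to {addr} timed out")
    return connect


# Constructed scenarios: one where IPv6 is announced but unreachable, one
# where it works and should therefore be preferred.
BROKEN_V6 = simulated_connector({
    (socket.AF_INET6, "2001:db8::1"): (float("inf"), False),
    (socket.AF_INET, "192.0.2.1"): (0.05, True),
})
WORKING_V6 = simulated_connector({
    (socket.AF_INET6, "2001:db8::1"): (0.05, True),
    (socket.AF_INET, "192.0.2.1"): (0.05, True),
})


def timed(fn, *args, **kwargs):
    """Return (result, elapsed seconds) for one connection strategy."""
    start = time.monotonic()
    return fn(*args, **kwargs), time.monotonic() - start


if __name__ == "__main__":
    for name, fn in (("sequential", connect_sequential),
                     ("happy eyeballs", connect_happy_eyeballs)):
        (family, addr), elapsed = timed(fn, CANDIDATES, BROKEN_V6, 1.0)
        print(f"{name:15s} -> {addr} after {elapsed:.2f}s")
```

With a one-second connect timeout the sequential client reaches the IPv4 address only after the full second; the staggered version gets there after the head start plus the IPv4 round trip, and still prefers IPv6 whenever it answers. Real browsers of the period used much longer timeouts, which is why a dead AAAA felt like a site outage.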

    6. Re:How do I get to their sites using IPv6? by Anonymous Coward · · Score: 0

      What?? Seriously, what??

      Who said anything about turning off IPv4? IPv6 co-exists with IPv4. They are different IP spaces. An ISP can assign IPv4 and IPv6 at same time.

    7. Re:How do I get to their sites using IPv6? by GPLHost-Thomas · · Score: 1

      Move to France, use "Free" (from the Illiad company) and you'll get a full dual-stack connectivity (it's been YEARS they have it...). If your ISP isn't doing it, ask if others are. In fact, that's the best thing you could do to speed up adoption: move to ISPs that have it, and leave the non-brainier behind. As soon as these realize they are losing business, they will move their bottom to do it quick.

    8. Re:How do I get to their sites using IPv6? by Anonymous Coward · · Score: 0

      Wait what? A cursory search through the dslreports forums says no one on Bell Sympatico or Rogers is getting native IPv6 yet. I know TekSavvy offers it, but who else?

    9. Re:How do I get to their sites using IPv6? by h4rm0ny · · Score: 1

      What about within the home? Do most routers support IPv6 now or do you have to do something special?

      --
      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    10. Re:How do I get to their sites using IPv6? by Monkeedude1212 · · Score: 1

      When I do an Ipconfig /all I get a Link-Local IPv6 Address so I would assume that yes, most routers now support IPv6.

    11. Re:How do I get to their sites using IPv6? by rastos1 · · Score: 1

      Try 6to4 - follow the instructions on http://6to4.version6.net/. If you are behind NAT, you need to put your machine into demilitarized zone (i.e. it receives all packets that the NAT-ing router receives)

    12. Re:How do I get to their sites using IPv6? by Anonymous Coward · · Score: 0

      Use a tunnel broker service. There are at least 2 free tunnel brokers, SixXs and Hurricane Electric

      The use of tunnel brokers is part of the problem not part of the solution. There is no way you can hoist that much traffic on top of a dumb inefficient overlay network and expect any kind of performance parity with IPv4. The deployment of crappily performing tunnels is a HUGE problem for content providers who want to make IPv6 available but can't because everyone will complain that it takes forever to load a stupid youtube video over IPv6.

      HE and the rest are great for experimenting and dinking around with IPv6 but they just don't have that kind of bandwidth at a price you would be willing to pay for this to also be a solution for real world large scale deployment of IPv6.

      What needs to happen is you need to demand that your ISP provide you with a real IPv6 address on their network or be willing to find another ISP who is. It does not take many lost customers for ISPs to get a clue and get serious about deployment.

    13. Re:How do I get to their sites using IPv6? by Smitty825 · · Score: 1

      I've generally found that most "home grade" switches can route IPv6 traffic without issue. However, it's doubtful that your Cable/DSL router supports IPv6 out of the box, unless you're running a custom firmware such as DD-WRT.

      --
      Doh!
    14. Re:How do I get to their sites using IPv6? by Raenex · · Score: 1

      What needs to happen is you need to demand that your ISP provide you with a real IPv6 address on their network or be willing to find another ISP who is. It does not take many lost customers for ISPs to get a clue and get serious about deployment.

      The problem is many home consumers don't have a choice over an ISP, and even if they did, are clueless about IPv6, and even if they aren't, don't have a practical benefit to demand an IPv6 address. Yes, if everybody collectively moved to IPv6, it would be great, but each individual looks at the situation and sees no benefit.

  11. Better to make up a deadline than to wait by Quick+Reply · · Score: 2

    Having an "IPV6" day is not such a big deal for these sites as they have already more or less prepared themselves for IPV6 already. The challenge is getting ISPs and OEMs ready to supply IPV6 links and IPV6 equipment. I think that making a big deal of "IPV6 day" will push these companies into getting their asses into gear to offer IPV6, if consumers and businesses can keep pushing them "We need IPV6, are your links going to be ready for IPV6 day?" and "We need IPV6, are your firmware updates going to be ready for IPV6 day?" even if this is only a marketing campaign.

    What is important here is that we give ISPs and OEMs a deadline because at the moment the precise date for NEEDING IPV6 is up in the air and they are reluctant to do anything until a deadline is put in place (or even to START until the customers are complaining- when it is too late)

    1. Re:Better to make up a deadline than to wait by sstern · · Score: 1

      My dlink router does IPV6, but my cable modem doesn't. Until my provider goes IPv6, it's just a curiosity.

      --
      --Steve
    2. Re:Better to make up a deadline than to wait by vlm · · Score: 1

      My dlink router does IPV6, but my cable modem doesn't. Until my provider goes IPv6, it's just a curiosity.

      You can't buy a cablemodem that doesn't support V6. Don't get all technical with me about buying some stolen property out of a car trunk from 1997 meaning you can buy a non-ipv6 cablemodem. I mean anything sold to the cablecos for years has supported v6. It's now gotten to the point that you can't legally call yourself DOCSIS 3.0 compatible without shipping a working ipv6 implementation. Mandatory ability as part of the standard.

      Now your local provider can limit any and all technical abilities. Just like a cellphone manufacturer is free to include hardware and firmware which the local cellphone company can prevent you from using (tethering etc). Or your cableco is free to enable/disable any output jack on the back of your settop box.

      Your cablemodem almost certainly merely requires some behind the scenes work at the cableco and one remotely initiated reboot of your modem and you've got working ipv6.

      If you don't believe me, find your modems model number and google for the promotional fliers or even technical manuals from the manufacturer.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  12. Heise.de did it first... by Anonymous Coward · · Score: 5, Informative

    The operator of one of the biggest German web sites, the Heise publishing house, held its own IPv6 day on the 16th of September 2010. Their domains got AAAA records in addition to the IPv4 A records and the web servers responded to IPv4 and IPv6. Long story short: The test produced much fewer problems than expected and two weeks after the test, Heise.de enabled IPv6 permanently. The story is here (in German).

    1. Re:Heise.de did it first... by Artem+S.+Tashkinov · · Score: 1

      This story in English.

      Funnily their English office/rep web site still runs IPv4 exclusively.

    2. Re:Heise.de did it first... by Adm.Wiggin · · Score: 1

      And we're not at all surprised... I'm sure this one will go similarly. So much doom and gloom over such a little thing, where all the kinks are already worked out.

  13. Re:A site seems to be missing from the participant by Anonymous Coward · · Score: 4, Funny

    ... it's because IPv6 uses UTF-8 encoded addresses.

  14. Re:A site seems to be missing from the participant by SlothDead · · Score: 5, Informative

    You mean the one that has no Unicode support?

  15. Re:A site seems to be missing from the participant by Anonymous Coward · · Score: 1

    Yes, and the one that is broken in some different way on every browser.

  16. Re:not enough by TaoPhoenix · · Score: 1

    Dieting is a matter of national security!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  17. Re:not enough by Anonymous Coward · · Score: 0

    Being overweight does not increase the number of cells in your body: the existing fat cells just swell.

  18. Comcast gives all customers IPv6 through 6to4 by YesIAmAScript · · Score: 1

    They also have 6RD.

    All you need to do is turn it on. And if you have certain base stations, it is on by default.

    http://comcast6.net/

    --
    http://lkml.org/lkml/2005/8/20/95
  19. Re:not enough by nedlohs · · Score: 2

    Amputations are a matter of national security!

  20. Re:not enough by Anonymous Coward · · Score: 0

    They both multiply and swell.

  21. Force hardware supplier by law by GPLHost-Thomas · · Score: 1

    Can any of you give me a brand of WiFi N router that can do ipv6? I guess there aren't that many. Why aren't manufacturers FORCED by law to do it? That would be simple: pass the law, declare all new ipv4 only equipment illegal, end of the story. Then, next step, do the same with all ISPs. Within 1 year, this could be done. The only issue is that law makers don't understand technology...

    1. Re:Force hardware supplier by law by dkuntz · · Score: 2

      Apple Airport Extremes can do ipv6. I know this cause Charter in my area gives out ipv6 addresses as well as v4.

      --
      OMG... I have a sig?
    2. Re:Force hardware supplier by law by Anonymous Coward · · Score: 0

      3rd party firmware such as dd-wrt offer ipv6. I run ipv6 on my home network with a linksys wrt610n router running dd-wrt.

    3. Re:Force hardware supplier by law by GPLHost-Thomas · · Score: 1

      Can it do BOTH WiFi N and WiFi G *at the same time*? If yes, then I might get one... :)

    4. Re:Force hardware supplier by law by vlm · · Score: 1

      Can any of you give me a brand of WiFi N router that can do ipv6? I guess there aren't that many. Why manufacturers aren't FORCED by law to do it?

      In bridging mode, you can't (easily) make a wifi access point that won't support ipv6. It's just another type of packet on the (virtual) wire. For a good fraction of a decade that is how I've had my home set up.

      The market has spoken and you cannot buy a non-docsis 3.0 cablemodem anymore. docsis 3.0 requires ipv6 support. Many people have a "wireless cablemodem" basically a modem and router and access point in one little box. Thus all wireless cablemodems going forward will support ipv6, and presumably at least some will support N.

      The main problem with N wifi is I do not have the connection speed to saturate my decade old plain ole 802.11B network. If I upgrade to N, rather than being capped by my provider to max out at about 33% of my network speed, I'll merely run at about 1% of my network speed. Who cares?

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:Force hardware supplier by law by Anonymous Coward · · Score: 0

      I can't find the section of the constitution that allows lawmakers to do that, nor would such a heavy handed policy be justified.

    6. Re:Force hardware supplier by law by vlm · · Score: 1

      I can't find the section of the constitution that allows lawmakers to do that, nor would such a heavy handed policy be justified.

      Well, that's never stopped them from doing what they want in the past, has it?

      Aside from that, if my local monopoly regulated cableco is required to provide service rates, that can be provided by docsis 3.0, and no other competing technology exists but docsis 3.0, and docsis 3.0 also happens to require a working ipv6 implementation, which it does, we are halfway there.

      Now convince the docsis 4.0 guys to demand the removal of ipv4 or whatever and you're basically done.

      The main problem with the guys plan, is equipment rollout, depreciation, replacement/upgrade cycle is a bit longer than one year.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:Force hardware supplier by law by John+Hasler · · Score: 1

      > Well thats never stopped them from doing what they want in the past, has it?

      Yes. Many times. For a recent example see the "Children's on Line Protection Act".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:Force hardware supplier by law by Yaztromo · · Score: 1

      Can it do BOTH WiFi N and WiFi G *at the same time*? If yes, then I might get one... :)

      Yes, and you can even run N at 5 GHz and G at 2.4 GHz simultaneously. The latest Airport Extremes have dual independent radios specifically for this use case. Coupled with their IPv6 support (including IPv6 firewalling), IMO the Apple Airport Extreme is the best home wired/wireless router on the market.

      Yaz.

    9. Re:Force hardware supplier by law by Yaztromo · · Score: 1

      The main problem with N wifi is I do not have the connection speed to saturate my decade old plain ole 802.11B network. If I upgrade to N, rather than being capped by my provider to max out at about 33% of my network speed, I'll merely run at about 1% of my network speed. Who cares?

      Anybody who has more than one host on their home network, and does data transfer between hosts?

      I suppose if you only have one machine going out through your network, or if the hosts you do have never inter-communicate (or only do so at a superficial level), then sure -- 802.11b should be sufficient. Then again, so would 10-Base2 Coaxial networking (aka "fun with terminators!").

      Personally, 802.11n is the best way to connect to the hosts on my home gigabit network. Not as good as wired (where I have got within 5% of the theoretical maximum throughput between hosts doing large file transfers -- over IPv6 at that), but still really nice for my wireless networked devices (that support it -- I'm looking at the two iPod Touches that necessitate my continuing to run a parallel 802.11g network).

      Yaz.

    10. Re:Force hardware supplier by law by vlueboy · · Score: 1

      I believe what you are looking for goes by simultaneous dual band.

      DLink's 825 does it, though my ISP made it so I need the router's 6-to-4 tunnel anyway, till the ISP's PPPoE eventually serves DHCPv6 instead of DHCPv4. I'm not sure about the simultaneous dual-band on the cheaper model 625, but like that one, other products also do v6, but you'll have to check them individually.

      Always check forums before making your final choice; implementations can be wonky: even in LAN-bridge mode, a new bottom-of-the-line white-shell G-band router refused to bridge DHCPv6 announcements to PCs on the other side of the LAN. Remember too that browsers need [ brackets ] around v6-style IP addresses, that a tunnel's anycast gateway is 192.88.99.1 and that your manual DNS queries will be plenty even today; browsers refuse v6 on dual-stack sites entered by hostname on your address bar, e.g. www.kame.net vs. 2001:200:dff:fff1:216:3eff:feb1:44d7. Oh, and don't dare hyperlink to IPv6 addresses like the above. Even /. slurps it as nonsense.
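
Added example (editor's code, not posted by rastos1 or vlueboy): the 6to4 arithmetic behind the two comments above, the one recommending 6to4 from behind a DMZ'd NAT and the one quoting the 192.88.99.1 relay anycast address and the bracket rule for IPv6 literals. It derives the 2002::/48 a public IPv4 address owns (RFC 3056), recovers the IPv4 endpoint a 6to4 address embeds, refuses RFC 1918 and other non-routable addresses (the reason 6to4 cannot work from an un-DMZ'd host behind NAT), and formats and parses a bracketed literal URL. The kame.net address is the one quoted in the post; the validation list is an assumption of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# 6to4 relay anycast address (RFC 3068), quoted in the post above.
SIXTOFOUR_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")

# The kame.net address quoted in the post above, used as a literal-URL sample.
KAME_V6 = "2001:200:dff:fff1:216:3eff:feb1:44d7"

# Addresses that can never be a 6to4 endpoint: a host holding one of these is
# behind NAT (or on loopback/link-local), so the relay cannot return packets to
# it. This list is an assumption of the example, not part of RFC 3056.
_NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def sixtofour_prefix(public_v4):
    """Return the 2002:VVVV:WWWW::/48 owned by public IPv4 address V.V.W.W.

    The 32 IPv4 bits sit directly under the 2002::/16 prefix, leaving 16 bits
    of subnet id and a 64-bit interface id, i.e. a whole /48 per IPv4 address.
    """
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in net for net in _NOT_PUBLIC):
        raise ValueError(f"{v4} is not a public address; 6to4 needs one (no NAT in front)")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(v6):
    """IPv4 endpoint a 6to4 address reveals; None for any other IPv6 address.

    This is also why 6to4 addresses are trivially linkable to the IPv4 host.
    """
    return ipaddress.IPv6Address(v6).sixtofour


def relay_prefix():
    """The /48 the anycast relay itself occupies (2002:c058:6301::/48)."""
    return sixtofour_prefix(SIXTOFOUR_RELAY_ANYCAST)


def literal_url(v6, port=80, path="/"):
    """IPv6 literals must be bracketed in a URL authority (RFC 3986 s.3.2.2),
    otherwise the colons are read as the port separator."""
    addr = ipaddress.IPv6Address(v6)
    return f"http://[{addr.compressed}]:{port}{path}"


def host_of(url):
    """urlsplit() strips the brackets again, so callers get the bare address."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    print("prefix for 192.0.2.1 :", sixtofour_prefix("192.0.2.1"))
    print("relay prefix         :", relay_prefix())
    print("embedded in 2002:c000:201::1 :", embedded_ipv4("2002:c000:201::1"))
    print("literal URL          :", literal_url(KAME_V6))
    try:
        sixtofour_prefix("192.168.1.10")
    except ValueError as exc:
        print("rejected:", exc)
```

Note the practical consequence of `embedded_ipv4`: anyone seeing your 6to4 source address knows your public IPv4 address, which a tunnel-broker /48 does not give away.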

    11. Re:Force hardware supplier by law by knorthern+knight · · Score: 1

      Exactly this type of stuff has been done many times in the past...

      1) A couple of years before the analogue TV shutdown, it became mandatory for tuners in all TV sets above a certain size to be ATSC-capable. And companies that didn't comply were subject to fines... http://www.twice.com/article/242085-FCC_Cites_Two_For_DTV_Tuner_Violations.php It was legal to sell "monitors" (i.e no tuner), or dual (ATSC+NTSC) tuner, or ATSC-only tuners, but NTSC-only tuners were outlawed.

      2) Before that, FM radios in cars were kick-started in the 1970's by a requirement that all factory-installed radios on new cars have FM tuners. You could sell a new car with no radio, or dual AM-FM radio, or FM-only, but AM-only was illegal.

      3) And before that, to solve the chicken-and-egg problem for UHF TV, all new TV sets were required to be able to tune UHF channels, which at that time went up to 83.

      So, yes, it has been done in the past, and can be done again.

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
  22. Wow, almost half a year ... by garry_g · · Score: 1

    ... down the road ... they better hurry up, not long until the first RIRs might run out of v4 addresses ...

    I guess it's time that porn and p2p sites switched over to v6 only, that should put some pressure on hardware manufacturers and ISPs to finally deliver v6 ...

    1. Re:Wow, almost half a year ... by vlm · · Score: 1

      I guess it's time that porn ... sites switched over to v6 only, that should put some pressure on hardware manufacturers and ISPs to finally deliver v6

      More like, a bunch of clowns in the government trying to make v6 illegal because they think everyone should have to do what their imaginary man in the sky told them.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  23. Yeah, but... by Anonymous Coward · · Score: 0

    are they going to turn off their ipv4 servers world wide on that day? No, I thought not. Also, since they have been dragging their feet, and come last to the party, they have ensured that it won't possibly work as well on that day, as it would have worked on that day, had they been using ipv6 for the past 10 years already. Essentially, once they actually flip, and not just have a single day, they will then be that many years behind where they would have been, if they had brought up the entire ipv6 network with them on it. So, for example, if they flip the switch in 2020, they will be about 20 years behind where we could have been, had they flipped it on in 2000.

    I can remember the _day_ that uunet required reverse lookups to work. On that day, or the next, the entire world put in reverse dns data. They just did it, and never looked back.

  24. Better Day by buckhead_buddy · · Score: 5, Interesting

    Two days earlier and it would have been June 6, or 6/6. Rolling out IPv6 on 6/6 would have been biblically ordained to take over the heavens and the earth. Now it's just... another day, another test.

    1. Re:Better Day by RichiH · · Score: 1

      They wanted to, but 6.6.2011 is a holiday, somewhere, iirc. It's on the ipv6-ops mailing list where they, rightfully so, state that this date is _way_ too late. IANA will run out of IPv4 in a few weeks, the RIRs will be able to hold up up to a year longer.

      If anything, they should do every 6th of every month starting February. And _that_ would still be too late, imo.

  25. Re:not enough by Beardo+the+Bearded · · Score: 1

    I thought that muscles swell while fat cells increase in numbers.

    --
    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  26. Huh? by Anonymous Coward · · Score: 0

    Since when is yahoo a "big site"?
    It's a speck in comparison to facebook and google...

    1. Re:Huh? by YrWrstNtmr · · Score: 1

      Since when is yahoo a "big site"?

      According to Alexa, Yahoo is 4th behind Google, Facebook, and YouTube.

    2. Re:Huh? by Anonymous Coward · · Score: 0
  27. Re:A site seems to be missing from the participant by somejeff · · Score: 1

    A site seems to be missing from the participants, but I just can't put my finger on it /.

    What? /. is not owned by facebook?

  28. Re:not enough by Steneub · · Score: 0

    Being overweight does not increase the number of cells in your body: the existing fat cells just swell.

    Citation please.

  29. Re:A site seems to be missing from the participant by Anonymous Coward · · Score: 0

    Ahahaha, well done sir.

  30. Important ipv6-ready site by Anonymous Coward · · Score: 0
  31. Three! Two! by ThatsNotPudding · · Score: 1

    One!...carrier lost...

  32. Re:not enough by micheas · · Score: 1

    Being overweight does not increase the number of cells in your body: the existing fat cells just swell.

    Citation please.

    I don't have a citation handy, but the general definition of obese is when your fat cells start increasing in number after they have expanded, hence why people that are obese rarely get back down to their lower weight, and when they do it tends to be very hard for them to maintain that weight, as it requires the fat cells to be smaller than before becoming obese. This is an over simplification of course, but you get the idea. Fat cells mostly just grow and shrink, but at some point, they start to divide, and at that point weight loss becomes harder.

  33. Re:A site seems to be missing from the participant by MonsterTrimble · · Score: 1

    Do you SEE a like button around here?!

    Actually, Slashdot's moderation system on Facebook could be pretty interesting.

    --
    I call it 'The Aristocrats'
  34. Re:not enough by SuricouRaven · · Score: 1

    The effect is permanent, too - people who are obese as children still have the inflated fat cell numbers when adults. Maybe intensive liposuction would help.

  35. Can anyone say Internet ID? by Anonymous Coward · · Score: 0

    With IPV6 every device in the world can have a laser-etched IP address assigned to it so "they" will know who you are.

    Now where did I put that Aluminum Foil?

  36. IPv6 rollout on corporate networks by Doug+Neal · · Score: 1

    At my workplace we've been doing some limited trials of providing IPv6 connectivity to internal systems (we don't have much in the way of outward facing stuff).

    IMHO, and I would love to be corrected on this, but as far as I can see, there are some big problems to overcome with corporate deployments (not so much with home connections). Note that I am in no way advocating sticking with IPv4, this is just from my experiences so far:

    It starts with the fact that your internal IP addresses will be determined by what your ISP gives you. What if you change ISPs? This means renumbering everything. Changing ISPs didn't used to mean that. What's the solution - use address autoconfiguration everywhere? That's not going to scale up very well. Think about DNS. Dynamic DNS updates? Over potentially thousands of hosts? And keeping all that secure? Sounds like a disaster waiting to happen.

    OK, so if you're running a network that big, you probably want to get some provider-independent address space, then you keep the same address scheme and advertise your addresses out to your ISP. That way your addresses always stay the same no matter which ISP you use and you also have the option to multi-home. All well and good, but acquiring PI addresses still requires you to become a member of your local RIR; it's quite a paperwork-intensive process. With IPv4 this is acceptable as it's mostly only large enterprises and ISPs that need PI space and the number of RIR members remains low. With IPv6, medium and small companies will also have an urgent requirement for PI space. The process needs to be simplified, packaged up, and probably most importantly, delegated; will the RIRs be able to cope as it stands? We will end up with huge waiting lists to get address space. The process needs to be more like registering a domain than getting PI IPv4 space.

    Now, of course, once so many more organisations are using PI addresses, what does this mean for the size of the global routing table? This is more of a problem for the ISPs and router vendors than the end users, but a problem nonetheless.

    Can anyone more experienced in IPv6 than me refute these points?

    1. Re:IPv6 rollout on corporate networks by bbn · · Score: 1

      Do you really need DNS to thousands of hosts? A normal PC on your corporate network should just get an IP using autoconf or DHCP exactly like it has always been done. Renumbering is just updating the DHCP server.

      Servers yes, they need renumbering. But it is an easy task since you only need to change the prefix part of the address. If you use DHCP to assign addresses to your servers, this will also be a simple one line change to your DHCP server. Otherwise you could probably script the change.

      There is also the option of using site local addresses if you really need to. This will allow you to assign addresses that will never change for internal use, and then in additional also assign DHCP/autoconf addresses for communicating with the rest of the internet.

    2. Re:IPv6 rollout on corporate networks by 3.1415926535 · · Score: 1

      Do any operating systems use DHCPv6 by default? I know Linux just uses stateless autoconfig by default, which works great for renumbering, but how do you get DNS entries that way?

      I guess you just manually configure your servers to use DHCPv6 and let everything else use autoconfig?

    3. Re:IPv6 rollout on corporate networks by Doug+Neal · · Score: 1

      DHCPv6 is still desirable for almost every other device you care to name, because autoconfig doesn't say anything about DNS servers.

    4. Re:IPv6 rollout on corporate networks by bbn · · Score: 1

      DHCPv6 is still desirable for almost every other device you care to name, because autoconfig doesn't say anything about DNS servers.

      Not true. Autoconfig can do DNS. It is specified in RFC 6106:

      http://tools.ietf.org/html/rfc6106

    5. Re:IPv6 rollout on corporate networks by bbn · · Score: 1

      There is an option for DNS using stateless autoconfig: http://tools.ietf.org/html/rfc6106

      But for the time dual stack is a more likely deployment option. If you are doing dual stack you are probably using plain old DHCP to assign IPv4 including DNS information.

      Linux will happily pick up the IPv4+DNS from DHCP and the IPv6 address from stateless autoconfig.

    6. Re:IPv6 rollout on corporate networks by Junta · · Score: 1

      Well, you can use unique local addressing for internal stuff. NAT is called a big no-no, but pragmatically, it should be doable if required. Besides, *everything* was architected carefully to make renumbering easier if your subnet changes in IPv6, which was not done in IPv4. In short, theoretically no worse than a company having a route from an ISP and changing ISPs today, with internal addresses that remain constant and NAT to remap on the way out. It's in practice significantly better because renumbering is baked in all levels. If you are talking about large companies that have their own allocations in v4 that do *not* vary on their 'ISP', I'll wager they will get /32s like an ISP and get to keep their address no matter who they partner with. In terms of security, it's no more work than maintaining the NAT rules even if not NATing. Replace the configuration required to do NAT with an equivalent amount of effort on firewalling and you are there.

      I don't see why IPv6 makes it an urgent need for medium and small companies to get PI space. If they had no urgent need in IPv4, they can either accept the renumbering risk like they do today, or use ULA and NAT like they do today.

      Now, they still have a few kinks to work out before DHCPv6 is even theoretically as workable as DHCPv4, and even with all the pending drafts going through, operators would have to rethink how they do things entirely, though they may be able to get to the same general goal.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    7. Re:IPv6 rollout on corporate networks by Junta · · Score: 1

      Well, replace site local with ULA, but generally I agree. If you didn't need DNS before, you don't need DNS now. There may be extremely small corner cases where very few people with only very few systems to think about would not have set up DNS and used IP, and to this day I don't see mDNS frequently automatically working, so I guess they could complain that fd2d:c747:f314:d001::dead:beef is harder to remember than 10.0.1.7 (yes, both are examples I really use and yes, I did remember my IPv6 address I used without looking it up anywhere).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    8. Re:IPv6 rollout on corporate networks by Junta · · Score: 1

      I have to agree that in theory, autoconfig would address many issues. Practically speaking, I think a lot of admins without thinking use DHCP as more than just a way to describe settings to systems, but as an authoritative aggregation of all that information in one place. You can aggregate on the fly, but it feels more concrete and under control if a DHCP infrastructure handles it. I think there was a lot of optimism around stateless autoconfig, but DHCP was needed for various hard technical and some 'comfort' reasons.

      Also, many environments would want to filter things like DHCPOFFERS, to avoid rogue services advertising and hijacking clients (generally by mistake, occasionally with malice). Autoconf makes them a bit edgy because that's a lot more complicated to control than a single protocol unless a single point of entry does all the services they want to allow to advertise.

      Also, for my house, I think DHCP is the only automatic way for a random Best Buy router to theoretically get a subnet delegated instead of a single address out of my ISP.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re:IPv6 rollout on corporate networks by Junta · · Score: 1

      Windows 7 and Windows Server 2008R2 I know by default will DHCPv6.

      I believe RHEL5 and newer also DHCPv6 by default unless you tell it otherwise.

      If you enable IPv6 at all in ESXi, it will DHCP. IPv6 is off by default completely, so DHCPv6 is no harder to get than anything else.

      'ifconfig up' (note ifconfig, not ifup) will start the autoconfig stuff for routers, but generally ifup will end up with DHCP solicits being sent.

      In short, either a router advertising the prefix and relying on stateless auto configuration *or* DHCPv6 will get clients on the network. If an interface does DHCP solicits and no one answers, but radvd or similar provide enough info, no biggie.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    10. Re:IPv6 rollout on corporate networks by Doug+Neal · · Score: 1

      But the renumbering risk today affects only your outward facing infrastructure. If you're using globally scoped addresses throughout your network then that risk is far bigger, no? Unless, as you say, you use NAT.

      I know that there are some who don't see NAT as a bad thing. I'm not one of them. The biggest win with IPv6 is arguably the fact that you don't need to NAT again.

      Two addresses (ULA and global) per host as suggested by 'bbn' is an interesting idea though.

      OT: I also had that in my sig a while back... did you steal it from me? :P

    11. Re:IPv6 rollout on corporate networks by Junta · · Score: 1

      I think it's far easier to let NAT66 exist, let corporations that want it have it, and let residences like mine decide between NAT66 and doing it the easy way. If renumbering is not going to work right or at least no one wants to run the requisite test or accept the risk, then NAT66 is far better than every mom and pop shop demanding provider-independent space.

      My sig has been like that for a long long while. I think I might have stolen it but cannot recall from where.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  37. Re:not enough by the_hellspawn · · Score: 1

    Fat cells are just in private subnets.

    --
    "The laws of science be a harsh mistress." --Bender
  38. "Drop In" replacement by FranTaylor · · Score: 1

    Perhaps you might want to try installing a stripped-down linux distribution on a geode or arm based router.

    Then you can customize it any way you want, and as a bonus you will probably be immune to those router attacks out there.

    If you want the "simple box" experience, install webmin. You can do all the routine sys admin tasks with it and you don't have to go near a command line.

  39. Missing the point of IPv6 by supergumby · · Score: 1

    One of the main advantages of IPv6 is we will be able to abolish NAT (for security, transparency, and reliability), yet you propose we adopt IPv6 and issue all Internet users with an... address translation device? Why not advocate keeping IPv4 then?

    1. Re:Missing the point of IPv6 by tftp · · Score: 1

      One of the main advantages of IPv6 is we will be able to abolish NAT (for security, transparency, and reliability), yet you propose we adopt IPv6 and issue all Internet users with an... address translation device?

      This is a popular request. What he really needs is an IPv6 firewall. Like NAT, it should auto-configure itself to allow TCP sessions that are initiated inside, and it should have manual controls to open ports for certain IPv6 hosts on the LAN. It also should have some form of a DNS server for the LAN because it will be hard to remember IPv6 addresses. DHCPv6 should also be present. In other words, it has to be a consumer box that I haven't seen anywhere yet.

  40. Re:A site seems to be missing from the participant by Anonymous Coward · · Score: 0

    Well, there is an ipv6.slashdot.org (216.34.181.48) so what more do you want? Ok, it's not fancy like ipv6.google.com (2001:4860:800b::6a) but it's a start.

  41. Re:not enough by VanGarrett · · Score: 1

    While this is true, you must also consider that more skin cells are required to contain the increased volume of the fatty tissues.

  42. D-Link DIR-615 by JSBiff · · Score: 1

    D-link has a Wireless N 300 router, listed on their site for $65 (so you could probably find it a little cheaper than that at other resellers). The DIR-615, which claims to be IPv6 ready. As someone else mentioned, the Apple Airport routers also support IPv6.

    It is a bit disappointing that there's only a few models with built-in IPv6 support, but at least they're starting to make them. As more ISPs roll out IPv6, the OEMs will start putting out more devices that support it. I think the problem right now is that there's virtually no demand for IPv6 support from customers, because no ISPs are offering IPv6 connectivity (that too will be changing, probably, soon - I think Comcast and a small number of other ISPs are starting to look into IPv6).

  43. Is it really done yet? by jimfrost · · Score: 1

    I dunno about everyone else, but last time I tried turning on ipv6 I discovered that Comcast didn't route it and a bunch of the internet turned into a black hole.

    --
    jim frost
    jimf@frostbytes.com
  44. Derp. by Anonymous Coward · · Score: 0

    Exactly when did it become vogue for know-nothing IT dorks to insist multiple layers of security, of various strengths, is somehow a bad thing?

  45. Problem is DHCPv6 by nemesisrocks · · Score: 0

    Unfortunately, I'm one of those "very few" sites who experience slowdowns with IPv6 enabled. I don't know if it's just because I'm a retard or something, but I have not been able to find a DHCPv6 client for Linux that works reliably.

    I've tried Wide-DHCPv6-Client, and Dibbler. Both seem to occasionally have a hissyfit and crash. When DHCPv6 crashes, you lose IPv6 connectivity -- so the browsers on your network think they still have connectivity and try-and-wait for ages until the connection times out. Restarting the client always fixes the issue.

    I for one, consider IPv6 to still be an "experimental" technology. I certainly won't be deploying it out to my clients' sites any time soon.

    1. Re:Problem is DHCPv6 by marka63 · · Score: 1

      Unfortunately, I'm one of those "very few" sites who experiences slowdowns with IPv6 enabled. I don't know if it's just because I'm a retard or something, but I have not been able to find a DHCPv6 client for Linux that works reliably

      And have you reported the bug to the developers? Remember you are comparing 10 year old software which has had millions of users exercising it to code which has a couple of thousand users exercising it.

      I've tried Wide-DHCPv6-Client, and Dibbler. Both seem to occasionally have a hissyfit and crash. When DHCPv6 crashes, you lose IPv6 connectivity -- so the browsers on your network think they still have connectivity and try-and-wait for ages until the connection times out. Restarting the client always fixes the issue.

      Well, complain to your browser vendor. Multi-homing support has been part of host requirements for more than 20 years. The only reason you are seeing problems is that your browser vendor cut corners and didn't code the product to support multi-homed servers.

      I for one, consider IPv6 to still be an "experimental" technology. I certainly won't be deploying it out to my clients' sites any time soon.

  46. IPv6 is still dead by Anonymous Coward · · Score: 0

    Publicity stunts like this are like getting the head of the UN to give a speech in Esperanto. It isn't going to make anyone who doesn't already speak it convert. There's no payoff. Lots of pain for the conversion, buggered up security, incompatibility with 99% of the internet, and no net gain whatsoever for those already ensconced in IPv4.

    C'mon already, let's all admit that IPv6 is DEAD, and move on to IPv7. This time make it backwards compatible with IPv4, and throw in isochronous delivery for voice and video, and then you'll have a REASON for people to adopt it. STOP BEATING a DEAD HORSE!!!!!

  47. Re:A site seems to be missing from the participant by TBBle · · Score: 1

    Isn't that what "+1 Insightful" is for?

    --
    Paul "TBBle" Hampson
    Paul.Hampson@Pobox.Com
  48. nat will continue with ipv6 by Anonymous Coward · · Score: 0

    private networks will remain private and internal addresses will not be made public whether they are routable or not.

  49. Quote FTFA by EmagGeek · · Score: 1

    "Less than 5% of IPv4 addresses are left unallocated to the regional Internet registries, which in turn dole them out to network operators. Experts say the free pool of IPv4 addresses will be depleted in a matter of weeks."

    Weeks? For how many YEARS have we been hearing this? Oh yeah, I am sure they REALLY mean it this time, too.. just like the last dozen times...

  50. Re:A site seems to be missing from the participant by Anonymous Coward · · Score: 0

    embarrassing, to put it mildly.

    But it is my understanding that /. has a major problem wrt ipv6 since the slashdot engine is written in perl.
    Compare http://www.personal.psu.edu/dvm105/blogs/ipv6/2008/07/perl-considered-harmful.html

    (hopefully typed this link right as /. won't let me copy/paste the url, at least not from debian/kde)

  51. Stop spreading FUD by RichiH · · Score: 1

    > It starts with the fact that your internal IP addresses will be determined by what your ISP gives you. What if you change ISPs? This means renumbering everything. Changing ISPs didn't used to mean that. What's the solution

    The solution is to use FC00::/7 like you are supposed to: http://tools.ietf.org/html/rfc4193

    That, or use the prefix mechanisms of IPv6.

    > All well and good, but acquiring PI addresses still requires you to become a member of your local RIR

    Bullshit. PI was invented precisely to avoid having everyone and their mom who needed their own address space join the RIRs.

    If you are within the EU, I can send you a contract with _us_, not RIPE, that fits on a beer coaster. You send me proof that your company exists and, as the policy wrt IPv6 is pretty much "HERE! TAKE IT!", not even a real numbering plan. Also, you will need to tell me, and thus RIPE, why you need multi-homing. I will give you an IPv6 PI prefix in return. No hassle, no need to join a RIR, no nothing.

    > With IPv6, medium and small companies will also have an urgent requirement for PI space.

    No, they think they need it as they are as misinformed as you are.

    > Now, of course, once so many more organisations are using PI addresses, what does this mean for the size of the global routing table?

    Not very much, assuming they don't go announcing every /48 they have. But without a real need for multi-homing, you will not get PI space either way. Matter of fact, IPv4 is a lot more fragmented than IPv6 because there are so few addresses.
    Some companies announce every /24 from different locations because they allocated in an aggressively-address-saving manner.

    With IPv6, I have a /32. I announce a /40 per POP, in the /36 per city. That means almost zero fragmentation. And if I ever need another /32, thanks to sparse allocation, I can simply go to RIPE and the /32 right above mine will still be free. So I will then end up with a /31. A continuous /31. No (forced) fragmentation.
    Customers get /56, i.e. 256 /64, and, thanks to sparse allocation, I can easily up them to /55, /54, etc. 65k customers in one POP is a limit I will not reach any time soon. And if I do, I can just use one of the other 15 /40 in the same city. Yay for planning.

    > Can anyone more experienced in IPv6 than me refute these points?

    Seriously, you should have put that first, not last.

    By the way, you are totally ignoring that changing ISPs with IPv4 PA space today means total renumbering whereas with IPv6 PA, you merely need to switch out the prefix.
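As an added worked example of two things in the post above, the RFC 4193 ULA prefix it recommends and the /32, /36 per city, /40 per POP, /56 per customer plan it describes (my code, not the poster's): the ISP block, EUI-64 and NTP timestamp are constructed inputs, and the 2001:db8:: addresses are documentation values.

```python
import hashlib
import ipaddress
import struct

def ula_prefix(eui64: bytes, ntp_time: int) -> ipaddress.IPv6Network:
    """Build a ULA /48 per RFC 4193 section 3.2.2: fd00::/8 (the L bit set)
    followed by a 40-bit Global ID taken from the low-order 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(struct.pack("!Q", ntp_time) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")
    # 0xfd in the top octet, Global ID in the next 40 bits, 80 host bits
    return ipaddress.IPv6Network(((0xfd << 120) | (global_id << 80), 48))

def allocation_plan(isp_block: str) -> dict:
    """Count what the /32 -> /36 per city -> /40 per POP -> /56 per
    customer -> /64 per customer subnet hierarchy yields."""
    block = ipaddress.IPv6Network(isp_block)
    if block.prefixlen != 32:
        raise ValueError("expected a /32 allocation")
    city = next(block.subnets(new_prefix=36))
    pop = next(city.subnets(new_prefix=40))
    customer = next(pop.subnets(new_prefix=56))
    return {
        "cities": 2 ** (36 - 32),
        "pops_per_city": 2 ** (40 - 36),
        "customers_per_pop": 2 ** (56 - 40),
        "subnets_per_customer": 2 ** (64 - 56),
        "first_pop": str(pop),
        "first_customer": str(customer),
        # Sparse allocation: the /55 containing the /56 is kept free, so a
        # customer grows in place without renumbering.
        "first_customer_grown": str(customer.supernet(new_prefix=55)),
    }

def aggregate(mine: str, neighbour: str):
    """If the neighbouring /32 left free by sparse allocation is the other
    half of my /31, return the single /31 to announce; otherwise None."""
    a = ipaddress.IPv6Network(mine)
    b = ipaddress.IPv6Network(neighbour)
    parent = a.supernet(new_prefix=31)
    return str(parent) if set(parent.subnets()) == {a, b} else None
```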

    1. Re:Stop spreading FUD by Doug+Neal · · Score: 1

      That's pretty much the info I was looking for, but why the confrontational tone? I'm not "spreading FUD", I'm putting forward my concerns in the hope that someone can address them, and that's pretty clear from my wording.

    2. Re:Stop spreading FUD by RichiH · · Score: 1

      > That's pretty much the info I was looking for

      Great :)

      > but why the confrontational tone? I'm not "spreading FUD", I'm putting forward my concerns in the hope that someone can address them, and that's pretty clear from my wording.

      True. I can't offer much in ways of explanation other than "you get tired hearing the same 'issues' again and again" and that you caught me in a grumpy mood. That, and the level of people spouting nonsense seems to be high even for /., lately. None of this concerns you, so: Apologies; I should have re-read what I wrote and edited it.

      In either case, I hope I could get you going in the right direction. If you need more details, poke me on freenode, OFTC or IRCnet or reply here.

    3. Re:Stop spreading FUD by Doug+Neal · · Score: 1

      Apology accepted and thanks for the offer, I may well take you up on it depending on how much time I get to spend on IPv6.

      It's a shame there hasn't been more written about this. There is not much in the middle ground between "blog posts about IPv4 running out" and "wading your way through every RFC". Probably why you hear the same issues so much.

  52. Yes, it's real by RichiH · · Score: 1

    IANA will run out within less than a month: http://www.ipv4depletion.com/?p=557

    You not informing yourself does not mean it's not happening :)

  53. Woot by ReederDa · · Score: 1

    Oh, this is going to be so cool! I'll be waiting to try it out.