Major Sites To Join ‘World IPv6 Day’
netbuzz writes "Facebook, Google, and Yahoo are among the major sites on board with what the Internet Society is dubbing 'World IPv6 Day,' a collective trial scheduled for June 8. 'It's an exciting opportunity to take IPv6 for a test flight and try it on for a full 24 hours,' says Leslie Daigle, the Internet Society's Chief Internet Technology Officer. 'Hopefully, we will see positive results from this trial so we will see more IPv6 sooner rather than later.'"
A site seems to be missing from the participants, but I just can't put my finger on it /.
www.eFax.com are spammers
It's precisely BECAUSE something could go wrong. A full day on a site like Facebook is more than enough time to see any major issues crop up, yet isn't long enough to deeply impact their service*.
*I know, I know..."Facebook" and "service" in the same sentence. Hurpadurp.
Living With a Nerd
I don't understand why they wouldn't just make this change permanent. If this is the protocol we're going to, make it stick. One day is just toying with us.
This is not the penguin you're looking for.
That's because the average slashdot user isn't savvy enough for this, whereas your average facebook user is... I mean, these people run their own FARMS, for chrissakes!
soylentnews.org Go there to enjoy the people!
It's precisely BECAUSE something could go wrong. A full day on a site like Facebook is more than enough time to see any major issues crop up, yet isn't long enough to deeply impact their service*.
*I know, I know..."Facebook" and "service" in the same sentence. Hurpadurp.
The juvenile side of me wants to make a joke off of "long enough" and "deeply impact", but I'd rather just say this: A full day on facebook is also a lot more likely to cause thousands of grandmas and others to claim the internet is broken if something goes wrong. I hope ISPs are going to be ready for support calls.
Isn't it about time News for Nerds got a 128bit address? You know it makes sense!
Resistance is futile. Reactance buggers it up.
Having an "IPV6" day is not such a big deal for these sites as they have already more or less prepared themselves for IPV6 already. The challenge is getting ISPs and OEMs ready to supply IPV6 links and IPV6 equipment. I think that making a big deal of "IPV6 day" will push these companies into getting their asses into gear to offer IPV6, if consumers and businesses can keep pushing them "We need IPV6, are your links going to be ready for IPV6 day?" and "We need IPV6, are your firmware updates going to be ready for IPV6 day?" even if this is only a marketing campaign.
What is important here is that we give ISPs and OEMs a deadline because at the moment the precise date for NEEDING IPV6 is up in the air and they are reluctant to do anything until a deadline is put in place (or even to START until the customers are complaining- when it is too late)
The operator of one of the biggest German web sites, the Heise publishing house, held its own IPv6 day on the 16th of September 2010. Their domains got AAAA records in addition to the IPv4 A records and the web servers responded to IPv4 and IPv6. Long story short: The test produced far fewer problems than expected and two weeks after the test, Heise.de enabled IPv6 permanently. The story is here (in German).
... it's because IPv6 uses UTF-8 encoded addresses.
You mean the one that has no Unicode support?
So you're admitting there are not enough addresses for every cell in every person's body. Didn't anybody think about the future?
Use a tunnel broker service. There are at least 2 free tunnel brokers, SixXS and Hurricane Electric.
While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home. For a limited time only, I'm offering, direct to the consumer, the latest and greatest in home security, a little invention I like to call "curtains". Yes, now people won't be able to see into your home anymore, which obviously makes it impossible for them to rob you. Act fast though, these babies will sell out quickly.
They won't turn IPv4 off for probably many years. But if you actually want to try IPv6 without ISP support, you can try a free tunnel broker.
Dilbert RSS feed
Amputations are a matter of national security!
And I'll STILL NAT everything in my house. I don't need NX10^23 script kiddies attacking every one of my appliances.
I won't, since I don't think anyone is going to port scan me.
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
Also, a firewall is simpler than a NAT, and doesn't have the disadvantages of NAT, so you can just do that instead.
Because not everything behind a router needs a public address?
Um, why? Here's a resource that is inherently by design non-scarce, but you prefer to act as if it were? The "hair shirt" brigade might approve but the rest of us kinda laugh.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Actually, you will still be able to reach those resources just fine, with patience. What happens is (and always has when OSes started blindly enabling IPv6) the connection waits for the IPv6 connection first. If that doesn't get established, it falls back to IPv4 and you get your content. What everyone found is well, pages took forever to load as you had to wait for the IPv6 TCP session to return an error first before the IPv4 fallback.
Frankly, the problem with IPv6 is the lack of a simple drop-in router replacement that works as well as current NAT routers. I don't care to have 3 IPv6 IPs on every IPv6 capable device on my network (never mind all the IPv4-only gear I have). Yes, 3 IPv6 addresses, because you'll have a link-local (always present), your internet IPv6 address (you get a prefix that's usually /64, so all the PCs will use that prefix and add a suffix, and that will get you to the router), and, since entering random numbers and letters is annoying, a private set of IPv6 addresses (FC00:: prefix (/64) is for private networks, akin to 10/8 and other IPv4 private space). Why can't I have a NATv6 box that can have 192.168.0.1 and FC00::1, and keep everything going the way it is? Bonus to handle IPv4-to-IPv6 translation as well (there are tricks that you can do to have IPv4-only devices support IPv6 addresses, like ipv6-literal.net virtual domain Windows has to support IPv6 CIFS and IPv6 address entry).
That's what people want - a simple box they can drop into their network without having to reconfigure their intranet immediately that works just like their existing NAT router.
Apple Airport Extremes can do ipv6. I know this cause Charter in my area gives out ipv6 addresses as well as v4.
OMG... I have a sig?
Here's a hint: "No NAT" doesn't mean "no firewall".
Not only that, but you could give about 7 IPs to every atom in the body of every human alive on Earth! Taking the number of stars in the observable Universe, each star could get about a quadrillion IP addresses. So yeah, there's plenty of IPs for your toaster :)
Two days earlier and it would have been June 6, or 6/6. Rolling out IPv6 on 6/6 would have been biblically ordained to take over the heavens and the earth. Now it's just... another day, another test.
Why not?? In the *real world* everything has a public address. I know people don't "get it" when it comes to networking, but this is just FUD and is getting ridiculous.
NAT is like having a chaperone, where all communication happens through a 3rd party. It increases network traffic, it makes peer-to-peer internet impossible. And it is not security. You only need to trick an inside device into connecting to an outside device, and there goes NAT as security! And that is quite easy.
A firewall is like having a security guard monitoring traffic. A firewall is actually designed to handle security, not an illusion of security. This can actually catch and prevent unsanctioned communication. And if you want to use Skype, you can actually allow inbound connections.
Skype went down because of NAT. If the internet was IPv6, there would be no need for "supernodes". People could actually communicate, peer-to-peer instead of through their chaperones.
Finally, when I was young and stupid, I believed that NAT was a cool thing. When I asked a network admin at local university why they don't do more NAT and all departments get /24 or larger, the answer was quite simple. Security. I didn't understand that answer for a few years, but now years later, it is as plain as night and day. NAT creates more problems than it's worth. And if someone brought some shitty SPAM relay (virus), it becomes a challenge just trying to identify where the rogue program is communicating from.
Traceability and accountability and transparency and security is what public internet brings. NAT gives you an illusion of anonymity and security.
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?
OK. 5000 £1 coins, spread randomly over a suitable area. But what is a suitable area?
£1 coins have area 4*pi*11.25*11.25 mm^2. Multiply by 0xFFFF,FFFF,FFFF,FFFF to get about 10^16 m^2.
Ringworld will do nicely.
Whether it has a public or private address has nothing to do with scarcity of IPs but with need and suitability, and there are a lot of IP devices that do not need a public address. My printer for starters: don't need to manage it from the outside, don't need to print to it from outside. Plain old private IP4 seems to work fine and dandy.
But using a separate address space makes your work WAY more complicated and less reliable.
All public scenario: Your stateful firewall prevents incoming traffic to your printer, just like it prevents incoming connections to anything else that you haven't specifically allowed. One address range everything reaches everything. Everything on one happy layer 2 LAN. Simple dynamic (re-)addressing.
Public plus private scenario: You still need a configured stateful firewall for all your other devices but now you have the joy of adding a statically configured LAN. How do the two networks reach each other? Route thru your slow firewall? Or multiple static and dynamic addresses on every device in your LAN? The time you spend complicating the heck out of your LAN, is time you're not spending securing it at the network and device layers.
So, sure, if you really want, you can spend a lot more time, money and effort to get a LAN that is much harder to design, configure, troubleshoot and monitor, all while being less secure, but you would be "saving" one of the 3 x 10 ^ 38 addresses, except you actually aren't because they assigned you a /64 for your LAN so it's not like anyone else could use that address anyway.
IPv6 doesn't outright prevent you from shooting yourself in the foot, but it's still kinda usable.
Plus if your LAN is a corporate LAN you've now gained the nightmare of merging multiple LANs using the same private addresses. Even if FC00::/8 is mostly empty, you know most clowns are going to use network=0 / host=1 for their firewall and watch the chaos when they interconnect.
There seems to be no advantage to private ipv6 space...
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Then don't give it a global ipv6 address, only give it a link- or site-local addresses.
If I had a hundred thousand acres of land where I kept my 10 cattle, I'd prefer to have just one gate into the property instead of one every mile or so. It'd be harder for people to steal my cows that way, and I could more easily maintain the gate.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
What makes you think the firewall for grandmother won't come pre-configured with exactly the same unidirectional, stateful firewall provided by NAT boxes? Why do you think she'd have to setup ACLs?
Also, how badly do you have to muck up your ACL to get the "all traffic gets through" configuration? Is "deny by default" the status quo for any firewall?
On top of that, we have an excellent way to keep your teen-age daughter from running up the home phone bill with 900 services: an unlisted number! She won't be able to make trouble if she can only make outgoing calls.
jhw
Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?
In theory, yes. In practice IPv6 addresses aren't quite that randomly distributed and often follow common patterns (DHCP handing out addresses sequentially, etc.). There was a talk about the issue at 27C3. Conclusion basically that you can find 90-95% of the servers with just a bit of brute force search. This might of course change in the future when IPv6 gets more used in practice and security issues will be handled more seriously.
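A defender-side check for the point made in the comment above, as an added Python example that is not part of the original thread: it labels the interface identifier (low 64 bits) of each address in your own inventory by the common predictable patterns. The function names, the heuristic thresholds and the inventory list are assumptions constructed for illustration; only the first sample address comes from the thread.

```python
import ipaddress
from collections import Counter

def classify_iid(addr):
    """Heuristically label the interface identifier (low 64 bits) of an address."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if iid <= 0xFFFF:
        return "low-byte"        # ::1, ::2, ... manual or sequential assignment
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"           # derived from the MAC: xx:xx:xx:ff:fe:xx:xx:xx
    if iid >> 32 == 0:
        return "embedded-ipv4"   # low 32 bits mirror the host's IPv4 address
    return "opaque"              # no obvious structure in the identifier

def audit(addresses):
    """Return (pattern counts, fraction of addresses with a predictable IID)."""
    if not addresses:
        return {}, 0.0
    counts = Counter(classify_iid(a) for a in addresses)
    predictable = sum(n for label, n in counts.items() if label != "opaque")
    return dict(counts), predictable / len(addresses)

# Constructed inventory in the 2001:db8::/32 documentation range.
INVENTORY = [
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",   # address quoted in the thread
    "2001:db8:1::1",                             # router-style ::1
    "2001:db8:1::10",                            # sequential pool entry
    "2001:db8:1:0:211:22ff:fe33:4455",           # SLAAC with EUI-64
    "2001:db8:1::c0a8:10a",                      # 192.168.1.10 embedded
]

if __name__ == "__main__":
    counts, fraction = audit(INVENTORY)
    for label, n in sorted(counts.items()):
        print(f"{label:14s} {n}")
    print(f"predictable interface identifiers: {fraction:.0%}")
```

Hosts reported as anything other than "opaque" are the ones whose reachability should rest on the firewall policy rather than on the size of the /64.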
That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?
Your collateralised debt obligation investment scheme intrigues me and I would like to contribute to your hedge fund.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
It may be correct that your printer does not need a public IP address. However the same argument has been used for lots of devices that do need to communicate with the outside world. And there certainly aren't enough IPv4 addresses for the devices that do need a public address for proper operation.
Let's get back to that printer. Let's assume you will never want to print to it from computers outside of the same local network, then you can indeed assign it a link local or unique local address. This however is not an argument in the favor of NAT. That printer then should never communicate with the outside world, and those devices that do need to communicate with the outside world have their own address for communicating with the outside world.
The use of addresses reserved by RFC 1918 has not been without problems. There may be a lot, but there have still been conflicts. The problem is there isn't exactly one scope within which you want them to be unique. You may have a router in your home that assigns a range of RFC 1918 addresses to a local segment. Your ISP might also be using some RFC 1918 addresses for equipment that you need to communicate with as a customer, but doesn't need to be accessed by anybody outside of that ISP's network. You might also be using a VPN connection from a machine on your local network to some remote site, which makes use of RFC 1918 addresses.
These addresses are all assigned by different people and none of them know at the time they assign the addresses, which other RFC 1918 addresses you will need to communicate with. This leads to conflicts.
With IPv6 there is a replacement for RFC 1918, it is RFC 4193. With RFC 4193 there is first of all a randomly selected 40 bit site ID which reduces the risk of collisions significantly. And each such site will have a 16 bit subnet ID that you can manage locally. With that you get as many subnets as if you had split 10/8 into /24 subnets, and you still avoid all the collisions that would have happened if multiple entities decided to assign the same subnet of 10/8 to things that you needed to communicate with.
So, even for the case of devices that don't need a globally routable address, IPv6 is still better than IPv4.
Do you care about the security of your wireless mouse?
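The RFC 4193 layout described in the comment above (fd, then a random 40-bit site ID, then a 16-bit subnet ID), as an added Python example that is not part of the original thread. The seed recipe (a timestamp plus random bytes hashed with SHA-1, keeping 40 bits) and all function names are assumptions made for illustration.

```python
import hashlib
import ipaddress
import math
import os
import time

ULA_BASE = 0xFD << 120   # fc00::/7 with the "locally assigned" bit set: fd00::/8

def generate_ula_prefix(seed=None):
    """Return a /48 made of fd + a 40-bit pseudo-random site ID."""
    if seed is None:
        # Assumption: timestamp + random bytes stand in for a machine-unique input.
        seed = time.time_ns().to_bytes(8, "big") + os.urandom(8)
    site_id = int.from_bytes(hashlib.sha1(seed).digest()[-5:], "big")  # 40 bits
    return ipaddress.IPv6Network((ULA_BASE | (site_id << 80), 48))

def subnet(site, subnet_id):
    """Return the /64 for one locally managed 16-bit subnet ID."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network(
        (int(site.network_address) | (subnet_id << 64), 64))

def subnet_count(site):
    """Number of /64 subnets available inside the site prefix."""
    return 2 ** (64 - site.prefixlen)

def collision_probability(n_sites):
    """Birthday estimate that any two of n_sites drew the same 40-bit site ID."""
    return -math.expm1(-n_sites * (n_sites - 1) / 2 ** 41)

if __name__ == "__main__":
    site = generate_ula_prefix()
    print("site prefix :", site)
    print("subnet 0x0001:", subnet(site, 1))
    print("subnets      :", subnet_count(site), "(10/8 split into /24s: 65536)")
    for n in (2, 1000):
        print(f"collision among {n} merged sites: {collision_probability(n):.3e}")
```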
Your 'gate' is your router/firewall. People can't magically get around the same exact piece of equipment that NATs today simply because they are independently addressable. Those devices need to just have a 'no unsolicited incoming traffic' firewall by default.
XML is like violence. If it doesn't solve the problem, use more.
Randomly assigned IP addresses can be static or dynamic. You assign one static to each machine and let it generate dynamic addresses on its own. For incoming connections you use the static IP of the machine. For outgoing connections you use one of the dynamic IP addresses of the machine.
Too many people with that attitude is the reason for the mess we have now.
Do you care about the security of your wireless mouse?