If You Think You Can Ignore IPv6, Think Again
wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."
Until my home ISP or the ISP for the company I work for offers IPv6, I think it's going to be very easy to ignore IPv6.
"I use a Mac because I'm just better than you are."
So really no big deal then?
If you completely ignore it, isn't it likely you'll continue on with no adverse effects? I thought IPv4 would continue to work with no tweaking necessary, as long as you're not using broken equipment.
Not so fast:
http://cr.yp.to/djbdns/ipv6mess.html
http://marc.info/?l=openbsd-misc&m=128822984018595&w=2
ICANN's Youtube channel has the videos of yesterday's IPv4 ceremony and press conference.
if IPv6 is "a board-level risk management concern", then I certainly can safely ignore it, and so can pretty well every Slashdot reader.
If you want anyone to take this seriously DO NOT compare it to the Y2K bug.
Perhaps they should TAKE BACK all the ip6 blocks that were allocated to the big corporate pig that they don't use...
If you want news from today, you have to come back tomorrow.
for my damn IP numbers! I am not falling victim to this left-wing liberal conspiracy to artificially inflate the price of my IP numbers, the fuel of my business! There is no such thing as a global shorting of IP numbers, the scientific evidence is completely subjective and there is no hard evidence whatsoever, no measurements, of a global shorting of IP numbers. Everyone that needs one has an IP number, and there are plenty more. I myself have 192,168,000,023 IP numbers for use just here in my company. This is nothing but a left wing media conspiracy against the working people to take away our god-given constitutional right to IP numbers in black helicopters.
Build your own energy sources from scratch. http://otherpower.com/
Do we really need to have 3 IPv6 articles a week on Slashdot? I believe every single slashdotter knows and understands what the problem is about. So I suggest the editors to skip all the articles about "how my god we need to move to ipv6 FAST",
VRF for an IPv4 Internet Part Two anyone??????
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
Behold the formation of the InterNAT!
When things get complex, multiply by the complex conjugate.
I finally found the group responsible for IPv6 at my company, and asked about our readiness. Now keep in mind, we don't need to wait for an upstream provider as we are the upstream provider, with many peering agreements in place.
The answer I got back basically amounted to two things:
1) nobody else is ready, so we don't need to be either.
2) it's not legally mandated, so it's not important.
I'm so glad we pride ourselves on our ability to innovate...
Qwest has taken care of the IPv4 exhaust issue for our residential customers at the ISP level. We are implementing the capability to communicate with contacts at both IPv4 and IPv6 addresses. This transition will be transparent to Qwest residential and business customers.
I'm not sure if the transition can actually be transparent since at a minimum I'll have to do something with my TCP/IP so it knows that IPv6 is there, and from the looks of it my modem doesn't support it either without maybe a firmware upgrade.
You already said that here
I can double the number of IPv4 addressable machines.
UDP and TCP ports 1-512 will now be one machine, and ports 513 and higher will be another machine.
Yes we know.
Major ISPs are just now getting the ball rolling. Client software is still being perfected. The bridges for early adopters are known to be flaky. Talk to the people working on that stuff (oh, wait, you don't need to, they're already underway).
Most readers here will move along when the infrastructure is ready. We know the address space is effectively out but there's little reason to do much at this point, and anybody trying to push people to adopt IPv6 before the tools are robust is kidding themselves.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The former is a tad old and mostly fixed by NAT64.
On second:
they created a totally new problem by avoiding arp. the
benefit of their layer-2 discovery mechanism has been
absolutely zero; the best unit of measure for the cost of
that decision is "decades".
ICMPv6 neighbor solicitation at *worst* case 'degrades' to ARP-type behavior. In very well behaved layer 2 networks (almost none, admittedly) it greatly reduces load at large scale of system. I don't see why avoiding ARP costs 'decades'.
they created an entirely new and huge problem (destroying
SIOCGIFCONF backwards compat hurt IPV6 deployment in operating
systems on a massive scale) by not making their sockaddr be
a power of 2 in size.
I still haven't heard anyone explain why that is so catastrophically bad. It may be, but in practice, I haven't seen how this afflicts me.
Now I will complain that they changed some fundamentals around DHCP (DHCP at all being a near afterthought as they magically thought route advertisement, stateless addressing, and mDNS would be the cure for *EVERYTHING*). However, most of it is probably going to fall into place as soon as more practical deployments start (currently, most v6 trials that end in failure cause people to just walk away from now instead of trying to push fixes).
XML is like violence. If it doesn't solve the problem, use more.
Your first link dates from 2003, and therefore I cannot do anything but ignore it. Especially since you don't specify what part you're aiming at... As far as your other link is concerned, Theo de Raadt usually knows what he's talking about, but he also likes to troll anybody he doesn't like. His post basically says that he doesn't like implementing an ARP alternative. His other point simply means it may be a bit more difficult if you assumed all socket addresses would only ever be to the power of 2. That's his fault (hate to break it to you, Theo also isn't perfect), he was the one who made the assumptions. Lastly, the problems he describes are about how to implement them in operating systems. Since all major OSes now have IPv6 support, I cannot see that being relevant. As for merely posting 2 links without any text: troll?
... the one where by far most of the people, even if you go just to the IT ones, ignore even what IPv6 is. How many ISPs or carriers now are giving IPv6 as an option? Probably the most common policy now is "let's wait till everyone else already took the first step before moving a finger" (later it will be "let all scream and run in circles")
I really wouldn't go into board rooms and mention Y2K. The general public seems to think that there was nothing there and it was just a big hoax. I'm sure all of you have encountered this recently too. A few times recently I had to correct people who said something like "That Y2K thing was no big deal". My answer to them was "It was no big deal because people worked for 5-10 years to fix it, otherwise it would have been a big deal". But you all know that.
But if you want to be dismissed as a panic monger, bring up Y2K, otherwise, don't.
Nortel used to own 47.*.*.*, now that they are bankrupt who owns that class A license? That is a big hunk of address space that could give some extra breathing room.
Everything has mistakes built in. But DJB's article (aside from being 9 years old) simply boils down to "but who will implement it if it's not widely implemented?" The whole point of implementing it is that it'll get more widely used. That OpenBSD mailing list message was marginally more interesting, but boiled down to "it messes up my struct!"
I don't understand all the IPv6 hatred. IPv4 is not tenable (which can't really be argued otherwise), and even somehow extending the current address space would break everything anyway, so why not just do it right?
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Yes, a global law.
CC.
TaijiQuan (Huang, 5 loosenings)
On the bright side of deploying IPv6, it gives us all a chance to redesign our networks with security in mind. I'm mostly thinking about government and utility networks, though.
I've been working on a small side project building some automated testing -- is your site ready for IPv6?
http://ready.chair6.net
http://ready.chair6.net?url=arin.net
http://ready.chair6.net?url=slashdot.org
and so on...
http://bill.herrin.us/network/ipxl.html
It seems like a simple, good proposal to compatibly extend the existing IPv4 header format to give 64-bit addressing. If someone could come up with a Linux patch and DD-WRT builds for home wifi routers implementing the above, maybe we could avoid the huge discontinuity of changing to IPv6.
The only thing I ever get from any of the new address spaces is spam, so I'm sticking with IPv4.
is when desperate (or "innovating") ISPs decide to jack up the rates on static blocks. Companies that have a static /24 will see the rate to lease that block double overnight. Then if you're only REALLY using a few dozen of them, giving some of that back is going to look really attractive. Did I say double? how about x16? if you can live with 29 usable instead of 253 I bet that's an offer many can't refuse.
I've got a block of 8 myself (5 usable naturally) so I think I'm safe from the vultures for awhile. But they're also probably going to want to start pooling people inside their /24's. As it is right now I have my own network with my own router. That's 3 of 8 addresses being somewhat wasted, and I bet they don't overlook that. If the entire /24 I'm in is carved into 32 chunks of /29's, that's 93 (32*3-3) more IPs in that block alone they could resell by consolidating gw/br/net. (/29 is admittedly quite a waste of IP space) Maybe I DO need to start worrying?
I work for the Department of Redundancy Department.
How are we supposed to roll out IPv6 without NAT? Can someone explain, and without RANTING about how NAT is unnecessary?
Think about it. Let's say I set up my company with link local addresses. IPv6 forbids NAT on routers and firewalls. So how are my hosts going to talk to the Internet? Specifically, if I have a link local address of fe80::/10. That's not going to be routable from the Internet. TCP is two-way traffic, so the servers need a return route to me. How is this accomplished with NAT?
NAT is necessary so the ISP can send traffic back to my summarized address. I don't understand how this works when they forbid NAT. Someone please kindly explain how that works.
a router that talks to the Wan (WWW) with IPv6 and translates that to IPv4 on the LAN side?
is this practical & possible?
Politics is Treachery, Religion is Brainwashing
they most helpfully said:
we only offer dynamic IP addresses, therefore our service will not be changing in any way.
I Hope that this answers your query.
I did reply to the effect that sooner rather than later they'd have more customers than they had dynamic addresses to give out, but haven't had a reply.
Pretty sure I'm contracted with them until the end of the year. Dammit. Hopefully them putting me behind a carrier-grade NAT would amount to breach of contract, allowing me to get out.
Nothing helps drive a wedge between people and their money than a fear incessantly pounded into their brain like a rusty nail.
IPv6 caper should help pay off the mortgage. Then 2038 should set me up quite comfortably for retirement.
I was told by IETF members in 1998 that NAT was dead and IPv6 was at most a couple years away. IT is a business and you don't make expensive changes without good reason (and that it makes a beautiful technical solution or that it's cool is not a reason). People will start using IPv6 where they need to...on the Internet where addressing has run short. Internally, IPv4 will continue to be used extensively and translation will be used as much in the future as it is now (although we'll have to suffer all kinds of growing pains with it). The idea of a perfectly engineered Internet with everything talking to everything else on IPv6 will never happen because the Internet is an organic-like system where we'll be implementing something else before we've finished migrating away from IPv4.
We'll be running IPv4 (and IPv6) for decades, so let's stop talking about it and just implement it as needed. ISPs...you guys first!!
At least before home users can care, is a good 4 to 6 translation system. What I mean is let's say your ISP goes IPv6 and your cable modem gets just an IPv6 address. If you have a newer computer (Vista or newer, newer OS-X releases, etc) it'll just work. It can have its own public IPv6 address and everything is great.
However, what do you do about older stuff? I'm not just talking older computers, which possibly could be upgraded, but I'm talking older devices, which can't. My AV receiver is a networked device, but it only supports IPv4. I don't think that can be changed, I think that's all its DSP can handle. Even if it can, it probably won't be since it is an older model. So I still need to use that.
Well, the thing to do is have the cable modem handle it. Have an IPv4 DHCP server, IPv4 gateway, and internal IPv4 DNS server and all that in private space. Then when an IPv4 computer requests something, the DNS server gets the AAAA record and the real IPv6 IP. It translates that to a fake IPv4 IP and hands that to the computer, and handles the translation. More or less a system similar to NAT (or a stateful firewall of some types).
That way IPv4 devices can continue to work, there is no problem with going 6.
So far I've seen nothing along these lines. Everything keeps being "Add IPv6 to an existing IPv4 network!" Ya, ya ok that works in some cases but if the issue is running out of IPv4 addresses, that isn't the long term answer. The answer is to make routers that'll let IPv4 devices talk IPv6 without them knowing. Likewise you have a 6-to-4 tunnel at the ISP if you need to communicate to old 4-only networks.
I see it as a problem involving a scarce resource, and the same thing will happen as with any other scarce resource, the price of IPv4 addresses will rise, until the cost to stick with IPv4 is higher than switching, at which point everyone switches to IPv6!
Unless I'm misunderstanding something here, it's not at all like the Y2K problem. Nothing is going to suddenly stop working, there is just a lack of new IP addresses for distribution. So when someone needs an address (or a block of addresses) they will have to purchase them from someone who already has them. Is the market set up for this yet?
IPv4 was happily implemented in place of IPX, AppleTalk, etc.
The fact that we've "run out" of IPv4 A blocks and IPv6 isn't very widely deployed suggests that IPv6 isn't indeed a better solution than IPv4 (there is a lot more in IPv6 than just a larger address space, some of it can be a pain in the ass). I would suggest to the IEEE's and IETF's of the world to think of IPv6 in that light.
The IPv6 move is not like Y2K. With Y2K there was a firm deadline when everything had to be re-coded, tested and ready, or else. With IPv6 it's more like the introduction of fax machines. You only need a fax machine if you want to communicate with someone else who also has a fax machine. Since around 98% of the Internet is still using IPv4 no one is going to want to be the first to stick their neck out and embrace IPv6. If everyone you want to talk to is on IPv4 there is no reason to migrate yet.
The idea that NAT will go away just because a network is IPv6 is a pipe dream. No sane security admin would ever allow that. The idea that the firewall is the only thing between you and the outside world is, and should be, a non starter.
IT security is all about multiple layers, and one of them is the fact that you have a DMZ between you and the internet, and that the internet can't route outside of it. That is not going anywhere.
Look, I don't want to be disrespectful to you as a person, but your understanding of network security is... limited. What the fuck does having a DMZ have to do with NAT? It's true that NAT is the most common way to configure a segregated v4 network, but if you think that NAT is the only (or even the best) way to handle this, you're sorely mistaken.
This may strike you as heresy, but you can construct your network with public-facing addresses, a DMZ and a network of addresses inaccessible from the outside world (except under prescribed circumstances)... all using public IPv6 addresses. The secret is... wait for it... don't fucking route to them, except when you decide it's okay.
The simplest way to do this would be simply to refuse connections originating from outside your network for a designated subnet. Hey presto! All the benefits of NAT without the insanity of NAT!
My employer, a university with campuses in 12 countries, does this already with a public IPv4 block. Last I checked, it was working just fine, thank you very much.
P.S. Yes, we're IPv6-ready.
Crumb's Corollary: Never bring a knife to a bun fight.
The big mistake was not making mobile IP devices IPv6 from the beginning. Even if they had to go through a NAT at the telco. Most of the growth is in mobile devices.
Fortunately, most mobile devices respond to updates pushed from the carrier. So mobile carriers need to be encouraged to implement that transition. Carriers are in a good position for this, since they control both ends of the air link. Some of this must be happening already.
I know IPV6 is inevitable, but why wasn't IPv5 inevitable first?
The referenced articles seemed more like FUD than any reason to get worried.
-covering ears-
LAH LAH LAH LAH
IPv6 will be very slow in coming, and there will be no crisis. As ISPs run out of v4 address space, they will offer natted rfc1918 space by default, and charge a few dollars extra for public addresses. Only a few people prefer a public address if charged $5/month for it, and they won't miss anything either. While lots of public servers will be offered in both v4 and v6 space, nothing interesting will require v6. v6 will grow slowly based on its use in purely internal networks. The things lusers need will always be available in v4 and there aren't enough clued users to create a real shortage.
How long until the classic IPv4 internet is looked upon with the likes of AOL or CompuServe? All the control, gatekeepers will force freedom to migrate to V6. It'll be the wild west of the internet all over again.
they created an entirely new and huge problem (destroying SIOCGIFCONF backwards compat hurt IPV6 deployment in operating systems on a massive scale) by not making their sockaddr be a power of 2 in size.
I still haven't heard anyone explain why that is so catastrophically bad. It may be, but in practice, I haven't seen how this afflicts me.
There are only two possibilities I can think of here. Based on the Linux definition of sockaddr_in6, word-alignment on 64-bit could be a problem in the case of large arrays, but padding by the compiler would avoid that. Otherwise, the only other possibility is that since a new API was added for querying IPv6 (and v4) addresses, a lot of programs would need to be altered to handle both types of addresses, rather than just v4.
There are some ISPs that are starting off with just a single /64 (e.g. Comcast's trial), because they've got some equipment or management software that's not bright enough to handle more complex routing than that, but the general consensus is that businesses should get /48 and residences should get at least /56. That not only allows for a couple of subnets (e.g. wired, wireless, uplink, DMZ), but it also lets you use relatively dumb routers that handle subnets by cutting their address space in 2-4 pieces, and you can stack a couple of those.
I have heard of one ISP that's only allocating a /60 for residences, but IPv6 has enough address space that most people think it's worthwhile wasting some of it to get addresses aligned on byte boundaries and not mess with nibble-aligned, much less single-bit-aligned.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Facebook, 4chan, digg, slashdot, reddit, and redtube make their sites accessible by ipv6 only (and not through v4 to v6 tunnels.) :)
They take a hit in traffic for a little while, two weeks later, every ISP is giving out ipv6 addresses and every ancient router and pc is upgraded.
Yeah, I signed up for a cheap hosting account a year ago, with one domain, and they gave me five IP addresses all my own.
Obviously it's not THAT big of a problem.
I think NAT will still exist but for a different reason. How many v6 IPs will an ISP give you? 1? 10? 100? 1000? Maybe they'll give you 10 but I don't think 10 will be enough.
Even if you switch to a public IPv6 address, all your internal stuff will still be IPv4. My home print server and IP telephony adapter are all IPv4. The problem with IPv6 is that you can't entirely switch to it and just shut down IPv4. You have to run dual-stack for the foreseeable future. That's why every IT consultant and IT manager and CIO I've spoken to says they don't give a crap about IPv6 because every adopter of IPv6 will have to be backward compatible with IPv4 so why bother running dual stack. Even after all the addresses are assigned, not a single IPv4 device or network will stop working.
The choice is between IPv4 single-stack or IPv4/IPv6 dual-stack. Given those as the only choices, people are choosing the former instead of the latter. There is no possibility of running IPv6 single-stack. IPv6 will essentially become the new "private IP addresses" that have to translate to "public" IPv4 addresses used by 99% of the IP devices in the world. The only difference is that IPv6 devices will be able to talk to each other without a NAT across organizations.
Next thing you're going to say admins regularly drop the enterprise pants down around the enterprise ankles and no one notices.
Let's get into an example.
What if an eTailer hosted by DelusionWireless business builds out a Next Gen website? Let's say DelusionWireless admins open the unpatched, non-hardened site infrastructure to the net. How is the impact different between NATted IPv4 and IPv6? Example scenarios:
For IPv4, well, for one thing another mistake involving port forwarding would have to be made. Port forwarding changes are from a defined external and usually static IP to a single internal IP. The admins would be beaten for the change without change control and left to heal; no real risk, as the only IPs forwarded were semi-trusted people in the first place.
In the IPv6 example, any random yahoo who happens on the virgin bent over infrastructure can breach every device, assuming the IPv6 addresses are sequential or discoverable from the first IP. The pending lawsuits result in the admins getting fired then beaten and flogged (or they cover it up and dodge a bullet).
Yea that's basically the difference for the Admin ankles scenario.
The much more likely scenario is an intruder already inside or insider changes the firewall config.
Now in this case to have internal devices initiate shells to the hackers network is traditionally done by exploiting listening ports for running services. Mitigating controls include patch management.
In the case of the IPv4 natted example the enterprise wide attack can only happen from the inside, and requires clawing through each device's exploitable hole.
In the IPV6 example, the attacker will be well served in mapping the infrastructure first then dropping the firewall and attacking every device simultaneously from the internet.
This is really going to drastically reduce the time to complete cluster fucked from hours to minutes after the infrastructure is mapped and the attack primed.
Also going to reduce the attacker's exposed fingerprint for 97% of the intended impact.
In English, this means once a breach is in progress, a company's only hope will be to air gap itself from the internet in less than 300 milliseconds or be forced later to rebuild every device in the environment after about 5 minutes of the attack.
Huge and different impact potential.
the Now the intruder dropping the firewall from the inside based on compromising a machine
Look, you're getting a subnet that's big enough for just about anything you can imagine doing at home, not just the things you can actually figure out how to do. If you'd like to split your /56 into 256 different subnets and do different things on them, go ahead. You can do that without breaking the end-to-end principle.
NAT breaks stuff right and left today, for two main reasons:
- lots of protocols, including FTP and newer protocols, put the IP address inside the data packets, not just in the packet headers, and doing NAT properly requires ripping the packets apart, changing the addresses, and fixing up any checksums that got damaged in the process. It's even worse if you've got protocols that use crypto, either for information hiding or just simply for authentication. It's very hard to get them right, especially if people design protocols the firewall doesn't know about.
- stateful NAT makes it hard to establish connections through the firewall. Sometimes this is intentional, blocking unwanted connections for security reasons, but if two people behind NAT want to communicate, neither one can talk until the other one has talked to them first. There are products like Skype that are popular because they go to a lot of trouble to work around the different broken NAT implementations out there.
Putting a firewall box in front of your computers isn't a bad thing - you just need one that's IPv6-aware instead of IPv4-only. You're not getting the security from NAT, you're getting security from having a stateful packet inspection box in front of your computer, and that's not going to change. If you want to offload packet inspection from your 2GHz CPU down to your 200 MHz SOC-based firewall, go ahead; about a quarter century ago, Van Jacobson figured out how to tune the BSD TCP/IP stack so you could do wire-speed file transfer on 10 Mbps Ethernets using a Sun 3/60, so you should have plenty of spare CPU horsepower left to inspect your packets.
There's no particularly good reason for your computer to look like a single computer to anybody outside your network, and simple address-munging isn't enough to solve the problem. My laptop has different addresses depending on where it's plugged in, home, work, coffeeshop, etc., and the address isn't enough to tell them anything definite. When I'm at work, I occasionally have trouble reaching sites because many other users behind my corporate firewall are accessing them at the same time, so they want me to do a CAPTCHA to verify I'm not a bot abusing their system. However, if anybody does want to track your address, with IPv6 they'll probably do it by tracking your /56 or /48. Also, there's the IPv6 address privacy mode, which lets your computer use a different host-part address on every connection, so it's not using the same MAC address every time.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
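The point made in the comments above (refuse connections that originate outside the network instead of translating addresses, because the protection comes from stateful inspection and not from NAT) can be shown with a small model. This is an added example, not part of the thread; the 2001:db8::/32 documentation addresses, the host names and the published port are constructed assumptions, and the model covers only the WAN edge and leaves out ICMPv6 handling.

```python
"""Stateful edge filter for a globally addressed IPv6 site, with no NAT."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation prefix, not real allocations).
SITE = ipaddress.ip_network("2001:db8:10::/48")   # the whole site
WORKSTATION = "2001:db8:10:1::25"                 # internal host, public address
DMZ_WEB = "2001:db8:10:ff::80"                    # DMZ web server
OUTSIDE = "2001:db8:beef::7"                      # some host on the Internet

# The only inbound service the site has decided to publish.
PUBLISHED = {(ipaddress.ip_address(DMZ_WEB), "tcp", 443)}


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrived on: "wan" or "lan"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Default-deny inbound, allow outbound, allow replies to tracked flows."""

    def __init__(self):
        self.flows = set()   # connection-tracking table of accepted flows

    def check(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        forward = (pkt.proto, src, pkt.sport, dst, pkt.dport)
        reverse = (pkt.proto, dst, pkt.dport, src, pkt.sport)

        # Ingress filtering: site addresses must not arrive from the WAN,
        # and foreign addresses must not leave from the LAN.
        if (pkt.ingress == "wan") == (src in SITE):
            return "drop:spoofed-source"
        # Packets of a flow that was already accepted, in either direction.
        if forward in self.flows or reverse in self.flows:
            return "accept:established"
        # New connections initiated from inside are allowed and tracked.
        if pkt.ingress == "lan" and dst not in SITE:
            self.flows.add(forward)
            return "accept:new-outbound"
        # New inbound connections only to explicitly published services.
        if pkt.ingress == "wan" and (dst, pkt.proto, pkt.dport) in PUBLISHED:
            self.flows.add(forward)
            return "accept:published-service"
        # Everything else, including unsolicited inbound to internal hosts.
        return "drop:unsolicited"


def demo():
    """Run constructed packets through one filter and return the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("wan", OUTSIDE, 40000, WORKSTATION, 445),   # unsolicited inbound
        Packet("lan", WORKSTATION, 51000, OUTSIDE, 443),   # outbound request
        Packet("wan", OUTSIDE, 443, WORKSTATION, 51000),   # its reply
        Packet("wan", OUTSIDE, 443, WORKSTATION, 51001),   # not a tracked flow
        Packet("wan", OUTSIDE, 40001, DMZ_WEB, 443),       # published service
        Packet("wan", OUTSIDE, 40002, DMZ_WEB, 22),        # unpublished port
        Packet("wan", WORKSTATION, 40003, DMZ_WEB, 443),   # spoofed site source
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The workstation keeps its own address end to end, yet the only packets that reach it from outside are replies to flows it opened, which is the same reachability a NAT gateway gives.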
I've been running IPv6 on my home network and have had IPv6 tunneling running through HE.net for the past year.
My Apple Time Capsule allows IPv6 tunneling and allocates addresses to my machines on the network for me. I even set up a AAAA record in my DNS service to allow people to see my personal web site over an IPv6 address.
I can hold up my hand and say that I'm ready to go as soon as my ISP gets off its butt. It will be nice to be able to shut-off all that annoying NAT crap some day!
There are other ways to find the machines on your subnet besides scanning, though it is nice that scanning will become harder. If you've got a known brand of ethernet card, there are only 24 bits worth of possible MAC addresses, and what's 16 million scanning packets between friends? Multicast works by default, though your firewall might block it, and they can still do phishing to get you to go to their web page so they can get your address. (IPv6 address privacy mode is a Good Thing, though corporate networks might block it internally so they can track which machines are doing what for auditing and debugging purposes.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
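The comment above notes that an address built from the Ethernet MAC leaves far less to guess than a privacy-mode address. As an added example (not part of the thread), this audits an address inventory for interface identifiers in modified EUI-64 form and recovers the embedded MAC, so those hosts can be moved to privacy addresses; the MAC and the 2001:db8 prefix are constructed, and the link-local address is the one quoted elsewhere on this page.

```python
"""Find IPv6 addresses whose interface ID embeds the MAC (modified EUI-64)."""
import ipaddress


def eui64_interface_id(mac):
    """Build the 64-bit interface ID that SLAAC derives from a 48-bit MAC."""
    raw = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the OUI and
    # the device-specific half of the MAC.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the MAC-derived interface ID."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("SLAAC needs an IPv6 /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(address):
    """Return the MAC embedded in an address, or None if there is none.

    A random interface ID contains ff:fe in this position about once in
    65536 cases, so treat a hit as a strong hint rather than proof.
    """
    addr = ipaddress.ip_address(address.split("%")[0])   # drop any zone ID
    if addr.version != 6:
        return None
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(inventory):
    """Map each address to its embedded MAC (None when nothing is embedded)."""
    return {address: embedded_mac(address) for address in inventory}


# Constructed inventory: one MAC-derived address, the link-local address
# quoted on this page, and an IPv4 address that the audit must skip.
INVENTORY = [
    str(slaac_address("2001:db8:10:1::/64", "00:11:22:33:44:55")),
    "fe80::7c7e:2fb8:12e6:63a%10",
    "192.0.2.1",
]

if __name__ == "__main__":
    for address, mac in audit(INVENTORY).items():
        print(address, "->", mac or "no embedded MAC")
```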
Here we have carrier grade NAT and a whole class B, I think that we can ignore it for a while.
I don't know about the rest of you, but my biggest problem with IPv6 is that the format of the addresses is plain ugly. Why didn't they just add another 8 bits and keep the same format? Instead of 24.232.5.19, we'd only have to adjust to another digit - like 14.24.232.5.19. That would increase the address pool by 256 times and I could remember that number. I can't remember fe80::7c7e:2fb8:12e6:63a%10 - and it's nauseating to look at.
From what I have seen on my firewall, I think there are plenty of IP addresses that botmasters, spammers and other criminals have used to hit my network. If ISPs and network administrators looked at all of the DHCP and unallocated IP addresses that come from their networks, they would have thousands of IP addresses to re-allocate to proper people or systems. Proper accounting of IP addresses by ISPs needs to be a priority before we can really say we ran out of IP addresses.
NRO (Number Resource Organization) had a press conference on 3rd Feb where they formally handed out the last 5 /8 blocks of IPv4 space to the regional bodies. For anyone who missed the live stream, the recorded video can be viewed here:
http://www.nro.net/media-center/video-archive-3-february-2011
I was referring to the usual home setup of a router and a home network of multiple computers, not a webpage hoster and when it comes to home routers it makes a big difference if only your router is available to the public or every computer (frequently unpatched) in the network.
For a business it's a case of looking at upcoming purchases, and to either require that new purchases are capable of IPv6 out of the box, or otherwise have business units accept the lack of conformance and be prepared to write the equipment off sooner.
Once vendors start seeing requests for IPV6 compatible equipment, they will either need to supply it, or watch business go to their competitors.
As far as 'board level governance goes', for the moment it's simply having a strategic plan that leads the organisation towards IPV6, an indicative date to aim for (say 5 years from now - little to fear now), and a statement that the detailed technical work needs to wait until there is enough technology and expertise on site to plan and implement the cutover. Unlike Y2K there's plenty of time to do this without too much shock or fear - but ample time to get infrastructure and skills.
What ever happened to IPv5?
And how do we know v7 or v8 won't be better?
Be seeing you...
Some ISPs are already supporting IPv6. Admittedly, only a handful of residential ISPs are there yet.
Comcast is doing trials now and will probably be adding IPv6 for most customers by the end of the year.
If your ISP isn't doing IPv6 yet, it's time to start asking them about it.
RIRs will be out of IPv4 before the end of the year. That means ISPs that want to keep adding 30-50,000 customers per day to the internet are going to have to do something different from what is being done today. IPv6 is the solution to that problem and it will roll forward rather quickly after IPv4 runs out.
You can plan for it now, be proactive about preparing, and be ahead of your service provider and others, or, you can stand on the tracks waiting until you hear the train coming around the curve. I guess which one you choose depends on how fast you can run and how confident you are in your hearing.
I don't think a normal user gives a piss what the IP is lol
Jack of all trades, master of none
In 1995 IPng was to be implemented ASAP.
Now 16 years later we're still talking about it.
DNSSEC was also being promoted/talked about in 1995 to protect against exploits found 5 years earlier.
It was also ignored as a problem.
Maybe, finally, the cost of not implementing these has finally become greater than ignoring them... but I somehow doubt it. ISPs can make more $$$ off the scarcity of IP4 addresses than they are likely to make pushing IPng/IPv6.
IPng/IPv6, DNSSEC and "Duke Nukem Forever" have far more in common than they should.
If customers don't demand these they won't happen just like they've only been marginally implemented over the last 16 years.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
That's true if you're using protocols that can survive NAT64 translation - couch potatoes reading HTTP pages will be just fine, if their ISP does NAT64 translation for them (or gives them RFC1918 addresses and does NAT44.) And if you're in the business of serving IPv4 web pages, and don't need much more than that, then you might be ok, or you might want to add your own NAT64 server so that outsiders can reach your IPv4 address even if their ISP doesn't do NAT64 for them.
But what if you're using their address for something, like tracking repeat visits, or security, or using geolocation to serve them targeted ads? Do you mind if 80% of your customer visits are now arriving from one of ten big consumer ISP NAT blocks instead of their individual IPv4 or IPv6 addresses?
And then what happens once you decide to accept native IPv6 connections. Is it as simple as asking your ISP for dual-stack, which your routers are new enough to use by now, and telling Linux and Apache "oh, also use IPv6"? Sure, that's cool if you're trying to get a Hurricane Electric IPv6 certification, which is a good idea.
But is your web server farm big enough to need load balancers, and if so do they support IPv6? Do your firewalls allow IPv6 traffic at full speed, or are they 80% slower because they have IPv4-tuned ASICs and need the CPU to do IPv6? Do your accounting programs that keep track of user visits and print out nice shiny reports store their address data in uint32 fields, and print them out in dotted-quad formats? What about your attack/fraud detection programs that are trying to keep people from cracking your web servers and stealing your user data - do they know how to recognize an anomaly from IPv6 land and warn you about it, or does it all look like uint32 to them too?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
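Added example (not from the comment above or from any poster): one way an accounting or abuse-detection tool can stop assuming a uint32 client address. It parses either family, stores a 16-byte value, and counts failures per IPv6 /64 rather than per address; the /64 grouping, the function names and the log lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

def parse_client(text):
    """Parse either family; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), which a
    dual-stack listening socket reports for plain IPv4 clients."""
    ip = ipaddress.ip_address(text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def legacy_uint32(text):
    """What an IPv4-only uint32 column can hold: None when the address does not fit."""
    ip = parse_client(text)
    return int(ip) if ip.version == 4 else None

def to_storage(ip):
    """16-byte value that fits both families (IPv4 kept as ::ffff:a.b.c.d)."""
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip.packed

def from_storage(blob):
    """Inverse of to_storage: returns an IPv4Address or IPv6Address."""
    ip = ipaddress.IPv6Address(blob)
    return ip.ipv4_mapped if ip.ipv4_mapped is not None else ip

def tracking_key(ip, v6_prefix=64):
    """Counter key: the single address for IPv4, the enclosing /64 for IPv6.
    Assumption: one /64 is one subscriber LAN, so a host that rotates its
    interface ID still lands on the same key."""
    if ip.version == 4:
        return ipaddress.IPv4Network((ip, 32))
    return ipaddress.IPv6Network((ip, v6_prefix), strict=False)

# Constructed sample log lines (documentation prefixes): "<client address> <event>"
SAMPLE_LOG = """\
203.0.113.7 login_failed
::ffff:203.0.113.7 login_failed
2001:db8:42:1:a1b2:c3d4:e5f6:1 login_failed
2001:db8:42:1:0:9f:77:2 login_failed
2001:db8:42:1:dead:beef:0:3 login_failed
2001:db8:99:5::10 login_failed
198.51.100.20 login_ok
"""

def failed_logins(log_text, per_address=False):
    """Count failed logins per tracking key (or per exact address for comparison)."""
    counts = Counter()
    for line in log_text.splitlines():
        addr, event = line.split()
        if event != "login_failed":
            continue
        ip = parse_client(addr)
        counts[str(ip if per_address else tracking_key(ip))] += 1
    return counts

def flagged(counts, threshold=3):
    """Keys that reached the alert threshold."""
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("per /64:    ", flagged(failed_logins(SAMPLE_LOG)))
    print("per address:", flagged(failed_logins(SAMPLE_LOG, per_address=True)))
    print("uint32 column for 2001:db8::1:", legacy_uint32("2001:db8::1"))
```

Counting per exact address misses the three failures spread across one /64, while the per-prefix key catches them.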
This in nothing but a left wing media conspiracy against the working people to take away our god-given constitutional right to IP numbers in black helicopters.
Why would anyone have a constitutional right to IP numbers in black helicopters?!
Large Scale NAT
... and it wasn't that wrong for a lot of people until yesterday, either, and won't be until APNIC runs out of space this summer and RIPE this fall, but it doesn't matter.
The IPv4 address space is used up, and we're rapidly sailing toward the point on the map that says "Heer Be Dragons!", and the only solutions we've got are IPv6 and Not-Really-Carrier-Grade-NAT to get us across the bleeding edge.
So if you're not ready for IPv6, it's going to hurt. If you're just an end-user with a dynamic IPv4 address, it won't hurt a lot until your ISP starts giving you a 10.x address, and those cool websites you used to use don't look as cool, and that gaming application you're using for voice talk with your friends while you're killing zombies suddenly can't reach 20% of them, or maybe 80% of them, and maybe your next mobile phone will only have an IPv6 address. But if you're a content provider, you're not only going to either lose a small but growing percentage of your users, or support native IPv6, you're also going to have all those applications that tracked them by location or IP address stop working so well, and your reporting software that keeps track of comment spammers isn't going to know where they're coming from so well, and eventually you'll need to give in and make sure all your firewalls and load balancers are working. And of course, if you're an ISP, you've spent the last couple of years realizing how much this is just going to hurt all over, and if you haven't, you're planning on going out of business Real Soon Now when all your customers ditch you.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
And I am.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Egypt can ignore IPv6
No, IPv4 won't entirely be turned off in a decade, and there are probably still machines running Netware IPX and definitely IBM SNA, and there's probably even X.25 on barbed wire somewhere in the world; I think I've seen DECNET within the past year. But if you're not dealing with IPv6 now, you're not going to be in the web or internet or security or telephone or computer business by late next year, because your job or company will have died by then.
Yes, businesses will make all reasonable accommodation to allow IPv6-only end users to reach their websites, and businesses that open new offices that can't get an IPv4 address from the local ISP in that country at the regular price will either pay them a lot more money or else run some ugly V4-over-V6 tunnel back to headquarters, and they'll be able to squeak by for a while, but it's going to get increasingly ugly and expensive.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
MOD PARENT UP.
IPv5
I'm sure they will be when the machines develop and implement them for us in a thousand years or so (and they will probably bitch about how those stupid humans made the transition harder than necessary with their stupid design of IPv6.)
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
The shift will probably happen overnight (a cron job with a check at boot time to ensure the IPv6 protocol will be up and running,) but when it's supposed to happen it will.
To confirm this, boot up your Mac in verbose mode.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Kollsnes Gas refinery in Norway has a control system running entirely on DECNET :p
Mostly because it is almost impossible to get them to upgrade because the damn servers are so fecking stable.....
They have 6 servers and have had less than a handful of crashes since 1996.... It is quite scary :p
I propose latitude and longitude embedded into IPv6 - that way - everything can map into a unique location
Sorry, djb's rant is just bs. Was he just venting because he didn't invent IPv6 or something?
Nothing prevents a server from simultaneously serving both v4 and v6 clients. DNS publishes both A and AAAA records, clients pick whatever they support.
It's a one-time setup for admins (but yes, too bad, they have to configure those IPv6 addresses somewhere).
Even easier for end users, most won't have to do anything. The "magic box from the ISP" one day answers DHCP (v4), rtsol (v6) and DHCP6 requests, so v6-capable devices (all recent OSes) get v6 connectivity; no change to the v4 part... except more NATing over time probably.
Doesn't look like a particularly painful transition if you ask me.
Granted, it would be better if it didn't require collaboration from ISPs, esp in the US...
"The secret is... wait for it... don't fucking route to them, except when you decide it's okay."
Which is all very well and good, but that requires that everyday people learn how to configure routers to do that. Guess what? That ain't gonna happen. People want a plug-and-play solution, not one where they have to learn crap they don't care about when all they want to do is read email or browse the web.
Which, believe it or not, is all that a *VAST* majority of people do.
When people want more, they can either use another globally visible IP, situating the device on the global side of their NAT, or else they punch holes in their NAT if they can't get another IP address. With IPv6, there will simply be no need for the latter. That doesn't mean that NAT wouldn't be useful.
File under 'M' for 'Manic ranting'
It had better be 1000 times faster and secure than now.
How the hell do you even filter ipv4 and ipv6 at the same time?
iptables -L -n | more
ip6tables -L -n | more
forget the "anonymity of the ipv4" (yeah right)
what the fuck do the new numbers even mean? (okay smartypants you answered that but now how can you type those real quick in irc?)
On a server or firewall or router how many exploits does it open up?
Is there cross ipv4 to ipv6 exploits? e.g. fuck the man?
Is there possible cross ipv6 to my ipv4 exploit right now? e.g. fucked by the man
it's good questions long dodged, I hope many puke their guts out learning, it's already making me sick.
So, my VDSL home router (AVM 7270) is fully IPv6 capable. So are my Win7 PCs. Now what?
Pragmatism tends to win in the end. As I said, some kind of 4 to 6 thing will be needed if ISPs want to start handing out only IPv6 addresses. Well they are going to want to do that. They'll run out of IPv4 addresses and want to use IPv6. If ISPs are demanding hardware that can do this, such hardware will be delivered by Cisco or Juniper or Motorola or whoever. The geeks can scream and cry but the companies that make network gear will give their customers what they want and their customers, the ISPs, want their customers to be able to use the Internet and not have to understand what IP is, much less the versions of it.
But what if you're using their address for something, like tracking repeat visits, or security, or using geolocation to serve them targeted ads? Do you mind if 80% of your customer visits are now arriving from one of ten big consumer ISP NAT blocks instead of their individual IPv4 or IPv6 addresses?
As the only suggested alternatives to large-scale IPv6 adoption are effectively either (1) putting all consumers behind huge ISP NAT blocks with IPv4 between them and the NAT routers rather than IPv6 and (2) abandoning the 1-1 allocation of addresses to users and performing routing using some of the bits in the port number, you're going to get these problems anyway. At least IPv6 allows a solution (switch to a pure IPv6 implementation, rather than staying on IPv4); the alternatives just make such schemes impossible.
Now that the last IPv4 address blocks have been allocated
Last article I read on this subject, only a couple of weeks ago, suggested the final blocks were still to be allocated and weren't expected to be handed over until March at the earliest. Has something happened I haven't heard about?
A static IP is already, effectively, a premium option for ISP customers, and the world hasn't ended. 99% of users don't need a public IP, many ISP customers are already perfectly happy with a dynamic IP, business/university users are already firewalled to hell (making a public IP largely useless), many "user oriented" applications already use proxy-based solutions to cope with this (Skype, Dropbox, games etc.) - and if you're on ADSL you're not going to want to do any serious serving. As long as you can shop around for a static IPv4 and/or v6 ISP if you need it I don't see a problem.
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
Which people will get, because the people who don't care will buy consumer level devices which will just have the default firewall configured to block all incoming connections, thus providing the exact level of security they presently get with NAT.
You could even throw UPnP on top of that to selectively allow inbound ports to particular IPv6 addresses to accept connections.
Just wait until they face the IPv16 problem, because those stupid humans only used four bits for the version number ...
The Tao of math: The numbers you can count are not the real numbers.
Apple, the US Postal Office, Ford Motor Company, HP, to name a few companies hoarding 16.7 million IP addresses each.
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
- To understand recursion, we must first understand recursion -
A couple of interesting conclusions:
1 - you will have some time left, because the migration must logically happen from the backbones inwards, and may stall at the gate (your front end router) where you will NAT to IPv4 for quite some time to come.
2 - however, if behind the gate/firewall you already have a large network (as an ISP, or the aforementioned club with a class B block) you bite the bullet best sooner than later because it's a lot of work (and here too you'd migrate from WAN backbones inwards).
3 - a lot of operating systems and hardware have already been supporting IPv6 so it's not causing a full scale tech refresh. However, there will also be parts that may need isolation because they cannot migrate. Depending on how critical the machinery is, this is probably the last chance to buy some IPv4 spares at a sensible price. That $20 network card will be worth a lot more money in the future.
4 - security will be a challenge. IPv6 has facilities such as extensible headers that could be used as covert channels. You will need to take a decision what features are useful and which are a risk, and hope firewall manufacturers catch up with this asap..
5 - it will be a headache remembering your public IP address :-)
6 - As Japan didn't have many IPv4 addresses to start with, they moved to IPv6 quite a while ago. I suspect Japanese network engineers will be very much wanted for a while as they alone really have credible experience in IPv6 deployment.. That game starts more or less now, because I do agree with the original article premise: IPv6 is now a CTO level issue.
Insert
http://www.google.com/trends?q=ipv6,+ipv4&ctab=0&geo=all&date=all&sort=0
What are you all complaining about?
when IP4 was created in 1980 people thought it will never end :) now just after 30 years IP6 lol
Javin
fix protocol tags and specification
NoClassDefFoundError
A transition period will always have issues, there simply is no way around it. The point of NAT64 is indeed for people doing browsing from their house. Sure, the target loses some granularity in tracking if using IP (though I wonder if geo-ip might still work if the NAT64 gateways tend to be close to the end-user), but every 'answer' for the problem messes with that anyway (if not NAT64, carrier grade NAT would happen and you are back to square one).
If you have significant datacenter presence, it's probably unavoidable to refresh networking equipment and software to cleanly support IPv6. As mentioned before, you can defer this by staying v4 until your budget allows at the expense of talking to some hosts via NAT64. Of course, if IPv6 takes off in NAT64 mode, the NAT issues will probably confuse your attack/fraud detection too.
XML is like violence. If it doesn't solve the problem, use more.
Only six servers and they have a crash every few years? On a control system? Scary is right.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
And how do you make sane rules deciding what is on your network and what is not when every machine in your network has a globally routable IP address? And don't point me at the horribly busted RFC 4193.
IPv6 is the IT equivalent to a large, bureaucratic government's programs.
It's something that is a technically legitimate fix for a certain problem - but due to the political nature of the implementation (in this case, "technically pure"), it ignores the reality of the status quo.
In this case, the problem has to do with people not knowing IPv6 - everyone from managers on down to the cable people, and the programmers who write things like VoIP software or the myriads of 'network appliances'. How many appliances are there out there which (say) run Linux and have IPv6 built in, but the UI has a type constrained IPv4 address for interface configuration? A hell of a lot. Nothing is ready, and many many people use IP addressing for infrastructure, still. (The smaller the network, the more likely it is, so the cost for compliance is disproportionately burdensome on smaller companies.)
The problems will be a marked increase in IT costs, incompatibility, and general "growing pains". No, most infrastructure is not "IPv6" ready. Most people do not know how to work with it. And no, companies do not want to pay for what most in IT see as more pain than it's worth (let the 3rd world rot in obscurity).
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
The HMI system is separate from the control function of the underlying control system.
Hardware issues happen. Sometimes badly when the hardware is old. That is why there is redundancy. It is a bit hard to recover from a failed raid controller though without taking the server down. The 6 servers are doing the same job, so one going down is expected but extremely rare.
A 'crash' also happens if someone loads borked data onto the servers. This has happened in the past and is why there are redundant servers :p
We always load new configurations to a certain server to test and after it is validated it is loaded on the rest.
It's all very well and good to talk about what's theoretically possible, but unless people actually make it happen, it's only so much bullshit.
File under 'M' for 'Manic ranting'
The general plan is for ISPs to give people /56 or /48 and let them chop *that* up, either by hand or having their routers do it automatically, and /56 is big enough that the automatic stuff can be wasteful instead of efficient. If you've got a /64, you're perfectly free to chop it up by hand, but all the autoconfiguration stuff assumes that /64 is one subnet, big enough to use your equipment's EUI-64 link layer address as the host part of the IPv6 address. (EUI-64 is an extended version of MAC, designed so that the Layer 2 people never have to run out of addresses either - if you've got equipment with regular Ethernet-like MAC addresses, you create the EUI-64 by shoving some standard bits into the middle, in ways that look unnecessarily ugly to me but are the standard now.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
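Added example (not from the comment above): the MAC-to-EUI-64 step it describes, following RFC 4291 Appendix A, which inserts ff:fe in the middle and also inverts the universal/local bit of the first octet. It goes one step further than the comment by recovering the MAC from such an address, which is why the same host part identifies a device on every network it joins; the function names and sample values are constructed.

```python
import ipaddress

def mac_to_modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier (modified EUI-64)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the universal/local bit
    return bytes(eui)

def slaac_address(prefix, mac):
    """Address a host would autoconfigure from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration assumes a /64 subnet")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_mac(addr):
    """Return the MAC if the interface ID looks EUI-64 derived, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # manually assigned or randomized host part
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local inversion
    return ":".join(f"{b:02x}" for b in mac)

def same_interface_id(addr_a, addr_b):
    """True when two addresses share the low 64 bits (same host part)."""
    a = ipaddress.IPv6Address(addr_a).packed[8:]
    b = ipaddress.IPv6Address(addr_b).packed[8:]
    return a == b

if __name__ == "__main__":
    # Constructed values: documentation prefixes and an arbitrary MAC.
    home = slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    cafe = slaac_address("2001:db8:ffff:9::/64", "00:1a:2b:3c:4d:5e")
    print(home, cafe, embedded_mac(str(home)), same_interface_id(str(home), str(cafe)))
```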
Your NAT example that forwards example.com:80 to one machine and example.com:21 to another is at least interesting, though IPv6 gives you enough addresses that you can just as easily forward www.example.com to your web server and ftp.example.com to your FTP server. IPv6 doesn't stop you from doing a 6-6 NAT if you want, but the default behaviour should be that it's never necessary, and seldom implemented.
For most people, the important things about NAT are that it's something cheapass firewall appliances do so they can plug multiple computers in to their LAN, get addresses handed to the computers without needing to manually configure them, and get some semblance of security, and most stuff just works. If they're gamers, they probably need to mess with the firewall by hand anyway, unless kluges like uPNP are good enough to do the job without it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Yup. That's why this is under the "If you think you can ignore IPv6, think again" discussion :-)
Using port numbers for a few bits of tracking is very interesting - probably not too hard, and of course cookies give you an alternative method, for people who accept them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
About 10 years ago I was ready to experiment with IPv6 in order to be "IPv6 ready". Tunnels were used then and it seems they are used even now. Mostly by geeks. The more books I read about it, the more I knew about it made sure it won't arrive overnight.
IPv6 needs to be an extension to IPv4 but it's not. Providers have to provide for both versions and users have to configure for both versions. But because of the existence of IPv4 the "switching to IPv6" won't happen. I'd say during several years the switching is complete (when no IPv4 is available), however this switching should have happened already 10 years ago.
Because of the pain of switching to IPv6 and its slowly growing user space, there will be more and more reasons to stick to IPv4. IPv4 and NAT are still the easiest and ready to implement solutions when the ISP's address space is not running out.
There is a lot of wrong information about "IPv4 death" around. Articles such as "bye bye IPv4" mostly make me laugh (not really laugh after reading these for 10 years, mostly making numb).
I bet many people believed IPv4 was dropped when the address space got "full". It's possible that during the transition phase some small-to-medium size ISPs will start to NAT IPv4 more than ever before.
Given that NAT accomplishes exactly this, there's no reason to think why IPv4 routers would although most also include a default security firewall one can turn on which does do this. It's a single button push.
The market has currently evolved with NAT working "well enough" for most people though - but it certainly didn't until UPnP came along - which was in response to a need for things to "just work" for the home user. For the longest time with NAT, they certainly didn't (unless, as I did when I was younger, you just routinely tossed your computer in the DMZ when you needed to use something).
There's no reason to think (and certainly no reason to criticize) that a (very simple) adaptation doesn't exist, and so instead we clearly need to add in a system which has been consistently breaking things left, right and center - and certainly preventing things from "just working" for the home user - when the fix is literally just changing a default setting.
It's an indisputable fact that NAT works "good enough" for most people, and whether or not it "breaks" things is wholly irrelevant to that point. With IPv6, at least people who are frustrated with NAT are not in a position where they must use it, because they can easily obtain a globally visible IP anyways. I also don't argue that NAT breaks a whole lot of stuff, but the simple fact is that not enough people actually give a crap about that to realistically expect that people are going to be comfortable with it just going away. Finally, I don't argue that NAT alone is not what any security expert would consider adequate, but it's still better than no security at all... and to the best of my understanding, the only way an outside user can get access to systems behind a NAT at all anyways is if administration has been done on the NAT to poke holes in it. Whether or not manufacturers could theoretically design a consumer system with a firewall that is as completely maintenance-free as NAT is nowhere near as relevant as the fact that no such beast actually exists at present (installed on consumer devices that is), and there is no significant incentive to make one for the average consumer when NAT works good enough for most people, coupled with the fact that, to the best of my knowledge, the only significant security issues with NAT would also arise with any firewall that duplicated its net effect, since the same people who poke holes in their NAT would be poking similar holes in the firewall, allowing exactly the same sort of stuff through. In terms of the amount of security that they could offer out-of-the box for most consumers, they would be so close to equal that it simply makes more sense to continue to have it available as an option for people who want it than to try to offer a different solution that is better only on a technical level that most people don't care about.
File under 'M' for 'Manic ranting'
So basically you're saying: there is no difference.
Which makes the design decision not to specify a NAT protocol for IPv6 an excellent one, since we won't end up with the hacky workaround which is NAT being implemented - the path of least resistance (after not using IPv6) is to actually implement proper default firewalls.
Whereas I'm suggesting that the path of least resistance will be for home consumers to continue to use NAT, since it's what a majority of people already have and are satisfied with, even if only because they don't know how much more they could do with a globally visible IP.
Of course there's also no doubt that the transition to IPv6 will spark a demand amongst a certain segment of internet users for globally visible IPs, which in turn would be the impetus for home router manufacturers to make it very easy for people to situate any device they connect to it to be optionally NAT'ted or not (with the default likely being NATted).
File under 'M' for 'Manic ranting'
Could ISPs (in league with governments and the MAFIAA) use this 'insurmountable technical problem' as an excuse to deeply inspect, record, and route every single packet, turning the average user's internet access into Mother May I?