Slashdot Mirror


If You Think You Can Ignore IPv6, Think Again

wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."

  1. ISP by 0racle · · Score: 5, Insightful

    Until my home ISP or the ISP for the company I work for offers IPv6, I think it's going to be very easy to ignore IPv6.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:ISP by Kenshin · · Score: 3, Insightful

      Or you could get ready now, so when they flip the switch you're good to go.

      --

      Does it make you happy you're so strange?

    2. Re:ISP by simcop2387 · · Score: 3, Insightful

      That's just it, nobody offers NATv6 because it *shouldn't* be needed. Instead you use a real firewall and you get the same protection you got with NAT but with an IP for every computer. If you don't like the idea of having a globally routable address for every computer, turn on the privacy extensions and then your IP will change so that the addresses are useless to anyone else. As it is, people are used to having a "router" to connect multiple computers and have wireless already. This device would change into just a firewall + AP. If you want to get rid of that device and just have an AP, every modern OS comes with a firewall built in that should suffice. NAT doesn't give you security, it just makes it harder to route packets ("security" through obscurity); a proper firewall can also prevent things outgoing for security also.

    3. Re:ISP by dave562 · · Score: 3, Insightful

      You're right. Unless you are a business that is offering internet based services, you can probably ignore IPv6.

    4. Re:ISP by The1stImmortal · · Score: 5, Insightful

      He's right - NAT has useful functionality beyond just the "security" aspects.

      The IPv6 internet model still only allows provider-independent addressing if you're a member of your regional NIC (with all the associated bits and pieces, like ASNs etc)

      NAT is the only sane way to give your network provider independence under this system. If you're forced to renumber your network when changing ISPs, it's a real pain in the neck. Also - what if you want to do redundant internet connections? With IPv4 NAT you just set up the NATing firewall to have two connections with the same priority, enable stateful tracking, and away you go. That's flat out impossible with directly addressed IPv6 - every device would need two IPs (one for each provider subnet), and you'd need to manually configure each device to spit out some traffic with one source IP and other traffic with another source IP.

      Additionally, NAT lets you do some useful stuff, like providing multiple services on multiple back-end machines via a single IP (which would of course correspond to a DNS record). For example, providing a "mail.example.com" address which provides POP3, IMAP, Webmail and SMTP submission service - POP3 and IMAP going to the mailstore machine, Webmail to a webserver and SMTP to an MX machine, without needing to configure slow port proxy services which lose valuable information (such as the source IP for connections)

      As for IPv6 autoconfiguration, autoconfiguration doesn't deal with:

      - Changing application settings dependent on IPv6 addresses
      - Updating DNS records
      - multiple internet providers/multiple subnets
      - port remapping

      making it an incomplete solution in itself.

    5. Re:ISP by Anonymous Coward · · Score: 2, Insightful

      Why the heck would I want any Tom, Dick and Harry to be able to get my network topology with IPv6?

      With NAT, an attacker knows I have a firewall, and might be able to use timing attacks to discover which computer is using what ports out.

      Without NAT, an attacker knows what machines are talking to where. Do I want to hand out copies of my network map to anyone that asks? Hell no.

      Don't forget that IPv6 has -zero- encryption support, and it has little to no testing in the real world. Guess what this means? Land, smurf, ping of death attacks just waiting to be used against IPv6 stacks. There might be yet unknown ways to get stuff running in kernel mode. At least with V4, I can use VPN software to encrypt links between branches. Good luck with this in v6 without resorting to tunneling.

      Give me a protocol that isn't a giveaway to any blackhat knocking on my company's doors, and maybe it would be good to not have to be switched to it.

    6. Re:ISP by Anonymous Coward · · Score: 2, Insightful

      So they can have 20 machines on their home network (and someone out there does -- myself, I've only got 11, and usually no more than 5 online at a time), without their ISP demanding they pay more.

      Also, so an open AP can give plausible deniability for copyright infringement, without someone saying "but that's the same IP you've been using non-stop for other stuff -- a drive-by torrenteer would have been assigned a different IP when the infringement started".

      Basically, it's a privacy thing.

      And then there's the argument that NAT fails safe (no access), but firewalls fail bad (unlimited access), which though based on truth (particularly if by "fail" you mean someone pulls the relevant box out and reconnects both sides directly), is mostly ridiculous.

    7. Re:ISP by sortius_nod · · Score: 2, Insightful

      Yeah, it's comments like this that have caused the problem we're in. Lack of preparedness is going to cause massive problems with the switchover. Just today I asked what I can do to prepare for this with my ISP. They were quite helpful and asked if I would like to be converted today (in fact, they encouraged I do). I'm spending a bit of time doing some testing at home to ensure that my IPv6 network functions the way I want it to before being converted and to ensure that I understand all of the ins and outs.

      Ignoring a freight train bearing down on you doesn't make the freight train disappear, just means you don't know what hit you when you're at the pearly gates (i.e., your network is dead).

    8. Re:ISP by The1stImmortal · · Score: 3, Insightful

      ULAs aren't supposed to be routable. That means you've got some of the problems of NAT (multiple address spaces) without its solutions (rewriting packet addresses).

      Yes, you can assign multiple IPs per machine. You can do that with IPv4 too. It's an administrative nightmare generally. This will get especially bad if you've got a network with some services accessed by ULA and others by global address on Provider A's range, and yet more by global address on Provider B's range.

      Oh, and one thing I forgot about NAT - it makes it REALLY easy to move publicly accessible services without interruption - just change a port forward and everyone automatically starts using the new service :)

      NAT is just a really handy tool, for many reasons. It doesn't make sense to discard it for purely ideological reasons.

      And let's face it - NAT is handy enough, and so entrenched, that if the IETF DOESN'T formally define a spec for it, we'll end up with vendors hacking up custom solutions in response to customer demand, which is definitely not a good thing. Let's just write a formal spec for NATv6 and let the greater internet decide whether it's a good thing or not.

  2. boring ipv6 articles by godrik · · Score: 4, Insightful

    Do we really need to have 3 IPv6 articles a week on Slashdot? I believe every single slashdotter knows and understands what the problem is about. So I suggest the editors skip all the articles about "how my god we need to move to ipv6 FAST",

    1. Re:boring ipv6 articles by Red Flayer · · Score: 4, Insightful

      Yes. These submissions link to articles that we can cite when attempting to convince our PHBs or CxOs that yes, we do indeed need to budget for the ipv6 migration, and no, we can't wait a couple years to get the ball rolling.

      Just wait until "ipv6 conversion specialists" are charging you $450 an hour to make sure your business is not floundering because you ignored the problem until it was an emergency.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:boring ipv6 articles by couchslug · · Score: 4, Insightful

      "Just wait until "ipv6 conversion specialists" are charging you $450 an hour to make sure your business is not floundering because you ignored the problem until it was an emergency."

      That doesn't argue for warning PHBs. It argues for becoming a Conversion Specialist!

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  3. Re:Take Back The unused? by Spad · · Score: 3, Insightful

    It'd barely make any difference as you need contiguous blocks and the rate at which we're using them means that even reclaiming whole /8 blocks only extends the life of IPv4 by a few months at best.

  4. but ignoring is working so well... by green1 · · Score: 5, Insightful

    I finally found the group responsible for IPv6 at my company, and asked about our readiness. Now keep in mind, we don't need to wait for an upstream provider as we are the upstream provider, with many peering agreements in place.

    The answer I got back basically amounted to two things:

    1) nobody else is ready, so we don't need to be either.

    2) it's not legally mandated, so it's not important.

    I'm so glad we pride ourselves on our ability to innovate...

  5. Re:IPv6 Mess by SmilingBoy · · Score: 5, Insightful

    Not so fast:

    http://cr.yp.to/djbdns/ipv6mess.html

    I don't agree at all with this article. The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible. The IPv4 host can only send packets to IP addresses with 32 bits. Any longer number is not understood by the IPv4 host. In order to make this work, the IP stack of every IPv4 host would need to be updated. Guess what has to be done to have IPv4 and IPv6 dual stack? The IP stack of every IPv4 host needs to be updated!

  6. Re:"equivalent to the Y2K problem" by Applekid · · Score: 3, Insightful

    The nice part, unlike Y2K, is that there's no hard drop-dead date by which all work has to be done and all of a sudden there's a bunch of folks laid off. IPv4 can be a looming threat for years to come! Huzzah!

    --
    More Twoson than Cupertino
  7. Stop already, it's getting old. by bill_mcgonigle · · Score: 5, Insightful

    Yes we know.

    Major ISPs are just now getting the ball rolling. Client software is still being perfected. The bridges for early adopters are known to be flaky. Talk to the people working on that stuff (oh, wait, you don't need to, they're already underway).

    Most readers here will move along when the infrastructure is ready. We know the address space is effectively out but there's little reason to do much at this point, and anybody trying to push people to adopt IPv6 before the tools are robust is kidding themselves.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Welcome to the real world by gmuslera · · Score: 4, Insightful

    ... the one where by far most of the people, even if you go just to the IT ones, don't even know what IPv6 is. How many ISPs or carriers are now giving IPv6 as an option? Probably the most common policy now is "let's wait till everyone else already took the first step before moving a finger" (later it will be "let all scream and run in circles").

  9. Exactly, don't say the Y2K word by suso · · Score: 3, Insightful

    I really wouldn't go into board rooms and mention Y2K. The general public seems to think that there was nothing there and it was just a big hoax. I'm sure all of you have encountered this recently too. A few times recently I had to correct people who said something like "That Y2K thing was no big deal". My answer to them was "It was no big deal because people worked for 5-10 years to fix it, otherwise it would have been a big deal". But you all know that.

    But if you want to be dismissed as a panic monger, bring up Y2K, otherwise, don't.

  10. Not like Y2K by Anonymous Coward · · Score: 2, Insightful

    The IPv6 move is not like Y2K. With Y2K there was a firm deadline when everything had to be re-coded, tested and ready, or else. With IPv6 it's more like the introduction of fax machines. You only need a fax machine if you want to communicate with someone else who also has a fax machine. Since around 98% of the Internet is still using IPv4 no one is going to want to be the first to stick their neck out and embrace IPv6. If everyone you want to talk to is on IPv4 there is no reason to migrate yet.

  11. Re:NAT will never go away by grcumb · · Score: 5, Insightful

    The idea that NAT will go away just because a network is IPv6 is a pipe dream. No sane security admin would ever allow that. The idea that the firewall is the only thing between you and the outside world is, and should be, a non starter.

    IT security is all about multiple layers, and one of them is the fact that you have a DMZ between you and the internet, and that the internet can't route outside of it. That is not going anywhere.

    Look, I don't want to be disrespectful to you as a person, but your understanding of network security is... limited. What the fuck does having a DMZ have to do with NAT? It's true that NAT is the most common way to configure a segregated v4 network, but if you think that NAT is the only (or even the best) way to handle this, you're sorely mistaken.

    This may strike you as heresy, but you can construct your network with public-facing addresses, a DMZ and a network of addresses inaccessible from the outside world (except under prescribed circumstances)... all using public IPv6 addresses. The secret is... wait for it... don't fucking route to them, except when you decide it's okay.

    The simplest way to do this would be simply to refuse connections originating from outside your network for a designated subnet. Hey presto! All the benefits of NAT without the insanity of NAT!

    My employer, a university with campuses in 12 countries, does this already with a public IPv4 block. Last I checked, it was working just fine, thank you very much.

    P.S. Yes, we're IPv6-ready.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
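
Added example, not part of the thread or any commenter's own configuration: the stateful "refuse connections originating from outside" policy that the comments by simcop2387 and grcumb describe, written as an nftables forward chain for a Linux router. The interface names, table name and the 2001:db8:: documentation-prefix address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example. wan0/lan0/dmz0 and the 2001:db8:: address are
# placeholders (2001:db8::/32 is the IPv6 documentation prefix).
# Only forwarded traffic is covered; the router's own input chain is
# out of scope here.

define WAN = "wan0"
define LAN = "lan0"
define DMZ = "dmz0"
define DMZ_WEB = 2001:db8:0:10::80

table ip6 edge {
    chain forward {
        # Default deny: nothing is routed unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to flows an inside host opened. This is the connection
        # tracking a NAT box also does, without the address rewriting.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors must pass: IPv6 routers do not fragment, so
        # dropping packet-too-big breaks path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Inside hosts may open connections outward and into the DMZ.
        iifname $LAN oifname { $WAN, $DMZ } accept
        iifname $DMZ oifname $WAN accept

        # The "prescribed circumstances": new inbound connections are
        # allowed only to the published DMZ service.
        iifname $WAN oifname $DMZ ip6 daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept

        # Every other connection attempt from outside is logged and
        # dropped, even though LAN hosts hold globally routable addresses.
        iifname $WAN counter log prefix "v6-inbound-drop " drop
    }
}
```

A syntax check with `nft -c -f <file>` parses the ruleset without loading it.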
  12. The big mistake was not making mobiles IPv6 by Animats · · Score: 4, Insightful

    The big mistake was not making mobile IP devices IPv6 from the beginning. Even if they had to go through a NAT at the telco. Most of the growth is in mobile devices.

    Fortunately, most mobile devices respond to updates pushed from the carrier. So mobile carriers need to be encouraged to implement that transition. Carriers are in a good position for this, since they control both ends of the air link. Some of this must be happening already.

  13. You can't "flip the switch" for decades by George_Ou · · Score: 4, Insightful

    Even if you switch to a public IPv6 address, all your internal stuff will still be IPv4. My home print server and IP telephony adapter are all IPv4. The problem with IPv6 is that you can't entirely switch to it and just shut down IPv4. You have to run dual-stack for the foreseeable future. That's why every IT consultant and IT manager and CIO I've spoken to says they don't give a crap about IPv6 because every adopter of IPv6 will have to be backward compatible with IPv4 so why bother running dual stack. Even after all the addresses are assigned, not a single IPv4 device or network will stop working.

    The choice is between IPv4 single-stack or IPv4/IPv6 dual-stack. Given those as the only choices, people are choosing the former instead of the latter. There is no possibility of running IPv6 single-stack. IPv6 will essentially become the new "private IP addresses" that have to translate to "public" IPv4 addresses used by 99% of the IP devices in the world. The only difference is that IPv6 devices will be able to talk to each other without a NAT across organizations.