Slashdot Mirror


If You Think You Can Ignore IPv6, Think Again

wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."

6 of 551 comments

  1. ISP by 0racle · · Score: 5, Insightful

    Until my home ISP or the ISP for the company I work for offers IPv6, I think it's going to be very easy to ignore IPv6.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:ISP by The1stImmortal · · Score: 5, Insightful

      He's right - NAT has useful functionality beyond just the "security" aspects.

      The IPv6 internet model still only allows provider-independent addressing if you're a member of your regional NIC (with all the associated bits and pieces, like ASNs etc.)

      NAT is the only sane way to give your network provider independence under this system. If you're forced to renumber your network when changing ISPs, it's a real pain in the neck. Also - what if you want to do redundant internet connections? With IPv4 NAT you just set up the NATing firewall to have two connections with the same priority, enable stateful tracking, and away you go. That's flat out impossible with directly addressed IPv6 - every device would need two IPs (one for each provider subnet), and you'd need to manually configure each device to spit out some traffic with one source IP and other traffic with another source IP.

      Additionally, NAT lets you do some useful stuff, like providing multiple services on multiple back-end machines via a single IP (which would of course correspond to a DNS record). For example, providing a "mail.example.com" address which provides POP3, IMAP, Webmail and SMTP submission service - POP3 and IMAP going to the mailstore machine, Webmail to a webserver and SMTP to an MX machine, without needing to configure slow port proxy services which lose valuable information (such as the source IP for connections).

      As for IPv6 autoconfiguration, autoconfiguration doesn't deal with:

      - Changing application settings dependent on IPv6 addresses
      - Updating DNS records
      - multiple internet providers/multiple subnets
      - port remapping

      making it an incomplete solution in itself.

  2. but ignoring is working so well... by green1 · · Score: 5, Insightful

    I finally found the group responsible for IPv6 at my company, and asked about our readiness. Now keep in mind, we don't need to wait for an upstream provider as we are the upstream provider, with many peering agreements in place.

    The answer I got back basically amounted to two things:

    1) nobody else is ready, so we don't need to be either.

    2) it's not legally mandated, so it's not important.

    I'm so glad we pride ourselves on our ability to innovate...

  3. Re:IPv6 Mess by SmilingBoy · · Score: 5, Insightful

    Not so fast:

    http://cr.yp.to/djbdns/ipv6mess.html

    I don't agree at all with this article. The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible. The IPv4 host can only send packets to IP addresses with 32 bits. Any longer number is not understood by the IPv4 host. In order to make this work, the IP stack of every IPv4 host would need to be updated. Guess what has to be done to have IPv4 and IPv6 dual stack? The IP stack of every IPv4 host needs to be updated!

  4. Stop already, it's getting old. by bill_mcgonigle · · Score: 5, Insightful

    Yes we know.

    Major ISPs are just now getting the ball rolling. Client software is still being perfected. The bridges for early adopters are known to be flakey. Talk to the people working on that stuff (oh, wait, you don't need to, they're already underway).

    Most readers here will move along when the infrastructure is ready. We know the address space is effectively out but there's little reason to do much at this point, and anybody trying to push people to adopt IPv6 before the tools are robust is kidding themselves.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. Re:NAT will never go away by grcumb · · Score: 5, Insightful

    The idea that NAT will go away just because a network is IPv6 is a pipe dream. No sane security admin would ever allow that. The idea that the firewall is the only thing between you and the outside world is, and should be, a non starter.

    IT security is all about multiple layers, and one of them is the fact that you have a DMZ between you and the internet, and that the internet can't route outside of it. That is not going anywhere.

    Look, I don't want to be disrespectful to you as a person, but your understanding of network security is... limited. What the fuck does having a DMZ have to do with NAT? It's true that NAT is the most common way to configure a segregated v4 network, but if you think that NAT is the only (or even the best) way to handle this, you're sorely mistaken.

    This may strike you as heresy, but you can construct your network with public-facing addresses, a DMZ and a network of addresses inaccessible from the outside world (except under prescribed circumstances)... all using public IPv6 addresses. The secret is... wait for it... don't fucking route to them, except when you decide it's okay.

    The simplest way to do this would be simply to refuse connections originating from outside your network for a designated subnet. Hey presto! All the benefits of NAT without the insanity of NAT!

    My employer, a university with campuses in 12 countries, does this already with a public IPv4 block. Last I checked, it was working just fine, thank you very much.

    P.S. Yes, we're IPv6-ready.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
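
Added example, not part of the thread or of any poster's comment: the design described in the last comment (globally addressed internal subnet and DMZ, with new inbound connections refused unless explicitly allowed) written as an nftables forward-chain ruleset without NAT. The interface names, the table name and the 2001:db8::/32 documentation addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed names: wan0/lan0/dmz0 interfaces and the table name.
# Addresses come from the 2001:db8::/32 documentation range, not the thread.
define WAN = "wan0"
define LAN = "lan0"
define DMZ = "dmz0"
# Internal hosts, globally addressed, no translation.
define LAN_NET = 2001:db8:0:10::/64
# Public mail host in the DMZ.
define DMZ_MAIL = 2001:db8:0:20::25

table ip6 perimeter {
    chain forward {
        # Default deny: nothing is forwarded unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed out, plus ICMPv6 errors
        # tied to them (conntrack classifies those as "related", which
        # keeps path MTU discovery working).
        ct state established,related accept
        ct state invalid drop

        # The internal subnet may open connections outward and to the DMZ.
        iifname $LAN ip6 saddr $LAN_NET oifname $WAN accept
        iifname $LAN ip6 saddr $LAN_NET oifname $DMZ accept

        # The "prescribed circumstances": inbound only to the DMZ mail host.
        iifname $WAN oifname $DMZ ip6 daddr $DMZ_MAIL tcp dport { 25, 587 } accept

        # DMZ hosts may reach the Internet but never initiate into the LAN.
        iifname $DMZ oifname $WAN accept

        # Everything else, including any new connection from wan0 towards
        # LAN_NET, falls through to the drop policy; log a sample of it.
        limit rate 5/second log prefix "v6-fwd-drop "
    }
}
```

The internal hosts stay unreachable for unsolicited traffic because of the drop policy and connection tracking, not because their addresses are hidden, so logs on both sides show the real source address end to end.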