Slashdot Mirror


If You Think You Can Ignore IPv6, Think Again

wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."

  1. ISP by 0racle · · Score: 5, Insightful

    Until my home ISP or the ISP for the company I work for offers IPv6, I think it's going to be very easy to ignore IPv6.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:ISP by Kenshin · · Score: 3, Insightful

      Or you could get ready now, so when they flip the switch you're good to go.

      --

      Does it make you happy you're so strange?

    2. Re:ISP by Lord+Ender · · Score: 4, Funny

      ISPs won't support it until customers demand it. This requires government action: use stimulus money to make free porno available to all over IPv6 only. And not just any porno: the kinkiest, highest-resolution, full-length nastiness the Feds can commission.

      Your U-Verse box will have a v6 address within a week.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:ISP by tysonedwards · · Score: 5, Interesting

      There are *many* 6 year old Cisco routers and switches out there that are still covered under support contracts that won't be getting IPv6 support as they have been End-of-Life'd. Consider for a moment that many of these same ISPs are the ones who elect to throttle their users to 256Kbps if they go above their 5GB monthly usage limit. Smaller ISPs are already going in and double-natting their customers as well to further over-subscribe their network and get by with less. Home ISPs will likely continue ignoring this problem for years to come, until the eventual hardware swaps enable them to support IPv6 and then have a reason to start billing their customers more for "now with public IPs to improve your gaming performance".

      --
      Thirty four characters live here.
    4. Re:ISP by Spad · · Score: 4, Interesting

      The amount of *new* networking kit and software that still doesn't support IPv6 is frankly depressing. Microsoft's Forefront TMG (Their ISA replacement), for example, requires Server 2008/2008 R2 (which have full IPv6 support out of the box) but doesn't actually support IPv6 routing itself and it's only ~1 year old.

    5. Re:ISP by Anrego · · Score: 4, Interesting

      Too much could change between now and then (then probably being in about a decade or so).

      I'm with OP, when my ISP gives me one.. I'll deal with it.

    6. Re:ISP by spinkham · · Score: 2

      You make IPv6 support a requirement for new equipment and software.

      It's not quite yet the time to retrofit IPv6 everywhere, but it is definitely time to build support into your new development requirements.

      Just like y2k, if you coded software that used 2 digit date fields in 1995, you had only yourself to blame for needing to rush around in 1999.

      --
      Blessed are the pessimists, for they have made backups.
    7. Re:ISP by Red+Flayer · · Score: 3, Informative

      And not just any porno: the kinkiest, highest-resolution, full-length nastiness the Feds can commission.

      Have you ever plumbed the depths of usenet? Or /b/?

      I don't think having people gouging out their eyes with grapefruit spoons is the best way to handle this.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    8. Re:ISP by simcop2387 · · Score: 3, Insightful

      That's just it, nobody offers NATv6 because it *shouldn't* be needed. Instead you use a real firewall and you get the same protection you got with NAT but with an ip for every computer. If you don't like the idea of having a globally route-able address for every computer turn on the privacy extensions and then your ip will change so that the addresses are useless to anyone else. As it is, people are used to having a "router" to connect multiple computers and have wireless already. This device would change into just a firewall + AP. If you want to get rid of that device and just have an AP, every modern OS comes with a firewall built in that should suffice. NAT doesn't give you security, it just makes it harder to route packets ("security" through obscurity), a proper firewall can also prevent things outgoing for security also.

    9. Re:ISP by tysonedwards · · Score: 4, Informative

      With Cisco, End-of-Life and End-of-Support are two wildly different things... To Cisco, End-of-Life means "no more updates", while End-of-Support means "you can call us up for help, and we will provide you with a replacement unit if yours fails". End-of-Support is typically 5 years after the End-of-Life announcement, however there are the random exceptions like their VPN Concentrators.

      --
      Thirty four characters live here.
    10. Re:ISP by tweak13 · · Score: 5, Informative

      I'd rather have NAT for v6 too

      Why?

      There are always so many people saying they want NAT, but if addresses are plentiful then it serves absolutely no purpose. I think that most people who see it as necessary are confusing its function with a firewall. You do not need NAT to do the same things your home router does today. You can still block all incoming connections to a computer and allow all outgoing connections. You can still allow specific ports to be opened to specific machines.

      Using a public address on your internal network doesn't automatically mean that you need to just allow any traffic in. Use a firewall to "stealth" every port and there will continue to be no evidence that you have a computer there.
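The behaviour described in the comment above (drop unsolicited inbound traffic, allow replies to outbound connections, open specific ports to specific machines) needs connection tracking, not address translation. The following is an added sketch, not part of the original thread; `StatefulFilter`, `Packet` and the `2001:db8::/32` documentation addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _ip(text):
    return ipaddress.ip_address(text)


@dataclass
class StatefulFilter:
    """Toy model of a home router's IPv6 filter: no NAT, only flow state."""
    inside: ipaddress.IPv6Network
    pinholes: set = field(default_factory=set)  # {(address, port, proto)}
    flows: set = field(default_factory=set)     # outbound 5-tuples seen so far

    def allow_inbound(self, addr, port, proto="tcp"):
        """Equivalent of a 'port forward': open one port on one inside host."""
        self.pinholes.add((_ip(addr), port, proto))

    def check(self, p, arrived_on):
        """Return 'accept' or 'drop' for a packet seen on the 'lan' or 'wan' side."""
        src, dst = _ip(p.src), _ip(p.dst)
        if arrived_on == "lan":
            if src not in self.inside:
                return "drop"            # inside hosts may only use inside sources
            self.flows.add((src, p.sport, dst, p.dport, p.proto))
            return "accept"
        # Everything below arrived from the Internet side.
        if src in self.inside or dst not in self.inside:
            return "drop"                # spoofed source or not addressed to us
        if (dst, p.dport, src, p.sport, p.proto) in self.flows:
            return "accept"              # reply to a connection we started
        if (dst, p.dport, p.proto) in self.pinholes:
            return "accept"              # explicitly published service
        return "drop"                    # default: unsolicited inbound is dropped


if __name__ == "__main__":
    fw = StatefulFilter(ipaddress.ip_network("2001:db8:1::/64"))
    pc, web = "2001:db8:1::10", "2001:db8:ffff::80"
    print(fw.check(Packet(web, 443, pc, 50000), "wan"))   # before any outbound flow
    print(fw.check(Packet(pc, 50000, web, 443), "lan"))
    print(fw.check(Packet(web, 443, pc, 50000), "wan"))   # now a tracked reply
```

Every inside host keeps its own global address here; what reaches it is decided by the flow table and the pinhole list alone.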

    11. Re:ISP by Anonymous Coward · · Score: 4, Interesting

      It's been done: http://www.ipv6experiment.com/ (NSFW). Didn't work, unfortunately.
      My captcha: "banged"

    12. Re:ISP by dave562 · · Score: 3, Insightful

      You're right. Unless you are a business that is offering internet based services, you can probably ignore IPv6.

    13. Re:ISP by LVSlushdat · · Score: 2

      As I type this in a Starbucks on an AT&T wifi node, DHCP issues both a v4 AND a v6 address.. I've tried to connect to some of the test places via v6, but as of this moment, no joy.. Now if I could just get my home isp to make the jump (Cox)....

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    14. Re:ISP by tqk · · Score: 5, Funny

      It's not quite yet the time to retrofit IPv6 everywhere, but it is definitely time to build support into your new development requirements.

      Just like y2k, if you coded software that used 2 digit date fields in 1995, you had only yourself to blame for needing to rush around in 1999.

      And just like in y2k, after we get IPv6 everywhere and nothing blows up, we'll be blamed for running a con job just like in y2k. "Sheesh, nothing happened, and we spent all that money on getting you to fix a non-problem!"

      I say, let's let it blow up this time.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    15. Re:ISP by anboni · · Score: 2

      I doubt that any of those tunneling services would offer me 80mbps up/down for free.

      Actually, from what I've read, the Hurricane tunnel (http://tunnelbroker.net) gave someone their full 100mbps through the tunnel.

    16. Re:ISP by NoKaOi · · Score: 2

      Another good reason for NAT is that you don't have to pay your ISP for multiple IP addresses. Do you think ISPs will offer unlimited IP addresses for free when they start using IPv6? I don't. Without NAT, does this mean we'll have to pay a few extra dollars per month for each device in our house? Let's see, in my household of 3 people, I've got 3 desktops, 2 laptops, a Wii, an Apple TV, 2 iPhones, and a Blu-Ray player. That's 10. Let's say I get one for free, and my ISP charges an extra $5 per IP address, that's an extra $45 a month. I may have a few more devices in my house than a lot of people, but still, people would only put up with not having NAT if they don't have to pay extra for additional IP addresses. Or is it a bad assumption that ISPs will still want to charge for extra IPs?

    17. Re:ISP by Anonymous Coward · · Score: 2

      I work in a small office. You know what the reply I get when I ask for someone's IP address sounds like?
      "16"

      That's because we have internal addresses, and use NAT for anything external.
      If we change offices, only one place needs to know the new IP, and nothing else needs to change: we all use internal addresses, with NAT for anything external, so the rest of our network is not dependent on the whims of which ISP we feel like paying next month.

      It sounds like a common enough set-up that I assume IPv6 accounts for this somehow. But pretending that "security" or "hiding my internal network" is the only reason anyone would want to translate one address into another is beyond absurd.

    18. Re:ISP by cayenne8 · · Score: 2

      "Now if I could just get my home isp to make the jump (Cox)...."

      Even if the cable companies switchover...will it make any difference to the general home user..their cable modem gets the Ipv6 connection, likely goes to a wireless router ipv6...but with everything already NAT'ed...people's stuff on internal networks won't really need to change anything....will they?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    19. Re:ISP by SmilingBoy · · Score: 2

      With IPv6, you will get at least a /64 subnet, i.e. 2^64 addresses. Most ISPs will hopefully give you a /48 or a /56, which would allow for 65k or 256 /64 subnets.

    20. Re:ISP by SuricouRaven · · Score: 2

      If it was ten years ago, that would be true. I remember the time when many ISPs forbade the use of NAT entirely, as they believed people with more than one computer should pay more. But today, that wouldn't work, and I think all ISPs are sensible enough to know it - too many households have multiple computers, plus games consoles, internet-connected TVs and so on. Those customers aren't going to stand for paying extra per device unless they have absolutely no other option, and even then they are going to complain and campaign.

    21. Re:ISP by The1stImmortal · · Score: 5, Insightful

      He's right - NAT has useful functionality beyond just the "security" aspects.

      The IPv6 internet model still only allows provider-independent addressing if you're a member of your regional NIC (with all the associated bits and pieces, like ASNs etc)

      NAT is the only sane way to give your network provider independence under this system. If you're forced to renumber your network when changing ISPs, it's a real pain in the neck. Also - what if you want to do redundant internet connections? With IPv4 NAT you just set up the NATing firewall to have two connections with the same priority, enable stateful tracking, and away you go. That's flat out impossible with directly addressed IPv6 - every device would need two IP's (one for each provider subnet), and you'd need to manually configure each device to spit out some traffic with one source IP and other traffic with another source IP.

      Additionally, NAT lets you do some useful stuff, like providing multiple services on multiple back-end machines via a single IP (which would of course correspond to a DNS record). For example, providing a "mail.example.com" address which provides POP3, IMAP, Webmail and SMTP submission service - POP3 and IMAP going to the mailstore machine, Webmail to a webserver and SMTP to an MX machine, without needing to configure slow port proxy services which lose valuable information (such as the source IP for connections)

      As for IPv6 autoconfiguration, autoconfiguration doesn't deal with:

      - Changing application settings dependent on IPv6 addresses
      - Updating DNS records
      - multiple internet providers/multiple subnets
      - port remapping

      making it an incomplete solution in itself.

    22. Re:ISP by idontgno · · Score: 2

      I could see the move to IPV6 as an excuse for ISPs to charge per device for a while.

      So the only ones paying the price will be the bold early adopters, the ones who take the cataclysmic tone of editors like this article's seriously.

      Thanks, but no thanks. I'll turn on IPv6 as default protocol when every single route to every single address I use more than once a month is full-path IPv6, no tunneling, no NAT, and my service provider doesn't see each v6 address issued as a new cash cow^w^wsubscriber charge.

      The relevant saying here? "You can always tell the pioneers. They're the ones laying face down with the arrows in their backs."

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    23. Re:ISP by SmilingBoy · · Score: 3, Informative

      Of course they are. But this only allows one network (as networks are always /64). If I want to have three networks (servers on one network, clients on another network, and my lightswitches and fridges on a third network) I will simply be able to do this. And IPv6 allows it. And because there is enough space overall, it is efficient for routing allocations to already now give enough space to everyone so that in the case of growth of an individual enduser, two or more separate entries in a routing table can be avoided.

    24. Re:ISP by Anonymous Coward · · Score: 2, Insightful

      Why the heck would I want any Tom, Dick and Harry to be able to get my network topology with IPv6.

      With NAT, an attacker knows I have a firewall, and might be able to use timing attacks to discover which computer is using what ports out.

      Without NAT, an attacker knows what machines are talking to where. Do I want to hand out copies of my network map to anyone that asks? Hell no.

      Don't forget that IPv6 has -zero- encryption support, and it has little to no testing in the real world. Guess what this means? Land, smurf, ping of death attacks just waiting to be used against IPv6 stacks. There might be yet unknown ways to get stuff running in kernel mode. At least with V4, I can use VPN software to encrypt links between branches. Good luck with this in v6 without resorting to tunneling.

      Give me a protocol that isn't a giveaway to any blackhat knocking on my company's doors, and maybe it would be good to not have to be switched to it.

    25. Re:ISP by Anonymous Coward · · Score: 2, Insightful

      So they can have 20 machines on their home network (and someone out there does -- myself, I've only got 11, and usually no more than 5 online at a time), without their ISP demanding they pay more.

      Also, so an open AP can give plausible deniability for copyright infringement, without someone saying "but that's the same IP you've been using non-stop for other stuff -- a drive-by torrenteer would have been assigned a different IP when the infringement started".

      Basically, it's a privacy thing.

      And then there's the argument that NAT fails safe (no access), but firewalls fail bad (unlimited access), which though based on truth (particularly if by "fail" you mean someone pulls the relevant box out and reconnects both sides directly), is mostly ridiculous.

    26. Re:ISP by icebike · · Score: 3, Interesting

      wow..just..wow. You really don't know the criticality of this or the momentum moving through ISPs, do you?

      Decade my ass.

      It sure doesn't seem all that critical if you go by their actions.

      Most haven't even started moving to ipv6, and those who have are doing so rather methodically.
      Most of them appear to have all the address space they need at the moment, and are heavily nat-ed on their internal networks. Most customers don't care, because they don't need inbound connections.

      Most cable/DSL providers still have not even started rolling out modem replacements (mine can't handle ipv6 per the spec sheet).

      If you ask them questions about their modems like...
      Do they plan firmware upgrades, or total replacements of the modems?
      Will I be limited to a small number of world route-able ip6 addresses? (and therefore still need nat)
      Will they handle 6-to-4 in the modem?
      etc
      etc ... You get nothing but blank stares.

      Panic hasn't set in. Static IP prices haven't started to rise. Nobody other than Comcast even wants to discuss the issue.

      --
      Sig Battery depleted. Reverting to safe mode.
    27. Re:ISP by icebraining · · Score: 2

      They need to assign a /64 anyway, so the only way to limit it would be to block the other IPs in their firewalls and keep such lists updated. Too much effort.

    28. Re:ISP by Pentium100 · · Score: 2

      Some servers track your IP when you log in. If your IP changes you might have to log in again. What if I want to be logged in from two computers?

      Also, if I, say, have two servers that provide similar, but different services, I might want to make them appear as a single server that has a single DNS name. Connecting to example.com at port 80 (http) would connect you to one server, but connecting to port 21 (ftp) would connect you to another server and there would be no need for www.example.com and ftp.example.com

      Also, if the server fails and I have a backup one (that is not exactly the same as the primary one, maybe I have two older servers each providing a subset of the services of a newer server), I can just change the port mappings to make the backup server(s) appear like the primary one. Without NAT I can either put an identical server in place of the failed one (and assign it the same IP) or remap all DNS records (and wait for the changes to propagate) pointing to the failed server. And I don't want to have a DNS record for each service that might end up on a different IP.

      Basically, I want to make my internal network a "black box" - no one should know or care what is inside it.

    29. Re:ISP by creepynut · · Score: 2

      Not to mention the ISPs would very quickly exhaust their supply of IP addresses if customers weren't allowed to use NAT. It's the only reason we've lasted this long.

    30. Re:ISP by sortius_nod · · Score: 2, Insightful

      Yeh, it's comments like this that have caused the problem we're in. Lack of preparedness is going to cause massive problems with the switch over. Just today I asked what I can do to prepare for this with my ISP. They were quite helpful and asked if I would like to be converted today (in fact, they encouraged I do). I'm spending a bit of time doing some testing at home to ensure that my IPv6 network functions the way I want it to before being converted and to ensure that I understand all of the ins and outs.

      Ignoring a freight train bearing down on you doesn't make the freight train disappear, just means you don't know what hit you when you're at the pearly gates (ie, your network is dead).

    31. Re:ISP by tqk · · Score: 2

      You're retarded if you rely on a Windows Server for IPv4 routing.

      And if you think he's alone in doing that, you're retarded. Earth, it's full of human mortals. We may not like it, but we have to accept it.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    32. Re:ISP by The1stImmortal · · Score: 3, Insightful

      ULA's aren't supposed to be routeable. That means you've got some of the problems of NAT (multiple address spaces) without its solutions (rewriting packet addresses)

      Yes, you can assign multiple IPs per machine. You can do that with IPv4 too. It's an administrative nightmare generally. This will get especially bad if you've got a network with some services accessed by ULA and others by global address on Provider A's range, and yet more by global address on Provider B's range.

      Oh, and one thing I forgot about NAT - it makes it REALLY easy to move publicly accessible services without interruption - just change a port forward and everyone automatically starts using the new service :)

      NAT is just a really handy tool, for many reasons. It doesn't make sense to discard it for purely ideological reasons.

      And let's face it - NAT is handy enough, and so entrenched, that if the IETF DOESN'T formally define a spec for it, we'll end up with vendors hacking up custom solutions in response to customer demand, which is definitely not a good thing. Let's just write a formal spec for NATv6 and let the greater internet decide whether it's a good thing or not.

    33. Re:ISP by adolf · · Score: 2

      But is it a certainty that ISPs won't charge for using them?

      Remember, this is a business that exists to generate profit. There's no harm in that, of course... But they also thrive on artificial scarcity whenever it can be created, in order to boost profits.

      To a soulless near-monopoly for-profit entity, such games are like printing money.

      And besides, I don't necessarily want people gathering data on the number of machines, and their habits, that I have on my own personal /64. Such information does seem harmless enough to me at this time, but then perhaps I'm just not clever enough to abuse this data.

    34. Re:ISP by John+Hasler · · Score: 2

      And how am I supposed to troubleshoot or test my installation when there's no way to access it?

      Get a free tunnel from SixXS or Hurricane Electric.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. Re:"equivalent to the Y2K problem" by Stregano · · Score: 2

    The world, it will end

    --
    The world is how you make it
  3. Re:Ignoring VP6 by rjstanford · · Score: 2

    Yup. And realistically, although it's not something to be proud of, there's too much money for everyone in continuing to work with IPv4 addresses for years now to force anyone over the wall to IPv6 only.

    It's probably going to come down from on high - want any new routable IPs? Your ISP will force you to be fully v6 compatible. Why? Because their upstream is doing the same to them...

    In the next 6-24 months though, expect a remarkable amount of horse-trading of large IPv4 blocks.

    --
    You're special forces then? That's great! I just love your olympics!
  4. IPv6 Mess by Anonymous Coward · · Score: 4, Interesting

    Not so fast:

    http://cr.yp.to/djbdns/ipv6mess.html

    http://marc.info/?l=openbsd-misc&m=128822984018595&w=2

    1. Re:IPv6 Mess by SmilingBoy · · Score: 5, Insightful

      Not so fast:

      http://cr.yp.to/djbdns/ipv6mess.html

      I don't agree at all with this article. The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible. The IPv4 host can only send packets to IP addresses with 32 bit. Any longer number is not understood by the IPv4 host. In order to make this work, the IP stack of every IPv4 host would need to be updated. Guess what has to be done to have IPv4 and IPv6 dual stack? The IP stack of every IPv4 host needs to be updated!

    2. Re:IPv6 Mess by Junta · · Score: 3, Informative

      Agreed in principle, however NAT64 enables *precisely* what djb complains about. An IPv6 only host can now meaningfully participate in an internet filled with v4-only servers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:IPv6 Mess by anboni · · Score: 2

      http://cr.yp.to/djbdns/ipv6mess.html

      I'm amazed at how much misinformation and outright bullshit someone can put into one single webpage...

    4. Re:IPv6 Mess by BitHive · · Score: 2

      Reading DJB's screed just makes me sad for the man. He literally expects any IPv6 implementation plan to entail a "magic moment" where literally everyone starts using IPv6 end-to-end, simultaneously. This is the kind of "informed" stance I'd expect out of a libertarian claiming we can eliminate the income tax entirely, but not from an expert who should appreciate the absurdity of such an expectation.

    5. Re:IPv6 Mess by SmilingBoy · · Score: 2

      Why is it better to update the IPv4 stack to allow for this new fangled IPv4+ protocol than to update to IPv6 in the first place?

    6. Re:IPv6 Mess by GooberToo · · Score: 2

      You're talking apples and oranges. Most of your comment simply doesn't make sense.

      In order for IPv4 to be compatible with IPv6, ALL IPv4 stacks would require updates and still have all of the IPv4 flaws and problems and limitations - like addressing. Or, with the same hassle, you can update to IPv6, get superior addressing, lots of additional benefits, AND backward compatibility via either dual stack (IPv4+IPv6) or technology such as NAT64 and DNS64.

      So yes, as others have said, the migration is a mess, but by and large, the only real problem is one of mindshare - not technology. And poor excuses, such as that article, only serve to slow adoption and create problems while spreading misnomers about adoption possibilities.

      I guess you could argue that articles such as that created solutions such as NAT64, but given that such solutions exist today, we don't have a reason to look back at such articles at this point.

    7. Re:IPv6 Mess by PRMan · · Score: 3, Informative

      Yes, this would have been a whole lot easier if IPv4 addresses like: 76.33.45.121 became 0::76:33:45:121, for instance. Then everyone could easily do IPv6 passthrough. What were these people thinking that created IPv6?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    8. Re:IPv6 Mess by WaffleMonster · · Score: 2

      I love and respect DJB but he is reacting to a common set of concerns without understanding the entire problem space and without understanding why things must be the way they are.

      On his compatibility argument.. it is just not possible. You could make IPv4 a subset of IPv6 which the ::n.n.n.n and some translation technologies seek to do but this does NOTHING to address the problem of address shortage.

      A very simple question remains.. What address does an IPv4 host use to respond to an IPv6 host after the IPv4 pool is exhausted? It can't be IPv4 because there are none for the IPv6 host to be assigned and it can't be IPv6 because IPv4 does not understand IPv6.. AND you can't retroactively make IPv4 compatible with IPv6 without wholesale updates to the entire infrastructure... (AKA IPv6 transition)

      I wish there was another way but it just isn't technically possible to have interop without the deployment of CGNs.

      At everything above L3 it doesn't matter because of DNS bindings and dualstack hosts it looks like both protocols work seamlessly together which is really all that the end user cares about.

    9. Re:IPv6 Mess by evanism · · Score: 2

      As a network admin I ABSOLUTELY agree with the first article. IPv6 is going to go down in all of history as the greatest disaster in IT. I can barely speak to another admin who isn't losing hair over this.

      --
      Just bought a new quantum computer, but I'm uncertain how it works.
    10. Re:IPv6 Mess by tqk · · Score: 2

      http://cr.yp.to/djbdns/ipv6mess.html:

      ... after all, once IPv6 is working, we can move everything to IPv6, so who cares about IPv4? The problem is that this mistake has gigantic effects on the cost of making IPv6 work in the first place.

      That's what's wrong, and why it's going to be a mess.

      Don't create replacements that can't grandfather in what they replace. FFS.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    11. Re:IPv6 Mess by eelke_klein · · Score: 2

      Actually if you read the current plan section 2.2 item 3 you would know that decimal is allowed in this case: ::FFFF:76.33.45.121

    12. Re:IPv6 Mess by julesh · · Score: 2

      There is a trivial mapping between IPv4 and IPv6 addresses, very similar to the one you propose. Bernstein's attack is against a strawman version of IPv6 that doesn't contain this feature.
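The mapping the last few comments refer to is the IPv4-mapped form `::ffff:a.b.c.d`; the `0::76:33:45:121` spelling proposed earlier in the thread is a different, ordinary IPv6 address whose groups are hexadecimal. A dual-stack listener can report an IPv4 client in the mapped form, so an address-based deny list should normalize before matching. This is an added example, not part of the original thread; the deny list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed deny list for illustration: a documentation range plus the
# sample address quoted in the thread. Not taken from any real policy.
DENY_V4 = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("76.33.45.121/32"),
]


def canonical(addr_text):
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def naive_denied(addr_text):
    """Match the address exactly as parsed.

    An IPv6Address is never a member of an IPv4Network, so the mapped
    spelling of a listed IPv4 address is not matched by this check.
    """
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in DENY_V4)


def denied(addr_text):
    """Match after normalization, so both spellings hit the same rule."""
    addr = canonical(addr_text)
    return any(addr in net for net in DENY_V4)


def report(samples):
    """Return (input, canonical form, naive verdict, normalized verdict) rows."""
    return [(s, str(canonical(s)), naive_denied(s), denied(s)) for s in samples]


if __name__ == "__main__":
    samples = [
        "76.33.45.121",          # plain IPv4
        "::FFFF:76.33.45.121",   # mapped form quoted in the thread
        "::ffff:4c21:2d79",      # same mapped address, all-hex spelling
        "0::76:33:45:121",       # NOT a mapping: four hex groups
        "2001:db8::1",           # ordinary IPv6 (documentation prefix)
    ]
    for row in report(samples):
        print(row)
```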

  5. Re:"equivalent to the Y2K problem" by John+Hasler · · Score: 2

    No big deal if an equivalent amount of timely effort is put into it. In other words, it'll be what Y2K would have been had we done nothing.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Chairman of the bored by ebcdic · · Score: 2

    If IPv6 is "a board-level risk management concern", then I certainly can safely ignore it, and so can pretty well every Slashdot reader.

  7. You will NOT take away or cause artificial demand by h00manist · · Score: 4, Funny

    for my damn IP numbers! I am not falling victim to this left-wing liberal conspiracy to artificially inflate the price of my IP numbers, the fuel of my business! There is no such thing as a global shorting of IP numbers, the scientific evidence is completely subjective and there is no hard evidence whatsoever, no measurements, of a global shorting of IP numbers. Everyone that needs one has an IP number, and there are plenty more. I myself have 192,168,000,023 IP numbers for use just here in my company. This is nothing but a left wing media conspiracy against the working people to take away our god-given constitutional right to IP numbers in black helicopters.

    --
    Build your own energy sources from scratch. http://otherpower.com/
  8. boring ipv6 articles by godrik · · Score: 4, Insightful

    Do we really need to have 3 ipv6 articles a week on slashdot? I believe every single slashdotter knows and understands what the problem is about. So I suggest the editors to skip all the articles about "how my god we need to move to ipv6 FAST",

    1. Re:boring ipv6 articles by Red+Flayer · · Score: 4, Insightful

      Yes. These submissions link to articles that we can cite when attempting to convince our PHBs or CxOs that yes, we do indeed need to budget for the ipv6 migration, and no, we can't wait a couple years to get the ball rolling.

      Just wait until "ipv6 conversion specialists" are charging you $450 an hour to make sure your business is not floundering because you ignored the problem until it was an emergency.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:boring ipv6 articles by couchslug · · Score: 4, Insightful

      "Just wait until "ipv6 conversion specialists" are charging you $450 an hour to make sure your business is not floundering because you ignored the problem until it was an emergency."

      That doesn't argue for warning PHBs. It argues for becoming a Conversion Specialist!

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  9. Kludge coming to a network near you.... by isotope23 · · Score: 2

    VRF for an IPv4 Internet Part Two anyone??????

    --
    Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
  10. Re:Take Back The unused? by Spad · · Score: 3, Insightful

    It'd barely make any difference as you need contiguous blocks and the rate at which we're using them means that even reclaiming whole /8 blocks only extends the life of IPv4 by a few months at best.

  11. but ignoring is working so well... by green1 · · Score: 5, Insightful

    I finally found the group responsible for IPv6 at my company, and asked about our readiness. Now keep in mind, we don't need to wait for an upstream provider as we are the upstream provider, with many peering agreements in place.

    The answer I got back basically amounted to two things:

    1) nobody else is ready, so we don't need to be either.

    2) it's not legally mandated, so it's not important.

    I'm so glad we pride ourselves on our ability to innovate...

    1. Re:but ignoring is working so well... by green1 · · Score: 2

      For competition in our area there is one other large company, their publicly stated IPv6 policies are actually worse than ours (which is quite the feat to be honest!) and a handful of small ISPs reselling our lines and using us as an upstream provider... they don't have much choice in the matter.

      So about that "competitive advantage" you were talking about...

  12. Qwest by medv4380 · · Score: 2
    When the final set of 8's were handed out I got in contact with my ISP and this is what they said

    Qwest has taken care of the IPv4 exhaust issue for our residential customers at the ISP level. We are implementing the capability to communicate with contacts at both IPv4 and IPv6 addresses. This transition will be transparent to Qwest residential and business customers.

    I'm not sure if the transition can actually be transparent since at a minimum I'll have to do something with my TCP/IP so it knows that IP6 is there, and from the looks of it my Modem doesn't support it either without maybe a firmware upgrade.

    1. Re:Qwest by Wingman+5 · · Score: 4, Informative

      What they said translates to "We are putting you behind a carrier grade NAT, you will no longer have a public IP unless you pay us extra for it."

  13. Re:Ignoring VP6 by 99BottlesOfBeerInMyF · · Score: 2

    If you completely ignore it, isn't it likely you'll continue on with no adverse effects? I thought VP4 would continue to work with no tweaking necessary, as long as you're not using broken equipment.

    But we all buy and acquire equipment. Getting a wireless router for your home, maybe you should check the specs a bit more closely now. Buying a set top DVR? You might want to do the same. Trying to decide if your old computer needs an OS update? Some will never have IPv6 support.

    For end users these are concerns that could bite them down the road. For corporations, these are the kind of acquisition failures that will cost millions down the road.

  14. Simple solution by TheSync · · Score: 2, Funny

    I can double the number of IPv4 addressable machines.

    UDP and TCP ports 1-512 will now be one machine, and ports 513 and higher will be another machine.

    1. Re:Simple solution by slimjim8094 · · Score: 2

      IP has no concept of "ports". Aside from the fact that you didn't split the port space evenly, you clearly have no concept of how IP and networking works. And even if this is a serious suggestion, and could possibly be implemented, it would be at least as much (if not more) work than implementing IPv6 *anyway*.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    2. Re:Simple solution by Pi1grim · · Score: 3, Funny

      Oh my god, did somebody just invent NAT?

    3. Re:Simple solution by geekoid · · Score: 2

      Apparently an economist opinion about computer technology is just as good as an economist opinion on the economy.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  15. Re:"equivalent to the Y2K problem" by Firehed · · Score: 2

    A massive undertaking by programmers worldwide in order to prevent a catastrophic meltdown. Completed just in time in a way that's transparent to the rest of the world, making it seem like no big deal.

    Yeah, actually it'll probably be quite a lot like Y2K in that sense.

    --
    How are sites slashdotted when nobody reads TFAs?
  16. Re:"equivalent to the Y2K problem" by Applekid · · Score: 3, Insightful

    The nice part is, unlike Y2K, is that there's no hard drop-dead date by which all work has to be done and all of a sudden there's a bunch of folks laid off. IPv4 can be a looming threat for years to come! Huzzah!

    --
    More Twoson than Cupertino
  17. Stop already, it's getting old. by bill_mcgonigle · · Score: 5, Insightful

    Yes we know.

    Major ISP's are just now getting the ball rolling. Client software is still being perfected. The bridges for early adopters are known to be flakey. Talk to the people working on that stuff (oh, wait, you don't need to, they're already underway).

    Most readers here will move along when the infrastructure is ready. We know the address space is effectively out but there's little reason to do much at this point, and anybody trying to push people to adopt IPv6 before the tools are robust is kidding themselves.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  18. Re:IPv6 sucks by Junta · · Score: 4, Informative

    The former is a tad old and mostly fixed by NAT64.

    On second:

    they created a totally new problem by avoiding arp. the benefit of their layer-2 discovery mechanism has been absolutely zero; the best unit of measure for the cost of that decision is "decades".

    ICMPv6 neighbor solicitation at *worst* case 'degrades' to ARP-type behavior. In very well behaved layer 2 networks (almost none, admittedly) it greatly reduces load at large scale of system. I don't see why avoiding ARP costs 'decades'.

    they created an entirely new and huge problem (destroying SIOCGIFCONF backwards compat hurt IPV6 deployment in operating systems on a massive scale) by not making their sockaddr be a power of 2 in size.

    I still haven't heard anyone explain why that is so catastrophically bad. It may be, but in practice, I haven't seen how this afflicts me.

    Now I will complain that they changed some fundamentals around DHCP (DHCP at all being a near afterthought as they magically thought route advertisement, stateless addressing, and mDNS would be the cure for *EVERYTHING*). However, most of it is probably going to fall into place as soon as more practical deployments start (currently, most v6 trials that end in failure cause people to just walk away for now instead of trying to push fixes).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  19. Re:IPv6 sucks by freakingme · · Score: 2

    Your first link dates from 2003, and therefore I cannot do anything but ignore it. Especially since you don't specify what part you're aiming at... As to what your other link is concerned, Theo de Raadt usually knows what he's talking about, but, he also likes to troll anybody he doesn't like. His post basically says that he doesn't like implementing an arp alternative. His other point simply means it may be a bit more difficult if you assumed all socket addresses would only ever be to the power of 2. That's his fault (hate to break it to you, theo also isn't perfect), he was the one who made the assumptions. Lastly, the problems he describes are about how to implement them in Operating Systems. Since all major OS's now have ipv6 support, I cannot see that being relevant. As for merely posting 2 links without any text: troll?

  20. Welcome to the real world by gmuslera · · Score: 4, Insightful

    ... the one where by far most of the people, even if you go just to the IT ones, ignores even what is IPv6. How many isps or carriers now are giving ipv6 as an option? Probably the most common policy now is "let's wait till everyone else already took the first step before moving a finger" (later it will be "let all scream and run in circles")

    1. Re:Welcome to the real world by John+Hasler · · Score: 2

      > How many isps or carriers now are giving ipv6 as an option?

      Comcast, for one.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  21. Exactly, don't say the Y2K word by suso · · Score: 3, Insightful

    I really wouldn't go into board rooms and mention Y2K. The general public seems to think that there was nothing there and it was just a big hoax. I'm sure all of you have encountered this recently too. A few times recently I had to correct people who said something like "That Y2K thing was no big deal". My answer to them was "It was no big deal because people worked for 5-10 years to fix it, otherwise it would have been a big deal". But you all know that.

    But if you want to be dismissed as a panic monger, bring up Y2K, otherwise, don't.

  22. Re:IPv6 sucks by slimjim8094 · · Score: 2

    Everything has mistakes built in. But DJB's article (aside from being 9 years old) simply boils down to "but who will implement it if it's not widely implemented?" The whole point of implementing it is that it'll get more widely used. That OpenBSD mailing list message was marginally more interesting, but boiled down to "it messes up my struct!"

    I don't understand all the IPv6 hatred. IPv4 is not tenable (which can't really be argued otherwise), and even somehow extending the current address space would break everything anyway, so why not just do it right?

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  23. what's going to get annoying by v1 · · Score: 2

    is when desperate (or "innovating") ISPs decide to jack up the rates on static blocks. Companies that have a static /24 will see the rate to lease that block double overnight. Then if you're only REALLY using a few dozen of them, giving some of that back is going to look really attractive. Did I say double? how about x16? if you can live with 29 usable instead of 253 I bet that's an offer many can't refuse.

    I've got a block of 8 myself (5 usable naturally) so I think I'm safe from the vultures for awhile. But they're also probably going to want to start pooling people inside their /24's. As it is right now I have my own network with my own router. That's 3 of 8 addresses being somewhat wasted, and I bet they don't overlook that. If the entire /24 I'm in is carved into 32 chunks of /29's, that's 93 (32*3-3) more IPs in that block alone they could resell by consolidating gw/br/net. (/29 is admittedly quite a waste of IP space) Maybe I DO need to start worrying?

    --
    I work for the Department of Redundancy Department.
  24. All aboard the next gravy train by geekpowa · · Score: 2

    Nothing helps drive a wedge between people and their money than a fear incessantly pounded into their brain like a rusty nail.

    IPv6 caper should help pay off the mortgage. Then 2038 should set me up quite comfortably for retirement.

  25. Re:Can someone explain IPv6 without NAT? by bsdnazz · · Score: 2

    You have a link local address AND a different global address. It's the global address that will be routed.

    Link local addresses are useful locally. There's even a link local system for IPV4 but hardly anyone seems to know about it. From Wikipedia and various RFCs - "In IPv4, the block 169.254/16 is reserved for this purpose, with the exception of the first and the last /24 subnet in the range. "

  26. Also what is really needed by Sycraft-fu · · Score: 2

    At least before home users can care, is a good 4 to 6 translation system. What I mean is let's say your ISP goes IPv6 and your cable modem gets just an IPv6 address. If you have a newer computer (Vista or newer, newer OS-X releases, etc) it'll just work. It can have its own public IPv6 address and everything is great.

    However, what do you do about older stuff? I'm not just talking older computers, which possibly could be upgraded, but I'm talking older devices, which can't. My AV receiver is a networked device, but it only supports IPv4. I don't think that can be changed, I think that's all its DSP can handle. Even if it can, it probably won't be since it is an older model. So I still need to use that.

    Well, the thing to do is have the cable modem handle it. Have an IPv4 DHCP server, IPv4 gateway, and internal IPv4 DNS server and all that in private space. Then when an IPv4 computer requests something, the DNS server gets the AAAA record and the real IPv6 IP. It translates that to a fake IPv4 IP and hands that to the computer, and handles the translation. More or less a system similar to NAT (or a stateful firewall of some types).

    That way IPv4 devices can continue to work, there is no problem with going 6.

    So far I've seen nothing along these lines. Everything keeps being "Add IPv6 to an existing IPv4 network!" Ya, ya ok that works in some cases but if the issue is running out of IPv4 addresses, that isn't the long term answer. The answer is to make routers that'll let IPv4 devices talk IPv6 without them knowing. Likewise you have a 6-to-4 tunnel at the ISP if you need to communicate to old 4-only networks.

    1. Re:Also what is really needed by Chemisor · · Score: 2

      That's called NAT-PT and I've just had a huge flamewar about it on the last IPv6 article. Basically, all the v6 geeks here hate NAT and think nobody should be allowed to have such a thing. Hence, the RFC has been deprecated and nobody is even trying to implement it.

  27. Not like Y2K by Anonymous Coward · · Score: 2, Insightful

    The IPv6 move is not like Y2K. With Y2K there was a firm deadline when everything had to be re-coded, tested and ready, or else. With IPv6 it's more like the introduction of fax machines. You only need a fax machine if you want to communicate with someone else who also has a fax machine. Since around 98% of the Internet is still using IPv4 no one is going to want to be the first to stick their neck out and embrace IPv6. If everyone you want to talk to is on IPv4 there is no reason to migrate yet.

  28. Re:Can someone explain IPv6 without NAT? by borcharc · · Score: 3

    How are we supposed to roll out IPv6 without NAT? Can someone explain, and without RANTING about how NAT is unnecessary?

    Think about it. Let's say I set up my company with link local addresses. IPv6 forbids NAT on routers and firewalls. So how are my hosts going to talk to the Internet? Specifically, if I have a link local address of fe80::/10. That's not going to be routable from the Internet. TCP is two-way traffic, so the servers need a return route to me. How is this accomplished with NAT?

    NAT is necessary so the ISP can send traffic back to my summarized address. I don't understand how this works when they forbid NAT. Someone please kindly explain how that works.

    Sorry to rant at you and not answer your question.

    Have we stopped learning/teaching about routing, forwarding and firewalls because the magic NAT box does all of that for us? This is a sad state for the world of networking that such a question must be asked.. repeatedly... by people who should know better.

  29. Re:NAT will never go away by grcumb · · Score: 5, Insightful

    The idea that NAT will go away just because a network is IPv6 is a pipe dream. No sane security admin would ever allow that. The idea that the firewall is the only thing between you and the outside world is, and should be, a non starter.

    IT security is all about multiple layers, and one of them is the fact that you have a DMZ between you and the internet, and that the internet can't route outside of it. That is not going anywhere.

    Look, I don't want to be disrespectful to you as a person, but your understanding of network security is... limited. What the fuck does having a DMZ have to do with NAT? It's true that NAT is the most common way to configure a segregated v4 network, but if you think that NAT is the only (or even the best) way to handle this, you're sorely mistaken.

    This may strike you as heresy, but you can construct your network with public-facing addresses, a DMZ and a network of addresses inaccessible from the outside world (except under prescribed circumstances)... all using public IPv6 addresses. The secret is... wait for it... don't fucking route to them, except when you decide it's okay.

    The simplest way to do this would be simply to refuse connections originating from outside your network for a designated subnet. Hey presto! All the benefits of NAT without the insanity of NAT!

    My employer, a university with campuses in 12 countries, does this already with a public IPv4 block. Last I checked, it was working just fine, thank you very much.

    P.S. Yes, we're IPv6-ready.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  30. The big mistake was not making mobiles IPv6 by Animats · · Score: 4, Insightful

    The big mistake was not making mobile IP devices IPv6 from the beginning. Even if they had to go through a NAT at the telco. Most of the growth is in mobile devices.

    Fortunately, most mobile devices respond to updates pushed from the carrier. So mobile carriers need to be encouraged to implement that transition. Carriers are in a good position for this, since they control both ends of the air link. Some of this must be happening already.

  31. Re:TFS: Sarbanes-Oxley compliance by camperdave · · Score: 2

    I had to google Sarbanes-Oxley compliance. Never heard of it before. Apparently it's some sort of irrelevant foreign legislation regarding accounting. How they managed to equate that to the hard technical limits like Y2K and IPv6 is beyond me.

    --
    When our name is on the back of your car, we're behind you all the way!
  32. Re:Can someone explain IPv6 without NAT? by bbn · · Score: 4, Informative

    How are we supposed to roll out IPv6 without NAT? Can someone explain, and without RANTING about how NAT is unnecessary?

    Ok, not a word about NAT.

    Think about it.

    I am thinking.

    Let's say I set up my company with link local addresses.

    You will not. Link local address is something every IPv6 interface has. You can use it to communicate with other hosts on the same ethernet segment. You can not use it for communicating with the internet at large.

    IPv6 forbids NAT on routers and firewalls.

    It does no such thing. However nobody has bothered implementing NAT (sorry I said the word) on IPv6. I am sure someday somebody will but few will use it.

    So how are my hosts going to talk to the Internet?

    The minimum subnet size an ISP can assign to a customer is a /64 giving you 2^64 unique IP addresses you can distribute among your computers. In fact, your computers will pick up the prefix (the first 64 bit) from the router and then select the last 64 bit automatically. You will not have to do anything, it will just work.

    Specifically, if I have a link local address of fe80::/10. That's not going to be routable from the Internet. TCP is two-way traffic, so the servers need a return route to me. How is this accomplished with NAT?

    I assume you are asking how it is accomplished _without_ NAT. You are confused about link local addresses. Those are not generally something you will be using. Your computers will get the first half of the IP address from the router and it will make up the last half by using your MAC or by random. All your computers will have unique public IP addresses. Since your computer already has a public IP address there is no need to translate it to something different by NAT.

    NAT is necessary so the ISP can send traffic back to my summarized address. I don't understand how this works when they forbid NAT. Someone please kindly explain how that works.

    You are assuming you only have one address. In fact you will have a minimum of 2^64 addresses. The ISP only needs the first 64 bit of the address to route it back to you. The last 64 bit is handled internally on your network. If you insist, you could say the first 64 bit is your "summarized address".

  33. Most ISPs are doing /56 or /48 for residential by billstewart · · Score: 3, Interesting

    There are some ISPs that are starting off with just a single /64 (e.g. Comcast's trial), because they've got some equipment or management software that's not bright enough to handle more complex routing than that, but the general consensus is that businesses should get /48 and residences should get at least /56. That not only allows for a couple of subnets (e.g. wired, wireless, uplink, DMZ), but it also lets you use relatively dumb routers that handle subnets by cutting their address space in 2-4 pieces, and you can stack a couple of those.

    I have heard of one ISP that's only allocating a /60 for residences, but IPv6 has enough address space that most people think it's worthwhile wasting some of it to get addresses aligned on byte boundaries and not mess with nibble-aligned, much less single-bit-aligned.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Most ISPs are doing /56 or /48 for residential by Rising+Ape · · Score: 2

      I must admit, when I first heard about the idea to give /56 or /48 to everyone, it seemed ridiculous. I suspect most people don't have more than one subnet - but since there are about 8 million times as many /56s as there are people on Earth, maybe giving a /56 to everyone isn't so daft after all.

      IIRC, the IPv6 policy is that unicast is only 2000::/3 for now - if we fill that, the allocation policy will be reassessed to be less generous. Hopefully they've been clear enough that other addresses are *not* invalid, so we don't have a repeat of the IPv4 class E debacle.

  34. Here's how to do it. by falzer · · Score: 3, Funny

    Facebook, 4chan, digg, slashdot, reddit, and redtube make their sites accessible by ipv6 only (and not through v4 to v6 tunnels.)
    They take a hit in traffic for a little while, two weeks later, every ISP is giving out ipv6 addresses and every ancient router and pc is upgraded. :)

  35. You can't "flip the switch" for decades by George_Ou · · Score: 4, Insightful

    Even if you switch to a public IPv6 address, all your internal stuff will still be IPv4. My home print server and IP telephony adapter are all IPv4. The problem with IPv6 is that you can't entirely switch to it and just shut down IPv4. You have to run dualstack for the foreseeable future. That's why every IT consultant and IT manager and CIO I've spoken to says they don't give a crap about IPv6 because every adopter of IPv6 will have to be backward compatible with IPv4 so why bother running dual stack. Even after all the addresses are assigned, not a single IPv4 device or network will stop working.

    The choice is between IPv4 single-stack or IPv4/IPv6 dual-stack. Given those as the only choices, people are choosing the former instead of the latter. There is no possibility of running IPv6 single-stack. IPv6 will essentially become the new "private IP addresses" that have to translate to "public" IPv4 addresses used by 99% of the IP devices in the world. The only difference is that IPv6 devices will be able to talk to each other without a NAT across organizations.

    1. Re:You can't "flip the switch" for decades by aztracker1 · · Score: 2

      I think you have those backwards.. IPv4 will continue to be used with LANs and VPNs for just the software you mentioned with NAT gateways for IPv4 remote services over IPv6. And IPv6 will become ever more important publicly.

      --
      Michael J. Ryan - tracker1.info
  36. Why would you want to do those broken things? by billstewart · · Score: 3, Informative

    Look, you're getting a subnet that's big enough for just about anything you can imagine doing at home, not just the things you can actually figure out how to do. If you'd like to split your /56 into 256 different subnets and do different things on them, go ahead. You can do that without breaking the end-to-end principle.

    NAT breaks stuff right and left today, for two main reasons
    - lots of protocols, including FTP and newer protocols, put the IP address inside the data packets, not just in the packet headers, and doing NAT properly requires ripping the packets apart, changing the addresses, and fixing up any checksums that got damaged in the process. It's even worse if you've got protocols that use crypto, either for information hiding or just simply for authentication. It's very hard to get them right, especially if people design protocols the firewall doesn't know about.
    - stateful NAT makes it hard to establish connections through the firewall. Sometimes this is intentional, blocking unwanted connections for security reasons, but if two people behind NAT want to communicate, neither one can talk until the other one has talked to them first. There are products like Skype that are popular because they go to a lot of trouble to work around the different broken NAT implementations out there.

    Putting a firewall box in front of your computers isn't a bad thing - you just need one that's IPv6-aware instead of IPv4-only. You're not getting the security from NAT, you're getting security from having a stateful packet inspection box in front of your computer, and that's not going to change. If you want to offload packet inspection from your 2GHz CPU down to your 200 MHz SOC-based firewall, go ahead; about a quarter century ago, Van Jacobson figured out how to tune the BSD TCP/IP stack so you could do wire-speed file transfer on 10 Mbps Ethernets using a Sun 3/60, so you should have plenty of spare CPU horsepower left to inspect your packets.

    There's no particularly good reason for your computer to look like a single computer to anybody outside your network, and simple address-munging isn't enough to solve the problem. My laptop has different addresses depending on where it's plugged in, home, work, coffeeshop, etc., and the address isn't enough to tell them anything definite. When I'm at work, I occasionally have trouble reaching sites because many other users behind my corporate firewall are accessing them at the same time, so they want me to do a CAPTCHA to verify I'm not a bot abusing their system. However, if anybody does want to track your address, with IPv6 they'll probably do it by tracking your /56 or /48. Also, there's the IPv6 address privacy mode, which lets your computer use a different host-part address on every connection, so it's not using the same MAC address every time.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
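The point made in grcumb's comment 29 and in comment 36 above, that the protection comes from stateful filtering rather than from address translation, can be shown with a small model. This is an added example, not code from the thread; the prefixes use the 2001:db8::/32 documentation range and the class, host addresses and ports are constructed for illustration.

```python
"""Added example: a stateful IPv6 edge filter that never rewrites addresses."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Default-deny inbound, allow outbound, allow replies to recorded flows.

    Simplified model: no TCP flag tracking, no state timeouts, and no
    ICMPv6 handling (a real IPv6 firewall must still pass the ICMPv6
    types needed for path MTU discovery and neighbor discovery).
    """

    def __init__(self, inside_prefix, published=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        # (address, port) pairs deliberately reachable from outside, i.e.
        # the "prescribed circumstances" for inbound connections.
        self.published = {(ipaddress.ip_address(a), p) for a, p in published}
        self.flows = set()

    def check(self, pkt):
        """Return (allowed, reason). The packet itself is never modified."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        src_in, dst_in = src in self.inside, dst in self.inside
        if src_in and dst_in:
            return True, "internal traffic"
        if src_in:
            # Outbound: remember the 5-tuple so the reply can come back.
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return True, "outbound, state recorded"
        if dst_in:
            if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.flows:
                return True, "reply to established flow"
            if (dst, pkt.dport) in self.published:
                return True, "published service"
            return False, "unsolicited inbound"
        return False, "not for this network"


def demo():
    """Run a constructed packet sequence through the filter."""
    fw = StatefulFilter("2001:db8:aa00::/56",
                        published=[("2001:db8:aa00:1::80", 443)])
    host, remote = "2001:db8:aa00:2::15", "2001:db8:ffff::1"
    sequence = [
        Packet(remote, 40000, host, 22),                   # probe from outside
        Packet(host, 50000, remote, 443),                  # host browses out
        Packet(remote, 443, host, 50000),                  # the reply
        Packet("2001:db8:eeee::9", 443, host, 50000),      # spoofed "reply"
        Packet(remote, 41000, "2001:db8:aa00:1::80", 443), # DMZ web server
    ]
    return [fw.check(p) for p in sequence]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ACCEPT" if allowed else "DROP  ", reason)
```

Every internal host keeps its own globally unique address throughout; what decides reachability is the flow table and the list of published services.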
    1. Re:Why would you want to do those broken things? by Pentium100 · · Score: 2

      But a lot of protocols in use today (peer-to-peer filesharing, VOIP, VPN, etc.) have had horrible kludges built into them to ensure that they can break through NAT and still work.

      Breaking through NAT without port forwarding - sure. The only reason why the protocol might not work with NAT with port forwarding is if it for some reason does not trust the header of the packet and adds a copy of the IP address in the data section (like ftp does).

      So make your router (or other box) explicitly do port forwarding and/or load-balancing; it's effectively what you're using NAT for here and would likely be more flexible.

      So, I can make a packet destined to 1::2 port 80 (hmm, with IPv4 I can write 1.2.3.4:80, is some other symbol used for marking the port number? 1::2:3:4:80 could be confusing?) actually go to 1::3 port 80? Great - it means I can still publish only one IP and do the port mappings, which makes this "almost" NAT.

      So, the only thing that cannot be done is rewriting the source IP field on outgoing connections (not packets, since for port forwarding to work it has to work both ways)?

    2. Re:Why would you want to do those broken things? by Pentium100 · · Score: 2

      That's not the only reason. IPsec, for instance, has to be wrapped inside UDP (called IPsec NAT-T) to break through NATs since IPsec was designed to be run directly on top of IP, where there is no concept of ports to forward! Any attempt to go beyond TCP and UDP runs horribly afoul of NATs.

      Or I can forward whatever protocol number to my VPN server. The fact that NAT is possible does not mean that I have to limit myself to one external IP. If I have two VPN servers I can use two external IPs for them.

      Simple inbound port forwarding doesn't need to be implemented as some fancy stack-level kernel feature like NAT; you just need a process listening on a port that, upon accepting, makes a connection to another IP and port and copies the data in both directions.

      Which means that the server will see a lot of connections coming from the router (or whatever does the port forwarding) and will not see the actual IPs of the clients. Which makes this less useful than NAT.

      It's likely a fair amount of NAT-like behavior will be written for IPv6 to support implementing transparent proxies, which do have to happen at the stack level.

      Oh yea, I forgot transparent proxies. Thanks for reminding me :)

      I just want the amount of NATted traffic on the Internet at large to be on the opposite end of the bell curve than it is now, since with IPv6 it will be unnecessary to "share an Internet connection" in the same way as IPv4.

      What I understand is that there is not so much a problem with NAT by itself, it's that ISPs sometimes put clients behind NAT that the clients cannot control. NAT by itself can be configured however you like, especially since with IPv6 it would not have to be 1-to-many (or is it called "many-to-1"? anyway, the version with a single external IP) NAT, you can do 1-to-1 (to have constant internal IPs that do not depend on which ISP you are connected to at the moment, also to load balance between two ISPs that have assigned different IPs) or some other form.
      Skype does not need to punch through NAT if the port is forwarded, neither does P2P. Configuration will still be necessary, but instead of "forwarding a port" it will be "opening a port" on the firewall.

      As for "share an Internet connection" - ISPs may try to charge the customers based on how many devices they have connected (the fact that the address space is big enough for everyone does not mean that the ISPs won't try to get a few bucks out of the customers anyway).

    3. Re:Why would you want to do those broken things? by Pentium100 · · Score: 2

      IPsec AH headers protect the integrity of the source and destination IP addresses (by design), so if those are modified in any way by NAT things will break.

      Now that I went and read about it in Wikipedia, it seems we were both right - IPSec Transport mode does not support NAT (and needs NAT-T), while Tunnel mode (which is used for VPNs) supports NAT.

      Anyway, you are clearly okay with NAT's limitations.

      The only limitations of NAT that I see are those that stem from the fact that I only have one external IP (so I absolutely have to use NAT for everything). If that limit is lifted, NAT would have no problems, or rather, if you do not like it, you would not have to use it. Why would it be bad for you if I use it to mask the number of my computers, do transparent proxies and other fun stuff that is only possible when it is possible to modify the source and destination fields in the header?

  37. Been there. Done that. by Annorax · · Score: 2

    I've been running IPv6 on my home network and have had IPv6 tunneling running through HE.net for the past year.

    My Apple Time Capsule allows IPv6 tunneling and allocates addresses to my machines on the network for me. I even set up a AAAA record in my DNS service to allow people to see my personal web site over an IPv6 address.

    I can hold up my hand and say that I'm ready to go as soon as my ISP gets off its butt. It will be nice to be able to shut off all that annoying NAT crap some day!

  38. Skript Kiddi3z have other tools, unfortunately :-) by billstewart · · Score: 2

    There are other ways to find the machines on your subnet besides scanning, though it is nice that scanning will become harder. If you've got a known brand of ethernet card, there are only 24 bits worth of possible MAC addresses, and what's 16 million scanning packets between friends? Multicast works by default, though your firewall might block it, and they can still do phishing to get you to go to their web page so they can get your address. (IPv6 address privacy mode is a Good Thing, though corporate networks might block it internally so they can track which machines are doing what for auditing and debugging purposes.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
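
Added example, not part of the comment above or of the original thread: an audit of a host inventory for SLAAC addresses whose interface ID is built from the MAC (modified EUI-64, RFC 4291 Appendix A), which is what leaves only the 24 vendor-assigned bits unknown once the card brand (OUI) is known. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")

def mac_from_address(addr: str):
    """Return the embedded MAC if the low 64 bits look EUI-64 derived, else None.

    A random interface ID matches the ff:fe marker by chance about once in
    65536, so treat a hit as a strong hint rather than proof.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Report, per address, whether it exposes a MAC and how many interface-ID
    bits stay unknown to someone who already knows the vendor prefix (OUI)."""
    report = {}
    for a in addresses:
        mac = mac_from_address(a)
        if mac:
            report[a] = {"mac": mac, "oui": mac[:8], "unknown_bits": 24}
        else:
            report[a] = {"mac": None, "oui": None, "unknown_bits": 64}
    return report

# Constructed sample inventory (documentation prefix 2001:db8::/32).
SAMPLE = [
    "2001:db8:0:1:211:22ff:fe33:4455",   # SLAAC from MAC 00:11:22:33:44:55
    "2001:db8:0:1:5c7e:91a3:0f42:d8b6",  # randomized (privacy-style) ID
]

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE).items():
        print(addr, finding)
```

Hosts flagged with a MAC are the ones to move to privacy or otherwise randomized interface IDs where policy allows.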
  39. Re:Ugly by John+Hasler · · Score: 2

    If your biggest problem is a trivial matter of notation you must be pretty happy with it.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  40. Re:NAT will never go away by mark-t · · Score: 2

    "The secret is... wait for it... don't fucking route to them, except when you decide it's okay."

    Which is all very well and good, but that requires that everyday people learn how to configure routers to do that. Guess what? That ain't gonna happen. People want a plug-and-play solution, not one where they have to learn crap they don't care about when all they want to do is read email or browse the web.

    Which, believe it or not, is all that a *VAST* majority of people do.

    When people want more, they can either use another globally visible IP, situating the device on the global side of their NAT, or else they punch holes in their NAT if they can't get another IP address. With IPv6, there will simply be no need for the latter. That doesn't mean that NAT wouldn't be useful.