Slashdot Mirror


If You Think You Can Ignore IPv6, Think Again

wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."

25 of 551 comments

  1. ISP by 0racle · · Score: 5, Insightful

    Until my home ISP or the ISP for the company I work for offers IPv6, I think it's going to be very easy to ignore IPv6.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:ISP by Lord Ender · · Score: 4, Funny

      ISPs won't support it until customers demand it. This requires government action: use stimulus money to make free porno available to all over IPv6 only. And not just any porno: the kinkiest, highest-resolution, full-length nastiness the Feds can commission.

      Your U-Verse box will have a v6 address within a week.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:ISP by tysonedwards · · Score: 5, Interesting

      There are *many* 6 year old Cisco routers and switches out there that are still covered under support contracts that won't be getting IPv6 support as they have been End-of-Life'd. Consider for a moment that many of these same ISPs are the ones who elect to throttle their users to 256Kbps if they go above their 5GB monthly usage limit. Smaller ISPs are already going in and double-natting their customers as well to further over-subscribe their network and get by with less. Home ISPs will likely continue ignoring this problem for years to come, until the eventual hardware swaps enable them to support IPv6 and then have a reason to start billing their customers more for "now with public IPs to improve your gaming performance".

      --
      Thirty four characters live here.
    3. Re:ISP by Spad · · Score: 4, Interesting

      The amount of *new* networking kit and software that still doesn't support IPv6 is frankly depressing. Microsoft's Forefront TMG (their ISA replacement), for example, requires Server 2008/2008 R2 (which have full IPv6 support out of the box) but doesn't actually support IPv6 routing itself, and it's only ~1 year old.

    4. Re:ISP by Anrego · · Score: 4, Interesting

      Too much could change between now and then (then probably being in about a decade or so).

      I'm with OP, when my ISP gives me one.. I'll deal with it.

    5. Re:ISP by tysonedwards · · Score: 4, Informative

      With Cisco, End-of-Life and End-of-Support are two wildly different things... To Cisco, End-of-Life means "no more updates", while End-of-Support means "you can call us up for help, and we will provide you with a replacement unit if yours fails". End-of-Support is typically 5 years after the End-of-Life announcement, however there are the random exceptions like their VPN Concentrators.

      --
      Thirty four characters live here.
    6. Re:ISP by tweak13 · · Score: 5, Informative

      I'd rather have NAT for v6 too

      Why?

      There are always so many people saying they want NAT, but if addresses are plentiful then it serves absolutely no purpose. I think that most people who see it as necessary are confusing its function with a firewall. You do not need NAT to do the same things your home router does today. You can still block all incoming connections to a computer and allow all outgoing connections. You can still allow specific ports to be opened to specific machines.

      Using a public address on your internal network doesn't automatically mean that you need to just allow any traffic in. Use a firewall to "stealth" every port and there will continue to be no evidence that you have a computer there.

    7. Re:ISP by Anonymous Coward · · Score: 4, Interesting

      It's been done: http://www.ipv6experiment.com/ (NSFW). Didn't work, unfortunately.
      My captcha: "banged"

    8. Re:ISP by tqk · · Score: 5, Funny

      It's not quite yet the time to retrofit IPv6 everywhere, but it is definitely time to build support into your new development requirements.

      Just like y2k, if you coded software that used 2 digit date fields in 1995, you had only yourself to blame for needing to rush around in 1999.

      And just like in y2k, after we get IPv6 everywhere and nothing blows up, we'll be blamed for running a con job just like in y2k. "Sheesh, nothing happened, and we spent all that money on getting you to fix a non-problem!"

      I say, let's let it blow up this time.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    9. Re:ISP by The1stImmortal · · Score: 5, Insightful

      He's right - NAT has useful functionality beyond just the "security" aspects.

      The IPv6 internet model still only allows provider-independent addressing if you're a member of your regional NIC (with all the associated bits and pieces, like ASNs etc)

      NAT is the only sane way to give your network provider independence under this system. If you're forced to renumber your network when changing ISPs, it's a real pain in the neck. Also - what if you want to do redundant internet connections? With IPv4 NAT you just set up the NATing firewall to have two connections with the same priority, enable stateful tracking, and away you go. That's flat out impossible with directly addressed IPv6 - every device would need two IPs (one for each provider subnet), and you'd need to manually configure each device to spit out some traffic with one source IP and other traffic with another source IP.

      Additionally, NAT lets you do some useful stuff, like providing multiple services on multiple back-end machines via a single IP (which would of course correspond to a DNS record). For example, providing a "mail.example.com" address which provides POP3, IMAP, Webmail and SMTP submission service - POP3 and IMAP going to the mailstore machine, Webmail to a webserver and SMTP to an MX machine, without needing to configure slow port proxy services which lose valuable information (such as the source IP for connections)

      As for IPv6 autoconfiguration, autoconfiguration doesn't deal with:

      - Changing application settings dependent on IPv6 addresses
      - Updating DNS records
      - multiple internet providers/multiple subnets
      - port remapping

      making it an incomplete solution in itself.

  2. IPv6 Mess by Anonymous Coward · · Score: 4, Interesting

    Not so fast:

    http://cr.yp.to/djbdns/ipv6mess.html

    http://marc.info/?l=openbsd-misc&m=128822984018595&w=2

    1. Re:IPv6 Mess by SmilingBoy · · Score: 5, Insightful

      Not so fast:

      http://cr.yp.to/djbdns/ipv6mess.html

      I don't agree at all with this article. The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible. The IPv4 host can only send packets to IP addresses with 32 bit. Any longer number is not understood by the IPv4 host. In order to make this work, the IP stack of every IPv4 host would need to be updated. Guess what has to be done to have IPv4 and IPv6 dual stack? The IP stack of every IPv4 host needs to be updated!

  3. You will NOT take away or cause artificial demand by h00manist · · Score: 4, Funny

    for my damn IP numbers! I am not falling victim to this left-wing liberal conspiracy to artificially inflate the price of my IP numbers, the fuel of my business! There is no such thing as a global shorting of IP numbers, the scientific evidence is completely subjective and there is no hard evidence whatsoever, no measurements, of a global shorting of IP numbers. Everyone that needs one has an IP number, and there are plenty more. I myself have 192,168,000,023 IP numbers for use just here in my company. This is nothing but a left wing media conspiracy against the working people to take away our god-given constitutional right to IP numbers in black helicopters.

    --
    Build your own energy sources from scratch. http://otherpower.com/
  4. boring ipv6 articles by godrik · · Score: 4, Insightful

    Do we really need to have 3 ipv6 articles a week on Slashdot? I believe every single slashdotter knows and understands what the problem is about. So I suggest the editors to skip all the articles about "how my god we need to move to ipv6 FAST",

    1. Re:boring ipv6 articles by Red Flayer · · Score: 4, Insightful

      Yes. These submissions link to articles that we can cite when attempting to convince our PHBs or CxOs that yes, we do indeed need to budget for the ipv6 migration, and no, we can't wait a couple years to get the ball rolling.

      Just wait until "ipv6 conversion specialists" are charging you $450 an hour to make sure your business is not floundering because you ignored the problem until it was an emergency.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:boring ipv6 articles by couchslug · · Score: 4, Insightful

      "Just wait until "ipv6 conversion specialists" are charging you $450 an hour to make sure your business is not floundering because you ignored the problem until it was an emergency."

      That doesn't argue for warning PHBs. It argues for becoming a Conversion Specialist!

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  5. but ignoring is working so well... by green1 · · Score: 5, Insightful

    I finally found the group responsible for IPv6 at my company, and asked about our readiness. Now keep in mind, we don't need to wait for an upstream provider as we are the upstream provider, with many peering agreements in place.

    The answer I got back basically amounted to two things:

    1) nobody else is ready, so we don't need to be either.

    2) it's not legally mandated, so it's not important.

    I'm so glad we pride ourselves on our ability to innovate...

  6. Re:Qwest by Wingman 5 · · Score: 4, Informative

    What they said translates to "We are putting you behind a carrier grade NAT, you will no longer have a public IP unless you pay us extra for it."

  7. Stop already, it's getting old. by bill_mcgonigle · · Score: 5, Insightful

    Yes we know.

    Major ISPs are just now getting the ball rolling. Client software is still being perfected. The bridges for early adopters are known to be flakey. Talk to the people working on that stuff (oh, wait, you don't need to, they're already underway).

    Most readers here will move along when the infrastructure is ready. We know the address space is effectively out but there's little reason to do much at this point, and anybody trying to push people to adopt IPv6 before the tools are robust is kidding themselves.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Re:IPv6 sucks by Junta · · Score: 4, Informative

    The former is a tad old and mostly fixed by NAT64.

    On second:

    they created a totally new problem by avoiding arp. the benefit of their layer-2 discovery mechanism has been absolutely zero; the best unit of measure for the cost of that decision is "decades".

    ICMPv6 neighbor solicitation at *worst* case 'degrades' to ARP-type behavior. In very well behaved layer 2 networks (almost none, admittedly) it greatly reduces load at large scale of system. I don't see why avoiding ARP costs 'decades'.

    they created an entirely new and huge problem (destroying SIOCGIFCONF backwards compat hurt IPV6 deployment in operating systems on a massive scale) by not making their sockaddr be a power of 2 in size.

    I still haven't heard anyone explain why that is so catastrophically bad. It may be, but in practice, I haven't seen how this afflicts me.

    Now I will complain that they changed some fundamentals around DHCP (DHCP at all being a near afterthought as they magically thought route advertisement, stateless addressing, and mDNS would be the cure for *EVERYTHING*). However, most of it is probably going to fall into place as soon as more practical deployments start (currently, most v6 trials that end in failure cause people to just walk away from now instead of trying to push fixes).

    --
    XML is like violence. If it doesn't solve the problem, use more.
  9. Welcome to the real world by gmuslera · · Score: 4, Insightful

    ... the one where by far most of the people, even if you go just to the IT ones, ignores even what is IPv6. How many ISPs or carriers now are giving ipv6 as an option? Probably the most common policy now is "let's wait till everyone else already took the first step before moving a finger" (later it will be "let all scream and run in circles")

  10. Re:NAT will never go away by grcumb · · Score: 5, Insightful

    The idea that NAT will go away just because a network is IPv6 is a pipe dream. No sane security admin would ever allow that. The idea that the firewall is the only thing between you and the outside world is, and should be, a non starter.

    IT security is all about multiple layers, and one of them is the fact that you have a DMZ between you and the internet, and that the internet can't route outside of it. That is not going anywhere.

    Look, I don't want to be disrespectful to you as a person, but your understanding of network security is... limited. What the fuck does having a DMZ have to do with NAT? It's true that NAT is the most common way to configure a segregated v4 network, but if you think that NAT is the only (or even the best) way to handle this, you're sorely mistaken.

    This may strike you as heresy, but you can construct your network with public-facing addresses, a DMZ and a network of addresses inaccessible from the outside world (except under prescribed circumstances)... all using public IPv6 addresses. The secret is... wait for it... don't fucking route to them, except when you decide it's okay.

    The simplest way to do this would be simply to refuse connections originating from outside your network for a designated subnet. Hey presto! All the benefits of NAT without the insanity of NAT!

    My employer, a university with campuses in 12 countries, does this already with a public IPv4 block. Last I checked, it was working just fine, thank you very much.

    P.S. Yes, we're IPv6-ready.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
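
The filtering that tweak13 and grcumb describe above (refuse connections that originate outside, allow replies, open specific ports on purpose) can be sketched as a small model. This is an added example, not code from the thread; the addresses come from the 2001:db8::/32 documentation range and are constructed, and the model ignores protocol, TCP flags and state timeouts.

```python
import ipaddress
from dataclasses import dataclass, field


def _ip(addr):
    return ipaddress.IPv6Address(addr)


@dataclass
class StatefulFilter:
    """Toy model of a router's forward path. No address is ever rewritten."""
    inside: ipaddress.IPv6Network
    flows: set = field(default_factory=set)     # outbound flows seen so far
    pinholes: set = field(default_factory=set)  # (inside address, port) opened on purpose

    def open_port(self, addr, port):
        if _ip(addr) not in self.inside:
            raise ValueError("a pinhole must point at an inside host")
        self.pinholes.add((_ip(addr), port))

    def forward(self, src, sport, dst, dport):
        src_ip, dst_ip = _ip(src), _ip(dst)
        if src_ip in self.inside and dst_ip not in self.inside:
            # Outbound: allowed, and remembered so the replies can come back.
            self.flows.add((src_ip, sport, dst_ip, dport))
            return True
        if dst_ip in self.inside and src_ip not in self.inside:
            # Inbound: only a reply to a remembered flow, or an explicit pinhole.
            if (dst_ip, dport, src_ip, sport) in self.flows:
                return True
            return (dst_ip, dport) in self.pinholes
        return False  # not transit traffic for this router


def demo():
    # Constructed addresses: one inside /64, one outside host.
    fw = StatefulFilter(ipaddress.IPv6Network("2001:db8:1::/64"))
    fw.open_port("2001:db8:1::25", 25)
    pc, mail, remote = "2001:db8:1::10", "2001:db8:1::25", "2001:db8:ffff::1"
    return {
        "unsolicited_in": fw.forward(remote, 40000, pc, 22),
        "outbound": fw.forward(pc, 50000, remote, 443),
        "reply": fw.forward(remote, 443, pc, 50000),
        "wrong_source_port": fw.forward(remote, 444, pc, 50000),
        "pinhole": fw.forward(remote, 40001, mail, 25),
        "other_port_on_pinhole_host": fw.forward(remote, 40002, mail, 22),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'accept' if allowed else 'drop'}")
```
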
  11. The big mistake was not making mobiles IPv6 by Animats · · Score: 4, Insightful

    The big mistake was not making mobile IP devices IPv6 from the beginning. Even if they had to go through a NAT at the telco. Most of the growth is in mobile devices.

    Fortunately, most mobile devices respond to updates pushed from the carrier. So mobile carriers need to be encouraged to implement that transition. Carriers are in a good position for this, since they control both ends of the air link. Some of this must be happening already.

  12. Re:Can someone explain IPv6 without NAT? by bbn · · Score: 4, Informative

    How are we supposed to roll out IPv6 without NAT? Can someone explain, and without RANTING about how NAT is unnecessary?

    Ok, not a word about NAT.

    Think about it.

    I am thinking.

    Let's say I set up my company with link local addresses.

    You will not. A link local address is something every IPv6 interface has. You can use it to communicate with other hosts on the same ethernet segment. You cannot use it for communicating with the internet at large.

    IPv6 forbids NAT on routers and firewalls.

    It does no such thing. However nobody has bothered implementing NAT (sorry I said the word) on IPv6. I am sure someday somebody will but few will use it.

    So how are my hosts going to talk to the Internet?

    The minimum subnet size an ISP can assign to a customer is a /64 giving you 2^64 unique IP addresses you can distribute among your computers. In fact, your computers will pick up the prefix (the first 64 bit) from the router and then select the last 64 bit automatically. You will not have to do anything, it will just work.

    Specifically, if I have a link local address of fe80::/10. That's not going to be routable from the Internet. TCP is two-way traffic, so the servers need a return route to me. How is this accomplished with NAT?

    I assume you are asking how it is accomplished _without_ NAT. You are confused about link local addresses. Those are not generally something you will be using. Your computers will get the first half of the IP address from the router and it will make up the last half by using your MAC or by random. All your computers will have unique public IP addresses. Since your computer already has a public IP address there is no need to translate it to something different by NAT.

    NAT is necessary so the ISP can send traffic back to my summarized address. I don't understand how this works when they forbid NAT. Someone please kindly explain how that works.

    You are assuming you only have one address. In fact you will have a minimum of 2^64 addresses. The ISP only needs the first 64 bit of the address to route it back to you. The last 64 bit is handled internally on your network. If you insist, you could say the first 64 bit is your "summarized address".
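
The address layout bbn describes (the first 64 bits from the router, the last 64 bits from the MAC or chosen at random) can be worked through in code. This is an added example, not part of the original comment; the prefix and MAC are constructed, and a plain random value stands in for the temporary-address algorithm real hosts use.

```python
import ipaddress
import secrets

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the MAC, insert ff:fe,
    and flip the universal/local bit of the first octet."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def random_interface_id() -> int:
    """Simplification: any random 64-bit value as the lower half."""
    return secrets.randbits(64)


def slaac_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Router-advertised /64 prefix (upper half) plus host-chosen lower half."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("address autoconfiguration expects a /64 prefix")
    if not 0 <= interface_id < 2**64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def routing_prefix(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """The part the ISP routes on: the first 64 bits of the address."""
    return ipaddress.IPv6Network(((int(addr) >> 64) << 64, 64))


def is_link_local(addr: ipaddress.IPv6Address) -> bool:
    return addr in LINK_LOCAL


if __name__ == "__main__":
    prefix = "2001:db8:1234:5678::/64"  # constructed, documentation range
    mac = "00:11:22:33:44:55"           # constructed MAC
    for iid in (eui64_interface_id(mac), random_interface_id()):
        addr = slaac_address(prefix, iid)
        print(addr, "is routed back via", routing_prefix(addr))
    ll = slaac_address("fe80::/64", eui64_interface_id(mac))
    print(ll, "link-local only:", is_link_local(ll))
```
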

  13. You can't "flip the switch" for decades by George_Ou · · Score: 4, Insightful

    Even if you switch to a public IPv6 address, all your internal stuff will still be IPv4. My home print server and IP telephony adapter are all IPv4. The problem with IPv6 is that you can't entirely switch to it and just shut down IPv4. You have to run dualstack for the foreseeable future. That's why every IT consultant and IT manager and CIO I've spoken to says they don't give a crap about IPv6 because every adopter of IPv6 will have to be backward compatible with IPv4 so why bother running dual stack. Even after all the addresses are assigned, not a single IPv4 device or network will stop working.

    The choice is between IPv4 single-stack or IPv4/IPv6 dual-stack. Given those as the only choices, people are choosing the former instead of the latter. There is no possibility of running IPv6 single-stack. IPv6 will essentially become the new "private IP addresses" that have to translate to "public" IPv4 addresses used by 99% of the IP devices in the world. The only difference is that IPv6 devices will be able to talk to each other without a NAT across organizations.