Slashdot Mirror


IETF Mulls Working Group For IPv6 Home Networking

alphadogg writes "The Internet Engineering Task Force is considering establishing a working group to smooth some of the impending issues around setting up and maintaining IPv6-based Internet connections in homes. 'A collection of protocols needs to be agreed upon, so vendors of equipment used in home networks will have an interoperable suite of protocols available,' said Ralph Droms, a distinguished engineer for Cisco and among those who want to form the IETF working group. Home networking is a fairly new area for the IETF. Many of its standards were designed for large-scale organizational networks, rather than home use."

75 of 104 comments

  1. Huh? by XanC · · Score: 2

    Having read the article, I remain uninformed about exactly what it is they're talking about standardizing. Also, why does a publication called "Network World" assume that I know zero about networking?

    1. Re:Huh? by mellon · · Score: 5, Informative

      The idea is to come up with a standard for what home routers for IPv6 ought to look like. We'd like to preserve end-to-end transparency, which current home routers break, but at the same time we'd like to avoid creating serious security risks for people who are accustomed to the current home router security model. Support for things like DNSSEC and multihoming are also on the proposed charter.

      Home Networking working group description is here.

    2. Re:Huh? by GofG · · Score: 2, Funny

      Readers be aware, please, that the parent has a 4-digit UID and if Appeal to Authority were not fallacious, this user's word would be fact.

      --
      GFA/M/S d-- s: a--- C++++ UBL++$ P+ L+++ !E- W++ N+ !o K- w--- !O !M !V PS++ PE Y+ PGP+ t+++ 5- X+ R tv@ b++ DI++++ D+ G
    3. Re:Huh? by TheReaperD · · Score: 3, Informative

      Yes, all of that and one major point you are missing: Doing all of this with as little to no interaction with the user. The current standards assume a network tech to configure the router. With the home user, that is almost never going to happen. They want to create a set of "defaults" that everyone can rely upon for the auto-configuration.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    4. Re:Huh? by perlchild · · Score: 1

      It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market. (Some of those risks can be lessened by default configurations, proper web based configurators and the like). And the last slashdot discussion of ipv6 left me with the certitude that LTE at least, was IPv6 based.

      On the other hand, it could just mean that IPv6 has failed, as it's the first time the IPv6 model has been presented as "not good enough for the home". Whereas the addressing always implied "one ipv6 for each of your devices" (almost like rfid for bluetooth devices, on the internet, all the time), they didn't figure out the firewalling?

    5. Re:Huh? by slashmydots · · Score: 1

      Really? That sounds logical and all but it sounds to me more like they just want people to have to get a new phone, laptop, and Xbox when they buy a new router. I don't need IPv6 inside my house. That's pointless and some of my devices don't support it. I'm concerned that my ISP needs to get me a modem that can take an IPv6 address and start issuing them to it but that gets forwarded to the department of not my problem. They're the ones running out of addresses, not me. My home network is doing fine lol.

    6. Re:Huh? by Old+time+hacker · · Score: 2

      It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market.

      As far as I know, most of the home routers today are based on open source platforms. [Yes, I know that some models use proprietary operating systems as it allows less RAM to be provided on the box]

      I'm just about to install networked thermostats into my house. The current model is that it connects to a central server somewhere, and, in order to control my thermostat, I also have to connect to that site. This is crazy. I should be able to talk directly to my thermostat (over v6) from my smartphone (without needing to type in a v6 address!) Somehow my home firewall (without configuration) has to know that it can let my traffic in, but not other people who want to change the setting on my thermostat.

      The trick is finding a way to make this happen securely and without configuration. On the face of it, this seems like a challenging task.

      Philip

    7. Re:Huh? by Darinbob · · Score: 1

      Anywhere that IPv6 is not good enough for the home, IPv4 will also not be good enough.

    8. Re:Huh? by mellon · · Score: 1

      Yup, that's correct.

    9. Re:Huh? by mellon · · Score: 1

      Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity. Anyway, based on your use of idiom, I suspect you live in the U.S., or possibly Canada, so you will be able to continue using IPv4 at least until your current set of networked devices wears out and stops working. The world on the whole is quite a bit different than it might seem from where you are sitting—there are places where an IPv6 address is going to be a *lot* more useful than an IPv4 address, in the very near future. Not your problem, but still work worth doing.

    10. Re:Huh? by 0123456 · · Score: 1

      The trick is finding a way to make this happen securely and without configuration. On the face of it, this seems like a challenging task.

      Philip

      I believe you mis-spelt 'impossible'.

      Somehow you need to configure your thermostat to tell it which devices to accept connections from, or you have to open it up to everyone. Otherwise you're expecting magic.

      And the last thing I want is random IPV6 devices opening holes in my firewall by themselves; UPnP is a security disaster zone.

    11. Re:Huh? by mellon · · Score: 1

      Eh? The IPv6 model hasn't been presented anywhere as "not good enough for the home." The problem is that IPv4 home gateways evolved kind of in the same way that layers of barnacles evolve, and we'd like it if IPv6 home gateways had a standard they could check off on their feature list that actually meant something. You know, "Supports RFC8192," where RFC8192 specifies behavior that will work well in the home environment, and won't invalidate all the work that's been done to date to make IPv6 an actual improvement over IPv4.

    12. Re:Huh? by mellon · · Score: 1

      Actually, this builds on a bunch of work done by Apple, who have been shipping IPv6 support for quite a long time. All of your bonjour are belong to IPv6, for example, and if you have a Time Capsule or Airport Extreme, that supports IPv6 as well. Apple got a bit burned a while back because they enabled 6to4 by default, so at this point I'd say they have a fair amount of street cred in the IPv6 home gateway space.

    13. Re:Huh? by tomherbst · · Score: 1

      I expect your house may be either doing or capable of doing a lot of IPv6 if the devices, software, etc. are fairly current. Apple and Microsoft both use IPv6 for many functions, transparent to what the user sees. Apple has used IPv6 (linklocal) for configuring their Airport routers, for example. Many of the cloud based services like back to my mac are tunneling IPv6 in IPv4. Microsoft tunnels IPv6 for their cloud services, also.

    14. Re:Huh? by petermgreen · · Score: 2

      I'm sure some form of v4 service will be maintained for a long time to come. However due to IP shortages some users will not get public v4 IPs, instead their v4 service will go through a NAT controlled by the ISP. Since the user doesn't control this NAT they will not be able to accept incoming v4 connections. Depending on how the ISP implements that NAT they may or may not be able to use NAT traversal techniques (or they may be able to use them but not reliably). These NATs may well be overloaded in terms of either public IP space or in terms of processing hardware making v4 service in general unreliable.

      So while we don't need to immediately replace everything that doesn't support ipv6 it is prudent to make sure it is supported in new kit going forwards. The problem is that most critical work as to how IPv6 is to be deployed in the home environment has yet to be done or is still in its infancy. In theory we could deploy it in the same way we do v4 with NAT in the home router but there are many who would like to see NAT die alongside IPv4 (whether it actually will or not remains to be seen).

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    15. Re:Huh? by XanC · · Score: 1

      I wouldn't say they got burned because they enabled 6to4 by default; I'd say they got burned because their desktop systems then preferred to use 6to4 over native IPv4, which they're not supposed to.

    16. Re:Huh? by isj · · Score: 2

      http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01 has some interesting ideas. At least it is a starting point - we don't want to end up with the same situation as for IPv4 where everything has to be piggybacked on inside-initiated HTTP connections.

    17. Re:Huh? by Obfuscant · · Score: 1

      Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity.

      Which, for most users, is a Good Thing, not A Problem. It allows most users to simply install iTunes on their peecee and turn on sharing so they can access their music library from other peecees without having to worry about someone outside scamming their music. Their "gateway" is keeping the bad guys out by "breaking end to end connectivity", at least when the initiating end is outside the home.

      It is that last item that makes "breaking" a Good Thing.

      Can you give some clues (or even be more explicit) on what mechanisms are being considered to allow "no configuration" end-to-end connectivity to occur? How does the gateway at your house know the address of your phone unless you tell it? Yes, it can know the address your phone is using, but how does it know that it is YOUR phone and should be allowed in?

    18. Re:Huh? by WaffleMonster · · Score: 1

      Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a master's degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf)

      What are the "security reasons" for NAT vs SPI? What is the difference?

    19. Re:Huh? by mellon · · Score: 1

      There are a number of proposals to solve that problem on the table. Perhaps you should consider participating.

    20. Re:Huh? by mellon · · Score: 1

      That's because NATs exist to share (not save) addresses. You can get the exact same security characteristics with a firewall, if that's what you want.

    21. Re:Huh? by hairyfeet · · Score: 2, Insightful

      That brings up something I've been wondering for awhile...how long should a government allow "designed for the dump" products to be brought in before saying no? Because IIRC they had rules with regards to digital tuners in TVs for a decent amount of time before the switch, yet here we are officially out of IPv4 addresses and still the vast majority of routers on NewEgg have NO IPv6 and most likely never will. In fact short of the expensive Apple offerings I don't think there is a single consumer router on NewEgg that supports IPv6.

      Now since we know that when the switch does finally happen these routers are landfill fodder, shouldn't the government step in and "just say no" to bring in this crap? Because from the looks of it until the government does step in the sub $60 routers are gonna be strictly IPv4.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    22. Re:Huh? by Stupendoussteve · · Score: 2

      Get rid of NAT and the gateway has to work as a real firewall, that is all. That is not some security nightmare, unless companies do not actually put a worthwhile default firewall policy into the gateway. Things like port forwarding would not be needed, but only allowing connections on specific ports could still be controlled pretty well and locked down by default; the gateway just doesn't forward the traffic through to the internal interface. The upside is you could allow multiple devices to be accessed on the same port, rather than being forced to use different ports as it is today.

      If your gateway is working correctly as a router, it should not be broadcasting things like iTunes outside the network anyway.

      For your phone bit... a gateway can tell what interface traffic is coming from. If traffic with the correct address is coming from the correct interface, it's a good chance it is an authorized device. If not, then you've probably got bigger problems than someone outside on the internet. If you are speaking of a phone on the external network, it would have to do what any device should have to do with port forwarding today, the phone would have to authenticate to whatever machine it wanted to connect to. It's not like you're giving unfettered access to the entire network just because you remove NAT, if you wanted the phone to have that access then you should use a VPN.

    23. Re:Huh? by Stupendoussteve · · Score: 1

      The security reasons for using NAT are easily overcome with a real firewall, which at this point is not outside of the processing limits of home routers.

    24. Re:Huh? by asdfghjklqwertyuiop · · Score: 1

      The IETF has consistently and adamantly refused to accept that NATs exist for security reasons

      And that's because it doesn't.

    25. Re:Huh? by sjames · · Score: 1

      It won't happen without a change of firmware on the thermostat. Even starting fresh, there would have to be some configuration, especially since your prefix is subject to change over time.

      As for security, a pairing would be needed. For example, the app on your phone could generate a random key. To pair them, you contact the thermostat with the phone and then approve the connection on the thermostat itself to prove you have physical access.
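The pairing scheme sjames sketches above (phone generates a random key, the thermostat only accepts it after someone presses a button on the device) is easy to model end to end. The Python below is an added illustration written for this mirror, not code from the IETF work or from any thermostat vendor; the `Thermostat` and `Phone` classes, the phone IDs and the `set <temperature>` command format are all constructed for the example. It shows the two properties a defender cares about: a stranger on the same LAN can send a pairing request but never gets past the pending table without physical access, and a captured command cannot be replayed because every command is bound to a single-use challenge and authenticated with HMAC-SHA256 under the paired key.

```python
import hmac
import hashlib
import secrets

NONCE_LEN = 16  # fixed length, so "nonce || command" is unambiguous when authenticated


class Thermostat:
    """Constructed model of a thermostat that only accepts commands from phones
    paired by someone physically present at the device."""

    def __init__(self, setpoint: float = 20.0):
        self.setpoint = setpoint
        self.paired = {}    # phone_id -> shared key, written only by button_pressed()
        self.pending = {}   # phone_id -> proposed key, waiting for the button
        self.nonces = {}    # phone_id -> outstanding challenge, single use

    def request_pairing(self, phone_id: str, key: bytes) -> str:
        # A paired identity cannot be overwritten over the network.
        if phone_id in self.paired:
            return "already paired"
        self.pending[phone_id] = key
        return "press the button on the thermostat to approve"

    def button_pressed(self, phone_id: str) -> bool:
        """The physical-access step: moves a pending key into the paired table."""
        key = self.pending.pop(phone_id, None)
        if key is None:
            return False
        self.paired[phone_id] = key
        return True

    def challenge(self, phone_id: str) -> bytes:
        if phone_id not in self.paired:
            raise PermissionError("unpaired device")
        nonce = secrets.token_bytes(NONCE_LEN)
        self.nonces[phone_id] = nonce
        return nonce

    def command(self, phone_id: str, nonce: bytes, cmd: str, tag: bytes) -> bool:
        key = self.paired.get(phone_id)
        issued = self.nonces.pop(phone_id, None)   # consumed whether or not the check passes
        if key is None or issued is None or not hmac.compare_digest(nonce, issued):
            return False                           # unpaired, no challenge outstanding, or replay
        expected = hmac.new(key, nonce + cmd.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                           # wrong key or tampered command
        verb, _, arg = cmd.partition(" ")
        if verb == "set":
            self.setpoint = float(arg)
            return True
        return False


class Phone:
    """The app side: generates its own random key and proves possession of it per command."""

    def __init__(self, phone_id: str):
        self.phone_id = phone_id
        self.key = secrets.token_bytes(32)

    def pair(self, t: Thermostat) -> str:
        return t.request_pairing(self.phone_id, self.key)

    def send(self, t: Thermostat, cmd: str) -> bool:
        nonce = t.challenge(self.phone_id)
        tag = hmac.new(self.key, nonce + cmd.encode(), hashlib.sha256).digest()
        return t.command(self.phone_id, nonce, cmd, tag)


def scenario() -> dict:
    """Owner pairs with a button press; a stranger on the same network is never
    approved; a recorded command cannot be replayed. All identities are constructed."""
    t = Thermostat()
    owner, stranger = Phone("owner-phone"), Phone("stranger-phone")
    owner.pair(t)
    results = {"owner_approved": t.button_pressed("owner-phone")}
    results["owner_set"] = owner.send(t, "set 21.5")
    results["setpoint"] = t.setpoint
    stranger.pair(t)                       # request sits in pending; nobody presses the button
    try:
        stranger.send(t, "set 30")
        results["stranger_blocked"] = False
    except PermissionError:
        results["stranger_blocked"] = True
    # Replay: record one authentic exchange, then resend it verbatim.
    nonce = t.challenge("owner-phone")
    tag = hmac.new(owner.key, nonce + b"set 18", hashlib.sha256).digest()
    results["first_send"] = t.command("owner-phone", nonce, "set 18", tag)
    results["replay"] = t.command("owner-phone", nonce, "set 18", tag)
    results["setpoint_after"] = t.setpoint
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model deliberately leaves out transport encryption and the changing-prefix problem sjames also raises; the point is only that the trust decision is made at the device, by a person, and that the key never has to be typed in.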

    26. Re:Huh? by jrumney · · Score: 1

      UPnP IGD works over IPv6. Even if you are not NATed, it seems it would be a good idea to block all incoming ports at the router unless a client inside the local subnet specifically asks for it to be forwarded. Apple messed up badly on this one by making their equivalent Bonjour based protocol specific to NAT.

    27. Re:Huh? by knorthern+knight · · Score: 1

      Howsabout a home server that accepts ssh connections (key-only, no passwords to brute-force). Connect the thermostats to your home box as "the central server", and ssh to your server when you want to do stuff.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    28. Re:Huh? by davester666 · · Score: 1

      Don't forget, they also need a way to definitively link an IPv6 address with a name, address, home phone number and current drivers license photo.

      --
      Sleep your way to a whiter smile...date a dentist!
    29. Re:Huh? by TBBle · · Score: 1

      That's last year's similar effort. This article's talking about the new WG proposal under the same name, described at http://www.ietf.org/mail-archive/web/homegate/current/msg00821.html

      --
      Paul "TBBle" Hampson
      Paul.Hampson@Pobox.Com
    30. Re:Huh? by sjames · · Score: 1

      That's probably still going to be a firmware update to make the central server configurable.

    31. Re:Huh? by shtrom · · Score: 1

      Stuart Cheshire, the Apple guy behind the mDNS and DNS-SD (a.k.a. Bonjour) Internet-Drafts, is currently involved in the Port Control Protocol (PCP) Internet Draft: http://tools.ietf.org/html/draft-ietf-pcp-base-13.

      “The Port Control Protocol allows an IPv6 or IPv4 host to control how incoming IPv6 or IPv4 packets are translated and forwarded by a network address translator (NAT) or simple firewall, and also allows a host to optimize its outgoing NAT keepalive messages.”

    32. Re:Huh? by sonamchauhan · · Score: 1

      Hah. that's so old school. I started with a modern, 6-digit UID myself. I understand some really cutting-edge folks use 7-digit ones.

      Back in the '90s, it had become obvious that the 4-digit range was going to run out one day... it was just a matter of time.

      Unlike ipv6, the geniuses at slashdot designed their ID system such that a 6-digit and 4-digit ID can communicate directly!

    33. Re:Huh? by TheReaperD · · Score: 1

      Though being paranoid about such things, especially in the MAFIAA controlled US, never seems to be as tinfoil hat as it should these days, it won't matter. Faking an IPv6 address will be a trivial task for even a script kiddie and won't be too hard for anyone willing to read an article they Google. The stupid will still get caught, but the cops have always enjoyed the low hanging fruit of the criminal world to make it look like they do actual work.

      Before anyone gets offended, I know and have met honest, dedicated and smart cops. Sadly they're usually the exception, not the rule. Criminal enterprise has always paid better so they tend to get the better talent as morals don't pay the bills.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    34. Re:Huh? by baerm · · Score: 1

      Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a master's degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf)

      Perhaps many within the IETF understand that NATs exist to generate more address space and they also provide some firewall-like security features. Perhaps some of them might even think that when the additional address space needs are unnecessary, the use of NATs as a firewall is also unnecessary. You might even just use, I don't know, something that is explicitly a firewall and not bother NATing.

      If you really want security, having a device which functions explicitly for security might be better than, "Hey, I'm doing this NAT thing because I want more address space at home instead of that stinking single static (most people dynamic, sigh) IP my ISP is giving me. But now that I have 18 quintillion IP addresses at home I can't possibly get rid of NAT and use a firewall that blocks incoming connections because, ..., Bueller?"

  2. Re:IPv4 all gone? by SuricouRaven · · Score: 1

    IPv4 should have run out by now, but its dominance is being prolonged by many organisations doing whatever they can to postpone the very difficult and very expensive upgrade process. Eventually there will come a point where the difficulty of continuing to keep IPv4 running through scarce addressing and multi-level NAT will grow so great that switching to IPv6 will seem easier, but that point is many years away. For now, it's always easier to buy time with a little more improvisation.

  3. Not necessarily "failed". by khasim · · Score: 2, Interesting

    Whereas the addressing always implied "one ipv6 for each of your devices" (almost like rfid for bluetooth devices, on the internet, all the time), they didn't figure out the firewalling?

    IPv6 has a section for private use.

    FD00::/8

    So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

    Beyond that, it's just a matter of phrasing. The techs designing the home routers/firewalls know what the technology can do. The issue is phrasing that in a way that the home user can make an informed choice on what options they want to enable for which of their machines (connecting to which machines on the Internet).

    1. Re:Not necessarily "failed". by tlhIngan · · Score: 1

      IPv6 has a section for private use.

      FD00::/8

      So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

      Bingo, you've just hit the major problem with IPv6. Despite NATv6 being proposed, no one really wants to implement it even though it would basically mean a plug-and-play installation - remove your IPv4 only router, put in your new NATv4/v6 router, and be done with it. Bonus points for implementing NAT-PT as well.

      After all, one of the nice things with NAT is it means my internal network addresses don't change on the whim of my ISP. They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

      Sure the nice thing is having end-to-end connectivity (only to have firewalls break it), but why can't there be a choice? Those who want full end to end connectivity can have it, those who want to put up with the issues with NAT but have their internal network addressing remain stable, can have it too. We have that choice with IPv4 these days - if we want NAT, we get a router, else we get a switch and get issued a new IP for the other device.

      Besides, the same NAT traversal tricks already exist, so even existing software doesn't have to care. Then there's always port forwarding which is well understood.

    2. Re:Not necessarily "failed". by mikkelm · · Score: 1

      After all, one of the nice things with NAT is it means my internal network addresses don't change on the whim of my ISP. They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

      If "full" IPv6 is used, then surely your local addressing will be handled using FD00::/8 addresses, and no local issues will arise when you're issued new global unicast addresses by your ISP. It's only a PITA if you do it wrong.

    3. Re:Not necessarily "failed". by knorthern+knight · · Score: 1

      > There's also the possibility that some ISPs might end up giving static IP address blocks
      > to all customers. Given the HUGE address space they're being assigned, they have
      > plenty of addresses available to do that. There's no longer a justification for dynamic
      > addresses (reusing oversubscribed addresses).

      That was the thinking when the original internet had /8 addresses handed out. Some people never learn. Fercryinoutloud, a /64 is 2^64 addresses. China's current population is approx 1.4 billion. Assume it grows to 4 billion later this century, a /64 would still supply every man/woman/child in China with 4 billion addresses each.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    4. Re:Not necessarily "failed". by suutar · · Score: 1

      or even just the link-local addresses (fe80::/10). They're based on MAC addresses so they should be pretty stable, no?

    5. Re:Not necessarily "failed". by mikkelm · · Score: 1

      If your network will only ever span a single segment, and if you don't plan on connecting via VPN, sure. Link-local addresses don't route, so if you need layer 3 forwarding, you'd need FD00::/8 addresses.

    6. Re:Not necessarily "failed". by suutar · · Score: 1

      Good point. I only have one segment now, and I don't see that changing, but if it did, link local would no longer suffice. (I'm not sure VPN would be helped by FD00::/8, though. Since I'm presumably VPN'ing from outside, wouldn't I need to use a non-private address anyway?)

    7. Re:Not necessarily "failed". by mikkelm · · Score: 1

      The problem with VPN is that, IIRC, the spec requires that traffic destined for link-local addresses not assigned to an interface on which it is received be dropped. If that's so, a device serving VPN clients should drop any traffic received on a LAN interface with a link-local destination address assigned to a remote VPN client. I'm sure it's possible to find implementations that hack around that issue, but since it's perfectly possible to do it the right way to similar effect (FD00::/8 with EUI-64), those hacks should be ignored.
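The address-scope discussion running from khasim's FD00::/8 post through suutar's link-local question to mikkelm's "FD00::/8 with EUI-64" answer can be checked with a few lines of Python's standard `ipaddress` module. The block below is an added example for this mirror, not code from any of the posters or from the IETF: it derives a modified EUI-64 interface identifier from a MAC (RFC 4291, Appendix A), composes link-local, ULA and global addresses from it, generates a random locally assigned ULA /48 the way RFC 4193 prescribes, and then simulates the renumbering tlhIngan worried about. The MAC, the `fd12:3456:789a::/48` ULA and the `2001:db8::/32` ISP prefixes (documentation space) are constructed values; `classify`, `compose` and `renumbering_demo` are hypothetical helper names.

```python
import ipaddress
import secrets

# Address scopes named in the thread. The three ranges are disjoint.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # never routed off the link
ULA = ipaddress.IPv6Network("fc00::/7")              # RFC 4193 unique local addresses
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")        # the locally assigned half of fc00::/7
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # where ISP-delegated prefixes come from


def classify(addr: str) -> str:
    """Name the scope of an address (constructed helper)."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle.
    Note that this bakes the MAC into every address; RFC 4941 temporary addresses
    and RFC 7217 stable opaque identifiers exist precisely to avoid that."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def compose(prefix: str, iid: int) -> str:
    """Join a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def generate_ula_prefix() -> ipaddress.IPv6Network:
    """A locally assigned ULA /48: 'fd' followed by a 40-bit random global ID, as RFC 4193
    prescribes, so two homes (or a home and a VPN peer) are unlikely to collide."""
    value = (0xFD << 120) | (secrets.randbits(40) << 80)
    return ipaddress.IPv6Network((value, 48))


def renumbering_demo(mac: str = "00:11:22:33:44:55"):
    """Constructed scenario: the ISP swaps the delegated prefix. Which addresses survive?"""
    iid = eui64_interface_id(mac)
    before = {
        "link-local": compose("fe80::/64", iid),
        "unique-local": compose("fd12:3456:789a:1::/64", iid),   # constructed ULA subnet
        "global": compose("2001:db8:1:1::/64", iid),             # old ISP prefix (documentation space)
    }
    after = dict(before)
    after["global"] = compose("2001:db8:2:1::/64", iid)          # new ISP prefix
    stable = [scope for scope in before if before[scope] == after[scope]]
    return before, after, stable


if __name__ == "__main__":
    before, after, stable = renumbering_demo()
    for scope in before:
        print(f"{scope:13s} {before[scope]:36s} -> {after[scope]}  ({classify(after[scope])})")
    print("unchanged after renumbering:", stable)
    print("fresh ULA prefix for a new home:", generate_ula_prefix())
```

Running it shows the global address changing with the prefix while the link-local and ULA addresses stay put, which is mikkelm's point: give internal services ULA names and the ISP can renumber you without touching anything inside. The EUI-64 step is shown because the thread mentions it; a deployment that cares about tracking should prefer the RFC 7217 or RFC 4941 identifiers noted in the comment.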

    8. Re:Not necessarily "failed". by suutar · · Score: 1

      Oh, I see. I didn't know that about VPN. Thanks!

  4. This does not inspire confidence by Marrow · · Score: 1

    "Home networking is a fairly new area for the IETF." -- this statement does not inspire confidence. The majority of the networks in the world are small NAT based networks. Small businesses based around a NAT firewall are indistinguishable from these home networks. And now they say they are just getting around to thinking about the vast majority of networks?

    1. Re:This does not inspire confidence by Zombie · · Score: 1

      Residential networking has been booming lately, and we're only scratching the surface compared to what's about to come. We want to make sure that the home has all the goodness of properly configured, secure, scalable networking without any of the administration overhead. I may be my family's IT department, but I shouldn't have to be. Stuff should just work. That's what this is about.

    2. Re:This does not inspire confidence by petermgreen · · Score: 1

      The thing is with NAT they don't need much thinking about because a NAT box looks like a router with a fixed configuration to its clients and looks like an end device to the ISP. Therefore no special protocols are needed to make everything work automagically (beyond configuring login details etc if the WAN side is PPP).

      However the powers that be have decided (rightly or wrongly) that NAT is evil and not an option for v6 deployment. In the absence of NAT the task of a home router gets quite a lot more complex since it must receive a somewhat dynamic* block of IPs from the ISP and supply those IPs to its clients. A more complex firewall administration system is also needed (the default policy of the firewall will presumably be outgoing connections allowed, incoming connections denied to match the behaviour of existing NAT boxes)

      * exactly how dynamic is likely to vary from weeks to years.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    3. Re:This does not inspire confidence by upuv · · Score: 1

      I honestly can't believe that NAT will not be implemented by vendors of home equipment.

      Of course it will.

      All it will take is an ISP to issue a ridiculously small range to home users and Boom NAT comes into existence as a means of getting around the issue. ISPs are going to try and make money as they do today from issuing static IP ranges to users. You can make more money if you make the ranges small. It's obvious that a money grab will cause home NATing.

      Secondly small devices in the home will be connected as well. I mean everything from alarm clocks to dishwashers. It strikes me as insanity to expose these devices addresses to the network at large without going through some sort of internal filter mechanism. The filter being a combination of firewall / NAT / Data aggregation. These small devices are a rich target space for hackers. As they are going to be basically little Trojan horses in every household inside the protected home network. I most definitely will want them masked behind NAT and a lot of other obfuscating technology.

      So will there be a need for home networking protocols? Absolutely. Stuff that doesn't exist today? Yep. The reason is that more and more minor devices are going to be networked. Stuff that we do not think of as needing it today will be. Most likely all of it wirelessly too. If I can bring home a clock radio that I only ever have to plug into the wall and it magically connects to the home network to get time sync, my favourite music stations, my work calendar and the weather, I'm fairly positive that I don't want hackers into this now smart device that now has access to important personal data. At the same time I want this to magically work when I bring it home.

      There is no standard for this sort of thing today. ( This is where someone brings up some esoteric reference to a standard no one really uses. ) Remember the standards are not just around communication protocols. It will also have a direct influence on the simple user interface conventions. Why? Well simply put we need a method of adding a device to the home network in a very easy and intuitive way. This method must provide a level of trust and security. It must also somehow be able to proxy the users authority. Since many home devices will belong to different individuals in the home each device will most likely have to be branded to a user or set of users. So in the end if there is no standard around these interfaces and protocols there will be a reduction in the quality, usability and security of home networks.

      Back around to the parent post. So I absolutely see a need for home networks to NAT. NAT as just one of many tools used to secure and personalise the home network.

  5. hardware needs updates for IPV6 and software as we by Joe_Dragon · · Score: 1

    hardware needs updates for IPV6 and software as well.

    lots of routers can't do IPV6 and others say we are working on IPV6 updates.

  6. Cisco has its own interoperability issues by linuxwebadmin · · Score: 1

    I've run Cisco SOHO devices such as RV042, RV082, RV016, RVS400, RVL200, and WRV210. In my experience setting up VPNs and firewalls on these devices, they often have interoperability issues between themselves. Also, I've worked with a SRW208 whose web management interface requires you to use IE to manage the device. Based upon these experiences, I'd suggest that Cisco needs to work on interoperability between their own devices before they can provide guidance to others on how to make interoperable devices for home users.

    --
    Show me packet captures and log entries, or it never happened.
    1. Re:Cisco has its own interoperability issues by Relayman · · Score: 1

      Isn't it time to look for an alternative to Cisco? I left them after a customer paid $2,500 for a 16-port switch.

      --
      If I used a sig over again, would anyone notice?
  7. Re:Necessity of it all by 0123456 · · Score: 1

    I think the point is to do away with NAT entirely.

    The question is why that's considered to be a good thing. I like the fact that random web site can't tell which device in my house is connecting to it because they all have the router's IP address.

  8. Re:Nessesity of it all by WaffleMonster · · Score: 2

    Why not maintain the IPv4 for the home scale devices (5 port routers) with a IPv6 WAN side connection?

    What would the point of that be? Some of us care about using P2P services like Skype and don't particularly want random people on the Internet to be intermediaries for our traffic just because you are averse to change. The cold hard fact is there is zero security difference between SPI and NAT. If you count the crap folks are able to pull off in the state machines of 1:many ALGs, SPI is MORE secure.

    It seems very overkill to push IPv6 to the home level even with "network light bulbs" how many can one house have?

    As many as we fricking want!

    Also from a tech perspective can you imagine the support calls with customers rattling off IPv6 addresses all the time?

    I can't imagine end users ever needing to. LLMNR, DNS, ND, DHCP autoconfig... I don't ever have to manually configure an IP Address to get to or do anything in the IPv4 world today. Why would that change for IPv6?

  9. Re:Nessesity of it all by WaffleMonster · · Score: 1

    The question is why that's considered to be a good thing. I like the fact that random web site can't tell which device in my house is connecting to it because they all have the router's IP address.

    Like web sites have any trouble doing that today with fingerprinting and (flash) cookies.

  10. Issue #1 by Megane · · Score: 1

    Get the ISPs to provide IPv6 to their customers.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    1. Re:Issue #1 by tftp · · Score: 1

      Get the ISPs to provide IPv6 to their customers.

      That's the chicken's side of the problem, and IETF just suddenly realized that the egg is also somehow involved. ISPs can't deploy IPv6 because:

      1. There are too few managed (or otherwise) routers that they can use to provide dual stack services.
      2. There is no understanding who does what. For example, who provides DNS for my toaster? I'm not going to enter the IPv6 address each time I want to ping it.
      3. Who is doing the IPv6 autoconfiguration?
      4. Finally, how is the customer going to transition?

      In my dreams I envisioned a box that could have been sold years ago; the box is IPv4 and IPv6 capable, can do IPv6 NAT, can do IPv6 firewall, can do tunnelling if there is no WAN IPv6. Such a transitional box could be deployed right now, and it would work in all networks, and if one day the ISP enables IPv6 the box would simply switch from a tunnel to a proper link.

      I believe such a box is required, and I posted here several times stating that. IETF just now started thinking about it; that is fairly late, don't you think? I can live with a VMware appliance, just give me that image and I will embrace IPv6. My LAN is already IPv6, since my last XP boxes are ready for the landfill. My server is already IPv6, and that's how I like it. But I have no Internet connection via IPv6. I was looking at pfSense and other things, they look good, but honestly I don't have time to mess with them - I have my own work to do.

    2. Re:Issue #1 by upuv · · Score: 1

      How about my ISP providing ipv6 DNS at all. You would be stunned to find out how few actually do.

      Without DNS providing ipv6 addressing, ipv6 is a dead end.

      Note DNS for your toaster would most likely have to come from your own personal router, as the toaster would be using your home ipv6 prefix. It only makes sense that within the address block the sub domain names would be supplied internal to your home. So the name would be like "4slicetoaster.419rigwaystreet.Chicago.us", where your home domain is "419rigwaystreet.Chicago.us".

    3. Re:Issue #1 by DarkOx · · Score: 1

      Great plan, would be crooks can get a complete inventory of my home electronics, just by doing a zone transfer. This will make burglary sooo much more efficient.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
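
    An added example (not code from any poster above) of the home-zone scheme upuv sketches and the inventory DarkOx worries about: the router builds one AAAA record per device under the home domain and the matching PTR record under ip6.arpa. The prefix, domain and device names are constructed for illustration; the interface identifiers are passed in as 16 hex digits.

```python
import ipaddress
from typing import Dict, List

# Added example, not from the thread. Builds the forward (AAAA) and reverse
# (PTR under ip6.arpa) records a home router would serve for its /64, and
# the name of the reverse zone the ISP would delegate to it.
# Prefix, domain and host names below are constructed for illustration.


def reverse_zone_name(prefix: str) -> str:
    """ip6.arpa zone for a prefix that ends on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def home_zone(prefix: str, domain: str, hosts: Dict[str, str]) -> List[str]:
    """One AAAA and one PTR record per device. `hosts` maps a short name to
    the 64-bit interface identifier (16 hex digits) the device uses in `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("home LAN prefix is expected to be a /64")
    records: List[str] = []
    for name, iid_hex in hosts.items():
        iid = bytes.fromhex(iid_hex)
        if len(iid) != 8:
            raise ValueError(f"{name}: interface identifier must be 64 bits")
        addr = ipaddress.IPv6Address(net.network_address.packed[:8] + iid)
        fqdn = f"{name}.{domain}."
        records.append(f"{fqdn} IN AAAA {addr}")
        # reverse_pointer gives the nibble-reversed ip6.arpa name without a trailing dot
        records.append(f"{addr.reverse_pointer}. IN PTR {fqdn}")
    return records


if __name__ == "__main__":
    prefix = "2001:db8:1234:5678::/64"
    print("reverse zone:", reverse_zone_name(prefix))
    for rr in home_zone(prefix, "419rigwaystreet.chicago.us",
                        {"4slicetoaster": "0000000000000010", "fridge": "0000000000000011"}):
        print(rr)
```

    The record list is exactly what an open zone transfer would hand out, which is DarkOx's point: a router serving this zone should answer it on the LAN side only and refuse AXFR (and ideally any query) from the WAN interface, and the reverse zone should not be delegated to the home at all unless that is wanted.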
  11. Because its written for CIOs? by Marrow · · Score: 1

    Just a guess. :)

  12. Re:why? How can you send to IPv6 from within LAN? by yoghurt · · Score: 1

    Assume that you get an IPv6 address assigned to your router. Assume that a computer on your LAN wants to talk to an internet host with IPv6. The NAT box can translate replies from the internet host to IPv4. But how are you going to talk to the IPv6 host? How can you send a packet to an IPv6 address if all you got is IPv4 on your LAN?

    I suppose the NAT box could run DNS and make a look-up table mapping IPv6 internet addresses to IPv4 for your home computer to use. This seems a bit of a kludge and it doesn't help you with raw IPv6 addresses.

    Clearly, we are stuck with IPv4 for legacy devices for at least 10 years (estimate based on time for floppy to die after it became somewhat useless). Assuming IPv6 does come (I am not certain we won't be living with some awful kludge instead), you will want to also do IPv6 within your LAN.

    --
    Yoghurt
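
    An added example (not from the post above) simulating the "look-up table" kludge yoghurt describes: an IPv4-only LAN host asks the router for an A record, the router finds only a AAAA record upstream, lends the name an address from a private pool, and rewrites outbound packets sent to that address. This is the mirror image of the standardised DNS64/NAT64 pair (RFC 6147/6146), which serves IPv6-only clients instead. The pool, names and AAAA answers are constructed; real resolution is replaced by a dictionary.

```python
import ipaddress
from collections import OrderedDict
from typing import Dict, Optional

# Added example, not from the thread. Models a DNS-synthesising NAT46 box:
# each IPv6-only destination is mapped to one IPv4 address from a private
# pool for as long as the mapping survives. The AAAA table stands in for
# real upstream resolution.


class Nat46Mapper:
    def __init__(self, pool: str, aaaa_records: Dict[str, str]) -> None:
        self.aaaa = {n: str(ipaddress.IPv6Address(a)) for n, a in aaaa_records.items()}
        self.free = [str(h) for h in ipaddress.IPv4Network(pool).hosts()]
        self.v4_to_v6: "OrderedDict[str, str]" = OrderedDict()  # kept in LRU order
        self.v6_to_v4: Dict[str, str] = {}

    def resolve_a(self, name: str) -> Optional[str]:
        """Answer an A query for an IPv6-only name with a synthetic IPv4 address."""
        v6 = self.aaaa.get(name)
        if v6 is None:
            return None
        v4 = self.v6_to_v4.get(v6)
        if v4 is not None:
            self.v4_to_v6.move_to_end(v4)
            return v4
        if self.free:
            v4 = self.free.pop(0)
        else:
            # Pool exhausted: recycle the least recently used mapping. Any LAN
            # host still holding the old answer in its resolver cache now reaches
            # the wrong server, so the synthetic answers need very short TTLs.
            v4, stale_v6 = self.v4_to_v6.popitem(last=False)
            del self.v6_to_v4[stale_v6]
        self.v4_to_v6[v4] = v6
        self.v6_to_v4[v6] = v4
        return v4

    def translate_out(self, dst_v4: str) -> Optional[str]:
        """Outbound packet to a pool address: the real IPv6 destination, or None
        when there is no mapping (a stale one, or a host that never asked DNS).
        This is the second limit yoghurt notes: a raw IPv6 literal cannot be
        reached at all, because the LAN host has no way to send to it."""
        return self.v4_to_v6.get(dst_v4)


if __name__ == "__main__":
    box = Nat46Mapper("10.64.0.0/30", {"api.example": "2001:db8::1",
                                       "www.example": "2001:db8::2",
                                       "cdn.example": "2001:db8::3"})
    for name in ("api.example", "www.example", "api.example", "cdn.example"):
        print(name, "->", box.resolve_a(name))
    print("10.64.0.2 now translates to", box.translate_out("10.64.0.2"))
```

    Two hosts in the pool and three destinations are enough to show the failure mode: the third lookup evicts the least recently used mapping, and a LAN host that cached the earlier answer is silently connected to a different server.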
  13. Re:hardware needs updates for IPV6 and software as by SuricouRaven · · Score: 1

    That would be the 'very expensive' part of the upgrade process.

  14. Re:Nessesity of it all by 0123456 · · Score: 1

    Like web sites have any trouble doing that today with fingerprinting and (flash) cookies.

    Yeah, because that's so much easier than just looking at the IP address.

    Nor will they have a great deal of luck when all the computers in the house run the same OS and clear flash crap every time they reboot.

  15. Re:Nessesity of it all by not-my-real-name · · Score: 1

    With IPv6, you could have the router come up with a new IP address for each connection. So instead of everything looking like it comes from the same IP address (as with NAT), you could have every connection look like it comes from a different address.

    --
    un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
  16. Re:Nessesity of it all by cjb658 · · Score: 1

    I wonder if we'll start seeing ISPs billing you extra for every additional device you connect to your home network.

  17. How much of IPv4 is really gone by billstewart · · Score: 1
    • IANA has given out all of its IPv4 space to the Regional Internet Registries (RIRs).
    • Some of the RIRs still have one or two /8s they haven't given out to ISPs and End-Users yet, and APNIC will probably run out this fall; they're all giving it out more slowly now.
    • Existing ISPs mostly have some space left to give out to End Users, and maybe they can get a bit more from their RIR, but not much, and small ISPs may be able to get a bit more from their upstream ISPs.
    • End Users will have a much harder time getting Provider Independent space from their RIRs, and may have to get Provider Assigned space from their ISPs instead. But many end users do have enough space for their existing sites, as long as they're not trying to open new sites.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:How much of IPv4 is really gone by SuricouRaven · · Score: 1

      They can NAT, then double-NAT. If they really need addresses, they can buy from someone else who has some left over. Now that IPv4 addresses are in shortage, they become a commodity.

  18. Re:Nessesity of it all by WaffleMonster · · Score: 1

    Yeah, because that's so much easier than just looking at the IP address.

    Site owners use tools written by others who have done all the difficult work for them. They have no reason to care about a distinction between easy and easier.

    Nor will they have a great deal of luck when all the computers in the house run the same OS and clear flash crap every time they reboot

    Do you really clear cookies every time you reboot? Why not just turn on IPv6 privacy extensions?
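
    An added example (not from any post above) of what "IPv6 privacy extensions" buys over the per-device address 0123456 is worried about. A SLAAC address built from the MAC (modified EUI-64, RFC 4291 Appendix A) embeds the hardware address and follows the device across every network it joins; RFC 4941 temporary addresses are derived from a hash chain and rotate. The MAC, prefix and seed are constructed; the seed stands in for the random history value a real host keeps on disk.

```python
import hashlib
import ipaddress
from typing import List, Optional, Tuple

# Added example, not from the thread. Shows the identifier an EUI-64 address
# leaks and the RFC 4941 section 3.2.1 procedure that replaces it with a
# rotating, unlinkable one.


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: split the MAC, insert ff:fe,
    flip the universal/local bit (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Stable SLAAC address: the /64 prefix followed by the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac)))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 shaped address, None otherwise.
    This is the leak a tracker uses: the same 64 bits show up behind every
    prefix the device ever attaches to, and the OUI names the vendor."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def next_temporary_iid(history: bytes, stable_iid: bytes) -> Tuple[bytes, bytes]:
    """One RFC 4941 step: MD5 over (history || stable IID). The left 64 bits,
    with the u/g bit cleared, become the new identifier; the right 64 bits
    become the next history value."""
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 6, the universal/local bit
    return bytes(iid), digest[8:]


def temporary_addresses(prefix: str, mac: str, seed: bytes, count: int) -> List[str]:
    """`count` successive temporary addresses in `prefix` from a 64-bit seed."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(seed) != 8:
        raise ValueError("need a /64 and a 64-bit history value")
    stable = eui64_iid(mac)
    history = seed
    out: List[str] = []
    while len(out) < count:
        iid, history = next_temporary_iid(history, stable)
        if iid == stable:  # RFC 4941 discards a collision with the public identifier
            continue
        out.append(str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid)))
    return out


if __name__ == "__main__":
    mac, prefix = "00:11:22:33:44:55", "2001:db8:cafe:1::/64"  # constructed
    stable = eui64_address(prefix, mac)
    print("stable   :", stable, "-> MAC", mac_from_eui64(stable))
    for a in temporary_addresses(prefix, mac, b"\x00" * 8, 3):
        print("temporary:", a, "-> MAC", mac_from_eui64(a))
```

    The temporary identifiers are deterministic for a given history value only because the seed here is fixed; a real host initialises it from a random source and then never exposes it, which is what makes successive addresses unlinkable from the outside.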

  19. Re:Or just let IPv6 die by Gerald · · Score: 2

    How old is your data? It's about 3.2% on my servers and growing. I'm going to pop open a bottle of champagne when the percentage of IPv6 users exceeds the percentage of IE6 users.

  20. Internet hippies at IETF by knorthern+knight · · Score: 1

    Some people seem to live in la-la-land. I don't care about the difference between SPI and NAT, but some people do, all in the interest of "end-to-end connectivity". Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09
    > In managed, enterprise networks, virtual private networking tunnels
    > are typically regarded as an additional attack surface. and they are
    > often restricted or prohibited from traversing firewalls for that
    > reason. However, it would be inappropriate to restrict virtual
    > private networking tunnels by default in unmanaged, residential
    > network usage scenarios.

    Hello?!?! WTF should my home network be any less secure than a network at an office???

    > Therefore, this document recommends the DEFAULT operating
    > mode for residential IPv6 simple security is to permit all virtual
    > private networking tunnel protocols to pass through the stateful
    > filtering function. These include IPsec transport and tunnel modes
    > as well as other IP-in-IP protocols.

    WTF?!?! So when some manufacturer makes a bunch of fridges or toasters or washer/dryers that respond to default UserIDs and passwords over a VPN, they'll be accessible to the outside world *BY DEFAULT*.

    It gets worse. http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01 says...

    >The intention is to provide an example of a security model which allows most traffic,
    > including incoming unsolicited packets and connections, to traverse the CPE...

    Ex-bleeping-scuse me. This SPI "security" is a joke. You'll pry NAT out of my cold dead fingers.

    > ...unless the CPE identifies the traffic as potentially harmful based on
    > a set of signatures (and other correlation data and heuristics)

    IDIOTS!!! One of the basic rules of internet security is to enumerate good, *NOT* to enumerate evil. There are new exploits being created all the time. You simply can't keep up with a list of exploits. You're a lot better off deciding what minimal stuff to allow through.

    > that are kept up to date on a regular basis.

    Oh boy. My ISP's router/modem will come with a 90-day trial subscription to McAfee/Norton/whatever. And when I'm watching a movie on Netflix, or whatever, I'll get a popup warning me that the free anti-virus subscription expires tomorrow and that I *MUST SIGN UP NOW*. And the router/modem will have a quad-core processor, but still be dog slow, because it'll be continuously scanning packets, and looking through a list of a gazillion exploits. And just like craplets on new PCs, it'll be almost impossible to uninstall. Like I said, you'll pry NAT out of my cold dead fingers.

    I haven't been a NAT fanboi, but if the internet hippies at IETF get their way, NAT will indeed be the safest way to go.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
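
    An added example (not from any post above, and not the text of RFC 6092) that puts the two arguments in this thread side by side on a few constructed packets: WaffleMonster's claim that a stateful filter and a NAT make the same inbound decision, and knorthern+knight's objection to the draft's "let VPN tunnel protocols through by default" behaviour. The addresses, ports and protocol numbers are constructed or standard IANA values; the three gateway classes are simplified models, not a real CPE.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Added example, not from the thread or from RFC 6092. Three toy gateways:
# a strict stateful filter, the same filter with tunnel pass-through on by
# default, and a NAT44 box. Compare what each does with an unsolicited packet.

PROTO_TCP, PROTO_UDP = 6, 17
PROTO_IPV4_IN_IP, PROTO_IPV6_IN_IP, PROTO_ESP, PROTO_AH = 4, 41, 50, 51
TUNNEL_PROTOS = {PROTO_IPV4_IN_IP, PROTO_IPV6_IN_IP, PROTO_ESP, PROTO_AH}
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


class StatefulCpe:
    """IPv6 gateway with no translation, only flow state (the SPI model)."""

    def __init__(self, tunnel_passthrough: bool) -> None:
        self.flows: Set[Tuple[int, str, int, str, int]] = set()
        self.tunnel_passthrough = tunnel_passthrough

    def outbound(self, p: Pkt) -> str:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "forward"

    def inbound(self, p: Pkt) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "forward"  # reply to a flow the LAN opened
        if self.tunnel_passthrough and (
            p.proto in TUNNEL_PROTOS or (p.proto == PROTO_UDP and p.dport in IKE_PORTS)
        ):
            # The quoted draft's default: IPsec and IP-in-IP reach the LAN host
            # unsolicited, so the toaster's IKE responder is exposed.
            return "forward"
        return "drop"  # enumerate good: nothing else comes in uninvited


class Nat44Cpe:
    """IPv4 NAT with address-and-port-dependent filtering: inbound packets
    are forwarded only to a binding created by an earlier outbound packet."""

    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.next_port = 40000
        self.out_bindings: Dict[Tuple[int, str, int], int] = {}
        self.in_bindings: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, p: Pkt) -> str:
        key = (p.proto, p.src, p.sport)
        if key not in self.out_bindings:
            self.out_bindings[key] = self.next_port
            self.in_bindings[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return f"forward from {self.wan_ip}:{self.out_bindings[key]}"

    def inbound(self, p: Pkt) -> str:
        inside = self.in_bindings.get((p.proto, p.dport))
        if p.dst != self.wan_ip or inside is None:
            return "drop"  # nothing to translate to: the same outcome as the strict filter
        return f"forward to {inside[0]}:{inside[1]}"


if __name__ == "__main__":
    pc, toaster = "2001:db8:1::10", "2001:db8:1::20"      # constructed LAN hosts
    web, scanner = "2001:db8:ffff::1", "2001:db8:bad::1"  # constructed remote hosts
    for label, gw in (("strict", StatefulCpe(False)), ("draft default", StatefulCpe(True))):
        gw.outbound(Pkt(pc, web, PROTO_TCP, 51000, 443))
        print(label, "reply     :", gw.inbound(Pkt(web, pc, PROTO_TCP, 443, 51000)))
        print(label, "SYN scan  :", gw.inbound(Pkt(scanner, toaster, PROTO_TCP, 4444, 23)))
        print(label, "ESP to IoT:", gw.inbound(Pkt(scanner, toaster, PROTO_ESP)))
        print(label, "IKE to IoT:", gw.inbound(Pkt(scanner, toaster, PROTO_UDP, 500, 500)))
```

    One caveat the toy NAT hides: consumer NATs with endpoint-independent filtering (a "full cone" NAT) forward an inbound packet to a mapped port from any remote source once the LAN host has sent anything, which a per-flow stateful filter would not do. So the equivalence WaffleMonster describes holds for the strict filter against a filtering NAT, and the strict filter is the stronger of the two once tunnel pass-through or cone behaviour enters the picture.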
    1. Re:Internet hippies at IETF by arglebargle_xiv · · Score: 1

      Some people seem to live in la-la-land.

      That's certainly been true of the IETF for NAT (specifically, they're in "la-la-la-I'm-not-listening-la-la-la land"), but also for IPv6.

      Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09

      This is now RFC 6092, but your comments are still valid. It's a pretty scary read, things like:

      By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound SYN packet

      because, you know, port-scanners have to be given a chance too. There's a bunch of other longing-for-the-good-old-days 1980s hippie-isms in there as well, the only thing missing is a requirement that we all hold hands and sing kumbaya:

      Someone's SYN-flooding lord, kum-ba-ya, ...

  21. IPv6 support is easy if you do it right by arglebargle_xiv · · Score: 1

    I work for a sizeable (> 50K people) distributed organisation. On World IPv6 Day we disabled IPv6 on everything where it could be disabled (which in some cases required re-imaging machines where there was no way to turn it off completely), and disconnected/shut down anything where IPv6 couldn't be disabled. We had absolutely zero problems or incidents during the entire IPv6 day.

    It's so simple when you think about it. I really don't understand what all the fuss is about.

  22. Re:Nessesity of it all by arglebargle_xiv · · Score: 1

    I think the point is to do away with NAT entirely.

    The question is why that's considered to be a good thing.

    It's not a good thing or a bad thing, it's an IETF article of faith. To the IETF, NAT has been an abomination upon the earth for as long as it's existed, to the extent that they've designed some protocols to deliberately break NAT (why do you think IPsec via IKEv1 and AH was so hard to get through a NAT?) in the hope that it would discourage its use (of course the exact opposite happened and NAT discouraged the other protocol's use). To the IETF, NAT doesn't exist, and where they're forced to acknowledge its existence, it's only to the extent that it has to die. The histrionics over NAT in some IETF RFCs would be almost comical if they weren't so sad.

  23. Oh by all means by ThatsNotPudding · · Score: 1

    let's have Cisco at the table, even if only to act as a moral compass.

  24. Re:Or just let IPv6 die by ahtnos · · Score: 1

    What about the IE6 users coming in over IPv6?