Comcast Begins Native IPv6 Deployment To End Users

First time accepted submitter Daaelarius writes "Comcast has begun deployment of Native IPv6 access to end users. The deployment is starting out small with a single market, but is expected to expand rapidly. They have provided ... more in depth technical details." Finally; native dual-stack IPv6 for home customers. Perhaps we can avoid a post-exhaustion future of NAT-upon-NAT and use restrictions.

Yeah right

[bugs2squash]

until every light switch and toaster has its own /64

Re:Yeah right

[nepka]

Personally I think not being directly connectable (ie., behind NAT) is good security wise. It acts as a nice and easy firewall.

Re:Yeah right

[characterZer0]

Unless you want to be directly connectable.

Re:Yeah right

[BlueParrot]

People underestimate the address space in IPv6 when they make remarks like this.

In principle IPv6 could hold more than 10^38 addresses. Now due to structuring and various reservations and so on there is considerably fewer. So for the sake of argument, let's say it is "only" 10^20. That's still enough that for every present IPv4 address you could add an entire internet and still have addresses left over.

What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.

Re:Yeah right

And why would anyone but an idiot want to be directly connectable to others on the Internet at large?

Re:Yeah right

Wouldn't you want to have your Android/Iphone alert you via SMS while you are in the shower (with phone on the sink counter) that your toast is about to burn? :)

Re:Yeah right

Maybe if you know what your doing securitywise and would like to connect to your own devices at home without the assistance/knowledge/intrusion of your ISP or third party intermediary?

Re:Yeah right

1) being able to serve content
2) easy remote desktop

Re:Yeah right

[vlm]

not being directly connectable (ie., behind NAT)

WRONG.

on ipv4 NAT is generally implemented as a stateful firewall that also rewrites addresses.

There is absolutely nothing preventing a firewall on ipv6 that is stateful, that leaves addresses alone.

The security gain comes from the stateful firewall, not the rewriting addresses.

Re:Yeah right

Personally you think that, and as a good person that should be good enough, right?

You should -- personally, that is -- reconsider that position. NAT was just a horrible horrible crutch until we got to IPv6. NAT does *not* provide *any* security that other solutions can't provide better.

To provide for typical home-user level NAT security with IPv6, all a firewall needs to do is allow outgoing connections and deny incoming connections. Very simple. Heck depending on the tradeoffs you want to make, such a firewall can be stateless (read: you can power cycle it all day long and your download won't be interrupted).

You can have BOTH security *and* not break TCP/IP networking with NAT-free IPv6. All we need to do is re-educate the brainwashed masses who presume NAT == security.

Re:Yeah right

[Klync]

If you can't cook toast, then you probably shouldn't be bringing your phone in the shower with you, either.

Re:Yeah right

[gman003]

That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong. Shut down or secure any unneeded port-bound services, and install a basic firewall on the router to only let the ports you need out (just port 80 may be enough).

Plus, just finding a device on IPv6 can be hard. Given a 64-byte ICMP packet and a gigabit ethernet connection, it would take just under 300,000 years to ping every potential host in a /64. You want security through obscurity? Set your DHCP server to spit out addresses from some random offset instead of from ::1.

Re:Yeah right

[Fujisawa+Sensei]

Don't worry, the'll find a way of fucking this up too. It my take awhile, but you should never under estimate an idiot, idiots are too inventive.

Re:Yeah right

So protocols like bittorrent actually work.

Re:Yeah right

[bugs2squash]

Well that's my concern in a nutshell. That this huge address space will be fragmented to the point where it will be unable to cope with demand for the next generation of networks, not a rehash of the internet that we know and love, but a new world with new and radically different requirements. It's all well and good having a new system that does a much better job of what we do today, but suppose I want a network for each item of clothing I wear, or each particle in my intelligent dust cloud.

Re:Yeah right

[dpilot]

No, I'd want my toaster to alert me, not my phone. I'd want my phone to alert me that YOU are trying to call me while I'm in the shower, giving me the pleasure of knowing that I'm not answering your call.

Re:Yeah right

[BlueParrot]

I should add, that my "for the sake of argument" of 10^20 is an EXTREMELY conservative estimate. In practice the IPv6 address space has an amount of addresses that is greater than the number of stars in the universe.

Re:Yeah right

[nepka]

What does NAT have to do with ISP? Just forward the ports you need to.

Re:Yeah right

NAT is never good. A default firewall rule that only allows in established connections is the proper way.

Re:Yeah right

You do know that IPv6 uses autoconf, not DHCP, right?

Re:Yeah right

If you personally had 4B IP addresses and had 100,000 articles of clothing, each article could have 40,000 IP addresses. I don't forsee a problem.

Re:Yeah right

[JDG1980]

Do you really think the average end-user has any idea what a stateful firewall is? Hell, I work in the IT field, but generally don't deal with this side of things and couldn't give a detailed breakdown on the difference between a stateful and non-stateful firewall.

Currently, non-technical users can get reasonably decent protection just by plugging in an off-the-shelf router, since it does NAT and this requires a firewall by default. If IPv6 leads to users plugging unsecured devices directly into the public Internet, it will be step backward in security, not forward. Technobabble doesn't change that.

Re:Yeah right

[Bill,+Shooter+of+Bul]

If my toaster is smart enough to realize that the toast is burning, and communicate that fact to another device, it should be capable of not burning the toast in the first place.

Re:Yeah right

My ISP assigned a /48 IPv6 subnet to my home DSL: that's wasting at least 99.9999999999999999999 %

Re:Yeah right

More importantly, the most common implementation of NAT in front of end user networks, the Linux kernel, cleanly separates the NAT functionality from the firewall functionality. NAT does not prevent packets from being addressed directly to the local hosts with private addresses. Without the firewall configured, most routers will happily allow external hosts to connect straight through to inside hosts. If you can route these packets to the external interface, NAT is not going to get in the way.

Re:Yeah right

[digitalsushi]

http://www6.ietf.org/rfc/rfc3315.txt

Autoconf currently doesn't assign a prefix delegation.

Re:Yeah right

[digitalsushi]

What does that even mean?

Re:Yeah right

[Bookwyrm]

The bigger problem is because of the ideological dead-end-to-dead-end design, when every one's toaster and light bulb have an IPv6 address, and the anti-NAT zealots have one, is that upgrading to the next generation of networks will be impossible. The inertia caused by having to have everyone upgrade every light bulb and toaster to a new standard will block any advancement in networking technology.

Re:Yeah right

[tchuladdiass]

And what makes you think that the IPv6 off-the-shelf routers won't default to a stateful firewall? In fact, I can't see any vendor not enabling that by default, and advertizing it in big bold letters (not the techno-jargon, but "Buy this box and keep the hackers out"). And the ISPs are likely to include such functionality in their cable/DSL modem, since they could benefit from fewer zombies on the network.

Re:Yeah right

[digitalsushi]

It seems wasteful, but it's a convenient boundary to assign to a customer. v6 makes heavy use of 64 bit subnets. An ISP dolling out 48 bit prefixes can expect their customers to use 16 bits for subnetting information, so customers can reasonably have 65,000 networks to do with as they please.

Look at a 6to4 address: 2002 + your v4 address + ABCD (whatever the heck you want) + 64 bits chosen by your computer.

Re:Yeah right

[dch24]

Mod parent up.

Additionally, many other carriers are already seeing IPv4 exhaustion (due to their own wastefulness in the RFC1918 address space). They are co-opting DoD /8's within their network to try to overcome the problem. [source]

I'll skip the obvious stupidity of "stealing" IPv4's from the DoD. But instead of deploying Carrier-Grade NAT, they're divvying up the internet. In one place, 28.0.0.0/8 takes you to one machine, in another place it takes you somewhere else.

It sounds like the IPv4 internet is going to fall apart simply due to negligence. How's that for an IPv6 killer app?

Re:Yeah right

[Grave]

Sorry, union regulations prohibit the toaster from ejecting until the timer gives approval.

Re:Yeah right

Read the Darwin Awards sometime, they you'll see how absolutely brilliant some idiots can be. They're always finding ways to work around safeguards getting themselves evicted from the gene pool.

Re:Yeah right

[0123456]

That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong.

How are you going to hack into my webcam when it has no publically visible IP address? In order to hack it you need to already be on my internal LAN, so my security is already toast.

Re:Yeah right

And for the sake of argument, how much more expensive will searching that address space be? And don't tell me LISp is going to fix it.

Re:Yeah right

If I have multiple computers on my home network, how do I connect to the one that I want?

Re:Yeah right

[Hognoxious]

I do. What if you allocated 3,999,999,999 IP addresses to one sock?

IIRC this happened in the early days of the internet, except the sock was MIT.

Re:Yeah right

[Hognoxious]

I like my toast burnt, you insensitive clod!!!!

Re:Yeah right

[silas_moeckel]

And anything that can do nat can do state-full fire-walling. I'm tunneled ipv6 at my home it's just as secure as my comcast connection since it's using the same firewall rules. Just because nat requires a firewall to function does not make it a good idea. Lets also remember where nat has one IP thats exposed to be attacked, a ipv6 user is given 1*10^24 IP's finding IP's to attack at random is neigh impossible if the firewall has any intelligence. Sure you can attack IPv6 boxes by finding the IP via other methods. There are already standard being developed so that desktops can grab lots of random IP's used for a short time for there outbound connections to help thwart that.

Re:Yeah right

[Eggbloke]

Surely port forwarding can forward to a specific IP address?

Re:Yeah right

I upmodded two of vlm's posts today. Am I having a stroke?

Re:Yeah right

[jc42]

Don't worry, the'll find a way of fucking this up too. It my take awhile, but you should never under estimate an idiot, idiots are too inventive.

Nah; the ISPs already know just how to do it, and it doesn't require an idiot. All they need to do is use the same method they've used with IP4: They only accept one address at your site, and discard any packets that didn't come from that address or is sent to that address. If you want N addresses, you'll have to pay N x $X, where $X is their current price for a routable address.

It really doesn't matter how many gazillions of addresses IPv6 makes available, you will only get one. Addresses are a commodity, to be leased for a profit.

The phone system has worked this way since the beginning of phone numbers, and nobody ever complained. The phone system also has "extension" numbers, which in the IP world are called "port" numbers. But the ISPs have caught onto this, and most of them now block lots of your port numbers. They can do the same with IPv6, with the code they already have. So if they like, they can also charge you extra for not blocking a port. They do this with IPv4 around here, where you have to pay double for a "home business" account if you want ports 21 or 25 or 80 or anything >1023 unblocked.

Can you think of any reason they can't implement exactly the same limits with IPv6 that they currently have with IPv4?

(It is sorta funny that the old phone companies never caught onto this. They could have signed you up for a phone, and then when you complained about blocking, they could say "Oh, you didn't say you wanted to accept incoming calls. That'll be another $45/month. Shall I sign you up?")

Re:Yeah right

[neonKow]

I agree. There's almost nothing you need to do right now that requires you be directly connected, even in a commercial environment, much less a home environment. You don't need to be directly connected to the internet to host webpage or for bittorrent to work. You only need a single port for each of those, and sticking those behind a gateway/bastion host is fantastic.

Maybe if IPv6 takes off, we'll want to be able to configure all our devices remotely, but that is not the case for most home users today. We're suffering from too much access to machines, not too little.

Re:Yeah right

Fuck you, you're the problem. Use an outbound-only firewall if you want a firewall. Don't break end-to-end connectivity because you read a oneliner in an online security article.

Re:Yeah right

[Grishnakh]

Exactly, this is really quite trivial, and AC seems to be rather ignorant. Just set up port 23 for computer A, port 24 for computer B, port 25 for computer C, etc. Then ssh to 111.222.333.111:24 when you want to connect to computer B.

Re:Yeah right

[GPLHost-Thomas]

That's reverse thinking. If you need a firewall, setup a firewall, don't setup NAT instead.

Re:Yeah right

[cyborg_monkey]

you are a complete moron.

Re:Yeah right

[silas_moeckel]

They still need a box at there end just like the box they use for nat now. IPv6 will not lead to bridged networks to you ISP. You you have two options plug one pc directly into the box or get a CPE router this is the exact same choice they have now IPv6 is changing nothing. Hell in some ways it's better since the newer telco CPE gear is generally configured as a router with firewall and moving to IPv6 will require new cpe gear for most. One of the big reasons for giving customers more than one public subnet is so they can have multiple routed subnets that just work. Ever seen that scary friend that plugs a netgear into a airport into an AT&T dsl box? 3 distinct layers of nat sometimes overlapping IP address ranges 192.168.0.x plugged into 10.0.0.x plugged into 192.168.0.x and wonders why things do not work? Tried finding a straight wired switch of a wireless bridge? 5 port + wireless cpe routers are dirt cheap, you average clueless customer buys those they have statefull firewalls.

Re:Yeah right

[noems]

lol

Re:Yeah right

[Tuan121]

So what you are saying is that we'll have to do a NAT behind the Sun once ipv6 is allocated to every solar system in the universe?

Fuck.

Re:Yeah right

What does that even mean?

I won't get into what that means (it seems pretty obvious to most, I'd say), but what YOUR reply means is that you clearly don't deal with people much at all, ever, up to and including the point where you cloister yourself away from the real world and only ever converse with a very limited set of people who share all your interests and talents.

In short, you're the sort of person who gave internet users a bad name. In the 90s.

Re:Yeah right

[cayenne8]

They can do the same with IPv6, with the code they already have. So if they like, they can also charge you extra for not blocking a port. They do this with IPv4 around here, where you have to pay double for a "home business" account if you want ports 21 or 25 or 80 or anything >1023 unblocked.

Hmm...I only pay $70/mo for my 'business' account I have at home. I get static IP, no ports blocked, no data caps, can run any servers I want...etc.

I think its a pretty good deal....with decent speeds. $70 is double what most people pay for normal consumer access at home these days? I thought it was a bit more than $35/mo.....?

Re:Yeah right

You just sit and wait...

Re:Yeah right

[SomePgmr]

That's an entirely common and functional hack that exists to deal with the scarcity of IP addresses. And simply that.

I'm not exactly all gung-ho on the ipv6 thing (yet), but having to deal with a purely digital resource as a limited thing is kinda silly, and needs to be corrected eventually.

Re:Yeah right

[silas_moeckel]

Better yet some OS's can generate temp IP's so the IP you used to connect to a web site 2 seconds ago is already turned off and a new one used. OS level fire walling can automatically firewall all inbound to these temp IP's. Meaning you do not ever have to use your real IP for outbound connections. When a computer advertises a local service through something like bonjour or DNS it uses it's main IP. Sure people sill know it's all coming from the same /64 and apps will track it like they track nat ip's now.

Re:Yeah right

Your post is hilarious, because you somehow think the widespread use of NAT helps facilitate the advancement of network technology.

Re:Yeah right

[polarsd]

I remember people saying this at the approx 2*32 address space of IP back in the 80s, and I thought, "that's not going o be enough". I'll say the same thing now.

Re:Yeah right

[GPLHost-Thomas]

Addresses are a commodity, to be leased for a profit.

That's what many ISP and hosts are trying to let you believe. In reality, when you get your IPs from APNIC / ARIN / RIPE, that's not the way it works. You wouldn't pay more if you were needing more IPs.

Re:Yeah right

Eh, no.

The security gain from NAT comes from the fact that addresses behind the NAT don't exist on the Internet. I could have an unpatched copy of Windows 2000 with every service imaginable running behind a NAT and nobody would be able to attack it from the Internet because it simply wouldn't be addressable from the Internet. I'd have to manually set up port mapping before a request to my real Internet address knew how to get to machine. The fact that there isn't a relationship between the real address and the private address unless explicitly defined is where the security comes in.

Re:Yeah right

[lordholm]

Easy firewall???

Seriously... NAT is not easy to configure (at least not in any of the routers I tried it). An IPv6 firewall however is dead easy, a home router typically defaults to turning off all incoming traffic to IPv6 anyhow.

Re:Yeah right

[QuasiEvil]

Well partially, but I'd argue the addresses have a lot to do with it, too. My home subnet is 192.168.77.0/24. My firewall blocks anything coming from the outside world bound for 192.168.77.0/24. That's nice, but doesn't really ever do anything because damn near every router between me and a potential attacker drops packets that are to or from the reserved networks, because it has no idea where to send them. About the only way it would be a viable attack is from somebody who had control at my upstream ISP.

A non-NAT scheme depends - almost entirely - on my firewall not sucking. I try, but I have in the past screwed that up when changing rules and haven't realized it for days until something seems to be a bit wonky. My motto is if you can't get a packet to it, you can't attack it.

Re:Yeah right

[GPLHost-Thomas]

Yeah, and by the way, Apple owns a patent on toasters that "realize that the toast is burning", so you can't make one (even though Apple didn't release the iToaster yet).

Re:Yeah right

That's the recommended size to be allocated to ISP customer networks. 65536 times as many networks of that size as there are IPv4 addresses can be assigned with IPv6. More than 200000 billion.

IPv6 allocation policies are heavily geared towards making sure that no single entity will ever need more than one prefix, to simplify routing. The "wastefulness" has a purpose. The address space is designed to be used that way.

Regarding the initial comment: Of course light switches, which are not routers but leaf nodes of the network, will not get 2^64 addresses. Each light switch (and light fixture, toaster, etc.) may get one of the 2^64 addresses in each of the 2^16 networks under the 2^48 prefix.

Re:Yeah right

[Bucky24]

Who is your provider? You're paying less than I pay for consumer grade internet...

Re:Yeah right

You do know that IPv6 uses autoconf, not DHCP, right?

10 years ago you would have been right. DHCP has been part of IPv6 for quite some time now.

Re:Yeah right

[gtbritishskull]

How do you hack into a webcam through a firewall that does not allow incoming connections? I'll tell you how, and its the same way you would do it if were behind NAT (with no publically visible IP). You compromise another computer on the network (or that computer) and have it make the connection to you so you get through the firewall, then use that computer to compromise other computers on the network. That is usually accomplished by getting the dumbass who owns the computer to run a program that you send to him. Its all social engineering, regardless of whether it is NAT or IPv6.

Re:Yeah right

[bakuun]

It doesn't matter whether you're on ipv4 or ipv6 if you want to have a firewall (on a NAT or not). The only difference security-wise is that ipv6 gives better security through the higher number of ip addresses. Currently, bots performing port scans in the ipv4 space have a reasonably chance of hitting something if they choose a random ip address. That problem doesn't exist in ipv4: the sheer number of possible ip addresses means that servers connected at difficult-to-guess ipv6 addresses are very unlikely to be located by these scattershot approaches.

Re:Yeah right

[Imrik]

I can only think of a few ways we could run out of IP addresses with IPv6. First and most likely, if they are allocated in blocks far too big for any reasonable use. Second, if we develop an interstellar network. Third, if we develop nanotechnology to the point of making self replicating machines, each with their own IP.

Re:Yeah right

[Obfuscant]

What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.

And yet, according to the Comcast announcement, if you are paying for just one device, you get just one IPv6 address. They call it "directly connected CPE". Yes, on my home network, I have one directly connected device -- the NAT router.

I'm also confused by their statement that the device must understand "stateful DHCP6". Why? The cable modem gets assigned one IPv6 address on the cable side, and it serves one IPvX address via DHCP to the CPE. What changes? Why not make the cable modem the IPv6 to IPv4 gate and simply use good old DHCP on the CPE side?

Re:Yeah right

[NetDog_CO]

Agreed.. NAT is not a firewall, and that is reverse thinking. I dont know how many times I have to say that to home users that dont really understand.

Re:Yeah right

DNS rebinding or any other form of reflection attack. Or if I happen to be on the same broadcast domain as the external interface of your NAT device, I'll just address your camera directly.

NAT allows your devices with private addresses to borrow your external address. That's all it does. NAT enables more connections, not fewer. If you want to prevent some communication, use a firewall.

Re:Yeah right

It acts as a SHITTY and easy firewall. The security NAT offers is better than nothing at all, it's true, but unless you're completely braindead about security you're going to have to have another firewall on top of it anyway, so what's the point?

Re:Yeah right

[Dagger2]

I think you might not have quite gotten your head around just how much bigger 2^128 is compared to 2^32.

There are 5000 /48s per person on the planet -- out of 2000::/3 alone. (Remember that a single /48 has 80 bits of addresses in it. You could take the 2^32 addresses in IPv4, copy them 2^32 times and still only use 1/65536th of the space in a /48.)

If we do somehow manage to allocate the entire of 2000::/3, there are an additional five completely unused /3 blocks available, in which we can simply start over with tighter allocation policies.

It's going to be enough.

Re:Yeah right

[JDG1980]

And what makes you think that the IPv6 off-the-shelf routers won't default to a stateful firewall? In fact, I can't see any vendor not enabling that by default, and advertizing it in big bold letters (not the techno-jargon, but "Buy this box and keep the hackers out"). And the ISPs are likely to include such functionality in their cable/DSL modem, since they could benefit from fewer zombies on the network.

Hopefully you are correct.

Re:Yeah right

What are you talking about? I use Linux every day. I use Linux iptables every day!! Linux NAT and Firewall are the same code.

ip6tables -A FORWARD -i ppp0 -m conntrack --ctstate NEW,INVALID -j DROP

Oh wow, finished my "stateful" firewall setup for IPv6. Need stateful IPv4? Replace ip6tables with iptables. Need NAT? Then you need at least 2 more lines in iptables! Stateful firewall is much easier to setup for IPv6 than IPv4 precisely because there is no need to dick around with -j NAT in addition to -m conntrack.

Secondly, if you really want, SNAT and DNAT work just fine in IPv6. But there is absolutely no reason to use it unless you want to setup some sort of connection balancing gateway.

Re:Yeah right

[cayenne8]

Who is your provider? You're paying less than I pay for consumer grade internet...

Cox Cable Business.

$69/mo....static IP, no caps, all the servers I want to run, basic level SLA (and the few times I've had to call, even in middle of the night, they had a guy out on the pole to look things over in less than an hour)...good service. I'm happy. Speeds are roughly 13-14 Mbps down, and 4-6 Mbps up...the upload used to be faster before I moved and had the service moved with me...

Re:Yeah right

[Piata]

That even if you make something idiot proof, eventually we'll encounter a better idiot.

Re:Yeah right

[Bucky24]

Oh... I don't think they provide service out where I live :(

Re:Yeah right

You wouldn't be hired here for a number of reasons:

1. You conflate "addressability" with "reachability"
2. You are fine with NAT-ing everything, without showing at least a grasp of its drawbacks,
3. You think running Windows 2000 unpatched behind NAT is "good security."

If you have such a hard-on for NAT and your other completely boneheaded "security ideas," please stay on IPv4. Forever.

Re:Yeah right

[Z00L00K]

So you want every idiot on the net to toggle your light switch?

Re:Yeah right

Can't answer for cayenne8, but my Comcast 20/5 business connection with 5 static ips is $99/month.

Re:Yeah right

[Rising+Ape]

How is that better than simply having each address correspond to a unique machine? Seems more of a hack to me, and of course you can't use a "standard" port (e.g. 80) on more than one machine.

Re:Yeah right

IPv6 has little to do with number of address spaces, though that is a benefit. IPv6 is all about routability of the pockets. /48 is basically dedicated for internet routes. /48 - /56 - is virtually dedicated for internal ISPs routes /56-/64 - customer routes

Routers don't have to dick around with 1MB routing tables. That is critically important on the backbone with 100+GBps traffic on a router. It can just switch based whether one specific bit is set or not. That is very fast. Currently, the switching is a bitch with IPv4 not just because of route clusterfuck but also due to design of IPv4 pockets themselves. For example, the IPv4 header checksum has to be recalculated every single time TTL is reduced - that's every router on the internet!! In IPv6, there is no header checksum as it is quite useless, this makes processing packets much faster. And if your pocket gets corrupted, well, it is discarded anyway.

There is also no packet fragmentation in IPv6 unlike IPv4 mess. Packets too large are discarded and error returned that packet was too large, make it smaller at the server/client side, not at protocol later. This means more efficiency.

There are other simplifications and improvements, but I would like to keep this to 1 volume for now :)

So there you have it. You want faster, less latency, higher throughput internet? IPv6 is the way. You want public addresses? IPv6 is a solution too.

IPv6 is not just to address lack of address space. IPv6 is what IP should have been like in the first place.

Re:Yeah right

That didn't help matters, but was not the real cause of the problem. There are more than 4 billion people in the world, so regardless of allocation method, there aren't enough addresses. As long as we aren't completely stupid about allocation (e.g. don't give people more than *one* IPv4 Internet unless there's a good reason) we should have no problem for the foreseeable future.

Re:Yeah right

[Rising+Ape]

It really depends on your computers, IP toasters and whatever not sucking. There's *no* good reason for a modern home device to be vulnerable out of the box just by being connected to a network, separate firewall or not. These issues have been known about for a long time. Even Microsoft have got the hang of it now.

Re:Yeah right

the math is still pretty hard core against said hacking.
it would take 300+ thousand years to find it, and being publicly accessible would give incentive to put a decent firewall on the damned thing (you can run a full statefull firewall on 40 MHZ with a wopping 8 megs of ram. a birthday card has more processing power)

the NAT security thing is just IT sour grapes.

Re:Yeah right

[DarkOx]

Okay smarty pants, now imagine your home NAT is behind a NAT your ISP is running, which probably uses and address pool rather than a single address. They won't forward ports for your because that is all they'd do all day, if they did and tricks like hole punching and STUN won't work reliably because there is nothing to ensure a new connections have the same visible source address on the *real* Internet.

Also NAT is not security at all at least in the PC world, as I can get you to make an outbound connection to me, lots of ways.

Re:Yeah right

[makomk]

We've been heading to ISP-level NAT with no way to forward ports for a while, actually - a lot of mobile providers already have it, both for phones and tablets and for their mobile broadband offering, and I think in some areas of Asia all ISPs use it.

Re:Yeah right

[Grishnakh]

It's better because it doesn't require the entire world to suddenly change the way it's been doing things all along and switch to a completely incompatible system. Eventually, we might get there, but last I heard even Google wasn't too keen on IPv6, and that would be a big problem.

And yes, you can use a standard port on more than one machine. The NAT router takes care of translating the ports. You can have 10 machines all listening for ssh on port 22, and the router will take care of translating 22..31 to each machine appropriately. Of course, you have to remember which port goes with which machine when you're sshing in from the outside, but then again how many home users actually do anything like this?

Re:Yeah right

[Grishnakh]

They won't forward ports

They already forward ports; they just don't do any special configuration. So if you initiate traffic from the outside to port 4264 on your internal network, your iSP will forward that on to you at the same port. They don't need to do special configuration; that's your job.

Also NAT is not security at all at least in the PC world, as I can get you to make an outbound connection to me, lots of ways.

No, you can't. If my webcam is sitting behind NAT, and never initiates any connections, there's no way for you to make it initiate an outbound connection to you.

Re:Yeah right

[muon-catalyzed]

Stateful firewall? Give me a break, 90% of users do not even password protect their wi-fi router, they DHCP everything, plug&play. Now this good old 'NAT by default' on ip4v is the only thing physically protecting us from the zombie PC botnet apocalypse.

Re:Yeah right

NAT is a terrible hack, and its usefulness was never particularly welcome in the first place.

it's you who sounds like the zealot, friend.

Re:Yeah right

I regularly deploy boxes where the *only* open ports are things I want the public at large to connect to (or in the very rare case I want to open a port but lock it down, I use something like tcpd's hosts access lists).

I want things to be secure, and I want things to *work* so naturally, there is *no* NAT.

Re:Yeah right

Even Microsoft have got the hang of it now.

lolrelevant: http://technet.microsoft.com/en-us/security/bulletin/MS11-083

Re:Yeah right

[TheRaven64]

2^32 is not enough for everyone on the planet to have one IP address. If you're allocating /48s, then it's enough for everyone on the planet to have about fifty thousand /48 subnets. Or, to put it another way, it's enough for every building to have one /48 and still have sparse (and easily routable) routing tables. If every building has one /48, then you've got enough addresses for every component in every man-made artefact in the building to have its own IP address, without denting the address space. You've probably got enough addresses for every atom in the building to be individually addressable.

Re:Yeah right

[SScorpio]

Third, if we develop nanotechnology to the point of making self replicating machines, each with their own IP.

That's probably a good limitation.

http://xkcd.com/865/

Re:Yeah right

[Chris+Mattern]

That's what many ISP and hosts are trying to let you believe. In reality, when you get your IPs from APNIC / ARIN / RIPE, that's not the way it works. You wouldn't pay more if you were needing more IPs.

That's great...if you're getting your IPs from APNIC / ARIN / RIPE. If you're getting your IPs from your ISP, you'll pay what they say they cost or you can just stay offline.

Re:Yeah right

[Bookwyrm]

It's not about running out of IPv6 addresses, it's about what comes after IPv6 in terms of protocols.

Unless you believe the IPv6 is the ultimate protocol and there will never ever be anything any better than IPv6, of course. Feel free to inform all the schools and tech companies that there is no point in any further R&D in this field.

If you might happen to believe that maybe some day someone will come up with something that is just an inherently better designed protocol than IPv6, then deploying IPv6 with the anti-NAT zealot brigade is stupid, because should something better come along, doing the network migration from an IPv6 network is going to take forever.

And that is a step backwards for network design. It should be easy to migrate *from* a network to new technologies, not get locked into a dead-end-to-dead-end addressing scheme.

Re:Yeah right

[Drishmung]

Can you think of any reason they can't implement exactly the same limits with IPv6 that they currently have with IPv4?

ISPs will give you an address block, not just one address. IPv4/32 --> IPv6/56 (most likely). What you won't get is a /128. And as for why? Well...

• a whole lot of RFCs, including http://tools.ietf.org/html/rfc4941, which is turned on by default in Windows.
• Also, economically, you can only charge a premium for a scarce resource if it is indeed scarce. IPv6 addresses are not a scarce resource.
• Handing out a single IPv4 address only works in practice because customers can use IPv4 NAT (NAT44). IPv6 NAT (NAT66) does not exist.
• Residential gateways (cf standard TR-124 of Oct 2010) as now being built assume an address block, not a single address.
• It would cost the ISPs more to do this than to do the sane, obvious and standards compliant thing, for no likelihood of extra revenue

That's theory...what about practice?

If you hang out on the IETF v6ops list, which representatives of all the world's major ISPs do, you will see that none of them have any intention of offering customers a single /128.

Re:Yeah right

[SuricouRaven]

Until you want to use some form of VoIP other than Skype (Which has sophisticated counter-NAT measures) or transfer a file in an IM client or IRC, or use FTP, or host a game server for friends to play on, or even just get your new game console to do voice chat right. NAT, even with UPnP, is still fiddly to set up right.

Re:Yeah right

As usual, every IPv6 thread has its own cretins who think that NAT equals security, despite the fact that every application that needs to have direct end to end connections penetrates it and goes about its business anyways.

Re:Yeah right

[unixisc]

The average user has no idea what NAT is either. All s/he does is take down the IP addresses that the ISP gives her/him, check that it connects, and gets to work. Enabling the firewalls that come either w/ the OS, or other Internet Security utilities, is what completes the security set-up of the configuration.

Re:Yeah right

[omnichad]

So that we have an "Internet."

Re:Yeah right

[Lokitoth]

Not to mention that UPnP essentially reduces your NAT "security" to nil.

Re:Yeah right

[nepka]

Also NAT is not security at all at least in the PC world, as I can get you to make an outbound connection to me, lots of ways.

Go ahead and please demonstrate. How will you make create outbound connection to you?

Re:Yeah right

[unixisc]

Since they are running out of v4 addresses, all that NAT is no good, since it can't connect your 192.168.23.45 anywhere outside your LAN. If they DHCP everything in IPv6, they can do so (depending on how they do it) and yet keep their nodes protected by having dynamic addresses, which wouldn't be trivial to scan for. Yeah, it would be better if they did password protect their wi-fi routers, but not moving to IPv6 just b'cos they don't is the lamest excuse I've heard for not moving.

Re:Yeah right

[unixisc]

Autoconf is optional. Sure, some OSs (like BSD) have made it their default, but it needn't be. DHCP6 has been a part of IPv6 for a while now, and is likely to be a part of any IPv6 set-up even if auto-conf is used. Also, the reason Autoconf doesn't assign a prefix delegation is that it only creates the lower 8 bytes of the address, whereas the prefix delegation comes from ICMP6.

Re:Yeah right

[Obfuscant]

If you hang out on the IETF v6ops list, which representatives of all the world's major ISPs do, you will see that none of them have any intention of offering customers a single /128.

Oh?

For directly connected CPE, we will allocate an individual IPv6 address (/128), since we know that only a single device is connecting, with no additional need to subnet.

-- from the horse's mouth, so to speak.

Re:Yeah right

[shoehornjob]

Since Comcast started deploying DOCSIS 3 modems before the IPV6 pilot program started and because there's still quite a variety of modems from different manufacturers in the ecosystem I'd be really surprised if they put stateful packet inspection in the modem. That would require a HUGE firmware deployment and all the potential problems associated with it. Most decent routers already have stateful packet inspection onboard so it makes sense to not do this. And SPI can't protect you from driveby attacks because the user has already been tricked into accepting the connection so the packets are valid. Truth in posting: I am a Comcast employee.

Re:Yeah right

[omnichad]

Seems like a good argument for running services like SSH on a different IP from everything else.

Re:Yeah right

[unixisc]

Actually, let's split this. Since IPv6 has its top half as the Network address and the lower half as the interface ID, it allows for 281,474,976,710,656 (i.e. 2^48) networks and 18,446,744,073,709,551,616 (2^64) addresses within any network. Now the latter is the number of addresses one could have behind a switch, or a wi-fi router, which, DHCP'ed properly, can ensure that IP scanning malware can't detect it. What's important - it exceeds all the addresses available from a NAT by at least a factor of 2^56, completely burying the number of addresses even a NAT can free up. The former - just within any RIR, you'd have close to 4.3 billion networks, which is more than the total number of publicly available IPv4 addresses available today.

Re:Yeah right

[jc42]

For directly connected CPE, we will allocate an individual IPv6 address (/128), since we know that only a single device is connecting, with no additional need to subnet.

-- from the horse's mouth, so to speak.

Heh. So much for ISPs implementing standards.

We might also note that, for most people, their ISP is a local monopoly. If you don't like their Terms Of Service, you can move. Or live without Internet access.

It'd be nice if your local government would enforce the Internet standards. But we should all know the likelihood of that ever happening in any jurisdiction.

(Actually, it is conceivable that various courts might decide that offering "Internet service" means supplying all the capabilities in the RFCs. To my knowledge, this has never happened in any court. But it might be something to keep in mind, and push for if you're ever in a situation where you can explain it to the court. After all, offering "Internet service" and denying some capability in some RFC really should constitute "consumer fraud" in any honest courtroom. But I wouldn't hold my breath waiting for this to happen. ;-)

Re:Yeah right

[Bengie]

"It really doesn't matter how many gazillions of addresses IPv6 makes available, you will only get one. Addresses are a commodity, to be leased for a profit."
"Can you think of any reason they can't implement exactly the same limits with IPv6 that they currently have with IPv4?"

I can. Every OS/Router assumes you have full access to AT LEAST a /64 or WILL BREAK. So.. yes, ISPs will give you at least /64s if they want IPv6 to work with any major OS.

Re:Yeah right

[Bengie]

"That this huge address space will be fragmented to the point where it will be unable to cope with demand for the next generation of networks"

Since IPv6 routing is hierarchical, the actually physical routes would also have to be fragmented just as badly.

Re:Yeah right

Oh, any number of ways: you download a trojan, DNS spoofing, heck I can post to a forum you regularly use that lets me add arbitrary tags to posts.

Again, your NAT zealotry is misplaced. There is no polite way to say this, so I'll just say it: You are factually wrong. Just.. wrong. You may as well be arguing the sky is green, or 2+2=5.

You can man up and just say "I am wrong." No one is going to hurt you.

Re:Yeah right

You can configure NAT without configuring firewall functionality and vice versa. They're clearly separate functions of the kernel, even though they certainly share code (connection tracking, etc.).

The important aspect that needs to be understood is that NAT does not in any way limit inbound connections. NAT enables connections. The firewall restricts connections.

Re:Yeah right

[Pseudonym+Authority]

That's not security at all. It only servers to kill the peer-to-peer nature of networking.

Re:Yeah right

[hairyfeet]

And what do you do about the scanners looking for holes to punch? looking at the firewall logs its pretty much constant hits from China looking for past OS vulnerabilities which like it or not NAT does keep them from doing more than just slamming up against the firewall.

And IP V6 is fine and dandy if your corporate, but what about home users? the ONLY IPV6 router i've seen is the Apple one and at $100 is not only overpriced for the average home frankly its way overkill, with tons of features they'll never use. meanwhile the $25-$50 home routers are ALL IPV4, even on Newegg there is nothing but IPV4 as far as the eye can see.

I've said it before and I've said it again, IP V6 is gonna be a royal clusterfuck. Not having backwards compatibility, no way to set up an easy NAT for home users, sure we have to switch but its gonna be ugly and I wouldn't be surprised if networks are flaky as hell for awhile, especially stuff in the flyover states. finally this'll also be a gold mine for the *.A.A who have wanted one IP address per person for awhile for their John Doe lawsuits.

Re:Yeah right

[unixisc]

With IPv6, any ISP is expected to provide you w/ a /64, not a /128. For a business, that can go to your router (preferably a level 3 switch) which can then be connected to all the workstations in your network. So if the 5 static IPs you have provide one end of a NAT, you'd be needing just a single /64, which may not cost the same as your 5 static IPv4 addresses. And even if they are going to 5 PCs, you can still have 5 static addresses out of the /64, and plenty left over as you add more terminals.

And the above was just a worst case. In reality, ISPs are likely to offer, depending on their policies, /60, /56 or /48, so that businesses that need different subnets can use them for that purpose. So if the business is such that you need different subnets for different physical locations, or different departments, or whatever the network layout is, you have anything from 16 to 65,536 subnets, which can be worked w/ the ISP depending on the size of the business. If the #subnets needed exceeds even that, then an ISP might avail /44 or less, and at the most /32 (which would allow one 4.3 billion subnets). So even if ISPs don't drop their fees for IPv6 equivalents (which they may, since they too would want to move customers away from IPv4 where they have a shortage and have to haemorrage cash), one would still be getting far more for equal or less.

Re:Yeah right

[unixisc]

Precisely, and once a home gets a single block, of even a /64, they have all the static and dynamic addresses they'll ever need. They do need to configure their gateway DHCP to assign addresses in a way that they can't be easily scanned (like don't use ::1 for the first node and so on) Unlike in the case of IPv4 where they'd have had to pay for every static IP that they got to support their PAT overloads, that wouldn't be the case here.

Re:Yeah right

[Drishmung]

If you read on, you'll see that they will in fact be allocating a /64 for the benefit of residential gateways. I.e., this is an interim solution.

Read the statement carefully "For directly connected CPE, we will allocate an individual IPv6 address". I suspect that if you have a switch, and multiple devices behind that, that EACH of them will be given their own address.

What is happening is this: They are using DHCP, in fact, they are insisting upon it. When your device asks for an IP address, it wants just that, an IP address. So, Comcast do that for you. They hand out an IP address. Your device asked for an address---it got one. Start communicating and be happy. Now, if you have multiple devices, Comcast needs to hand out another address to each one. The idea is to support gateways, where they hand out an address block and the gateway then supports DHCP (or SLAAC) and hands out individual addresses to the devices. Makes the ISP's life simpler. Again, for "directly connected CPE", where the customer doesn't have a gateway, the CPE wants just a single address.

To put it another way: Comcast are supporting IPv6. They'll hand out individual IP addresses themselves from the outset, but they won't have support for prefix delegation to gateways until later.

Re:Yeah right

[ardeez]

Trick you into installing a trojan that then controls your
webcam via a service that periodically makes an outbound connection.

And getting back to the topic, uses Teredo (http://en.wikipedia.org/wiki/Teredo_tunneling) to do the chatting. All on IPV6

Re:Yeah right

[unixisc]

Actually, the way IPv4 addresses were assigned to different classes was the problem:

• Class A: 125 blocks of 16,777,216 hosts each
• Class B: 16,128 blocks of 65536 hosts each
• Class C: 1,966,080 blocks of 256 hosts each

So if you add the above numbers up, you get 1,982,333 possible networks - without any CIDR. CIDR was what was needed to break up some of the Class A, B & C networks so that there could be more. All in all, there are only 3.7b, not 4.3b addresses. Each one of them would have to be NATed @ all ends to support, not the world's population, since the bulk of it is w/o internet access, but rather, all of the world's networked devices, for which all manufacturers and carriers worldwide have plans for expanding well beyond the above numbers.

Re:Yeah right

[unixisc]

It can't be, b'cos of the way IPv4 headers are defined. The moment one adds even a single bit to the source and destination address lengths (let's say they made them 33 instead of 32), they'd still need to update every router to recognize the new protocol, which would be the same amount of effort. Which is why the IETF put together all the improvements that could be made to networking technology, and bundled it under IPv6. So you could have kept your precious NAT, but w/ the need to upgrade/update every router in the world, the costs would have been just as high, but w/ little to show for it. In case of IPv6, you have end to end addressability restored, hierarchical routing, improved support for multicast and anycast, introduced support for site-local addressing (which in IPv4 is conflated w/ link-local addressing) and so on.

Re:Yeah right

[Pseudonym+Authority]

[(2^128 * .0000000000000000000001) / (7 * 10^9)] still gives 4,861,176 addresses for everyone. They only ones who may fuck it up are the NAT fools.

Re:Yeah right

[lgw]

All of those ways are one extra step beyond just hitting an inbound port, and that's what security is. There is no such thing as "an attacker can't do X", just layers that make it more difficult for an attacker to do X. It's nearly trivial to "bump" the deadbolt lock on my apartment door, but I'm sure glad I have one, vs not having any lock.

Re:Yeah right

[lgw]

If I were selling a toaster, why would I pay for extensive security testing, or, really, any security testing at all? I would expect any cheap device to be vulnerable, comes with the "cheap". And, frankly, I care a lot more about the toaster being UL listed.

Re:Yeah right

[unixisc]

I actually agree that this is wasteful, although not to that magnitude. For residential users, who are not likely to need more than 16 networks, a /60 should be adequate. A business, depending on how many subnets it needs, could be assigned a /48 to a /60. This is b'cos the first block of 1 word belongs to the IANA, the 2nd is assigned to the RIR, which in turn assigns it to a member country, and the 3rd is assigned to a corporation or an ISP. The 4th is the subnet.

Although I prefer IPv6 to IPv4 easily, I happen to disagree w/ the way it was segmented. I think the first block should have been assigned to the RIR, the second to a member country, the third and fourth to any corporation within the country - ISP or whatever. That would have been the top 4 blocks. The next 2 blocks of 16 should have been for subnets. No, no organization is likely to need 4 billion subnets, but what this would have allowed would have been up to potentially 8 levels of nested subnets. That would have left the last 2 blocks of 32 bits to allow for 4 billion addresses within any subnet.

Now, I know that the reason the above scheme was chosen due to the desire to have autoconfiguration, but that should have been done differently. If one thinks about it, no network is likely to have anything even close to 4 billion nodes/hosts - the congestion would just grind it to a halt. So 4 billion addresses for any subnet should have been enough, and different autoconfiguration schemes could have been adapted to use the interface ID. And in the case that DHCP6 was used, it could be configured to assign addresses to those 2 blocks in the interface ID.

Re:Yeah right

[unixisc]

I don't fully agree w/ the GP, but given how this is hierarchically organized, I don't agree w/ your assessment about the magnitude. As far as allocations go, what is being allocated is the Global prefix part of the address. The top block is 0x2001, or one of the IANA addresses of the RIRs (0x2400 for APNIC, 0x2600 for ARIN and so on), the next one is typically assigned to the RIR (0x2001:0200 for APNIC, 0x2001:0400 for ARIN) but may be free if 2400 is already the first block, the next block would be assigned to a corporation within that region. So within the 2001:0458, you would have only 65,536 corporations, if they are giving out /48s to their end customers. That's why some countries, like Australia, are planning on giving out /56 instead, and making businesses justify needing more. And the RIRs do require that a corporation shows that a decent percentage of its addresses (I'm talking network IDs) are being used.

Summary - there are too many interface ID addresses, but not enough network addresses (given the way it is laid out).

Re:Yeah right

[FireFury03]

How are you going to hack into my webcam when it has no publically visible IP address?

You're making a faulty assumption. How do you know the IP address isn't publicly visible? If the external side of your NAT box is plugged into an untrusted broadcast network (frequently the case with cable modems) and is running no firewall then your webcam's IP can very easily be visible to people on that untrusted network.

On the other hand, if you have a stateful firewall, your webcam is protected irrespective of whether you are using NAT or not.

Re:Yeah right

[Pseudonym+Authority]

That's still 1208925819614629174706176 possible subnets. We could pass out /80s and there would still be 65536 times as many subnets as there are IPv4 addresses.

Re:Yeah right

[FireFury03]

All they need to do is use the same method they've used with IP4: They only accept one address at your site, and discard any packets that didn't come from that address or is sent to that address. If you want N addresses, you'll have to pay N x $X, where $X is their current price for a routable address.
The phone system has worked this way since the beginning of phone numbers, and nobody ever complained. The phone system also has "extension" numbers, which in the IP world are called "port" numbers. But the ISPs have caught onto this, and most of them now block lots of your port numbers.

Ok, I have no idea what crazy world you're living in, but:
1. AFAIK telephone numbers are handed out by the regulator for free. If your telco doesn't supply numbers for free then go elsewhere, there are plenty of places that do (my business doesn't pay for any of its inbound DDIs)
2. Who on earth are you getting your internet connection from? I've never come across an ISP that charges per IP address. My EntaNet business account gives me a /29 IPv4 subnet and a /56 IPv6 subnet and costs me about 20gbp/month. Prior to that I had a PlusNet home account and that also gave me a /29 IPv4 subnet. If I want more IPv4 addresses, I just fill out the RIPE form justifying my need, and I'll be handed more addresses for free. The same goes for all my customers, who have business accounts with all sorts of ISPs - I've not once heard of them being charged extra for extra IPs (although occasionally you find an ISP, such as Virgin, that doesn't support giving customers small subnets instead of single IPs, in which case you just have to switch ISP).
3. What ISPs block "lots of ports"? Sure, some ISPs have taken to firewalling commonly abused ports (e.g., 25) by default, but you can always phone them up and ask them to unblock them (for which they don't charge). This is actually pretty sensible.

Can you think of any reason they can't implement exactly the same limits with IPv6 that they currently have with IPv4?

Well, other than the fact that they generally _don't_ do what you claim, in my experience... Oh, and the fact that the ISP has little control over what IP address your devices get. You need at least a /64 subnet, otherwise stateless autoconfiguration won't work, within that network, all the devices pick their own address, so the ISP would find it very hard to restrict you to a single address, especially since some of the autoconfiguration protocols involve assigning a new random address every so often.

Re:Yeah right

This is crap. It is true a scary number of people who should know better conflate IPv4 NAT with firewalling and some kind of security solution, and this makes people like you mad. On the other hand, people like you irritate the hell out of us, by refusing to accept that there can be some security value to NAT in addition to all the other routing and firewall tools. You IPv6 people are like some bad joke of nerd bible-thumpers and any kind of address translation technique (stateful or stateless) seems to be your version of homosexual embryonic stem cells. Go fuck yourselves.

Re:Yeah right

[FireFury03]

If you might happen to believe that maybe some day someone will come up with something that is just an inherently better designed protocol than IPv6, then deploying IPv6 with the anti-NAT zealot brigade is stupid, because should something better come along, doing the network migration from an IPv6 network is going to take forever.

Migrating From IPv6 to something new is no harder than migrating from IPv4 to IPv6. In either case, existing widespread NAT doesn't really help you. Lets look at the current situation with IPv4 as an example: Most internet connections have a bunch of IPv4 devices behind a NAT. When migrating from IPv4 to IPv6 the whole network isn't going to upgrade in one go, so we need some way for new devices and old devices to talk to each other. Your IPv4-only device is not going to be able to connect to an IPv6-only device, because the IPv4 device has no way of specifying what IPv6 address it needs to connect to. Whether or not you use NAT is irrelevant here. Connecting the other way is possible through the use of NAT64, but that doesn't fall into the category of "existing widespread NAT" - NAT64 is something you put in *specifically* to help with migration, not something that is already there.

It should be easy to migrate *from* a network to new technologies, not get locked into a dead-end-to-dead-end addressing scheme.

I'd be curious to hear your solution to this problem...

Re:Yeah right

[Koutarou]

And how exactly do you plan on portscanning a /64, something as large as the the IPv4 internet would be if every IP address had another internet NATted behind it? The sparse nature of v6 addressing renders dumb scanning moot.

And every home router I've had for the last 8 years has been v6-capable. (Yamaha RT54i, Yamaha RTX1000, NEC BL172HV)

Re:Yeah right

[WaffleMonster]

The bigger problem is because of the ideological dead-end-to-dead-end design, when every one's toaster and light bulb have an IPv6 address, and the anti-NAT zealots have one, is that upgrading to the next generation of networks will be impossible. The inertia caused by having to have everyone upgrade every light bulb and toaster to a new standard will block any advancement in networking technology.

I guess I suffer from a lack of imagination. Will humanity ever need more address than IPv6 provides? When the answer is yes will your question still even be relevent? Wouldn't I just ask my nano bots to upgrade all light bulbs for me?

The only reason IPv4 is being replaced is because there was not enough phone numbers for everyone in the world wishing to have their own phone number. The format of the IPv6 packet is evolvable. The only core issue requiring global coordination to change is the question of addressing and allocation of address space.

The topology of the Internet is not stopping you from doing dbus for all of your lightbulbs to a central server within your dwelling. There is nothing forcing you to use an end-end design. If people see value in other designs that option is available to them.

Re:Yeah right

[Dagger2]

You're right, and I omitted that consideration from my post. (You're misunderstanding the allocations though -- APNIC have 2001:0400::/23, which is 2001:0400:0000:: through to 2001:05ff:ffff::. They also have 2400::/12, which is 2400:0000:0000:: though to 240f:ffff:ffff::. Also, if you look at the list of allocations, they've obviously been left the whole of 2400:0000:0000: up until 25ff:ffff:ffff:: to expand into. Even the smaller /23 block has room for more than 65,536 corporations, let alone the /7 reserved block.)

The allocations are being done sparsely like this in the interest of route aggregation. The idea is to issue an ISP a /32, for example, but then skip the next 7 /32s. This means that the ISP can expand right up to a /29 while continuing to take up only a single routing table entry. If you want to put a negative spin on it, you could claim that this is only "12.5% efficient", or that it "wastes 87.5% of addresses", but this is not true: the gaps are being used to minimize routing table fragmentation.

How does this affect my assessment? RFC 3194 is required reading here. It defines the "H-density ratio", as a means of measuring how painful address allocation is becoming in a network with a hierarchical structure. Even if we take the low-end 80% used in that RFC, that would still be 70 billion /48s, or 10 per person on the planet. It's reasonable to expect some people to admin more than 10 networks and thus need more than 10 /48s, but I feel that it's unreasonable to expect that to be true of every single person on the planet.

For comparison, it looks like IPv4 passed its HD ratio of 80% (51 M hosts) in about 2000 or so. Clearly a network can continue operating beyond 80% if necessary; it just means that you have to start sacrificing route aggregation for a higher allocation percentage.

(Once again, I did these calculations for the 45-bit space in 2000::/3. The "we can start over in one of the other five /3s" argument is just as valid here too.)

Re:Yeah right

[mattventura]

You're making the same error as 90% of the people in this discussion. A home NAT router does stateful firewalling. There is absolutely no reason you couldn't configure that same firewall to do the same firewalling minus the NAT. I bet you that when home IPv6 routers become common, the default in most of them will be to disallow incoming connections.

Simply put, NAT doesn't give security, it just implies firewalling which gives security.

Re:Yeah right

[mattventura]

As others have said, a stateful firewall would be ON by default on home routers and would be set to block incoming connections. Device manufacturers aren't stupid.

Re:Yeah right

[hairyfeet]

The same way they do it now I suspect, by splitting the job amongst their zombie hoard. After all we are talking about 4 BILLION address with the current Internet so you'd think it wouldn't be worth the effort NOW wouldn't you? But they do it, all damned day. my guess is when they don't have anything better for the zombies to do they just have them take a section and get to knocking just to see what is there.

Must be nice on the router, now try Newegg and Tiger, look at everything under $60, what do you see? IPV4 as far as the eye can see. Why do they even allow them to bring new ones in? Talk about designed for the dump!

Re:Yeah right

[mattventura]

The solution to that is to do native dual stack. That way you don't break any IPv4 compatibility while using a clean approach to IPv6. Then, in the future, you stop giving IPv4 addresses once IPv4 falls out of use. The "IPv6 only" devices you speak of either don't exist or are completely niche, and they will continue to be uncommon until IPv4 dies out.

Re:Yeah right

[yahwotqa]

Totally. And I hope this will become a standard practice in the ipv6 future. Alas, it will require a change of thinking among security people, so the resistance might be great.

Re:Yeah right

[FireFury03]

The solution to that is to do native dual stack. That way you don't break any IPv4 compatibility while using a clean approach to IPv6. Then, in the future, you stop giving IPv4 addresses once IPv4 falls out of use. The "IPv6 only" devices you speak of either don't exist or are completely niche, and they will continue to be uncommon until IPv4 dies out.

Dual-stack doesn't work when you've run out of v4 addresses...

Re:Yeah right

[marka63]

What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.

And yet, according to the Comcast announcement, if you are paying for just one device, you get just one IPv6 address. They call it "directly connected CPE". Yes, on my home network, I have one directly connected device -- the NAT router.

But you have lots on indirectly connected equipment. This stage if for customers that only have directly connected CPE equipment.

The next stage is for those that have routers as their CPE equipment. The routers, after getting themselves a IPv6 address, will request a prefix (using DHCPv6) and Comcast's DHCPv6 servers will return a /64 prefix for use on the internal network. The router will then configure itself to send router announcements (RA) to the internal network with this prefix. Your internal machine will see these RAs and given themselves a IPv6 address (using SLAAC) and point the default IPv6 route to the router. Alternatively you will configure your router to use stateful DHCPv6 internally for address assignment , the router will send RA with the M bit set to 1, and your machines will then talk DHCPv6 to the router to get a address similar to IPv4.

At this stage you internal machines will have both a IPv4 address and a IPv6 address. The IPv4 address will be a RFC 1918 address. The IPv6 address is a globally unique address. When you talk to a machine over IPv4 you will use the IPv4 address. When you talk to a IPv6 machine you will use the IPv6 address. By default, if the machine you are trying to talk to has both IPv4 and IPv6 address you will attempt to use IPv6 then, if that fails, IPv4.

I'm also confused by their statement that the device must understand "stateful DHCP6". Why?

Because Comcast is not supporting SLAAC for address assignment to CPEs. They are doing managed address assignment.

The cable modem gets assigned one IPv6 address on the cable side

This is a management address for the modem. It has nothing to do with addresses assigned to customers

, and it serves one IPvX address via DHCP to the CPE. What changes? Why not make the cable modem the IPv6 to IPv4 gate and simply use good old DHCP on the CPE side?

This change does not remove IPv4. It just adds IPv6. At some point in the future Comcast will stop handing out IPv4 address to customers
and you will need to use something like DS-Lite or DNS64/NAT64 to reach IPv4 machines but this is still a while off. All Comcast is trying to do at the moment is to bring up IPv6 in parallel to IPv4.

Re:Yeah right

[unixisc]

No, just connect all the devices on your home network - your laptop, your iPhone, your relatives computer, et al to it. Also, IPv6 makes it easier for remote control apps like GoToMyPC.com, since it would just access your static PC address. Given the pool of /64 addresses, one can have as many static and dynamic addresses as one wants, while paying only for a single /64. Or /48 - whatever the ISPs offer. You don't have to connect your light switches or toaster to the internet - just the things you might want to control remotely. Like your home door from your cellphone if your spouse is stuck outside the house w/o the key while you are @ a conference meeting.

Re:Yeah right

[FireFury03]

Not to mention that UPnP essentially reduces your NAT "security" to nil.

Not really... But the NAT bit is irrelevant here - UPNP can poke holes in stateful firewalls and NATs alike.

The reason why UPNP doesn't really reduce security in a home environment is because once you have malware inside your network, you don't need UPNP to open up holes in your firewall for more evil to flow through. Firewall traversal (and NAT traversal) are quite trivial procedures that don't require UPNP.

Re:Yeah right

The number is the prefix length, not the remaining bits ("the network size"). Smaller numbers make bigger subnets. An /48 is a 48-bit prefix, of which there are 2^16 * 2^32, which is 65536 times the number of IPv4 addresses.

Re:Yeah right

[thoromyr]

Technically you are right. Now, point me to an implementation.

Re:Yeah right

[thoromyr]

that tripe about the scanning size is just nonsense because of autodiscovery. A compromised box will have a pre-built list of all nearby targets. No need to do any scanning at all, just do direct to target attacks. This is more efficient than traditional worms and harder to detect. (Infection in a new "subnet" is readily achievable through other means, all of which is old hat to malware writers at this point in time.)

The only saving grace is that operating systems have gotten much better about external attacks. But the so-called inability to scan in IPv6 is meaningless and unhelpful.

Re:Yeah right

[thoromyr]

IPv6 is structured specifically to where this fragmentation you fear is a non-issue. It is definitely not a re-hash of IP4. Its funny, but your final requirement is part of the silly requirements of IPv6. The *smallest* possible network is 2^64 addresses. You aren't going to run out of address space until you give each molecule of your body and personal articles its own (inherently globally addressable) IPv6 address.

Re:Yeah right

Don't be silly - they're able to fuck this up without taking any time at all...

Re:Yeah right

[Aqualung812]

A non-NAT scheme depends - almost entirely - on my firewall not sucking

So does a NAT scheme. If a firewall is allowing traffic from the public interface to the private one without an ACL or a statefull connection, there is a word for that: broken.

You seem to think that the firewall having to do more work somehow makes it more secure.

Re:Yeah right

[EvilJoker]

Most PCs have, for a long time, had BIOS support for SMART detection. Until recently, it was disabled by default.
I suspect this is because it created a few more support calls, even though they were completely necessary. If that firewall will create more support calls than disabling it, it will be disabled by default. The only exception will be if it loses sales, because people/reviewers/etc refuse to recommend it on that basis.

Re:Yeah right

[Bookwyrm]

Sigh. It's not about more addresses. It's about better protocols. There's a difference.

So, you are correct. You do suffer from a lack of imagination.

Re:Yeah right

[unixisc]

No, what I suggested was growing the global prefix from /48 to /64, and letting the subnets take the next 32 bits. That would have left enough space for all organizations, hierarchically organized, it would have allowed 8 levels of nested subnets instead of 4, and it would have allowed up to 4 billion nodes per subnet, which is already too much for a single subnet, but it accomodates a network in terms of static & dynamic addresses, stateful and autoconfigured addresses, and what have you. I wasn't suggesting growing the subnet area from bit 49 to bit 96.

Re:Yeah right

[Bookwyrm]

The initial move is to stop demonizing NAT.

I mean, seriously. We have networking traffic that moves from optical to wired to wireless, across all sorts of protocols and encapsulations, constantly. No one freaks out, no one complains. Suddenly, if the specter is raised of changing the sacred IP Address, everyone freaks out. NAT only impinges the functionality of software because the software and protocols are badly designed -- i.e. they insist on using IP information inside application level protocols instead of application-level identifiers (i.e. hostnames rather than IP addresses.) If applications had been properly separated from the network information to start with, then the migration from IPv4 to IPv6 would have been even smoother because the applications and protocols would never have had to be re-written.

If the applications never deal with IP addresses and instead have the operating system/network API handle the details, then the applications become independent of the network protocol, just like applications (generally) do not have to care about the difference between wired and wireless ethernet. At that point, it is possible to implement protocol to protocol conversions and translations at the network level that does not impact the applications or their functionality.

If applications do not break or fail to work because my traffic switches from wireless to wired to optical data transport, or because the encapsulation changes (ethernet frames vs. ppp vs. ATM vs. frame relay), then they should also not break because the network protocol changes (i.e. IPv4 to IPv6 and back again.) People blame NAT for the problems, but it is not that NAT *breaks* the applications, it is that the applications were *already broken* in design, and NAT just reveals the flaws.

I am not enthusiastic about how the response to the flaws of badly written applications has been to make a huge address space instead of fixing the design of the application and protocols. That's kind of like saying the answer to a memory leak is to add a petabyte of RAM to a computer.

If we worked on fixing the applications and protocol stack instead (i.e. pushing IP handling completely into the OS layer and keeping it out of the applications), then applications would not have to care about dual stack, triple stack, NAT, etc. at all. This means that it would become much easier to migrate to new network technologies without disrupting the applications. This would also allow people to run specialized or experimental networking protocols on their own networks for their own purposes while still using the same applications.

If applications and protocols continue to be developed where they expect "IPv4 or IPv6 formatted address only", then that locks them in. They have to be rewritten whenever something changes at the network layer (i.e. NAT, new versions of IP, etc.) If the applications stayed out of the network layer, then only the operating system would have to be updated to support new networking technologies, which is easier than updating every application everywhere.

Re:Yeah right

[unixisc]

You are correct about the allocations - the 2001:/16 really allow only the 3rd block for the organization, whereas the 2400:/12 option allows for the 2nd and 3rd block to be used for an organization within a region, which is better. I agree that allowing any corporation headroom to grow by reserving the next 7 or 15 blocks is a good idea.

My disagreement, which I voiced elsewhere in this thread, was regarding the breakdown. I had suggested:

Although I prefer IPv6 to IPv4 easily, I happen to disagree w/ the way it was segmented. I think the first block should have been assigned to the RIR, the second to a member country, the third and fourth to any corporation within the country - ISP or whatever. That would have been the top 4 blocks. The next 2 blocks of 16 should have been for subnets. No, no organization is likely to need 4 billion subnets, but what this would have allowed would have been up to potentially 8 levels of nested subnets. That would have left the last 2 blocks of 32 bits to allow for 4 billion addresses within any subnet.

Now, I know that the reason the above scheme was chosen due to the desire to have autoconfiguration, but that should have been done differently. If one thinks about it, no network is likely to have anything even close to 4 billion nodes/hosts - the congestion would just grind it to a halt. So 4 billion addresses for any subnet should have been enough, and different autoconfiguration schemes could have been adapted to use the interface ID. And in the case that DHCP6 was used, it could be configured to assign addresses to those 2 blocks in the interface ID.

In short, instead of the IETF's Global Prefix:Subnet:Interface ID::48:16:64, I had suggested that it be 64:32:32. That would allow one to have something like 2001:RIR+country code:Organizational ID for the global prefix alone, w/o going into 2400, 2600 and so on. Every country would have 4 billion organizational IDs, which is plenty. Each such ID would have 8 levels of nesting, far exceeding the 4 allowed by IPv4. Then, within the interface ID, it would allow 4 billion nodes.

IMO, a much better allocation of resources.

Re:Yeah right

[mattventura]

I'm pretty sure that they have enough foresight to enable it. The millions of hacked PCs that would result from that would definitely be enough to make them enable the firewall by default. Even if the early devices don't, manufacturers would take advantage of the situation and would advertise the firewall feature.

Re:Yeah right

[FireFury03]

The initial move is to stop demonizing NAT.

NAT has its uses, but it also has its problems. If there is no IP address shortage then *most* (not all) NAT suddenly has no use, leaving nothing but the problems. So in these use cases it makes sense to remove NAT since it is no longer doing anything useful and is a potential source of problems. This is not "demonising", this is simply looking at it in an objective way and realising that things can usually be improved by removing NAT from the equation.

I mean, seriously. We have networking traffic that moves from optical to wired to wireless, across all sorts of protocols and encapsulations, constantly. No one freaks out, no one complains.

There is a huge difference here. What you're talking about is encapsulation - this does not modify the packets a user's application is sending, it mearly puts them inside other packets. No information is destroyed - you can always get all the original data out by simply unencapsulating them again. And indeed, this is exactly what happens - an application sends an IP datagram and it arrives at the destination unaltered. The application has no need to care what has happened in the middle because any encapsulation that has happened gets undone again before it gets to the recipient. On the other hand, NAT destroys the original addressing information - what the recipient sees is *not* what the sender sent.

NAT only impinges the functionality of software because the software and protocols are badly designed

That is fundamentally not true. The protocols you are talking about (SIP is a common example) were specifically designed to do exactly that. It was not a design flaw, it was intentionally done that way because in a network that has end to end connectivity (which is the type of network SIP was designed to be used in) this actually has some big advantages, such as reduced latency requirements (this was a *really* important criteria for the use cases SIP was designed for), reduced infrastructure and bandwidth requirements (you don't need honking great servers forwarding media between peers).

Anyone interpreting these features as "bad design" is demonstrating a lack of understanding of the design goals for these protocols.

-- i.e. they insist on using IP information inside application level protocols instead of application-level identifiers (i.e. hostnames rather than IP addresses.)

Host names don't help. You can't magically route a packet to a host that is behind a NAT by knowing its hostname.

If applications do not break or fail to work because my traffic switches from wireless to wired to optical data transport, or because the encapsulation changes (ethernet frames vs. ppp vs. ATM vs. frame relay), then they should also not break because the network protocol changes (i.e. IPv4 to IPv6 and back again.)

Lets be clear on this: applications do *not* break if their IPv4 packets get encapsulated within IPv6 packets for part of the journey and then unencapsulated again. In fact, this is exactly what 6to4 tunnels do, but in reverse - IPv6 packets are encapsulated within IPv4 when traversing parts of the network that have no IPv6 support; applications do not need to know or care that this is happening since the data that comes out is the same as the data that goes in.

People blame NAT for the problems, but it is not that NAT *breaks* the applications, it is that the applications were *already broken* in design, and NAT just reveals the flaws.

Occasionally, yes, but in the vast majority of cases where NAT breaks things this is completely untrue. An application requiring the ability to send packets directly to a specific machine is not a "broken" design, rather, it is a design that has a lot of advantages. The disadvantage with this design is that it requires the remote host to be addressable, which i

Re:Yeah right

[Bookwyrm]

NAT has its uses, but it also has its problems. If there is no IP address shortage then *most* (not all) NAT suddenly has no use, leaving nothing but the problems. So in these use cases it makes sense to remove NAT since it is no longer doing anything useful and is a potential source of problems. This is not "demonising", this is simply looking at it in an objective way and realising that things can usually be improved by removing NAT from the equation.

Counter-argument: That is essentially "Since I don't need X now, I will design so I will never be able to use X in the future." That's a *big* assumption. I disagree with this. You may believe it, but I do not.

There is a huge difference here. What you're talking about is encapsulation - this does not modify the packets a user's application is sending, it mearly puts them inside other packets. No information is destroyed - you can always get all the original data out by simply unencapsulating them again. And indeed, this is exactly what happens - an application sends an IP datagram and it arrives at the destination unaltered. The application has no need to care what has happened in the middle because any encapsulation that has happened gets undone again before it gets to the recipient. On the other hand, NAT destroys the original addressing information - what the recipient sees is *not* what the sender sent.

The disagreement is whether or not the recipient needs to know *IP* addressing information. Sending application level data across the network 'encapsulates' the data in an IP packet. IP packets are NOT the application. You may disagree. You may think that IP is, in itself, an application. I do not. I view it as transport, just like any other lower layer in the network.

If you feel that the structure and information of an IP datagram is inherently part of the application data, then the IP network design is a lock-in design because the applications are being written to use IP network information. I feel that applications should be separate from the network. You may disagree.

That is fundamentally not true. The protocols you are talking about (SIP is a common example) were specifically designed to do exactly that. It was not a design flaw, it was intentionally done that way because in a network that has end to end connectivity (which is the type of network SIP was designed to be used in) this actually has some big advantages, such as reduced latency requirements (this was a *really* important criteria for the use cases SIP was designed for), reduced infrastructure and bandwidth requirements (you don't need honking great servers forwarding media between peers).

Anyone interpreting these features as "bad design" is demonstrating a lack of understanding of the design goals for these protocols.

Do not get me started on SIP. I've worked with SIP since 1999. It's really bad.

Please note -- if you are serious about VoIP and SIP, IPv6 sucks. The larger header size per packet can really hurt RTP stream bandwith, because it can make a noticeable (10%+) size increase per RTP packet for voice.

Host names don't help. You can't magically route a packet to a host that is behind a NAT by knowing its hostname.

Actually, people could, but they don't. What it would require would be to take something like SRV records. A server behind NAT would have to inform the NAT device that it is offering service X on port Y for domain Z. The NAT server would have to server up a NAT rule for an outside port A to map to the inside server on port Y. Then it handles DNS requests for domain Z and returns SRV records (or similiar) saying that if you want to reach service X for domain Z, connect to the NAT server on port Y.

This isn't an impossible problem.

Lets be clear on this: applications do *not* break if their IPv4 packets get encapsulated within IPv6 packets for part o

Re:Yeah right

[FireFury03]

Counter-argument: That is essentially "Since I don't need X now, I will design so I will never be able to use X in the future." That's a *big* assumption. I disagree with this. You may believe it, but I do not.

Eh? No it isn't. I don't need NAT now so I'll remove it so it doesn't cause problems. No reason why I can't add it back in the future if I either discover I need it for something or I go completely insane.

The disagreement is whether or not the recipient needs to know *IP* addressing information.

In the cases where NAT is a problem, the answer is an emphatic "yes", the recipient does need to know IP addressing information.

Sending application level data across the network 'encapsulates' the data in an IP packet. IP packets are NOT the application.

IP packets are not the application's data, no. But the IP addressing information is often needed so that it knows where to send data to. It doesn't matter whether you handle the IP addresses in the kernel or in the application, *something* needs to know where to send the data. If the destination machine is on the other side of a NAT then you're out of luck - you can't trivially send data to it (there are NAT traversal mechanisms but they aren't reliable for a number of reasons that are beyond the scope of this discussion).

Actually, people could, but they don't. What it would require would be to take something like SRV records. A server behind NAT would have to inform the NAT device that it is offering service X on port Y for domain Z. The NAT server would have to server up a NAT rule for an outside port A to map to the inside server on port Y. Then it handles DNS requests for domain Z and returns SRV records (or similiar) saying that if you want to reach service X for domain Z, connect to the NAT server on port Y.

You've now delved into the realms of redesigning NAT from the ground up - that's a silly discussion to have because the whole issue is that we're stuck with protocols that were not designed to cope with the current situation. If we were designing the internet from scratch with the knowledge we now have, we would have a bigger address space and NAT wouldn't be required... oh wait, that's one of the reasons we're migrating to IPv6.

I don't understand why you seem to want to hold onto NAT - I'm not saying "NAT is evil", on the contrary - it serves some very useful purposes. But when we switch to IPv6, most of that usefulness evaporates. Why would we want to hold onto a layer of complexity that is no longer serving a purpose?

Lets be clear on this: application data should *not* break if it's encapsulated in IPv4, and then unecapsulated, then re-encapsulated in IPv6. The application data should be separate from IP information just as it is separate from other encapsulation.

In simple protocols between a client and an a server you are correct. And in those cases, applications *don't* break if you do this. On the other hand, if your application needs to somehow tell the remote machine to go send data to somewhere different (which peer to peer protocols need to do, such as SIP, Bittorrent, etc) then you *are* going to need to communicate the appropriate addresses to the remote machine.

The ability to write directly to the memory of a data structure may be considered advantageous in some situations. Yet, a lot of people prefer object-orientated programming or styles with getters and setters which can manage this access. You may disagree.

And yet programming isn't exclusively object orientated. There are situations where object orientation would produce too much overhead. Hell, sometimes we still program in raw assembler! Same goes for the internet - the protocols that are broken by NAT are the protocols that cannot sensibly incur the overheads associated with running in a strict client/server architecture.

Re:Yeah right

[gman003]

That relies on them compromising a box first - which NAT won't protect you from, either.

The huge address space of IPv6 is just as much a security feature as NAT - ie. effectively none. You can crack a box behind NAT, you can crack a box in IPv6.

Re:Yeah right

[Bookwyrm]

Counter-argument: That is essentially "Since I don't need X now, I will design so I will never be able to use X in the future." That's a *big* assumption. I disagree with this. You may believe it, but I do not.

Eh? No it isn't. I don't need NAT now so I'll remove it so it doesn't cause problems. No reason why I can't add it back in the future if I either discover I need it for something or I go completely insane.

You can't add it back in if it's just going to break all the applications that continue to depend on knowing more about the network than they need to.

IP packets are not the application's data, no. But the IP addressing information is often needed so that it knows where to send data to. It doesn't matter whether you handle the IP addresses in the kernel or in the application, *something* needs to know where to send the data. If the destination machine is on the other side of a NAT then you're out of luck - you can't trivially send data to it (there are NAT traversal mechanisms but they aren't reliable for a number of reasons that are beyond the scope of this discussion).

No, *something* is needed so that the other application knows where to send the data to. That identifier does not and should not be a network specific implementation in my opinion.

You've now delved into the realms of redesigning NAT from the ground up - that's a silly discussion to have because the whole issue is that we're stuck with protocols that were not designed to cope with the current situation. If we were designing the internet from scratch with the knowledge we now have, we would have a bigger address space and NAT wouldn't be required... oh wait, that's one of the reasons we're migrating to IPv6.

I don't understand why you seem to want to hold onto NAT - I'm not saying "NAT is evil", on the contrary - it serves some very useful purposes. But when we switch to IPv6, most of that usefulness evaporates. Why would we want to hold onto a layer of complexity that is no longer serving a purpose?

The point is when we switch *from* IPv6.

Let's say this guy call FireFury03 is struck with a brilliant idea and comes up with a new version of IP, IPvFF, that is simply *awesome*. It fixes stuff people never thought about, it ends world hunger, it solves privacy issues, etc. It's simply an amazing step forward!

Except, it's not IPv6 compatible.

Now what?

The point of supporting/having NAT is to allow the network to be modular/segmented, so you aren't stuck waiting for a the last few people on the other side of the world to upgrade to the latest protocol, or having to wait for them to upgrade every one of their applications which depends on having 'IP addresses'. It's so people can run what they want on their networks and still use applications that work across heterogeneous networks. It's so people can experiment with IPv6.1.5 in their LANs and still communicate across the network.

It's so people needing really tight performance could use something with a smaller address space for their LAN to minimize wasted bytes, but still get out when they needed to. It's so we there doesn't have to be a single mono-culture network that can be hamstrung by things like the IANA, ICANN, etc.

Part of the value of the digital age has been that data can be translated from one format to another -- speech to text, text to speech, images to bytes, etc. Searched, edited, copied, etc. Nearly every activity of value involves the ability to transform or migrate data -- and things like DRM which prevent that are a nuisance that degrade value. I want to see the ability to translate between protocols supported because I think the ability to adapt old data/protocols to new forms is very useful and important.

And now we're back to redesigning NAT. Redesigning NAT is fundamentally a waste of time because it is not needed any more. You

Re:Yeah right

[FireFury03]

No, *something* is needed so that the other application knows where to send the data to. That identifier does not and should not be a network specific implementation in my opinion.

Then what do you suggest that identifier is? Can't use DNS because there is absolutely no guarantee that a host has correct DNS records (when was the last time you saw a home user create public DNS records for all their workstations?). And even if you could guarantee that the DNS records are correct, it still doesn't help when there is NAT involved since your DNS lookup (or whatever identifier you use) is going to have to resolve to a globally reachable network address, and no such thing exists when machines are hidden behind a NAT on local scope addresses.

The point of supporting/having NAT is to allow the network to be modular/segmented, so you aren't stuck waiting for a the last few people on the other side of the world to upgrade to the latest protocol, or having to wait for them to upgrade every one of their applications which depends on having 'IP addresses'.

You're not talking about network address translation. You're talking about protocol translation, which is rather different. And also isn't really possible to do in the way you're suggesting. Lets look at the IPv4 to IPv6 migration as an example:

Alice is on IPv6, Bob is on IPv4 (12.34.56.78), Charlie is on IPv6.

So Alice wants to connect to Bob. Since they have different protocols, there will need to be a protocol translation system involved (NAT64). As IPv6 has a larger address space than IPv4, a chunk of that address space can be mapped 1:1 to IPv4 addresses. So Alice takes Bob's IPv4 address and shoves the designated NAT64 prefix on it to turn it into an IPv6 address - ::ffff:0:12.34.56.78. Alice sends a packet to that address, the NAT64 box gets the packet and translates it into an IPv4 packet. But Alice's address is IPv6 so can't go in the IPv4 packet so the NAT64 box puts its own IPv4 address on the packet and sends it along to Bob. When Bob sends a reply, it goes back to the NAT64 box, which looks up the IPv6 address associated with the connection (Alice) and is then able to translate the packet back to IPv6 and forward it along. So far so good, and all this really does work in practice and is in common use today - it works pretty well for simple client/server protocols such as HTTP.

Now, Alice needs to tell Bob to send some data to Charlie (pretty common in peer to peer applications). Here's where you hit a problem - there's no way that Charlie's address can be encoded within an IPv4 address. This means that no matter how you pass that addressing information within the protocol, when it is eventually translated back into an IP address to connect to, it is nonsensical - Bob has no idea how to connect to Charlie's IPv6 address. It didn't matter whether you passed an IPv6 address within the application's data stream, or a hostname that Bob's OS resolved to an IPv6 address - either way, Bob can't connect.

I'm sure you could invent a protocol extension whereby Bob can know to connect to the NAT64 box when he sees an IPv6 address and somehow hand the NAT64 box Charlie's address. But that requires Bob to know about IPv6, so it pretty pointless - if you're forcing Bob to implement new protocols like that then you may as well force Bob to upgrade to IPv6 properly.

Another option is that you could invent a protocol so that Alice can tell the NAT64 box to expect a connection from Bob and to forward it to Charlie. But now Alice needs to know lots of information about the NAT64 box's addresses (which you claim is always a bad thing), and more importantly, the NAT64 box could well now be subject to having to forward lots of traffic between two third party networks! That's not satisfactory.

It's so people can run what they want on their networks and still use applications that work across heterogeneous networks.

Re:Yeah right

[Dagger2]

I agree that, going by number of hosts, 64 bits for the interface ID is excessive. There are other reasons to want more than 32 bits though: a 32-bit subnet with 50,000 hosts using privacy addresses would have 400,000 addresses in use at any one time, and would get on average 5 address collisions every time the hosts generate themselves a new address -- even though 99.98% of the addresses on the network are unused. It's feasible to argue that a network that regularly sees collisions is one that's too small.

But more importantly, I'm just not convinced that allocation needs to be any better. I feel that reaching even the HD=80% point of 10 /48s per person in 2000::/3 is going to be difficult, and as such even the current 48:16:64 split will leave us with plenty of space. Finally, if 2000::/3 does fill up, we can switch to 4000::/3 using 64:16:48 or your 64:32:32 without any hassle, so there's definitely no need to make any changes to the allocation policies in 2000::/3.

Re:Yeah right

[jc42]

Ok, I have no idea what crazy world you're living in, but:

I'm in the US, and yes, it's pretty crazy around here at times. Where do you live, that's more sane? (Or maybe you're just accustomed to your local flavors of craziness.)

1. AFAIK telephone numbers are handed out by the regulator for free. If your telco doesn't supply numbers for free then go elsewhere, ...

I've had phone service in the US since the 1960s, and I've never heard of a telco that gives out phone numbers for free. Sure, they'll tell you that the first one is "free", as in it comes with the package that you pay for. But if you want a second line, it is typically 50% - 80% of the monthly price for the first line. Businesses buy packages of phone numbers, and you pay more for more numbers (though there's generally a smaller per-number price for larger quantities.)

2. Who on earth are you getting your internet connection from? I've never come across an ISP that charges per IP address.

Again, in the US, I've never heard of one that doesn't. You get one IP address when you sign up. If it's a "home" account, you get a dynamic address that may change at any time, and you configure your machine to use DHCP to check the address several times a day. When the ISP changes your address, it can take a day or two for the DNS system to understand the change and no longer direct clients to your previous address. If you want a "static" IP address, you have to pay more (typically double) for a "business" account. If you want a second static IP address, you pay more, typically $5 to $10 per month. I've heard that the rules are different in other countries, but that's how it works here.

I've occasionally wondered how the postal system would work if the local (private) post office could change your street address at will, and you'd have to first discover this, then ask them for your new address, then send it out to everyone you communicate with. At least the DNS system can take care of it in a couple of days. ;-)

3. What ISPs block "lots of ports"?

Around here, we have the luxury of three actual ISPs: Verizon, Comcast and RCN. All three block ports 21, 25 and 80, and usually a few others, for "home" accounts. They usually also block ICMP ("ping") packets. Again, in some neighborhoods you can pay double for a "business" account, and get this restriction relaxed. But sometimes they block ports anyway, somewhat at random. This may be due to incompetence. It takes a long time to get through to a support person who admits to knowing what "port blocking" means.

Our local unix/linux "geek" club has occasionally documented the constantly-changing situation with port blocking. It tends to come and go at random, on a weekly basis. With a bit of cooperation and some network debugging software, we can usually document just where packets are being dropped, and show which machine inside the ISP is blocking which ports. The ISPs normally deny it, and give us a runaround.

Actually, the "home business" account is something relatively new. In much of the US, you couldn't get business-class Internet access in most residential neighborhoods until a few years ago. It took a fair number of lawsuits from people running home businesses to get this changed. But now the ISPs are mostly offering it, because they understand that they can charge double and do less (such as no blocking or DHCP). And they can get away with the same crappy "support" that they always provided.

We don't expect IPv6 to change any of this.

Re:Yeah right

[Bookwyrm]

No, *something* is needed so that the other application knows where to send the data to. That identifier does not and should not be a network specific implementation in my opinion.

Then what do you suggest that identifier is? Can't use DNS because there is absolutely no guarantee that a host has correct DNS records (when was the last time you saw a home user create public DNS records for all their workstations?). And even if you could guarantee that the DNS records are correct, it still doesn't help when there is NAT involved since your DNS lookup (or whatever identifier you use) is going to have to resolve to a globally reachable network address, and no such thing exists when machines are hidden behind a NAT on local scope addresses.

Sorry, I already explained how it would be possible to take things like SRV records and deal hostname resolution through NAT. It's certainly possible to do. Now you are dismissing DNS as not usable. I'm not sure if there's going to be fruitful discussion.

You're not talking about network address translation. You're talking about protocol translation, which is rather different. And also isn't really possible to do in the way you're suggesting. Lets look at the IPv4 to IPv6 migration as an example:

Alice is on IPv6, Bob is on IPv4 (12.34.56.78), Charlie is on IPv6.

So Alice wants to connect to Bob. Since they have different protocols, there will need to be a protocol translation system involved (NAT64). As IPv6 has a larger address space than IPv4, a chunk of that address space can be mapped 1:1 to IPv4 addresses. So Alice takes Bob's IPv4 address and shoves the designated NAT64 prefix on it to turn it into an IPv6 address - ::ffff:0:12.34.56.78. Alice sends a packet to that address, the NAT64 box gets the packet and translates it into an IPv4 packet. But Alice's address is IPv6 so can't go in the IPv4 packet so the NAT64 box puts its own IPv4 address on the packet and sends it along to Bob. When Bob sends a reply, it goes back to the NAT64 box, which looks up the IPv6 address associated with the connection (Alice) and is then able to translate the packet back to IPv6 and forward it along. So far so good, and all this really does work in practice and is in common use today - it works pretty well for simple client/server protocols such as HTTP.

Now, Alice needs to tell Bob to send some data to Charlie (pretty common in peer to peer applications). Here's where you hit a problem - there's no way that Charlie's address can be encoded within an IPv4 address. This means that no matter how you pass that addressing information within the protocol, when it is eventually translated back into an IP address to connect to, it is nonsensical - Bob has no idea how to connect to Charlie's IPv6 address. It didn't matter whether you passed an IPv6 address within the application's data stream, or a hostname that Bob's OS resolved to an IPv6 address - either way, Bob can't connect.

I'm sure you could invent a protocol extension whereby Bob can know to connect to the NAT64 box when he sees an IPv6 address and somehow hand the NAT64 box Charlie's address. But that requires Bob to know about IPv6, so it pretty pointless - if you're forcing Bob to implement new protocols like that then you may as well force Bob to upgrade to IPv6 properly.

Another option is that you could invent a protocol so that Alice can tell the NAT64 box to expect a connection from Bob and to forward it to Charlie. But now Alice needs to know lots of information about the NAT64 box's addresses (which you claim is always a bad thing), and more importantly, the NAT64 box could well now be subject to having to forward lots of traffic between two third party networks! That's not satisfactory.

Wow. You are very IP address-centric. Have you ever considered that there are other network types out there?

Try this:
Alice wants to talk to Bob. She puts a universal i

Re:Yeah right

[Lord_Breetai]

http://en.wikipedia.org/wiki/DHCPv6#Implementations

Re:Yeah right

[Lokitoth]

Agreed, with one caveat - it is a lot easier to driveby a piece of malware that just needs to be able to make HTTP connections than it is to driveby other malware, especially if behind a NAT/Firewall. After that you open the appropriate remote-exec port to point to the right machine, and commence partying.

Re:Yeah right

[Bengie]

Next time we have to upgrade, we will just run dual stack like we do now. The only difference is I will only be able to access my light bulbs and toasters remotely if I'm in the same galaxy. Once I leave my local galaxy, then I will have to VPN in using the new inter-galactical protocol, to access my lights bulbs and toasters.

Re:Yeah right

[Vrtigo1]

I guess I will be the one to ask the obvious question here.

With IPv4, people buy routers because ISPs only give you one IP address, so you need something that does NAT in order to connect more than one device to the Internet. With IPv6 there will be no such need, so the question is not if IPv6 routers will have stateful or stateless firewalls, it seems to me that the real question ought to be, why the heck would anyone even need a router with IPv6 to begin with? Just plug your modem into a switch or wireless access point, everything ought to connect just fine with no router, no NAT, no firewall.

Of course not having a firewall is indeed bad as has been pointed out, but the point I am raising here in this comment is the fact that without a router being an absolute necessity as they were with IPv4, you will see people start to do with out them.

Re:Yeah right

[Vrtigo1]

NAT is dead simple. It's on by default in just about every IPv4 consumer level router. Want to turn it on in an enterprise router, sure no problem: interface fastEthernet 0/0 ip nat outside ! interface fastEthernet 0/1 ip nat inside ! It is equally easy to turn on in enterprise firewalls.

Curious what else will accompany it

[ackthpt]

So you get a new box .. does it have anything sponsored by *IAA or DHS to keep tabs on your traffic?

Of course I'm paranoid - I read Slasdot!

Re:Curious what else will accompany it

[digitalsushi]

Well, Dual Stack Lite is going to be their long term IPv4 availability, which removes NAT from the CPE and shifts it up into the ISP layer. So all of your transactions will be manipulated inside the ISP's AFTR element, which would be a very convenient place to mine your data stream for goodies. But that would be paranoid to think they would do that. Especially when they could do it anywhere else just as easily!

Re:Curious what else will accompany it

[ackthpt]

Well, Dual Stack Lite is going to be their long term IPv4 availability, which removes NAT from the CPE and shifts it up into the ISP layer. So all of your transactions will be manipulated inside the ISP's AFTR element, which would be a very convenient place to mine your data stream for goodies. But that would be paranoid to think they would do that. Especially when they could do it anywhere else just as easily!

I'm just thinking ahead - perhaps the next box delivered to me for DSL could very well have some memory they could upload instructions to, to sniff on the spot and report back what it spots, rather than requiring the provider to sniff at their end.

With net neutrality going in and out of legislation (or directions to/from FCC) I'm not taking things for remaining status quo.

So, as an end user...

[cayenne8]

...what all do I have to do and change to use this?

I'll not still use NAT for my home network for all my devices that I authorize to use the wireless router...etc?

What does the regular user have to do to use this...and what exactly is going to push him to change his whole home network along with all the devices he currently has on there (tv's, ipads, laptops, desktops, toasters...etc)?

Re:So, as an end user...

[tuffy]

The idea is that the end user is still going to keep all his devices behind a firewall so everybody on the internet can't probe them. But since your toaster has its own actual address, it can connect directly to the Online Toasting Database server without having to kludge all that traffic through a NAT.

Re:So, as an end user...

[scubamage]

Most modern OS's already have dual stack support (windows vista forward on the windows side, I know red hat had it as far back as version 5) so there shouldn't be any change there. But because it is a dual stack deployment, your average home user wont have any issues or need to swap out any equipment - at least for the time being.

Re:So, as an end user...

The idea is that the end user is still going to keep all his devices behind a firewall so everybody on the internet can't probe them. But since your toaster has its own actual address, it can connect directly to the Online Toasting Database server without having to kludge all that traffic through a NAT.

When all the toaster's heavy lifting is done in The Cloud it will revolutionize the way we toast bread.

Re:So, as an end user...

[marka63]

Windows XP has dual stack support. You just need to enable it. There are a couple caveats, like it needs access to a IPv4 recursive nameserver as it doesn't make DNS queries over IPv6, but for the most part it "just works".

Re:So, as an end user...

The idea is that the end user is still going to keep all his devices behind a firewall so everybody on the internet can't probe them. But since your toaster has its own actual address, it can connect directly to the Online Toasting Database server without having to kludge all that traffic through a NAT.

Behind a NAT or a firewall, what's the difference? Everything is still going through a single device/port before hitting your internal net. Same bottleneck different name.

Timing

[rednip]

That's what I call timing, I just swapped back to Comcrast from Fios, Yay!

Re:Timing

I can see where that would be a nice consolation prize... FIOS pretty much sucks, with all the filtering and restrictions of servers, but Comcast is even worse.

Yes, I've had both. At the same time, briefly... I'm on FIOS now because the effective bandwidth is better. Comcast's useable bandwidth went down every time they raised my absolute bandwith, because their worm farm was able to slam my firewall harder. Pretty much every box on my segment was totally owned and was hammering away at the rest of Comcast's customers 24/7. Comcast offering antivirus to people who were already completely rooted didn't help much, either.

It's a start

[talexb]

Kudos for Comcast for finally getting the ball rolling on IPv6. A /128 address gets their foot in the door, and as their post says, they can expand it later.

Re:It's a start

Currently, the RFCs (and e.g. RIPE) recommend that LIR should provide a /48 subnet for their customers (end sites)... the absolute minimum is a /64 net.

5.4.1. Assignment address space size

End Users are assigned an End Site assignment from their LIR or ISP. The size of the assignment is a local decision for the LIR or ISP to make, using a minimum value of a /64 (only one subnet is anticipated for the End Site).
http://www.ripe.net/ripe/docs/ripe-523#lir

Re:It's a start

Are they doing IA_NA (/128 address assignment) or PD (prefix delegation)? The way you avoid NAT is by delegating a household a range of addresses to give out to all its hosts. Giving a cable modem a single /128 doesn't remove the need for NAT any more than a /32 ipv4 address does.

Re:It's a start

[unixisc]

Precisely, and since there is no NAT in IPv6 for pure IPv6 connections, an ISP cannot assign a /128. A cable modem or a wi-fi router would have to get a /64, after which it can support all the nodes within that household.

Re:It's a start

[mattventura]

I think its more for when you only use a single device. Believe it or not, there ARE people that connect their computers directly to a modem.

Re:It's a start

[mjwx]

Kudos for Comcast for finally getting the ball rolling on IPv6. A /128 address gets their foot in the door, and as their post says, they can expand it later.

My ISP has been running dual IPv4 and IPv6 stacks for a year now... I just need to update my router to an IPv6 capable model.

Internode FTW.

Available in my area?

[tmc3]

When is it going to be available nationally instead of a couple of markets?

Re:Available in my area?

[chill]

Right after they test with the current demographic -- people with one computer that is directly connected to the cable modem.

This should go quickly, since every one of those people is already a zombie spam-bot.

Re:Available in my area?

[93+Escort+Wagon]

Right after they test with the current demographic -- people with one computer that is directly connected to the cable modem.

I wish they'd broken that out as a percentage of their userbase. I can't imagine it's very large - most of even my non-techie friends still have some sort of wireless or wired router on this side of their cable modem.

Kudos

[IamTheRealMike]

It's rare to see companies take such a long term view of their business, but Comcast sure is doing it now. I know from seeing it being done at work, huge IPv6 deployments are not trivial things!

Re:Kudos

[characterZer0]

Rolling out IPv6 could have been considered taking a long term view a decade ago. With IPv4 exhaustion looming, starting the roll-out now is just short of required. Sadly, looking out past the end of the current quarter is considered "long term" nowadays.

Re:Kudos

[Hes+Nikke]

If cabletown was a thinking long term, they wouldn't have bought that buggy whip manufacturer that calls itself NBC.

Static IP?

[timeOday]

With IPv6 addresses being so plentiful, does that mean it should never have to change? I've been running a webserver and mailserver on my Comcast account since it was an @Home account (10+ years) and my IP rarely changes, but occasionally it still does.

Re:Static IP?

[digitalsushi]

IPv6 addresses change all the time. They're really good at it. You should learn how DNS works, because it's going to be your new best friend if you ever want to find your needle in the v6 haystack. Even better, you can have a pile of v6 addresses on a single interface, instead of the paltry one v4 address.

Re:Static IP?

[laffer1]

You could always get a business class account like I did. Then you get 5 static IPs allocated to you that never change. I've even moved and they ported the IPs with my account. Not to mention it's faster and you get more upstream bandwidth.

Re:Static IP?

[Karl+Cocknozzle]

Even better, you can have a pile of v6 addresses on a single interface, instead of the paltry one v4 address.

Who told you an interface could only have one ipv4 address? This is just flat-out incorrect.

Re:Static IP?

[Wonko+the+Sane]

Who told you an interface could only have one ipv4 address?

Windows 98

Re:Static IP?

[digitalsushi]

How do you do it without aliasing the interface?

Re:Static IP?

[Dagger2]

# ip addr add 127.0.0.2/8 dev lo
# ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
inet 127.0.0.2/8 scope host lo
inet6 ::1/128 scope host valid_lft forever preferred_lft forever

ifconfig can't handle displaying them, but if you will insist on using an obsolete piece of software, don't complain when you bump into its limitations.

Re:Static IP?

[GPLHost-Thomas]

Simple:

ifconfig eth0 add YOUR-IP-V4 netmask A-NETMASK

But that's a bit retarded. You should use "ip" and not "ifconfig" (and shame on me, I never remember the syntax of "ip").

Re:Static IP?

[c2me2]

You do realize you're talking about software that's 13 years old. You know, back when you were still watching Fraggle Rock. (And it's not even true.)

Re:Static IP?

It was very easy to assign multiple ipv4 addresses to one interface in Windows 98. You could even have DHCP and static at the same time in Win9x, but seems to be impossible since Windows 2000.

Re:Static IP?

[unixisc]

Based on the DHCP configuration, one could assign static addresses to web servers, while assigning dynamic addresses to the workstations in the network

Re:Static IP?

How does dynamic ip solve the problem at all? Everyone still needs an ip address (just asking).

Re:Static IP?

We need to get away from thinking about addresses and start thinking about how do I find the service or person I want to communicate with. I have heard it expressed "IP addresses are an accident of network topology" by Clark Gaylord. Addresses change all the time, especially for mobile devices. What we need to be working on is not a way to give everyone a static address but a better way for people to find what they want to talk to and then have that service tell them what address is currently available for the device.

Re:Static IP?

You can do the same with ipv4. You're basically creating "virtual" interfaces, even though it still gets pushed through the same port. Used a lot in hosting environments.

Re:Static IP?

[unixisc]

Depending on what one wants/needs, one can have as many static and dynamic addresses as one likes, since the entire 64-bit space belongs to the customer. If one needs a static address for a webserver, a mail server, an ftp server and so on, one can assign a different one to each, and still have enough to mark out a range of addresses to be dynamically assigned so that the usual advantages of dynamic addresses are also preserved. The key thing to remember about IPv6 is that a box can have several IPv6 addresses (some, like ::, ::1, multiplexed address groups (ff00::/16) are automatic, and then one assigns link-local (fe80::/16), site local (fd00::/8) and global addresses.

Re:Static IP?

[unixisc]

Technically, it may well be possible to have multiple IPv4 addresses on a node. Only problem - the shortage of IPv4 addresses. So the only way dynamic addresses can be assigned is behind a NAT, while the global routable address is probably static (again, due to the shortage of addresses, rather than any inflexible configurations of tools).

Yea!

[twmcneil]

IPv6 deployment - Yea! Wait, it is Comcast. Ok, what's the catch?

Re:Yea!

The catch? It's comcast. That's the catch!

At least it isn't verizon, though...

Loved FiOS, hate verizon.

Re:Yea!

[digitalsushi]

The catch is that they ran out of 10/8 space for their Internal network and weren't stupid enough to overload it. They deployed v6 to manage the cable modems, and then cable modems needed to be v6, and that was convenient since they're starting to run out of public space addresses, too. Those addresses can't be helped, and they're going to get sucked back into the ISP on the NAT level. Yes, all that malarkey about sharing public v4 addresses with your neighbors is a mathematical inevitability. Read through some current RFCs for a public conversation they are having on the topic of how many customers can you fit on a single v4 address.

Re:Yea!

[janeuner]

I've been using Comcast's IPv6 6rd since it launched over a year ago. In the first few months, there were several instances with parts of the IPv6 global network were down, but those problems were corrected within a couple days.

All said, Comcast has been out in front of this compared with the other US ISPs. They should be commended (on this issue, at least).

Re:Yea!

The catch is that they ran out of 10/8 space for their Internal network and weren't stupid enough to overload it.

We also ran out of 172.16 :(. You have no idea how much of a PITA it is to get an internal adress around here. And yes Comcast has been a huge pusher for IPv6 for quite some time now, both through cable labs and directly thought our vendors.

Re:Yea!

IPv6 deployment - Yea! Wait, it is Comcast. Ok, what's the catch?

Next generation Internet addressing fee. ($29.99 / mo.)

How are they going to charge for this?

[JonahsDad]

Extra charge for allowing you access to IPv6?
Extra charge for staying with IPv4?
Extra charge for keeping your IPv4 if you also want IPv6?

Re:How are they going to charge for this?

[Samantha+Wright]

All three! Think of it less as an extra charge and more like "a way to customize what your new, bigger bills say". :)

Re:How are they going to charge for this?

[janeuner]

IPv6 6rd has been freely accessible since early 2010.

Re:How are they going to charge for this?

Here is the link to setup 6to4 on the Comcast network

http://www.comcast6.net/6to4-config.php

Re:How are they going to charge for this?

[unixisc]

Maybe, but Comcast has migrated from 6rd to Dual Stack Lite, where the entire network is IPv6. IPv4 only nodes, if they exist (think of the XP computers that ain't IPv6 enabled as yet) are NATed in the ISP layer instead of the CPE, where a routable IPv6 address is mapped on to a local IPv4 address and then routed. If the node supports IPv6, it gets a direct connection w/o going through NAT. In the long term, when there is less support for IPv4 on equipment, this is likely to be the standard way to support the old protocols.

As far as charges go, I'd think one would pay for an entire /64 block what one paid for a single /32 IPv4 address. Only that instead of NATing it, DHCP can assign an address to the interface ID.

From another perspective...

[dpilot]

It's lock-in. Once you've gone IPV6, who's going to want to go back. You'll be a Comcast customer until FIOS, DSL or whatever other competition might actually exist catches up.

Re:From another perspective...

[Wonko+the+Sane]

Once you've gone IPV6, who's going to want to go back.

Do you think a significant proportion of their users actually would know or care what the difference is?

Re:From another perspective...

Providing a better service with an open standard is not lock-in: it's being better. Lock-in would be doing IPv6 some sort of Comcast-only way.

Re:From another perspective...

[janeuner]

Charter was about a year behind with IPv6 6rd, but they are likely to catch up quickly.

Re:From another perspective...

[dpilot]

If they neither know nor care, they never would have signed up for the pilot.

Re:From another perspective...

[Wonko+the+Sane]

That group of people isn't going to be subject to lock-in because it's so easy to get IPv6 connectivity from tunnel brokers.

Re:From another perspective...

[dpilot]

True, it's kind of like trapping oneself, really.

Re:From another perspective...

Most of us are already stuck with Comcast anyways. I've never been anywhere were DSL has been fast enough to support more than one user at a time. FIOS and U-Verse are not readily available.

Re:From another perspective...

[nine-times]

Why is it lock-in? It's not like going with IPv6 makes it impossible to go back and connect to a network using IPv4. From a user perspective, it should be a relatively transparent change. What am I missing?

Re:From another perspective...

[iggymanz]

not lock in at all, you can have IPV6 even if you move to ISP with only ipv4. I do it through a tunneling router to ipv6 provider (several do it for free and give you monstrous static ipv6 subnet), and I can saturate my adsl line with ipv6 traffic so no bottlenecks by tunnel. it's nice having static addresses even though my ipv4 connection is dynamic!

Re:From another perspective...

Competition? The fuck is that?

Re:From another perspective...

We're still waiting for Cox to deploy this in the southwest. Supposedly their internal deadline is the end of 2012. Just as well for me I guess... pfsense doesn't yet support ipv6 so unless I rolled my own router distro together I couldn't use it anyway.

Re:From another perspective...

[Fez]

pfSense does support IPv6 in the 2.1 branch, see here and here.

Re:From another perspective...

[grumpygrodyguy]

Once you've gone IPV6, who's going to want to go back. You'll be a Comcast customer until FIOS, DSL or whatever other competition might actually exist catches up.

Speed is useless if they disconnect your connection for using it.

Unlimited 1.5/256 DSL > than any of Comcrap's 250GB capped plans.

Re:From another perspective...

[unixisc]

Comcast, by going w/ Dual Stack Lite, is ensuring that it will have to do this only once, and not invest again in IPv6 equipment. ISPs that depend on transition mechanisms like tunneling are ultimately going to need to upgrade their equipment once their IPv4 addresses run out, or as they see sites or networks that are IPv6 only. But those who go w/ either full Dual Stack or Dual Stack Lite (which is IPv4 on IPv6) won't need to go through that headache, if they've done it now. In fact, given Comcast's experience, even Dual Stack makes less sense than Dual Stack Lite, since the former would continue to need more IPv4 addresses, while the latter won't.

Re:From another perspective...

[magamiako1]

What exactly are you talking about with "dual stack lite"?

Comcast is going completely native dual stack. They are maintaining both an IPv4 and an IPv6 infrastructure separate at the IP layer.

Old-tech solution

[SuperKendall]

My solution has always been to bring the toaster into the shower with me so I do not require a notification.

Or at least that's my plan now, I'll implement that right awaZORCH

$5-$8 Per IPV6 IP just like cable boxes

$5-$8 Per IPV6 IP just like cable boxes

Re:$5-$8 Per IPV6 IP just like cable boxes

Per /64 or /128?

There will be no IPv6 transition

[RoLi]

The problem is that there is no benefit in using IPv6 as long as there are no IPv6-only services.

Therefore, it is unlikely that IPv6 can be rolled out successfully.

Re:There will be no IPv6 transition

[neiko]

Just like there weren't any IPv4-only services in the beginning? What kind of an argument is that?

Re:There will be no IPv6 transition

[NetDog_CO]

There are content providers starting to use Dual-Stack so they are supporting both IPv4 and IPv6. Here are just some of them: http://www.v6.facebook.com/ http://ipv6.google.com/ http://www.comcast6.net/

Re:There will be no IPv6 transition

[Karl+Cocknozzle]

The linked article echoes what I've been saying for years now: IPv6 is lab technology, cool, interesting but essentially pointless as anything other than a conversation piece in real life. Converting all of the internet would require 40,000 man-years of labor to complete... Conservatively. And that doesn't count even a second of work for changes to internal networks to get to an "All IPv6" network so we can actually have "end-to-end" connectivity. Honestly, who wants it? Who needs it? If I need end-to-end connectivity between two sites I use a VPN or use a private WAN service. Even if I could flip a switch instantly turning the entire internet into perfect IPv6 harmony, and every workstation/laptop/mobile device on earth instantly into perfect configuration, we still wouldn't have "end-to-end" connectivity because nobody in their right mind actually wants that.

Re:There will be no IPv6 transition

[Karl+Cocknozzle]

Just like there weren't any IPv4-only services in the beginning? What kind of an argument is that?

A good one. It's your response that isn't a good argument... There were no IPv4 services prior to the Internet. But there ARE legacy services prior to the IPv6 internet. And the popularity of these legacy services mean implementing a forklift-upgrade to IPv6 is simply economically impossible for the reasons listed in the linked article, specifically:

• Just Internet Infrastructure is 40,000 man-years of work to complete.
• Internetal business networks could run into the trillions of man-years to complete.
• Even if we did all of this, end-users still don't have a clue what we're talking about, and don't want to change their internal networks that they worked so hard to make work in the first place. Until you can get the end-users changed over, the infrastructure and business network changes will never happen.

Re:There will be no IPv6 transition

[GPLHost-Thomas]

First of all, that's bullshit. There are some IPv6 only services (google for it if you don't trust me). Then, having so many IPs at home for your own use *IS* convenient. I have my wife's laptop IPv6 in my /etc/hosts, so when she need, I can ssh from work to her laptop, and do apt-get dist-upgrade for example. Yes, I know, I could have also setup a port forwarding on my router, but why should I remember the port and all? It's just more convenient to just ssh the standard port isn't it?

Re:There will be no IPv6 transition

[DigiShaman]

It's the classic chicken or the egg problem. It will be at least another 2 years before IPv6 is fully deployed and a total of 15 years (I pulled reasonable rough estimate out of my ass) before it completely replaces IPv4. Get used to the dual stack for a very very long time my friend.

Re:There will be no IPv6 transition

[hawguy]

Converting all of the internet would require 40,000 man-years of labor to complete... Conservatively

Is that a lot? There must be hundreds of thousands of CCNA's out there. Plus hundreds of thousands more network professionals without a cert.

So when you have a few hundred thousand people to spread the work around to, 40,000 man-years doesn't seem like much work, it could easily be done in a few years.

Why wouldn't someone want end-to-end connectivity across the internet? I have 3 webcams at home, I'd love to just access them directly with a simple IP address instead of having to deal with PAT on my edge router. Granted, I don't necessarily need to connect to every device on the internet, but there are a few specific devices that I *do* want to connect to, and I want to connect to them no matter where I am whether at work, via mobile, or while traveling. When mom calls, I don't want her to have to install a private WAN link (which is rather expensive) or set up a VPN connection just to show her the cat sitting on the back deck.

Re:There will be no IPv6 transition

[unixisc]

Once IPv4 addresses start running out - which already seems to be in acute shortage @ Comcast - whether IPv6 has exclusive services or not won't be an issue. Besides, dual stack lite, as opposed to dual stack, is a long term solution, as the networking equipment will support IPv6, while servers @ the ISP would NAT it for IPv4 as long as it is needed.

Re:There will be no IPv6 transition

[WaffleMonster]

Just Internet Infrastructure is 40,000 man-years of work to complete.
Internetal business networks could run into the trillions of man-years to complete.
Even if we did all of this, end-users still don't have a clue what we're talking about, and don't want to change their internal networks that they worked so hard to make work in the first place. Until you can get the end-users changed over, the infrastructure and business network changes will never happen.

I must say I'm very impressed by the evolution of v6 clue on slashdot esp in the Area of NAT vs SPI.

A few comments on this perspective. CPEs don't last forever. Eventually the power brick will fizzle out or get toasted in a lightning strike.. and you will buy a new better one. The new CPE will come standard with IPv6.

In terms of the end user they currently don't know/care what IPv4 is. IPv6 won't be any different. They will simply plug in the ethernet plug or connect up wireless - IPv6 will be auto-configured and just work like IPv4 does today.

In terms of businesses switching their complex internal networks to IPv6... Why is that *EVER* necessary? All they actually need to do is IPv6 enable their external presence. Large content companies have been there done that. They are telling us it is not a big deal.

Was just looking at my NTP queue today and wouldn't you know it I'm synched with some IPv6 time servers. I didn't ask for or configure that... It just happened.

Re:There will be no IPv6 transition

[FireFury03]

There are content providers starting to use Dual-Stack so they are supporting both IPv4 and IPv6.
Here are just some of them:
http://www.v6.facebook.com/
http://ipv6.google.com/
http://www.comcast6.net/

Bit of a shame they still don't publish AAAA records for their main addresses though :(

Also, v6 facebook is a bit broken - a lot of their internal links are absolute references to www.facebook.com, so you only have to click a few things and suddenly you find you're on the v4 site instead of the v6 one.

Re:There will be no IPv6 transition

Have you not read the post you are replying to? As long as there is still a IPv4 version, IPv6 offers no benefit.

Re:There will be no IPv6 transition

[mjwx]

It's the classic chicken or the egg problem. It will be at least another 2 years before IPv6 is fully deployed and a total of 15 years (I pulled reasonable rough estimate out of my ass) before it completely replaces IPv4. Get used to the dual stack for a very very long time my friend.

It'll be like the transition from dial-up to broadband. Sure in 10 years there'll still be some grandma's on IPv4, but everyone else will have moved onto IPv6. The IPv4 stack will be depreciated over years but realistically a transition for all but the worst of laggards will only take a 5 odd years. Long enough for the average Joe to buy a new modem/router. Eventually, forward thinking ISP's will simply terminate the IPv4 stack as the number of customers remaining on IPv4 wont be worth maintaining the stack in as short a time as 5 or 6 years.

Re:There will be no IPv6 transition

[Karl+Cocknozzle]

Converting all of the internet would require 40,000 man-years of labor to complete... Conservatively

Is that a lot? There must be hundreds of thousands of CCNA's out there. Plus hundreds of thousands more network professionals without a cert.

So when you have a few hundred thousand people to spread the work around to, 40,000 man-years doesn't seem like much work, it could easily be done in a few years.

Why wouldn't someone want end-to-end connectivity across the internet? I have 3 webcams at home, I'd love to just access them directly with a simple IP address instead of having to deal with PAT on my edge router. Granted, I don't necessarily need to connect to every device on the internet, but there are a few specific devices that I *do* want to connect to, and I want to connect to them no matter where I am whether at work, via mobile, or while traveling. When mom calls, I don't want her to have to install a private WAN link (which is rather expensive) or set up a VPN connection just to show her the cat sitting on the back deck.

Are you serious? If so, I'd love to get a look at your bank statements...
.
Average hourly US Rate for CCNA is $34-38/hr depending on a number of factors. Let's say $35 for our calculation. But since that's what he's paid at the end, and doesn't factor in profit for the fatcat contractor, let's say it's closer to $90/hr when all is said and done billed to the Feds.

A year with two-weeks Vacation/PTO is 50 weeks, 5 days per week. Or 250 workdays.
(250 Workdays) * (8 Hours) = 2,000 hours.
So one "man-year" is 2,000 hours.
40,000 * 2,000 = 80,000,000 hours. (80 million.)
80 million * $90 = $7,200,000,000

So that's $7.2 billion... Just for the wages of the people executing the change. Then somebody has to "architect" the project and for consultants those fees are often 25+% of the project... so let's say:
$7.2 billion * 1.25 = $9,000,000,000.

So let's say it is "only" $9 billion. This "isn't a lot" for a government, but it isn't the government who needs to pony up. It's billions of individuals and businesses who have exactly ZERO motivation to do so. Why should they? Their internet does everything they think it should. ...And if they go to IPv6 they have to take steps to access resources that "just work" today under IPv4... What's the motivation? Their staff has been cut to the bone... There's nobody left for "pie-in-the-sky this-is-how-it-should-be-done" these days: If it doesn't directly affect the bottom line, it ain't happenin.

This in no way affects the bottom line of any but a tiny smattering of businesses. Therefore, it ain't happenin.

Re:There will be no IPv6 transition

[Karl+Cocknozzle]

I must say I'm very impressed by the evolution of v6 clue on slashdot esp in the Area of NAT vs SPI.

A few comments on this perspective. CPEs don't last forever. Eventually the power brick will fizzle out or get toasted in a lightning strike.. and you will buy a new better one. The new CPE will come standard with IPv6.

Except that not everybody will replace their device at the same time... Which means unless some "nobody ever got fired" type goes against all his instincts and is willing to just hard-cut-off revenue from customers with a hard IPv6 cut-over deadline, the providers will be providing IPv4 forever... Or a few decades, which in Internet time is the same as "forever."

But your point about large internal networks never EVER going to V6 is spot-on... It's just a pointless exercise. I genuinely think we'll eventually see the Internet on V6, gateway devices NAT'ing 4to6 and back again, and life simply "going on" as it always has inside--with IPv4 networks.

Re:There will be no IPv6 transition

[hawguy]

Are you serious? If so, I'd love to get a look at your bank statements...

What if I said I had $240B in my mythical IT bank account?

So that's $7.2 billion... Just for the wages of the people executing the change. Then somebody has to "architect" the project and for consultants those fees are often 25+% of the project... so let's say:
$7.2 billion * 1.25 = $9,000,000,000.

So let's say it is "only" $9 billion. This "isn't a lot" for a government, but it isn't the government who needs to pony up. It's billions of individuals and businesses

Ok, let's say that it's $9B just in the USA (though I assume that 40,000 man-year figure was worldwide since IPv6 it doesn't do much good if only a portion of the internet converts over). Spread it over 3 years, and it's $3B/year.

You seem to be underestimating the resources that are available. Total IT spending in the USA is around $500B:

http://www.informationweek.com/news/hardware/desktop/224202347

So you're talking about 0.6% of IT budgets going to IPv6 upgrades.

Their internet does everything they think it should. ...And if they go to IPv6 they have to take steps to access resources that "just work" today under IPv4... What's the motivation?

Companies had nothing to gain from using NAT IPv4 firewalls either (and NAT introduces a lot of complexity with many protocols - IPSec, SIP, h.323, etc) yet they did it anyway. There's nothing (aside from IP address scarcity) stopping a company from using public IP's for all of their workstations with a firewall in front. Once the world starts migrating to IPv6, then there will be incentive to migrate as IPv6-only services become common.

Re:There will be no IPv6 transition

[toddestan]

What if everyone was a IPv6 source? Doing P2P when everyone is on IPv6 should be a lot easier than doing P2P when everyone is behind a NAT.

Re:There will be no IPv6 transition

[Bengie]

" It's billions of individuals and businesses who have exactly ZERO motivation to do so. Why should they?"

The chief network engineer of one of the top 5 ISPs said carrier grade NAT with IPv4 will cost more up-front and in the long run than just switching to IPv6.

The real question is "why shouldn't they?"

Anyway, 9bil is nothing. Large ISPs like Comcast pull in almost 40bil/year revenue. 9bil in additional operational costs, spread over 3-5 years is nothing. Not to mention it's almost impossible to upgrade your equipment and not get IPv6. It's not a matter of replacing IPv4 equipment with IPv6 equipment, but configuring what they already have.

IPv6

I always have mixed feelings about it. On paper, it's amazing and blows IPv4 out of the water.
However, while sure now your (everyone keep saying toaster so why not) toaster can now connect directly to the web, now also your ISP can see exactly how many devices you're attaching to the internet.
ISPs (or at least the ones in America) do anything and everything they can to squeeze more money out of the customer. I'm willing to bet it's only a matter of time before you're paying for internet per device.

Re:IPv6

[nurb432]

now also your ISP can see exactly how many devices you're attaching to the internet.

And since comcast is really just a cable TV company at its core, they will charge you per device.

I'm assuming that something like PFsense or a timecapsule will still work as a NAT device?

Re:IPv6

[digitalsushi]

That notion is very alarmist and 1990's era. An ISP can make a pretty good guess of how many lan devices you have using million dollar stat boxes, like sandvine makes. They dont care. ISPs are all media providing machines on another face and they know all your lan devices are just media consuming vehicles with credit card slots strapped on the side. They really don't care. They'll just do metered billing someday and we'll all crab together.

Re:IPv6

[characterZer0]

So set your firewall up so that your ISP cannot see your toaster.

Re:IPv6

[higuita]

nope, as you can also change the your ipv6 address, specially if you use the ipv6 privacy extension... your ISP will not know when its the same device or another device

to do that, they would need to deliver just ONE ipv6 address for you... and that goes against the goal of the IPV6 and would probably force the ISP to have a lot more work to deliver ipv6 that way than to allow a normal ipv6 range to the user...

Re:IPv6

[Fez]

IPv6 doesn't have NAT in the same sense that IPv4 does. What it has is prefix translation, which can move your devices into a different subnet, but it doesn't (at least that I've seen) have a means to hide multiple IPs behind a single address.

Not that it would be practical for ISPs to track/charge based on device anyhow...

Re:IPv6

[nurb432]

Why wouldn't it be practical? They do it now with "TVs" via the mac address on the box(s) that is attached to it. i still think that was part of the forced ( purchased by the industry ) move to digital video transmission, and the DMCA, so that they could once again get you to rent($) cable boxes, in effect that cant be legally built by a 3rd party. ( be it a real box, or a card for your TV. )

Back to 'internet acces' charges: You get charged x$ per month "basic network access" fee with a low cap, + x$ additional charge per device, perhaps raising the cap for each device..

Exactly!

And why would anyone but an idiot want a phone number or postal address that can be reached by the public at large??

Re:Exactly!

[0123456]

And why would anyone but an idiot want a phone number or postal address that can be reached by the public at large??

Exactly. Who wants to have to deal with idiot marketing calls all the time?

Re:Exactly!

[SomePgmr]

Well if we're going to get silly...

I'll take addresses and phone numbers for all of my homes and phones, without having to use post-it notes and pseudo-addresses to make everything reachable. Particularly if having those addresses affords me the same level of security as doing without.

After all, nothing about being able to address all your devices precludes the use of proper firewalling, just as you do now.

Re:Exactly!

[Obfuscant]

I'll take addresses and phone numbers for all of my homes and phones, without having to use post-it notes and pseudo-addresses to make everything reachable.

Is there a difference between having a post-it note reminding you of the IPv6 address for your toaster compared to a post-it that reminds you of the address and port?

Particularly if having those addresses affords me the same level of security as doing without.

It doesn't. Securing an address that exists requires proper configuration of a firewall and some reasonable assumption that the firewall itself doesn't have security issues. Securing an address that doesn't exist requires nothing. You cannot break into a toaster that doesn't have an internet connection.

After all, nothing about being able to address all your devices precludes the use of proper firewalling, just as you do now.

Botnets thrive because mom and pop computer users don't know better. Your "just as you do now" doesn't apply to the vast majority of home network users, because "just as you do now" for them means "do nothing". Assuming that giving every mom and pop a toaster with an IPv6 address will result in better security instead of worse is ignoring history.

YOU may know how to configure a modern firewall properly, but mom and pop won't, and they'll have their toaster on the wild and wooly IPv6 internet.

And what I expect will be a more serious problem will be all the people who know how to configure a firewall but who will wind up with equipment behind that firewall that doesn't work unless the firewall is open. Anecdotal evidence? My fancy new smartphone has an SMB app so I can get files from my Windows and Linux desktops. It uses a kind of authentication that neither of my desktops understands, so I need to leave both of them open if I want access from my phone. I know better than to open the ports on my NAT/router/firewall so the public can get to them, but mom and pop won't, and someone who really really wants to access his systems from his phone while outside the internal network may either open the firewall, or at best rely on the firewall to be configured properly and have no security holes that makes his home network swiss cheese.

Re:Exactly!

[Rising+Ape]

YOU may know how to configure a modern firewall properly, but mom and pop won't, and they'll have their toaster on the wild and wooly IPv6 internet.

Then perhaps it's about time that manufacturers put some thought into security rather than blaming something else if their devices get pwned. There's no reason why a home appliance should need a separate firewall to be secure.

Even Microsoft have got the hang of it now - I had my Vista box on a public IPv4 address for months without problems.

Re:Exactly!

[Obfuscant]

Then perhaps it's about time ...

You can rant about how things would work in a perfect world, or you can be pragmatic and deal with the way things will be done. Mom and Pop won't pay for a toaster that contains all the network security they need but don' t know about. They'll buy a cheaper toaster with the network features but no security. If the toaster has too much inherent security by default, and it doesn't work out of the box, or they can't figure out how to set it up, they'll take it back. That manufacturer loses.

Re:Exactly!

[Rising+Ape]

What "security" would it need? It just needs to not do something stupid like accept and trust connections from anywhere on the planet. That's not too hard, surely? Just don't open any ports that you don't need. If you do need it, then you'd need to port forward with a NAT too, so no security gain there.

Re:Exactly!

[SomePgmr]

It sounds like you're operating under a premise I don't quite understand. Why does switching to IPv6 imply that we must network things that shouldn't be networked, and do it poorly? Can we, should we and will we network the toaster? That's unknown. But if we did, I don't see why it would have much to do with the particular form of network addressing we use. All discussion of device security beyond that seems tangential (though not unimportant on its own).

For "mom & pop", whom everyone seems both terrified of and for, the situation should be largely the same. They'll plug their devices into a box, likely provided by their ISP. That box will do all the routing and firewalling their current box does, seemingly by magic, just as it does now. I don't see why that would change.

And in the process we'll have rid ourselves of spaghetti solutions like NAT and negotiating port forwarding for like services. Need to expose some service on your xbox? Great, it's easy now. There's no need to expose the toaster in the process, any more than there is now.

Though if there's something I'm overlooking I'd genuinely appreciate a heads-up, because it's clear that time is a-comin'.

Re:Exactly!

[Obfuscant]

What "security" would it need? It just needs to not do something stupid like accept and trust connections from anywhere on the planet. That's not too hard, surely?

So, I want to control my toaster from my bedroom and from my smartphone. And my kitchen. How do I tell the toaster what addresses to accept connections from? How do I teach mom and pop how to determine what addresses they will be connecting from using that smart phone app they just downloaded? How do I teach it what addresses are in the house and should be trusted implicitely, and which are transient in the house and should not?

Just don't open any ports that you don't need. If you do need it, then you'd need to port forward with a NAT too, so no security gain there.

This statement makes no sense. Why would I need to port forward an IPv6-addressable toaster? Isn't that the point of IPv6 and an essentially infinite number of addresses? I connect it to the net and bingo, it's on the net! Unless the default security is so tight that nobody can connect to it (the only reasonable default that will protect everyone), and then I need to know how to configure it. Not an easy task for some people.

But like I said, you can rant about what you think a perfect world would look like, or accept the fact that it won't be like that and learn from history.

Re:Exactly!

[knorthern+knight]

> Then perhaps it's about time that manufacturers put some thought
> into security rather than blaming something else if their devices get
> pwned. There's no reason why a home appliance should need a
> separate firewall to be secure.

For 99.9% of home devices, you shouldn't have them connected to the internet in the first place. Outside of a Netflix-streaming TV set, or an "internet radio", there isn't much in the way of home appliances that *NEEDS* an internet connection to function. And even those should not respond to incoming unsolicited connections.

Re:Exactly!

[Rising+Ape]

So, I want to control my toaster from my bedroom and from my smartphone. And my kitchen.

If you wanted to do this with IPv4 and a NAT, how would you do it? Rely on everything that you want to connect to it being on the LAN? You can achieve the same thing by having the device only accept connections from addresses corresponding to the LAN. This is an easy enough check for the device to do, it could work that way by default. No need for a separate firewall.

If you wanted to have it accessible from outside (on IPv4 behind a NAT) then you'd presumably have to tell the device to accept connections and the NAT to forward a port, whereas on IPv6 you wouldn't need the port forwarding. Either way, the security would be the same - an unwanted external attacker could attack both scenarios with equal ease.

New route for exploits

I find IPv6 to be very annoying with all its routing and discovery packets and such, it makes it difficult to secure because you're not sure what to let through and what can pose security problems.

I ran my primary public web server on IPv6 for a while but after having multiple attacks come in through that vector I decided to just shut it all off. Both the machine and the daemons running on it need to be carefully examined for how they behave on IPv6. I'm going to have to sit down and really go through everything to make it secure on IPv6 which is very annoying because I don't have time for that BS. I figure this is going to be a problem for many other administrators too and is probably why we're not already on IPv6 across the board. Plus the whole deal with those long hex addresses and counting colons takes a lot more mental effort to juggle than the short little IPv4 addresses. It's just a lot of work.

Re:New route for exploits

Pretty much THIS. Had to deal with the same thing myself.

Re:New route for exploits

1. The only IPv6 "routing and discovery" packets that should be flying around are local-network only. The fact that you didn't know that, and the fact that you are confused by the whole thing, suggests that the problem is with you, not IPv6.

2. More than likely, you screwed up configuring your public web server when setting it up for IPv6 (it is hard to tell, because the only information we have is you blame IPv6 for it). That suggests the problem is with you, not IPv6.

3. You need to sit down and figure out how things work, security-wise, on IPv6. That's nice... join the club? There isn't some grand conspiracy to confuse and frustrate you.

4. There was a time when people complained about remembering phone numbers that were an incredible *7* digits long. My advice to you is adapt or go get a job at McDonalds. I hear there is some sort of distributed naming system that lets you assign names to IP addresses, maybe that will help.

Re:New route for exploits

[snowshell]

1. The only IPv6 "routing and discovery" packets that should be flying around are local-network only. So that means anyone who bypasses your wireless WEP or WPA keys and has access to your local network. 2. More than likely, you screwed up configuring your public web server when setting it up for IPv6. Maybe, perhaps, I wouldn't know as I use IPSec & TCPCRYPT for my tunneling not IPv6. 3. You need to sit down and figure out how things work, security-wise, on IPv6. Oh I have and whats more I have all the tools to hack into it. 4. I hear there is some sort of distributed naming system that lets you assign names to IP addresses, maybe that will help. Bind9 and no not really that just set's you up for DNS Cache spoofing!

One IPv4 address per interface?

[janeuner]

Must be a relic of an operating system.

Re:One IPv4 address per interface?

[Ant+P.]

Yeah... even something as brain-dead as Windows 2000 supports multiple IPv4 assignment.

We already have the problem with IPv4

[zerofoo]

I've seen plenty of people plug their cable modems right into the back of their computer with no firewall of any kind. Thankfully, most operating systems ship with a software firewall - it's better than nothing. Most of these types of customers bought a nat box, not due to security concerns, but to get wireless connectivity.

IPv6 direct connectivity will be a problem ONLY if end users plug all of their devices into a switch and those devices lack a software firewall. I don't know of any "non-technical" home users that have such a switch. Everyone seems to have a "nat box" simply for wireless connectivity. I suspect people will not go buy a dumb switch and access point, simply because they do not know what they are.

I suspect most people will go buy an "IPv6 capable" firewall/switch with built in access-point. End users will have no idea that they no longer use nat - hell most probably don't even know they have it now.

-ted

Awesome

[jandrese]

Did you hear that Verizon? Your "next generation optical network" is now behind the clunky old cable modem guys on this issue. Where is your update? Hmmmm?

Re:Awesome

[DigiShaman]

Oh, i'm sure they have plans. They already NAT IPs for their phones though. That, and none of the cell phones on the market support IPv6 to my knowledge. Except for the iDevices and Droids, updating the OS is rarely (if ever) done over the air for any other make/model. So they must be thinking, "why the rush?".

Re:Awesome

[eladts]

Droids and iDevices do support IPv6, at least over Wi-Fi. T-Mobile has an experimental IPv6 only APN: https://sites.google.com/site/tmoipv6/lg-mytouch

Re:Awesome

It would be nice if people would stop confusing Verizon Wireless and Verizon Communications. They different companies and the GP was clearly referring to Verizon Communications which has nothing to do with cell phones.

Re:Awesome

[unixisc]

All 4G devices have to be IPv6 only - the standard doesn't allow them to be IPv4, since it was written on the presumption that IPv4 would be exhausted.

Wake me up when they start issuing /48s.

[John+Hasler]

They won't really be supporting IPv6 until then.

Re:Wake me up when they start issuing /48s.

[magamiako1]

Per more recent RFC changes the requirement has been lowered.

ISPs do not have to provide a /48, so as long as they aren't forcing you to below a /64 for stupid reasons like "we're wasting IP space".

Essentially, chances are you're going to get /56 and /60s as-needed.

Wrong

Wrong also. The security gain comes from having to rewrite adresses to be connectable. No rewrite == not connectable. This is also the weakness of being behind NAT, as you can only map adresses on a per port basis. So you can run exactly one webserver (on port 80, that is).

An IP6 firewall (regardless of statefulness) would enable you to run many servers behind it.

Re:Wrong

[omnichad]

Well, for web servers, you can run one webserver on port 80 that proxies to other web servers on different virtual hosts (at least in Apache).

Re:Wrong

[mattventura]

This is untrue. NAT simply implies some form of firewall which disallows random incoming connections, which is where the security comes from. The security of this would be exactly the same as if I had a non-NAT router which I set to disallow connections from WAN to LAN.

Personally, my router has WAN and LAN interfaces and 2 DMZs. I apply the same rules to the DMZ interfaces as I do to the WAN (no connections to the LAN). The NAT is not necessary at all. No rewriting involved.

Re:Wrong

Perhaps I should have been more clear.

In most NAT setups there is a translation from outside, Internet-routable, reachable IP-adresses to inside, non-Internet-routable adresses. This mapping has to be done implicitly. No mapping means no reachable internal computers. That provides a level of security: that which can't be reached, can't be hacked (from the outside, that is).

That a firewall is commonly available on any device where NAT is being used, is a good thing as it provides additional (and, to be honest, better) layers of security.

A firewall without NAT is (or can be) a good solution. NAT without a firewall is not a very good solution (security-) wise, but works actually not all that bad when there are no undue mappings. It is a sort of security-by-side-effect, I'll admit that readily. But it is also a very important reason the Internet isn't completely overrun by malware (any more than it already is).

But isn't that the problem?

[khasim]

I suspect most people will go buy an "IPv6 capable" firewall/switch with built in access-point. End users will have no idea that they no longer use nat - hell most probably don't even know they have it now.

The current situation provides some level of security for the end-user ... even if the end-user does not understand the concepts.

The get 1 IP address from their ISP and they buy a magic box that provides them lots of sockets to plug stuff into and wireless access. They don't know if they're running NAT or PAT or what the difference is between stateless and stateful.

But will that same behaviour have different results once they receive globally routable IP addresses for each device? I think it will.

And I also think that there will be IPv6 compatible magic boxes that do NOT have firewall capability up for sale very soon. It's just cheaper to NOT have certain functionality and that means saving $5 or so on the device. In essence, they will be just a cheap switch/wireless-bridge that plugs into the Comcast cable modem.

And those devices will, initially, appear to have MORE functionality as the end-users won't have to go through additional steps configuring the firewall to connect to other gamers / torrents / whatever.

And that's not considering the end-users who will turn off the firewall functionality of the firewall/wireless-bridge/router devices because it "makes everything work".

Re:But isn't that the problem?

[dissy]

You confuse NAT with Firewall.

IPv6 still needs a firewall, which will be done by the same device that currently does your NAT and firewall. Why would that change?

But will that same behaviour have different results once they receive globally routable IP addresses for each device? I think it will.

Why, did your current router come pre-configured to forward all of your ports to random inside IPs without you directing it to do so?
No?
Then why would an IPv6 firewall allow in a single packet from the Internet without you specifically directing it to?
It won't.

Globally routable does NOT mean you are forced to globally route anything. It makes it an Option, fully under your control. An option you typically never have right now, want it or not.

Re:But isn't that the problem?

[unixisc]

Globally routable does NOT mean you are forced to globally route anything. It makes it an Option, fully under your control. An option you typically never have right now, want it or not.

Actually, as far as secutity goes, end-to-end connectivity means that IPSEC doesn't report a problem if the address header of its encapsulated packet goes unchanged. Which it does w/ IPv6, since NAT is disallowed, but which it doesn't in IPv4, b'cos what NAT does is replace the destination address, which is the address of the NAT, with the local address that it will ultimately get to. As a result, IPSEC, which has had to be kludged to work in IPv4, works like a charm in IPv6.

Better tracking for MPAA, etc.

Of course, once everyone's on IPv6, the copyright police will be better able to tell exactly who is doing all the illegal downloading and trading. WINNING!

Re:Better tracking for MPAA, etc.

[snowshell]

Rubbish IPv6 makes it harder to track traffic, besides if your downloading stuff across various networks that distribute copyrighted content then why the hell are you downloading stuff without a Blocklist & Blacklist all those IP addresses that belong to the idiots who call themselves the copyright police. Secondly you should be encrypting all your traffic from you to the peer, that way they know you are downloading, they can see the huge spike in the network traffic, but as to what you are downloading they remain totally clueless. I await the day I get a letter from the Copyrot & Copyleft police in anticipation, perhaps it'll say "we hereby notify you that your traffic was encrypted to a military standard and we where unable to see what you where transferring and with whom, we are just writing to make you aware that we are aware and are asking you to desist from using such an impregnable form of cryptography across a distributed sharing medium over which we acknowledge that we have no control. May we have a cookie?"

around here it's also crazy expensive

[Chirs]

Like 10x a standard consumer connection.

Re:around here it's also crazy expensive

[laffer1]

I'm paying about $75 a month for it, but I don't have to worry about IP addresses changing and my wife doesn't complain anymore about her world of warcraft experience. For that alone, it's worth the money.

Once you have carrier grade NAT, does it matter?

[Chirs]

If the ISP is doing carrier-grade NAT across their whole address pool, does it matter anymore that you might technically share an IP address with others? Heck, you could be using different public v4 addresses for different connections and most people would never know.

Get a clue.

NAT is not the Devil coming to Eat your Children.
NAT can be used to source many machines from the same address, and it can also be used to source one machine from many address.
You can do all kinds of cool stuff with NAT, because NAT is a firewall concept.

But most of you dipshits see "NAT" and instantly assume it's some Draconian method of forcing you to only have a single public IP address. Yeah, sometimes it's used for that, but that's only one example and only a few ISP's actually do that in the first place. Most will give you anywhere up to a dozen, which is limited by the capabilities of the hardware they put in your house, not some nefarious plot to "keep you down, maaaan."

The problem with getting around NAT isn't NAT, it's the fact your piece of SHIT $140 "bad-ass gaming router" you bought from Fuck-Mart can only support one IP address on the public interface, and can only do LAN-side routing.

Re:Get a clue.

[FireFury03]

NAT is not the Devil coming to Eat your Children.

Correct. But NAT does cause lots of problems, so getting rid of it where it isn't needed is a Good Thing.

NAT can be used to source many machines from the same address

Correct, but why would you want to if you weren't restricted on the number of addresses you could have?

and it can also be used to source one machine from many address.

Again, correct, but you don't need NAT to do this, you can just assign those many addresses directly to the machine in question. Doing that has the advantage that the software on that machine can know which address the connection was for.

You can do all kinds of cool stuff with NAT

Yes. Although, except for temporary measures (for network migration) and alleviating IP address shortages, the only use I've ever found for NAT in my 13 years of networking experience is load balancing internet connections. This is something I'm curious to figure out if there is a good solution for IPv6 (so far I've not had to configure load-balanced IPv6 connections).

because NAT is a firewall concept.

No... no it isn't. NAT has nothing to do with firewalls other than that it depends on some of the same low level technology (namely, stateful connection tracking). NAT provides very little security in itself (if you plug your NATting router into an untrusted broadcast network then people on that untrusted network can connect directly to machines within your NATted LAN. The only way to prevent this is with a firewall.)

No, I don't.

[khasim]

You confuse NAT with Firewall.

No, I don't. And you probably mean PAT, not NAT.

IPv6 still needs a firewall, which will be done by the same device that currently does your NAT and firewall. Why would that change?

No it does not. The same as IPv4 does not require a firewall.

But, many end-users purchase an EXTERNAL firewall in order to get the PAT functionality so that they can run multiple devices (and wireless) on the single IP address that their ISP provides them.

So, in order for them to overcome the limitations of IPv4 (fewer IP addresses) they, inadvertently, purchase a firewall that improves their security.

Why, did your current router come pre-configured to forward all of your ports to random inside IPs without you directing it to do so?
No?

I have no idea what you're thinking of.

Then why would an IPv6 firewall allow in a single packet from the Internet without you specifically directing it to?
It won't.

Again, because with IPv6 there is no need for the ISP to limit the end-user to a single IP address. So the end-user can purchase different devices (such as a switch with a wireless bridge) that would allow the same PERCEIVED functionality with IPv6 as they get with IPv4 and a firewall/PAT device today.

Globally routable does NOT mean you are forced to globally route anything. It makes it an Option, fully under your control. An option you typically never have right now, want it or not.

And the point being that the end-user does NOT understand that TODAY. And cannot be expected to understand it when Comcast rolls out IPv6.

Having globally routable addresses means that if the end-user's home network is mis-configured from a security stand-point, their devices could still "work" from the perspective of the end-user. They would still be able to access the Internet.

Right now, with IPv4, that is less likely for the end-user.

Re:No, I don't.

[crdotson]

The average end user knows nothing about NAT, PAT, stateful vs. stateless firewalls, etc. I'm happy you understand these, but users are going to buy a wireless ap/router/firewall combo that is marked "ipv6 compatible" and they will be perfectly fine. And we won't have to play idiotic UDP games to fool firewalls to let in the traffic we actually want, and worry about port forwarding, "dmz mode", etc.

NAT is probably the worst thing ever to happen to the Internet.

Re:No, I don't.

[profplump]

First, put away the PAT -- your Cisco is showing, and the kind of packet mangling done by virtually all home routers does both address and port translation.

Second, while it is possible to buy a WiFi bridge that isn't a router/NAT/firewall box there are actually very few consumer-grade devices that do this -- I sometimes want one and often have to spend extra time searching for one, or even for a device that comes with NAT enabled but can be placed in a bridging mode. It also seems unlikely to me that access point manufacturers in the consumer market would quickly move to IPv6-only devices, and so long as the device is dual-stack the router/NAT/firewall functionality will almost certainly continue to be on by default.

So I'm just not seeing this is a big problem. Yes it's possible, but it's also possible now for anyone that hooks up a switch to a cable modem that will dispense multiple real addresses (more common that you might think -- my low-end consumer cable service did this for years), or who hooks up their cable modem directly to their computer, or who disabled the firewall protections provided by their router, etc. It's not clear to my why the risk would increase substantially just because there are a handful of other scenarios where users could be exposed.

And in any case if you're worried about such things the solution isn't NAT for IPv6 or IPv4, because ultimately that relies on the clueless, penny-pinching end-user you're trying to protect. The solution is an ISP-side firewall that's on by default but can be disabled by customer request. Then even directly-connected users and people who broken their local firewall or otherwise got routable addresses from any family configured on their desktop would still be protected and anyone who had a clue could still use the Internet.

Re:No, I don't.

[mattventura]

What makes you think the ISP would allow you to plug multiple things in behind the modem? Chances are, they'll give you one address, one subnet, and expect your router to do the rest. You wouldn't be able to use a switch.

they'll charge for IPs

They will probably still charge a fee for every additional IP address, so we'll still be stuck with NAT all over the place

Re:they'll charge for IPs

[unixisc]

Initially, they'll be doing this on a limited basis, and only in homes that have just one computer, where no subnetting will be required, and there, they will just issue a single /128. That /128 cannot be NATed. Later, when they introduce home networking, they would issue /64 addresses, which is what most home routers support anyway.

LIFT THE DATA CAP

[grumpygrodyguy]

Wake me when these idiots offer a plan that doesn't include a 250 GB monthly data cap.

Let me know when they support Linux

[The+One+KEA]

It looks like the initial deployments will only support recent Windows and recent OS X releases. Let me know when they take the blinders off their tech support people so that Linux folks can set their OpenWRT gateways and Linux servers up with IPv6.

Re:Let me know when they support Linux

[WaffleMonster]

It looks like the initial deployments will only support recent Windows and recent OS X releases. Let me know when they take the blinders off their tech support people so that Linux folks can set their OpenWRT gateways and Linux servers up with IPv6.

I must not be getting all of my memos. Since when do we call our ISPs for help configuring our Linux systems?

Re:Let me know when they support Linux

[marka63]

Just configure your Linux box to use DHCPv6. There are DHCPv6 clients out there. They do run on Linux and *BSD. Comcast are using bog stand protocols. This is no different than when ISP's said "We only support Windows". You would plug your Linux / *BSD box in and it would work.

Post-exhaustion future

[Daniel+Phillips]

Perhaps we can avoid a post-exhaustion future of NAT-upon-NAT and use restrictions.

Sorry, the post exhaustion NAT future already happened, and entirely because of the IPv6 design cock-up. If IPv6 had been designed for maximum compatibility with IPv4 we would have completed the transition decades ago.

I'm afraid it's going to get worse from here, too. The big question is, what use is IPv6 when there are next to no web sites serving it?

Re:Post-exhaustion future

[Daniel+Phillips]

...If IPv6 had been designed for maximum compatibility with IPv4 we would have completed the transition decades ago....

Excuse me, a decade ago, although IPv6 has been around roughly two decades now. Two words: epic fail.

Re:Post-exhaustion future

[magamiako1]

You do know that *all* of Google's services are IPv6-enabled, right? As of right now they have it specially configured to only be available to "white-listed" IPv6 DNS servers. Expect that to change over the course of 2012, then, IPv6 Google for everyone!

Facebook has www.v6.facebook.com, xbox.com is IPv6-enabled, World of Warcraft has a few IPv6-enabled game servers (only a few mostly due to datacenter and deployment limitations).

Expect a massive IPv6 push in 2012 due to the Comcast deployment.

Re:Post-exhaustion future

[Crackez]

... the IPv6 design cock-up...

You must realize that IPv6 was an attempt to fix the retarded nature of some IPv4 behavior?

Time-To-Live? Yeah that makes a lot of sense! Although that feature was co-opted to eventually become a "hop-limit" just like is in IPv6 now, but there were some really other dumb things that weren't thought through for IPv4 that were fixed in IPv6 (*cough* QoS).

Also, unrelated to IPv6, TCP and UDP are not the only protocols on the Internet. If all I can pass are TCP and UDP packets, then I do not have an Internet connection, I have a bunch of TCP&UDP connection - very much not the same thing.

Carrier Grade NAT can go translate itself in the corner. If my ISP started shoving this down my throat I would switch ISPs, and if that's not an option because you live in the sticks, then file a complaint and bitch until you get up high in the organization.

Re:Post-exhaustion future

[Daniel+Phillips]

Time-To-Live? Yeah that makes a lot of sense! Although that feature was co-opted to eventually become a "hop-limit" just like is in IPv6 now, but there were some really other dumb things that weren't thought through for IPv4 that were fixed in IPv6 (*cough* QoS).

You need a better example than TTL, which as you note was fixed without fuss and without breaking IPv4 compatibility. You are far from proving your case that the baby needed to be thrown out with the bathwater as the IPv6 committee wantonly did.

Yay for Comcast..

[snowshell]

IPv6 is a hackers paradise, thats why there are whole toolkits made for hacking it by reputable parties such as the Hackers Choice.. Backdoor deployment Enable IPv6 6to4 tunneling Run Backdoor on IPv6 address Not detected by port scanning Harder to analyze traffic IPv6 protocol exploits tools can be coded in just 5-10 lines Sounds like hacker heaven! Nat-upon-NAT!?!? I guess the phrase Double NAT escaped your notice.

Re:Yay for Comcast..

[magamiako1]

It sounds like you need to attend one of my IPv6 courses :)

IPv6 in XP?

[unixisc]

How does one enable it? Under Windows 7, if you click on Properties under Network, you have Client for Microsoft Networks, File & Printer sharing for Microsoft Networks, QoS Packet Scheduler, and Internet Protocol (TCP/IP). In Vista and 7, that line item is Internet Protocol version 4 (TCP/IP), and then there is one more item Internet Protocol version 6 (TCP/IP). That's how you get IPv6 in Vista and 7. But how does one get it in XP?

Re:IPv6 in XP?

[marka63]

You can install from the command line using "netsh interface ipv6 install".

Re:IPv6 in XP?

[marka63]

and "ipv6 install" in really early versions of XP.

TYPO

"Implicitly" should have been "explicitly", of course. When will Slashdot implement proper editing of comments? :-)