Comcast Begins Native IPv6 Deployment To End Users
First-time accepted submitter Daaelarius writes "Comcast has begun deployment of native IPv6 access to end users. The deployment is starting out small with a single market, but is expected to expand rapidly. They have provided ... more in-depth technical details."
Finally; native dual-stack IPv6 for home customers. Perhaps we can avoid a post-exhaustion future of NAT-upon-NAT and use restrictions.
Personally I think not being directly connectable (i.e., behind NAT) is good security-wise. It acts as a nice and easy firewall.
Unless you want to be directly connectable.
Go green: turn off your refrigerator.
Right after they test with the current demographic -- people with one computer that is directly connected to the cable modem.
This should go quickly, since every one of those people is already a zombie spam-bot.
Learning HOW to think is more important than learning WHAT to think.
People underestimate the address space in IPv6 when they make remarks like this.
In principle IPv6 could hold more than 10^38 addresses. Now, due to structuring and various reservations and so on, there are considerably fewer. So for the sake of argument, let's say it is "only" 10^20. That's still enough that for every present IPv4 address you could add an entire internet and still have addresses left over.
What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.
The idea is that the end user is still going to keep all his devices behind a firewall so everybody on the internet can't probe them. But since your toaster has its own actual address, it can connect directly to the Online Toasting Database server without having to kludge all that traffic through a NAT.
Ita erat quando hic adveni.
not being directly connectable (i.e., behind NAT)
WRONG.
On IPv4, NAT is generally implemented as a stateful firewall that also rewrites addresses.
There is absolutely nothing preventing a firewall on IPv6 that is stateful and leaves addresses alone.
The security gain comes from the stateful firewall, not from rewriting addresses.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
If you can't cook toast, then you probably shouldn't be bringing your phone in the shower with you, either.
----
Not to be confused with Col.
That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong. Shut down or secure any unneeded port-bound services, and install a basic firewall on the router to only let the ports you need out (just port 80 may be enough).
Plus, just finding a device on IPv6 can be hard. Given a 64-byte ICMP packet and a gigabit ethernet connection, it would take just under 300,000 years to ping every potential host in a /64. You want security through obscurity? Set your DHCP server to spit out addresses from some random offset instead of from ::1.
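Worked check of the numbers above, added here and not part of the comment: the sweep-time estimate under the comment's own assumptions (64-byte probes, 1 Gbit/s, no framing overhead or replies), plus what handing out addresses sequentially from ::1 versus using a random interface ID does to the number of probes a sweep would need. The prefix used is a constructed documentation prefix.

```python
import secrets
from ipaddress import IPv6Address, IPv6Network

SECONDS_PER_YEAR = 365.25 * 86400
IID_BITS = 64                     # host part of a /64 is 64 bits

def years_to_sweep(prefix_len: int = 64, packet_bytes: int = 64,
                   link_bps: float = 1e9) -> float:
    """Years to send one probe to every address in the prefix, counting only
    the probe bytes on the wire (no framing, no replies), as the comment does."""
    addresses = 2 ** (128 - prefix_len)
    seconds = addresses * packet_bytes * 8 / link_bps
    return seconds / SECONDS_PER_YEAR

def sequential_probes(n_hosts: int) -> int:
    """Hosts handed ::1, ::2, ... in order: a sweep starting at ::1 finds all
    of them within n_hosts probes, so the size of the /64 buys no obscurity."""
    return n_hosts

def expected_probes_to_first_random_host(n_hosts: int) -> float:
    """Hosts with uniformly random 64-bit interface IDs: a sweep needs on
    average 2^64 / (n_hosts + 1) probes before it hits the first one."""
    return 2 ** IID_BITS / (n_hosts + 1)

def random_host_address(prefix: str) -> IPv6Address:
    """Pick a host address with a random interface ID inside a /64. This is the
    'random offset' idea from the comment; RFC 4941 temporary addresses and
    RFC 7217 stable-opaque IIDs are the standardized forms of it."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    # the low 64 bits of a /64's network address are zero, so OR in the IID
    return IPv6Address(int(net.network_address) | secrets.randbits(IID_BITS))

if __name__ == "__main__":
    print(f"/64 sweep at 1 Gbit/s: {years_to_sweep():,.0f} years")
    print(f"50 sequential hosts found within {sequential_probes(50)} probes")
    print(f"50 random hosts: ~{expected_probes_to_first_random_host(50):.2e} "
          "probes to the first hit")
    print(random_host_address("2001:db8:1::/64"))   # constructed documentation prefix
```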
Don't worry, they'll find a way of fucking this up too. It may take a while, but you should never underestimate an idiot; idiots are too inventive.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
I should add that my "for the sake of argument" figure of 10^20 is an EXTREMELY conservative estimate. In practice the IPv6 address space has a number of addresses that is greater than the number of stars in the universe.
If my toaster is smart enough to realize that the toast is burning, and communicate that fact to another device, it should be capable of not burning the toast in the first place.
Well.. maybe. Or Maybe not. But Definitely not sort of.
http://www6.ietf.org/rfc/rfc3315.txt
Autoconf currently doesn't assign a prefix delegation.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Windows 98
And what makes you think that the IPv6 off-the-shelf routers won't default to a stateful firewall? In fact, I can't see any vendor not enabling that by default, and advertising it in big bold letters (not the techno-jargon, but "Buy this box and keep the hackers out"). And the ISPs are likely to include such functionality in their cable/DSL modem, since they could benefit from fewer zombies on the network.
Mod parent up.
Additionally, many other carriers are already seeing IPv4 exhaustion (due to their own wastefulness in the RFC1918 address space). They are co-opting DoD /8's within their network to try to overcome the problem. [source]
I'll skip the obvious stupidity of "stealing" IPv4's from the DoD. But instead of deploying Carrier-Grade NAT, they're divvying up the internet. In one place, 28.0.0.0/8 takes you to one machine, in another place it takes you somewhere else.
It sounds like the IPv4 internet is going to fall apart simply due to negligence. How's that for an IPv6 killer app?
I like my toast burnt, you insensitive clod!!!!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I've seen plenty of people plug their cable modems right into the back of their computer with no firewall of any kind. Thankfully, most operating systems ship with a software firewall - it's better than nothing. Most of these types of customers bought a nat box, not due to security concerns, but to get wireless connectivity.
IPv6 direct connectivity will be a problem ONLY if end users plug all of their devices into a switch and those devices lack a software firewall. I don't know of any "non-technical" home users that have such a switch. Everyone seems to have a "nat box" simply for wireless connectivity. I suspect people will not go buy a dumb switch and access point, simply because they do not know what they are.
I suspect most people will go buy an "IPv6 capable" firewall/switch with built in access-point. End users will have no idea that they no longer use nat - hell most probably don't even know they have it now.
-ted
Don't worry, they'll find a way of fucking this up too. It may take a while, but you should never underestimate an idiot; idiots are too inventive.
Nah; the ISPs already know just how to do it, and it doesn't require an idiot. All they need to do is use the same method they've used with IP4: They only accept one address at your site, and discard any packets that didn't come from that address or weren't sent to that address. If you want N addresses, you'll have to pay N x $X, where $X is their current price for a routable address.
It really doesn't matter how many gazillions of addresses IPv6 makes available, you will only get one. Addresses are a commodity, to be leased for a profit.
The phone system has worked this way since the beginning of phone numbers, and nobody ever complained. The phone system also has "extension" numbers, which in the IP world are called "port" numbers. But the ISPs have caught onto this, and most of them now block lots of your port numbers. They can do the same with IPv6, with the code they already have. So if they like, they can also charge you extra for not blocking a port. They do this with IPv4 around here, where you have to pay double for a "home business" account if you want ports 21 or 25 or 80 or anything >1023 unblocked.
Can you think of any reason they can't implement exactly the same limits with IPv6 that they currently have with IPv4?
(It is sorta funny that the old phone companies never caught onto this. They could have signed you up for a phone, and then when you complained about blocking, they could say "Oh, you didn't say you wanted to accept incoming calls. That'll be another $45/month. Shall I sign you up?")
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I agree. There's almost nothing you need to do right now that requires you to be directly connected, even in a commercial environment, much less a home environment. You don't need to be directly connected to the internet to host a webpage or for bittorrent to work. You only need a single port for each of those, and sticking those behind a gateway/bastion host is fantastic.
Maybe if IPv6 takes off, we'll want to be able to configure all our devices remotely, but that is not the case for most home users today. We're suffering from too much access to machines, not too little.
Exactly, this is really quite trivial, and AC seems to be rather ignorant. Just set up port 23 for computer A, port 24 for computer B, port 25 for computer C, etc. Then ssh to 111.222.333.111:24 when you want to connect to computer B.
That's reverse thinking. If you need a firewall, set up a firewall; don't set up NAT instead.
They still need a box at their end, just like the box they use for NAT now. IPv6 will not lead to bridged networks to your ISP. You have two options: plug one PC directly into the box, or get a CPE router. This is the exact same choice they have now; IPv6 is changing nothing. Hell, in some ways it's better, since the newer telco CPE gear is generally configured as a router with a firewall, and moving to IPv6 will require new CPE gear for most. One of the big reasons for giving customers more than one public subnet is so they can have multiple routed subnets that just work. Ever seen that scary friend that plugs a Netgear into an AirPort into an AT&T DSL box? 3 distinct layers of NAT, sometimes with overlapping IP address ranges (192.168.0.x plugged into 10.0.0.x plugged into 192.168.0.x), and wonders why things do not work? Tried finding a straight wired switch or a wireless bridge? 5 port + wireless CPE routers are dirt cheap; your average clueless customer buys those, and they have stateful firewalls.
No sir I dont like it.
So what you are saying is that we'll have to do a NAT behind the Sun once ipv6 is allocated to every solar system in the universe?
Fuck.
That's an entirely common and functional hack that exists to deal with the scarcity of IP addresses. And simply that.
I'm not exactly all gung-ho on the ipv6 thing (yet), but having to deal with a purely digital resource as a limited thing is kinda silly, and needs to be corrected eventually.
That group of people isn't going to be subject to lock-in because it's so easy to get IPv6 connectivity from tunnel brokers.
Addresses are a commodity, to be leased for a profit.
That's what many ISPs and hosts are trying to let you believe. In reality, when you get your IPs from APNIC / ARIN / RIPE, that's not the way it works. You wouldn't pay more if you needed more IPs.
Well partially, but I'd argue the addresses have a lot to do with it, too. My home subnet is 192.168.77.0/24. My firewall blocks anything coming from the outside world bound for 192.168.77.0/24. That's nice, but doesn't really ever do anything because damn near every router between me and a potential attacker drops packets that are to or from the reserved networks, because it has no idea where to send them. About the only way it would be a viable attack is from somebody who had control at my upstream ISP.
A non-NAT scheme depends - almost entirely - on my firewall not sucking. I try, but I have in the past screwed that up when changing rules and haven't realized it for days until something seems to be a bit wonky. My motto is if you can't get a packet to it, you can't attack it.
How do you hack into a webcam through a firewall that does not allow incoming connections? I'll tell you how, and it's the same way you would do it if you were behind NAT (with no publicly visible IP). You compromise another computer on the network (or that computer) and have it make the connection to you so you get through the firewall, then use that computer to compromise other computers on the network. That is usually accomplished by getting the dumbass who owns the computer to run a program that you send to him. It's all social engineering, regardless of whether it is NAT or IPv6.
It's the classic chicken or the egg problem. It will be at least another 2 years before IPv6 is fully deployed and a total of 15 years (I pulled reasonable rough estimate out of my ass) before it completely replaces IPv4. Get used to the dual stack for a very very long time my friend.
Life is not for the lazy.
How is that better than simply having each address correspond to a unique machine? Seems more of a hack to me, and of course you can't use a "standard" port (e.g. 80) on more than one machine.
Droids and iDevices do support IPv6, at least over Wi-Fi. T-Mobile has an experimental IPv6 only APN: https://sites.google.com/site/tmoipv6/lg-mytouch
You confuse NAT with Firewall.
IPv6 still needs a firewall, which will be done by the same device that currently does your NAT and firewall. Why would that change?
But will that same behaviour have different results once they receive globally routable IP addresses for each device? I think it will.
Why, did your current router come pre-configured to forward all of your ports to random inside IPs without you directing it to do so?
No?
Then why would an IPv6 firewall allow in a single packet from the Internet without you specifically directing it to?
It won't.
Globally routable does NOT mean you are forced to globally route anything. It makes it an Option, fully under your control. An option you typically never have right now, want it or not.
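Added example, not from the thread: a toy stateful filter in Python illustrating this post and the earlier "the security gain comes from the stateful firewall, not from rewriting addresses" post. Global addresses are left untouched, only replies to flows seen leaving are admitted, and the ICMPv6 types an IPv6 host must still receive are let through; the prefix, addresses and packet list are constructed, and the ICMPv6 allow-list is a simplified subset of the RFC 4890 recommendations.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed packet record; a stateful filter only needs the 5-tuple
# (plus the ICMPv6 type), never a rewritten address.
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"      # "tcp", "udp" or "icmpv6"
    icmp_type: int = 0      # only meaningful for icmpv6

# ICMPv6 types a host must still receive unsolicited (Packet Too Big, Time
# Exceeded, Parameter Problem, neighbour solicitation/advertisement) or path
# MTU discovery and neighbour discovery break. Simplified subset of RFC 4890.
ICMPV6_ALWAYS_ALLOW = {2, 3, 4, 135, 136}

class StatefulFilter:
    """Default-deny inbound filter for one delegated prefix. Addresses are
    left untouched: the protection comes from remembering outbound flows."""
    def __init__(self, prefix: str):
        self.inside = ip_network(prefix)
        self.flows = set()   # (src, dst, sport, dport, proto) seen outbound

    def outbound(self, p: Pkt) -> bool:
        # Inside hosts may start any flow; record it so the reply is admitted.
        self.flows.add((p.src, p.dst, p.sport, p.dport, p.proto))
        return True

    def inbound(self, p: Pkt) -> bool:
        # A reply is the outbound tuple with both ends swapped.
        if (p.dst, p.src, p.dport, p.sport, p.proto) in self.flows:
            return True
        if p.proto == "icmpv6" and p.icmp_type in ICMPV6_ALWAYS_ALLOW:
            return True
        return False         # unsolicited: dropped, just as a NAT box would

    def handle(self, p: Pkt) -> bool:
        """True if the packet is forwarded, False if dropped."""
        return self.outbound(p) if ip_address(p.src) in self.inside else self.inbound(p)

def demo() -> list:
    """Constructed traffic for a home /64 inside the 2001:db8::/32 documentation prefix."""
    fw = StatefulFilter("2001:db8:1::/64")
    laptop, web, router, scanner = ("2001:db8:1::10", "2001:db8:ffff::80",
                                    "2001:db8:ffff::1", "2001:db8:bad::1")
    return [fw.handle(Pkt(laptop, web, 50000, 443)),              # outbound: allowed
            fw.handle(Pkt(web, laptop, 443, 50000)),              # reply: allowed
            fw.handle(Pkt(scanner, laptop, 40000, 22)),           # unsolicited: dropped
            fw.handle(Pkt(router, laptop, 0, 0, "icmpv6", 2)),    # Packet Too Big: allowed
            fw.handle(Pkt(scanner, laptop, 0, 0, "icmpv6", 128))] # stray echo request: dropped

if __name__ == "__main__":
    print(demo())   # [True, True, False, True, False]
```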
Okay smarty pants, now imagine your home NAT is behind a NAT your ISP is running, which probably uses an address pool rather than a single address. They won't forward ports for you because that is all they'd do all day, and if they did, tricks like hole punching and STUN won't work reliably because there is nothing to ensure new connections have the same visible source address on the *real* Internet.
Also, NAT is not security at all, at least in the PC world, as I can get you to make an outbound connection to me lots of ways.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
It's better because it doesn't require the entire world to suddenly change the way it's been doing things all along and switch to a completely incompatible system. Eventually, we might get there, but last I heard even Google wasn't too keen on IPv6, and that would be a big problem.
And yes, you can use a standard port on more than one machine. The NAT router takes care of translating the ports. You can have 10 machines all listening for ssh on port 22, and the router will take care of translating 22..31 to each machine appropriately. Of course, you have to remember which port goes with which machine when you're sshing in from the outside, but then again how many home users actually do anything like this?
Per more recent RFC changes the requirement has been lowered. ISPs do not have to provide a /48, so as long as they aren't forcing you to below a /64 for stupid reasons like "we're wasting IP space". Essentially, chances are you're going to get /56 and /60s as-needed.
All of those ways are one extra step beyond just hitting an inbound port, and that's what security is. There is no such thing as "an attacker can't do X", just layers that make it more difficult for an attacker to do X. It's nearly trivial to "bump" the deadbolt lock on my apartment door, but I'm sure glad I have one, vs not having any lock.
Socialism: a lie told by totalitarians and believed by fools.
First, put away the PAT -- your Cisco is showing, and the kind of packet mangling done by virtually all home routers does both address and port translation.
Second, while it is possible to buy a WiFi bridge that isn't a router/NAT/firewall box there are actually very few consumer-grade devices that do this -- I sometimes want one and often have to spend extra time searching for one, or even for a device that comes with NAT enabled but can be placed in a bridging mode. It also seems unlikely to me that access point manufacturers in the consumer market would quickly move to IPv6-only devices, and so long as the device is dual-stack the router/NAT/firewall functionality will almost certainly continue to be on by default.
So I'm just not seeing this as a big problem. Yes it's possible, but it's also possible now for anyone that hooks up a switch to a cable modem that will dispense multiple real addresses (more common than you might think -- my low-end consumer cable service did this for years), or who hooks up their cable modem directly to their computer, or who disabled the firewall protections provided by their router, etc. It's not clear to me why the risk would increase substantially just because there are a handful of other scenarios where users could be exposed.
And in any case if you're worried about such things the solution isn't NAT for IPv6 or IPv4, because ultimately that relies on the clueless, penny-pinching end-user you're trying to protect. The solution is an ISP-side firewall that's on by default but can be disabled by customer request. Then even directly-connected users and people who broke their local firewall or otherwise got routable addresses from any family configured on their desktop would still be protected, and anyone who had a clue could still use the Internet.
No, just connect all the devices on your home network - your laptop, your iPhone, your relatives' computer, et al. - to it. Also, IPv6 makes it easier for remote control apps like GoToMyPC.com, since it would just access your static PC address. Given the pool of /64 addresses, one can have as many static and dynamic addresses as one wants, while paying only for a single /64. Or /48 - whatever the ISPs offer. You don't have to connect your light switches or toaster to the internet - just the things you might want to control remotely. Like your home door from your cellphone if your spouse is stuck outside the house w/o the key while you are @ a conference meeting.