Slashdot Mirror


Google Deploys IPv6 For Internal Network

itwbennett writes "Google is four years into a project to roll out IPv6 to its entire internal employee network. At the Usenix Large Installation System Administration (LISA) conference in Boston last week, Google network engineer Irena Nikolova shared some lessons others can learn from Google's experience. For example: It requires a lot of work with vendors to get them to fix buggy and still-unfinished code. 'We should not expect something to work just because it is declared supported,' the paper accompanying the presentation concluded."

260 comments

  1. Supported by inglorion_on_the_net · · Score: 5, Insightful

    "'We should not expect something to work just because it is declared supported,' the paper accompanying the presentation concluded."

    I think that if something is declared "supported", it is perfectly reasonable to expect it to work. If it turns out it doesn't work, I think the problem is more that the vendor hasn't done as good a job as they should have than that your expectations were too high.

    --
    Please correct me if I got my facts wrong.
    1. Re:Supported by Chuckstar · · Score: 5, Insightful

      I don't think they meant "we shouldn't hold the vendors accountable if the equipment doesn't work right".

      I think they meant "we shouldn't expect that just because the vendor says it works, that it does".

      Google has the benefit of size. If Google calls up Cisco and says "please fix this problem that exists in the thousands of routers we buy from you", it'll get fixed. If you or I call up Linksys and say "please fix this problem that exists in this one router I bought from you"... well... don't hold your breath.

    2. Re:Supported by jimicus · · Score: 5, Insightful

      I think that if something is declared "supported", it is perfectly reasonable to expect it to work. If it turns out it doesn't work, I think the problem is more that the vendor hasn't done as good a job as they should have than that your expectations were too high.

      Indeed, but it's the same with all commodity technology - you find various implementations, not all of which work properly.

      The same was true 10 or 15 years ago with booting from CD. Same was true 5-6 years ago with PXE. Same's true with CIDR - I've come across equipment like printers that can't handle the idea - you have to give them a class A, B or C subnet mask. Same with STP (spanning tree) - I've met switches that just plain don't work if you turn on STP then plug in a cheapie unmanaged switch - and I don't mean the port plugged into the cheapie switch doesn't work, I mean the entire expensive managed switch doesn't work. Only a couple of weeks ago I met a server BIOS providing software RAID (yeuch) that needed the drives set to RAID in the BIOS for it to work. But if power to the server was lost, that specific BIOS setting would go. Every other BIOS setting would be just fine and you'd get no error at bootup; you'd just find your disks magically appeared differently on boot.

      If Google's network team honestly thought that any product with "IPv6 supported" on the label meant "Every aspect of IPv6 fully supported, tested, interoperable with other vendor's implementation - basically it'll work as well as you'd expect IPv4 to work in something released in the last five years", they're displaying incredible naiveté.

    3. Re:Supported by Anonymous Coward · · Score: 1

      Were it so easy.

      The hardware may not even be capable of supporting IPV6. So Cisco's magic fix will be " Buy our newer hardware. We might even be generous enough to give you a discount. "

      If Google is smart ( and we know they are ) their infrastructure likely isn't from a single vendor. Gives the vendor way too much leverage. So this process has to be repeated with all the infrastructure they have in place from all of their vendors.

      I'm sure there are folks out there " They knew this was coming, why isn't this a done deal already ? "

      Size.

      Yeah it's cheap to replace the router in your closet. Not so cheap ( or easy ) to replace thousands of them across multiple networks that all talk to one another via IPV4 now. One side can't speak X while the other Y. AND this has to be done in a manner so that it has minimal effect on network traffic. Even more so if you're talking about customer data.

      For large companies, this is a huge and expensive undertaking just to " upgrade the network ".

    4. Re:Supported by mickey_mouse_2006 · · Score: 0

      With all due respect - it doesn't work that way. Cisco, Juniper, HP, have a huge customer base doing IPv4, and a minimal, almost non-existent base doing IPv6. So the R&D, new features, bug fixing and such will follow the money - ie, will go to IPv4 for the time being. Yes, it sounds (and it is!) shortsighted - but when Google brings to the table, say, $50 mill a year - that is chump change compared to the many other *billions* that IPv4 still brings (and will keep bringing, for the foreseeable future) to the table. And funnily enough - it's way easier for Linksys/D-Link/Netgear to fix a bug or implement a feature on a SOHO device than it is for Cisco - not only they don't have to care about the installed base, but their customer base is used to sub-par firmware - so were they to implement an IPv6 feature in a buggy or less-than-optimal way . . . not that much of a backlash. And they also have way shorter, to none, QA cycles, backward compatibility testing, interop testing, etc.

    5. Re:Supported by mickey_mouse_2006 · · Score: 0

      If Google's network team honestly thought that any product with "IPv6 supported" on the label meant "Every aspect of IPv6 fully supported, tested, interoperable with other vendor's implementation - basically it'll work as well as you'd expect IPv4 to work in something released in the last five years", they're displaying incredible naiveté.

      Maybe. But Google engineers don't live in a can - I'm sure they asked their vendors, "folks, what's the best way to go about this, in your opinion?" - and the IPv6 experts from Cisco/Juniper/others told them "here - like this". Only for Google to find out the "like this" didn't work exactly as expected - when that tidbit was fed back to the vendor, I bet they were like "hm, well, you're like the 1st one doing this. Let me get back to you on why it doesn't work as it should . . .". Don't hold your breath. The bottom line is what Google itself says on its paper - not even the vendors are running IPv6. So the *customer* is doing the early field trial for them. Google and others end up being beta testers for free, when they thought they were running production-quality, live-deployment, mission-critical ready code . . .

    6. Re:Supported by Anonymous Coward · · Score: 0

      I've met switches that just plain don't work if you turn on STP then plug in a cheapie unmanaged switch - and I don't mean the port plugged into the cheapie switch doesn't work, I mean the entire expensive managed switch doesn't work.

      If you mean that a loop on the unmanaged switch causes a broadcast storm (the managed switch breaking is probably due to maxed CPU usage): this is a facet of RSTP-derived spanning-tree implementations - they are far superior for many purposes, but since they depend on communication between the bridges and not on detection of circulating BPDUs, they can fail to detect downstream bridging loops. Many unmanaged switches break 802.1Q and forward frames like BPDUs that are destined for the bridge management addresses. This breakage helps your situation, since the managed switch will see its own BPDUs on the port and block it.

      If you mean that the managed switch dies when you connect an unmanaged switch with NO loop: then you have an extremely crappy managed switch. This use case has nothing to do with STP.

    7. Re:Supported by Midnight Thunder · · Score: 3, Insightful

      On the other hand not supporting or working with a customer like Google in their move to IPv6 would be short sighted. If Google were not happy with Cisco's attitude they could easily go and invest in another company and publicize why they dropped Cisco. That would hurt Cisco down the road as they end up no longer being taken seriously.

      Companies know that IPv6 is going to become a reality sooner rather than later, especially in markets such as east Asia and Africa, which already have a rapidly diminishing pool of available IPv4 addresses. To ignore these markets would be handing future success over to companies who recognized the expanding niche and got in there early.

      --
      Jumpstart the tartan drive.
    8. Re:Supported by jimicus · · Score: 5, Funny

      If you mean that the managed switch dies when you connect an unmanaged switch with NO loop: then you have an extremely crappy managed switch. This use case has nothing to do with STP.

      That's exactly what I mean; disable STP and it all starts to magically work.

      This was a Dell switch, which probably explains rather a lot - rumour has it that particular model is a rebadged Allied Telesyn. Mind you, if Dell were to write to me informing me the sky was blue I'd stick my head out of the window.

    9. Re:Supported by saleenS281 · · Score: 1

      Hardly. That's called a lawsuit. If Cisco sells something claiming it supports IPv6 and it doesn't, they're either taking the gear back or finding their asses in court for misrepresentation of goods sold. If they sold it to the government, they're likely facing more than a lawsuit.

    10. Re:Supported by inglorion_on_the_net · · Score: 3, Insightful

      And funnily enough - it's way easier for Linksys/D-Link/Netgear to fix a bug or implement a feature on a SOHO device than it is for Cisco - not only they don't have to care about the installed base, but their customer base is used to sub-par firmware - so were they to implement an IPv6 feature in a buggy or less-than-optimal way . . . not that much of a backlash.

      That is exactly why this story is news. If it had been SOHO routers being buggy - well, that's sad, but it's not likely to surprise the /. readership. If it had been "professional equipment" not supporting IPv6, I don't think that would have surprised a whole lot of us, either.

      The news here is that vendors who you might expect to deliver quality product shipped appliances that they claimed would support IPv6, and that the IPv6 support is shoddy. Now, some people will not be surprised by this, either (I'm not, for one), but some people will be - as you neatly illustrated by pointing out that people hold Cisco to higher standards than SOHO gear.

      --
      Please correct me if I got my facts wrong.
    11. Re:Supported by Gothmolly · · Score: 1

      You clearly don't work with any software or operating system vendors then. Pedantically attempting to hold them to a 'supported' stance doesn't change the fact that their shit doesn't work right.

      --
      I want to delete my account but Slashdot doesn't allow it.
    12. Re:Supported by 0123456 · · Score: 1

      I run V6 and V4 at home; the $20 LAN switches, wireless router and PCs support V6 but the DSL router doesn't. Otherwise the only issues I've come across are that some of the services on my Linux server don't listen on V6 addresses, I've never got IPSEC to work with V6 and the XP machines don't really work very well with V6 (but they also don't get used much these days).

    13. Re:Supported by Anonymous Coward · · Score: 0

      It's not just about vendors. If the protocol was designed such that the adoption would be easy, it would have been adopted by the majority already. Anyone who is using the real Internet uses IPv4 and has no incentive to switch to a different protocol. Were IPv6 designed as an extension of IPv4 with complete, automatic backward compatibility (and not forcing AAAA to boot), we would all be running it already.

    14. Re:Supported by arglebargle_xiv · · Score: 2

      Google has the benefit of size. If Google calls up Cisco and says "please fix this problem that exists in the thousands of routers we buy from you", it'll get fixed. If you or I call up Linksys and say "please fix this problem that exists in this one router I bought from you"... well... don't hold your breath.

      So I'm not the only one who read the article as "stay as far away from IPv6 as possible for as long as you can manage"? If an organisation with the size, resources, and clout with vendors that Google has is four years into an estimated eight-year move to IPv6 (as opposed to "we switch over from v4 to v6 next weekend, set your watches"), that's a sign that I don't want to move my organisation to this stuff any time soon. A network upgrade should be, at worst, a somewhat over-long weekend, not a new career path.

    15. Re:Supported by JSG · · Score: 1

      I suggest you get someone else to purchase your equipment then.

      You seem to keep on buying rubbish.

      Cheers
      Jon

    16. Re:Supported by petermgreen · · Score: 1

      The problem is the definition of "supports".

      Consider for example a router, suppose it can bring up ipv6 interfaces and even forward packets between them BUT it's doing that forwarding in software so if too large a percentage of the traffic is v6 it can't keep-up and starts dropping packets.

      Now suppose that the vendor said it "supports ipv6" but all the performance promises they made related to ipv4....

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    17. Re:Supported by Anonymous Coward · · Score: 0

      All supported means is that the vendor will attempt to find a reasonable solution for any issues regarding a product and/or its features, if that means they suggest using a different product or model that is still supported!

    18. Re:Supported by jimicus · · Score: 1

      Said I'd seen. Didn't say I'd bought. Most of that was inherited equipment.

    19. Re:Supported by MortenMW · · Score: 1

      I actually have a PowerConnect 5424 with similar problems. I have to disable STP on ports connected to non-managed switches. As it's not easy to control what the user plugs into his/her port I have to disable STP on the switch. As far as I can see on the labeling it's Allied Telesys, just with a Dell logo slapped on top.

    20. Re:Supported by jimicus · · Score: 1

      Glad to see I'm not losing my mind. Pretty sure it was that model I encountered - and in this case it was at a client where attempting to control what gets plugged into the port was such a complete non-starter it wasn't worth even broaching the topic. Disable STP, quietly curse whoever QA'd the firmware for that model then get on with life.

      We need a Wikipedia for crap hardware that doesn't properly do what it claims to. The only issue is I can see Dell taking umbrage at being inducted into the Hall of Shame before we've even started.

    21. Re:Supported by Anonymous Coward · · Score: 0

      I bought a Cisco 877W which claimed to support IPv6. It turned out not to because it shipped with crippled IOS that didn't implement the advertised features. They charged me a small fortune for a firmware upgrade to 'Advanced IP services' which did, in a half-hearted way. Turns out that with the most recent IOS of the correct (expensive) flavour, it can do IPv6, but only if you don't use the wireless interface. This IOS bug (irb drops IPv6 packets; wireless interface doesn't even allow an IPv6 address to be specified) has been known for years, but they're apparently too incompetent/lazy to fix.

      I don't have time to sue them, and they would just offer my money back and continue mis-selling to everyone else.

      I bought a Cisco router assuming that IOS would give me a half-decent networking implementation, of the quality I've come to expect from Linux and FreeBSD boxes. Nothing could be further from the truth.

    22. Re:Supported by marka63 · · Score: 1

      Actually the article is telling you that you need to start to move to IPv6 today. Turning on IPv6 at the network layer is trivial. If you want all your application to work with IPv4 and IPv6 then you need to invest the effort to test and possibly fix them. With a large company with lots of non standard applications and tools this takes time. Remember you don't have to have everything working to begin with. You can bring services up one at a time.

    23. Re:Supported by Anonymous Coward · · Score: 0

      The problem with this is people are now beginning to use code that hasn't been customer tested after it was written. Unfortunately IPv6 is still cutting edge in the way that nobody is really using it yet. So it's fully expected there are going to be bugs in there. All supported means from a vendor standpoint (Juniper, Microsoft, Cisco, F5, HP, etc.) is the feature is available and if a bug is found, it'll be fixed. There is no implied guarantee that it'll be software without any problems.

    24. Re:Supported by Anonymous Coward · · Score: 0

      That's funny.
      Personally, I read that like if a company with as many employees as Google and for which network is a vital part of its infrastructure and the core of its business is switching to IPv6, I am probably a moron if I don't consider the move.

    25. Re:Supported by Anonymous Coward · · Score: 0

      Exactly in this context, Cisco is quite broken. If you're large enough and report bugs being important to you, Cisco often does supply you with custom firmware images and tells you to use this instead of every other release. Cisco also does aim to include those fixes in their next releases, but sometimes it takes years to do so or those patches are accidentally lost after a few years (and of course, you're the first to notice).

    26. Re:Supported by Anonymous Coward · · Score: 0

      It is what it says it is: if it doesn't work, you can turn to the vendor with a request for support. As we know it's often the case such requests are not always fulfilled.

  2. Re:IPv6 by Anonymous Coward · · Score: 5, Insightful

    Assignment of smaller blocks may have extended the life of IPv4 addresses; however, there are physically not enough addresses for the devices we currently have. While there may be enough at the moment, there won't be soon.

    What is IPv4; 4.3 billion addresses. There are over 6 billion people on earth and many people in the western world have numerous devices. My household of 2 has 8 devices that are nearly always online. (Computers, Phones, Set-top Boxes, printers, etc....) This number does not take into account either one of our work sites which probably add another 1-2 addresses to that number.

    And no, NAT is not a solution.

  3. Re:IPv6 by AliasMarlowe · · Score: 5, Informative

    Something no one would need if proper assignment of IP ranges had been done.

    No point asking what you mean, since you evidently speak from ignorance. Even with optimal assignment of IPv4 addresses, it would only delay the inevitable shortfall. Sooner or later, the number of addressable end-points on the internet would exceed 4 billion. NAT is an unfortunate workaround to delay the effects of the shortfall; it should be a freely-chosen option, not an enforced requirement.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  4. Re:IPv6 by Mr. Underbridge · · Score: 5, Insightful

    Right, if decades ago the inventors of the internet had realized that it would scale from 10s of users to billions. I'd say the address space length that they used still makes it outrageously overengineered for the time, and we're lucky they had the vision that they did. To criticize them is preposterous.

  5. The fine article is wrong by agristin · · Score: 2, Informative

    "Each campus or office got a /48 address block, which meant that it was allotted 280 addresses. In turn, each building got a /56 block of those addresses (or about 272 addresses) and each VLAN (Virtual Local Area Network) received a /64 block, or about 264 addresses."

    a /48 block is 65536 subnets for each campus. A /64 has 18,446,744,073,709,551,616 IP addresses.

    The RFCs on this type of thing are RFC 6177 which replaced 3177 and RFC 5375. For an itworld/usenix article, fact checking is really low.

    1. Re:The fine article is wrong by KiloByte · · Score: 5, Insightful

      Uhm, it's obvious something dropped <sup> tags. Just like, for example, Slashdot does.

      Try this: 2<sup>80</sup> -> 280. Not the writer's fault, the blame lies on editors who didn't notice their software mutilates basic harmless tags.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:The fine article is wrong by camperdave · · Score: 2

      Uhm, it's obvious something dropped <sup> tags. Just like, for example, Slashdot does.

      Try this: 2<sup>80</sup> ->280. Not the writer's fault, the blame lies on editors who didn't notice their software mutilates basic harmless tags.

      It is the writer's fault. We have forced comment preview for exactly this reason.

      --
      When our name is on the back of your car, we're behind you all the way!
    3. Re:The fine article is wrong by Anonymous Coward · · Score: 1

      We have forced comment preview for exactly this reason.

      Comment preview? Isn't that just like those EULAs you click through to install something? *ducks*

    4. Re:The fine article is wrong by danomac · · Score: 1

      So you mean they can't edit it afterwards, like on /.?

    5. Re:The fine article is wrong by KiloByte · · Score: 1

      We do, but the incorrect number is not on Slashdot. Also, I doubt the person who wrote this text could have made this mistake, it's quite certainly the editor's fault ("editor" as a person, not as a program).

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  6. Re:IPv6 by Arrepiadd · · Score: 1

    Yes, because with a total of 4 billion IPv4 addresses and the fact that an ever increasing number of people are having more and more devices connected to the internet this is not something that would eventually be bound to happen.
    You must be from a first world country, to be able to waste your time in Slashdot. How many IP addresses are you responsible for yourself? Phones? Tablets? Routers? E-book readers? Multiply that by everyone else in a first world country and that's a ton of IP addresses, and we are not even counting companies, the public sector or any non-first world country in the planet...
    How many Chinese and Indians have a phone which needs an IP address? Is the number gonna get smaller anytime soon?

    Screw IPv6, let's all use NAT... it's such a wonderful thing!

  7. IPv4.1 by Anonymous Coward · · Score: 2, Funny

    Simple solution, bump it up a notch.

    My octets go to 257. Solved.

    1. Re:IPv4.1 by TheRaven64 · · Score: 1

      Depends on whether he's talking about cardinals or ordinals.

      --
      I am TheRaven on Soylent News
    2. Re:IPv4.1 by kasperd · · Score: 5, Funny

      My octets go to 257.

      That's not how IPv4.1 works. Check the facts.

      --

      Do you care about the security of your wireless mouse?
    3. Re:IPv4.1 by hedwards · · Score: 1

      Not really, the top of the octet is at 255. An address like 257.257.257.257 would be rather larger than one that goes 256.256.256.256 .

    4. Re:IPv4.1 by Mike Mentalist · · Score: 1

      My one goes all the way up to 11.

      --
      I put my books on Amazon, Smashwords, Demonoid, ISOHunt and Pirate Bay. Search for 'Michael Cargill'
    5. Re:IPv4.1 by TheRaven64 · · Score: 1

      Other than informing me that you didn't understand at least one of the words in my post, did you have a point?

      --
      I am TheRaven on Soylent News
    6. Re:IPv4.1 by FrootLoops · · Score: 1

      I'm curious, what did you mean? I'm only familiar with the set theory definitions of cardinals and ordinals--roughly, one can say a cardinal is the equivalence class of bijectively equivalent sets, whereas an ordinal is the equivalence class of order-isomorphic well-ordered sets. (As ever with set theory, there are a world of subtleties.) In any case, these seem entirely irrelevant, and after glancing through a few other definitions, they also seem irrelevant.

    7. Re:IPv4.1 by complete loony · · Score: 1

      Whoosh.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    8. Re:IPv4.1 by Chaos Incarnate · · Score: 1

      Replying to fix bad mod.

      --
      Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
    9. Re:IPv4.1 by Anonymous Coward · · Score: 0

      Can you please mark this "funny" rather than interesting? It's an April Fool's joke, and would require exactly the same pain as IPv6 with not as much gain. How do you route from an IPv4 device to an IPv4.1 device? You don't. There is no backwards compatible solution to the IP crisis, otherwise the really smart people that came up with IPv6 would have done so.

    10. Re:IPv4.1 by hedwards · · Score: 1

      I know the difference between ordinal numbers and cardinal numbers. The difference isn't relevant as an octet tops out at 255.

      Just because you're being pedantic doesn't make me any less right about it.

    11. Re:IPv4.1 by TheRaven64 · · Score: 1

      If he's talking about ordinals then he's referring to the largest value that the octet can store, so if it starts at 0 then this would be increased from 255 to 256. If he's talking about cardinals then he's referring to the range of values that it can store, so this increases from 256 to 257. The phrase 'goes to 257' could be interpreted in either way - it either stores values up to 257 or it stores up to 257 unique values.

      --
      I am TheRaven on Soylent News
    12. Re:IPv4.1 by unixisc · · Score: 1

      The reason the current maximum is 255 is that it's the decimal equivalent of the binary number 11111111. The binary equivalent of 257 would be 100000001, in which case you are growing the number of source and destination address bits from 32 bits to 36 bits. Same problem. Incidentally, had that been a solution, we'd have had maximums of 511.511.511.511. As hedwards pointed out, octets top off @ 255.

    13. Re:IPv4.1 by Anonymous Coward · · Score: 0

      Whoosh.

      Whoosh.

    14. Re:IPv4.1 by Anonymous Coward · · Score: 0

      It's an April Fool's joke

      And in fact even the version number 4.1 is a hint that it is an April Fool's joke. That 4.1 sounds like a minor update to version 4, and that it actually suggests adding 1 byte to the existing 4 byte field makes the joke so much better. Having it show up just around the time where APNIC ran out of addresses is just great timing.

      and would require exactly the same pain as IPv6 with not as much gain.

      True, and that is true of every alternative to IPv6 that has been suggested for the last several years, sadly many of them actually think they could do better, the above link was at least meant as a joke.

      Many people look at the current mess and think they could have done better, yet they don't realize that it doesn't matter how tiny they make the change, it is going to be just as hard to deploy. If it is 100% compatible with IPv4, it doesn't solve the problem. And even the tiniest incompatibility with IPv4 is going to make people reluctant to deploy it, as proven by IPv6. Even if somebody managed to look at what went wrong with the transition to IPv6 and find a better protocol than IPv6 which would solve that problem, it would still not help, as they would be 10 years behind.

      It has taken more than a decade to deploy IPv6, and if it doesn't speed up dramatically, hell is going to break loose on the Internet pretty soon. If you think you can do better than IPv6, you will have to not only design something that truly is better, you'll also have to get most of the world to agree with you, and design and deploy hardware, which can do it, including several years of real world testing, and you have just a couple of months to get that done, as a matter of fact you should aim for completion by the end of 2010.

      Making addresses shorter than 128 bits is not one of the things that will make it easier to deploy. In fact 6to4 and Teredo are examples of transition methods that aimed to ease the transition, and those make use of the large addresses. Actually Teredo had to squeeze a bit to keep within the 128 bits, for example Teredo servers must always run on port 3544 because there wasn't room in the 128 bits to include the port number of the server in addition to all the other information needed. 6to4 and Teredo try to solve the same problem, each have restrictions. If the IPv6 addresses had been 256 bits, and if people hadn't been using NAT to artificially prolong the life of IPv4, it would have been possible to design a transition protocol that would combine the advantages of 6to4 with the advantages of Teredo.

      Of course such a hybrid wouldn't have solved the problem which 6to4 and Teredo have in common, which is relying on third party relays with no SLA. 6to4 looked like a great transition plan, but turned out not to work. None of the people suggesting alternatives have thought to the point of even starting to design a transition plan. And even what may look like a good transition plan can be improved, in which case you may very well end up with 6to4, which we know now, didn't work out.

      Solving the problem with 6to4 would probably have required some end-to-end redundancy to have been built into the IPv6 protocol, but that would have made it much more different from IPv4 and likely harder to deploy as it would likely lead to new kinds of security threats. Just look at something as simple as source routing, and how quickly it got deprecated.
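
How 6to4 and Teredo spend the 128 address bits, as the comment above describes, shown as an added Python example that is not part of the original thread. The field layouts follow RFC 3056 and RFC 4380; the helper names and the documentation-range sample addresses are constructed for illustration. Decoding the same fields is how a defender recovers the IPv4 endpoints behind tunneled IPv6 sources seen in logs.

```python
import ipaddress

# Field layouts, most significant bits first: (name, width in bits).
SIXTOFOUR_LAYOUT = [            # RFC 3056
    ("prefix", 16),             # always 0x2002
    ("router_ipv4", 32),        # public IPv4 address of the 6to4 router
    ("subnet", 16),             # site-level subnet ID
    ("interface_id", 64),
]
TEREDO_LAYOUT = [               # RFC 4380
    ("prefix", 32),             # always 0x20010000
    ("server_ipv4", 32),        # Teredo server address
    ("flags", 16),
    ("client_port_xor", 16),    # client's mapped UDP port, XOR 0xFFFF
    ("client_ipv4_xor", 32),    # client's mapped IPv4, XOR 0xFFFFFFFF
]
TEREDO_SERVER_PORT = 3544       # fixed: the layout has no field left for it

SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
TEREDO_NET = ipaddress.IPv6Network("2001::/32")


def spare_bits(layout):
    """Bits of a 128-bit address not claimed by any field in the layout."""
    return 128 - sum(width for _, width in layout)


def pack(layout, values):
    """Pack named integer fields into one 128-bit integer."""
    if spare_bits(layout) != 0:
        raise ValueError("layout must cover exactly 128 bits")
    word = 0
    for name, width in layout:
        value = values[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        word = (word << width) | value
    return word


def unpack(layout, word):
    """Split a 128-bit integer back into its named fields."""
    fields, shift = {}, 128
    for name, width in layout:
        shift -= width
        fields[name] = (word >> shift) & ((1 << width) - 1)
    return fields


def build_6to4_prefix(router_ipv4):
    """The /48 a site derives from its single public IPv4 address."""
    word = pack(SIXTOFOUR_LAYOUT, {
        "prefix": 0x2002,
        "router_ipv4": int(ipaddress.IPv4Address(router_ipv4)),
        "subnet": 0,
        "interface_id": 0,
    })
    return ipaddress.IPv6Network((word, 48))


def build_teredo(server_ipv4, client_ipv4, client_port, flags=0x8000):
    """Teredo address for a client behind NAT (flags value is a sample)."""
    word = pack(TEREDO_LAYOUT, {
        "prefix": 0x20010000,
        "server_ipv4": int(ipaddress.IPv4Address(server_ipv4)),
        "flags": flags,
        "client_port_xor": client_port ^ 0xFFFF,
        "client_ipv4_xor": int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF,
    })
    return ipaddress.IPv6Address(word)


def decode_tunnel(text):
    """Return the embedded IPv4 details of a 6to4/Teredo address, else None."""
    addr = ipaddress.IPv6Address(text)
    if addr in SIXTOFOUR_NET:
        f = unpack(SIXTOFOUR_LAYOUT, int(addr))
        return {
            "kind": "6to4",
            "router_ipv4": str(ipaddress.IPv4Address(f["router_ipv4"])),
            "subnet": f["subnet"],
        }
    if addr in TEREDO_NET:
        f = unpack(TEREDO_LAYOUT, int(addr))
        return {
            "kind": "teredo",
            "server_ipv4": str(ipaddress.IPv4Address(f["server_ipv4"])),
            "server_port": TEREDO_SERVER_PORT,
            "client_ipv4": str(ipaddress.IPv4Address(f["client_ipv4_xor"] ^ 0xFFFFFFFF)),
            "client_port": f["client_port_xor"] ^ 0xFFFF,
            "flags": f["flags"],
        }
    return None


if __name__ == "__main__":
    # Constructed source addresses, as they might appear in a log.
    samples = [
        "2002:c000:204:1::10",
        str(build_teredo("192.0.2.1", "203.0.113.7", 40000)),
        "2001:db8::1",
    ]
    for sample in samples:
        print(sample, "->", decode_tunnel(sample))
    print("Teredo spare bits:", spare_bits(TEREDO_LAYOUT))
```
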

    15. Re:IPv4.1 by kasperd · · Score: 1

      And even what may look like a good transition plan can be improved, in which case you may very well end up with 6to4, which we know now, didn't work out.

      Yeah. Many people have suggested that IPv6 should have been made compatible with IPv4, but how would they even have made it more compatible than it already is?

      One idea could have been to kind of force the deployment by saying that a certain subset of IPv6 addresses were used to make it so that any IPv4 route is also an IPv6 route with a specific prefix and a few bits left at the end for the end site to use instead of NAT. Then the packet could move towards the destination being IPv4 part of the way and IPv6 part of the way. The assumption would be that every link along the way was either IPv4 or IPv6 or both, and the routers at the two ends of the link agree on what they are talking on that link. A dual stack router would have to be able to route the packets between IPv4 only and IPv6 only links.

      An idea like that would need a few tweaks to actually be possible. First of all you cannot map all of IPv6 address space into IPv4 address space. So you couldn't actually send the packet over an IPv4 only link unless you encapsulate it in IPv4. So, let's improve the idea by making it such that on IPv4 only links the IPv6 packet is encapsulated in IPv4 and will still make progress towards the destination. But what should the destination IPv4 of such an address be to ensure that it will actually progress towards the destination in place of a few IPv4 only routers along the path? Oh right, we are talking about an implicit IPv6 route built from an IPv4 route, so there is an IPv4 address embedded in the IPv6 address, we can use that as destination, and it will progress towards the proper destination until it reaches an IPv6 router that can decapsulate.

      But why decapsulate the packet at the first IPv6 capable router? If it is already encapsulated in IPv4 and the entire path is already an implicit path built from a path towards the IPv4 address which is already in the IPv4 destination. So if we don't decapsulate it, it will make progress towards the proper destination, and we avoid potential problems caused by decapsulating it on a link we thought was dual stack, but where the other end of that link thought it was IPv4 only. So once it has been encapsulated, just leave it encapsulated until we reach a router where the route it is going to take depends on more bits than were put into the IPv4 destination field.

      With the above approach everybody can just set up a dual stack router and even if some of the path is IPv4 only, they can still receive IPv6 packets. But how do we get the IPv6 packets back? If the sender is one which only has an implicit IPv6 address built from an IPv4 address, and the destination has an IPv6 address that was assigned in a different way, how do you know where to route it? Well since the sender only had the implicit address likely it is going to hand it off to an ISP with some IPv4 only routers, so it will have to be encapsulated in IPv4. But what destination IPv4 address are you going to use? Since the destination IPv6 address isn't an implicit one there isn't an IPv4 address that will send it the right direction.

      The solution to route packets towards such a non-implicit IPv6 destination could be to reserve a specific IPv4 address to use for the encapsulation. The idea with this reserved IPv4 address is that it will take the default route on every router until it makes it into the core of the network, and once it reaches the first dual stack router, it will be decapsulated and routed down a real IPv6 route.

      So starting from the idea to make IPv4 and IPv6 routing compatible such that all IPv4 routes automatically result in an IPv6 route, I have improved on the idea to end up with something that sounds workable. But actually, it sounds awfully similar to 6to4. In fact the only point where the improvements on the idea to make IPv4 and IPv6 compatible differs from 6to4 is t

      --

      Do you care about the security of your wireless mouse?
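The addressing scheme the comment above arrives at, written out as an added example (not part of the thread, and not code from any poster). It uses the published 6to4 constants, 2002::/16 and the relay anycast address 192.88.99.1 carried in IPv4 protocol 41; the function names, the bogon list and the sample packets are constructed for illustration.

```python
import ipaddress

# Well-known 6to4 constants (RFC 3056 / RFC 3068).
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")
PROTO_41 = 41  # IPv4 protocol number for encapsulated IPv6

# Assumption: a minimal list of IPv4 ranges that must never appear as an
# embedded 6to4 address on the public Internet.
BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def implicit_prefix(v4):
    """The /48 a site holding public IPv4 address v4 gets implicitly."""
    v4 = ipaddress.IPv4Address(v4)
    base = int(SIXTOFOUR.network_address) | (int(v4) << 80)
    return ipaddress.IPv6Network((base, 48))


def embedded_v4(v6):
    """IPv4 address embedded in a 2002::/16 address, or None otherwise."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def encapsulation_target(dst_v6):
    """Outer IPv4 destination for an IPv6 packet leaving a 6to4 site.

    Implicit destinations go straight to the embedded IPv4 address;
    everything else goes to the reserved relay address.
    """
    v4 = embedded_v4(dst_v6)
    if v4 is not None:
        return v4, "direct"
    return RELAY_ANYCAST, "relay"


def decap_verdict(proto, outer_src_v4, inner_src_v6):
    """Check a decapsulating router can apply to an arriving tunnel packet."""
    if proto != PROTO_41:
        return "not-6to4"
    emb = embedded_v4(inner_src_v6)
    if emb is None:
        # Native IPv6 source arriving through a relay: the outer source
        # says nothing about the inner one.
        return "relayed"
    if any(emb in net for net in BOGONS):
        return "drop-bogus-embedded"
    if emb != ipaddress.IPv4Address(outer_src_v4):
        # Inner source claims a site the outer header did not come from.
        return "drop-spoofed"
    return "accept"


# Constructed sample packets: (protocol, outer IPv4 source, inner IPv6 source)
SAMPLE_PACKETS = [
    (41, "192.0.2.1", "2002:c000:201::1"),
    (41, "198.51.100.7", "2002:c000:201::1"),
    (41, "198.51.100.7", "2002:a00:1::1"),
    (41, "203.0.113.9", "2001:db8::1"),
    (6, "192.0.2.1", "2002:c000:201::1"),
]


def audit(packets=SAMPLE_PACKETS):
    return [decap_verdict(*p) for p in packets]


if __name__ == "__main__":
    print(implicit_prefix("192.0.2.1"))
    print(encapsulation_target("2001:db8::1"))
    for pkt, verdict in zip(SAMPLE_PACKETS, audit()):
        print(pkt, "->", verdict)
```

The "relayed" case is the one no router on the path can verify, which is why relay traffic needs separate filtering at the site border.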
  8. Re:What Vendors? by Anonymous Coward · · Score: 3, Insightful

    Every vendor is short on delivery.

    The only reason they have some support is because of the U.S. Federal Government mandate that all vendors support basic IPv6 by (I forget the year; it's somewhere between 2008 and 2012).

    Now, that doesn't mean it's a comprehensive solution (those cost even more development dollars). They simply did the least amount of work needed to still sell the product to the government.

    It won't be until the rest of us demand proper support that any vendor will put the time and money into a proper solution.

  9. Business as usual? by vlm · · Score: 2

    For example: It requires a lot of work with vendors to get them to fix buggy and still-unfinished code. 'We should not expect something to work just because it is declared supported,'

    In other words, business as usual in all other areas of IT. Glad to see there is nothing "special" about ipv6 deployment.

    And while the current versions of most OSes support IPv6, they do not do so by default.

    What are those OSes? It's been a long time since I turned on ipv6 at home. As I recall I had to do little other than turn it on. There is a difference between "activate" which is kind of like setting the sound mixer output to a comfortable level no big deal, vs searching on the internet to install 3rd party drivers and/or recompiling kernels.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Business as usual? by tgd · · Score: 4, Interesting

      And while the current versions of most OSes support IPv6, they do not do so by default.

      What are those OSes? It's been a long time since I turned on ipv6 at home. As I recall I had to do little other than turn it on. There is a difference between "activate" which is kind of like setting the sound mixer output to a comfortable level no big deal, vs searching on the internet to install 3rd party drivers and/or recompiling kernels.

      Windows 7 actually defaults to it being turned on, but will generally not do anything with it if it doesn't get an IPV6 DHCP address. But some MS technology (like the Win7 HomeGroup support, and DirectAccess) work via IPV6. Odds are there are a TON of people using IPV6 on their home network and just don't know it.

    2. Re:Business as usual? by Anonymous Coward · · Score: 1

      The Apple Airport Express requires IPv6 support if you set it up as a music player. My router supports IPv6, so the AE will work if I connect it by Ethernet cable. But my WiFi access point doesn't support IPv6, so the AE doesn't work if you tell it to join the wireless network. If you look in the AE's log you can see messages about it playing a music stream, followed by an IPv6 address. No idea why they require this. To make this more confusing, the AE will get an IPv4 address by DHCP, which you can ping over WiFi. It just never uses IPv4.

      So now I need a new WiFi AP if I want to use this thing to play music.

    3. Re:Business as usual? by rb12345 · · Score: 2

      If you're using the brcmsmac driver by any chance, it doesn't actually support ad-hoc mode, regardless of IPv6.

    4. Re:Business as usual? by viperidaenz · · Score: 5, Funny

      The easy solution is to replace all your hardware with Apple products. It's what Steve would have wanted

    5. Re:Business as usual? by Anonymous Coward · · Score: 0

      Homegroups if I recall, cannot even run on v4 and must use v6. Without v6, the service will fail.

    6. Re:Business as usual? by dbIII · · Score: 0

      With some situations the Win7 performance is horrible on an IPv4 network until you turn IPv6 off. I'm not sure if it's the card driver, the hardware, SMB, the IPv4 stack or what it is because it's hard for anyone other than MS to troubleshoot. I turned off IPv6 in one of those situations and suddenly I went from kilobit to gigabit speeds. Something in that big interconnected pile of obscurity doesn't like it when IPv6 is enabled and it's got nothing to talk to - or something else along those lines.
      If anyone really cares there are better examples than my anecdote which were very easy to find on google.
      There is still some way to go.

    7. Re:Business as usual? by rev0lt · · Score: 1

      I've seen those kinds of problems and they usually aren't exclusively IPv6 related. The most usual case I can think of is poor internet "performance" in domain setups - the machines have their name resolution pointing to the domain controller, but the domain controller isn't configured to forward requests to the internet (or the router). From what I've seen, this is actually a big issue, because DC promotion doesn't require a correct DNS configuration as a proxy to work - only the local entries for the domain controller. If, in contrast, your machine has a different DNS server than the domain controller pool, you'd get horrible SMB/authentication performance unless you enable Netbios and have a correctly configured WINS server.
      In short, it's usually the administrator's fault, not Windows. Nothing new here.

    8. Re:Business as usual? by dbIII · · Score: 2

      OK - so you are blaming ME for a problem fixed by unticking a box that says "enable IPv6"?
      I think that says more about yourself than anything else.
      There are problems with various drivers, hardware and software with IPv6 implementations. Blaming the end users doesn't get anyone anywhere.

    9. Re:Business as usual? by rev0lt · · Score: 1

      No, I'm blaming you for being unable to diagnose a routing or dns problem. In fact, I'm also blaming many MCEs that can't understand the basics of tcp/ip networking, and aren't able to read the documentation. Disabling IPv6 isn't "problem fixed", it's "problem postponed". I know many times we don't have the time or sightness to be able to try all the magic fixes that are applied to the many windows hiccups, but that is one that is usually caused by ignorance of the administrator and not the operating system itself. If, by chance, you are a unix administrator and cannot correctly configure a dns server and networking routing, you'd be a lousy - and possibly out of a job - administrator. In windows, it's "welcome to the domain".

    10. Re:Business as usual? by Yaztromo · · Score: 1

      No idea why they require this. To make this more confusing, the AE will get an IPv4 address by DHCP, which you can ping over WiFi. It just never uses IPv4.

      The Airport Express can also be used as a router, WiFi (and WDS) access point, a wireless bridge, and a print server along with being an AirTunes sink. All of which can work in either IPv4 or IPv6.

      Chances are what is happening for you is that the Airport Express is advertising both IPv4 and IPv6 addresses on your network via Bonjour/ZeroConf, as it is getting an autoconf address from your router. From what I've observed, Apple products tend to prefer IPv6 addresses when they receive them via Bonjour/ZeroConf, unless you force IPv4 only mode (which isn't generally an option in GUI apps like iTunes).

      The trick for you is probably going to be to ensure that no IPv6 support is enabled on your client system, to force it to use IPv4 only. AFAIK, there is no way to completely disable IPv6 on the Airport Express, other than to ensure it can't get an IPv6 address.

      Install a Bonjour/ZeroConf browser on your system, and take a look at the AirTunes (_raop._tcp.) entry. Looking at mine, it's advertising both IPv4 and link-local IPv6 addresses. If you either can get it to advertise only IPv4 addresses, or change your client such that IPv6 isn't even available for link-local access, you should fix it up. A lot of people use the Airport Express on IPv4-only networks -- I'm guessing the issue you're facing is that you do have an IPv6 supporting router running autoconf, but with the wireless part of your network having no IPv6 support across the link, the model assumed by Apple inside iTunes is breaking down.

      Yaz

    11. Re:Business as usual? by Yaztromo · · Score: 1

      And while the current versions of most OSes support IPv6, they do not do so by default.

      What are those OSes? It's been a long time since I turned on ipv6 at home. As I recall I had to do little other than turn it on.

      I'd like to see a list as well. Windows Vista, Windows 7, Mac OS X, and all modern Linux distros will automatically configure IPv6 out of the box when a suitable autoconf server is found on the network.

      Oh, wait -- the current version of Commodore DOS has no IPv6 support that I can find. That must be what they were referring to.

      Yaz

  10. Re:IPv6 by SuricouRaven · · Score: 4, Informative

    2^32 - 2^24 - 2^16 - 2^20 - 2^16 - 2^28 = 4008574976. That's if you put them all on one giant flat network from hell, and so didn't use any for network or broadcast addresses. Yes, 2^16 in there twice - don't forget APIPA. The 2^28 is reserved for multicast.

  11. Re:IPv6 by vlm · · Score: 5, Informative

    I'd say the address space length that they used still makes it outrageously overengineered for the time, and we're lucky they had the vision that they did.

    Not really. Don't forget there is a HUGE difference between the old classful and VLSM/CIDR/classless numbering. That gain is the whole point of spending all that effort implementing netmasks. There really were not that many possible classful lans compared to the number of minicomputer owning businesses in the world, etc.

    For the post-92ish noobs, a really simple one line explanation is the netmask used to be stored inside the address itself, so for example if the first octet was 0 to 127, that meant that LAN had to be a (presumably giant bridged) /8, first octet 128-191 meant the netmask had to be a /16, not defaulted or was a pretty good guess, but operationally "had to be".

    The early years of VLSM were pretty entertaining, old timers lecturing us how a LAN addressing scheme like 1.2.3.0/24 was "impossible" and so forth.

    Without VLSM we would have to have done the ipv6 conversion years before the dotcom boom, rather than a decade or so after. Not entirely sure if we'd all be better off now, or not.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
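The classful rule described in the comment above, and the address count from the earlier comment in this thread, worked through as an added example (not part of the thread). Which reserved blocks stand behind each power of two in that count is an assumption: the private ranges 10/8, 172.16/12 and 192.168/16, link-local 169.254/16 for APIPA, and 224/4 for multicast. All function names are illustrative.

```python
import ipaddress

# Class -> (number of fixed leading bits, implied prefix length)
CLASSES = {"A": (1, 8), "B": (2, 16), "C": (3, 24)}

# Assumed mapping of the subtracted powers of two to reserved blocks.
RESERVED = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8",      # 2^24
    "192.168.0.0/16",  # 2^16
    "172.16.0.0/12",   # 2^20
    "169.254.0.0/16",  # 2^16 (APIPA / link-local)
    "224.0.0.0/4",     # 2^28 (multicast)
)]


def classful_prefix(addr):
    """Prefix length implied by the first octet under classful addressing."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return 8    # class A
    if first < 192:
        return 16   # class B
    if first < 224:
        return 24   # class C
    return None     # class D (multicast) and E (reserved): no netmask


def classful_ok(cidr):
    """True if this network could be numbered under the classful scheme."""
    net = ipaddress.IPv4Network(cidr)
    return classful_prefix(net.network_address) == net.prefixlen


def networks_per_class():
    """How many distinct networks each class can ever hold."""
    return {c: 2 ** (plen - lead) for c, (lead, plen) in CLASSES.items()}


def usable_addresses():
    """All of IPv4 minus the reserved blocks, as one flat network."""
    return 2 ** 32 - sum(n.num_addresses for n in RESERVED)


if __name__ == "__main__":
    for cidr in ("1.2.3.0/24", "10.0.0.0/8", "172.16.0.0/16", "192.168.1.0/24"):
        print(cidr, "classful-legal:", classful_ok(cidr))
    print(networks_per_class())
    print(usable_addresses())
```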
  12. Hmm by lightknight · · Score: 2

    Even I am kind of curious to see what would happen if we set a week in the future to switch everyone over. I say a week, not a day, because vendors will need at least 72 hours to issue emergency firmware upgrades after sections of the internet disappear, and allowing for different time zones and what not, of course.

    Does anyone know if all the major service providers have upgraded their equipment to ipv6 yet? Any laggards?

    --
    I am John Hurt.
    1. Re:Hmm by Anonymous Coward · · Score: 1

      Unlikely.

      Would be too cost prohibitive for some in such a short period of time. Think Fortune 500 + size companies. You're talking about upgrading or replacing an extreme amount of hardware. My company alone would have numbers in the tens of thousands (routers alone) to replace. The project is (and has been) underway for some time already, but it is a slow and expensive rollout to ensure IPV4 tunneling is working for the rest of the hardware while the changeover happens.

      Have to since many of the endpoint devices aren't capable of IPV6 at all in their current form. Replacing BILLIONS of dollars of infrastructure takes time and planning, realizing some can't be upgraded at all (replaced only). This becomes more complicated when the hardware in question is rather important. Say the optical hardware that is a major net pipe? Can't just offline it and replace it :D

    2. Re:Hmm by Midnight+Thunder · · Score: 3, Informative

      In Europe, Asia and Africa ISPs are already making the slow move to IPv6. In North America it is only a handful of ISPs that have publicized their efforts (two come to mind: Comcast and TechSavvy), whereas others are putting short term profits before long term success.

      In the short term companies that already have massive private networks can install a web proxy to deal with external IPv6 HTTP hosts. Long term they will need to reevaluate the design of the network and what really needs to have access to the external IPv6 network and what can stay oblivious. In general anything that is only going to communicate with the internal network can stay IPv4 centric, while other devices will be dual IPv4/IPv6 stack.

      The one challenge for people wanting to make the web server accessible from IPv6 clients is hosting centres that don't provide IPv6 yet. It is certainly possible to get around this by using a tunnel, but this is really far from optimal.

      BTW Some hosting services that are IPv6 ready are listed here:

      http://www.sixxs.net/wiki/IPv6_Enabled_Hosting

      --
      Jumpstart the tartan drive.
    3. Re:Hmm by jrumney · · Score: 1

      The one challenge for people wanting to make the web server accessible from IPv6 clients is hosting centres that don't provide IPv6 yet. It is certainly possible to get around this by using a tunnel, but this is really far from optimal.

      IPv6 tunnels are only an option if you have a dedicated server. If you are using virtual machine hosting, you are stuck with the kernel and modules from the VM, which usually does not include IPv6 support.

    4. Re:Hmm by Anonymous Coward · · Score: 0

      I'm skipping over the IPv6 fiasco, I'm already waiting for 256bit IPv7.
      I want my *own* private internet, just for myself.

    5. Re:Hmm by unixisc · · Score: 1

      Since we went from 32-bit to 128-bit, the next jump, in the unlikely event that it ever happens, is likely to be 512-bit. But I expect the sun to expand and vaporize the earth long before that happens.

  13. buggy and still-unfinished code by Threni · · Score: 0

    > It requires a lot of work with vendors to get them to fix buggy and still-unfinished code.

    Google should be used to that. They could always lazily stick 'beta' next to the product name, I guess.

    1. Re:buggy and still-unfinished code by gl4ss · · Score: 1

      maybe the vendors should have just sent them bipv6 products.

      --
      world was created 5 seconds before this post as it is.
  14. Re:IPv6 by Anonymous Coward · · Score: 2, Interesting

    NAT has improved protocol design a lot though. Before NAT, there were things like FTP, with inband port signaling. Most modern protocols avoid mentioning port numbers in the payload and can run on any port, through multiple port forwardings if necessary. Notable exception and bad example: SIP. I expect more bad protocol design once people again assume that end-to-end IP addressing is universally available.

  15. what about printers and other Internal stuff IPV4 by Joe_Dragon · · Score: 1

    There is a lot of stuff that does not have IPV6. Do they have some kind of NAT for the older IPv4 stuff?

  16. Re:IPv6 by Rising+Ape · · Score: 2

    Why is that bad in the absence of NAT?

  17. Re:IPv6 by kqs · · Score: 2

    And for the post-1980s noobs, the original idea was that the first octet would be the network part and the last three would be the host part. Since 250 or so networks was 10 times what was expected. Classful addressing is a Johnny-come-lately.

    And yes, the fact that IP was expandable from 250 subnets to the present day shows that the initial engineering was phenomenal, but we're well past time for the next version of IP. If people spent a quarter of the time they spend complaining about IPv6 just implementing it, we'd be in a much better Internet.

              -Kevin

  18. It took Google 4 years... by s7uar7 · · Score: 4, Insightful

    Just think how long it would take companies without access to virtually unlimited funds and brain power. It's no wonder everyone is reluctant to make the move.

    1. Re:It took Google 4 years... by allo · · Score: 2

      Not everyone has a network as large as the network of Google.

    2. Re:It took Google 4 years... by Anonymous Coward · · Score: 0

      Google has, possibly, one of the largest and most complex networks of any company on the planet. Most companies would actually have a far, far, far easier time.

    3. Re:It took Google 4 years... by Anonymous Coward · · Score: 1

      I work for an ISP/Datacenter. We turned it on internally a year ago and any colo customer can have their /56 if they just ask.

    4. Re:It took Google 4 years... by Bob+The+Cowboy · · Score: 1

      Really? You don't think that a company the size and shape of Google might have a slightly more complex network than a shop of, say, 100 people?

  19. Re:IPv6 by Ihmhi · · Score: 5, Funny

    Oh man, what I would have given to be there for that conversation.

    "How many addresses do you figure we need?"

    "Couple billion I guess."

    "But what if we need more?"

    "Dude, okay, let's just say one per person. 4 and a half billion or so. Now everyone on the world can have one."

    "But what if, you know, there ends up being a few more people than that in the future?"

    "Jesus Christ man, it's not like 3 billion extra people are gonna pop up out of nowhere in the next 30 years!"

  20. Re:IPv6 by Anonymous Coward · · Score: 0

    Firewalls

  21. Re:What Vendors? by hedwards · · Score: 2

    And that's the rub, the hosting companies probably won't provide it until they absolutely have to as the ISPs are generally not providing access. And the ISPs won't be providing it until after the customers demand it. The customers mostly think that the internet is Youtube and probably Facebook and probably won't ever request it unless those sites go unavailable.

  22. Re:IPv6 by akanouras · · Score: 1

    I have an SIP phone at home, that is connected to my company's PBX through the internet.
    When I call a landline number, the PBX sets up a data path directly from the SIP provider to my phone, without it being relayed through the PBX.

    How would you implement that without in-band address signaling?

  23. Vendors by DaMattster · · Score: 1

    Given that Google has absolutely no shortage of capital and brain power as noted before, I am surprised Google didn't just build its own routers, wireless access points, etc. Linux and BSD have come a long way in their routing capabilities. Heck, Vyatta sells an open source router that probably competes very favorably. If I were Google, I would have opted for the open source methodology and contributed back to the community. You pay a vendor and expect quality, you don't beg them to improve their product. They should be jumping through hoops to help you.

    1. Re:Vendors by Lennie · · Score: 4, Insightful

      Because the hardware that can handle large amounts of small packets fast when you install your own software ('firmware'), does not exist AFAIK. At least not the type which will also be supported by (multiple) vendors (no one wants to be stuck on, locked into, one vendor). Designing not-mass-produced ASICs isn't cheap. It would be like Google designing their own CPUs for their servers.

      The closest things are:

      - NetFPGA (some people at Google worked on that project I believe) / LibreRouter - which use FPGAs to handle packets, you tell it how to do that.

      - projects like Netmap, handle packets in userspace so you don't have to push packets through the kernel on normal PC-hardware, making it faster: http://www.youtube.com/watch?v=SPtoXNW9yEQ

      The best chance currently to be useful in 'doing your own thing' is probably:

      - OpenFlow, which basically is an API standard which multiple vendors would support to describe what the hardware in a switch should be doing, a programming language almost. Some demos:
      http://www.youtube.com/user/stanfordopenflow

      Which can allow for lots of tricks, like 'software defined networking'

      --
      New things are always on the horizon
    2. Re:Vendors by Anonymous Coward · · Score: 0

      Unfortunately, current versions of OpenFlow don't support IPv6. It's a proposed feature for OpenFlow 1.2.

    3. Re:Vendors by Anonymous Coward · · Score: 0

      Given that Google has absolutely no shortage of capital and brain power as noted before, I am surprised Google didn't just build its own routers

      http://tech.slashdot.org/story/09/01/07/1844239/google-router-rumors

    4. Re:Vendors by Anonymous Coward · · Score: 0

      >Because the hardware that can handle large amounts of small packets fast when you install your own software ('firmware'), does not exist AFAIK

      Install DD-WRT, OpenWRT, or Untangle on a standard PC.

    5. Re:Vendors by Lennie · · Score: 1

      A normal PC can't handle lots of small packets.

      --
      New things are always on the horizon
  24. What's the point? by C3ntaur · · Score: 2

    IPv6 is cool, I get it. But how many ISPs are offering it to their consumers? If I want to build a web presence, would I settle for only IPv6 address space? If not, how much would I pay to buy into the IPv4 space so I can reach all my potential customers?

    1. Re:What's the point? by zootie · · Score: 4, Informative

      IPv6 is very popular in Asia, and you have a large number of Eastern languages sites that are only reachable on IPv6 (some only have IPv4 for western visitors if their content applies).

      And on ISPs. Cox and Time Warner (Road Runner) started running consumer IPv6 pilots this year, and I wouldn't be surprised if other ISPs also started.

      The limiting factor is going to be the home routers. But as more ISPs begin offering the option (maybe bundled with a "higher performance tier" that will tie in with net neutrality), we'll likely see home routers advertising IPv6 support as if it was a new type of faster wireless. Albeit, it might take years.

    2. Re:What's the point? by Anonymous Coward · · Score: 3, Interesting

      Even companies like Google will find it increasingly hard to get enough IPv4 addresses for their needs. See e.g.
      Microsoft's recent purchase at $11.5 a pop.
      I'm sure they require a lot of globally routable addresses for internal communication. Those can be converted to IPv6 to free up address space for their public endpoints, even while most of their users are IPv4 only.

      From the user side of it, ISPs in growth areas like Asia simply cannot hand out IPv4 addresses to all their users, leading to kludges like ISP-level NAT. At that point, even if IPv4 is reachable due to the hacks, you would give them a better user experience (a faster and more reliable connection) by offering your services over IPv6 as well.

      In short, even though IPv4 will be 'mandatory' for the foreseeable future, the hacks needed to make it work for everyone and everything that needs internet access may make it a second-grade experience compared to IPv6, maybe within a few years time.

    3. Re:What's the point? by swillden · · Score: 1

      And on ISPs. Cox and Time Warner (Road Runner) started running consumer IPv6 pilots this year, and I wouldn't be surprised if other ISPs also started.

      http://www.comcast6.net

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:What's the point? by petermgreen · · Score: 1

      at $11.5 a pop.

      I think prices will have to rise an order of magnitude from that level before cost of IP addresses will significantly change business behaviour.

      Also all but the largest businesses will be able to use private addresses for internal and outbound communication and only use public addresses for machines that need to receive inbound communication.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    5. Re:What's the point? by unixisc · · Score: 1

      IPv6 is cool, I get it. But how many ISPs are offering it to their consumers? If I want to build a web presence, would I settle for only IPv6 address space? If not, how much would I pay to buy into the IPv4 space so I can reach all my potential customers?

      If you are building a network from scratch, chances are that IPv6 is something you'd not want to miss out on, since it's long term. Then the question is whether your IPv4 customers can access you or not. This might be worth a discussion with your ISP on their dual stack support, and whether end IPv4 customers would be able to access you. Currently, all Vista, XP, OS-X, Linux and BSD users should be able to access you, and the only question mark would be users that are still on XP. While I have theoretically installed IPv6 on my XP box, going to the testipv6.com site indicates that IPv6 still doesn't work on my box.

    6. Re:What's the point? by Anonymous Coward · · Score: 0

      The problem is less the cost and more the availability. Those addresses were bought from a bankrupt telecoms firm. If you do need more IP addresses you probably can't wait around for an IT firm to go bankrupt. The next alternative might be paying someone enough that it's worth their time to reconfigure their network and free up a routable chunk of address space.

    7. Re:What's the point? by Anonymous Coward · · Score: 0

      It's coming. My ISP is fully dual-stack and gives you a /56 prefix on request. It's an opt-in feature as in "If you don't understand ipv6, we recommend leaving it off".

  25. Re:IPv6 by DaMattster · · Score: 1

    I thought there was an announcement that the IPv4 address space is now totally exhausted. Or at least there are no new blocks to be assigned. The tunnel broker, Hurricane Electric, indicates that IPv4 is exhausted.

  26. Re:IPv6 by Anonymous Coward · · Score: 1

    I would have made the protocol single-port and I would have made the reinvitation address a higher level address (SIP URI) instead of an automatically allocated port number at an automatically detected address. Skype has a business because setting up SIP is so complicated unless you run it on public IP addresses, and SIP is so complicated because of network addresses in the payload.

  27. Re:IPv6 by Rising+Ape · · Score: 3, Interesting

    OK, but that's not very clear. I can see why a program that picked a completely random port might be awkward to get to work with a firewall. But restricting the range of ports that it can use, then permitting those, would work wouldn't it?

    I'm not sure it's a good idea to restrict protocol flexibility in that way anyway. There's a fundamental issue with NAT or firewalls in that they need to know details of what the users behind them want and don't want to do. This may be true for a business with a central IT department who can configure the device as necessary, but it's not true in general. If my ISP runs a NAT to conserve IP space, am I supposed to contact them to forward whatever ports are necessary? I don't think that'll work well. I just hope IPv6 actually does get rolled out before that becomes necessary.

  28. Re:IPv6 by FingerSoup · · Score: 1

    I think the conversation would continue a little more like this...

    "Yeah, well Not EVERYONE is going to be on the internet.... This is DARPA. Only the government is going to use it. Mostly Military. What do you think the D stands for?"

    "True. Well, I don't think the politicians see the point of what we can do with this. I think they're going to cut our research funding soon."

    "OK, let's get some schools and scientists on board for funding. I don't mind if we let a few schools use this thing... We can handle over a thousand people from there. It's not like the whole world will be on this thing. This is America!"

    "Yeah, you're right. It's not like people are going to connect directly to the internet with their Apple II... Besides, you are going to need Mainframe or Minicomputer access. Where are they going to get access to one of those?"

    "Good point. Nobody has enough money or room for their own mainframe or Mini. 4 Billion IPs sounds almost excessive..."

  29. Re:IPv6 by hairyfeet · · Score: 0

    That is because nobody will do squat about the squatters. Little known fact only 15% or so of the IP V4 addresses are actually being used by honest to God websites, the rest are either really old companies that got a shitload of numbers because they got there first and are now sitting on them, and of course the traditional squatters with an Adsense page hoping to make enough off of typos.

    So if one were to do something about all the squatters we would have 85% free which we could in turn hand out and buy us some time to do the next IP version right, which means backwards compatibility along with offering free education and tax credits for those willing to go into networking to learn the new IP. Because as it is the flyover states are gonna severely fuck ALL of you friend, all of it goes right through those states sooner or later and the pay in right to work states suck so frankly nobody has bothered to learn the new IP V6. When things go wrong which would have taken a couple of hours on IP V4 you'll be looking at days or even weeks simply because most of the old guard only know IP V4 and nobody is going into networking or IT anymore thanks to offshoring.

    Any way you slice it thanks to no BC and no workers trained in the new protocol the switch is gonna be one giant clusterfuck. But hey this is what happens when you base a whole society on the race to the bottom and don't protect your workers from offshoring and H1-Bs, nobody wants a job where they don't know if they are gonna even have a job next week. I predict lots of breakage and middle America pretty much being a network dead zone where if anything breaks you are well and truly fucked. I personally haven't taken more than a glance at IP V6, I mean why should I? Nobody offers it here, pretty much every SMB and home router will have to be shitcanned and replaced with a router that may or may not work correctly unless you spend more money than it's worth to buy an Airport, and in the end thanks to NAT it really doesn't offer my customers anything they don't already have, and of course no BC which means double the setup and double the hassles. No thanks.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  30. Re:IPv6 by Lennie · · Score: 4, Informative

    Remember the mini-computer didn't even exist then.

    So a computer was a large machine which took up a room.

    And it was just an experiment, the experiment never ended.

    If you want to know more about what the original creators thought, you should look up talks by Vint Cerf:
    http://www.youtube.com/results?search_query=vint+cerf+ipv4+ipv6+depletion

    For example this video:
    http://www.youtube.com/watch?v=LcXCieD5YKE

    --
    New things are always on the horizon
  31. Re:IPv6 by justforgetme · · Score: 1

    Nah, from what I have read the conv went something like this:

    RC : "... well there's two in my office, one in yours, the Synchrocyclotron requires fifteen and the LEP guys requested four dozen."

    TBL : "so, what do you say? 4 or 8 per network?"

    RC : "No no no, they all are to have a common address pool, weren't you listening?"

    TBL : "common address pool, listen to yourself and who is going to build that then?"

    RC : "no, that is the idea. I was thinking of two bytes of address space in the packet header, that is 65k addresses"

    TBL : "weeeell, this experiment isn't going to work anyway...."

    RC : "..."

    TBL : "..."

    RC : "Hey, let's give them 4 bytes and brag that the address space is infinite!"

    --
    -- no sig today
  32. Re:What Vendors? by Lennie · · Score: 1

    The quote below is from the he.net website, that doesn't seem all that great.

    But people are starting to deploy it now, look at the growth of the number of BGP route entries in the routing tables:
    http://www.flickr.com/photos/23667510@N03/6493294453 (IPv4)
    http://www.flickr.com/photos/23667510@N03/6493294527 (IPv6)

    And that is even though we need fewer IPv6 entries than IPv4 per network, because one IPv6 entry is much larger than one IPv4 entry. A lot of networks that now have 4 or 10 IPv4 entries, might now only need 1 or 2 IPv6 entries.

    ____

    Networks Running IPv6

    We can measure the percentage of networks running IPv6 by comparing the set of ASes in the IPv6 routing table to those in the combined set of IPv4 and IPv6.

    IPv4 and IPv6 RIBs Last Parsed: Sun Dec 11 01:07:46 PST 2011
    IPv4 ASes: 39706
    IPv6 ASes: 4923
    ASes using only IPv4: 34893
    ASes using only IPv6: 110
    ASes using IPv4 and IPv6: 4813
    ASes using IPv4 or IPv6: 39816
    Percentage of ASes (IPv4 or IPv6) running IPv6: 12.4%

    --
    New things are always on the horizon
  33. Re:IPv6 by aztracker1 · · Score: 2

    I think you probably have that number backwards.. the vast majority of addresses are held/assigned to various ISPs and being used for peer devices, home internet, mobile devices etc. Most small-medium businesses are using 1-8 addresses. Most of the unused IPs are in the mid-large businesses that aren't using all they've been assigned, though segmenting an address block may, or may not be possible.

    I would suggest that anyone with even a class B should probably be encouraged to break them up and return unused blocks. That will only help for so long. With 4 billion addresses (maybe 3.5 billion usable) and 6 billion people and counting, more and more with multiple devices, it will only go so far. I really think that mobile companies should be among the first on IPv6 with IPv4 access via NAT & proxy. Just my $.02

    --
    Michael J. Ryan - tracker1.info
  34. Re:IPv6 by locokamil · · Score: 3, Informative

    Nice random hit on H1B's there. Blame ignorance and lack of initiative on the foreigners -- that always works out!

  35. Re:IPv6 by allo · · Score: 5, Insightful

    You see, the good thing is not the NAT, but the firewall dropping packets from outside, again. As always, the people say the security comes from NAT, and really mean the requirement of having a firewall which drops packets coming in, because there is no mapping to which internal IP they should be routed.

  36. ipv6 - a private protocol for google? by Anonymous Coward · · Score: 3, Interesting

    I'm lucky enough to use an isp that offers native ipv6.
    This coupled with a nifty firefox plugin (IPvFox) enables me to determine with some certainty that somewhere between 95-99% (tongue in cheek) of all ipv6 traffic on the internet is Google's.

    They are pretty much the only company using it.

    (O.K. rss.slashdot.org... kudos to you guys).

    1. Re:ipv6 - a private protocol for google? by Anonymous Coward · · Score: 0

      You left out www.xkcd.com.

    2. Re:ipv6 - a private protocol for google? by Anonymous Coward · · Score: 0

      $ host rss.slashdot.org
      rss.slashdot.org is an alias for sourceforge.feedproxy.ghs.google.com.

  37. Re:IPv6 by Chrisq · · Score: 1

    Something no one would need if proper assignment of IP ranges had been done.

    No point asking what you mean, since you evidently speak from ignorance. Even with optimal assignment of IPv4 addresses, it would only delay the inevitable shortfall. Sooner or later, the number of addressable end-points on the internet would exceed 4 billion. NAT is an unfortunate workaround to delay the effects of the shortfall; it should be a freely-chosen option, not an enforced requirement.

    I'm tempted to say pot - kettle - black here as far as speaking from ignorance goes. NAT allows devices behind the wall to be addressed by port, sharing a single IP address. At an extreme you could have 65535 addressable devices behind a NAT firewall, exposed to the public internet as one IP address. There are many reasons that this is not a good idea - primarily it would involve NAT at ISP level, leading to "double NAT" issues to people with home routers, but the number of IP addresses available is not an issue.

  38. Re:IPv6 by tyler_larson · · Score: 4, Insightful

    Decades ago, the engineers did in fact consider 128 bit addresses, but in the end they went with 32 specifically because v4 was not considered a "production" version. There's a link on the wikipedia page for ipv6 to a video with vint cerf explaining exactly that.

    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
  39. well inside IP4 works and just the out side by Joe_Dragon · · Score: 1

    needs to be IPV6 so it can be like NAT is just need to make the outside stuff work with IPV6 and the inside can still have the older IPV4 only stuff.

  40. Vendors are a tad better enabled now... by Junta · · Score: 1

    Early large-scale adopters like Google have suffered the leading edge of vendors trying to get ready. In terms of the problems Google ran into, I'd wager a large chunk of them won't be inflicted again by the same company. Once kinks are worked out for even one customer, they are generally worked out for all customers.

    That said, while I've seen a large amount of increased IPv6 capability from vendors (showing they have expertise *somewhere*), it's still an arcane art for almost everyone at these companies still yet relative to IPv4.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Vendors are a tad better enabled now... by John+Hasler · · Score: 3, Interesting

      Early large-scale adopters like Google have suffered the leading edge of vendors trying to get ready.

      I suspect that most of the pain was suffered by the vendors in this case. Google will have written the IPv6 requirements into the multimillion dollar purchase orders and is quite capable of phoning a VP of sales and telling him that if this is not fixed NOW you might find yourself no longer qualified as a Google supplier.

      BTW I read that the DoD has come up with a unique way to encourage vendors to make sure that their IPv6 implementations actually work. They've been told that whether or not their own Web sites are accessible via IPv6 will be a factor in acquisition decisions. I can't reach Cisco on IPv6, though.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Vendors are a tad better enabled now... by Anonymous Coward · · Score: 1

      Yeah, you can access Cisco on IPv6. Well, not you as such, but the DoD requirement is actually that the site is accessible from ipv6 from the DoD network.

      Doesn't mean they need to make it available to everyone

  41. Re:IPv6 by Anonymous Coward · · Score: 0

    Have your SIP phone initiate the data connection.

    That's probably what's happening already. If not, it would not work with almost all home routers.

  42. Technically complex... by Junta · · Score: 1

    While I anticipate Google to have one of the most complex networks, they also probably have a more reasonable organizational structure populated by more talented individuals on the whole. I say this not because I think Google is magic, but I optimistically *hope* they aren't as bad as some of the companies I have dealt with. Most companies have a technical staff either not talented enough, bound up in an impossibly convoluted organizational structure that paralyses them in any efforts to technically advance the state of things, or some combination of the two.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Technically complex... by TheLink · · Score: 3, Interesting

      Google may have the largest networks, but I doubt they have the most complex networks. Otherwise they wouldn't be able to "scale out" as easily and quickly. I suspect most Google data centers are very similar in network topology and technologies used.

      Old large organizations are the ones with weird complex networks which are not self-similar and use different network technologies. x.25 over tcp/ip, frame relay, netbios over tcp/ip, SDLC, token ring, FDDI, stuff that's still using Novell 802.3 ethernet frames ( http://support.novell.com/techcenter/articles/ana19930905.html ). If you're unlucky you'd need network equipment that can handle both the old stuff and ipv6 properly. The networks may not be connected to each other, but what if the old expensive equipment handling the "legacy network stuff" are also handling some IPv4 stuff?

      Unless forced to I wouldn't bother upgrading an old bank to IPv6. Users inside can't connect directly to the outside world, unless they go through a proxy? That's a feature not a bug ;).

      --
    2. Re:Technically complex... by Anonymous Coward · · Score: 1

      The last company I worked for had a mess of an internal network. It was made up of about 4 different networks each coming from companies that were acquired patched together with a few firewalls and routers. And this was a telecommunications company - designing, installing and maintaining networks is their core business.

  43. Re:IPv6 by Anonymous Coward · · Score: 1

    You can certainly deal with it, but it's a complication. Every protocol you use requires administration of the firewall. Every administration of the firewall introduces a possibility of introducing human error into things and accidentally leaving a hole in your firewall you didn't intend. Plus it's more work :P

  44. Re:IPv6 by Anonymous Coward · · Score: 1

    you see, that wasn't the point. What has happened is that NAT killed the idea that the end point of the connection has the same IP address that an external node would address packets to to reach that end point. That lack of end to end connectivity has made protocol designers create better protocols with less inband signaling. Firewalls alone would not have had that effect.

  45. Re:IPv6 by iserlohn · · Score: 3, Informative

    What happens when both end-points are behind a hide-NAT? ... ...
    Many-to-one NAT by nature breaks the bi-directional model of TCP and UDP communications. You can work around it by using dynamic port mappings ala uPNP, but it's an ugly hack really.

  46. Re:IPv6 by RoLi · · Score: 2, Informative

    And no, NAT is not a solution.

    Well, since IPv6 just will not happen, it's the best (which is not hard, because it's the only one) solution we have.

  47. Re:what about printers and other Internal stuff IP by aztracker1 · · Score: 1

    yes

    --
    Michael J. Ryan - tracker1.info
  48. Re:IPv6 by jimicus · · Score: 1

    I really think that mobile companies should be among the first on IPv6 with IPv4 access via NAT & proxy.

    AFAICT the majority of mobile companies - at least in the UK - already are. Plug a USB dongle into your laptop or check the IP address on your phone, there's a good chance it's in RFC1918 address space and they're NAT'ing you.

  49. Re:IPv6 by Anonymous Coward · · Score: 0

    It's about routability, stupid should be the quote used for IPv4 vs. IPv6. Who cares if you have unused IPv4 if you can't route them? The entire point of IPv6 is to fix routing problems on the internet. Finally, most of the address space (eg. /32) will almost exclusively be dedicated to routing and not assignments. In IPv4, the routing bit was "supposed to be" /8-/16, but that didn't work out very well. Internet routing is basically broken for the last decade+, but according to "everyone" it is A-OK!

  50. Re:IPv6 by Anonymous Coward · · Score: 0

    And dikes don't keep out the ocean forever. But Amsterdam has been doing quite well with it for centuries.

  51. Re:IPv6 by Anonymous Coward · · Score: 0

    No inband addressing would certainly make the IPv4 to IPv6 transition easier.

  52. Re:IPv6 by Anonymous Coward · · Score: 4, Informative

    Of course sometimes it's still necessary, avoiding that just isn't as flexible.

    SIP/H323 are a good example as the media has to be sent in a separate RTP connection. If it's not immediately obvious why that's the case RTP has to be sent as UDP to avoid latency/loss making a call unusable which TCP would. SIP can use TCP and H323 always does, so you can't send the media in the same connection.

    Plus a lot of telecom environments don't have the same server handling the media as the signalling. One such use case is sometimes you get the phones to bypass the server and talk directly. That means less latency and less bandwidth used at the server, but it is only possible where end-to-end connectivity between the phones is possible and NAT almost always breaks that.

  53. Re:IPv6 by justforgetme · · Score: 1

    That article is drawing to conclusions way too fast.

    --
    -- no sig today
  54. Re:IPv6 by Anonymous Coward · · Score: 0

    I think you made a mistake in your link.
    I'm sure you meant to link to an announcement from the IETF and ISOC that they're calling off the whole thing, or at least a post from Google saying that they won't go through with that whole IPv6 thing at all, but it appears you accidentally linked to yet another blog claiming that IPv6 will never take off because it actually requires work on the part of the implementers instead of using magic pixie dust to "just add more numbers".
    This despite that the very FA shows that Google remains committed to getting 100% IPv6-compatible, and that large ISPs like Comcast are initiating IPv6 trials this year.

  55. Re:IPv6 by Anonymous Coward · · Score: 0

    Remember the mini-computer didn't even exist then.

    The ARPANET was built on minicomputers. Specifically, the Honeywell DDP-516. Which naturally is a red-link on Wikipedia, because no doubt the first computers that were used to build the internet weren't "notable".

  56. Re:IPv6 by BlueParrot · · Score: 3, Funny

    v4 was not considered a "production" version

    I knew there was a language issue. Had they only realised that in manager speak "it still has some issues" means "ship it" ...

  57. Re:IPv6 by Anonymous Coward · · Score: 0

    Speaking as a Canadian on an H-1B:

    Blame Canada...?

  58. Re:IPv6 by viperidaenz · · Score: 1

    Vodafone in New Zealand was putting their users behind a NAT since at least 2003, probably since they provided internet over their GPRS network. You had to configure different AP's if you wanted a public IP.

  59. Re:IPv6 by Anonymous Coward · · Score: 0

    And no, NAT is not a solution.

    nevertheless, NAT is our future, like it or not.

  60. Re:IPv6 by silas_moeckel · · Score: 1

    65k devices you say, you seem to know very little about NAT. You need to have a unique port at the NAT box per unique ip/port/ip/port tuple, I've seen far more devices than that overloaded onto a single IP in corp networks, that said a lot can depend on the devices you're using to perform NAT (PAT really but that's a whole other debate). NAT still breaks things that should work, SIP and FTP being the prime examples, really anything that can find 3 or more way communications useful. It makes sense for my phone call to go between phone A and B in my house even though we're using an outside PBX, it makes sense to be able to copy files from server A to server B but getting instructions and authentication from client C. NAT was a hack that got the job done, it's far from the optimum.

    The whole debate is moot, we need to move to a new addressing platform, 4 billion addresses are not sufficient for 7 billion people. I've got 40 ish IP's in use at my home alone and as everything becomes connected I expect that number to go up. I expect the number of networks to increase, Bluetooth PANs, zigbee and others can all link devices together including ip traffic. Is my refrigerator supposed to NAT for my coffee maker or the other way around? I do want my hypothetical coffee maker to talk to my alarm clock and hot water heater letting them know I'm trying to get up at 5:30 not 7:30 and to get things ready.

    --
    No sir I dont like it.
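
Added example, not part of any comment in this thread: a constructed Python model of the two points argued in comments 35 and 60 above, namely that unsolicited inbound packets are dropped because no state entry exists (with or without address translation), and that a port-translating NAT needs a unique public port per remote endpoint rather than per inside device. The class names, port range and documentation-range addresses are assumptions made for illustration.

```python
"""Constructed model of an edge device: stateful filtering with and without NAPT."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """No translation (e.g. routed IPv6): admits only replies to tracked flows."""
    flows: set = field(default_factory=set)

    def outbound(self, p):
        # Record the reply direction of the flow the inside host opened.
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        return p

    def inbound(self, p):
        # The drop decision is a state lookup; addresses are never rewritten.
        return p if (p.src, p.sport, p.dst, p.dport) in self.flows else None


@dataclass
class Napt:
    """Many-to-one port translation on one public address.

    Models endpoint-dependent mapping and filtering; a NAT that forwards
    to a mapped port from any remote host would let the probe below in.
    """
    public_ip: str
    port_lo: int = 1024
    port_hi: int = 65535
    # (remote ip, remote port, public port) -> (inside ip, inside port)
    table: dict = field(default_factory=dict)

    def outbound(self, p):
        for port in range(self.port_lo, self.port_hi + 1):
            key = (p.dst, p.dport, port)
            owner = self.table.get(key)
            if owner is None or owner == (p.src, p.sport):
                self.table[key] = (p.src, p.sport)
                return Packet(self.public_ip, port, p.dst, p.dport)
        return None  # every public port toward this remote endpoint is taken

    def inbound(self, p):
        if p.dst != self.public_ip:
            return None
        inside = self.table.get((p.src, p.sport, p.dport))
        if inside is None:
            return None  # no mapping, so nowhere to forward: dropped
        return Packet(p.src, p.sport, inside[0], inside[1])


def demo_unsolicited():
    """Reply vs. unrelated probe, through each device. All traffic constructed."""
    fw = StatefulFirewall()
    fw.outbound(Packet("2001:db8:1::10", 40000, "2001:db8:ffff::80", 443))
    reply6 = Packet("2001:db8:ffff::80", 443, "2001:db8:1::10", 40000)
    probe6 = Packet("2001:db8:bad::1", 55555, "2001:db8:1::10", 40000)

    nat = Napt("203.0.113.5")
    sent = nat.outbound(Packet("10.0.0.10", 40000, "198.51.100.80", 443))
    reply4 = Packet("198.51.100.80", 443, sent.src, sent.sport)
    probe4 = Packet("192.0.2.66", 55555, sent.src, sent.sport)

    return {
        "fw_reply_admitted": fw.inbound(reply6) is not None,
        "fw_probe_admitted": fw.inbound(probe6) is not None,
        "nat_reply_forwarded_to": nat.inbound(reply4).dst,
        "nat_probe_admitted": nat.inbound(probe4) is not None,
    }


def demo_port_sharing():
    """Two public ports only, to make exhaustion visible."""
    nat = Napt("203.0.113.5", port_lo=5000, port_hi=5001)
    a = nat.outbound(Packet("10.0.0.1", 40000, "198.51.100.80", 443))
    b = nat.outbound(Packet("10.0.0.2", 40000, "198.51.100.80", 443))
    # Third host, same remote endpoint: both ports are in use toward it.
    c = nat.outbound(Packet("10.0.0.3", 40000, "198.51.100.80", 443))
    # Same host, different remote endpoint: port 5000 can be reused.
    d = nat.outbound(Packet("10.0.0.3", 40000, "198.51.100.81", 443))
    return a.sport, b.sport, c, d.sport


if __name__ == "__main__":
    print(demo_unsolicited())
    print(demo_port_sharing())
```
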
  61. Re:IPv6 by saleenS281 · · Score: 2

    NAT breaks the internet, and it isn't a solution to running out of IP addresses.

    The real issue is that in their eagerness to make sure we never run out again, they made it too complicated. It would've been far more sane to add a fifth set of numbers. That way all existing IP's would've been 000.XXX.XXX.XXX --> essentially not requiring ANY renumbering at all. And they still would've been in a format that people could relatively easily memorize or manually enter.

  62. Re:IPv6 by Pi1grim · · Score: 4, Insightful

    NAT killed one of the basic principles of the internet and you're trying to make it look like a good thing.

  63. Re:what about printers and other Internal stuff IP by Anonymous Coward · · Score: 1

    Most computers will use Dual-Stack for the foreseeable future for precisely this reason.

  64. Re:IPv6 by compro01 · · Score: 1

    Which naturally is a red-link on Wikipedia, because no doubt the first computers that were used to build the internet weren't "notable".

    It appears that no one has ever bothered to make said article. There's nothing in the deletion log.

    --
    upon the advice of my lawyer, i have no sig at this time
  65. Re:IPv6 by The+Askylist · · Score: 1

    Weirdly, my 3 dongle gives me an IP address in the 188.28.x.x or 188.29.x.x range, but uses 10.64.64.64 as a gateway. I can only assume it's NATted, but since 188.x is a public address owned by 3, they must be doing something odd.

  66. Re:What Vendors? by Almost-Retired · · Score: 1

    "It wont be until the rest of us demand proper support any vendor will put the time and money into a proper solution"

    Precisely. Here at the coyote.den, I've been NATing all my stuff to a 192.158.xx.xx scheme and will never ever use even the last block of 254 addresses fully. But that is what's forced on the home user because his ISP only gives us one address.

    ALL of the existing, can be purchased from Amazon, reference books are both quite a few years old now, and damned expensive in dead tree formats, too damned expensive. Yes, you can get the e-book versions for a $20 bill, but Amazon won't sell it to you without the kindle itself logging in somehow. So they are not accessible without first dropping the card for the Kindle at $200 and up. That's bull shit but it won't grow any corn where I come from.

    Amazon should make up their mind, either sell books, or Kindles but not both.

    Then, figuring if I could buy the e-book I could read it with Calibre, but figured I had better check out the e-pub compatible reader (an Aluratek Libre!) that I bought the missus for Christmas last year (which supposedly came with a 1 year warranty that has about a week to run), I pulled it out and discovered it is deader than a 5 year old mouse. Plugged its charger in, no response. Plugged the charger into one of those universal usb powered read/write anything adapters, one that when plugged into a normal usb port, lights up the whole room with an eerie blue light. Nothing, charger is dead.

    Plug the reader into a usb port, which Aluratek claims can charge it in 8 hours. 16 hours later, still dead. Now, since I am a C.E.T., I open the thing up, a 3.7 volt battery reads 4.7 _millivolts_ but even with power on the usb plug, no charging current is getting to the battery. So, it appears to me that the charger may have gone wild before it failed completely, and let the magic smoke out of the internal charge regulation parts, but very close inspection with a very high powered magnifying lens doesn't disclose anything that looks to be damaged, and a simple ohmmeter test of the transistors says they are good. I wrote Aluratek at their email support site asking, but of course it's the weekend, and by the time a reply gets here, the warranty will be fini.

    I might buy another, but the warranty had better read damned good before I drop the card.

    Back to ipv6: The relatively elder age of the available books on the subject means they will cover only the RFC's for it, and likely zero content will actually address what, where & how we should attack the problem with our favorite editors, in my case vim.

    So, the bottom line is this: Google needs to write an e-book documenting how it is actually done, and likely make it available in a non-drm'd format for a $20 bill. At that point, ipv6 might take off, perhaps at 1% of the ISP's in the next year.

    Until such time as the implementation details are actually published at an affordable by Joe & Jill Lunchbucket price, google may well find they are virtually the only ones in this truly humungous ipv6 pond. The rest of us, ISP's included, will go about the daily business without worrying about it until the address crunch really happens. Since most ISP's have 3 to 20 times the address space assigned than they are actually using, TPTB simply cannot see any reason to spend even a $20 bill on ipv6. And at the end of the day, I see no real reason to call mine up and do anything more than ask when ipv6 services may become available. I did that shortly before that national test last summer, and got a "what's ipv6?" reply.

    Anyway, since folks are saying it, so will I. That's my $0.02 on the subject. Adjust for inflation though, it only took $0.05 to buy a loaf of bread when I was born.

    Cheers, Gene
    --
    "There are four boxes to be used in defense of liberty:
      soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author)
    My web page: <http://coyoteden.dyndns-free.com:85/gene>
    Most people eat as though they were fattening themselves for market.
                                    -- E.W. Howe

  67. It took me 2 days... by Anonymous Coward · · Score: 0

    Just imagine the amount of funds and brain power that is available to me...

  68. Re:IPv6 by um...+Lucas · · Score: 1

    Nat is defiantly a solution. There are so many devices connected directly to the Internet, consuming precious ip's that, frankly have no real reason for doing so. I worked at a publishing company some time back, thousands of employees, each with an accessible public ip address. So we're talking gobbling up thousands of ip's when through services like NAT, etc they could have shrunk their footprint to 10 or 15 public ip's. Widen that policy across the entire Internet and we'd likely be using a sliver of the ip4 space and not even need to contemplate ip6.

    Take the fridge of the future. It "needs" to be able to look up product information by barcode or RFID, send order requests to the grocer (or most likely to amazon), send diagnostic info, retrieve software updates, and maybe poll the power company to find out if it should ratchet down its energy consumption. All of that can be accomplished while sharing the same public ip address of every other device in the house. Or even every other device in the neighborhood.

  69. Re:IPv6 by Anonymous Coward · · Score: 0

    I guess decisions weren't just made for sake of projected size, but also for overhead. That said, even when ipv4 was created they should have had the imagination to assume that at least every human would be connected with at least one device, and at least double that to be sure. I think they could have easily done a cost/benefit calculation and check to see how much more expensive it would be to implement something like that back then, instead of waiting for the ipv4 pool to run out before changing equipment. Although, having people change equipment of course benefits the equipment producers.

    The sad thing is, considering how old IPv6 is, we're still running on IPv4... :(

  70. Re:IPv6 by Anonymous Coward · · Score: 0

    Note that the deletionists can make it so you would never know an article existed. (unless you have super-secret access to the wikipedia backend.)
    Capacha: Overdone

  71. To put it in perspective by Anonymous Coward · · Score: 1

    Each home is supposed to get a /48 from the IPv6 ISP. Then the residential subscriber can provision up to 65 thousand subnets. The remaining 64 bits are left for the autoconfigured MAC address.

    Because of privacy concerns, the MAC address can be obfuscated. That way, nobody will be able to tell for sure which physical device in your home posted the controversial contribution.

    The talk about 2**128 IPv6 addresses is rubbish. The address allocation schemes have carefully been designed to support about as many addresses as there are MAC addresses, that is, in the range of 48 bits. It's much better than IPv4 but only by 5 orders of magnitude.

    1. Re:To put it in perspective by Just+Some+Guy · · Score: 1

      The address allocation schemes have carefully been designed to support about as many addresses as there are MAC addresses, that is, in the range of 48 bits.

      But while the bottom 64 can be used for MAC-based autoconfig, they don't have to be. There's nothing preventing you from running DHCP and handing out sequentially-numbered addresses if you ever feel the need to.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:To put it in perspective by unixisc · · Score: 1

      I agree that 2^128 is way overrated. There will be 2^32 (since 2001:/16 is what's likely to get assigned first) organizations which will have 2^16 subnets. In reality, I doubt customers will be getting /48 from their ISPs - it'll be more likely either /64, or if they need multiple subnets, say for 2 or more SSIDs on their Wi-Fi routers, they'll get a /60, which will allow them to have 16 subnets. For a home user, that seems reasonable.

      I agree w/ knorthern knight below and I have in the past argued that giving 64 bits to the interface ID was overkill, despite the autoconfiguration requirements - 32 bits would have been fine, maybe 48. 16 bit subnets are okay, better 32. No subnet will ever have anything even close to a billion addresses - that would just be collisions begging to happen. Even for China or India, no ISP will have even close to a billion customers (unless they nationalize all ISPs into one). The first half of the address could have been w/ the ISP, and each end customer - whether a single user or a huge corporation - would have been given a /64, where they could then have /32 subnets, which in turn would have /32 users. Still pretty adequate. As Just Some Guy said, one could run DHCPv6 within a single subnet and have what one needs - a pool of dynamic addresses, static addresses, different addresses for different protocols (i.e. one address for an http server, another for the mail server), autoconfigured addresses and so on.

      I however don't think that a new protocol will necessarily be needed. The consumption of addresses is going to be monitored by the RIRs, and at the end of it all, if they see that there have been too many addresses needed due to the excessive Interface ID space, then when they go to 3000:/4, they can reassign the global prefix:subnet:interface ID distribution to be 64:32:32 or 64:16:48 instead of the current 48:16:64 that it is. If the headers won't change - and they won't, since the source and destination address lengths will remain 128 bits - then the new assignment will still be compatible, and the migration won't be as painful as the current one.

  72. Re:What Vendors? by M0j0_j0j0 · · Score: 2

    You should be aware that due to my attention deficit due to extreme computer usage i cannot read all your post.

  73. Re:IPv6 by danomac · · Score: 3, Insightful

    Thank the internet-based attacks. I've had the pleasure of plugging in a fresh Windows XP (before SP3/firewall) computer to get security updates and have it infected 30 some odd seconds later.

  74. Re:IPv6 by grcumb · · Score: 1

    Nat is defiantly a solution.

    Yes, but its defiance is actually part of the problem.

    Your publisher example wouldn't be a problem if we were all using IPv6. In such a scenario, running out of addresses would be inconce- er, hard to conceive. Unfortunately, silly, awkward shims like NAT give hardware manufacturers the excuse they need to avoid moving to the new standard.

    As to your fridge example, before you share your fridge's address with every other fridge in the neighbourhood, I'd recommend you study man-in-the-middle attacks a little more carefully.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  75. Re:IPv6 by Rising+Ape · · Score: 1

    Sure, but that's the fault of Windows, not the network protocol.

    In fairness, modern Windows versions are better. I left my Vista box with a public IP and no separate firewall for months and nothing bad happened.

  76. Keypad by Anonymous Coward · · Score: 1

    The Google guys need one of these: http://www.ipv6buddy.com/ :-)

  77. speaking of squatters by Anonymous Coward · · Score: 0

    Why does the soon-to-be-defunct USPS need a /8?

    1. Re:speaking of squatters by Anonymous Coward · · Score: 0

      Why does Zuckerberg own the majority of facebook.....

      At one time, their parent company, The United States of America, OWNED the entire internet.

      You should be thankful they gave you and your pitiful Youtube/Facebook/whomever you work for a sizable chunk of the pie......

      No, they should probably give up a big chunk just like the other about 10 companies who bought Class As before ICANN.

    2. Re:speaking of squatters by unixisc · · Score: 1

      This time, every company (I'm not including ISPs in this) that gets a /48 has more than enough for all its global branches, as well as all its employees, and enough for having several virtual hosts, mail servers, web servers, ftp servers and so on. No more Class As, Class Cs and so on.

  78. Obligatory XKCD by Anonymous Coward · · Score: 0
  79. Re:IPv6 by Anonymous Coward · · Score: 0

    Which means it's also the worst solution we have.

  80. Re:IPv6 by Tim+the+Gecko · · Score: 4, Informative

    I thought there was an announcement that the IPv4 address space is now totally exhausted. Or at least there are no new blocks to be assigned. The tunnel broker, Hurricane Electric indicates that IPv4 is exhausted.

    The announcement - http://www.nro.net/news/ipv4-free-pool-depleted - was made when IANA, the central authority, ran out of addresses to give to the five regional internet registries. These regional registries will run out at different speeds. Geoff Huston's graph is very useful to see how fast this will happen - http://www.potaroo.net/tools/ipv4/plotend.png

  81. Re:IPv6 by hairyfeet · · Score: 0

    No I'm able to actually add. Let me put it THIS way: Do you honestly think if your HS football team went against the Chicago Bears they would have a shot?

    They pay on average $4500 a degree while YOU pay $50K+, this means they will ALWAYS be able to undercut you, same as there is no way with current safety and health regulations you can compete manufacturing against China where they can dump the waste in the river and pay peanuts for wages.

    It's simply math, friend, they can afford to take jobs for pay that wouldn't even cover your student loan payments, much less put food on the table or a roof over your head. With the corps in a race to the bottom and videos like "How NOT to hire an American" which I'm sure if you've seen it you'll agree that against poorly paid foreign labor the American hasn't a prayer, there is simply no point in going into IT because you'll be fighting with 300 other guys for the scraps if they don't just follow the video and not give any of you a shot.

    I mean do you HONESTLY think if we tried to flood India's market with OUR IT workers they'd put up with that shit? They are spending billions on their Aerospace just so they won't have to buy anything from the USA! But as long as corps ONLY care about how much the worker costs then Americans would have to be insane to take IT in college, same as it's nuts to go into construction anymore because there is one white guy and a shitload of illegals. You should yell "Immigra!" around a construction site sometime, I swear they scatter like deer.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  82. Re:IPv6 by Electricity+Likes+Me · · Score: 1

    You could argue it's very much the fault of the prevalence of NAT too - most of the time it simply wasn't a problem, but not for any good underlying reason (i.e. USB key or drive-by download type attacks then propagating via RPC vulnerabilities on internal networks).

    I mean, silver-lining of NAT, whatever, but I don't think it's been remotely worth it.

  83. IPV6 is inevitable - better learn it now by whistl · · Score: 3, Insightful

    Right now I'm running a free IP v6-over-v4 tunnel from my router to Hurricane Electric. I got assigned my own v6 LAN range. Mac OS X works fine, hits the v6 version of a website if it exists, the v4 version otherwise. Doesn't always work, I know. The DNS part is the problem to figure out. The larger infrastructure DNS servers (comcast, at&t, verizon, etc) need to support IPv6. Comcast has just begun rolling it out to end users, so hopefully they've got dnsv6 servers that work now and still return the correct regionally sorted IP addresses for cloud services like akamai.

  84. Re:IPv6 by Anonymous Coward · · Score: 0

    It's not typically a matter of the home user.....

    NAT can be quite useful in that situation

    The problem is ISPs are starting to build networks that NAT, behind NAT, behind NAT, behind NAT

    It's a total kludge

    Why is this part of the problem....Think of spam email.

    If you have 3 layers of NAT for a home ISP, how do you block 1 bad host?

    You may block 1 IP address but you could be blocking 1,000 or 10,000 or 1,000,000 legit customers all at the same time.

    so instead of being able to block the 1 bad host, you are faced with the choice of

    1.) Choke down the data and hope it doesn't break your server
    2.) block 1 ip address which could knock off an unknown number of paying customers.

  85. Re:IPv6 by rev0lt · · Score: 1

    NAT killed the concept that every host is accessible via routing. That is not a bad thing, as some "troublesome" protocols are deprecated or somewhat rewritten to work around NAT. Someone mentioned SIP, an abortion that should never be routed without encryption on a public network. Almost the same as FTP.

  86. Stupidity at Google, guess they have the money... by internet-redstar · · Score: 0

    IPv6 will be very important next year... ... so we are told for 15 years now. It will just never happen. Running out of IPv4 addresses internally... give me a break - who believes that? NAT is the answer delivered for a long time now. And it will remain there forever. Amen.

  87. Re:IPv6 by JSG · · Score: 1

    So your anecdote has become data?

    A sample size of one in your study is somehow important?

    Hand in your geek card.

  88. Re:IPv6 by budgenator · · Score: 1

    New Orleans not so much so YMMV

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  89. Re:IPv6 by Rising+Ape · · Score: 1

    I didn't realise I was publishing a scientific paper. I *thought* I was responding to one anecdote with another.

    The "OMG you don't have a NAT you're going to get pwned" fearmongers are fond of using anecdotes of unpatched XP boxes being hacked within seconds. If that was still such a problem, it shouldn't have been possible for even a single user such as myself to have an out-of-the-box Windows install connected directly to the internet for months without being hacked. Simple statistics should say that if there's a significant chance of getting hacked in minutes, the chances of surviving for months must be utterly negligible, to the point where a single counterexample *is* relevant.

  90. Re:IPv6 by budgenator · · Score: 1

    LOL. I'm still waiting for my flying car and my in-basement nuclear fusion power generator.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  91. Re:IPv6 by JSG · · Score: 1

    Wrong 'n' epic fail.

    'phone numbers == IP addresses. In telephony your number is your identification. On t'internet your IP address is simply that - a number. Your A record is your identification and that does not really care about your IP address.

    IPv6 will happen. Just not overnight.

    Why did you bother linking that article?

    Cheers
    Jon

  92. Re:IPv6 by camperdave · · Score: 2

    As to your fridge example, before you share your fridge's address with every other fridge in the neighbourhood, I'd recommend you study man-in-the-middle attacks a little more carefully.

    No man stands between me and my fridge!

    --
    When our name is on the back of your car, we're behind you all the way!
  93. Re:Stupidity at Google, guess they have the money. by Lord_Naikon · · Score: 2

    While the rest of the world can use their instant messenger software to share files or make calls, you are stuck on IPv4 and must use slow 3rd party servers to proxy data between you and your other IPv4 friends because your NAT won't allow them to connect directly. I'm sorry, but the problem is not about running out of IPv4 addresses internally, it is about connectivity with the rest of the world.

  94. Re:IPv6 by TarpaKungs · · Score: 1

    The 3 MIFI dongle will allow a DMZ host - ie forward all ports to an internal machine of your choice. The IP is of course, dynamic, but works well enough with dyndns.

    --
    Why can't women be like Hedy Lamarr - beautiful, talented and inventors of frequency-hopping spread-spectrum techn
  95. Re:IPv6 by Rhodri+Mawr · · Score: 2

    http://download.wsusoffline.net/

    WSUS Offline Update. For those who can't/won't run a Microsoft WSUS Server but have enough machines to need one. Can be run on Linux.

  96. We should not expect something to work just . . . by tengu1sd · · Score: 2

    'We should not expect something to work just because it is declared supported, . . .'

    Why should IPv6 be different than any other feature a vendor documents?

  97. Static IP addresses == end of privacy by knorthern+knight · · Score: 1

    > Each home is supposed to get a /48 from the IPv6 ISP. Then the residential subscriber can provision
    > up to 65 thousand subnets. The remaining 64 bits are left for the autoconfigured MAC address.

    > Because of privacy concerns, the MAC address can be obfuscated. That way, nobody will be able
    > to tell for sure which physical device in your home posted the controversial contribution.

    Well... like... whoopee. Marketeers (e.g. Fecesbook) will love it. It'll still let them know that certain web requests are coming from the same home. They'll be able to aggregate all your web browsing, etc, regardless of how much you spoof your mac address, because it's just a matter of seeing which /48 it's in. I prefer dynamic IP addresses thank you. Those l33t h@x0r d00ds out there who want to run your own public webservers are more than welcome to ask your ISP for static addresses.

    And WTF are they thinking, handing out that many addresses per account? That's 9.022 * 10^14 addresses for every man+woman+child in China or 1.727 * 10^14 addresses for every man+woman+child on this planet. A /96 should be enough to run an ISP anywhere except China or India.

    25 years from now, we're going to run into an unexpected shortage, and we're going to have to scrap a whole bunch of routers, etc which are hardcoded to expect /48's, and replace them with routers, etc that expect slightly smaller blocks. The Ciscos of this planet will love it.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
    1. Re:Static IP addresses == end of privacy by Imagix · · Score: 1

      More recent standards have been dictating a /56 to a subscriber home.

  98. Re:IPv6 by danomac · · Score: 1

    Oh, I completely agree about the newer versions of Windows being better.

    However, after being burned once, I don't ever plug any Windows machine directly into the internet. It's not worth the pain of reinstall and hours of Windows Updates and reconfiguring everything. I also seem to recall that there is a point between Windows bringing the network interface up and setting the firewall to active where it could be vulnerable. I just don't take that risk anymore.

  99. Re:IPv6 by petermgreen · · Score: 2

    I thought there was an announcement that the IPv4 address space is now totally exhausted.

    IP allocation is hierarchical. The IANA assigns IPs to the RIRs, the RIRs assign IPs to ISPs and big companies, ISPs assign IPs to their customers and so on.

    Currently the IANA have run out and APNIC have run out. The other RIRs still have IPs to hand out for now (not for much longer though).

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  100. Re:IPv6 by petermgreen · · Score: 1

    They had grandiose ideas with IPv6 about improving routability but afaict it never really panned out that way. Afaict the idea of multihomed sites running multiple IP ranges in parallel has been pretty much abandoned and the RIRs have started handing out v6 IP blocks directly to such sites. There will be some gains as they can give an AS a bigger block at once (so less routes per AS are likely) but each routing table entry will be bigger.

    Oh and of course in the transitional period (which I'd expect to be at least a decade) routers will have to handle both the IPv4 table and the IPv6 table OUCH.

    Afaict hardware capabilities have grown faster than the v4 routing table so the system has kept on working. The only real problem is it's quite expensive to get a router that can import the entire table so smaller multihomed sites have to import a subset of the table and route the rest to default.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  101. Re:IPv6 by petermgreen · · Score: 1

    I worked at a publishing company some time back, thousands of employees, each with an accessible public ip address. So we're talking gobbling up thousands of ip's when through services like NAT, etc they could have shrunk their footprint to 10 or 15 public ip's.

    And then someone sends them a network abuse complaint. Unless the sender of the complaint had the foresight to record port information AND the NAT saved a log of port mappings they would have no idea who the complaint was directed against.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
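
The attribution problem raised in the comment above, worked through as an added example that is not part of the original thread: resolving an abuse complaint against a NAT translation log, with and without the reporter's port number. The log layout, field names and all addresses are constructed for illustration and do not correspond to any vendor's NAT log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Mapping:
    """One NAT translation: internal socket <-> public socket, with lifetime."""
    start: datetime
    end: datetime
    internal_ip: str
    internal_port: int
    public_ip: str
    public_port: int


@dataclass(frozen=True)
class Complaint:
    """What the remote party reports: when, from which address, maybe which port."""
    when: datetime
    public_ip: str
    public_port: Optional[int]  # None when the reporter did not record it


def candidates(complaint: Complaint,
               log: Iterable[Mapping],
               skew: timedelta = timedelta(0)) -> Set[str]:
    """Return the internal hosts that could have sent the reported traffic.

    `skew` widens each mapping's lifetime to allow for clock drift between
    the reporter and the NAT device. One result means the complaint is
    attributable; several (or none) means it is not.
    """
    hosts = set()
    for m in log:
        if m.public_ip != complaint.public_ip:
            continue
        if not (m.start - skew <= complaint.when <= m.end + skew):
            continue
        if (complaint.public_port is not None
                and m.public_port != complaint.public_port):
            continue
        hosts.add(m.internal_ip)
    return hosts


# --- constructed sample data (documentation and RFC 1918 ranges) ---
T0 = datetime(2011, 12, 12, 9, 0, 0)


def at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)


NAT_LOG = [
    Mapping(at(0),   at(120), "10.1.4.17",  51122, "203.0.113.10", 40001),
    Mapping(at(30),  at(90),  "10.1.7.200", 49900, "203.0.113.10", 40002),
    Mapping(at(60),  at(300), "10.1.9.33",  50010, "203.0.113.10", 40003),
    # Public port 40001 is reused later by a different internal host.
    Mapping(at(200), at(400), "10.1.2.8",   51122, "203.0.113.10", 40001),
    # Same public port number, but on a second public address.
    Mapping(at(60),  at(80),  "10.1.5.5",   40000, "203.0.113.11", 40002),
]

if __name__ == "__main__":
    cases = {
        "time + IP + port": Complaint(at(75), "203.0.113.10", 40002),
        "time + IP only": Complaint(at(75), "203.0.113.10", None),
        "reused port, later": Complaint(at(250), "203.0.113.10", 40001),
    }
    for label, c in cases.items():
        print(f"{label:20s} -> {sorted(candidates(c, NAT_LOG))}")
    print(f"{'no NAT log kept':20s} -> "
          f"{sorted(candidates(cases['time + IP + port'], []))}")
```

Port reuse makes the timestamp as important as the port: the same public port maps to different internal hosts at different times, so a generous clock-skew allowance can turn a unique match back into an ambiguous one.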
  102. Re:IPv6 by QuantumRiff · · Score: 3, Informative

    Try having two IP's on the 'outside' of NAT forward the same port to the same server (i.e., port 80 on both IP's to your web server). I have yet to find a single vendor that can do that, since it would not be able to figure out source traffic.

    My ISP is a rural wireless ISP that does NAT at their POP. (I don't have much choice in providers, it's them, dial up, or satellite.) Their whole wireless infrastructure is a 192.168.168.x network. All client sites sit behind another NAT device (the CPE router) that then translates that to a 10.10.x address. I can't use any service that needs to address a certain port (people in my area get mad they can't host games on their Wii's). Things like "whatsMyIP.com" are useless, so is dynamic DNS, since the public IP is a box serving thousands of customers. This is the future of NAT, as IP's get scarce.

    --

    What are we going to do tonight Brain?
  103. Re:IPv6 by BitZtream · · Score: 1

    Windows 7 requires you to configure the firewall on first run, right off the bat. It's initially on until that step, and what happens after that step is up to you. It's not labeled as such, Windows asks you what type of net you're connected to, Work, Home, Public, and picks some basic settings based on which one you choose.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  104. Re:IPv6 by BitZtream · · Score: 0

    NAT is by definition, ONE to ONE.

    It is NETWORK ADDRESS translation.

    What you are referring to is PAT:

    PORT and ADDRESS TRANSLATION.

    But hey, why know what you're speaking about when telling others how it is.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  105. Re:IPv6 by BitZtream · · Score: 1

    You can have an internal gateway on private address space and still talk to the Internet using your public one.

    This is extremely common, you give your customer a real address so they can do anything they want on the Internet, but you put ALL of your own internal infrastructure that doesn't have to directly communicate with external hosts on private address space. Makes it far harder for external entities to talk to your network equipment directly and saves you a lot of address space and reassignment issues as blocks need to be moved around.

    The 10/8 network being private is an imaginary thing, there's nothing that prevents it from being fully routable other than no one is announcing it out via BGP ... and if they did, others would just filter it out (big/competent ISPs already DO filter out these nets to prevent problems)

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  106. Re:IPv6 by danomac · · Score: 1

    If that was still such a problem, it shouldn't have been possible for even a single user such as myself to have an out-of-the-box Windows install connected directly to the internet for months without being hacked.

    Well, sure, but now most residential ISPs block incoming connections to some ports (http and smtp come to mind) as well as some Windows-related services so it's probably not nearly as big a factor as it was. This wasn't done when there were a few major outbreaks and it spread like wildfire. NATs are good for the end user who doesn't know (or generally doesn't give a shit? The ignorance of some people I've met...) about having a malware-infected computer.

    While dealing with the blocked ports is a pain (especially if you're a geek and want to run http and smtp) the greater good is definitely there for the 99.9999% of residential customers that don't use it. I shudder to think of what infections there would be if the ISPs didn't actively stop blocking some traffic to save people from themselves...

  107. Ipv6 and OSI Addressing by Anonymous Coward · · Score: 0

    OSI vs TCP/IP - check out OSI Addressing, it would have coped much better but TCP/IP and 4 octets won out. IPv6 is a retrofit to a wider space...but it's much more...no more broadcasts. It's cool but the Hex will get clunky as the addresses get eaten up.

    1. Re:Ipv6 and OSI Addressing by unixisc · · Score: 1

      Broadcast addresses in IPv6 are not there, but if one needs to do that, a multicast to the all nodes on the local link multicast group ff02::1 will have pretty much the same effect.

  108. Re:IPv6 by Electricity+Likes+Me · · Score: 1

    This has precisely nothing to do with it.

    Whether you add another 8 bits or another 256 bits, the reality of the problem is the fact that for anything to work you have to upgrade pretty much the entire routing infrastructure of the internet, and solve a chicken and egg problem.

    That the addresses are complicated is irrelevant. There's nothing particularly nice about an IP address, we're just used to them.

  109. Re:IPv6 by dave87656 · · Score: 1

    One of the advantages I see of IPv6 is that every device can have a unique ID which makes it addressable from everywhere without port forwarding. Is this correct?

  110. Re:IPv6 by dave87656 · · Score: 3, Insightful

    You've got to be kidding. Were you just looking for some way to criticize his post?

  111. Re:IPv6 by Anonymous Coward · · Score: 0

    I mean do you HONESTLY think if we tried to flood India's market with OUR IT workers they'd put up with that shit?

    India would love to have more qualified people, it'd help their growing economy. So, yes, I think they would gladly accept them (although I doubt most would like being paid in peanuts).

    they are spending billions on their Aerospace just so they won't have to buy anything from the USA!

    Maybe if the USA wasn't such an asshole with their planes that wouldn't be necessary. They downgrade the exported hardware (for military; no idea about civilian planes) whenever they feel like, of course that'd make people a bit pissed off.

  112. Re:IPv6 by I'm+Not+There+(1956) · · Score: 1

    And this usage will increase hugely when Internet of Things as promoted by IBM and others will be more real. Don't forget that number of devices like TVs, cars, and refrigerators that people use is massive when compared with computers.

    --
    "If fifty million people say a foolish thing, it's still a foolish thing."
  113. Had IPv4 been 32bit... by unixisc · · Score: 1

    Something no one would need if proper assignment of IP ranges had been done.

    Or if IPv4 had been defined @ 128 bits the first time around, instead of 32. Only allowance I'd give is that in the 70s, nobody imagined that computers would be as inexpensive and widely available as they are today, or that a whole list of new devices would go digital and start needing IP addresses, not just some huge servers in some 50 big organizations in the US.

  114. Re:IPv6 by unixisc · · Score: 2

    That is a bloated figure - the actual number is something like 3.7 billion. I had calculated it in a previous thread on IPv6 on /. - take 2^32, subtract all the private addresses of class A, B, C, subtract all the class D & E addresses as well, and also lose all the network and broadcast addresses. The number comes down to 3.7 billion. Even that is somewhat approximate, since it doesn't count all the classless configurations that are there, which would haemorrhage even more network and broadcast addresses. I detailed the calculations there - don't feel like re-doing it here.

    Bottom line - the total #IP addresses would amount to 1 for every 3 devices today, and going to be even less going forward. Even a 64-bit wouldn't have helped, since in some cases, more than 1 level of NAT is required, so a minimum needed would have been 96 bit. No, structurally, IPv6 is the best laid plan out there. Yeah, I can think of ways in which it could have been better, but I'm impressed w/ what is there.

    Oh, and I'm glad that Google is planning to transform its network into IPv6. Once the big hitters - Google, Facebook, and others take the lead, the reasons to migrate to IPv6 will get more compelling.

  115. To put it in a different perspective by Anonymous Coward · · Score: 0

    The difference with IPv6 is that the address space is big enough, that even if we were incredibly shortsighted and not able to see the future coming and squandered every single /48 except for one with inefficient assignment and we end up needing more than we predicted, we'll still have 2^80 addresses left to work with. Placing them under a new addressing scheme, assigning them more frugally, that's a hell of a lot more than 2^32 where we are today.

    A small address space such as 2^32 has shown to be practical to manage, since this is how the Internet works today. It stands to reason that 2^80 would not be impractically small to be managed using similar techniques.

    Over time, it's reasonable to assume that more old large assignments can be reclaimed (as we have seen in IPv4 - although in IPv4 returning a single net block won't have nearly the same impact as in IPv6), giving us virtually limitless potential for expansion.

    To put it all in perspective, I for one wouldn't really mind if my home got a IPv6 /120 rather than a /48 - say. I doubt many people run a home network that requires more than 256 addresses. That's still a hell of a lot better than the single IPv4 address I get now.

    1. Re:To put it in a different perspective by unixisc · · Score: 1

      To put it all in perspective, I for one wouldn't really mind if my home got a IPv6 /120 rather than a /48 - say. I doubt many people run a home network that requires more than 256 addresses. That's still a hell of a lot better than the single IPv4 address I get now.

      While you would be happy w/ a /120, other organizations, like medium to large businesses, would need more, and a mobile IP network that depends on autoconfiguration would need even much more. One of the things the designers of this did right this time - unlike the segregation of IPv4 into Classes A-E, was that they put in a one size fits all, so that people, already new to the new protocol, wouldn't have to struggle w/ things like variable length subnets, networks and the like. Since the Mac addresses of Ethernet are 48 bit and the Firewire addresses are 64-bit, they assigned the entire lower 64-bits to the interface ID. It's also easier for new equipment, which already had to be programmed to support IPv6, to know which bits are the global prefix, which ones the subnet, which ones the interface IDs, etc.

      I do think that that was overdoing it, since one doesn't have to use the entire MAC or Firewire IDs in order to create an autoconfigured unique interface ID. Had they simply assigned 32-bits to it, they'd have been fine - no network (include a mobile network in this) is likely to have 4 billion subscribers, or anything even close. So such an assignment would still have been fixed, and far exceeded the needs of any business or home. While you may not need 32 bits to start with, having them gives you the flexibility to configure DHCP6 to allocate static addresses, dynamic addresses, autoconfigured addresses and a whole lot more. With that, you can use a static address to host your own web, mail & ftp servers, dynamic addresses for all your internet browsing devices, autoconfigured addresses for things like your tablets and phones, and so on.

  116. Re:IPv6 by unixisc · · Score: 1

    NAT has improved protocol design a lot though. Before NAT, there were things like FTP, with inband port signaling. Most modern protocols avoid mentioning port numbers in the payload and can run on any port, through multiple port forwardings if necessary. Notable exception and bad example: SIP. I expect more bad protocol design once people again assume that end-to-end IP addressing is universally available.

    But there are apps like Google maps that need several ports, and if you have NAPT, which is the most common type of NAT out there, then it ends up eating up more ports, particularly for larger networks. Was IPv4 that bad before NAT came along, when everybody had a flat address space in which to lay out their network architecture?

  117. Re:IPv6 by Yaztromo · · Score: 2

    Little known fact only 15% or so if the IP V4 addresses are actually being used by honest to God websites

    It's funny how the network is designed so that multiple clients can access a single server.

    Talk about misusing numbers in furtherance of an argument! I'd expect the number of servers to be relatively low in any network -- servers are typically designed to be shared resources, and (in general network topography terms) only really make sense when there are multiple clients to access it.

    Little known fact: there are currently enough people on this planet to overwhelm the IPv4 address space if we just gave every person one address. And this doesn't include even having any web servers with independent addresses. Nor any SMTP servers, POP3/IMAP/Exchange servers, FTP servers, NTP servers, DNS servers, nor any other sorts of servers you care to imagine. Nor any routers (they each need an address) or other infrastructure devices.

    So even if your number is correct, so what? Would we want to live in a world where 100% of IPv4 addresses are used by websites, with none left for actual clients? Websites are hardly the most voluminous nor the most important part of the Internet. Anyone with half a brain would expect that clients and other systems would make up the most voluminous parts of the network; claiming that only 15% of addresses are used for the web and then trying to intimate that the other 85% are just "wasted" is completely non sequitur.

    Yaz

  118. Re:IPv6 by unixisc · · Score: 1

    Where did you get that number of 15%? All these kludges that IPv4 has used over the years - be it CIDR, NAT - has been b'cos they have been running short on addresses for a while now, and hence had to juryrig the protocol for these 2 fixes ever since they discovered that purely classful routing is limiting them, and then no matter how they slice and dice their address space, they're still running short. And IPv6 has been developed over the last 10 years, and is now pretty much ready, and being rolled out. Yeah, since it's new, there may be hiccups that early implementors may find, but the 6bone and KAME projects have been testing it over that time. It's not exactly something as brand new as Windows 8 will be.

    Also, do you have any idea of whether a compatible protocol is even possible in the first place? Obviously not, since you haven't taken a glance @ it, as you admit. It's not possible to have a compatible protocol, which is why the IETF came up w/ a totally overhauled Internet Protocol. Why can't it be compatible? Simple reason - the number of address bits - 32 - is defined in the IPv4 header. The moment you change even one bit and made it, say 33, to allow for 8 billion users instead of 4, then you'll need to redefine the IP header so that the number of source and destination address bits get to change. Then guess what - every router on the face of this planet would need to be reprogrammed in order to recognize this new standard, no matter what you called it. The IETF saw this pretty early, and decided that since they'd have to go through this magnitude of effort anyway, they might as well throw in everything they've learned about protocols from the shortcomings of IPv4, so that the new protocol is not likely to have to change for a considerable while. To be fair, IPv4 has been around since the 70s, and so it's not unreasonable to tell society at large that it's over, and out of address space, and that the next thing should last at least the next 1000 years.

    Since we are getting close to running out of IPv4 addresses - squatters or no squatters - it's pretty much going to be Hobson's choice for everyone out there - either IPv6, or no connectivity. For a while, equipment will be dual stacked, and probably, in that timeframe, most will migrate, since that will come automatically when old equipment is replaced w/ new. In the long run, ultimately, all equipment will be IPv6 only, just like one sees little support for IPX or AppleTalk or DECnet these days. At that point, those who want to avoid moving b'cos of any resentment towards H1Bs and offshored businesses and all can enjoy having no connectivity at all to begin w/. This migration is a lot more necessary than past migrations to Windows 95, Windows 2000 or even the Y2K fix. It's not a case of Chicken Licken - there actually won't be addresses to dole out, and unlike in the case of money, which governments can print, there is no way 2^32 can end up equaling a number greater than 4,294,967,296.

  119. Re:What Vendors? by Anonymous Coward · · Score: 0

    I worked on the IPv6 support in some of Cisco's products.
    I can confirm that the only reason we did this was for JITC conformance. There is simply no incentive on the market to support it otherwise.

  120. Re:Stupidity at Google, guess they have the money. by marka63 · · Score: 1

    While you may not believe it, there are companies with over 17 million devices that need to be connected and directly addressed. Once you get up to those numbers RFC 1918 no longer is big enough to address all the machines (RFC 1918 covers 17891328 addresses). Add to that the need for rational subnetting and you can start to run out of addresses with less than a million machines.

  121. Re:IPv6 by unixisc · · Score: 1

    I thought there was an announcement that the IPv4 address space is now totally exhausted. Or at least there are no new blocks to be assigned. The tunnel broker, Hurricane Electric, indicates that IPv4 is exhausted.

    The original such announcement came from APNIC I think a year ago, when they indicated that they were out of IPv4 address assignments to their ISPs. More recently, they changed their transfer policy so that even if 2 organizations want to undergo a transfer of IPv4 addresses from one to the other, the recipient has to justify their requirement for IPv4. In short, getting IPv4 is getting more difficult in this region.

    ARIN so far seems to have pretty much the same policy that it had months ago - nothing has changed, even if Comcast and HE are indicating that they are out of IPv4 addresses. RIPE will be distributing /22s, while AfriNIC was supposed to have run out by August 11 but their status is unclear and not current. LACNIC too seems to be @ an end of its allocations.

    Given all that, there is no reason why any ISP shouldn't start forcing the move to IPv6, since that's the only place where all the addresses really are.

  122. Re:Stupidity at Google, guess they have the money. by internet-redstar · · Score: 1

    No, I don't believe that...

  123. Re:Stupidity at Google, guess they have the money. by internet-redstar · · Score: 1

    The NAT traversal problem has been solved by a lot of services/applications. And instead of asking the entire world to change their home routers and throw away their embedded devices, NAT solves most issues more or less. IPv6 introduces a lot more problems than it solves. And privacy concerns is one of them.

  124. Re:IPv6 by Kjella · · Score: 1

    Note that Asia is for all practical purposes already out of addresses, they've been in a special last-block allocation mode now since April where no regular user will get an IPv4 address, just ISP-wide NATs and such. In reality they're already millions of addresses short.

    --
    Live today, because you never know what tomorrow brings
  125. Re:Stupidity at Google, guess they have the money. by marka63 · · Score: 1

    You may not believe it, but it is part of my day job to support such companies.

  126. Re:IPv6 by unixisc · · Score: 1

    Oh and of course in the transitional period (which I'd expect to be at least a decade) routers will have to handle both the IPv4 table and the IPv6 table OUCH.

    Why would that be necessary, and indeed, if we are running out of IPv4 addresses, how does that help at all? I'd think that Dual Stack Lite would be the way to salvage things - have IPv6 routing happening in between CPEs, and at the customer ends, assign them w/ IPv6 or private IPv4 addresses. The beauty of DS-lite is that for IPv6, it's a native IPv6 network, while for IPv4, it's IPv4 tunnelled over IPv6, and @ the ISP end, the IPv6 address is decapsulated once it gets to the customer premises, and there, the IPv4 address of the customer's box takes over.

    I'm not getting why routability didn't improve? The whole idea of having such a huge space is that within an RIR, you'd have the ISPs, within the ISP, you'd have the subscribers, within the subscriber, you'd have the subnets, and within the subnets, the interface ID. Once one is within an ISP (say a /32), one can get in a customer block (a /56) and finally into a subnet (/64). It all seems to be a case of drilling down. What's it that I'm missing here?

  127. Re:IPv6 by AliasMarlowe · · Score: 1

    NAT allows devices behind the wall to be addressed by port, sharing a single IP address. At an extreme you could have 65535 addressable devices behind a NAT firewall, exposed to the public internet as one IP address.

    In most cases, NAT allows multiple clients behind the address translation, but does not necessarily allow multiple servers, since each service typically can handle only one or a few ports. For instance, how many ftp servers or http servers can you have behind a NAT router? Hint: it's not a large number.

    Here's another example of where NAT breaks down: to access our work VPN from home, you connect to an outside box, which sends a token to a third box. That third box then sends an unsolicited packet on port 500/ISAKMP to the IP of the first box. With NAT, the router cannot know where to send this unsolicited packet, since it is sent to the router's IP address. We have to designate a particular internal node as the recipient for unsolicited port 500 packets, and then it works - for that machine. Here's the rub: we have two PCs which we'd sometimes like to connect to the VPN simultaneously (my wife works for the same employer as me), but NAT allows only one to do so at a time, so NAT breaks this function. Port 500 is the standard port used for key exchange in secure VPNs.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  128. Re:IPv6 by unixisc · · Score: 1

    Precisely! As I pointed out above, if they had added even one bit to make it 1.xxx.xxx.xxx.xxx, they'd have broken IPv4, since the header would now have to support 33 source and destination address bits. Every router on the internet would have needed a workover.

    As far as ease of notation goes, one option might have been to use only octal numbers, and make the address 96 bits instead of 128, and bunch 4 octal numbers together. Keep the old IPv4 like notation alive, like only have something like 1234.5670.7654.3210.1234.5670.7654.3210. The first 3 bits would have been the various RIRs (2-6) while 0 & 7 would have been reserved for things like multicast, and other experimental usages by the IETF, the next 3 for the RIR to reserve for future growth, the next 6 the various countries within each RIR (no RIR has more than 63 countries), so only the first 12 bits would have been eaten that way. The next 12 bits would have gone to ISPs within a country, and the following 12 to its subscribers. The next 24 could have gone to subnets, which would have allowed 8 levels of subnetting, and following that, the remaining 36 bits could have been used for the interface ID.

    The above would have had a notational advantage, and its difference from IPv4 would have been obvious that whereas IPv4 has only 3 dots between the number groups, this one would have 7. One would still easily recognize it as an IP address, not have to worry about colons or [brackets] or a-f. That aside, though, it would have no other advantages on the current IPv6 notations.

  129. Re:IPv6 by unixisc · · Score: 1

    The 4 billion world population is not a relevant argument today, but that can change anytime, and there's no acceptable reason not to be prepared for it. Yeah, between the US, Europe, Australasia, you have 1 billion people, and between India & China, there are around half a billion internet users - since there are 2 billion people in these 2 countries, assume that tops 1.5 billion people can potentially have them - on phones. So worldwide, the number of people on the internet is tops 2 billion. Out of a possible 3.7 billion routable addresses.

    However, the real issue is not the number of people, but the number of devices, and that's where IPv4 falls short now. And once Internet penetration increases not only in the BRIC countries but also in Africa and Latin America, there is no way there will be enough. And speaking of NAT, they will soon need multiple levels of NAT to support everybody, and that will screw up protocols already crippled due to having to go around NAT even more.

  130. Re:What Vendors? by unixisc · · Score: 1

    There are a host of good IPv6 books here, all reasonably priced.

  131. Re:IPv6 by petermgreen · · Score: 1

    Why would that be necessary, and indeed, if we are running out of IPv4 addresses, how does that help at all?

    The IPv4 internet isn't going away any time soon whatever some people might want. So during the transitional period core/border routers at major ISPs (which are the only ones that need the full internet routing table now) will need to have both the IPv6 and IPv4 tables.

    They could have two totally separate sets of core/border routers for v6 and v4 but most places will probably want to be able to run both on the same infrastructure.

    I'd think that Dual Stack Lite would be the way to salvage things

    DS-lite for home users and conventional tunnels for those who need real v4 IPs would save v4 addresses and allow the access network to be v6 only but the core network still needs to support v4 so that the AXFR elements and other tunnel endpoints can talk to servers on the v4 internet.

    The whole idea of having such a huge space is that within an RIR, you'd have the ISPs, within the ISP, you'd have the subscribers, within the subscriber, you'd have the subnets, and within the subnets, the interface ID. Once one is within an ISP (say a /32), one can get in a customer block (a /56) and finally into a subnet (/64). It all seems to be a case of drilling down. What's it that I'm missing here?

    No medium-large business wants to rely on a single ISP for their connectivity, to be forced to run multiple addresses in parallel for different ISPs or to be forced to change IPs when they change ISP. When one of their connections goes down they want their IPs to stop being advertised on that connection so that traffic is re-routed to their remaining connections.

    The number of entries in the v6 routing table probably will be lower than the v4 table simply because there is less legacy cruft but we are still looking at a bloody big table. Exactly how big I don't think anyone will know until deployment is complete.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  132. Re:Stupidity at Google, guess they have the money. by internet-redstar · · Score: 1

    17 million devices? Nah! Bad subnet planning; yes!

  133. Re:what about printers and other Internal stuff IP by unixisc · · Score: 1

    Or more likely, Dual-Stack lite. Dual Stack won't be an option if one is out of routable IPv4 addresses.

  134. Re:IPv6 by Arrepiadd · · Score: 1

    So me mentioning "devices" in the first line and phones, tablets and other internet connected devices on the rest of the text wasn't enough to make it a post about devices?

  135. Re:IPv6 by unixisc · · Score: 1

    No medium-large business wants to rely on a single ISP for their connectivity, to be forced to run multiple addresses in parallel for different ISPs or to be forced to change IPs when they change ISP. When one of their connections goes down they want their IPs to stop being advertised on that connection so that traffic is re-routed to their remaining connections.

    But isn't that what the concept of provider-independent IPs is all about? Company X gets a /48, or even a /52 from some ISP, splits it between say 4 ISPs, and assigns each of them, say 64 subnets each. That way, the solution you are alluding to gets achieved.

  136. Shoes and other feet by Anonymous Coward · · Score: 0

    The reason for spending billions on their Aerospace industry is that if they were to buy stuff from the superpowers, they'd be at their mercy when it comes to the sale of spare parts, and I'm not talking about the price of those things, but whether the country would be authorized to even buy it in the first place, or if they paid for it, whether it would be delivered. That's why they do it.

    As for IT workers, a number of Americans and other foreign IT workers can be seen in Indian tech hubs like Bangalore, Pune, Hyderabad, et al. If an American tech worker is willing to accept what are market salaries in India and move and work there, it's easier for them to get a work visa and job than it is for an Indian to get an H1B, which is capped for workers from India and China, but unlimited from countries like Mexico, Somalia, Saudi Arabia, Iran, Lebanon, et al.

  137. Re:IPv6 by unixisc · · Score: 1

    Your post seemed to suggest some 1:1 mapping between the world's entire population and devices, which is why I brought that up and pointed it out.

  138. Re:IPv6 by danomac · · Score: 1

    You mean you can't even count to 10? It's not really that hard, you even have eight fingers and two thumbs to help...

  139. Re:IPv6 by eugene+ts+wong · · Score: 0

    No, I'm not kidding. It's all about readability. It takes him way less time to type in 3 commas, than it takes people to count digits.

  140. Re:IPv6 by eugene+ts+wong · · Score: 0

    It's all about readability. It takes him way less time to type in 3 commas, than it takes people to count digits.

  141. Re:IPv6 by Anonymous Coward · · Score: 0

    If you had a firewall that wouldn't have happened. No NAT needed.

  142. Re:Stupidity at Google, guess they have the money. by marka63 · · Score: 1

    Do you have any idea how expensive it is to continually re-size networks just so you can fit all your machines into an allocation that is in reality too small for your company? The fact that you say:

    Bad subnet planning; yes!

    means you just don't understand. One really shouldn't have to think about subnet sizes. That is one of the advantages of IPv6. You don't have to think about subnet sizes. You just subnet at the /64 and you have a subnet big enough for any conceivable use. No more juggling, No more getting it "wrong". No more renumbering because you need more space.

  143. Re:Stupidity at Google, guess they have the money. by internet-redstar · · Score: 1

    I agree that it's a hassle. But the hassle of using IPv6 is a _lot_ bigger. It's plainly stupid to try and fix a problem by creating a bigger problem.

  144. Re:Stupidity at Google, guess they have the money. by marka63 · · Score: 2

    Have you actually been in a company that has deployed IPv6 internally and externally? I have.

    Have you run a dual stack network? I have.

    Have you dealt with the issues involved in moving from IPv4 only to IPv4 + IPv6? I have.

    Have you dealt with the issues of renumbering networks? I have.

    I will tell you this. I would much rather deal with the minor issues of bringing up IPv6, than to repeatedly have to deal with the issues of renumbering. At least with IPv6, once you fix the problem it stays fixed.

    The problems people are seeing with IPv6 are mainly lack of planning issues. Failures to build in IPv6 initially despite it being the only viable solution to address exhaustion. Failures to make IPv6 support a requirement. We are playing catchup at the moment, trying to cram what should have been 10 years of incremental development into 1 or 2 years.

    For most applications that deal with IP addresses or sockets the cost to support IPv4 and IPv6 is actually minimal or zero when the application is being developed.

    Most machines actually support IPv6. There are a few, memory limited, machines that can't but overall they are in the minority and are also relatively inexpensive machines to replace.

    I would actually recommend that every company bring up IPv6 at the network level today and connect to the global IPv6 with a firewall that only allows reply traffic in initially. Don't add AAAA records for your servers initially. Do add them for your workstations. Add corresponding PTR records. You will find that IPv6 isn't as scary as you think it is. It also gives you an environment where you can test your servers, by adding AAAA records to the host file of the machines involved in the test. When the service is working you then add the AAAA records to the DNS and remove them from the host files. Don't forget to open up the firewall to allow external connections to the service if appropriate.
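One way to check the rollout order described in the comment above (workstation AAAA and PTR records first, servers tested through hosts-file entries, firewall opened only once a service is published). This is an added example, not the commenter's code; the record sets, host names, addresses and finding labels are constructed for illustration.

```python
"""Consistency audit for a staged IPv6 rollout. All data below is constructed."""
import ipaddress


def norm(addr):
    """Parse an IPv6 address so different textual spellings compare equal."""
    return ipaddress.IPv6Address(addr)


def ptr_owner(addr):
    """Fully qualified ip6.arpa owner name (nibble format) for an address."""
    return norm(addr).reverse_pointer + "."


def audit(aaaa, ptr, hosts_file, fw_allow, servers):
    """Return a list of (finding, subject) tuples.

    aaaa:       {fqdn: address} published in DNS
    ptr:        {ip6.arpa owner name: fqdn} published in DNS
    hosts_file: {fqdn: address} overrides on the test machines
    fw_allow:   {(address, port)} inbound rules beyond reply traffic
    servers:    set of fqdn that are servers rather than workstations
    """
    findings = []
    published = {name: norm(a) for name, a in aaaa.items()}

    # Every published AAAA should have a PTR that points back at the same name.
    for name, addr in sorted(published.items()):
        target = ptr.get(ptr_owner(addr))
        if target is None:
            findings.append(("missing-ptr", name))
        elif target != name:
            findings.append(("ptr-mismatch", name))

    # Hosts-file entries are for testing only; once the name is in DNS they
    # hide later DNS changes from the test machines.
    for name in sorted(hosts_file):
        if name in published:
            findings.append(("stale-hosts-entry", name))

    # An inbound rule for an address that is not yet in DNS exposes a host
    # that is still under test.
    published_addrs = set(published.values())
    for addr, port in sorted(fw_allow):
        if norm(addr) not in published_addrs:
            findings.append(("open-before-publish", f"[{addr}]:{port}"))

    # A published server with no inbound rule is reachable from inside only.
    # That may be intended, so treat it as a reminder rather than an error.
    allowed = {norm(a) for a, _ in fw_allow}
    for name in sorted(servers & set(published)):
        if published[name] not in allowed:
            findings.append(("published-but-closed", name))
    return findings


# Constructed sample state, using the 2001:db8::/32 documentation prefix.
AAAA = {
    "ws1.example.com.": "2001:db8:10::11",
    "ws2.example.com.": "2001:db8:10::12",
    "www.example.com.": "2001:db8:20::80",
}
# In practice these owner names come from the reverse zone; they are built
# here from a differently spelled address to show that spelling is irrelevant.
PTR = {
    ptr_owner("2001:0db8:0010::0011"): "ws1.example.com.",
    ptr_owner("2001:db8:20::80"): "www.example.com.",
}
HOSTS_FILE = {
    "www.example.com.": "2001:db8:20::80",   # left over from testing
    "mail.example.com.": "2001:db8:20::25",  # still under test
}
FW_ALLOW = {("2001:db8:20::25", 25)}
SERVERS = {"www.example.com.", "mail.example.com."}

if __name__ == "__main__":
    for finding, subject in audit(AAAA, PTR, HOSTS_FILE, FW_ALLOW, SERVERS):
        print(f"{finding:22} {subject}")
```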

  145. Re:Stupidity at Google, guess they have the money. by internet-redstar · · Score: 1

    It just will not happen. Many embedded devices built today don't even enable the IPv6 stack while it's only a configurable option away in the Linux kernel. And these devices aren't even released yet. They will after release run for a decade in the infrastructure. Sure we tell people who make them to care. Yet mostly they have more important things to care about, as for example to get them working in the first place.

    An extra screen in the config box to set a static IPv6 address on an embedded device? Not seen one yet... Why? Because these embedded boxes are typically run in a separate VLAN in the company.

    Corporate requirements for IPv6 are close to nonexistent, so nobody cares, nor will. It's not that I'm against IPv6, but one has to be realistic about what to expect from the rest of the world - and a drastic change without a game-changing urgent need is not one of these things.

    And I'm still waiting for an example of any organization _ANY_ organization who needs to have in the order of 16 million directly communicating devices on their private network. Just a million will do as well. Probably Google is the only organization which comes close to that order.

    And even for them, there is not really an important reason why their infrastructure could not be split up between the google search cloud as one 10.x.x.x range and the gmail infrastructure as another one, for example, as direct communication between the two is probably unnecessary and managed by separate teams anyway.

    One could argue that the 'renumbering' is difficult. Yet the cluster which Google built handles server failover, swap-in and swap-out and data partitioning as one of the major features. Fail to see why they couldn't implement it on the 'private IPv4'-level either...

    While I agree that on their scale, such an experiment might be valid, my guess is that it will remain as such;... an experiment with a lot of problems:
    1) increased latency because of IPv6 tunneling - and Google is very latency conscious
    2) less proven technology leading to exotic problems which show up even more at the Google scale - because nobody uses it

    And for what?
    To solve the 'we are too lazy to write a stupid IPv4 pool re-numbering/re-partitioning'-problem? While it can be done with a very small shell script(TM)? ;)

  146. Re:Stupidity at Google, guess they have the money. by Lord_Naikon · · Score: 1

    Really? Please back up your statements with some arguments. The NAT traversal problem has not been solved by a long shot. Sometimes software can configure the NAT remotely (UPnP) but that obviously doesn't work when your ISP starts NATting you.
    To me it looks like you miss some basic information about how client-server networking actually works and why NAT is a serious hindrance to correct internet functionality.

    Care to elaborate on why IPv6 introduces more problems than it solves?

  147. Re:Stupidity at Google, guess they have the money. by marka63 · · Score: 1

    It just will not happen. Many embedded devices built today don't even enable the IPv6 stack while it's only a configurable option away in the Linux kernel. And these devices aren't even released yet. They will after release run for a decade in the infrastructure. Sure we tell people who make them to care. Yet mostly they have more important things to care about, as for example to get them working in the first place.

    An extra screen in the config box to set a static IPv6 address on an embedded device? Not seen one yet... Why? Because these embedded boxes are typically run in a separate VLAN in the company.

    For some reason you seem to think turning on IPv6 precludes running IPv4 devices or being able to reach them from IPv6. IPv6 only internal networks are still a long way away.

    Corporate requirements for IPv6 are close to nonexistent, so nobody cares, nor will.
    It's not that I'm against IPv6, but one has to be realistic about what to expect from the rest of the world - and a drastic change without a game-changing urgent need is not one of these things.

    Lots of corporate desktops talk to machines on the outside. These machines will be a mixture of IPv4 only, IPv6 only and dual stack. The need to talk to these machines alone will result in IPv6 being deployed internally. We are starting to see ISPs complaining that they can't get enough IPv4 addresses to meet their needs. It won't be long before the first forced IPv6 only sites start appearing. When that happens, offices will start to adapt by enabling IPv6 to allow the desktop machines to reach these sites.

    And I'm still waiting for an example of any organization _ANY_ organization who needs to have in the order of 16 million directly communicating devices on their private network. Just a million will do as well.
    Probably Google is the only organization which comes close to that order.

    Pick any large ISP that manages CPE equipment. These need to be addressed.

    And even for them, there is not really an important reason why their infrastructure could not be split up between the google search cloud as one 10.x.x.x range and the gmail infrastructure as another one, for example, as direct communication between the two is probably unnecessary and managed by separate teams anyway.

    Multiple routing realms are additional operational complexity. Given the choice of "deploy IPv6" or "run multiple routing realms" I'm sure many companies will pick run IPv6.

    One could argue that the 'renumbering' is difficult. Yet the cluster which Google built handles server failover, swap-in and swap-out and data partitioning as one of the major features. Fail to see why they couldn't implement it on the 'private IPv4'-level either...

    While I agree that on their scale, such an experiment might be valid, my guess is that it will remain as such;... an experiment with a lot of problems:

    1) increased latency because of IPv6 tunneling - and Google is very latency conscious
    2) less proven technology leading to exotic problems which show up even more at the Google scale - because nobody uses it

    Tunnels will go away and be replaced by native connections. This is an observable trend today.

    The amount of IPv6 traffic world wide is growing rapidly. The bugs in equipment will be worked out.

    And for what?

    To solve the 'we are too lazy to write a stupid IPv4 pool re-numbering/re-partitioning'-problem? While it can be done with a very small shell script(TM)? ;)

    There are lots of reasons to deploy IPv6. We are at a tipping point where staying with IPv4 will start to get more and more expensive. IPv6 will be seen as the cheaper alternative.

  148. WTF? by dbIII · · Score: 1

    No, I'm blaming you for being unable to diagnose a routing or dns problem.

    Now where did that come from? I do not have any routing or DNS problems and you would have no way to know if I did anyway.
    Where does this blind rabid attack dog going for the messenger bullshit come from just because I dared to mention a problem on some machines that happen to have MS Windows 7?

    1. Re:WTF? by rev0lt · · Score: 1

      OK - so you are blaming ME for a problem fixed by unticking a box that says "enable IPv6"?

      You did transpose my previous response as some sort of accusation. In fact, there is no "shoot the messenger", because you never stated your IPv6 problems in the 3rd person. But, given that English isn't my first language, my choice of words probably wasn't the happiest one, so I apologize for any unintended assault.

    2. Re:WTF? by dbIII · · Score: 1

      I'm sorry I misunderstood the intention.

  149. Re:IPv6 by Chrisq · · Score: 1

    65k devices you say, you seem to know very little about NAT you need to have a unique port at the NAT box per unique ip/port/ip/port tuple,

    Which as I said, at the extreme is 65k devices, i.e. one port per device

  150. Re:Stupidity at Google, guess they have the money. by Anonymous Coward · · Score: 0

    I hear the same mantra since 1995, yet my smartphone isn't even NATed by my ISP and large corps still sit on large IP blocks for nothing.

    Yes, some ISPs are now looking at IPv6, just as they are looking at NAT - I agree that there is no clear winner there yet. Though an IPv6-only ISP would still be the first... And using IPv6 on the internal corp network is an entirely different story. And just not happening.

    Yes, dual stack is an option, yet it means that some parts of your infrastructure are unable to communicate - basically replacing the broken part with another broken part.

    But hey, don't take my word for it. I've been an IPv6 believer too... 15 years ago. Now I'm just an IPv6 cynic ;)

  151. Eat your own dog food by ista · · Score: 1

    Actually, I'm pretty scared of this announcement.

    It basically says Google started offering public IPv6 services without the experience by running IPv6 on their own corporate network.

    You need to be running IPv6 on your corporate network first (maybe not "everywhere", but at least "in most places"), so your own developers don't stick to IPv4-only code and learn what actually happens with IPv6 and your networking dept makes IPv6 an important requirement with your upstream or peering ISPs.

    Your internal IT helpdesk needs to learn about IPv6 and promptly address it in a user-friendly way ("I do have trouble printing." - "Do you print via IPv4 or IPv6?" is NOT a good example), and so you do need to do this in order to educate any other customer-facing employee who may ever need to talk about IPv4/IPv6 (if you're an ISP, this also includes your customer helpdesk, your sales staff, product developers, marketing and public relations).

    Another one is the often-retold stories about IPv6 being broken and being unreliable, and Google is exactly one of those companies doing a lot of publicity and buzz about it.

    Probably one of the easier ways to solve this myth is by simply offering router advertisements on a workstation network and make your users actually use IPv4 and IPv6 in parallel (my employer did this a few years ago, with full management backing). So when they do come up with something like "I've heard that 30% of IPv6 connections are completely broken and IPv6 is hard to configure", prepare for seeing stunned faces when you tell them that their workstations have been running IPv4 and IPv6 for five years now.

  152. Re:IPv6 by silas_moeckel · · Score: 1

    You can get far more machines behind a single IP, the 65k limit is how many of them can talk to the same IP/port at the same time this does not limit them to that many total devices behind nat.

    --
    No sir I dont like it.
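The disagreement above over the "65k" figure (comments 149 and 152) and the port 500 case in comment 127 both come down to how a port-translating NAT keys its table. The following is an added sketch, not code from any commenter: a simplified model that assumes the NAT allocates public ports per remote endpoint (real implementations differ), with constructed documentation-range addresses.

```python
"""Toy model of a port-translating NAT (NAPT). Illustrative, not a real NAT."""
from dataclasses import dataclass, field
from itertools import chain


@dataclass
class Napt:
    port_lo: int = 1024
    port_hi: int = 65535
    # (proto, remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
    flows: dict = field(default_factory=dict)
    # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public_port
    by_inside: dict = field(default_factory=dict)
    # (proto, public_port) -> (inside_ip, inside_port), set by the administrator
    forwards: dict = field(default_factory=dict)

    def outbound(self, proto, in_ip, in_port, remote_ip, remote_port):
        """Record an outgoing flow and return the public source port chosen."""
        flow = (proto, in_ip, in_port, remote_ip, remote_port)
        if flow in self.by_inside:
            return self.by_inside[flow]
        # Keep the original source port when possible, else take the next
        # port that is free *towards this remote endpoint*.
        preferred = [in_port] if self.port_lo <= in_port <= self.port_hi else []
        for pub in chain(preferred, range(self.port_lo, self.port_hi + 1)):
            key = (proto, remote_ip, remote_port, pub)
            if key not in self.flows:
                self.flows[key] = (in_ip, in_port)
                self.by_inside[flow] = pub
                return pub
        raise RuntimeError(f"no free public port towards {remote_ip}:{remote_port}")

    def add_forward(self, proto, public_port, in_ip, in_port):
        """Static port forward: one public port can point at one inside host."""
        key = (proto, public_port)
        current = self.forwards.get(key)
        if current not in (None, (in_ip, in_port)):
            raise ValueError(f"{proto}/{public_port} is already forwarded to {current[0]}")
        self.forwards[key] = (in_ip, in_port)

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """Return the inside (ip, port) for an arriving packet, or None to drop."""
        hit = self.flows.get((proto, remote_ip, remote_port, public_port))
        if hit is not None:
            return hit                      # reply to a flow started from inside
        return self.forwards.get((proto, public_port))  # unsolicited traffic


def demo():
    """Run the scenarios from the thread and return what the NAT decided."""
    nat = Napt()
    out = {}
    # Two inside hosts, same source port, same web server: ports must differ.
    out["host_a"] = nat.outbound("tcp", "192.168.1.10", 40000, "198.51.100.5", 80)
    out["host_b"] = nat.outbound("tcp", "192.168.1.11", 40000, "198.51.100.5", 80)
    # Same public port is reusable towards a different remote endpoint.
    out["host_b_other"] = nat.outbound("tcp", "192.168.1.11", 40000, "198.51.100.6", 80)
    # Unsolicited UDP/500 from a box nobody inside has talked to.
    out["unsolicited"] = nat.inbound("udp", "198.51.100.9", 500, 500)
    nat.add_forward("udp", 500, "192.168.1.10", 500)
    out["after_forward"] = nat.inbound("udp", "198.51.100.9", 500, 500)
    try:
        nat.add_forward("udp", 500, "192.168.1.11", 500)
        out["second_forward"] = "accepted"
    except ValueError as exc:
        out["second_forward"] = str(exc)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The port limit applies per remote endpoint in this model, while the static forward is global to the public address, which is why the second UDP/500 forward is refused.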
  153. It doesn't matter on an internal network... by BlueCoder · · Score: 1

    Tell me which business or government agency has filled up 10.x.x.x. IPv6 doesn't matter internally unless you're a communications company. Yet it's the communications companies that are keeping it from their customers because it invites a more distributed internet.

    It's trivial and easy to upgrade users, just get new routers, upgrade the firmware on existing ones, or use simple IPv6 to IPv4 endpoint converters. So long as the internet tunnels are IPv6 there are no deployment problems. Servers want visitors which are predominantly web surfers, so they need to be IPv6. IPv6 users can connect to IPv4 servers easily, the reverse is not true.

    Speculation:

    Geeks drive this technology. The reason for IPv6 is the contention for addresses. Yet the new IPv6 hands out /64's to end points like it's water... It's not like it was handing out /16's which might be reasonable. So anyone looking at this can clearly see we are being set up for failure and there will obviously need to be an IPv7 or IPv8 to fix the /64 mess. It looks like the new scheme is trying to supplant/abandon port numbers.

    1. Re:It doesn't matter on an internal network... by unixisc · · Score: 1

      The real issue here is not just the number of people or devices on the internet, but the number of networks (i.e. subnets) that will be there. For that, 64 bits is adequate, although in the process of trying to maintain a hierarchic structure, it may turn out to not be enough, as can be seen w/ some ISPs giving out /56 instead of /48.

      I think /64s are being handed out not to end points, but to customer premise routers and modems, so that those can have a virtually unlimited #devices on their networks. In its first rollout, Comcast is providing /128s to people, and the assumption here is that it's going directly to an end point, and not to a distribution point. I believe that over the long haul, ISPs may have a dual policy of providing /64s to people who would need wi-fi routers or modems for multiple home devices, while providing /128s to people who just need single connections to a laptop or desktop. The advantage of providing a /64 is if a customer would want to be able to host a website, mail server and so on, or want to have dynamic and static IP addresses on his node, so that the ISP won't have to administer a number of this customer's address needs. But if a customer simply needs 1 or 2 connections, the ISP can assign them either static or dynamic /128s.

  154. Re:IPv6 by Anonymous Coward · · Score: 0

    Apparently they had the imagination in regards to device count, but not in regards to people adopting experimental tech and refusing to upgrade.

  155. Re:IPv6 by Pi1grim · · Score: 1

    You won't believe, but there are ISPs that offer external IP and turn on port-blocking by default, allowing more experienced customers to disable that.

  156. Re:IPv6 by HappyPsycho · · Score: 1

    If everyone is hiding behind NAT, how are you supposed to initiate a connection? At the very least SIP provides a way for the callers to route their way through a gateway if both are behind NAT.

    If your solution was actually possible then why does every type of P2P network require something resembling a super node to allow communication between nodes hiding behind NAT? Last I checked Bittorrent, eMule and Gnutella all require such a node to exist on the network to facilitate communication.

    SIP is no more complex than any of those protocols, if anything makes it more complex it is that the P2P protocols autodetect a lot of their configuration (Skype is built on what they call a "type 2" P2P network hence it benefits from some of the autoconfig), and that in most P2P networks you really don't care who you connect to (under normal circumstances it's a pool of clients anyway so anyone in the pool will do) so authentication requirements can be relaxed.

  157. Re:IPv6 by HappyPsycho · · Score: 1

    PAT is a subclass of NAT, hence the terms can be (and often are) used interchangeably.

    Given that he specified "Many-to-one NAT" which indicates the most common type which you correctly identified as PAT you aren't adding anything to his statement or even correcting it.

  158. Re:IPv6 by HappyPsycho · · Score: 1

    Not sure I completely agree with that statement, first point would be that forcing the network to know about state when it was designed to be stateless is as we all know asking for trouble.

    Forcing the protocols to go through a complete connection cycle to activate a concurrent transfer is not exactly great from an efficiency standpoint. Hypothetically speaking (I know most FTP servers don't work this way), using one control connection I could transfer multiple files concurrently down to my machine without going through the full authentication cycle each time (e.g. as with SFTP). Timing attacks and man-in-the-middle would rip such an argument apart so maybe in this circumstance it can be seen as a benefit but if those problems could be resolved I believe there could be some benefit. Also if memory serves SSH in general has gotten some improvements to mitigate the effects of the repeated authentication.

    Where I also see an issue is NAT forced the pull model, there is no easy way for a server which just got new mail for you to notify you about it without you constantly asking or keeping a constant connection to the server open. The former is needed by mail or dynamic web sites (think ajax) and has the downside of potentially needing lots of storage to buffer updates for the clients whereas the latter is used by games and chat and suffers from forcing the servers to maintain connections to lots of clients with the possibility of infrequent updates (obviously more an issue with chat-type-apps vs games where there is a constant stream of updates). Ironically NAT itself (or rather aggressive NAT settings) is the biggest threat to maintaining a constant connection to a server (assuming the server isn't heavily loaded).

    Finally any type of "true" p2p which does not rely on "super nodes" to keep traffic flowing to peers behind NAT (which are the vast majority) can never exist as long as NAT does. You can see this as either a benefit or loss depending on your views of P2P in general. There isn't much to say on this topic as regardless of NATs existence and using in-band signaling, P2P networks not only survive but flourish.