Apple Under Fire For Backing Off IPv6 Support
alphadogg writes "Apple Computer came under fire for back-pedaling on its support for IPv6, the next-generation Internet Protocol, at a gathering of experts held in Denver this week. Presenters at the North American IPv6 Summit expressed annoyance that the latest version of Apple's AirPort Utility, Version 6.0, is no longer compatible with IPv6. The previous Version, 5.6, offered IPv6 service by default. While home networking vendors like Cisco and D-Link are adding IPv6 across their product lines, Apple appears to be the only vendor that is removing this feature."
is all the world will need for the next 20 years, right?
Apple is secretly working on IPv7, where there's just a single light-weight packet type, and is exclusively available on the AT&T backbone (at a premium rate).
Apple is a company where non-engineers make the rules, which allows them to create the best user experience, but in cases like this it would be better to have someone with a technical background in the lead.
I'm sure slashdot readers are entirely unaware of what goes on when a program is rewritten. And naturally assume that when it happens, 100% of all features and abilities are reproduced without any complications in a couple months. Just look at photoshop - it's been such a breeze to rewrite for adobe.
I'm sure no company would ever think about building a rewrite with enough features and polish to ship, then add in feature parity as updates later.
Actually, the experts are divided on whether IPv4 addresses will be exhausted. There may be many more addresses hidden out there. Before this is properly investigated it is too early to take action on IPv4 exhaustion. The idea that addresses are running out is only scare-mongering spread by the left-wing media. We should focus more on the controversy and less on IPv6 support.
Steve Jobs gone, so we can do whatever we want with Apple!! :P
Nothing here... So... SHOOO!!!
The internet protocol for enhanced experience, the new revolutionary: iPee
Every big firm wants, above all, to get rid of the quaint notion that the Internet is a network of intelligent peers. Much better to have dumb terminals all locked in to your service.
Sticking with IPv4 and the resultant multi-NAT hell is a good technical step in this direction.
It's like Google pretending to champion IPv6 then setting absurd conditions for their IPv6 services. So ISPs which offer native IPv6 by default, such as England's Andrews&Arnold, have to jump through artificial hoops before they're "supported". And it's no coincidence that half of abusive SixXS is half-run by a Google employee.
Oddly enough - and this'll get me the mod to oblivion - only MS has historically shown neutral support for IPv6, neither trying to control it nor eschewing it. That's because, I expect, Microsoft was traditionally about the powerful desktop and local server (running NT, of course). Now it's jumped on the cloud bandwagon, who knows?
Watch carefully as I suspect Apple will "magically" add this as a bullet point feature to help sell a new iteration of the product. (Failing to mention that it was previously supported) Wankers
I'm sure the functionality will be added back in.
Airport Utility 6.0 follows the recent trend of Apple making all of their software neutered versions of iOS versions (Lion to a certain extent, iCal, Address Book, etc)--see the comments here http://www.macrumors.com/2012/01/30/apple-releases-redesigned-ios-like-airport-utility-6-0-and-an-airport-base-station-bug-fix/. So, they went from a useful program with a standard interface (old version) to one with a pretty UI that lacks major features.
The trend has been for Apple to add MOST features back in at some point, so hopefully it continues. I can't imagine Airport Utility will stay this way forever.
I just keep an old binary around...
They did not remove IPV6 at all. The new config utility (v.6) doesn't let you configure it, but they say so right in the docs that it is one of the features the new version does not yet support. They also give you a download link to the previous 5.6 version if you want to configure those rarely used features. IPV6 is even enabled by default.
There I said it. The lack of adoption and the lack of knowledge have made it a tremendous burden with absolutely zero benefit to our organization. I'm fine with running ipv4 into the ground. I just don't care anymore. I hate ipv6.
I believe you. The loss of Steve Jobs, sadly, impacted the dedication to quality and that sense of pride surrounding their commitment to truly technically inspiring Apple products. QA is there which means untested or essentially unnecessary features can't ship, and that's good, but the fact they can't take the time to test them when it means a more beautiful and worthwhile product, that's bad.
I was obviously joking about battery life because they've used that claim to dismiss a half dozen technologies even under Steve Jobs, I was being sardonic, I think that's the word...
You know, I've been waiting for it to become "mainstream" for over a decade now. Constantly, people have said "It's coming! It's coming!". Support has been added to just about everything. The problem is still that all those pesky web sites that people want to reach haven't converted. I went cruising through the IPv6 migration sites, they show the dozens of sites that are available.
Here's a quick look.
So, if you just switch over, you can't use google.com, unless you remember to use ipv6.google.com. You can't reach Slashdot. Try all the sites you frequent. Of my daily reading list, the only one that works by its normal name is xkcd.com. Most of them are big sites.
I'd expect to see ISP wide NAT deployed before IPv6. IPv6 is a novelty that may get adopted sometime in the future, but I wouldn't hold my breath on it.
Serious? Seriousness is well above my pay grade.
Not only is this a significant increase in packet overhead, but it is highly likely that some portion will identify a person.
Without additional corroborating information all you can do with IPV4 or IPV6 is identify the originating computer. It is impossible to be 100% certain of who the person actually sitting at that computer is unless they transmit other uniquely identifying information or can be identified by third party sources such as security cameras. IPv6 is not meaningfully more useful for personal identification than IPv4.
"Not only is this a significant increase in packet overhead, but it is highly likely that some portion will identify a person.
Yes, yes, I know there are lots of things the ISPs _can_ do under IPv6 to preserve anonymity. Most will not"
It isn't the job of the ISP to generate random ipv6 addresses, it is up to the user:
http://tools.ietf.org/rfc/rfc4941.txt (nearly 5 years old though)
MS seen as backpedaling on its support for 64-bit computing over Windows 8 only supporting 32-bit CPUs in tablets.
Come on people, this isn't backpedaling, it's a completely new version of a utility that in its initial release supports what's in use in 99% of installations. Those who are actually using IPv6 can use the older version until this one adds support (probably in the next release).
make imaginary.friends COUNT=100 VISIBLE=false
Would you maybe care to explain just what it is that you're on about? Seriously, not a single thing you've written makes any sense.
Google's DNS servers only return IPv6 addresses if they believe you're capable of reaching them over IPv6:
http://www.google.com/intl/en/ipv6/
I'm getting really tired of idiots that think NAT is a security solution. It's not. It's a hack that breaks end-to-end connectivity.
The only way IPv6 can be a security issue is because incompetent fucks don't understand security.
I don't anticipate that ipv4 dies off as slowly as many people suggest. ipv4 is easy to understand, and addresses fit within the average technician's short term memory. Just try to remember ipv6 addresses, your brain will melt!
IPv4 never has to go away. It can be used forever in internal networks.
IPv6 Addresses can be remembered if you select your local bits rather than let the slaac monster pick them for you. Google via IPv6 for example: 2001:4860:8005::68 ... Almost the same length as an IPv4 address!!
IPv6 lets you have some hexsp33k fun..
Face book:
2620:0:1cfe:face:b00c::3
cisco dog food ipv6 day:
2001:420:80:1:c:15:c0:d07:f00d
SPRINT!!! OMFG...
2600::
I have heard one paranoid assertion about IP6 which said that the reason it was being pushed so enthusiastically is that every device in the world will get its own address. With a GUID on all traffic, everything is traceable and MAFIAA and the spooks are happy.
discuss
I'll see your Constitution and raise you a Queen.
It's being adopted now. Verizon ran out of IPv4 addresses for their cell phone network. They're using NAT right now but that creates a huge headache not only because it requires more hardware, but also because an IP address no longer identifies a single cell phone on their network. They're forcing anyone who wants to talk directly to their cell network to be IPv6 capable in the very near future. NAT is fine for networks where there is a well-defined connection point between 2 different networks (like your internal home network and the rest of the internet), but it's not very nice to work with as soon as you have to have 2 devices within the same network that have to use the same IP. As soon as you put NAT there you can no longer connect to the device from the outside, the device must initiate the connection, which makes a whole class of programs much more difficult to make work well.
I don't anticipate that ipv4 dies off as slowly as many people suggest. ipv4 is easy to understand, and addresses fit within the average technician's short term memory. Just try to remember ipv6 addresses, your brain will melt!
That's what DNS is for. DNS never really caught on in small private networks, but network equipment is increasingly making use of it. WHS 2011 can be accessed as "http://homeserver", most routers/APs support it as well... It's by far the least of anyone's worries
IPv6 is actually very easy to remember when done right. Further, we have DNS for address resolution - how many of the websites you visited today do you know the IPv4 address for?
For an enterprise, once they get their allocation, it's really not that bad. I will make up an allocation as an example:
2600:123:b000::/48
With 5 more octets left (octets isn't the right term, but divisions separated by colons), you can do a large amount of intelligent numbering, and even just reuse all of your VLAN and IPv4 numbering right inside your IPv6 addressing.
For instance, if you have a server network at 172.16.2.0/24 and it is vlan 203, you can assign 2600:123:b000:203::/64 (with the nodes getting ::172:16:2:yyy), so a given server node with 172.16.2.105 would be 2600:123:b000:203:172:16:2:105 . It's wasteful, but with IPv6, who cares?
If you have more than one site, then each site should get you your own /48. When applying for addresses, you should do so for all sites at once. We have a /44 (x:x:b000 - x:x:b00f) as we have 9 sites. We can then assign each site based on their site numbers (2600:123:b001 - 2600:123:b009). We use 2600:123:b000 for infrastructure, and still have 2600:123:b00a - 2600:123:b00f left over.
So, site 3, vlan 405, network 172.24.5.0/24 would be assigned 2600:123:b003:405::/64 with nodes having 2600:123:b003:405:172:24:5:yyy. For workstations that use SLAAC and/or DHCPv6, you don't care about the last 64 bits and you rely on DNS. But you still know the site and VLAN if you use the same numbering. 2600:123:b002:464::/64, which is site 2, vlan 464.
All the IT staff has to do is learn that 2600:123:b000 - b00f is our assignment and explain the rest of our addressing plan. It's actually rather natural to do it this way and makes a ton of sense.
Oh, and personally I would skip doing any decimal to hex conversion where it can be avoided. For instance, I would not make vlan 165 be A5 (the hex value), but rather just 165. This does mean you'll "waste" something like 37.5% of your address space - but again, who cares? I'll take readability over maximum use any day.
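The numbering plan from the comment above, worked through in code. This is an added example, not part of the original comment: the function names are hypothetical, the 2600:123:b000::/44 block is the commenter's made-up allocation, and mapping the site number straight onto the last hex digit of the third group is an assumption that matches the sites 1 to 9 shown. It also decodes an address seen in a log back to site, VLAN and IPv4 host.

```python
import ipaddress

# The commenter's made-up /44 (2600:123:b000 - 2600:123:b00f), not a real assignment.
ORG = ipaddress.IPv6Network("2600:123:b000::/44")


def _dec_as_hex(value, limit, what):
    """Reuse the decimal digits of `value` as a hex group: 405 -> 0x405."""
    if not 0 <= value <= limit:
        raise ValueError(f"{what} {value} out of range 0..{limit}")
    return int(str(value), 16)


def _hex_as_dec(group, limit, what):
    """Inverse of _dec_as_hex; rejects groups the plan could never produce."""
    digits = format(group, "x")
    if not digits.isdigit() or int(digits) > limit:
        raise ValueError(f"{what} group {digits!r} does not follow the plan")
    return int(digits)


def subnet_for(site, vlan):
    """Return the /64 for a site (0..15) and VLAN id, e.g. site 3, vlan 405."""
    if not 0 <= site <= 15:
        raise ValueError("a /44 holds sixteen /48s: site must be 0..15")
    base = int(ORG.network_address)
    base |= site << 80                               # last nibble of group 3
    base |= _dec_as_hex(vlan, 4094, "vlan") << 64    # group 4
    return ipaddress.IPv6Network((base, 64))


def node_address(site, vlan, ipv4):
    """Static server address: the IPv4 octets become the last four groups."""
    host = 0
    for octet in ipaddress.IPv4Address(ipv4).packed:
        host = (host << 16) | _dec_as_hex(octet, 255, "octet")
    return ipaddress.IPv6Address(int(subnet_for(site, vlan).network_address) | host)


def decode(addr):
    """Map an address back to (site, vlan, ipv4 or None).

    SLAAC/DHCPv6 hosts do not follow the host-part convention, so their
    IPv4 slot comes back as None while site and VLAN are still recovered.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in ORG:
        raise ValueError(f"{a} is outside {ORG}")
    groups = [int(g, 16) for g in a.exploded.split(":")]
    site = groups[2] & 0xF
    vlan = _hex_as_dec(groups[3], 4094, "vlan")
    try:
        octets = [_hex_as_dec(g, 255, "octet") for g in groups[4:]]
        ipv4 = str(ipaddress.IPv4Address(bytes(octets)))
    except ValueError:
        ipv4 = None
    return site, vlan, ipv4


if __name__ == "__main__":
    print(node_address(0, 203, "172.16.2.105"))
    print(subnet_for(3, 405))
    # Constructed sample address with a random-looking host part.
    print(decode("2600:123:b002:464:a1b2:c3d4:e5f6:789"))
```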
I discovered that Youtube was delivering to me via IPv6 and I didn't even realize that. The main site has no AAAA record that I can see. But the video delivery actually went over IPv6, despite me only using IPv4 for DNS. I suspect they bugged the page with a transparent image that asks for a hostname that is only on IPv6, and set a cookie or something to engage IPv6.
now we need to go OSS in diesel cars
You don't "switch" to IPv6, you add IPv6. Nobody expects IPv4 to go away any time soon. What everyone's talking about is supporting IPv6 plus IPv4. So all your old sites work, but you can also reach any new hosts that have IPv6 addresses only directly, and get the benefits of avoiding NAT. Those hosts will likely be mobile customers at first, since that's one of the first places where ISPs are having to use v6. As for those users, they will be able to talk to IPv4 sites via DNS trickery and IPv6-to-IPv4 NAT, or just via plain old IPv4 NAT.
That's bunk. NAT doesn't provide real security, and in fact a false sense of security. Your firewall should always deny/drop traffic by default, except where permitted otherwise, either explicitly or by a stateful connection originating from the inside.
If you want pseudo anonymity on the level of what you have with IPv4, then leave the global randomize identifiers on. It's on by default in Windows. You actually have to disable it with netsh interface ipv6 set global randomizeidentifiers=disabled.
Every device gets an address, but that address is not a GUID. The address is different if you go to a different network. The address changes every day. It's not useful for tracking you, at least no more so than your v4 address was.
Not much to discuss here.
Actually, the main google.com site does return IPv6 proper (so does Youtube and all of their services) assuming you use a whitelisted DNS server.
On June 6th, however, this will no longer be a requirement and ALL DNS servers will return Google's public IPv6 addressing, including over your v4 servers.
http://en.wikipedia.org/wiki/Stateful_firewall
Time to learn some networking, bro.
You have the same ability to be "anonymous" as with IPv4. With IPv4, they can track it down to your gateway, but have no idea what PC inside originated the traffic. I doubt you get a unique IPv4 address each time your gateway restarts. My Comcast connection has had the same one for 8 years, through two cablemodems, because my MAC address on my router stayed the same (or rather, I told my newer routers to use the one my older one had). Even if it is different each time, like with many PPPoE implementations, your ISP has logs where each account-to-IP-assignment is known.
With IPv6, if you leave the global randomize identifier option enabled (default in Windows), then all they can do is track it down to your network /64 which is assigned to your gateway, and not to the individual PC.
Not sure about other OS, but if being "anonymous" is important to you, you might look into it.
mDNS is quite common on small LANs now. Each computer can advertise its own name, so there is no need for central configuration.
I am TheRaven on Soylent News
So here's the deal.
Your ISP will provide you with say, a /60 network via a mechanism called DHCP-PD using what's called a DUID.
Your router will then provide you with a /64 (or multiple /64's, depending on the features of the device, I suspect just one by default unless you go into some advanced networking config), which will be used to connect your home network.
Your end devices, such as your PC, will have the option of what's called "temporary addresses". These addresses by default on Windows are preferred for 1 day (meaning, all new connections are made using that address), and available for 7 days (as in, it will accept incoming connections on that address, but not create new ones from it).
This mechanism provides a level of anonymity because the address generation has nothing to do with any identifiable components on the device itself.
This is also something you control on your client, not controlled on the routers. If controlled on the router, one would merely use DHCP, offering the same level of "anonymity" that we have today.
I think what they were referring to is that the ISP presently gives out dynamic IPv4 addresses. The correlation in this case would be giving out a dynamic IPv6 /64 to each network that connects. While this could be done, there are many reasons not to do so as it would require constant renumbering (which can be done, but it's confusing for the end-user).
Either way, it's all bunk, as the ISP will keep track of the address assignments to the network level either way. Both IPv4 and IPv6 have a way to "anonymize" the end-PC (IPv4 NAT, IPv6 random IPv6 addressing) - but it's very easy to fingerprint the PC without the IP address.
>>With IPv6 likely to become mainstream soon, About the same time the last corp is off IE6
Facts take all of the premium out of arm waving - T. Reynolds
More likely you will get a /96 at best. In those fixed 96 bits, there can easily be static UID portions. Right now with IPv4, the "tightness" of addr space means very few users have static bits in their addr, and most pay heavily for the privilege because they need it for incoming traffic.
You block ping too? God, you're two kind of idiots at once.
Apple didn't back off on anything. The version of Airport Utility discussed is the pretty, dumbed-down version of the application intended for folks who just barely understand what a router is about. It matches the similar version deployed on iOS.
The "previous version" isn't. The feature-complete 5.6 was released at the same time as the simple version, and has the same support for IPv6 as it ever did.
A.
...bringing you cynical quips since 1998
So everyone has to add IPv6 to IPv4. How does that fix the fact that the world is ending on ... ummm .. Sometime in 2008, 2009, 2010, 2011, and the beginning of this year, later this year, or maybe 10 to 20 years from now.
Wake me up when it's globally adopted.
I'm not *against* going to IPv6. I'm actually all for it. I got my block assigned quite a while ago. I just don't run around saying "The sky is falling, we're out of IPs, we have to switch now!" or even "Oh my gosh, vendor X forgot to include Y! "
Serious? Seriousness is well above my pay grade.
NAT is a security solution just as much as disconnecting or shutting off your computer is a security solution.
It's not useful for tracking you, at least no more so than your v4 address was.
That's implementation-specific - some systems (is Linux still doing that by default?) by default include the MAC address in the IPv6 address for some reason.
(Note: this is completely different from using the MAC address in your local network as you usually do with IPv4. On IPv4 the MAC address is not visible outside of the local network, on IPv6 it is - unless you replace it by enabling privacy addressing.)
It will be interesting to see how internet-enabled devices which you don't completely control - like smart phones - will handle this in the future.
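How the MAC address ends up in a stateless-autoconfiguration address, and how to check your own address list for hosts that expose it. This is an added example, not part of the comments above: the function names are hypothetical, the MAC and the 2001:db8 documentation prefixes are constructed sample data, and the `ff:fe` test is a heuristic (a random interface identifier matches it by chance about once in 65536).

```python
import ipaddress


def slaac_eui64(prefix, mac):
    """Build the modified EUI-64 address a host forms from its MAC (RFC 4291).

    The 48-bit MAC is split in half, ff:fe is inserted in the middle, and
    the universal/local bit (0x02 of the first byte) is flipped.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64")
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return net[int.from_bytes(iid, "big")]


def embedded_mac(addr):
    """Return the MAC an address exposes, or None if it does not look EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def macs_seen_across_networks(addresses):
    """Group addresses by exposed MAC and list the /64s each one appeared in.

    A MAC that shows up under more than one prefix is a device that can be
    followed from network to network; privacy addresses never appear here.
    """
    seen = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is None:
            continue
        net = ipaddress.IPv6Network((int(ipaddress.IPv6Address(addr)) >> 64 << 64, 64))
        seen.setdefault(mac, set()).add(str(net))
    return {mac: sorted(nets) for mac, nets in seen.items()}


# Constructed sample: one laptop on two networks without privacy addressing,
# plus one address with a random (privacy-style) interface identifier.
SAMPLE = [
    str(slaac_eui64("2001:db8:1:1::/64", "00:11:22:33:44:55")),
    str(slaac_eui64("2001:db8:2:2::/64", "00:11:22:33:44:55")),
    "2001:db8:1:1:5c3a:91d2:7be0:4f16",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, "->", embedded_mac(a))
    print(macs_seen_across_networks(SAMPLE))
```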
5.6 is not the previous version! 6.0 and 5.6 were released simultaneously! The problem lies with their product naming, not versioning. That is, 6.0 really should have been called Airport Utility Lite or something like that. 5.6 could have been Airport Utility Pro or something like that. 5.6 is very much the latest version. Want all the features? Use 5.6. Want a simplified interface? Use 6.0.
Part of the point of ipv6 is that technicians won't have to remember addresses at all. It works basically like having a well configured DHCP and DNS server on ipv4. IPv6 just forces that on you. I think.
Why wouldn't they? ISPs get blocks in the /20 to /32 range, and end-users get /48s. That's plenty enough bits to do routing with, for both the ISP and for the end-user.
A /60 isn't generous, it's downright stingy. Not quite as bad as the ISPs that only give a single /64 (or the ones that fail to understand routing and don't give you anything at all), but there's plenty of space to give everyone /48s. Why go smaller? Especially all the way down to /96; you'd end up breaking SLAAC and subnetting for your users for no gain whatsoever.
Any argument revolving around what most people understand or need is silly in IPv6. Some people will need it or understand what to do with it, and the address space is large enough to allocate the same large block size to everyone, including the people who won't use it. What advantage is there in not doing that?
Apple is not in the "serious business" business. They aren't. They make "consumer gear" now. I love the Mac Pro. I love the Mac Mini. I think they are great machines. The problem? They aren't focusing on those any more. They care about iThings for people to throw away in favor of the next one.
And when some great F/OSS stuff makes implementing IPv6 easier, they will absorb it and pretend they invented it like they always have.
I am a security consultant and I can honestly say I have seen maybe 2 customers running IPv6; besides that, everyone else is still on IPv4. With Apple targeting the home use market, I think adding IPv6 support is a waste of Apple's time and money.
http://www.thetechnologygeek.org
Not only is this a significant increase in packet overhead, but it is highly likely that some portion will identify a person.
There's an RFC for that... RFC 3041. On windows hosts privacy addresses are enabled by default. Apple users have to switch it on manually if they want it.
Yes, yes, I know there are lots of things the ISPs _can_ do under IPv6 to preserve anonymity. Most will not, and of the few remaining, a few unfriendly chats from the telecommunication regulators will persuade most.
ISPs will have more prefixes to play with.. very reasonable to assume users will end up keeping their IPv6 prefixes longer or even have them statically attached to their accounts. My current ISP is dynamically assigning IPv4 addresses but I've had the same one for more than a year.
Broadband and "always on" put an end to dialup era short term assignment.
Indeed, I was assuming privacy addressing was turned on. This is the default in Windows XP/Vista/7/8, so it's not an unreasonable assumption. It's still off by default in Linux, although that's nothing a sysctl or two won't solve.
Smart phones, tablets etc could be pretty much taken care of if Android, iOS and Windows Mobile enable privacy extensions by default. I'm not sure what they actually do at the moment; I think they default to off with a few isolated devices that have it turned on.
I like Spaces better in Lion. At first I was annoyed that my precious 4x4 grid was now a line, but I like better how the spaces and windows within them are combined with exposed and displayed.
I also really like full-screen support, I don't use it all the time but it's better than not having it.
Mail is also better.
Time Machine is, for me, less buggy.
I agree with iCal being terrible though, and the odd shift from Save As to Duplicate is rough - but that one I can chalk up to my having been used to how things are, and I'm willing to ride out that change to see if it's really better. The CS person in me thinks it is better because it's Apple baking version control into every document, which is pretty compelling if support becomes widespread.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Even if you could, it's trivial to block ping scans at the firewall in the same way as unsolicited connections
You have five minutes to have your mom accomplish that task, it being trivial and all.
Go.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Nobody expects IPv4 to go away any time soon.
Actually, I do. Around the time that everyone realizes that removing legacy support is the only way that IPv6 will ever get any actual traction. Also, we know the fantastic advantages and painlessness of legacy support from the windows world, right?
IPv4 needs to die or IPv6 will remain a footnote in history.
Europe switched to the Euro not by adding it and waiting if the local currencies die out, but by adding both the Euro and a deadline for local currencies. Today, the old local currencies aren't legal tender anymore (though the central bank will convert them in case you find any old notes in your grandmothers socks or something).
Without that, I'm sure we'd still be having a mix of currencies today.
Assorted stuff I do sometimes: Lemuria.org
Hosts which are not supposed to be (publicly?) addressable can just remain within a LAN. In case of IPv4, they'll have private addresses like 192.168.0.1, while under IPv6, they'll have a link-local address like fe80::1. NAT is just an address translation from the public internet to a private network. But if a host is not supposed to be addressable, why connect it to the public internet via a NAT?
If any host needs to connect to the internet, it ought to get a routable address. Let the firewall have its rules for which addresses are allowed and which are disallowed, be it via IPtables or PF. But making it jump through hoops via a NAT is ridiculous - either make it publicly accessible end to end, or don't make it publicly accessible at all.
Too many people are conflating NAT w/ private addresses. Any host can exist within a private network - no problems there. But if it needs to be a part of a public network, don't use the private network to connect the host to the public one - connect it directly, but w/ all the firewall rules in place.
This is something that would be easily achieved w/ the use of static vs dynamic addresses. For things like websites or ftp servers which one may want others to connect to from outside, use static addresses. For things that you don't want enumerated by hosts, use dynamic addresses. It's easier w/ IPv6, since you now have 2^64 - s, where s is the #static addresses you'll want/need.
To set all that up, in IPv4, you need DHCP, and in IPv6, you need DHCP6. Set up your address assignment configuration rules, and you're good to go.
IPv6 NAT only exists for links b/w IPv4 and IPv6 nodes. There is no such thing as NAT66 or NAT666.
just because IPv6 includes the mac in the address, when you follow the stateless autoconfiguration procedure without privacy extensions, it does not mean, your ethernet/wifi will not use MAC addresses anymore. This remains unchanged.
and the MAC in the ip has one big advantage: if you know your hardware, you know the ip the computer will get. prefix:computed-suffix.
of course, the reasonable default is, be reachable via :mac-suffix, but surf via :PE-suffix. And use another pe-suffix with a much longer validity for long connections like instant-messaging and such stuff.
There is no reason to have IPv6 just on LAN. The address shortage is in the public internet space, not the private ones. I have yet to hear of any LAN for which class A private addresses 10.x.x.x was inadequate. In the meantime, depending on which RIR one is talking to, the address shortage is pretty critical.
In all likelihood, things will start off as dual stack, since nobody will want to upset existing IPv4 connectivity. In the long term, things will all be IPv6 nodes connected to each other via IPv6 networks, and IPv4 would have to use dual stack lite i.e. tunnelled over the IPv6 network. Things like NAT 464 or NAT 46 or NAT 64 are unlikely to be deployed.
The only OS that I've heard doing that are the BSDs, particularly FreeBSD and its derivatives. I too wonder whether Linux does it. I agree that the EUI-64, as it is called, is a bad idea in an otherwise great protocol. The best thing to do is use a DHCP6 to configure the network as per one's network topology map.
Actually the value being widely recommended is a /56. See RFC 6177. That allows the user quite a few subnets, more than most homes and small businesses will likely use. Those with larger requirements should have no problem requesting a larger block.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
If that's what they wanted to do, why not revive Appletalk?
That's why I double NAT.
~S
I'm just doing this for fun, but wouldn't it be a couple clicks and 'disable ICMP' radio button in DD-WRT? :)
Yes of course.
Now think of a real person attempting to do this. Without your input. They are screwed.
NOW think of a real person attempting to do this, with your input, YOU are screwed, and I can almost certainly guarantee a home visit by yourself to do this in the end.
I myself like to enjoy the company of people I visit, not the company of their router interfaces (which very rarely serve cheeses I enjoy).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Easy peasy.
You can't handle the truth.
Precisely, even my relatively ancient D-Link routers support it (though they don't advertise it much), as does pretty much everything I've bought/assembled recently
I'd expect to see ISP wide NAT deployed before IPv6.
Too late. Although they default the configuration of the modems they ship to having IPv6 disabled, this will soon not be the case. So when that happens and you sign up to this ISP and buy a modem along with it, you'll get IPv6 by default.
LOAD ".SIG"
PRESS PLAY ON TAPE
You've never heard of bait'n'switch? Get you lusting after a /48 and all hot-to-go, then get a /72 or less? Tell me -- if you were Big Sis and wanted to clamp down on the Internet, what would you do? Do you think Crisco and other router mfrs are gonna complain with more routing bits?
I have one use case that I haven't seen addressed yet (ha, ha): reverse proxy for high availability.
Okay, let's say I have two internal servers that I want to expose externally via a single IP in order to facilitate reachability in a scenario where one server goes down. I am aware of round-robin DNS for load balancing, but that doesn't address the scenario wherein a client has a previously-established end-to-end connection and the server they are explicitly addressing goes offline. For simplicity's sake, we can assume we are discussing a stateless app server, but the concept applies the same in application clusters that share session state among the cluster.
With v4, I can have the NAT device handle failover so that subsequent requests from the client are seamlessly rerouted to the other server at the network layer—all behind the abstraction layer that NAT provides.
I've read a little about RFC 6296 (NPT), but it's not entirely clear to me that this would solve my use case. As far as I know, the simplest/best solution is to insinuate a proxy between the public IP and the private IP, because interface bonding doesn't fix the scenario where the app server has gone down but the server host is still up. In an interface-bonding configuration traffic can still be sent to the host with the downed app server (FAIL).
I have read that some people are attempting to hack NAT on top of IPv6, but I have seen many posts over the past few years claiming that "NAT is never the solution/breaks the internet/causes cancer/etc"; therefore, I am wondering what the best practice actual solution is in this case.
/48 was the originally envisioned minimum end user allocation. It has been changed to /56 because some ISP's are afraid of running out of addresses. A typical ISP is assigned a /32 unless they ask for more, so that is "only" 65000 customers. However, large ISP's have been assigned up to /19, which leaves room for half a billion subscribers, even with /48 assignments. Going to /56 bumps that to 137 billion subscribers...
Finally! A year of moderation! Ready for 2019?
Because 4,294,967,296 addresses ought to be enough for everybody.
V6 is Betamax and will never be adopted.
Some other really clever protocol will pop up and gain widespread commercial acceptance. It will not come from the IETF.
Mark my words.
Need Mercedes parts ?
There is a lot of confusion here from people who have obviously never configured Airport devices.
Most routers provide a web interface. The configuration interface is part of the router's firmware, and it can be assumed that if the configuration interface doesn't have a setting, it doesn't exist.
This is not the case with Airport devices.
Airport devices do not provide a web interface; the only way to configure them is through the "Airport Configuration Utility" which runs as an application on your PC, Mac, or iOS device. The Airport device's firmware hasn't changed - it still provides the same functionality it always has.
Second, there is a difference between native IPv6 and running a 6to4 tunnel. One is "real" IPv6, the other is a hack for early adopters who want to gain experience with IPv6, even though their ISP doesn't provide it.
The Airport firmware hasn't removed any IPv6 support at all. As far as I can tell (and I've set it up on my home network), if an Airport device is given native IPv6 addresses & routing, it uses them and passes them along to devices that connect to the Airport network. "It just works."
The catch is that you cannot configure a 6to4 tunnel using Airport Configuration Utility 6. A 6to4 tunnel is the only way to get IPv6 for most of us, so many cry that the sky is falling, etc. (Even though Apple released a new version of ACU - 5.6 - the same day as 6.0 - and 5.6 still has 6to4 tunnel configuration.)
For those of us geeks that want IPv6, 6to4 is fine; we're using it for exactly the purpose it was designed for: a mechanism for early adoption.
But let's face it: 6to4 has some ugly warts: packets typically have to travel as IPv4 packets far farther than the local ISP office. A typical 6to4 packet traversal is along the lines of:
Not only does 6to4 add many unnecessary (and time-consuming) steps, but network routing is much less efficient, which makes it even slower. I've yet to see a single 6to4 tunnel that had anything approaching the latency and bandwidth of the native IPv4. Having double (or more) of the latency, and considerably less bandwidth is a pretty poor user experience. In my mind, 6to4 tunnels are a hack that I'll be glad to be rid of, and one that normal users should never have to put up with.
Normal users shouldn't know or care about IPv6. Only we few should even have to think of a 6to4 tunnel, let alone use one.
For the "general case" internet user, the correct path is for the ISPs to provide native IPv6.
The real question is whether Apple is premature or simply "ahead of the curve" in deprecating 6to4 tunnels. I honestly feel the vast majority of users will never use 6to4 or its ilk - the transition will be from IPv4 only to a native dual stack - at which point the "removal" of 6to4 configuration is a moot point.
-- Sometimes you have to turn the lights off in order to see.
IPv4 never has to go away. It can be used forever in internal networks.
Exactly this. I remember routing IPX over IPv4 in the 90s so we could play Quake at LAN parties. IPv4 won't go away for a long, long time. It doesn't need to. That doesn't mean we can't start using something better in the mean time.
Dewey, what part of this looks like authorities should be involved?
Last week I was in a small village 2h north of San Francisco. The hotel had broken ipv4/NAT (using 200.200.200.1/32 for the internal network), but perfectly functional IPv6 (using Comcast).
Most ISPs already have an IPv6 deployment plan. Most North American ISPs already ship wifi/dsl routers to their customers, so they will just switch the router at some point. No big deal really.
(my home/office networks/ISPs/websites are already ipv6)
There is some kind of stupid people with communication capacity, those are the problem. We call them "media".
You see, somebody does some great research and discovers that yes, the sky will fall 20 years from now. A bunch of smart people start to think on what to do. Things are great, they are able to come with a plan and everything, they just need a lot of people to do some easy thing and we are saved. Then they think "how can we send our message to that huge number of people?", and call the media. But the media isn't interested on a news that "The sky will fall 20 years from now!", that's not scary enough; thus, they publish that "The sky is falling!" and that is the message that gets to people like you. Then passes 1 year, then 2, then 5 years and nothing happens. People start to doubt that the sky will fall, and refuse to do that simple act that will save them. 20 years later, the sky falls, and everybody is hurt.
The IPv4 addresses are ending earlier than expected. The people that worked at IPv6 were expecting IPv4 to last until the 2020's. For some definitions of "end", the IPv4 addresses already ended. It is not tomorrow, or next year, or in a decade; it ended last year. For other definitions it is harder to say exactly when it ends, some services are already without new addresses, those will never get any new number, for them it is over; while some other services still have some addresses available. Some continents still have unallocated addresses. It is likely that 20 years from now there will still be unassigned addresses, but that doesn't change the fact that several devices won't get an IPv4 address anymore.
Rethinking email
Come on guys....
How many home users know that if they have an IPv6 setup at home that it will travel with them when they take their notebook to Starbucks? Did Starbucks or any other WIFI site had IPv6 set up wrong, guess what!?!? The bad guys can poke you at any hot spot that is set up wrong, once they have your IPv6 they can just have the malware reply back to the controller node when it has a valid IPv6 address. Now how is it that these Home users understand how the Internet was supposed to work.
BAM!
Is your AV software also IPv6 compatible to understand these new exploits and connectivity?
Home users expect that when they are at a hotspot they are protected. ALL the hot spot operators I know barely know how to turn the damn thing on or when it needs to be reset.
Your Average Joe
13.0.0.0/8 Xerox Corporation
15.0.0.0/8 Hewlett-Packard Company
16.0.0.0/8 Digital Equipment Corporation (Digital Equipment Corporation, then Compaq, then Hewlett-Packard)
17.0.0.0/8 Apple Inc.
19.0.0.0/8 Ford Motor Company
48.0.0.0/8 Prudential Securities Inc.
47.0.0.0/8 Bell-Northern Research (Bell-Northern Research, now absorbed into Nortel)
I'll believe there's a shortage, when those companies explain to me why they need 16.7 million addresses. Each. With a publicly reachable IP.
For an internal network, what would be ideal would be what's called site unique addresses (fc00::/10), whereby every node in the world has a unique, non-routable address. AFAIK, it's never been implemented and the IETF also proposed a site local address (fd00::/10) where the global uniqueness wasn't required. But this is certainly a better solution than public IPv6 addresses - why would one give one's office network printer its own IPv6 address, when the only people authorized to use it are company employees?
The idea of a VPN is to connect 2 (or more) LANs so that it acts as 1 LAN - something doable using the above IPv6 address scopes. It's a PITA in IPv4, since a lot of groups do use 192.168.x.x, and chances of overlap are high to begin w/. W/ IPv6, chances are that nobody has overlapping IPv6 addresses, which makes networking them w/o using a higher layer to resolve any similarities that much easier.
And I'm still not sure what so many people want to do with DHCPv6. Router announcements and default DNS servers cover a very significant portion of DHCP uses under IPv4. There are some things that need additional configuration -- any sort of netboot arrangement for example, probably needs additional configuration data -- but those are all specialized applications, and given self-configured IP networking, quite easy to do without DHCP or at least without DHCP-based address assignment (i.e. just use DHCP for configuration of the non-IP-network parameters). And I have no idea what you mean by "buggy or exploitable" -- both IPv6 stateless autoconfig and DHCPv4 can be disrupted or hijacked by any host on the same broadcast segment, and even at that IPv6 has better recovery modes because the refresh interval is typically orders of magnitude shorter.
This one is easy - unlike IPv4, DHCP6 is needed if one wants stateful addresses - default DNS servers don't work in IPv6 w/o DHCP6. In IPv4, given that you have DNS and the fact that every node is allowed only one address, DHCP4 is not as vital. But in IPv6, where a node can have any number of addresses, and where some services require that the addresses be stateful, it's a good idea to use DHCP6 to manage addresses. Using it, one should be able to distribute a link b/w stateful and stateless addresses, static and dynamic addresses and so on. An ideal DHCP6 would allow one to configure each of the segments, so that from the address, someone internally managing that network can tell whether an address is static, dynamic, belongs to a website, and so on.
Also, EUI 64 embeds the Layer 2 MAC address in a way that would enable anyone to know what it is, which is a bad idea. BSD unfortunately uses that as the default for assigning an address to a desktop. A better idea is to give the user the option of either doing an address fetch using router advertisements, or if the user is more competent, provide one w/ the option of using DHCP6 to assign the addresses of all the devices within the network.
Given that no LAN is likely to need anything greater than class A addresses, I think that that is probably the last thing that needs to migrate. The only reason to have a LAN IPv6 is that it would seem that having the same protocol for one's public and private networks would make it easier on the OS. Note that by LAN, I'm only talking about networks here that need to be isolated from the internet, not networks that form VPNs.
The thing that confuses this issue is people conflating NAT w/ a wide variety of things, from LANs, firewalls, reverse proxies and what have you. Very simply, if internet connection is needed, NAT is not the way to go about it. Firewalls do not break end to end connections. Load balancing is the only legit reason I've seen argued so far for having NAT, and even there, there's the question of whether a disruption in the continuity is required.
But yeah, even as an IPv6 advocate, I don't advocate that organizations move their LANs to IPv6 - except if they need to use them to connect VPNs.
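The EUI-64 point raised in the comment above, as an added example that is not part of the original thread: it builds the modified EUI-64 address a host derives from its MAC, then audits a list of addresses for interface IDs that expose one. The prefixes, the MAC and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict


def eui64_address(prefix, mac):
    """Build the address a host forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs a /64 prefix")
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    # Flip the universal/local bit, then split the MAC around ff:fe.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return str(net.network_address + int.from_bytes(iid, "big"))


def embedded_mac(addr):
    """Return the MAC recoverable from the interface ID, or None."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    # ff:fe in the middle marks an EUI-64 derived ID. A random ID can
    # match by chance (about 1 in 65536), so treat a hit as a lead.
    if iid[3:5] != b"\xff\xfe":
        return None  # randomised, DHCPv6-assigned or manual interface ID
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def audit(addresses):
    """Group addresses by the MAC they expose; others are omitted."""
    exposed = defaultdict(list)
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac:
            exposed[mac].append(addr)
    return dict(exposed)


# Constructed sample: one laptop seen on two networks plus its link-local
# address, a host with a randomised ID, and a manually numbered host.
SAMPLE = [
    eui64_address("2001:db8:1:2::/64", "00:1b:63:84:45:e6"),
    eui64_address("2001:db8:beef:9::/64", "00:1b:63:84:45:e6"),
    "fe80::21b:63ff:fe84:45e6",
    "2001:db8:1:2:a9f3:1c02:77de:4b10",
    "fd12:3456:789a:1::10",
]

if __name__ == "__main__":
    for mac, addrs in audit(SAMPLE).items():
        print(mac, "->", ", ".join(addrs))
```

The same MAC shows up under both prefixes, which is why an EUI-64 interface ID lets a host be correlated across networks while the last two addresses reveal nothing about the hardware.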
The mobile phone companies looked into using NAT, in fact they are using NAT because there are simply not enough IPv4 addresses for them. They have hundreds of millions of customers, so they have to use multiple copies of 10.0/8, one isn't enough.
You may want to take another peek at those numbers.
156,111,429 registered domains that they have information on.
137,146,863 (87.85%) have IPv4 addresses assigned.
3,236,871 (2.07%) have IPv6 addresses assigned.
46,385 AS counted
40,890 (88.15%) AS for IPv4
5,495 (11.84%) AS for IPv6
1,000,000 Alexa top 1 million sites.
941,619 (94.16%) with direct IPv4 addresses
11,370 (1.13%) with direct IPv6 addresses
Sorry, those numbers don't represent a majority. They don't represent a minority. That would usually be considered a fringe group. At this time, I don't know of anyone who's given IPv6 only. I've contracted for several business and enterprise class lines recently. Only one provider has offered IPv6 in any form. Theirs was a small mention, buried on their business customer help pages. Their CS knew nothing about it. If you're going to do it, you have to get your IPs delegated on your own, get your own ASN, and then ask for routing. At that point, it was still contingent on getting their permission. Doing the prerequisites is no guarantee that they actually will route your IPv6 traffic appropriately.
I brought up my HE tunnel this evening, and started bringing up sites on it.
I also discovered something rather disappointing. My brand new residential router/AP (Belkin F9K1103) does not support IPv6. It also doesn't pass the tunneled IPv6 traffic properly. I tried with HE's instructions. I tried gogoNet clients. No go there either. I went looking around for information on what residential devices *do* support it. Oddly enough, not many do. Some list it as available in the documentation, but don't advertise it as a feature or supported item. Some have it, but it's known to be flaky.
So, at this time, and for the near future, it is not feasible to consider that it will be available as our salvation to the IPv4 problem. You'll most likely see carrier grade NAT deployed first, which will push IPv6 adoption off by decades. No residential provider wants to do a widespread deployment, because it will cost them a fortune in new hardware. Commercial providers look at the same numbers you provided and I summarized, and say it's not worth considering at this time.
I will admit, there are more places using it now than a few years ago, but it's still nowhere near enough to consider it near mainstream.
The sky hasn't fallen. Customers can still get new IP blocks assigned. It won't be until providers are told "No, you can't have any IPs, because we don't have any to assign.", that it will become urgent. That is the business mindset. You as a hosting customer, or you as a residential customer, will continue to need to live with the provider's corporate decisions.
Before that day comes, a lot of companies will reduce their IP overhead. Further aggregation and load balancing will be done with fewer public IPs. Residential customers will find the wonders of carrier grade NAT. You can say it's coming until you are blue in the face. The simple fact is, it's not happening today, tomorrow, or even this year. It probably won't reach real mainstream adoption this decade.
I'm bringing my servers up with IPv6 for the novelty of it, and the simple bragging rights. I seriously doubt I'll see more than a small fraction of my traffic coming in from IPv6 clients.
Serious? Seriousness is well above my pay grade.
So, at this time, and for the near future, it is not feasible to consider that it will be available as our salvation to the IPv4 problem. You'll most likely see carrier grade NAT deployed first, which will push IPv6 adoption off by decades. No residential provider wants to do a widespread deployment, because it will cost them a fortune in new hardware. Commercial providers look at the same numbers you provided and I summarized, and say it's not worth considering at this time.
Packet for packet CGN costs (lots) more than a dumb L3 router. Deploying IPv6 means you pay LESS not more even if buying new hardware.
In the numbers quoted a key point is missing. There is a "long tail" in distribution of bandwidth consumption.
Only a very small handful of sites and large ISPs generate and consume the majority of overall traffic in the US. Between Google, Netflix, YouTube, Facebook and Akamai you are sadly looking at the majority of all network traffic. **ALL** of these sites are actively deploying IPv6. Millions of remaining sites consume the sliver that is all remaining usage. The cost of CGN to manage the remaining sliver is manageable.
ISPs have incentive to deploy because they are running out of addresses and routing costs a lot less than CGN and provides better user experience.
Content has incentive to deploy because they want to reach everyone and provide high quality service (Avoid CGNs)
There is a long tail...all the millions of small sites and thousands of smaller ISP operations will lag behind for a considerable amount of time... here I agree it will take many many years to get everyone to switch over.
I'm bringing my servers up with IPv6 for the novelty of it, and the simple bragging rights. I seriously doubt I'll see more than a small fraction of my traffic coming in from IPv6 clients.
In a few months when Comcast flips the switch for all customers it will be interesting to see what happens to your traffic. I suspect you will be surprised.
Also, if being anonymous is important to you, you should be using Tor.
Otherwise most notions of "anonymity" that you have are a joke.
The command line tools needed for ports/fink/etc can be installed without all of the rest of the stuff. So now instead of your 4-8GB download, you only need a 170MB download.
190.7.206.220 is no easier to remember than 2a01:4f8:130:9101::
The catch is that you cannot configure a 6to4 tunnel using Airport Configuration Utility 6.
So far as I can see, you can't configure the IPv6 firewall with Airport Utility v6.0. That is something that is far more important, and which also impacts those who can get a real auto-configured IPv6 address range and routing.
Yaz
The only way IPv6 can be a security issue is because incompetent fucks don't understand security.
You just described 99.9999% of the people with an internet connection.
They want to see the DANCING BUNNIES!
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
# http://technet.microsoft.com/en-us/library/cc783049(v=ws.10).aspx
# default site local (FEC0) DNS server anycast addresses are:
# FEC0:0:0:FFFF::1
# FEC0:0:0:FFFF::2
# FEC0:0:0:FFFF::3
#
# IPv6 Host Address Block prefix
#sorry for the obfuscation, stupid
#XXXusingfwewerjunkcharactersusingfewerju-1
#-usingfewr-1-aa-3-bb-4-cc-6-dd-8-ee-9-ff-1
#-usingfewr-6-ee-2-ff-8-gg-4-hh-0-ii-6-jj-2
V6HABP=FDFD:DEAD:BEEF:CAFE:DEAD:BEEF:CAFE:0::
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
When Steve Jobs decided to not support Flash on iPhones, Adobe said it will no longer develop Flash on any mobile platform, Apple or otherwise (e.g. Android).
Steve Jobs managed to make Flash on mobile essentially die, right before he did.
And even though he is dead, his little tantrum and bullshit about Flash being a battery hog has hurt Android.
Spread enough FUD and you don't need to worry about your competitors supporting something you won't or can't, the vendor will just quit, and now no one supports it so you win (and the people lose).
Flash had its problems, but it was opening up and getting better, and HTML 5 is not yet ready, and now there will be no way to play Flash games, etc on Android, since Adobe's abandonment means security holes won't get fixed and people will have to either remove it or get hacked.
IPv6 could lose support, now the Flawless Almighty Apple (when will members of Steve Jobs cult wake up - the leader is dead!) has decreed it. Then we will all be stuck with NAT as ISPs revoke even dynamic routable IPs from customers.
Just because it CAN be done, doesn't mean it should!
Nice! A variation of the "Air Crushes Can"
http://www.youtube.com/watch?v=QVayky_b-6U
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling