Apple Under Fire For Backing Off IPv6 Support
alphadogg writes "Apple Computer came under fire for back-pedaling on its support for IPv6, the next-generation Internet Protocol, at a gathering of experts held in Denver this week. Presenters at the North American IPv6 Summit expressed annoyance that the latest version of Apple's AirPort Utility, Version 6.0, is no longer compatible with IPv6. The previous Version, 5.6, offered IPv6 service by default. While home networking vendors like Cisco and D-Link are adding IPv6 across their product lines, Apple appears to be the only vendor that is removing this feature."
Apple is secretly working on IPv7, where there's just a single light-weight packet type, and is exclusively available on the AT&T backbone (at a premium rate).
I'm sure slashdot readers are entirely unaware of what goes on when a program is rewritten. And naturally assume that when it happens, 100% of all features and abilities are reproduced without any complications in a couple months. Just look at photoshop - it's been such a breeze to rewrite for adobe.
I'm sure no company would ever think about building a rewrite with enough features and polish to ship, then add in feature parity as updates later.
The input boxes/fields became too big considering the maximum size/length of an IPv6 address. UI design just doesn't allow such huge elements.
Actually, the experts are divided on whether IPv4 addresses will be exhausted. There may be many more addresses hidden out there. Before this is properly investigated it is too early to take action on IPv4 exhaustion. The idea that addresses are running out is only scare-mongering spread by the left-wing media. We should focus more on the controversy and less on IPv6 support.
Steve Jobs gone, so we can do whatever we want with Apple!! :P
Nothing here... So... SHOOO!!!
The internet protocol for enhanced experience, the new revolutionary: iPee
Every big firm wants, above all, to get rid of the quaint notion that the Internet is a network of intelligent peers. Much better to have dumb terminals all locked in to your service.
Sticking with IPv4 and the resultant multi-NAT hell is a good technical step in this direction.
It's like Google pretending to champion IPv6 then setting absurd conditions for their IPv6 services. So ISPs which offer native IPv6 by default, such as England's Andrews&Arnold, have to jump through artificial hoops before they're "supported". And it's no coincidence that half of abusive SixXS is half-run by a Google employee.
Oddly enough - and this'll get me the mod to oblivion - only MS has historically shown neutral support for IPv6, neither trying to control it nor eschewing it. That's because, I expect, Microsoft was traditionally about the powerful desktop and local server (running NT, of course). Now it's jumped on the cloud bandwagon, who knows?
I'm sure the functionality will be added back in.
Airport Utility 6.0 follows the recent trend of Apple making all of their software neutered versions of iOS versions (Lion to a certain extent, iCal, Address Book, etc)--so the comments here http://www.macrumors.com/2012/01/30/apple-releases-redesigned-ios-like-airport-utility-6-0-and-an-airport-base-station-bug-fix/. So, they went from a useful program with a standard interface (old version) to one with a pretty UI that lacks major features.
The trend has been for Apple to add MOST features back in at some point, so hopefully it continues. I can't imagine Airport Utility will stay this way forever.
I just keep an old binary around...
I was really puzzled about this, so I went to 'investigate' the issue a bit. Turns out Airport is not a router, but a sort of wireless switch (no modem). So this is probably another speed optimization as packets are 96 bits smaller and your home network probably isn't filled with more than 4294967296 devices.
The first thing that comes to my mind is how in the hell this is going to work when you want to access the internet in such a configuration. The utility or physical Airport station probably converts this. I don't think Apple is that retarded...
They did not remove IPv6 at all. The new config utility (v6) doesn't let you configure it, but they say so right in the docs that it is one of the features the new version does not yet support. They also give you a download link to the previous 5.6 version if you want to configure those rarely used features. IPv6 is even enabled by default.
There I said it. The lack of adoption and the lack of knowledge have made it a tremendous burden with absolutely zero benefit to our organization. I'm fine with running ipv4 into the ground. I just don't care anymore. I hate ipv6.
You know, I've been waiting for it to become "mainstream" for over a decade now. Constantly, people have said "It's coming! It's coming!". Support has been added to just about everything. The problem is still that all those pesky web sites that people want to reach haven't converted. I went cruising through the IPv6 migration sites, they show the dozens of sites that are available.
Here's a quick look.
So, if you just switch over, you can't use google.com, unless you remember to use ipv6.google.com. You can't reach Slashdot. Try all the sites you frequent. Of my daily reading list, the only one that works by its normal name is xkcd.com. Most of them are big sites.
I'd expect to see ISP wide NAT deployed before IPv6. IPv6 is a novelty that may get adopted sometime in the future, but I wouldn't hold my breath on it.
Serious? Seriousness is well above my pay grade.
I guess I'll try one more time. Whether in this *specific* case it's a good or bad thing, remember that most of us are running small IPv4 networks. IPv6 adds needless complexity and simply isn't needed.
I just wrote an article on this for an industry trade magazine. One gem of a quote came from a vendor who makes audio-over-IP remote equipment (i.e., remote broadcast from a site away from the studios). He said, and I quote, that his company is IPv6-ready at the hardware level, but hasn't added it yet, because -- here's the quote -- "not one single customer has requested it." In fact, those who have added it get support calls from people: "why is this so slow?" "Why can't I connect?" The answer? Disable the IPv6 unless you KNOW you need it! :)
Remember: the shortage of IPv4 addresses is on the PUBLIC INTERNET. (An extremely important distinction.) A small business with maybe 10-20 devices on an internal network doesn't care about IPv6. At all. Now, those of you with hundreds of clients on a large network, might indeed want it. But for most of us, all we'll need is an IPv6-capable router/modem at the Internet gateway. Inside the facility, who cares?
Cogito, igitur comedam pizza.
Source on this? It seems to do the important parts of routing, at least for a home network configuration--assigns IP addresses, allows port forwarding, etc. And it certainly can do IPv6--the option was removed, for some reason, from the newest configuration utility. Also, it obviously works when connecting to the Internet, unless it has a really sophisticated Slashdot emulator :)
You can still download the old Utility: http://support.apple.com/kb/DL1482?viewlocale=en_US&locale=en_US
If you can't convince them, convict them.
MS seen as backpedaling on its support for 64-bit computing over Windows 8 only supporting 32-bit CPUs in tablets.
Come on people, this isn't backpedaling, it's a completely new version of a utility that in its initial release supports what's in use in 99% of installations. Those who are actually using IPv6 can use the older version until this one adds support (probably in the next release).
make imaginary.friends COUNT=100 VISIBLE=false
I'm getting really tired of idiots that think NAT is a security solution. It's not. It's a hack that breaks end-to-end connectivity.
The only way IPv6 can be a security issue is because incompetent fucks don't understand security.
IPv6 makes VPN a lot easier and more reliable. Many small businesses care about that so that their employees can work while at home or traveling.
I don't anticipate that IPv4 dies off as slowly as many people suggest. IPv4 is easy to understand, and addresses fit within the average technician's short-term memory. Just try to remember IPv6 addresses, your brain will melt!
IPv4 never has to go away. It can be used forever in internal networks.
IPv6 Addresses can be remembered if you select your local bits rather than let the slaac monster pick them for you. Google via IPv6 for example: 2001:4860:8005::68 ... Almost the same length as an IPv4 address!!
IPv6 lets you have some hexsp33k fun..
Facebook:
2620:0:1cfe:face:b00c::3
cisco dog food ipv6 day:
2001:420:80:1:c:15:c0:d07:f00d
SPRINT!!! OMFG...
2600::
> A small business with maybe 10-20 devices on an internal network doesn't care about IPv6.
IPv6 isn't only about having more addresses. For instance, stateless address autoconfiguration is interesting in a local network.
Kill all hipsters.
I have heard one paranoid assertion about IP6 which said that the reason it was being pushed so enthusiastically is that every device in the world will gets its own address. With a GUID on all traffic, everything is traceable and MAFIAA and the spooks are happy.
discuss
I'll see your Constitution and raise you a Queen.
IPv6 allows us to finally get rid of NAT by having the router request several public addresses which are handed out to the individual computers.
The "not needed" mentality doesn't solve anything, especially because they could have just added an option to disable IPv6 instead of removing it.
Inside the facility, who cares?
Patronizing, are you? What makes you think you may prescribe the type of internal addressing (size of RAM, internationalisation, etc.) to anyone and everyone?
I for one do care. Be it to work with IPv6 islands in an IPv4 shop, or student and research work. Maybe someone wants the same IP address wherever she goes?
It can be understood from your post that you say "as long as the Apple box allows a connection; by whichever means and difficulties including eventual downgrades and encumbrances, I will defend its weaknesses to the very end".
Though you could have said so.
IPv6 is actually very easy to remember when done right. Further, we have DNS for address resolution - how many of the websites you visited today do you know the IPv4 address for?
For an enterprise, once they get their allocation, it's really not that bad. I will make up an allocation as an example:
2600:123:b000::/48
With 5 more octets left (octets isn't the right term, but divisions separated by colons), you can do a large amount of intelligent numbering, and even just reuse all of your VLAN and IPv4 numbering right inside your IPv6 addressing.
For instance, if you have a server network at 172.16.2.0/24 and it is vlan 203, you can assign 2600:123:b000:203::/64 (with the nodes getting ::172:16:2:yyy), so a given server node with 172.16.2.105 would be 2600:123:b000:203:172:16:2:105 . It's wasteful, but with IPv6, who cares?
If you have more than one site, then each site should get its own /48. When applying for addresses, you should do so for all sites at once. We have a /44 (x:x:b000 - x:x:b00f) as we have 9 sites. We can then assign each site based on their site numbers (2600:123:b001 - 2600:123:b009). We use 2600:123:b000 for infrastructure, and still have 2600:123:b00a - 2600:123:b00f left over.
So, site 3, vlan 405, network 172.24.5.0/24 would be assigned 2600:123:b003:405::/64 with nodes having 2600:123:b003:405:172:24:5:yyy. For workstations that use SLAAC and/or DHCPv6, you don't care about the last 64 bits and you rely on DNS. But you still know the site and VLAN if you use the same numbering. 2600:123:b002:464::/64, which is site 2, vlan 464.
All the IT staff has to do is learn that 2600:123:b000 - b00f is our assignment and explain the rest of our addressing plan. It's actually rather natural to do it this way and makes a ton of sense.
Oh, and personally I would skip doing any decimal to hex conversion where it can be avoided. For instance, I would not make vlan 165 be A5 (the hex value), but rather just 165. This does mean you'll "waste" something like 37.5% of your address space - but again, who cares? I'll take readability over maximum use any day.
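The site/VLAN/IPv4-embedding plan described in the post above, worked through in code. This is an added example, not the poster's own tooling: the /44 is the poster's made-up 2600:123:b000::/44, and the helper names (site_prefix, vlan_subnet, host_address, decode) are mine. It follows the "write decimal digits into hex groups" convention (VLAN 405 becomes the group 0x0405), which is why a VLAN ID is capped at 4094 so that it always fits in one 16-bit group, and decode() rejects groups that contain hex letters because those were not produced by this scheme.

```python
import ipaddress

# The poster's made-up /44; the layout below is their convention, reproduced
# here as an added example rather than their own code.
ASSIGNMENT = ipaddress.IPv6Network("2600:123:b000::/44")


def _groups(net_or_addr):
    """Return the eight 16-bit groups of an address as 4-hex-digit strings."""
    addr = getattr(net_or_addr, "network_address", net_or_addr)
    return addr.exploded.split(":")


def site_prefix(site):
    """Site N gets its own /48 inside the /44: 2600:123:b00N::/48 (N = 0..15)."""
    if not 0 <= site <= 15:
        raise ValueError("a /44 holds only 16 /48 sites")
    g = _groups(ASSIGNMENT)
    g[2] = format(int(g[2], 16) + site, "x")
    return ipaddress.IPv6Network(":".join(g[:3]) + "::/48")


def vlan_subnet(site, vlan):
    """VLAN V at site N is 2600:123:b00N:V::/64, with V written as decimal
    digits inside the hex group (vlan 405 -> group 0x0405)."""
    if not 1 <= vlan <= 4094:
        raise ValueError("802.1Q VLAN IDs are 1..4094")
    g = _groups(site_prefix(site))[:3]
    return ipaddress.IPv6Network(":".join(g + [str(vlan)]) + "::/64")


def host_address(site, vlan, ipv4):
    """Embed the host's IPv4 address, octet by octet as decimal digits, in
    the last four groups: 172.24.5.105 -> ...:172:24:5:105."""
    octets = [str(b) for b in ipaddress.IPv4Address(ipv4).packed]
    subnet = vlan_subnet(site, vlan)
    g = _groups(subnet)[:4]
    addr = ipaddress.IPv6Address(":".join(g + octets))
    assert addr in subnet  # sanity check: the host part never leaves the /64
    return addr


def _decimal_group(h):
    """Read a group written with this scheme back as a decimal number."""
    s = format(int(h, 16), "x")
    if not s.isdigit():
        raise ValueError(f"group {h} contains hex letters; not a decimal-embedded group")
    return int(s)


def decode(address):
    """Recover (site, vlan, ipv4) from an address built by host_address()."""
    a = ipaddress.IPv6Address(str(address))
    if a not in ASSIGNMENT:
        raise ValueError("address is outside our /44")
    g = _groups(a)
    site = int(g[2], 16) - int(_groups(ASSIGNMENT)[2], 16)
    vlan = _decimal_group(g[3])
    ipv4 = ".".join(str(_decimal_group(x)) for x in g[4:8])
    return site, vlan, ipv4


if __name__ == "__main__":
    a = host_address(3, 405, "172.24.5.105")
    print(a)           # 2600:123:b003:405:172:24:5:105
    print(decode(a))   # (3, 405, '172.24.5.105')
```

Because the scheme only ever uses the digits 0-9 inside each group, an address with a letter in the VLAN or IPv4 groups is immediately recognisable as something that did not come from the plan (a SLAAC or privacy address, for instance), which is handy when reading logs.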
I discovered that Youtube was delivering to me via IPv6 and I didn't even realize that. The main site has no AAAA record that I can see. But the video delivery actually went over IPv6, despite me only using IPv4 for DNS. I suspect they bugged the page with a transparent image that asks for a hostname that is only on IPv6, and set a cookie or something to engage IPv6.
now we need to go OSS in diesel cars
You don't "switch" to IPv6, you add IPv6. Nobody expects IPv4 to go away any time soon. What everyone's talking about is supporting IPv6 plus IPv4. So all your old sites work, but you can also reach any new hosts that have IPv6 addresses only directly, and get the benefits of avoiding NAT. Those hosts will likely be mobile customers at first, since that's one of the first places where ISPs are having to use v6. As for those users, they will be able to talk to IPv4 sites via DNS trickery and IPv6-to-IPv4 NAT, or just via plain old IPv4 NAT.
That's bunk. NAT doesn't provide real security, and in fact a false sense of security. Your firewall should always deny/drop traffic by default, except where permitted otherwise, either explicitly or by a stateful connection originating from the inside.
If you want pseudo anonymity on the level of what you have with IPv4, then leave the global randomize identifiers on. It's on by default in Windows. You actually have to disable it with netsh interface ipv6 set global randomizeidentifiers=disabled.
Every device gets an address, but that address is not a GUID. The address is different if you go to a different network. The address changes every day. It's not useful for tracking you, at least no more so than your v4 address was.
Not much to discuss here.
http://en.wikipedia.org/wiki/Stateful_firewall
Time to learn some networking, bro.
You have the same ability to be "anonymous" as with IPv4. With IPv4, they can track it down to your gateway, but have no idea what PC inside originated the traffic. I doubt you get a unique IPv4 address each time your gateway restarts. My Comcast connection has had the same one for 8 years, through two cablemodems, because my MAC address on my router stayed the same (or rather, I told my newer routers to use the one my older one had). Even if it is different each time, like with many PPPoE implementations, your ISP has logs where each account-to-IP-assignment is known.
With IPv6, if you leave the global randomize identifier option enabled (default in Windows), then all they can do is track it down to your network /64 which is assigned to your gateway, and not to the individual PC.
Not sure about other OS, but if being "anonymous" is important to you, you might look into it.
I don't believe, for a second, that all addresses in companies or homes need to be public addresses!
Not every IPv6 address is a "public" address - private addresses can be assigned to a local subnet, very much like RFC1918 addresses, except now called Unique Local Addresses.
and, of course, there is some security to NOT being directly touchable on the net.
I don't WANT my address to be easily and directly reachable
Second of all, I can only assume by "directly reachable" you mean the loss of NAT/PAT. Again, Unique Local Addresses invalidate your statement. Furthermore, NAT/PAT can still be implemented. Not that it gives you any security whatsoever today.
running ipv6 is about as useful, to home users, as running BGP.
You do know that BGP is a routing protocol and IPv6 is a routed protocol, right? Please take a moment and read through the Wikipedia page on IPv6. Maybe even try running it for a week or two in a virtual environment?
So here's the deal. Your ISP will provide you with say, a /60 network via a mechanism called DHCP-PD using what's called a DUID. Your router will then provide you with a /64 (or multiple /64's, depending on the features of the device, I suspect just one by default unless you go into some advanced networking config), which will be used to connect your home network.
Your end devices, such as your PC, will have the option of what's called "temporary addresses". These addresses by default on Windows are preferred for 1 day (meaning, all new connections are made using that address), and available for 7 days (as in, it will accept incoming connections on that address, but not create new ones from it).
This mechanism provides a level of anonymity because the address generation has nothing to do with any identifiable components on the device itself.
This is also something you control on your client, not controlled on the routers. If controlled on the router, one would merely use DHCP, offering the same level of "anonymity" that we have today.
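Why the "temporary addresses" discussed above (and the randomized identifiers mentioned earlier in the thread) matter, shown in code. This is an added example and not from any poster: it builds the address SLAAC forms from a MAC address without privacy extensions (modified EUI-64, RFC 4291 Appendix A), reads the MAC straight back out of such an address, and then generates an RFC 4941-style temporary interface identifier that carries no hardware information. The prefix 2001:db8:1234:5678::/64 is an assumed documentation prefix and the MAC is constructed.

```python
import ipaddress
import secrets

# Assumed documentation prefix for the example (not from the thread).
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC: insert ff:fe
    in the middle and flip the universal/local bit (0x02 of the first byte)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def slaac_address(prefix, mac):
    """The address SLAAC forms when privacy extensions are off: prefix + EUI-64.
    The host part is the same on every network the device joins."""
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + eui64_iid(mac))


def mac_from_address(addr):
    """The tracking problem: anyone who sees the address can read the MAC back
    out of it. Returns None if the IID does not look like a modified EUI-64."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in bytes(iid[:3]) + bytes(iid[5:]))


def temporary_iid():
    """RFC 4941-style temporary IID: 64 random bits with the universal/local
    bit cleared, so it is never mistaken for a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02
    return bytes(iid)


def temporary_address(prefix):
    """A fresh, unlinkable address in the same /64; the prefix still tells an
    observer which network you are on, just not which host."""
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + temporary_iid())


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"  # constructed sample MAC
    stable = slaac_address(PREFIX, mac)
    print(stable, "->", mac_from_address(stable))   # MAC recoverable
    print(temporary_address(PREFIX))                # random, changes over time
```

The point the thread makes is visible in the output: the EUI-64 address reveals the MAC and is identical on every network the device visits, whereas the temporary address only ties the traffic to the /64 (the network), which is the same granularity an IPv4 NAT gave you.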
So this is probably another speed optimization as packets are 96 bits smaller...
Actually, an IPv6 packet can be smaller than an IPv4 packet. The IPv4 header contains a lot of garbage not required by IPv6. See for yourself.
Secondly, IPv6 addresses can be concatenated. Only if you're using an extremely complex IPv6 address will your router need to process a large source or destination header.
That's what firewalls are for. The fact that NAT and firewall often go together in IPv4 does not mean it has to be that way. Just set your IPv6 firewall to deny by default, and you'll have the same security setup you usually get with NAT+firewall on IPv4, but with more flexibility.
IPv6 addresses are not concatenated within the packets. The concatenation is only a display feature. Each packet contains all of the bits in each IPv6 address. While the router may display fe80::10 the packet actually contains fe80:0000:0000:0000:0000:0000:0000:0010
You block ping too? God, you're two kind of idiots at once.
Apple didn't back off on anything. The version of Airport Utility discussed is the pretty, dumbed-down version of the application intended for folks who just barely understand what a router is about. It matches the similar version deployed on iOS.
The "previous version" isn't. The feature-complete 5.6 was released at the same time as the simple version, and has the same support for IPv6 as it ever did.
A.
...bringing you cynical quips since 1998
I guess I'll try one more time. Whether in this *specific* case it's a good or bad thing, remember that most of us are running small IPv4 networks. IPv6 adds needless complexity and simply isn't needed.
No, NAT adds needless complexity and simply isn't needed if we could all just start using IPv6! Incomplete appliance support is an extreme hindrance to that.
Remember: the shortage of IPv4 addresses is on the PUBLIC INTERNET. (An extremely important distinction.) A small business with maybe 10-20 devices on an internal network doesn't care about IPv6. At all. Now, those of you with hundreds of clients on a large network, might indeed want it. But for most of us, all we'll need is an IPv6-capable router/modem at the Internet gateway. Inside the facility, who cares?
I happen to work in broadcasting, so I know your anecdote is a bit of an edge case. Few people in broadcasting even use DNS or DHCP, much of the time, IP networks are simply replacements for whatever proprietary bit of telco comms preceded it.
But of course no end user asks for IPv6. The mere idea that an end user should need to care about what happens on the transport layer for improvements in transport layer tech to be a Good Idea is flabbergasting. These things are supposed to be transparent. Technicians should realize they have a social responsibility to implement it, because the net gain is dependent on almost everyone getting it into place, so it can reach a critical mass so that we don't have to deal with the gigantic, internet-breaking kludge that is NAT.
The main point is: There should be no distinction in addressing, there should be no NAT. One address should be able to reach another address no matter what network each host is on. That's kind-of why it's called an inter-net.
toresbe
"can be smaller", but won't.
IPv4 header: "Variable length of 20-60 bytes, depending on IP options present." (if you don't use any options, 20 bytes).
IPv6 header: "Fixed length of 40 bytes. There are no IP header options." (if you don't use any options either, 40 bytes)
IPv6 is terrible if those "20 bytes more" are relevant for your application.
Src: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzai2%2Frzai2compipv4ipv6.htm
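The two header-size claims above (IPv6 header fixed at 40 bytes, IPv4 at 20 bytes without options) and the earlier point that "::" compression is only a display form can be checked by building the headers. This is an added example, not code from any poster; the addresses are documentation addresses and the payload lengths are made up.

```python
import ipaddress
import struct

IPPROTO_UDP = 17


def expand(addr):
    """What is on the wire: all 128 bits, written as 32 hex digits."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr):
    """The display form (RFC 5952): leading zeros dropped, longest zero run -> '::'."""
    return ipaddress.IPv6Address(addr).compressed


def ipv6_header(src, dst, payload_len, next_header=IPPROTO_UDP, hop_limit=64):
    """Fixed 40-byte IPv6 header (RFC 8200): 8 bytes of fixed fields plus two
    full 16-byte addresses, however short they look when printed."""
    version_tc_flow = 6 << 28  # version 6, traffic class 0, flow label 0
    fixed = struct.pack("!IHBB", version_tc_flow, payload_len, next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


def ipv4_checksum(hdr):
    """Ones'-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_len, protocol=IPPROTO_UDP, ttl=64):
    """Minimal 20-byte IPv4 header (IHL=5, no options) with the checksum
    filled in; with options it grows to at most 60 bytes."""
    version_ihl = (4 << 4) | 5
    # version/IHL, DSCP/ECN, total length, identification, flags/fragment
    # offset, TTL, protocol, checksum placeholder
    fields = struct.pack("!BBHHHBBH", version_ihl, 0, total_len, 0, 0, ttl, protocol, 0)
    hdr = fields + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    print(expand("fe80::10"))                       # 32 hex digits, 16 bytes
    print(len(ipv6_header("fe80::10", "2001:db8::1", 8)))                 # 40
    print(len(ipv6_header("2001:db8:1234:5678:9abc:def0:1234:5678",
                          "2001:db8::1", 8)))                              # 40
    print(len(ipv4_header("192.0.2.1", "198.51.100.2", 28)))              # 20
```

Note the design difference the sizes hide: the IPv6 header has no checksum and no options field, so a router forwards it without recomputing anything, while the IPv4 checksum has to be recomputed at every hop because the TTL changes.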
5.6 is not the previous version! 6.0 and 5.6 were released simultaneously! The problem lies with their product naming, not versioning. That is, 6.0 really should have been called Airport Utility Lite or something like that. 5.6 could have been Airport Utility Pro or something like that. 5.6 is very much the latest version. Want all the features? Use 5.6. Want a simplified interface? Use 6.0.
Why wouldn't they? ISPs get blocks in the /20 to /32 range, and end-users get /48s. That's plenty enough bits to do routing with, for both the ISP and for the end-user.
A /60 isn't generous, it's downright stingy. Not quite as bad as the ISPs that only give a single /64 (or the ones that fail to understand routing and don't give you anything at all), but there's plenty of space to give everyone /48s. Why go smaller? Especially all the way down to /96; you'd end up breaking SLAAC and subnetting for your users for no gain whatsoever.
Any argument revolving around what most people understand or need is silly in IPv6. Some people will need it or understand what to do with it, and the address space is large enough to allocate the same large block size to everyone, including the people who won't use it. What advantage is there in not doing that?
I was really puzzled about this, so I went to 'investigate' the issue a bit. Turns out Airport is not a router, but a sort of wireless switch (no modem). So this is probably another speed optimization as packets are 96 bits smaller and your home network probably isn't filled with more than 4294967296 devices.
The first thing that comes to my mind is how in the hell this is going to work when you want to access the internet in such a configuration. The utility or physical Airport station probably converts this. I don't think Apple is that retarded...
If you investigate further, you'll see it's just the Admin tool that lost support when they rewrote it, and it has nothing to do with the actual Airport device. Just like Final Cut Pro X, I'm sure Apple will re-add features over time.
E pluribus unum
Apple is not in the "serious business" business. They aren't. They make "consumer gear" now. I love the Mac Pro. I love the Mac Mini. I think they are great machines. The problem? They aren't focusing on those any more. They care about iThings for people to throw away in favor of the next one.
And when some great F/OSS stuff makes implementing IPv6 easier, they will absorb it and pretend they invented it like they always have.
You're breaking the internet because you don't understand it. There's not really a nicer way to say it. Every host is *SUPPOSED* to be addressable. It's called the end-to-end principle. The fact that NAT prevented unsolicited connections was a consequence of its design, not a feature. Firewalls do it better, and with more control. They even do it by default! The reason the iptables authors are religiously opposed to it is because the internet isn't meant to be like that, and there are perfectly good solutions (in iptables!) to do what you want without a broken end-to-end principle.
For what it's worth, I've been running IPv6 at home for a few years without the slightest trouble. My clients get NATted IPv4 addresses, and a public IPv6 address. They have the same security, since the firewall prevents unsolicited connections. But since it's a firewall and not shitty NAT, I have three SSH servers on port 22 and two webservers on port 80 that are publicly routable. Try doing that with NAT
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
:) As one of the original authors of some of the software that makes this Internet run (you probably are using it too, at least indirectly) I have a vague idea :)
Not every host is supposed to be addressable. There is a very specific reason private non-publicly-addressable subnet ranges were created, for example. So, your claims are false - you simply don't know what the Internet is "supposed" to be like.
And IPv6 can do better, without all the ugly side-effects of NAT: https://www.rfc-editor.org/rfc/rfc4941.txt
In addition - I don't have any publicly accessible servers at home and do not plan to ever get such. My servers are hosted in a dedicated facility and have publicly addressable IPs (of course :) ).
At the same time, I am strongly opposed to all the possible devices on my home network being visible/enumerated by hosts they need to access on the public Internet. These devices are only for me to know, and I go to great lengths to make sure that externally all access from my home network appears uniform and indistinguishable (for example, right now my web browser tells this web site that I am running Firefox 3.0 on the same Windows XP box :), irrespective of which computer or device I am using). Try doing that *without* "shitty NAT" :)
The comments to the original article pointed out that Apple didn't remove any IPv6 functionality, just the configuration tools for now. Those who need to configure IPv6 should continue using ver. 5.6. Presumably, the configuration tools for IPv6 will be added later.
If I used a sig over again, would anyone notice?
Indeed, I was assuming privacy addressing was turned on. This is the default in Windows XP/Vista/7/8, so it's not an unreasonable assumption. It's still off by default in Linux, although that's nothing a sysctl or two won't solve.
Smart phones, tablets etc could be pretty much taken care of if Android, iOS and Windows Mobile enable privacy extensions by default. I'm not sure what they actually do at the moment; I think they default to off with a few isolated devices that have it turned on.
The v6 address space is so enormously huge, you can't enumerate all hosts. Even if you could, it's trivial to block ping scans at the firewall in the same way as unsolicited connections. Furthermore, the Privacy Extensions (made possible by the address space!) give you a different address every few minutes, for the same net effect (it's the same prefix, but a different host portion every time, which is analogous to one NATted public address).
Regarding your earlier post, the internet is in fact supposed to have end-to-end connectivity. Private address spaces were supposed to be non-routable, organization-internal addresses using the IP as a convenience - not bridged to the "real" internet with a nasty hack. The nodes in the middle are supposed to be "dumb", since that's how IP was designed to function. I don't know what software you wrote, but it doesn't change the facts. And yes, I have read the papers.
The Airport Utility 6.0 actually has a whole lot less administration features than the 5.6 utility. In fact Apple has a download on their site for 5.6 if you want to use some of those features that are missing. As far as I can tell 6.0 is pretty much a Beta version. It's got an entirely different interface philosophy than 5.6 and most other router administration panels. I suspect that a lot of the missing functionality will be added soon, including ipv6.
Turns out Airport is not a router, but a sort of wireless switch (no modem).
Your terminology is not quite standard.
So this is probably another speed optimization as packets are 96 bits smaller and your home network probably isn't filled with more than 4294967296 devices.
My comparatively ancient and underpowered WRT54G manages IPv6 just fine.
But more to the point, the Airport Extreme itself is perfectly capable of routing IPv6, so your point is moot. It's just that IPv6 support is no longer included in the configuration utility.
Dewey, what part of this looks like authorities should be involved?
"OK, Mom, now click the 'Block ICMP' checkbox. Yep, with the left mouse button. Great! All set."
The only "security" NAT provides is *exactly* the same as a stateful firewall. No more, no less. It makes no sense to talk about NAT providing some different kind or amount of security than a stateful firewall.
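The claim just above, and the earlier advice to "set your IPv6 firewall to deny by default", can be made concrete with a small stateful filter: outbound packets create state, inbound packets are accepted only if they match an established flow or a listener you explicitly exposed, and the ICMPv6 messages IPv6 cannot work without (RFC 4890: errors 1-4 including Packet Too Big, echo, neighbor and router discovery) are let through rather than blanket-blocked. This is an added illustration, not anyone's posted code or a real firewall; the prefix 2001:db8:1::/64, the listener on 2001:db8:1::22 and the packets are all constructed. It is the same state table a NAT keeps, minus the address rewriting, which is why exposing three SSH servers on port 22 is one rule each here and impossible behind a single NATed address.

```python
import ipaddress
from dataclasses import dataclass

# ICMPv6 types a border filter must pass or IPv6 breaks (RFC 4890):
# 1-4 errors (2 = Packet Too Big, needed for PMTUD), 128/129 echo,
# 133-136 router/neighbor solicitation and advertisement.
ICMPV6_REQUIRED = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


def _canon(addr):
    """Normalise textual addresses so 2001:DB8::22 and 2001:db8:0::22 match."""
    return str(ipaddress.ip_address(addr))


class StatefulFilter:
    """Deny-by-default stateful filter in front of one inside prefix.

    The flow table is exactly what a NAT keeps to map replies back; a NAT
    merely rewrites addresses on top of it, which adds nothing to the policy."""

    def __init__(self, inside_prefix, listeners=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        # Explicitly exposed services: (destination address, proto, port)
        self.listeners = {(_canon(a), p, port) for a, p, port in listeners}
        self.flows = set()   # (src, sport, dst, dport, proto) of accepted flows

    def _from_inside(self, pkt):
        return ipaddress.ip_address(pkt.src) in self.inside

    def handle(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating flow state."""
        if pkt.proto == "icmpv6":
            return "ACCEPT" if pkt.icmp_type in ICMPV6_REQUIRED else "DROP"
        src, dst = _canon(pkt.src), _canon(pkt.dst)
        flow = (src, pkt.sport, dst, pkt.dport, pkt.proto)
        reverse = (dst, pkt.dport, src, pkt.sport, pkt.proto)
        if self._from_inside(pkt):
            self.flows.add(flow)          # outbound: remember the flow
            return "ACCEPT"
        if reverse in self.flows:
            return "ACCEPT"               # reply to a flow the inside started
        if (dst, pkt.proto, pkt.dport) in self.listeners:
            self.flows.add(flow)          # a service we chose to expose
            return "ACCEPT"
        return "DROP"                     # unsolicited: what NAT also does


if __name__ == "__main__":
    fw = StatefulFilter("2001:db8:1::/64", listeners=[("2001:db8:1::22", "tcp", 22)])
    print(fw.handle(Packet("2001:db8:2::1", "2001:db8:1::10", "tcp", 40000, 22)))  # DROP
    print(fw.handle(Packet("2001:db8:2::1", "2001:db8:1::22", "tcp", 40000, 22)))  # ACCEPT
    print(fw.handle(Packet("2001:db8:1::10", "2001:db8:2::1", "tcp", 50000, 443))) # ACCEPT
    print(fw.handle(Packet("2001:db8:2::1", "2001:db8:1::10", "tcp", 443, 50000))) # ACCEPT
    print(fw.handle(Packet("2001:db8:2::1", "2001:db8:1::10", "icmpv6", icmp_type=2)))  # ACCEPT
```

A real implementation (nftables, pf, a vendor firewall) also ages flows out and tracks TCP state transitions; this model deliberately keeps only the part relevant to the argument, namely that "unsolicited inbound is dropped" is a firewall property, not a NAT property.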
There are all sorts of IPv6->IPv4 proxies available. Virtually every load-balancing appliance and proxy software project with any IPv6 support provides such capabilities. All you need to make your IPv6-only internal network compatible with an IPv4-only website, or vice versa, is a copy of squid. Plus no one is suggesting that IPv4 should be shut off immediately when you enable IPv6. Depending on your environment that may make sense, but generally speaking dual-stack configurations are likely to be around for a while, at least on publicly-accessible hosts.
And I'm still not sure what so many people want to do with DHCPv6. Router announcements and default DNS servers cover a very significant portion of DHCP uses under IPv4. There are some things that need additional configuration -- any sort of netboot arrangement for example, probably needs additional configuration data -- but those are all specialized applications, and given self-configured IP networking, quite easy to do without DHCP or at least without DHCP-based address assignment (i.e. just use DHCP for configuration of the non-IP-network parameters). And I have no idea what you mean by "buggy or exploitable" -- both IPv6 stateless autoconfig and DHCPv4 can be disrupted or hijacked by any host on the same broadcast segment, and even at that IPv6 has better recovery modes because the refresh interval is typically orders of magnitude shorter.
It does not give you privacy. Assuming it does, now *insert evil entity here* only knows that occurrence X happened on your network, not on your computer. For all practical purposes, even IF NAT worked as a "privacy shield", you're still on the hook for whatever you did.
Knowledge of the network is often just as useful as knowledge of the machine behind it.
By the way, the "uh ... OK" in my reply is mine. For some reason the editor decided to join it to your quote. Sorry about that.
But while I'm on a roll, let's see: hmm, umm ... My Dial Global satellite receiver uses both DNS and DHCP. It's IPv4-only, too. My Westwood One "Max" receiver, my XDS-Pro receiver and my Comstream (used for corporate feeds) are IPv4-only. The first two use DNS and obtain their address by DHCP by default. The Comstream was designed before gravity and dirt, so it's merely IPv4-only.
At my transmitter sites, there are racks containing remote controls, HD Radio exciters and other equipment that are IPv4-only. These use both DNS and DHCP by default, because vendor's Websites might change addresses and they automatically log in to receive updates and scheduling info.
How many more "edge" cases do you want? :)
You have obviously never had to build site-to-site VPNs to other customers/departments. It completely loses any argument about 'private addresses that can't be reached' and in fact, makes it much, much worse.
Source and destination NATing on an IPSEC vpn is a royal pain in the ass, but is necessary, because people seem to think NAT is a security feature, so they run their company on the same 10.10.x.x or 192.168.1.x subnet as everyone else.
btw, how on earth do you use NAT without relying on a stateful firewall for your security? Isn't that a requirement to do NAT? do you scan and deny all outgoing traffic by default?
What are we going to do tonight Brain?
Hush, you are getting in the way of the Apple hate! If people realized that the 6.0 utility was a rewrite with many features still in development, only containing the most commonly used ones, and released at the same time as the 5.6 utility so that people who do use those configuration features still can... well, that would get in the way of the "Apple sheeple are destroying our internet!" narrative.
In an interview one of the designers of IPv6 admitted that they should have made it backwards compatible. Hindsight being 20/20 and all that.
... it depends (the issues there being more human than technical).
The impression I get (since I'm part of the group that runs the network for a major southeastern university) is that everyone should be running dual-stack for a while. Any infrastructure equipment you get that runs v6 should also be able to run v4 fairly easily. Any time we upgrade all the equipment in a building, or put in a new building, the addressing for the switches gets done via IPv6. For a majority of desktops, dual stack is available. For servers
But we have the money available to us to have IPv6 capable equipment. At home, FiOS has yet to provide me anything that provides IPv6 connectivity natively (ignoring tunneling). From what I've read recently, say what you will about Comcast, at least they're deploying it.
The impression I get from your post is that you have equipment (both infrastructure and otherwise) that's more than 10 years old. I feel for you; we do, too. To a large extent, I'm not so sure you want an OS that old to have any kind of Internet access anyway. From a "It makes me feel good" stand-point, it would be nice if there were an easily implemented v4-v6 translation method available, but there just isn't.
So, what am I trying to say? Well, I've never talked to the "IPv6 crowd," but I don't doubt that they can be obsessive. But need to maintain an internal IPv4 network? Oh my, that can't be that hard. IPv4 isn't going away any time soon, and I seriously doubt there's anything out there on the services side (i.e., a website) that you couldn't easily get to via IPv4 (unless it's an IPv6 proof of concept site).
It's going to be outside-in. Until all the major providers of home internet are providing at least a majority of their customer base IPv6 access, it's not going to be that big a deal. And even after they're doing that, you've got to assume that they'll be dual-stacking it, too. At least for a while.
I talk about stuff.
Far more additional complexity.
A) You need an extra length field to specify the length in bytes so it doesn't accidentally start reading other data as part of the IP address.
B) Makes routing more difficult. You can use bitmasks and so on to help with routing when it is in binary form. You'd need to expand everything to the binary form anyway.
C) The vast majority of packets would be drastically larger. E.g. IPv4 IPs are 32 bits long in a packet. 4 bytes. 255.255.255.255 is a whopping 15 bytes. Multiply that for a 128 bit (only 16 bytes) address.
D) In some instances, IPv6 addresses are based on MAC addresses. No 'compression' there.
existing solutions work just fine with ipv4.
Really? Because I had to renumber my home network because I happened to conflict with one of my employers non-routable networks. I had established a peer VPN with an associate, but he had to renumber his network to do it. There are numerous departments I have had to deal with, but I can't connect to all their VPNs at the same time. Why? Because half of them used 10.0.0.0/8 as 'their' network.
I don't believe, for a second, that all addresses in companies or homes need to be public addresses!
Even if you believe that, ULA in IPv6 is really quite nice. Instead of conflicting with everyone using 10.0.0.0/8 because everyone likes having a fake class A, I have a 1 in 1^40 chance of conflicting with private addresses.
I don't WANT my address to be easily and directly reachable.
Everyone knows the address of the white house. That does not mean a gunman can walk through the front door just because he knows where to find it. Firewalling rules are still viable even if you aren't NATing.
XML is like violence. If it doesn't solve the problem, use more.
The only "security" NAT provides is *exactly* the same as a stateful firewall.
As much as I agree with the sentiment, I will play devil's advocate for a moment. In an ideal world they are 100% equivalent. However, I think security people may consider NAT to be more 'failsafe'. If a NAT fails to apply its capabilities correctly, you have an outage and a problem, but it failed in a way that more likely than not still doesn't let foreign traffic in. For a stateful firewall, a failure is more equally likely to cause unwanted traffic to flow. Or, if being more pessimistic, cheap home routers stop bothering to set up rules as they aren't needed and naive consumers don't care.
And I'm still not sure what so many people want to do with DHCPv6
At the very least life is a bit more straightforward/familiar. I know a lot of people are content with RA for routing and mDNS for service discovery. Sometimes people like managing the address space a little differently. Having things more predictive and centralized also opens up the opportunity for things like trust relationships with DHCP servers in a way that's a bit more manageable than analogous measures to mDNS. Also, RA by itself doesn't lend itself well for a non-routable network (I have networks with no current 'router' I'm DHCP managing with ULA, optimistically assuming I might get connected to other islands one day and not have to fret the nightmare of private address conflicts). I will add to your point that IPv6 has another nice characteristic. If your legitimate network management tracks the LLA, even if rogue DHCPv6/RA disrupts things, you actually have a shot at remotely recovering systems through their LLA.
I think one of the biggest enemies of IPv6 adoption has been the attitudes of some of the architects behind it. You don't have to look far in various IETF mailing lists or similar places to see people making an earnest effort to adopt IPv6, but hitting roadblocks. They very specifically identify their problem and identify some behavior that could be brought forward from IPv4 to make their lives easier, and architects will rebuff them thoroughly. The most blatant example to come to mind is the refusal to put 'chaddr' from BOOTP into DHCPv6, or if it were even allowed as an option insist that it *must* not be used the way it was in BOOTP/DHCP. I'm content with client identifiers instead of interface identifiers and in fact my life is actually easier that way (well, after RFC 6355 at least). However some people have legitimate need and even among those that could change their thinking if they tried hard enough, why should they bother? The reason against chaddr seems more 'religious' than anything, which is a bad point to be stubborn on in the face of overwhelming demand.
XML is like violence. If it doesn't solve the problem, use more.
Just because a host is not directly addressable does not mean it should not be able to actually communicate with hosts outside. But I certainly don't want it to be "visible" or known.
Just like I don't want anyone to be able to tell by looking at my home from the outside what brand of refrigerator I have or what's in my stove or dishwasher (even though they are connected to public utilities too), I don't want anyone to be able to (easily, at least) tell what network-connected devices I am using in my home. It's a basic tenet of privacy and security. Providing any type of unique per-device addressing defies this objective.
Think of it in terms of real world addresses. My house has one, but not each bedroom or item of furnishing. They are "things within the house" and the only way someone gets to talk to them is by mailing a letter to "Attn. : Commode, John Doe, 123 Main st, New York, NY 10001".
The only "security" NAT provides is *exactly* the same as a stateful firewall. No more, no less. It makes no sense to talk about NAT providing some different kind or amount of security than a stateful firewall.
Um, no. A NAT hides the internal network topology from the outside, and won't uniquely identify a client to an outside server.
The remote end of the socket has no business knowing whether it's the same device that connects for two separate sockets. Ad revenue based companies like Google and Facebook as well as *AA and DHS will rejoice over the possibilities this will give them. That is a security concern whether or not you are willing to see it.
Don't know why the header doesn't specify the address in the same way that UTF-8 specifies numbers.
Because with fixed-length address fields, I can implement routing with NAND gates.
Dewey, what part of this looks like authorities should be involved?
I guess the same can be said for the people that hate Apple. Why would someone that has absolutely no interest in a subject feel so compelled to click the article, read it along with all the comments (so they can pick out just the right one to respond to) and then spread the hate. I really don't like eggplant but I can't remember the last time I trolled an eggplant forum.
I don't think Apple is that retarded...
I'm sure I'll be modded flamebait for this, but I take it you don't have much dealing with Apple products in a support capacity. They can be pretty retarded. Little things like:
* Improper grounding on wifi cards in the macbook air
* Driver/kernel integration with DHCP
* Signed binaries becoming corrupt requiring a full reinstall (or similar)
* Removing features and adding steps to perform basic tasks while calling it 'streamlining'
* Removing compatibility for no apparent reason (eg. samba removal)
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Apple actually does ipv6 right. I run ipv6 at home, and all of my OSX systems handle it flawlessly. Win7 requires me to kill ipv6, because there's no good way to tell the system to prefer ipv6. It ALWAYS tries to do lookups via ipv6 first. I've tried all the registry hacks and I've yet to get it to change that behavior. Because of that, queries always fail, and shit randomly breaks. This is the *wrong way* MS. Let me easily set priority of v4 vs. v6.
The problem with Apple is the oversimplification shit has gone too far on this one. They wanted airport utility to match the iphone utility, and the iphone utility is completely crippled. They should've found a way to increase functionality in the iphone app instead of removing it from the standalone.
Thanks for the reply. However, what you described appears to be effectively identical to basic NAT inasmuch as it provides address translation/rewriting behind a router and serves as an abstraction layer between external & internal IPs.
Have I merely misunderstood the semantics in the v6 NAT debate?
Actually it's this kind of stupidity that has always had me hating IPV6. Frankly they should have included backwards compatibility with IPV4 private networks because who in the hell is EVER gonna have more devices than a class A private address can provide?
Which brings us to the second stupid ass move with IPV6: the removal of NAT. That was stupid because it relies on what I call "Star Trek thinking" where they only see the bright side of life, never the dark. Engineer: "With IPV6 you'll have so many addresses you won't NEED NAT so everything can just be online!" Me: What about those of us who don't want to have everything online ALL the time, but don't want to switch back and forth between private and public addresses? What about the security risk as now I'll have to worry about the possibility of security weaknesses in every damned device like TVs, game machines, PMPs, etc? Engineer: "-------". Whether you love it or hate it you have to admit NAT WORKS, it makes it a hell of a lot harder to target an individual device on a network.
NAT is a retarded way of being online, always intended as a temporary solution and forced due to the shortage of IP addresses. If you don't want certain things to be on the internet, then simply assign them private addresses, but not public ones. In IPv6, any device can have multiple IP addresses, but that doesn't mean that they have to. If you don't want a device, such as your console, to be online, simply disconnect it from the external network - say if you want your kids to play w/ each other within the LAN, but not connect w/ someone in Moscow or Seoul playing the same game. There is no reason why the protocol has to be crippled in order to accommodate it.
If the console needs to be online, just let it fetch a public IP address (one of the 2^64 addresses on your link), and directly connect online. Worried about security? Just set up your firewall accordingly, and you then determine what traffic is allowed and what ain't. If you don't want your console to be online, but just want to connect to the other consoles, PCs and netbooks in the house, assign a private (i.e. link local) address to the toy, and be done w/ it. But there is no reason that the private network needs to be the vehicle to connect to the public network - it's like one is currently using a bicycle to get to BART, and taking the train from that point, and later, when one gets a car, complaining that there isn't the capability to use the bike to get to the car.
But Apple has probably figured out what I could have told them years ago, that without backwards compatibility getting IPV4 and IPV6 to play nice is a giant PITA. Because so few use it either you default to IPV4 in which case you are just dragging around IPV6 for nothing, or you default to IPV6 in which case you have to wait for it to time out before switching to IPV4 which just slows every damned thing down. why they couldn't have encapsulated the IPV4 address INSIDE the IPV6 so that one could simply use IPV6 is anyone's guess but I bet Apple has done some surveys and found nobody is using the thing and it makes things more of a PITA. Considering Apple's "It just works" mantra making something a bigger PITA simply isn't on the agenda so no wonder they are scaling back support.
My guess is that Apple has just - probably for the time being - disabled the IPv6 configuration, since it just confuses people who don't know whether to use it, and how. They'd be really stupid if their long term plan was to not support IPv6 at all.
BTW everyone here should pray that IPV4 lasts as long as possible because when the switch is flipped? May God have mercy upon your data packets because frankly the flyover states is gonna be fucked. The corps have royally screwed IT for so long when it comes to pay and hours most of the older guys rather than deal with the massive headaches that IPV6 will bring are just quietly getting other jobs and because aga
For an internal network, what would be ideal would be what's called site unique addresses (fc00::/10), whereby every node in the world has a unique, non-routable address. AFAIK, It's never been implemented and the IETF also proposed a site local address (fd00::/10) where the global uniqueness wasn't required. But this is certainly a better solution than public IPv6 addresses - why would one give one's office network printer its own IPv6 address, when the only people authorized to use it are company employees?
The idea of a VPN is to connect 2 (or more) LANs so that it acts as 1 LAN - something doable using the above IPv6 address scopes. It's a PITA in IPv4, since a lot of groups do use 192.168.x.x, and chances of overlap are high to begin w/. W/ IPv6, chances are that nobody has overlapping IPv6 addresses, which makes networking them w/o using a higher layer to resolve any similarities that much easier.
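The "1 in 2^40" collision odds and the unique-local prefixes discussed in the two posts above come from RFC 4193, where a locally assigned /48 under fd00::/8 (the L=1 half of fc00::/7) carries a 40-bit Global ID derived by hashing an NTP timestamp with an EUI-64. The following is an added example, not code from any commenter: it implements that derivation, checks ULA membership, flags the overlapping-prefix problem that breaks site-to-site VPNs, and computes the birthday-bound collision probability for a given number of independently numbered sites; the MAC address used is a constructed sample.

```python
import hashlib
import ipaddress
import math
import struct
import time

ULA_SPACE = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local address space
GLOBAL_ID_BITS = 40

def ntp_timestamp():
    """Current time as a 64-bit NTP timestamp (seconds since 1900 << 32 | fraction)."""
    now = time.time()
    secs = int(now) + 2208988800                # offset between 1900 and 1970 epochs
    frac = int((now - int(now)) * (1 << 32))
    return (secs << 32) | frac

def eui64_from_mac(mac48):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291): insert ff:fe, flip the U/L bit."""
    oui, ext = mac48 >> 24, mac48 & 0xFFFFFF
    eui = (((oui << 16) | 0xFFFE) << 24) | ext
    return eui ^ (1 << 57)                      # U/L bit is bit 1 of the first octet

def ula_global_id(mac48, ntp_time):
    """RFC 4193 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low 40 bits."""
    key = struct.pack(">QQ", ntp_time, eui64_from_mac(mac48))
    return int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")

def ula_prefix(mac48, ntp_time=None):
    """Locally assigned /48: fd | 40-bit Global ID | 16-bit subnet field (zero)."""
    if ntp_time is None:
        ntp_time = ntp_timestamp()
    gid = ula_global_id(mac48, ntp_time)
    return ipaddress.IPv6Network(((0xFD << 120) | (gid << 80), 48))

def is_ula(addr):
    """True for any address inside fc00::/7."""
    return ipaddress.ip_address(addr) in ULA_SPACE

def prefixes_overlap(a, b):
    """The VPN problem: two sites that both picked 10.0.0.0/8 cannot be joined."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))

def collision_probability(sites, bits=GLOBAL_ID_BITS):
    """Birthday bound: chance that at least two of `sites` Global IDs coincide."""
    return -math.expm1(-sites * (sites - 1) / (2.0 * (1 << bits)))

if __name__ == "__main__":
    sample_mac = 0x001122334455                 # constructed sample MAC, not a real device
    print("ULA prefix:", ula_prefix(sample_mac))
    print("two sites colliding:", collision_probability(2))
    print("a million sites, any collision:", collision_probability(10**6))
```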
Actually the airport express is a wireless AP, which can and is designed to act as a router.
The airport extreme is a wireless router with some modem functionality, it can also act as a wireless AP.
Both of these have DHCP and print/file sharing servers.