Slashdot Mirror


World IPv6 Launch Day Underway

A number of readers have written in with stories related to today's permanent rollout of IPv6 by several major organizations. From the looks of it, for the 1% or so of end users with IPv6 support, everything is going smoothly. For those not so lucky to have IPv6 already, an anonymous reader writes with (mostly) good news: 60% of ISPs intend to enable IPv6 by the end of 2012. For business users, darthcamaro provides some words of caution: "...the Chief Security Officer of VeriSign doesn't think IPv6 should be turned on by a whole lot of people. The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed. 'If you don't have that visibility into IPv6, you should probably consider explicitly disabling IPv6 on your systems until you can take a very concerted approach to enabling IPv6 in a secure manner,' McPherson said."

236 comments

  1. Verisign != Verisign by tepples · · Score: 5, Informative

    This is Verisign the operator of the .com and .net registry, not the other Verisign the certificate racket. The CA business was sold to Symantec in August of 2010. So don't mix this up with the recent news about the $99 fee to get your signed with the UEFI key that will be preloaded on every Windows 8-certified PC motherboard; that's all VeriNorton.

    1. Re:Verisign != Verisign by Anonymous Coward · · Score: 0

      Aren't both of them evil anyway?

    2. Re:Verisign != Verisign by Anonymous Coward · · Score: 0

      Ah, so, instead of the one behind the certificate racket, this is the one behind the .com/.net registry racket. Good, good, that... really makes a difference and clears up a lot of just how evil they are.

  2. slashdot? by pe1rxq · · Score: 5, Insightful

    So when is slashdot going to leave the dark ages?

    --
    Secure messaging: http://quickmsg.vreeken.net/
    1. Re:slashdot? by Anonymous Coward · · Score: 5, Funny

      Pff, first you want unicode support and now this.

    2. Re:slashdot? by oodaloop · · Score: 5, Funny

      I read that as unicorns at first, and I thought, "No, I just want ponies!"

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:slashdot? by osu-neko · · Score: 1

      Pff, first you want unicode support and now this.

      Touché...

      --
      "Convictions are more dangerous enemies of truth than lies."
    4. Re:slashdot? by Gori · · Score: 1

      According to http://ip6.nl/#!slashdot.org it scores 1/5 stars, and calmly states that "slashdot.org isn't quite ready for IPv6 yet."

      --
      Complexity is a measure of our ignorance...
    5. Re:slashdot? by six · · Score: 1

      Apparently not today.

      Checking for AAAA DNS record
      no AAAA record

    6. Re:slashdot? by grouchomarxist · · Score: 1

      According to that site http://ip6.nl/#!google.com only gets 2/5 stars, and they are one of the sponsors of this effort.

    7. Re:slashdot? by DMUTPeregrine · · Score: 1

      We had that. It was very pink.

      --
      Not a sentence!
  3. I am the 1% by Galestar · · Score: 4, Funny

    With IPv6 support

    --
    AccountKiller
    1. Re:I am the 1% by Anonymous Coward · · Score: 0

      Anonymous Coward likes this.

    2. Re:I am the 1% by pe1rxq · · Score: 1, Informative

      No you are not... at most you are the 0.5% with IPv6, I have it too!

      --
      Secure messaging: http://quickmsg.vreeken.net/
    3. Re:I am the 1% by Creepy · · Score: 1

      My internal network supports IPv6 (at least the machines routed through the switch, since the 4 ethernets in the router is 8 too few for my network), but I have to wait for CenturyLink to replace the old Qwest PPPoE infrastructure to support it on my web server outside the router. I'm not holding my breath. Yeah, I could switch providers, but I live in one of the unmotivated Comcast-CenturyLink areas that is formerly Qwest where lack of competition results in no motivation to upgrade services. This is common in nearly all Comcast-Qwest space - Seattle was even building a wifi network to work around it (note: it was shut down today for budgetary reasons) and several cities I live near also have built wifi networks to work around it, but I am not in one of these (about 2 miles outside one). I could get the recently offered WiMax from Clear, but their reputation is worse than Comcast. Comcast has built some increased network, but their surcharge for not bundling pay TV keeps me away (my personal belief is that bundling services all owned by the same company for a reduced price should be illegal).

    4. Re:I am the 1% by Anonymous Coward · · Score: 0

      Centurylink provides IPv6 6rd in Seattle (at least in Fremont/Wallingford). Technically, they only support 6rd on their Actiontec Q1000. I switched my Centurylink Actiontec PK5000 to transparent bridging mode, and am using my Dlink Dir-655 for the actual 6rd and other routing goodness. Google thinks I'm in Denver now, rather than Seattle. On my "12 Mbps" link, speedtest shows about 10 actual Mbps on IPv4 and about 5 actual Mbps on IPv6. DNS lookups appear to be a little slower. I don't know if I'll keep 6rd turned on, but it's kind of interesting to trifle with. YMMV

    5. Re:I am the 1% by Anonymous Coward · · Score: 0

      I actually found out the other day that CenturyLink supports IPv6 tunneled over 6rd with their newer modems (or, if you have an older modem, like me, you put it in bridge mode and let the 3rd-party router do the PPP and 6rd). I found the prefix settings and tunnel endpoint IP buried on their website behind the help for static IPs.

    6. Re:I am the 1% by syzler · · Score: 1

      You could use a free IPv6 brokering service such as Hurricane Electric or SixXS to provide IPv6 network access to your home network. I'm currently using Hurricane Electric tunnel brokering service with an Airport base station connected to DSL. It works well for browsing IPv6 sites and connecting to my Linode servers. In addition the servers at home are now available via IPv6 to the public Internet.

  4. Re:It will be a pain in the ass to remember... by pe1rxq · · Score: 5, Informative

    Google for this thing called 'DNS' it has been around for a while....

    --
    Secure messaging: http://quickmsg.vreeken.net/
  5. Re:It will be a pain in the ass to remember... by i+kan+reed · · Score: 5, Funny

    Humans have different needs than computers. It's almost like we need a table of easy to remember names that can be used to look up IP addresses automatically by a computer. Then that table needs to be distributed automatically to all the ISPs in the world. That'll never happen. Sounds impossible.

  6. Re:It will be a pain in the ass to remember... by bersl2 · · Score: 2

    DNS, or even a hosts file if you must

    Also, the hex makes it easier to make words in statically-assigned addresses.

  7. so what is ipv6 good for? by alen · · Score: 2, Interesting

    other than having every single device have a unique public IP that is a wet dream for google and other marketers?

    1. Re:so what is ipv6 good for? by pe1rxq · · Score: 5, Interesting

      Peer to peer (the way connections were intended) actually works without strange workarounds.

      --
      Secure messaging: http://quickmsg.vreeken.net/
    2. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 1

      It allows every single device have a unique public IP that is a wet dream for anyone wanting to do P2P communication. Plus, ever try to set up a web or SSH server behind a carrier-grade NAT?

    3. Re:so what is ipv6 good for? by gman003 · · Score: 4, Insightful

      Well, no more fiddling with port forwarding to make game servers, video chat or anything else work. No more dealing with public/private IPs, or the whole NAT shitpile.

      Oh, and it also makes mandatory certain things like IPsec, and should speed up packet processing by eliminating fragment reassembly (which was also, historically, a common source for security exploits).

      Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*. So anyone trying to track visitors based off IPv6 address will be easily fooled by anyone who tries.

    4. Re:so what is ipv6 good for? by gstoddart · · Score: 5, Insightful

      No more dealing with public/private IPs, or the whole NAT shitpile.

      And yet I predict internally companies will still use public/private IPs (10.x.x.x anyone?) and use NAT. My internal private network will continue to use a NAT'ed firewall.

      I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

      Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*.

      Which just sounds like more admin work that people won't want to do.

      I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate. And I can also see a huge amount of consumer type stuff taking years before it has transitioned. IPv4 isn't going to go away overnight.

      --
      Lost at C:>. Found at C.
    5. Re:so what is ipv6 good for? by DarkOx · · Score: 5, Interesting

      Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP.

      You and the grand parent are missing the obvious outcome.

      For the most part home users are going to end up with /64s; some ISPs might be generous and hand out something bigger, but I suspect most will decide not to do so in the end.

      Does that mean you can put 1, 50, 100, 1000, 10000 addresses on a device? Sure, but the network portion of the addresses will be the same. That network address is going to uniquely identify your household just like your full IPv4 address does today. Marketers will just assume that each /64 subnet is unique to a user or household, just like they assume one IPv4 address is an entire household behind NAT.

      It changes little to nothing with regard to trackability.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:so what is ipv6 good for? by DarkOx · · Score: 4, Interesting

      I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

      Addressable and reachable are two different things. I'd love to lose all the NATs around here.

      One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

      Honestly it will make the firewalling and routing much more straightforward, easier to quickly understand the impact of changes on and therefore far more secure.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:so what is ipv6 good for? by Dagger2 · · Score: 1

      Privacy addresses?

      I mentioned them to you when you last posted that. Do you not read the replies to your own posts?

    8. Re:so what is ipv6 good for? by unixisc · · Score: 2

      The first part - there will still be a need for private addresses, not for NAT, but for people who need to communicate within LANs, not the entire Internet. They'll do fine w/ link-local addresses, or as you say, be dual-stacked - be IPv4 in the inside, and IPv6 on the outside.

      The multiple IP thing doesn't have to imply admin work. While people can set up DHCP6 configurations to assign certain addresses to certain computers, vary them and so on, what it means is that when a device is on a foreign network, it can easily get assigned, using autoconfiguration, a temporary but public IP address that will enable it to be as well connected as it was at home. It's not that straightforward when it's going from behind one NAT network to another, b'cos there exists the possibility of it running into an address collision w/ say, another 192.168.0.23

    9. Re:so what is ipv6 good for? by gstoddart · · Score: 1

      One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

      To me it seems more like you'd be leaking information out by letting that address be visible to the outside world.

      If they don't have any information about your internal stuff, they can't try to figure out how to exploit it.

      I can definitely see a lot of organizations deciding to see how this works out for everybody else. Changing to new technology always seems to expose some gaps people haven't really thought through.

      And, on the consumer end, the overwhelming majority of home networks using a router/firewall will do nothing at all.

      --
      Lost at C:>. Found at C.
    10. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      Look up ULA addresses. You're going to love them.

    11. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      Look up IPv6 privacy extensions.

      Also, realize that corporate environments are probably going to push you through an HTTP proxy server...which will then appear to be the origination point for traffic. Your workstations don't need to be exposed.

    12. Re:so what is ipv6 good for? by gstoddart · · Score: 1

      It's not that straightforward when it's going from behind one NAT network to another, b'cos there exists the possibility of it running into an address collision w/ say, another 192.168.0.23

      I definitely agree with that.

      Years ago at another job someone needed more network drops in his office than were physically available. So, he bought himself a little firewall/router to use, and it defaulted to the 192.168 block.

      Apparently he caused a collision with one of the really important servers and caused an outage (and an outrage).

      Needless to say, that caused the need for a new policy that said "under no circumstances may you plug one of those into our network". :-P

      --
      Lost at C:>. Found at C.
    13. Re:so what is ipv6 good for? by unixisc · · Score: 1

      Except that when one has to track, one would have to either target the complete 8 word IPv6 address, or take the 4 word address and do a scan. If they tried doing a multicast to every node on the network (since broadcasts are no longer there on IPv6), their own system would grind to a standstill. And if they tried scanning the entire subnet of 2^64, it'd take them forever.

      Also, that would be quite an assumption on their part. While households that have multiple devices may want an IPv6 link, those that have just one computer that they're interested in connecting would be fine w/ any ISP that just connects a group of its customers to a single link. And if they use autoconfiguration w/ privacy extensions, or if the ISP uses DHCP6 to assign the addresses, good luck finding out which addresses are in use. They'd be getting a 99.999999999% chance of destination not reachable.

    14. Re:so what is ipv6 good for? by DarkOx · · Score: 3, Interesting

      You are not leaking much information of any real use.

      Your routing tables beneath your gateways won't be visible to anyone outside. So they won't learn anything about your network topology.

      If as I suggested you proxy everything, something you should do in a secure environment because you need to know everything that is going in and out, they won't see the address anyway! So they won't know you are using public IPs or not.

      Even if you do leak that your internal addressing scheme is to use the public IPs without knowing the topology, and your company having at least a /48 it tells them exactly nothing about how to locate hosts. Think about it: a /48 is still many orders of magnitude larger than the entire RFC1918 space today. It's too big to SYN scan if they have pwnd your gateway, and they can assume you are using RFC1918 addresses currently, not too big to SYN scan.

      So even if you don't NAT they still know LESS about your network than they do on IPv4.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    15. Re:so what is ipv6 good for? by DigiShaman · · Score: 1

      Won't this cause more traffic for ISPs, or will it make transfer more efficient for their network? The answer will have huge implications for adoption.

      As someone that knows very little of IPv6 (I don't work with) other than the basic concept, someone please enlighten me.

      --
      Life is not for the lazy.
    16. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      ULA addresses are good for having 'private' address ranges. Don't rely on link-local. As sexy as it sounds, a lot of tools (especially browsers) don't handle them well; they get hung up on the concept that an IP address may be valid only when combined with an interface.

    17. Re:so what is ipv6 good for? by DarkOx · · Score: 2

      They don't need to 'scan' anything to track you for marketing purposes; they just log where the requests are coming from. When they process their logs they simply only look at the first 64 bits of any IPv6 address, and then enhance the reliability of the correlation that it's the person/device using the same tricks they use now, also including the user agent string, cookies, referrers, date times, etc.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
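
Added example (not part of the original thread or any poster's code): a Python sketch of the log-side bucketing that comment 17 describes, useful for checking how much rotating the interface identifier hides on your own network. The log lines are constructed from documentation prefixes, and the function names `tracking_key`, `is_eui64` and `summarize` are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed access-log lines (documentation prefixes 2001:db8::/32, 192.0.2.0/24).
# The first three clients sit in one /64 with different interface identifiers,
# as a host rotating temporary (privacy) addresses would.
SAMPLE_LOG = """\
2001:db8:1:a:1c3f:9b2e:77aa:0001 - - [06/Jun/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1:a:e4d1:02bc:5a10:93f7 - - [07/Jun/2012:09:12:44 +0000] "GET /a HTTP/1.1" 200 128
2001:db8:1:a:0219:d1ff:fe2a:4b3c - - [07/Jun/2012:09:13:02 +0000] "GET /b HTTP/1.1" 200 64
2001:db8:2:ff00::25 - - [07/Jun/2012:11:30:00 +0000] "GET / HTTP/1.1" 200 512
192.0.2.77 - - [07/Jun/2012:12:00:00 +0000] "GET / HTTP/1.1" 200 512
not-an-address - - [07/Jun/2012:12:00:01 +0000] "GET / HTTP/1.1" 400 0
"""


def tracking_key(client):
    """Return the bucket a log processor would file this client under.

    IPv6 clients collapse to their /64; IPv4 clients keep the full address.
    Returns None when the field is not an IP address.
    """
    try:
        ip = ipaddress.ip_address(client.split("%", 1)[0])  # drop any zone id
    except ValueError:
        return None
    if ip.version == 4:
        return str(ip)
    if ip.ipv4_mapped is not None:  # ::ffff:a.b.c.d is really an IPv4 client
        return str(ip.ipv4_mapped)
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))


def is_eui64(client):
    """Heuristic: True if the interface identifier has the ff:fe filler of a
    MAC-derived (modified EUI-64) address, i.e. it is not a temporary address."""
    ip = ipaddress.ip_address(client)
    return ip.version == 6 and ip.packed[11:13] == b"\xff\xfe"


def summarize(log_text):
    """Group the client field of each log line by tracking key.

    Returns (buckets, skipped): buckets maps key -> set of raw client strings,
    skipped counts lines whose first field is not an address.
    """
    buckets = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(None, 1)[0]
        key = tracking_key(client)
        if key is None:
            skipped += 1
            continue
        buckets[key].add(client)
    return dict(buckets), skipped


if __name__ == "__main__":
    buckets, skipped = summarize(SAMPLE_LOG)
    for key, clients in sorted(buckets.items()):
        stable = sorted(c for c in clients if ":" in c and is_eui64(c))
        print(f"{key}: {len(clients)} address(es), MAC-derived: {stable}")
    print(f"skipped lines: {skipped}")
```

Three distinct IPv6 source addresses fall into a single bucket here, so address rotation alone does not separate them; the MAC-derived address additionally stays stable across networks.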
    18. Re:so what is ipv6 good for? by nine-times · · Score: 1

      People won't necessarily switch over to IPv6 for their internal networks right away, since it can be a pain to reconfigure your network. However, there's not really much reason to continue using NAT if there's enough IP addresses to go around.

    19. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0

      Having multiple IP addresses on 1 interface is part of the standard.

      Heck every IPv6 device, at a minimum is supposed to support a local-link and an internet address at the same time.

    20. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

      I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

      • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
      • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerability my wireless network gives me. I'll be able to do even better once I split off to two SSIDs, one for guests and one for trusted users; guests wouldn't get access to any of the rest of the network.

      Heck, multi-SSID behaviors with varying trust levels are finding their way into consumer routers already (while I'm wardriving, I see a lot of -guest networks coming from residences...even a very non-technical friend of mine has a -guest network that came up by default with their consumer router.), but that can't work if the routers don't have enough address space to work with.

    21. Re:so what is ipv6 good for? by hjf · · Score: 1

      policies. LOL. 802.1x is what you need.

    22. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0

      And everyone that wants to track someone downloading something that's not allowed.
      They can no longer hide behind "someone else used my IP address", because they now can track down to the device used for downloading itself.
      Great huh?

    23. Re:so what is ipv6 good for? by nine-times · · Score: 1

      Well, you won't need to pay ridiculous fees in order to get a static IP address.

      Just to give one example, right now, if I want to be able to SSH directly into the computers on my network from the Internet, it's a pain. I have to pay $100/month extra to upgrade to my ISP's business account to get even 1 static IP address, and getting multiple can be expensive/difficult. I can use a dynamic DNS service instead, which depending on the service might be expensive or unreliable-- just another thing that can go wrong.

      But even if I have a single static IP or a dynamic DNS service, I then have to set up port forwarding on my firewall to redirect different ports to different machines, and keep track of which port goes where, or else SSH into one internal server and then SSH from that server to others.

      Give everything a unique IP, and I just have to open the ports on my firewall.

      Besides, I'm under the impression that IPv6 has more features than just "unique IP addresses for everything" (and preventing us from running out of available IPs). I'm not a super-technical expert, but I thought there were also technical improvements in security and routing.

    24. Re:so what is ipv6 good for? by HappyPsycho · · Score: 2

      I'll point out the major reason, we have kinda run out of IPv4 addresses. Not fun when you sign up for new link from your ISP and the response is "Here's your link but we have no ips for you to use it with".

      Reason enough? All the other stuff are (useful) side-effects.

      As to the security implications, that's the job of a firewall, of which NAT is just a dumb (although stateful) version of.

    25. Re:so what is ipv6 good for? by tlhIngan · · Score: 4, Interesting

      Addressable and reachable are two different things. I'd love to lose all the NATs around here.

      One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

      In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

      It's still something to admin, and something that'll be a PITA to configure for gaming and what not, at which point people will just say "what does it get me?"

      Hell, assuming most people will have their IPv6 machines firewalled off (they'd go to Best Buy and pick off a Linksys "firewall router" for IPv6 to prevent their PCs from getting hacked) and they'd still be poking holes in it to run some game or other, the normal user would definitely start wondering why they bothered spending another $50 on a new router when their old one worked just fine.

      And marketers would love the trackability down to the PC level - sure there's the privacy IP thing, but it's defeated if there's a long-running IP connection still established (unless IPv6 has the ability to inform remote hosts that your IP was changing... which has some very interesting implications). Even so, it's usually a day's worth of tracking and a cookie can be used to bridge between days.

      Sure malware has a more difficult time scanning a larger range, but that just means scanning won't be an option. Not that it ever will be purely because firewalls or other things will prevent it from being useful in the first place. Instead they'll just adapt and figure out how to detect new IPs on a local LAN segment and proceed that way (or given the Windows majority, they'll use standard Windows browser techniques to discover).

      Between UPnP, ZeroConf (Bonjour) and other methods of discovery, malware will cope just fine.

    26. Re:so what is ipv6 good for? by asdf7890 · · Score: 5, Interesting

      Most companies will probably keep their internal network on IPv4.

      Which is fine. My IPv6 hosts don't need to care. Of course they'll eventually need to ensure that they have a reliable v4-to-v6 bridge setup either locally or at their ISP, but that will most likely be easier to set up than changing their whole network to IPv6 would be.

      There's no way they're going to want all of their machines with an internet addressable location.

      They won't any more than they do now. Public facing routers/firewalls will simply be set not to pass through any incoming connections unless otherwise instructed, just like IPv4 routers do. NAT is a red herring here - before NAT was common things worked fine much the same way as they will work under IPv6 (just with a much smaller address space) in that regard. Most big corporate networks control outgoing connections too (which an IPv4+NAT-only setup generally won't by default) so the one incoming default "block" rule is not going to be a significant amount of extra admin.

      I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate.

      Certainly some will, though not all that many in the near future. I suspect it will quickly become normal for new networks to be IPv6, and IPv4 will vanish that way rather than due to mass conversions.

      It may not be the case here or where you are but it is already getting to the point in some parts of the world that people will have to be IPv6 all the way as their ISPs have too few IPv4 addresses to hand out to the connecting modems. Said ISPs use some form of v6-to-v4 bridging so that IPv4-only servers will be contactable, but while your website will be fine not all protocols will work well through this arrangement. I don't know how common it is, but I know people who have been in Hotels out east where the provided network connections are IPv6 only (presumably with some 6-to-4 system in place so v4 only hosts can be contacted). IPv4 may not die any time soon, but that doesn't mean IPv6 use won't grow rapidly.

      The big win I see is for mobile devices like phones - it will make the job of large network providers for those devices easier.

      And I can also see a huge amount of consumer type stuff taking years before it has transitioned.

      Which is rather unfortunate as these devices are where one of the key IPv4 problems exist (Including phones as mentioned above).

      IPv4 isn't going to go away overnight.

      No, but IPv6 might grow very rapidly so you can't avoid interacting with it for long even if you stick with IPv4 internally.

    27. Re:so what is ipv6 good for? by unixisc · · Score: 1

      Aside from link local, there is site local and site unique addresses.

    28. Re:so what is ipv6 good for? by unixisc · · Score: 2

      People whose computers are Windows 7, rather than XP, will find that IPv6 is the default for internal networks, unless they choose to disable it for IPv4. And if they have a bunch of toys, all of which recognize IPv6, then some link local addresses will do just fine.

      NAT just segments a network, and forces a handover of packets before a destination has been reached. It's true that all devices don't need to be on the internet, just being in their LANs will do. In which case, giving them a link local address is sufficient. Not switching from IPv4 however has this danger that malware will be transmitted in IPv6 tunnels over IPv4, and unless the firewall recognizes IPv6, it will be easily penetrated.
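
Added example (not part of the original thread or any poster's code): a Python sketch of the visibility check that comment 28 and the story summary point at, flagging IPv4 packets that carry IPv6 inside so an IPv4-only inspection path does not pass them unseen. It goes slightly beyond the comment by also covering IPv6-in-UDP (Teredo, port 3544) next to IP protocol 41; the packets are constructed from documentation addresses, and `classify`, `tunnelled` and the builder helpers are names assumed for this illustration.

```python
import ipaddress
import struct

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41  # IPv6 carried directly in IPv4 (6in4, 6to4, 6rd)
TEREDO_PORT = 3544     # Teredo: IPv6 carried in UDP over IPv4


def _inner_ipv6(payload):
    """Return (src, dst) if payload starts with an IPv6 header, else None."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(payload[8:24])),
            str(ipaddress.IPv6Address(payload[24:40])))


def classify(packet):
    """Classify one raw IPv4 packet (bytes) by whether it tunnels IPv6."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"kind": "not-ipv4", "outer": None, "inner": None}
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return {"kind": "malformed", "outer": None, "inner": None}
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    outer = (str(ipaddress.IPv4Address(packet[12:16])),
             str(ipaddress.IPv4Address(packet[16:20])))
    # Only the first fragment carries the upper-layer header, so later
    # fragments are classified on the protocol field alone.
    payload = packet[ihl:] if frag_offset == 0 else b""
    if proto == PROTO_IPV6_ENCAP:
        return {"kind": "proto41", "outer": outer, "inner": _inner_ipv6(payload)}
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            # Port match is a heuristic; inner is None when no IPv6 header
            # directly follows the UDP header.
            return {"kind": "teredo", "outer": outer,
                    "inner": _inner_ipv6(payload[8:])}
    return {"kind": "plain-ipv4", "outer": outer, "inner": None}


def tunnelled(packets):
    """Return the classifications of packets that carry IPv6 inside IPv4."""
    results = (classify(p) for p in packets)
    return [r for r in results if r["kind"] in ("proto41", "teredo")]


# --- constructed sample traffic (checksums left at zero, not verified) ---
def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def _ipv6(src, dst):
    # Version 6, no payload, next header 59 (no next header), hop limit 64.
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = [
    _ipv4(PROTO_IPV6_ENCAP, "192.0.2.10", "198.51.100.1",
          _ipv6("2001:db8:1:a::10", "2001:db8:ffff::1")),
    _ipv4(PROTO_UDP, "192.0.2.11", "198.51.100.2",
          _udp(51000, TEREDO_PORT, _ipv6("2001:db8:2::20", "2001:db8:ffff::2"))),
    _ipv4(PROTO_TCP, "192.0.2.12", "198.51.100.3", b"\x00" * 20),
]

if __name__ == "__main__":
    for hit in tunnelled(SAMPLE_PACKETS):
        print(hit["kind"], hit["outer"], "->", hit["inner"])
```
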

    29. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0
    30. Re:so what is ipv6 good for? by unixisc · · Score: 2

      You are assuming that the source addresses are permanent. However, privacy extensions to autoconfigured addresses makes them temporary addresses, so even if they log them, it's of no use. And if they just take the first 8 words of the address, either they have to know what the new address is, or they have to do a 'broadcast' (actually a multicast to all nodes in that network) or do a scan.

      If they do a multicast to all nodes in an IPv6 subnet, they'll just be drowned in unreachability error messages which will bring down their system. After all, say, out of the 18,446,744,073,709,551,616 addresses on that subnet, only 10 are being used. Probability is that before any of those 10 are hit, 18,446,744,073,709,551,606/18,446,744,073,709,551,616 will fail. Do the math.

      And I just took a simplified case. Let's say that if there are that many devices, the owner decides to use a DHCP6 server to assign the addresses. A certain number of them may be static, such as a web server or a mail server. A certain range may be dynamic. Let's say that the dynamic ones are assigned to the 10 toys within his network, and are configured to change, say, every 24 hours. The above probability of getting even those 10 addresses right is now reduced. And this also assumes that attacks originating from the same source (or even a network) is unlikely to go un-noticed. If anything, blocking an IPv6 link is a lot easier than attacking a /64 link, since a shield will just look at the first 8 words and block it, whereas the bullets would have to look at the entire 16 words before it can penetrate anything.

    31. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0

      For the most part home users are going to end up with /64s; some ISPs might be generous and hand out something bigger, but I suspect most will decide not to do so in the end.

      It doesn't sound like you're trolling, so I can only assume you're hallucinating. A /64? From modern home ISPs? Are you freaking kidding me? You'll be lucky if you get one IP that isn't shared with the rest of the neighborhood, just so they can hoard them and continue their "each extra IP costs $X/month" racket with the stupid parts of the population.

      Wait, sorry, did I say "stupid parts"? My mistake, I meant ALL parts, given the monopoly most home ISPs have in their regions.

    32. Re:so what is ipv6 good for? by BigDaveyL · · Score: 1

      In theory, IPv6 will do away with NAT so some applications/protocols won't need any special workarounds. In the end, you'll still have 4 devices streaming your Netflix in either case. I don't know of any overhead penalty for moving to IPv6, so maybe someone smarter than me can speak to that. I'd assume routing tables will be bigger because there are more/longer addresses but could be wrong.

    33. Re:so what is ipv6 good for? by Bengie · · Score: 1

      Once your local network is compromised, it all goes to hell in a hurry.

      Everything you point out as "bad" about IPv6 is the same or worse for NAT.

    34. Re:so what is ipv6 good for? by JesseMcDonald · · Score: 2

      Ignoring implementation details like whether their existing switches can handle IPv6 traffic as efficiently as IPv4, the change should be a net positive in terms of ISP infrastructure. ISPs which already hand out public IPv4 addresses will just do the same with IPv6. Their routing tables may get a bit simpler due to IPv6's mostly-hierarchical address structure. ISPs which currently use NAT will be able to skip it for IPv6 traffic, reducing CPU load and the management overhead of mapping private IPs onto a limited number of public IP / protocol / port triplets. The end-user has more addresses to work with in IPv6, but the ISP only has to track one subnet prefix per customer for routing purposes, which isn't any worse than the situation today.

      One big hold-up is that many high-end routers currently in use offer hardware acceleration for IPv4, but can only deal with IPv6 packets in software. While that's fine so long as IPv6 remains rare, the ISPs will eventually need to upgrade to modern routers with hardware-accelerated IPv6 support.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    35. Re:so what is ipv6 good for? by Chemisor · · Score: 1

      > no more fiddling with port forwarding

      Uh, no. By default all your internal addresses will be blocked by the firewall on your router, so you will still have to enable them manually. Even though NAT will no longer be necessary, nobody should be leaving access opened by default. Security is done in layers. Blocking all external access to hosts that do not need to be accessed is one such obvious layer.

    36. Re:so what is ipv6 good for? by Just+Some+Guy · · Score: 2

      IPv6 is hierarchical in a way that lets routing tables become much, much smaller. It's a huge win in the complexity department, especially with its fixed-length headers that make hardware acceleration vastly easier to implement.

      --
      Dewey, what part of this looks like authorities should be involved?
    37. Re:so what is ipv6 good for? by gstoddart · · Score: 2

      policies. LOL. 802.1x is what you need.

      Which is fine and lovely if your IT department is willing to implement it.

      At the time when the guy was asking for this the response from IT was "we don't care, you have two network drops, that's all you get". So he said the hell with them and got himself the router. They eventually had to resolve his issue because he had about 6 computers in his office.

      In many places, IT is still operating like they did in the 90's -- with users needing to beg for scraps because the IT guys just aren't willing to do anything to "their" stuff. Mostly they act like Mordac the Preventer.

      Places where IT has learned it's there to support the business tend to be able to get things done better because the tail isn't wagging the dog.

      Since I currently work in one of those shops, it's a different mentality -- the business users are the clients, and real business need trumps anybody getting the idea that some infrastructure component is their own little fiefdom to be run according to their own whims. When a user comes to us, we're expected to find a solution, not tell them it's not allowed.

      --
      Lost at C:>. Found at C.
    38. Re:so what is ipv6 good for? by DarkOx · · Score: 1

      In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

      No not really in a corporate environment you NEED to be doing application level gateway with or without NATing. Egress is just as dangerous as ingress. So you are going from FW NAT ALG ALG

      And marketers would love the trackability down to the PC level

      As I have explained before I don't see this giving marketers more or less capability than they had before. They are going to pretty much just assume that each /64 subnet is one person or family just like they assume that each address is today. Might it make it a little easier to see discrete devices, possibly but the good ones do that pretty darn effectively now, by simply also looking at host headers, referrers, and timing characteristics. Look at what a good web analytics package can do sometime; it's not perfect but they do a pretty good job of seeing through NAT unless you are taking pretty heroic steps to stop it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    39. Re:so what is ipv6 good for? by POTSandPANS · · Score: 1

      You do realize you can cut up the /64 into several smaller subnets, right?

    40. Re:so what is ipv6 good for? by unixisc · · Score: 1

      The standard, the way it's currently written (and w/ which I disagreed above - see my post above Varying Links), supports either /128, or /64 or less. There is no way one can have b/w /128 and /64, unless an ISP decides to break the standard and write a router that recognizes boundaries somewhere other than the half way mark.

      Comcast is currently going the /128 route, where it's giving a single address to every household, assuming that that's all it needs. There is no router there or anything, and from Comcast's POV, the good thing is that it would allow their firewall to filter all traffic, and not be dependent on bad firewalls downstream failing. But if any household has a router that it wants to use to connect to 2 or more, then Comcast has to give them a /64. If a user, like the above poster who stated that he has different subnets for wired & wireless, or different SSIDs, wants more than a single /64, they'll sell it.

      As far as the pricing goes, the RIRs only sell /64 or less - you can't get a /128 from an RIR, whereas you can get a single address from them. So hoarding addresses doesn't make much sense. But like I said above, any ISP could have a 3 tiered pricing structure or even more. If they want to put a router in every home, they could price /64 competitively, whereas if they want to offer just single node connections, they might price their /128 lower. Depends on what they think makes more business sense. Ideal would be the customer get their own router and then only get the connection and addresses from them.

    41. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0

      That is what IPv6 Privacy Extensions are for.

    42. Re:so what is ipv6 good for? by Ichijo · · Score: 1

      Why did he use a router? A hub should have sufficed.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    43. Re:so what is ipv6 good for? by DarkOx · · Score: 3, Insightful

      I think we are talking about different things. I am trying to get at marketing droids attempting to answer questions like,

      How many unique visits to our website did we get?
      How many people who visited our flagship site ultrap0rn.com also visited our FaceSpace page?
      How many days a week did Jon Doe surf ultrap0rn.com?
      Did John Zoogle ultraDildos after visiting ultrap0rn.com?

      I don't think in practice ipv6 is going to make this significantly easier or harder for them to do, or have much impact on the quality of their data; for the reasons I have mentioned.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    44. Re:so what is ipv6 good for? by unixisc · · Score: 1

      The beauty of this whole thing is that if you have a /64 and DHCP6, you can configure it to give yourself a whole bunch of static IPs for each of your servers. Furthermore, you could define a pool range that would be dynamic addresses used by all the computers in your network - including visiting family members. If you have multiple virtual web hosts, each one can have its own IP address - no need to share anymore. Same for if you have a mail server, an ftp server or any other server.

      Also, since NAT is no longer there, the ports can be used for their original purposes, rather than as packet handovers from one network to another. Really useful for mapping applications, for instance.

    45. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      You have to have multicast routing set up between you and the networks you want multicast to go to...and the clients have to 'subscribe' to your multicast group. They won't hear anything from you until they tell their local multicast router they want to talk to you.

      So, yeah, multicast doesn't generally work unless you're on the same subnet. That said, here's a fun one to run under Linux:
      ping6 -c2 ff02::1%eth0

      Any hosts configured to respond to ICMP6 echo requests will send a reply. I once counted several hundred hosts on my VPS provider's network that way.

    46. Re:so what is ipv6 good for? by BigDaveyL · · Score: 1

      Thank you for the clarification. I remember seeing something regarding the headers when flipping through one of the O'Reilly IPv6 books. I was planning on going back through the books to get a better handle.

    47. Re:so what is ipv6 good for? by firewrought · · Score: 1

      You're talking about RFC 3401, which (if I read it right) randomizes the 64 low bits of the address. DarkOx's point is that ISPs are likely to assign each household a (static, semi-permanent) network with the same 64 high bits. If I'm a web-tracking firm, I'd expect that to be similar to but more reliable than the (temporary, high turnover) IPv4 address that basically identifies a household today.

      --
      -1, Too Many Layers Of Abstraction
    48. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      You do realize that breaks SLAAC, right?

    49. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0

      There are fewer than 300 million unassigned v4 addresses left. The remaining addresses have already been allocated to the five regional registries (ARIN, RIPE, APNIC, LACNIC, AfriNIC), so depending on your location, your RIR (regional internet registry) has already run out of v4 addresses to assign or will soon run out, or you're in a third world country.

    50. Re:so what is ipv6 good for? by DarkOx · · Score: 1

      You CAN cut a /64 into smaller subnets but you really should not do that. That goes double for things like an 'untrusted sid' where you don't control the clients. It works fine if you are doing all manual addressing or DHCP6 allocation but you will break the MAC based auto configure; which assumes the subnet is at least a /64.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    51. Re:so what is ipv6 good for? by compro01 · · Score: 1

      And I can also see a huge amount of consumer type stuff taking years before it has transitioned. IPv4 isn't going to go away overnight.

      And the trees will take 20 years to grow, which is why we need to start immediately.

      --
      upon the advice of my lawyer, i have no sig at this time
    52. Re:so what is ipv6 good for? by yahwotqa · · Score: 1

      "And marketers would love the trackability down to the PC level - sure there's the privacy IP thing, but it's defeated if there's a long-running IP connection still established (unless IPv6 has the ability to inform remote hosts that your IP was changing... which has some very interesting implications). Even so, it's usually a day's worth of tracking and a cookie can be used to bridge between days."

      Except that (especially with privacy extensions) it is normal to have several IPv6 addresses on a single interface. So e.g. google will see you connecting from one address, facebook from a different address (within same network prefix, of course), and another google search a few minutes later will have yet another source address.

      Sure, tracking cookies and all that can help them figure it out, but that problem is already there if your network has DHCP-assigned IPv4 addresses.

    53. Re:so what is ipv6 good for? by unixisc · · Score: 1

      MAC based autoconfigure should preferably not be used, but aside from that, breaking a /64 into smaller subnets creates configurations that deviate from the standard and may not be recognized by all routers. As I argued above, a smaller interface ID of /80 or /96 would have been better, but if the standard doesn't currently support it, better not to throw in that new variable into something that's already pretty new to start w/ - for most people.

    54. Re:so what is ipv6 good for? by yahwotqa · · Score: 1

      Port forwarding to a private address behind NAT is not the same as allowing traffic to a port at a public address. With NAT, you can only have port X exposed for only one internal device (unless you forward it under different port numbers for different hosts, which is ugly as balls).

    55. Re:so what is ipv6 good for? by Cramer · · Score: 1

      And RISC was supposed to change the world...

      IPv6's hierarchical routing was dead about 4 hours after the first real world deployment. That's what IPv4 used to call "classful routing". Anyone attempting to push that crud today is a documented idiot. IPv6 routing tables will be (and are) larger -- much larger. Count up the number of PI /48's and ISP /32's... each of those is an independent entry in the global routing table.

    56. Re:so what is ipv6 good for? by Cramer · · Score: 1

      They'll still track you... cookies, breadcrumbs, etc. Oh yeah, and your IPv6 /64 network prefix. Sure, they won't be able to follow the exact machine, but that's no different than today's NAT'd IPv4 networks.

    57. Re:so what is ipv6 good for? by Cramer · · Score: 1

      Yes. And I don't care. (the "prefix-length === 64" requirement should've been dropped a decade ago.)

    58. Re:so what is ipv6 good for? by Cramer · · Score: 2

      Comcast (and other ISPs) use the /128 as the CPE router, and then route a /64 or /56 towards it. I'm not sure what you have to do to get Comcast to assign a /56 to you, but that's what they've said they were going to do. (it might also be a /56 internal allocation, but they're only actively using a /64 at the CPE.) This is all still "highly experimental."

      (The agreed upon path is /56 per residential connection and /48 per business, but I'm not surprised to see /64's everywhere.)

    59. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      Why?

    60. Re:so what is ipv6 good for? by TheCarp · · Score: 1

      First, static IP? I use dynamic DNS to get around that... you don't even have to run your own DNS servers, though I do.

      As for $100, for half that or less you can get an external VM with a static IP and more bandwidth than you would need to make a jump box, then just open a permanent VPN to the jump box.

      My favorite solution was to use my own dynamic dns to find my house, then VPN in to the house server.

      --
      "I opened my eyes, and everything went dark again"
    61. Re:so what is ipv6 good for? by Cramer · · Score: 1

      It's stupid and unnecessary. Almost everything supports privacy extensions which means it has duplicate address detection capabilities already -- and honestly, DAD is trivial, it won't add bloat or significant complexity to an IPv6 device. Picking an address and seeing if it's in use is not that difficult. (like, say, requiring a complete ipsec engine. they have finally dropped that -- it's a "SHOULD" not a "MUST" now.)

    62. Re:so what is ipv6 good for? by nine-times · · Score: 1

      Clearly I'm aware of dynamic DNS-- I mention it a couple of times in my post. However, it's not always the best solution, and it creates another thing that can fail. For example, I've had occasional problems in the past where a dynamic DNS provider changed their update mechanism, or the client-side updater stopped working, and the DNS stopped being updated. There are also problems, for example, with email getting sent from a dynamic IP address, being more likely to get blocked or marked as SPAM.

      Dynamic DNS is a bit of a kludge to cope with situations where getting a static IP is difficult or expensive. It's not a great all-around solution.

      As far as using external hosting, that's a great solution in a lot of cases. In some cases, it's not. Either way, again, it's a bit of a kludge.

      Is it really so weird to say, "I don't want to deal with strange hacks, and I don't want to set up work-arounds. I just want to be able to have several computers on my network have static IP addresses without spending hundreds of dollars per month to make that happen."

    63. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      You are aware that all major IPv6 stacks have IPSec support? Forget that the standard doesn't explicitly require it...Linux, *BSD and Windows have long shipped with working versions.

      You still haven't given any technical reason why "prefix-length === 64" should be dropped; you've called it stupid and unnecessary, and the best you've done is indicate you don't care that doing so would break SLAAC. I like and use SLAAC, which depends on that 64-bit minimum subnet size; your 'unnecessary' argument doesn't hold in that context.

    64. Re:so what is ipv6 good for? by Bengie · · Score: 2

      He's saying that companies will just track the first 64bits. Privacy extensions and autoconfig only change the last 64bits. Since the destination network doesn't change, one can safely assume it's the same end-user. No different than tracking an IPv4 address with a NAT. You may not know which exact computer/person, but you can tell it's the same network.

    65. Re:so what is ipv6 good for? by Bengie · · Score: 1

      Many of the early adopter ISPs have been giving out /64s by default, /56s on request, and /48s if you can show need. The IPv6 recommendations are /56 by default.

    66. Re:so what is ipv6 good for? by Cramer · · Score: 1

      The reason for the hard limit was to make address selection "trivially simple" to facilitate IPv6 stacks on memory constrained devices. That originated nearly 20 years ago. (and the limit was 80 then... using the 48bit ethernet mac. that has since been moved to 64 to support EUI-64 (bluetooth, firewire, etc.)) It was a lame excuse then, it's an even worse excuse today. The code size and complexity to support alternate address selection and duplicate address detection do not create a burden for any modern "memory constrained device" (none that will ever see IPv6 support any way.) We're talking about things like print servers, access points, power switches, weather monitors, etc., etc. I'm not talking about your PC or cellphone or game console -- all things that have plenty of storage, RAM, and cpu. The hard coded prefix-length was a compromise that was never necessary. (esp. with all the other "bloat" required to meet all the specs.)

      There is no reason for a hard limit. A classless addressing system having a de facto classful network/host boundary is an oxymoron. And it promotes completely incorrect assumptions about people's networks. (this has *already* come up several times.)

    67. Re:so what is ipv6 good for? by Anonymous Coward · · Score: 0

      And site local addresses were deprecated.

    68. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      Reasonable points, though I think it was more about easing hardware implementations of the stack than about dealing specifically with memory-constraints. That said, I would still protest anything that breaks SLAAC; SLAAC is very useful. If you want to describe how SLAAC would operate in a completely classless system, I wouldn't mind discussing it.

      What are these incorrect assumptions you describe, and can you point to some of the examples of them coming up? (Just honestly curious)

    69. Re:so what is ipv6 good for? by Bengie · · Score: 1

      Not the core route tables

      Hierarchical routing: 1234:: all go to the same route
      IPv4 routing: 123.456.789.0 has a different route than 123.X.Y

      Arin

      > > "route table fragmented and inflated by IPv4"??? Let see:
      > > IPv4 has 32 bits, IPv6 has 128bits. Which is going to inflate
      > > the route table most? Each route is 4 times larger, and we
      > > expect more IPv6 routes.
      >
      > We do? We've been consciously designing allocation policies so that the
      > number of IPv6 routes per AS will be significantly lower than with IPv4.

      > > I think it won't be long until IPv4 takes up a small fraction of
      > > router memory: 200,000 IPv6 routes take up more memory than 200,000
      > > IPv4 routes.
      >
      > Of course. However, if we have 200k IPv6 routes, one would expect 2M+
      > IPv4 routes, and IPv4 will still end up taking more memory.

    70. Re:so what is ipv6 good for? by Bengie · · Score: 1

      Last time my dept asked IT for some more ports, they gave us a 96port 1Gb chassis with a teamed 1Gb fiber uplink. Time for a new IT dept.

    71. Re:so what is ipv6 good for? by Bengie · · Score: 1

      By default all your internal addresses will be blocked by the firewall on your router, so you will still have to enable them manually

      UPNP. Same thing that opens ports on a NAT.

    72. Re:so what is ipv6 good for? by Bengie · · Score: 1

      Easy to claim it was a temporary address that you have no idea which machine/person used.

    73. Re:so what is ipv6 good for? by Cramer · · Score: 1

      It's something every remotely modern IPv6 stack already supports... Privacy Extensions. Even the Windows XP IPv6 stack supports PE. The host is already making up an address and ensuring no collisions. Yes, it's more computation than prefix + MAC, but it also doesn't take 250KB of code to do it.

      There have been discussions on NANOG (and a few other lists / forums) where people have started down the "64bit network" path, where they incorrectly optimize their route tables and routing logic (some of it in hardware) to only look at 64 bits instead of the entire 128. This is absolutely WRONG. And it's entirely rooted in this BS from SLAAC... "well 64 bit prefix is as small as you'll ever see." That is so wrong, words cannot express how flaming wrong it is. The longest prefix one can have in a routing table is 128 bits -- it is perfectly legal to have host specific routes.

    74. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      OK, I follow you now. The only gripe I still have is with dependence on privacy extensions; I like that my machines have deterministic addresses, and I like the diagnostic details from seeing the MAC addresses. You're advocating complete randomization. That, I don't like.

    75. Re:so what is ipv6 good for? by Cramer · · Score: 1

      I'm advocating *necessary* randomness. When the prefix-length isn't 64 (eg. 96), there isn't room to put the MAC in there. If the length is 64, then yes, do the normal "slacker" thing. (think of it as something beyond SLAAC. SLAAC is designed for one very specific situation. if you deviate in any way, your only option is dhcp -- or static assign every address.)

    76. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      OK, now that doesn't make sense.

      First off, you're really not guaranteed that there's going to be a decent source of random numbers[1]. And there's not a need for truly random numbers; you don't want to consume them if you don't need to. Besides...I like deterministic addresses; I can see traffic on my network and immediately know which machine it corresponds to, without having to use something stateful like DHCP. If your network has fewer than ten nodes on it, it doesn't take long at all to get to know it.

      So instead take the SHA1 hash of the MAC address (or perhaps the MAC address appended to the prefix), and use the first N bits. Then, at least, you have a deterministic method to generate the IP address.

      [1] Believe me, this is a problem I'm trying to provide solutions for. My etools/entmesh package has been stagnant for a while, but that's because I've been prepping for getting married, getting married, doing the honeymoon thing, and dealing with other life surprises. Happens.

    77. Re:so what is ipv6 good for? by bn-7bc · · Score: 0

      Well IPv6 is hierarchical at least until every business with more than 50-60 people decide to get their own PI space, so they don't have to change internal config every time they change isp, but don't worry I'm certain that ISPs and carriers will get routers with sufficient TCAM space by the time the IPv6 routing table explodes

    78. Re:so what is ipv6 good for? by unixisc · · Score: 1

      If one insists on using the entire layer 2 address of one's network card, or a SCSI address, or some such thing, 64 bits are needed. But why are they essential? Just take a subset of that, process it some way or another, and then use it for the SLAAC.

      There are good reasons why the global prefix, instead of being 48 bits, should have been the entire top 64 bits. Multihoming methods tend to use a lot of addresses, currently going as low as /29. If the entire top half was the global prefix, even w/ multihoming, or w/ address intensive transitioning technologies such as 6rd, IPv6 could have been a lot smoother.

      The subnet address - which is the 16 bits just before the halfway mark - could have been either the following 16 or following 32 bits. Had it been the following 16 bits, your SLAAC would still have been good for EUI-64, dropping the fffe in the middle. In many scenarios, 65536 subnets is pretty adequate, so this part is not a problem. However, some organizations, especially ones that have presence in several cities and campuses, might want a hierarchical organization of the subnet address, in which case, 4 hex digits may not be enough. For this reason, I think that a 32-bit subnet might have been ideal.

      That then brings up the question of the interface ID, which for 32 bits would then be 4 billion devices. Even if one wants SLAAC, it can still be smoothly implemented, albeit w/ just a truncated MAC address, or something else. It's worth noting that no single subnet in the world is likely to have anything even close to 4 billion users. In fact, even 65536 users, which is what one would have if only the least significant word was used for the interface ID, would be adequate for this, but then 48 bits for the subnet would be clearly overkill.

      Therefore, if the global prefix was fixed at the first 4 words, the subnet the next 1 or 2 words and the interface ID the remainder, that would have been ideal. The IETF could do that if they decide after the 2000s are gone that its usage hasn't been too great.

    79. Re:so what is ipv6 good for? by unixisc · · Score: 1

      You want SLAAC - why not do this? Assuming that the global prefix is 64 bit, the subnet next 16 and the interface ID the remaining 48. In this case, the MAC address can still be used, but why not mask some of the bits? Use a checkerboard or an inverse checkerboard pattern, such as 10101010.... or a 01010101... to mask the ultimate MAC address you get. It's a fixed and deterministic result that doesn't depend on any randomness, such as a time stamp, and you're off to the races. That's assuming that you're using a static address, which is what your SLAAC is when you don't use the privacy extensions.

      Even if you had the prefix_length = 96, you could still do this - take the bottom portion of your MAC address, do the same masking that I described above, and then make that your static address for good. Currently, the SLAAC is programmed to just use the MAC address, but one could add in the masking part, and get a perfectly good address. No randomness or anything. (Actually, some randomness is good, but I can see where you're coming from if you want a static, rather than a dynamic address).

      It's not what I'd prefer - given all the addresses available, I'd much rather use a DHCP6 server to lay out the address mapping rules. Some things will have static addresses, and some dynamic. The only time SLAAC would be used is if someone was a guest on my network - say a friend or relative came in w/ his/her tablet, and wanted to access the internet through my network. In such a case, SLAAC would be the way to go.

    80. Re:so what is ipv6 good for? by unixisc · · Score: 1

      The IPv6 recommendations themselves have been /48, and that's what ARIN seems to be going w/. However, APNIC clearly offers /56 to its customers, and RIPE looks like doing the same thing. Dunno about the other 2.

    81. Re:so what is ipv6 good for? by unixisc · · Score: 1

      How can a /128 go to a router? IPv6 doesn't have NAT, so it's not like it will be translated there. At the router, a /64 would have to come up - if the customer has a /56, that just means that that customer can theoretically have up to 256 different networks on his premises. In reality, it's to support for situations like the customer using different subnets for different SSIDs, one subnet for wired and another for wireless, etc.

      Comcast was only offering /128 for customers who need just one connection to one device - their computer.

    82. Re:so what is ipv6 good for? by unixisc · · Score: 1

      Particularly, if it's set up that way under dhcp6, and the customer can validly claim that he has no idea which device downloaded it, unless a log is kept of which IP address mapped to which MAC address at all times. But if the customer is the owner of the entire /64 i.e. you're not talking here about a Comcast offering a /128 to people, then it's easy to just charge him w/ theft. But that could have been done even earlier w/ IPv4 - trace back who those packets went to.

    83. Re:so what is ipv6 good for? by swalve · · Score: 1

      I'm not trying to be snarky, I'm being sincere. Why would anyone anywhere need more than a /64? Isn't that 2^64 addresses? Or is there something about ipv6 that is different than ipv4 where it doesn't like to route networks smaller than /64? (IE, you can't easily subnet your /64 like you could subnet an ipv4 /16 allocation into say 254 networks of 254 hosts?)

    84. Re:so what is ipv6 good for? by unixisc · · Score: 1

      Nobody needs more than /64, but the subnet addresses fall outside the lower half of the entire IPv6 address. Aside from all the devices, a customer may want different networks, such as different SSIDs on the router, or different networks for wired and wireless so that one doesn't get slowed down by the other, or one for a high speed and one for a low speed. If an ISP assigns a /60, it should be fine - the last hex digit in the subnet address can then be used to address different networks within the home.

      And the latter part of your question is right - subnets smaller than /64 are currently not supported in the IPv6 standard, so not all routers will recognize them. Changing that this early in the adaptation is likely to introduce incompatibilities that make adaption even more difficult. I agree that having a 4 word interface ID was overkill, but since it's there, the ISPs have to work w/ it.

    85. Re:so what is ipv6 good for? by Antony-Kyre · · Score: 1

      I haven't read all of your post, but I caught the part about mobile phones. I strongly agree. I agree so much I feel Congress should enact a law mandating all cell phones to be IPv6 enabled by default. That's not to say they can't switch to IPv4, but the less phones that rely on IPv4, the more IPv4 numbers we have freed up for those who cannot transition.

      Some legacy devices don't work with IPv6.

      In other news, I found out about IPv6 when www.google.com wouldn't regularly load, and doing a ping in cmd.exe resolved to a weird number. Looks like I'm stuck with IPv4 at least with my browser, and hence my whole machine. Although, I don't know if it's really my computer, or some hardware, or my ISP, down the line.

    86. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      FYI, your SLAAC still is static (if you're not using Win7 or Vista...and their quirk there can be configured out of them, too), even in the case of privacy extensions. Privacy extensions use a combination of a static IP and continually-changing temporary IPs.

      Otherwise, I like most of what you describe. Still, you shouldn't use a simple masking pattern. At one end of the MAC address, entropy is reduced because of the presence of manufacturer ID information. At the other end of the MAC address, entropy is reduced because of the serial nature of their generation; when I see motherboards with two NICs, those NICs typically have adjacent numbers for MAC addresses. I've seen similar patterns with MAC addresses assigned to virtual machines.

      That's why I suggested SHA1; every bit in the input data gets spread across every bit in the output data. Generate the SHA1, and then take however many of the bits you need off of one end or the other. Deterministic, yet sufficiently unlikely to result in a collision.
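Added example, not part of the thread or any poster's code: the three interface-ID derivations debated above (modified EUI-64, the checkerboard mask, and a truncated SHA-1 over prefix plus MAC), run against sequentially numbered MACs on a /64 and a /96. The function names, the 2001:db8:: documentation prefixes and the 52:54:00:12:34:xx MACs are constructed for illustration.

```python
import hashlib
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw


def host_bits(prefix: str) -> int:
    """Number of bits left for the interface ID under this prefix."""
    return 128 - ipaddress.IPv6Network(prefix).prefixlen


def eui64_iid(prefix: str, mac: str) -> int:
    """Classic SLAAC: insert ff:fe mid-MAC and flip the universal/local bit.
    Only defined when exactly 64 host bits are available."""
    if host_bits(prefix) != 64:
        raise ValueError("modified EUI-64 needs a /64")
    b = parse_mac(mac)
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def masked_iid(prefix: str, mac: str) -> int:
    """Checkerboard proposal: keep the low bits of the MAC that fit,
    then AND them with 1010...10 (assumes an even bit width)."""
    width = min(host_bits(prefix), 48)
    mac_low = int.from_bytes(parse_mac(mac), "big") & ((1 << width) - 1)
    checker = int("10" * (width // 2), 2)
    return mac_low & checker


def sha1_iid(prefix: str, mac: str) -> int:
    """Hash proposal: SHA-1 over prefix || MAC, keep the first N bits,
    where N is however many host bits the prefix leaves."""
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha1(net.network_address.packed + parse_mac(mac)).digest()
    return int.from_bytes(digest, "big") >> (160 - host_bits(prefix))


def build_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a prefix and an interface ID, refusing IDs that overflow."""
    net = ipaddress.IPv6Network(prefix)
    if iid >> (128 - net.prefixlen):
        raise ValueError("interface ID does not fit in the host bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def distinct_iids(method, prefix: str, macs) -> int:
    """How many different interface IDs a method yields for a set of MACs.
    Anything below len(macs) means duplicate address detection would fire."""
    return len({method(prefix, m) for m in macs})


# Constructed sample: 256 NICs or VMs with consecutive MAC addresses.
SEQUENTIAL_MACS = [f"52:54:00:12:34:{i:02x}" for i in range(256)]
P64 = "2001:db8:1:2::/64"
P96 = "2001:db8:1:2:3:4::/96"

if __name__ == "__main__":
    nic_a, nic_b = SEQUENTIAL_MACS[0x54], SEQUENTIAL_MACS[0x55]
    print("EUI-64 /64 :", build_address(P64, eui64_iid(P64, nic_a)))
    for name, method in (("mask", masked_iid), ("sha1", sha1_iid)):
        for prefix in (P64, P96):
            a = build_address(prefix, method(prefix, nic_a))
            b = build_address(prefix, method(prefix, nic_b))
            unique = distinct_iids(method, prefix, SEQUENTIAL_MACS)
            print(f"{name} {prefix}: {a} / {b} "
                  f"({unique} unique of {len(SEQUENTIAL_MACS)})")
```

The hash input contains no secret, so anyone who knows the prefix and the MAC can recompute the address; RFC 7217 later standardized a keyed variant of this idea for SLAAC.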

    87. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      (most of this, I respond to in comment #40244507)

      I shouldn't think it necessary to point out that the reason for /48s was to reduce the size of a full routing view.

    88. Re:so what is ipv6 good for? by asdf7890 · · Score: 1

      I agree so much I feel Congress should enact a law mandating all cell phones to be IPv6 enabled by default.

      Please no! We don't want technical issues to be subject to legislation unless absolutely necessary (or where the technical issue has public safety implications) - it will only complicate matters.

    89. Re:so what is ipv6 good for? by PlusFiveTroll · · Score: 1

      UPNP has any number of serious issues dealing with security so hopefully whatever automated system for IPv6 becomes standardized deals with issues like

      host $x is really host $x and not host $y trying to open a port to host $x.
      host $g belongs to security group $a with access to features $f while host $h belongs to security group $b and only has the limited features of $b.

      There is this, http://tools.ietf.org/html/draft-bnss-v6ops-upnp-01 , but I can't say that I've read it all.

    90. Re:so what is ipv6 good for? by hjf · · Score: 1

      Sounds like you're just bitter at an incompetent IT department. None of your excuses cut it for me. IT doesn't need to "support" the business. It's 2012. IT is part of the business. "Getting things done" is not how it works, because that only ends up with desktop switches in a tangle of cat5. Planning is how it works.

      And the whole argument is stupid, because: how did the user end up with 6 computers in his offices and only 2 drops? Didn't IT provide the computers? Did the guy decide to get random computers from somewhere else? Why does he need 6 computers? IT isn't supposed to support computers they didn't provide.
      If IT did provide the computers, why didn't they provide network drops? They are just incompetent if they did.

      IT is there to keep the business running. Not to keep users happy by doing whatever they want.

    91. Re:so what is ipv6 good for? by unixisc · · Score: 1

      The simple masking pattern that I used was only as an example. Use any pattern you like for masking. And yeah, it's static - that's what EUI-64 is as well, and I was proposing an alternative to that which doesn't just leak the MAC address. But if you want a dynamic address, just take EUI-64, add it to a selected function of the date-time stamp, and then run it. Whenever it needs to expire, or get updated, repeat the process.

      Incidentally, all that can be done statefully as well, in a dhcp6 server. Also, you can assign a pool of addresses - however large you like - to act as dynamic address. Also, the 4 word blocks in the address - if you weren't using SLAAC - can be assigned different functions in a PAM software, such as the first block stating whether the address should be static or dynamic (and other variations), the fourth block the port address of whatever that IP is being used for (if it is an http server address, call the 4th word 8080, if it is an IMAP secure mail server, call it 993 and so on.) Use the second word as a serial counter to switch from device to device, and reserve the third word for any other functionality you can think of.

      That way, the entire address means something to the user, but since only a handful of them will be used, the chances of being attacked are low.
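Added example, not part of any comment above and not taken from any IPv6 stack: the two interface-identifier schemes argued over in comments 86 and 91, side by side. It builds the modified EUI-64 identifier, shows that the MAC can be read straight back out of such an address, and derives the SHA-1 based identifier Short+Circuit suggests. The function names, the `2001:db8` documentation prefix, the sample MACs and the optional `secret` input are assumptions made for illustration.

```python
import hashlib
import ipaddress
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe mid-MAC."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def sha1_iid(mac: str, secret: bytes = b"") -> bytes:
    """Stable hashed identifier: first 64 bits of SHA-1(secret || MAC).

    The optional per-host secret is an assumption added here. Without it the
    result is still a pure function of the MAC, so anyone able to enumerate
    candidate MACs can test them against an observed address.
    """
    iid = bytearray(hashlib.sha1(secret + parse_mac(mac)).digest()[:8])
    iid[0] &= 0xFD  # clear the universal/local bit, as RFC 4941 does
    return bytes(iid)


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface ID")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def recover_mac(addr: str) -> Optional[str]:
    """Audit helper: return the MAC embedded in an EUI-64 address, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


if __name__ == "__main__":
    PREFIX = "2001:db8:0:1::/64"           # documentation prefix (constructed)
    NIC_A = "00:11:22:33:44:55"            # constructed MACs: two adjacent
    NIC_B = "00:11:22:33:44:56"            # NICs, as on a dual-port board

    for name, derive in (("EUI-64", eui64_iid), ("SHA-1", sha1_iid)):
        a, b = derive(NIC_A), derive(NIC_B)
        addr = make_address(PREFIX, a)
        print(f"{name:7} {addr}")
        print(f"        MAC recoverable from address: {recover_mac(str(addr))}")
        print(f"        bits differing for adjacent NICs: {hamming(a, b)}")
```

Run over a list of addresses seen on a segment, `recover_mac` also works as a quick audit for hosts that still expose their hardware address through SLAAC.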

    92. Re:so what is ipv6 good for? by Bengie · · Score: 1

      Some private company in Europe used multi-cast to send IPTV to a bunch of people in Australia over the general Internet with no special setup. Sounds to me like they want multi-cast working for everyone.

    93. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      That private company (or their ISP) needed a special transit or tunnel setup between their AS and the AS their customers sit on so that intermediate networks didn't simply drop the packets. I expect the fan-out happened at the ISP in Australia; Australia doesn't have a very good connection to the rest of the Internet.

      I suspect you don't have all the details. I know you haven't done anything in-depth with IPv6, based on your previous comments.

    94. Re:so what is ipv6 good for? by Short+Circuit · · Score: 1

      The simple masking pattern that I used was only as an example. Use any pattern you like for masking. And yeah, it's static - that's what EUI-64 is as well, and I was proposing an alternative to that which doesn't just leak the MAC address. But if you want a dynamic address, just take EUI-64, add it to a selected function of the date-time stamp, and then run it. Whenever it needs to expire, or get updated, repeat the process.

      Sure. I was discussing the particulars (particularly in case anyone else comes along and decides to implement that mask concept). I wasn't trying to be combative.

      Incidentally, all that can be done statefully as well, in a dhcp6 server. Also, you can assign a pool of addresses - however large you like - to act as dynamic address.

      Again, I really don't like adding more moving parts to a system. It might work fine for a wired Ethernet link with few clients, but it falls over quickly in wireless environments like apartment buildings and hotels. (It's ugly, but perhaps one in twenty DNS queries fail for me on my laptop at home, with the packets apparently lost between my laptop and my AP twenty feet away.)

      Yes, I know about DHCP-PD. Using it to specify a pool of addresses to source from is an interesting idea. And, yes, if you use DHCP, you can push all kinds of configuration into a client.

      But, again, I like SLAAC, because it's more reliable and generates less network traffic for me.

    95. Re:so what is ipv6 good for? by TheCarp · · Score: 1

      No, it's not weird to say. Of course you want that. I want that too. However, the cost is prohibitive, and it's actually cheaper to get a hosted box and have dynamic ips at home. It's also fewer layers of protection between individual nodes and the big bad internet. I just like extending my private IP space to where I am, and letting everyone else pound sand.

      I have never had those dynamic dns issues, because I set up and run my own DNS. The home system has a script that occasionally checks its own external IP and publishes it using normal bind keys to authenticate.

      That said, if I ran the vpn on the remote system, even dynamic DNS isn't needed, just generate a certificate for each machine.

      --
      "I opened my eyes, and everything went dark again"
    96. Re:so what is ipv6 good for? by nine-times · · Score: 1

      However, the cost is prohibitive, and it's actually cheaper to get a hosted box and have dynamic ips at home.

      Only because we're running out of addresses, which is a problem that IPv6 solves.

      I have never had those dynamic dns issues, because I set up and run my own DNS.

      Great, so you've just introduced a chicken-and-the-egg problem that in order to circumvent the need for a static IP, you need a DNS server with a static IP. Easily solved, or we could get rid of the problem for everyone by using a system that makes sense, instead of a bunch of hacks.

    97. Re:so what is ipv6 good for? by Antony-Kyre · · Score: 1

      Should we just let the problem get worse until we reach the breaking point?

      All mobile devices with the intent of being a phone intended to be sold in America, but manufactured perhaps 18 months after the bill passes, would be required to be IPv6 enabled by default with or without the option for IPv4. Waivers available for companies that would feel an undue hardship.

    98. Re:so what is ipv6 good for? by asdf7890 · · Score: 1

      Should we just let the problem get worse until we reach the breaking point?

      That is better than opening it to legislation and the related lobbying. Just imagine all the time wasted as companies plough effort into trying to add/reword clauses such that they have a small advantage or just to water it down. The end result won't be pretty, and it would most likely be toothless (and therefore pointless) in the end anyway.

      Breaking point will hopefully hit for the manufacturers before us as consumers, as networks and sites switch over to IPv6 there will be a point when not having it will be a disadvantage so the business of those not supporting it will suffer as people avoid those products for fear of compatibility issues.

  8. IPv6 multi-homing status by Bookwyrm · · Score: 2

    Did folks ever get IPv6 multi-homed routing straightened out?

    It always felt like conflicting goals at work -- on one hand, people wanted to simplify and shrink the size of the backbone routing tables, but on the other, a purely hierarchical routing space removes redundancy. That is, a tree graph has the property that there is only *one* path between any two nodes, which means a purely hierarchical routing arrangement would mean that the idea of 'routing around censorship' would go into the waste bin because there are no alternative routes possible. (Note that I am differentiating this from redundant *physical* links -- this is a matter of administrative links. If there is no multi-homing and the upstream provider is blocking/filtering/limiting traffic, there is no network route around it, physical redundancy not withstanding.)

    So any current best practices for IPv6 multihoming for small ISPs/businesses?

    1. Re:IPv6 multi-homing status by Fez · · Score: 1

      The purists hate NAT, but for SOHO, NPt can help with that.

      http://doc.pfsense.org/index.php/Multi-WAN_for_IPv6

    2. Re:IPv6 multi-homing status by Anonymous Coward · · Score: 0

      It's called BGP. Get a block direct from ARIN (or whomever) and have your ISPs put it in their table with whatever weight you want. Or, peer with them.

      It sucks though. A lot of SOHO IT folk who want to multi-home are going to have to learn actual routing and not rely so much on some shiny, often overpriced, firewall "security" device.

    3. Re:IPv6 multi-homing status by Fez · · Score: 1

      The cost for PI space and peering is still rather high, even at the "discounted" time-limited rates that are supposed to encourage adoption. I doubt many SOHO operations are going to want to shell out several thousand per year extra for that.

      Sure that is the "right" way, but there are other ways (see my other post under this parent).

    4. Re:IPv6 multi-homing status by Short+Circuit · · Score: 1

      Set up an application-layer proxy on a host with both addresses, same as you would with IPv4.

      So, set up a machine running Squid, where that machine has IPs from both your upstream ISPs. All your internal clients can use that Squid proxy to get out. SIP? No problem; use a SIP proxy.

      Since you're pushing the 'logical, not physical' link angle, you can go one step further and set up a tunnel to another endpoint on the Internet, and use that as another possible route. (i.e. I have IPv6 access because I use a proto41 tunnel from Hurricane Electric)

      If you don't want to go that route, have radvd announce both prefixes on your internal network, and allow clients to select which source address they use. Use short 'preferred' lifetimes, and you can have some daemon tweak your radvd configuration whenever you decide you want to favor one prefix over the other.

      But, really, an application-layer proxy is your best option.

    5. Re:IPv6 multi-homing status by WaffleMonster · · Score: 0

      Did folks ever get IPv6 multi-homed routing straightened out?

      No change of any kind except more bits of TCAM wasted per route on fools who do not need to be multi-homed in the first place.

      So any current best practices for IPv6 multihoming for small ISPs/businesses?

      Small businesses, mapa ISPs and rich dudes with more money than sense don't need to be multi-homed PERIOD. All you're doing is bloating the routing table at the expense of the network in exchange for zero benefit to yourself and others.

      If there is no multi-homing and the upstream provider is blocking/filtering/limiting traffic, there is no network route around it

      When they say the network routes around censorship this is a myth. The network itself is capable of no such thing. It takes human intervention and brain power to make it happen.

    6. Re:IPv6 multi-homing status by bbn · · Score: 1

      There are three options:

      1) Order internet from two different ISPs. Get a router from each. Connect both routers to your internal network. Done.

      Yes for most people and small business nothing more is required. What will happen is that every computer will get two IP-addresses, one from each ISP. As part of IPv6 every computer monitors the routers and automatically chooses one that is responsive. If you unplug a router every computer will start using the other with a failover time of maximum 30 seconds.

      This option does not provide backup if you want to host a web server. But it will work with a mail server because SMTP allows you to simply publish both IP-addresses. Many private persons and small business have no need for a local server so this could be a good and easy solution.

      2) Get your own /48 address range from your RIR and get service from two different ISPs. Use BGP to advertise your range. This is exactly the same way as you do dual homing with IPv4.

      3) Use LISP. This is not quite ready for primetime yet, but I think it will be there in about a year. It is backed by Cisco et al. http://www.lisp4.net/

      LISP is the most interesting option. You get your own /48 just like the BGP option, but LISP allows you to split that up into as many units you want. You can use some of it at the office and give each employee a /64 for their home office. There are no scalability problems.

      4*) Other home-made solutions. Some people will try to sell you a NAT66 based solution. Just say no. You could also build a primitive LISP like solution yourself by using a tunnel to a server somewhere.

    7. Re:IPv6 multi-homing status by Fez · · Score: 1

      1) Is out for people who want automated failover
      2) Is prohibitively expensive for most
      3) Is interesting, but still early
      4) Works fine, now, and provides functional multi-homing. Why discard it? NPt isn't pure evil. It's not ideal, but it gets the job done without requiring all of that extra setup or dynamic routing protocols on top.

    8. Re:IPv6 multi-homing status by HappyPsycho · · Score: 1

      The splits for traffic engineering would never be as bad as it is in the IPv4 world, at least until we reach the same state with IPv6 that we are currently in with IPv4. We have 4 different allocations from LACNIC, from 3 different class A's, we can't summarize them even if we wanted.

      We can still take the IPv6 /32 we got from LACNIC and split it for the purposes of traffic engineering but at most we would be splitting it based on the number of uplinks we have vs the number of allocations we get.

      I don't think they were specifically after a full tree, just to try to get as close to a tree as was reasonable by removing the need for unnecessary fragmentation (from the view of the global routing table). Seeing an ISP advertising one of their /18s as /24s makes me really wonder what the new segmentation limit will be for IPv6.

    9. Re:IPv6 multi-homing status by Anonymous Coward · · Score: 0

      Then they don't need to multi-home. The cost to multi-home really hasn't changed.

    10. Re:IPv6 multi-homing status by bbn · · Score: 1

      1) has automated failover.

    11. Re:IPv6 multi-homing status by Anonymous Coward · · Score: 0

      Which Soho, London or NYC?

    12. Re:IPv6 multi-homing status by bbn · · Score: 1

      4) NAT66 is more complicated without providing anything that is not already there with solution 1. The better question is why bother? And I think most people won't, which means it will be rare. Which again means software will not be expecting it.

      With IPv4 NAT is so prevalent that all software knows how to do NAT traversal. With IPv6 NAT will be so rare that most software will not be implementing NAT traversal. For sure no software currently has that feature for IPv6. Things like STUN are not even defined for IPv6.

      NAT66 might have specialized uses. I am not arguing that it should not exist. I am only arguing that it will be uncommon and that if you are considering it, you might want to ask the experts for other solutions before you go ahead. There might be something really simple, like the fact that they built automatic failover into the protocol itself. A fact few people know.

      The built-in automatic failover works like this:

      Your computer monitors traffic to the router. If 30 seconds has passed without receiving anything from the router, the computer will probe the router three times (ping it) with 1 second delay between probes. If probing fails the computer will look for another router. The computer will use the prefix associated with the chosen router, so switching router also means using the other prefix. Active TCP connections can not survive this but the NAT66 solution has the same problem.

      The router also monitors upstream the same way. If upstream stops responding the router will withdraw the prefix from the network. This will in turn cause all computers to go look for another router.

      This makes pseudo-multihoming with IPv6 so easy that anyone can do it. My mother could do it. There is absolutely no configuration required. You do not even need to enable it somewhere or buy some special router. Just order from two different ISPs, connect the routers and you are flying. It might not be perfect but it will work for most people.

      For more advanced setups I am betting on LISP. This will be true multihoming with load-balancing. LISP is what will bring multihoming to everyone. I agree that BGP is too expensive and too hard.

    13. Re:IPv6 multi-homing status by Anonymous Coward · · Score: 0

      Automated failover for 1 is possible if you buy routers that support nsrp, or have another router with two weighted routes.

    14. Re:IPv6 multi-homing status by swalve · · Score: 1

      I think the idea is that ipv6 flattens the tree, so that routers can make more assumptions instead of having to "memorize" exceptions. Like the old classful routing. If I have a physical link, then I by definition have an administrative link, because addresses were allocated to make sure of that. With classless routing, just because I have a connection to 10.30.20, it doesn't necessarily mean I have a connection to 10.20.50. But with classful routing, I do know that.

      I think.

  9. REally.... by Lumpy · · Score: 3, Informative

    "The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed."

    Funny, the ones here do. In fact the last firebox update said it covered ipV6.

    What out of date garbage are people running out there that will not scan ipV6?

    --
    Do not look at laser with remaining good eye.
    1. Re:REally.... by Anonymous Coward · · Score: 0

      symantec

    2. Re:REally.... by Anonymous Coward · · Score: 0

      That's not network security... That's a toy from hasbro that silly people think actually does something.

    3. Re:REally.... by Anonymous Coward · · Score: 0

      Hardware routers, firewalls, and the like. The big boys like SonicWALL released updates to support and/or manage IPv6 traffic, but the older things... good luck.

    4. Re:REally.... by gman003 · · Score: 1

      What out of date garbage are people running out there that will not scan ipV6?

      Norton '95.

    5. Re:REally.... by Anonymous Coward · · Score: 0

      Truth be told, SonicWall doesn't actually support IPv6 (at least when i looked 6 months ago). It will function as a stateful IPv6 Firewall but all those other "fancy" features people rave about......nope, no luck there.....

    6. Re:REally.... by jandrese · · Score: 1

      Symantec's IPv6 support was recently upgraded from broken to incomplete.

      --

      I read the internet for the articles.
    7. Re:REally.... by jrumney · · Score: 1

      Network security devices that don't support IPv6 don't scan IPv6. How anyone is going to turn on IPv6 on such a device is anyone's guess. This is just pure FUD. Verisign is probably worried that their systems won't cope with a sudden onslaught of IPv6 traffic, so is trying to discourage everyone from switching at once.

    8. Re:REally.... by Anonymous Coward · · Score: 0

      "The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed."

      Funny, the ones here do.

      All the security devices made and sold by competent vendors support IPv6. This of course defines who is competent, not what supports IPv6. The real issue is that the IPv6 support in those devices isn't as well tested as the IPv6 support because nobody turns it on because of FUD from (presumably) incompetent vendors.

      Test your stuff, switch it on, stop worrying.

  10. why we need IPv6 by Anonymous Coward · · Score: 1

    a great article about why we need IPv6 : http://www.forbes.com/sites/firewall/2012/06/05/why-we-need-ipv6-now-and-what-it-means-for-network-security/

    The issue isn't just addresses. IPv4 was never meant to be a global business network. It is an experiment that was never turned off.

  11. I've had IPv6 for years by Anonymous Coward · · Score: 0

    I don't know why everyone is freaking out about remembering addresses... really really easy

    12-16 hex digits, That is it... assign static address after that.

    Mine: 2001:470:8xxx
    that is my /48
    then for my /64 networks, I use my VLAN ID

    2001:470:8xxx:vlan::1 == router
    2001:470:8xxx:vlan100::1 == router

    etc...

    easy

  12. Define "enable?" by Shoten · · Score: 2

    For example, when I look at Comcast's site, I see "When Comcast decided to participate in World IPv6 Launch, we committed to enabling at least 1% of our customers with IPv6 by June 6, 2012." So, how does that figure into the 60%? If there are 50 ISPs in the world, but Comcast has 5% of the subscriber base, is that 2% out of the 60%? Or is it 5%? Or is it .002%? I'm curious how this 60% number was calculated.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Define "enable?" by Anonymous Coward · · Score: 0

      60% of ISPs intend to enable IPv6

      The summary does not specify anything about how much of the customer base needs to be IP6ed to qualify the ISP. The link in the summary does not clarify either, although it does give a more detailed breakdown of where the IP6ing is happening.

      As for your % subquestion, count all ISPs, divide IP6ing ISPs by total count, find percentage. Ignore actual population details.

    2. Re:Define "enable?" by nxtw · · Score: 1

      I think ipv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with ipv6 DHCP support (and specifically DHCP6-PD for routers.) Most consumer routers that are currently deployed don't support IPv6 and some older ones that do might not work properly with prefix delegation. They may only enable it for modems that they have certified for IPv6.

    3. Re:Define "enable?" by Andy+Dodd · · Score: 0

      It seems like the threshold for an ISP to be part of the "launch" is for only 1% of their customers to have IPv6 service.

      Yes, you read that right - only 1%.

      Making this "World IPv6 Launch Day" nothing but a bunch of marketing hype so slacking internet service providers can make themselves look a lot better than they really are.

      1% of your customers isn't a launch - it's severely limited test marketing.

      --
      retrorocket.o not found, launch anyway?
    4. Re:Define "enable?" by slamb · · Score: 2

      I think ipv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with ipv6 DHCP support (and specifically DHCP6-PD for routers.)

      More or less. The Comcast blog says "To meet this goal, we launched and enabled IPv6 in over one-third of our broadband network ... we observe roughly 5% of users can take advantage of this. That percentage can increase dramatically if vendors act to enable IPv6 by default in software updates for existing devices and in newly shipping devices."

      From what I saw on some Comcast page recently (which I can't find again, sorry), there's no prefix delegation yet, although they claim it's coming.

      FWIW, I seem to be in the 1/3rd. Today I switched my Netgear WNDR3800's Advanced/IPv6 setting to "Auto Config" (as opposed to "Auto Detect", which uses 6to4...ugh) and it (somewhat oddly) doesn't show a WAN IP but does show a LAN IP of 2601:9:yadda:yadda:yadda/64. Seems to actually work, and once I disconnected my Mac from the wireless network and reconnected, it had an IPv6 address as well in the same subnet. "ping6 www.google.com" works with round trip times around 20 ms, and Chrome actually uses IPv6 - www.comcast6.net says my IPv6 address at the top of the page where it used to say my IPv4 address.

    5. Re:Define "enable?" by slamb · · Score: 1

      Today I switched my Netgear WNDR3800's Advanced/IPv6 setting to "Auto Config" (as opposed to "Auto Detect", which uses 6to4...ugh) and it (somewhat oddly) doesn't show a WAN IP but does show a LAN IP of 2601:9:yadda:yadda:yadda/64. Seems to actually work

      It looks like picking "DHCP" also works...sort of. There's the important caveat that OS X apparently doesn't support DHCPv6. If I set my "Internet Connection type" to "DHCP", the laptop I'm typing on doesn't get an IPv6 address with the "LAN Setup" set to either choice, "Use DHCP Server" (unsurprising) or "Auto Config" (which maybe requires the upstream to be using "Auto Config" as well? that smells like a bug in my router's firmware rather than anything more fundamental). So WAN Auto Config / LAN Auto Config is the way to go for me, for now.

    6. Re:Define "enable?" by slamb · · Score: 1

      Ahh, not quite right. My Netgear router creates two wireless networks, a 2.4 GHz one and a 5.0 GHz one. IPv6 only works on the 5.0 GHz one; perhaps with prefix delegation unsupported by Comcast and possibly also by my router, they had to choose just one. (Though for IPv4 it uses the same subnet for both...I suspect if the firmware were a bit more sophisticated, the same might be possible for IPv6.) If I'm on the correct wireless network, IPv6 works regardless of how the Netgear is configured - DHCP vs SLAAC on the WAN, DHCP vs SLAAC on the LAN. But if the router uses DHCP, it gets a different subnet than with SLAAC. The laptop uses SLAAC regardless, and it seems to be something just passed through from Comcast rather than provided by the Netgear, as the laptop always uses the SLAAC subnet provided by Comcast rather than whatever subnet the router is using.

    7. Re:Define "enable?" by Anonymous Coward · · Score: 0

      My home computer is on AT&T U-Verse network (Motorola NVG-510 router) and I was surprised that today both ping6 worked and www.comcast6.net showed my IPv6 address. We are already living in the future!

    8. Re:Define "enable?" by rhook · · Score: 1

      Lucky you. The U-Verse 2Wire equipment I got is ipv6 compatible but no firmware is out for it that supports IPv6.

    9. Re:Define "enable?" by slamb · · Score: 1

      The future is buggy. :-( I just had to disable IPv6. It seems that the Netgear WNDR3800 V1.0.0.32 firmware is buggy: when IPv6 is enabled, it adds its LAN-side link-local address to my /etc/resolv.conf, and I can't ping6 it. With 1 working DNS server (its LAN-side IPv4 address + its LAN-side link-local IPv6 address), browsing the web is pretty flaky.

      If by any chance a Netgear developer reads this, see freshly-filed support case 18723430...

    10. Re:Define "enable?" by Just+Some+Guy · · Score: 1

      I signed up with Comcast a month ago. When I got home last night, I configured my Airport Extreme to work as an autoconfigured IPv6 router. After rebooting it, my laptops had native IPv6 addresses. I was kind of embarrassed of how geekily excited that made me.

      --
      Dewey, what part of this looks like authorities should be involved?
  13. Re:It will be a pain in the ass to remember... by zill · · Score: 5, Funny

    "Google" won't help him. He needs to go to 74.125.226.64.

  14. Is there a list of ISPs... by John+Hasler · · Score: 1

    ...that are going to enable IPv6 for all customers by the end of 2012? Does it include CenturyTel?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:Is there a list of ISPs... by Anonymous Coward · · Score: 0

      centurytel? those pathetic inbred swamp dwellers? not a fucking chance.

  15. Re:Do not want by Chrisq · · Score: 1

    I will not use it at my home. I have an IPv4 address, and always will.

    I'm still hanging on to NCP you insensitive clod!

  16. Re:It will be a pain in the ass to remember... by Anonymous Coward · · Score: 2, Insightful

    Thanks smartass, but some of us who run large scale networks and use computers for more than porn and Facebook need to access things by IP, need to be able to look at a routing table and have it mean something, need to look at traffic capture and know what we're looking at, and about a million other ways in which I use IPs on a daily basis. Doing a reverse lookup for every goddamn IP I ever see would be completely impractical. I do recognize the need for it, and realize it's going to happen eventually, but for a lot of us, the non humanreadability of IPv6 is a massive massive headache. Hopefully I'll be out of this shit industry before it becomes prevalent.

  17. Working great here for 1yr by Fez · · Score: 1

    I've been using IPv6 via he.net tunnels on pfSense 2.1 for over a year now, and it's working great.

    Really happy to see my Netflix streaming going over IPv6 this morning, too.

    1. Re:Working great here for 1yr by daniel23 · · Score: 1

      Had to look into my tunnelbroker.net account: it's already 4 years of running it. About once a year there is some hiccup at their Frankfurt node, I'll write a mail to their support stuff then and about 20 mins later some friendly supportnic asks me to check if I can still repro the problem...
      And free dns server (ipv6-ready, with glue records), and free ipv6 training & certification - HE has been really helpful for me,

      --
      605413? Yes, it's a prime.
  18. Re:It will be a pain in the ass to remember... by Thud457 · · Score: 1

    ixnay on the ostshay ilefay talk!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  19. Re:It will be a pain in the ass to remember... by Creepy · · Score: 1

    you don't even need large scale networks - I need to remote desktop to VMs on a LabManager server - currently every single one of those is an IPv4 IP and I don't think we'll switch to IPv6 anytime soon, but I dread the day we do, since currently all I really need to do is remember the last number and have the first three memorized (the IPv6 auto generation by MAC address will likely make me have to memorize more or all of the IP). All of these are accessed by IP and all of these require hand editing files and injecting the IP into them (so they correctly serve client machines outside of the VM, and these have to be outside the VM because they need hardware graphics acceleration on the head).

  20. Re:It will be a pain in the ass to remember... by christianT · · Score: 0

    You are welcome to leave at any time. We won't be sad to see you go. I heard McDonalds is hiring burger flippers. You may be qualified for that.

  21. Re:It will be a pain in the ass to remember... by pe1rxq · · Score: 1

    Wait.... you are running a 'large scale network' and looking at packet captures... yet are unable to have your tooling do the reverse lookup automatically?

    --
    Secure messaging: http://quickmsg.vreeken.net/
  22. Re:It will be a pain in the ass to remember... by unixisc · · Score: 1

    For such things, it would only be a 64-bit address you'd be looking at, since half the address falls within subnets. So if one wants to check up routing tables, then only the top half of it is what would matter.

  23. Re:It will be a pain in the ass to remember... by DarkOx · · Score: 5, Informative

    You have many options, DHCP6, you don't have to use autoconfigure you can still assign all nice consecutive addresses to each machine if you like. Setup DNS that actually works and use the host names. Best yet and actually probably the easiest to do and still be secure both (dhcp6 server can do the DNS updates so the hosts don't need to).

    This is not that difficult, and if you think it is you are in the wrong industry.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  24. Re:It will be a pain in the ass to remember... by saveferrousoxide · · Score: 1

    You could define your subnets to be 120 bits so you only have to remember the 8 bit number at the end (like now) or you could use the IPv4 in IPv6 notation (x:x:x:x:x:x:d.d.d.d) which is not so different really from using 120 bits as your subnet prefix.

  25. Need IPv6 at home? by aglider · · Score: 1

    Run OpenWRT on your router, then.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Need IPv6 at home? by synapse7 · · Score: 1

      I'm trying to decide if I'm being overly paranoid running some kind of scripted firewall or if I should just use client firewalls which I hate, for some reason.

  26. Fun addresses by Powys · · Score: 2

    $> dig facebook.com aaaa

  27. Re:It will be a pain in the ass to remember... by Anonymous Coward · · Score: 1

    You're doing it wrong if you're flipping burgers at McDonalds. They switched to timed hot presses a while ago.

  28. Re:It will be a pain in the ass to remember... by daniel23 · · Score: 5, Informative

    This is IPv6 Launch day. He needs to go to 2a00:1450:4016:801::1000

    --
    605413? Yes, it's a prime.
  29. Re:It will be a pain in the ass to remember... by DigiShaman · · Score: 1

    but for a lot of us, the non humanreadability of IPv6 is a massive massive headache.

    There's an app for that.

    Google Fu KICK!!! Ha haaa

    --
    Life is not for the lazy.
  30. If Nagios fails to ping google.. by RaBiDFLY · · Score: 2

    ..or other hostnames with AAAA records:

    Add -4 to ping_check command, restart nagios and carry on.
    Dan

  31. IPv6 Gateways look forward by Anonymous Coward · · Score: 1

    To the dozens of new hosts worldwide.

  32. pFSense support for IPv6? by unixisc · · Score: 1

    I'm glad to see you mention that. While under the FreeBSDs, Monowall has supported BSDs for a while, the same hadn't been true about pFSense. I wanted to know whether pFSense 2.1 supports IPv6 or not. Checking out their site, it stated

    Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

    We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

    IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.

    Incidentally, which version of FreeBSD does pFSense 2.1 correspond to?

    1. Re:pFSense support for IPv6? by Fez · · Score: 1

      [Disclaimer, I am a pfSense developer, employee, and book author so I'm a bit biased] :-)

      pfSense is based on FreeBSD 8.3 with quite a few things patched in the kernel and base system. We've been doing quite a lot of work lately on getting the last few bits of IPv6 going along with some other features we have in the chamber for 2.1. IPv6 support is the main focus of pfSense 2.1 so changes in other areas have happened but they have been minimal in comparison.

      Here is a spreadsheet covering the current status of IPv6 in various areas of pfSense. Some of those will have to wait for pfSense 2.2.

      We just got one key feature holding back 2.1 from being released solved, and there are a few more bugs left but progressing rapidly.

    2. Re:pFSense support for IPv6? by unixisc · · Score: 1

      When will pFSense 2.2 be out? And will it still correspond to FBSD8.3, or 9? Also, in FBSD9, there is an IPv6-only option that can be installed, so that developers can test whether their applications really work w/ IPv6. Would any version of pFSense have that, just in case anybody wanted an IPv6 only router and firewall but not any IPv4?

      Also, would pFSense come w/ a built in DHCP6 server?

      P.S. Typo in my GP post - I should have said 'Monowall has supported IPv6 for a while'

    3. Re:pFSense support for IPv6? by Fez · · Score: 1

      When will pFSense 2.2 be out? And will it still correspond to FBSD8.3, or 9? Also, in FBSD9, there is an IPv6-only option that can be installed, so that developers can test whether their applications really work w/ IPv6. Would any version of pFSense have that, just in case anybody wanted an IPv6 only router and firewall but not any IPv4?

      2.2 will be a bit far out yet, not sure. We'll be targeting FreeBSD 9.1 or so for that. We wanted to be on 9.x for pfSense 2.1 but we had far too many issues and backed down to 8.3 which was much easier to adapt. Since 2.0 took so long to get out, we decided to try and do more frequent releases, about every 6 months or so. That's slipped a bit, but we have had some security releases for 2.0.x since 2.0 came out (2.0.2 is coming out in 1-2 weeks) so it hasn't looked like such a long gap as we had between 1.2.3 and 2.0. Using that logic, I'd expect 2.2 sometime before or near the end of the year. It depends on what all we decide to add for it.

      If you want IPv6 only, you can do that on pfSense 2.1 now. We have a developer that has a v6-only circuit in .nl and pfSense 2.1 is routing it fine, that's how we've debugged some of the issues. If you want v6 only, you can configure only v6 IP's on interfaces (and set v4 to 'none') or block v4 in firewall rules. What FreeBSD 9 does better there is that you can completely remove it at the OS level as well for things like localhost, which isn't quite so important in a routing role as it would be for a client platform.

      Also, would pFSense come w/ a built in DHCP6 server?

      Sure, it does Router Advertisements as well as DHCPv6, and they can be configured to work complementary to each other. Of course since it's wrapped in a GUI there may be certain scenarios you can't do (yet) with DHCPv6 but most things that most people want to do are possible.

  33. Re:It will be a pain in the ass to remember... by bbn · · Score: 2

    That thing is broken. Even the default value is transformed wrong. It transforms 127.0.0.1 to 0::7f00:1 but the correct answer is ::1. Then it transforms ::1 to 0.0.0.1. And 0.0.0.1 becomes 2002::1 (WTF?).

    What good is it if it does not know about the special cases?

  34. Re:It will be a pain in the ass to remember... by Anonymous Coward · · Score: 0

    You do realize that inside of a subnet, just like with ipv4, only the very last part of the number actually changes, so if you're able to make sense of the numbers for one, the other isn't that big of a difference?

    Seriously, all it takes is a bit of practice, and a willingness to try, rather than "I fear change, and I shall keep my bush."

  35. Re:It will be a pain in the ass to remember... by Anonymous Coward · · Score: 0

    You really know how to do this - you're an ex-employee of the month at McDonald's?

  36. Re:It will be a pain in the ass to remember... by petermgreen · · Score: 1

    I think the simple answer is if you need to address a machine by IP you shouldn't be using stateless autoconfiguration for it. IMO stateless autoconfiguration should be used only for client machines where it doesn't matter much that the address is hard to remember or that the address changes when the network card is replaced.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  37. Come on slashdot by Anonymous Coward · · Score: 1

    Why isn't /. participating ?

  38. Re:It will be a pain in the ass to remember... by bobcat7677 · · Score: 1

    What you meant to say is that "there are workarounds for the difficulties". Any way you slice it, it is still a PITA...either to deal with it directly or implement the workarounds. I wish they could have come up with a more sane implementation.

  39. Re:It will be a pain in the ass to remember... by bn-7bc · · Score: 0

    Or you are free to actually configure ipv6 addresses manually, so people would only need to memorise a prefix and the last 2-4 characters:

    Prefix: 2001:0DB8:D:1::/64
    VM1: 2001:0DB8:D:1::100
    VM2: 2001:0DB8:D:1::101
    etc.

    OK, a bit more to remember, but the users you referred to only have to learn the prefix and the part after the last ":".

    Will your users grumble a bit? Yes, people don't really like change. Will they cope? My guess is yes, a few will have problems the first week or so but after that .....

  40. Re:It will be a pain in the ass to remember... by WaffleMonster · · Score: 2

    Those long IPv6 addresses are a pain in the ass to remember. So, I'm not looking forward to this.

    Use the for..err dns... or manually select your 64-bits of id and things aint soo bad.

    It's auto-configured SLAAC addresses which are impossible to remember but it need not be that way if you don't want it to.

    Use manual configuration or DHCPv6 to assign reasonable addresses.

    Some lucky stiffs have IPv6 addresses shorter than anything possible with IPv4.

    Sprint for instance...
    http://2600/

  41. IPv6 home router? by Anonymous Coward · · Score: 0

    Ok, which home router supports IPv6? Does it support IPv6 WIFI?

    I go to Frys, and mention which router supports IPv6 for both internet and Wifi - all I get is a blank stare.

    1. Re:IPv6 home router? by Fez · · Score: 1

      Anything you can put *WRT or similar on can do it (as others have mentioned in this post). Or if you want to run a software firewall on some spare hardware, pfSense (2.1 beta), m0n0wall, and some others support IPv6 also.

      I have seen some ZyXel routers that had IPv6 support in their GUI, which gives me hope. Though I don't recall the specific model. Wikipedia and Sixxs have lists of routers that do support IPv6 out of the box.

    2. Re:IPv6 home router? by heypete · · Score: 1

      The new Linksys E-series home routers do (my folks have an E3200 which works fine). I've seen some Netgear ones on the shelf at local shops that have IPv6 support listed on the box.

      I have a WRT54GL running Shibby's Tomato firmware mod with IPv6 GUI support, and that works great.

    3. Re:IPv6 home router? by Just+Some+Guy · · Score: 1

      Airport Extreme supports it out of the box, and routes IPv6 over Wi-Fi.

      --
      Dewey, what part of this looks like authorities should be involved?
  42. Re:It will be a pain in the ass to remember... by WaffleMonster · · Score: 1

    Some lucky stiffs have IPv6 addresses shorter than anything possible with IPv4.

    Sprint for instance...
    http://2600/

    Ok you know what if slashdot insists on living in the past and sitting on its thumb when it comes to IPv6 deployment so be it...but for godsake munging valid IPv6 URLs into invalid IPv4 addresses is crossing the line.

    I entered 2600:: and slashdot posted 0.0.10.40...

  43. Re:It will be a pain in the ass to remember... by KiloByte · · Score: 2

    He needs to go to 2a00:1450:4016:801::1000

    That's not a correct URL. You need to enclose it in brackets for any uses that don't expect a bare IP address. Oh, and Slashcode destroys IPv6 literals in <a>.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  44. Re:It will be a pain in the ass to remember... by KiloByte · · Score: 1

    Except that thanks to IPv6 you will have one IP per server to memorize (and this means you can put it in DNS). It's only in IPvCrap that you need to manually configure layers upon layers of VPNs just to connect to something in a remote network.

    IPv6 is the final solution to the NAT question.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  45. Re:It will be a pain in the ass to remember... by Bengie · · Score: 2

    All of my Datacenter admin friends told me how wonderful IPv6 is to setup and manage. They told me that they wish IPv4 would just die already. Large network admins love IPv6, other than the learning curve and setup, because routing is clean again.

  46. Varying links by unixisc · · Score: 1

    Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

    I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

    • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
    • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerability my wireless network gives me. I'll be able to do even better once I split off to two SSIDs, one for guests and one for trusted users; guests wouldn't get access to any of the rest of the network.

    This I agree w/, and I think that ISPs could probably have a 3 tiered choice to offer customers:

    • /128 service, where a home has only one computer, or only a need for a single computer to be publicly connected
    • /64 service, where the connection goes into a single router, and all the devices in that household are connected to that network
    • /60 service, where a customer gets 16 subnets, and can use different ones for things like wired vs wireless, multiple SSIDs, or low bandwidth vs high bandwidth connections

    On this issue, I've argued that the IPv6 address space has been less than optimally allocated. They allocated the first 48 bits for global prefix, next 16 for subnet, and remaining 64 for the interface ID. In the meantime, for features like multihoming, /32 or lesser addresses are needed. That puts a squeeze on the upper half of the address space, host density ratio arguments notwithstanding. Instead, had the first 64 bits been totally dedicated to the global prefix, the next 16 or 32 bits to the subnet and the last 48 or 32 bits to the interface ID, it would have been far more optimal. The first word would have still been fixed, the next 2 words could have been used for things like PI addresses and so on, while the last word would have been given to the ISPs.

    That way, ISPs could give their customers anything from 16 to 65536 addresses w/o feeling the pinch. If 32 bits were assigned to the interface ID, it would be plenty, since no network is likely to ever have that many nodes. It would allow for hierarchical subnetting. OTOH, if the entire 48 bits were desired for ethernet autoconfiguration, the subnet could have been just 16 bits, and still been plenty.

    1. Re:Varying links by Short+Circuit · · Score: 1

      Just curious: Where do you fit privacy extensions in that scheme?

    2. Re:Varying links by unixisc · · Score: 1

      Privacy extensions would work just like in the previous cases - take the interface ID, randomize it and give it a fixed lifetime. That is one implementation. Another, which I would think would work as well, would be to take an autoconfigured address, then mask some of the bits (so that it cannot be used to determine things like the Layer 2 address of the host) and then use that permanently, if a static IP was desired.

      But better still, I'd just use DHCPv6 whenever possible, so that the address assignment policies can be laid out independently of any autoconfig algorithms.

    3. Re:Varying links by Short+Circuit · · Score: 1

      To begin with, DHCPv6 runs counter to privacy extensions. That rather sucks. Also, I recommend actually reading RFC 4941. There's more to privacy extensions than it appears you realize.

      It's also worth noting that those 16 bits between your MAC address and the width of a /64 are used for encoding type information. That makes it a useful diagnostic, and not something to be discarded lightly.

    4. Re:Varying links by unixisc · · Score: 1

      Why - in DHCP6, can't one, like in DHCP4, set an address to expire after time t, as would be the case w/ dynamic IP addresses? The privacy extensions in IPv6 don't create static IPv6 addresses - what they do is make what might be a permanent address under EUI-64 a temporary address. If one wants to assign any static addresses in DHCPv6, one can - they'd be like setting it manually. Also, those 16 bits are for assigning subnets. If one wants to encode type information or other things, one can. At any rate, I never suggested getting rid of them, I suggested moving them to the lower half of the address, and possibly even expanding them.

    5. Re:Varying links by Short+Circuit · · Score: 1

      First, using a centralized box to continually shuffle client IP addresses adds a significant degree of complexity; you're either adding moving parts to an otherwise static system, or you're forcing existing moving parts to move much faster.

      Neither is a good idea.

      Second, IPv6 privacy extensions work by generating a permanent IP, as well as one or more temporary addresses that are used for outbound connections, and those temporary addresses are deprecated, expired and generated by the host itself...but it still keeps a permanent address. (Windows Vista and 7 use a full random permanent address, but other stacks use deterministically-generated permanent addresses.)

      Third, the 'type' information I was referring to discusses how the IPs are generated. You can tell a SLAAC IP from a privacy-extension IP just by looking at them. That's different from keying on subnet.

  47. Re:It will be a pain in the ass to remember... by compro01 · · Score: 5, Insightful

    IPv6 is the final solution to the NAT question.

    Now we just need a cure to the people who have been beating their heads against a wall long enough that they think that NAT is/was a good thing.

    --
    upon the advice of my lawyer, i have no sig at this time
  48. Re:It will be a pain in the ass to remember... by IAN · · Score: 5, Informative

    Doing a reverse lookup for every goddamn IP I ever see would be completely impractical.

    Hyperbole much? Recognizing IPv6 addresses is not that different from recognizing IPv4 ones, especially if you assign local parts manually, which you should do for the servers instead of relying on autoconfiguration, for reasons which should be obvious. So, 2001:db8:0:1001::4 is...?

    • 2001:db8::/32 is your organization's prefix. You're supposed to know it by heart.
    • 0:1001 is, say, Accounting. You know your network's addressing plan, right?
    • ::4 is their print server.

    With a bit of practice, parsing the IPv6 addresses you deal with frequently will become second nature. If it doesn't, then maybe you're not such a hot network admin.

  49. Re:Do not want by HappyPsycho · · Score: 1

    If you used DHCPv6 to hand out addresses and your machine just magically pulled IPv6 instead of IPv4 them and your connection "Just worked" why would you care which protocol was being used? This will cover 90% of home installs and is still quite simple, fc00::1 doesn't seem that much more complicated than 192.168.0.1, gives you a lot more breathing room too (http://en.wikipedia.org/wiki/Private_network#Private_IPv6_addresses)

    Also I highly doubt your ISP will give you a full publicly routable subnet (not initially anyway), that would cut into the business segment of sales. You run whatever you want internally and IPv6 runs on the CPE to talk to the internet. It will make sense to switch your internal network to IPv6 once the list of services only available over IPv6 starts to grow, not like you are losing access to anything, IPv4 is accessible via IPv6 but not vice-versa.

    The problem is the services can't move first otherwise they lose customers (and also have to run dual stack for a while), so the stalemate will continue until the consumers are unable to get v4 addresses. The good news is this will hit consumers before it hits web site operators because ISPs require wayy more address space than hosting services use (simple one server to many clients dynamic). Hosting providers have more options to deal with the issue as well because they know what traffic is using their ips (reverse proxies, etc.), no carrier wants to run large scale NAT if it can be avoided (the stateless nature of routing is what allows it to scale).

  50. Re:It will be a pain in the ass to remember... by Anomalyst · · Score: 2

    I have to wonder, how useful is a network of large scales really? Unless you're verifying the weights of trucks in convoys.

    --
    There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
  51. Re:It will be a pain in the ass to remember... by Anomalyst · · Score: 1

    the hex makes it easier to make words in statically-assigned addresses.

    This message brought to you by the DEAD BEEF CAFE

    --
    There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
  52. Re:It will be a pain in the ass to remember... by lister+king+of+smeg · · Score: 1

    can't you just use ipv4 internally and save ipv6 for external? or you could assign them both an ipv4 and ipv6 addresses? i mean i realize that ipv4 has a limited number of available addresses but for internal use i doubt that you would run out well ever in the conceivable future.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  53. Re:It will be a pain in the ass to remember... by jgrahn · · Score: 1

    What you meant to say is that "there are workarounds for the difficulties". Any way you slice it, it is still a PITA...either to deal with it directly or implement the workarounds. I wish they could have come up with a more sane implementation.

    If you see DNS as a workaround ... then, yes.

  54. Some solutions: by JSBiff · · Score: 4, Interesting

    Well, others have already mentioned some, but let's try to get a list of possible solutions to this problem listed:

    * DNS, access machines by name
    * For frequently accessed machines, assign "short numbers", e.g.
    1234:5678::25 (where 1234:5678 is your IPv6 prefix). For a little bit of added convenience, assign your network prefix to an environment variable, and you can, e.g.

    $ ping ${IP6_Prefix}::25

    * Run IPv4 *internally* as well as IPv6, then you can access machines on the local network using the EXACT SAME IPv4 private network addresses you've been using for the last 20 years. IPv6 is most useful for accessing hosts on OTHER networks on the global internet, no reason you can't use IPv4 for internal networking.

    * If you use IPv6 auto-config based on Mac addresses, and you have a database of mac addresses on your network, I bet vendors will be releasing tools which allow you to automatically parse out the mac address from an IPv6 and show you which machine the address belongs to. That's good enough for machines you don't need to frequently lookup (like individual workstations of employees). For servers, printers, etc, assign "short numbers" as described above, in blocks (e.g. routers and switches might be ::1 through ::100, printers ::200-::300, servers ::500-::600, etc.), then you just have to remember what the short numbers of frequently used devices are.
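
Added example, not part of the comment above and not any vendor's tool: one way to recover the MAC from a MAC-derived (modified EUI-64) autoconfigured address and to label "short number" addresses by role block. The inventory entries, the role blocks' use as hex ranges, and the function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of the address: the interface ID

# Constructed sample data, not from the thread: a MAC inventory and the
# "short number" role blocks suggested in the comment (::1-::100 and so on).
INVENTORY = {
    "00:1b:21:3a:4f:9c": "ws-accounting-07",
    "52:54:00:12:34:56": "vm-build-02",
}
ROLE_BLOCKS = [
    (0x1, 0x100, "router/switch"),
    (0x200, 0x300, "printer"),
    (0x500, 0x600, "server"),
]


def mac_to_iid(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle and flip the U/L bit."""
    b = bytes(int(part, 16) for part in mac.split(":"))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def iid_to_mac(iid: int):
    """Inverse of mac_to_iid; returns None when the ff:fe marker is absent."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


def describe(addr: str):
    """Return (kind, mac, label) for one IPv6 address seen in a capture or log."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    mac = iid_to_mac(iid)
    if mac is not None:
        # A random interface ID can contain ff:fe by chance (1 in 65536),
        # so an inventory miss is reported rather than silently trusted.
        return ("eui-64", mac, INVENTORY.get(mac, "not in inventory"))
    for low, high, role in ROLE_BLOCKS:
        if low <= iid <= high:
            return ("short-number", None, role)
    # Temporary (privacy) addresses, DHCPv6 leases and other manual choices
    # cannot be told apart from the bits alone.
    return ("opaque", None, None)


if __name__ == "__main__":
    # Constructed addresses under the 2001:db8::/32 documentation prefix.
    for sample in (
        "2001:db8:0:1001:21b:21ff:fe3a:4f9c",
        "2001:db8:0:1001::210",
        "2001:db8:0:1001:a8f3:91c2:7d04:e5b1",
    ):
        print(sample, describe(sample))
```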

  55. Re:It will be a pain in the ass to remember... by Mitchell314 · · Score: 1

    The DNS is workaround for our memory-leak-ridden brain software. :P

    --
    I read TFA and all I got was this lousy cookie
  56. great. decade old tech finally out by NickGnome · · Score: 1

    Can you say sclerosis?

    A criticism from VerySlime is reason to adopt it, because it must mean it hampers at least some of their privacy violation schemes.

  57. Re:It will be a pain in the ass to remember... by Skapare · · Score: 1

    Indeed it is broken. I also found IPv6 is broken at BIT.LY, too :-(

    --
    now we need to go OSS in diesel cars
  58. And watch your latency rocket by JSBiff · · Score: 2

    Yeah, maybe things have improved, but I played with IP6 tunneling for a short time. It was kind of cool, but on IPv4, my typical ping times are 20-80ms to reach most hosts. On IPv6 with tunneling, the latencies were typically >100-300ms. Which, is mostly fine for web browsing, but sucks for other applications.

  59. Re:It will be a pain in the ass to remember... by Anonymous Coward · · Score: 0

    No, all of those examples are correct. There are no special cases.

    (Well, the last one might be odd if you didn't ask for a 6to4 conversion.)

  60. Re:It will be a pain in the ass to remember... by bryan1945 · · Score: 1

    You could, but I'd rather just get the pain over with earlier rather than later in switching over to 6. But I am a guy who likes to front-load his work, so... meh?

    --
    Vote monkeys into Congress. They are cheaper and more trustworthy.
  61. Re:It will be a pain in the ass to remember... by bbn · · Score: 2

    You, sir, need to read up a little on the subject: http://en.wikipedia.org/wiki/IPv6_address

    Let me simply quote a few things for you on that page.

    "::1/128 — The loopback address is a unicast localhost address. If an application in a host sends packets to this address, the IPv6 stack will loop these packets back on the same virtual interface (corresponding to 127.0.0.0/8 in IPv4)."

    So 127.0.0.1 should become ::1.

    Alternatively, if you do not want to actually use it for anything, it could be converted into the prefix:

    "::ffff:0:0/96 — This prefix designated an IPv4-mapped IPv6 address. "

    Instead it was translated into this:

    "The 96-bit zero-value prefix ::/96, originally known as IPv4-compatible addresses, was mentioned in 1995[38] but first described in 1998.[44] This class of addresses was used to represent IPv4 addresses within an IPv6 transition technology. Such an IPv6 address has its first (most significant) 96 bits set to zero, while its last 32 bits are the IPv4 address that is represented. In February 2006, the Internet Engineering Task Force (IETF) has deprecated the use of IPv4-compatible addresses."

    I did not ask for a 6to4 conversion but even if I did, it would be wrong: http://en.wikipedia.org/wiki/6to4

    "For example the global IPv4 address 192.0.2.4 has the corresponding 6to4 prefix 2002:c000:0204::/48."

    So 0.0.0.1 would be 6to4 translated into 2002:0:1:: but instead they made it 2002::1.

    So in fact, everything that happens on that page is simply broken.
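
Added example, not part of any comment in this thread and not the converter page under discussion: the address forms quoted above (IPv4-mapped, the deprecated IPv4-compatible form, and the 6to4 /48 prefix) built and classified with Python's standard `ipaddress` module. `normalise` and `is_blocked` are hypothetical helper names and the blocklist is constructed; they show why a log or ACL check should unwrap IPv4-mapped peers before matching.

```python
import ipaddress


def v4_mapped(v4: str) -> ipaddress.IPv6Address:
    """IPv4-mapped form under ::ffff:0:0/96."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def v4_compatible(v4: str) -> ipaddress.IPv6Address:
    """Deprecated IPv4-compatible form under ::/96."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """6to4 prefix: 2002 followed by the 32-bit IPv4 address, as a /48."""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((value, 48))


def classify(v6: str):
    """Return (kind, embedded IPv4 address or None) for an IPv6 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr.ipv4_mapped is not None:
        return ("ipv4-mapped", addr.ipv4_mapped)
    if addr.is_loopback:
        return ("loopback", None)
    if addr.is_unspecified:
        return ("unspecified", None)
    if addr.sixtofour is not None:
        return ("6to4", addr.sixtofour)
    if int(addr) >> 32 == 0:
        return ("ipv4-compatible", ipaddress.IPv4Address(int(addr)))
    return ("other", None)


def normalise(text: str):
    """Unwrap IPv4-mapped addresses so one peer has one representation.

    Dual-stack listeners commonly report IPv4 peers as ::ffff:a.b.c.d.
    """
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(text: str, blocklist) -> bool:
    """Match an address from a log line against a list of ip_network objects."""
    addr = normalise(text)
    return any(addr.version == net.version and addr in net for net in blocklist)


if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.4"))   # the 6to4 example quoted above
    print(sixtofour_prefix("0.0.0.1"))
    for sample in ("::1", "::7f00:1", "2002::1", "::ffff:192.0.2.4"):
        print(sample, classify(sample))
    # Constructed blocklist using the 192.0.2.0/24 documentation range.
    blocklist = [ipaddress.ip_network("192.0.2.0/24")]
    print(is_blocked("::ffff:192.0.2.4", blocklist))
```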

  62. IPv6 Infographic - usage in Top 1 Million Sites by hackertarget · · Score: 0

    I did this analysis back in March, here is a quick summary of sites found with AAAA records:
    * 1% of total sites
    * ~5% of sites in Germany and Russia
    * 0.38% of sites in the USA
    * 90% of sites are running Apache or Nginx
    * 4% of sites are running IIS


    In July, I am planning on a follow-up to see if there is any major change in the numbers.
    http://hackertarget.com/ipv6-in-top-sites-infographic/

  63. Re:It will be a pain in the ass to remember... by thePowerOfGrayskull · · Score: 1

    or even a hosts file if you must

    Are you TRYING to resurrect APK?

  64. VMs one of the best reasons for IPv6 by unixisc · · Score: 1

    you don't even need large scale networks - I need to remote desktop to VMs on a LabManager server - currently every single one of those is an IPv4 IP and I don't think we'll switch to IPv6 anytime soon, but I dread the day we do, since currently all I really need to do is remember the last number and have the first three memorized (the IPv6 auto generation by MAC address will likely make me have to memorize more or all of the IP). All of these are accessed by IP and all of these require hand editing files and injecting the IP into them (so they correctly serve client machines outside of the VM, and these have to be outside the VM because they need hardware graphics acceleration on the head).

    For this particular case, IPv6 is even better than IPv4. With IPv4, if you are already getting a NATed service, then there is no way you can assign new addresses to those VMs w/o another level of NATing. In IPv6, that's not even an issue - you can either configure DHCP6 to assign a certain set of addresses to the VMs that you create, or you could manually assign them yourself, but from the same network. So each VM would have its own direct link to the internet, whereas in IPv4, they are likely to be behind multiple NAT levels.

  65. Why were compatibility/mapped addresses deprecated by unixisc · · Score: 1

    Isn't IPv4 mapped address all but deprecated as well? Its support varies according to the platform. Incidentally, why were IPv4 compatible addresses deprecated? Seems like they could have been allowed as a shortcut way to assign addresses, particularly to those who wanted NAT. I also never understood the need to have both IPv4 compatible and IPv4 mapped addresses.

  66. Re:It will be a pain in the ass to remember... by unixisc · · Score: 1

    Right now, both are being supported in all operating systems, but at some point in the future, OSs are likely to want to not support such older protocols and may simply drop support for IPv4 altogether. At that point, one would have to use IPv6 for internal networks. Not to mention that Windows 7 uses IPv6 as its default internal IP protocol.

  67. Re:It will be a pain in the ass to remember... by unixisc · · Score: 1

    Actually, it should have been [2600::1] or whatever. Incidentally, 2600 belongs to ARIN, so if Sprint bought an entire /32 from them, that might explain it. Incidentally, I ran the above address in a whois on ARIN, and response came up blank. So it's questionable whether the entire 2600 has been assigned to Sprint.

  68. Re:It will be a pain in the ass to remember... by swalve · · Score: 1

    1- You don't have to use the IP autogeneration with the MAC address.

    2- All you have to do is have your clients tell the DNS server their name when they ask for an IP address.

    3- If you are putting ip addresses in by hand, you won't be rolling out ipv6 any time soon.

    4- There are things that ipv6 will confound, but naming shouldn't be one of them. Using bare IP addresses these days is as silly as using bare mac addresses.
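
Added example, not part of any comment in this thread: the MAC-based autogeneration discussed above (SLAAC with a modified EUI-64 interface identifier), shown in both directions, because an address built this way exposes the interface's hardware address to anyone who sees it. The prefix (documentation range 2001:db8::/32) and MAC (documentation range 00:00:5e:00:53:xx) are constructed sample values, and the function names are this example's own.

```python
import ipaddress

def mac_to_eui64_iid(mac: str) -> int:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device-specific half of the MAC.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Invert the universal/local bit of the first octet.
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return net[mac_to_eui64_iid(mac)]

def mac_from_address(addr: str):
    """Return the embedded MAC if the address looks EUI-64 derived, else None."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # manual, DHCPv6 or privacy address: no MAC to recover
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Constructed sample values (documentation prefix and documentation MAC).
    auto = slaac_address("2001:db8:0:1::/64", "00:00:5e:00:53:01")
    print("autoconfigured:", auto)
    print("MAC recovered :", mac_from_address(str(auto)))
    # A short, hand-assigned address in the same /64 carries no MAC.
    print("manual address:", mac_from_address("2001:db8:0:1::10"))
```

Run over an address inventory, `mac_from_address` shows which hosts still use MAC-derived identifiers; manually assigned or DHCPv6 addresses return `None`.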

  69. Re:It will be a pain in the ass to remember... by swalve · · Score: 1

    I was at a restaurant that tested one of the new types of those clamshell grills. It was a huge pain in the ass to those of us who were really good at the old way. But the kids liked it and they give much more consistent results. A bitch to clean though.

  70. Re:Why were compatibility/mapped addresses depreca by swalve · · Score: 1

    I think because of the routing problem.

  71. Re:It will be a pain in the ass to remember... by unixisc · · Score: 1

    Now, if only I had a list of all 4 or fewer letter words that only used A-F ;-)

  72. ISPs are already giving routable subnets by eladts · · Score: 1

    to their customers, for example Comcast is already doing that. Otherwise, there is not much point in IPv6.

  73. Re:It will be a pain in the ass to remember... by grimm26 · · Score: 1

    Boy, I miss the good old days when I could just tell the operator a 4 digit phone number and they would connect me. Now we have area codes that overlap and my neighbor could have a completely different area code and exchange than I do! Now I have to remember 10 digits and type them in myself!

  74. Re:It will be a pain in the ass to remember... by Anonymous Coward · · Score: 0

    Humans have different needs than computers. It's almost like we need a table of easy to remember names that can be used to look up IP addresses automatically by a computer. Then that table needs to be distributed automatically to all the ISPs in the world. That'll never happen. Sounds impossible.

    Oh, how smart you are. How about connecting to a PC on the local network? Or, like, to many local servers on which you have to deploy stuff?
    Even now it is rare for them to have a DNS name assigned to them ...