After Launch Day: Taking Stock of IPv6 Adoption
darthcamaro writes "So how did World IPv6 Launch go? Surprisingly well, according to participants at the event. Google said it has seen 150% growth in IPv6 traffic, Facebook now has 27 million IPv6 users and Akamai is serving 100x more IPv6 traffic. But it's still a 'broccoli' technology. 'I've said in the past that IPv6 is a 'broccoli' technology,' Leslie Daigle, CTO of the Internet Society said. 'I still think it is a tech everybody knows it would be good if we ate more of it but nobody wants to eat it without the cheese sauce.'" Reader SmartAboutThings adds a few data points: "According to Google statistics, Romania leads the way with a 6.55% adoption rate, followed by France with 4.67%. Japan is in third place so far with 1.57% but it seems here 'users still experience significant reliability or latency issues connecting to IPv6-enabled websites.' In the U.S. and China the users have noticed infrequent issues connecting to the new protocol, but still the adoption rate is 0.93% and 0.58%, respectively."
What a terrible metaphor. Everyone knows that IPv6 is closer to a Brussels Sprout.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
http://blogs.voxeo.com/speakingofstandards/2011/05/22/fun-with-ipv6-addresses-check-out-facebooks-aaaa-record-in-dns/
On the consumer front only just recently did home WiFi routers start shipping or start getting IPv6 support, even then finding an ISP that will provision you is next to impossible.
On the enterprise front gear has been labeled as IPv6 ready or compatible or even listed it as a feature for a long time. However, if you work in security and have to implement policy control over content, you quickly see that the functionality is years behind when applied to IPv6 flows... At an enterprise level switching isn't easy without swapping out a lot of gear, or reducing expectations... IPv6 enabled deep inspection, and application layer inspection tools are only now becoming available, or only now becoming mature enough to roll out.
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
NAT isn't a security feature, that was a consequence of it breaking things to try and patch a bandaid fix on the problem IPv6 solves.
How many IPv4 NAT routers are out there? How many of the big ISPs turned it on (or will by 'end of the year')?
Take my ISP for example (a pretty big one). They are just talking about turning it on this year 'by the end of the year' (which is marketing speak for next year).
Then how many consumer grade routers out there can you buy that are still only IPv4 (a lot btw). You have to go out of your way to get something with IPv6; you need to know exactly which router to get. You even had one decent sized manufacturer yank the feature out for all intents and purposes, so be careful which firmware you are running... Sure you can flash the firmware on many to get it. But what a pain. I don't feel like playing root my wireless access point to get a feature which should ALREADY be included... In 2005 this was understandable. In 2012 not so much anymore...
Then we can talk about the devices themselves. There are thousands of embedded devices out there sold within the past 2 years that ONLY do IPv4. TVs being the worst of the offenders... Bought a network enabled Blu-ray a couple of months ago. IPv4 only... And both of these devices are from major manufacturers...
the tl;dr ver 'it will take time not enough devices that support it yet'.
Calling IPv6 broccoli is a horrible analogy. IPv6 is chocolate, vanilla, cake, topped in cheese sauce. The only reason it is not being widely used is that IPv4 is working for the vast majority of people and they are not willing to invest time or money on equipment in switching to IPv6. Hopefully, this will change.
The day my ISP and my home hardware (MacOSX, Roku, iPhone, Android) support IPv6, I am using it.
Linux O Muerte!
I don't know much about IPv6. Does it not allow private networks?
I read TFA and all I got was this lousy cookie
I wonder how a quick fix approach would have been accepted. Something simple like slapping another 32bits on an "extended" IPv4 address and assuming leading zeros on any packet with an old 32 bit address.
I really tried. I tried versions of DD-WRT, OpenWRT, and Tomato on my WRT54GL. I tried using 6to4 using both anycast and tunnelbroker. The best I managed to achieve with either method was successfully pinging ipv6.google.com. I never succeeded in pulling it up in a browser on any of my computers. I thought I got radvd working, but it must not have been working well enough. Maybe next year.
Insert self-referential sig here.
I bought a business connection from my local provider, asked my salesperson if they had IPv6, they said yes. Tried to set it up for World IPv6 day. Well, their tech support says no they do not have IPv6. So, that was my IPv6 day experience.
I thought it was sad that bing.com and yahoo.com did not return a v6 address yesterday.
I've never understood this concern. With IPv6 I have, say, 2^64 addresses to use. I could use a different source IP address for each and every HTTP request I send out. Even at 1000 requests a second we'll all be long dead before you had to reuse a source address.
IPv6 gives you loads of room to hide. This is my concern - address based blocklists will quickly become infeasible.
I'd like to know who's the users in China with IPv6. There's no provider, ADSL or otherwise, that provides IPv6. The only place where you could find IPv6 would be universities. And what's funny with it, is that it shows that the Great Firewall of China doesn't cope with v6 at all. All sites that would normally be blocked are wide open. So until the GFW is "patched", I don't think IPv6 will come. That's quite a shame, because I've read multiple times that the big ISPs backbones are already IPv6 capable.
Not quite. Your ISP still assigns you a /64 (typically) so all your requests would have to come from within that - and the other end could easily recognize this. The only real privacy implication of ipv6 is that it'd be possible for a server to tell via IP address which computer in a household a request came from, rather than just the house - so it could make different profiles for the teenage daughter to see lots of clothes and music ads while the mother gets lots of furniture and household products advertising. But even without ipv6, this is trivial anyway - it just needs to be done by cookies, which is how every major profile-building ad network does it already.
1 bil 64byte packets per second is almost 500Gbit/s, and that doesn't include the HTTP payload or the hand-shakes. You won't really need to worry about your IP addresses getting scanned until the average person has a 1Tb/s internet connection, even then you're talking about 500+years.
To make an effective scan of the first half of a /64, one would need ~54.5Pb/s of dedicated bandwidth between the two networks.
It's actually even better than that. The official recommendation is a /48 per end-site. As far as I have been able to tell, I think ISPs are generally following that. I had heard something about using /56 per end site for residential users. That still gives people plenty of room to have multiple subnets though.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
No, they won't. It would be more work for them to give out a single IPv6 address than to give out a block. The official recommendation for residential customers is a /56; in Comcast's trials so far they've been giving out /64s. That's 18,446,744,073,709,551,616 addresses for each home. I don't think you remotely understand the size of the IPv6 space. NAT will die.
It allows everything IPv4 did. People like the grandparent are just malfeasant temper-tantrum throwers screaming "I'll show you!"
Absolutely nothing forbids private networks (in fact, there's a massive fc00::/7 address space dedicated to roughly the same purpose as 10.*, 192.168.* etc with a bonus pseudorandom prefix to make VPN address collisions less likely).
Likewise, absolutely nothing forbids you from having a firewall that blocks incoming connections.
Just unplug your internet connection. Voila, a private network.
There is nothing interesting going on at my blog
There can be a real difference between "Can do IPv6" and "Can do IPv6 with realistic traffic." Most high end Cisco gear, even older stuff could be updated to support IPv6. However the problem is that it is all in software, all on the rather small CPU. So sure it'll work if you have only a couple IPv6 flows, however if everything went IPv6 it'd fall over. You need support in the ASICs for it, and that means buying new hardware.
Of course being high end it isn't so cheap. We upgraded all our stuff on campus to do IPv6 and it was millions to get all the hardware needed. Now we are large, but not compared to many ISPs. So it isn't so easy to just say "Oh buy a bunch of new equipment to replace the perfectly good stuff you already have."
IPv6 is coming, slowly, but it isn't going to be a fast process and anyone who thinks people, ISPs, etc should "Just do it," hasn't spent any real time looking at what is involved.
Mostly because a lot of enterprise IT departments have serious issues with anything new and thus "scary" and "untested". Hell, I know places that still run critical production systems on NT4 and think Subversion is too new and untested to be used as a production VCS so they just stick to CVS since "everyone knows it and it works".
On a similar note, these are the kind of places that mandate that all database queries be made as stored procedures (T-SQL, of course) since that's the only "safe" way of accessing a database. Bring up parameterized queries and they look at you like you're mad. In places like that they have working security put in place 10 - 15 years ago and they have no intention of changing anything until they absolutely have to. In their world security "needs" NAT (because that's what their equally old firewall appliance needs).
Greylisting is to SMTP as NAT is to IPv4
I've never understood this concern.
Me either.
IPv6 gives you loads of room to hide. This is my concern - address based blocklists will quickly become infeasible
It won't be that much different with v6 and a slight change in mindset. Instead of blocking an IP you go after the prefix instead.
For example an ISP customer is abusing my service and I want to block him. I don't go after his IPv6 IP I go after his entire /64, /48 prefix or whatever it is his ISP allocated to him. He can change his local bits all he wants he is still blocked.
There are other examples where it is difficult such as blocking some computers on the same /64 segment as others you want to allow however when we look at this problem today all we see most of the time is a NAT for the whole network with a single IP.
The address space is bigger and there is more room to hide yet allocation is still hierarchical and we still know what blocks are allocated to who via SWIP or working an ISPs abuse channels.
Sure, there's ways of addressing IPv6 with link-local style addresses, these tend to start fe80::, but if you want your packets to be routed out onto the big wide Internet and back, they'd better have proper addresses. IPv6 doesn't do NAT, but if you really need to renumber your network (say, if you've changed ISPs, and have got far too much statically configured kit, and don't know how to do a simple search and replace on some configs), you can do a network prefix translation thing, which is a bit of a bodge, in the same way that NAT is a bodge.
Not to mention that software-wise if you truly wanted to use your entire /64 (or /48) to stay somewhat anonymous it shouldn't be extremely hard to hack up an IPv6 stack that uses one address per remote host. So facebook.com sees one address, slashdot.org sees another, google.com sees a third. Doesn't even have to be sequential.
Greylisting is to SMTP as NAT is to IPv4
Remember - we're comparing IPv4 with NAT against IPv6.
Yes the ISP allocates the IPv6 prefix, but then again with NAT every source packet has the same IPv4 address. The real difference is that with IPv6 every single request can be given a different source address. If the source addresses are picked randomly from the /64 pool then it should be impossible to identify individual hosts within the /64 based solely on IP address information. As you rightly point out there are other effective ways of doing this already, but that's not an argument against using IPv6.
In one pot, put some kale, some olive oil, water, a little salt and pepper, and let simmer on low heat. In another pan, brown up some ground beef, with some chopped onions, green peppers. Add in a can of salsa or crushed tomatos. If desired, some hot sauce or jalapenos can be added. While that's cooking, do up some Kraft Dinner according to the directions on the box. When the KD is ready, add in the ground beef mix, and serve. Throw out the kale.
Note: This recipe works well for broccoli, Brussels sprouts, cauliflower, spinach, and many others.
When our name is on the back of your car, we're behind you all the way!
Hey, cool, facebook now resolves to an IPv6 address by default :)
As for my point, how will regular consumers deal with firewalling? Modern OSes have to have good firewall protection, because people take laptops to all kinds of insecure networks. Still, I'm not sure it's a good idea to make all devices directly accessible over the internet, it's kind of like begging for a wormpocalypse. On the other hand, we have UPnP for NAT-ed IPv4, allowing applications to specifically request incoming ports. This is crucial for many applications. What should we do for v6 then? (I run without a separate firewall, even for a Windows laptop, but this may not be a great idea on a large scale)
IPv6 most certainly does NAT: http://tools.ietf.org/html/rfc6296
Dilbert RSS feed
Why isn't slashdot accessible over IPv6?
What privacy concerns?
In Windows XP (if IPv6 is enabled), Windows Vista, Windows 7, newer Mac OS X, newer iOS, Android, newer Ubuntu IPv6 privacy extensions are all enabled by default.
So it is pretty much the same privacy-wise as IPv4.
(Just checked and Fedora does NOT enable privacy extensions, not sure why)
New things are always on the horizon
Then what makes you think advertisers/data-gatherers will not start to assume that all requests from the same /64 block come from the same person?
There is already something called IPv6 privacy extensions, which is enabled by default on most operating systems, and it will create a random IPv6 address once every 24 hours which it uses to connect to other hosts.
New things are always on the horizon
Which computer...? Well, with IPv6 privacy extensions enabled (which is the default in most operating systems) a new random IPv6 address will be generated at every startup or every 24 hours.
So that is hardly useful at the server to distinguish between client computers.
New things are always on the horizon
He never mentioned anything about privacy, only about the 1 IP address comment. Tracking Ip address doesn't matter much anyway, except for geolocation. One's browser fingerprint is unique enough to track.
There is actually a reason for eating broccoli with a cheese sauce - the fat from the cheese helps to dissolve the vitamins contained in the broccoli, and our bodies get more out of it!
Since blocks are hierarchical and sequential, it should be quite easy to block countries almost entirely. Don't like Russia/China connecting to you? Get their ranges.
Maybe people it relative.
Comcast is the largest access provider in the world and they are busy rolling out IPv6 to more and more customers as we 'speak'.
New things are always on the horizon
On the Google IPv6 statistics, it says in Romania IPv6 is faster than IPv4.
New things are always on the horizon
Actually, it's fe80::/10 that's dedicated to the same purpose as private addresses, and can be assigned in anyway one feels like. fc00::/7 is supposed to be globally unique, but unroutable. Looks like they couldn't figure out how to implement this, so left it unimplemented, but really, it would be great for connecting VPNs, for instance.
Uh, private addresses need to be assigned as well. Private addresses for IPv4, and Link-local addresses - fe80::/10 for IPv6.
The official recommendation is /48, but only ARIN and LACNIC seem to be following that. APNIC very clearly states that they'll assign /56, and if one wants more, they have to justify it. I believe the same policy is being followed by RIPE.
As was mentioned in the previous IPv6 thread yesterday, for things like multiple SSIDs, having wired and wireless on different networks to prevent collisions, and so on, a customer may need more than one subnet. Since the ISPs aren't going to split them by bit, chances are they'll either assign a nybble or a byte. If the last hex digit of the subnet address is assigned to a customer, that gives them 16 networks to play w/, which is presumably enough for a household. I think most ISPs may have a tiered plan for /128, /64 and /56 or /60.
Can someone please inform the media that a standard that came out in Dec 1998 is not NEW?
250% of a rounding error is still a rounding error. How many years has it been?
When all you have is a hammer, every problem starts to look like a thumb.
...my Linux box tends to hang up after about 30 minutes of being connected to a IPv6 network via WiFi... as far as I can make out NetworkManager does some stupid things...
NetworkManager is demon spawn.
When all you have is a hammer, every problem starts to look like a thumb.
As far as I can tell, it looks like we'll still have NATs by default in our Cisco/LinkSys/whoever home routers and wireless access points. NAT works just fine with IPv6, and our ISP service providers would prefer that it remain difficult to impossible for P2P applications to work at all.
Celebrate failure, and then learn from it - Nolan Bushnell
Steam! Steam will save your Broccoli!!
Also, there are some genetic differences that make broccoli and many other cabbages taste bitter to some people. (And similarly, there are genes that affect whether cilantro (aka coriander leaf) tastes really bad to some people.) I love the stuff, but President Bush was well known to be one of those people who hated broccoli, and most people have been kind enough to attribute it to genetics rather than his having been a spoiled child.
If you hang out with genetics geeks, eventually they're going to hand you pieces of blotter paper and see how they taste to you. If suddenly the whole world turns shiny, please introduce me to your friends, but usually they're either going to taste like paper or they're going to taste like really nasty bitter stuff, depending on which versions of several flavor-tasting genes you've got.
Also, to tie this vaguely back to IPv6, eventually you're going to run out of asparagus, there won't be any more in the stores, so you'll have to eat broccoli and cabbages until the summer veggies start to come in.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The original view of IPv6 addressing was that the host portion was going to be assigned automagically based on your MAC address, similar to the way Novell Netware IPX and XNS did things, so not only would that provide trackability to individual computers for traffic from your home location, but if you took your laptop or cellphone somewhere else, the host portion would still be the same, just showing "Your laptop at Starbucks" instead of "Your laptop at home". Eventually, of course, 48-bit MACs got replaced with 64-bit EUI-64, leading to the /48-vs-/56-vs-/65 fights, and SLAAC-vs-DHCP6 fights, and to IPv6 Address Privacy Extensions, so it's a bit less of a concern, just messier.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
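The MAC-derived host portion described in the comment above, worked through as an added example (not part of the original thread). It builds a SLAAC address with the modified EUI-64 method and shows how the same interface identifier follows a device across networks; the MAC address and the 2001:db8::/32 prefixes are constructed documentation values.

```python
import ipaddress
from collections import defaultdict


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02  # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure on `prefix` without privacy extensions."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None.

    A random (privacy extension) identifier can contain ff:fe in the
    middle by chance, roughly once in 65536, so treat a hit as a strong
    hint and not as proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02  # undo the universal/local flip
    return ":".join(f"{x:02x}" for x in b)


def networks_per_device(addresses):
    """Group observed addresses by embedded MAC: MAC -> sorted list of /64s."""
    seen = defaultdict(set)
    for a in addresses:
        mac = embedded_mac(a)
        if mac is not None:
            net = ipaddress.IPv6Network(f"{a}/64", strict=False)
            seen[mac].add(str(net))
    return {mac: sorted(nets) for mac, nets in seen.items()}


# Constructed observations: the same laptop at "home" and at a "cafe",
# plus one host using a random privacy-extension identifier.
LAPTOP_MAC = "00:11:22:33:44:55"
OBSERVED = [
    str(slaac_address("2001:db8:1:1::/64", LAPTOP_MAC)),
    str(slaac_address("2001:db8:9:40::/64", LAPTOP_MAC)),
    "2001:db8:1:1:5c3a:91e2:7b04:d6f1",
]

if __name__ == "__main__":
    for a in OBSERVED:
        print(a, "->", embedded_mac(a))
    print(networks_per_device(OBSERVED))
```

Running `embedded_mac` over the addresses of your own hosts is a quick audit for machines that still autoconfigure without privacy extensions.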
My ISP (Internode) has been providing opt-in dual-stack support for at least a couple of years, and enabled it by default for all new customers in January. Internode currently have about 2% of their customer base on IPv6.
Note: if you go to that page and the logo is spinning, it means you've connected via IPv6.
I get a static /56 prefix (earlier when it was still considered a trial they gave a /64 that could change when you lost ADSL connection). My router (Billion 7800N) acts as a DHCPv6 server and everything is hunky-dory except for one minor quibble - the router advertises the upstream DNSv6 servers instead of itself, so if you've done static MAC->IPv4 mapping in the router they won't be returned when a DNSv6 request is made. The fix there is to manually set the link-local address of the router as the DNSv6 server on each of the machines.
No, NAT will not die. NAT is a good idea, not a bad one. Virtually everyone uses firewalls nowadays, most of which do NAT, which adds a level of security (not enough by itself, but it helps).
It is a critical flaw in TCP/IP architecture that the application translates the name to the address and sees the IP address. And there's never a good reason for applications to have numeric IP addresses inside them. NAT only breaks broken applications. IPv6 is Just Plain Stupid. It's ugly and it wants to die. And it will. The people who are pushing it are the kind of people who seek out authority in order to obey it blindly.
IPv6 blocklists will most likely block entire /64's instead of single addresses. This has the potential of blocking an entire organization for one user's bad behavior, but so does blocking a single IPv4 address that is the public side of a NAT.
Correct me if I'm wrong, but I believe in MySQL, at least, you can have procedures run in the context of the defining user, not the invoking user. Thus, the procedures can access tables that the user calling the procedures cannot.
This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.
It's still under evaluation, but has not been officially approved by the IETF. Anything today that does IPv6 doesn't support this spec.
Come again?
Bhutan was impossible to mouse over and get the numbers. Anyway, I guess the reason is that most people there are offline, so any new internet additions boosts the numbers a great deal. Maybe their main mode of internet access is mobile services?
No, enterprise security features require a firewall. Currently NAT devices incorporate firewalls, but the NAT part isn't needed for the security part to work.
Address based blocklists aren't going to vanish, only change.
When your ISP gives you an address, they'll actually be giving you a subnet, so blocklists will do the same, block small subnets instead of individual addresses. (Of course that's only if the person you're trying to block is very persistent, because just like now, they're likely to stay on the same IP they were originally given.)
A nice website has been set up for this: http://test-ipv6.com/
My results on checking (I've removed my addressing for obvious reasons):
Your IPv4 address on the public Internet appears to be
Your IPv6 address on the public Internet appears to be
The World IPv6 Launch day is June 6th, 2012. Good news! Your current browser, on this computer and at this location, are expected to keep working after the Launch. [more info]
Congratulations! You appear to have both IPv4 and IPv6 Internet working. If a publisher publishes to IPv6, your browser will connect using IPv6. Your browser prefers IPv6 over IPv4 when given the choice (this is the expected outcome).
Your DNS server (possibly run by your ISP) appears to have no access to the IPv6 Internet, or is not configured to use it. This may in the future restrict your ability to reach IPv6-only sites. [more info]
blindly antisocialist = antisocial
All the address based blocklists have to do is block the whole /64 which is the smallest allocation ipv6 allocation unit.
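The prefix-based blocking that several comments in this thread describe (block the /64, or the wider allocation, instead of a single address), as an added example that is not part of the original thread. The thresholds, the escalation to /48 and the sample events are assumptions made for illustration; all addresses are documentation ranges.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of abusive source addresses (one entry per abuse event).
# 2001:db8::/32 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_EVENTS = (
    # one subscriber rotating the low 64 bits inside a single /64
    ["2001:db8:a:1::%x" % i for i in (0x10, 0x2F3, 0xBEEF, 0xC0DE)]
    # one subscriber rotating across several /64s of the same /48
    + ["2001:db8:b:%x::%x" % (s, h) for s in (1, 2, 3) for h in (1, 2, 3)]
    # a single stray event: below the threshold, must not be blocked
    + ["2001:db8:c:1::5"]
    # an IPv4 address (possibly the public side of a NAT) seen three times
    + ["203.0.113.7"] * 3
)


def blocking_unit(addr, v6_len=64):
    """Map an address to the unit we count and block: /32 for v4, /64 for v6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.ip_network(f"{ip}/32")
    return ipaddress.ip_network(f"{ip}/{v6_len}", strict=False)


def build_blocklist(events, threshold=3, wide_len=48, wide_min=3):
    """Aggregate abuse events into prefixes.

    A unit is blocked after `threshold` events, however many distinct
    addresses inside it were used. When `wide_min` blocked /64s share one
    /48 they are replaced by that /48, since the abuser evidently controls
    the wider allocation. Wider blocks mean more collateral damage, the
    same trade-off as blocking an IPv4 address that fronts a NAT.
    """
    hits = Counter(blocking_unit(a) for a in events)
    blocked = {net for net, n in hits.items() if n >= threshold}

    by_wide = defaultdict(set)
    for net in blocked:
        if net.version == 6:
            by_wide[net.supernet(new_prefix=wide_len)].add(net)
    for wide, members in by_wide.items():
        if len(members) >= wide_min:
            blocked -= members
            blocked.add(wide)

    # Sort v4 before v6; networks of different versions cannot be compared.
    return sorted(blocked, key=lambda n: (n.version, n))


def is_blocked(addr, blocklist):
    """True if addr falls inside any prefix on the blocklist."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocklist if net.version == ip.version)


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_EVENTS)
    for net in bl:
        print("block", net)
    # A never-seen address in the blocked /64 is still rejected.
    print(is_blocked("2001:db8:a:1:dead:beef:0:1", bl))
```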
Well, RFC 4941 addresses some of your concerns: http://tools.ietf.org/html/rfc4941
Additionally, if you are worried about privacy, then put all web traffic behind a web proxy and filter out certain cookies.
Jumpstart the tartan drive.
Also worth noting that fe80::/10 is self assigned and non-routable. This means you can just connect a bunch of computers together with a switch and they will have an address to speak to each other with, but you won't be using it to speak to computers outside of the net. I suppose this is roughly equivalent to the IPv4 169.*, except the IPv6 equivalent is a bit more static.
Maybe fc00::7 was a fallback plan in case NATing became necessary? First I have heard of the prefix.
Jumpstart the tartan drive.
They will.
But then we're just back to the IPv4 situation, with them only being able to distinguish between networks rather than individual machines. At that point, the original complaint of "they'll be able to distinguish between individual machines" starts looking rather silly.
I doubt it. fc00::/7 was more likely a plan to assign everyone in the world unique non routable addresses so that for applications like VPN, whereas in IPv4, one could have multiple 192.168.0.5s albeit in different networks, here, the chances that 2 computers even on different networks would have the same private address is ruled out. I guess they couldn't find a reliable algorithm that guarantees that uniqueness, and therefore went for fd00::/7, where the uniqueness is not essential.
Btw, I thought that one could manually assign link local addresses to different computers in one's network if one wanted. Anything in either the OS or the standard that stops it?
Comcast frustrates the hell out of me though. I know they've got a team working this, but if you try and contact customer support it's like talking to a wall. Questions like, "Is IPv6 available in my area?", "When will IPv6 be available in my area?", "Can I get a static IPv6 assignment?", "Can I be put on a list or something to get IPv6 enabled on my connection?" and "Do you know what IPv6 is?" are met with hours on hold while the tech asks the next level tech who also doesn't know. I appreciate that Comcast has a team working through deploying IPv6 but I'm frustrated they seem to have no interest in supporting the people who actually want to use it! (I'm running business cable so this isn't even the home support guys.)
I do security
"access through stored procedures is better because the connected users only need permissions on the stored procedures and all other objects can be inaccessible to them" yep
Actually, that shouldn't be too hard to do; just replace the initial "2001:" of your global prefix with "fc00:" and you should be done. (You could probably do something similar with 6to4, where the network prefix is defined by your external IPv4 address.)
NAT only breaks broken applications
Such as everything that needs to receive a connection from the outside, like chat, games, etc.
If I have been able to see further than others, it is because I bought a pair of binoculars.
No, people could have public IPs starting w/ 2001, 2400, 2600 and so on, so that one doesn't guarantee uniqueness. I agree though that it's not too hard, but am surprised that nobody figured out how to guarantee something to that effect.
I'd forgotten about the Sprint 2600:: address. :(
I suspect that the real answer was that fc00::/7 was created just to keep all the anti-publicly-allocated-address people happy, and was never taken that seriously. All the real connectivity would use link-local or suitably firewalled global address space. VPNs between separate companies would be handled via IPSEC, and no new addresses would be needed. Of course, that works fine in theory, but will probably never happen in reality...
You can generate your own globally-unique private networks. See, for example, http://www.simpledns.com/private-ipv6.aspx
And what is the cheese sauce needed to make it get adopted quicker?
Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
I haven't seen anything about manually assigning a link local address and I'm not even sure what the benefit would be, since it is essentially static for a given device?
Jumpstart the tartan drive.
Benefit would be if people needed to remember their IP addresses, and therefore chose to assign it manually, so that they could have fe80::1 to fe80::10 for all their devices. If it was automatically assigned, they might get something like fe80:947d:feed:ad65::d09:95b2:f00d:f2cb, which would be tough to remember, especially if they have to enter it repeatedly in different applications that work better w/ an actual IP as opposed to a resolved name.
With things like mDNS or routers that auto register host names, it may be more effort than it is worth?
Jumpstart the tartan drive.