Slashdot Mirror
After Launch Day: Taking Stock of IPv6 Adoption
darthcamaro writes "So how did World IPv6 Launch go? Surprisingly well, according to participants at the event. Google said it has seen 150% growth in IPv6 traffic, Facebook now has 27 million IPv6 users and Akamai is serving 100x more IPv6 traffic. But it's still a 'brocolli' technology. 'I've said in the past that IPv6 is a 'broccoli' technology,' Leslie Daigle, CTO of the Internet Society said. 'I still think it is a tech everybody knows it would be good if we ate more of it but nobody wants to eat it without the cheese sauce.'" Reader SmartAboutThings adds a few data points: "According to Google statistics, Romania leads the way with a 6.55% adoption rate, followed by France with 4.67%. Japan is on the third place so far with 1.57% but it seems here 'users still experience significant reliability or latency issues connecting to IPv6-enabled websites.' In the U.S. and China the users have noticed infrequent issues connecting to the new protocol, but still the adoption rate is 0.93% and 0.58%, respectively."
What a terrible metaphor. Everyone knows that IPv6 is closer to a Brussels Sprout.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
http://blogs.voxeo.com/speakingofstandards/2011/05/22/fun-with-ipv6-addresses-check-out-facebooks-aaaa-record-in-dns/
On the consumer front only just recently did home WiFi routers start shipping or start getting IPv6 support, even then finding an ISP that will provision you is next to impossible.
On the enterprise front gear has been labeled as IPv6 ready or compatible or even listed it as a feature for a long time. However if you work in security and have to implement policy control over content, you quickly see that the functionality is years behind when applied to IPv6 flows... At an enterprise level switching isn't easy without swamping out a lot of gear, or reducing expectations... IPv6 enabled deep inspection, and application layer inspection tools are only now becoming available, or only now becoming mature enough to roll out.
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
NAT isn't a security feature, that was a consequence of it breaking things to try and patch a bandaid fix on the problem IPv6 solves.
How many ipv4 nat routers are out there? How many of the big ISP's turned it on (or will by 'end of the year')?
Take my ISP for example (a pretty big one). They are just talking about turning it on this year 'by the end of the year' (which is marketing speak for next year).
Then how many consumer grade routers out there can you buy that are still only ipv4 (a lot btw). You have to go out of your way to get something with IPv6 you need to know exactly which router to get. You even had one decent sized manufacture yank the feature out for all intents and purposes so be careful which firmware you are running... Sure you can flash the firmware on many to get it. But what a pain. I dont feel like playing root my wireless access point to get a feature which should ALREADY be included... In 2005 this was understandable. In 2012 not so much anymore...
Then we can talk about the devices themselves. There are thousands of embedded devices out there sold within the past 2 years that ONLY do IPv4. TV's being the worst of the offenders... Bought a network enabled bluray a couple of months ago. IPv4 only... And both of these devices are from major manufactures...
the tl;dr ver 'it will take time not enough devices that support it yet'.
So, it sounds disgusting and nobody wants it? Cheese sauce on cake?
That would explain a lot.
Lost at C:>. Found at C.
I really tried. I tried versions of DD-WRT, OpenWRT, and Tomato on my WRT54GL. I tried using 6to4 using both anycast and tunnelbroker. The best I managed to achieve with either method was successfully pinging ipv6.google.com. I never succeeded in pulling it up in a browser on any of my computers. I thought I got radvd working, but it must not have been working well enough. Maybe next year.
Insert self-referential sig here.
I bought a business connection from my local provider, asked my salesperson if they had IPv6, they said yes. Tried to set it up for World IPv6 day. Well, their tech support says no they do not have IPv6. So, that was my IPv6 day experience.
I though tit was sad that bing.com and yahoo.com did not return a v6 address yesterday.
I've never understood this concern. With IPv6 I have, say, 2^64 addresses to use. I could use a different source IP address for each and every HTTP request I send out. Even at 1000 requests a second we'll all be long dead before you had to reuse a source address.
IPv6 gives you loads of room to hide. This is my concern - address based blocklists will quickly become infeasible.
Except of course everyone would still need to upgrade to versions which would work with that.
Which would be just as big as getting to them to upgrade to IPv6. Probably even bigger since nobody has ever written code to handle your solution.
I don't think there's anything "quick" about your solution.
Lost at C:>. Found at C.
I'd like to know who's the users in China with IPv6. There's no provider, ADSL or otherwise, that provides IPv6. The only place where you could find IPv6 would be universities. And what's funny with it, is that it shows that the Great Firewall of China doesn't cope with v6 at all. All sites that would normally be blocked are wide open. So until the GFW is "patched", I don't think IPv6 will come. That's quite a shame, because I've read multiple times that the big ISPs backbones are already IPv6 capable.
Routers and end systems would still need to be taught how to speak a new protocol; machines that only know how to construct and decode packets in IPv4 format would be unable to deal with your "extended addresses". What exactly would you gain?
Also, IPv6 is much more than just an extension of the addressing space. I won't bother listing all the niceties here since it has been done before (and you can find them easily). But to think that everything IPv6 has to offer is a lot more addresses is extremely narrow-minded.
Score: i, Imaginary
Not quite. Your ISP still assigns you a /64 (typically) so all your requests would have to come from within that - and the other end could easily recognize this. The only real privacy implication of ipv6 is that it'd be possible for a server to tell via IP address which computer in a household a request came from, rather than just the house - so it could make different profiles for the teenage daughter to see lots of clothes and music ads while the mother gets lots of furniture and household products advertising. But even without ipv6, this is trivial anyway - it just needs to be done by cookies, which is how every major profile-building ad network does it already.
No, they won't. It would be more work for them to give out a single IPv6 address than to give out a block. The official recommendation for residential customers is a /56, in Comcasts trials so far they've been giving out /64s. That's 18,446,744,073,709,551,616 addresses for each home. I don't think you remotely understand the size of the IPv6 space. NAT will die.
All your Apple gear has supported IPv6 out of the box for a few years now. I think Windows supports it out of the box, and probably your Android phone too, though I'm less sure about that. Most likely the missing link is your NAT box (unless you have an Apple box, which as I said is IPv6 ready), and your ISP.
Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
I think he's implying that the cheese sauce is the effort needed to implement it. IPv6 sounds ever increasingly delicious, that is until you get to where you actually need to lift up a finger to add it to your network, in which case then that delectable chocolate vanilla cake has been soured by the cheddar of corporate laziness.
There can be a real difference between "Can do IPv6" and "Can do IPv6 with realistic traffic." Most high end Cisco gear, even older stuff could be updated to support IPv6. However the problem is that it is all in software, all on the rather small CPU. So sure it'll work if you have only a couple IPv6 flows, however if everything went IPv6 it'd fall over. You need support in the ASICs for it, and that means buying new hardware.
Of course being high end it isn't so cheap. We upgraded all our stuff on campus to do IPv6 and it was millions to get all the hardware needed. Now we are large, but not compared to many ISPs. So it isn't so easy to just say "Oh buy a bunch of new equipment to replace the perfectly good stuff you already have."
IPv6 is coming, slowly, but it isn't going to be a fast process and anyone who things people, ISPs, etc should "Just do it," hasn't spent any real time looking at what is involved.
Mostly because a lot of enterprise IT departments have serious issues with anything new and thus "scary" and "untested". Hell, I know places that still critical production systems on NT4 and think Subversion is too new and untested to be used as a production VCS so they just stick to CVS since "everyone knows it and it works".
On a similar note, these are the kind of places that mandate that all database queries be made as stored procedures (T-SQL, of course) since that's the only "safe" way of accessing a database. Bring up parameterized queries and they look at you like you're mad. In places like that they have working security put in place 10 - 15 years ago and they have no intention of changing anything until they absolutely have to. In their world security "needs" NAT (because that's what their equally old firewall appliance needs).
Greylisting is to SMTP as NAT is to IPv4
I've never understood this concern.
Me either.
IPv6 gives you loads of room to hide. This is my concern - address based blocklists will quickly become infeasible
It it won't be that much different with v6 and a slight change in mindset. Instead ofblocking an IP you go after the prefix instead.
For example an ISP customer is abusing my service and I want to block him. I don't go after his IPv6 IP I go after his entire /64, /48 prefix or whatever it is his ISP allocated to him. He can change his local bits all he wants he is still blocked.
There are other examples where it is difficult such as blocking some computers on the same /64 segment as others you want to allow however when we look at this problem today all we see most of the time is a NAT for the whole network with a single IP.
The address space is bigger and there is more room to hide yet allocation is still hierarchical and we still know what blocks are allocated to who via SWIP or working an ISPs abuse channels.
Not to mention that software-wise if you truly wanted to use your entire /64 (or /48) to stay somewhat anonymous it shouldn't be extremely hard to hack up an IPv6 stack that uses one address per remote host. So facebook.com sees one address, slashdot.org sees another, google.com sees a third. Doesn't even have to be sequential.
Greylisting is to SMTP as NAT is to IPv4
Remember - we're comparing IPv4 with NAT against IPv6.
Yes the ISP allocates the IPv6 prefix, but then again with NAT every source packet has the same IPv4 address. The real difference is that with IPv6 every single request can be given a different source address. If the source addresses are picked randomly from the /64 pool then it should be impossible to identify individual hosts within the /64 based solely on IP address information. As you rightly point out there are other effective ways of doing this already, but that's not an argument against using IPv6.
In one pot, put some kale, some olive oil, water, a little salt and pepper, and let simmer on low heat. In another pan, brown up some ground beef, with some chopped onions, green peppers. Add in a can of salsa or crushed tomatos. If desired, some hot sauce or jalapenos can be added. While that's cooking, do up some Kraft Dinner according to the directions on the box. When the KD is ready, add in the ground beef mix, and serve. Throw out the kale.
Note: This recipe works well for broccoli, Brussels sprouts, cauliflower, spinach, and many others.
When our name is on the back of your car, we're behind you all the way!
IPv6 most certainly does NAT: http://tools.ietf.org/html/rfc6296
Dilbert RSS feed
Why isn't slashdot accessible over IPv6?
Then what makes you think advertisers/data-gathers will not start assume that all requests from the same /64 block come from the same person?
He never mentioned anything about privacy, only about the 1 IP address comment. Tracking Ip address doesn't matter much anyway, except for geolocation. One's browser fingerprint is unique enough to track.
Extending an IPv4 stack to use 64 bit addressing
Almost as much work as IPv6. You would still have to change out ALL of the hardware in the world and still have to update ALL of the software. If it's going to be the same amount of large scale work, just do it correctly the first time.
Stil, I'm not sure it's a good idea to make all devices directly accessible over the internet, it's kind of like begging for a wormpocalypse.
You're expected to have a stateful firewall at the very same place where you have a NAT right now. This is described in RFC 4864.
My ISP (Internode) has been providing opt-in dual-stack support for at least a couple of years, and enabled it by default for all new customers in January. Internode currently have about 2% of their customer base on IPv6.
Note: if you go to that page and the logo is spinning, it means you've connected via IPv6.
I get a static /56 prefix (earlier when it was still considered a trial they gave a /64 that could change when you lost ADSL connection). My router (Billion 7800N) acts as a DHCPv6 server and everything is hunkey-dory except for one minor quibble - the router advertises the upstream DNSv6 servers instead of itself, so if you've done static MAC->IPv4 mapping in the router they won't be returned when a DNSv6 request is made. The fix there is to manually set the link-local address of the router as the DNSv6 server on each of the machines.
NAT only breaks broken applications
Such as everything that needs to receive a connection from the outside, like chat, games, etc.
If I have been able to see further than others, it is because I bought a pair of binoculars.