Slashdot Mirror
Sale of IPv4 Addresses Hindering IPv6 Adoption
hal9000(jr) writes "While IPv6 day was a successful marketing campaign, is anyone really moving to IPv6? On World Launch Day, Arbor Networks noted a peak of only .2% of IPv6 network traffic. It appears that IPv4 addresses are still valuable and are driving hosting acquisitions. Windows 8 will actually prefer IPv6 over IPv4. If you want IPv6, here's what to do about it."
Only delays the inevitable. Also all the major ISPs are working on it...
From the article:
"Transitioning to IPv6 will take much, much longer than anyone expects, mostly because there is no clear reason to move to IPv6 anytime soon."
Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet. It'd be great if it was all just transparent, but it's now.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
ipv6 is coming to a slashdot near you.. soon!
For sale, one barely used 127.0.0.1 ip address. $5000. First come first serve!
That last link doesn't have one spec of advice. It merely describes the problem again. FAIL.
Scan your network topology from anywhere in the world?
See also: stateful firewall. NAT is not a firewall.
As an individual user... why? This should be something that I shouldn't have to worry about and the change should be transparent.
There are still vast ranges of unused addresses that have not been monetized, so there's no incentive to change. The cost of conversion is higher than the cost of addresses, therefore we will keep using them and developing software that doesn't support IPv6 until costs escalate.
Beyond this, how many of your ISPs offer native IPv6? This will be a prerequisite to widespread consumer adoption.
Yes, I think worrying about someone scanning the 18,446,744,073,709,551,616 addresses in your /64 is a valid concern.
In response to 3 - or we no longer need dynamic IP's and can give everyone their own address, at which point it no longer matters what ISP you are using.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
On point 1 and 3, that is mainly not "NAT" but "routing".
You can put all your internal stuff in a Private IPv6 address range, then have one router in the network of the ISP that gives you your internet connection. Routing is a basic functionality of both IPv4 and IPv6, NAT is an ugly hack.
That I won't see those same damn bots that scan the entire IPv4 range all the damn time as often.
Hope they enjoy scanning the entire IPv6 range.
Admittedly they might get better results as NAT won't be causing as many problems with detecting actual hosts.
Sometimes I just feel like messing with them.
Until some new technology that everyone wants comes along and requires IPv6, no one will care about it. It makes no sense for businesses to pay thousands on larbor to reconfigure their entire network for IPv6, and see no beneficial gain. Not to mention a lot of legacy hardware still don't support IPv6, like network printers/copiers, camera systems, security systems, etc. It also complicates maters worse when you try to network across long distances.
-- By all means let's be open-minded, but not so open-minded that our brains drop out.
Not true. Linux has a NAT implementation for IPv6 already. There's nothing about IPv6 that inherently prevents NAT. It just isn't necessary in nearly as many places.
Probably because in practice, encapsulation is "good enough".
Only if you aren't using NAT. Besides, with service discovery and SLAAC, chances are you won't have to reconfigure anything anyway.
No more so than any other piece of OS-level code.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Each and every one of you reading this is a customer of service providers and equipment vendors. It's time to use your voice and demand an IPv6 migration strategy that you can plan on.
On my walk in to work, there is this beautiful historic stone fence with cobblestone walk way for about a 2 block stretch... and demanding an IPv6 migration strategy I can plan on from it would likely be a better use of my time...
The article does nail the obvious problem on the head... the fact that IPv6 offers no benefit anyone cares about (we've learned to work with nat and even come to love it) except a solution to a problem that hasn't actually hit yet. Thing is this is the easy part. We all _know_ why IPv6 isn't being adopted. The hard part is how do we change that.. and "call up your ISP" is a really silly answer.
IPv6 works well at T-Mobile USA https://sites.google.com/site/tmoipv6/lg-mytouch
I thought IPv4 was gone, all the IPs handed out willy-nilly for free?
Oh wait, the free market is allocating them more efficiently now that they are all quasi private property?
Better pull out the legislation to stop this and force IPv6 to go faster just cause we want it to.
I always wondered why the ISP I worked at could just be handed a /16 for free with unverified supporting documentation!
Disclaimer: I like IPv6, but I am preempting any comments proposing we stop this IPv4 "black market".
1: No NAT, so an intruder can fire up a scan and find your network topology from anywhere in the world. Only way to deal with this is to tunnel to IPV4 then back again, which is a hack.
Maybe you should install FreeBSD then, it's pf has supported IPv6 NAT since 2010 (at least).
2: No support for packet level encryption. It is mentioned, but it is an option that vendors don't need to follow or bother with.
Which is how ipsec works now. In other words, you and your partner obtain compatible implementations and it works.
3: no address independence
See nat66 (or freebsd).
4: Unknown 0-day security holes. Just what we want... to relive the days of pings of death, land, teardrop, smurf, SYN flooding and other attacks.
Now it's true that there are probably buggy implementations, after all the implementations have only been around a decade or so and only 0.2% of the internet has used them. That's what, 10 people?
If I have been able to see further than others, it is because I bought a pair of binoculars.
My ISP already supports IP6RD if I had a modem with the firmware updated need I'd be on it already. At least it looks like my ISP has been trying to get their supported modems upgraded. They went from only having 1 modem that supports it to now having 3 modems. In a year or two I'll ether have a new modem that supports it or I'll have a upgraded the firmware. Upgrading to IP6 will take time since their is a lot of IP4 only hardware still out there that needs to be purged.
Lots of people talk about IPv6 and how they are "ready" etc. But nobody I've seen gives exact instructions on how I would configure IPv6 for my SOHO setup. What equipment do I need? What configuration do I need to set exactly? And, after I do all of this, can I get to IPv4 places or am I in the 1% as they say?
I've set up IPv6 to the extent possible on my equipment and the problem is that the steps (for a newbie) are complicated and unclear. How is IPv6 going to spread if one needs a degree in networking to get it all to work?
When our name is on the back of your car, we're behind you all the way!
It will only take 1,048,576 PetaBytes of 64byte ping packets!
Expensive IANA wants multiple thousands to allow us, as an ISP, to provide equivalent IPv6/48 address blocks to our customers match their IPv4 currently allocated blocks. It provides no incentive for us to give back IPv4 allocations after moving our customers to IPv6
Lacking toolsI have not seen any transition tools to allow a quick and easy remapping from IPv4 to IPv6. The existing blocks and their descriptions (you do put descriptions on your blocks don't you?) should be detected and re-tailored for IPv6. Building the address block heirarchy in an IPv4 design tools and having a script to translate it to a DHCPv6 config would go a long way to easing the pain.
Missing FOSS IPv6 DHCP GUI Microsoft has had a DHCPv6 GUI for quite a while, haw hard can it be to use it as a template? Integration with the DHCPv6 LDAP objects would be a big plus
PXE not supported in DHCPv6 So you are back to IPv4 for remote boot until you can remote configure a host for IPv6
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
The FreeBSD IPv6 "NAT" is better than IPv4 NAT. It is a 1:1 instead of 1(external):Many(internal). This makes it useful for cheap pseudo-multi-homing. It will map the same suffix no matter which prefix it comes on aka Many(external):1(internal)
Once I finish building my new-fangled quantum computing thingy, I'll be able to do that before I even realize I want to.
Vista and Windows 7 "prefer" IPv6 too... Heck even Windows XP with its crappy IPv6 stack turned on prefers IPv6.
If you read the whole cnet article what has changed is network awareness sending an IPv6 only HTTP request periodically to a Microsoft server using this to judge if IPv6 connectivity is actually available.
In other words the behavior of all windows 8 systems on the planet with regards to IPv6 usage is dictated by the availability by a single Microsoft URL. What could possibly go wrong with that? Is it not also wonderful MS having their system ping out to MS servers by default periodically without anyone knowing or providing a user choice to turn it off not involving registry hacks?
With regards to IPv6 usage I just checked the interface stats on my gateway with an HE tunnel configured. Very interesting...IPv6 Internet traffic is a full 25% of overall Internet usage over the last 145 day period. This predates the June 6th IPv6 go live day by several months.
IPv6 = 32GB
IPv4 = 129GB
ISPs are still dragging their feet lighting up IPv6.. I fear we will have to wait another two years before most large ISPs get their act together on full production deployment.
The most interesting thing seems to be the "long tail" effect reflected in my actual usage.
Given current environment where just a handful of megasites are responsible for the majority of all Internet traffic by volume huge changes in traffic patterns can tip the scales on IPv6 usage rapidly while the countless millions of other sites run by the rest take just as long to switch over as the IPv6 naysayers say it will.
NAT is useful as an economic barrier to force people to pay a premium for a static IP.
The "here's what to do about it" teaser amounts to, "complain to your ISP." Thank you so much. If only we had thought of that.
The article is useless.
"Oh, draft these standards. They're so naughty and complex."
so with a 1ms response time, it'll only take 584,942 years to scan the pathetically small /64 my ISP has given me. Go for it hackers.
IPv4 NAT can do 1:1 if you bother to set up the mapping (this is how "address independence" works: your internal 192.168.1.x network stays the same when you change ISPs, you just update the firewall with the new address mappings), and you could probably whack at iptables/conntrack on linux to get N:1 mapping in IPv4 as well (you need conntrack to get the return packet back to the right external IP). Even if it was easy, IPv4 just doesn't have the address space to do cool tricks like your automatic multi-homing example.
If I have been able to see further than others, it is because I bought a pair of binoculars.
The benefits to IPv6 are significant but I'd like to take apart your assertion that it "[solves] a problem that hasn't actually hit yet".
That's just wrong.
The world supply of IPv4 is empty. Gone. No more available. What about the regional registrars I hear you ask?
Asia. Empty. Dry.
Europe. Imminent exhaustion. 2 - 8 weeks until they're dry.
North America. They're better off. Instead of mere weeks we're up in the months range. 6 - 12 months.
South America and Africa. They're better off only because they have significantly lower burn rates not because they have . This will only stay low until it becomes economically viable to export IPs from these regions or until growth in internet devices ramps up like it has in China or India.
As the price of IPs rise there will more aggressive conservation strategies. You think people like NAT when they control the box just wait until Double-NAT, also known as carrier grade NAT, arrives. People have spent years trying to get NAT traversal working right, and still haven't gotten quite right, and now we're preparing to dial it up to 11.
We can either spend money and transition to IPv6 or spend more money managing the problem rather than solving it.
If ISPs are giving out /48's or /64's to users, I see it as a great opportunity to DDoS people again. Before, they had one IP address and if they changed their IP, you couldn't flood them off. Now, they get a whole range of IPs and you can easily get a bunch of PCs to just flood any address in that range - the bottleneck will be their connection. So unless they change their prefix (which probably won't happen too often), you could keep someone lagging out during gaming and they can't do a damn thing about it.
Quite a nice benefit to those who want to cheat at online gaming - you don't need IP addresses, just their prefixes.
The other thing is - IPv4 addresses have to get WAY more expensive first. Because IPv6 equipment is pricey if you need to upgrade at an enterprise level, and since the entire upgrade cost is bourne by the company wanting to upgrade, there's little financial incentive still. When you're talking about $100,000 worth of equipment that has to be bought brand new again... (or millions for larger companies) while their current gear still works...
at which point it no longer matters what ISP you are using.
Did I miss that part where home routers are all running BGP now?
Do not fold, spindle or mutilate.
Headline on the original article: What to Do About the Scarcity of IPv4 Addresses
Headline on the Slashdot post: Sale of IPv4 Addresses Hindering IPv6 Adoption
Well-played.
jhw
It really should just be a software upgrade (DD-WRT, anybody?) -- But then convincing vendors to put out an IP6 patch when they can get away with selling you a $50.000 piece of equipment with that same patch could be an uphill battle.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
NAT is not a firewall.
Of course not. However, if properly implemented, NAT can be one of the outlying parts of your firewall. If your router is set to drop all incoming connection requests, port scanners will never find your machines, making them that much safer. Yes, I understand that there are other routes in that this can't protect you from. That's why I called it part of a firewall.
Good, inexpensive web hosting
So.. you're going to flood about 2^64 addresses at the same time? "A bunch of PCs" will have to be a rather large number. Keep in mind that the whole IPv4 Internet has less than 2^32 publically reachable addresses. So even if your 'bunch of PCs" can flood the entire Internet, you'd stil be orders of magnitudes off.....
For what it's worth, the number of addresses they would need to scan (assuming you use the default "turn my MAC into my IPv6 addr) scheme is not quite as big. At worse you only need to scan 281,474,976,710,656 addresses. You could make some assumptions that would cut down the number of addresses you need to search too, like the first octect being 00 (common for physical NICs, although not a guarantee anymore).
Still, brute force scans on IPv6 are not going to be very common I think.
I read the internet for the articles.
4: Unknown 0-day security holes.
That's not unique to IPv6. Every Internet protocol, every web or database server is subject to that, along with many, many other programs. Changing to IPv6 doesn't increase the issue in the slightest, so it's not relevant.
Good, inexpensive web hosting
Most of the gear you have should already support IPv6 unless you're in some sort of computing museum. There are some things that hate IPv6 still (VPN hardware annoyingly), but it's pretty rare. Even crappy home equipment supports IPv6 a lot more often than you might expect.
I read the internet for the articles.
Oh dear. I better put my web server at the LAST address.
now we need to go OSS in diesel cars
nanoseconds FTW!
now we need to go OSS in diesel cars
Yes, it matters what ISP you are using. If you change ISPs, you change IP addresses. That's how routing works. However, you wouldn't need to change internal addresses because ipv6 allows an adapter to have multiple addresses. You can have private IPs for private use that stay the same, and public IPs that change based on ISP.
I've seen vines, ipxspx, osi etc fall by the wayside.
Really. Nobody cares about ipv6. It's not a problem, people like you are a bigger problem.
Deleted
We all know IP4 addresses don't identify a person. Will this change with IP6? With the "an IP address for every toaster" idea, will they still be dynamic enough for plausible deniability?
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Unless you are an anal meta-administrator attempting to keep yourself employed, or a repressive government trying to keep your people firmly under your jackboot, everything should be done via stateless autoconfiguration.
Personally, I know I will not miss having to set up tons of hardware that's too stupid to assign its own address correctly.
Give all the IP4 addresses away to China and other countries where botnets tend to originate most often, and make then NAT to get on the IP6 network the rest of us will live on when we don't own any of the IP4 space any more.
4: Unknown 0-day security holes
That's not unique to IPv6. Every Internet protocol, every web or database server is subject to that, along with many, many other programs. Changing to IPv6 doesn't increase the issue in the slightest, so it's not relevant.
It does when new code is written to support IPv6 and that new code contains vulnerabilities.
For mobile devices, the software is controlled by the carrier and the data path is controlled by the carrier, and the apps are controlled by the carrier or the handset maker. Mobile devices don't act as hosts. And all the growth in devices is in mobile. So why aren't they all on IPv6?
If the carrier has to do an IPv6 to IPv4 translation, they can do that at their head end.
Not to mention it encourages a one-way directional model of Internet that the major media companies would love. NAT makes things like p2p/server apps more frustrating for the average computer.
An Arbor Networks graph shows less than .2% of the traffic the company measured was IPv6. That's up from a peak of .04%, which occurred on the first Worldwide IPv6 Day in 2011; hardly a blip in a year.
That's a 5-times increase in a year.
If we pretend that we're business math students, then next year we'll see 1% -- then 5% in 2 years and 25% in 3 years -- which would be easily enough to trigger further network effects.
It all breaks down in the 4th year with 125% of traffic, but I'll just take that to mean that the remaining IP4 traffic will be encapsulated in IP6 packets by then.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
1, nat and stateful firewalls are not the same thing (although you generally need a stateful firewall to implement nat), theres no reason you cant configure a stateful ipv6 firewall to block inbound connections and allow outgoing. the stateful firewall aspect is where the apparent "security" (or in reality, hiding) comes in, nat itself is just a nuisance which breaks things.
2, and this is a problem with ipv6 how? ipv4 doesn't have such features at all, and to enable it on v6 you only need support at either end, the routers along the way dont need support so its entirely up to you.
3, annoying yes, but only your prefix changes not your local address, with with stateless autoconfig its not a huge problem.
4, and there could be 0day holes in ipv4 stacks, or in all manner of other software... ipv6 is not exactly new either, its been around for well over 10 years. microsoft actually reintroduced the land vulnerability in windows 2003 not so long ago. incidentally the design of ipv6 makes smurf impractical and syn flooding much easier to track down since a v6 stack should not allow routing of spoofed packets by default while v4 does.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The simple answer is that IPv4 was meant for a pretty small test network only. Then it spread...It was never meant to become a global address space.
Sorry, my speciality is graphics + optimizations not networking. Question for the /. crowd ...
If I have a ipv6 address how do I guarantee all my "old" ipv4 games work ?
Is this a non-issue? I realize ipv6 doesn't have NAT, but are there any special configurations I need to do on the router if I switch my entire home network over to ipv6 ?
Thanks.
There's only one scheme for encoding IPv4 in IPv6, and it isn't changing because it's built into the BSD Sockets IPv6 extension API, published eons ago. What is uncertain is how to route those addresses. Part of the "confusion" is that some lazy developers would prefer to be able to bind to a single port and receive IPv4 and IPv6 connections, especially when upgrading old software. But for this desire, there'd be no issue whatsoever. Best practice, however, is to bind to two separate ports. And if you do this there are and will be no issues to worry about concerning ports and addresses.
Likewise, people are confused about DNS and making client connections. But as long as you use getaddrinfo(), there isn't any real problem (excluding optimization obsessions).
People get confused when they think too much about it. But if they stick to the published APIs, then all will be fine. That's because if anything needs to be changed (unlikely), almost certainly it'll be done in a way transparent to those using the published APIs.
If your router is set to drop all incoming connection requests, port scanners will never find your machines
This is true whether you NAT or not. It is completely independent of NAT.
Finally! A year of moderation! Ready for 2019?
When our name is on the back of your car, we're behind you all the way!
At least Windows 7 (not sure if Vista) has IPv6 privacy extensions on by default. Sadly, my Galaxy S II not only does NOT have them on by default, but they didn't even compile it into their kernel. On my Linux box I turned it on with a config file. But still, brute force is still unfeasable, it's good for avoiding tracking between networks I suppose.
Please give me your name, address, your phone number, and your bank account number so that I can deposit this in there. And then I will call you to finish the transaction.
There's only one scheme for encoding IPv4 in IPv6, and it isn't changing because it's built into the BSD Sockets IPv6 extension API, published eons ago.
This is not true. There is the ancient ::x.x.x.x which has since been nixed. A number of NAT systems are mapping IPv4 domain to an arbitrary IPv6 prefix and fudging DNS to make IPv4 universe accessible as if it were native IPv6.
IPv4 mapped IPv6 addresses are NOT used for encoding IPv4 in IPv6 for transmission.
What is uncertain is how to route those addresses.
They have no meaning outside the socket layer of the local computer. See RFC 2553.
Part of the "confusion" is that some lazy developers would prefer to be able to bind to a single port and receive IPv4 and IPv6 connections
There is nothing wrong with being lazy if it gets the job done. What is with issue with dualstack sockets?
Best practice, however, is to bind to two separate ports.
Says U..its sockets not ports.
I predict a new market for IPv4 addresses for individual businesses. Large hosting companies will buy up IPv4 addresses in bulk from ISPs to sell to server customers, pushing the ISPs to switch to IPv6 allowing the servers to be dual stack with a static IPv4 address. Once the ISPs get onto IPv6 the value of IPv4 will drop, but still be held with some regard for a while while the remaining stragglers and ISPs with huge NATs are forced to convert for their clients that want to access private websites that would start popping up on peoples ISP connected servers.
Might not happen that way, but it seems as likely a prediction as any other.
Hmm, the humour and sarcasm seem to have been be lost on you.
1. It is trivially easy to configure a firewall that gives all of the advantages of NAT without the downsides.
2. Packet level encryption isn't mandatory in IPv4 either.
3. Use autoconfig like you're supposed to.
4. as opposed to what? Everything potentially has 0-day vulnerabilities.
True. Consider it mostly a brain phart. However, it's also harder to target a specific machine on a LAN if none of them have routable IP addresses, which was probably what I was thinking of. I did tech support for an ISP for a number of years and had to explain this sort of thing to callers, but it's been almost ten years since that stopped and my memory wasn't quite as good as I thought it was.
Good, inexpensive web hosting
Perhaps somebody has an (expert) answer here to this question: Why was IPv4 even allowed or implemented in the first place? Did this have to do with computing and/or memory limitations back in the day (1974 to 1981) that nobody every thought could be overcome or even required? I know hindsight is 20/20.
I find it hard to understand how the researchers developing the IP protocol could think that 4.29 billion address would be sufficient given the scale of possible adoption in the future.
First things first: due to all of the reserved address ranges, particularly (what were once called) Class D and E addresses, there are fewer publicly routable internet addresses than ~4.29 billion. The number is ~3.70 billion addresses once you take the various reserved address ranges out.
With that out of the way, the world was a vastly different place back in the 1970's when IPv4 was first defined. The idea of everyone carrying a telephone with them everywhere was science fiction, and the notion that such devices would feature processing functionality that would be able to take advantage of being network-enabled probably wasn't even conceived. The personal computer revolution hadn't happened yet either. As you said, hindsight is 20/20. It's easier to see how we got to now from there than the other way around.
It's also worth keeping in mind that when IPv4 was standardized in 1981 ([RFC 791]), computers were not particularly powerful; a state of the art desktop machine of the era would have little RAM, an 8 bit processor, and would run at less than 5Mhz. A device with an 8 bit processor would require at least 4 LOAD instructions to load an address from memory into registers, plus whatever processing would be required against the address (particularly for routing). Newer 16 bit processors (such as the 8088 and 8086) could do the same sort of processing with only two MOV instructions, but using a 128 bit address like in IPv6 would have required 8 bit systems to do a lot of processing just to handle the addresses -- you'd have to run 16 LOAD instructions just to read every part of the address into registers. This would be very significant processing wise for the time; I'd venture to say you'd need a supercomputer just to act as an IPv6 router back in 1981 (even with the limited number of hosts actually on the network). Memory would be a consideration as well -- 16KB fills up pretty quickly, so squeezing every byte out that you can would have been advantageous.
I'm also not particularly sure that the designers of IPv4 had a public Internet in mind. It wasn't until the early 1990's that the Internet was generally opened to commercial use; prior to that it was limited to government and research use. I don't think in the mid 1970's when Robert E. Kahn and Vint Cerf started work on trying to unify the various networks then in operation, that they considered that people would have a dozen or more Internet enabled devices in their homes (at current count there are 24 IP enabled devices in my home, although I certainly don't claim to be typical). That is, the "purpose" of the protocol at the time wasn't to provide a pervasive network that covered the globe, and the idea of 2^32 hosts was probably completely inconceivable. IPv4 has since invention been shoehorned into uses and purposes that were never conceived at the time of its invention. Indeed, considering how many protocols were being invented, and how quickly new iterations were being introduced, it probably wasn't expected that the world would still be using IPv4 over thirty years after it had been first defined.
IPv4 is getting to be a creaky, old technology with all sort of band-aids applied to it over the years. It is time for replacement -- the research and development community has been saying so for fifteen years or more. Unfortunately, the momentum behind IPv4 is massive, and entrenched inte
and this is a quote from...? al gore
Along with devices, ISP support and the knowledge of setting up IPv6 tunnels contribute to delays. Doesn't Windows 7 and even Vista prefer IPv6 over IPv4?
You don't need to flood the whole range.. just one...
This is effectively like giving everyone static IPs.. as the prefix will likely be static.
My company is already using IPv6 addresses. All of our sites have public addresses... as well as all of our desktops. All of our users now use Facebook and Google over IPv6. So... nothing will help me adopt it. Already done.
It is such a shame that SIXXS is such a pain to use though. I am NOT going to go to the trouble of writing a fucking essay (along with setting up a linkedin account) just to switch to IPv6.
>All of our sites have public addresses... as well as all of our desktops.
(Not directed at you, but your adminstrator): How is this a good thing?
If your company wants to make stuff available (whether to the public or to vendors), it should do so on specifically defined servers. What's the point of making every desktop a peer?
That's sort of cool in a university environment, where you're there to learn, experiment, and play. But not in a corporate environment.
I'm not a lawyer, but I play one on the Internet. Blog
As far as I can tell, yes. Or at least, they do in our office.
Help me out: Is this a joke, or real?
http://www.01189998819991197253.co.uk/
I'm not a lawyer, but I play one on the Internet. Blog
That assumes that the addresses are not predictable. I believe that one proposal is to use the MAC address of the machine as part of the address. The OUI is fairly predictable based on market share (for example, realtek sells a rather lot of NIC controllers), so if you assume that the target is using a realtek NIC (or if you know what manufacturer they use), that knocks off 24 bits right there. That gets you down to 40 bits, and require only 1TB of bandwidth to scan. That is fairly cheap to do with a botnet or cloud service.
Let's assume you want to scan for that Realtek auto-configured NIC using Amazon EC2. We'll assume a target timespan of one hour, since I believe that's the minimum time slice. We want to pump out 1TB of bandwidth total, and let's say you don't want to push more than 100 megabits per second to any instance. That would require roughly 24 instances, which gives us $120 in bandwidth, and ~ $0.17 in instance time (spot instance micro price).
Say you want to do it faster, in one minute: you're still at only about 1400 instances, still $120 in bandwidth, and roughly $10 in instance time...
Of course, if you know nothing about the topology, scanning 2^64 addresses would likely exceed the capacity of Amazon's entire cloud, not to mention your wallet ;)
Check this link: Why IPv6? Vint Cerf keeps blaming himself
"Even crappy home equipment supports IPv6 a lot more often than you might expect."
Old crappy software, still in use doesn't. And there won't be new versions.
It's not like V4 is ever going away, and de facto, there will always be programs that only run on the V4 network, the parallel and completely independent V6 network may as well not exist as far as they're concened.
At 20 years in I frankly don't have much hope that 20 years from now V6 traffic will have even doubled since now.
Need Mercedes parts ?
A good working IPv4 market and the lacking need for IPv6 might explain why IPv6 is not getting of the ground. The thing that is holding me back is the lack of practical information on a IPv6 network and the connection to the internet. I have not read any practical guide that easily explains how to setup an IPv6 network, keeping in mind that I want the same level of privacy on my LAN and the easy connection to the internet. Instead of a router/modem that speaks NAT, I need a decent firewall and modem. Please don't start with NAT is no firewall. I know that, but it has been a trench surrounding my LAN that kept the creeps outside. Or at least it gave me and the other 99% that feeling and ease of mind. It are the following practical questions that keep me from IPv6; -- Now I need a decent firewall and what is the price ? -- Do I still need a router and maybe a separate modem ? -- Is there one device that does all this ? -- What will is cost ? Even when all the above is answered ... I still have to worry about the fact that some parts will blackout once I move to IPv6.
But then I have spent my hard earned cash already.
Here's what tyo do about it - ask your ISP or employer to move to IPv6. Not very convincing, not very informative, the article was more blab than useful information. What a waste - both the situation, and the article.
Why stop at IPv6? Certainly, every forseeable limitation has been exceeded in the past, so why not instantly make the jump to IPv240,000 and be done with it til the end of time? This every 30 years needing to upgrade and update the world's computers sure does get old.
3: Change ISPs? All your internal IPs have to change. Again, no NAT, so you can't just leave your internal 10.x.x.x network as it is and just let the routers deal with the new external stuff.
My internal IP addresses change daily. They are DHCP assigned. Nothing breaks, everything works. Even my server doesn't have a static IP. For services with port forwarding they are configured via UPNP. All computers are addressed by some kind of a name, you know like all computers on a home network since about windows 95. I could go into my router (which actually has a lot of default settings including the way DHCP is setup) right now and change the assignments to the 10.x.y.z subnet and nothing would break once all PCs refresh their IPs.
I kind of wonder what a horrendously bad network configuration you have that makes you dependant on computers knowing each other's IP address. But given your fear of an attacker scanning some 18 million billion addresses I don't think you know much about networks.
Instead of properly standartizing NAT they removed it, with the argument that there are enought adresses now. ... you are f**d with ipv6.
Well, if you used Nat for anything else than adress space expansion, like multihoming, topology hiding,
Why remove a well established feature instead of standartizing it properly?
Well and thats why i dont see ipv6 ever happen.
There will be 2 split worlds: ipv4 and ipv6 until one comes up with say ipv8 that merges both worlds again.
People talk about calling up your ISP and demanding IPv6 support as if it is simply some switch to be flipped.
Consider a software product that is multiple millions of lines of code built over a decade, that is required for business, but for the most part is underpinned by IPv4 data structures. This is not some simple "find and replace" operation to add IPv6 support to a product like this. The effort will take years worth of man-hours and tens of millions of dollars, and also require hardware four times more powerful to run (due to the increased size of the IPv6 data structure) - and in the end, offer no tangible new features.
Now, multiply this by not only one software package, but more likely several dozen, all of which are provided by outside vendors. Some of these V6 porting projects have been in the works for a very long time already, others are on hold - but they are all very expensive and DO NOT happen overnight.. they will happen when the cost justifys the enormous expenditure.
PR Stunts like IPv6 day are not going to change the situation.
So say, all your machines have only have one internal adress and all the multihoming/loadbalancing and natting is done at the firewall... WHERE it the benefit of ipv6 where i need to assign all my machines multiple adresses killing many sorts of loadbalancing and exposing my internal topology to the world? also any isp migration requires more than some straight forward changes at the firewall? Srsly, I dont see the benefit of ipv6 ;)
Linux has only adress range nat and not a per address nat, making it useless for topology hiding and some cases of load balancing
assuming you use the default "turn my MAC into my IPv6 addr
You forgot that your MAC address is only used to create the link-local address, which is not-internet routable. If someone was scanning for this address, they would already have to have access to your internal network.
1) 2^64 would exceed the capacity of the internet as a whole, and will remain true for quite a few years.
2) You do realize that your 24 100Mb instances will not be the choke point when scanning most target networks. Not many people/places have a 2.4Gb internet connection.
3) Not many companies with a 2.4Gb internet connection wouldn't notice the scanning effort.
4) You still have to purchase the Amazon service, which makes it quite easy to contact to find out while Amazon is sending 2.4Gb/s of ping packets.
5) Your MAC address theory only works if you have a node on the local network. The MAC is used for link-local, which is only accessible by other devices on the local-link.
I think the tl;dr summary of your post is: IPv4 was designed around the same time frame as storing 2-digit years. Enough said really.
The only thing that differentiates IPv4 from pretty much every other limit or system we've had to expand is that it was actually very forward thinking with room for billions of devices, so instead of having to do it "right" in the 90s when it actually hit mass market it survived the dotcom era without running out. It's only now with 7+ billion people and people using many devices (desktop/laptop/phone/tablet/etc.) that 32 bit is just not enough. Also if you look at the RIRs we're not really out yet, only Asia is out. Get an IP block anywhere else and you're still good for a little while though Europe is also empty in a few months.
Live today, because you never know what tomorrow brings
Enterprise level Network Admins love IPv6. I've heard nothing but good things from friends/family who admin datacenters or large companies. They wish IPv4 would just die.
Forget the devices as the root cause. Why do you think there aren't all that many which have support? Even industry leading, and industry standard companies are actively avoiding implementing IPv6 (at least at the forefront). I know two CCIEs who hate IPv6 and are actively doing what they can to avoid implementing it.
Why?
Because IPv6 sucks. It's a horrible idea and makes life excruciatingly difficult for those who have to actually work with it. At the technical level it has a lot of merit - but that's not what's being discussed here. Where it falls flat on its face is how horribly unwieldly it is for common applications and uses.
This is, of course, exasperated by the fact that software packages don't support IPv6 yet - never mind devices. IPv6 has a bigger hill to climb than Y2K did.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Maybe you can, but the only reason that NAT is needed in IPv4 in the first place is to expand the number of addresses. Had 1:1 been used, there would never have been NAT in IPv4. In the case of IPv6, the only reason such a thing is being considered (the IETF has by no means endorsed it) is for some rare uses, such as load balancing. It's not done to get rid of peer to peer networking.
I'm a big proponent of IPv6, but I agree w/ your second bullet. Site local addresses weren't all that difficult to implement, so there was no need to overhaul that. Somehow, it made no sense to have IPv4 compatible addresses and IPv4 mapped addresses, so it makes sense that one went. However, there are still things very much in flux, like whether to have a variation of NAT or not for things like load balancing, the issues over routing tables, the variation in assignments by ISPs of /48, /56 and /64s, and so on. There are new scopes such as sites and organizaitons, and yet, I've not seen the advantages of this get touted. Also, the fact that most 'IPv6-ready' hardware is only tuned for IPv4, but runs IPv6 slowly doesn't do any good to IPv6 causes. All these are much bigger barriers to IPv6 acceptance than IPv4 addresses in the black market.
No, he paraphrased the person who made IPv4. The father of IPv4 wanted it to be 128bit when it was ready to go live, but it went live before completing the prototype phase.
assuming you use the default "turn my MAC into my IPv6 addr
You forgot that your MAC address is only used to create the link-local address, which is not-internet routable. If someone was scanning for this address, they would already have to have access to your internal network.
The IPv6 address page on Wikipedia says you're wrong:
...
...
...
...
Although DHCPv6 exists, IPv6 hosts normally use the Neighbor Discovery Protocol to create a globally routable unicast address: the host sends router solicitation requests and an IPv6 router responds with a prefix assignment.
The lower 64 bits of these addresses are populated with a 64-bit interface identifier in modified EUI-64 format.
A 64-bit interface identifier is most commonly derived from its 48-bit MAC address.
The biggest barrier to my deployment of IPv6 is the edge switches and the wireless controllers. Support for first-hop security features for IPv6 is going to have to wait until we get around to paying for some rather substantial hardware upgrades, and IPv6 by itself does not justify that cost. Even if we had the money now, the actual feature sets are still not mature in the wired edge switches yet. In a competently secured campus network one does not allow old ARP/IP spoofing tricks to work, and doing so relies on the switch hardware and the wireless platform which must integrate with the DHCP servers by snooping traffic and using it to build port level access lists. IPv6 has analogous tricks that also need to be sqashed at the switchport/AP level, and while self-service address autoconfiguration seemed like a good idea to the IPv6 standards community they just don't cut it in a security-aware environment, so this support must include DHCPv6 snooping, which is still rare to find in switch feature sets these days. These are the features campus administrators will block on.
Someone had to do it.
That assumes that the addresses are not predictable.
And indeed they are not. Or was that sarcasm?
5) Your MAC address theory only works if you have a node on the local network. The MAC is used for link-local, which is only accessible by other devices on the local-link.
It's also used by the Neighbor Discovery Protocol to create a globally scoped IPv6 address.
Step 1) Flip the 7th bit of the MAC-address. 00:11:22:33:44:55 becomes 02:11:22:33:44:55.
Step 2) Split the result in two and put "FF:FE" between the two parts, i.e. 02:11:22:FF:FE:33:44:55.
Step 3) Prepend IPv6 prefix. So Google could end up with e.g. 2A00:1450:400F:801:0211:22FF:FE33:4455.
Here's a traceroute to that address using HE's Looking Glass. Looks routable to me...
Either way, there's nothing inherently preventing it, and if there's enough demand, someone will implement it.
Check out my sci-fi/humor trilogy at PatriotsBooks.
IPv6 has enough address space to make current routing logic useless before it runs out. In other words, IPv6 will be dropped for other reasons before it runs out. Those reasons cannot be anticipated with any useful amount of certainty.
The reason IPV6 is not taking off is about money. If you are a legacy IPV4, you pay a $100 fee (at least until 2013) per year for your class C IPV4. In spite of the massive increase in the number of addresses, the price for an equivalent IPV6 looks like it jumps to be over $1200! Why would you change? If you want people to go to IPV6, offer them the equivalent of their current IPV4 at the same price they are paying. Converting legacy users is about money--just don't gouge them when they move to IPV6 and they will join the party.
Maybe that's why it was invented, but once it was invented, we found all sorts of cool uses for it. Like load balancing, multi-homing, relocating networks between ISPs without having to renumber everything internally, etc.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Why stop at IPv6? Certainly, every forseeable limitation has been exceeded in the past, so why not instantly make the jump to IPv240,000 and be done with it til the end of time? This every 30 years needing to upgrade and update the world's computers sure does get old.
You can't really assume a trend of every 30 years when the only data point we have is the first significant (current) one.
You also have to remember the difference between researchers/inventors and implementors. Back in the late 1980's there was already concern in the R&D community that 2^32 addresses wouldn't be sufficient, and that a new protocol would need to be devised. Unfortunately, the implementors typically aren't interested in such concerns -- they have something that works right now, and has a significant number of existing hosts, so they use it. It's the reason why we continue to use IPv4 today.
Lastly, 2^128 addresses is colossally massive. It's 340282366920938463463374607431768211456 addresses, which is over 34 billion billion billion billion. That address space can fit 2^92 individual networks, each the size of the full IPv4 address space. It's crazy massive enough that if there were 10^19 Earths, each with a population approaching seven billion, each and every single person on each of those Earths would be able to have an entire Internet's worth of 23-bit address space, all to themselves. Or, if we decided to fill the entire area of the Solar System with computers, we could have a density of about 3.1 * 10^18 computers per square kilometre, roughly inside the orbit of Pluto. It's nearly enough to give every single atom in the solar systems its own address.
Thus, in a sense, we already have made the jump, as we've called in IPv6. Using some crazy large address size (let's say 1Kib addresses) would make processing the addresses computationally more difficult, and would give such an insane address range that every atom in the universe could have 10^228 addresses each. The computational difficulty of routing such addresses would require routers way more powerful than we currently have, would make them prohibitively expensive, and would remove a lot of smaller, low-powered/embedded devices from being able to function on the network (due to how quickly you could fill RAM with just addresses).
Yaz
It's crazy massive enough that if there were 10^19 Earths, each with a population approaching seven billion, each and every single person on each of those Earths would be able to have an entire Internet's worth of 23-bit address space, all to themselves.
I do, of course, mean 32 bit address space.
Or, if we decided to fill the entire area of the Solar System with computers, we could have a density of about 3.1 * 10^18 computers per square kilometre, roughly inside the orbit of Pluto.
In case 3.1*10^18 computers per square kilometre doesn't mean anything to you, that's 3.1 trillion computers per square metre. Filling the entire orbital plane of Pluto. This should give you a better idea of how many addresses a 128 bit value can provide.
Yaz
OK, 585 years in that case ;-)
Using EUI64 the way it's currently defined would be inane. Ideally, a router should be set up to assign the addresses according to some preset rules. It would also help if all nodes on the network had static AND dynamic addresses, as assigned by a DHCP6 server.
The MAC address is also used to generate EUI64 based autoconfigured addresses, which is what I believe the Guspaz was refering to.
Dynamic IPs are useful if you're just a client and don't want to accept inbound connections. But giving everybody their own address - people don't get it out of nowhere - it's usually connected w/ an ISP or an organization that brings them their internet connection. The global prefix is provided by the ISP, and a customer may usually get anything from a /64 to a /48. The lower half of the address is what the customer can configure.
But unless somebody has directly gotten an address from ARIN or whichever RIR they're using, their address is not going to be independent of the ISP.
It wasn't: not everybody will use the privacy extensions, and there may be a flawed implementation that causes problems.
Even if we had the money now, the actual feature sets are still not mature in the wired edge switches yet. In a competently secured campus network one does not allow old ARP/IP spoofing tricks to work, and doing so relies on the switch hardware and the wireless platform which must integrate with the DHCP servers by snooping traffic and using it to build port level access lists
I find this security argument against IPv6 amusing.
IPv6 is on all yer systems already whether you have deployed IPv6 or not.makes no difference.
IPv6 can be used to "spoof traffic" with impunity already.. Default host policy is to prefer IPv6 whether you have the money to pay for a new switch with RA Guard enabled or not.
You are acting as if you have some kind of choice to make between IPv6 and a secure network.
If most bother to RTFM they can cobble together a poor mans ra guard using existing filtering facilities in their switches.
The DHCPv6 comments are bullshit for the most part as it is bootstrapped from RA.
know two CCIEs who hate IPv6 and are actively doing what they can to avoid implementing it.
Why?
Because they are idiots? There is money to be made by network engineers from forward looking organizations pushing IPv6 adoption.
Because IPv6 sucks. It's a horrible idea and makes life excruciatingly difficult for those who have to actually work with it.
Blah blah blah...the horrible idea was limiting the size of the Internet to 2^32 addresses before most of us were fucking born. You can either piss and moan about ancient history or be part of the solution.
Where it falls flat on its face is how horribly unwieldly it is for common applications and uses.
For all "common applications" care IPv6 is the same shit as IPv4. Only difference address portion of the header is lot bigger.
All programming/socket APIs work the same way. TCP and UDP are unchanged.
It is possible following best practices for socket programming to support IPv6 with no code change or without even knowing what IPv6 is.
The OS vendors have gone out of their way to make this shit as easy as possible for application folks. I've been there done that... if you think it is "horribly unwieldly" it is time to find a management position.
This is, of course, exasperated by the fact that software packages don't support IPv6 yet
All the ones I care about do.
never mind devices. IPv6 has a bigger hill to climb than Y2K did
At least we agree on something.
The MAC address is also used to generate EUI64 based autoconfigured addresses, which is what I believe the Guspaz was refering to.
Step 1 and 2 in my post turns the MAC-address into a modified EUI-64 format. Are we talking about the same thing or do you mean link-local IPv6-addresses (fe80::...)?
If Guspaz was referring to link-local addresses, his post doesn't make any sense at all, so I think we should assume that isn't what he's referring to.
Anyway, I was only commenting on point 5 in an AC post that made it sound like MAC-addresses was only used to generate link-local addresses. They're not, as you can see in my post.
Yeah, we are talking about the same thing here. You are right - it's not the only way to generate either link-local, nor unique addresses using autoconfig. Any algorhythm can be used to create a 64-bit ID that is unique, and from which the MAC address cannot be traced back.
IPv6 is on all yer systems already whether you have deployed IPv6 or not.makes no difference
Tell that to my router, as you try to get off your segment.
If most bother to RTFM they can cobble together a poor mans ra guard using existing filtering facilities in their switches
IPv6 traffic on the older models of most popular brands of switches cannot be filtered. There are no ipv6 PACLs and no nbar-like facilities on mid-level access switches, only protocol, MAC and IPv4. What features are available are closely tied to the CAM logic, and so depend greatly on the hardware.
The DHCPv6 comments are bullshit for the most part as it is bootstrapped from RA
If you are an idiot and allow self-configuration, it is.
If these features are so unnecessary, then why are they starting to appear in the newer model switches?
Someone had to do it.
IPv6 is on all yer systems already whether you have deployed IPv6 or not.makes no difference
Tell that to my router, as you try to get off your segment.
Who said anything about routers? We were talking about switches. IPv6 is already supported by all hosts on your network. If you do nothing about IPv6 all hosts on your network are vulnerable to spoofing whether you use IPv6 or not. ARP security is not going to prevent a bad actor on your network from operating an IPv6 proxy and spoofing all of your traffic over IPv6 while operating a tunnel to get past your router all because some "idiot" clicked on the wrong email attachment.
IPv6 traffic on the older models of most popular brands of switches cannot be filtered. There are no ipv6 PACLs and no nbar-like facilities on mid-level access switches, only protocol, MAC and IPv4. What features are available are closely tied to the CAM logic, and so depend greatly on the hardware.
I said "poor mans" .. this means hard coding filters that match specific fields of the upper layer packets.
The DHCPv6 comments are bullshit for the most part as it is bootstrapped from RA
If you are an idiot and allow self-configuration, it is.
DHCPv6 addresses are signaled by setting the Managed bit in a router advertisement whether you are using SLAAC or NOT. If you control the router advertisements you control DHCP.