Sale of IPv4 Addresses Hindering IPv6 Adoption

hal9000(jr) writes "While IPv6 day was a successful marketing campaign, is anyone really moving to IPv6? On World Launch Day, Arbor Networks noted a peak of only .2% of IPv6 network traffic. It appears that IPv4 addresses are still valuable and are driving hosting acquisitions. Windows 8 will actually prefer IPv6 over IPv4. If you want IPv6, here's what to do about it."

delays ... delays ... delays... nothing but delays

Only delays the inevitable. Also all the major ISPs are working on it...

No need

[_Sharp'r_]

From the article:
"Transitioning to IPv6 will take much, much longer than anyone expects, mostly because there is no clear reason to move to IPv6 anytime soon."

Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet. It'd be great if it was all just transparent, but it's now.

Re:No need

[sneakyimp]

I'm mostly wondering what to do about my iptables in linux. I have this vague feeling that some day I will be assigned an IPv6 address by my ISP and suddenly I won't be allowed into half my servers. I'm also wondering how to reconfigure my firewall to use IPv6 internally.

Re:No need

[lindi]

You probably already have a link-level ipv6 address. If your ADSL modem is in bridged mode you have probably already exposed some services to your ISP :)

Re:No need

[LilBlackKittie]

ip6tables is a doddle to use, and assuming you have a new enough kernel pretty much all you'll need will be a variation upon:

ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
ip6tables -A FORWRRD -i $upstream_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
sysctl net.ipv6.conf.all.forwarding=1

(NB: you probably want more than that, but assuming your $lan_if and $upstream_if have appropriate IPv6 subnets on, and everything is routing correctly, then you get "the same behaviour you used to" when you had your IPv4 NAT... only now you have "real" end-to-end connectivity)

Re:No need

[sneakyimp]

I'm not pretending to be any expert here, but I'm not using DSL and thus don't have an ADSL modem. I do see that my ubuntu workstation's eth0 interface has an IPV6 address assigned and I suspect that you are suggesting my services are exposed to requests via IPV6 because I have not explicitly blocked/managed them using iptables. This is rather alarming! Got any useful links?

Re:No need

[vlm]

I'm mostly wondering what to do about my iptables in linux.

The good news is that ipv6 has been available on linux for I donno a decade or so, and ipv6 tunnels have been available, etc. The ipv6 land rush is very much like people in 1997 talking about that "brand new" internet thing, and just like the great ipv4 rollout its a good thing there's a decade or so of sound traffic engineering experience out there already for ipv6.

1) I guess it depends a lot on your distro.
2) Some terms to google for beyond the obvious are "ip6tables".
3) nobody needs NAT on ipv6 which inherently provided stateful firewalling on ipv4. TCP is pretty easy, SYN packets only allowed in one interface...
4) Personally I find it easiest to make two firewall scripts a ipv4 and a ipv6. If for no other reason than totally screwing up ipv6 will not mess up your ipv4 access and vice versa making it simpler to recover from mistakes.
5) Good luck wrapping your head around the concept of "every host is a multihomed host" aka "link-local addresses". Please don't attempt to route LL out on the greater internet, mkay, they're for mdns / bonjour type stuff.
6) Good luck with dynamic addresses and revdns. If you never used BIND's ORIGIN lines well you best learn how, and quickly.
7) Please block all RH0 aka rt-type 0 packets they're the ipv6 evil bit
8) Go to Hurricane Electric (they rock in general, BTW) and become a sage ipv6 dude. I found this quite easy when they initially rolled this out several years ago, maybe its harder now. You need to do this "course" to learn the ropes and glossary before you can learn to firewall or you'll turn all sorcerers apprentice.

http://ipv6.he.net/certification/

9) Once you know ipv6 you could do worse than to start at

http://www.sixxs.net/wiki/IPv6_Firewalling

SIXXS is kind of like a major cell phone company, in that everyone's opinion of them seems exclusively driven by their local sixxs pop or their local cellphone tower quality. So you'll get meaningless comments all over the map about how they rock or suck based on the little neighborhood the commenter lives in. That said if you live in range of the Chicago pop, it rocks, although it had some exciting momentary outages a couple years ago. I use them on a dynamic endpoint and HE's tunnelbroker on a static endpoint and I'm very happy with both... your mileage may vary...

Re:No need

[vlm]

Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet.

That list is ridiculously short. Even my half decade old brother laser printer supports ipv6. The only barrier at this time in "my organization" is my openafs fileserver cluster doesn't support ipv6. Other than that...

Re:No need

[sneakyimp]

I appreciate this. Given my relatively modest iptables skills, i'm don't entirely understand everything you've said but it does make some sense. I'd greatly appreciate a slightly more basic introduction if anybody knows one.

Re:No need

[sneakyimp]

Bless you, kind sir. I want so badly to be a good internet citizen and will do my best to spread the IPv6 gospel once I know a little more. Speaking of ipv6 land rush. How do I get me some ipv6 addresses?

Re:No need

[egamma]

IP6 addresses I think they are free.

Re:No need

[vlm]

How do I get me some ipv6 addresses?

That's kind of toward the end of my epic long post... to restate... what worked for me when I last set this up years ago. Both services are free.

Your ipv4 addrs is static -> Go to hurricane electric aka tunnelbroker.net no hassle just works very quick mostly painless.

Your ipv4 addrs changes every Fing time the cablemodem reboots, or so it seems -> Go to sixxs and they put you thru quite an amazing hassle to sign up but eventually you have perfect automatically re-connecting dynamic service.

You can just do the tunnelbroker service on a dynamic address, perfectly good for short term learning purposes. But its going to be a hassle once you rely on it... Then again tunnelbroker is easier to sign up, or at least it used to be, so maybe you Should start there.

I simply cannot recommend he.net highly enough as a happy yet former customer. Whenever their name comes up here, "everyone on /." agrees they rock.
SIXXS on the other hand is a volunteer org and response time is... what you'd expect from a volunteer org, but they try their best and do a pretty good job given that constraint.

Re:No need

[jawtheshark]

If the IPv6 starts with fe80, don't worry too much about it.

Re:No need

[lucifuge31337]

Not everything works with IPv6 yet. Most stuff does, but most organizations still have some stuff that doesn't quite yet.

That list is ridiculously short. Even my half decade old brother laser printer supports ipv6. The only barrier at this time in "my organization" is my openafs fileserver cluster doesn't support ipv6. Other than that...

Unless you work in VoIP. Then then that list is "most of your non-commodity equipment and none of your carriers."

Re:No need

[arttulaine]

For quality IP6 connectivity, you also need to accept the multicast address space in INPUT chain, or at least parts of it. Good old ICMP is also nice, your policy allowing:

    ip6tables -A INPUT -d ff00::/8 -j ACCEPT # Multicasts are necessary and nice
    ip6tables -A INPUT -p icmpv6 -j ACCEPT # ICMPs make us all quite happy

For example, the IPv6 replacement of IPv4 ARP is performed using IPv6 link-local multicast, among other thingies.
Firewall policies on (even the upstream) links must understand the IPv6 specific requirements for accepting inbound multicasts for the fullest IPv6 experience.

When your local ISP still does not offer native IPv6 addressing and traffic, a good way to start using IPv6 is to get a free 6to4-tunnel from Hurricane Electric .

Re:No need

[jawtheshark]

My nearing a decade (8 years, think) old laser printer doesn't. I have no intention to replace a small-office class printer that cost an arm and a leg back in the day. Besides, it prints perfectly fine and it should easily work for another 5 to 10 years.

Re:No need

[_Sharp'r_]

I work in a messaging/transmissions service that interfaces with pretty much the whole world, one way or another. We recently did a survey and ... 80% of the software products out there in actual use with our products didn't quite support IPv6 fully yet. Oh, most were coming "soon", or in the next release, or in the roadmap for X .... but not yet.

Network level devices, routers, switches, firewalls, LBs, servers, storage, etc... have done a much better job of current revisions supporting IPv6. Now consider all the software out there that may need to be configured with an IP address configuration, setup to bind to a network port, etc... that was built when it was assumed an IP address was X.X.X.X ?

That's a much bigger and older world than a router running the latest network vendor OS.

So then you're back to running mixed IPv4 and IPv6, which means a lot of hassle and transition period, etc... without all the benefits.

Re:No need

Equipment is probably the reason the carriers don't. My provider says:-

"Our call servers theoretically support IPv6, but we are having problems finding equipment to test against."

Re:No need

[darkonc]

It's pretty easy to explain to anybody with even a minial understanding of iptables:

-i X means 'if the packet is inbound on interface X'
-o Y means 'if the packet will be forwarded (outbound) on interface Y
$lan_if and $upstrea_if are variables to which you've assigned the proper names for the interfaces conected to the LAN side and the Internet side (respectively)

# accept anything originating at localhost (this machine/router)
ip6tables -A FORWARD -i lo -j ACCEPT
# Allow outbound connections to be initiated by machines on the inside net.
ip6tables -A FORWARD -i $lan_if -o $upstream_if -j ACCEPT
# allow packets associated with aformentioned connections to come back in.
ip6tables -A FORWRRD -i $upstream_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop anything else.
ip6tables -P FORWARD DROP
# Turn on packet forwarding of IP6 packets between interfaces. (off by default)
sysctl net.ipv6.conf.all.forwarding=1

This effectively gives you the same protections as an IP4 NAT setup -- but with none of the disadvantages. -- Like the fact that each machine on the inside gets it's own (external) IP address. This means that if you want you can give machines on the inside the ability to be servers (acccept inbound conections to the machine and port) without the NAT thing of also having to assign each machine an inbound (non-standard) port number.

Re:No need

[lucifuge31337]

Equipment is probably the reason the carriers don't.

Yes, like I said "most of your non commodity equipment". While I could set up signaling with IPv6 using OpenSIPs or similar, the idea of running a bi-lat with a major carrier that way is laughable. Not to mention the fact that you'll pretty much have to B2BUA traffic going from v6 to v4 (since none of your other carriers support v6) or it will be an even bigger support nightmare. And as far as support nightmares go......none of the packet capture and analysis tools commonly used support v6.

VoIP (real carrier voip.....not you nerds with an Asterisk box in your house) is a long way away from being v6 ready.

Re:No need

[Anrego]

This means that if you want you can give machines on the inside the ability to be servers (acccept inbound conections to the machine and port) without the NAT thing of also having to assign each machine an inbound (non-standard) port number.

It also means if you screw up.. your box is open to the net.

NAT acted as a pseudo-firewall because you had to explicitly forward to your box .. rather than the IPv6 approach of having to explicitly block.

Re:No need

[amorsen]

NAT acted as a pseudo-firewall because you had to explicitly forward to your box .. rather than the IPv6 approach of having to explicitly block.

This only works if the attacker cannot send packets to the internal addresses, which is a dangerous assumption. I have seen several firewalls where only NAT was keeping them from being fully open. Standard security scans won't show anything wrong, but any attacker who can get onto the outside network has complete access to the inside. Suddenly your outside modem and/or router become your security perimeter, and they often fail miserably at that task.

Re:No need

[Anrego]

I guess, but the same people who don't firewall at the box level are the same who arn't going to set up their gateway/firewall properly with IPv6.

I don't trust my cheap d-link router, but I like that if I screw up my shorewall config (I'm not cool enough for iptables direct) .. traffic probably isn't getting out of my network segment.

Re:No need

[Zaelath]

Yeah, ok. Now show me allowing a particular trusted subnet.

And why do I want "end to end connectivity"?

I still think the problem w/ IPv6 is it has moved addresses from "recognisable with repetition" length to "incomprehensible" length.

It's like that change to the 999 number in the IT Crowd:

TV Advert Narrator: [Voicing an Emergency Services advert] Has this ever happened to you? :[The old woman on the advert twists her ankle and falls down stairs, gets up and falls down second flight of stairs before picking up her phone and trying to dial 999] From today, dialing 999 won't get you the Emergency Services, and that's not the only thing that's changing! [upbeat music starts, followed by close-ups and shots of new emergency vehicles and team] Nicer ambulances, faster response times and better looking drivers mean they're not just the Emergency Services, they're your Emergency Services. So, remember the new number! :[upbeat voice singing to jingle] 0118 999! 88199, 9119 725! [short pause] 3! That's [number is repeated in similar style whilst the old woman dials the number and waits]

Everyone can instantly see the stupidity of the above, but not why changing 192.168.1.25 to 2001:0db8:3c4d:0015:0:0:abcd:ef12 is just as stupid.

Re:No need

[jroysdon]

IP addresses were never meant to be used by the masses - and guess what, the masses don't use them.

Memorizing IPv6 addresses is a snap. First you learn you prefix (mine is something like 2600:103:b00[0-f]::), and then you have network blocks inside that. Yes, it's longer, but it's also globally unique.

Here's a "wasteful" but useful trick - imbed your VLAN IDs and IPv4 addresses inside your IPv6 addresses and then there is really nothing new to learn beyond your prefix.

Example: 2600:103:b001:53:10:250:250:1
2600:103:b001 is a prefix we use for DMZs. 53 is the VLAN number of our nameserver DMZ. You can probably guess what 10:250:53:1 is and what the corresponding IPv4 internal address is.

Another example: 2600:103:b000:207:10:2:7:156
2620:103:b000 is the prefix for one of our main sites. 207 is the VLAN (second floor, 7th VLAN on that floor, VLAN'd by department/use).

So long as you use IPv6 logically, it's really not hard to remember and recognize.

SLAAC/DHCP addresses should be registering in DNS (well, all of it should be). Use DNS for those semi-random hard to remember addresses. We have 100K+ electric meters with IPv6 addresses (small electric utility). I can look at the prefix and tell you if it is from our AMI NAN, WAN, LAN, or server networks, and what substation the meter is routing through. Natually I'll never memorize the SLAAC-based NIC portion of the meter address. DNS using the service point name is all I need.

[jason@its5156 ~]$ traceroute6 -n ami-jjr.mid.org
traceroute to ami-jjr.mid.org (fd7f:a4b6:4ee6:4:213:5001:0:6ac9), 30 hops max, 80 byte packets
  1 2600:103:b000:207::1 0.651 ms 0.618 ms 0.882 ms
  2 2600:103:b00f::1 2.085 ms 2.073 ms 2.487 ms
  3 fd69:f556:4dba:4:213:50ff:fe02:23cd 76.485 ms 115.080 ms 165.136 ms
  4 fd7f:a4b6:4ee6:4:213:5001:0:6ac9 2014.907 ms 2055.036 ms 2084.870 ms

fd69:f556:4dba:4:: is a LAN address going to substation 4
fd7f:a4b6:4ee6:4:: is a WAN address routed through substation 4's AP to my meter at my house.

Re:No need

[marka63]

He.net works with dynamic connections, just update the tunnel configuration using /etc/dhclient-exit-hooks. The following is a FreeBSD example.

ifconfig gif0 create >/dev/null 2>&1
ifconfig gif0 tunnel $new_ip_address 128.66.128.82
ifconfig gif0 up
ifconfig gif0 inet6 2001:DB8:1F00:FFFF::5A1 2001:DB8:1F00:FFFF::5A0 prefixlen 128
route add -inet6 default 2001:DB8:1F00:FFFF::5A0
# md5 hash of password
pass=XXXXXXXXXXXXXXXXXXXXXXXXX
# user id from main page
user_id=YYYYYYYYYYYYYYYYYYYYYYYYYY
# global tunnel id.
tunnel_id=9999999
args="ipv4b=$new_ip_address&pass=$pass&user_id=$user_id&tunnel_id=$tunnel_id"
tunnel=`/usr/bin/fetch -q -o - "https://ipv4.tunnelbroker.net/ipv4_end.php?$args"`
$LOGGER "IPv6 TUNNEL $tunnel"

Re:No need

[marka63]

I've been running dual stacked for 8+ years now. I don't see any hassles. If the device I want to connect to has a IPv6 address then I connect over IPv6. If it has a IPv4 address I connect over IPv4. My router handles both address types. My old IPv4 only Netgear router happily acts as a access point and passes both IPv4 and IPv6 packets.

The benefits of running dual stack is that you don't need use NAT64/DNS64 or similar transition technology to get to IPv4 only servers or have to suffer the additional breakages that occur over running straight NAT. IPv4 and IPv6 are ships in the night at the moment and I'll try to keep them as such as long as possible. If/when my ISP makes my connection IPv6 only I'll use DS-Lite or similar as the home net will most probably be dual stack for another decade unless vendors make available firmware upgrades to the existing equipment in the house.

Re:No need

[amorsen]

Those who accidentally use only NAT but no firewalling don't know they have a problem; tests and security scans will make them believe that everything is fine. Without NAT, they would likely discover their problem and fix it.

Not that firewalls are doing much good anymore. The days when you could root any random Windows box are over. Hosts are getting very good at protecting themselves, leaving printers as the only vulnerable device in many networks. Network printers in small installations should probably not be given a real IPv6 address anyway, link local + bonjour/zeroconf is perfect for them.

Re:No need

[Antique+Geekmeister]

Don't use them. Get behind a reasonably effective NAT and firewall, and block external traffic from ever entering your local network. The fragility and instability of hand-maintaining your own individual host firewalls is a constant drain on your personal time and your system resources. I've not seen a single company in the last 5 years use IPv6 internally, and very few bother with firewalls on individual hosts for Linux or UNIX systems.

For laptops or firewall devices, yes, firewalls are very handy and deserve some use and attention.

Re:No need

[bill_mcgonigle]

You mean the NAT allows traffic from the outside interface to the inside interface so the upstream router(s) are effectively the access control?

Re:No need

[Creepy]

with IPv6 firewalls on every machine become essential again unless you NAT your IPv6, and of course the IPv6 team will come to your house and whack you with a wet noodle if you do that. They despise NAT because it allows you to hide your identity (the IP you use isn't unique), favoring knowing exactly who is on both ends (which is important for security). Privacy isn't a concern for them. On the plus side, anyone with any knowledge of IPv6 knows part of the key is generated off your MAC address, so change that, regenerate the IP, then when you're done undo the changes and you at least get semi-anonymity (provided you are leeching on a network like an internet cafe).

Re:No need

[Creepy]

All IPv6 addresses are essentially static IPs, though you can change them by changing your MAC address on your machine. You can wipe the machine and regenerate the IP and it will generate the same IP (note that this doesn't affect VMs - they have their own virtual MAC address, so will get a different IP).

Re:No need

If the address begins with fe80:, it is a *link local* ipv6 address and is not routable over the public internet.

If it begins with 2, then it is a routable, public ipv6 address.

If you wish to build an ipv6 firewall, the linux tool for that is ip6tables, which should be available in every major distribution. The syntax and rules function exactly like standard iptables, only you should not have need for any NAT/MASQUERADE rules. Also, don't block ICMP; it's used for important control information in ipv6 and blocking it can cause subtle bugs.

Re:No need

[amorsen]

Exactly. The NAT router allows traffic from the outside to e.g. 192.168.1.0/24 or whatever the LAN is; firewalling is disabled. It is a surprisingly common misconfiguration. It is harmless as long as the upstream router is secure.

Re:No need

[amorsen]

Sorry, but everything you say is wrong.

Most common IPv6 implementations use privacy addresses by default, generating a new address every so often. This is of course useless, because the /64 is enough identification anyway and corresponds perfectly to the single public IP address you used to get with IPv4. NAT only hides which particular machine you are using within the subnet. When is that useful? If you're worried about the police, they will just grab every computer in the house to search for evidence if they can't pin it on a specific one. If you're worried about what you're doing being used against you somehow, again, getting the right house is generally enough for the bad guys. Both are legitimate concerns but IPv4 and IPv6 are equally bad. You can use Tor or VPN for a bit of real protection.

This bit:

with IPv6 firewalls on every machine become essential again

makes no sense and you do not even attempt to justify it, preferring instead to rant about how the IPv6 team is taking away your right to keep and bear NAT.

Re:No need

Anyone who learns an IPv4 address won't have too much trouble learning their IPv6 address, and if they really have a problem with it, they can statically assign good addresses. The first 3 or 4 blocks will no doubt be rather arbitrary, the last block can carry some significance, and the interviening blocks can be set to 0, allowing the :: shortcut.

slashdot

[lemur3]

ipv6 is coming to a slashdot near you.. soon!

Re:slashdot

[sxpert]

seems like this one will take a while... all IPv4 from here, apart from google analytics

Re:slashdot

Yeah, about the same time they get https, unicode character support, and editors.

Re:slashdot

[Andrew+Lindh]

I guess the easiest way to "support" IPv6 is by name alone...

ipv6.slashdot.org = 216.34.181.48

No IPv6 AAAA record for ipv6.slashdot.org

Re:slashdot

It's called wildcard aliasing...

$ dig +short ip-over-avain-carriers.slashdot.org
216.34.181.48

I don't think /. "support" RFC1149 (yet).

Buy an IPv4 Address Here!!

For sale, one barely used 127.0.0.1 ip address. $5000. First come first serve!

Re:Buy an IPv4 Address Here!!

[sick_uf_u]

That address is like the village bicycle... or like all the villagers' bicycles.

Re:Buy an IPv4 Address Here!!

[jd2112]

For sale, one barely used 127.0.0.1 ip address. $5000. First come first serve!

I'll show you. I'm going to launch a DDOS attack against that IP and then we'll see how much you can sell it f[NO CARRIER]

Re:Buy an IPv4 Address Here!!

Man down! I'll help this attack by launching a smurf attack on that IP. That'll teach you a lesson!

Re:Buy an IPv4 Address Here!!

[RaceProUK]

Everyone knows lower numbers are better - I'm selling 10.0.0.1 for $500 :)

Re:Buy an IPv4 Address Here!!

[Skapare]

Just root it. Then you can install a nice trojan.

Re:Buy an IPv4 Address Here!!

Hey, their root password is the same as mine. Who knew hunter2 was such a common password?

Re:Buy an IPv4 Address Here!!

[antdude]

I have one too! I will sell it for $4999.99!

Re:Buy an IPv4 Address Here!!

Wanna get your message out to everyone at once? I'll sell ya 255.255.255.255 for just $255000!

Re:Buy an IPv4 Address Here!!

For sale, one barely used 127.0.0.1 ip address. $5000. First come first serve!

You can have this one 198.18.0.0/15 I don't need it anymore.

Re:Buy an IPv4 Address Here!!

For sale, one barely used 127.0.0.1 ip address. $5000. First come first serve!

It was worth more prior to 2008. You'll be lucky to get 75% of that now.

Re:Buy an IPv4 Address Here!!

Pshaw, I have an entire CLASS B network block for sale. 192.168.0.0/16. $1,000,000 or best offer.

Re:Buy an IPv4 Address Here!!

[Antique+Geekmeister]

I've got bulk rates for you: a set of /16 addresses at 127.1.0.0/16, 127.2.0.0/16, 127.3.0.0/16, etc. Only $50,000 each, and each is guaranteed reachable from every machine you own, even if the wireless isn't working.

Re:Buy an IPv4 Address Here!!

I just bought 192.168.1.0/16 from my neighbor. Only $250. I think I got a good deal.

IPV6 == no security

Part of the reason is that IPv6 has a number of security issues:

1: No NAT, so an intruder can fire up a scan and find your network topology from anywhere in the world. Only way to deal with this is to tunnel to IPV4 then back again, which is a hack.

2: No support for packet level encryption. It is mentioned, but it is an option that vendors don't need to follow or bother with.

3: Change ISPs? All your internal IPs have to change. Again, no NAT, so you can't just leave your internal 10.x.x.x network as it is and just let the routers deal with the new external stuff.

4: Unknown 0-day security holes. Just what we want... to relive the days of pings of death, land, teardrop, smurf, SYN flooding and other attacks.

IPv4 sucks, but if I'm worried about security, I'll keep my ticket to admission, thank you very much.

Re:IPV6 == no security

[LilBlackKittie]

Scan your network topology from anywhere in the world?

See also: stateful firewall. NAT is not a firewall.

Re:IPV6 == no security

[ftp+coward]

Yes, I think worrying about someone scanning the 18,446,744,073,709,551,616 addresses in your /64 is a valid concern.

Re:IPV6 == no security

[armanox]

In response to 3 - or we no longer need dynamic IP's and can give everyone their own address, at which point it no longer matters what ISP you are using.

Re:IPV6 == no security

[aix+tom]

On point 1 and 3, that is mainly not "NAT" but "routing".

You can put all your internal stuff in a Private IPv6 address range, then have one router in the network of the ISP that gives you your internet connection. Routing is a basic functionality of both IPv4 and IPv6, NAT is an ugly hack.

Re:IPV6 == no security

[dgatwood]

No NAT

Not true. Linux has a NAT implementation for IPv6 already. There's nothing about IPv6 that inherently prevents NAT. It just isn't necessary in nearly as many places.

No support for packet level encryption.

Probably because in practice, encapsulation is "good enough".

Change ISPs? All your internal IPs have to change.

Only if you aren't using NAT. Besides, with service discovery and SLAAC, chances are you won't have to reconfigure anything anyway.

Unknown 0-day security holes.

No more so than any other piece of OS-level code.

Re:IPV6 == no security

[Qzukk]

1: No NAT, so an intruder can fire up a scan and find your network topology from anywhere in the world. Only way to deal with this is to tunnel to IPV4 then back again, which is a hack.

Maybe you should install FreeBSD then, it's pf has supported IPv6 NAT since 2010 (at least).

2: No support for packet level encryption. It is mentioned, but it is an option that vendors don't need to follow or bother with.

Which is how ipsec works now. In other words, you and your partner obtain compatible implementations and it works.

3: no address independence

See nat66 (or freebsd).

4: Unknown 0-day security holes. Just what we want... to relive the days of pings of death, land, teardrop, smurf, SYN flooding and other attacks.

Now it's true that there are probably buggy implementations, after all the implementations have only been around a decade or so and only 0.2% of the internet has used them. That's what, 10 people?

Re:IPV6 == no security

It will only take 1,048,576 PetaBytes of 64byte ping packets!

Re:IPV6 == no security

The FreeBSD IPv6 "NAT" is better than IPv4 NAT. It is a 1:1 instead of 1(external):Many(internal). This makes it useful for cheap pseudo-multi-homing. It will map the same suffix no matter which prefix it comes on aka Many(external):1(internal)

Re:IPV6 == no security

Once I finish building my new-fangled quantum computing thingy, I'll be able to do that before I even realize I want to.

Re:IPV6 == no security

[shentino]

NAT is useful as an economic barrier to force people to pay a premium for a static IP.

Re:IPV6 == no security

[gbjbaanb]

so with a 1ms response time, it'll only take 584,942 years to scan the pathetically small /64 my ISP has given me. Go for it hackers.

Re:IPV6 == no security

[Qzukk]

IPv4 NAT can do 1:1 if you bother to set up the mapping (this is how "address independence" works: your internal 192.168.1.x network stays the same when you change ISPs, you just update the firewall with the new address mappings), and you could probably whack at iptables/conntrack on linux to get N:1 mapping in IPv4 as well (you need conntrack to get the return packet back to the right external IP). Even if it was easy, IPv4 just doesn't have the address space to do cool tricks like your automatic multi-homing example.

Re:IPV6 == no security

[tlhIngan]

If ISPs are giving out /48's or /64's to users, I see it as a great opportunity to DDoS people again. Before, they had one IP address and if they changed their IP, you couldn't flood them off. Now, they get a whole range of IPs and you can easily get a bunch of PCs to just flood any address in that range - the bottleneck will be their connection. So unless they change their prefix (which probably won't happen too often), you could keep someone lagging out during gaming and they can't do a damn thing about it.

Quite a nice benefit to those who want to cheat at online gaming - you don't need IP addresses, just their prefixes.

The other thing is - IPv4 addresses have to get WAY more expensive first. Because IPv6 equipment is pricey if you need to upgrade at an enterprise level, and since the entire upgrade cost is bourne by the company wanting to upgrade, there's little financial incentive still. When you're talking about $100,000 worth of equipment that has to be bought brand new again... (or millions for larger companies) while their current gear still works...

Re:IPV6 == no security

[lucifuge31337]

at which point it no longer matters what ISP you are using.

Did I miss that part where home routers are all running BGP now?

Re:IPV6 == no security

[darkonc]

It really should just be a software upgrade (DD-WRT, anybody?) -- But then convincing vendors to put out an IP6 patch when they can get away with selling you a $50.000 piece of equipment with that same patch could be an uphill battle.

Re:IPV6 == no security

[techno-vampire]

NAT is not a firewall.

Of course not. However, if properly implemented, NAT can be one of the outlying parts of your firewall. If your router is set to drop all incoming connection requests, port scanners will never find your machines, making them that much safer. Yes, I understand that there are other routes in that this can't protect you from. That's why I called it part of a firewall.

Re:IPV6 == no security

So.. you're going to flood about 2^64 addresses at the same time? "A bunch of PCs" will have to be a rather large number. Keep in mind that the whole IPv4 Internet has less than 2^32 publically reachable addresses. So even if your 'bunch of PCs" can flood the entire Internet, you'd stil be orders of magnitudes off.....

Re:IPV6 == no security

[jandrese]

For what it's worth, the number of addresses they would need to scan (assuming you use the default "turn my MAC into my IPv6 addr) scheme is not quite as big. At worse you only need to scan 281,474,976,710,656 addresses. You could make some assumptions that would cut down the number of addresses you need to search too, like the first octect being 00 (common for physical NICs, although not a guarantee anymore).

Still, brute force scans on IPv6 are not going to be very common I think.

Re:IPV6 == no security

[techno-vampire]

4: Unknown 0-day security holes.

That's not unique to IPv6. Every Internet protocol, every web or database server is subject to that, along with many, many other programs. Changing to IPv6 doesn't increase the issue in the slightest, so it's not relevant.

Re:IPV6 == no security

[jandrese]

Most of the gear you have should already support IPv6 unless you're in some sort of computing museum. There are some things that hate IPv6 still (VPN hardware annoyingly), but it's pretty rare. Even crappy home equipment supports IPv6 a lot more often than you might expect.

Re:IPV6 == no security

[Skapare]

Oh dear. I better put my web server at the LAST address.

Re:IPV6 == no security

[Skapare]

nanoseconds FTW!

Re:IPV6 == no security

[swalve]

Yes, it matters what ISP you are using. If you change ISPs, you change IP addresses. That's how routing works. However, you wouldn't need to change internal addresses because ipv6 allows an adapter to have multiple addresses. You can have private IPs for private use that stay the same, and public IPs that change based on ISP.

Re:IPV6 == no security

4: Unknown 0-day security holes

That's not unique to IPv6. Every Internet protocol, every web or database server is subject to that, along with many, many other programs. Changing to IPv6 doesn't increase the issue in the slightest, so it's not relevant.

It does when new code is written to support IPv6 and that new code contains vulnerabilities.

Re:IPV6 == no security

Not to mention it encourages a one-way directional model of Internet that the major media companies would love. NAT makes things like p2p/server apps more frustrating for the average computer.

Re:IPV6 == no security

[Bert64]

1, nat and stateful firewalls are not the same thing (although you generally need a stateful firewall to implement nat), theres no reason you cant configure a stateful ipv6 firewall to block inbound connections and allow outgoing. the stateful firewall aspect is where the apparent "security" (or in reality, hiding) comes in, nat itself is just a nuisance which breaks things.

2, and this is a problem with ipv6 how? ipv4 doesn't have such features at all, and to enable it on v6 you only need support at either end, the routers along the way dont need support so its entirely up to you.

3, annoying yes, but only your prefix changes not your local address, with with stateless autoconfig its not a huge problem.

4, and there could be 0day holes in ipv4 stacks, or in all manner of other software... ipv6 is not exactly new either, its been around for well over 10 years. microsoft actually reintroduced the land vulnerability in windows 2003 not so long ago. incidentally the design of ipv6 makes smurf impractical and syn flooding much easier to track down since a v6 stack should not allow routing of spoofed packets by default while v4 does.

Re:IPV6 == no security

[amorsen]

If your router is set to drop all incoming connection requests, port scanners will never find your machines

This is true whether you NAT or not. It is completely independent of NAT.

Re:IPV6 == no security

[Anderu67]

At least Windows 7 (not sure if Vista) has IPv6 privacy extensions on by default. Sadly, my Galaxy S II not only does NOT have them on by default, but they didn't even compile it into their kernel. On my Linux box I turned it on with a config file. But still, brute force is still unfeasable, it's good for avoiding tracking between networks I suppose.

Re:IPV6 == no security

[sjames]

1. It is trivially easy to configure a firewall that gives all of the advantages of NAT without the downsides.

2. Packet level encryption isn't mandatory in IPv4 either.

3. Use autoconfig like you're supposed to.

4. as opposed to what? Everything potentially has 0-day vulnerabilities.

Re:IPV6 == no security

[techno-vampire]

True. Consider it mostly a brain phart. However, it's also harder to target a specific machine on a LAN if none of them have routable IP addresses, which was probably what I was thinking of. I did tech support for an ISP for a number of years and had to explain this sort of thing to callers, but it's been almost ten years since that stopped and my memory wasn't quite as good as I thought it was.

Re:IPV6 == no security

[Anrego]

You don't need to flood the whole range.. just one...

This is effectively like giving everyone static IPs.. as the prefix will likely be static.

Re:IPV6 == no security

[Guspaz]

That assumes that the addresses are not predictable. I believe that one proposal is to use the MAC address of the machine as part of the address. The OUI is fairly predictable based on market share (for example, realtek sells a rather lot of NIC controllers), so if you assume that the target is using a realtek NIC (or if you know what manufacturer they use), that knocks off 24 bits right there. That gets you down to 40 bits, and require only 1TB of bandwidth to scan. That is fairly cheap to do with a botnet or cloud service.

Let's assume you want to scan for that Realtek auto-configured NIC using Amazon EC2. We'll assume a target timespan of one hour, since I believe that's the minimum time slice. We want to pump out 1TB of bandwidth total, and let's say you don't want to push more than 100 megabits per second to any instance. That would require roughly 24 instances, which gives us $120 in bandwidth, and ~ $0.17 in instance time (spot instance micro price).

Say you want to do it faster, in one minute: you're still at only about 1400 instances, still $120 in bandwidth, and roughly $10 in instance time...

Of course, if you know nothing about the topology, scanning 2^64 addresses would likely exceed the capacity of Amazon's entire cloud, not to mention your wallet ;)

Re:IPV6 == no security

[rs79]

"Even crappy home equipment supports IPv6 a lot more often than you might expect."

Old crappy software, still in use doesn't. And there won't be new versions.

It's not like V4 is ever going away, and de facto, there will always be programs that only run on the V4 network, the parallel and completely independent V6 network may as well not exist as far as they're concened.

At 20 years in I frankly don't have much hope that 20 years from now V6 traffic will have even doubled since now.

Re:IPV6 == no security

[thegarbz]

3: Change ISPs? All your internal IPs have to change. Again, no NAT, so you can't just leave your internal 10.x.x.x network as it is and just let the routers deal with the new external stuff.

My internal IP addresses change daily. They are DHCP assigned. Nothing breaks, everything works. Even my server doesn't have a static IP. For services with port forwarding they are configured via UPNP. All computers are addressed by some kind of a name, you know like all computers on a home network since about windows 95. I could go into my router (which actually has a lot of default settings including the way DHCP is setup) right now and change the assignments to the 10.x.y.z subnet and nothing would break once all PCs refresh their IPs.

I kind of wonder what a horrendously bad network configuration you have that makes you dependant on computers knowing each other's IP address. But given your fear of an attacker scanning some 18 million billion addresses I don't think you know much about networks.

Re:IPV6 == no security

[someones]

So say, all your machines have only have one internal adress and all the multihoming/loadbalancing and natting is done at the firewall... WHERE it the benefit of ipv6 where i need to assign all my machines multiple adresses killing many sorts of loadbalancing and exposing my internal topology to the world? also any isp migration requires more than some straight forward changes at the firewall? Srsly, I dont see the benefit of ipv6 ;)

Re:IPV6 == no security

[someones]

Linux has only adress range nat and not a per address nat, making it useless for topology hiding and some cases of load balancing

Re:IPV6 == no security

assuming you use the default "turn my MAC into my IPv6 addr

You forgot that your MAC address is only used to create the link-local address, which is not-internet routable. If someone was scanning for this address, they would already have to have access to your internal network.

Re:IPV6 == no security

1) 2^64 would exceed the capacity of the internet as a whole, and will remain true for quite a few years.
2) You do realize that your 24 100Mb instances will not be the choke point when scanning most target networks. Not many people/places have a 2.4Gb internet connection.
3) Not many companies with a 2.4Gb internet connection wouldn't notice the scanning effort.
4) You still have to purchase the Amazon service, which makes it quite easy to contact to find out while Amazon is sending 2.4Gb/s of ping packets.
5) Your MAC address theory only works if you have a node on the local network. The MAC is used for link-local, which is only accessible by other devices on the local-link.

Re:IPV6 == no security

Enterprise level Network Admins love IPv6. I've heard nothing but good things from friends/family who admin datacenters or large companies. They wish IPv4 would just die.

Re:IPV6 == no security

[unixisc]

Maybe you can, but the only reason that NAT is needed in IPv4 in the first place is to expand the number of addresses. Had 1:1 been used, there would never have been NAT in IPv4. In the case of IPv6, the only reason such a thing is being considered (the IETF has by no means endorsed it) is for some rare uses, such as load balancing. It's not done to get rid of peer to peer networking.

Re:IPV6 == no security

assuming you use the default "turn my MAC into my IPv6 addr

You forgot that your MAC address is only used to create the link-local address, which is not-internet routable. If someone was scanning for this address, they would already have to have access to your internal network.

The IPv6 address page on Wikipedia says you're wrong:

...
Although DHCPv6 exists, IPv6 hosts normally use the Neighbor Discovery Protocol to create a globally routable unicast address: the host sends router solicitation requests and an IPv6 router responds with a prefix assignment.
...
The lower 64 bits of these addresses are populated with a 64-bit interface identifier in modified EUI-64 format.
...
A 64-bit interface identifier is most commonly derived from its 48-bit MAC address.
...

Re:IPV6 == no security

That assumes that the addresses are not predictable.

And indeed they are not. Or was that sarcasm?

Re:IPV6 == no security

5) Your MAC address theory only works if you have a node on the local network. The MAC is used for link-local, which is only accessible by other devices on the local-link.

It's also used by the Neighbor Discovery Protocol to create a globally scoped IPv6 address.

Step 1) Flip the 7th bit of the MAC-address. 00:11:22:33:44:55 becomes 02:11:22:33:44:55.
Step 2) Split the result in two and put "FF:FE" between the two parts, i.e. 02:11:22:FF:FE:33:44:55.
Step 3) Prepend IPv6 prefix. So Google could end up with e.g. 2A00:1450:400F:801:0211:22FF:FE33:4455.

Here's a traceroute to that address using HE's Looking Glass. Looks routable to me...

Re:IPV6 == no security

[dgatwood]

Either way, there's nothing inherently preventing it, and if there's enough demand, someone will implement it.

Re:IPV6 == no security

[Qzukk]

Maybe that's why it was invented, but once it was invented, we found all sorts of cool uses for it. Like load balancing, multi-homing, relocating networks between ISPs without having to renumber everything internally, etc.

Re:IPV6 == no security

[unixisc]

OK, 585 years in that case ;-)

Re:IPV6 == no security

[unixisc]

Using EUI64 the way it's currently defined would be inane. Ideally, a router should be set up to assign the addresses according to some preset rules. It would also help if all nodes on the network had static AND dynamic addresses, as assigned by a DHCP6 server.

Re:IPV6 == no security

[unixisc]

The MAC address is also used to generate EUI64 based autoconfigured addresses, which is what I believe the Guspaz was refering to.

Re:IPV6 == no security

[unixisc]

Dynamic IPs are useful if you're just a client and don't want to accept inbound connections. But giving everybody their own address - people don't get it out of nowhere - it's usually connected w/ an ISP or an organization that brings them their internet connection. The global prefix is provided by the ISP, and a customer may usually get anything from a /64 to a /48. The lower half of the address is what the customer can configure.

But unless somebody has directly gotten an address from ARIN or whichever RIR they're using, their address is not going to be independent of the ISP.

Re:IPV6 == no security

[Guspaz]

It wasn't: not everybody will use the privacy extensions, and there may be a flawed implementation that causes problems.

Re:IPV6 == no security

The MAC address is also used to generate EUI64 based autoconfigured addresses, which is what I believe the Guspaz was refering to.

Step 1 and 2 in my post turns the MAC-address into a modified EUI-64 format. Are we talking about the same thing or do you mean link-local IPv6-addresses (fe80::...)?

If Guspaz was referring to link-local addresses, his post doesn't make any sense at all, so I think we should assume that isn't what he's referring to.

Anyway, I was only commenting on point 5 in an AC post that made it sound like MAC-addresses was only used to generate link-local addresses. They're not, as you can see in my post.

Re:IPV6 == no security

[unixisc]

Yeah, we are talking about the same thing here. You are right - it's not the only way to generate either link-local, nor unique addresses using autoconfig. Any algorhythm can be used to create a 64-bit ID that is unique, and from which the MAC address cannot be traced back.

"here's what to do about it?!!!"

[sneakyimp]

That last link doesn't have one spec of advice. It merely describes the problem again. FAIL.

Re:"here's what to do about it?!!!"

[Galestar]

I was thinking exactly the same thing. Article is fail

Why?

[grumpyman]

As an individual user... why? This should be something that I shouldn't have to worry about and the change should be transparent.

Re:Why?

[DigiShaman]

There's profit in scarcity. Some ISPs may start offering IPv6 only to mobile devices while public IPs (both static and dynamic) will require either a premium or business account. That means that home users get double-NATed. That in of itself breaks all sorts of network functionality including VPN and hosting/sharing files from home. So yes, the scarcity of IPv4 might rear its ugly head that will bite both the consumer and corporate America in the ass.

Re:Why?

[slimjim8094]

It will be, if you have a reasonable router (AirPort is one, but not the only, example) and your ISP uses something like DHCPv6 with prefix delegation. One day your ISP will say "hey, here's a v6 subnet!" and your router will go "alright, you guys (your devices) go ahead and pick one from this range". And it'll just work. If you don't have a new enough router, this won't happen, but it shouldn't affect v4 connectivity.

FWIW I've been running v6 at home for 5-6 years (through a tunnel), my university has it for all wired and wireless connections, and there's not a problem. Not one, literally, anywhere that I've heard about. It just uses v6 for any enabled service, and falls back to NATted v4 otherwise.

Re:Why?

[Hatta]

The consumer had to worry about the transition from leaded gas to unleaded gas. The consumer had to worry about the transition from analog TV to digital TV. The consumer had to worry about the transition from 7 digit phone numbers to 10 digit phone numbers (where applicable). Why shouldn't the consumer have to worry about IPv6?

Re:Why?

[rs79]

That's different. In all those examples the old one went away. That isn't the case here, the V6 network is a separate network from the V4 network and the V4 core network is never going away - some things will never work with V6 and people need to use those tools.

Widespread adoption is far off

[undefinedreference]

There are still vast ranges of unused addresses that have not been monetized, so there's no incentive to change. The cost of conversion is higher than the cost of addresses, therefore we will keep using them and developing software that doesn't support IPv6 until costs escalate.

Beyond this, how many of your ISPs offer native IPv6? This will be a prerequisite to widespread consumer adoption.

Re:Widespread adoption is far off

[shentino]

Actually, the cost of the address is not really proportional to the cost of giving it up as it is to the value that can be extracted from a desperate buyer.

Prices are high because demand is high and early adopters with a large hoard of addresses are effectively a cartel.

Want to know what I am going to love the most?

That I won't see those same damn bots that scan the entire IPv4 range all the damn time as often.
Hope they enjoy scanning the entire IPv6 range.

Admittedly they might get better results as NAT won't be causing as many problems with detecting actual hosts.
Sometimes I just feel like messing with them.

Re:Want to know what I am going to love the most?

[undefinedreference]

It reminds me of the early-mid 90s where basically every connected computer had a public IP address. It was glorious.

No one cares!

[na1led]

Until some new technology that everyone wants comes along and requires IPv6, no one will care about it. It makes no sense for businesses to pay thousands on larbor to reconfigure their entire network for IPv6, and see no beneficial gain. Not to mention a lot of legacy hardware still don't support IPv6, like network printers/copiers, camera systems, security systems, etc. It also complicates maters worse when you try to network across long distances.

Re:No one cares!

[mlts]

Businesses will switch when IPv4 addresses get so expensive that there is no other option, and the ugly hack on ugly hack to maximize the use for them gets to a point where it isn't worth doing.

Call me crazy, but NAT, ugly as it is, may still be a useful tool. It isolates the internal fabric, so that regardless of what the external routers are talking to, packets get out. Does it improve security? NAT by itself doesn't, but that is what SPF, a good IDS/IPS, and proper segmenting is for.

IPv6 has been around for a long time now. You can't buy an IPv4 only device pretty much, as almost anything that has Net capabilities has at least a dual stack.

Re:No one cares!

[na1led]

There are other tools besides NAT, like vlan's and vpn that can extend local networks.

Re:No one cares!

[WaffleMonster]

Until some new technology that everyone wants comes along and requires IPv6, no one will care about it.

The killer app for IPv6 is maintaining a global network of PEERS. It's what you or others don't have to worry about loosing which makes a transition more appealing than accepting status quo for eternity.

Content extracts value by reaching everyone directly without having to worry about degregation through additional hops/congested CGNs.

Service providers extract value by not having to operate expensive CGN.

Governments and LEA extract value by not having to deal with multiple devices cloaked behind a CGN.

Even partial deployment provides some value to all stakeholders.

It makes no sense for businesses to pay thousands on larbor to reconfigure their entire network for IPv6, and see no beneficial gain.

Nobody is suggesting they do. All they need to do is make their *external* presence accessible via IPv6. They can keep IPv4 internally forever for all anyone cares.

Not to mention a lot of legacy hardware still don't support IPv6, like network printers/copiers, camera systems, security systems, etc.

IPv4 is not going away anytime soon. IPv6 is being added. Noone is taking away your toys. You don't have to go out and buy new stuff.

Even if the global IPv4 network went away IPv4 private networks would still be avaliable. You could still tunnel your IPv4 network over IPv6 with anyone you chose to have access to it.

It also complicates maters worse when you try to network across long distances

Having more globally unique addresses complicates matters? I won't pretend I understand how this complicates matters more than attempting to communicate with two peers both stuck behind CGNs.

Re:No one cares!

[tftp]

You can't buy an IPv4 only device pretty much, as almost anything that has Net capabilities has at least a dual stack.

IPv6 in LWIP is still experimental. Every byte counts - I don't have a 1 GB DDR3 connected to a microcontroller. I may have only 64 kB of on-chip RAM for all the networking, on a good day. I already have to count TCBs and active connections. How do you suggest I add IPv6 support to existing and new devices?

Re:No one cares!

[na1led]

You failed to take into account all the software out there still relying on IPv4. When you already have remote access, and Vpn connections setup for clients, reconfiguring to IPv6 can complicate things. Some companies are still using legacy Black Berry phones with BES servers. Switching over to a new system can be a nightmare for IT people.

Re:No one cares!

Given that IP operates at level 3 of the stack and your 'software' operates much higher up, that's not a big concern.

Re:No one cares!

[coofercat]

Businesses will switch when the money talks. The cost of IPs isn't a problem at the moment (and your competitors all need to spend the same). When they're like a million dollars a pop it might get interesting.

When end users start calling up saying "your website is down" or whatever, then they'll start moving. No business is going to spend hundreds of thousands doing the work to get IPv6 compatible if it doesn't bring them any users.

For me personally, I'll go IPv6 when:
- My ISP has an IPv6 option - they don't currently, meaning I'd have to tunnel, which seems sort of pointless except to play about (which I might, but only because I'm a geek)
- Netgear (or someone like them) makes a £50 router that supports IPv6. Right now, the best I've found is about £150 (although I haven't re-checked for about a year, so I may be wrong about that)

Once I'm IPv6, I'll be expecting services to be available on it - although I'll have an IPv4 fallback, it won't be my preferred mode of transport, so the providers will (gradually) find the time to change. I suspect sometime around 2018 at the earliest.

Re:No one cares!

Put more memory in them?

Re:No one cares!

[tftp]

How, without a redesign of the board and without using a larger MCU?

I can understand that more features require more memory, and they cost more too. But that is counter to the mantra of IPv6 proponents that the change is easy and it costs little. There are millions of Polycom IP phones out there that can only talk IPv4, for example. They cannot be upgraded.

Cost of those little chips cannot be disregarded either. The 128 kB part is $6.99 but a similar 512 kB part is $9.79, a 40% increase. The price of your product will go up by a few percent because of that. Doing that during recession, with US labor and associated costs (taxes) already going through the roof will kill a few thousand more US jobs across the industry through reduction of sales.

Lol

[Anrego]

Each and every one of you reading this is a customer of service providers and equipment vendors. It's time to use your voice and demand an IPv6 migration strategy that you can plan on.

On my walk in to work, there is this beautiful historic stone fence with cobblestone walk way for about a 2 block stretch... and demanding an IPv6 migration strategy I can plan on from it would likely be a better use of my time...

The article does nail the obvious problem on the head... the fact that IPv6 offers no benefit anyone cares about (we've learned to work with nat and even come to love it) except a solution to a problem that hasn't actually hit yet. Thing is this is the easy part. We all _know_ why IPv6 isn't being adopted. The hard part is how do we change that.. and "call up your ISP" is a really silly answer.

T-Mobile has IPv6 on 4 Samsung phones

IPv6 works well at T-Mobile USA https://sites.google.com/site/tmoipv6/lg-mytouch

Better regualte the free markets!

[Bulldozer2003]

I thought IPv4 was gone, all the IPs handed out willy-nilly for free?

Oh wait, the free market is allocating them more efficiently now that they are all quasi private property?

Better pull out the legislation to stop this and force IPv6 to go faster just cause we want it to.

I always wondered why the ISP I worked at could just be handed a /16 for free with unverified supporting documentation!

Disclaimer: I like IPv6, but I am preempting any comments proposing we stop this IPv4 "black market".

Re:Better regualte the free markets!

[shentino]

This is the price we pay for handing them out freely in the beginning and failing to force them to be treated as a public resource.

Ceding quasi-property rights in them was the big mistake that let early adopters scoop up loads of addresses for free and presently milk them for all they are worth. It's a black market that is paying monopoly profits to the hoarders of old.

This is nothing more than speculation in a cornered market.

Internet registries need to grow some balls and start seizing IP space that is being used inefficiently or being sold on the black market.

Come to think of it, I don't really think IPv6 is going to fare any better if efficiency is not enforced.

Re:Better regualte the free markets!

[shentino]

I have no problem with the free market treating them as quasi private property.

Except for the presence of early adopters that were allowed to hoard them in the days of plenty and are now collecting a windfall.

Re:Better regualte the free markets!

[lucifuge31337]

I always wondered why the ISP I worked at could just be handed a /16 for free .

They weren't. AS numbers cost money, as do IP allocations.

Re:Better regualte the free markets!

[Tim+the+Gecko]

Come to think of it, I don't really think IPv6 is going to fare any better if efficiency is not enforced.

The short answer is we have 16 billion billion networks (with many hosts on each), compared to 4 billion unique host addresses.

The longer answer (from someone at HE who has done the math): http://mailman.nanog.org/pipermail/nanog/2012-July/050298.html

The calculation shows how long it might take to use up one eighth of the possible space. Our grandchildren can always change the policies at that stage. It depends what you mean by "efficiency", but it takes a lot of effort to run out when giving out /48s to end users and businesses.

Re:Better regualte the free markets!

This is the price we pay for handing them out freely in the beginning and failing to force them to be treated as a public resource.

This is what you get for using a prototype protocol. IPv4 was meant to be 128bit, but for simple presentation reason, they showed it as 32bit as not to distract the higher-ups from being like "omg, 128bit?! that's a lot of processing on these 16bit computer"

Once I get a modem with that supports it.

[medv4380]

My ISP already supports IP6RD if I had a modem with the firmware updated need I'd be on it already. At least it looks like my ISP has been trying to get their supported modems upgraded. They went from only having 1 modem that supports it to now having 3 modems. In a year or two I'll ether have a new modem that supports it or I'll have a upgraded the firmware. Upgrading to IP6 will take time since their is a lot of IP4 only hardware still out there that needs to be purged.

Instructions?

[defaria]

Lots of people talk about IPv6 and how they are "ready" etc. But nobody I've seen gives exact instructions on how I would configure IPv6 for my SOHO setup. What equipment do I need? What configuration do I need to set exactly? And, after I do all of this, can I get to IPv4 places or am I in the 1% as they say?

Re:Instructions?

[mactard]

You need an ISP that is giving their customers IPv6 subnets (Comcast does, I'm not sure who else though), a newer router that supports IPv6 (everything that's current seems to) and Win7/WinVista/OS X post 10.1/Linux. It's zeroconfig from thereon out. I'm on IPv6 and it's been somewhat useful. I have a AAAA header on my domain so I can access my desktop without dyndns. It's really all about your ISP though.

Re:Instructions?

[marka63]

You missed Windows XP (requires a one time initialisation step).

Now that home router vendors are shipping IPv6 routers it is becoming much easier. These will come down in price to match the IPv4 only boxes soon so the only impediment to switching on IPv6 will be your ISP dragging their feet.

You .Fail It!

committerbase and WHEN IDC RECENTLY Moans and groans Usenet posts. can no longer be In posting a GNAA Jesus Up The progrees. Any recent Sys Admin

Clear Instructions?

I've set up IPv6 to the extent possible on my equipment and the problem is that the steps (for a newbie) are complicated and unclear. How is IPv6 going to spread if one needs a degree in networking to get it all to work?

Re:Clear Instructions?

How do people set up a IPv4 network without a networking degree?

Re:delays ... delays ... delays... nothing but del

[camperdave]

The sale of IPv4 addresses isn't what is delaying IPv6, but rather:

• Lack of IPv6 ready devices.
• The sense that the IPv6 specification is still in a state of flux. Site local addresses have come and gone, being replaced with unique local addresses. Unique local addresses are supposed to be randomly generated, however, there are movements to have a central registry for these. A number of schemes for encoding an IPv4 address in IPv6 have come and gone, as well as certain allocations of address ranges.

Really?

And in other breaking news, sale of large, luxury cars down due to availability of affordable, economical cars. Highlights at 6.

IPv6 cons

[Anomalyst]

Expensive IANA wants multiple thousands to allow us, as an ISP, to provide equivalent IPv6/48 address blocks to our customers match their IPv4 currently allocated blocks. It provides no incentive for us to give back IPv4 allocations after moving our customers to IPv6
Lacking toolsI have not seen any transition tools to allow a quick and easy remapping from IPv4 to IPv6. The existing blocks and their descriptions (you do put descriptions on your blocks don't you?) should be detected and re-tailored for IPv6. Building the address block heirarchy in an IPv4 design tools and having a script to translate it to a DHCPv6 config would go a long way to easing the pain.
Missing FOSS IPv6 DHCP GUI Microsoft has had a DHCPv6 GUI for quite a while, haw hard can it be to use it as a template? Integration with the DHCPv6 LDAP objects would be a big plus
PXE not supported in DHCPv6 So you are back to IPv4 for remote boot until you can remote configure a host for IPv6

Re:IPv6 cons

[darkonc]

well, PXE isn't a big problem because it's internal network only.... Unless you have cross-network connections that are necessary to boot your machines (an extreme rarity in my world .... bordering on stupid in most cases).

Re:IPv6 cons

If you're an ISP, you should be requesting address space from an LIR, not an RIR, let alone IANA, right?

Re:IPv6 cons

Sorry, I forgot LIR usually means ISP, so you should be requesting from an RIR.

Re:IPv6 cons

[marka63]

If you are a ISP you don't talk to IANA and as a ISP you will continue to need the IPv4 addresses for quite a few years more so why would you want to give them back?

As for paying more to give each customer a /48 you would pay 8.1 times more in the APNIC region. If you choose to give your customers a /56 you would pay $0 more in the APNIC region. Most residential ISP's are looking to hand out /56's or /60's. When you look at it on a per customer basis with a million customers you have:
IPv4: 1180*1.3^(20-8) = 27376.0 AUD (2c/customer)
IPv6: 1180*1.3^(28-8) = 224200.0 AUD (21c/customer)

If you are not happy with the pricing model you can lobby to have it changed.

Prefer IPv6?

[WaffleMonster]

Vista and Windows 7 "prefer" IPv6 too... Heck even Windows XP with its crappy IPv6 stack turned on prefers IPv6.

If you read the whole cnet article what has changed is network awareness sending an IPv6 only HTTP request periodically to a Microsoft server using this to judge if IPv6 connectivity is actually available.

In other words the behavior of all windows 8 systems on the planet with regards to IPv6 usage is dictated by the availability by a single Microsoft URL. What could possibly go wrong with that? Is it not also wonderful MS having their system ping out to MS servers by default periodically without anyone knowing or providing a user choice to turn it off not involving registry hacks?

With regards to IPv6 usage I just checked the interface stats on my gateway with an HE tunnel configured. Very interesting...IPv6 Internet traffic is a full 25% of overall Internet usage over the last 145 day period. This predates the June 6th IPv6 go live day by several months.

IPv6 = 32GB
IPv4 = 129GB

ISPs are still dragging their feet lighting up IPv6.. I fear we will have to wait another two years before most large ISPs get their act together on full production deployment.

The most interesting thing seems to be the "long tail" effect reflected in my actual usage.

Given current environment where just a handful of megasites are responsible for the majority of all Internet traffic by volume huge changes in traffic patterns can tip the scales on IPv6 usage rapidly while the countless millions of other sites run by the rest take just as long to switch over as the IPv6 naysayers say it will.

Useless Article

[StormReaver]

The "here's what to do about it" teaser amounts to, "complain to your ISP." Thank you so much. If only we had thought of that.

The article is useless.

Re:delays ... delays ... delays... nothing but del

# The sense that the IPv6 specification is still in a state of flux. Site local addresses have come and gone, being replaced with unique local addresses. Unique local addresses are supposed to be randomly generated, however, there are movements to have a central registry for these. A number of schemes for encoding an IPv4 address in IPv6 have come and gone, as well as certain allocations of address ranges.

"Oh, draft these standards. They're so naughty and complex."

One problem?

The benefits to IPv6 are significant but I'd like to take apart your assertion that it "[solves] a problem that hasn't actually hit yet".

That's just wrong.

The world supply of IPv4 is empty. Gone. No more available. What about the regional registrars I hear you ask?

Asia. Empty. Dry.
Europe. Imminent exhaustion. 2 - 8 weeks until they're dry.
North America. They're better off. Instead of mere weeks we're up in the months range. 6 - 12 months.
South America and Africa. They're better off only because they have significantly lower burn rates not because they have . This will only stay low until it becomes economically viable to export IPs from these regions or until growth in internet devices ramps up like it has in China or India.

As the price of IPs rise there will more aggressive conservation strategies. You think people like NAT when they control the box just wait until Double-NAT, also known as carrier grade NAT, arrives. People have spent years trying to get NAT traversal working right, and still haven't gotten quite right, and now we're preparing to dial it up to 11.

We can either spend money and transition to IPv6 or spend more money managing the problem rather than solving it.

Re:One problem?

[Anrego]

Current impact to most of the populations daily life: 0

And that's what it comes down to. People en-masse are reactive, not preventative. You can have all the charts and stats and proof showing that it's _going_ to cause huge headaches for everyone.. but until it actually does, nothing will be done.

We can either spend money and transition to IPv6 or spend more money managing the problem rather than solving it.

Big time on option 2. That's just reality.

Re:One problem?

[petermgreen]

We can either spend money and transition to IPv6 or spend more money managing the problem rather than solving it.

Unfortunately IPv6 has a massive chicken and egg problem. We can't really start deploying v6 only stuff until most of the internet has moved to dual stack but there is little financial motivation to move to dual stack while there is virtually no v6 only stuff out there.

So for the foreseeable future the choice for an ISP that is short on addresses (or one that has decided that the market value of their addresses is greater than the "use value") is between deploying some form of ISP level NAT and deploying IPv6 or deploying some form of ISP level NAT and ignoring IPv6.

Re:One problem?

[WaffleMonster]

And that's what it comes down to. People en-masse are reactive, not preventative. You can have all the charts and stats and proof showing that it's _going_ to cause huge headaches for everyone.. but until it actually does, nothing will be done.

This is irrelevent. People en-masse don't know what the heck IPv4 or IPv6 mean nor do they care. They just want their shit to work.

What do you mean the IP Stack on my PC or tablet or phone was updated to support IPv6 years ago? What is a stack? What is an IPv6?

What do you mean my ISP flipped a switch, pushed firmware or configuration and now I'm on IPv6? What is IPv6? I don't see anything different.

The transition does not require action on the users part. It will just happen at some point even if that point coincides with the user throwing out an old router and replacing it with a new one after its PSU dies or it is deemed obsolete.

IPv6 is driven by the industry not by the end user ("most of the population").

Big content and large ISPs have already made their stance and desire for IPv6 clear by driving its adoption for selfish reasons.

Re:One problem?

[amorsen]

We can't really start deploying v6 only stuff until most of the internet has moved to dual stack

I used to think that, but not anymore. IPv6 only + some variant of NAT64 is likely to become more common than dual stack in just a couple of years. Particularly for 3G/4G services where you can do an IPv4 NAT'ed APN for legacy devices and give all the new stuff full IPv6 + NAT64.

For servers, I expect the same thing in reverse: they will go all-IPv6 with a load-balancer in front doing the translation from IPv4. That design frees you to build your network just the way you want without the addressing constraints of IPv4, and if you change things, all you need to do is update the load-balancer.

Re:One problem?

[petermgreen]

NAT64 seems like a horrible soloution to me, protocol translation adds a load of complexity and afaict you have to mess with dns to direct users to your nat64 gateway (which breaks dnssec). I sure hope it doesn't become the default solution to the v4 address shortage but I fear you may be right that the mobile networks will pick it to simplify things at the device end.

Re:One problem?

[Raenex]

What do you mean my ISP flipped a switch, pushed firmware or configuration and now I'm on IPv6? What is IPv6? I don't see anything different.

I actually noticed I had IPv6 when I anonymously edited a Wikipedia article and the address was IPv6. I was quite surprised.

I Saw What You Did There

[j+h+woodyatt]

Headline on the original article: What to Do About the Scarcity of IPv4 Addresses
Headline on the Slashdot post: Sale of IPv4 Addresses Hindering IPv6 Adoption

Well-played.

It's not a problem.

[Colin+Smith]

I've seen vines, ipxspx, osi etc fall by the wayside.

Really. Nobody cares about ipv6. It's not a problem, people like you are a bigger problem.

IPv6 address = person?

[gottabeme]

We all know IP4 addresses don't identify a person. Will this change with IP6? With the "an IP address for every toaster" idea, will they still be dynamic enough for plausible deniability?

Re:IPv6 address = person?

[Anderu67]

In theory what was once 1 IP you get is now a /64 block. IPv6 privacy extensions (enabled by default on Windows at least, available everywhere) make your computer generate a new IP every time you use it (still within the block), so it's sort of the same. They can prove it was in your house but not which equipment (unless it's still using the same address...)

DHCPv6 is a stupid idea

[tlambert]

Unless you are an anal meta-administrator attempting to keep yourself employed, or a repressive government trying to keep your people firmly under your jackboot, everything should be done via stateless autoconfiguration.

Personally, I know I will not miss having to set up tons of hardware that's too stupid to assign its own address correctly.

Re:DHCPv6 is a stupid idea

[Compaqt]

Wait, is there something I'm missing here?

Under DHCP, admins don't assign addresses to devices manually, the device asks for an address, and it gets one. Is that jackbooted?

What is stateless autoconfig? A device asking every other device over the entire address range "do you exist" and can I take this number?

Here's an idea...

[tlambert]

Give all the IP4 addresses away to China and other countries where botnets tend to originate most often, and make then NAT to get on the IP6 network the rest of us will live on when we don't own any of the IP4 space any more.

Question, Why was IPv4 Even Allowed?

Perhaps somebody has an (expert) answer here to this question: Why was IPv4 even allowed or implemented in the first place? Did this have to do with computing and/or memory limitations back in the day (1974 to 1981) that nobody every thought could be overcome or even required? I know hindsight is 20/20.

I find it hard to understand how the researchers developing the IP protocol could think that 4.29 billion address would be sufficient given the scale of possible adoption in the future. I'd have to imagine if everybody had a phone, for example, with an IP address back in 1974 -- which as I understand is the year of the first version implementation of the IP protocol -- the global population was around 4 billion according to wolfram alpha. In 1981, according to the same source, the population was 4.6 billion, which was the year IPv4 was finalized and is still in use today according to the Wikipedia entry; http://en.wikipedia.org/wiki/Internet_Protocol.

Now we are dealing with this IPv4 wall mess. And as far as I can tell the IPv4 is not going away anytime soon. Interesting how the telco's can upgrade networks and hardware implementation. Everyone who develops internet capable devices know most likely have implemented a dual operation mode of IPv4/IPv6 in the devices, but defaulted to IPv4. My ISP provided router has both IPv4/IPv6, but they have now documentation about future implementation or migration to IPv6.

Re:Question, Why was IPv4 Even Allowed?

[FaxeTheCat]

The simple answer is that IPv4 was meant for a pretty small test network only. Then it spread...It was never meant to become a global address space.

Re:Question, Why was IPv4 Even Allowed?

[Yaztromo]

Perhaps somebody has an (expert) answer here to this question: Why was IPv4 even allowed or implemented in the first place? Did this have to do with computing and/or memory limitations back in the day (1974 to 1981) that nobody every thought could be overcome or even required? I know hindsight is 20/20.

I find it hard to understand how the researchers developing the IP protocol could think that 4.29 billion address would be sufficient given the scale of possible adoption in the future.

First things first: due to all of the reserved address ranges, particularly (what were once called) Class D and E addresses, there are fewer publicly routable internet addresses than ~4.29 billion. The number is ~3.70 billion addresses once you take the various reserved address ranges out.

With that out of the way, the world was a vastly different place back in the 1970's when IPv4 was first defined. The idea of everyone carrying a telephone with them everywhere was science fiction, and the notion that such devices would feature processing functionality that would be able to take advantage of being network-enabled probably wasn't even conceived. The personal computer revolution hadn't happened yet either. As you said, hindsight is 20/20. It's easier to see how we got to now from there than the other way around.

It's also worth keeping in mind that when IPv4 was standardized in 1981 ([RFC 791]), computers were not particularly powerful; a state of the art desktop machine of the era would have little RAM, an 8 bit processor, and would run at less than 5Mhz. A device with an 8 bit processor would require at least 4 LOAD instructions to load an address from memory into registers, plus whatever processing would be required against the address (particularly for routing). Newer 16 bit processors (such as the 8088 and 8086) could do the same sort of processing with only two MOV instructions, but using a 128 bit address like in IPv6 would have required 8 bit systems to do a lot of processing just to handle the addresses -- you'd have to run 16 LOAD instructions just to read every part of the address into registers. This would be very significant processing wise for the time; I'd venture to say you'd need a supercomputer just to act as an IPv6 router back in 1981 (even with the limited number of hosts actually on the network). Memory would be a consideration as well -- 16KB fills up pretty quickly, so squeezing every byte out that you can would have been advantageous.

I'm also not particularly sure that the designers of IPv4 had a public Internet in mind. It wasn't until the early 1990's that the Internet was generally opened to commercial use; prior to that it was limited to government and research use. I don't think in the mid 1970's when Robert E. Kahn and Vint Cerf started work on trying to unify the various networks then in operation, that they considered that people would have a dozen or more Internet enabled devices in their homes (at current count there are 24 IP enabled devices in my home, although I certainly don't claim to be typical). That is, the "purpose" of the protocol at the time wasn't to provide a pervasive network that covered the globe, and the idea of 2^32 hosts was probably completely inconceivable. IPv4 has since invention been shoehorned into uses and purposes that were never conceived at the time of its invention. Indeed, considering how many protocols were being invented, and how quickly new iterations were being introduced, it probably wasn't expected that the world would still be using IPv4 over thirty years after it had been first defined.

IPv4 is getting to be a creaky, old technology with all sort of band-aids applied to it over the years. It is time for replacement -- the research and development community has been saying so for fifteen years or more. Unfortunately, the momentum behind IPv4 is massive, and entrenched inte

Re:Question, Why was IPv4 Even Allowed?

and this is a quote from...? al gore

Re:Question, Why was IPv4 Even Allowed?

[oobayly]

Check this link: Why IPv6? Vint Cerf keeps blaming himself

Re:Question, Why was IPv4 Even Allowed?

[destruk]

Why stop at IPv6? Certainly, every forseeable limitation has been exceeded in the past, so why not instantly make the jump to IPv240,000 and be done with it til the end of time? This every 30 years needing to upgrade and update the world's computers sure does get old.

Re:Question, Why was IPv4 Even Allowed?

[Kjella]

I think the tl;dr summary of your post is: IPv4 was designed around the same time frame as storing 2-digit years. Enough said really.

The only thing that differentiates IPv4 from pretty much every other limit or system we've had to expand is that it was actually very forward thinking with room for billions of devices, so instead of having to do it "right" in the 90s when it actually hit mass market it survived the dotcom era without running out. It's only now with 7+ billion people and people using many devices (desktop/laptop/phone/tablet/etc.) that 32 bit is just not enough. Also if you look at the RIRs we're not really out yet, only Asia is out. Get an IP block anywhere else and you're still good for a little while though Europe is also empty in a few months.

Re:Question, Why was IPv4 Even Allowed?

No, he paraphrased the person who made IPv4. The father of IPv4 wanted it to be 128bit when it was ready to go live, but it went live before completing the prototype phase.

Re:Question, Why was IPv4 Even Allowed?

IPv6 has enough address space to make current routing logic useless before it runs out. In other words, IPv6 will be dropped for other reasons before it runs out. Those reasons cannot be anticipated with any useful amount of certainty.

Re:Question, Why was IPv4 Even Allowed?

[Yaztromo]

Why stop at IPv6? Certainly, every forseeable limitation has been exceeded in the past, so why not instantly make the jump to IPv240,000 and be done with it til the end of time? This every 30 years needing to upgrade and update the world's computers sure does get old.

You can't really assume a trend of every 30 years when the only data point we have is the first significant (current) one.

You also have to remember the difference between researchers/inventors and implementors. Back in the late 1980's there was already concern in the R&D community that 2^32 addresses wouldn't be sufficient, and that a new protocol would need to be devised. Unfortunately, the implementors typically aren't interested in such concerns -- they have something that works right now, and has a significant number of existing hosts, so they use it. It's the reason why we continue to use IPv4 today.

Lastly, 2^128 addresses is colossally massive. It's 340282366920938463463374607431768211456 addresses, which is over 34 billion billion billion billion. That address space can fit 2^92 individual networks, each the size of the full IPv4 address space. It's crazy massive enough that if there were 10^19 Earths, each with a population approaching seven billion, each and every single person on each of those Earths would be able to have an entire Internet's worth of 23-bit address space, all to themselves. Or, if we decided to fill the entire area of the Solar System with computers, we could have a density of about 3.1 * 10^18 computers per square kilometre, roughly inside the orbit of Pluto. It's nearly enough to give every single atom in the solar systems its own address.

Thus, in a sense, we already have made the jump, as we've called in IPv6. Using some crazy large address size (let's say 1Kib addresses) would make processing the addresses computationally more difficult, and would give such an insane address range that every atom in the universe could have 10^228 addresses each. The computational difficulty of routing such addresses would require routers way more powerful than we currently have, would make them prohibitively expensive, and would remove a lot of smaller, low-powered/embedded devices from being able to function on the network (due to how quickly you could fill RAM with just addresses).

Yaz

Re:Question, Why was IPv4 Even Allowed?

[Yaztromo]

It's crazy massive enough that if there were 10^19 Earths, each with a population approaching seven billion, each and every single person on each of those Earths would be able to have an entire Internet's worth of 23-bit address space, all to themselves.

I do, of course, mean 32 bit address space.

Or, if we decided to fill the entire area of the Solar System with computers, we could have a density of about 3.1 * 10^18 computers per square kilometre, roughly inside the orbit of Pluto.

In case 3.1*10^18 computers per square kilometre doesn't mean anything to you, that's 3.1 trillion computers per square metre. Filling the entire orbital plane of Pluto. This should give you a better idea of how many addresses a 128 bit value can provide.

Yaz

Why are mobile devices on IPv4 any more?

[Animats]

For mobile devices, the software is controlled by the carrier and the data path is controlled by the carrier, and the apps are controlled by the carrier or the handset maker. Mobile devices don't act as hosts. And all the growth in devices is in mobile. So why aren't they all on IPv6?

If the carrier has to do an IPv6 to IPv4 translation, they can do that at their head end.

Re:Why are mobile devices on IPv4 any more?

[pipedwho]

Mobile devices don't act as hosts.

A company I've worked with has a deployed fleet of over 50,000 embedded commercial vehicle monitoring units that all allow back connections (ie. act as hosts) to request immediate status updates and send messages to the driver. Unfortunately, the majority of carriers don't have IPv6, so we're forced to play all sorts of games to handle dynamic IP address changes. And even more annoyingly, most of the carriers dynamically assign 10.x.x.x addresses to the units, so we have to jump through even more routing hoops to connect with various units.

.2% is not 'just a blip'

[darkonc]

An Arbor Networks graph shows less than .2% of the traffic the company measured was IPv6. That's up from a peak of .04%, which occurred on the first Worldwide IPv6 Day in 2011; hardly a blip in a year.

That's a 5-times increase in a year.

If we pretend that we're business math students, then next year we'll see 1% -- then 5% in 2 years and 25% in 3 years -- which would be easily enough to trigger further network effects.

It all breaks down in the 4th year with 125% of traffic, but I'll just take that to mean that the remaining IP4 traffic will be encapsulated in IP6 packets by then.

ipv6 gaming ?

[UnknownSoldier]

Sorry, my speciality is graphics + optimizations not networking. Question for the /. crowd ...

If I have a ipv6 address how do I guarantee all my "old" ipv4 games work ?

Is this a non-issue? I realize ipv6 doesn't have NAT, but are there any special configurations I need to do on the router if I switch my entire home network over to ipv6 ?

Thanks.

Re:ipv6 gaming ?

it works because you are given a small network block. Basically, your ipv4 is converted to ipv6.

Re:ipv6 gaming ?

[Dagger2]

If I have a ipv6 address how do I guarantee all my "old" ipv4 games work ?

Simple: you use IPv4. You don't "switch" your network to IPv6, you use IPv6 on it at the same time as IPv4. Your existing v4 stuff continues to work as well as it would have done if you didn't have v6 too. (This is the usual way of doing v6 deployments, called "dual-stack".)

This is basically the situation we have today with old IPX games, just we're at the beginning of the transition rather than at the end.

Re:ipv6 gaming ?

[UnknownSoldier]

Ok, I can follow that.

Scenario: User is *only* given IPV6 from their ISP.

They try to run an application that uses the IPV4 networking stack. What is going automatically "auto-tunnel" ipv4 on top of ipv6 ? Does this just work??

Re:ipv6 gaming ?

[Dagger2]

There's nothing to automatically tunnel v4 on top of v6. You're expected to do v4 beside v6, using all the existing mechanisms to automatically deploy v4 -- they already work quite well, after all.

If you really do only get IPv6 from your ISP, then you can't make v4 connections to the internet. That's not very useful, so you're not going to see IPv6-only ISPs any time soon. (You can still use v4 privately on your own LAN though, and e.g. Hamachi will work as well as it ever does, so long as you can connect to the Hamachi servers over v6.) ISPs will use NAT to continue giving people v4 addresses for quite a while yet, and presumably charge extra to people who want a proper non-NATed IP for inbound connections.

(There is a semi-exception in the form of NAT64, which maps the IPv4 space into a /96 in v6. In principle you could then NAT46 back again on your local router, and you'd have v4 access with the link between you and your ISP being v6-only. I don't think we'll be seeing much of that from home ISPs though, because it's easier to just do dual stack.)

Re:delays ... delays ... delays... nothing but del

There's only one scheme for encoding IPv4 in IPv6, and it isn't changing because it's built into the BSD Sockets IPv6 extension API, published eons ago. What is uncertain is how to route those addresses. Part of the "confusion" is that some lazy developers would prefer to be able to bind to a single port and receive IPv4 and IPv6 connections, especially when upgrading old software. But for this desire, there'd be no issue whatsoever. Best practice, however, is to bind to two separate ports. And if you do this there are and will be no issues to worry about concerning ports and addresses.

Likewise, people are confused about DNS and making client connections. But as long as you use getaddrinfo(), there isn't any real problem (excluding optimization obsessions).

People get confused when they think too much about it. But if they stick to the published APIs, then all will be fine. That's because if anything needs to be changed (unlikely), almost certainly it'll be done in a way transparent to those using the published APIs.

Re:delays ... delays ... delays... nothing but del

[camperdave]

From Wikipedia

The 96-bit zero-value prefix ::/96, originally known as IPv4-compatible addresses, was mentioned in 1995[37] but first described in 1998.[43] This class of addresses was used to represent IPv4 addresses within an IPv6 transition technology. Such an IPv6 address has its first (most significant) 96 bits set to zero, while its last 32 bits are the IPv4 address that is represented. In February 2006, the Internet Engineering Task Force (IETF) has deprecated the use of IPv4-compatible addresses. The only remaining use of this address format is to represent an IPv4 address in a table or database with fixed size members that must also be able to store an IPv6 address.

I'll buy it.

Please give me your name, address, your phone number, and your bank account number so that I can deposit this in there. And then I will call you to finish the transaction.

Re:delays ... delays ... delays... nothing but del

There's only one scheme for encoding IPv4 in IPv6, and it isn't changing because it's built into the BSD Sockets IPv6 extension API, published eons ago.

This is not true. There is the ancient ::x.x.x.x which has since been nixed. A number of NAT systems are mapping IPv4 domain to an arbitrary IPv6 prefix and fudging DNS to make IPv4 universe accessible as if it were native IPv6.

IPv4 mapped IPv6 addresses are NOT used for encoding IPv4 in IPv6 for transmission.

What is uncertain is how to route those addresses.

They have no meaning outside the socket layer of the local computer. See RFC 2553.

Part of the "confusion" is that some lazy developers would prefer to be able to bind to a single port and receive IPv4 and IPv6 connections

There is nothing wrong with being lazy if it gets the job done. What is with issue with dualstack sockets?

Best practice, however, is to bind to two separate ports.

Says U..its sockets not ports.

I Predict A New Market

[canadiannomad]

I predict a new market for IPv4 addresses for individual businesses. Large hosting companies will buy up IPv4 addresses in bulk from ISPs to sell to server customers, pushing the ISPs to switch to IPv6 allowing the servers to be dual stack with a static IPv4 address. Once the ISPs get onto IPv6 the value of IPv4 will drop, but still be held with some regard for a while while the remaining stragglers and ISPs with huge NATs are forced to convert for their clients that want to access private websites that would start popping up on peoples ISP connected servers.
Might not happen that way, but it seems as likely a prediction as any other.

Re:delays ... delays ... delays... nothing but del

[synapse7]

Along with devices, ISP support and the knowledge of setting up IPv6 tunnels contribute to delays. Doesn't Windows 7 and even Vista prefer IPv6 over IPv4?

Already There

[wasabii]

My company is already using IPv6 addresses. All of our sites have public addresses... as well as all of our desktops. All of our users now use Facebook and Google over IPv6. So... nothing will help me adopt it. Already done.

Re:SIXXS is such a pain though.

It is such a shame that SIXXS is such a pain to use though. I am NOT going to go to the trouble of writing a fucking essay (along with setting up a linkedin account) just to switch to IPv6.

Every host a peer, and chicken in every pot

[Compaqt]

>All of our sites have public addresses... as well as all of our desktops.

(Not directed at you, but your adminstrator): How is this a good thing?

If your company wants to make stuff available (whether to the public or to vendors), it should do so on specifically defined servers. What's the point of making every desktop a peer?

That's sort of cool in a university environment, where you're there to learn, experiment, and play. But not in a corporate environment.

Re:Every host a peer, and chicken in every pot

[laptop006]

How is it a bad thing?

You firewall it just the same, so the only change in traffic flow is the lack of NAT, and NAT is not security despite what some people will try and claim.

Re:delays ... delays ... delays... nothing but del

[oobayly]

As far as I can tell, yes. Or at least, they do in our office.

999

[Compaqt]

Help me out: Is this a joke, or real?

http://www.01189998819991197253.co.uk/

Re:999

It's a real joke site.

Practicle information and knowledge

[Felgior]

A good working IPv4 market and the lacking need for IPv6 might explain why IPv6 is not getting of the ground. The thing that is holding me back is the lack of practical information on a IPv6 network and the connection to the internet. I have not read any practical guide that easily explains how to setup an IPv6 network, keeping in mind that I want the same level of privacy on my LAN and the easy connection to the internet. Instead of a router/modem that speaks NAT, I need a decent firewall and modem. Please don't start with NAT is no firewall. I know that, but it has been a trench surrounding my LAN that kept the creeps outside. Or at least it gave me and the other 99% that feeling and ease of mind. It are the following practical questions that keep me from IPv6; -- Now I need a decent firewall and what is the price ? -- Do I still need a router and maybe a separate modem ? -- Is there one device that does all this ? -- What will is cost ? Even when all the above is answered ... I still have to worry about the fact that some parts will blackout once I move to IPv6. But then I have spent my hard earned cash already.

so...what the article says?

[destruk]

Here's what tyo do about it - ask your ISP or employer to move to IPv6. Not very convincing, not very informative, the article was more blab than useful information. What a waste - both the situation, and the article.

IPv6 Failed

Instead of properly standartizing NAT they removed it, with the argument that there are enought adresses now.
Well, if you used Nat for anything else than adress space expansion, like multihoming, topology hiding, ... you are f**d with ipv6.

Why remove a well established feature instead of standartizing it properly?
Well and thats why i dont see ipv6 ever happen.
There will be 2 split worlds: ipv4 and ipv6 until one comes up with say ipv8 that merges both worlds again.

Re:IPv6 Failed

[WaffleMonster]

Instead of properly standartizing NAT they removed it, with the argument that there are enought adresses now.

Well, if you used Nat for anything else than adress space expansion, like multihoming, topology hiding, ... you are f**d with ipv6.

To understand why this is not true requires us to parse what is meant by "NAT". Not all "NATs" are created equally.

1. NAT where 1 IP is being used by a boatload of hosts. (1:many)

2. NAT where each host has a corrosponding mapped address. (1:1)

With IPv6 only the first case is dead. The second case is still very much possible.. for example via snat target in ip6tables.

From systems perspective there is a big difference between deterministically rewriting IP headers (#2) which is quite trivial vs fancy ALG codes needed to multiplex shit and maintain state charts so that everything appears to work behind a single IP Address. (#1)

Besides there are other ways to accomplish things you cite in IPv6 without using any NAT however those knobs are still there should you need them.

People underestimate supporting IPv6

[brunes69]

People talk about calling up your ISP and demanding IPv6 support as if it is simply some switch to be flipped.

Consider a software product that is multiple millions of lines of code built over a decade, that is required for business, but for the most part is underpinned by IPv4 data structures. This is not some simple "find and replace" operation to add IPv6 support to a product like this. The effort will take years worth of man-hours and tens of millions of dollars, and also require hardware four times more powerful to run (due to the increased size of the IPv6 data structure) - and in the end, offer no tangible new features.

Now, multiply this by not only one software package, but more likely several dozen, all of which are provided by outside vendors. Some of these V6 porting projects have been in the works for a very long time already, others are on hold - but they are all very expensive and DO NOT happen overnight.. they will happen when the cost justifys the enormous expenditure.

PR Stunts like IPv6 day are not going to change the situation.

Re:People underestimate supporting IPv6

People talk about calling up your ISP and demanding IPv6 support as if it is simply some switch to be flipped.

Ah the joys of capitalism. When other ISPs in town are able to say "yes sir" rather than "blank stare" .. guess which one has the market advantage?

It should be viewed as precisely this easy from the perspective of the customer. It should not be the customers problem to know or care what the ISP actually needs to do to fulfill their request. If the ISP can't compete they will be replaced by those who can.

Consider a software product that is multiple millions of lines of code built over a decade, that is required for business, but for the most part is underpinned by IPv4 data structures. This is not some simple "find and replace" operation to add IPv6 support to a product like this.

It is impossible to make any reasonable assessment of cost based on the data you provided.

Saying millions of lines of code is like a three letter agency whining to congress about being cyber attacked millions of times a day. Neither metric convey any useful information.

The effort will take years worth of man-hours and tens of millions of dollars, and also require hardware four times more powerful to run (due to the increased size of the IPv6 data structure) - and in the end, offer no tangible new features

Four times more powerful hardware...spits out coffee... You are just making shit up and hoping it sticks.

Re:delays ... delays ... delays... nothing but del

[CAIMLAS]

Forget the devices as the root cause. Why do you think there aren't all that many which have support? Even industry leading, and industry standard companies are actively avoiding implementing IPv6 (at least at the forefront). I know two CCIEs who hate IPv6 and are actively doing what they can to avoid implementing it.

Why?

Because IPv6 sucks. It's a horrible idea and makes life excruciatingly difficult for those who have to actually work with it. At the technical level it has a lot of merit - but that's not what's being discussed here. Where it falls flat on its face is how horribly unwieldly it is for common applications and uses.

This is, of course, exasperated by the fact that software packages don't support IPv6 yet - never mind devices. IPv6 has a bigger hill to climb than Y2K did.

Re:delays ... delays ... delays... nothing but del

[unixisc]

I'm a big proponent of IPv6, but I agree w/ your second bullet. Site local addresses weren't all that difficult to implement, so there was no need to overhaul that. Somehow, it made no sense to have IPv4 compatible addresses and IPv4 mapped addresses, so it makes sense that one went. However, there are still things very much in flux, like whether to have a variation of NAT or not for things like load balancing, the issues over routing tables, the variation in assignments by ISPs of /48, /56 and /64s, and so on. There are new scopes such as sites and organizaitons, and yet, I've not seen the advantages of this get touted. Also, the fact that most 'IPv6-ready' hardware is only tuned for IPv4, but runs IPv6 slowly doesn't do any good to IPv6 causes. All these are much bigger barriers to IPv6 acceptance than IPv4 addresses in the black market.

Re:delays ... delays ... delays... nothing but del

[skids]

The biggest barrier to my deployment of IPv6 is the edge switches and the wireless controllers. Support for first-hop security features for IPv6 is going to have to wait until we get around to paying for some rather substantial hardware upgrades, and IPv6 by itself does not justify that cost. Even if we had the money now, the actual feature sets are still not mature in the wired edge switches yet. In a competently secured campus network one does not allow old ARP/IP spoofing tricks to work, and doing so relies on the switch hardware and the wireless platform which must integrate with the DHCP servers by snooping traffic and using it to build port level access lists. IPv6 has analogous tricks that also need to be sqashed at the switchport/AP level, and while self-service address autoconfiguration seemed like a good idea to the IPv6 standards community they just don't cut it in a security-aware environment, so this support must include DHCPv6 snooping, which is still rare to find in switch feature sets these days. These are the features campus administrators will block on.

IPV6, IPV4 and money.

The reason IPV6 is not taking off is about money. If you are a legacy IPV4, you pay a $100 fee (at least until 2013) per year for your class C IPV4. In spite of the massive increase in the number of addresses, the price for an equivalent IPV6 looks like it jumps to be over $1200! Why would you change? If you want people to go to IPV6, offer them the equivalent of their current IPV4 at the same price they are paying. Converting legacy users is about money--just don't gouge them when they move to IPV6 and they will join the party.

Re:delays ... delays ... delays... nothing but del

Even if we had the money now, the actual feature sets are still not mature in the wired edge switches yet. In a competently secured campus network one does not allow old ARP/IP spoofing tricks to work, and doing so relies on the switch hardware and the wireless platform which must integrate with the DHCP servers by snooping traffic and using it to build port level access lists

I find this security argument against IPv6 amusing.

IPv6 is on all yer systems already whether you have deployed IPv6 or not.makes no difference.

  IPv6 can be used to "spoof traffic" with impunity already.. Default host policy is to prefer IPv6 whether you have the money to pay for a new switch with RA Guard enabled or not.

You are acting as if you have some kind of choice to make between IPv6 and a secure network.

If most bother to RTFM they can cobble together a poor mans ra guard using existing filtering facilities in their switches.

The DHCPv6 comments are bullshit for the most part as it is bootstrapped from RA.

Re:delays ... delays ... delays... nothing but del

know two CCIEs who hate IPv6 and are actively doing what they can to avoid implementing it.
Why?

Because they are idiots? There is money to be made by network engineers from forward looking organizations pushing IPv6 adoption.

Because IPv6 sucks. It's a horrible idea and makes life excruciatingly difficult for those who have to actually work with it.

Blah blah blah...the horrible idea was limiting the size of the Internet to 2^32 addresses before most of us were fucking born. You can either piss and moan about ancient history or be part of the solution.

Where it falls flat on its face is how horribly unwieldly it is for common applications and uses.

For all "common applications" care IPv6 is the same shit as IPv4. Only difference address portion of the header is lot bigger.

All programming/socket APIs work the same way. TCP and UDP are unchanged.

It is possible following best practices for socket programming to support IPv6 with no code change or without even knowing what IPv6 is.

The OS vendors have gone out of their way to make this shit as easy as possible for application folks. I've been there done that... if you think it is "horribly unwieldly" it is time to find a management position.

This is, of course, exasperated by the fact that software packages don't support IPv6 yet

All the ones I care about do.

never mind devices. IPv6 has a bigger hill to climb than Y2K did

At least we agree on something.

Re:delays ... delays ... delays... nothing but del

[skids]

IPv6 is on all yer systems already whether you have deployed IPv6 or not.makes no difference

Tell that to my router, as you try to get off your segment.

If most bother to RTFM they can cobble together a poor mans ra guard using existing filtering facilities in their switches

IPv6 traffic on the older models of most popular brands of switches cannot be filtered. There are no ipv6 PACLs and no nbar-like facilities on mid-level access switches, only protocol, MAC and IPv4. What features are available are closely tied to the CAM logic, and so depend greatly on the hardware.

The DHCPv6 comments are bullshit for the most part as it is bootstrapped from RA

If you are an idiot and allow self-configuration, it is.

If these features are so unnecessary, then why are they starting to appear in the newer model switches?

Re:delays ... delays ... delays... nothing but del

IPv6 is on all yer systems already whether you have deployed IPv6 or not.makes no difference

Tell that to my router, as you try to get off your segment.

Who said anything about routers? We were talking about switches. IPv6 is already supported by all hosts on your network. If you do nothing about IPv6 all hosts on your network are vulnerable to spoofing whether you use IPv6 or not. ARP security is not going to prevent a bad actor on your network from operating an IPv6 proxy and spoofing all of your traffic over IPv6 while operating a tunnel to get past your router all because some "idiot" clicked on the wrong email attachment.

IPv6 traffic on the older models of most popular brands of switches cannot be filtered. There are no ipv6 PACLs and no nbar-like facilities on mid-level access switches, only protocol, MAC and IPv4. What features are available are closely tied to the CAM logic, and so depend greatly on the hardware.

I said "poor mans" .. this means hard coding filters that match specific fields of the upper layer packets.

The DHCPv6 comments are bullshit for the most part as it is bootstrapped from RA

If you are an idiot and allow self-configuration, it is.

DHCPv6 addresses are signaled by setting the Managed bit in a router advertisement whether you are using SLAAC or NOT. If you control the router advertisements you control DHCP.