Slashdot Mirror


IPv6 Must Be Enabled On All US Government Sites By Sunday

darthcamaro writes "Agencies of the U.S. Federal Government are racing to comply with a September 30th deadline to offer web, email and DNS for all public facing websites over IPv6. While not all government websites will hit the deadline, according to Akamai at least 2,000 of them will. According to at least one expert, the IPv6 mandate is proof that top-down cheerleading for tech innovation works. 'The 2012 IPv6 mandate is not the first (or the last) IPv6 transition mandate from the U.S. government. Four years ago, in 2008, the U.S. government also had an IPv6 mandate in place. That particular mandate required U.S. Government agencies to have IPv6-ready equipment enabled in their infrastructure.'"

179 comments

  1. Re:wha? by phil_aychio · · Score: 2, Funny

    If Romney gets elected, he'll just repeal it back to IPv4

    --
    obvious redundancy is obvious
  2. I blame the ISPs by GeneralTurgidson · · Score: 4, Interesting

    A lot of the government offices will face challenges with IPv6 connectivity to the internet because a very large number of US ISPs are not IPv6 ready. Especially up here in midwest, you mention "are you IPv6 ready?" and your ISP sales rep gives you a blank look and asks what you're talking about. Maybe if the governments push for this at the ISP level we might see it filter down.

    1. Re:I blame the ISPs by geddo · · Score: 3, Interesting

      As a consumer you do not need IPv6 unless your provider does not have IPv4 addresses to assign to you, as a service provider or Internet based company (or in this case a government agency) you do need IPv6 so that customers who only have IPv6 connections can reach you. Most business class ISP's I have dealt with are IPv6 dual-stack capable, so this is not an ISP issue. The government is doing what other companies are doing and trying to get this working now before it becomes an issue for the future. There is no blame to pass around unless an organization is putting their heads in the sand and ignoring it.

    2. Re:I blame the ISPs by Mathieu+Lu · · Score: 2

      What kind of challenges will they face? It's not like they're turning off IPv4. Sites will be dual-stack, and many of them have been for quite some time already.

      Google/Youtube, Facebook and many other mainstream sites have already enabled IPv6 on June 6th 2012.

      PS: Comcast has been enabling IPv6 by default to some of their customers (5% ?). I was in a small US country-side hotel in March 2012, they had really broken NAT, but their IPv6 was working fine. I also have dual-stack native IPv6 at home (Canada, TekSavvy ISP). Works great, lots of fun to route public subnets to access points and routers that connect with neighbours. I even announce my address block on our neighbourhood mesh network.

    3. Re:I blame the ISPs by kasperd · · Score: 1

      > As a consumer you do not need IPv6 unless your provider does not have IPv4 addresses to assign to you

      You do if you need to communicate with somebody else who does not have an IPv4 address. And since ISPs have been handing out fewer IPv4 addresses than the number of devices to be connected for the last 15 years or so, there is actually already a lot of devices, which do not have IPv4 addresses. Unfortunately, most of those don't have IPv6 addresses either.

      --

      Do you care about the security of your wireless mouse?
    4. Re:I blame the ISPs by fustakrakich · · Score: 1

      > Maybe if the governments push for this at the ISP level we might see it filter down.

      I hope you're not pimping for a mandate there. An internal one within the government itself is fine, but don't try to force it down our throats.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:I blame the ISPs by squiggleslash · · Score: 2

      6to4 works on most ISPs too.

      I actually prefer 6to4. It's less efficient, but reverse DNS is guaranteed to work - you don't have to rely on your ISP setting it up - and you can talk to pretty much any IPv6 address with it,

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      Yep, socialized ISPs would be a nightmare. I say fuck the 47% and don't let them have access to the IPv6-enabled sites until they pay their fair share of the tax burden.

    7. Re:I blame the ISPs by geddo · · Score: 1

      It's being deployed as dual stack, and where folks have IPv6 only I understand that the providers have 6to4 translation devices. This will not scale, however my point is as a consumer you don't have a need for IPv6 addresses unless there is a service that is only available on IPv6 that you need to reach, I do not know of any significant services that we IPv4 only users are missing out on so I can't see why it would be needed as a consumer at this point. I have yet to be told by a provider that I can't get IPv6 for a business DIA circuit.

    8. Re:I blame the ISPs by jonadab · · Score: 1

      > a very large number of US ISPs are not IPv6 ready

      IPv6 ready, you mean, in the sense of making connectivity service available to the public using IPv6? I was not aware that there were *any* ISPs who were IPv6 ready, or planning to be. Can you name one ISP that is? I cannot.

      The thing is, there's no significant demand for it, outside of a handful of industry hobbyists. In terms of the general public, nobody cares about IPv6. They just want the internet, and at this point "the internet" is effectively synonymous with IPv4.

      Which in turn probably has something to do with the ratio of IPv6-only sites and services to IPv4-only sites and services, a ratio that is so close to zero you'd need scientific notation to make it fit on one line. You can't use IPv6 to access the internet, in practice: a few sites work, but bazillions of other sites don't. Even if you could access most or all of the internet with IPv6, there still wouldn't be any real concrete advantage, because, you can *also* use IPv4 to access pretty much every single thing.

      Thus, IPv6 provides... no benefit whatsoever to the individual and no benefit whatsoever to businesses either. In other words, it's Blu-Ray. The advantage to releasing a popular movie in Blu-Ray format is, you can make the Blu-Ray advocates happy for twelve seconds. The advantage to releasing it on DVD is, you can sell millions of copies. Coming from the consumer side, the advantage of buying a Blu-Ray player is even less compelling. IPv6 is in the same boat.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    9. Re:I blame the ISPs by jhoegl · · Score: 1

      Routers convert the protocols... like they have been doing since inception.
      How do you think IPX/SPX talked with TCP/IP?

    10. Re:I blame the ISPs by Desler · · Score: 1

      So you've never heard of Comcast, Verizon, or AT&T? They've been constantly expanding their IPv6 rollouts since late 2011. Time Warner has been running trials as well.

    11. Re:I blame the ISPs by Eunuchswear · · Score: 1

      Winner of the all-time most clueless post on Slashdot.

      Or is it a Poe?

      --
      Watch this Heartland Institute video
    12. Re:I blame the ISPs by Anonymous Coward · · Score: 1

      Your BluRay statement is pretty wrong. Let's compare sales for some recent movies:

      Hunger Games: 5.6 million DVD sales. 3.9 million BluRay sales.
      The Lorax: 3 million DVD sales. 2.4 million BluRay sales.
      Snow White and The Huntsman: 730k DVD sales. 890k BluRay sales.
      Battleship: 600k DVD sales. 793k BluRay sales.

      So the gap between the two is not what you would have people believe. Source is the-numbers.com

    13. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      In addition to those ISPs listed by the sibling, T-Mobile's 3G gives out IPv6 addresses.

      Yes, you point out the eternal chicken-and-egg problem associated with the IPv6 transition: nothing uses it because nothing uses it. Of course, if/when the transition actually happens, the internet will work better because it will mean every node can potentially act as a server making things like VOIP/video chat easier as well as other peer-to-peer applications which haven't been getting developed because everyone is stuck behind a NAT.

    14. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      And how many millions of routers are they going to have to send to their customers, and how about all those mobile devices that don't get OS updates?

    15. Re:I blame the ISPs by jhoegl · · Score: 1

      My bad... it just encapsulates it.
      But then, it has been 15 years.

    16. Re:I blame the ISPs by RazzleDazzle · · Score: 1

      The public facing resources of the government agencies need to be IPv6 enabled, not the internal and external workings of the networks within the various organizations. This simply means in most cases, inbound email servers and web servers need to be hosted on machines somewhere in the world that have full IPv6 access, then the respective DNS records need to be in place for said services, which translates to adding "AAAA" records. I bet Akamai is loving this mandate because they are a popular choice for government agencies to turn to for IPv6 enabled hosting but Akamai is not the only company that will do IPv6 hosting.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    17. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      None and no problem.

    18. Re:I blame the ISPs by DarwinSurvivor · · Score: 5, Insightful

      Good point, let's wait for the ISP's to run out of IPv4 addresses and suddenly start mandating that people's homes be IPv6 ready out of the blue. We basically have 3 choices.

      1) Wait until residents do need it and suddenly give them IPv6 only because there are no IPv4 addresses left. Phone support will have hour-long waiting periods, computer shops will be overloaded with "I need this upgrade tonight so I can submit my college thesis" support requests and a large percentage of Internet users will be SOL until they get their turn in the support line. There's also a VERY good chance we will simply run out of routers, as an alarmingly large percentage of consumer (and some professional) routers STILL don't support it and all those people will need upgrades.

      2) Wait until we need it and start NAT'ing everyone's internet connection. This may not affect facebook users, but will be a royal PITA for anyone using remote connections, peer2peer networking, etc. If this happens we may not see IPv6 for another 15 years at LEAST.

      3) Roll it out NOW in dual-stack configuration world-wide so everyone can get their computers, routers and other devices working with IPv6. ISP's can send out regular (every 2-4 months) letters to consumers still using IPv4 only to warn them about the upcoming switch and give them enough warning to switch over (like they did with digital tv broadcasting). When we finally do run out of IPv4 addresses at the ISP level (and this is ALREADY happening in some areas such as mobile, etc), the ISP's can just disable IPv4 for new customers and/or those already fully using IPv4 and experience a truly smooth transition.

      If the analog-2-digital transition for TV broadcasting has taught us anything, it's that consumers need a LONG time to transition between technologies. Considering the TV transition required nothing more than plugging in 1 box with 3 wires on it and IPv6 is going to require computer/OS and router replacement in many cases, we need to start the IPv6 transition on all ISP's about 2 years ago.

    19. Re:I blame the ISPs by QuantumRiff · · Score: 1

      My rural ISP has always done this.. It's a royal pain in the ass. My CPE device is 192.168.100.62, on the WAN side. Makes VOIP, hosting your own video game server on a console, bittorrent, and a dozen other things very, very much a pain in the butt. I gave up with an IPSec VPN, and use an SSL one now, but it's not the same.. it's client based, instead of a hardware one I wanted for my home office.

      Ubiquiti (a major maker of wireless ISP equipment and backhaul) still doesn't support IPv6 very well at all on the brand new devices they are selling to ISP's.. And my arguments about setting up 6rd or something similar fell on ears that responded the same as the GPP (but, IPv4 is all you need to reach everything)...

      --

      What are we going to do tonight Brain?
    20. Re:I blame the ISPs by kermidge · · Score: 1

      In talking with a tier-2 tech yesterday on an unrelated matter, he said so far as he knew TW had IPv6 (and DOCSIS 3) enabled or ready "pretty much everywhere" end-to-end, but it requires new equipment and higher service level at ~$30 more per month. I can't afford it so don't know if it's true or not (although he offered to switch me to customer service to place the order.)

    21. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      Comcast has been testing IPv6 for a while now.. just like DNSSEC. I tried to sign up with the beta test they had years ago, but my area wasn't one of the test areas in the end.

    22. Re:I blame the ISPs by hairyfeet · · Score: 1

      How many Americans are gonna be needing or even wanting to hook up with some address in the middle of China or Africa? All the major websites have IPV4, all the ISPs here in the states have IPV4 and if they had any brains at all they got extra IPV4 addresses so they have room to grow, it's just a non issue for the average American. Then there are the security issues, how many of the software firewalls and antivirus packages have been tested to work with IPV6? How well do they perform? I don't know, I can't find any data which means I doubt anybody is even really testing this stuff except for internally.

      So while I agree that governments need this because it's a global WWW for consumers I'd say it's not only not really needed for the average American but until I see some hard numbers showing how the various security software packages work with it I'd be leery of deploying it to my customers, just not enough data.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    23. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      Nitpick: Computer shops will not be inundated. All modern OS's support IPv6 already. Yes, WinXP too.

    24. Re:I blame the ISPs by geddo · · Score: 2

      > Good point, let's wait for the ISP's to run out of IPv4 addresses and suddenly start mandating that people's homes be IPv6 ready out of the blue.

      Not my point, just not trying to write a dissertation here. My point is the providers of web based services need to get on IPv6 dual stack, until a large number of these providers offer their services natively through IPv6 we will have a huge scalability problem with translation. Until that happens consumers do not *need* IPv6. It's a pretty massive investment to replace the consumer footprint especially with consumers not exactly happy to pay a premium, businesses will do it because they are willing to make an investment to reach the broadest number of users.

      Option 4- ISP's continue to upgrade their backbone and edge to support IPv6 and sell the service to business customers to cover the costs while rolling it out in consumer markets as the opportunities arise or the need is highest.

    25. Re:I blame the ISPs by Anonymous Coward · · Score: 0

      Hurricane Electric tunnels (or any other 6-in-4 tunnel provider) should allow them to meet this mandate even with only IPv4 available.

    26. Re:I blame the ISPs by spauldo · · Score: 1

      I wouldn't mind one, if it was written right.

      All ISPs with more than, say, 1000 customers are required to offer IPv6 services starting in 2016, for instance.

      That gives organizations enough time to plan ahead without forcing the customer to do anything. The mom and pop shops who have less than 1000 customers won't be forced into it (by law at least - they'll have to change eventually).

      Normally I wouldn't go for such a thing, but many ISPs seem willing to put it off until the crunch, and some hardware providers still aren't properly supporting IPv6. I wouldn't be surprised if my cable operator didn't try forcing us on NAT before they went IPv6.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    27. Re:I blame the ISPs by spauldo · · Score: 1

      AT&T's new DSL requires you to change your router, and the new routers are IPv6 capable (in name, at least. I haven't actually tested it, but I did get an IPv6 address from one when I tried it).

      Mobile devices don't last long enough to be a problem, and AT&T offers free phones when you renew your contract.

      No idea about Verizon (my Mifi device I use in the truck doesn't get an IPv6 address, but that's the only Verizon service I use) or Comcast.

      Also note that just because an ISP offers IPv6 doesn't mean you have to use it. IPv6 runs fine along IPv4.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    28. Re:I blame the ISPs by Lennie · · Score: 1

      "If this happens we may not see IPv6 for another 15 years at LEAST"

      I think you don't know how well carrier grade NAT* would scale. Which is: not so much.

      * The NAT at the ISP which would be a second NAT for most access customers.

      --
      New things are always on the horizon
    29. Re:I blame the ISPs by Lennie · · Score: 1

      T-mobile in the US has it enabled for their smartphone users.

      --
      New things are always on the horizon
    30. Re:I blame the ISPs by kasperd · · Score: 1

      > It's being deployed as dual stack, and where folks have IPv6 only I understand that the providers have 6to4 translation devices.

      You are mixing up terminology. 6to4 is a tunnelling method. It requires both ends of the connection to talk IPv6, but the network between them can be IPv4 only. It works great as long as both ends are using 6to4. Unfortunately we don't have enough IPv4 addresses to deploy IPv6 that way, and 6to4 and native IPv6 don't play well together. The problem is that in order for 6to4 and native IPv6 to talk together, you rely on third party relays. With two different relays being used for traffic in the two directions, and many of the public relays not being very reliable, you end up with flaky connectivity. I actually developed a new method for tunnelling IPv6 over IPv4, where I managed to get the best of both worlds.

      But I don't think what you have in mind is tunnelling. There is this thing called NAT64+DNS64. When a client that is using IPv6 only sends an AAAA query to a DNS server with DNS64 support, the DNS server can look up the IPv4 address and translate it into an IPv6 address. Then the NAT64 unit can translate all the packets to put a number of IPv6 only clients behind a single IPv4 address. That way you can run the access network as IPv6 only and still talk to IPv4 only servers. But I don't know of any protocol that works better through NAT64 than it would through a carrier grade NAT44 solution. Running dual stack on the access network with RFC1918 addresses is most likely going to be better for the users than NAT64.

      But neither of those NAT methods work for anything other than a pure client-server model with the server on a public IPv4 address. Any protocol that does not fit directly into that model will break, and the best solution for that is to deploy IPv6 to all the parties that need to communicate.

      --

      Do you care about the security of your wireless mouse?
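Added example, not part of kasperd's post or of any other comment in this thread: a Python sketch of the two mechanisms the comment above distinguishes, 6to4 prefix derivation (RFC 3056) and DNS64 AAAA synthesis with the NAT64 reverse mapping (RFC 6052, well-known prefix `64:ff9b::/96`). The function names and the sample zone are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052) and the 6to4 prefix (RFC 3056).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# RFC 1918 ranges: a host behind one of these has no public IPv4 address
# and therefore cannot derive a usable 6to4 prefix.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone: one IPv4-only name, one dual-stack name.
SAMPLE_ZONE = {
    "v4only.example": {"A": ["192.0.2.33"], "AAAA": []},
    "dual.example": {"A": ["192.0.2.34"], "AAAA": ["2001:db8::34"]},
}


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """DNS64 side: embed an IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_destination(ipv6, prefix=NAT64_PREFIX):
    """NAT64 side: recover the IPv4 destination, or None if not in the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None  # native IPv6 destination, routed normally
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name, zone):
    """Answer an AAAA query the way a DNS64 resolver does.

    Returns (addresses, synthesized). Real AAAA records are passed through
    untouched; synthesis happens only when the name has A records but no AAAA.
    """
    records = zone.get(name, {})
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]], False
    return [synthesize_aaaa(a) for a in records.get("A", [])], True


def six_to_four_prefix(public_ipv4):
    """6to4: the site's /48 is 2002:<32-bit IPv4 address>::/48."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in RFC1918):
        raise ValueError("6to4 needs a public IPv4 address, got %s" % v4)
    base = int(SIX_TO_FOUR.network_address) | (int(v4) << 80)
    return ipaddress.IPv6Network((base, 48))


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        addrs, synthesized = dns64_answer(name, SAMPLE_ZONE)
        for a in addrs:
            print(name, a, "synthesized" if synthesized else "native",
                  "-> NAT64 to", nat64_destination(a))
    print("6to4 prefix for 192.0.2.1:", six_to_four_prefix("192.0.2.1"))
```

The synthesized address only works for a client-initiated connection to a server that has a public IPv4 address, which is the limitation the comment describes; nothing in this mapping lets an outside IPv4 host reach the IPv6-only client.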
    31. Re:I blame the ISPs by kasperd · · Score: 1

      > If this happens we may not see IPv6 for another 15 years at LEAST.

      All 221 /8 networks had been handed out by February of last year. If you extrapolate the growth curve, you'll find the usage would have reached 442 in less than 10 years from now. What is going to happen to the users who would have been in those other 221 blocks? I think a significant portion will get some sort of IPv6 access. Additionally take into account that the first /8 networks which were handed out are less efficiently utilized than the last. The growth of another 221 /8 blocks you get from extrapolation would have been with very dense utilization.

      If you take all of that into account, it is very likely that 10 years from now, there will be more people on IPv6 only than on IPv4 only. And since it is much easier to get dual stack to all of those who are currently IPv4 only than to get public IPv4 addresses enough for another few billion users, deployments of dual stack will accelerate a long time before IPv6 reaches the same level of deployment as IPv4.

      I don't see how IPv4 can still be relevant 15 years from now.

      --

      Do you care about the security of your wireless mouse?
    32. Re:I blame the ISPs by kasperd · · Score: 1

      > I actually prefer 6to4. It's less efficient, but reverse DNS is guaranteed to work

      What good is reverse DNS if you cannot communicate? 6to4 works great when communicating with another 6to4 address. But as soon as you communicate with a native IPv6 address you are relying on two third party relays to handle traffic in both directions. You won't even know whose third party relay you were using at the point where it stops working.

      --

      Do you care about the security of your wireless mouse?
    33. Re:I blame the ISPs by kasperd · · Score: 1

      > All ISPs with more than, say, 1000 customers are required to offer IPv6 services starting in 2016, for instance.

      2016 is way too late. Should have said 2008.

      --

      Do you care about the security of your wireless mouse?
    34. Re:I blame the ISPs by petermgreen · · Score: 1

      > It's being deployed as dual stack, and where folks have IPv6 only I understand that the providers have 6to4 translation devices.

      There are a number of approaches for an ISP to give people connectivity to servers on the v4 internet without giving them a public v4 address.

      There is conventional IPv4 NAT. This does not require IPv6 at all and frankly it's what I see most ISPs going for. The downside is a need to manage private v4 addresses in the ISP access network (this is especially problematic for massive ISPs like comcast) and runs the risk of address conflicts between the ISP access network and the consumer network. Still frankly this is what I see most ISPs who run out of v4 addresses doing. Some are already doing it (particularly mobile ISPs here).

      There is NAT64 which translates v6 requests to v4 but protocol translation is generally messy, messing with DNS is required and client devices and applications need to FULLY support IPv6 even if the servers they are talking to are on the v4 internet. Maybe some mobile providers will adopt this but IMO it's the worst of the options I've seen.

      There is DS-Lite which combines tunnelling with a special NAT at the ISP that can handle overlapping private networks coming in from different IPv6 IPs. In this setup the customer premises equipment has to be upgraded to support ds-lite but the ISPs access network can be v6 only and the client devices can use whichever private v4 IPs they like. IMO this is the most elegant solution.

      There are probably some other options too that I missed.

      > This will not scale

      I don't see why not. There will be costs involved sure but all of the options I mentioned above can be scaled horizontally by sending traffic from different clients to different translation boxes. As I said above some ISPs already run ISP level NAT.

      > however my point is as a consumer you don't have a need for IPv6 addresses unless there is a service that is only available on IPv6 that you need to reach.

      The big issue will be when a user who doesn't have a public IPv4 IP but does have a public IPv6 block wants to accept incoming connections they will only be able to accept them from people who have IPv6 access.

      Of course sadly some ISPs may LIKE it that way :(

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    35. Re:I blame the ISPs by squiggleslash · · Score: 1

      > But as soon as you communicate with a native IPv6 address you are relying on two third party relays to handle traffic in both directions.

      Welcome to the Internet, which has worked like that since Al Gore invented it!

      To the best of my knowledge, there has never been a time that an arbitrary Internet user, sending or receiving IP packets to another arbitrary Internet user not on the same ISP, has been able to avoid unknown third party relays. That's how packet switching works. The best part is, it works great.

      --
      You are not alone. This is not normal. None of this is normal.
    36. Re:I blame the ISPs by Randle_Revar · · Score: 1

      Yep, I recently set up native IPv6 on my N900 (have to install the power-users kernel, and add the connection)

    37. Re:I blame the ISPs by kasperd · · Score: 1

      > To the best of my knowledge, there has never been a time that an arbitrary Internet user, sending or receiving IP packets to another arbitrary Internet user not on the same ISP, has been able to avoid unknown third party relays.

      Wrong. There is a customer relationship between the parties who are communicating and the networks, which are forwarding the packets. Those companies aren't forwarding exabits of traffic without receiving payment for it.

      You pay your internet provider for internet access. They probably don't cover the entire world with their network, so they have multiple subcontractors, who operate worldwide backbones but no access networks. The subcontractors can also have subcontractors. I think three levels is a typical depth of this hierarchy, but it could be deeper.

      That way you are paying for connectivity between your computer and lots of central communication points. You don't pay for connectivity to every little corner of the world though. The parties you communicate with pay for connectivity between their computer and lots of central communication points. As long as the networks you pay for access to overlap at some place, you can communicate. That's why it works great.

      Run a traceroute between your computer and any IP on the internet. Each of the hops you see on the path is paid for by one of the endpoints. In some cases there may be a bit of overlap in the middle, where one provider is receiving payment from both sides. Too much of that kind of double payment puts incentive on companies further down the chain to set up their own peerings.

      Try the same with third party relays as used by 6to4 or Teredo. First of all, you don't actually have full visibility into the path the traffic takes. Secondly there can be a part in the middle, which is not actually paid for by either end, and as such has little obligation to forward the packets. But the worst part is, that when it fails, it is very hard to find out who is responsible.

      --

      Do you care about the security of your wireless mouse?
    38. Re:I blame the ISPs by jonadab · · Score: 1

      > So you've never heard of Comcast, Verizon, or AT&T?

      I was not aware that they offered IPv6 service. This is the first I've heard of that. Must be fairly new.

      By "constantly expanding", I'm guessing you mean expanding geographically. Yes?

      So is it something along the lines of "the trial area where it is possible to buy this access now encompasses significant parts of Silicon Valley, plus Lower Manhattan and downtown Chicago", or is it more like "if you live in a city of a hundred thousand people or more, there's a good chance you might be able to get it, especially if you're on the east or west coast"?

      (Not that the difference matters to me. I live in a city of eleven thousand people in the Midwest.)

      > Time Warner has been running trials as well.

      Sure, and Google is running *trials* of driverless cars, but you can't actually buy one, nor is there yet a timeframe for when you will be able to do so.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    39. Re:I blame the ISPs by DarwinSurvivor · · Score: 1

      There is a surprising number of people still using pre-XP computers, there are also a lot of embedded systems such as older game consoles, some cell phones and many routers that do not, and may never, support IPv6. These devices are going to need compatibility layers installed like the digital TV's do.

    40. Re:I blame the ISPs by Aqualung812 · · Score: 1

      What about all of the network admins that need to learn IPv6?

      Most of us learn by doing. If I'm going to support IPv6 at the Fortune 500 I work for someday (years from now, I bet), I'd like to have years of USING IPv6 on my home network first.

      Sure, I can set up an isolated network, but nothing speeds up my learning process like breaking my home network & having my wife & kids upset that nothing works.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  3. Re:wha? by Anonymous Coward · · Score: 0

    > If Romney gets elected, he'll just repeal it back to IPv4

    Get rid of this crap.

  4. Nice to see by jbolden · · Score: 1

    I've been following the federal government on this. It is wonderful to see the government taking the lead and helping to drive a technology. We often talk about complaints with government but they deserve kudos for doing something hard and doing it right.

    1. Re:Nice to see by Medievalist · · Score: 2

      Given a choice, I'd rather see them stop forcing private citizens to use proprietary formats (like Microsoft Word) instead of organizing large payouts of taxpayer dollars to favored tech companies.

    2. Re:Nice to see by jbolden · · Score: 1

      Given that Microsoft is an American company I'd say it is doubtful there is going to be a huge USA led shift away from Microsoft. Probably better looking at Europe to lead the way for desktop, there and things didn't go so well with the European initiatives. OTOH Apple and Google are both American companies so you might see iOS/Android being the ticket.

    3. Re:Nice to see by DarwinSurvivor · · Score: 1

      It's kind of pointless though if they aren't mandating ISP's to at least provide dual-stack support for both protocols. What's the point of government websites being IPv6 if the country is still stuck on IPv4?

    4. Re:Nice to see by Anonymous Coward · · Score: 2, Insightful

      > It's kind of pointless though if they aren't mandating ISP's to at least provide dual-stack support for both protocols. What's the point of government websites being IPv6 if the country is still stuck on IPv4?

      To enable a smooth transition. By making sure that all government websites are IPv6 compatible it will be safe for consumers to make the transition without having to worry that they will be locked out from vital services.
      The problem is that unless there are IPv6 only hosts there is no point for consumers to make the transition and without a lot of IPv6 only consumers it makes no sense for hosts to invest in IPv6 servers.
      This is pretty much the government taking a step to move society out of a hen-egg deadlock.

    5. Re:Nice to see by jbolden · · Score: 1

      ARIN which is quasi governmental is handling that part of switching over ISPs. But there is a chicken and egg problem some people have to go first.

  5. Re:IPv6 too complex by Anonymous Coward · · Score: 0

    Um, ASIC logic isn't that simple. Try a little harder.

  6. Too Complicated by Anonymous Coward · · Score: 0

    IPv6 is too complex, which is what has hampered its slow adoption from the beginning. Instead of simple address space extension, the brains behind it decided to add all sorts of fun features to it that just aren't necessary, thus leading to people not wanting to put the effort in to figure it out. Since those features have died off, it's getting less terrible, but now it's a moving target.

    KISS would have gotten us to IPv6 5 years ago.

    1. Re:Too Complicated by kasperd · · Score: 5, Informative

      IPv6 is too complex, which is what has hampered its slow adoption from the beginning.

      IPv6 is simpler than IPv4.

      Instead of simple address space extension, the brains behind it decided to add all sorts of fun features to it that just aren't necessary, thus leading to people not wanting to put the effort in to figure it out.

      That's just a lame excuse. There are some new features, but those are mainly important to the endpoints. For routers in between, the job they need to do became simpler. And it is the network, which has been lacking, not the endpoints. The excuse that it is too complicated has mainly been used by those who didn't need to deal with the complexity.

      Since those features have died off, it's getting less terrible, but now it's a moving target.

      Name one change that affected a network provider, who just has to move packets between two endpoints.

      KISS would have gotten us to IPv6 5 years ago.

      No. There were only two approaches that could have speeded it up. Top down regulation or customer demand. But both of those were in the hands of people who won't understand the problem until they can no longer get online. Actually, there is one other thing that could have speeded it up. If we had never gotten any sort of NAT for IPv4 in the first place, then the transition would have gone faster.

      --

      Do you care about the security of your wireless mouse?
    2. Re:Too Complicated by j2.718ff · · Score: 2

      IPv6 is too complex, which is what has hampered its slow adoption from the beginning.

      IPv6 is simpler than IPv4.

      True, but dual stack is more complex than either.
      I don't see flipping a switch and transitioning from IPv4 to IPv6. Instead, I see living with a dual-stack environment for a while. It will not be pretty.

    3. Re:Too Complicated by Anonymous Coward · · Score: 0

      I agree dual stack is twice as much management overhead. Every firewall policy requires 2 entries. That being said, it is really unavoidable until all the ISPs get off their duffs and re-invest some of those millions/billions in profit back into their infrastructure. That, however, would cut into their executive vacation funds.

    4. Re:Too Complicated by unixisc · · Score: 1

      Dual stack will only be around as long as IPv4 is. Once IPv4 runs out of addresses, the need for dual stack will be gone.

    5. Re:Too Complicated by kasperd · · Score: 1

      True, but dual stack is more complex than either.

      True. But dual stack would have been the simplest way to transition from IPv4 to IPv6, as long as it was done before IPv4 addresses ran out, and all sorts of workarounds got in the way. The fact that dual stack is more complicated than running just one protocol by itself is of course a contributing factor to people hesitating with deploying IPv6. But you cannot blame that on the design of the IPv6 protocol. Nobody has provided a serious suggestion for a better design.

      I see living with a dual-stack environment for a while. It will not be pretty.

      We could have had dual stack for a while and then dropped IPv4 support before the IPv4 addresses ran out. That would not have been as ugly, as what we can expect to see now. There is one good thing to say about dual stack though. If you mess up while changing network configuration remotely, you have a fallback, since misconfigured IPv4 can be fixed by logging in over IPv6 and vice versa.

      --

      Do you care about the security of your wireless mouse?
    6. Re:Too Complicated by kasperd · · Score: 1

      Once IPv4 runs out of addresses, the need for dual stack will be gone.

      In the ideal world, that would be true. In the real world, IPv4 addresses have run out in some parts of the world already. And yet more than 95% of the Internet is still IPv4 only.

      --

      Do you care about the security of your wireless mouse?
    7. Re:Too Complicated by allo · · Score: 1

      nope.
      The address-space expansion is the only problematic part. If you want to support more address space, you need to go incompatible.
      the other stuff would not break compatibility, and was added, so there is more reason to migrate than just "we need more addresses", because with only "we need more addresses", you cannot motivate the people who still have enough addresses to migrate as well.

    8. Re:Too Complicated by AK+Marc · · Score: 1

      IPv6 is simpler than IPv4.

      It's simpler in a more complex way. "You no longer have to worry about unicast, multicast, and broadcast, it's now just unicast and multicast." Simpler, one less thing. Other than all-points multicast is the exact same thing in a different manner. So they "simplified" it by changing it to do the same thing in new and different ways. Sounds like change for change's sake to call "broadcast" "all-points multicast" when they are functionally identical.

      Or am I just not getting it?

    9. Re:Too Complicated by kasperd · · Score: 1

      "You no longer have to worry about unicast, multicast, and broadcast, it's now just unicast and multicast."

      If you are a system administrator, just pretend it's the same thing. It will probably be several years before you need to know the differences. If you are actually implementing code to handle IPv6 packets on Ethernet, then you need to look up the details now.

      Sounds like change for change's sake to call "broadcast" "all-points multicast" when they are functionally identical.

      They are functionally identical if you are running it on switches that don't know the difference. In 20 years when you have gotten rid of all the broadcast traffic caused by IPv4 and your switches know to only send multicast packets to nodes that need them, then you can grow the network segments to a much larger number of nodes.

      This is one of those changes, which may help us at some point in the future. For now you can ignore it as it introduces no operational difference compared to what you have been used to.

      I can think of one place where there has been a naming change, but where IPv4 and IPv6 are actually identical. It is the TTL field from IPv4, which is called hop limit in IPv6. The point is that the TTL field as it was originally specified was basically impossible to implement. Thus actual IPv4 implementations deviated a little bit from the spec. With IPv6 the spec was changed to match what everybody has been doing, and the field was renamed accordingly.

      --

      Do you care about the security of your wireless mouse?
    10. Re:Too Complicated by AK+Marc · · Score: 1

      I was trying to do something with the Flow Label in IPv6, and I found that no two makers of equipment implement it in the same way, and generally do so in a manner that makes it useless to use to differentiate flows. As implemented, it's essentially a sequence number, in a massively over-sized field. I wanted to use it for ToS (which also mostly doesn't exist anymore, as people have gotten used to not identifying the service, as that has always been a fail in IPv4, but instead identify QoS class only, and use ToS as a QoS feature). At no point was I going to perform QoS on the Flow Label, I just wanted to be able to do something fancy, like convert the DSCP markings used in IPv4 to differentiate services (most specifically, voice > video > other, with 2 or 3 queues depending on the intermediate systems). But I couldn't set the Flow Label at all in any end device (I presume it is being set, but in an automatic way with no adjustability. I can set DSCP arbitrarily on just about anything these days, but nothing would do the same with flow labels).

      Despite its age, it's still immature.

  7. US Gov't a leader by fa2k · · Score: 1

    This makes the US government a technology leader, at least in one respect. Try to go v6 only some time, and watch all the "Cannot connect to server" messages.. Only big ones like Google and Facebook seem to be available on IPv6 (it certainly cuts down on distractions to remove the IPv4 default route, but I can't even get to my email)

    1. Re:US Gov't a leader by unixisc · · Score: 1

      I agree w/ this. Also, going IPv6 only for a business could mean forcing employees to use only the essential intranet services they need, and only going to websites that have an IPv6 presence, and dealing only w/ those organizations that do. The US government is one of the few organizations big enough to do this.

  8. And on Monday, the headline will be by SmurfButcher+Bob · · Score: 0, Troll

    ..."At least 2,000 US Federal Government sites were hacked when it was discovered that they were not behind a NAT anymore."

    --

    help me i've cloned myself and can't remember which one I am

    1. Re:And on Monday, the headline will be by heypete · · Score: 5, Informative

      Why would a publicly-facing web server be behind NAT? That doesn't make any sense. NAT offers no security benefits.

      Please note that "NAT" != "stateful firewall", though the two functions are often combined in a single piece of hardware.

      My home network has been dual-stack for years (with NATed IPv4 and IPv6). All the systems on the network are behind a stateful firewall and even though my internal devices have globally-unique IPv6 addresses none of them are accessible from the outside world.
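
The setup described in the comment above, sketched as an added example that is not part of the original thread: a forwarding filter for a routed IPv6 LAN that keeps connection state and never rewrites an address. The class, the prefixes (documentation range 2001:db8::/32) and the published web server are constructed for illustration, and real firewalls also track TCP flags and timeouts.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Filter between a globally addressed LAN and the Internet.

    No translation happens anywhere: inside hosts keep their own
    addresses. Reachability is decided only by connection state and by
    the list of services the operator chose to publish.
    """

    def __init__(self, inside_prefix, published=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        # Inbound services deliberately exposed, as (address, port).
        self.published = {(ipaddress.ip_address(a), p) for a, p in published}
        # Flows opened from the inside: (proto, src, sport, dst, dport).
        self.flows = set()

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        src_in, dst_in = src in self.inside, dst in self.inside

        if src_in and not dst_in:
            # Outbound: allow and remember the flow.
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return True
        if dst_in and not src_in:
            # Inbound: allow only replies to a remembered flow ...
            if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.flows:
                return True
            # ... or traffic to an explicitly published service.
            return (dst, pkt.dport) in self.published
        return False  # not crossing the boundary; nothing to forward


def demo():
    """Run constructed traffic through the filter and return the verdicts."""
    lan = "2001:db8:1::/64"
    desktop = "2001:db8:1::10"
    web = "2001:db8:1::80"
    remote = "2001:db8:ffff::1"
    scanner = "2001:db8:bad::1"
    fw = StatefulFirewall(lan, published=[(web, 443)])
    return {
        "outbound": fw.forward(Packet(desktop, 40000, remote, 443)),
        "reply": fw.forward(Packet(remote, 443, desktop, 40000)),
        "unsolicited": fw.forward(Packet(scanner, 50000, desktop, 22)),
        "spoofed_port": fw.forward(Packet(scanner, 443, desktop, 40000)),
        "published_web": fw.forward(Packet(scanner, 50001, web, 443)),
        "web_ssh": fw.forward(Packet(scanner, 50002, web, 22)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:14} {'forward' if allowed else 'drop'}")
```
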

    2. Re:And on Monday, the headline will be by cbhacking · · Score: 4, Informative

      I can't tell if you're a troll or just spouting off about things you don't understand in the least, but...

      It's a hell of a lot easier to find a vulnerable machine behind NAT than it is to find one across a search space 40 bits wide (which is wider than the entire IPv4 search space, and less than a cube root of the search space of IPv6 as a protocol).

      NAT is not a security measure. You can (and should) still have a firewall with IPv6; your firewall box just won't also have to perform NAT. That's fine, though; a NAT has a maximum search space of 24 bits (10.0.0.0/8) while IPv6 has enough addresses to assign one to every atom in the solar system, and no, that's not an exaggeration, guess, or line of BS.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:And on Monday, the headline will be by squiggleslash · · Score: 1

      NAT is not a firewall. And anyone deploying IPv6 should be doing so on a machine modern enough to have a strong, centrally administered, software firewall.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:And on Monday, the headline will be by bytesex · · Score: 2

      Yes it is. Because inverse NAT requires you to specify where to send the traffic *to*. I'm a great proponent of IPv6 myself, but this argument of the IETF is bogus. Besides, 'centrally administered firewall' on each machine ? I think I see a flaw in your method.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    5. Re:And on Monday, the headline will be by bytesex · · Score: 1

      Your argument is all about the lack of bits in an IPv4 address, not about NAT per se.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    6. Re:And on Monday, the headline will be by bytesex · · Score: 1

      Besides that, NAT *is* effectively a security measure - it masks your source address. It's like half-tunnel mode.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    7. Re:And on Monday, the headline will be by Anonymous Coward · · Score: 0

      LOL. If NAT *is* effectively a security measure it is a terrible one. Easier to break than Windows 95.

    8. Re:And on Monday, the headline will be by Anonymous Coward · · Score: 0

      You should look into this. Hacking a device that is only behind a NAT, hard to find these days since most routers have built-in firewalls also, is not much more difficult than a system directly connected to the network. NAT is easy to bypass without a firewall.

    9. Re:And on Monday, the headline will be by bill_mcgonigle · · Score: 1

      Why would a publicly-facing web server be behind NAT? That doesn't make any sense.

      When you have more services than public IP's. I have 5 IP's at the office, and run over a dozen services from them. These days, you spin up a VM for each service, for isolation, and NAT the ports where they need to go.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:And on Monday, the headline will be by rjr162 · · Score: 1

      You could use link local and site local IPv6 addresses to help with this.. or better yet set up your router, switch (if managed), and/or firewall to do this for you.

    11. Re:And on Monday, the headline will be by Anonymous Coward · · Score: 0

      When you have more services than public IP's. I have 5 IP's at the office, and run over a dozen services from them. These days, you spin up a VM for each service, for isolation, and NAT the ports where they need to go.

      Which of course doesn't apply in the case of IPv6, since you can't possibly have more services than IPv6 addresses.

    12. Re:And on Monday, the headline will be by unixisc · · Score: 1

      If you need the services to run on routable IPs, you have the routable addresses. If you need them to run on non routable IPs, you can use either the link-local or the unique local addresses. Either way, you won't be short.

    13. Re:And on Monday, the headline will be by unixisc · · Score: 1

      Masking the source address is less of a solution than blocking an entire link from the attacker's nodes.

    14. Re:And on Monday, the headline will be by Compaqt · · Score: 1

      I'm as much a fan of IPv6 as the next guy (and disagree with the guy saying just keep on IPv4 forever).

      But I hate the IPv6 fundamentalists who won't allow any deviation from the IPv6 dogma.

      Come on, just let people have their NATs, why don't you?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    15. Re:And on Monday, the headline will be by Lennie · · Score: 2

      These are websites, you don't use NAT for websites.

      The websites are port 80 (http) or port 443 (https). If you have 5 public IP-addresses, then you have 5 ports 80.

      What you can do is use HTTP/1.1 virtual hosts or a reverse proxy/loadbalancer so you can choose to redirect requests based on URL or domain name.

      Too bad some older systems don't support the same for HTTPS (called SNI) so all you can have is 5 websites with HTTPS.

      --
      New things are always on the horizon
    16. Re:And on Monday, the headline will be by Lennie · · Score: 1

      It isn't that people don't want others to run their networks as they see fit.

      The argument you hear a lot is: NAT is more secure than just a firewall.

      Which is something a lot of people disagree with, it only adds some obfuscation.

      And obfuscation does not make it more secure.

      --
      New things are always on the horizon
    17. Re:And on Monday, the headline will be by Azghoul · · Score: 1

      The headline should be "there's well over 2,000 Federal government agencies and we can't find any worth closing".

    18. Re:And on Monday, the headline will be by kasperd · · Score: 1

      Come on, just let people have their NATs, why don't you?

      NAT wasn't part of the IPv4 standard. It got implemented anyway. Some standards got written at some point. But vendors can still produce IPv4 NAT solutions however they please and ignore the standards. Nothing stops vendors from producing IPv6 NAT solutions. There aren't any written standards. But in reality IPv6 is better suited for NAT solutions than IPv4 was.

      • IPID field was eliminated from the IP header. I am not aware of any IPv4 NAT even trying to handle that field correctly. It's a good thing it isn't in the IPv6 header.
      • In those rare cases where you need an IPID field it is in an extension header and twice the size of what it was in IPv4. That reduces the risk of collisions.
      • RFC1918 addresses have no method for avoiding collisions. RFC 4193 is designed to reduce risk of collisions.
      • With IPv4 you'd often need to NAT behind a single IPv4 address, and often one which was simultaneously assigned to the node doing NAT. This dual use of the single address introduces conflicts. With IPv6 you could NAT with a /64 range, and you can avoid using the address assigned to that node for NAT. That avoids conflicts due to two usages of the same address. And with enough IPv6 addresses available, you can use port preserving on the NAT.

      When an IPv6 NAT can be so much better why aren't they widely used? My guess is nobody wants them. I think the people who ask for NAT with IPv6 just want an excuse to not have to work on upgrading their network. If NAT was available for IPv6, they'd have found another excuse. Those who really do want IPv6 and will take the effort to upgrade will want to avoid the additional complexity of NAT. And nobody really has a use case where NAT between IPv6 and IPv6 is making anything easier.

      NAT where you have IPv4 on one side and IPv6 on the other side can make sense in some scenarios. If your LAN is IPv6 only and you want to communicate with servers on an IPv4 backbone, you can use DNS64+NAT64. If your LAN is IPv4 only and you want to communicate with an IPv6 backbone, there are fewer options. (I decided to actually go and implement one.)

      --

      Do you care about the security of your wireless mouse?
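
The RFC 4193 point in the comment above, as an added example that is not part of the original thread: the sample prefix-generation algorithm from RFC 4193 section 3.2.2 and the collision estimate from section 3.2.3. The MAC address and timestamp used in the demo are constructed values, and the function names are this example's own.

```python
import hashlib
import ipaddress
import math
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    seconds = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - int(unix_time)) * 2**32) & 0xFFFFFFFF
    return struct.pack("!II", seconds, fraction)


def eui64_from_mac(mac):
    """Expand a 48-bit MAC to a modified EUI-64 (RFC 4291, appendix A)."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # Flip the universal/local bit and insert ff:fe in the middle.
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def ula_prefix(unix_time, mac):
    """Derive a /48 Unique Local Address prefix per RFC 4193 section 3.2.2."""
    key = ntp_timestamp(unix_time) + eui64_from_mac(mac)
    # Global ID = least significant 40 bits of the SHA-1 digest.
    global_id = hashlib.sha1(key).digest()[-5:]
    # fc00::/7 with the L bit set gives the first byte 0xfd.
    packed = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((int.from_bytes(packed, "big"), 48))


def site_subnet(prefix, subnet_id):
    """Return the /64 with the given 16-bit subnet ID inside a /48 prefix."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 prefix")
    if not 0 <= subnet_id < 2**16:
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def collision_probability(sites, id_bits=40):
    """Birthday-bound estimate that any two of `sites` prefixes collide.

    P = 1 - exp(-N^2 / 2^(L+1)), the formula given in RFC 4193 section 3.2.3.
    """
    return -math.expm1(-(sites ** 2) / 2 ** (id_bits + 1))


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed sample MAC
    when = 1348790400.0                   # constructed sample timestamp
    prefix = ula_prefix(when, mac)
    print("ULA prefix:   ", prefix)
    print("first subnet: ", site_subnet(prefix, 1))
    for n in (2, 100, 10000):
        print(f"{n:>6} merged sites: P(collision) = {collision_probability(n):.3g}")
```
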
    19. Re:And on Monday, the headline will be by Compaqt · · Score: 1

      > I think the people who ask for NAT with IPv6 just wants an excuse to not have to work on upgrading their network.

      I'm not one of them. And I wasn't saying that I wouldn't want IPv6 without NAT, just that the IPv6 fundamentalists won't allow people to say that NAT has been useful in some circumstances.

      I.e., I just want people to advocate for IPv6 without feeling that they have to defend the anti-NAT ideology 100%.

      I think I'm in the vast middle of Slashdotters who really want to move to this cool new thing except that: 1) ISPs don't support it, 2) cheap router manufacturers don't support it AFAIK, and 3) tools are sort of lacking.

      E.g., why do you have to do ping6? Why not just have ping check the format of the passed argument and call classic ping or ping6 appropriately? Why force a human to do what a computer can?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    20. Re:And on Monday, the headline will be by Compaqt · · Score: 1

      Also, I think yours is a pretty moderate response: that you can have NAT on IPv6, but the vendors haven't supported it yet.

      By contrast, on /. IPv6'ers usually take the line of "Don't do NAT." That would be like Windows users saying, "How can you do X on Linux", and the response being "Don't do X."

      Also, doing SSH to IPv6 hosts named in /etc/hosts has been problematic for me to the extent that I've just forgone my initial attempts at local IPv6. scp even works differently than ssh in this regard. In one or the other of the two, you can't do luser@[IPv6], although luser@1.2.3.4 works just fine.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    21. Re:And on Monday, the headline will be by kasperd · · Score: 1

      And I wasn't saying that I wouldn't want IPv6 without NAT, just that the IPv6 fundamentalists won't allow people to say that NAT has been useful in some circumstances.

      It has been useful. But with IPv6 I think there are better solutions in every situation, where you would use NAT66. If a customer came to me asking for NAT66, I would try to reason with them. I don't want customers to deploy an inferior solution due to being uninformed. But if a customer who understands what the options are still wants NAT66, I'd be happy to implement it, if they would pay.

      When I go to an internet provider, I would like them to treat me the same way. And that means I don't want them to tell me I don't need IPv6. They can tell me they don't think it is ready, and why, but if I with all the information at hand still want it, it's not their job to talk me out of it. I also don't like how some internet providers think they should take extra high payments from those customers, who are willing to be guinea pigs.

      As for the rest of the internet, who I do not have any customer relationship with, I don't care how they handle their own LAN and the connectivity between their LAN and the backbone. But I do care about the protocol being used on the backbone, because those only doing IPv4 there are holding back the development of the internet for the rest of us. For all of those people I'd rather see them use NAT66 than NAT44.

      There is nothing in the IPv6 protocol preventing NAT66, there are fewer obstacles in the protocol than with IPv4. And you are free to use it, if you want to. But you will have a hard time convincing me that you know what you are doing, if you decide to deploy NAT66. But then again, the majority of companies on the internet will have a hard time convincing me that they know what they are doing anyway.

      why do you have to do ping6? Why not just have ping check the format of the passed argument and call classic ping or ping6 appropriately?

      That does not have anything to do with the IPv6 protocol. That is entirely an implementation question, and I believe some systems have a ping command, which does IPv4 and IPv6. I don't think the minor differences in command lines between different operating systems have any influence on the speed at which IPv6 is being deployed.

      That would be like Windows users saying, "How can you do X on Linux", and the response being "Don't do X."

      It works the other way too. Back when I was in a job, where I was forced to use Windows, I would often ask questions about, how do I do X in Windows. I wasn't told don't do X, I was just told, you cannot do X in Windows.

      Also, doing SSH to IPv6 hosts named in /etc/hosts has been problematic for me to the extent that I've just forgone my initial attempts at local IPv6.

      I haven't actually tried that. Rather I went the way of putting my hosts in DNS. In those cases where I need to access a host, which I did not put in DNS yet, I have a zone, which automatically generates AAAA records. That way I can do such stuff as 2a00-1450-400f-800--100e.aaaa.kasperd.net, and it works.

      scp even works differently than ssh in this regard. In one or the other of the two, you can't do luser@[IPv6], although luser@1.2.3.4 works just fine.

      Yeah, that is a bit annoying. But most of the time I do ssh to hostnames anyway. I rarely do ssh to an IP address.

      --

      Do you care about the security of your wireless mouse?
    22. Re:And on Monday, the headline will be by Compaqt · · Score: 1

      > I don't think the minor differences in command lines between different operating systems have any influence on the speed at which IPv6 is being deployed.

      The clumsiness of IPv6 tools (ping, ssh, scp, and others) and basically the whole ecosystem working together acts as a stumbling block to those admins (and even devs and power users) who just want to get their feet wet. When they get their hands burned (ok, mixed metaphor), they back off because they perceive that you have to become an IPv6 guru (like you) in order to merely connect two hosts.

      For you, a DNS server is nothing. You've probably got 20 of them running in your labs. The 21st is no big thing. For small networks, config for the 1st one is.

      None of this is to say we shouldn't move to IPv6, merely that obstacles in the way are part of what are delaying it.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    23. Re:And on Monday, the headline will be by kasperd · · Score: 1

      For you, a DNS server is nothing. You've probably got 20 of them running in your labs.

      Only 19. But then again, this is a one man company, and I don't have a big lab. What I really like about working with IPv6 is that whenever I need to add a component to my system, I just assign another IPv6 address to it without even having to think twice, because I know there will be enough IPv6 addresses. 11 of the DNS servers I have running at this time are authoritative DNS servers, which I actually run IPv6 only. On each domain I host on those, I have some special feature I need on that domain. I don't need to worry about interaction between those features, because I run each server as a separate process. That is something I couldn't have done, if I had been using IPv4, because there are just not enough addresses.

      --

      Do you care about the security of your wireless mouse?
  9. Re:IPv6 too complex by Anonymous Coward · · Score: 0

    ahahaha good troll

  10. Public facing only... by Bugler412 · · Score: 2

    Recently worked in a govt facility on a project, they are just as far as most everyone else from being ipv6 ready internally, perhaps a lot farther away than many. Additionally, as you might expect, no one is budgeting for the replacement of infrastructure (like 20 year old printers for instance) that need to go to make it happen. Even though they have a mandate to be ready internally in two years. That mandate ain't gonna fly.

    1. Re:Public facing only... by Dagger2 · · Score: 1

      There's a difference between IPv6-ready and IPv6-only. Those 20-year-old printers that only work on v4 will continue to work on the v4 part of the dual-stacked internal network; replacing them isn't a requirement for deploying v6. (It is a requirement for removing v4, but that's the long-term goal, not the immediate one.)

  11. Re:IPv6 too complex by Anonymous Coward · · Score: 0

    Twice as long? Why bother with that when there are all those wasted numbers after 255!

  12. Re:IPv6 too complex by kasperd · · Score: 1

    That joke was funny April 1st of last year. http://packetlife.net/blog/2011/apr/1/alternative-ipv6-works/

    --

    Do you care about the security of your wireless mouse?
  13. parent = troll by Anonymous Coward · · Score: 0

    i see you trollin. that 47% meme is getting lame and sarcasm is unfunny no matter what your nerd friends tell you. inb4 pro-romney. like a lot of other slashdot hipsters i'm anti-obama, anti-romney, pro-flavor of the day which happens to be gary johnson. ron paul is like so yesterday.

    1. Re:parent = troll by nobaloney · · Score: 1

      In my neck of the woods the CMT and FOX News cable networks are on adjacent channels. So when I noticed that Roseanne Barr and Mike Huckabee had shows on at the same time, I set up my picture-in-picture and switched between them.

      Roseanne's show was meant to be funny, and though much of the humor was dated, it succeeded. Huckabee's show was, well you, a typical Huckabee show.

      I finally know whom to vote for.

  14. Slashdot and IPv6 by Anonymous Coward · · Score: 0

    Z0MG!!1! I pinged www.slashdot.org and it returned an IPv6 address!!! ... then I woke up..

  15. This time it really is happening by kevmeister · · Score: 4, Informative

    I work for the NSP for a large number of government research facilities. Our network has had full IPv6 support for several years, but no IPv6 customers (other than ourselves). The prior IPv6 mandate was primarily satisfied by bringing up an IPv6 connection with the customer and their pinging our router, then deconfiguring the IPv6. That was really all the mandate required.

    This time we are bringing up full IPv6 connectivity with them. It really is happening this time and it mostly seems to be working.

    The mandate is also pressing other providers to get IPv6 up and running. Under the mandate, if you have a provider that can't support IPv6 on Oct. 1, you need to change providers. In simple terms, the general public must be able to access your web services and all publicly linked pages as well as DNS via IPv6 if they have IPv6 connectivity to the Internet. (Admittedly, this is a fairly small subset of Internet users.) The federal government is a rather large customer of several major providers, so this has probably been the biggest cause of several of them getting IPv6 running, though some still don't offer IPv6 to non-governmental customers.

    Between the U.S. Government and Comcast, IPv6 seems to really be happening. Traffic is clearly increasing rapidly, though still very tiny compared to IPv4.

    --
    Kevin Oberman, Network Engineer, Retired
    1. Re:This time it really is happening by Anonymous Coward · · Score: 1

      Traffic is clearly increasing rapidly, though still very tiny compared to IPv4.

      On my gateway, I use an IPv6 tunnel to get my IPv6 address. My IPv6 usage is not "tiny" anymore. It was few months ago, but it is growing quite quickly.

      In August, total traffic was 20GB and 2GB (10%) was IPv6.
      In September, total traffic was 17GB so far and IPv6 was 35% or almost 6GB.

      This is primarily due to IPv6 website availability. Heck, yesterday 50% of all traffic was IPv6.

      The sad part is, my ISP does not even have IPv6 on their internet backbone, never mind providing IPv6 to their customers.

    2. Re:This time it really is happening by j2.718ff · · Score: 1

      The mandate is also pressing other providers to get IPv6 up and running. Under the mandate, if you have a provider that can't support IPv6 on Oct. 1, you need to change providers

      Yes, this sort of thing does actually have some effect. I work for a company that sells to the government. They are requiring that our products support IPv6. They admit they aren't likely to be using them on an IPv6 network any time soon, but if we don't support IPv6, they won't buy from us.

    3. Re:This time it really is happening by Anonymous Coward · · Score: 0

      HAHAHAHAHA.. "My IPv6 usage is not tiny".. "I used 6gb of bandwidth this month"

      HAHAHA

    4. Re:This time it really is happening by Anonymous Coward · · Score: 0

      I've been asking for IPv6 transit since I started working at my local government employer two years ago. We're small potatoes with just a DS3 to each provider, but we're still a paying customer. AT&T basically offered to sell us consulting services, but couldn't offer any transit or even give a guestimate as to when they could. VZN said, "We're upgrading your POP soon," but that was over a year ago.

    5. Re:This time it really is happening by Lennie · · Score: 1

      He meant in comparison to his IPv4 traffic.

      --
      New things are always on the horizon
    6. Re:This time it really is happening by Anonymous Coward · · Score: 0

      Did you even read his post? He's comparing ipv4 traffic to ipv6 traffic over two months.

      You're a fucking idiot.

  16. If I don't convert, what will you do? by Compaqt · · Score: 1

    That's the question which a lot of overworked federal agency heads might be asking.

    I.e., "What's in it for me?"

    And, "If we miss the deadline, what will happen." It would be nice if every federal agency just did whatever they were told to do, as if they were merely the organs of one single body. But actually, they are multiple bodies. And if the answer to the question is "nothing", then some wily agency heads will choose to simply ignore the directive.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:If I don't convert, what will you do? by kevmeister · · Score: 4, Interesting

      This is an Office of Management and Budget (OMB) mandate. They can reduce or completely halt funding. It has been made very clear that, while there will be failures and missed dates, they better not be because you were not trying. Oddly, management tends to take the possibility of losing funding very, very seriously.

      --
      Kevin Oberman, Network Engineer, Retired
    2. Re:If I don't convert, what will you do? by Nivag064 · · Score: 1

      "Oddly, management tends to take the possibility of losing funding very, very seriously."

      Why?

    3. Re:If I don't convert, what will you do? by Azghoul · · Score: 1

      Yeah right. As if any program in this Federal government was seriously in danger of being defunded. They'd just go whine to a Congressional staffer who will get that nonsense squashed.

    4. Re:If I don't convert, what will you do? by Anonymous Coward · · Score: 0

      Find me one example of this happening. You can't because OMB has never defunded someone for non-compliance with a mandate.

  17. Re:wha? by Anonymous Coward · · Score: 4, Funny

    Romney or IPv4?

  18. Dueling mandates by winmonster · · Score: 1

    Some people are saying, "Yeah, providers will give you IPv6 addresses for your DIA circuits. I don't see an issue." But they aren't fully aware of other mandates that influence civilian agencies' abilities to meet the IPv6 mandate. Namely, this one: http://www.dhs.gov/trusted-internet-connections-tic. None of the TIC providers are offering IPv6 connectivity that I'm aware of, but they are all in various stages of getting there. The agencies that are ready most likely host their own MTIPS offering or (more likely) using hosting companies to get there.

    1. Re:Dueling mandates by geddo · · Score: 1

      From a link on the website you posted- The following vendors have been approved to offer TIC compliant MTIPS services through the Networx contract: AT&T, CenturyLink (formerly Qwest), Sprint, Verizon Business. Last I checked AT&T, CL and Verizon all offer IPv6/4 dual stack DIA, I don't know about Sprint's offering but that's 3 options. In any case, no one is saying it's easy but it is a good first step for the government to mandate this stuff, no one really took it seriously until they said all IPv6 hardware and software they bought had to be compliant (loosely quoted), then every company that wanted to do business with the government took it seriously.

    2. Re:Dueling mandates by winmonster · · Score: 1

      You can get IPv6 DIA from them, but not IPv6 TIC. They are not the same. All of the agencies that moved to provider-based TIC cannot get IPv6 service in time for the mandate.

    3. Re:Dueling mandates by sfprairie · · Score: 1

      You can get IPv6 DIA from them, but not IPv6 TIC. They are not the same. All of the agencies that moved to provider-based TIC cannot get IPv6 service in time for the mandate.

      That is very correct. We will not be compliant with our own hosted sites because our TIC provider cannot support ipv6 yet. The sites that are hosted on Akamai are ipv6 compliant and have been for some time. I think there are about three, maybe four comments here from people who know what the actual civilian Fed requirements and capabilities are, and are familiar with TIC. All the other comments are from people who have no idea.

  19. Re:wha? by Anonymous Coward · · Score: 0

    If Romney gets elected, he'll just repeal it back to IPv4

    What the fuck ever. Romney has his flaws and there's no way in hell I'm voting for him (I don't agree with his laissez-faire style capitalism and rich white guy syndrome), but as a tech enthusiast, I can appreciate the strides he made to push technology forward. Six years ago, Slashdot couldn't get enough of this guy for moving Mass. to use ODF only, and spending a shit-ton of money on tech investments.

    http://slashdot.org/story/06/06/30/1849245/MA-Senator-Decries-OpenDocument-Decision
    http://tech.slashdot.org/story/06/01/31/0349223/romney-continues-odf-support-with-new-appointee
    http://politics.slashdot.org/story/05/11/17/1653221/ma-governor-wants-more-new-tech

  20. Re:Romney sez by Anonymous Coward · · Score: 0

    No, Romney says you can only have it after you've been driven half way across the country in a crate lashed to the top of his luxury vehicle. But don't worry, he'll hose the shit and vomit off you when you get there, and you'll be as good as new!

    Romney is such a complete tool. It floors me that *anyone* would vote for him; but I'm grateful, because it identifies the OTHER tools out there, and there's no way in heck he can win anyway.

  21. Re:IPv6 too complex by Anonymous Coward · · Score: 1

    All they had to do was make Internet addresses twice as long 0.0.0.0.0.0.0.0 to 255.255.255.255.255.255.255.255 and it would have fixed the problem

    Yes it would but IPv6 addresses are more fun and easier to remember. You get to use hex sp33k and the zero compression schemes get rid of unnecessary zeros. My public 16-octet IPv6 address is much smaller and easier to remember than your 8 octet solution.

    Device makers could easily update the logic to do that in future products as well.

    It does not matter if it is a single extra bit or 96 extra bits the cost and global effort is the same.

    Plus, you can use IP4 addresses at the same time by making software see them as 192.168.0.1.0.0.0.0

    ::192.168.0.1 is valid IPv6 and looks less complex than your 8-octet version. Just because you can do something does not mean there is a valid reason to do it. There is no benefit to playing this subset superset game. This is an operational nonstarter.

  22. cheerleading? by nurb432 · · Score: 1

    I don't know if I'd call forced deadlines as 'cheerleading'.

    --
    ---- Booth was a patriot ----
  23. public persona vs the real guy by Chirs · · Score: 0

    I think Romney is actually more liberal than he needs to portray himself as in order to get tea party votes. I bet if he wasn't pandering to right-wing lunatics he and Obama could actually find a lot to agree on.

    1. Re:public persona vs the real guy by Anonymous Coward · · Score: 0

      Romney's record as Governor pretty much confirms it.

    2. Re:public persona vs the real guy by spauldo · · Score: 1

      I agree. It's funny, I didn't have any real issue with McCain (although his idea to shut the government down was a bit out there), and I don't have much problem with Romney based on his time in Massachusetts, but I didn't support either of them primarily because I want a Democrat with the veto stamp. (That, and the Republicans need to be punished for Bush. WMDs my ass.)

      I never really cared that much for Obama - I wanted Clinton.

      Not that it matters. I'm in Oklahoma, where a non-Republican vote doesn't count.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    3. Re:public persona vs the real guy by RockDoctor · · Score: 1

      Not that it matters. I'm in Oklahoma, where a non-Republican vote doesn't count.

      Ah, the joys of democracy. 50%+1 wins and the 50%-1 can go to the salt mines.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  24. hybrid dual-stack by Chirs · · Score: 1

    Since all IPv4 addresses have a unique IPv6 representation, an IPv6-only subscriber using a device with a hybrid dual-stack can access an IPv4 address by specifying the applicable IPv6 address. See rfc3493, "Compatibility with IPv4 Nodes".

    1. Re:hybrid dual-stack by gmack · · Score: 1

      That is for application level compatibility and only works if both hosts have valid ipv4 addresses. If only one side has ipv4 the ipv4 only machine will be unable to reply to the ipv6 only machine thanks to its much larger address format.

    2. Re:hybrid dual-stack by unixisc · · Score: 1

      That feature requires IPv4-mapped addresses, which is something whose support varies based on implementation. It's been more or less abandoned, while organizations have instead been exploring other transition technologies, be it dual stack, dual stack lite, tunnelling, or even LSNAT translations. Other problem here is that IPv4 mapped addresses wouldn't work in cases where that IPv4 address is a local address behind a NAT, which will often be the case.

    3. Re:hybrid dual-stack by kasperd · · Score: 2

      an IPv6-only subscriber using a device with a hybrid dual-stack can access an IPv4 address by specifying the applicable IPv6 address.

      That will not work. The IPv4 only node will need to communicate with some IPv4 address, and there is none to be used for that purpose. If you read the other replies to your post, you will see that they seem to disagree with each other. That is because there are actually two different formats. There is the deprecated ::/96 prefix, and there is the currently used ::ffff:0:0/96 prefix. The latter is used such that applications can use a single socket to talk both IPv4 and IPv6. It is entirely an API feature. Those addresses are never sent on the wire. The actual traffic on the wire is IPv4 from one end to the other.

      There are NAT solutions which will help a bit. There is NAT64+DNS64 if your LAN is IPv6 and backbone is IPv4. And I have developed a system for a LAN running IPv4 connecting to a backbone running IPv6.

      --

      Do you care about the security of your wireless mouse?
    4. Re:hybrid dual-stack by unixisc · · Score: 1

      Also, if one is using a private IPv4 address behind a NAT, how would either an IPv4 compatible address or an IPv4 mapped address represent it? It can't! I mean, if you have ::ffff:192.168.0.5, IPv6 can't suddenly make that IPv4 address routable.

  25. actually it's ::ffff:192168.0.1 by Chirs · · Score: 1

    The one you quote is deprecated.

    1. Re:actually it's ::ffff:192168.0.1 by camperdave · · Score: 1

      The one you quote is deprecated.

      ... and that is why IPv6 isn't being rolled out. We haven't even gotten started, and already parts are deprecated. IPv6 is in too much of a state of flux. Is what I've learned and am learning about IPv6 even valid anymore? How can I roll out a solution if I can't know that it is the Right Way (TM) to do things? There needs to be a feature freeze so that the folks who build end user equipment can implement IPv6.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:actually it's ::ffff:192168.0.1 by spauldo · · Score: 1

      It's the same with IPv4, really. Stuff gets updated all the time.

      Maybe not IP and TCP anymore, but there have been lots of changes to the basic protocols in recent years.

      That particular change doesn't affect you anyway unless you're a programmer. The IPv4 in IPv6 address space was only meant for applications to use internally (so you could use the same data type for IPv4 and IPv6 addresses). Those addresses aren't valid over the wire.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    3. Re:actually it's ::ffff:192168.0.1 by unixisc · · Score: 1

      Having a mixed notation - like 2001:456:789:2::192.168.0.1 makes it hell for software developers who'd have to support 2 notations for this, and in the end make such code bulky & unwieldy, thereby blowing up the costs of IPv6 gear. It's good that that notation was deprecated.

      Note that IPv4 mapped addresses are not deprecated - IPv4 compatible addresses are (even though the local network address and the loopback address fall within the same range) However, support for IPv4 mapped addresses is not uniform, which is why even that is discouraged.

    4. Re:actually it's ::ffff:192168.0.1 by Jeremi · · Score: 1

      Having a mixed notation - like 2001:456:789:2::192.168.0.1 makes it hell for software developers who'd have to support 2 notations for this, and in the end make such code bulky & unwieldy, thereby blowing up the costs of IPv6 gear. It's good that that notation was deprecated.

      Huh? No, it doesn't make any difference to developers how complex the string notation is, because any developer who isn't clueless or insane just calls the standard conversion functions (inet_ntop() and inet_pton()) anyway, rather than rolling his own string parsing and generation functions.

      The guy who has to implement and maintain those two functions might have some extra work to do, but I have faith that he can handle it.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
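The distinction drawn in the comments above between the current ::ffff:0:0/96 (IPv4-mapped) form, the deprecated ::/96 (IPv4-compatible) form and the mixed dotted notation, shown as an added example that is not part of any poster's comment. It uses Python's standard `ipaddress` module in place of inet_pton()/inet_ntop() to normalize the peer address a dual-stack socket reports before an allowlist check; the allowlist networks and sample addresses are constructed for illustration.

```python
import ipaddress

# Deprecated "IPv4-compatible" block. The current "IPv4-mapped" block
# (::ffff:0:0/96) is detected through IPv6Address.ipv4_mapped below.
V4_COMPAT = ipaddress.ip_network("::/96")

# Constructed allowlist for this example (not taken from the thread).
ALLOW = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "2001:db8:10::/64")]


def normalize_peer(text):
    """Parse a peer address string and return (address, kind).

    An IPv4-mapped address is unwrapped to the IPv4 address it stands for,
    because the traffic on the wire is IPv4. A deprecated IPv4-compatible
    address is returned unchanged so the caller can reject it.
    """
    addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop any zone id
    if addr.version == 4:
        return addr, "ipv4"
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, "ipv4-mapped"
    # :: (unspecified) and ::1 (loopback) sit inside ::/96 but are not
    # IPv4-compatible addresses, hence the "> 1" test.
    if addr in V4_COMPAT and int(addr) > 1:
        return addr, "ipv4-compatible"
    return addr, "ipv6"


def _in_nets(addr, nets):
    # Compare only against networks of the same IP version.
    return any(addr.version == n.version and addr in n for n in nets)


def naive_allowed(text, nets=ALLOW):
    """Allowlist check without normalization: the mapped form never matches
    an IPv4 network, so one host gets two different verdicts."""
    return _in_nets(ipaddress.ip_address(text), nets)


def allowed(text, nets=ALLOW):
    """Allowlist check on the normalized address; deprecated forms are denied."""
    addr, kind = normalize_peer(text)
    if kind == "ipv4-compatible":
        return False
    return _in_nets(addr, nets)


if __name__ == "__main__":
    # Constructed sample peers, as a dual-stack listener might report them.
    samples = [
        "192.168.0.5",                   # plain IPv4
        "::ffff:192.168.0.5",            # IPv4-mapped, mixed notation
        "::ffff:c0a8:5",                 # the same address in pure hex
        "::192.168.0.5",                 # deprecated IPv4-compatible form
        "2001:db8:10::7",                # native IPv6 inside the allowlist
        "2001:456:789:2::192.168.0.1",   # mixed notation from the thread
    ]
    for s in samples:
        addr, kind = normalize_peer(s)
        print(f"{s:30} -> {str(addr):24} {kind:16} "
              f"naive={naive_allowed(s)} normalized={allowed(s)}")
```
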
    5. Re:actually it's ::ffff:192168.0.1 by Anonymous Coward · · Score: 0

      It's funny how even open source Firefox has problems taking a v6 IP in the address bar. It is a shame that you need to put some special character in. I first tried that about 2 years ago and got some error. I can't recall what the change was, for the life of me, which is part of the proof that this is NOT going to go well and will just get ignored.

    6. Re:actually it's ::ffff:192168.0.1 by unixisc · · Score: 1

      It's not about the programmers - it's about the software becoming more complicated and eating up more memory. And that doesn't even factor in human errors. As it is, people are complaining about going hex, and if you have a mixed notation that is part IPv6, part IPv4, that only helps confound things even more.

      In short, it's good that this stuff got deprecated, and a major mess got averted that way. inet_ntop() and inet_pton() notwithstanding. The guy who manages them can instead write IPAM software that handles the Interface ID part of the address, allocating static, dynamic, address pools and other functionality that creates addresses where each word has an assigned meaning, such as making one word that of a port#, another a pool range, another for the particular node on the network and another that flags whether the address is static or dynamic. Things of that sort that gives us a smart DHCP6 management system

  26. NAT implies a firewall by Chirs · · Score: 1

    but you can also just implement the firewall without NAT and get the same level of security.

    1. Re:NAT implies a firewall by Compaqt · · Score: 1

      Except that now you know the exact address a reply is coming from, and you can do all sorts of network mapping. Do that and keep that info aside.

      Next, the moment you find a vulnerability in the firewall, pull out your premade network map, and go to town.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    2. Re:NAT implies a firewall by Lennie · · Score: 1

      Really ? IPv6 on Windows has privacy extensions enabled by default*, which means it will use a different randomly generated IPv6-address every day when it needs to setup a client-connection. Like for example connecting to a website.

      What is there to map ?

      * other operating systems like Linux and Mac also support this, but not all versions have it enabled by default

      --
      New things are always on the horizon
    3. Re:NAT implies a firewall by Compaqt · · Score: 1

      How do you enable this on the latest Linux kernels? Ubuntu 12.04?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    4. Re:NAT implies a firewall by kasperd · · Score: 1

      but you can also just implement the firewall without NAT and get the same level of security.

      I think the firewall without NAT is more secure. Getting rid of NAT means you reduce complexity a lot. Less complexity means less risk of security bugs in the implementation.

      --

      Do you care about the security of your wireless mouse?
  27. 'bout time. by Anonymous Coward · · Score: 0

    So when is Slashdot gonna bite the bullet?

    ipv6.user@fe80::feed:babe:beef:abed

  28. Yeah... by Anonymous Coward · · Score: 0

    Not gonna happen

  29. The university I work at... by rjr162 · · Score: 1

    has IPv6 enabled, and things are working fine there. The exception are some of the branch campuses that have older switches and such where turning on IPv6 in Windows 7 seems to really slow the whole network at these locations down.

  30. Most Agencies Have Made "No Progress" by PineHall · · Score: 1

    NIST statistics show that over half the agencies have made "no progress" in their IPv6 deployment. It is good that the government is doing this, but too many agencies are asleep at the wheel. It does no good when the agencies will not do what they are required to do.

  31. Re:Romney sez by camperdave · · Score: 1

    Yes, America! Send a message to Washington and the big parties. Don't vote for either Obama or Romney. Vote for Virgil.

    --
    When our name is on the back of your car, we're behind you all the way!
  32. IPV12 Openprojects - Freenode by NSN+A392-99-964-5927 · · Score: 1

    When I was oper on OpenProjects.net now freenode I campaigned for IPV12 or 16 pushing forward the argument that IPV6 was rather short sightedness and that was 10 years ago. Some people did not like my ideas and I was booted as my ideas were too "Outlandish".

    It appears that anything decent gets "scotched" http://www.thefreedictionary.com/Scotching (please refer to definition Scotch1) "1. To put an abrupt end to: The prime minister scotched the rumors of her illness with a public appearance".

    Nonetheless, this issue raises its ugly head once again.

    --
    All cows eat grass!
  33. Pols & IPv6 by unixisc · · Score: 1

    Flamebait indeed! This initiative started long before Obama, during the Bush administration. Not to mention that neither Clinton, Bush, Obama nor Romney have the slightest idea what IPv4 is. And speaking of the GOP, if they knew that IPv6 has 3.4028236692093846346337460743177x10^38 addresses, as opposed to a mere 4,294,967,296 addresses, they'd all be champions of IPv6.

  34. Re:wha? by kelemvor4 · · Score: 1

    If Romney gets elected, he'll just repeal it back to IPv4

    More likely, he'll switch the internet over to lantastic.

  35. Most consumers are ready by unixisc · · Score: 1

    From what I understand, let's look @ the OSs that natively include IPv6 support, as opposed to those who don't:

    • Windows 7 - check
    • OS-X - check
    • BSD - check
    • Linux - check
    • Android - check
    • iOS - ???

    So all new devices that come out w/ an OS already have IPv6 support. Older devices already have all the IPv4 addresses they need, and more likely than not, they are behind NAT and can just keep issuing local IPv4 addresses. So the analogy w/ analog to digital TV fails somewhat as far as domestic customers go - here, it's the consumers who are ready, and the ISPs who need to make the switch. And a lot of the delay is due to the fact that there still doesn't seem to be IPv6 specific routers, switches and other networking equipment that is layer 3 aware. ISPs who are IPv6 ready ought to dual stack their customers who are not still on XP as a default, and over time, just quietly remove IPv4, or start charging a premium if that is needed.

    With businesses, it's more complicated, since they have in-house applications that are IPv4, and so for them, migration would be a PITA. When they switch to Server 2008/2012, that's probably the right time to go from IPv4 to IPv6 as well, although I can see why IT departments would be reluctant to make 2 jumps in 1 transition. But fact remains that Server 2008 and Windows 7 have IPv6 as their native layer 3 support, as opposed to XP or Server 2003. So this transition is just the right place to go from IPv4 to IPv6.

    Also, web hosting services switching to IPv6 would help a great deal as well. The bulk of websites hosted on these would go dual stack ASAP.

    1. Re:Most consumers are ready by Aqualung812 · · Score: 1

      FYI, Apple iOS - check. Have IPv6 on my iPad.

      Note, this is on WiFi. Apple iOS 6 supports this over LTE, but Verizon has not given me a IPv6 address yet.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  36. Dual Stack? by unixisc · · Score: 1

    The other thing ISPs can do is go dual-stack lite, where they set up everything in IPv6, and only provide local IPv4 behind IPv6 addresses to those who simply have to have IPv4 to communicate w/ other IPv4 nodes in the internet. After all, complete dual stack is not a solution if they are running out of IPv4 addresses.

    Also, businesses and even consumers who consume a high quantity of IP addresses - which in case of IPv4 may be as low as above 16 - ought to implement IPv6 for such applications. That would include things like websites, ftp sites, messaging servers & so on. Essentially, once the high demand items go IPv6, pressure on IPv4 is that much lower, and even facilitates dual stack.

  37. Firewall support for IPv6 by unixisc · · Score: 1

    Where exactly do these extra addresses come from? The reason it's becoming critical now is that even w/ NAT, they're running out. And once one introduces 2 or more levels of NAT, a major overhaul would be required of NATing software, since your mapping - currently based on mapping a single layer 3 address to a layer 2 address - will have changed, since one would now have to map a combination of a layer 3 routable address and a layer 3 non-routable address to a layer 2 address. Once that level of work will be needed, one might as well go for IPv6 anyway.

    The software firewalls - the ones based on BSD and Linux - things like PF and IP Tables - already support it. I think Norton is still behind the curve, and dunno about McAfee, Kaspersky, ESET or others. But at a router point, if they put in something like PF or IP Tables, they are providing a good level of security already, since they can block an entire /64 link. Beyond that, enable Antivirus and other malware, and don't bother about firewalls, until your security software supports IPv6. B'cos if you don't have an IPv4 address, there is no way any malware delivered via IPv4 can reach you anyway.

    1. Re:Firewall support for IPv6 by hairyfeet · · Score: 1

      How about the bazillion addresses being used as parking pages? How about the bazillion addresses being sat on by companies like HP that by buying out other old guard companies that were around when the net first went up are sitting on more class A addresses than they could possibly ever use?

      And again you can't find a single page testing the popular free and pay security suites and firewalls with IPV6 and then of course there is the elephant in the room which is the corps paying IT like shit for a decade so that there are severe shortages of manpower and people actually trained to deal with IPV6 problems in the wild. And not having an IPV4 at this point would just be retarded as too many sites still don't support V6. You can blame the retarded engineers who refused to make V6 backwards compatible with V4 for that.

      Finally nobody is talking about the environmental costs which are gonna be staggering. Look at Newegg and Tiger and you'll see the majority of the routers sold to this very day are NOT IPV6 compatible and most likely aren't able to be upgraded. You are talking about tens of millions of dollars in hardware that is gonna be sent to the dump in huge amounts, hell I don't even think my cable modem which was handed me by my ISP is IPV6 capable, that's over 30,000 units just in my area that will have to go to the dump, while nobody I know has an IPV6 router as the only one I know of being sold retail is the Airport which is overpriced.

      Like it or not we just aren't ready and it's gonna be a clusterfuck for years to come, we are gonna have a shortage of people who can fix problems, shortage of affordable hardware that can use it, and while Linux may support it that only helps 2% of the consumer population at best and the rest are using software that we frankly don't know if it has holes you can drive a truck through when it comes to IPV6. I know there are articles showing malware already using this weakness to get past security to infect systems.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:Firewall support for IPv6 by unixisc · · Score: 1

      It's not a 'bazillion' - it's a mere 4 billion. As a reference, the world's population is 7 billion. But even putting that aside, in terms of just real numbers, the public IP addresses multiplied by private IP addresses - assuming that every single one is NATed, has hit its limits. As for the ones being sat on by companies like HP or IBM, recovering them by ARIN or IANA would be a pain, and only add some 16 million or so addresses, even if HP gave up DEC's entire 16.x.x.x. Also note that those 16 million couldn't simply be given to 16 million customers - they'd have to be subnetted to at the most /30, and then distributed. That would be a nightmare to manage.

      We've also addressed several times why IPv6 could not be backwards compatible, no matter what you did. Instead of going from 32-bit to 128-bit, let's say we had gone from 32-bit to even 33 bit. Even that would have broken compatibility, and caused all networking gear in the world to be changed. Essentially, the IPv4 header cleanly defines where the source address starts & ends, and where the destination address starts & ends. The moment you change it by even 1 bit, everything else in the world would need to change. This is nothing like AMD simply extending the x86 instruction set to cover 64-bit ALUs.

      Some of the older routers that had lower density flash memory and where the latest router OSs wouldn't fit would certainly not be able to accommodate IPv6. But more of them can be, and if the Ciscos of the world want to horn in on the opportunity to sell millions, then it's really b/w them, the customers & regulatory authorities

    3. Re:Firewall support for IPv6 by hairyfeet · · Score: 1

      Sigh, do I REALLY need to spell this out? Taking those addresses back would buy us time and thanks to VMs and virtual servers one address can be the home for MANY web pages. And again BC as I was talking about was for the purposes of WEBSITES, there is nothing anybody can do about the hardware problem but replace it. On the website side it was WAY STUPID not to make it BC so that a website could use a single IPV6 address and have it cover both, or have a user with an IPV6 address easily and seamlessly get to ANY website without hassles and connection issues. Again this is software not hardware so it shouldn't have been difficult.

      Mark my words and mark them well, when they do flip the switch? It's gonna be a giant clusterfuck, with serious issues for months, possibly years. No matter what we do the landfills are gonna be overflowing, we don't have enough people trained to fix issues with the tech, the whole thing is an over engineered clusterfuck from hell.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Firewall support for IPv6 by unixisc · · Score: 1

      Websites are actually the least of the problems - a single IP usually covers them. In Windows, you have them laid out like http://www.microsoft.com/office, whereas in the unixes, you have virtual hosts laid out like http://qt.digia.com/ that easily share a single IP. This shortage hits offices - like when they use VoIP phones, those addresses cannot be put behind NAT, even though the laptops can be. That's where these IPs would get eaten faster than one can produce them as far as IPv4 goes, and that's where they're running into problems. Not an issue w/ IPv6, but would have remained a problem even if they had grown it simply to 48 bits or less. Websites just have to be dual stacked i.e. accessible from both IPv4 and IPv6 hosts. Virtual hosting would guarantee that every virtual host on a website gets accessed, and for IPv6, the admin has the choice of either using virtual hosts, thereby keeping the practice unchanged to avoid any learning curve issues, or else assigning different IPv6 IPs to each virtual host, making each of them a separate real host in its own right.

      Your explanation that it's software and should be easy to replace just ignores the scope of what has to be changed, and in how many places. No matter what change they had made to that firmware, they'd have had to do it everywhere - make sure that every router supports it, every OS supports it, every server supports it.... No different from what's been and is being done w/ IPv6 right now. Right now, in IPv6, the main stumbling block is the core routers, which do have to be modified to do a maximum transfer of 128 bits as opposed to 32. And the edge routers need to handle the simplified routing protocols as well. Those are the new parts.

      On the landfills, the router manufacturers would have to assess their policies on which of their routers are remotely or field upgradable, and which ones absolutely have to be replaced. While they may love to sell as many routers as they produced in the past, I can see them quickly getting into an allocation situation if they tried that. So the only routers that would make it to the landfills would be the ones that can NOT be upgraded, maybe b'cos they were made in the 90s. Otherwise, most routers that have adequate memory would just need to have their OSs updated and include IPv6 support in it.

    5. Re:Firewall support for IPv6 by hairyfeet · · Score: 1

      Sorry I didn't make myself clear, not saying it would be easy, just saying it would be doable. Doable is better than impossible which is what we have on the hardware side and from the looks of a Google search for IPV6 malware the software frankly ain't coming along too well either.

      Look it took YEARS with highly trained people, people we frankly don't really have in any abundance anymore, to build what we have now and make it as secure as it is. Remember what it was like in the early days? How worms would run riot and even clicking on an email could infect the system?

      Sadly it looks like that is exactly what is gonna happen all over again. The software simply doesn't know how to deal with these new addresses and so it'll just let anything on through, it's gonna be a fucking mess. If we were to buy some more time while the government pushed an initiative to get people into the networking field then maybe, just maybe, we could have the hardware and software ready to go and it wouldn't be such a mess.

      Instead what is gonna happen is the classic free market bullshit, they'll use ISP side NATs while those sitting on class A addresses are gonna make out like bandits selling them cut up into blocks, and by the time we have to flip the switch the men and software isn't gonna be ready and it's gonna be a malware paradise, you'll have Code reds running riot, what a fucking mess. We should have started an initiative 10 damned years ago and banned hardware that didn't support both but now we've made the shit stained bed and we are all gonna have to lie in it.

      Oh and the routers? Haven't looked at consumer routers in awhile have you? You MAY get the corporate stuff, if its still under contract, to be upgraded but I'll bet my last dollar there is no way in hell to upgrade all those trendnet/zonenet/D-Link routers, just no way in hell. We are talking 2Mb of memory and if you are lucky that much flash and 200MHz ARM chips, just no way in hell to get the weak ass gear they put in those things to even work as a switch with IPV6, just not enough memory and CPU cycles to deal with quadrupling the address size, just no way.

      Hell look at the stuff they are selling right now and I can tell you that's the same level of stuff you'll find in any Walmart, staples, Office max, etc. You think that CCC (Cheapo Chinese Crap) has a snowball's chance in hell of supporting IPV6? Hell I've got one of those little Trendnet routers in the shop, its cheap and does its job but they have never even released a single firmware update for the thing, think they'll care about adding IPV6 support? It's all designed for the dump and if you go to sites like WW-DRT you'll see the specs on most of these things make it impossible to even hack them, they are so damned weak there is nothing to hack!

      --
      ACs don't waste your time replying, your posts are never seen by me.
  38. Comcast by unixisc · · Score: 1

    Is Comcast still handing out single /128s to each customer? Or are they now at least giving out links of /64?

    Also, does anyone know whether Comcast does full dual stack, or did they go w/ dual stack lite instead? The former wouldn't solve the issue they had w/ an IPv4 address shortage, but the latter would.

    1. Re:Comcast by Daaelarius · · Score: 1

      Comcast started handing out /64s a year ago. They aren't doing dual-stack lite, either. It's DHCPv6 with IA_NA and IA_PD. www.comcast6.net for more info

    2. Re:Comcast by Randle_Revar · · Score: 1

      Full dual (for now at least), and they are giving out /64

      http://blog.comcast.com/2012/04/ipv6-deployment-technology.html

  39. Ding IPv4, not IPv6 by unixisc · · Score: 1

    You got it the other way around. Make it painful for people to have IPv4 sites, and easy for them to have IPv6. You always tax something that you want to discourage - in this case, IPv4, and incentivize something you want to encourage - IPv6.

  40. Legacy support by unixisc · · Score: 1

    Most of the home routers can take a firmware update - the ones that can't are probably already behind NAT. As for mobile devices, the more recent ones all support IPv6 - it's the older ones that don't. But given how often people upgrade their phones, chances are likely that they'll have one that supports IPv6. In fact, mobile IPv6 being adapted is likely to sink a huge portion of the demand on IPv4.

    1. Re:Legacy support by norpy · · Score: 1

      Most consumer embedded devices that were built with IPv4 in mind don't have the memory to handle IPv6 addressing.

      In fact, last time I checked, my router is actually within 10 bytes of using 100% of the EEPROM.

  41. Major transition was unavoidable by unixisc · · Score: 1

    Problem was that even if they had increased the address to 33 bits, it would still have expanded the address space to 8 billion, would not have gotten rid of NAT, and therefore, would not have solved the problem that the internet was having. Also, the amount of effort needed would have still been the same - all routers & gateways in the world would have had to support it, all applications using layer 3 APIs would have needed to get upgraded, and so on. Which is why expanding it all the way to 128 bits gave them room to play w/, as well as lend it more structure and make a whole shitload of IPv4 problems go away. Not just NAT - simplified routing tables, multiple multicast modes of operation, link-local and unique-local addresses, and so on.

    The notational issue - only thing I think is that they should have retained the period instead of replacing it w/ the colon. But other than that, had they done what you suggested, they'd have had something like 255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255. No difference from a technology POV, but pretty ugly to read. Or they could have done something like 65535.65535.65535.65535.65535.65535.65535.65535. Using hexadecimal lent some structure to it in terms of readability, but there is no reason the 65535 wouldn't have worked just as well.

    1. Re:Major transition was unavoidable by Kiwikwi · · Score: 1

      Once it was decided to go with hex for IPv6 addresses, you couldn't use periods as delimiters, as the addresses would then overlap valid domain names.
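The overlap described in the comment above, as an added example that is not part of the thread. The function names and the period-separated hex rendering are hypothetical, and the address is a constructed one from the documentation prefix; the last-label test follows the RFC 1123 observation that a real host name's highest-level label is not numeric.

```python
import ipaddress
import re

# One RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def could_be_hostname(text: str) -> bool:
    """True if text is syntactically a host name.

    Labels may start with digits, so dotted-decimal IPv4 passes the label
    check; it is told apart only because its last label is purely numeric.
    """
    labels = text.rstrip(".").split(".")
    if len(text) > 253 or not all(LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def dotted_hex(address: str) -> str:
    """Render an IPv6 address as eight hex groups joined by periods
    (the hypothetical notation, not a real address format)."""
    packed = ipaddress.IPv6Address(address).packed
    groups = [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]
    return ".".join(format(group, "x") for group in groups)


def classify(text: str) -> str:
    """Decide what a literal is, the way a resolver front end has to."""
    try:
        return "ipv%d" % ipaddress.ip_address(text).version
    except ValueError:
        return "hostname" if could_be_hostname(text) else "invalid"


if __name__ == "__main__":
    sample = "2001:db8::face"  # constructed documentation-prefix address
    for literal in ("192.0.2.1", sample, dotted_hex(sample)):
        print(f"{literal!r:32} -> {classify(literal)}")
```

The colon form is rejected as a host name because `:` is not a legal label character, while the period form of the same address is indistinguishable from a name under a TLD of `face`.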

  42. Oops! If Not Now Then Not Ever by Anonymous Coward · · Score: 0

    Too late. Game Over.

    Given the Federal Budget and Personnel constraints it will never happen.

  43. No Whitehouse yet by Anonymous Coward · · Score: 0

    $ ping6 whitehouse.gov
    PING whitehouse.gov(2600:1408:7:1:8c00::fc4) 56 data bytes
    ^C
    --- whitehouse.gov ping statistics ---
    9 packets transmitted, 0 received, 100% packet loss, time 7999ms

    At least the AAAA entry is there!

    1. Re:No Whitehouse yet by Lennie · · Score: 2

      You are kidding, right? They are just dropping ping-requests.

      It would be incredibly stupid if they added the AAAA-record and you couldn't connect to it. Older browsers would need to wait half a minute to try the address from the A-record.

      It really does work:

      $ telnet whitehouse.gov http
      Trying 2001:218:2007:2:8800::fc4...
      Connected to whitehouse.gov.
      Escape character is '^]'.

      --
      New things are always on the horizon
    2. Re:No Whitehouse yet by Anonymous Coward · · Score: 0

      Ok, fine, but why then:

      $ ping whitehouse.gov
      PING whitehouse.gov (2.21.232.110) 56(84) bytes of data.
      64 bytes from 2.21.232.110: icmp_req=1 ttl=53 time=47.1 ms
      64 bytes from 2.21.232.110: icmp_req=2 ttl=53 time=49.4 ms
      ^C
      --- whitehouse.gov ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1001ms
      rtt min/avg/max/mdev = 47.161/48.287/49.413/1.126 ms

    3. Re:No Whitehouse yet by Anonymous Coward · · Score: 0

      Perhaps they are not dropping the ICMPv4 echo requests at this point.

    4. Re:No Whitehouse yet by kasperd · · Score: 1

      They are just dropping ping-requests.

      Which will make the server inaccessible to anybody using Teredo. And that is not the only system doing something like that. I have a system which will ping the site through two different tunnels to use the most reliable path to the server.

      It would be incredibly stupid if they added the AAAA-record and you couldn't connect to it.

      I know of an ISP who did that for their homepage. When I questioned them about it, they said it was a deliberate choice.

      But in this case of whitehouse.gov I do get responses for both ICMP echo requests and HTTP requests to the IPv6 addresses in their AAAA records. So either the GP is mistaken, or they changed the configuration on the server.

      --

      Do you care about the security of your wireless mouse?
    5. Re:No Whitehouse yet by Anonymous Coward · · Score: 0

      But in this case of whitehouse.gov I do get responses for both ICMP echo requests and HTTP requests to the IPv6 addresses in their AAAA records. So either the GP is mistaken, or they changed the configuration on the server.

      No, I still get the same results.

      It's not my setup; google.com pings just fine:

      $ ping6 google.com
      PING google.com(fa-in-x66.1e100.net) 56 data bytes
      64 bytes from fa-in-x66.1e100.net: icmp_seq=1 ttl=56 time=39.9 ms
      64 bytes from fa-in-x66.1e100.net: icmp_seq=2 ttl=56 time=40.4 ms
      64 bytes from fa-in-x66.1e100.net: icmp_seq=3 ttl=56 time=39.9 ms
      64 bytes from fa-in-x66.1e100.net: icmp_seq=4 ttl=56 time=39.7 ms
      ^C
      --- google.com ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 3004ms
      rtt min/avg/max/mdev = 39.799/40.034/40.451/0.318 ms

      And HTTP is equally unreachable:

      $ wget -6 whitehouse.gov
      --2012-09-29 17:35:08-- http://whitehouse.gov/
      Resolving whitehouse.gov... 2600:1406:12:1:8700::fc4, 2600:1406:12:1:8800::fc4
      Connecting to whitehouse.gov|2600:1406:12:1:8700::fc4|:80... ^C

      I am connecting from Europe. Some routing issues, perhaps?

    6. Re:No Whitehouse yet by kasperd · · Score: 1

      I am connecting from Europe. Some routing issues, perhaps?

      A routing issue is a possibility. But I am connecting from Europe as well, and it works for me.

      Through HE tunnel server in Frankfurt:

      traceroute to 2600:1406:12:1:8700::fc4 (2600:1406:12:1:8700::fc4), 30 hops max, 80 byte packets
      1 2a01:d0:839a:babe:d19e:266e:d66c:545c 4.919 ms 0.154 ms 0.172 ms
      2 2001:470:1f0a:1e45::1 45.807 ms 49.123 ms 54.393 ms
      3 2001:470:0:69::1 60.570 ms 39.561 ms 41.584 ms
      4 2001:470:0:21b::2 48.480 ms 48.813 ms 48.700 ms
      5 2001:470:0:21e::1 56.056 ms 65.149 ms 65.723 ms
      6 2001:470:0:128::1 124.572 ms 124.899 ms 123.429 ms
      7 2001:470:0:1c6::2 136.970 ms 141.566 ms 142.074 ms
      8 2001:470:0:120::2 141.782 ms 141.817 ms 136.904 ms
      9 2400:8800:7f02:1::2 184.937 ms 193.048 ms 194.179 ms
      10 2400:8800:7f02:1::2 198.687 ms 199.216 ms 198.695 ms
      11 2600:1406:12:1:8700::fc4 198.648 ms 187.428 ms 187.897 ms

      When I tried again with a hostname, my tunnelling software had found a shorter route:

      traceroute to whitehouse.gov (2a02:26f0:32:2:8f00::fc4), 30 hops max, 80 byte packets
      1 2a01:d0:839a:babe:d19e:266e:d66c:545c 0.122 ms 0.114 ms 0.142 ms
      2 2001:668:106:ffff:: 40.309 ms 40.358 ms 41.050 ms
      3 2a02:26f0:32:2:8f00::fc4 39.743 ms 38.050 ms 38.344 ms

      Through HE tunnel server in Stockholm:

      traceroute to whitehouse.gov (2a02:26f0:18:1:8d00::fc4), 30 hops max, 80 byte packets
      1 2001:470:28:940:5d75:c1f4:e0a0:f8ec 0.415 ms 0.797 ms 13.577 ms
      2 2001:470:27:940::1 45.053 ms 49.645 ms 43.469 ms
      3 2001:470:0:11e::1 47.340 ms 21.571 ms 25.712 ms
      4 2001:7f8:d:fc::170 29.475 ms 33.473 ms 34.786 ms
      5 2a02:26f0:18:1:8d00::fc4 39.011 ms 35.595 ms 39.187 ms

      traceroute to 2600:1406:12:1:8700::fc4 (2600:1406:12:1:8700::fc4), 30 hops max, 80 byte packets
      1 2001:470:28:940:5d75:c1f4:e0a0:f8ec 0.850 ms 0.919 ms 5.134 ms
      2 2001:470:27:940::1 45.167 ms 49.519 ms 49.772 ms
      3 2001:470:0:11e::1 50.197 ms 29.384 ms 36.539 ms
      4 2001:470:0:22f::1 74.427 ms 75.348 ms 71.452 ms
      5 2001:470:0:3f::1 81.067 ms 81.173 ms 81.611 ms
      6 2001:470:0:128::1 149.678 ms 150.250 ms 143.576 ms
      7 2001:470:0:1c6::2 159.699 ms 139.553 ms 143.250 ms
      8 2001:470:0:120::2 148.932 ms 154.046 ms 163.290 ms
      9 2400:8800:7f02:1::2 212.706 ms 237.569 ms 238.143 ms
      10 2400:8800:7f02:1::2 238.091 ms 239.887 ms 240.193 ms
      11 2600:1406:12:1:8700::fc4 240.519 ms 253.809 ms 257.508 ms

      Notice that the less than 40ms I got on one of the IPs is too low for a trip across the Atlantic, so it must be hosted in Europe or nearby. A whois on the IP addresses reveals that this is Akamai. Knowing which provider you are using and seeing a traceroute from your network may help identify where the problem is. But it sounds like it is somewhere between your provider and Akamai.

      --

      Do you care about the security of your wireless mouse?
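The sub-thread above turns on the difference between a dropped ICMP echo and a service that is actually unreachable over IPv6. As an added example (not code from any commenter), this is one way to test each published A/AAAA address with a TCP handshake instead of ping; `tcp_connect`, `check_dual_stack`, `verdict` and the injectable `resolve`/`connect` parameters are hypothetical names, and the demo input is constructed from documentation address ranges.

```python
import socket

FAMILIES = {socket.AF_INET: "ipv4", socket.AF_INET6: "ipv6"}

def tcp_connect(family, address, port, timeout):
    """Return True if a TCP handshake to address:port completes in time."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((address, port))
            return True
        except OSError:  # refused, unreachable, or timed out
            return False

def check_dual_stack(host, port=80, timeout=5.0,
                     resolve=socket.getaddrinfo, connect=tcp_connect):
    """Probe every A/AAAA address of host over TCP, grouped by family."""
    results = {"ipv4": {}, "ipv6": {}}
    try:
        infos = resolve(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        infos = []
    for family, _type, _proto, _canon, sockaddr in infos:
        name = FAMILIES.get(family)
        if name:
            results[name][sockaddr[0]] = connect(family, sockaddr[0], port, timeout)
    return results

def verdict(results):
    """Name the failure mode, including a published AAAA nothing answers on."""
    v6, v4 = results["ipv6"], results["ipv4"]
    if not v6:
        return "no AAAA record"
    if not any(v6.values()):
        note = " (IPv4 works: clients stall before falling back)" if any(v4.values()) else ""
        return "AAAA published but unreachable" + note
    if not all(v6.values()):
        return "some AAAA addresses unreachable"
    return "IPv6 reachable"

if __name__ == "__main__":
    # Constructed offline input: documentation addresses, IPv6 made to fail.
    fake = lambda h, p, f, t: [(socket.AF_INET6, t, 6, "", ("2001:db8::1", p, 0, 0)),
                               (socket.AF_INET, t, 6, "", ("192.0.2.10", p))]
    r = check_dual_stack("example.test", resolve=fake,
                         connect=lambda fam, a, p, t: fam == socket.AF_INET)
    print(r, "->", verdict(r))
```

Called with the defaults, `check_dual_stack` uses the system resolver and real sockets, so a result of "AAAA published but unreachable" from one vantage point and "IPv6 reachable" from another points at routing between networks rather than at the server.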
  44. Re:IPv6 too complex by Lennie · · Score: 2

    IPv6 isn't too complex, it's just different from IPv4 and that is what you are used to.

    --
    New things are always on the horizon
  45. Re:wha? by kasperd · · Score: 1

    Romney or IPv4?

    Both.

    --

    Do you care about the security of your wireless mouse?
  46. Re:wha? by gmhowell · · Score: 1

    If Romney gets elected, he'll just repeal it back to IPv4

    More likely, he'll switch the internet over to lantastic.

    That is a buried Mormon comment if I ever saw one.

    Lantastic->NetWare->Novell->Provo, UT

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  47. Careful... by Anonymous Coward · · Score: 0

    And I wasn't saying that I wouldn't want IPv6 without NAT, just that the IPv6 fundamentalists won't allow people to say that NAT has been useful in some circumstances.

    Look, man, I told you before that you only get two warnings before the anti-NAT zealots seize you and send you to a reeducation camp. Fortunately, as an anon behind v4 carrier NAT, their kick squads couldn't find me and they had to settle for viciously downmodding my comments instead.

    Seriously, though, the anti-NAT zealotry is pathetic.