Slashdot Mirror


IPv6 Must Be Enabled On All US Government Sites By Sunday

darthcamaro writes "Agencies of the U.S. Federal Government are racing to comply with a September 30th deadline to offer web, email and DNS for all public facing websites over IPv6. While not all government websites will hit the deadline, according to Akamai at least 2,000 of them will. According to at least one expert, the IPv6 mandate is proof that top-down cheerleading for tech innovation works. 'The 2012 IPv6 mandate is not the first (or the last) IPv6 transition mandate from the U.S. government. Four years ago, in 2008, the U.S. government also had an IPv6 mandate in place. That particular mandate, required U.S. Government agencies to have IPv6-ready equipment enabled in their infrastructure.'"

22 of 179 comments

  1. Re:wha? by phil_aychio · · Score: 2, Funny

    If Romney gets elected, he'll just repeal it back to IPv4

    --
    obvious redundancy is obvious
  2. I blame the ISPs by GeneralTurgidson · · Score: 4, Interesting

    A lot of the government offices will face challenges with IPv6 connectivity to the internet because a very large number of US ISPs are not IPv6 ready. Especially up here in the Midwest, you mention "are you IPv6 ready?" and your ISP sales rep gives you a blank look and asks what you're talking about. Maybe if the governments push for this at the ISP level we might see it filter down.

    1. Re:I blame the ISPs by geddo · · Score: 3, Interesting

      As a consumer you do not need IPv6 unless your provider does not have IPv4 addresses to assign to you; as a service provider or Internet based company (or in this case a government agency) you do need IPv6 so that customers who only have IPv6 connections can reach you. Most business class ISPs I have dealt with are IPv6 dual-stack capable, so this is not an ISP issue. The government is doing what other companies are doing and trying to get this working now before it becomes an issue for the future. There is no blame to pass around unless an organization is putting their heads in the sand and ignoring it.

    2. Re:I blame the ISPs by Mathieu+Lu · · Score: 2

      What kind of challenges will they face? It's not like they're turning off IPv4. Sites will be dual-stack, and many of them have been for quite some time already.

      Google/Youtube, Facebook and many other mainstream sites have already enabled IPv6 on June 6th 2012.

      PS: Comcast has been enabling IPv6 by default to some of their customers (5% ?). I was in a small US country-side hotel in March 2012, they had really broken NAT, but their IPv6 was working fine. I also have dual-stack native IPv6 at home (Canada, TekSavvy ISP). Works great, lots of fun to route public subnets to access points and routers that connect with neighbours. I even announce my address block on our neighbourhood mesh network.

    3. Re:I blame the ISPs by squiggleslash · · Score: 2

      6to4 works on most ISPs too.

      I actually prefer 6to4. It's less efficient, but reverse DNS is guaranteed to work - you don't have to rely on your ISP setting it up - and you can talk to pretty much any IPv6 address with it,

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:I blame the ISPs by DarwinSurvivor · · Score: 5, Insightful

      Good point, let's wait for the ISPs to run out of IPv4 addresses and suddenly start mandating that people's homes be IPv6 ready out of the blue. We basically have 3 choices.

      1) Wait until residents do need it and suddenly give them IPv6 only because there are no IPv4 addresses left. Phone support will have hour-long waiting periods, computer shops will be overloaded with "I need this upgrade tonight so I can submit my college thesis" support requests and a large percentage of Internet users will be SOL until they get their turn in the support line. There's also a VERY good chance we will simply run out of routers, as an alarmingly large percentage of consumer (and some professional) routers STILL don't support it and all those people will need upgrades.

      2) Wait until we need it and start NAT'ing everyone's internet connection. This may not affect facebook users, but will be a royal PITA for anyone using remote connections, peer2peer networking, etc. If this happens we may not see IPv6 for another 15 years at LEAST.

      3) Roll it out NOW in dual-stack configuration world-wide so everyone can get their computers, routers and other devices working with IPv6. ISPs can send out regular (every 2-4 months) letters to consumers still using IPv4 only to warn them about the upcoming switch and give them enough warning to switch over (like they did with digital TV broadcasting). When we finally do run out of IPv4 addresses at the ISP level (and this is ALREADY happening in some areas such as mobile, etc.), the ISPs can just disable IPv4 for new customers and/or those already fully using IPv4 and experience a truly smooth transition.

      If the analog-2-digital transition for TV broadcasting has taught us anything, it's that consumers need a LONG time to transition between technologies. Considering the TV transition required nothing more than plugging in 1 box with 3 wires on it and IPv6 is going to require computer/OS and router replacement in many cases, we need to start the IPv6 transition on all ISPs about 2 years ago.

    5. Re:I blame the ISPs by geddo · · Score: 2

      Good point, let's wait for the ISPs to run out of IPv4 addresses and suddenly start mandating that people's homes be IPv6 ready out of the blue.

      Not my point, just not trying to write a dissertation here. My point is the providers of web based services need to get on IPv6 dual stack; until a large number of these providers offer their services natively through IPv6 we will have a huge scalability problem with translation. Until that happens consumers do not *need* IPv6. It's a pretty massive investment to replace the consumer footprint, especially with consumers not exactly happy to pay a premium; businesses will do it because they are willing to make an investment to reach the broadest number of users.

      Option 4- ISPs continue to upgrade their backbone and edge to support IPv6 and sell the service to business customers to cover the costs while rolling it out in consumer markets as the opportunities arise or the need is highest.

  3. Re:And on Monday, the headline will be by heypete · · Score: 5, Informative

    Why would a publicly-facing web server be behind NAT? That doesn't make any sense. NAT offers no security benefits.

    Please note that "NAT" != "stateful firewall", though the two functions are often combined in a single piece of hardware.

    My home network has been dual-stack for years (with NATed IPv4 and IPv6). All the systems on the network are behind a stateful firewall and even though my internal devices have globally-unique IPv6 addresses none of them are accessible from the outside world.

  4. Public facing only... by Bugler412 · · Score: 2

    Recently worked in a govt facility on a project; they are just as far as most everyone else from being IPv6 ready internally, perhaps a lot farther away than many. Additionally, as you might expect, no one is budgeting for the replacement of infrastructure (like 20 year old printers for instance) that need to go to make it happen. Even though they have a mandate to be ready internally in two years. That mandate ain't gonna fly.

  5. Re:Too Complicated by kasperd · · Score: 5, Informative

    IPv6 is too complex, which is what has hampered its slow adoption from the beginning.

    IPv6 is simpler than IPv4.

    Instead of simple address space extension, the brains behind it decided to add all sorts of fun features to it that just aren't necessary, thus leading to people not wanting to put the effort in to figure it out.

    That's just a lame excuse. There are some new features, but those are mainly important to the endpoints. For routers in between, the job they need to do became simpler. And it is the network, which has been lacking, not the endpoints. The excuse that it is too complicated has mainly been used by those who didn't need to deal with the complexity.

    Since those features have died off, it's getting less terrible, but now it's a moving target.

    Name one change that affected a network provider, who just has to move packets between two endpoints.

    KISS would have gotten us to IPv6 5 years ago.

    No. There were only two approaches that could have speeded it up. Top down regulation or customer demand. But both of those were in the hands of people who won't understand the problem until they can no longer get online. Actually, there is one other thing that could have speeded it up. If we had never gotten any sort of NAT for IPv4 in the first place, then the transition would have gone faster.

    --
    Do you care about the security of your wireless mouse?
  6. Re:And on Monday, the headline will be by cbhacking · · Score: 4, Informative

    I can't tell if you're a troll or just spouting off about things you don't understand in the least, but...

    It's a hell of a lot easier to find a vulnerable machine behind NAT than it is to find one across a search space 40 bits wide (which is wider than the entire IPv4 search space, and less than a cube root of the search space of IPv6 as a protocol).

    NAT is not a security measure. You can (and should) still have a firewall with IPv6; your firewall box just won't also have to perform NAT. That's fine, though; a NAT has a maximum search space of 24 bits (10.0.0.0/8) while IPv6 has enough addresses to assign one to every atom in the solar system, and no, that's not an exaggeration, guess, or line of BS.

    --
    There's no place I could be, since I've found Serenity...
  7. Re:Nice to see by Medievalist · · Score: 2

    Given a choice, I'd rather see them stop forcing private citizens to use proprietary formats (like Microsoft Word) instead of organizing large payouts of taxpayer dollars to favored tech companies.

  8. This time it really is happening by kevmeister · · Score: 4, Informative

    I work for the NSP for a large number of government research facilities. Our network has had full IPv6 support for several years, but no IPv6 customers (other than ourselves). The prior IPv6 mandate was primarily satisfied by bringing up an IPv6 connection with the customer and them pinging our router, then deconfiguring the IPv6. That was really all the mandate required.

    This time we are bringing up full IPv6 connectivity with them. It really is happening this time and it mostly seems to be working.

    The mandate is also pressing other providers to get IPv6 up and running. Under the mandate, if you have a provider that can't support IPv6 on Oct. 1, you need to change providers. In simple terms, the general public must be able to access your web services and all publicly linked pages as well as DNS via IPv6 if they have IPv6 connectivity to the Internet. (Admittedly, this is a fairly small subset of Internet users.) The federal government is a rather large customer of several major providers, so this has probably been the biggest cause of several of them getting IPv6 running, though some still don't offer IPv6 to non-governmental customers.

    Between the U.S. Government and Comcast, IPv6 seems to really be happening. Traffic is clearly increasing rapidly, though still very tiny compared to IPv4.

    --
    Kevin Oberman, Network Engineer, Retired
  9. Re:wha? by Anonymous Coward · · Score: 4, Funny

    Romney or IPv4?

  10. Re:If I don't convert, what will you do? by kevmeister · · Score: 4, Interesting

    This is an Office of Management and Budget (OMB) mandate. They can reduce or completely halt funding. It has been made very clear that, while there will be failures and missed dates, they better not be because you were not trying. Oddly, management tends to take the possibility of losing funding very, very seriously.

    --
    Kevin Oberman, Network Engineer, Retired
  11. Re:And on Monday, the headline will be by bytesex · · Score: 2

    Yes it is. Because inverse NAT requires you to specify where to send the traffic *to*. I'm a great proponent of IPv6 myself, but this argument of the IETF is bogus. Besides, 'centrally administered firewall' on each machine ? I think I see a flaw in your method.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  12. Re:Too Complicated by j2.718ff · · Score: 2

    IPv6 is too complex, which is what has hampered its slow adoption from the beginning.

    IPv6 is simpler than IPv4.

    True, but dual stack is more complex than either.
    I don't see flipping a switch and transitioning from IPv4 to IPv6. Instead, I see living with a dual-stack environment for a while. It will not be pretty.

  13. Re:Nice to see by Anonymous Coward · · Score: 2, Insightful

    It's kind of pointless though if they aren't mandating ISPs to at least provide dual-stack support for both protocols. What's the point of government websites being IPv6 if the country is still stuck on IPv4?

    To enable a smooth transition. By making sure that all government websites are IPv6 compatible it will be safe for consumers to make the transition without having to worry that they will be locked out from vital services.
    The problem is that unless there are IPv6 only hosts there is no point for consumers to make the transition and without a lot of IPv6 only consumers it makes no sense for hosts to invest in IPv6 servers.
    This is pretty much the government taking a step to move society out of a hen-egg deadlock.

  14. Re:IPv6 too complex by Lennie · · Score: 2

    IPv6 isn't too complex, it's just different from IPv4 and that is what you are used to.

    --
    New things are always on the horizon
  15. Re:And on Monday, the headline will be by Lennie · · Score: 2

    These are websites, you don't use NAT for websites.

    The websites are port 80 (http) or port 443 (https). If you have 5 public IP-addresses, then you have 5 ports 80.

    What you can do is use HTTP/1.1 virtual hosts or a reverse proxy/loadbalancer so you can choose to redirect requests based on URL or domain name.

    Too bad some older systems don't support the same for HTTPS (called SNI), so all you can have is 5 websites with HTTPS.

    --
    New things are always on the horizon
  16. Re:No Whitehouse yet by Lennie · · Score: 2

    You are kidding, right? They are just dropping ping requests.

    It would be incredibly stupid if they added the AAAA-record and you couldn't connect to it. Older browsers would need to wait half a minute to try the address from the A-record.

    It really does work:

    $ telnet whitehouse.gov http
    Trying 2001:218:2007:2:8800::fc4...
    Connected to whitehouse.gov.
    Escape character is '^]'.

    --
    New things are always on the horizon
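The telnet check in the comment above tests only the first address the resolver returns. The script below is an added example, not part of the original thread, that generalizes it into a dual-stack readiness probe: it resolves every AAAA and A record for a host, tries the IPv6 addresses first, and reports each one that fails instead of silently falling back to IPv4 the way a browser eventually would. The `resolve` and `connect` parameters are injection points I added so the logic can be exercised offline against constructed data; with the defaults it uses the real resolver and real TCP connects.

```python
import socket
import time


def probe(host, port=80, timeout=2.0, resolve=socket.getaddrinfo, connect=None):
    """Try every address for host, AAAA results first, then A.

    Returns a list of (family, address, outcome, seconds). A failing AAAA is
    recorded rather than hidden by a successful IPv4 connection, which is the
    situation the comment above warns about (an AAAA record that is published
    but does not answer).
    `resolve` and `connect` are injection points (assumption for offline tests);
    the defaults use the system resolver and a plain TCP connect.
    """
    if connect is None:
        def connect(family, sockaddr):
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)

    infos = list(resolve(host, port, 0, socket.SOCK_STREAM))
    # Stable sort: keep resolver order within each family, but put IPv6 first.
    infos.sort(key=lambda info: 0 if info[0] == socket.AF_INET6 else 1)

    results = []
    for family, _socktype, _proto, _canonname, sockaddr in infos:
        name = "AF_INET6" if family == socket.AF_INET6 else "AF_INET"
        started = time.monotonic()
        try:
            connect(family, sockaddr)
            outcome = "connected"
        except OSError as exc:  # refused, unreachable or timed out
            outcome = f"failed: {exc}"
        results.append((name, sockaddr[0], outcome, round(time.monotonic() - started, 3)))
    return results


def dual_stack_ok(results):
    """A host passes only if it has at least one AAAA and every IPv6 address connected."""
    v6 = [r for r in results if r[0] == "AF_INET6"]
    return bool(v6) and all(r[2] == "connected" for r in v6)


if __name__ == "__main__":
    # Live run against the host from the comment; requires network access.
    for row in probe("whitehouse.gov", 80):
        print(row)
```

Run it against a handful of your own hostnames before an AAAA record goes live: a site whose IPv6 address is published but filtered will show `failed: timed out` on the AF_INET6 row while the AF_INET row connects, and `dual_stack_ok` returns False for exactly that case.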
  17. Re:hybrid dual-stack by kasperd · · Score: 2

    an IPv6-only subscriber using a device with a hybrid dual-stack can access an IPv4 address by specifying the applicable IPv6 address.

      That will not work. The IPv4 only node will need to communicate with some IPv4 address, and there is none to be used for that purpose. If you read the other replies to your post, you will see that they seem to disagree with each other. That is because there are actually two different formats. There is the deprecated ::/96 prefix, and there is the currently used ::ffff:0:0/96 prefix. The latter is used such that applications can use a single socket to talk both IPv4 and IPv6. It is entirely an API feature. Those addresses are never sent on the wire. The actual traffic on the wire is IPv4 from one end to the other.

    There are NAT solutions which will help a bit. There is NAT64+DNS64 if your LAN is IPv6 and backbone is IPv4. And I have developed a system for a LAN running IPv4 connecting to a backbone running IPv6.

    --
    Do you care about the security of your wireless mouse?
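The two IPv4-embedding formats the comment distinguishes, plus the NAT64 well-known prefix it mentions, are easy to confuse when they show up in logs or firewall rules. The following is an added example, written for this page and not taken from the thread: it classifies an IPv6 literal by which prefix it uses, extracts the embedded IPv4 address, and then demonstrates the "single socket talks both" API behaviour by accepting an IPv4 connection on a dual-stack IPv6 socket and showing the peer reported as an IPv4-mapped address. The prefix assignments (::/96 IPv4-compatible, deprecated; ::ffff:0:0/96 IPv4-mapped; 64:ff9b::/96 NAT64 well-known prefix from RFC 6052) are standard; which of them a given site considers relevant is an assumption of the example.

```python
import ipaddress
import socket

# Standard prefixes that carry an IPv4 address in their low 32 bits.
MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")      # IPv4-mapped: API only, never on the wire
COMPAT = ipaddress.IPv6Network("::/96")              # IPv4-compatible: deprecated
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")    # NAT64 well-known prefix (RFC 6052)


def embedded_ipv4(addr6):
    """Return the IPv4 address carried in the low 32 bits of addr6."""
    return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)


def classify(text):
    """Classify an IPv6 literal.

    Returns (kind, embedded_ipv4_or_None, what_actually_goes_on_the_wire).
    ::/96 also contains :: and ::1, which are not embedded IPv4 and are excluded.
    """
    addr = ipaddress.IPv6Address(text)
    if addr in MAPPED:
        return ("ipv4-mapped", str(embedded_ipv4(addr)), "ipv4")
    if addr in NAT64_WKP:
        return ("nat64", str(embedded_ipv4(addr)), "ipv6-then-translated")
    if addr in COMPAT and int(addr) > 1:
        return ("ipv4-compatible-deprecated", str(embedded_ipv4(addr)), "none")
    return ("native", None, "ipv6")


def dual_stack_peer(ipv4_target="127.0.0.1"):
    """Accept an IPv4 connection on one AF_INET6 socket with IPV6_V6ONLY cleared.

    The server side sees the peer as an IPv4-mapped address even though the
    packets on the wire were plain IPv4. Returns the peer address string, or
    None when this host has no usable IPv6 stack (e.g. IPv6 disabled in a container).
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        cli = socket.create_connection((ipv4_target, port), timeout=2.0)
    except OSError:
        return None
    conn, peer = srv.accept()
    conn.close()
    cli.close()
    srv.close()
    return peer[0]


if __name__ == "__main__":
    for literal in ("::ffff:192.0.2.1", "64:ff9b::192.0.2.1", "::192.0.2.1",
                    "2001:218:2007:2:8800::fc4"):
        print(literal, "->", classify(literal))
    peer = dual_stack_peer()
    print("dual-stack peer:", peer, "->", classify(peer) if peer else "no IPv6 stack")
```

The practical point for anyone writing filter rules: a `::ffff:a.b.c.d` peer in an application log means an IPv4 client reached a dual-stack listener, so the IPv4 rules apply to it, whereas a `64:ff9b::` peer arrived over IPv6 and was translated further downstream.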