One Year After World IPv6 Launch — Are We There Yet?
darthcamaro writes "One year ago today was the official 'Launch Day' of IPv6. The idea was that IPv6 would get turned on and stay on at major carriers and websites. So where are we now? Only 1.27% of Google traffic comes from IPv6 and barely 12 percent of the Alexa Top 1000 sites are even accessible via IPv6. In general though, the Internet Society is pleased with the progress over the last year. '"The good news is that almost everywhere we look, IPv6 is increasing," Phil Roberts, technology program manager at the Internet Society said. "It seems to me that it's now at the groundswell stage and it all looks like everything is up and to the right."'"
But it's still difficult to get an IPv6 home connection in many areas. I can see that for years to come we will have an IPv6 backbone, IPv6 in major organisations but most people connected via NAT and an IPv4 ISP.
that it was back and to the left.
No sooner do I get over one, than you put a better one right next to me. Bastards.
Remember in 1992 when they told us that HDTV would be the standard in like 3 years, then in 1995 they said it was 5 years away. The biggest issue is that there aren't easy migration options, and there aren't, yet, many compelling reasons to switch to v6.
Yea the ability to address every molecule on the planet is nice, but I don't have internet for them right now. At best, right now, in my house, I have about a dozen ip addressable things. Only one do I trust with a publicly addressable ip, and that's my router. As we've seen the shitty security practices of the past two decades with security primarily through obscurity, we have reached a point where it would look something like Die Hard 4 if you placed all things on the internet with publicly addressable ips. No thank you.
Not a single business partner, client, or home user that I've dealt with for the last 3 years has an active IPv6 DNS registration. _None_.
The critical factor for IPv4 exhaustion was the lack of "/24" address spaces for businesses and buildings. This has been impressively ameliorated by the use of NAT, which shares numerous internal and protected IP addresses behind a single or pair of public addresses and should be the _default_ configuration in most businesses and organizations, simply to reduce the constant external vulnerability scanning of any host directly connected to the Internet.
The growth of high capacity load balancers for web servers and other network services has also helped tremendously, allowing a wide set of behind the scenes hosts to be serviced by a single exposed device and reducing the IPv4 footprint of these services. Also, people have learned how to economize in their IPv4 use: They _do not need_ a different IP address for their email server, their FTP server, their web server, their phone server, their chat server, and their IRC server. The services are being easily funneled through a single exposed router or firewall, far more efficiently than before.
The result has been that the great need for IPv6 simply has not yet occurred, and is unlikely to occur for another 10 years. The foundation of the need for IPv6 is basically that of ubiquitous computing: the idea that every single device scattered around the home or around the workplace will have its own IP address for remote communications, and they _should not have_ public IP addresses. Providing public, routable IP addresses puts them at risk of attack at all times: putting them in the unroutable, easily tracked and maintained IPv4 address space handles almost all internal network needs quite effectively and is a significant security advantage and eases scanning and tracking of local resources.
IPv6 is ready for hockey stick growth, as Phil Roberts (ex-Surface RT marketing manager?) points out.
What, you mean there is a correlation between global warming and ipV6 take-up?
I can't think of a better place to cite it. I mean come on, I don't even have to click through and RTFA. It's right there in the summary that no, we aren't there yet.
The Chinese government loves IPv6 because it provides extra granularity for surveillance of their citizens. Fuck that. They can kiss my shiny metal NAT.
If you don't have much stuff on the inside of your firewall it's not really any harder. Actually if you have a lot it's not really harder either since it's still all ports and addresses. The fuckup you've linked to is due to separate teams working on separate firewalls for IPv6 and v4 and is a management issue which only affects the endpoint. If you've got the network under the adult supervision of even a cheap and nasty ADSL IPv6 aware router the filtering should just work without having to care about problems due to internal empire building at Microsoft or Apple. "Block all except ports X,Y,Z" is not that hard to do on any sort of sane interface, and if you have to do it twice due to an unforgivable fault of UI design from office politics it's still not that bad.
'"The good news is that almost everywhere we look, IPv6 is increasing,"
Every time we measure it the mean distance between the Earth and its moon is increasing. Wooooo Hoooooo.
IPv6 has gone "live"? First I've heard of it! :-O
Actually, Comcast is offering a very good 6RD service to its customers. 6RD is my favorite IPv6 tunneling technology as it is more or less as good as native. It gives you your own globally routed /64 v6 prefixes from your ISP's v6-pool and if configured correctly it is as effective as native v6 would be.
I work at a major ISP in Sweden and we are currently looking into deploying 6RD to be able to deliver IPv6 to all of our customers within the near future.
More about Comcast's 6RD here: http://www.comcast6.net/index.php/6rd-config
Me: "Hello, big boss! I'd like to go to IPv6 soon!"
BB: "What will that take?"
Me: "Oh, probably a couple of months worth of completely dedicated work from your best network folks. If you don't exclusively task them, could take a year."
BB: "Sounds complex. Is it risky?"
Me: "Absolutely! We could totally drop off the internet or lose internal connectivity for quite a while if we mess it up."
BB: "What, exactly, am I getting from this expensive and risky thing?"
Me: "More or less what you have now. The features it does you don't really care about."
BB: "So it's expensive and risky and I get nothing out of it."
Me: "Yep! When can I start?"
*doorslam*
Ack!
IPv4 is the backbone of nearly all networked systems and applications; to expect EVERYONE to switch over to IPv6 immediately is a bit naive. It's not just the service providers (Quest, Lightbound, AT&T, Verizon, etc) that have to update their WHOLE infrastructure, but applications and operating systems have to natively support IPv6. Many home users cannot afford to upgrade their hardware and software on a whim and won't have a budget to do so for a few more years (mostly due to slow economy and unemployed consumers). I suspect it will take five to 10 years before we start seeing IPv6 make its way into mainstream services. I have a VM with Rackspace and it has a public IPv6 address, but the only service that I've found useful (or even readily available) are the primary Debian mirrors. Having worked as an IT Consultant for small businesses, a SysAdmin in the ISP vector (gaining insight from a vendor aspect) and now as a SysAdmin for a software company (consumer aspect), I have first hand experience at witnessing the readiness from two different ends of the spectrum. The insight I've gained tells me that NO ONE is ready to simply flip a switch; it's going to be a painful, multi-year migration.
Is that "latency impact" comparing v4 and v6 connections from the same user (and ignoring users who only used one type of connection) or is it comparing all v6 packets to all v4 packets?
In the latter case it could just be that those on bad connections are more likely to lack IPv6 support.
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register.
I recently took an exam that covered IP6, so I was *determined* to get it working through a tunnel broker or some such means, just to say I did. I fired up test-ip6.com and...I was already on it.
My shared office had recently upgraded their modem from AT&T, which apparently supports v6 out of the box. Absolutely zero manual config on the router or client. Found out later, it's the same with Comcast where I live (northern California).
OTOH, I work at an ISP that has IP6 nowhere on its radar. I haven't raised the issue yet because I'm so new, but I have a few guesses:
So, it comes down to huge cost with little to no appreciable gain (for our organization). Sure, routing gets simpler, no NAT overhead, but it's not like v4 is going to disappear overnight. Dual stack is the way it's going to be for a very, very long time. My grandkids may see widespread native v6. Maybe.
[1] http://samsclass.info/ipv6/proj/flood-router6a.htm
FTFS:
it all looks like everything is up and to the right
I'm confused, is up and left an option? I'd love it if my graphs with negative slope indicated time travel instead of a decrease over time!
"Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
I have been looking at the IP v6 specs for enterprise level hardware, top of the line products from Cisco and the likes. The last I checked, a few months ago, the accelerated routing on their top of the line Layer 3+ switch had about 1/2 the aggregate routing for IPv6 as it did IPv4, and older hardware is much worse.
Until the hardware ASICs are accelerated as much for IPv6, I think businesses will lag unless they need to use IPv6 due to contract requirements (military and the likes). Why would they pay more for modern hardware that is slower than what they have to adopt IPv6 when IPv4 is satisfying their needs, even if NAT is a gimped solution? It still works, and is pretty fast.
To home users, it provides a whole host of IP addresses that can be used to enhance their security. For instance, if someone sets up a DHCP to pool a certain set of addresses to his laptop, that would exceed anything that was available when IPv4 was not in such a shortage. For instance, one could set it up so that the laptop would pool 65,536 addresses within a certain range, while addresses outside that can be static for certain devices.
To business users, plenty, since it blows up the number of routable IP addresses available to set up a whole host of things, from IP phones to various servers and so on. A company located in a single site with just a single /64 would have all the addresses it would ever need for every internet facing service that it uses.
If you buy a router that supports IPv6, it is a waste if the network provides a NATed IPv4 connection. But if they provide a dual stack connection, you can through that link have every internet device that you own connected directly to the internet.
10% is the tipping point when a new technology "explodes" in use. So by year 4/5, IPv6 will be nearly everywhere.
How would IPv6 expose one's intranet? Just like you have local addresses in IPv4, you have link-local addresses as well as site-unique addresses in IPv6 that achieve the same thing. And just b'cos every node has a public IPv6 address does not imply that it has to be accessible - it'll still be behind a firewall. Also, if one doesn't want a certain computer to access the external internet, one can simply not assign it any routable IPv6 address, but just assign it the link-local address and be done with it.
Also, scanning that /64 address space would take forever, but even without that, a good DHCP set-up would enable the user to have a pool of any number of dynamic addresses within the /64 space, and keep changing it at regular intervals (say 1 hour) making it practically impossible to breach.
....IPv6 day this year as well? What did they do different from the last 2 years, if anything?
In theory, you are correct. In practice, the home router firmware is a lousy piece of work and is seldom, if ever, updated. A bug in the NAT implementation will usually cause things to not connect. These bugs are obvious and get fixed. A bug in the stateful firewall can easily leave it open. The bug is not as obvious. It will never get fixed.
Yoghurt
$ nslookup -type=AAAA google.com
Name: google.com
Address: 2a00:1450:4007:80a::1001
$ nslookup -type=AAAA slashdot.org
Name: slashdot.org
$
From what I've read, privacy extensions seem to be IPv6's equivalent of dynamic addresses in IPv4. Essentially, it's one alternative to using EUI-64. But a better idea is to configure a DHCP server so that services that need static IP addresses have them, and services that need dynamic IP addresses have them as well.
"Switch over to IPv6" is a concept that detractors have pulled out of thin air, as it bears no relationship to how IPv6 rollout was planned and expected. Adding the word "immediately" just makes the misconception worse.
IPv6 was always intended to run alongside IPv4 for the foreseeable future, because old IPv4-only equipment will be around for decades until it rots and it will need to be reachable until it is replaced. So, please don't talk about needing to "switch over" to IPv6. Wherever you got that idea from, it's wrong. Talking about it is propagating an invalid concept, and calling the expectation "naive" is just knocking down a straw man.
IPv6 service merely needs to be enabled (without touching IPv4) on an IPv6-capable dual stack home router, and ISPs who offer IPv6 provide routers with it already enabled so you just need to plug them in. (If it's an old router then you'll have to enter the new IPv6 address info that the ISP gives you of course.) Simple home systems don't even need user configuration for IPv6, because IPv6 router advertisements then handle everything. It's as simple as USB for the home user, totally plug'n'play, which IPv4 never was.
And once enabled, IPv6 works totally happily and transparently alongside IPv4 in the home network and at the server end, so there are no "switch over" issues. IPv4 continues to work exactly as it did prior to enabling IPv6. Browsers in particular just use IPv6 by default on a site that has it, and IPv4 if not. It's completely seamless for the end user.
The pain and angst of "switch over" that you describe simply doesn't exist, because switching over was never planned, expected, nor even desired.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I read that Comcast was providing DS-lite, which is the best, in that it sets up the underlying infrastructure as IPv6, and only provides private IPv4 nodes at the end behind public IPv6 addresses for only those IPv4 nodes that for some reason can't use IPv6. That sounds to me like the best solution, in that it uses zero public IPv4 addresses, and only uses the abundant IPv6 addresses or the reused IPv4 local addresses, which don't cause any issues.
Me and my 255 friends are still on IPv1, you insensitive clod!
Get free satoshi (Bitcoin) and Dogecoins
What's the AAAA record for slashdot.org?
I was going to post this exact thing. Hey... slashdot...
$ dig www.slashdot.org aaaa | grep "ANSWER SECTION"
$
Whassupwiddat?
Jason Van Patten
http://en.wikipedia.org/wiki/Betteridge's_law_of_headlines "No."
The only case I can think of would be if an especially nasty ISP deliberately gave you exactly one IPv6 address in order to cripple your connection to one device only.
It used to be a fairly common practice for ISPs to forbid the use of NAT routers in their t&c, back when most families were lucky to have one computer for the household, because they'd specced their networks and business on the 'one customer, one computer' assumption. Those people running multiple computers on one connection were taking far more capacity than had been anticipated. I can imagine that in the IPv6 age ISPs might have similar business reasons to limit the addresses they make available - to stop tech-heavy households from running their six IPTVs all day streaming video, or prevent people from getting together with their neighbours to share one domestic connection between several households.
You're right, I was going for a joke. What you're showing me is I'm doing a bad job of explaining the benefits of IPv6 and probably need to do more reading.
In my defense, there are probably more "gotchas" to this than you may be giving credit for. Doing "IPv6 to IPv4" translation is, as you say, easy. I don't consider that to be "using" IPv4, though. What I have read has given me some pause - firewall rules need updating, some security concerns need addressing, etc.
I'm not a network guy, just a UNIX sysadmin, so my comments should be taken with a grain of salt the size of my ignorance.
Ack!
Here's one way: http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker
Since pfSense runs on the FreeBSD stable point releases, it tends to be behind the current, which means pfSense was a little slow to the IPv6 party, but is getting lots of support now.
Grammar nazi: "this should HAVE happened 10 years ago". For some reason people have lately started using "should of".
I can imagine that in the IPv6 age ISPs might have similar business reasons to limit the addresses they make available
They have to make available at least a /64 as the IPv6 standard requires it. Not handing out 2^64 addresses to each customer would cause Windows/Linux/MacOSX to break.
Probably American Telephones & Telegraphs, or AT&T. Although I wonder whether they still do telegrams?
Me: "Hello, big boss! I'd like to go to IPv6 soon!"
BB: "What will that take?"
Me: "It will take a few minutes to remotely update the network configuration of all employees. This we will do only after testing the IPv6 capabilities of our ISP"
BB: "Sounds simple, any catch to it?"
Me: "No, b'cos we'll still be dual stacked, meaning have both IPv4 and IPv6. So initially, in the event that IPv6 doesn't work, we still have IPv4, and can get IPv6 to work. Once IPv6 works, we'll have a dual stacked network, and only let go of IPv4 once the rest of the world also lets go of it"
BB: "So why are we doing this now?"
Me: "So that we aren't left scrambling when we actually do run short on IP addresses, or need to run services that work badly using NAT, which is what IPv4 requires. However, we can pace our budgeting so that we only buy IPv6 specific equipment when absolutely needed"
BB: "So what benefits will we be getting out of it?"
Me: "A wholesale improvement in all the internet services within the company. Like each Business Unit can have its own separate website, and one going down doesn't necessarily imply that another will. Our VPNs will work better and a lot smoother, and easier to set up. It will be easier to give each department its own segregated network, and vary the access levels that each one has. Our e-mail servers, our web servers, our file servers and all other servers will all be segregated and dedicated, so that one going down doesn't necessarily imply that the other will, and also, as we increase our servers, it'll be a lot more painless moving certain things to certain servers. While the thing that's forcing us to do all this is the shortage of IPv4 addresses, where we have to pay more per address, all these other advantages are benefits that come with it."
BB: "Okay, then go for it, but let me know what budgetary implications it has. Oh, and add it on your MBO."
I forgot to mention - if the company uses IP phones, or services like Skype, IPv6 works a lot better with that than IPv4, due to the requirements of making that service work w/ NAT. With IPv4, getting as many routable IPv4 addresses would be expensive, whereas w/ IPv6, a single link can potentially service all the IP phones that the company uses.
One question - in IPv6, is there a need for VLANs? In IPv4, there is, since people may be arbitrarily demarcated within subnets, but there may be a need to pull out members of different subnets and put them under a common virtual network. But in IPv6, since a host can have multiple IPv6 addresses, does it make sense to have VLANs there? Since there is no upper limit (2^64 is not a limit that's ever likely to be reached), does it make sense that one would have VLANs in IPv6? Yeah, one could, in the same way that it's there in IPv4 and there is no difference in implementation of a lot of things b/w IPv4 and IPv6, but there are some things that are necessary in IPv4 that are just not needed in IPv6. So is it a good practice to continue it in IPv6 just to keep the paradigms consistent?
Surely, this is the year of the Linux Desktop^W^W the really long and unwieldy IP addresses.
No, they could just hand out /128, giving every one of their subscribers on a link exactly 1 address, and they'd be just fine. In fact, that was how Comcast's first IPv6 rollout looked.
How is it that none of the networking companies - Cisco, Brocade, Juniper, Foundry, et al have thought it worthy of taking a lead in this potential market in IPv6 by creating custom ASICs that are specialized for IPv6 accelerated routing in their Layer 3+ switches?
The way I imagine it, they could make their initial solutions available on FPGA, which would help them avoid fabbing custom ASICs before the market size hits critical mass. Then, once the early adopters have taken it and it reaches critical mass, they could spin ASICs from those designs thereby achieving cost reductions due to volume, and then grab marketshare there. Then they could either become the next Brocade or Foundry, or get acquired by one of the above companies, thereby getting it made!
What are we discussing here - businesses, or home users? For home users, yeah, the case is weak, depending on the usage. For business users, it's certainly not the case.
If one has a business and uses IP phones, having unlimited routable addresses for each of them, no matter how many, is a godsend. Similarly, if that business has VPN connections for its employees and similar tie-ups w/ partners, again, IPv6 is invaluable: using site-local addresses, the organization can avoid situations akin to IPv4 where 2 orgs have the same 192.168 addresses for different networks. While in IPv4 it's a pain to set-up, in IPv6, due to site-local or site-unique addresses, it would be a breeze.
Similarly, if the organization servers have multiple virtual machines running on them, each of them can have a separate, routable connection to the internet independent of the host box, and therefore not depend on the connection of the host box. Also, if the organization has different e-mail, web, file servers, each of them can have independent IP addresses that can be set up to be either publicly accessible, or have limited public distribution.
In short, if a business thinks that it doesn't need IPv6, in a lot of cases, they may simply not know that they actually do.
Comcast is doing nothing more than hand-wavey marketing BS. "See, we support IPv6" *micro print*to 0.001% of our customers, in 2 markets, if they go to a hidden, unpublished website to sign up, and then configure it themselves*micro print*
AT&T Uverse is just as bad with their complete and utter bull**** of 6rd tunnels. And that's their internally and externally documented plan for the future. At least Comcast realized tunnels are completely wrong.
You're thinking Uverse. Comcast dropped tunnels as a F'ing Bad Idea(tm). Where they do IPv6 (read: not many places), it's a native IPv6 (dual-stack) transport. There are no bandwidth wasting, latency robbing tunnels involved.
Negative. The *ONLY* thing that says "/64" is SLAAC. You can make a LAN segment any size you want. If it's not a /64, then the lame address autoconfiguration won't work, but everything else will.
That said, ISPs aren't going to make a ton more work for themselves here. So a /64 is likely the smallest thing you'll get from them. Ya' know, when they can be bothered to "do" IPv6 at all.
Sure, it might take 5s to plug it in, but it will take months to a) find that ISP, and b) get the circuit from that ISP installed, and c) get the ISP to turn up that service. (I've not managed "a" yet, but I've been through "b" and "c" too many times.)
It's p-n-p at the desktop, NOT THE ROUTER. Having unskilled morons screwing with your router(s) is a recipe for Bad Things Happening(tm).
And there's more work necessary than just the network. Any internal services will need to be dealt with as well. (esp. your internal DNS server(s))
Famous last words from someone who hasn't done a live deployment! IPv6 hosts tend to prefer IPv6 over IPv4 where both are available. So, the second IPv6 is available -- literally within seconds of the RA -- those hosts are going to start trying to make IPv6 connections. If your new IPv6 network is not 100% perfectly operational and as fast as your IPv4 network, everything is going to go to hell quickly. All of a sudden, pages that loaded instantly take seconds to *begin* to load and take minutes to finish... because it's trying to make every connection over an IPv6 network that isn't working, then it falls back to IPv4; for every connection.
Actually, I've known a great many US businesses that would prefer most of Asia wasn't on the internet! (99% of their spam and network attacks come from there, while 0% of their business does.)
Comcast just turned IPv6 on for my residential connection, out of nowhere. On the stats page it says "Modem IP mode: IPv6 only". So it almost seems like they are using IPv6 only for transport. I guess it's time to upgrade my router from Fedora 10....?
Basically any equipment upgrades Comcast makes will bring IPv6 with it. IPv6 support is required by the DOCSIS 3 spec.
upon the advice of my lawyer, i have no sig at this time
Web hosts and websites can't switch to IPv6 until all possible site visitors are on it, because simply you can't address an IPv6 website from an IPv4 address.
So neither hosts nor sites will switch until all the users are on IPv6.
Which won't happen because until all the sites/hosts are on IPv6 there's no reason to spend the money.
Bollox. Many IP connectivity installations have exactly 1 ingress/egress router. This simply does not pass any traffic between any interfaces unless a stateful inspection rule allows it to. This matter does not change for IPv4 or IPv6.
Sure unplugging and replugging a cable can cause a device to be accessible on the Internet, but this is also true of IPv4 and your DMZ/public IP network (if so configured).
The only thing that IPv6 adds is that many IPv6 default installs might allow such an incorrectly plugged device to obtain information about the default gateway and therefore become accessible. However, if this security concern is indeed a problem to you, then you simply do not enable the Router Advertisement feature or IPv6 DHCP on the DMZ/public IP network segment. Such devices on the DMZ/public IP network might/could hardwire their default gateway (much like you already do for IPv4) or you set up IPv6 DHCP which will authenticate via MAC address (or other mechanism). But I understand router advertisement enabled on a DMZ/public IP network might be a concern (just like IPv4 DHCP would be for the same scenario of IPv4). Just turn it off!
This way any incorrectly plugged in device will not be able to obtain a default route and is therefore inaccessible.
Now you have your security blanket back.
IPv6 does not make things worse in the way you describe, when you better understand the improved mechanisms IPv6 brings and how to take command of the IPv6 network configuration to make it less prone to human error.
We have not even talked about IPv6 privacy extensions to fuzz/randomize/rotate the public IPv6 address used by a specific device to prevent the MAC address from being a constant source for leaking
Comment removed based on user account deletion