Slashdot Mirror


Comcast Carrying 1Tbit/s of IPv6 Internet Traffic

New submitter Tim the Gecko (745081) writes: Comcast has announced 1Tb/s of Internet facing, native IPv6 traffic, with more than 30% deployment to customers. With Facebook, Google/YouTube, and Wikipedia up to speed, it looks like we are past the "chicken and egg" stage. IPv6 adoption by other carriers is looking better too with AT&T at 20% of their network IPv6 enabled, Time Warner at 10%, and Verizon Wireless at 50%. The World IPv6 Launch site has measurements of global IPv6 adoption.

  1. Saying something good about ComCast hurts my brain by gewalker · · Score: 4, Insightful

    In actual fact, the ComCast internet service is not too bad. It is just their customer support, pricing, monopoly status and general arrogance that make them among the most hated companies in existence.

    The other interesting thing in the article was Google showing their IPv6 traffic was now up to around 4%, which looked like perhaps the upward bend at the beginning of an S-curve.

  2. Advantages? by ArchieBunker · · Score: 3, Interesting

    So any advantages to running an IPv6 tunnel other than to say you use IPv6?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Advantages? by CAPSLOCK2000 · · Score: 5, Informative

      The big advantage is that all my computers are reachable through the internet, no more NATting port 80 and port 22 to strange ports because you can use every port only once.
      A secondary advantage is that port 25 is not filtered, although that's not inherent to IPv6, just a lucky benefit of my current tunnel-provider.

    2. Re:Advantages? by OzPeter · · Score: 5, Insightful

      The big advantage is that all my computers are reachable through the internet

      Depending on your point of view, that may also be considered as a down-side.

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:Advantages? by Anonymous Coward · · Score: 3, Insightful

      Um, no. The whole "NAT is security" argument is bullshit. KISS: I'd rather have a simple firewall which either blocks or does not block ports/IPs (or connections, if stateful) than a complex firewall which also has to rewrite packets.

    4. Re:Advantages? by Anonymous Coward · · Score: 2, Informative

      No. That in itself is never a downside. If you don't want the rest of the internet connecting to your computer/network, you filter it at your firewall (usually router). Personally I wouldn't mind if it was a requirement that all routers meant for home usage had a factory default that only established/related connections were allowed to LAN side from WAN port(s). Of course that should be configurable, but just sticking the router in would give a reasonably secure default.

    5. Re:Advantages? by CAPSLOCK2000 · · Score: 2, Insightful

      Instead of a poor man's firewall, why don't you use a real firewall? It's much easier to configure than NAT.
      If you use Linux, like every residential internet router sold in the last 10 years, NAT is a part of the firewall code.
      As it is more simple, a "real" firewall is cheaper than your "poor man's firewall".

    6. Re:Advantages? by CAPSLOCK2000 · · Score: 5, Funny

      This is Slashdot, News for Nerds. Not News for Grandmas that are afraid of configuring their router.

    7. Re:Advantages? by Ksevio · · Score: 4, Insightful

      It works for a little while, but it still depends on the network having a public IP. A lot of ISPs, especially in Asian countries, have started implementing NAT level IP which means no UPnP and not even manual port forwarding.

    8. Re:Advantages? by Rising+Ape · · Score: 3, Interesting

      The problem with that is how many home users know how to configure the firewall? There are legitimate reasons to have incoming connections. Unless you want to reinvent UPnP for v6, but that would be needlessly complex and probably have security flaws of its own.

      Frankly there's no excuse for any modern software to be vulnerable even if connected directly to the internet with no firewall. This isn't 2003 any more, and in any case it's commonplace for computers to be connected to all sorts of untrusted networks such as public wifi. So anything that assumes "a firewall will take care of it" is utterly irresponsible.

    9. Re:Advantages? by mrchaotica · · Score: 2

      Do you really expect the average user to know about IPs, ports, TCP/UDP etc.? That's not very realistic.

      No, I expect users who want to run services that listen on ports (which makes them not "average!") to know about those things.

      I don't agree that a safe alternative is impossible - there's no magic power that packets have to hack a computer. Any failings are due to poorly written software.

      It's even less realistic to expect software -- especially the crap software the "average user" uses by default -- to become any less poorly written in the near future.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:Advantages? by WaffleMonster · · Score: 2

      So any advantages to running an IPv6 tunnel other than to say you use IPv6?

      None, turn it off and get a real IPv6 connection unless you need it for something.

      When content sees higher latency and lower throughput from crappy tunnels it only serves as a disincentive for continued adoption.

    11. Re:Advantages? by laie_techie · · Score: 2

      Frankly there's no excuse for any modern software to be vulnerable even if connected directly to the internet with no firewall. This isn't 2003 any more, and in any case it's commonplace for computers to be connected to all sorts of untrusted networks such as public wifi. So anything that assumes "a firewall will take care of it" is utterly irresponsible.

      I think you misspoke. It's irresponsible to think an external firewall will take care of it, so every computer / virtual machine should have its own. However, it's asking for trouble to allow untrusted traffic to arrive to any software. Just being accessible opens it up for a DDoS attack.

    12. Re:Advantages? by laie_techie · · Score: 2

      If an application doesn't need to listen for connections, it shouldn't open a port. A firewall won't make any difference here. If an application does need to listen for connections the firewall will need to let them through. Again, the firewall doesn't help - at least not at the level of sophistication you'd see in a home router's firewall.

      Except I want my legal music collection to be accessible to computers within my home (DLNA server), but if external computers have access (without use of a VPN), I may be guilty of illegal sharing. Ditto for other things which should be available on a LAN, but not be public facing.

    13. Re:Advantages? by Sanians · · Score: 2

      I don't want anyone being able to discern anything about what should be my *internal* network.

      The so-called "privacy extensions" address this, though seemingly not by design, but simply because the dumb fucks behind "privacy extensions" provided something useful. Basically, in Linux for example, the kernel will choose a new random IPv6 address every day, and keep old ones for seven days. It always uses the newest one for outgoing connections, but will accept incoming connections on any.

      The supposed benefit of this is that you no longer have one static address and so you're harder to identify, but that's bullshit since anyone looking to identify you is only going to look at the first 64 bits of the address. Where it actually helps is that, because of the random addresses, someone from the outside can't count how many machines are on your internal network, or even know if they're talking to the same one as the day before. They know they're talking to a machine on your network, because the first 64 bits of the address are the same, but they knew that with IPv4 too.

      Of course, it kind of ruins the fun of having a static IP address if the address keeps changing all of the fucking time, which is why I think the people behind "privacy extensions" are morons. The problem wasn't the static IP. People have had static IPs with IPv4 and no one cared before. The problem was that the IPv6 addresses were based on the interface's MAC address. If they'd simply made the machine choose a random address and stick with it, that would have been fine.

      Anyway, the solution is DNS. I have a script that each machine runs that keeps the DNS server updated when it chooses a new IPv6 address. Since each address is good for seven days, it doesn't require a short expiration time on the DNS server. However, if you reboot the machine, it'll choose a new address immediately. So the script also has to detect this and manually assign the last few addresses it updated the DNS server with to the interface as well.

      Also, you have to be sure to set up an ip6tables rule to block connections to the MAC-based address, since even with privacy extensions enabled the kernel will still accept packets to that address, which reveals the machine's presence to anyone on the outside who happens to find out its MAC address. Personally, I think it's a bug that the kernel accepts packets on the MAC-based address at all. That anyone thought that IP addresses should ever reveal any fact about the hardware is insane. Must have been someone working for the NSA I guess.

      ...and now that I see it has taken me six paragraphs to explain why IPv6 isn't so bad, you know what? Fuck it, stick with IPv4. Wait until IPv6 has been in wide use for a decade and maybe they'll have worked all of the bullshit out of it by then.

    14. Re:Advantages? by Sanians · · Score: 2

      The difference is like this:

      With NAT, say you want to open port 22 so that you can SSH to a machine on your LAN from the internet. So you forward that port to that machine. Next month you find you need to do the same for a second machine on your LAN. Your choices are to either forward the port to the new machine, which means it is no longer forwarded to the old one, or to forward some other random port and tell whomever wants to access that machine "OK, it's open, but you have to use port 122 instead."

      With a real firewall, the firewall by default blocks any connections to any ports on any of the machines on your LAN. However, you can tell it to allow any of those connections that you want to allow. So if you want to allow two machines on your LAN to accept SSH connections, you just tell the firewall to do so. There's no conflict because each of those machines is accessible via its own address.

      Personally, rather than having a dedicated firewall, I find it much easier if each machine simply has its own firewall. It's pretty trivial to simply firewall all of IPv6 and leave IPv4 completely open, which is all that you have to do since the machines on your LAN don't have IPv4 addresses. Just because IPv6 exists doesn't mean you have to start using it on your LAN. Use those nice short IPv4 addresses to communicate with machines on your LAN and save the hassle of IPv6 for when you're communicating with machines on the internet.

  3. Re:Being a site for geeks... by OzPeter · · Score: 4, Funny

    Slashdot can't be far behind, right?

    I've heard that you can only get ipv6 connections if your comments are in uni-code.

    --
    I am Slashdot. Are you Slashdot as well?
  4. Their implementation sucks. by Anonymous Coward · · Score: 3, Interesting

    Their implementation of DHCPv6-PD blows. It's incompatible with openWRT, Netgear, pfSense router firmware. You'll get your prefix, but it will get either dropped or changed within several hours. Then this premature change of the lease will fall out of sync with radvd on the routers then you will completely lose IPV6 connectivity. With all the IPV6 address space available, why not give out a static IPV6 prefix, but no, they want to change it frequently. This is completely contrary to their IPV4 DHCP servers which will basically give you the same IP address forever until you change the MAC address on the router.

    So screw Comcast's IPV6. I'll stick with my hurricane electric tunnel and its static IPV6 prefix until my router breaks. Maybe by then Comcast's implementation will actually work with most of the routers on the market that support IPV6.

    1. Re:Their implementation sucks. by WaffleMonster · · Score: 3, Interesting

      Their implementation of DHCPv6-PD blows. It's incompatible with openWRT, Netgear, pfSense router firmware.

      There seem to be problems with Comcast IPv6 that I can see.

      Lease query is fucked up/does not work at all so if your cable modem reboots while the lease is still valid the CMTS has forgotten all about it and won't let any traffic pass until you transmit a renewal request for your PD. It seems some consumer router gear uses Ethernet/media detection to notice the link has bounced and refresh the lease...otherwise you're basically SOL and have to manually do it.

      I don't think it is fair to blame Comcast for a system's shitty/buggy support for DHCPv6 prefix delegation. Comcast is not doing anything magical or non-standard. Vanilla ISC DHCPv6 client has worked flawlessly for me.

      Incidentally have maintained same IPv6 prefix for over a year now since they turned up v6.

      Then this premature change of the lease will fall out of sync

      To be fair if the client is fucked up and not properly renewing lease sometime before it expires I don't see how that's Comcast's fault. If you don't ask for renewal you won't get one.

      With all the IPV6 address space available, why not give out a static IPV6 prefix, but no, they want to change it frequently.

      Exactly they should hand out addresses or at least make them very sticky so that anything short of some kind of reorganization/renumbering does not result in a new prefix. It really sucks even if radvd is sync'd there are still implementation problems with the zero lifetime pulling and hosts if using SLAAC locally.

      This is completely contrary to their IPV4 DHCP servers which will basically give you the same IP address forever until you change the MAC address on the router.

      If you allow your IPv4 lease to expire good luck getting the same address back. At least on the two occasions I've had my system down long enough for it to happen and was greeted with a new address. It may very well be certain areas are configured differently and so mileages vary.

      So screw Comcast's IPV6. I'll stick with my hurricane electric tunnel and its static IPV6 prefix until my router breaks.

      The HE tunnels were awesome. I was sad when I shut mine down.

  5. Nice graphics at Cisco by CAPSLOCK2000 · · Score: 5, Informative

    Cisco has nice graphics of the IPv6 deployment in the world. It's based on the same measurements but presented with nice graphs instead of a boring table of numbers. Look up your own country at http://6lab.cisco.com/stats/in... .

  6. Re:Saying something good about ComCast hurts my br by eli+pabst · · Score: 4, Informative

    In actual fact, the ComCast internet service is not too bad.

    Their cable TV service is another story. I'm reading this article right now because my cable box is busy rebooting...again.

  7. Re:Crap Traffic by CAPSLOCK2000 · · Score: 3, Insightful

    Better start learning now, while you can afford to make mistakes. The bigger IPv6 gets the more those little mistakes will hurt you.

  8. Re:Crap Traffic by jbolden · · Score: 2

    How does blocking work when everybody can have a trillion addresses?

    You block a range. And it actually works because there is no NAT!

    Can people have a trillion addresses?

    Far more. The minimum subnet is a /64 which is 1.8 million trillion.

    Do they have a block allocated to each user/system?

    Yes.

  9. Re:Saying something good about ComCast hurts my br by jslaff · · Score: 3, Interesting

    Hurts my brain, too, but... I really have to admit that in the past 25 years with Comcast, first just for TV, then internet, then phone, I've had pretty much zero complaints. In fact, I get discounts off my bill for asking (minimal, yes, but $10 a month off $180), upgraded boxes for free for the asking (true, just one of their old SD DTAs to an HD DTA), and actually got a few hundred bucks for signing up my VERIZON cell phone through Comcast. In fact, the one company that I will never go back to for anything major is Verizon. I was one of the original DSL customers where I live in Montgomery County, Md., and saw my speed grow as the years went by. I had Verizon DSL for about 10 years when, all of a sudden, it stopped working. Cold. Swapped out DSL modems, swapped out my old router for a new one, different PCs, nothing. I KNEW it was their equipment. I called, and they said they would send someone out...in 2 weeks. (And of course, that would do no good, since it was on their end. We also had a Verizon land line, which worked perfectly.) I said I had been a Verizon customer in some manner all the way back to Bell Atlantic and Nynex days--2 weeks. I had a Comcast coax line in my office for a TV that I wasn't using anymore. Went to Best Buy, got a Motorola cable modem, called Comcast to register it, and in 10 minutes I was up and running. No problems at all. For less money than Verizon DSL. When I called Verizon to cancel everything, they said that had I said the magic word--Retention--they could have fixed it the next day. In a word, aaargh.

  10. Re:IPv6 How will it happen? by Tim+the+Gecko · · Score: 3, Informative

    How do you [Slashdot users] see IPv6 transition actually happening?

    Will each internet user have dual stack?

    Yes. They will have a dual stack with the IPv6 address being used for a bigger and bigger proportion of traffic. Meanwhile IPv4 will probably traverse some NAT.

    Once IPv4 is the minority of traffic (many years in the future), it will turn into a legacy PITA to administer separately. But that is a while away.

    IPv6 is much more complex, how will companies support users who barely understand IP addressing when IPv6 is going to seem like a long string of meaningless characters?

    Those 30% of Comcast customers aren't calling a helpdesk and reading out hexadecimal digits. If DNS is working they will say things like "www.facebook.com". If DNS isn't working then they can't fix it by reading out or typing those "meaningless characters".

    Do you see something like a dynamic IPv6 to IPv4 DNS/NAT translator to hide IPv6 complexity from the user a viable solution?

    Not viable. It wouldn't help more than a single digit percentage of users anyway.

  11. Re:IPv6 How will it happen? by jbolden · · Score: 2

    How do you [Slashdot users] see IPv6 transition actually happening?

    a) Carriers and ISPs have support (mostly done)
    b) Cellular (mostly done)
    c) Default is switched for home / small business (mostly not done). Then they have a shared pool of v4 addresses for v4 traffic rather than one address per location.
    d) Enterprises start running dual stack
    e) v4 is mostly retired

    Will each internet user have dual stack?

    Probably each carrier. You'll see the v4 address space living inside some subnet at an IP address inside your ISP's allocation.

    IPv6 is much more complex, how will companies support users who barely understand IP addressing when IPv6 is going to seem like a long string of meaningless characters?

    What do end users care? How do companies support their end users not understanding all the details of ARP vs. IP addressing? They don't; they just make it seamless.