Why the Journey To IPv6 Is Still the Road Less Traveled
alphadogg writes The writing's on the wall about the short supply of IPv4 addresses, and IPv6 has been around since 1999. Then why does the new protocol still make up just a fraction of the Internet? Though IPv6 is finished technology that works, rolling it out may be either a simple process or a complicated and risky one, depending on what role you play on the Internet. And the rewards for doing so aren't always obvious. For one thing, making your site or service available via IPv6 only helps the relatively small number of users who are already set up with the protocol, creating a nagging chicken-and-egg problem.
My border router is more than IPv6 ready. It's already passing out IPv6 addresses internally to the few devices which are capable of them. Not that it matters to me though, my ISP doesn't support IPv6 so what's the point? Yea, I can touch my router from my laptop over IPv6, but what does that get me?
Who is my ISP? Why Verizon FIOS of course. Until they decide to support IPv6 and give out addresses to people like me who are ready to use it, there won't be any mass adoption of IPv6 by their customers.
Are there any ISPs out there which support residential IPv6?
Why are we revisiting? Ipv6 simply has too much overhead.
Have Facebook and/or Google go IPV6 only for website access. You will see virtually 100% adoption of IPV6 within 24hrs ...
IPv6 has a number of weaknesses:
1: No encryption. This was promised, but in reality, transport encryption is still at the SSL/TLS level.
2: Attackers can view your entire IP space. A simple nmap scan, then choosing what zero days to use... instant pwn-ership.
3: Untested stack, relatively. The IPV6 versions of land, teardrop, ping of death, and other attacks have yet to be found.
4: Support is spotty. Using IPv6 on the edge means most people around the world can't touch the websites.
I'll give up my 5 class-C addresses now, can we give it a rest?
We've been running out for the last decade and nothing's happened yet. Sheesh!
There is no benefit to using IPv6 for most people. IPv4 works fine and there are enough workarounds to keep IPv4 relevant for a long time. IPv6, while it gives more address space, does not in itself really carry any benefits for either service providers or end users. That greatly reduces the motivation to switch.
ISPs are not helping. Where I live the local ISP charges extra for IPv6; it's something that needs to be expressly added onto the account. Who is going to want to pay extra to provide/access a service most people aren't using?
Oh, and there's a learning curve. Most people are like water... path of least resistance.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
They aren't being adopted because they try to solve problems that aren't really problems.
IPv6: not enough IP addresses. The problem is very real.
Rust: incompetent programmers who leak memory, which problem can be fixed at compile time (with tradeoffs that annoy some people but not others).
Both solve very real problems, you just don't see them because they are at a level deeper than you understand. Don't worry, the 'magic' will keep working, and you can keep posting, because other people will solve them.
"First they came for the slanderers and i said nothing."
Personally I've found IPv6 to be an extremely ungainly language.
It's plain to see that there just aren't enough variable names left in the world to continue using IPv5, but for me, it's Ruby++ on Python or nothing at all.
I have IPv6 at home (took some calls to AT&T Customer Support). I don't have it at work; the migration will probably start with small network endpoints (phones (apparently T-Mobile has already switched) and home networks).
Link-local IPv6 is already fairly broadly available - it's the fe80-prefixed address in your ifconfig output. You should be able to ping other IPv6 addresses on your network (*nix to *nix).
Google's IPv6 stats page indicates this too... https://www.google.com/intl/en... has a peculiar comb effect for the last few years. Zooming in seems to give a bit more insight. Google's count of IPv6 connections has a full 1% swing over the weekends vs the weekdays. Due to IPv6's addressing method, each unique device on your network appears as a unique device on the internet, vs the NATed IPv4 that we all know and love. This would also have an accelerating increase in the number of unique IPs that are visible on the weekend. I know I use more devices over the weekend (chromebook, phone, laptop, tablet) vs during the week.
Open to other insights, but our homes will be likely IPv6 before our offices are. (Of course aggressive tech companies like google and facebook are likely already IPv6).
A few things:
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2005 (without the non-MS patch)
will NEVER use IPv6; they are forever stuck on IPv4.
And the idiots at Comcast!!!!!!!!!
Whenever I enable IPv6 on SUSE or RHEL6 and use Xfinity,
the modem runs into a RAM overflow VERY FAST.
Comcast says they support it but it is one F'ED up version of something that almost resembles IPv6.
"I don't pitch OpenSUSE Linux to my friends, I let Microsoft do it for me."
Add HTTP/2 and https everywhere.
I think that in countries with many IPv4 addresses per internet user, we won't see any change soon; they can still support one IP per home. The US is one of those. It has tons of IPs. In countries without many IPv4 addresses, the companies (especially new ones, which don't sit on millions of addresses) will see the pressure, and will run a carrier-grade NAT & native IPv6 approach.
I can do IPv6 from my ISP since last November. My issues so far have been:
On the other hand, IPv6 was doing fine 12 years ago, on the IPv6 backbone from the university.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
I wonder how many IPv6-unready appliances we have. For instance, I do not trust my ISP to have given me an IPv6-compatible router. And I cannot easily replace this router, a Huawei HG253s V2, due to the fact that it is needed for the optical transducer.
With the current incantation of Amazon Web Services (VPC),
IPv6 support is currently not available for load balancers in Amazon VPC (EC2-VPC).
http://docs.aws.amazon.com/Ela...
So there goes lots of the internet....
http://cr.yp.to/djbdns/ipv6mess.html
The writing has been on the wall for quite a while now. I think it was first discovered written underneath "As I sit here all brokenhearted..."
This has been written in a very pro-selldata approach:
For example, if the proxy that’s providing a user’s address is located in a different city from that user, then location data that could aid in targeting ads would be unusable, he said.
So, should ipv6 be enabled because it kills privacy? This article is stupid shit. I really don't like if internet protocols are designed with "targeting ads" in mind. This is where the google involvement into internet standardisation has brought us to: an internet built to spy on us. Google is not very much more than that: a company getting billions from running the most profitable internet ad network in the world (visit this, and search for "Advertising revenues"), and running other services in order to show those ads on.
Why do ppl hate rust so bad? curious
T-Mobile supports IPv6, so I use IPv6 on my phone. Cox doesn't so I can't use it with the devices that generate the most traffic.
I would switch, but then I'd have to rewrite my hosts files.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
C# and Java also solve the leaky memory problem and are much more popular.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
You know what NAT defeats? End-to-end connectivity.
CLI paste? paste.pr0.tips!
And 99.9% of people don't care.
I have come to believe that end-end connectivity is the problem that a lot of people think NAT solves.
Nullius in verba
You know what else solves the "not enough IP addresses" problem? NAT.
And it's a lot less of a change than switching to IPv6.
OK, perhaps some reading would help you to understand how NAT is fine for very small networks, but for the most part is a huge pain in the ass for large networks. And there's no end-to-end connectivity. NAT is a layer of obfuscation that often adds to errors for Net-Ops.
That's the point at which end users like us need to be proactive. ...or just move to a country with pervasive IPv6... :-P
Setup tunnels (like Sixxs and other similar IPv6 brokers), open tickets at your provider asking for 6rd support, etc.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
C# and Java also solve the leaky memory problem and are much more popular.
But not at compile time, and you can't use them in systems' programming on general hardware.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
Are you one of those people who got suckered into believing that if you zipped the zipped zip file enough iterations you could store everything in just one byte?
There's only so much NAT can do and it's doing it now.
You know what else solves the "not enough IP addresses" problem? NAT.
It's a short-term quick hack which might make some problem seem to disappear, but creates ton of other problems.
NAT creates layers of indirection, and NAT makes machines not directly addressable.
Require hole punching and the like even for very basic functionality (like VoIP).
The internet was envisioned as a distributed network with all being equal peers, but NAT is contributing to the current asymmetry of having a few key content distributors and everybody else being a passive consumer.
And it's a lot less of a change than switching to IPv6.
IPv6 here. No it's not that complicated, and can be made automated. (e.g.: you don't even need to setup DHCP. your router just hands out prefixes, and the devices on the net autonomously decide their address by appending their mac address).
With NAT, you'll end up needing to fumble with your router and open / redirect ports anyway, just to be sure that everything works as it should.
AT&T U-verse at work supports IPv6. Verizon Wireless claims to support IPv6 but you can't route to their addresses (stateful firewall or something). So I can connect to equipment at work with either IPv4 or IPv6, but if I need to connect to anything on VZW I'm SOL because the IPv4 is NAT'ed and the IPv6 is firewalled.
Minimum threshold fixed. Thanks!
That's why solutions like 6rd exist.
ISP can keep their current IPv4 gear, and just offer an IPv6 tunnel that the clients can use over the IPv4 infrastructure.
No need to immediately replace all the components, and meanwhile, IPv6 is already available.
And 99.9% of people don't care.
There are a lot of things 99.9% of people don't care about. If that's your justification...
Me personally, I'd love my end-to-end connectivity back.
Actually, in the process of solving the one problem it's supposed to solve, they created about 14 trillion other problems, stuck their head in the sand refusing to learn from history or listen to the industries that use the technology -- *cough*DHCP*cough*, didn't give a single second to privacy or security, and finally simply gave up without ever trying when it came to any type of transition policy/mechanism.
We might as well be converting the internet to Appletalk. While they share a few characters in their name, IPv4 and IPv6 are radically different technologies. From an application programming level, there's not much difference, but that's never been much of a hindrance to IPv6 adoption.
Something we've gone out of our way to intentionally break (read: FIREWALLS) on purpose for decades.
They aren't being adopted because they try to solve problems that aren't really problems.
IPv6: not enough IP addresses. The problem is very real.
The problem with IPv6 is that alternate solutions to the IP shortage issue such as NAT are currently far less trouble and much less expensive to implement than IPv6.
Where I work we have a LOT of computers (low-mid 6 figures) behind NAT. For the most part it works pretty well.
I spoke with our network design engineer about IPv6 a few months ago and he said IPv6 isn't even on his radar at this time for the reason stated above. If he were implementing a network at a new company with no legacy technology to deal with he might go IPv6 but he doesn't see it much in established networks anytime soon.
Any insufficiently advanced magic is indistinguishable from technology.
The original article adds no insights to the real issue, but Dan J. Bernstein outlines the issue
nicely in http://cr.yp.to/djbdns/ipv6mess.html
Choice quote: "Unfortunately, the straightforward transition plan described above does not work with the current IPv6 specifications. The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space."
Hah! Can you say "reference leak"? I knew that you could. (it's actually *easier* in Java/C# to leak memory, because you have no way to explicitly destroy an object, so programmers never think about it.)
...I'd be more inclined to do the move myself. The problem is when you ask if or when it will be available, you get the long pause and the "We don't know". My ISP, who shall remain nameless at this point, doesn't appear to have a plan. For the size of their organization, you would think they have a plan or at least are looking at it, but their front line makes them look amateurish.
I will not name my ISP but I'm in Canada and they are based out of Toronto...lol. (This should tell you who they are...)
We should start calling them once a day and politely request IPv6 support once a day every day. (Politely because I'm canadian...lol)
Windows and networks can run both side by side just fine. I think the one issue is typing the addresses, no fun at all.
So if one wants to allow a particular protocol through the firewall that is a typical carrier grade NAT rollout, how does one go about it?
you don't even need to setup DHCP. your router just hands out prefixes, and the devices on the net autonomously decide their address by appending their mac address
If you don't set up DHCP, then how do devices on the net bootstrap enough service to be able to resolve www.example.com. into an IPv6 address? Does each machine need to run its own recursive resolver or rely on 2001:4860:4860::8844?
Just wait for ISPs to bill you per IP / outlet and ban / lock out NAT.
Right now ISPs like Comcast make a lot of outlet fees on their TV side, and when TV starts to really die down the last thing you want is to have it like the old phone days where they made you pay / rent EACH PHONE. Right now the cell phone providers make you pay per line to use the same shared pool of data / minutes and make you pay more to unlock tethering.
Then build your own network.
And big businesses want to have INTERNAL-only networks as well as VPNs that let you get into stuff that you want to lock down to be inside only. A VPN with username / password does more than just basic firewall rules.
If you're behind CGN, then by definition you aren't allowed to run "servers" -- i.e. services that require outside systems to initiate connections toward you. (www, smtp, bittorrent, etc.)
Wow. I don't know if you're really familiar with IPv6. At all.
There is some additional machinery around route assignment, and some dodgy bits in recursive assignment. But that stuff really is supposed to help the manageability and route aggregation for the entire network over time. Not sure if I would want to abandon it.
Otherwise it's pretty much the same old thing. Maybe you could be a little more concrete in your criticism?
Also... to make things like IPSEC work through NAT involves all sorts of bastard hackery (IPsec NAT-T) that is of dubious security impact. Basically, we can perform all sorts of bastardization on every protocol to try and make it work through NAT, or we can fix the problem with adequate address space.
With Blackjack! And Hookers!
NAT is not a solution to the IP address shortage. it is a Band-Aid on a sucking chest wound. Anyone who has ever tried to join corporate networks together that are on the same fucking 10/8 network for example knows this (oh fuck, we need to re-address all the things!). Sounds like your network design engineer is an idiot. IPv6 should be on everyone's radar at least, and any new equipment procured should have IPv6 support as a mandatory feature.
If you're behind CGN, then by definition you aren't allowed to run "servers"
Customers ought not to stand for inability to run servers. Therefore, customers ought not to stand for being stuck on carrier-grade NAT. Therefore, with more people than IPv4 addresses, IPv6 is a requirement.
How about the deprecation of broadcast+arp on a subnet, and the use of router advertisements? There is a lot in those two concepts that actual people running actual networks *really don't like*.
RA, aka. ICMP router advertisement. Abandoned circa 1970 as a "bad idea". It was a colossally bad idea in the 90's, and f'ing suicidally bad in 2000+. Yeah, let's trust whoever the f*** on the cable claims to be a router and send it our traffic. Oh, to protect my network(s) from that brain damage, I have to buy new switches that support "RA Guard".
They didn't like DHCP. So "no f***ing DHCP in IPv6!" DHCPv6 is a bolt-on, staple-on, and bandaid addition to IPv6. It's a horribly incomplete shadow of DHCPv4, and still requires an RA tell you to use it.
SLAAC... originally 80-bit prefix plus 48-bit MAC. They ignored the fact that ethernet is not the only technology in the universe. That was later amended (breaking older stacks) to 64 bits. The entire purpose for the vast over-simplification of address selection (for tiny embedded systems with limited RAM/ROM/CPU) became moot 7 seconds into the IPng committee's existence -- IPsec shoots all three in the head, repeatedly, with artillery. Everything supports privacy extensions these days, so the logic for random address generation and duplicate address detection is there -- and rather trivial. Yet it, and SLAAC, demand the prefix length be 64. Just to put that silliness in perspective, that's a single LAN with every ethernet device ever created (that will ever be created) in it 65,536 times over.
This leads nicely into the blindness to history... a 64bit LAN is pure lunacy. Today and likely for several decades. But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite". Sure, we can change the way we do things "with the next ::/8", but that dooms us to live with the colossal stupid of this ::/8 for ever. Again, dooming us (and our children's great grand-children) to live with our bullshit. We did a lot of stupid things with IPv4; and we're doing them all over again with IPv6.
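The SLAAC derivation this post argues about (and that the earlier "your router just hands out prefixes, and the devices ... append their mac address" comment describes), as an added example that is not code from the thread: Python that builds a modified EUI-64 address from an advertised /64 prefix and a MAC, and a defender-side check that lists which observed addresses still embed a MAC, i.e. hosts not running privacy extensions. All prefixes, MACs and addresses are constructed sample values.

```python
"""Added illustration, not code from the thread.

SLAAC on Ethernet: the router advertises a /64 prefix and the host derives
the low 64 bits (the interface identifier) from its 48-bit MAC using the
modified EUI-64 rule. The same rule, read backwards, lets a defender spot
hosts that are not using privacy extensions (RFC 4941) and therefore expose
a stable, hardware-derived identifier to every site they talk to.
All prefixes, MACs and addresses below are constructed sample values.
"""
import ipaddress
import re

SLAAC_PREFIX_LEN = 64  # SLAAC requires the advertised prefix to be exactly /64


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier.

    Split the MAC in two, insert 0xfffe in the middle, then flip the
    universal/local bit (0x02 in the first byte).
    """
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host would self-assign from an advertised prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != SLAAC_PREFIX_LEN:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(address: str):
    """Return the MAC an EUI-64-derived address embeds, or None.

    Marker: bytes 11-12 of the 16-byte address are 0xff 0xfe. The u/l bit is
    flipped back to recover the original MAC. Addresses generated by privacy
    extensions are random in those bits and (barring a 1-in-65536 chance)
    fail this test.
    """
    raw = ipaddress.IPv6Address(address).packed
    if raw[11:13] != b"\xff\xfe":
        return None
    octets = bytes([raw[8] ^ 0x02]) + raw[9:11] + raw[13:16]
    return ":".join(f"{b:02x}" for b in octets)


def hosts_exposing_mac(addresses):
    """Defender check over observed addresses (e.g. from a neighbour table).

    Link-local addresses are skipped: the MAC is visible on-link anyway, so
    only routable addresses leak it off the segment.
    """
    findings = {}
    for address in addresses:
        mac = embedded_mac(address)
        if mac and not ipaddress.IPv6Address(address).is_link_local:
            findings[address] = mac
    return findings


# Constructed sample: one EUI-64 host, one privacy-extension host, one link-local.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",
    "2001:db8:1:2:7d3e:91c0:aa5b:12f4",
    "fe80::21a:2bff:fe3c:4d5e",
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"))
    for addr, mac in hosts_exposing_mac(SAMPLE_ADDRESSES).items():
        print(f"{addr} embeds MAC {mac}: privacy extensions not in use")
```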
My ISP is IPv6 capable but customers are configured for IPv4 by default. Making the change is just a matter of logging in to your account settings to enable IPv6 and making sure it is enabled on your router and devices on your home network.
Most local ISPs do not support IPv6 so end to end IPv6 isn't really an option. There were also some strange issues with a few websites after making the switch. There were no measurable performance improvements. After trying IPv6 for several months, I couldn't see any benefits so disabled it on my account and went back to IPv4. It means a lot to those limited by public address availability but not much to the average Internet user.
You can't be serious.
If I 'never think about it' in C++, my memory will explode in no time. If I 'never think about it' in Java, then maybe in some cases eventually my memory might explode, perhaps. That's not what 'easier to leak in Java' means to me.
Automatic address assignment: Useless. DHCP is better.
No more NAT: Useless. NAT is part of firewalls which are still needed. It's easy, and incredibly flexible.
Better multicast routing: Useless. Multicast is dead, and will remain so.
Simplified routing: Useless. This has been implemented outside IP
QOS: Useless. The IPv6 implementation is wrong for how QOS is used now.
Larger Address Space: The only useful feature in IPv6, but it was done wrong, and should be abandoned.
We need IPv8 that does things right for the internet we have *today* not the internet we thought we'd need in 1998.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
At some point, there will be nothing but growth. It might be tough now, but time and space is rapidly running out. When all space is gone, every new user will be using IPv6 and IPv4 will be considered 'old fashioned'.
And 99.9% of people don't care.
There are a lot of things 99.9% of people don't care about. If that's your justification...
Me personally, I'd love my end-to-end connectivity back.
People who think they need end-to-end connectivity for everything don't understand networking. It's not only not required, it is undesirable in most cases.
The only thing worse than a Democrat is a Republican.
I quite like the vastly increased difficulty of scanning the whole IPv6 Internet. As soon as Comcast fixes their business class, remote access via IPv4 is going bye-bye. Sick of looking at all this crap in my logs. If random fools want to spam me they are going to have to work for it.
I can remember the IPv4 of ~10 of my servers. With IPv6 I'd be lucky to remember just one :(
IPv6 was thought up before NAT and was the solution to the IPv4 address space problem. With NAT and cheap routers that is no longer a problem. And _why_ would you want all your variables global? That is just silly.
IPv4 4ever!
THIS ^^^ a thousand times.
Indeed, IPv6 was the vision of the future as it was seen from the past. As of today, it is useless garbage. Ever watched those sci-fi movies from the 60s and 70s? Where they thought we would by now have solved space travel problems yet our computers would still be the size of a fridge with tiny monochrome screens? That's what IPv6 is.
I had mod points yesterday, but not today, so here's a reply instead of the "+1 insightful" you deserve. IPv6 does unsolve problems that already have solutions in IPv4. *cough* DHCP *cough* indeed.
You've clearly never had to talk someone through configuring a port forward on their router so that a file transfer over IM could work, or so they could host a game server. NAT mostly works, but it turns a lot of things that should 'just work' into a need to fiddle around with the router config.
With C and C++, the programmer has to keep up with it; thus they are constantly aware of memory usage. (well, those that aren't complete shits do.) In Java, the programmer has no say in it, so they don't think about it -- or for younger "programmers" (who may have never learned C/C++), don't know how.
And 99.9% of people don't care.
There are a lot of things 99.9% of people don't care about. If that's your justification...
Me personally, I'd love my end-to-end connectivity back.
Why? I'm an ex-Network Engineer. NAT served me fine for years and still does the job. IPv6 involves effort for no real reward, it can die in the ditch for all I care.
LOL. You have no real idea what that means and why you want it, aside from it just sounding cool and hip, amirite?
the 0.0001% of Nerd Customers ought not to stand for inability to run servers.
FTFY.
For those 0.0001%, there is AWS.
As someone who's not really a networking guy, this!
I like the extra layer NAT provides. It's no substitute for a firewall of course, but having your internal boxes not publicly addressable at all adds an extra layer of warm and fuzzy.
Is this attitude wrong? Probably. But it is also pervasive.
I doubt they'll go this route, but what would make sense to me would be to give customers the option to request a direct connection.
Between cell phones and people who have no interest in running a server (even unintentionally), there's probably only a small portion of people out there who really need a direct connection, and there are probably plenty of IPs to support them if you put everyone else on CGN.
Probably closer to 99.999%
the 0.0001% of Nerd Customers ought not to stand for inability to run servers.
FTFY. For those 0.0001%, there is AWS.
Wah wah, for some reason it needs to run on under powered hardware in an uncontrolled environment over an asymmetrical residential connection, because, for reasons!
I'm in this weird bubble where I live. I'm currently on the city owned cable internet here in Tacoma WA. This ISP has some really shitty upstream connections depending on what site I'm trying to access. I also have Hurricane Electric's IPv6 Tunnel Broker service on my router itself, so my entire network has public IPv6 over IPv4. The route to the HE server in Seattle WA (~35mi away) seems to ALWAYS be stable. HE's backbone is also rock-solid world wide. Sites that are IPv6 enabled, I generally have a much better / faster / lower latency route to them, simply because my ISP has shit IPv4 routes leaving our local region.
Some major companies that are or are not IPv6 enabled:
google: yes
facebook: yes (interesting note: they always have :face:b00c: in their IPv6 addresses)
wikipedia: yes
mozilla.org: yes
amazon: no
AWS anything: mostly no (they have some half-assed thing on their load balancer service that sucks ass, but nothing else)
slashdot: no
twitter: no
microsoft.com: no
Yeah, the problem is though that some people then reach for NAT as the sole solution. That's the reason why my school's network is a triple NAT - 172.16/12 to 192.168/16 to 10/8.
For my computer science course I recently asked for putting a server in our school's network so we don't have to strain our outbound bandwidth (only 10 Mbit). I also considered asking for it to be reachable from the outside - but after seeing that setup, I promptly discarded the idea.
The problem of why IPv6 isn't spreading as much as its proponents would like is that it is a completely new, distinct and separate protocol.
Currently; *everything* on the Internet uses IPv4 - It is the Lingua Franca of the Internet.
IPv6 has absolutely no relation to IPv4 apart from the name. There is currently no way for IPv4 hosts to talk to IPv6 hosts easily or simply, and this is a critical flaw IMHO with IPv6.
With IPv6, you essentially have to throw away the WHOLE IPv4 Internet and start again; This is why the roll out is going so slowly; You are effectively building the Internet Mk2 from scratch, bit by bit, with this new system.
IPv4 will be around for a long time because of this for the same reason we still use x86 - There are too many current and legacy systems which only speak IPv4.
It still boggles my mind that they didn't consider interoperability at all when they were developing IPv6; If there was a standard for bridging between the two systems so IPv4 and IPv6 hosts could communicate with each other this rollout would be moving a lot faster.
And IPv6 still has the same shortsighted flaws for futureproofing as IPv4; It lacks extensibility. Sure it looks infeasibly big now, but they keep saying that and then we find we run out of space. It wasn't that long ago when a terabyte was considered unbelievably big yet now computers routinely come with drives of such capacities!
I'm still running IPv4 at home because I don't have a IPv6 firewall. My router, with NAT, shuts down my external facing ports. I've been meaning to setup IPv6 for a few years now, but I always do some research, and then drop the idea when I don't know how to secure my home network.
No. Just, no. A NAT and a firewall are entirely different things and used for different purposes. Please familiarize yourself with basic networking.
By definition? What?
God dammit. I see what you're trying to say, but seriously this is so wrong. It's no big deal (i.e. easy to implement) to have End-to-End connectivity and still not be "exposed" to the oh-so-hostile Internet.
It is a big deal (i.e. impossible) to actually get End-to-End connectivity when you do need it but find yourself behind a (carrier grade) NAT.
Breaking this one fundamental principle for the added comfort of being able to just deploy a NAT and feel reasonably secure is totally not worth it. Really, stop.
As someone who's not really a networking guy
Yeah. It's showing.
>other people will solve them
Other people are solving the real problem of address exhaustion, just not in the way that the IETF intended.
Even the IPv6 enthusiasts accepted that adoption would have to be widespread before the regional registries started running out of IPv4 addresses if it were going to work as a solution. That hasn't happened and it's now just too late - don't forget this started 22 years ago when most of the host systems were still under the control of education and government institutions and migration could have occurred much faster than it could now.
The thing that still irks me is that there'd been a very similar and very public (though much less protracted) attempt to deal with similar address limitations in DECnet that had failed miserably and the IETF chose to turn a deaf ear to those experiences which have simply been repeated on a larger scale with IPv6.
The problem of address exhaustion remains. IPv6 is no longer the solution, it's time came and went. A different group of "other people" are now attempting to keep the Internet roughly connected, but I'm afraid end-to-end connectivity is gone because the solution that offered it has failed the acceptance test.
NAT mostly works, but it turns a lot of things that should 'just work' into a need to fiddle around with the router config.
I don't see how. Either you keep essentially all ports open to your public IP at all times (bad idea), or you need to open ports on demand.
The latter requires the same fiddling around with the router config as with NAT, assuming UPnP isn't used. If UPnP is enabled it's not an issue with NAT either and the whole point is moot.
That's only because dumb people (like you) don't realize in the first place when it would be useful. p2p comms with both ends behind a NAT?
Sure, i mean routing your shit through a 3rd party server also makes it "work", but it's arguably undesirable, except for dumb people (like you, again) who do not care. Happy Skyping.
IPv6 utterly sucks, though. There are much easier ways to solve the address exhaustion problem; and it actually makes the routing problem worse (and no, location/id split doesn't solve that any more than CIDR did).
I figure the problem will resolve itself by Y2K38. After all, legacy machines will have issues by then, right?
I think one June, when Google did that thing with IPv6, my browser wouldn't load google.com until I turned off IPv6 on my XP machine.
It's compelling arguments like that which will surely convince people to give a shit about ipv6.
It's not that it wasn't considered. The biggest problem with interop between v6 and v4 is that you can't really do interop between v6 and v4. The v4 header only has 32 bits available for the dest host, so there's no way to specify which v6 host you want to send packets to.
Unless you count NAT64-like solutions or 6to4-like solutions, both of which do already exist.
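Both mechanisms named in this reply work in the one direction that fits: a 32-bit IPv4 address is carried inside the 128 bits of an IPv6 address, whereas the reverse has no room, which is the interop problem the reply describes. Added example, not code from the thread: Python that synthesizes and parses the RFC 6052 well-known NAT64 prefix form (64:ff9b::/96) and the 6to4 prefix (2002::/16); only the /96 NAT64 form is handled, and the sample addresses are constructed from documentation ranges.

```python
"""Added illustration, not code from the thread.

IPv4-in-IPv6 embedding as used by NAT64 (RFC 6052, well-known prefix
64:ff9b::/96) and 6to4 (RFC 3056, 2002::/16). Knowing these layouts lets a
defender map a NAT64-synthesized or 6to4 destination seen in IPv6 logs back
to the real IPv4 endpoint. Only the /96 NAT64 prefix form is handled here;
the sample addresses are constructed from documentation ranges.
"""
import ipaddress

NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def nat64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_WKP) -> str:
    """IPv6 address a DNS64/NAT64 deployment hands out for an IPv4-only host.

    With a /96 prefix the IPv4 address simply occupies the last 32 bits.
    """
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_WKP):
    """IPv4 address inside a NAT64-synthesized address, or None if not one."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    a = ipaddress.IPv6Address(ipv6)
    if a not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


def six_to_four_prefix(ipv4: str) -> str:
    """The /48 a site with public IPv4 address ipv4 gets under 6to4.

    Layout: 16 bits of 2002, then the 32-bit IPv4 address (bits 16-47),
    so the IPv4 value is shifted left by 128 - 48 = 80 bits.
    """
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(SIX_TO_FOUR.network_address) | (v4 << 80)
    return str(ipaddress.IPv6Network((base, 48)))


def six_to_four_relay_target(ipv6: str):
    """IPv4 endpoint a 6to4 relay would encapsulate toward, or None."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIX_TO_FOUR:
        return None
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample: a v4-only server at 192.0.2.33 (TEST-NET-1).
    synth = nat64_synthesize("192.0.2.33")
    print(synth, "->", nat64_extract(synth))
    print(six_to_four_prefix("192.0.2.33"), "->",
          six_to_four_relay_target("2002:c000:221::1"))
```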
And IPv6 still has the same shortsighted flaws for futureproofing as IPv4; It lacks extensibility. Sure it looks infeasibly big now, but they keep saying that and then we find we run out of space. It wasn't that long ago when a terabyte was considered unbelievably big yet now computers routinely come with drives of such capacities!
It does lack a way of expanding the address space, but we'd need to actually run out of space first for that to be a problem, and 128 bits really is a lot. 1 TB drives and v6 are in completely different ballparks: if v4 is 1 TB, then v6 is 80 million billion yottabytes. There are 300 million /64s available... for each person on the planet. And each /64 has essentially no limit on the number of hosts it supports. I could understand an argument that each person might end up running billions of computers (which would be no problem at all), but a quarter of a billion networks? Each?
And that's just using the 2000::/3 space. There are five more unused /3s available, so we could do it all over again five more times (presumably with smaller-than-/64 subnets) before actually running out.
You know what defeats end-to-end connectivity with IPv4 addresses? IPv6.
I think we might have found the root cause for the glacially slow rollout.
NAT was a hack used when we started running out of addresses in the early 1990s. It was never a solution to the problem. And it is a hack that can't work long term. We already have about 300m public IP addresses with fixed port needs (websites, SIP, FTP...). Moreover carrier NAT is the same cost and possibly even more complex than NAT to implement.
Carrier NAT is a terrible idea.
Of course it is pervasive. Since the early 1990s we've had 20 years where the internet has grown increasingly hierarchical and not flat. Our technological stack and psychology have grown up around that. When it becomes flat there will be a bit of adjusting. Then people will get the huge advantages when every endpoint is a server.
My external servers - all IPv6, publish AAAA records, all services available on IPv6.
My home - IPv6 compatible router, IPv6 compatible network, IPv6-compatible clients, even IPv6 VPN to my servers.
What I don't see - IPv6 compatible websites. Slashdot is not IPv6 reachable. Nor is The Register. If even the IT crowd can't manage it, what chance do other places have? But that's no big deal, so long as they're IPv4-reachable anyway.
What I don't have - an IPv6 compatible ISP.
I can't use any IPv6 protocol except for 6to4, but the local 6to4 relay is "not supported" by my ISP and not run by them. That puts me at the behest of whatever routing is set up for that magic 6to4 address at any given point.
Sure, I could go with Sixxs etc. but that requires all kinds of signup. It's actually easier to just VPN to my IPv6-ready external server over IPv5 and bypass worrying about the in-between link entirely.
It works. It's up. I receive email from third-party servers solely over IPv6 every day.
And then, you find that Google mail and DNS is IPv6. The occasional website is IPv6. The odd mail server is IPv6. And nothing else. And they are all also on IPv4 too. All that hassle, hardware and configuration and I gain... nothing.
Until we literally say "IPv4 is going to be marked for obsolescence in 6 months, and routing for it will be going off on the 1st of Jan 2016, worldwide", nothing is going to change. Absolutely nothing.
Slashdot - I'm invoking my rule again. You can post articles on the IPv6 deployment when you BOTHER to put a single AAAA record on your DNS.
If I could easily apply for an IPv6 allocation that was portable then I would implement it. However I can only use our ISP supplied addresses, so it is not worth the trouble as renumbering would have to happen every time we switch ISPs.
Carrier grade NAT would likely have been slightly more expensive to implement than IPv6 for carriers. Of course NAT for companies doesn't cost much because NAT is a very mature technology and the IPv4 stack is now built around the expectation of NAT. But that's not the right comparison.
As for the network engineer and IPv6 in private companies: if you aren't directly serving home / small business customers then there likely is nothing that is going to drive you off IPv4 in the next few years. Your ISP for your website may need IPv6 but internally you won't. Where it is a problem for you though is tunnels. IPv4 network equipment doesn't understand IPv6 tunneling. IPv6 services will make your IPv4 network security look like Swiss cheese. For many companies that still doesn't matter, in which case you have time.
Until the carriers clean up IPv6 for home / small business there really isn't much reason for most businesses to worry. But that's a yet not a never.
As someone who's not really a networking guy, this!
I like the extra layer NAT provides. It's no substitute for a firewall of course, but having your internal boxes not publicly addressable at all adds an extra layer of warm and fuzzy.
Is this attitude wrong? Probably. But it is also pervasive.
That attitude is definitely wrong. The warm fuzziness you're currently feeling is false security - lots of ways to trick a NAT into giving access to internal machines that you think are unaddressable. What you need is a stateful firewall - that gives you real security without breaking all the stuff that NAT does.
http://blog.nexusuk.org
People who think they need end-to-end connectivity for everything don't understand networking. It's not only not required, it is undesirable in most cases.
It's undesirable in _some_ cases, it's absolutely required in others. So if you have a single IP address and you have to NAT everything, you win in the "some cases" situation and you lose for "others" (even worse with CGNAT). If you get rid of NAT and stick a stateful firewall in, you get the best of both worlds and can choose the best for the situation at hand.
You mentioned DECnet. I was involved in that migration in a company. Migration can occur very fast if it is a priority. And it will become a priority if things are allowed to break. Breaking is happening right now, as you mentioned, in the area of connectivity, and that problem is going to get worse.
We have the technology for easy migration and we have the blueprint.
1) Carriers migrate
2) Internet companies (web hosting, CDN...) migrate
3) Home / small business user migrate
4) B2B communications migrate
5) Company's internal networks migrate
We are wrapping up (1) and (2) and starting on (3).
They aren't being adopted because they try to solve problems that aren't really problems.
No. They really are problems. Not enough addresses, too much NAT, too much PAT, yeah these are problems.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
NAT is an ugly fudge that makes things more complex than they need to be. That makes it sub-optimal as a solution to the lack of address space.
Luckily for the rest of us, and hard as you might find this to believe - it's not all about you.
With IPv6 it's one rule at the firewall. With NAT, you need to forward a port from NAT device to NAT device, all the way from the carrier-grade NAT device at the ISP border router to your own - and most of those you will have to pay your ISP to have any forwarding added to.
Oh, did you mean "NAT as it existed before we ran out of IP addresses"? Well, that's why we need IPv6, now when we are talking about NAT, it includes carrier-grade NAT.
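As an added example (not code from any poster in this thread), here is what the "stateful firewall instead of NAT" and "one rule at the firewall" comments above look like as an nftables ruleset for an IPv6 home/SOHO router. The interface names wan0 and lan0, the documentation prefix 2001:db8:1234::/48 and the internal host 2001:db8:1234:1::10 are constructed placeholders, not values from the thread.

```nftables
# Added example: stateful IPv6 filtering on a router, no address translation.
# Placeholders (assumptions, not from the thread): WAN interface "wan0",
# LAN interface "lan0", delegated prefix 2001:db8:1234::/48, and one
# internal host 2001:db8:1234:1::10 that should be reachable on SSH.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional on IPv6: neighbour discovery, router
        # advertisements and path-MTU discovery all depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Management of the router itself only from the LAN side.
        iifname "lan0" tcp dport 22 accept

        # DHCPv6 client replies for the router's own WAN address/prefix (client port 546).
        iifname "wan0" udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate anything outbound; replies come back via ct state.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors and echo must be forwarded so PMTUD works behind the router.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # The "one rule at the firewall": expose SSH on one internal host.
        # With globally routable addresses there is nothing to translate;
        # the rule simply names the real destination.
        iifname "wan0" ip6 daddr 2001:db8:1234:1::10 tcp dport 22 ct state new accept
    }
}
```

Load it with nft -f on the router (nft -c -f only checks the syntax without applying). The default-drop policies give the same "nothing inside is reachable unless I say so" property that NAT provides as a side effect, without the port-forwarding chain the comment above describes, and the ICMPv6 accept lines are what people most often forget when they port an IPv4 ruleset.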
Google should give search result priority to IPv6 sites. This will provide a nudge to get the momentum of SEO sensitive businesses on the right path.
They will care once a large percentage cannot accept incoming connections. On a local network with NAT, you have UPNP, but you do not get that with carrier-grade NAT. Multiplayer games all over the place will start having issues. Console games do some sketchy things to allow other players without port-forwarding to play, like using other players as a proxy.
> But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite".
Haven't heard anyone call it infinite. Sounds like a bit of a straw man. But I have heard it's enough to give each square centimetre of the Earth 2 million addresses each, or to uniquely address every cubic foot of the Milky Way galaxy, so it is quite a lot.
I get that NAT isn't a firewall, but I think it makes a nice second layer.
Let's say I'm using shorewall, and for whatever reason I break my config and don't notice.
Consider: (big bad internet) -- (broken shorewall + nat) -- (internal boxes)
Suddenly you can't get to anything I was forwarding (which I'll probably notice) and yes there are probably effective attacks to get at my internal boxes through the nat, but at least it's not wide open as I imagine it would be in a configuration without nat.
I don't think you've played any games in the past 10 years. A lot of games require port-forwarding or UPNP to be working if you want to play. UPNP is pretty much enabled out of the box, so port-forwarding is transparent to most users, but CG-NAT would break that and consoles everywhere would cease working for many games.
$70 for a 70/70 dedicated fiber connection over here. ISP says it's great for web hosting. My 0.2ms ping agrees. 7ms to Chicago. My trace routes go like this Me -> ISP -> Level 3. 1 hop. fk yeah! Freaking 0.2ms hop at that.
Because it HASN'T served you for years as evidenced here.
Your "knowledge" that it "still does its job" is irrelevant - because you were dead wrong on the subject all that time. You're an ignorant and arrogant fool that nobody should give the time of day to on this subject.
That's a good argument. I would agree the switch to IPv6 has taken too long and thus it has legacy problems already before implementation. I'd pick IPv6 over IPv4 but I'd certainly pick something better were that on the table as an option.
I've had IPv6 connectivity for the past 8 years, and native IPv6 connectivity through Comcast for the past two. The last time I installed a new modem and router, the configuration was automatic.
The deployment process has been extremely slow, but in 10 years, most connections will be happening over IPv6 and most people won't even notice. Even tech savvy people will mostly find out when they try to debug something and realize the IP address is funny looking.
-- The act of censorship is always worse than whatever is being censored. Always.
> people who have no interest in running a server
Are they just unaware of what advantages running a home server can offer? Or have the benefits of a server been explained to them after which they still decline?
It's still a chicken-and-egg question. How does the link-local nameserver in customer-owned equipment configure itself?
Have the porn industry convert and all the issues will get solved quickly. Adaptation will follow ASAP.
I personally believe that IPv6 is just too many numbers for most people to input and remember when something is needed to be done quickly. If they could only make an alternate version slightly shorter. I do like the concept of the double colon (xx::xx) for a shortcut.
> Oh, did you mean "NAT as it existed before we ran out of IP addresses"? Well, that's why we need IPv6, now when we are talking about NAT, it includes carrier-grade NAT.
If you're behind a carrier grade NAT then fiddling with your own router config won't help much will it. That's the part I quoted and objected to.
Don't worry about it too much. :) There's always someone in Slashdot who starts the "it's not a real firewall" whining when one mentions that he is using NAT to block incoming connections.
I run my own Teamspeak server, PPTP VPN, multiple game servers for my friends and I, a Plex server and probably numerous other things that will break. Please show me how I can trade that in for AWS that will run out of IPs as well some time soon.
As far as underpowered hardware, I have a dual quad Xeon with 64 GB ram. Uncontrolled, well you got me there, I don't have redundant air conditioning. Asymmetrical, nope, FiOS went Symmetric already. But, running all of this is much cheaper than paying someone else to run all these services for me.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
He is trying to make the tired argument that residential connections aren't supposed to run servers. Technically you can get disconnected by your ISP for it, but FiOS actually seems to encourage it. Why else would they have symmetric for all their network?
I've been playing around with my own (tunneled) IPv6 prefix at home for some time now. (I think Comcast will deliver IPv6 to me - but I haven't bothered yet.)
I run IPv6 on some of my home LANs, but not on the one I have with legacy equipment on it like webcams, TV sets, printers, and other "Internet of Things" like devices that never get patches. Those networks get the usual NAT'd IPv4 stuff.
On my IPv6 networks, I have EUI addressing turned off - a pseudo-random address gets generated from time to time (within the IPv6 LAN network prefix), and I often see those devices having multiple simultaneous IPv6 addresses. I believe that this is the default anyway for modern OSes.
And so I think that any counting of adoption by full 128-bit IPv6 addresses will dramatically over-count IPv6 adoption - even if NAT could be taken into account. Google's technicians will know this. Google's marketeers might not care.
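The post above mentions EUI addressing being turned off in favour of pseudo-random, rotating addresses, and draws a conclusion about adoption counts from that. As an added example (not the poster's code), the script below shows both derivations with Python's standard ipaddress module: the modified EUI-64 interface identifier (RFC 4291), which embeds the MAC and so makes a host trackable across networks, and a random temporary identifier in the style of RFC 4941. It also includes the /64 arithmetic the thread argues about. The MAC 00:11:22:33:44:55 and the 2001:db8:: prefixes are constructed sample values.

```python
"""Added example (not from the thread): IPv6 interface identifiers.

Two SLAAC address-selection methods discussed in the comments:
  * modified EUI-64 (RFC 4291): IID = MAC with ff:fe inserted and the
    universal/local bit flipped; constant, and it reveals the hardware address;
  * privacy extensions (RFC 4941): random IID, rotated over time, so one
    host shows up under several addresses at once.
"""
import ipaddress
import secrets
from typing import Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (64-bit int) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address like 00:11:22:33:44:55")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # flip the universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfigured address: /64 prefix plus EUI-64 IID (no privacy)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address; None if the IID is not
    EUI-64 shaped (this is exactly the leak privacy extensions avoid)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02                        # undo the u/l bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """Temporary address in the style of RFC 4941: random 64-bit IID with the
    u/l bit (bit 57 of the IID) cleared so it is never mistaken for an EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses live in a /64")
    iid = int.from_bytes(secrets.token_bytes(8), "big") & ~(1 << 57)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def count_64s(prefix: str) -> int:
    """How many /64 LANs fit in a prefix, e.g. 2000::/3 -> 2**61."""
    net = ipaddress.IPv6Network(prefix)
    return 0 if net.prefixlen > 64 else 1 << (64 - net.prefixlen)


if __name__ == "__main__":
    # Constructed sample values (documentation prefix and a made-up MAC).
    mac = "00:11:22:33:44:55"
    fixed = slaac_address("2001:db8::/64", mac)
    print("EUI-64 address :", fixed, "-> MAC recoverable:", mac_from_slaac(str(fixed)))
    for _ in range(3):
        tmp = privacy_address("2001:db8::/64")
        print("temporary      :", tmp, "-> MAC recoverable:", mac_from_slaac(str(tmp)))
    print("/64s in 2000::/3:", count_64s("2000::/3"))
```

Running it shows one stable address that gives the MAC back and three unrelated temporary ones for the same host, which is the over-counting effect the post describes; note that mac_from_slaac only answers "EUI-64 shaped or not", so a random IID that happens to contain ff:fe in the middle would be misclassified.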
> There's only so much NAT can do
True
> and it's doing it now.
Nowhere near it, there are loads of public IPs that have only one or a handful of systems behind them. How many systems you can put behind a public IP will depend on the details of what they are doing and the details of the NAT implementation but I would think 100 machines per internet IP is more than feasible.
On the server side https hosting traditionally needed one IP per certificate (with each certificate covering either one hostname or a small group of hostnames) but SNI removes that need and with Windows XP and Android 2.x gradually fading using SNI starts to look like a more and more reasonable option.
I don't like the world that ISP level IPv4 NAT would give but pretending it's not a feasible solution is silly.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
You clearly don't understand what NAT is. Though NAT is included with almost all firewalls, it is not there to address security. It was introduced to conserve the limited address space that IPv4 provides. Since IPv6 greatly expands the number of available addresses, it is painfully obvious that NAT will go away for a great majority of users.
Will NAT go away in an all IPv6 world? No. It will fill some niche for those that have a specific need for NAT. A niche that 99% of home users, much like yourself, won't need or even understand.
NAT is gateway functionality and was never meant to address security.
This is part of the AUP of my local ISP, the cable company:
By way of example (without limitation) you may not:
Use or run dedicated, stand-alone equipment or servers from your premises that provide network content or any other services to anyone outside of your premises. Examples of prohibited equipment and servers include, but are not limited to, email, Web hosting, file sharing, and proxy services and servers;
They don't mind if you do things on a temporary basis (I've accessed a machine via ssh and ran an IRC server for a few hours), but they don't want 24/7 servers on home connections.
They also don't mind occasional use of bittorrent for things like Linux distros, software updates and the like. But they don't want you running a BT client 24/7.
> Though NAT is included with almost all firewalls, it is not there to address security.
You missed my point. Firewalls are needed for security, and if you have a firewall, you can do NAT. Not needing NAT becomes a non-feature because it doesn't significantly impact complexity or cost.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
"ISPs".
"now, an ISP".
"may impose a lot of" or "may charge a lot of".
"outlet".
"their".
"providers".
etc.
Slashdot thoughtfully provides a "Preview" button on its post/reply page. Please use it.
But it isn't feasible. On the server side, you can stuff a number of virtual websites behind a single IP, but many customers want their own VM (sometimes for very good reasons). There are things other than http(s) on the net.
On the client side, there is a matter of administrative control. Who will own the NAT device that you and your neighbors all sit behind so that you can be NATed behind a single IP? Do you want to leave it up to your ISP if a rule can be added to the NAT box so you can ssh into your network through a selected port? What if your neighbor wants the same port for something else?
It sounds more like a desperate last resort than a real solution. Compared to that kind of pain, upgrading to IPv6 is a no-brainer.
> But it isn't feasible. On the server side, you can stuff a number of virtual websites behind a single IP, but many customers want their own VM (sometimes for very good reasons).
Reverse load balancers could be an option here if/when IPv4 prices rise to a level where the IPv4 address is a significant part of the cost of a VM.
> There are things other than http(s) on the net.
While obviously literally true, afaict services other than http(s) and mail are the exception not the rule.
> On the client side, there is a matter of administrative control. Who will own the NAT device that you and your neighbors all sit behind so that you can be NATed behind a single IP? Do you want to leave it up to your ISP if a rule can be added to the NAT box so you can ssh into your network through a selected port?
Just because you and I don't like the implications of something doesn't make it unfeasible.
> It sounds more like a desperate last resort than a real solution.
Sure.
> Compared to that kind of pain, upgrading to IPv6 is a no-brainer.
For better or worse the internet lacks any strong central authority. If it had one maybe we would have had ubiquitous deployment of IPv6 in the 2000s allowing for an IPv4 sunset now.
That hasn't happened though, there are still loads of clients and servers that are IPv4 only (including the one we are discussing this on).
So the choice now is not between "deploy horrible mechanisms to keep IPv4 on life support" and "deploy ipv6". The choice now is between "deploy horrible mechanisms to keep IPv4 on life support without deploying IPv6" and "horrible mechanisms to keep IPv4 on life support and also IPv6".
While I'm in favour of the latter, denying that the former is an option is just self-delusion.
In C++, use smart pointers with a little intelligence and discipline. That's what they're there for.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The thing is, it wouldn't just suck for people who know what they're doing. VOIP and some games won't work well that way either. Anything like that needs to be seen as a stopgap only running in parallel with IPv6 deployment. There actually are people claiming that more NATting faster is an actual solution to the problem INSTEAD of IPv6.
It's important not to mistake the bridge to the solution for the actual solution.
One way it might help is that it will make IPv4 feel very much like the second class citizen.
Yeah yeah. Certainly a good programmer who writes perfect code with faultless discipline can write C++ code with no memory leaks. I totally agree. But that is the rare case, not the common case. Or, at least, memory leaks are fairly common in C code. Memory leaks in C++ were the #1 most famous kind of bug. Memory leaks in Java are so rare that I can only think of one in fifteen years of programming -- and that one was long ago due to circular data structures which today are garbage collected.
The original claim was it's actually *easier* in Java/C# to leak memory which I claim is plainly wrong.
1st reason: service security starts with the physical security of the server. 2nd reason: when did God say that amazon is owed a tithe?
My Australian ISP (Internode, now iiNet) was one of the leading promoters of IPv6 and was one of the first to offer such connections, years ago. Many customers used IPv6 with no issues for several years. Then Netflix came to Australia. Netflix, in addition to some Australian digital TV channels and a few local mirrors is excluded from the ISP's broadband quotas. But it turns out, quota exclusion only works for IPv4. So people set their account back to a IPv4 connection.
Because of this, valuable momentum in IPv6 adoption has been lost.
> Are they just unaware of what advantages running a home server can offer? Or have
> the benefits of a server been explained to them after which they still decline?
Linux nerd here... sorry, but I have better things to do with my time than worry about constantly patching and running smtp/web/ftp servers, and constantly monitoring logs, etc, etc, etc. Having a life gets in the way of an internet.
I have a reasonable idea of how vulnerable linux servers are on the open internet. It's mind-boggling how easily the average Joe/Jane Lunchbucket gets pwnd/social-engineered even with a client machine behind a stateful firewall. Give every one of them a server, and if you think today's botnets are something, you ain't seen nothing yet.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
a score of 5 for this tired old ignorant shit? Alright, let's get cracking.
RA, aka. ICMP router advertisement. Abandoned circa 1970 as a "bad idea". It was a colossally bad idea in the 90's, and f'ing suicidally bad in 2000+. Yeah, let's trust whoever the f*** on the cable claims to be a router and send it our traffic. Oh, to protect my network(s) from that brain damage, I have to buy new switches that support "RA Guard"
Right, because DHCP totally solves spoofing problems yeah?
They didn't like DHCP. So "no f***ing DHCP in IPv6!" DHCPv6 is a bolt-on, staple-on, and bandaid addition to IPv6. It's a horribly incomplete shadow of DHCPv4, and still requires an RA tell you to use it.
No it isn't. You can do practically everything that DHCPv4 does with DHCPv6. Yes you should send an RA, so what? DHCPv4 is as much if not more of a bolt-on than DHCPv6 is (in so far as it's absolutely not part of the protocol stack whatsoever)
SLAAC... originally 80bit prefix plus 48bit MAC. They ignored the fact that ethernet is not the only technology in the universe. That was later amended (breaking older stacks) to 64bits. The entire purpose for the vast over-simplification of address selection (for tiny embedded systems with limited RAM/ROM/CPU) became moot 7sec into the IPng committee's existence -- IPSec shoots all three in the head, repeatedly, with artillery. Everything supports privacy extensions these days, so the logic for random address generation and duplicate address detection is there -- and rather trivial. Yet it, and SLAAC, demands the prefix-length be 64. Just to put that silliness in perspective, that's a single LAN with every ethernet device ever created (that will ever be created) in it 65,536 times over.
Just to put YOUR silliness in perspective: the remaining number of bits is 2^61 (within 2000::/3 obviously) which comes to 2,305,843,009,213,693,952 /64s. Get a damn sense of perspective. As far as "older stacks" go... clearly not anything seriously used in production today.
This leads nicely into the blindness to history... a 64bit LAN is pure lunacy. Today and likely for several decades. But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite". Sure, we can change the way we do things "with the next ::/8", but that dooms us to live with the colossal stupid of this ::/8 for ever. Again, dooming us (and our children's great grand-children) to live with our bullshit. We did a lot of stupid things with IPv4; and we're doing them all over again with IPv6.
No, your failure to grasp the scale of numbers is pure lunacy. If we somehow manage to fuck up 2000::/3, there's several times the size of the current global IP space waiting to be spun up with the flick of a pen, so we have plenty of opportunity to make mistakes.
Why? I'm an ex-Network Engineer.
Guess now we know why you are 'ex.' You don't sound like you understand the situation and other people's needs very well.
"First they came for the slanderers and i said nothing."
The problem is that people like you 'never think about it' and people like me get paid to clean up after your mess.
Come to think of it, that's not a problem, I get paid for it. Keep sucking, bro.
C# and Java don't solve the memory leak problem, and those who think they do are invariably sucky programmers.
Eh, IPv6 is spreading more and more. If you run netstat on your phone, you'll probably see a few ipv6 connections open.
I note that you did not specify which Xeon chips you actually have, which kind of suggests a set of E5450 or something similar. FiOS does not charge you enough for a continually saturated link, whether it is 25 or 500mbps, so you are still contending with some hard and secret GB limit (starts to make the $/GB model seem more appealing). Game servers tend to be pretty light, and most could run on very modest AWS hardware. Beyond that, EC2 costs nothing when the machines are powered down, and they provide a robust API & access control that would easily allow your friends to boot/stop the machines on demand. That setup is how my friends game, and you really should at least consider it when the service life of your server machine finally ends.
That's not what I said. I said that a reasonable amount of local discipline will avoid memory leaks.
When you allocate memory, assign it to a unique_ptr or shared_ptr. Do not change the type of the pointer thereafter. Allow raw pointers only for non-owning pointers, so deleting a pointer is an obvious mistake. This does not require perfect code or flawless discipline. All deviations can easily be spotted in a code review.
I wasn't talking about C memory leaks, since C is a different language. C++ used to use C-style memory management (with constructors and destructors attached), but the original standard had one sort of smart pointer, the second was in the 2003 Technical Report, and the original smart pointer was replaced with something much better in the 2011 Standard.
Right right, I'm not trying to say you made the claim, but my response is to Cramer's statement: it's actually *easier* in Java/C# to leak memory.
Okay, sounds good! Come work where I work and maybe someday you can find a bug to fix. So far, sucking has resulted in no memory leaks, but maybe it will someday.
Because I didn't waste company money on white elephants and have since been promoted and earning double what I was then? Yeah, you got it in one.
Heh.....got promoted to management, and now you don't know what you're talking about. Typical.
> So far, sucking has resulted in no memory leaks,
It has, you just don't know how to find them.
Either that, or you don't write anything significant. Which sounds likely.
Yeah that's probably it. I suck and I don't do anything important.
Probably. You could use some improvement anyway.
You should come educate me so I don't suck so much. Find me in Palo Alto, we'll have a cookie at CREAM then go to my office for a lesson in Java memory leaks.
> then go to my office for a lesson in Java memory leaks.
If you have a program that is long-running (that is, it doesn't clear all the objects you created every time a new http request comes in), and you aren't thinking about memory leaks, then you have them.
Recently I saw a case where a guy had written a program half in C and half in Java. It had some leaks in it but he couldn't find them (mainly he had not been using any introspection tools, so it's not surprising. If you want to find leaks, you need to be able to look at what's going on with your memory. Use jmap or something).
Comcast may have lots of other issues as an ISP, such as banning customers from running servers at home, and monthly usage caps (if they still do that), but they were ahead of most other US consumer ISPs on taking IPv6 seriously.
(My ISP supports IPv6 over tunnels, but doesn't run native dual-stack, at least on telco DSL. And I really should get around to actually trying it out, but I haven't...)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Back when I was closer to the ISP business, the general plan of most consumer ISPs was to start supporting IPv6 (once they had all their hardware and operations support systems able to manage it - it's amazing how many moving parts there are), and migrate most users to dual-stack, with NAT for IPv4 plus native IPv6, or else to use NAT IPv4 with tunneled IPv6.
IPv6 was originally supposed to solve a whole lot of problems - not only did it have longer addresses (which ISPs need to avoid having to deploy customers on NAT, and in general to avoid running out of address spaces and crashing into the "Here Be Dragons" sign at the edge), but it was also supposed to solve a whole lot of other problems, like route aggregation, security, multihoming, automatic addressing, etc.
A lot of that turned out to be wishful thinking, e.g. the hard part about IPSEC tunnels is the key exchange and authentication, not building the tunnels, route aggregation didn't really work out because enterprises weren't willing to use carrier addresses instead of their own, and small carriers also wanted their own addresses instead of sharing their upstream's address space, or if it wasn't wishful thinking, it was addressing problems that IPv4 found other solutions for, like DHCP for automatic addressing.
And while NAT is a hopeless botch, it does provide a simple-minded stateful firewall as default behaviour, while IPv6 users need explicit firewalling to get the same security with real addresses (which they needed to do anyway, but especially if you're using tunnels, you have to be sure to put it in all the right places).
Yeah, that turned out to be one of the big problems with IPv6 address aggregation - sounds great in the ivory tower, doesn't meet the needs of real customers, which is too bad, because every company that wants their own AS and routable address block is demanding a resource from every backbone router in the world.
IPv6's solution to the problem was to allow interfaces to have multiple IPv6 addresses, so you'd advertise address 2001:AAAA:xyzw:: on Carrier A and 2001:BBBB:abcd:: on Carrier B, both of which can reach your premises routers and firewalls, and if a backhoe or router failure takes out your access to Carrier A, people can still reach your Carrier B address. Except, well, your DNS server needs to update pretty much instantly, and browsers often cache DNS results for a day or more, so half your users won't be able to reach your website, and address aggregation means that you didn't get your own BGP AS to announce route changes with, but hey, your outgoing traffic will still be fine.
My back-of-a-napkin solution to this a few years ago was that there's an obvious business model for a few ISPs to conspire to jointly provide dual-homing. For instance, if you've got up to 256 carriers, 00 through FF, each pair aa and bb can use BGP to advertise a block 2222:aabb:/32 to the world, and have customer 2222:aabb:xyzw::/48, so the global BGP tables get 32K routes for the pairs of ISPs, and each pair of ISPs shares another up-to-64K routes with each other using either iBGP or other local routing protocols to deal with their customers' actual dual homing. (Obviously you can vary the number of ISPs, size of the dual-homed blocks, amount of prefix for this application (since :2222: may be too long), etc.)
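The pair-of-ISPs address layout sketched in the post above, worked through with Python's standard ipaddress module. This is an added example, not the poster's own design or code. The assumptions are mine: the leading 16 bits are a hypothetical 0x2222 allocation, the next 16 bits are two 8-bit carrier IDs aa and bb, pairs are unordered (so (aa,bb) and (bb,aa) are the same /32), and each customer gets a /48 directly under the pair's /32. The functions compute the announced /32, a customer /48 inside it, the route counts the post quotes, and the reverse lookup from any address back to the pair of carriers that serve it.

```python
"""Pair-of-carriers dual-homing address scheme (added example, not from the thread)."""
import ipaddress

TOP16 = 0x2222           # hypothetical allocation for the whole scheme (assumption)
PAIR_PREFIX_LEN = 32     # one /32 per unordered pair of carriers, in the global table
CUSTOMER_PREFIX_LEN = 48 # one /48 per dual-homed customer, exchanged only between the pair


def pair_block(a: int, b: int) -> ipaddress.IPv6Network:
    """The /32 that carriers a and b jointly announce via BGP to the world."""
    if not (0 <= a <= 0xFF and 0 <= b <= 0xFF):
        raise ValueError("carrier ids are 8-bit (00..FF)")
    a, b = sorted((a, b))          # canonicalise: the pair is unordered
    aabb = (a << 8) | b
    value = ((TOP16 << 16) | aabb) << 96   # 2222:aabb:: as a 128-bit integer
    return ipaddress.IPv6Network((value, PAIR_PREFIX_LEN))


def customer_block(a: int, b: int, xyzw: int) -> ipaddress.IPv6Network:
    """The customer /48 2222:aabb:xyzw::/48 that only the two carriers need to carry."""
    if not 0 <= xyzw <= 0xFFFF:
        raise ValueError("customer id is 16-bit")
    base = int(pair_block(a, b).network_address)
    return ipaddress.IPv6Network((base | (xyzw << 80), CUSTOMER_PREFIX_LEN))


def serving_pair(addr: str) -> tuple:
    """Recover (a, b) from any address in the scheme: which pair announces its /32."""
    value = int(ipaddress.IPv6Address(addr))
    if (value >> 112) != TOP16:
        raise ValueError("address is not inside the %x::/16 scheme" % TOP16)
    aabb = (value >> 96) & 0xFFFF
    return (aabb >> 8, aabb & 0xFF)


def global_route_count(n_carriers: int = 256, include_single_homed: bool = False) -> int:
    """Number of /32s the global table carries if every pair is used.

    Unordered pairs of 256 carriers: 256*255/2 = 32640, the post's "32K routes".
    Allowing aa == bb (a single-homed block per carrier) adds n_carriers more.
    """
    pairs = n_carriers * (n_carriers - 1) // 2
    return pairs + (n_carriers if include_single_homed else 0)


def customers_per_pair() -> int:
    """/48s available inside one pair's /32: 2^(48-32) = 65536, the post's "64K"."""
    return 2 ** (CUSTOMER_PREFIX_LEN - PAIR_PREFIX_LEN)


if __name__ == "__main__":
    blk = pair_block(0x0A, 0x0B)
    cust = customer_block(0x0A, 0x0B, 0x1234)
    print(blk, cust, cust.subnet_of(blk), serving_pair("2222:a0b:1234::1"))
    print(global_route_count(), customers_per_pair())
```

The point the arithmetic makes is the one the post makes: the global table grows with the number of carrier pairs, not with the number of dual-homed customers, and a customer's /48 is findable from its address alone without a BGP announcement of its own.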
your outgoing traffic will still be fine
That may not be fine either, since unless IPv6 can cram both host IPs into the packet, existing sessions will get dropped (which may not happen with IPv4, since IPs stay the same). Also, that requires more complex firewall configuration (what's the probability that one of the IPs will not be entered?).
My back-of-a-napkin solution to this a few years ago was that there's an obvious business model for a few ISP to conspire to jointly provide dual-homing.
There are a few problems with this:
1. The ISPs must be willing to cooperate (unlike now, when they only have to provide BGP access).
2. The customer still cannot change ISPs (now I can take my AS to another ISP if I do not like the current one or another pair of ISPs if I'm moving and the current ISPs do not provide service in the new location).
3. The failure of an ISP must trigger a BGP announce to stop traffic from coming to it. This may not happen. We have had multiple problems where the main ISP failed but did not announce that - our BGP router still thought that the ISP was good. I had to write a script that checks if the internet is accessible and if not (for a few minutes) forces our BGP router to use the other ISP (done with prepends and priorities).
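The "is the Internet reachable, and has it been down for a few minutes?" logic behind a forced failover like the one described in point 3, as an added example; this is not the poster's script. Assumptions are mine: reachability is probed with plain TCP connects to a few well-known public resolver addresses (optionally bound to the primary link's source address so the probe actually exercises that ISP), the decision is a state machine with a hold-down in both directions so a short blip does not flap the routing policy, and the router change itself is left to a caller-supplied callback, because the command to add AS-path prepends or change local preference differs per router platform and is not something this example can invent.

```python
"""Reachability-driven BGP failover decision logic (added example, not the poster's script)."""
import socket
import time

# Constructed probe list: public DNS resolvers on TCP/53 (assumption; pick your own).
PROBE_TARGETS = [
    ("2001:4860:4860::8888", 53),
    ("2606:4700:4700::1111", 53),
    ("1.1.1.1", 53),
]


def internet_reachable(targets=PROBE_TARGETS, timeout=2.0, source_address=None) -> bool:
    """True if any target accepts a TCP connection.

    source_address=(ip, 0) pins the probe to an address on the primary link so the
    check goes out through the ISP being monitored rather than whatever route wins.
    """
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=timeout,
                                          source_address=source_address):
                return True
        except OSError:
            continue
    return False


class FailoverMonitor:
    """Decide when to force traffic to the secondary ISP and when to move it back.

    observe() is fed one probe result at a time with a timestamp and returns
    "failover", "restore" or None; every action is also recorded in .actions.
    """

    def __init__(self, down_after=180.0, up_after=300.0, on_change=None):
        self.down_after = down_after   # seconds of continuous failure before failing over
        self.up_after = up_after       # seconds of continuous success before restoring
        self.on_change = on_change     # hypothetical callback that reconfigures the router
        self.failed_over = False
        self._bad_since = None
        self._good_since = None
        self.actions = []

    def _act(self, action: str, now: float) -> str:
        self.actions.append((action, now))
        if self.on_change is not None:
            self.on_change(action)     # e.g. push prepends / local-pref change to the router
        return action

    def observe(self, reachable: bool, now: float):
        if reachable:
            self._bad_since = None                      # any success resets the down timer
            if self._good_since is None:
                self._good_since = now
            if self.failed_over and now - self._good_since >= self.up_after:
                self.failed_over = False
                return self._act("restore", now)
        else:
            self._good_since = None                     # any failure resets the up timer
            if self._bad_since is None:
                self._bad_since = now
            if not self.failed_over and now - self._bad_since >= self.down_after:
                self.failed_over = True
                return self._act("failover", now)
        return None


def run(monitor: FailoverMonitor, interval: float = 30.0, source_address=None):
    """Poll forever; call from a service or cron-style wrapper on the BGP box."""
    while True:
        action = monitor.observe(internet_reachable(source_address=source_address), time.time())
        if action:
            print(time.strftime("%Y-%m-%d %H:%M:%S"), action)
        time.sleep(interval)
```

The two hold-down timers are the part worth copying: failing over needs a few minutes of continuous failure (the poster's "for a few minutes"), and restoring needs a longer run of continuous success, so a primary that is half-working does not bounce the announcement back and forth and churn everyone else's BGP tables.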
Yeah that's it. Cognitive dissonance is a powerful force.
And my response was to your statement about C++ memory exploding in no time. We may now be in agreement.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
NAT != Firewall != Stateful Packet Inspection; they are all useful tools but independent functions. Having NAT for IPv6 might be useful in some circumstances but not as the way to access the Internet. The default way should be as IPv6 promises, via unique addressing, and your router should just operate SPI to protect your site from inbound attacks.
Simplified routing is very useful, smaller global routing tables, no need for (buggy/problematic) extensions to BGP to cope with a large number of ASes and large number of prefixes announced.
Larger Address Space: You do not cite any actual issue. I can't think of a downside. 6 extra bytes per packet, and there are plenty of useless bits in IPv4 headers, but Meh!, technology now is faster and more dense than it was in the 1970s when IPv4 was created. So the extra bytes in the header are fine by me.
WTF, RA is no less secure than DHCP. If you need to correct the issue of who to trust on the network then buy an enterprise router, which has features such as device authentication and broadcast control (you can control who gets to be a "server" using the broadcast, without affecting ARP).
RA is pretty secure; for example, if another device managed to announce it was the router (without the real router seeing), it would still need to hijack packets and somehow send them somewhere useful (without going via the real router, since it could reject them as not coming from the correct MAC, or the fake device would need to perform NAT). It's no more broken than someone buying a $10 router and plugging it in and the DHCP server that is on by default taking your network down.
I really don't see the issue with the address space. The carve-up plan looks just fine. Maybe you can draw up some projections to highlight your areas of concern. This version of the IP protocol only has to live the next 100 years, since within about 50 years there will be another version out, even if it takes 25 years to adopt.