Slashdot Mirror


Why the Journey To IPv6 Is Still the Road Less Traveled

alphadogg writes: The writing's on the wall about the short supply of IPv4 addresses, and IPv6 has been around since 1999. Then why does the new protocol still make up just a fraction of the Internet? Though IPv6 is finished technology that works, rolling it out may be either a simple process or a complicated and risky one, depending on what role you play on the Internet. And the rewards for doing so aren't always obvious. For one thing, making your site or service available via IPv6 only helps the relatively small number of users who are already set up with the protocol, creating a nagging chicken-and-egg problem.

  1. I'm ready....My ISP isn't. by Anonymous Coward · · Score: 5, Informative

    My border router is more than IPv6 ready. It's already passing out IPv6 addresses internally to the few devices which are capable of them. Not that it matters to me though, my ISP doesn't support IPv6 so what's the point? Yea, I can touch my router from my laptop over IPv6, but what does that get me?

    Who is my ISP? Why Verizon FIOS of course. Until they decide to support IPv6 and give out addresses to people like me who are ready to use it, there won't be any mass adoption of IPv6 by their customers.

    Are there any ISPs out there which support residential IPv6?

    1. Re:I'm ready....My ISP isn't. by Anonymous Coward · · Score: 3, Interesting

      Contact the guys here about it. I helped them troubleshoot some IPv6 issues in my area and they are actually very very eager to get it right.

      In fact, much as I dislike Comcast in general, their IPv6 rollout has been pretty well handled.

    2. Re: I'm ready....My ISP isn't. by Dr.+Manhattan · · Score: 5, Interesting

      Got ATT Uverse, and Youtube videos were a choppy, stuttering mess. Googled a bit, and sure enough, disabling IPv6 in the router cleared up the problems.

      --
      PHEM - party like it's 1997-2003!
    3. Re: I'm ready....My ISP isn't. by Anonymous Coward · · Score: 1

      Exactly. Existing isps have all the ipv4. Supply and demand, they can charge more if there is a shortage. And with dual stack ipv4 support required there is only risk. I am ipv6 enabled at home, but isp is not. I run some forums on the net. They are ipv6 enabled and looking at the logs clients are nearly entirely ipv4 but lots of notification emails go ipv6 to gmail every day with no problems. There needs to be some incentive for the isps to bring ipv6 clients online.

    4. Re: I'm ready....My ISP isn't. by PRMan · · Score: 1

      I had the same thing on Time Warner. I thought it was part of their dispute, but disabling IPv6 did the trick. Seems to work now, though.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    5. Re: I'm ready....My ISP isn't. by grim4593 · · Score: 1

      I had the same problem with my Uverse service - Every time I have enabled IPV6 (or they replace our gateway) I get stuttering videos and unresponsive webpages.

    6. Re:I'm ready....My ISP isn't. by ralphsiegler · · Score: 1

      Comcast IPV6 working fine for me at home with Linux Mint 17.1 and OpenBSD 5.6

    7. Re:I'm ready....My ISP isn't. by itzly · · Score: 4, Interesting

      Are there any ISPs out there which support residential IPv6?

      My ISP (in Europe) has supported IPv6 for a few years now. A while ago I got a firmware update for my ADSL modem, and since then I've been automatically connected with an IPv6 address, as well as an IPv4 address. I didn't have to do anything on my side, and it just works. It's surprising that not more ISPs have taken the same route.

    8. Re: I'm ready....My ISP isn't. by hcs_$reboot · · Score: 1

      So we may end up using Internet from a NATed ISP, itself NATed... and we may run out of private IPs as well!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    9. Re: I'm ready....My ISP isn't. by oobayly · · Score: 1

      I'm pretty sure that all the people extolling the virtues of NAT have never had to deal with Carrier-Grade NAT.

    10. Re: I'm ready....My ISP isn't. by hcs_$reboot · · Score: 1

      How good is that?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    11. Re:I'm ready....My ISP isn't. by gbjbaanb · · Score: 1

      Andrews and Arnold will give you IPv6... but you forgot to say which country you are in, so maybe this information is useless to you! (they're in the UK BTW)

      But we're making progress, a few years ago the routers weren't IPv6 compatible and everyone said why should they bother if there wasn't any ISP support, and the ISPs wouldn't add IPv6 support as the routers weren't compatible.

      Now this chicken-and-egg situation is broken, they have no excuses.

    12. Re:I'm ready....My ISP isn't. by Anonymous Coward · · Score: 2, Funny

      (in Europe)

      That's because you're in the magical fucking land of Europe where rainbows and unicorns live.

      I swear, how much bullshit can you come up with?

    13. Re: I'm ready....My ISP isn't. by Mariner28 · · Score: 1

      I'd venture a guess that AT&T Uverse either hasn't IPv6-enabled their CDN, or they haven't executed any contracts with their CDN suppliers which demand IPv6 support. IOW - Stuttering videos aren't caused by IPv6, it's probably because AT&T may not yet allow Netflix or Google/Youtube to install 6-enabled caching servers in AT&T's network. I wonder how their own video streaming sources work over IPv6? I can't test that theory because right now my ISP is Verizon FIOS...

      --
      "A little misunderstanding? Galileo and the Pope had a little misunderstanding."
    14. Re: I'm ready....My ISP isn't. by Bacon+Bits · · Score: 1

      Pfft. Then you just add another layer of NAT! You can make 4 million two host networks with 10.0.0.0/24. Then you can put 4 million two host networks on each of those networks, too. Now you've got support for 17 trillion end user devices!

      Much like turtles, the Internet could be IPv4 NAT all the way down....

      Honestly, without regulation or legislation, I suspect that's how we'll end up.

      --
      The road to tyranny has always been paved with claims of necessity.
    15. Re:I'm ready....My ISP isn't. by Ksevio · · Score: 1

      I have IPv6 from Comcast that works pretty well. Used to have FiOS, but no IPv6 there.

    16. Re:I'm ready....My ISP isn't. by jbburks · · Score: 2

      Gee. Europe started with that GSM thingy. They were doing cellular much better than the US with TDMA and CDMA. Universal handsets. No subsidy lock. Maybe they have limited resources so they use them better.

    17. Re:I'm ready....My ISP isn't. by Streetlight · · Score: 1

      Comcast subscriber here, IPv6 works fine and I think Comcast has rolled out IPv6 throughout its footprint. One problem some folks, including me, have had with Comcast is setting up a router to recognize IPv6. One may need to log in to a router's home page and enable IPv6 on its IPv6 page. Might take a firmware update and information on the router's web site.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    18. Re:I'm ready....My ISP isn't. by Coren22 · · Score: 1

      http://www.verizon.com/support...

      FiOS is working on it. Some of their routers don't support it yet, and as they use funky routers, it isn't exactly like you can go to Best Buy and get a new one.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    19. Re:I'm ready....My ISP isn't. by mtippett · · Score: 1

      AT&T does - phone support has their playbook, which doesn't go very far. Their online customer support actually was very helpful.

      My story getting IPV6 on AT&T - http://use-cases.org/2015/01/1...

  2. The answer has been clear by Anonymous Coward · · Score: 1, Insightful

    Why are we revisiting? Ipv6 simply has too much overhead.

    1. Re:The answer has been clear by pe1rxq · · Score: 2

      Which overhead do you mean exactly?
      The increased address size is not really a problem, route aggregation actually makes routing ipv6 easier than ipv4.
      Packet size increases a bit (20 bytes) but calling that 'too much' is simply unfair.

      --
      Secure messaging: http://quickmsg.vreeken.net/
    2. Re:The answer has been clear by jonwil · · Score: 1

      Getting big-iron carrier/backbone grade routers and other kit that can do IPv6 just as fast as the current gear does IPv4 is expensive.

    3. Re: The answer has been clear by Anonymous Coward · · Score: 1

      A new alternative that's been emerging is www.enhancedip.org. It's an extension to NAT that allows for 64-bit addresses.

    4. Re:The answer has been clear by jaredmauch · · Score: 2

      [citation needed] for your assertion. Been deploying IPv6 at a major ISP/carrier for 13 years now. If you bought the wrong stuff or didn't ask for IPv6, you may be right but the proper gear is out there and doesn't cost any more. I can even get IPv6 over my VPN connection.

      The issue is one of mentality and training. Above someone says "turned off IPv6, problem went away". That's certainly one way to say "I blame IPv6". They didn't troubleshoot the problem. Perhaps it's a DNS problem or something else they haven't properly diagnosed. Without actually understanding how the protocols work, one is doomed to failure and blame.

      When you look at the major players who have deployed IPv6, including Netflix, Google, Yahoo to name but a few and compare that with the statistics on the cellular side... VZ Wireless sees over 60% IPv6 traffic. With the coming "great mobile demotion" tomorrow, it's more likely those devices if they come over 3GPP/LTE will perhaps visit you via IPv6 than via IPv4 if you properly enable your front door. If you are a CDN customer, it's a button to turn on IPv6. Cloudflare has it on by default, Akamai you have to ask, same for Limelight.

      The edge protocols have only really reached maturity in the past 2 years to deliver a connection to the edge or your home. CPE lifetime is somewhere in the 3-7 year range, we are still another generation away from having the home properly IPv6 enabled, but it's more often just going to be there and "just work". There are a lot of IT workers who haven't invested enough to learn about the subtle differences in V6, such as NDP vs ARP, etc and will block all ICMPv6 not understanding they are blocking NDP so can't see a response to their NS. This too will pass much in the same way as those who only knew appletalk or IPX routing.

    5. Re:The answer has been clear by Cramer · · Score: 1

      route aggregation

      Not the way most idiot admins want to use it. "Can I announce "my" /56 to other ISPs?" By "my" they mean the address block provided by one of their ISPs. I see this bullshit all the time. This leads to hundreds (or thousands eventually) of PI address blocks, none of which can be summarized.

    6. Re:The answer has been clear by Cramer · · Score: 1

      Most of it already can. If your ISP is still using 20 year old hardware without IPv6 silicon, it's time to find a better ISP.

      Not extensively tested within their network (software, hardware, and management) is the real bottleneck.

    7. Re:The answer has been clear by lokedhs · · Score: 1

      Oh yes, the ICMPv6 issue is real. I made the same mistake when I configured my IPv6 firewall. It's subtle because things seem to work at first but connections just hang. And the behaviour from the client side is that "accessing Google is slow but other sites work". Of course, accessing any IPv6 site is slow, but the browsers won't tell you that.
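The failure discussed in the two comments above (a filter that blocks all ICMPv6 also blocks NDP), as an added example that is not part of any poster's comment: a Python audit of a simplified first-match IPv6 rule list. The rule model, the sample rulesets and the function names are constructed for illustration; the type numbers are the standard ICMPv6 assignments, and the required set is a subset of what RFC 4890 says not to drop.

```python
"""Audit a simplified first-match IPv6 filter for ICMPv6 types it must not drop."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence

# Subset of ICMPv6 types a node on an IPv6 LAN has to receive.
# NDP (133-136) runs over ICMPv6 and replaces ARP; Packet Too Big (2) is
# needed because IPv6 routers never fragment packets in transit.
REQUIRED_ICMPV6 = {
    1: "destination-unreachable",
    2: "packet-too-big (path MTU discovery)",
    3: "time-exceeded",
    4: "parameter-problem",
    133: "router-solicitation (NDP)",
    134: "router-advertisement (NDP)",
    135: "neighbor-solicitation (NDP)",
    136: "neighbor-advertisement (NDP)",
}


@dataclass(frozen=True)
class Rule:
    """One filter rule in a hypothetical, stateless first-match rule list."""
    action: str                                  # "accept" or "drop"
    proto: Optional[str] = None                  # None matches any protocol
    icmp_types: Optional[FrozenSet[int]] = None  # None matches any ICMPv6 type

    def matches(self, proto: str, icmp_type: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.icmp_types is not None:
            return proto == "icmpv6" and icmp_type in self.icmp_types
        return True


def verdict(rules: Sequence[Rule], default: str, proto: str,
            icmp_type: Optional[int] = None) -> str:
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(proto, icmp_type):
            return rule.action
    return default


def audit(rules: Sequence[Rule], default: str = "drop") -> List[int]:
    """List the required ICMPv6 types that this ruleset does not accept."""
    return [t for t in sorted(REQUIRED_ICMPV6)
            if verdict(rules, default, "icmpv6", t) != "accept"]


def harden(rules: Sequence[Rule]) -> List[Rule]:
    """Put an explicit allow for the required types ahead of everything else.

    Only the required types are opened; other ICMPv6 types keep whatever
    verdict the original rules gave them.
    """
    allow = Rule("accept", "icmpv6", frozenset(REQUIRED_ICMPV6))
    return [allow, *rules]


# Constructed ruleset 1: "block all ICMPv6", the mistake described above.
BLOCK_ALL = [Rule("accept", "tcp"), Rule("drop", "icmpv6")]

# Constructed ruleset 2: ping is allowed, so a ping test looks fine,
# but NDP and Packet Too Big fall through to the default drop policy.
PING_ONLY = [Rule("accept", "icmpv6", frozenset({128, 129})),
             Rule("accept", "tcp")]


if __name__ == "__main__":
    for name, rules in (("BLOCK_ALL", BLOCK_ALL), ("PING_ONLY", PING_ONLY)):
        print(name)
        for t in audit(rules):
            print(f"  drops type {t}: {REQUIRED_ICMPV6[t]}")
        print(f"  after harden(): {audit(harden(rules))}")
```
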

    8. Re: The answer has been clear by jd · · Score: 1

      Each level is given the parent's prefix plus one or two bytes. Yes, you can announce that and it is easily summarized.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re: The answer has been clear by Cramer · · Score: 1

      How the hell do you summarize two distant /56's out of some other provider's "non-portable" /32? Yes, the ISP ("owner" of the /32) will announce only the entire block. No other piece of that block should exist anywhere outside the ISP's network.

      We've allowed that bullshit in IPv4 for decades. The potential size that represents within IPv6 means it must be absolutely FORBIDDEN, from day one until the end of days.

    10. Re: The answer has been clear by Cramer · · Score: 2

      You've obviously not worked in the Real World(tm). Companies will continue using hardware as long as it works -- not broken, don't need new features/functions not possible through software update(s), or don't need additional capacity (based on space and/or power)

      (Cell providers cycle through tech due to the last two.)

    11. Re:The answer has been clear by fisted · · Score: 1

      Too much overhead? It has less. In particular because the FCS is no longer computed over the (always changing) hop limit.

    12. Re:The answer has been clear by jaredmauch · · Score: 1

      I see consistently faster times with my IPv6 vs IPv4 with my native service at home, even with just pings. This seems to be the norm with most networks. If you are using a tunnel broker, such as he.net or otherwise you are most likely going a longer path with those artificial midpoints. Also, your browser may be broken as it doesn't implement rfc6555 properly.

    13. Re: The answer has been clear by gbjbaanb · · Score: 1

      not so - all big companies lease their equipment so they can mark it as a taxable expense and claim tax back on it and reduce their capital expenditure budgets, after a few years the manufacturer contacts them and asks if they want shiny new kit to replace the old junk that is now out of warranty and they always say yes.

      It's all about getting someone else to buy your equipment for you.

      Now I can't say if this is true of telecoms companies too, but even they will replace their kit eventually.

    14. Re:The answer has been clear by lokedhs · · Score: 1

      I'm sorry. I wasn't clear it seems. I mean I had that problem until I stopped blocking ICMPv6. Once I fixed that, IPv6 was as fast or faster than IPv4.

    15. Re: The answer has been clear by Pentium100 · · Score: 1

      So, how do you change ISPs but keep your IPs? For example in a failover situation.

      Currently the company I work for has its own AS and a /23 of IPv4, that can get announced through one or both ISPs that we use (in case one goes down). If one ISP goes down the traffic goes through another quite quickly. How do you do this with IPv6?

    16. Re: The answer has been clear by jd · · Score: 1

      Multiple IPs was one solution, but the other was much simpler.

      The real address of the computer was its MAC, the prefix simply said how to get there. In the event of a failover, the client's computer would be notified the old prefix was now transitory and a new prefix was to be used for new connections.

      At the last common router, the router would simply swap the transitory prefix for the new prefix. The packet would then go by the new path.

      The server would multi-home for all prefixes it was assigned.

      At both ends, the stack would handle all the detail, the applications never needed to know a thing. That's why nobody cared much about remembering IP addresses, because those weren't important except to the stack. You remembered the name and the address took care of itself.

      One of the benefits was that this worked when switching ISPs. If you changed your provider, you could do so with no loss of connections and no loss of packets.

      But the same was true of clients, as well. You could start a telnet session at home, move to a cyber cafe and finish up in a pub, all without breaking the connection, even if all three locations had different ISPs.

      This would be great for students or staff at a university. And for the university. You don't need the network to be flat, you can remain on your Internet video session as your laptop leaps from access point to access point.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Waiting for the killer app ... by slowdeath · · Score: 5, Insightful

    Have Facebook and/or Google go IPV6 only for website access. You will see virtually 100% adoption of IPV6 within 24hrs ...

    1. Re:Waiting for the killer app ... by CycleMan · · Score: 1

      Came here to say this. A big first mover will shift the market in no time.

    2. Re:Waiting for the killer app ... by phantomfive · · Score: 4, Insightful

      Why would either company do that? IPv6 would help neither one.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Waiting for the killer app ... by suutar · · Score: 5, Funny

      facebook maybe. If google goes ipv6 nobody will be able to find instructions...

    4. Re:Waiting for the killer app ... by Shakrai · · Score: 2

      Facebook leaving the web could be a good thing, our generation's version of Eternal September would finally come to an end. :P

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Waiting for the killer app ... by Anonymous Coward · · Score: 1

      So brazzers.com, then?

    6. Re:Waiting for the killer app ... by bpier · · Score: 2

      facebook maybe. If google goes ipv6 nobody will be able to find instructions...

      Both Facebook and Google already offer their services over IPV6.

    7. Re:Waiting for the killer app ... by jaredmauch · · Score: 4, Informative

      Perhaps you missed world IPv6 day when they both jumped at the same time to enable their front pages? There are a lot of things that don't work right in an IPv6 only world, such as Skype but the list of things that doesn't work is getting shorter. If you take a look at the statistics it's quite encouraging to see a steady growth curve.

      https://www.google.com/intl/en...

    8. Re:Waiting for the killer app ... by theskipper · · Score: 2

      Too long. IPV6 Youporn would drop full adoption down to 5 minutes ;)

    9. Re: Waiting for the killer app ... by jd · · Score: 3, Informative

      IPv6 would help both enormously. Lower latency on routing means faster responses.

      IP Mobility means users can move between ISPs without posts breaking, losing responses to queries, losing hangout or other chat service connections, or having to continually re-authenticate.

      Autoconfiguration means both can add servers just by switching the new machines on.

      Because IPv4 has no native security, it's vulnerable to a much wider range of attacks and there's nothing the vendors can do about them.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    10. Re:Waiting for the killer app ... by timnbron · · Score: 2

      If Google started boosting the ranking for sites with an IPv6 address it would become the Next Big Trend...

      --
      There are some who call me ... Tim.
    11. Re:Waiting for the killer app ... by CauseBy · · Score: 1

      good cite

    12. Re: Waiting for the killer app ... by Princeofcups · · Score: 1

      IPv6 would help both enormously. Lower latency on routing means faster responses.

      Responses? Most of the internet traffic is streaming video, which gains speed by being cached, not having a direct connection to the server. Fess up. Most people here screaming that they need IPv6 are only interested in game ping times. Or else they really don't understand the difference between latency and "ping time."

      --
      The only thing worse than a Democrat is a Republican.
    13. Re:Waiting for the killer app ... by hcs_$reboot · · Score: 1

      Have Facebook and/or Google go IPV6 only for website access. You will see virtually 100% adoption of IPV6 within 24hrs ...

      This is why that's never gonna happen.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    14. Re: Waiting for the killer app ... by FireFury03 · · Score: 2

      IPv6 would help both enormously.

      In the long term, yes. In the short term, going offline for the 93.69% of their users who don't have IPv6 yet would certainly be seen by most as a completely dickish move - I'm pretty sure their investors would be upset, for one thing.

      Lower latency on routing means faster responses.

      How does IPv6 yield lower latency? If anything, the latency on IPv6 is often slightly higher than IPv4 owing to the prevalence of IPv6-over-IPv4 tunnels where native IPv6 interlinks aren't available, along with larger headers slightly increasing the latency of cut-through routing.

      IP Mobility means users can move between ISPs without posts breaking, losing responses to queries, losing hangout or other chat service connections, or having to continually re-authenticate.

      Does anyone actually implement IP mobility? It requires support from your ISP, and I've not heard anything about any ISPs implementing it.

      Autoconfiguration means both can add servers just by switching the new machines on.

      DHCP does pretty much the same under IPv4 - I can't see this being a boon to Google/Facebook. (TBH I wouldn't be surprised if their infrastructure was too complex for any of these protocols - they've probably got some home baked protocol for doing that stuff).

      Because IPv4 has no native security, it's vulnerable to a much wider range of attacks and there's nothing the vendors can do about them.

      So no different from IPv6 then... both protocols have ipsec support (I think it's mandatory for IPv6 whereas the IPv4 version is an optional backport, but all major OSes support it in both cases so that's neither here nor there). However, ipsec use is currently pretty much reserved for VPNs - you can do adhoc ipsec but no one does. About the only thing you get from IPv6 is that IP addresses are much sparser, so scanning/attacking by picking addresses at random isn't effective.

    15. Re: Waiting for the killer app ... by jbolden · · Score: 1

      I'm a huge IPv6 fan and I don't game. What IPv6 does is recreates the pre-NAT world of easy communications between systems. Going back to the symmetrical world where everything on the internet is a server simplifies commuting immensely. That's why I want IPv6.

      That and I'm tired of the can't do attitude that IT has developed (and really society as a whole) since the early 2000s. I want to go back to the 1990s world where stuff changed all the time. DevOps and cloud are starting that transition from can't do to can do. But I see the kids doing something like a global IPv4 transition as being huge in getting them to start believing in their potential to make change to infrastructure.

    16. Re: Waiting for the killer app ... by jbolden · · Score: 1

      Most everything runs dual stack. So no.

    17. Re: Waiting for the killer app ... by Dagger2 · · Score: 1

      It's less TCAM overall, because of the large address space: you only need one v6 allocation to cover what ends up being thousands of separate tiny allocations in v4.

      According to this video at 18:44, Comcast measure v6 on their residential deployment (the one in this world) as being slightly faster than v4. I'm not sure if that's a precise enough platform specification for you, but there it is.

    18. Re:Waiting for the killer app ... by petermgreen · · Score: 1

      Big content providers have been enabling IPv6 but none have done what the GGP post proposed and disabled IPv4.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    19. Re:Waiting for the killer app ... by jaredmauch · · Score: 1

      We're not there yet. You can check the activities in sunset4 wg at ietf about disabling ipv4.

    20. Re: Waiting for the killer app ... by Anonymous Coward · · Score: 1

      The problem with V6 is that it was designed by a bunch of people that had a very specific vision for how networks should work. And only their vision.

      That was a long time ago. V6's solutions are now either: Moot, or have been worked around in likely better ways

      Latency? - Dubious. In theory, sure. In practice you may not see any benefits outside of a lab or a small, controlled network.

      IP mobility - Moot. A task better handled by upper layers. Tying a user's session to their network address is a bad idea for security reasons.

      Autoconf- Moot. Turns out that the two-way negotiation that DHCP offers is much more useful, and is a superior solution. (Exchange of low level information prior to the establishment of a network address) There's a reason DHCPv6 exists.

      Native security - What native security does v6 offer that's substantially different than what's offered in every bog standard v4 implementation?

      v6 is a classic case of overengineering. Adding features instead of fixes. Adding constraints instead of options. Its worst sin is neglecting the obvious need for a transition mechanism. v6's design is rooted in the days where computers were much slower, much simpler, and layer 3 was expected to handle many more tasks on its own.

      Today I can buy a 1.5ghz quad core 64bit, 2GB ram, 64gig storage, handheld device with 3-5 radios that connected to a world-wide connected internet. Retail. Anywhere in the US.

      What we need is not v6, but a simple address extension to v4 along with a few fixes to some of the most serious problems (TCP overhead, for one) More importantly, it needs to be designed explicitly as/with a transition mechanism.

    21. Re: Waiting for the killer app ... by tlhIngan · · Score: 1

      I'm a huge IPv6 fan and I don't game. What IPv6 does is recreates the pre-NAT world of easy communications between systems. Going back to the symmetrical world where everything on the internet is a server simplifies commuting immensely. That's why I want IPv6.

      Hah.

      Easy communications? Fat chance. Because there'll be firewalls in the way leading to plenty of issues - enough so that assuming you can connect between two hosts is not a safe assumption.

      In fact, you'll return to the early NAT days when they were rare, and spend hours trying to figure out why your VOIP app works half the time, but when someone calls in, you can't talk, at all because someone has a firewall in the way and it's blocking the connection.

      These days, NAT is pretty much understood and it's easy to detect and work around. Tomorrow, with IPv6, people are going to forget their NAT lessons and we'll go through the same pain that we had a decade and a half ago.

      And let's not forget the nice corporate firewalls that already exist today and filter everything that's not HTTP, HTTPS, FTP or SMTP. Just silently dropped. Those will be really fun to diagnose.

      And work firewall-less? This is the modern internet, and remote vulnerabilities, spoofs, amplification attacks and others are just sitting there waiting to be discovered.

      The myth of apparent reachability died ages ago. Along with the ability to plug a home PC straight into the internet without a firewall.

    22. Re: Waiting for the killer app ... by CronoCloud · · Score: 1

      What IPv6 does is recreates the pre-NAT world of easy communications between systems. Going back to the symmetrical world where everything on the internet is a server simplifies commuting immensely. That's why I want IPv6.

      Most people aren't telecommuters and we aren't going back to the symmetrical world. That world was a world of neckbeards, alt.religion.kibology, gopher, and hytelnet.

      We don't live in a world where the internet is dominated by neckbeards anymore.

    23. Re: Waiting for the killer app ... by jbolden · · Score: 1

      In fact, you'll return to the early NAT days when they were rare, and spend hours trying to figure out why your VOIP app works half the time, but when someone calls in, you can't talk, at all because someone has a firewall in the way and it's blocking the connection.

      I would agree that there will be transitioning problems as the world moves from a mature IPv4/NAT to a less mature IPv6. I see that as fairly short term and overall the situation will be much improved.

      And let's not forget the nice corporate firewalls that already exist today and filter everything that's not HTTP, HTTPS, FTP or SMTP. Just silently dropped. Those will be really fun to diagnose

      I don't think those exist much anymore. There are too many network protocols. And there is nothing to diagnose. If communication X has to happen on port Y and Y is blocked at location Z...

      And work firewall-less? This is the modern internet, and remote vulnerabilities, spoofs, amplification attacks and others are just sitting there waiting to be discovered.

      Our phones go on the internet essentially naked. Our laptops do as well. If the device doesn't allow unsolicited incoming on most ports and almost all ports are closed except when in use that is very much like a firewall.

    24. Re: Waiting for the killer app ... by jbolden · · Score: 1

      True we don't. The Internet became asymmetric. On the other hand the PSTN never did. And non-experts use that. We don't know to what extent address scarcity issues drove the internet becoming asymmetric. If the internet is permanently going to be asymmetric then with things like virtual hosting there is no good reason IPv4 couldn't be made to work for a very long time.

    25. Re: Waiting for the killer app ... by Wiblur_the_Once · · Score: 1

      Most people aren't telecommuters and we aren't going back to the symmetrical world. That world was a world of neckbeards, alt.religion.kibology, gopher, and hytelnet.

      The days of alt.religion.kibology were much more fun, symmetrical or not. Also, you must be a gamer NTTIAWWT, elsewise, how would you know the term 'neckbeard'? Also, also, I was just talking to my daughter yesterday about how modern social media is in serious need of a crossposting capability like they had in newsgroups. Facebook could use some wacky, harmless old school kibological trollery.

    26. Re: Waiting for the killer app ... by dorky · · Score: 1

      Most people aren't telecommuters and we aren't going back to the symmetrical world. That world was a world of neckbeards, alt.religion.kibology, gopher, and hytelnet.

      The days of alt.religion.kibology were much more fun, symmetrical or not.

      Also, you must be a gamer NTTIAWWT, elsewise, how would you know the term 'neckbeard'?

      Also, also, I was just talking to my daughter yesterday about how modern social media is in serious need of a crossposting capability like they had in newsgroups. Facebook could use some wacky, harmless old school kibological trollery.

      HELLO SLASHDOT THIS IS A PENCIL.

    27. Re: Waiting for the killer app ... by Dagger2 · · Score: 1

      Its worst sin is neglecting the obvious need for a transition mechanism

      If its worst sin is not doing the impossible, then it's doing pretty good: you can't talk between v4 and v6 hosts because of the pigeon-hole principle. There's just not enough space in the v4 dest header to fit a 128-bit address.

      If you have a brilliant idea for getting around that, please do share.

    28. Re: Waiting for the killer app ... by MikeBabcock · · Score: 1

      Why do you believe IPv6 routing is faster than IPv4?

      --
      - Michael T. Babcock (Yes, I blog)
    29. Re: Waiting for the killer app ... by MikeBabcock · · Score: 1

      The vast majority of IPv6 addresses being assigned aren't routable anyway -- do you really think those random local addresses you gave on your LAN at home can be globally routed from anywhere? Sure, if you get an assignment from your ISP, but do you really want your home alarm system, clock radio and fridge globally routable in the first place?

      --
      - Michael T. Babcock (Yes, I blog)
    30. Re: Waiting for the killer app ... by MikeBabcock · · Score: 1

      What we really need is IPv8, based on IPv4 with a larger address pool and no other irrational changes to the protocol. IPv6 simply adds too much complexity to the system.

      --
      - Michael T. Babcock (Yes, I blog)
    31. Re: Waiting for the killer app ... by CronoCloud · · Score: 1

      I know of the term neckbeard from the Linux community. I do game now and then, more casually than self-defined gamers, but less casually than phone/tablet/facebook gamers.

  4. IPv6's day will come, but... by rmdingler · · Score: 2
    IPv6 isn't backwards compatible to IPv4 and most people don't need it yet.

    Oh, and there's a learning curve. Most people are like water... path of least resistance.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:IPv6's day will come, but... by mtippett · · Score: 2

      The main difference tech people will see is that they can't ping an IPv6 address from memory. mDNS (as in xyz.local) will become the only way to access another machine with any sanity.

      Monitoring DNS at home, most services are already mixing (with a preference, but quick fallback from IPv6). So I'd say that the major websites are already primarily accessed via IPv6. You won't notice it.

      It'll just take years...

    2. Re:IPv6's day will come, but... by sjames · · Score: 2

      For the average home user, there is no learning curve. One day their ISP will flip the switch and they'll just go on using the internet as before, unaware that anything changed.

    3. Re:IPv6's day will come, but... by Cramer · · Score: 1

      Indeed. A great many don't know that switch has been flipped (aka Uverse.) In many cases, it's not until things are suddenly "broken" that anyone notices. (youtube suddenly gets slow -- going through an overloaded 6rd tunnel server, websites don't load as fast -- trying IPv6 first that then times out, etc.)

    4. Re:IPv6's day will come, but... by sjames · · Score: 1

      6rd is for when you want v6 but your uplink doesn't support it, so not an issue here. The DNS lookup doesn't cause much delay.

      Some operations did indeed screw up initially but others got it right first time.

    5. Re:IPv6's day will come, but... by Cramer · · Score: 1

      Unless you're AT&T (Uverse), whose entire plan for IPv6 is 6rd.

    6. Re:IPv6's day will come, but... by sjames · · Score: 1

      It seems like they didn't so much flip the switch as jam a penny in the fusebox.

    7. Re:IPv6's day will come, but... by zamboni1138 · · Score: 1

      Jesus, really? I set up my IPv6 in 2008 with everybody else and can still rattle off my /48 block prefix just like an IPv4 block.

    8. Re:IPv6's day will come, but... by sconeu · · Score: 1

      WTF do you need a /48 for? A /64 isn't big enough for you?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    9. Re:IPv6's day will come, but... by Dagger2 · · Score: 3, Insightful

      A single subnet? That's not enough for a lot of people.

      Everybody with a guest wifi network, for instance.

    10. Re:IPv6's day will come, but... by AmiMoJo · · Score: 1

      ISPs are the real problem. Little incentive to spend money implementing IPv6. Much is made of the shortage of v4 addresses, but they would still need to give everyone an IPv4 address anyway because there is some stuff that just doesn't work on v6 or via a v6 to v4 bridge at the moment (Skype for example).

      It's the usual short-sightedness, don't spend money on a problem until it can't be avoided.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:IPv6's day will come, but... by FireFury03 · · Score: 1

      WTF do you need a /48 for? A /64 isn't big enough for you?

      /64 is only big enough for a single network. /48s were quite common for a while, then recommendations were for ISPs to issue /56 to end users. There is no specific recommendation these days, but you certainly want to have more than a /64 if you can. I'd argue that /60 is a pretty reasonable size for a consumer grade ISP to hand out.. maybe /62 at a push, but that's starting to feel unreasonably scrimpy.
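Added example, not part of any post in this thread: a short Python sketch of the prefix sizes argued over above. It counts how many /64 links fit in a delegated prefix and hands one /64 to each named network segment, failing when the delegation is too small. The prefixes come from the 2001:db8::/32 documentation range and the segment names are constructed for illustration.

```python
import ipaddress

SLAAC_PREFIXLEN = 64  # SLAAC expects each link to be a /64


def count_slaac_subnets(delegated):
    """Return how many /64 links fit inside a delegated IPv6 prefix."""
    net = ipaddress.ip_network(delegated)
    if net.version != 6:
        raise ValueError("expected an IPv6 prefix")
    if net.prefixlen > SLAAC_PREFIXLEN:
        return 0  # smaller than a /64: no SLAAC-capable link at all
    return 2 ** (SLAAC_PREFIXLEN - net.prefixlen)


def plan_segments(delegated, segments):
    """Assign one /64 per segment name, in order, from the delegation."""
    available = count_slaac_subnets(delegated)
    if len(segments) > available:
        raise ValueError(
            f"{delegated} holds {available} /64 link(s), "
            f"but {len(segments)} segments were requested"
        )
    net = ipaddress.ip_network(delegated)
    subnets = net.subnets(new_prefix=SLAAC_PREFIXLEN)  # lazy generator
    return {name: next(subnets) for name in segments}


def segment_of(plan, address):
    """Return the segment name an address belongs to, or None."""
    addr = ipaddress.ip_address(address)
    for name, subnet in plan.items():
        if addr in subnet:
            return name
    return None


if __name__ == "__main__":
    # Constructed delegations of the sizes mentioned in the thread.
    for prefix in ("2001:db8:1234::/48", "2001:db8:0:100::/56",
                   "2001:db8:0:10::/60", "2001:db8:0:10::/62",
                   "2001:db8:0:10::/64"):
        print(prefix, "->", count_slaac_subnets(prefix), "x /64")

    plan = plan_segments("2001:db8:0:10::/60", ["lan", "guest", "iot"])
    for name, subnet in plan.items():
        print(f"{name:6} {subnet}")

    # A single /64 cannot carry both a LAN and a guest network.
    try:
        plan_segments("2001:db8:0:10::/64", ["lan", "guest"])
    except ValueError as err:
        print("refused:", err)
```

Once the segments are separate /64s, a firewall rule between them can match on the prefix alone, which is what `segment_of` models.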

    12. Re:IPv6's day will come, but... by Dagger2 · · Score: 1

      I don't buy this argument: tech people manage to remember their v4 addresses today (which usually consist of a pair of 32-bit addresses for each host), so they ought to be able to remember their v6 addresses (which consist of 48-56 bits of prefix plus 8 bits of host ID, with the rest of the bits being zero).

      Unless they pick a horrible nasty address that's not mostly zeros, but if you pick a nasty unrememberable address and refuse to use DNS for it then you can't really complain about how nasty and unrememberable it is.

    13. Re:IPv6's day will come, but... by rmdingler · · Score: 1

      The pre-1982 US cent, if you will.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    14. Re:IPv6's day will come, but... by petermgreen · · Score: 1

      The main differences tech people will see.

      1: NAT in ipv6 is strongly discouraged, so public addresses will be assigned on the lan (in addition to link local addresses). Better hope that unstable public addresses don't accidentally end up in configuration files etc leading to things breaking when your ISP changes your block.
      2: network administrators will see a lot of duplicate work as every subnet will have both v4 and v6 for the foreseeable future.
      3: it will be interesting to see the impact on internet routing table size. On the one hand there will be a lot less legacy cruft in the IPv6 table and the larger address space gives the option of expanding a company's block rather than giving them a second one. On the other hand I could see a lot of medium sized businesses who currently use private IP addresses and NAT requesting PI space. And of course the IPv4 and IPv6 internets will be running in parallel for the foreseeable future.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    15. Re:IPv6's day will come, but... by eap · · Score: 1

      There are more hosts than you could ever possibly use at home in a /64.

      If you want separate networks for guests, all you have to do is use VLANs.

      You can do that without ipv6.

    16. Re:IPv6's day will come, but... by sjames · · Score: 1

      ISPs are a problem here, but so are equipment vendors. There has been a push for v6 over 2 or three hardware upgrade cycles. In theory, the vast majority of hardware in an ISP's plant should be just awaiting configuration. Alas, much of that equipment was only v6 checkbox capable rather than meaningfully capable. Cisco sold a lot of gear that used the custom ASICs to route v4 and the anemic CPU to route v6. It all looked fine in the demo, but falls right down under a production load.

      Part of the problem is that the incumbents have massive blocks of IP addresses that they got when they were handed out like water. Back when nobody really looked at the justification section of the IP request. It's the new players that have a real problem getting addresses assigned. Next I suppose there will be a place to attach your latest colonoscopy report.

    17. Re:IPv6's day will come, but... by Pentium100 · · Score: 1

      So, the designers of IPv6 could not conceive that somebody could have less than 2^64 devices and still want to put them in separate networks? Well, I guess IPv4 was divided using classes in the past, but CIDR is great.

      So now my ISP will have a say in how many internal networks I have? And this is supposed to be better than IPV4 with NAT?

    18. Re:IPv6's day will come, but... by FireFury03 · · Score: 1

      So, the designers of IPv6 could not conceive that somebody could have less than 2^64 devices and still want to put them in separate networks?

      Networks are allocated as /64 chunks because it makes autoconfiguration easy. It is often argued by newcomers that this is a huge waste, but really, 128 bits gives you so many addresses that you can stand to do a bit of wasting in order to make things simple. Generally the "what a waste" crowd severely underestimate just how big 128 bits is.

      So now my ISP will have a say in how many internal networks I have?

      Yes and no. You _can_ allocate networks smaller than a /64, but you can't use SLAAC on such networks. That means you're stuck manually configuring devices or using DHCPv6. I believe Android has no support for DHCPv6, so you're probably very restricted if you choose to use a nonstandard network size.

      And this is supposed to be better than IPV4 with NAT?

      Oddly enough, yes - ISPs really shouldn't be restricting your internal infrastructure. If your ISP is being a dick about this then the answer is pretty obvious - switch to another ISP, it isn't as if ISPs are thin on the ground.

    19. Re:IPv6's day will come, but... by Pentium100 · · Score: 1

      switch to another ISP, it isn't as if ISPs are thin on the ground.

      I have a few options, but AFAIK a lot of Americans do not (I do not live in the US). Even for me, since I live in an individual house it would be expensive to have another ISP get its fiber cable to me.

      You _can_ allocate networks smaller than a /64, but you can't use SLAAC on such networks. That means you're stuck manually configuring devices or using DHCPv6

      That's good to know, though it would mean that if I use Android devices I will have to type in the long v6 IPs even though IPv4 has shorter IPs AND DHCP works with all devices.

      Though since I would still need NAT (for keeping the IPs when switching to a backup ISP), I guess that is not such a big problem and AFAIK NAT exists for v6 (though not one-to-many as I understand, so I would need a proxy server to make all outgoing connections look like they are from a single device).

    20. Re:IPv6's day will come, but... by Agripa · · Score: 1

      U-Verse did a great job flipping that switch where I am. IPv6 is both enabled and disabled on their router but they also now block protocol 41 (and they did so before enabling their broken IPv6) so my existing IPv6 tunnels which ran for years without problems are now useless. I managed to find a customer service transcript where AT&T says that they deliberately block third party IPv6 because of security and because otherwise their users would be able to get static IP addresses without paying for them.

  5. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 4, Interesting

    They aren't being adopted because they try to solve problems that aren't really problems.

    IPv6: not enough IP addresses. The problem is very real.
    Rust: incompetent programmers who leak memory, which problem can be fixed at compile time (with tradeoffs that annoy some people but not others).

    Both solve very real problems, you just don't see them because they are at a level deeper than you understand. Don't worry, the 'magic' will keep working, and you can keep posting, because other people will solve them.

    --
    "First they came for the slanderers and i said nothing."
  6. Re:How about basic security? by Shakrai · · Score: 2

    2: Attackers can view your entire IP space. A simple nmap scan, then choosing what zero days to use... instant pwn-ership.

    That's what firewalls are for.

    Let me guess, you're one of those that thinks the breaking of end-to-end communications (NAT) is an acceptable substitute for a firewall?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  7. Re:How about basic security? by pe1rxq · · Score: 1

    2: Attackers can view your entire IP space. A simple nmap scan, then choosing what zero days to use... instant pwn-ership.

    Bullshit. Just use a firewall the proper way and stop using crap.
    If your machines are that vulnerable you are already screwed. Hiding behind NAT and thinking you are safe is a joke.

    --
    Secure messaging: http://quickmsg.vreeken.net/
  8. It is coming... On Weekends... From Home... by mtippett · · Score: 5, Interesting

    I have IPV6 at home (took some calls to AT&T Customer Support). I don't have it at work, the migration will probably start with small network endpoints (phones (apparently t-mobile has already switched), and home networks).

    Link local IPV6 is already fairly broadly available - it's the fe80 prefixed address on your ifconfig output. You should be able to ping other ipv6 addresses on your network (*nix to *nix).

    Google's IPv6 stats page indicates this too... https://www.google.com/intl/en... has a peculiar comb effect for the last few years. Zooming in seems to give a bit more insight. Google's count of IPv6 connections has a full 1% swing over the weekends vs the week days. Due to IPv6's addressing method, each unique device on your network appears as a unique device on the internet, vs the NATed IPv4 that we all know and love. This would also have an accelerating increase in the number of unique IPs that are visible on the weekend. I know I use more devices over the weekend (chromebook, phone, laptop, tablet) vs during the week.

    Open to other insights, but our homes will be likely IPv6 before our offices are. (Of course aggressive tech companies like google and facebook are likely already IPv6).

    1. Re:It is coming... On Weekends... From Home... by slimjim8094 · · Score: 2

      Came here to say this. Also note how far the US is ahead of the rest of the world. It's a rare scenario where the US is a world leader in something Internet. 14.5% of all Google's US connections are v6, and it's higher on the weekends. Only Belgium does better. The major US ISPs have actually been pretty good about v6 and at least TWC/Comcast offer it to all their customers, and all their provided routers do it automatically. All the other major ISPs I know about are at least testing deployment. As people swap out their routers that number will only rise.

      The lag as you observed is corporate networks since each one is different. (Also note around Christmas there is a huge jump, and the spread is getting wider.) But even there, eventually you won't be able to buy a device that doesn't automatically do v6 (or at least as automatically as it does v4).

      v6 is coming, folks. People can naysay it all they want but the facts don't support it.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    2. Re:It is coming... On Weekends... From Home... by mtippett · · Score: 1

      If your router enables IPv6, your devices have IPv6 access - no endpoint changes necessary. Current versions of most Operating Systems actually prefer IPv6 but fall back quickly. So it is likely to be turned on transparently.

      There is no INTERNAL_IP6_ADDRESS, there is just an IP6_ADDRESS. The firewall blocks or permits dynamically (likely stateful connection management). The /64 subnet that is routed to your network is expected to be routed to the endpoint by your router if needed (modulo firewall rules).

      The biggest issue for home networking is the lack of management of the router/firewall itself. You can't port forward (no config UI), you can't permit specific ports in most current home router implementations. However, configuration of ports and so on are not something that the vast majority of users know or care about.

    3. Re:It is coming... On Weekends... From Home... by Cramer · · Score: 1

      Why would the home be the "first" place for wide IPv6 adoption

      Because it only takes one ISP to stop being a little shit and turn it on for millions of users to suddenly appear. Enterprise networks require the network admin(s) to actively set it up; no amount of tweaks at the ISP can convert them.

    4. Re:It is coming... On Weekends... From Home... by Kili · · Score: 1

      > Due to IPv6's addressing method, each unique device on your network appears as a unique device on the internet, vs the NATed IPv4 that we all know and love.

      Why I hate IPV6 in a nutshell.

      Because I don't want to give the advertisers and data analyzers yet another way to identify me.

      Unavoidable? Probably. Will I do it willingly? no.

    5. Re:It is coming... On Weekends... From Home... by rl117 · · Score: 1

      I use a smaller ISP (aaisp.net) which provides IPv6 natively. The router they provided, which is a fairly common technicolor model, does all the firewalling and port forwarding you could desire with both v4 and v6 addresses. In the case of v6 it's more a case of unblocking than forwarding ports, since the internal address is global, but the functionality is all there and it works. If you didn't want to run servers internally, everything worked out of the box for outgoing v6--totally plug and play which is how it should be.

    6. Re:It is coming... On Weekends... From Home... by oobayly · · Score: 1

      I want to live in Belgium - amazing beer and 33% IPv6 adoption.

    7. Re:It is coming... On Weekends... From Home... by dave420 · · Score: 1

      So it's ahead of the rest of the world if you ignore those which are better? Brilliant logic!

    8. Re:It is coming... On Weekends... From Home... by Lennie · · Score: 1

      Every desktop operating system (Linux like Ubuntu and Fedora, Mac OS X and Windows) has IPv6 privacy extensions enabled by default (server operating systems usually have it disabled).

      Privacy extensions automatically creates a secondary temporary IPv6 address for connecting to servers like websites.

      So you can NOT be tracked by IPv6 more than IPv4. But also not less.

      Most IPv6-enabled networks have a public range assigned.

      When you visit a website one day they will see an automatically generated unique IPv6 address from that IPv6 network.

      The next day they will see another automatically generated unique IPv6 address from the same IPv6 network.

      This is thus completely similar information you get from IPv4 NAT.

      --
      New things are always on the horizon
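Added example, not part of any post in this thread: the tracking worry and the privacy-extensions answer above both turn on whether the low 64 bits of an address are derived from the MAC. This Python sketch builds the MAC-derived (modified EUI-64) address, recovers a MAC from such an address, and audits a list of addresses for a hardware identifier seen on more than one /64. The MAC, prefixes and sample addresses are constructed, using the 2001:db8::/32 documentation range.

```python
import ipaddress
from collections import defaultdict


def eui64_address(prefix, mac):
    """Build the SLAAC address a host derives from its MAC (modified EUI-64)."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs an IPv6 /64 prefix")
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(address):
    """Return the MAC embedded in an address, or None if none is visible.

    Heuristic: ff:fe in the middle of the interface ID marks EUI-64.
    A random interface ID matches by chance about once in 65536.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in octets)


def macs_seen_on_multiple_prefixes(addresses):
    """Map each embedded MAC to the /64s it appeared on, if more than one."""
    seen = defaultdict(set)
    for text in addresses:
        addr = ipaddress.IPv6Address(text)
        mac = embedded_mac(addr)
        if mac is None:
            continue  # randomised interface ID: nothing stable to link
        seen[mac].add(str(ipaddress.IPv6Interface(f"{addr}/64").network))
    return {mac: sorted(nets) for mac, nets in seen.items() if len(nets) > 1}


# Constructed sample: one laptop on two networks without privacy
# extensions, plus two temporary (random interface ID) addresses.
SAMPLE_CLIENT_ADDRESSES = [
    "2001:db8:1:1:211:22ff:fe33:4455",
    "2001:db8:beef:2:211:22ff:fe33:4455",
    "2001:db8:1:1:3c4a:91d2:77e0:5b1f",
    "2001:db8:1:1:a8f3:2210:9e5c:d44",
]

if __name__ == "__main__":
    print(eui64_address("2001:db8:1:1::/64", "00:11:22:33:44:55"))
    for mac, nets in macs_seen_on_multiple_prefixes(
            SAMPLE_CLIENT_ADDRESSES).items():
        print(f"{mac} is linkable across {', '.join(nets)}")
```

Run against a host's own address list, `embedded_mac` shows whether it is still advertising a MAC-derived address; hosts using temporary addresses return `None` for their outbound source address.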
    9. Re:It is coming... On Weekends... From Home... by jbolden · · Score: 1

      Absolutely home / small business go IPv6 before the rest. Those are huge networks in terms of being able to reclaim v4 space and they can be switched in a more or less uniform way.

    10. Re:It is coming... On Weekends... From Home... by jbolden · · Score: 1

      The home / small business will be first because they are huge networks that can be transitioned by carriers in a more or less uniform way. The average user just experiences a switch over a short period of years:

      a) IPv6 is not available to
      b) IPv6 is available if they turn it on to
      c) IPv6 is on running dual stack with IPv4, IPv4 handles most of their traffic to
      d) IPv6 handles most traffic, IPv4 addresses are available but end user experiences lag and possibly other aspects of worse performance on v4 connections.

      At step (d) the carrier has lots of addresses

    11. Re:It is coming... On Weekends... From Home... by Aqualung812 · · Score: 1

      There is no INTERNAL_IP6_ADDRESS, there is just an IP6_ADDRESS.

      Actually, INTERNAL_IP6_ADDRESS is the link-local address (fe80). All of your communications on your local subnet use that.

      There is also the RFC 1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x) type addressing companies can do if they want a private non-internet-routable range: Unique Local Addresses. They start with fc07. Most people won't have these at home, but I expect many businesses to use them for things like internal routers. You don't want to have to re-ip those if you change ISPs.

      The really cool part is that both the link-local and the ULA can co-exist with your global IPv6 public address!

      The biggest issue for home networking is the lack of management of the router/firewall itself. You can't port forward (no config UI)

      I've noticed several SOHO routers apply the IPv4 rules to your IPv6 connections. So, if you allow RDP to 192.168.1.2, it will also allow RDP to the IPv6 global address that 192.168.1.2 has. Yes, having unique ACLs for both would be nice, but for most users, this is an acceptable solution.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  9. Re:How about basic security? by steveg · · Score: 3, Funny

    Simple nmap scan? Yeah.

    If they can scan 10,000 addresses a second they should be able to scan your home address space in not much under a million years.

    Assuming you didn't do something radical, like, maybe, used a firewall.

    --
    Ignorance killed the cat. Curiosity was framed.
  10. Re:How about basic security? by mtippett · · Score: 1

    2: Attackers can view your entire IP space. A simple nmap scan, then choosing what zero days to use... instant pwn-ership.

    Hmm... Non-direct allocated IP on your subnet, 64 bit subnet, pwn-ership aint that trivial. Scanning a 64-bit address space (AT&T allocates a full /64 to me at home) is going to be pretty obvious at the firewall.

    Welcome back to the internet of the early 1990's we all lived on the internet with real IPs, but were protected from firewalls... This whole concept of everyone on a Class C/B/A private subnet thing has only been around for a couple of decades.

  11. Adoption inverse to ip address assignment by NotInHere · · Score: 4, Interesting

    I think that in countries with many ipv4 addresses per internet user, we won't see any change soon, they still can support one ip per home. The US is one of those. It has tons of IPs. In countries without much ipv4 addresses, the companies (especially new ones, which don't sit on millions of addresses) will see the pressure, and will run a carrier grade NAT & native ipv6 approach.

  12. My experience with IPv6 by alexhs · · Score: 2

    I can do IPv6 from my ISP since last November. My issues so far have been:

    • The ISP ADSL router hasn't been extensively tested for IPv6. Its caching DNS server tends to die after approximately 10 days, and the IPv6 connection itself is at times unavailable (probably not an up-link issue as rebooting the ADSL router fixes the issue. Temporarily.)
    • Some web sites have registered a DNS entry for IPv6, but don't have a properly configured IPv6 HTTP server. I could ask the DNS resolver to try IPv4 first, but then when would I actually be using IPv6 ?
    • I can't even experience the non-NAT'ed network, as I don't have IPv6 access from the work place.

    On the other hand, IPv6 was doing fine 12 years ago, on the IPv6 backbone from the university.

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    1. Re:My experience with IPv6 by wbean · · Score: 1

      I disabled ipv6 last night. Comcast drops the connection after a day or two and then anything that is trying to use ipv6 takes forever to fail over to ipv4. It was interfering with my usage. The only way to solve it was to reboot the router. Not worth it.

  13. IPv6 support from SOHO equipments? by sanf780 · · Score: 1

    I wonder how many IPv6 unready appliances do we have. For instance, I do not trust my ISP to have given me an IPv6 compatible router. And I cannot easily replace this router, Huawei HG253s V2, due to the fact that is needed for the optical transducer.

  14. And Amazon doesn't support it by mtippett · · Score: 4, Interesting

    With the current incantation of Amazon Web Services (VPC),

    IPv6 support is currently not available for load balancers in Amazon VPC (EC2-VPC).

    http://docs.aws.amazon.com/Ela...

    So there goes lots of the internet....

  15. Writing on the wall by wyattstorch516 · · Score: 1

    The writing has been on the wall for quite a while now. I think it was first discovered written underneath "As I sit here all brokenhearted..."

  16. Re:How about basic security? by sjames · · Score: 2

    1. As opposed to IPv4 where practically nothing uses the pain in the ass to set up encryption

    2. Yes, if I am stupid enough to have no firewall whatsoever, even locally on the machines, all they have to do is nmap an entire internet's worth of IP addresses to find the 10 or so that actually exist on my network.

    3. Oh my yes, only 15 years of testing, AKA, 75% as much as the IPv4 stack in most cases.

    4. Not sure what you're saying there. Issue must be local, I've had no problem using IPv6.

  17. Re:No benefit by sjames · · Score: 1

    The workarounds are rapidly running out of steam. Add another layer of NAT and things start breaking for average users.

  18. Re:How about basic security? by pe1rxq · · Score: 3, Informative

    Filtering out nmap to places you don't want it to go is EXACTLY what a firewall is for.
    And your IPX comparison is also flawed. You don't need to use your MAC address, that is just one way of generating an IPv6 address. And being able to address a packet to any node on the internet directly is exactly how the internet was supposed to work. (Note that a firewall may still prevent such packet from arriving unwanted).

    --
    Secure messaging: http://quickmsg.vreeken.net/
  19. Stupid shit by NotInHere · · Score: 1

    This has been written in a very pro-selldata approach:

    For example, if the proxy that’s providing a user’s address is located in a different city from that user, then location data that could aid in targeting ads would be unusable, he said.

    So, should ipv6 be enabled because it kills privacy? This article is stupid shit. I really don't like if internet protocols are designed with "targeting ads" in mind. This is where the google involvement into internet standardisation has brought us to: an internet built to spy on us. Google is not very much more than that: a company getting billions from running the most profitable internet ad network in the world (visit this, and search for "Advertising revenues"), and running other services in order to show those ads on.

  20. ISP by kb7oeb · · Score: 1

    T-Mobile supports IPv6, so I use IPv6 on my phone. Cox doesn't so I can't use it with the devices that generate the most traffic.

  21. hosts file by gmhowell · · Score: 3, Funny

    I would switch, but then I'd have to rewrite my hosts files.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
    1. Re:hosts file by Imagix · · Score: 2

      You use hosts files for something other than adblocking? :) 127.0.0.1 still works for that purpose. Or you could add ::1 entries as well.. should be a quick script to set that up.

    2. Re:hosts file by Anonymous Coward · · Score: 1

      I have heard on slashdot that a proper hosts file can block ads, all sorts of malware, reverse the negative effects of fluoride in drinking water, and solve the debate over anthropogenic global warming.

    3. Re:hosts file by Pope+Hagbard · · Score: 1

      APK's got you covered. :P

    4. Re:hosts file by tepples · · Score: 1

      <APK>Yeah, but it works in user mode so it's probably slow as shit. Hosts files work in kernel mode, making them inherently faster to process with fewer context switches.</APK> :p

      But seriously, thank you for the recommendation. Do you know whether it uses an algorithm suited for efficient processing of multi-megabyte hosts files?

  22. Re:IPv6 and Rust: overhyped and unwanted! by PRMan · · Score: 1

    C# and Java also solve the leaky memory problem and are much more popular.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  23. Re:IPv6 and Rust: overhyped and unwanted! by fisted · · Score: 4, Insightful

    You know what NAT defeats? End-to-end connectivity.

  24. Re:IPv6 and Rust: overhyped and unwanted! by Anonymous Coward · · Score: 1

    And 99.9% of people don't care.

  25. Re:IPv6 and Rust: overhyped and unwanted! by bugs2squash · · Score: 4, Insightful

    I have come to believe that end-end connectivity is the problem that a lot of people think NAT solves.

    --
    Nullius in verba
  26. Re:IPv6 and Rust: overhyped and unwanted! by bpier · · Score: 1

    You know what else solves the "not enough IP addresses" problem? NAT.

    And it's a lot less of a change than switching to IPv6.

    OK, perhaps some reading would help you to understand how NAT is fine for very small networks, for the most part is a huge pain in the ass for large networks. And there's no end-to-end connectivity. NAT is a layer of obfuscation that often adds to errors for Net-Ops.

  27. Re:ipv6 by sjames · · Score: 1

    You seem to have fallen into a parallel reality. In mine, all of those Windows versions can and do use IPv6. Even XP if you explicitly configure it in the network settings.

    I have Comcast and one day I noticed they were announcing v6 addresses. So I turned off my 6to4 tunnel. I haven't had any problems. Modem running out of RAM is a modem problem, not an IPv6 problem. Perhaps it's old or cheesy.

  28. Re:How about basic security? by fisted · · Score: 2

    an entire internet[] worth of

    Since a /64 is the default allocation, that's more like an entire internet squared worth of it.

  29. Tunnelling by DrYak · · Score: 1

    That's the point at which end users like us need to be proactive.
    Set up tunnels (like Sixxs and other similar IPv6 brokers), open tickets at your provider asking for 6rd support, etc. ...or just move to a country with pervasive IPv6... :-P

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  30. Re:IPv6 and Rust: overhyped and unwanted! by EmeraldBot · · Score: 1

    C# and Java also solve the leaky memory problem and are much more popular.

    But not at compile time, and you can't use them in systems' programming on general hardware.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  31. Re:IPv6 and Rust: overhyped and unwanted! by sjames · · Score: 1

    Are you one of those people who got suckered into believing that if you zipped the zipped zip file enough iterations you could store everything in just one byte?

    There's only so much NAT can do and it's doing it now.

  32. NAT is just bandaid by DrYak · · Score: 1

    You know what else solves the "not enough IP addresses" problem? NAT.

    It's a short-term quick hack which might make some problem seem to disappear, but creates a ton of other problems.
    NAT creates layers of indirection, and NAT makes machines not directly addressable.
    Requires hole punching and the like even for very basic functionality (like VoIP).
    The internet was envisioned as a distributed network with all being equal peers, but NAT is contributing to the current asymmetry of having a few key content distributors and everybody else being a passive consumer.

    And it's a lot less of a change than switching to IPv6.

    IPv6 here. No, it's not that complicated, and can be automated. (e.g.: you don't even need to set up DHCP. Your router just hands out prefixes, and the devices on the net autonomously decide their address by appending their MAC address).
    With NAT, you'll end up needing to fumble with your router and open / redirect ports anyway, just to be sure that everything works as it should.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:NAT is just bandaid by CauseBy · · Score: 1

      "Short term"? I guess so, for some very large values of "short".

    2. Re:NAT is just bandaid by Pentium100 · · Score: 1

      NAT creates layers of indirection, and NAT makes machines not directly addressable.

      Good. What if I want to have machines that are not directly addressable. Also, I may want to redirect the packets to various machines based on where it came from (internal network or outside).

      With NAT, you'll end up needing to fumble with your router and open / redirect ports anyway, just to be sure that everything works as it should.

      Which I will need to do with IPv6 just the same because I do not want to allow incoming connections by default.

  33. Att uverse supports ipv6 by sims+2 · · Score: 1

    AT&T U-verse at work supports IPv6. Verizon Wireless claims to support IPv6, but you can't route to their addresses (stateful firewall or something). So I can connect to equipment at work with either IPv4 or IPv6, but if I need to connect to anything on VZW I'm SOL, because the IPv4 is NAT'ed and the IPv6 is firewalled.

    --
    Minimum threshold fixed. Thanks!
  34. 6rd by DrYak · · Score: 1

    That's why solutions like 6rd exist.

    ISPs can keep their current IPv4 gear, and just offer an IPv6 tunnel that the clients can use over the IPv4 infrastructure.
    No need to immediately replace all the components, and meanwhile, IPv6 is already available.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  35. Re:IPv6 and Rust: overhyped and unwanted! by EmeraldBot · · Score: 3, Insightful

    And 99.9% of people don't care.

    There are a lot of things 99.9% of people don't care about. If that's your justification...

    Me personally, I'd love my end-to-end connectivity back.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  36. Re:ipv6 by QuietLagoon · · Score: 2

    Comcast says they support it

    I've been using Comcast's IPv6 for well over a year. Not one problem with it.

    Maybe you should go to the Comcast HSI forum on dslreports.com and ask some questions.

  37. Re:IPv6 and Rust: overhyped and unwanted! by Cramer · · Score: 2

    Actually, in the process of solving the one problem it's supposed to solve, they created about 14 trillion other problems, stuck their head in the sand refusing to learn from history or listen to the industries that use the technology -- *cough*DHCP*cough*, didn't give a single second to privacy or security, and finally simply gave up without ever trying when it came to any type of transition policy/mechanism.

    We might as well be converting the internet to Appletalk. While they share a few characters in their name, IPv4 and IPv6 are radically different technologies. From an application programming level, there's not much difference, but that's never been much of a hindrance to IPv6 adoption.

  38. Re:How about basic security? by _merlin · · Score: 1

    Yeah, my ISP gives me a static /56 and a dynamic /64, so that's a lot of space to scan. My Windows boxes randomise addresses for outgoing connections, so you can't trivially get addresses to scan by sniffing egress traffic. And on top of that my router acts as a firewall and only allows incoming connections on whitelisted address/port combinations.

  39. Re:IPv6 and Rust: overhyped and unwanted! by Cramer · · Score: 1, Troll

    End-to-end connectivity.

    Something we've gone out of our way to intentionally break (read: FIREWALLS) on purpose for decades.

  40. Re:IPv6 and Rust: overhyped and unwanted! by jd2112 · · Score: 4, Interesting

    They aren't being adopted because they try to solve problems that aren't really problems.

    IPv6: not enough IP addresses. The problem is very real.

    The problem with IPv6 is that alternate solutions to the IP shortage issue such as NAT are currently far less trouble and much less expensive to implement than IPv6.
    Where I work we have a LOT of computers (low-mid 6 figures) behind NAT. For the most part it works pretty well.
    I spoke with our network design engineer about IPv6 a few months ago and he said IPv6 isn't even on his radar at this time for the reason stated above. If he were implementing a network at a new company with no legacy technology to deal with he might go IPv6 but he doesn't see it much in established networks anytime soon.

    --
    Any insufficiently advanced magic is indistinguishable from technology.
  41. Re:IPv6 and Rust: overhyped and unwanted! by Cramer · · Score: 1

    Hah! Can you say "reference leak"? I knew that you could. (it's actually *easier* in Java/C# to leak memory, because you have no way to explicitly destroy an object, so programmers never think about it.)

  42. If my (censored) ISP supported it... by prochefort · · Score: 1

    ...I'd be more inclined to do the move myself. The problem is when you ask if or when it will be available, you get the long pause and the "We don't know". My ISP, who shall remain nameless at this point, doesn't appear to have a plan. For the size of their organization, you would think they have a plan or at least are looking at it, but their front line makes them look amateur-ish.

    I will not name my ISP but I'm in Canada and they are based out of Toronto...lol. (This should tell you who they are...)

    We should start calling them once a day and politely request IPv6 support once a day every day. (Politely because I'm Canadian...lol)

  43. Re:How about basic security? by Cramer · · Score: 2

    1: No encryption.

    Wrong. The protocol has IPsec bolted-on at the socket level. However, you are correct in that nothing knows how to actually use it.

    2: Attackers can view your entire IP space.

    A: FIREWALL. B: A 2^64 (::/64) LAN will take a LONG time to scan. But, yes, if you know the address of the machine not protected by anything, it's a lame duck.

    3: Untested stack, relatively.

    Less tested than IPv4, maybe. IPv6 has been around a lot longer than you may realize, and while issues are still emerging, many of them are due to poor protocol design and not poor stack programming.

    4: Support is spotty.

    This depends on where you are and how much work you put into correcting it (read: tunnels.) But this is ultimately what the entire thread is about... ISPs simply aren't bothering to support IPv6. Those that do are doing so in a mostly jedi-hand-wave gesture for marketing.

  44. Re:IPv6 and Rust: overhyped and unwanted! by tepples · · Score: 1

    So if one wants to allow a particular protocol through the firewall that is a typical carrier grade NAT rollout, how does one go about it?

  45. DNS without DHCP by tepples · · Score: 1

    you don't even need to set up DHCP. Your router just hands out prefixes, and the devices on the net autonomously decide their address by appending their MAC address

    If you don't set up DHCP, then how do devices on the net bootstrap enough service to be able to resolve www.example.com. into an IPv6 address? Does each machine need to run its own recursive resolver or rely on 2001:4860:4860::8844?

    1. Re: DNS without DHCP by jd · · Score: 4, Informative

      Anycast tells you what services are on what IP. There are other service discovery protocols, but anycast was designed specifically for IPv6 bootstrapping. It's very simple. Multicast out a request for who runs a service, the machine with the service unicasts back that it does.

      Dynamic DNS lets you tell the DNS server who lives at what IP.

      IPv6 used to have other features - being able to move from one network to another without dropping a connection (and sometimes without dropping a packet), for example. Extended headers were actually used to add features to the protocol on-the-fly. Packet fragmentation was eliminated by having per-connection MTUs. All routing was hierarchical, requiring routers to examine at most three bytes. Encryption was mandated, ad-hoc unless otherwise specified. Between the ISPs, the NAT-is-all-you-need lobbyists and the NSA, most of the neat stuff got ripped out.

      IPv6 still does far, far more than just add addresses and simplify routing (reducing latency and reducing the memory requirements of routers), but it has been watered down repeatedly by people with an active interest in everyone else being able to do less than them.

      I say roll back the protocol definition to where the neat stuff existed and let the security agencies stew.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re: DNS without DHCP by tepples · · Score: 1

      Multicast out a request for who runs a service, the machine with the service unicasts back that it does.

      I don't understand how this would work at Internet scale. Either I'm missing something fundamental, or you're claiming that IPv6 allows a host to port-scan the entire Internet for the DNS port with a multicast packet. Or were you referring to running a DNS server on your local subnet and discovering that with multicast? If so, how would that DNS server be automatically configured to use the DNS server operated by whatever ISP to which the machine is connected?

    3. Re: DNS without DHCP by tepples · · Score: 2

      Stanford Linear Accelerator Center? Small Liberal Arts College? You mean "stateless autoconfiguration", but it took until November 2010 for RFC 6106: Router Advertisement Options for DNS Configuration to bring DNS into Neighbor Discovery.

    4. Re: DNS without DHCP by bytesex · · Score: 4, Interesting

      Per-connection MTUs are a pain. You shouldn't be making that point if you think that routers having a PNAT table is a hack - having state is awful. And IPv6 has other flaws too: some header fields are unprotected from bit-errors in transit. There is no specification as to how many extension headers I'm allowed to use. Higher layer fragments are completely unrecognisable to stateless concentrators (more so than in IPv4). UDP- and TCP-checksums are not allowed to be all zeroes (which was neat when you provided a better checksum yourself over, you know, fragments, which got ripped out).

      No, there's plenty rotten in the state of IPv6. And it's not just because 'interests' ripped things out.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    5. Re: DNS without DHCP by fisted · · Score: 1

      He presumably meant to multicast the link-local multicast address, causing the link-local nameservers to advertise themselves as such.

    6. Re: DNS without DHCP by jbolden · · Score: 1

      That's interesting. Is there a good article that consolidates what changed and why?

    7. Re: DNS without DHCP by Maritz · · Score: 1

      When it hits a router, it stops. Routers don't, generally, forward anything other than unicasts.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    8. Re: DNS without DHCP by tepples · · Score: 1

      For more usage however the DNS server is probably on the same network you are, and your multicast domain does not propagate outside our organisation.

      I figured as much. But how would the DNS server on your home or small office network, such as the one built into a home Internet gateway appliance, find a recursive resolver? Or would it need to be a recursive resolver?

  46. just wait for ISP's to bill you per IP / outlet an by Joe_Dragon · · Score: 1

    just wait for ISP's to bill you per IP / outlet and ban / lockout NAT.

    Right now ISPs like Comcast make a lot of outlet fees on their TV side, and when TV starts to really die down the last thing you want to have is to have it like the old phone days where they made you pay / rent for EACH PHONE. Right now the cell phone providers make you pay per line to use the same shared pool of data / minutes and make you pay more to unlock tethering.

  47. Re:ipv6 by Cramer · · Score: 1

    Bullshit. XP supports IPv6. (It's "experimental" and has no GUI, but it a) exists, and b) works.)

  48. and big business want to have INTERNAL only by Joe_Dragon · · Score: 1

    and big businesses want to have INTERNAL only networks as well as VPNs that let you get into stuff that you want to lock down to be inside only. A VPN with username / password does more than just basic firewall rules.

  49. Re:How about basic security? by lokedhs · · Score: 1

    If you are stupid enough to be running without a firewall, sure, then your entire address space can be scanned. I hope they have lots of time though, since even the smallest allocation gives you an address space of 18446744073709551616 addresses. That'll take a while to scan.

  50. Re:IPv6 and Rust: overhyped and unwanted! by Cramer · · Score: 1

    If you're behind CGN, then by definition you aren't allowed to run "servers" -- i.e. services that require outside systems to initiate connections toward you. (www, smtp, bittorrent, etc.)

  51. Re:How about basic security? by dissy · · Score: 1

    Yes we know those are all well known and long unfixed problems with IPv4...
    But you promised a list of IPv6 weaknesses.

  52. Re: How about basic security? by jd · · Score: 5, Informative

    IPSec is perfectly usable.

    Telebit demonstrated transparent routing (ie: total invisibility of internal networks without loss of connectivity) in 1996.

    IPv6 has a vastly simpler header, which means a vastly simpler stack. This means fewer defects, greater robustness and easier testing. It also means a much smaller stack, lower latency and fewer corner cases.

    IPv6 is secure by design. IPv4 isn't secure and there is nothing you can design to make it so.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  53. Re: ipv6 by jd · · Score: 4, Informative

    Windows has had IPv6 stacks since Windows 95 and Microsoft even started supplying them as of 98.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  54. Re:How about basic security? by William+Baric · · Score: 1

    Several of my clients are charities for whom recycled Core 2 Duo with 2 Gigs of RAM are the best they can get. Some can't even get a semi-decent server, so they just use an old P4 as a file and print server. And you want those people to pay me to install and maintain a firewall? NAT with a $30 router is an acceptable substitute for a firewall when you don't have the money for anything else.

  55. Re:IPv6 and Rust: overhyped and unwanted! by Anonymous Coward · · Score: 1

    NAT is not a solution to the IP address shortage. it is a Band-Aid on a sucking chest wound. Anyone who has ever tried to join corporate networks together that are on the same fucking 10/8 network for example knows this (oh fuck, we need to re-address all the things!). Sounds like your network design engineer is an idiot. IPv6 should be on everyone's radar at least, and any new equipment procured should have IPv6 support as a mandatory feature.

  56. Re:IPv6 and Rust: overhyped and unwanted! by tepples · · Score: 1

    If you're behind CGN, then by definition you aren't allowed to run "servers"

    Customers ought not to stand for inability to run servers. Therefore, customers ought not to stand for being stuck on carrier-grade NAT. Therefore, with more people than IPv4 addresses, IPv6 is a requirement.

  57. Re:How about basic security? by BenFranske · · Score: 2

    I have given up trying to educate Slashdot readers about IPv6. Like most IT people they have stuck their heads in the sand and think NAT is the end-all-be-all. As a professor of IT I keep preaching knowing IPv6 to my students because someday IT management is going to wake up to the fact that Asia (and other places) has moved on to IPv6 and if you want to do business with them you better be running it too. Then there will be a rush to get everyone on IPv6 and people with experience will be in demand. So let them stick their heads in the sand, those of us who actually know the substantial advantages of IPv6 and are familiar with deploying and operating IPv6 networks will gladly be your highly compensated consultants when the day comes.

  58. Re:IPv6 and Rust: overhyped and unwanted! by Cramer · · Score: 5, Insightful

    RA, aka. ICMP router advertisement. Abandoned circa 1970 as a "bad idea". It was a colossally bad idea in the 90's, and f'ing suicidally bad in 2000+. Yeah, let's trust whoever the f*** on the cable claims to be a router and send it our traffic. Oh, to protect my network(s) from that brain damage, I have to buy new switches that support "RA Guard".

    They didn't like DHCP. So "no f***ing DHCP in IPv6!" DHCPv6 is a bolt-on, staple-on, and bandaid addition to IPv6. It's a horribly incomplete shadow of DHCPv4, and still requires an RA tell you to use it.

    SLAAC... originally 80bit prefix plus 48bit MAC. They ignored the fact that ethernet is not the only technology in the universe. That was later amended (breaking older stacks) to 64bits. The entire purpose for the vast over-simplification of address selection (for tiny embedded systems with limited RAM/ROM/CPU) became moot 7sec into the IPng committee's existence -- IPSec shoots all three in the head, repeatedly, with artillery. Everything supports privacy extensions these days, so the logic for random address generation and duplicate address detection is there -- and rather trivial. Yet it, and SLAAC, demands the prefix-length be 64. Just to put that silliness in perspective, that's a single LAN with every ethernet device ever created (that will ever be created) in it 65,536 times over.

    This leads nicely into the blindness to history... a 64bit LAN is pure lunacy. Today and likely for several decades. But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite". Sure, we can change the way we do things "with the next ::/8", but that dooms us to live with the colossal stupid of this ::/8 for ever. Again, dooming us (and our children's great grand-children) to live with our bullshit. We did a lot of stupid things with IPv4; and we're doing them all over again with IPv6.

  59. Re:ipv6 by rwyoder · · Score: 1

    I've had Comcast and native IPv6 since the fall of 2012, (about 6 months after they brought it up on Memorial Day). I have had no trouble with it, and about a year ago they began issuing /60 prefix delegations. An interesting thing is that since they bumped up my speed to "50Mps" (download), their speedtest website consistently shows ~41Mbps for IPv4, and ~59Mbps for IPv6. I have no idea why. Back when I was getting 20Mbps downloads, there was no significant difference.

  60. Tried IPv6 by melting_clock · · Score: 1

    My ISP is IPv6 capable but customers are configured for IPv4 by default. Making the change is just a matter of logging in to your account settings to enable IPv6 and making sure it is enabled on your router and devices on your home network.

    Most local ISPs do not support IPv6 so end to end IPv6 isn't really an option. There were also some strange issues with a few websites after making the switch. There were no measurable performance improvements. After trying IPv6 for several months, I couldn't see any benefits so disabled it on my account and went back to IPv4. It means a lot to those limited by public address availability but not much to the average Internet user.

    1. Re:Tried IPv6 by marka63 · · Score: 1

      The average user will notice the lack of IPv6 when a CGN is put in the IPv4 path and things like port forwarding stop working. For some ISP's that is now. For others it is in the future. Until then you really shouldn't notice whether you are using IPv4 or IPv6 to reach another site or how you are reached. If you do notice then the ISP / OS vendor isn't doing their job properly.

      Hopefully the ISP will take away the IPv6 knob and just deliver IPv6 to everyone in the near future. There aren't many IPv6 only reachable destinations yet but more are coming as more ISP's switch over to using CGN to deliver IPv4.

  61. Re:How about basic security? by Shakrai · · Score: 1

    NAT with a $30 router is an acceptable substitute for a firewall when you don't have the money for anything else.

    If that's your argument just use the Windows firewall. It's completely free.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  62. Re:How about basic security? by Shakrai · · Score: 1

    What's truly pathetic is I can't get it from Time Warner Cable on our dedicated fiber (not DOCSIS) connection, despite their claims that it's available to DIA customers. They have been dragging their feet now for eight or nine months, professing that we're the first business in our whole area (~250,000 people) to ask for it, so they don't actually have any experience getting it to us.

    That's either complete bullshit (we have one of the largest universities in NYS here, along with major defense contractors and even a Fortune 100) to stonewall my request, or it's actually true and a sad reflection on our complete lack of progress on this issue.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  63. Re:IPv6 and Rust: overhyped and unwanted! by CauseBy · · Score: 1

    You can't be serious.

    If I 'never think about it' in C++, my memory will explode in no time. If I 'never think about it' in Java, then maybe in some cases eventually my memory might explode, perhaps. That's not what 'easier to leak in Java' means to me.

  64. Re:How about basic security? by William+Baric · · Score: 1

    I'll quote myself : "And you want those people to pay me to install and maintain a firewall?"

    Charities have access to donations from Microsoft. The problem is not the cost of the license (Linux is also completely free), it's my time. I REALLY can't install, configure and maintain a firewall for $30.

  65. IPv6 has tons of useless changes and 1 useful one by egarland · · Score: 2, Insightful

    Automatic address assignment: Useless. DHCP is better.

    No more NAT: Useless. NAT is part of firewalls which are still needed. It's easy, and incredibly flexible.

    Better multicast routing: Useless. Multicast is dead, and will remain so.

    Simplified routing: Useless. This has been implemented outside IP

    QOS: Useless. The IPv6 implementation is wrong for how QOS is used now.

    Larger Address Space: The only useful feature in IPv6, but it was done wrong, and should be abandoned.

    We need IPv8 that does things right for the internet we have *today* not the internet we thought we'd need in 1998.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  66. Re:How about basic security? by I4ko · · Score: 1

    My comment has nothing to do with NAT but with the mess that BGPv6 is. IPv6 is good within an Enterprise, I actually prefer it over using RFC 1918 space, but there is much less need for it to be available for a web site, for example. You are going to hit a load-balancer anyway, even with a CDN your DNS query will only return a small subset of the entire CDN. Most of the internet does not need IPv6, with the exception of the endpoints.

  67. Re:How about basic security? by SuricouRaven · · Score: 2

    That 'simple nmap scan' is 2^48 addresses. You can't scan entire IP ranges on IPv6, you have to harvest addresses by other means.

  68. IPv6 is good for something by WaffleMonster · · Score: 3, Insightful

    I quite like vastly increased difficulty of scanning the whole IPv6 Internet. As soon as Comcast fixes their business class remote access via IPv4 is going bye bye. Sick of looking at all this crap in my logs. If random fools want to spam me they are going to have to work for it.

  69. Re:IPv6 and Rust: overhyped and unwanted! by Ulric · · Score: 1

    I had mod points yesterday, but not today, so here's a reply instead of the "+1 insightful" you deserve. IPv6 does unsolve problems that already have solutions in IPv4. *cough* DHCP *cough* indeed.

  70. Re:IPv6 has tons of useless changes and 1 useful o by SuricouRaven · · Score: 1

    You've clearly never had to talk someone through configuring a port forward on their router so that a file transfer over IM could work, or so they could host a game server. NAT mostly works, but it turns a lot of things that should 'just work' into a need to fiddle around with the router config.

  71. Re:IPv6 and Rust: overhyped and unwanted! by Cramer · · Score: 1

    With C and C++, the programmer has to keep up with it; thus they are constantly aware of memory usage. (well, those that aren't complete shits do.) In Java, the programmer has no say in it, so they don't think about it -- or for younger "programmers" (who may have never learned C/C++), don't know how.

  72. Re: ipv6 by hcs_$reboot · · Score: 1

    Windows has had IPv6 stacks since Windows 95 and Microsoft even started supplying them as of 98.

    Ok so I'll wait for IPv10

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  73. Re:IPv6 and Rust: overhyped and unwanted! by Jack+Griffin · · Score: 1

    the 0.0001% of Nerd Customers ought not to stand for inability to run servers.

    FTFY.

    For those 0.0001%, there is AWS.

  74. Re:IPv6 and Rust: overhyped and unwanted! by Anrego · · Score: 1

    As someone who's not really a networking guy, this!

    I like the extra layer NAT provides. It's no substitute for a firewall of course, but having your internal boxes not publicly addressable at all adds an extra layer of warm and fuzzy.

    Is this attitude wrong? Probably. But it is also pervasive.

  75. Re:IPv6 and Rust: overhyped and unwanted! by Anrego · · Score: 1

    I doubt they'll go this route, but what would make sense to me would be to give customers the option to request a direct connection.

    Between cell phones and people who have no interest in running a server (even unintentionally), there's probably only a small portion of people out there who really need a direct connection, and there are probably plenty of IPs to support them if you put everyone else on CGN.

  76. Re:IPv6 and Rust: overhyped and unwanted! by ttucker · · Score: 1

    Probably closer to 99.999%

  77. Re:How about basic security? by thogard · · Score: 2

    Scanning IPv6 isn't as hard as you make it out to be. I look at it more like using dictionary attacks rather than sequential scans. The 1st 64 bits are known if you're after a specific target. It is also trivial to know if a given /64 is even used. A tree of all known used /64 shouldn't take long to create.

    The 64 bits of the host is a bit different. They could be fully random (which is rare) or they are allocated based on MAC address or statically assigned. The MAC addresses mean that 40 bits of the address are known if you know anything about the target's buying habits (i.e. they tend to buy Dell or Polycoms). That leaves 16 million guesses, which can be reduced based on the vendor or the product version which you intend to exploit once you find a target.

    You may not be looking for one in 2^64, but a network of devices that all may have many addresses and you might only need one.

    The static address assignment space isn't very large as well, as netadmins like using :: when they type in addresses so they are unlikely to be random. That means their 1st network will be 0::something and their second is likely to be 0001::something. Oddly enough you might find they skip ::a and use ::8,::9,::10 as well or use something that matches their existing IPv4 address, so things like ::192:168:1:1 are very likely.

    All these things mean that Monte Carlo scans of a specific IPv6 allocation on a remote network are well within the ability of small time hackers.

    Throw in a firewall that isn't filtering IPv6 properly and that will result in remote exploits of internal devices.
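
Added example, not part of the thread or any commenter's code: a small audit script that checks an address inventory you own for the predictable interface-identifier patterns named in the comment above (MAC-derived EUI-64, low static values, IPv4 octets written into the hextets). The hostnames, the addresses in the 2001:db8::/32 documentation prefix, and the residual-bit figures are constructed assumptions; the 24-bit figure for EUI-64 assumes the vendor prefix is known, which is the comment's "16 million guesses".

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier (IID)

# Constructed inventory in the documentation prefix; not real hosts.
SAMPLE_INVENTORY = {
    "printer":  "2001:db8:0:1:21a:a0ff:fe12:3456",   # SLAAC from a MAC address
    "gateway":  "2001:db8:0:1::1",                   # hand-assigned low value
    "fileserv": "2001:db8:0:1:192:168:1:1",          # IPv4 octets typed as hextets
    "laptop":   "2001:db8:0:1:8d3c:71f2:4be0:9a15",  # randomised IID
}


def classify_iid(addr):
    """Classify the IID of one address.

    Returns (kind, detail, residual_bits), where residual_bits is an assumed
    upper bound on what is left to guess once the pattern is recognised.
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    raw = iid.to_bytes(8, "big")

    # Modified EUI-64: ff:fe sits between the two MAC halves and the
    # universal/local bit of the first octet is inverted.
    if raw[3] == 0xFF and raw[4] == 0xFE:
        mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
        # 64 bits - 16 (ff:fe) - 24 (vendor prefix, assumed known) = 24
        return ("eui64", ":".join(f"{b:02x}" for b in mac), 24)

    # Hand-typed static addresses such as ::1, ::8, ::10.
    if iid < 0x10000:
        return ("low-byte", f"::{iid:x}", 16)

    # Hextets whose hex digits read as decimal IPv4 octets (::192:168:1:1).
    hextets = [f"{(iid >> shift) & 0xFFFF:x}" for shift in (48, 32, 16, 0)]
    if all(h.isdigit() and int(h) <= 255 for h in hextets):
        return ("embedded-ipv4", ".".join(hextets), 32)

    # Nothing recognisable: treat as random (privacy or opaque stable IID).
    return ("opaque", "", 64)


def audit(inventory):
    """Return one finding per host whose IID follows a guessable pattern."""
    findings = []
    for host, addr in inventory.items():
        kind, detail, bits = classify_iid(addr)
        if kind != "opaque":
            findings.append(
                {"host": host, "kind": kind, "detail": detail, "guesses": 2 ** bits}
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']:9} {f['kind']:14} {f['detail']:18} <= {f['guesses']:,} guesses")
```

Hosts the audit flags are candidates for randomised interface identifiers, and in every case the inbound filtering on the IPv6 path needs to match what is enforced on IPv4.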

  78. Re:IPv6 and Rust: overhyped and unwanted! by ttucker · · Score: 1

    the 0.0001% of Nerd Customers ought not to stand for inability to run servers.

    FTFY. For those 0.0001%, there is AWS.

    Wah wah, for some reason it needs to run on underpowered hardware in an uncontrolled environment over an asymmetrical residential connection, because, for reasons!

  79. Hurricane Electric by darkain · · Score: 1

    I'm in this weird bubble where I live. I'm currently on the city owned cable internet here in Tacoma WA. This ISP has some really shitty upstream connections depending on what site I'm trying to access. I also have Hurricane Electric's IPv6 Tunnel Broker service on my router itself, so my entire network has public IPv6 over IPv4. The route to the HE server in Seattle WA (~35mi away) seems to ALWAYS be stable. HE's backbone is also rock-solid world wide. Sites that are IPv6 enabled, I generally have a much better / faster / lower latency route to them, simply because my ISP has shit IPv4 routes leaving our local region.

    Some major companies that are or are not IPv6 enabled:
    google: yes
    facebook: yes (interesting note: they always have :face:b00c: in their IPv6 addresses)
    wikipedia: yes
    mozilla.org: yes
    amazon: no
    AWS anything: mostly no (they have some half-assed thing on their load balancer service that sucks ass, but nothing else)
    slashdot: no
    twitter: no
    microsoft.com: no

  80. Re:IPv6 and Rust: overhyped and unwanted! by Rhywden · · Score: 1

    Yeah, the problem is though that some people then reach for NAT as the sole solution. That's the reason why my school's network is a triple NAT - 172.16/12 to 192.168/16 to 10/8.

    For my computer science course I recently asked for putting a server in our school's network so we don't have to strain our outbound bandwidth (only 10 Mbit). I also considered asking for it to be reachable from the outside - but after seeing that setup, I promptly discarded the idea.

  81. Re:Its a solution to a problem that is now gone. by darkain · · Score: 1
  82. Re:IPv6 and Rust: overhyped and unwanted! by fisted · · Score: 1

    No. Just, no. A NAT and a firewall are entirely different things and used for different purposes. Please familiarize yourself with basic networking.

  83. Re:IPv6 and Rust: overhyped and unwanted! by fisted · · Score: 1

    By definition? What?

  84. Re:IPv6 and Rust: overhyped and unwanted! by fisted · · Score: 1

    God dammit. I see what you're trying to say, but seriously this is so wrong. It's no big deal (i.e. easy to implement) to have End-to-End connectivity and still not be "exposed" to the oh-so-hostile Internet.
    It is a big deal (i.e. impossible) to actually get End-to-End connectivity when you do need it but find yourself behind a (carrier grade) NAT.

    Breaking this one fundamental principle for the added comfort of being able to just deploy a NAT and feel reasonably secure is totally not worth it. Really, stop.

  85. Re:IPv6 and Rust: overhyped and unwanted! by fisted · · Score: 1

    As someone who's not really a networking guy

    Yeah. It's showing.

  86. Re:IPv6 and Rust: overhyped and unwanted! by cardpuncher · · Score: 2

    >other people will solve them

    Other people are solving the real problem of address exhaustion, just not in the way that the IETF intended.

    Even the IPv6 enthusiasts accepted that adoption would have to be widespread before the regional registries started running out of IPv4 addresses if it were going to work as a solution. That hasn't happened and it's now just too late - don't forget this started 22 years ago when most of the host systems were still under the control of education and government institutions and migration could have occurred much faster than it could now.

    The thing that still irks me is that there'd been a very similar and very public (though much less protracted) attempt to deal with similar address limitations in DECnet that had failed miserably and the IETF chose to turn a deaf ear to those experiences which have simply been repeated on a larger scale with IPv6.

    The problem of address exhaustion remains. IPv6 is no longer the solution, its time came and went. A different group of "other people" are now attempting to keep the Internet roughly connected, but I'm afraid end-to-end connectivity is gone because the solution that offered it has failed the acceptance test.

  87. Re:IPv6 has tons of useless changes and 1 useful o by Lord+Crc · · Score: 1

    NAT mostly works, but it turns a lot of things that should 'just work' into a need to fiddle around with the router config.

    I don't see how. Either you keep essentially all ports open to your public IP at all times (bad idea), or you need to open ports on demand.

    The latter requires the same fiddling around with the router config as with NAT, assuming UPnP isn't used. If UPnP is enabled it's not an issue with NAT either and the whole point is moot.

  88. Re:IPv6 and Rust: overhyped and unwanted! by fisted · · Score: 1

    That's only because dumb people (like you) don't realize in the first place when it would be useful. p2p comms with both ends behind a NAT?
    Sure, i mean routing your shit through a 3rd party server also makes it "work", but it's arguably undesirable, except for dumb people (like you, again) who do not care. Happy Skyping.

  89. Re: IPv6 and Rust: overhyped and unwanted! by Anonymous Coward · · Score: 1

    IPv6 utterly sucks, though. There are much easier ways to solve the address exhaustion problem; and it actually makes the routing problem worse (and no, location/id split doesn't solve that any more than CIDR did).

  90. Re:IPv6 and Rust: overhyped and unwanted! by Anrego · · Score: 1

    It's compelling arguments like that which will surely convince people to give a shit about ipv6.

  91. Re:IPv6 is not an upgrade, it's a totally new thin by Dagger2 · · Score: 1

    It's not that it wasn't considered. The biggest problem with interop between v6 and v4 is that you can't really do interop between v6 and v4. The v4 header only has 32 bits available for the dest host, so there's no way to specify which v6 host you want to send packets to.

    Unless you count NAT64-like solutions or 6to4-like solutions, both of which do already exist.

    And IPv6 still has the same shortsighted flaws for futureproofing as IPv4; It lacks extensibility. Sure it looks infeasibly big now, but they keep saying that and then we find we run out of space. It wasn't that long ago when a terabyte was considered unbelievably big yet now computers routinely come with drives of such capacities!

    It does lack a way of expanding the address space, but we'd need to actually run out of space first for that to be a problem, and 128 bits really is a lot. 1 TB drives and v6 are in completely different ballparks: if v4 is 1 TB, then v6 is 80 million billion yottabytes. There are 300 million /64s available... for each person on the planet. And each /64 has essentially no limit on the number of hosts it supports. I could understand an argument that each person might end up running billions of computers (which would be no problem at all), but a quarter of a billion networks? Each?

    And that's just using the 2000::/3 space. There are five more unused /3s available, so we could do it all over again five more times (presumably with smaller-than-/64 subnets) before actually running out.

  92. Buried Lede by ThatsNotPudding · · Score: 1

    Because IPv4 has no native security, it's vulnerable to a much wider range of attacks...

    I think we might have found the root cause for the glacially slow rollout.

  93. Re:IPv6 and Rust: overhyped and unwanted! by jbolden · · Score: 1

    NAT was a hack used when we started running out of addresses in the early 1990s. It was never a solution to the problem. And it is a hack that can't work long term. We already have about 300m public IP addresses with fixed port needs (websites, SIP, FTP...). Moreover carrier IP is the same cost and possibly even more complex than NAT to implement.

    Carrier NAT is a terrible idea.

  94. Re:IPv6 and Rust: overhyped and unwanted! by jbolden · · Score: 1

    Of course it is pervasive. Since the early 1990s we've had 20 years where the internet has grown increasingly hierarchical and not flat. Our technological stack and psychology have grown up around that. When it becomes flat there will be a bit of adjusting. Then people will get the huge advantages when every endpoint is a server.

  95. IPv6 by ledow · · Score: 1

    My external servers - all IPv6, publish AAAA records, all services available on IPv6.

    My home - IPv6 compatible router, IPv6 compatible network, IPv6-compatible clients, even IPv6 VPN to my servers.

    What I don't see - IPv6 compatible websites. Slashdot is not IPv6 reachable. Nor is The Register. If even the IT crowd can't manage it, what chance do other places have? But that's no big deal, so long as they're IPv4-reachable anyway.

    What I don't have - an IPv6 compatible ISP.

    I can't use any IPv6 protocol except for 6to4, but the local 6to4 relay is "not supported" by my ISP and not run by them. That puts me at the behest of whatever routing is set up for that magic 6to4 address at any given point.

    Sure, I could go with Sixxs etc. but that requires all kinds of signup. It's actually easier to just VPN to my IPv6-ready external server over IPv5 and bypass worrying the in-between link entirely.

    It works. It's up. I receive email from third-party servers solely over IPv6 every day.

    And then, you find that Google mail and DNS is IPv6. The occasional website is IPv6. The odd mail server is IPv6. And nothing else. And they are all also on IPv4 too. All that hassle, hardware and configuration and I gain... nothing.

    Until we literally say "IPv4 is going to be marked for obsoletion in 6 months, and routing for it will be going off on the 1st of Jan 2016, worldwide", nothing is going to change. Absolutely nothing.

    Slashdot - I'm invoking my rule again. You can post articles on the IPv6 deployment when you BOTHER to put a single AAAA record on your DNS.

  96. Allocation by Going_Digital · · Score: 1

    If I could easily apply for an IPv6 allocation that was portable then I would implement it. However I can only use our ISP supplied addresses, so it is not worth the trouble as renumbering would have to happen every time we switch ISPs.

  97. Re:IPv6 and Rust: overhyped and unwanted! by jbolden · · Score: 1

    Carrier grade NAT would likely have been probably slightly more expensive to implement than IPv6 for carriers. Of course NAT for companies doesn't cost much because NAT is a very mature technology and IPv4 stack is now built around the expectation of NAT. But that's not the right comparison.

    As for the network engineer and IPv6 in private companies. If you aren't directly serving home / small business customers then there likely is nothing that is going to drive you off IPv4 in the next few years. Your ISP for your website may need IPv6 but internally you won't. Where it is a problem for you though is tunnels. IPv4 network equipment doesn't understand IPv6 tunneling. IPv6 services will make your IPv4 network security look like swiss cheese. For many companies that still doesn't matter in which case you have time.

    Until the carriers clean up IPv6 for home / small business there really isn't much reason for most businesses to worry. But that's a yet not a never.

  98. Re:IPv6 and Rust: overhyped and unwanted! by FireFury03 · · Score: 1

    As someone who's not really a networking guy, this!

    I like the extra layer NAT provides. It's no substitute for a firewall of course, but having your internal boxes not publicly addressable at all adds an extra layer of warm and fuzzy.

    Is this attitude wrong? Probably. But it is also pervasive.

    That attitude is definitely wrong. The warm fuzzyness you're currently feeling is false security - lots of ways to trick a NAT into giving access to internal machines that you think are unaddressable. What you need is a stateful firewall - that gives you real security without breaking all the stuff that NAT does.

  99. Re:IPv6 and Rust: overhyped and unwanted! by FireFury03 · · Score: 3, Insightful

    People who think they need end-to-end connectivity for everything don't understand networking. It's not only not required, it is undesirable in most cases.

    It's undesirable in _some_ cases, it's absolutely required in others. So if you have a single IP address and you have to NAT everything, you win in the "some cases" situation and you lose for "others" (even worse with CGNAT). If you get rid of NAT and stick a stateful firewall in, you get the best of both worlds and can choose the best for the situation at hand.

  100. Re:IPv6 and Rust: overhyped and unwanted! by jbolden · · Score: 1

    You mentioned DECnet. I was involved in that migration in a company. Migration can occur very fast if they are a priority. And they will become a priority if things are allowed to break. Breaking right now is happening as you mentioned on the area of connectivity that problem is going to get worse.

    We have the technology for easy migration and we have the blueprint.

    1) Carriers migrate
    2) Internet companies (web hosting, CDN...) migrate
    3) Home / small business user migrate
    4) B2B communications migrate
    5) Company's internal networks migrate

    We are wrapping up (1) and (2) and starting on (3).

  101. Re:IPv6 and Rust: overhyped and unwanted! by Maritz · · Score: 1

    They aren't being adopted because they try to solve problems that aren't really problems.

    No. They really are problems. Not enough addresses, too much NAT, too much PAT, yeah these are problems.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  102. Re:IPv6 and Rust: overhyped and unwanted! by Maritz · · Score: 1

    NAT is an ugly fudge that makes things more complex than they need to be. That makes it sub-optimal as a solution to the lack of address space.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  103. Re:I need a IPv6 firewall by Dagger2 · · Score: 1

    It isn't particularly hard. Just drop connections that come from the internet by default. Something like this in ip6tables on the router:

    ip6tables -A FORWARD -p icmpv6 -j ACCEPT
    ip6tables -A FORWARD -m state --state INVALID -j DROP
    ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ip6tables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    ip6tables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
    ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

    Basically it's exactly the same as you do on v4, except you don't add a -j MASQUERADE rule. You can open holes in it by doing:
    ip6tables -A FORWARD -p tcp -d <dst IP> --dport 3389 -j ACCEPT
    or even something like:
    ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT
    to allow inbound ssh to all machines at once.
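
Added example, not part of comment 103 or of any project's code: a small Python model of first-match evaluation over the six FORWARD rules quoted above. It shows which constructed packets the ruleset admits, and that an allow rule only takes effect when it sits ahead of the closing REJECT rules (appended with `-A` after them it is unreachable). The `Packet` fields, the destination `2001:db8::10` and the simplified matcher are assumptions of this model; `eth0` and `ppp0` are the interface names used in the comment.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# The six rules from the comment, verbatim (eth0 = LAN side, ppp0 = WAN side).
BASE = [
    "ip6tables -A FORWARD -p icmpv6 -j ACCEPT",
    "ip6tables -A FORWARD -m state --state INVALID -j DROP",
    "ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "ip6tables -A FORWARD -i eth0 -o ppp0 -j ACCEPT",
    "ip6tables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset",
    "ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited",
]
HOLE_APPENDED = "ip6tables -A FORWARD -p tcp --dport 22 -j ACCEPT"
HOLE_INSERTED = "ip6tables -I FORWARD 5 -p tcp --dport 22 -j ACCEPT"
MATCH_FLAGS = ("-p", "-i", "-o", "-d", "--dport", "--state")


@dataclass
class Packet:
    """Constructed packet description; the fields are this model's assumption."""
    proto: str
    in_if: str
    out_if: str
    state: str                   # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dst: str = "2001:db8::10"    # constructed, documentation prefix
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str
    op: str                      # -A (append) or -I (insert)
    position: Optional[int]      # 1-based rule number given to -I, if any
    criteria: dict
    target: str


def parse(cmd):
    tok = shlex.split(cmd)[1:]   # drop the "ip6tables" word
    op, position, criteria, target = tok[0], None, {}, None
    i = 2                        # tok[1] is the chain name
    if op == "-I" and i < len(tok) and tok[i].isdigit():
        position, i = int(tok[i]), i + 1
    while i < len(tok):          # every option used here takes one value
        flag, value = tok[i], tok[i + 1]
        if flag in MATCH_FLAGS:
            criteria[flag] = value
        elif flag == "-j":
            target = value
        # "-m state" and "--reject-with" do not change which packets match
        i += 2
    return Rule(cmd, op, position, criteria, target)


def build(commands):
    """Apply the commands in order, as running them one by one would."""
    chain = []
    for rule in map(parse, commands):
        if rule.op == "-A":
            chain.append(rule)
        else:                    # -I without a number inserts at the head
            chain.insert((rule.position or 1) - 1, rule)
    return chain


def matches(rule, pkt):
    fields = {"-p": pkt.proto, "-i": pkt.in_if, "-o": pkt.out_if, "-d": pkt.dst,
              "--dport": None if pkt.dport is None else str(pkt.dport)}
    for flag, wanted in rule.criteria.items():
        if flag == "--state":
            if pkt.state not in wanted.split(","):
                return False
        elif fields[flag] != wanted:
            return False
    return True


def verdict(chain, pkt):
    """Return (target, 1-based rule number) of the first rule that matches."""
    for number, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, number
    return "ACCEPT", 0           # fell off the end: default chain policy


def shadowed(chain):
    """Rules no packet can reach: an earlier rule whose criteria are all
    repeated in the later rule matches every packet the later one would, and
    ACCEPT, DROP and REJECT all end evaluation."""
    dead = []
    for idx, rule in enumerate(chain):
        if any(e.criteria.items() <= rule.criteria.items() for e in chain[:idx]):
            dead.append(rule.text)
    return dead


INBOUND_SSH = Packet("tcp", "ppp0", "eth0", "NEW", dport=22)

if __name__ == "__main__":
    for label, extra in (("appended", HOLE_APPENDED), ("inserted", HOLE_INSERTED)):
        chain = build(BASE + [extra])
        print(label, verdict(chain, INBOUND_SSH), "unreachable:", shadowed(chain))
```

Running `shadowed()` over a ruleset before loading it is a cheap check that every allow rule can actually be reached.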

  104. Re:IPv6 and Rust: overhyped and unwanted! by Maritz · · Score: 2

    Luckily for the rest of us, and hard as you might find this to believe - it's not all about you.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  105. Re:IPv6 and Rust: overhyped and unwanted! by Maritz · · Score: 1

    But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite".

    Haven't heard anyone call it infinite. Sounds like a bit of a straw man. But I have heard it's enough to give each square centimetre of the Earth 2 million addresses each, or to uniquely address every cubic foot of the Milky Way galaxy, so it is quite a lot.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  106. Re:IPv6 and Rust: overhyped and unwanted! by Anrego · · Score: 1

    I get that NAT isn't a firewall, but I think it makes a nice second layer.

    Let's say I'm using shorewall, and for whatever reason I break my config and don't notice.

    Consider: (big bad internet) -- (broken shorewall + nat) -- (internal boxes)

    Suddenly you can't get to anything I was forwarding (which I'll probably notice) and yes there are probably effective attacks to get at my internal boxes through the nat, but at least it's not wide open as I imagine it would be in a configuration without nat.

  107. Re:How about basic security? by jbolden · · Score: 1

    Agree with you Ben. This will change as the carriers in the USA upgrade to have IPv6 and home / small business rolls over. /. has become a can't do world of defeatists. Breaking connectivity is not going to be an acceptable option. That's obvious.

  108. Re:How about basic security? by jbolden · · Score: 1

    There are 0 American farmers whose cost of labor is low enough that it pays for them to scratch out dirt by hand than it does for them to use a tractor. There are 0 American builders who should shovel by hand rather than use an excavator.

    The people in your charity are Americans. Their time is worth $25/hr minimum and likely more like $100/hr. The idea that they can't afford $1k investment per employee is stupid. Regardless of what they say. They may be cheapskates but their assessment of what makes sense is not based on reality.

  109. Re:No benefit by jbolden · · Score: 1

    You don't have to use future tense anymore. They've run out of steam. We have a situation now where routers use conflicting IPv4 address schemes and thus huge blocks of machines have no IP path to other huge blocks of machines.

  110. Re: How about basic security? by Dagger2 · · Score: 1

    It's actually not much of a problem. I run v6 everywhere and I've never had any problems reaching other v4 hosts.

    Why? Because I also run v4 everywhere and use that to reach v4 hosts. This is extremely easy to do: you just deploy v6, and then don't undeploy your v4, and there you go. v6 works over the same network topology as v4 does, so you can easily run both.

    This also has the advantage of not being impossible.

  111. Re:How about basic security? by tippen · · Score: 1

    Bullshit. Just use a firewall the proper way and stop using crap.
    If your machines are that vulnerable you are already screwed. Hiding behind NAT and thinking you are safe is a joke.

    Wait, you think firewalls provide security?

    Even if your network is one of the rare ones that doesn't just allow any internally initiated traffic out, you'll at least have ports open for web access, email, ftp, dns, etc. Guess where the vast majority of the attacks come from? Web, email, etc. The exact ports you already have open on your firewall.

    Attackers aren't stupid. They go where the opportunities are.

    Traditional firewalls (stateful, L3/L4) are mostly about access control. They don't protect your vulnerable machines other than reducing the ports they can be attacked on.

  112. Re:IPv6 has tons of useless changes and 1 useful o by jbolden · · Score: 1

    That's a good argument. I would agree the switch to IPv6 has taken too long and thus it has legacy problems already before implementation. I'd pick IPv6 over IPv4 but I'd certainly pick something better were that on the table as an option.

  113. Works for me by Chandon+Seldon · · Score: 1

    I've had IPv6 connectivity for the past 8 years, and native IPv6 connectivity through Comcast for the past two. The last time I installed a new modem and router, the configuration was automatic.

    The deployment process has been extremely slow, but in 10 years, most connections will be happening over IPv6 and most people won't even notice. Even tech savvy people will mostly find out when they try to debug something and realize the IP address is funny looking.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  114. FreedomBox by tepples · · Score: 1

    people who have no interest in running a server

    Are they just unaware of what advantages running a home server can offer? Or have the benefits of a server been explained to them after which they still decline?

    1. Re:FreedomBox by Anrego · · Score: 1

      Privacy isn't of great concern to many. It's not even an issue of comprehension. There are people who understand the privacy implications of things like facebook, but still happily participate because the social aspects are more appealing to them.

      Social media in general has caught on because a great many people _want_ to share everything about themselves to everyone. Sites like what you linked to do a fairly poor job of convincing such people because they:

      - Tend to focus on unrelatable things (like oppression in other countries, or oppression of people at home they can't personally relate to).
      - Are written from an opposite viewpoint where privacy is just automatically an important thing that everyone should want. If social media has shown us anything, it's not to many people. The FSF is at the forefront of this too. When you write a blathering piece where you just assume your position from the beginning, people who don't already agree just roll their eyes, and the only ones you convince are those who already agreed.
      - Not the case here, but often times focus on rare events where some shared information is used against them.

      Very least, going as far as running a server at home, even one that's basically a pre-configured appliance, is a fairly extreme step for most non-geeks to take unless you can make a really compelling argument that doesn't involve dystopian futures and acid mines.

    2. Re:FreedomBox by CronoCloud · · Score: 1

      What part of "The vast majority of people aren't Slashdot reading nerds and don't have the same needs or desires.", do you not understand?

    3. Re:FreedomBox by david_thornley · · Score: 1

      People in general don't care about security. If they did, we'd have more of it. FreedomBox is a niche product at best.

      Assuming they cared, it looks like they're targeting Debian, which is an OS segment that very few people are in. Sure, Ubuntu is a great distro for the newcomer, but most people run Windows and most of the ones who don't run MacOSX. I'm not real optimistic about this running on MS Windows any time soon. "Windows" doesn't appear in the FAQ.

      I'm also going to go out on a limb and suggest that their goal of making FreedomBox as easy as using a smartphone might not be realized.

      I'm not trying to knock FreedomBox, but it's not going to drive mass adoption of anything.

      If you can come up with a use for a home server that runs on Windows, offers something most people want, and is easy to install and run, I'd love to hear about it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  115. Configuring the link-local nameserver itself by tepples · · Score: 1

    It's still a chicken-and-egg question. How does the link-local nameserver in customer-owned equipment configure itself?

  116. Re:Can't remember adresses by Dagger2 · · Score: 1

    Is this really that difficult?

    203.0.113.168+192.168.1.2 vs 2001:db8:71a8:1::2
    203.0.113.168+192.168.1.3 vs 2001:db8:71a8:1::3
    203.0.113.168+192.168.1.4 vs 2001:db8:71a8:1::4
    ...
    203.0.113.168+192.168.1.8 vs 2001:db8:71a8:1::8
    203.0.113.168+192.168.1.9 vs 2001:db8:71a8:1::9
    203.0.113.168+192.168.1.10 vs 2001:db8:71a8:1::10

    The v6 side is shorter! Plus of course I'm totally ignoring DNS, which is the elephant in the room here. Use DNS. This is exactly what it's for.

  117. IPv6 too long by BeemanIT · · Score: 1

    I personally believe that IPv6 is just too many numbers for most people to input and remember when something is needed to be done quickly. If they could only make an alternate version slightly shorter. I do like the concept of the double colon (xx::xx) for a shortcut.

  118. Re:IPv6 has tons of useless changes and 1 useful o by Lord+Crc · · Score: 1

    Oh, did you mean "NAT as it existed before we ran out of IP addresses"? Well, that's why we need IPv6, now when we are talking about NAT, it includes carrier-grade NAT.

    If you're behind a carrier grade NAT then fiddling with your own router config won't help much will it. That's the part I quoted and objected to.

  119. Re: How about basic security? by Lord+Crc · · Score: 1

    Why? Because I also run v4 everywhere and use that to reach v4 hosts.

    So why are we even bothering with v6 again when all we need is just to keep our v4?

  120. Re: How about basic security? by Dagger2 · · Score: 1

    Because it's not big enough to number all our hosts?

    I can reach the hosts that have v4 over v4, but not the ones that don't.

  121. Re:IPv6 and Rust: overhyped and unwanted! by Coren22 · · Score: 1

    I run my own Teamspeak server, PPTP VPN, multiple game servers for my friends and I, a Plex server and probably numerous other things that will break. Please show me how I can trade that in for AWS that will run out of IPs as well some time soon.

    As far as underpowered hardware, I have a dual quad Xeon with 64 GB ram. Uncontrolled, well you got me there, I don't have redundant air conditioning. Asymmetrical, nope, FiOS went Symmetric already. But, running all of this is much cheaper than paying someone else to run all these services for me.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  122. Re:IPv6 and Rust: overhyped and unwanted! by Coren22 · · Score: 1

    He is trying to make the tired argument that residential connections aren't supposed to run servers. Technically you can get disconnected by your ISP for it, but FiOS actually seems to encourage it. Why else would they have symmetric for all their network?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  123. Re: How about basic security? by Lord+Crc · · Score: 1

    Because it's not big enough to number all our hosts?
    I can reach the hosts that have v4 over v4, but not the ones that don't.

    You said it wasn't a big issue that you cannot contact v4 from a v6 address, because one can simply use v4 to connect to v4. Yet you also say we need v6 because we don't have enough v4 left.

    See the issue now?

  124. Re:How about basic security? by pe1rxq · · Score: 1

    Wait, you stopped reading after five words?

    --
    Secure messaging: http://quickmsg.vreeken.net/
  125. Re: How about basic security? by Dagger2 · · Score: 1

    Ah, yes. When I said:

    I run v6 everywhere and I've never had any problems reaching other v4 hosts

    I meant to say:

    I run v6 everywhere and I've never had any problems reaching other reachable v4 hosts

    Sorry about that.

  126. Counting IPv6 addresses - one, two, twenty-three.. by userw014 · · Score: 1

    I've been playing around with my own (tunneled) IPv6 prefix at home for some time now. (I think Comcast will deliver IPv6 to me - but I haven't bothered yet.)

    I run IPv6 on some of my home LANs, but not on the one I have with legacy equipment on it like webcams, TV sets, printers, and other "Internet of Things" like devices that never get patches. Those networks get the usual NAT'd IPv4 stuff.

    On my IPv6 networks, I have EUI addressing turned off - a pseudo-random address gets generated from time to time (within the IPv6 LAN network prefix), and I often see those devices having multiple simultaneous IPv6 addresses. I believe that this is the default anyway for modern OSes.

    And so I think that any counting of adoption by full 128-bit IPv6 addresses will dramatically over-count IPv6 adoption - even if NAT could be taken into account. Google's technicians will know this. Google's marketeers might not care.
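
Added example, not from the thread: what comment 126 describes, worked in Python. It derives the MAC-based (modified EUI-64) interface identifier, recovers the MAC such an address exposes, and counts a constructed list of observed addresses both as full 128-bit addresses and as /64 networks. The MAC `00:11:22:33:44:55`, the observed addresses and the function names are constructed for illustration.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit of the MAC's first
    byte and insert ff:fe between its two halves."""
    b = bytearray(int(part, 16) for part in mac.split(":"))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def slaac_address(prefix, mac):
    """Address a host forms in a /64 when it uses the MAC-based identifier."""
    net = ipaddress.IPv6Network(prefix)
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr):
    """Return the MAC a modified EUI-64 address reveals, or None.
    A random identifier can contain ff:fe by chance, so treat a hit as
    'probably MAC-derived', not as proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{byte:02x}" for byte in mac)


def summarize(observed):
    """Count the same observations three ways."""
    addrs = {ipaddress.IPv6Address(a) for a in observed}   # normalises spelling
    prefixes = {ipaddress.ip_network(f"{a}/64", strict=False) for a in addrs}
    macs = sorted({m for m in map(embedded_mac, addrs) if m})
    return {"addresses": len(addrs), "prefixes": len(prefixes), "eui64_macs": macs}


# Constructed observations: one stable MAC-based address, three temporary
# (randomised) addresses on the same LAN, and two on a second LAN, one of
# them logged twice with different capitalisation.
OBSERVED = [
    "2001:db8:71a8:1:211:22ff:fe33:4455",
    "2001:db8:71a8:1:5c3a:91ff:2b07:e4d1",
    "2001:db8:71a8:1:a9f0:3d42:77c1:0b6e",
    "2001:db8:71a8:1:1d84:c6e2:90af:53b9",
    "2001:db8:71a8:2:7be1:44d0:c8a3:19f2",
    "2001:DB8:71A8:2:7BE1:44D0:C8A3:19F2",
    "2001:db8:71a8:2:e05b:6a19:02cd:884f",
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:71a8:1::/64", "00:11:22:33:44:55"))
    print(summarize(OBSERVED))
```

Six distinct addresses here come from two networks, which is the gap between counting /128s and counting /64s; the one MAC-derived address is also the only one that stays linkable to a device across prefixes.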

  127. Re:IPv6 and Rust: overhyped and unwanted! by petermgreen · · Score: 1

    There's only so much NAT can do

    True

    and it's doing it now.

    Nowhere near it, there are loads of public IPs that have only one or a handful of systems behind them. How many systems you can put behind a public IP will depend on the details of what they are doing and the details of the NAT implementation but I would think 100 machines per internet IP is more than feasible.

    On the server side https hosting traditionally needed one IP per certificate (with each certificate covering either one hostname or a small group of hostnames) but SNI removes that need and with Windows XP and Android 2.x gradually fading using SNI starts to look like a more and more reasonable option.

    I don't like the world that ISP level IPv4 nat would give but pretending it's not a feasible solution is silly.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  128. Re:IPv6 and Rust: overhyped and unwanted! by CronoCloud · · Score: 1

    This is part of the AUP of my local ISP, the cable company:

    By way of example (without limitation) you may not:

            Use or run dedicated, stand-alone equipment or servers from your premises that provide network content or any other services to anyone outside of your premises. Examples of prohibited equipment and servers include, but are not limited to, email, Web hosting, file sharing, and proxy services and servers;

    They don't mind if you do things on a temporary basis (I've accessed a machine via ssh and ran a IRC server for a few hours), but they don't want 24/7 servers on home connections.

    They also don't mind occasional use of bittorrent for things like Linux distros, software updates and the like. But they don't want you running a BT client 24/7.

  129. Re:IPv6 has tons of useless changes and 1 useful o by egarland · · Score: 1

    > Though NAT is included with almost all firewalls, it is not there to address security.

    You missed my point. Firewalls are needed for security, and if you have a firewall, you can do NAT. Not needing NAT becomes a non-feature because it doesn't significantly impact complexity or cost.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  130. Re:How about basic security? by steveg · · Score: 1

    Good points. I'd been under the impression that link local addresses were the only ones based on MAC address, but a little investigation shows me that there are schemes that also use the MAC address for public addresses.

    And you're also right that admins are likely to choose addresses that are simpler for them if they assign them manually.

    But all this is moot if a working firewall is in place. And that's really no different than the IPV4 situation.

    --
    Ignorance killed the cat. Curiosity was framed.
  131. Re:IPv6 and Rust: overhyped and unwanted! by sjames · · Score: 1

    But it isn't feasible. On the server side, you can stuff a number of virtual websites behind a single IP, but many customers want their own VM (sometimes for very good reasons). There are things other than http(s) on the net.

    On the client side, there is a matter of administrative control. Who will own the NAT device that you and your neighbors all sit behind so that you can be NATed behind a single IP? Do you want to leave it up to your ISP if a rule can be added to the NAT box so you can ssh into your network through a selected port? What if your neighbor wants the same port for something else?

    It sounds more like a desperate last resort than a real solution. Compared to that kind of pain, upgrading to IPv6 is a no-brainer.

  132. Re:IPv6 and Rust: overhyped and unwanted! by petermgreen · · Score: 1

    But it isn't feasible. On the server side, you can stuff a number of virtual websites behind a single IP, but many customers want their own VM (sometimes for very good reasons).

    Reverse load balancers could be an option here if/when IPv4 prices rise to a level where the IPv4 address is a significant part of the cost of a VM.

    There are things other than http(s) on the net.

    While obviously literally true afaict services other than http(s) and mail are the exception not the rule.

    On the client side, there is a matter of administrative control. Who will own the NAT device that you and your neighbors all sit behind so that you can be NATed behind a single IP? Do you want to leave it up to your ISP if a rule can be added to the NAT box so you can ssh into your network through a selected port?

    Just because you and I don't like the implications of something doesn't make it unfeasible.

    It sounds more like a desperate last resort than a real solution.

    Sure.

    Compared to that kind of pain, upgrading to IPv6 is a no-brainer.

    For better or worse the internet lacks any strong central authority. If it had one maybe we would have had ubiquitous deployment of IPv6 in the 2000s allowing for an IPv4 sunset now.

    That hasn't happened though, there are still loads of clients and servers that are IPv4 only (including the one we are discussing this on).

    So the choice now is not between "deploy horrible mechanisms to keep IPv4 on life support" and "deploy ipv6". The choice now is between "deploy horrible mechanisms to keep IPv4 on life support without deploying IPv6" and "horrible mechanisms to keep IPv4 on life support and also IPv6".

    While i'm in favour of the latter denying that the former is an option is just self-delusion.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  133. Re:Can't remember adresses by Pentium100 · · Score: 1

    Takes longer to type, though maybe they will start making keyboards with hex numpads.

    Also, to me, remembering a number and letter combination is more difficult than just number combination (I guess it's related to the numpad).

    Besides, I never had to type external and internal IP at once. It's either the external IP (one, so not difficult to remember) or the internal IP (can be compressed as "the 192 subnet" 1 2)

  134. Re:I need a IPv6 firewall by Pentium100 · · Score: 1

    I usually use DROP instead of REJECT. Makes port scanners take longer to scan.

  135. Re:IPv6 and Rust: overhyped and unwanted! by david_thornley · · Score: 1

    In C++, use smart pointers with a little intelligence and discipline. That's what they're there for.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  136. Re:IPv6 and Rust: overhyped and unwanted! by sjames · · Score: 1

    The thing is, it wouldn't just suck for people who know what they're doing. VOIP and some games won't work well that way either. Anything like that needs to be seen as a stopgap only running in parallel with IPv6 deployment. There actually are people claiming that more NATting faster is an actual solution to the problem INSTEAD of IPv6.

    It's important not to mistake the bridge to the solution for the actual solution.

    One way it might help is that it will make IPv4 feel very much like the second class citizen.

  137. Re:IPv6 and Rust: overhyped and unwanted! by CauseBy · · Score: 1

    Yeah yeah. Certainly a good programmer who writes perfect code with faultless discipline can write C++ code with no memory leaks. I totally agree. But that is the rare case, not the common case. Or, at least, memory leaks are fairly common in C code. Memory leaks in C++ were the #1 most famous kind of bug. Memory leaks in Java are so rare that I can only think of one in fifteen years of programming -- and that one was long ago due to circular data structures which today are garbage collected.

    The original claim was it's actually *easier* in Java/C# to leak memory which I claim is plainly wrong.

  138. IPv6 adoption is now going backwards in fact by mykro76 · · Score: 1

    My Australian ISP (Internode, now iiNet) was one of the leading promoters of IPv6 and was one of the first to offer such connections, years ago. Many customers used IPv6 with no issues for several years. Then Netflix came to Australia. Netflix, in addition to some Australian digital TV channels and a few local mirrors is excluded from the ISP's broadband quotas. But it turns out, quota exclusion only works for IPv4. So people set their account back to an IPv4 connection.

    Because of this, valuable momentum in IPv6 adoption has been lost.

  139. So ya wanna be an ISP? by knorthern+knight · · Score: 1

    > Are they just unaware of what advantages running a home server can offer? Or have
    > the benefits of a server been explained to them after which they still decline?

    Linux nerd here... sorry, but I have better things to do with my time than worry about constantly patching and running smtp/web/ftp servers, and constantly monitoring logs, etc, etc, etc. Having a life gets in the way of an internet.

    I have a reasonable idea of how vulnerable linux servers are on the open internet. It's mind-boggling how easily the average Joe/Jane Lunchbucket gets pwnd/social-engineered even with a client machine behind a stateful firewall. Give every one of them a server, and if you think today's botnets are something, you ain't seen nothing yet.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  140. Re:IPv6 and Rust: overhyped and unwanted! by Olipro · · Score: 1

    a score of 5 for this tired old ignorant shit? Alright, let's get cracking.

    RA, aka. ICMP router advertisement. Abandoned circa 1970 as a "bad idea". It was a colossally bad idea in the 90's, and f'ing suicidally bad in 2000+. Yeah, let's trust whoever the f*** on the cable claims to be a router and send it our traffic. Oh, to protect my network(s) from that brain damage, I have to buy new switches that support "RA Guard"

    Right, because DHCP totally solves spoofing problems yeah?

    They didn't like DHCP. So "no f***ing DHCP in IPv6!" DHCPv6 is a bolt-on, staple-on, and bandaid addition to IPv6. It's a horribly incomplete shadow of DHCPv4, and still requires an RA tell you to use it.

    No it isn't. You can do practically everything that DHCPv4 does with DHCPv6. Yes you should send an RA, so what? DHCPv4 is as much if not more of a bolt-on than DHCPv6 is (in so far as it's absolutely not part of the protocol stack whatsoever)

    SLAAC... originally 80bit prefix plus 48bit MAC. They ignored the fact that ethernet is not the only technology in the universe. That was later amended (breaking older stacks) to 64bits. The entire purpose for the vast over-simplification of address selection (for tiny embedded systems with limited RAM/ROM/CPU) became moot 7sec into the IPng committee's existence -- IPSec shoots all three in the head, repeatedly, with artillery. Everything supports privacy extensions these days, so the logic for random address generation and duplicate address detection is there -- and rather trivial. Yet it, and SLAAC, demands the prefix-length be 64. Just to put that silliness in perspective, that's a single LAN with every ethernet device ever created (that will ever be created) in it 65,536 times over.

    Just to put YOUR silliness in perspective: the remaining number of bits is 2^61 (within 2000::/3 obviously) which comes to 2,305,843,009,213,693,952 /64s. Get a damn sense of perspective. As far as "older stacks" go... clearly not anything seriously used in production today.

    This leads nicely into the blindness to history... a 64bit LAN is pure lunacy. Today and likely for several decades. But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite". Sure, we can change the way we do things "with the next ::/8", but that dooms us to live with the colossal stupid of this ::/8 for ever. Again, dooming us (and our children's great grand-children) to live with our bullshit. We did a lot of stupid things with IPv4; and we're doing them all over again with IPv6.

    No, your failure to grasp the scale of numbers is pure lunacy. If we somehow manage to fuck up 2000::/3, there's several times the size of the current global IP space waiting to be spun up with the flick of a pen, so we have plenty of opportunity to make mistakes.

  141. Re:I need a IPv6 firewall by Dagger2 · · Score: 1

    I figure that the port scanner doesn't really care how long it takes to run, but I really appreciate getting proper error messages back from programs when my firewall blocks stuff. You could perhaps involve "-m recent" and start dropping when too many connections come in from a single source.

  142. Re:I need a IPv6 firewall by Pentium100 · · Score: 1

    When a program does not work, I just run tcpdump (on both ends) and figure out the problem. A port scanner may only be able to scan a limited number of hosts at once, so if it spends a couple of hours trying to scan me, it won't scan others. Also, if the scanning is not automated (like a bot or virus) but is instead because somebody ran nmap, they might get bored and stop.

    This is especially useful if the server does not have publicly accessible resources (that is, all incoming connections are limited by source IP). Dropping packets makes it look like that host isn't even there. Also useful in case of a DOS (that is not enough to completely saturate the uplink) as there are no packets going back.

  143. Re:Can't remember adresses by Dagger2 · · Score: 1

    Yeah, typing them out's a pain. I wish we could have a shorthand format like "~::2" which took the first N bits from your current network prefix. But I almost never type v6 addresses; it's usually DNS, or then copy/paste if I really am dealing with IPs for some reason. For that matter, I don't even know the v4 addresses for most of my machines -- I could give you the subnet, but I have no idea which IPs are which.

    For what it's worth, v6 assignments currently start with 2001 or 2{4,6,8,a,c}0*, which is pretty similar to the well-known RFC1918 ranges. And you'll see your own prefix often enough to remember it, hex or no hex.

  144. Re:Can't remember adresses by Pentium100 · · Score: 1

    I remember quite a few v4 IPs of my own machines, machines of the company I work for and of clients.

    Adding all that to a DNS server would be a pain (either having one private server with all of them or adding to the servers of the appropriate client, assuming the client has a DNS server, some don't, after all a network of x Windows PCs and a single samba server does not really need DNS, especially if the network is just a bunch of Windows PCs with no server).

  145. Re:I need a IPv6 firewall by Dagger2 · · Score: 1

    "Just". I'd rather be told if my packets are reaching the remote end or not, rather than have to break out a microscope and go hunting. Assuming I even have enough access at both ends to do that.

  146. Re:Can't remember adresses by Dagger2 · · Score: 1

    And so would I if I absolutely had to -- I'd even remember the v6 addresses -- but I don't. My life is easier than that.

    We can't refuse to do v6 because "DNS is hard"; v4 with NAT everywhere is way harder.

  147. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    Why? I'm an ex-Network Engineer.

    Guess now we know why you are 'ex.' You don't sound like you understand the situation and other people's needs very well.

    --
    "First they came for the slanderers and i said nothing."
  148. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    The problem is that people like you 'never think about it' and people like me get paid to clean up after your mess.

    Come to think of it, that's not a problem, I get paid for it. Keep sucking, bro.

    --
    "First they came for the slanderers and i said nothing."
  149. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    C# and Java don't solve the memory leak problem, and those who think they do are invariably sucky programmers.

    --
    "First they came for the slanderers and i said nothing."
  150. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    Eh, IPv6 is spreading more and more. If you run netstat on your phone, you'll probably see a few ipv6 connections open.

    --
    "First they came for the slanderers and i said nothing."
  151. Re:IPv6 and Rust: overhyped and unwanted! by ttucker · · Score: 1

    I note that you did not specify which Xeon chips you actually have, which kind of suggests a set of E5450 or something similar. FiOS does not charge you enough for a continually saturated link, whether it is 25 or 500mbps, so you are still contending with some hard and secret GB limit (starts to make the $/GB model seem more appealing). Game servers tend to be pretty light, and most could run on very modest AWS hardware. Beyond that, EC2 costs nothing when the machines are powered down, and they provide a robust API & access control that would easily allow your friends to boot/stop the machines on demand. That setup is how my friends game, and you really should at least consider it when the service life of your server machine finally ends.

  152. Re:How about basic security? by Pentium100 · · Score: 1

    No, it's not. A NAT router works as a good firewall straight out of the box, you may not even need to configure it other than setting the admin password. Uplink IP is configured using DHCP, the router has its own DHCP server for internal network and no incoming connections are allowed.

  153. Re:IPv6 and Rust: overhyped and unwanted! by david_thornley · · Score: 1

    That's not what I said. I said that a reasonable amount of local discipline will avoid memory leaks.

    When you allocate memory, assign it to a unique_ptr or shared_ptr. Do not change the type of the pointer thereafter. Allow raw pointers only for non-owning pointers, so deleting a pointer is an obvious mistake. This does not require perfect code or flawless discipline. All deviations can easily be spotted in a code review.

    I wasn't talking about C memory leaks, since C is a different language. C++ used to use C-style memory management (with constructors and destructors attached), but the original standard had one sort of smart pointer, the second was in the 2003 Technical Report, and the original smart pointer was replaced with something much better in the 2011 Standard.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  154. Re:IPv6 and Rust: overhyped and unwanted! by CauseBy · · Score: 1

    Right right, I'm not trying to say you made the claim, but my response is to Cramer's statement: it's actually *easier* in Java/C# to leak memory.

  155. Re:IPv6 and Rust: overhyped and unwanted! by CauseBy · · Score: 1

    Okay, sounds good! Come work where I work and maybe someday you can find a bug to fix. So far, sucking has resulted in no memory leaks, but maybe it will someday.

  156. Re:IPv6 and Rust: overhyped and unwanted! by Jack+Griffin · · Score: 1

    Because I didn't waste company money on white elephants and have since been promoted and earning double what I was then? Yeah, you got it in one.

  157. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    Heh.....got promoted to management, and now you don't know what you're talking about. Typical.

    --
    "First they came for the slanderers and i said nothing."
  158. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    So far, sucking has resulted in no memory leaks,

    It has, you just don't know how to find them.

    Either that, or you don't write anything significant. Which sounds likely.

    --
    "First they came for the slanderers and i said nothing."
  159. Re:IPv6 and Rust: overhyped and unwanted! by CauseBy · · Score: 1

    Yeah that's probably it. I suck and I don't do anything important.

  160. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    Probably. You could use some improvement anyway.

    --
    "First they came for the slanderers and i said nothing."
  161. Re:IPv6 and Rust: overhyped and unwanted! by CauseBy · · Score: 1

    You should come educate me so I don't suck so much. Find me in Palo Alto, we'll have a cookie at CREAM then go to my office for a lesson in Java memory leaks.

  162. Re:IPv6 and Rust: overhyped and unwanted! by phantomfive · · Score: 1

    then go to my office for a lesson in Java memory leaks.

    If you have a program that is long-running (that is, it doesn't clear all the objects you created every time a new http request comes in), and you aren't thinking about memory leaks, then you have them.

    Recently I saw a case where a guy had written a program half in C and half in Java. It had some leaks in it but he couldn't find them (mainly he had not been using any introspection tools, so it's not surprising. If you want to find leaks, you need to be able to look at what's going on with your memory. Use jmap or something).

    --
    "First they came for the slanderers and i said nothing."
  163. Re: ipv6 by toddestan · · Score: 1

    No they didn't. Or at least if they did, they never released them. There was a download for IPv6 on Windows 2000, which they called a "preview" and not officially supported. Windows XP had it built in but you had to install it. It was still not 100% there in XP yet (for example you couldn't do DNS over IPv6... which was kind of a deal breaker). The first version of Windows that really properly supported IPv6 was Vista.

  164. Comcast was ahead of many US ISPs on IPv6 by billstewart · · Score: 1

    Comcast may have lots of other issues as an ISP, such as banning customers from running servers at home, and monthly usage caps (if they still do that), but they were ahead of most other US consumer ISPs on taking IPv6 seriously.

    (My ISP supports IPv6 over tunnels, but doesn't run native dual-stack, at least on telco DSL. And I really should get around to actually trying it out, but I haven't...)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  165. Future: IPv4 via NAT, IPv6 Native by billstewart · · Score: 1

    Back when I was closer to the ISP business, the general plan of most consumer ISPs was to start supporting IPv6 (once they had all their hardware and operations support systems able to manage it - it's amazing how many moving parts there are), and migrate most users to dual-stack, with NAT for IPv4 plus native IPv6, or else to use NAT IPv4 with tunneled IPv6.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  166. IPv6: Longer addresses + magic vaporware by billstewart · · Score: 1

    IPv6 was originally supposed to solve a whole lot of problems - not only did it have longer addresses (which ISPs need to avoid having to deploy customers on NAT, and in general to avoid running out of address spaces and crashing into the "Here Be Dragons" sign at the edge), but it was also supposed to solve a whole lot of other problems, like route aggregation, security, multihoming, automatic addressing, etc.

    A lot of that turned out to be wishful thinking, e.g. the hard part about IPSEC tunnels is the key exchange and authentication, not building the tunnels, route aggregation didn't really work out because enterprises weren't willing to use carrier addresses instead of their own, and small carriers also wanted their own addresses instead of sharing their upstream's address space, or if it wasn't wishful thinking, it was addressing problems that IPv4 found other solutions for, like DHCP for automatic addressing.

    And while NAT is a hopeless botch, it does provide a simple-minded stateful firewall as default behaviour, while IPv6 users need explicit firewalling to get the same security with real addresses (which they needed to do anyway, but especially if you're using tunnels, you have to be sure to put it in all the right places).

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
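
Added example, not part of any comment above: one ruleset covering both the explicit stateful IPv6 firewall that NAT otherwise provides by default and the REJECT-then-DROP compromise with "-m recent" from the "I need a IPv6 firewall" exchange. The interface names, the chain name REFUSE, the list name and the 10-hits-in-60-seconds threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an ip6tables-restore ruleset for a
# router with one WAN and one LAN interface (names are arguments, thresholds
# are illustrative). Check it with:  ruleset eth0 br-lan | ip6tables-restore --test
ruleset() {
    [ $# -eq 2 ] || { echo "usage: ruleset WAN_IF LAN_IF" >&2; return 2; }
    wan=$1 lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:REFUSE - [0:0]
# Router itself: loopback, replies, anything from the LAN, all ICMPv6 (this
# covers neighbour discovery and router advertisements), DHCPv6 replies
# from the ISP's link-local address.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $wan -s fe80::/10 -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -j REFUSE
# LAN hosts: the NAT-like part. Replies to connections opened from inside
# are let back in; ICMPv6 errors for those flows (packet-too-big included)
# arrive as RELATED. Nothing can be opened from the WAN side.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -j REFUSE
# REFUSE: after 10 refused packets within 60 s, further packets from that
# source address are dropped silently; below that the sender gets an error.
-A REFUSE -m recent --name refused --update --seconds 60 --hitcount 10 -j DROP
-A REFUSE -m recent --name refused --set
-A REFUSE -p tcp -j REJECT --reject-with tcp-reset
-A REFUSE -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# Print the ruleset when called as: sh thisfile WAN_IF LAN_IF
if [ $# -eq 2 ]; then ruleset "$1" "$2"; fi
```

The recent list is keyed on the single source address, so it slows a scanner that keeps one address and gives legitimate clients a clear error on their first few attempts.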
  167. Dual Homing Failover and IPv6 address aggregation by billstewart · · Score: 1

    Yeah, that turned out to be one of the big problems with IPv6 address aggregation - sounds great in the ivory tower, doesn't meet the needs of real customers, which is too bad, because every company that wants their own AS and routable address block is demanding a resource from every backbone router in the world.

    IPv6's solution to the problem was to allow interfaces to have multiple IPv6 addresses, so you'd have advertise address 2001:AAAA:xyzw:: on Carrier A and 2001:BBBB:abcd:: on Carrier B, both of which can reach your premises routers and firewalls, and if a backhoe or router failure takes out your access to Carrier A, people can still reach your Carrier B address. Except, well, your DNS server needs to update pretty much instantly, and browsers often cache DNS results for a day or more, so half your users won't be able to reach your website, and address aggregation means that you didn't get your own BGP AS to announce route changes with, but hey, your outgoing traffic will still be fine.

    My back-of-a-napkin solution to this a few years ago was that there's an obvious business model for a few ISPs to conspire to jointly provide dual-homing. For instance, if you've got up to 256 carriers, 00 through FF, each pair aa and bb can use BGP to advertise a block 2222:aabb:/32 to the world, and have customer 2222:aabb:xyzw::/48, so the global BGP tables get 32K routes for the pairs of ISPs, and each pair of ISPs shares another up-to-64K routes with each other using either iBGP or other local routing protocols to deal with their customers' actual dual homing. (Obviously you can vary the number of ISPs, size of the dual-homed blocks, amount of prefix for this application (since :2222: may be too long, etc.))

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  168. Re:Dual Homing Failover and IPv6 address aggregati by Pentium100 · · Score: 1

    your outgoing traffic will still be fine

    That may not be fine as well, since unless IPv6 can cram both host IPs into the packet, existing sessions will get dropped (which may not happen with IPv4, since IPs stay the same). Also, that requires more complex firewall configuration (what's the probability that one of the IPs will not be entered?).

    My back-of-a-napkin solution to this a few years ago was that there's an obvious business model for a few ISPs to conspire to jointly provide dual-homing.

    There are a few problems with this:
    1. The ISPs must be willing to cooperate (unlike now, they only have to provide BGP access).
    2. The customer still cannot change ISPs (now I can take my AS to another ISP if I do not like the current one or another pair of ISPs if I'm moving and the current ISPs do not provide service in the new location).
    3. The failure of an ISP must trigger a BGP announce to stop traffic from coming to it. This may not happen. Currently we had multiple problems where the main ISP failed but did not announce that - our BGP router still thought that the ISP is good. I had to write a script that checks if the internet is accessible and if not (for a few minutes) forces our BGP router to use the other ISP (done with prepends and priorities).
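
Added example, not the poster's script: a sketch of the kind of reachability watchdog described in point 3, with the failover decision separated from the probing so it can be replayed against recorded results. The probe targets and source address are placeholders from the documentation prefix 2001:db8::/32, the limits are illustrative, and on_action is a hypothetical hook where the router-side prepend/priority change would go.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: iputils ping; probes
# sent from PRIMARY_SRC are policy-routed out through the primary ISP; the
# targets are placeholders from the documentation prefix 2001:db8::/32;
# on_action is a hypothetical hook for the router-side change.
PROBE_TARGETS=${PROBE_TARGETS:-"2001:db8:1::1 2001:db8:2::1 2001:db8:3::1"}
PRIMARY_SRC=${PRIMARY_SRC:-2001:db8:a::2}
FAIL_LIMIT=3      # failed rounds in a row before failover (3 rounds x 60 s)
RECOVER_LIMIT=5   # good rounds in a row before failback, to avoid flapping

# decide STATE STREAK RESULT  ->  prints "NEWSTATE NEWSTREAK ACTION"
# STATE is primary|backup, RESULT is this round's view of the primary: up|down.
# STREAK counts consecutive rounds that contradict the current state.
decide() {
    state=$1 streak=$2 result=$3 action=none
    case "$state:$result" in
        primary:down|backup:up) streak=$((streak + 1)) ;;
        *) streak=0 ;;
    esac
    if [ "$state" = primary ] && [ "$streak" -ge "$FAIL_LIMIT" ]; then
        state=backup streak=0 action=failover
    elif [ "$state" = backup ] && [ "$streak" -ge "$RECOVER_LIMIT" ]; then
        state=primary streak=0 action=failback
    fi
    echo "$state $streak $action"
}

# One round: the primary counts as up if any target answers. Several targets
# beyond the ISP's own network, so a single dead host is not read as an outage
# and a link that still looks good to BGP but forwards nothing is detected.
probe_primary() {
    for t in $PROBE_TARGETS; do
        if ping -6 -c 1 -W 2 -I "$PRIMARY_SRC" "$t" >/dev/null 2>&1; then
            echo up; return 0
        fi
    done
    echo down
}

# Feed a recorded sequence of round results through decide; prints the actions.
replay() {
    st=primary n=0 log=
    for r in "$@"; do
        out=$(decide "$st" "$n" "$r")
        st=${out%% *}; rest=${out#* }; n=${rest%% *}; act=${rest#* }
        [ "$act" = none ] || log="$log$act "
    done
    echo "${log}final=$st"
}

# Hypothetical hook: put the command that changes prepends/priorities here.
on_action() { logger -t isp-watch "action=$1"; }

# Probe once a minute and call the hook whenever the decision changes state.
watch() {
    st=primary n=0
    while :; do
        out=$(decide "$st" "$n" "$(probe_primary)")
        st=${out%% *}; rest=${out#* }; n=${rest%% *}; act=${rest#* }
        [ "$act" = none ] || on_action "$act"
        sleep 60
    done
}

if [ "${1:-}" = run ]; then watch; fi
```

Requiring more good rounds to fail back than bad rounds to fail over keeps a half-recovered primary from flapping the announcements.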

  169. Re:IPv6 and Rust: overhyped and unwanted! by Jack+Griffin · · Score: 1

    Yeah that's it. Cognitive dissonance is a powerful force.

  170. Re:IPv6 and Rust: overhyped and unwanted! by david_thornley · · Score: 1

    And my response was to your statement about C++ memory exploding in no time. We may now be in agreement.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes