Why the Journey To IPv6 Is Still the Road Less Traveled
alphadogg writes: The writing's on the wall about the short supply of IPv4 addresses, and IPv6 has been around since 1999. Then why does the new protocol still make up just a fraction of the Internet? Though IPv6 is finished technology that works, rolling it out may be either a simple process or a complicated and risky one, depending on what role you play on the Internet. And the rewards for doing so aren't always obvious. For one thing, making your site or service available via IPv6 only helps the relatively small number of users who are already set up with the protocol, creating a nagging chicken-and-egg problem.
My border router is more than IPv6 ready. It's already passing out IPv6 addresses internally to the few devices which are capable of them. Not that it matters to me though, my ISP doesn't support IPv6 so what's the point? Yeah, I can touch my router from my laptop over IPv6, but what does that get me?
Who is my ISP? Why Verizon FIOS of course. Until they decide to support IPv6 and give out addresses to people like me who are ready to use it, there won't be any mass adoption of IPv6 by their customers.
Are there any ISPs out there which support residential IPv6?
Have Facebook and/or Google go IPv6 only for website access. You will see virtually 100% adoption of IPv6 within 24 hours ...
Oh, and there's a learning curve. Most people are like water... path of least resistance.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
They aren't being adopted because they try to solve problems that aren't really problems.
IPv6: not enough IP addresses. The problem is very real.
Rust: incompetent programmers who leak memory, which problem can be fixed at compile time (with tradeoffs that annoy some people but not others).
Both solve very real problems, you just don't see them because they are at a level deeper than you understand. Don't worry, the 'magic' will keep working, and you can keep posting, because other people will solve them.
"First they came for the slanderers and I said nothing."
2: Attackers can view your entire IP space. A simple nmap scan, then choosing what zero days to use... instant pwn-ership.
That's what firewalls are for.
Let me guess, you're one of those that thinks the breaking of end-to-end communications (NAT) is an acceptable substitute for a firewall?
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I have IPv6 at home (took some calls to AT&T Customer Support). I don't have it at work; the migration will probably start with small network endpoints (phones (apparently T-Mobile has already switched) and home networks).
Link-local IPv6 is already fairly broadly available - it's the fe80-prefixed address in your ifconfig output. You should be able to ping other IPv6 addresses on your network (*nix to *nix).
Google's IPv6 stats page indicates this too... https://www.google.com/intl/en... has a peculiar comb effect for the last few years. Zooming in seems to give a bit more insight. Google's count of IPv6 connections has a full 1% swing over the weekends vs the week days. Due to IPv6's addressing method, each unique device on your network appears as a unique device on the internet, vs the NATed IPv4 that we all know and love. This would also have an accelerating increase in the number of unique IPs that are visible on the weekend. I know I use more devices over the weekend (chromebook, phone, laptop, tablet) vs during the week.
Open to other insights, but our homes will be likely IPv6 before our offices are. (Of course aggressive tech companies like google and facebook are likely already IPv6).
Simple nmap scan? Yeah.
If they can scan 10,000 addresses a second they should be able to scan your home address space in not much under a million years.
Assuming you didn't do something radical, like, maybe, used a firewall.
Ignorance killed the cat. Curiosity was framed.
Which overhead do you mean exactly?
The increased address size is not really a problem; route aggregation actually makes routing IPv6 easier than IPv4.
Packet size increases a bit (20 bytes) but calling that 'too much' is simply unfair.
Secure messaging: http://quickmsg.vreeken.net/
I think that in countries with many IPv4 addresses per internet user, we won't see any change soon; they still can support one IP per home. The US is one of those. It has tons of IPs. In countries without many IPv4 addresses, the companies (especially new ones, which don't sit on millions of addresses) will see the pressure, and will run a carrier grade NAT & native IPv6 approach.
I can do IPv6 from my ISP since last November. My issues so far have been:
On the other hand, IPv6 was doing fine 12 years ago, on the IPv6 backbone from the university.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
With the current incantation of Amazon Web Services (VPC),
IPv6 support is currently not available for load balancers in Amazon VPC (EC2-VPC).
http://docs.aws.amazon.com/Ela...
So there goes lots of the internet....
1. As opposed to IPv4 where practically nothing uses the pain in the ass to set up encryption
2. Yes, if I am stupid enough to have no firewall whatsoever, even locally on the machines, all they have to do is nmap an entire internet's worth of IP addresses to find the 10 or so that actually exist on my network.
3. Oh my yes, only 15 years of testing, AKA, 75% as much as the IPv4 stack in most cases.
4. Not sure what you're saying there. Issue must be local, I've had no problem using IPv6.
Filtering out nmap to places you don't want it to go is EXACTLY what a firewall is for.
And your IPX comparison is also flawed. You don't need to use your MAC address, that is just one way of generating an IPv6 address. And being able to address a packet to any node on the internet directly is exactly how the internet was supposed to work. (Note that a firewall may still prevent such a packet from arriving unwanted).
Secure messaging: http://quickmsg.vreeken.net/
I would switch, but then I'd have to rewrite my hosts files.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
You know what NAT defeats? End-to-end connectivity.
CLI paste? paste.pr0.tips!
I have come to believe that end-end connectivity is the problem that a lot of people think NAT solves.
Nullius in verba
an entire internet[] worth of
Since a /64 is the default allocation, that's more like an entire internet squared worth of it.
CLI paste? paste.pr0.tips!
And 99.9% of people don't care.
There are a lot of things 99.9% of people don't care about. If that's your justification...
Me personally, I'd love my end-to-end connectivity back.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
Comcast says they support it
I've been using Comcast's IPv6 for well over a year. Not one problem with it.
Maybe you should go to the Comcast HSI forum on dslreports.com and ask some questions.
Actually, in the process of solving the one problem it's supposed to solve, they created about 14 trillion other problems, stuck their head in the sand refusing to learn from history or listen to the industries that use the technology -- *cough*DHCP*cough*, didn't give a single second to privacy or security, and finally simply gave up without ever trying when it came to any type of transition policy/mechanism.
We might as well be converting the internet to Appletalk. While they share a few characters in their name, IPv4 and IPv6 are radically different technologies. From an application programming level, there's not much difference, but that's never been much of a hindrance to IPv6 adoption.
They aren't being adopted because they try to solve problems that aren't really problems.
IPv6: not enough IP addresses. The problem is very real.
The problem with IPv6 is that alternate solutions to the IP shortage issue such as NAT are currently far less trouble and much less expensive to implement than IPv6.
Where I work we have a LOT of computers (low-mid 6 figures) behind NAT. For the most part it works pretty well.
I spoke with our network design engineer about IPv6 a few months ago and he said IPv6 isn't even on his radar at this time for the reason stated above. If he were implementing a network at a new company with no legacy technology to deal with he might go IPv6 but he doesn't see it much in established networks anytime soon.
Any insufficiently advanced magic is indistinguishable from technology.
[citation needed] for your assertion. Been deploying IPv6 at a major ISP/carrier for 13 years now. If you bought the wrong stuff or didn't ask for IPv6, you may be right but the proper gear is out there and doesn't cost any more. I can even get IPv6 over my VPN connection.
The issue is one of mentality and training. Above someone says "turned off IPv6, problem went away". That's certainly one way to say "I blame IPv6". They didn't troubleshoot the problem. Perhaps it's a DNS problem or something else they haven't properly diagnosed. Without actually understanding how the protocols work, one is doomed to failure and blame.
When you look at the major players who have deployed IPv6, including Netflix, Google, Yahoo to name but a few and compare that with the statistics on the cellular side... VZ Wireless sees over 60% IPv6 traffic. With the coming "great mobile demotion" tomorrow, it's more likely those devices if they come over 3GPP/LTE will perhaps visit you via IPv6 than via IPv4 if you properly enable your front door. If you are a CDN customer, it's a button to turn on IPv6. Cloudflare has it on by default, Akamai you have to ask, same for Limelight.
The edge protocols have only really reached maturity in the past 2 years to deliver a connection to the edge or your home. CPE lifetime is somewhere in the 3-7 year range; we are still another generation away from having the home properly IPv6 enabled, but it's more often just going to be there and "just work". There are a lot of IT workers who haven't invested enough to learn about the subtle differences in v6, such as NDP vs ARP, etc., and will block all ICMPv6 not understanding they are blocking NDP, so they can't see a response to their NS. This too will pass, much in the same way as those who only knew AppleTalk or IPX routing.
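The point made above, that Neighbor Discovery is carried inside ICMPv6 so a rule that drops all ICMPv6 also drops the Neighbor Solicitation a host needs to resolve its next hop, as an added example that is not part of the thread or of any product it mentions. It builds a constructed Neighbor Solicitation with a valid RFC 8200 checksum, parses it back, and checks it against two made-up filter stances: the blanket drop, and a minimal allow-list in the spirit of RFC 4890 (NDP types 133-137, the error and PMTUD types 1-4, and echo 128/129). The link-local address pair, the MAC and the policy names are assumptions.

```python
"""Added example (not from the thread): ICMPv6 Neighbor Solicitation
build/parse and a check of two constructed ICMPv6 filter policies."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58

# Neighbor Discovery message types (RFC 4861); all five are ICMPv6.
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """RFC 8200 upper-layer checksum: IPv6 pseudo-header + ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src: str, dst: str, target: str, src_mac: bytes) -> bytes:
    """Type 135, code 0, checksum, 4 reserved bytes, 16-byte target address,
    then a Source Link-Layer Address option (type 1, length 1 = 8 bytes)."""
    body = (struct.pack("!BBHI", 135, 0, 0, 0)
            + ipaddress.IPv6Address(target).packed
            + bytes([1, 1]) + src_mac)
    csum = icmpv6_checksum(src, dst, body)   # computed with the field zeroed
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_icmpv6(src: str, dst: str, msg: bytes) -> dict:
    """Decode type/code, verify the checksum and pull the NS/NA target out."""
    if len(msg) < 4:
        raise ValueError("ICMPv6 header truncated")
    mtype, code, csum = struct.unpack("!BBH", msg[:4])
    expected = icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:])
    info = {"type": mtype, "code": code, "name": NDP_TYPES.get(mtype, "other"),
            "checksum_ok": csum == expected, "target": None}
    if mtype in (135, 136):
        if len(msg) < 24:
            raise ValueError("NS/NA body truncated")
        info["target"] = str(ipaddress.IPv6Address(msg[8:24]))
    return info


def policy_allows(mtype: int, policy: str) -> bool:
    """Two constructed firewall stances (names are assumptions, not a product's).

    drop_all_icmpv6  : the mistake described in the thread.
    rfc4890_minimal  : permit NDP (133-137), Destination Unreachable (1),
                       Packet Too Big (2), Time Exceeded (3), Parameter
                       Problem (4) and Echo Request/Reply (128/129).
    """
    if policy == "drop_all_icmpv6":
        return False
    if policy == "rfc4890_minimal":
        return mtype in NDP_TYPES or mtype in (1, 2, 3, 4, 128, 129)
    raise ValueError("unknown policy: %s" % policy)


if __name__ == "__main__":
    src, dst = "fe80::1", "ff02::1:ff00:2"   # constructed link-local source and
                                             # solicited-node multicast destination
    ns = build_neighbor_solicitation(src, dst, "fe80::2", b"\x00\x11\x22\x33\x44\x55")
    info = parse_icmpv6(src, dst, ns)
    for policy in ("drop_all_icmpv6", "rfc4890_minimal"):
        verdict = "allowed" if policy_allows(info["type"], policy) else "DROPPED"
        print("%-16s %s for %s -> %s" % (policy, info["name"], info["target"], verdict))
```

Run as a script it prints the verdict for each stance; the solicitation is dropped under the blanket rule and passes under the minimal allow-list, which is the difference between a host that can reach its router and one that cannot.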
Wrong. The protocol has IPsec bolted-on at the socket level. However, you are correct in that nothing knows how to actually use it.
A: FIREWALL. B: A 2^64 (::/64) LAN will take a LONG time to scan. But, yes, if you know the address of the machine not protected by anything, it's a lame duck.
Less tested than IPv4, maybe. IPv6 has been around a lot longer than you may realize, and while issues are still emerging, many of them are due to poor protocol design and not poor stack programming.
This depends on where you are and how much work you put into correcting it (read: tunnels.) But this is ultimately what the entire thread is about... ISPs simply aren't bothering to support IPv6. Those that do are doing so in a mostly jedi-hand-wave gesture for marketing.
Anycast tells you what services are on what IP. There are other service discovery protocols, but anycast was designed specifically for IPv6 bootstrapping. It's very simple. Multicast out a request for who runs a service, the machine with the service unicasts back that it does.
Dynamic DNS lets you tell the DNS server who lives at what IP.
IPv6 used to have other features - being able to move from one network to another without dropping a connection (and sometimes without dropping a packet), for example. Extended headers were actually used to add features to the protocol on-the-fly. Packet fragmentation was eliminated by having per-connection MTUs. All routing was hierarchical, requiring routers to examine at most three bytes. Encryption was mandated, ad-hoc unless otherwise specified. Between the ISPs, the NAT-is-all-you-need lobbyists and the NSA, most of the neat stuff got ripped out.
IPv6 still does far, far more than just add addresses and simplify routing (reducing latency and reducing the memory requirements of routers), but it has been watered down repeatedly by people with an active interest in everyone else being able to do less than them.
I say roll back the protocol definition to where the neat stuff existed and let the security agencies stew.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
IPSec is perfectly usable.
Telebit demonstrated transparent routing (ie: total invisibility of internal networks without loss of connectivity) in 1996.
IPv6 has a vastly simpler header, which means a vastly simpler stack. This means fewer defects, greater robustness and easier testing. It also means a much smaller stack, lower latency and fewer corner cases.
IPv6 is secure by design. IPv4 isn't secure and there is nothing you can design to make it so.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Windows has had IPv6 stacks since Windows 95 and Microsoft even started supplying them as of 98.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Stanford Linear Accelerator Center? Small Liberal Arts College? You mean "stateless autoconfiguration", but it took until November 2010 for RFC 6106: Router Advertisement Options for DNS Configuration to bring DNS into Neighbor Discovery.
I have given up trying to educate Slashdot readers about IPv6. Like most IT people they have stuck their heads in the sand and think NAT is the end-all-be-all. As a professor of IT I keep preaching knowing IPv6 to my students because someday IT management is going to wake up to the fact that Asia (and other places) has moved on to IPv6 and if you want to do business with them you better be running it too. Then there will be a rush to get everyone on IPv6 and people with experience will be in demand. So let them stick their heads in the sand; those of us who actually know the substantial advantages of IPv6 and are familiar with deploying and operating IPv6 networks will gladly be your highly compensated consultants when the day comes.
Per-connection MTUs are a pain. You shouldn't be making that point if you think that routers having a PNAT table is a hack - having state is awful. And IPv6 has other flaws too: some header fields are unprotected from bit-errors in transit. There is no specification as to how many extension headers I'm allowed to use. Higher layer fragments are completely unrecognisable to stateless concentrators (more so than in IPv4). UDP- and TCP-checksums are not allowed to be all zeroes (which was neat when you provided a better checksum yourself over, you know, fragments, which got ripped out).
No, there's plenty rotten in the state of IPv6. And it's not just because 'interests' ripped things out.
Religion is what happens when nature strikes and groupthink goes wrong.
RA, aka. ICMP router advertisement. Abandoned circa 1970 as a "bad idea". It was a colossally bad idea in the 90's, and f'ing suicidally bad in 2000+. Yeah, let's trust whoever the f*** on the cable claims to be a router and send it our traffic. Oh, to protect my network(s) from that brain damage, I have to buy new switches that support "RA Guard".
They didn't like DHCP. So "no f***ing DHCP in IPv6!" DHCPv6 is a bolt-on, staple-on, and bandaid addition to IPv6. It's a horribly incomplete shadow of DHCPv4, and still requires an RA tell you to use it.
SLAAC... originally 80-bit prefix plus 48-bit MAC. They ignored the fact that ethernet is not the only technology in the universe. That was later amended (breaking older stacks) to 64 bits. The entire purpose for the vast over-simplification of address selection (for tiny embedded systems with limited RAM/ROM/CPU) became moot 7 seconds into the IPng committee's existence -- IPSec shoots all three in the head, repeatedly, with artillery. Everything supports privacy extensions these days, so the logic for random address generation and duplicate address detection is there -- and rather trivial. Yet it, and SLAAC, demand the prefix-length be 64. Just to put that silliness in perspective, that's a single LAN with every ethernet device ever created (that will ever be created) in it 65,536 times over.
This leads nicely into the blindness to history... a 64-bit LAN is pure lunacy. Today and likely for several decades. But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128 bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite". Sure, we can change the way we do things "with the next ::/8", but that dooms us to live with the colossal stupid of this ::/8 forever. Again, dooming us (and our children's great grand-children) to live with our bullshit. We did a lot of stupid things with IPv4; and we're doing them all over again with IPv6.
You've obviously not worked in the Real World(tm). Companies will continue using hardware as long as it works -- not broken, don't need new features/functions not possible through software update(s), or don't need additional capacity (based on space and/or power).
(Cell providers cycle through tech due to the last two.)
Automatic address assignment: Useless. DHCP is better.
No more NAT: Useless. NAT is part of firewalls which are still needed. It's easy, and incredibly flexible.
Better multicast routing: Useless. Multicast is dead, and will remain so.
Simplified routing: Useless. This has been implemented outside IP
QOS: Useless. The IPv6 implementation is wrong for how QOS is used now.
Larger Address Space: The only useful feature in IPv6, but it was done wrong, and should be abandoned.
We need IPv8 that does things right for the internet we have *today* not the internet we thought we'd need in 1998.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
That 'simple nmap scan' is 2^48 addresses. You can't scan entire IP ranges on IPv6, you have to harvest addresses by other means.
I quite like vastly increased difficulty of scanning the whole IPv6 Internet. As soon as Comcast fixes their business class remote access via IPv4 is going bye bye. Sick of looking at all this crap in my logs. If random fools want to spam me they are going to have to work for it.
Scanning IPv6 isn't as hard as you make it out to be. I look at it more like using dictionary attacks rather than sequential scans. The first 64 bits are known if you're after a specific target. It is also trivial to know if a given /64 is even used. A tree of all known used /64s shouldn't take long to create.
The 64 bits of the host are a bit different. They could be fully random (which is rare) or they are allocated based on MAC address or statically assigned. The MAC addresses mean that 40 bits of the address are known if you know anything about the target's buying habits (i.e. they tend to buy Dell or Polycoms). That leaves 16 million guesses, which can be reduced based on the vendor or the product version which you intend to exploit once you find a target.
You may not be looking for one in 2^64, but a network of devices that all may have many addresses and you might only need one.
The static address assignment space isn't very large either, and netadmins like using :: when they type in addresses, so they are unlikely to be random. That means their first network will be 0::something and their second is likely to be 0001::something. Oddly enough you might find they skip ::a and use ::8, ::9, ::10 as well, or use something that matches their existing IPv4 address, so things like ::192:168:1:1 are very likely.
All these things mean that Monte Carlo scans of a specific IPv6 allocation on a remote network are well within the ability of small-time hackers.
Throw in a firewall that isn't filtering IPv6 properly and that will result in remote exploits of internal devices.
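The SLAAC discussion earlier in the thread (a MAC-derived identifier versus the privacy-extension random one) and the comment above about how predictable interface identifiers turn a /64 from an unsearchable space into a short list both come down to what the low 64 bits of an address reveal. The following is an added audit example, not code from the thread: it builds the modified EUI-64 address classic SLAAC would produce from a prefix and a MAC, classifies an address by the pattern its identifier shows (MAC embedded, hand-typed low value, IPv4 copied into hex groups, or nothing recognisable), and estimates how many candidates each pattern leaves an exhaustive probe at a given rate. The prefix, MAC and addresses are constructed, and the search-space figures are rough estimates rather than measurements. Addresses that come back as eui64 or low_static are the ones to move to random or RFC 7217 stable-privacy identifiers.

```python
"""Added example (not from the thread): audit what an IPv6 interface
identifier reveals, and how much of a /64 that leaves to probe."""
import ipaddress


def eui64_address(prefix: str, mac: str) -> str:
    """Classic SLAAC address (RFC 4291 Appendix A): flip the U/L bit of the
    MAC, splice ff:fe into the middle, append the 64-bit IID to a /64."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC")
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def classify_iid(addr: str) -> dict:
    """Report the pattern the low 64 bits follow and a rough log2 of the
    candidate set left once that pattern is recognised (an estimate)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    info = {"pattern": "random_or_unknown", "mac": None, "search_space_bits": 64}
    if iid[3:5] == b"\xff\xfe":                       # modified EUI-64
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        info.update(pattern="eui64", mac=":".join("%02x" % b for b in mac),
                    search_space_bits=24)             # vendor OUI fixes 24 of 48 bits
        return info
    if iid[:6] == b"\x00" * 6:                        # ::1, ::10, ::a style
        info.update(pattern="low_static", search_space_bits=16)
        return info
    groups = ["%x" % int.from_bytes(iid[i:i + 2], "big") for i in (0, 2, 4, 6)]
    if all(g.isdigit() and int(g, 10) <= 255 for g in groups):   # ::192:168:1:1
        info.update(pattern="ipv4_in_hex", search_space_bits=32)
    return info


def scan_years(bits: int, probes_per_second: float) -> float:
    """Years needed to probe every one of 2**bits candidates at the given rate."""
    return 2 ** bits / probes_per_second / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed sample: one documentation prefix, one made-up MAC.
    samples = [
        eui64_address("2001:db8:1::/64", "00:11:22:33:44:55"),
        "2001:db8:1::1",
        "2001:db8:1::192:168:1:1",
        "2001:db8:1:0:7c3a:9e1b:4d2f:88a1",            # privacy-extension style
    ]
    for a in samples:
        c = classify_iid(a)
        print("%-36s %-18s mac=%-18s ~%.2g years at 10k probes/s"
              % (a, c["pattern"], c["mac"], scan_years(c["search_space_bits"], 1e4)))
```

The contrast in the last column is the whole argument of the thread in one table: a genuinely random identifier costs tens of millions of years at ten thousand probes a second, while a MAC-derived or hand-typed one is minutes. The classifier is deliberately conservative; an identifier it reports as random_or_unknown has merely not matched one of these three shapes.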
> other people will solve them
Other people are solving the real problem of address exhaustion, just not in the way that the IETF intended.
Even the IPv6 enthusiasts accepted that adoption would have to be widespread before the regional registries started running out of IPv4 addresses if it were going to work as a solution. That hasn't happened and it's now just too late - don't forget this started 22 years ago when most of the host systems were still under the control of education and government institutions and migration could have occurred much faster than it could now.
The thing that still irks me is that there'd been a very similar and very public (though much less protracted) attempt to deal with similar address limitations in DECnet that had failed miserably and the IETF chose to turn a deaf ear to those experiences which have simply been repeated on a larger scale with IPv6.
The problem of address exhaustion remains. IPv6 is no longer the solution; its time came and went. A different group of "other people" are now attempting to keep the Internet roughly connected, but I'm afraid end-to-end connectivity is gone because the solution that offered it has failed the acceptance test.
People who think they need end-to-end connectivity for everything don't understand networking. It's not only not required, it is undesirable in most cases.
It's undesirable in _some_ cases; it's absolutely required in others. So if you have a single IP address and you have to NAT everything, you win in the "some cases" situation and you lose for "others" (even worse with CGNAT). If you get rid of NAT and stick a stateful firewall in, you get the best of both worlds and can choose the best for the situation at hand.
http://blog.nexusuk.org
Luckily for the rest of us, and hard as you might find this to believe - it's not all about you.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.