Why the Journey To IPv6 Is Still the Road Less Traveled
alphadogg writes The writing's on the wall about the short supply of IPv4 addresses, and IPv6 has been around since 1999. Then why does the new protocol still make up just a fraction of the Internet? Though IPv6 is finished technology that works, rolling it out may be either a simple process or a complicated and risky one, depending on what role you play on the Internet. And the rewards for doing so aren't always obvious. For one thing, making your site or service available via IPv6 only helps the relatively small number of users who are already set up with the protocol, creating a nagging chicken-and-egg problem.
My border router is more than IPv6 ready. It's already passing out IPv6 addresses internally to the few devices which are capable of them. Not that it matters to me though, my ISP doesn't support IPv6 so what's the point? Yea, I can touch my router from my laptop over IPv6, but what does that get me?
Who is my ISP? Why Verizon FIOS of course. Until they decide to support IPv6 and give out addresses to people like me who are ready to use it, there won't be any mass adoption of IPv6 by their customers.
Are there any ISPs out there which support residential IPv6?
Have Facebook and/or Google go IPV6 only for website access. You will see virtually 100% adoption of IPV6 within 24hrs ...
They aren't being adopted because they try to solve problems that aren't really problems.
IPv6: not enough IP addresses. The problem is very real.
Rust: incompetent programmers who leak memory, which problem can be fixed at compile time (with tradeoffs that annoy some people but not others).
Both solve very real problems, you just don't see them because they are at a level deeper than you understand. Don't worry, the 'magic' will keep working, and you can keep posting, because other people will solve them.
"First they came for the slanderers and i said nothing."
I have IPV6 at home (took some calls to AT&T Customer Support). I don't have it at work, the migration will probably start with small network endpoints (phones (apparently T-Mobile has already switched), and home networks).
Link local IPV6 is already fairly broadly available - it's the fe80 prefixed address on your ifconfig output. You should be able to ping other ipv6 addresses on your network (*nix to *nix).
Google's IPv6 stats page indicates this too... https://www.google.com/intl/en... has a peculiar comb effect for the last few years. Zooming in seems to give a bit more insight. Google's count of IPv6 connections has a full 1% swing over the weekends vs the week days. Due to IPv6's addressing method, each unique device on your network appears as a unique device on the internet, vs the NATed IPv4 that we all know and love. This would also have an accelerating increase in the number of unique IPs that are visible on the weekend. I know I use more devices over the weekend (chromebook, phone, laptop, tablet) vs during the week.
Open to other insights, but our homes will be likely IPv6 before our offices are. (Of course aggressive tech companies like google and facebook are likely already IPv6).
Simple nmap scan? Yeah.
If they can scan 10,000 addresses a second they should be able to scan your home address space in not much under a million years.
Assuming you didn't do something radical, like, maybe, used a firewall.
Ignorance killed the cat. Curiosity was framed.
I think that in countries with many ipv4 addresses per internet user, we won't see any change soon, they still can support one ip per home. The US is one of those. It has tons of IPs. In countries without many ipv4 addresses, the companies (especially new ones, which don't sit on millions of addresses) will see the pressure, and will run a carrier grade NAT & native ipv6 approach.
With the current incantation of Amazon Web Services (VPC),
IPv6 support is currently not available for load balancers in Amazon VPC (EC2-VPC).
http://docs.aws.amazon.com/Ela...
So there goes lots of the internet....
Filtering out nmap to places you don't want it to go is EXACTLY what a firewall is for.
And your IPX comparison is also flawed. You don't need to use your MAC address, that is just one way of generating an IPv6 address. And being able to address a packet to any node on the internet directly is exactly how the internet was supposed to work. (Note that a firewall may still prevent such a packet from arriving unwanted).
Secure messaging: http://quickmsg.vreeken.net/
I would switch, but then I'd have to rewrite my hosts files.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
You know what NAT defeats? End-to-end connectivity.
CLI paste? paste.pr0.tips!
I have come to believe that end-end connectivity is the problem that a lot of people think NAT solves.
Nullius in verba
And 99.9% of people don't care.
There are a lot of things 99.9% of people don't care about. If that's your justification...
Me personally, I'd love my end-to-end connectivity back.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
They aren't being adopted because they try to solve problems that aren't really problems.
IPv6: not enough IP addresses. The problem is very real.
The problem with IPv6 is that alternate solutions to the IP shortage issue such as NAT are currently far less trouble and much less expensive to implement than IPv6.
Where I work we have a LOT of computers (low-mid 6 figures) behind NAT. For the most part it works pretty well.
I spoke with our network design engineer about IPv6 a few months ago and he said IPv6 isn't even on his radar at this time for the reason stated above. If he were implementing a network at a new company with no legacy technology to deal with he might go IPv6 but he doesn't see it much in established networks anytime soon.
Any insufficiently advanced magic is indistinguishable from technology.
Anycast tells you what services are on what IP. There are other service discovery protocols, but anycast was designed specifically for IPv6 bootstrapping. It's very simple. Multicast out a request for who runs a service, the machine with the service unicasts back that it does.
Dynamic DNS lets you tell the DNS server who lives at what IP.
IPv6 used to have other features - being able to move from one network to another without dropping a connection (and sometimes without dropping a packet), for example. Extended headers were actually used to add features to the protocol on-the-fly. Packet fragmentation was eliminated by having per-connection MTUs. All routing was hierarchical, requiring routers to examine at most three bytes. Encryption was mandated, ad-hoc unless otherwise specified. Between the ISPs, the NAT-is-all-you-need lobbyists and the NSA, most of the neat stuff got ripped out.
IPv6 still does far, far more than just add addresses and simplify routing (reducing latency and reducing the memory requirements of routers), but it has been watered down repeatedly by people with an active interest in everyone else being able to do less than them.
I say roll back the protocol definition to where the neat stuff existed and let the security agencies stew.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
IPSec is perfectly usable.
Telebit demonstrated transparent routing (ie: total invisibility of internal networks without loss of connectivity) in 1996.
IPv6 has a vastly simpler header, which means a vastly simpler stack. This means fewer defects, greater robustness and easier testing. It also means a much smaller stack, lower latency and fewer corner cases.
IPv6 is secure by design. IPv4 isn't secure and there is nothing you can design to make it so.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Windows has had IPv6 stacks since Windows 95 and Microsoft even started supplying them as of 98.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Per-connection MTUs are a pain. You shouldn't be making that point if you think that routers having a PNAT table is a hack - having state is awful. And IPv6 has other flaws too: some header fields are unprotected from bit-errors in transit. There is no specification as to how many extension headers I'm allowed to use. Higher layer fragments are completely unrecognisable to stateless concentrators (more so than in IPv4). UDP- and TCP-checksums are not allowed to be all zeroes (which was neat when you provided a better checksum yourself over, you know, fragments, which got ripped out).
No there's plenty rotten in the state of IPv6. And it's not just because 'interests' ripped things out.
Religion is what happens when nature strikes and groupthink goes wrong.
RA, aka. ICMP router advertisement. Abandoned circa 1970 as a "bad idea". It was a colossally bad idea in the 90's, and f'ing suicidally bad in 2000+. Yeah, let's trust whoever the f*** on the cable claims to be a router and send it our traffic. Oh, to protect my network(s) from that brain damage, I have to buy new switches that support "RA Guard".
They didn't like DHCP. So "no f***ing DHCP in IPv6!" DHCPv6 is a bolt-on, staple-on, and bandaid addition to IPv6. It's a horribly incomplete shadow of DHCPv4, and still requires an RA tell you to use it.
SLAAC... originally 80bit prefix plus 48bit MAC. They ignored the fact that ethernet is not the only technology in the universe. That was later amended (breaking older stacks) to 64bits. The entire purpose for the vast over-simplification of address selection (for tiny embedded systems with limited RAM/ROM/CPU) became moot 7sec into the IPng committee's existence -- IPSec shoots all three in the head, repeatedly, with artillery. Everything supports privacy extensions these days, so the logic for random address generation and duplicate address detection is there -- and rather trivial. Yet it, and SLAAC, demands the prefix-length be 64. Just to put that silliness in perspective, that's a single LAN with every ethernet device ever created (that will ever be created) in it 65,536 times over.
This leads nicely into the blindness to history... a 64bit LAN is pure lunacy. Today and likely for several decades. But we "have an infinite amount of address space." Actually, NO, it is, in fact, quite finite: 128bits, to be exact. If we carve it up with the same pez-like abandon as the early IPv4 assignments, it will be even less "infinite". Sure, we can change the way we do things "with the next ::/8", but that dooms us to live with the colossal stupid of this ::/8 for ever. Again, dooming us (and our children's great grand-children) to live with our bullshit. We did a lot of stupid things with IPv4; and we're doing them all over again with IPv6.
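The comment above objects that hosts accept a Router Advertisement from anything on the link, which is the gap RA Guard and RA monitoring cover. As an added example (not from the thread), this monitor-side check parses an RA per RFC 4861 and compares it with an assumed site policy; the allowlist values, the `sample_ra` helper and all addresses are constructed for illustration.

```python
import ipaddress
import struct

# Assumed site policy (hypothetical values): the one legitimate router and prefix.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1:2::/64")}

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (RFC 4861, type 134)."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    _type, _code, _cksum, _hop, flags, lifetime = struct.unpack_from("!BBHBBH", icmp)
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "lifetime": lifetime, "prefixes": [], "lladdr": None}
    off = 16  # options follow the fixed 16-byte header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off:off + olen]
        if otype == 1 and olen == 8:      # Source Link-Layer Address
            ra["lladdr"] = body[2:8].hex(":")
        elif otype == 3 and olen == 32:   # Prefix Information
            addr = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append(ipaddress.IPv6Network((addr, body[2]), strict=False))
        off += olen
    return ra

def check_ra(src: str, icmp: bytes) -> list:
    """Return policy findings for one RA; an empty list means it matches."""
    ra = parse_ra(icmp)
    findings = []
    if ipaddress.IPv6Address(src.split("%")[0]) not in ALLOWED_ROUTERS:
        findings.append(f"unexpected router {src} ({ra['lladdr']})")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"]
                 if p not in ALLOWED_PREFIXES]
    return findings

def sample_ra(prefix: str, mac: str) -> bytes:
    """Constructed RA bytes for the demo (checksum left at zero, never sent)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + sll + pio + net.network_address.packed

if __name__ == "__main__":
    print(check_ra("fe80::1", sample_ra("2001:db8:1:2::/64", "00:11:22:33:44:55")))
    print(check_ra("fe80::dead%eth0", sample_ra("2001:db8:bad::/64", "02:00:00:00:00:99")))
```

The `managed` flag returned by `parse_ra` is the M bit that tells hosts to use DHCPv6, so the same parser also shows whether an advertisement is steering clients toward a DHCPv6 server.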
I quite like vastly increased difficulty of scanning the whole IPv6 Internet. As soon as Comcast fixes their business class remote access via IPv4 is going bye bye. Sick of looking at all this crap in my logs. If random fools want to spam me they are going to have to work for it.
A single subnet? That's not enough for a lot of people.
Everybody with a guest wifi network, for instance.
People who think they need end-to-end connectivity for everything don't understand networking. It's not only not required, it is undesirable in most cases.
It's undesirable in _some_ cases, it's absolutely required in others. So if you have a single IP address and you have to NAT everything, you win in the "some cases" situation and you lose for "others" (even worse with CGNAT). If you get rid of NAT and stick a stateful firewall in, you get the best of both worlds and can choose the best for the situation at hand.
http://blog.nexusuk.org