How Ready Is IPv6 To Succeed IPv4?
New submitter unixisc writes: Over the last 2 years, June 6th has been observed as IPv6 day. The first time, IPv6 connections were turned on by participants just for a day, and last year, it was turned on for good. A year later, how successful is the global transition to IPv6? According to Cisco 6labs, adoption rates vary from 50% in Belgium to 6% in China, with the U.S. coming somewhere in the middle at 37%. A lot of issues around IPv6, such as the absence of NAT, have apparently been resolved (NAPT is now available and recognized by the IETF). So what are the remaining issues holding people up, be it ISPs, businesses, consumers or anybody else? When could we be near a year when we could turn off all IPv4 connectivity worldwide on an IPv6-only day and nobody would notice?
Absence of NAT is a feature! If not THE feature of IPv6!
NAT has many benefits besides reducing the number of IP addresses required. It has important security benefits in that it allows one to hide one's internal network structure from the outside world. Without NAT, attackers would know how many systems you have on your network as well as your router deployment. Potential attackers could benefit greatly from this information when planning and launching attacks.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Older routers can't handle routing IPv6 in hardware so it puts a higher CPU load on the router. Nobody wants to spend the money to replace them.
Most consumer NAT routers don't have IPv6 support and nobody wants to spend the money to replace them. This could be fixed with firmware updates, but few companies offer them, preferring to force people to buy new.
Because of the above 2 items, residential ISP's rarely offer IPv6.
All my servers are available via IPv6, but I can't even effectively test it because my local ISP does not.
No, it's not a security benefit. It was not designed as such and it shows.
If it was, it wouldn't allow holes to be arbitrarily punched through by NAT-PMP, UPNP and other traversal mechanisms.
If you're relying on NAT for security, you're doing it wrong.
Right now - quite a bit - there are all sorts of mechanisms that have to be worked around. Ever spend any time troubleshooting SIP? Do you know why nobody does direct media?
Ever wonder why file transfers in instant messaging apps either work intermittently or perform slowly?
Ever see the layers of complexity we've built to do our best to work around such issues: STUN, UPnP, NAT-PT, ICE, ALGs... It's layers upon layers of cruft. ...and we haven't even gotten to the real horror of so-called "carrier-grade" NAT yet, e.g. NAT behind NAT.
The prospects are awful.
The fact anything works at all is a testament to... something... ...but it is not a solid solution. It was a stop-gap measure that should have been discarded long ago.
Good news! NAT in v6 doesn't do any of that. NAT v6 is more so about being able to renumber an arbitrary block of address space. So, for example, you can have a private network prefix in the ULA space (fd00::/8) and then map it into the global unicast space (2000::/3) using one of your available prefixes. If you have to renumber for whatever reason, you can change the NAT and your internal network doesn't need to renumber. The only thing is that you have to sacrifice about 16 bits of address space on both ends for checksum fudging. But it's far better than v4 NAT and it doesn't break the net the same way.
Also a lot of people use "NAT" to mean "stateful firewall". I personally consider the distinction, from a security standpoint, to be pedantic - they both break the net from a purist perspective.
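The "16 bits sacrificed for checksum fudging" in the post above is the checksum-neutral prefix translation of NPTv6 (RFC 6296). The following is an added example written for this page, not code from the poster or from any router vendor: it maps an inside ULA /48 to an outside global /48 by swapping the first three 16-bit words and then adjusting the fourth word (the subnet ID) so that the one's-complement sum of the address, and therefore every TCP/UDP/ICMPv6 checksum that covers the IPv6 pseudo-header, is unchanged. It assumes /48 prefixes on both sides (the RFC also covers other lengths, which this example does not), and the prefixes and addresses used are constructed for illustration.

```python
"""Checksum-neutral IPv6 prefix translation (NPTv6, RFC 6296), /48 only.

Added example for this page, not from the thread. The mapping is stateless and
1:1, which is why inbound packets can be translated without a session table.
"""
import ipaddress


def ones_add(a: int, b: int) -> int:
    """One's-complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    """One's-complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def words_of(addr) -> list:
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def addr_of(words) -> ipaddress.IPv6Address:
    """Rebuild an IPv6 address from eight 16-bit words."""
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def checksum_neutral(a, b) -> bool:
    """True if a and b contribute identically to a pseudo-header checksum.

    0x0000 and 0xFFFF are both 'zero' in one's-complement arithmetic, so the
    sums are compared modulo 0xFFFF.
    """
    return ones_sum(words_of(a)) % 0xFFFF == ones_sum(words_of(b)) % 0xFFFF


class NPTv6:
    """Stateless 1:1 mapping between an inside /48 and an outside /48."""

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example only handles /48 prefixes")
        in_words = words_of(self.inside.network_address)[:3]
        out_words = words_of(self.outside.network_address)[:3]
        # Adjustment that compensates for swapping the first three words:
        # delta = sum(inside) - sum(outside) in one's-complement arithmetic.
        self.delta = ones_add(ones_sum(in_words), ~ones_sum(out_words) & 0xFFFF)

    def _translate(self, addr, src_net, dst_net, delta):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not inside {src_net}")
        w = words_of(dst_net.network_address)[:3] + words_of(a)[3:]
        w[3] = ones_add(w[3], delta)  # the "sacrificed" 16 bits
        if w[3] == 0xFFFF:  # negative zero: RFC 6296 writes it as 0x0000
            w[3] = 0
        return addr_of(w)

    def outbound(self, addr) -> ipaddress.IPv6Address:
        """Inside (e.g. ULA) -> outside (global) address."""
        return self._translate(addr, self.inside, self.outside, self.delta)

    def inbound(self, addr) -> ipaddress.IPv6Address:
        """Outside -> inside; the inverse adjustment, so no state is needed."""
        return self._translate(addr, self.outside, self.inside, ~self.delta & 0xFFFF)


if __name__ == "__main__":
    # Constructed prefixes: ULA inside, the documentation prefix outside.
    npt = NPTv6("fd00:1234:5678::/48", "2001:db8:abcd::/48")
    inside = "fd00:1234:5678:1::10"
    outside = npt.outbound(inside)
    print(inside, "->", outside, "->", npt.inbound(outside))
    print("checksum neutral:", checksum_neutral(inside, outside))
```

Run as a script it prints the round trip fd00:1234:5678:1::10 -> 2001:db8:abcd:8c27::10 -> fd00:1234:5678:1::10 and reports the two addresses as checksum neutral. The price of that neutrality is exactly what the post describes: subnet word 1 on the inside appears as 8c27 on the outside, so the subnet ID is no longer under the operator's control on the global side, and the RFC reserves some values of that word entirely.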
Sorry, RFC 4941. Fat fingers. ...and I don't think we should design the internet with the most basic web-surfing home user in mind. IPv6 will support everyone's needs. IPv4 supports only the most trivial.
Security is a process. If that process is made easier for some users by using NAT, then it's a benefit. Home users can't manage firewalls effectively. NAT is a good method (even if flawed) to protect some classes of users. Is it perfect? No. But that's why you also have other protections at other layers (host-based firewall, virus scanners, etc.)
NAT is less secure than SPI due to existence of packet mangling ALG codes and gnarly assumptions made by application gateways attempting to deconflict sessions where ambiguities exist.
No more difficult for the end user if SPI is deployed instead of NAT.
Depending on the random NAT implementation your firewall has, there may be some really strange quirks that allow an outside computer to gain access to your internal network. It has happened more than once. NAT is a bandaid that adds complexity to the system and mixes multiple OSI layers. Not to mention in IPv6 IPsec, everything above layer 3 is encrypted, so the firewall doesn't even know what ports are being used or if the traffic is TCP, UDP, or ICMP. Good luck natting that.
With a current home router and IPv4 + "NAT" the average home user can handle everything they know about today. Without having to learn anything new.
Are there any home routers with IPv6 support that don't come default out of the box with functionally same security policy implemented as SPI?
Most of them run Linux, and the same connection tracking code that makes IPv4 NAT work is available for IPv6.
Keep waiting.
IP4 is enough for all homes, period. Even if ISPs and the internet go full IP6 to your home modem, there is no need to do it in the home. Your router will just filter one to the other. Even if it is just sticking an IP6 prefix on the existing 4 bytes of IP4.
Problem is that it would be a mess to have IPv6 outdoors and IPv4 indoors. If you have a protocol in one place, have the same protocol in another place to keep it simple. As for sticking an IPv6 prefix to an IPv4 address, it's been tried before - first w/ IPv4 mapped IPv6 - quickly deprecated, then w/ IPv4 compatible IPv6 - hardly used - and then various transition mechanisms, like Teredo, 6rd and so on.
IP4 is also easier to understand after more than 30 years in common use. Let's make everyone change how to dial a phone! Yeah, we all can dial circuit numbers. Write a date and time. Everyone can use ISO 8601. Change tool gauge. Metric, right? Oh yeah, the US has been metric for over 100 yrs - they took the long view and redefined SAE in metric measures.
Easier to use, but precariously inadequate to support the needs of the internet. It's now come to the point where you have 2 or more layers of NAT, which just ends up fattening lookup tables and increasing the memory requirements of boxes too antiquated to support it. The more you NAT, the more memory you need due to the larger routing tables. As for IPv6 addresses, there are ways of simplifying the static ones - the ones one would like to define w/ DHCP - while the transient ones are ones that are there for too short a time for people to start worrying about.
See, the issue is the masses do not need IP6, or any of the other things... Hell, IP6 is not needed at all, use MAC addresses. It is why DNS exists: to make the hard to remember simple to use. Fluffy names over numbers. Same for phone books.
IP6 is a solution looking for a question. You want to do the world good, take back the class A's. Disney does not need them, nor does AT&T or even Google. That will free up any supply problem. Get tech companies to fix the subnetting issue of waste. Why do you need 4 IPs to connect 2 machines? If only two machines are in a subnet then /31 is all that is needed. But no, you have to use /30. That simple change will save a lot of work and IPs.
That is far more trouble than it has taken to establish IPv6 to the extent it has, to date. Taking back the numbers is next to impossible, w/ several organizations that have networking gear hard coded w/ their assigned IPv4 addresses. The other things you are suggesting - fixing subnetting - is laughable, and would practically define a new protocol that won't be IPv4, since no protocol can have different rules for doing the same thing, such as subnetting.
But even aside from that, you ignore a simple statistical factoid. IPv4 at its maximum would be 4 billion addresses - that's it!!! That is just marginally more than the world's population. Once you take out the private addresses, the class D & E addresses as well as the loopback addresses - 127.*.*.* - you are left w/ actually 3.7 billion addresses. Want to use NAT evenly? You'd have to find a way to split each and every public address evenly, just at the point where it can branch to as many NAT members as needed w/o needing a second layer of NAT. You are in short opening a whole can of worms, w/ a few baby snakes crawling amongst them.
All these are part of the reasons that the IETF started from scratch w/ IPng, which later evolved to IPv6.
Stateful firewalls and NAT are both built on top of connection tracking and are similar in complexity. Default IPv6 firewall rules will result in the same edge protection NAT + IPv4 does. No unsolicited inbound connections unless there is a forwarding rule.
What a brilliant argument. "This works well for the easiest, most common case, so obviously it's awesome and there are no problems." I hope you're not working on anything important.
NAT constrains the web in ways that aren't immediately obvious. Applications haven't been built, ideas haven't been implemented, because of the way it chokes the client endpoints of the Internet.
Why did it take so long for us to have Skype-like services? Because, despite the best efforts of the best network engineers, we can't get two home computers behind NATs to reliably talk to each other. Skype can't always do it with its shitty proprietary protocol, either, but, when it fails, the Skype client falls back to routing the traffic through Skype's own servers. This doubles the traffic necessary for communication, so it's shitty, and it also means Skype has to have hugely deep pockets to pay for and run this otherwise completely unnecessary server infrastructure.
So, instead of peer-to-peer VoIP communication, which would make sense, we have to have a huge company proxying traffic for everyone because we can't make two endpoints talk to each other. This is hugely wasteful, a single point of failure, a single point for mass surveillance, and a single point for corporate asshattery. And this is just one example of the type of wart we have because of widespread NAT.
Do your hypothetical true Scotsmen like to use Skype in addition to watching cat videos? Then they're negatively affected by NAT. They probably don't realize it, but they are.
The sooner NAT dies, the better for everyone.
vi ~/.emacs # I'm probably going to Hell for this.
Just because that is repeated ad-nauseam doesn't make it true.
Of course NAT has security benefits: It acts basically as a "one-way" firewall, which is exactly what most people that don't run a server at home need.
Of course you could configure an IPv6 firewall the same way, but that would take several days and who has time for that?