How Ready Is IPv6 To Succeed IPv4?
New submitter unixisc writes: Over the last 2 years, June 6th has been observed as IPv6 day. The first time, IPv6 connections were turned on by participants just for a day, and last year, it was turned on for good. A year later, how successful is the global transition to IPv6? According to Cisco 6labs, adoption rates vary from 50% in Belgium to 6% in China, with the U.S. coming somewhere in the middle at 37%. A lot of issues around IPv6, such as the absence of NAT, have apparently been resolved (NAPT is now available and recognized by the IETF). So what are the remaining issues holding people up, be it ISPs, businesses, consumers or anybody else? When could we be near a year when we could turn off all IPv4 connectivity worldwide on an IPv6-only day and nobody would notice?
Actually, IPv4 is more CPU intensive due to where the checksum was implemented. IPv6's issue with hardware is more about memory.
At least in the UK, numerous residential ISPs, while they may not have IPv6 offerings yet, have certainly been only providing routers that have IPv6 support for the last few years.
Change is certain; progress is not obligatory.
No, it's not a security benefit. It was not designed as such and it shows.
If it was, it wouldn't allow holes to be arbitrarily punched through by NAT-PMP, UPNP and other traversal mechanisms.
If you're relying on NAT for security, you're doing it wrong.
Right now - quite a bit - there are all sorts of mechanisms that have to be worked around. Ever spend any time troubleshooting SIP? Do you know why nobody does direct media?
Ever wonder why file transfers in instant messaging apps either work intermittently or perform slowly?
Ever see the layers of complexity we've built to do our best to work around such issues: STUN, UPNP, NAT-PT, ICE, ALGs... It's layers upon layers of cruft. ...and we haven't even gotten to the real horror of so-called "carrier-grade" NAT yet, e.g. NAT behind NAT.
The prospects are awful.
The fact anything works at all is a testament to... something... ...but it is not a solid solution. It was a stop-gap measure that should have been discarded long ago.
Good news! NAT in v6 doesn't do any of that. NAT v6 is more so about being able to renumber an arbitrary block of address space. So, for example, you can have a private network prefix in the ULA space (fd00::/8) and then map it into the global unicast space (2000::/3) using one of your available prefixes. If you have to renumber for whatever reason, you can change the NAT and your internal network doesn't need to renumber. The only thing is that you have to sacrifice about 16 bits of address space on both ends for checksum fudging. But it's far better than v4 NAT and it doesn't break the net the same way.
Also a lot of people use "NAT" to mean "stateful firewall". I personally consider the distinction, from a security standpoint, to be pedantic - they both break the net from a purist perspective.
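The prefix mapping with a 16-bit "checksum fudging" word described in the renumbering comment above is the checksum-neutral prefix translation specified in RFC 6296 (NPTv6). The following is an added worked example, not code from any poster or from a real translator: it rewrites a /48 inside prefix to a /48 outside prefix, adjusts the subnet word so the one's complement sum of the address is unchanged, and then verifies that a UDP checksum computed over the IPv6 pseudo-header is identical before and after translation. The prefixes (fd12:3456:789a::/48 inside, 2001:db8:1::/48 outside), the hosts and the UDP segment are constructed for the demonstration; restricting the code to /48 prefixes is this example's simplification.

```python
"""Checksum-neutral IPv6 prefix translation in the style of RFC 6296 (NPTv6).

Added example, not the commenter's code. Assumptions: both prefixes are /48;
the constructed inside prefix is fd12:3456:789a::/48 (ULA) and the outside
prefix is 2001:db8:1::/48 (documentation space).
"""
import ipaddress
from typing import Iterable, List


def to_words(addr: ipaddress.IPv6Address) -> List[int]:
    """Split a 128-bit address into eight big-endian 16-bit words."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def ones_sum(words: Iterable[int]) -> int:
    """One's complement sum of 16-bit words, folded back into 16 bits."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def prefix_adjustment(src: ipaddress.IPv6Network, dst: ipaddress.IPv6Network) -> int:
    """sum(src prefix words) - sum(dst prefix words), in one's complement.

    Adding this constant to one word of the address after swapping the prefix
    keeps the one's complement sum of the whole address, and therefore every
    transport checksum covering the IPv6 pseudo-header, unchanged.
    """
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    src_sum = ones_sum(to_words(src.network_address)[:3])
    dst_sum = ones_sum(to_words(dst.network_address)[:3])
    return ones_sum([src_sum, 0xFFFF - dst_sum])  # one's complement subtraction


def translate(addr, src: ipaddress.IPv6Network, dst: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Rewrite addr from prefix src to prefix dst, adjusting the subnet word (bits 48..63).

    The same function serves both directions: (inside, outside) for outbound
    packets, (outside, inside) for inbound replies.
    """
    addr = ipaddress.IPv6Address(addr)
    if addr not in src:
        raise ValueError(f"{addr} is not covered by {src}")
    words = to_words(addr)
    words[:3] = to_words(dst.network_address)[:3]
    subnet = ones_sum([words[3], prefix_adjustment(src, dst)])
    # 0xFFFF and 0x0000 are the same value in one's complement arithmetic;
    # RFC 6296 folds 0xFFFF to 0x0000, which is why inside subnet 0xFFFF is unusable.
    words[3] = 0 if subnet == 0xFFFF else subnet
    return from_words(words)


def internet_checksum(data: bytes) -> int:
    """Standard Internet checksum: complemented one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    return (~ones_sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))) & 0xFFFF


def udp_checksum(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address, segment: bytes) -> int:
    """UDP checksum over the IPv6 pseudo-header (src, dst, length, next header 17) plus segment.

    The segment must carry a zeroed checksum field, as when the sender computes it.
    """
    pseudo = src.packed + dst.packed + len(segment).to_bytes(4, "big") + b"\x00\x00\x00\x11"
    csum = internet_checksum(pseudo + segment)
    return 0xFFFF if csum == 0 else csum  # UDP transmits a zero checksum as 0xFFFF


INSIDE = ipaddress.IPv6Network("fd12:3456:789a::/48")    # constructed ULA prefix
OUTSIDE = ipaddress.IPv6Network("2001:db8:1::/48")       # constructed global prefix


def checksum_neutral(inner_addr: str, peer_addr: str, segment: bytes) -> bool:
    """True if translating the source address leaves the UDP checksum untouched."""
    inner, peer = ipaddress.IPv6Address(inner_addr), ipaddress.IPv6Address(peer_addr)
    outer = translate(inner, INSIDE, OUTSIDE)
    return udp_checksum(inner, peer, segment) == udp_checksum(outer, peer, segment)


if __name__ == "__main__":
    inner = ipaddress.IPv6Address("fd12:3456:789a:1::10")
    outer = translate(inner, INSIDE, OUTSIDE)
    back = translate(outer, OUTSIDE, INSIDE)
    # constructed UDP header: sport 40000, dport 53, length 12, checksum 0, then 4 payload bytes
    segment = bytes.fromhex("9c400035000c0000") + b"ABCD"
    print(inner, "->", outer, "->", back)
    print("checksum neutral:", checksum_neutral(str(inner), "2001:db8:ffff::53", segment))
```

Because the translator never has to touch the transport header, it does not need to know whether the payload is TCP, UDP or something it has never heard of, which is the property that distinguishes this from IPv4 NAPT. The cost is the one 16-bit word that carries the adjustment: the inside subnet IDs no longer appear unchanged on the outside, and the value 0xFFFF is lost to the two representations of zero in one's complement arithmetic.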
Sorry, RFC-4941. Fat fingers. ...and I don't think we should design the internet with the most basic web surfing home user in mind. IPv6 will support everyone's needs. IPv4 supports only the most trivial.
Security is a process. If that process is made easier for some users by using NAT, then it's a benefit. Home users can't manage firewalls effectively. NAT is a good method (even if flawed) to protect some classes of users. Is it perfect? No. But that's why you also have other protections at other layers (host-based firewall, virus scanners, etc.)
NAT is less secure than SPI due to existence of packet mangling ALG codes and gnarly assumptions made by application gateways attempting to deconflict sessions where ambiguities exist.
No more difficult for the end user if SPI is deployed instead of NAT.
Depending on the random NAT implementation your firewall has, there may be some really strange quirks that allow an outside computer to gain access to your internal network. It has happened more than once. NAT is a bandaid that adds complexity to the system and mixes multiple OSI layers. Not to mention in IPv6 IPSEC, everything above layer 3 is encrypted, so the firewall doesn't even know what ports are being used or if the traffic is TCP, UDP, or ICMP. Good luck natting that.
With a current home router and IPv4 + "NAT" the average home user can handle everything they know about today. Without having to learn anything new.
Are there any home routers with IPv6 support that don't come default out of the box with functionally the same security policy implemented as SPI?
Most of them run Linux, and the same connection tracking code that makes IPv4 NAT work is available for IPv6.
Stateful firewalls and NAT both are built on top of connection tracking and are similar in complexity. Default IPv6 firewall rules will result in the same edge protection NAT + IPv4 does. No unsolicited inbound connections unless there is a forwarding rule.
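To make the claim above concrete, here is an added example (not the commenter's code, and not real conntrack): a toy connection tracker shared by a NAT44 box and a plain IPv6 stateful filter. Both boxes apply the same edge policy, outbound flows are recorded, inbound packets pass only if they reverse a recorded flow or match a forwarding rule, and the NAT44 box additionally rewrites the source address and port. Every address, port and forwarding rule below is constructed for the demonstration.

```python
"""Stateful edge filtering with and without address rewriting.

Added example, not the commenter's code. One minimal connection tracker backs
both a NAT44 box and an IPv6 stateful filter, showing that "no unsolicited
inbound unless forwarded" comes from the state table, not from rewriting.
All addresses, ports and rules are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ConnTracker:
    """Remembers the 5-tuple of every connection initiated from inside."""

    def __init__(self) -> None:
        self.flows: Set[tuple] = set()

    def track(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def is_reply(self, pkt: Packet) -> bool:
        # An inbound packet belongs to a tracked flow if its reversed tuple is known.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class StatefulFilter:
    """IPv6-style edge: hosts have global addresses, nothing is rewritten.

    forwards: set of (proto, dst, dport) permitted as unsolicited inbound.
    """

    def __init__(self, forwards=()) -> None:
        self.ct = ConnTracker()
        self.forwards: Set[tuple] = set(forwards)

    def outbound(self, pkt: Packet) -> Packet:
        self.ct.track(pkt)
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.ct.is_reply(pkt) or (pkt.proto, pkt.dst, pkt.dport) in self.forwards:
            return pkt
        return None  # unsolicited: dropped


class Nat44(StatefulFilter):
    """Same state table, plus source rewriting to a single public address.

    forwards: dict (proto, public port) -> (inside host, inside port).
    """

    def __init__(self, public: str, forwards: Optional[Dict] = None) -> None:
        super().__init__()
        self.public = public
        self.port_forwards = dict(forwards or {})
        self.out_map: Dict[tuple, int] = {}   # (proto, inside addr, inside port) -> public port
        self.in_map: Dict[tuple, tuple] = {}  # (proto, public port) -> (inside addr, inside port)
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:  # allocate a public port for this inside socket
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        translated = Packet(pkt.proto, self.public, self.out_map[key], pkt.dst, pkt.dport)
        self.ct.track(translated)  # state is kept on the tuple the outside world sees
        return translated

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.ct.is_reply(pkt):
            host, hport = self.in_map[(pkt.proto, pkt.dport)]
            return Packet(pkt.proto, pkt.src, pkt.sport, host, hport)
        if (pkt.proto, pkt.dport) in self.port_forwards:
            host, hport = self.port_forwards[(pkt.proto, pkt.dport)]
            return Packet(pkt.proto, pkt.src, pkt.sport, host, hport)
        return None


def exercise(box, client, server, attacker, probe_dst, forward_dst, forward_host) -> Dict[str, bool]:
    """Client connects out, server replies, attacker probes port 22, attacker hits forwarded 8080."""
    out = box.outbound(Packet("tcp", client, 50000, server, 443))
    reply = box.inbound(Packet("tcp", server, 443, out.src, out.sport))  # server answers what it saw
    probe = box.inbound(Packet("tcp", attacker, 40000, probe_dst, 22))
    fwd = box.inbound(Packet("tcp", attacker, 40001, forward_dst, 8080))
    return {
        "reply_reaches_client": reply is not None and (reply.dst, reply.dport) == (client, 50000),
        "probe_dropped": probe is None,
        "forward_reaches_host": fwd is not None and (fwd.dst, fwd.dport) == (forward_host, 8080),
    }


def nat44_scenario() -> Dict[str, bool]:
    box = Nat44("198.51.100.7", {("tcp", 8080): ("192.168.1.20", 8080)})
    return exercise(box, "192.168.1.10", "203.0.113.80", "203.0.113.66",
                    probe_dst="198.51.100.7", forward_dst="198.51.100.7", forward_host="192.168.1.20")


def ipv6_scenario() -> Dict[str, bool]:
    box = StatefulFilter({("tcp", "2001:db8:1:1::20", 8080)})
    return exercise(box, "2001:db8:1:1::10", "2001:db8:ffff::80", "2001:db8:ffff::66",
                    probe_dst="2001:db8:1:1::10", forward_dst="2001:db8:1:1::20", forward_host="2001:db8:1:1::20")


if __name__ == "__main__":
    print("NAT44:", nat44_scenario())
    print("IPv6 :", ipv6_scenario())
```

The two scenarios return identical results: the reply is let in, the probe is dropped, and the forwarding rule opens exactly one inside socket. The only behavioural difference is that the IPv6 filter hands the reply to the client untouched, while the NAT44 box has to consult its port map to undo the rewrite; the protection itself is the `is_reply` lookup, which is the same in both.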
What a brilliant argument. "This works well for the easiest, most common case, so obviously it's awesome and there are no problems." I hope you're not working on anything important.
NAT constrains the web in ways that aren't immediately obvious. Applications haven't been built, ideas haven't been implemented, because of the way it chokes the client endpoints of the Internet.
Why did it take so long for us to have Skype-like services? Because, despite the best efforts of the best network engineers, we can't get two home computers behind NATs to reliably talk to each other. Skype can't always do it with its shitty proprietary protocol, either, but, when it fails, the Skype client falls back to routing the traffic through Skype's own servers. This doubles the traffic necessary for communication, so it's shitty, and it also means Skype has to have hugely deep pockets to pay for and run this otherwise completely unnecessary server infrastructure.
So, instead of peer-to-peer VoIP communication, which would make sense, we have to have a huge company proxying traffic for everyone because we can't make two endpoints talk to each other. This is hugely wasteful, a single point of failure, a single point for mass surveillance, and a single point for corporate asshattery. And this is just one example of the type of wart we have because of widespread NAT.
Do your hypothetical true Scotsmen like to use Skype in addition to watching cat videos? Then they're negatively affected by NAT. They probably don't realize it, but they are.
The sooner NAT dies, the better for everyone.
vi ~/.emacs # I'm probably going to Hell for this.