Slashdot Mirror


How Ready Is IPv6 To Succeed IPv4?

New submitter unixisc writes: Over the last 2 years, June 6th has been observed as IPv6 day. The first time, IPv6 connections were turned on by participants just for a day, and last year, it was turned on for good. A year later, how successful is the global transition to IPv6? According to Cisco 6labs, adoption rates vary from 50% in Belgium to 6% in China, with the U.S. coming somewhere in the middle at 37%. A lot of issues around IPv6, such as the absence of NAT, have apparently been resolved (NAPT is now available and recognized by the IETF). So what are the remaining issues holding people up — be it ISPs, businesses, consumers or anybody else? When could we be near a year when we could turn off all IPv4 connectivity worldwide on an IPv6-only day and nobody would notice?

20 of 595 comments

  1. Absence?! by Denis+Lemire · · Score: 5, Insightful

    Absence of NAT is a feature! If not THE feature of IPv6!

    1. Re:Absence?! by Denis+Lemire · · Score: 5, Insightful

      NAT has no security benefits. NAT's sole purpose is address scarcity. Firewalls are for firewalling. NAT is for breaking the pre-IPv6 internet out of necessity.

      My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

      I'll wait.

    2. Re:Absence?! by khasim · · Score: 4, Interesting

      My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

      Somewhere between 0 and approximately 18,446,744,073,709,551.

      But, as always, the issue isn't hiding and hoping that no one finds you. The issue is how do you protect your systems and networks from people who (in the worst case scenario) already know what your IP address is?

      With NAT they are attacking a single firewall.

      With having all of your systems directly accessible to the Internet, the crackers can attack any and all of them.

      Getting your IP address can be as simple as putting up a web server with some stupid content and having /. link to it.

    3. Re:Absence?! by Denis+Lemire · · Score: 5, Insightful

      Without NAT, you're still hitting the stateful firewall and default deny rule at the edge of my network... Most home routers should default to this sort of behaviour.

      The difference is, I can open up as many ports as I need with no limitations. None of this crap with forwarding port 80 to one box and then... Oh, I need another web server... Hmm. 8080? Other random / arbitrarily selected ports? That sucks! It's broken.

      The IPs I'm leaving in web server logs are also throw-away addresses - read up RFC-4961.
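The "stateful firewall and default deny at the edge" that this comment puts in place of NAT, as an added example that is not from the thread: an nftables forward chain for a home router that drops unsolicited inbound traffic by default and publishes individual hosts on the same port without any port-forwarding juggling. The interface names and the documentation prefix 2001:db8:800:101::/64 are assumptions.

```nft
# Added example: edge ruleset for a dual-stack home router (IPv6 part only).
# Interface names (wan0/lan0) and the 2001:db8:800:101::/64 prefix are assumed.
table ip6 edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions opened from inside is allowed;
        # anything not explicitly accepted below hits the drop policy.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors and echo are required for PMTU discovery and diagnostics;
        # blanket-dropping ICMPv6 breaks IPv6, unlike ICMP on IPv4.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept

        # Hosts on the LAN may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # Published services: one rule per host and port. Two web servers can
        # both listen on 80 because each host has its own global address.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:800:101::80 tcp dport 80 accept
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:800:101::81 tcp dport 80 accept
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:800:101::22 tcp dport 22 accept
    }
}
```

Load it with `nft -f edge.nft`; `nft list ruleset` then shows the chain with its drop policy, which is the property NAT only gave as a side effect.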

    4. Re:Absence?! by Denis+Lemire · · Score: 4, Insightful

      That's not a security benefit of NAT, that's a quirky side effect that would be better replaced with a proper stateful firewall.

    5. Re:Absence?! by Denis+Lemire · · Score: 4, Informative

      No, it's not a security benefit. It was not designed as such and it shows.

      If it was, it wouldn't allow holes to be arbitrarily punched through by NAT-PMP, UPNP and other traversal mechanisms.

      If you're relying on NAT for security, you're doing it wrong.

    6. Re:Absence?! by Denis+Lemire · · Score: 5, Informative

      Right now - quite a bit - there are all sorts of mechanisms that have to be worked around. Ever spend any time troubleshooting SIP? Do you know why nobody does direct media?

      Ever wonder why file transfers in instant messaging apps either work intermittently or perform slowly?

      Ever see the layers of complexity we've built to do our best to work around such issues: STUN, UPNP, NAT-PT, ICE, ALGs... It's layers upon layers of cruft. ...and we haven't even gotten to the real horror of so called "carrier-grade" NAT yet... E.g. NAT behind NAT.

      The prospects are awful.

      The fact anything works at all is a testament to... something... ...but it is not a solid solution. It was a stop-gap measure that should have been discarded long ago.

    7. Re:Absence?! by Anonymous Coward · · Score: 4, Informative

      Good news! NAT in v6 doesn't do any of that. NAT v6 is more so about being able to renumber an arbitrary block of address space. So, for example, you can have a private network prefix in the ULA space (fd00::/8) and then map it into the global Unicast space (2000::/3) using one of your available prefixes. If you have to renumber for whatever reason, you can change the NAT and your internal network doesn't need to renumber. The only thing is that you have to sacrifice about 16 bits of address space on both ends for checksum fudging. But it's far better than v4 NAT and it doesn't break the net the same way.

      Also a lot of people use "NAT" to mean "stateful firewall". I personally consider the distinction, from a security standpoint, to be pedantic - they both break the net from a purist perspective.
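The prefix mapping with 16 bits of "checksum fudging" described in this comment is NPTv6 (RFC 6296): the translator swaps the prefix and absorbs the difference in one 16-bit word so TCP/UDP checksums stay valid without being recomputed. The following is an added example, not code from the thread; it implements that checksum-neutral rewrite in Python, and the ULA/documentation prefixes, the restriction to prefix lengths that are multiples of 16 up to /64, and the handling of the 0xFFFF edge case are my assumptions and reading of the RFC.

```python
import ipaddress

def ones_complement_sum(words):
    """One's complement sum of 16-bit words, the arithmetic TCP/UDP checksums use."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def to_words(addr):
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def from_words(words):
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)

def nptv6(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix without changing its checksum contribution.

    Assumption for this example: both prefixes share a length that is a multiple
    of 16 and at most /64 (the common NPTv6 deployment case).
    """
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    addr = ipaddress.IPv6Address(addr)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen % 16 or plen > 64 or addr not in src:
        raise ValueError("unsupported prefix pair or address outside src_prefix")
    n = plen // 16
    src_w, dst_w = to_words(src.network_address)[:n], to_words(dst.network_address)[:n]
    # adjustment = sum(old prefix words) - sum(new prefix words), one's complement
    adj = ones_complement_sum([ones_complement_sum(src_w), ~ones_complement_sum(dst_w) & 0xFFFF])
    words = dst_w + to_words(addr)[n:]
    # /48 or shorter: the subnet field (word 3) absorbs the adjustment;
    # longer prefixes: the first IID word that is not 0xFFFF does (my reading of RFC 6296)
    candidates = [3] if plen <= 48 else range(4, 8)
    idx = next((i for i in candidates if words[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError("address cannot be translated checksum-neutrally")
    words[idx] = ones_complement_sum([words[idx], adj])
    if words[idx] == 0xFFFF:  # negative zero: write positive zero instead
        words[idx] = 0
    return from_words(words)

def checksum_neutral(a, b):
    """True if addresses a and b contribute identically to a pseudo-header checksum."""
    sa, sb = ones_complement_sum(to_words(a)), ones_complement_sum(to_words(b))
    return (sa % 0xFFFF) == (sb % 0xFFFF)
```

Translating in the reverse direction with the prefixes swapped returns the original address, which is why the translator needs no per-flow state.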

    8. Re:Absence?! by Denis+Lemire · · Score: 4, Informative

      Sorry, RFC-4941. Fat fingers. ...and I don't think we should design the internet with the most basic web surfing home user in mind. IPv6 will support everyone's needs. IPv4 supports only the most trivial.

    9. Re:Absence?! by WaffleMonster · · Score: 4, Informative

      Security is a process. If that process is made easier for some users by using NAT, then it's a benefit. Home users can't manage firewalls effectively. NAT is a good method (even if flawed) to protect some classes of users. Is it perfect? No. But that's why you also have other protections at other layers (host-based firewall, virus scanners, etc.)

      NAT is less secure than SPI due to existence of packet mangling ALG codes and gnarly assumptions made by application gateways attempting to deconflict sessions where ambiguities exist.

      No more difficult for the end user if SPI is deployed instead of NAT.

    10. Re: Absence?! by Denis+Lemire · · Score: 4, Insightful

      Yes, the WEB works GREAT... I also use THE REST OF THE INTERNET.

    11. Re: Absence?! by Denis+Lemire · · Score: 4, Insightful

      So you're cool with the Internet being forever limited to cat videos? The applications for the Internet were unforeseen. It changed the world in ways nobody could predict. IPv6 will pave the way for new applications in a way just as significant... But you can't see past today's furry thrills.

    12. Re:Absence?! by Bengie · · Score: 4, Insightful

      Incorrect. NAT does have a security benefit. Unless ports are opened, there is no direct inbound access into the backend subnet.

      Incorrect. Many implementations of NAT have been known to allow an outside user to cause a port to get indirectly forwarded. NAT offers no additional security while increasing the surface area that needs to be secured, and in addition breaks the normal OSI model by causing leaky layers, making for more complicated interactions that make configuration and debugging harder.

      If you don't think this is true, you should not be giving out advice about network security.

    13. Re: Absence?! by kiddygrinder · · Score: 5, Insightful

      you're ignoring gamers and people using skype or other direct message programs just to begin with, because of NAT you can't have 2 xboxes online on the same internet connection. NAT is a fucking cancer that needs to be cut out.

      --
      This is a joke. I am joking. Joke joke joke.

    14. Re: Absence?! by linuxrocks123 · · Score: 5, Informative

      What a brilliant argument. "This works well for the easiest, most common case, so obviously it's awesome and there are no problems." I hope you're not working on anything important.

      NAT constrains the web in ways that aren't immediately obvious. Applications haven't been built, ideas haven't been implemented, because of the way it chokes the client endpoints of the Internet.

      Why did it take so long for us to have Skype-like services? Because, despite the best efforts of the best network engineers, we can't get two home computers behind NATs to reliably talk to each other. Skype can't always do it with its shitty proprietary protocol, either, but, when it fails, the Skype client falls back to routing the traffic through Skype's own servers. This doubles the traffic necessary for communication, so it's shitty, and it also means Skype has to have hugely deep pockets to pay for and run this otherwise completely unnecessary server infrastructure.

      So, instead of peer-to-peer VoIP communication, which would make sense, we have to have a huge company proxying traffic for everyone because we can't make two endpoints talk to each other. This is hugely wasteful, a single point of failure, a single point for mass surveillance, and a single point for corporate asshattery. And this is just one example of the type of wart we have because of widespread NAT.

      Do your hypothetical true Scotsmen like to use Skype in addition to watching cat videos? Then they're negatively affected by NAT. They probably don't realize it, but they are.

      The sooner NAT dies, the better for everyone.

      --
      vi ~/.emacs # I'm probably going to Hell for this.

    15. Re: Absence?! by rseuhs · · Score: 4, Insightful

      IPv6-adherents just don't get it.

      IPv6 requires you to:

      - give all your devices new addresses (because these morons didn't expand the address space like any sane person would, they replaced the address space)
      - configure all your network infrastructure to manage the new addresses
      - maintain two sets of addresses for the foreseeable future

      IPv6 is broken because it is incompatible with IPv4.

    16. Re: Absence?! by swb · · Score: 4, Insightful

      IMHO, it's kind of the typical overreach common in IT where rather than evolving a protocol they mostly completely redesigned it, tossing out a lot of accumulated knowledge, adding a lot of complexity and lack of interoperability. A few propellerheads then stand around wondering why nobody's adopting it.

      I think there is a good argument to be made that if network space exhaustion was the principal problem with IPv4, IPv4 should have just been extended with a couple more prefix octets. The entire existing IPv4 address space could have been just arbitrarily prepended 1.1. The stack would still have needed an overhaul to accommodate this, but less so than IPv6.

      To be fair, IPv6 fixes a lot of deeper issues with IPv4, but I think it's debatable whether those problems were worse or more pressing than IPv4 exhaustion.

  2. IPv6 has been working fine, no issues by Morgaine · · Score: 4, Insightful

    The official "switch-on for good" of IPv6 a year ago was entirely seamless in my experience. There wasn't anything to fix, as nothing was broken, and IPv6 autoconfiguration handles everything so there isn't even any setup involved, it just works. This simplicity will be a boon for non-technical users once the IPv6 rollouts gain steam.

    Unfortunately the ISPs are still dragging their feet and so public rollout is slow, but it's an always upward trend, and the adoption curve is close to exponential so IPv6 will be ubiquitous before long. So many ISPs are currently planning their rollouts that there's going to be a sudden upsurge when they finally appear.

    People shouldn't talk about switchover to IPv6 though, that's not how it works. IPv4 and IPv6 networks run together side by side, and you use both together. Your application (e.g. browser) generally picks IPv6 if your destination is accessible on that network, or else it falls back to IPv4. This is all automatic of course. It's better described as a switch on of IPv6 by your ISP followed by your gradually increasing use, not a switchover. There is no plan to switch off IPv4. The last remnants of IPv4-only equipment could still be around and operational for decades ahead.

    IPv6 works so well that I recommend everyone to get on it as soon as they can. You'll be able to see 100% of the Internet, whereas if you don't have IPv6 then you're only seeing a part of it. IPv4 is by far the larger part for now of course, but it's not all of it, and the parts you can't reach are growing daily.

    Happy First Anniversary of the official turn-on, IPv6! :-)

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra

  3. Why IPv6 is broken by rseuhs · · Score: 4, Insightful

    IPv6 is broken because it is incompatible.

    To illustrate, let's look at phone numbers.

    Imagine a phone company with 6 digit numbers which wants to give users world-accessible phone-numbers. What did the phone companies do? Easy: Just add prefixes to the numbers and everybody is happy. The old numbers stay valid, you can still connect within the old network(s), nobody has to remember new numbers.

    But what if phone-numbers would have been expanded the "IPv6-way"?

    Then you would have your old number and would receive a completely different new number, which would also be in an incompatible format (maybe letters instead of digits). Then you would have to update all your phone numbers everywhere, to "switch over". Of course such a scheme would fail instantly and that's why IPv6 continues to fail.

    The IPv6 adherents just don't get it. If the IPv6-designers were smart enough to just extend the IPv4-address space we would all be running IPv6 already, because it would require no reconfiguration of routers, no reconfiguration of DNS names, no reconfiguration of anything.

    But these morons thought that a billion people will just change all their addresses just because they tell them. Well, it doesn't work that way.

  4. Re:IPv6 shortcomings? by vtcodger · · Score: 4, Insightful

    It isn't (and never was) a question of capabilities. It is a question of cost. Most decision makers at every level from individuals on up to CEOs view IT (correctly BTW) as an expense, not a corporate treasure. The IPv6 train left the station without the capabilities required to make eventual IPv4 replacement cheap and easy -- backward compatibility and NAT. Lots of people tried to point out that was a mistake. It was done anyway, and the same folks that didn't understand why it was a mistake still don't seem to understand why it was a mistake.

    Compared to the average business or public organization, our home setup here is not very complex at all. But we still have about two dozen devices whose software would need to be upgraded in order to change from IPv4 to IPv6. And we'd probably have to buy some new kit because some of the routers and software probably have flawed IPv6 implementations -- if they have IPv6 at all. And, of course our ISP is IPv4. Assuming they can/will deign to talk to us using IPv6 it's a safe bet that "upgrading" would cost us more time and money.

    And what do we get from all that? AFAICS all we get is the capability to expose all the digital devices in the house to external hackers. Why would we want to do that? Much less spend time and money to do that?

    It'll most likely be a long, long time before IPv6 completely replaces IPv4.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey