Slashdot Mirror


IPv6 Turns 20, Reaches 10 Percent Deployment (arstechnica.com)

An anonymous reader writes: Ars notes that the RFC for IPv6 was published just over 20 years ago, and the protocol has finally reached the 10% deployment milestone. This is an increase from ~6% a year ago. (The percentage of users varies over time, peaking on the weekends when most people are at home instead of work.) "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."

"A decade or so ago, it was still quite common for people to complain about certain IPv6 features, and proclaim the protocol would never catch on. Although part of that can be blamed on the conservative nature of network administrators, it's true that adopting IPv6 requires abandoning some long-standing IPv4 practices. For instance, with IPv4, it's common to use Network Address Translation (NAT) so multiple devices can share the use of an IPv4 address. IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6. The Internet is probably better off without NAT and the complications that it adds, but without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject."

294 comments

  1. what by phantomfive · · Score: 3, Informative

    without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

    What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:what by Anonymous Coward · · Score: 0, Interesting

      The problem with IPv6 is the ability to fetch a company's internal topology quickly. Even with the firewall configured, there are always compromised machines, and it takes relatively little to figure out how a place is organized. At least with v4, a compromised machine might see a local segment, but can't really see much other than a small picture without doing an extensive discovery process. V6, completely different.

    2. Re:what by Jawnn · · Score: 4, Interesting

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Yes, but we all know that there is a metric shitload of routers out there that have nothing but NAT defending their "internal" networks. Turn on IPV6 and those internal networks are simply open to the world.

      Now, I am not saying we shouldn't go there, but the scope of "doing it right" is almost immeasurable. IMO, it is that which is the single largest barrier to widespread adoption of IPV6.

    3. Re:what by bobbied · · Score: 2

      without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Sounds simple enough.... Of course, nothing is really as simple as it first seems.... Good first step though.

      While I get people's reluctance to adopt IPV6 and having their local networks become immediately routable and thus externally addressable, there is a bit more to this "security" thing when switching IP versions than just dropping inbound connections. The problem stems from the fact that when you go full on IPV6 and allow an internal host to transit your firewall outbound, you have exposed not just the router's IP, but internal network information too. This means that an attacker now knows something they didn't before. It's true that this knowledge doesn't give them any special access if your router is working properly, but it does mean that if the router doesn't always do the right thing, they will have an easier time attacking your internal network.

      Not that there are no solutions to this issue out there or that one cannot still protect their internal networks, only that such protection needs to be thought about in somewhat different terms and perspectives. IPV6 messed with more than just the number of bits in the IP address; it also messed with the fundamentals of how traffic gets routed. It made a lot of things easier, faster and cheaper, but it also had impacts on network security considerations that I'm not sure we fully understand even after this long.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:what by TheRaven64 · · Score: 1

      It's easy to have a firewall that has a default-deny incoming policy. The problem is that this makes IPv6 a lot less useful. It's great for things like video conferencing to make direct end-to-end connections, but if you have to open the port for your video conferencing app then it's no more convenient than forwarding a port for NAT.

      --
      I am TheRaven on Soylent News
    5. Re:what by swb · · Score: 2

      Is there something about IPv6 that precludes the implementation of NAT?

      IPv4 never "had" NAT, either, AFAIK. It was a kludge tacked onto routers and firewalls as world+dog got Internet access and ISPs only handed out /24s and ultimately /30s.

      I worked at a site that had a direct /22 assignment dating to the very early 90s and we never bothered with it until the local network outstripped the useful life of the /22 and then we tacked on RFC1918 blocks for new segments, but kept using the /22 space for servers and a segment of the LAN that used a particularly shitty (HP3000) 3rd party application that dated to the original direct assignment and had a shitload of hard-coded references to the application server because neither the vendor nor the clueless admin ever bothered with DNS configuration (which, IIRC, was mildly brain damaged on the HP3000 anyway).

      We also had a sister company that had TWO /16 assignments -- they would NAT between /16 blocks, which I found to be kind of amazing, like a car you drove to a parking lot...to pick up your other car.

    6. Re:what by gstoddart · · Score: 2, Insightful

      Well, for many of us, the notion that everything has a unique address which can be known by anybody else seems idiotic.

      Using internal 192.168.*.*, or the entire class A of 10.*.*.* means my internal IP address is not your damned business. It's an un-routable address to anything else. Which means in a lot of ways it's invisible -- you have no way of knowing the IP address of a given machine, and even if you did it wouldn't do you any good because there's no way to get there.

      If you don't know information about what's behind the firewall, you can't exploit that information. NAT allows you to say "yes, there is a machine behind the firewall talking to you, but any specific information about that machine isn't for you to know because we don't trust you with that information".

      Providing the same level of 'security' as NAT also includes some anonymity. You're not meant to know which machine you're talking to, and it isn't possible for that information to bleed out. Which means you don't have the ability to deduce information about it.

      Having an outside entity know any information about your hosts and their IP addresses is just another vector to glean information and possibly act on it. You can't target a specific machine if you have no information about it from outside the firewall.

      So, for me, if you start with the assumption that the internet is a dirty cesspool of actors which simply cannot be trusted and must be assumed to be hostile ... then you start by denying as much information as you possibly can. And after many years around the internet, not assuming the internet is a dirty cesspool of bad actors is utterly idiotic, because it hasn't been true in a very long time.

      IPv6 seems to have a rather naive and in-built assumption that the internet isn't full of hostile assholes, and the decision to say that NAT was unnecessary reinforces that. Anything which assumes there isn't a risk in allowing outside actors to glean information about your environment is naive, broken, and not going to work. Because you pretty much need to assume that every additional item of information someone else has is going to be exploited in some way.

      If you need to rely on stateful firewall rules to know what's allowed, you need to rely on the vendor to competently be able to handle all of these protocols and the like. And, quite frankly, time and time again we see plenty of reasons why we can't trust the vendors to competently do that.

      This is one of the reasons a lot of organizations have looked at IPv6 and consistently said "no thanks, there's parts of this we really don't like".

      If after 20 years IPv6 has 10% adoption, maybe it's time to start understanding why people don't want it instead of telling us everything is fine and we don't actually need NAT.

      --
      Lost at C:>. Found at C.
    7. Re:what by belrick · · Score: 1

      without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Yes.

    8. Re:what by 110010001000 · · Score: 0

      How do you fetch an internal topology more quickly with IPv6 versus IPv4? I don't get it. You would need to scan the address space, which is much much larger with IPv6.

    9. Re:what by locofungus · · Score: 1

      Pretty much every device with IPv6 has privacy extensions by default. On many it cannot be turned off.

      I'm struggling with the opposite problem - it's much harder to stop OUTBOUND connections using IPv6 from particular machines. INBOUND really isn't a problem as the only static IPv6 addresses you expose are those that you want people to use.

      The vast majority of people don't selectively block outbound connections so it's a non-issue for them.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    10. Re:what by unixisc · · Score: 4, Informative

      The summary seems to imply that there is no supported NAT in IPv6. Au contraire, the IETF did specifically define a NAT standard for IPv6 - it's called NAPT. It has the same concepts as IPv4 NAT - translating a public address to a private one (granted, there are more categories of the latter in IPv6). Only thing different is that it's a 1:1 address mapping here, as opposed to a 1:many address mapping in IPv4. Which saves the agony of Port Address Translation and there being fewer ports for other applications that NEED it.

      But if someone wants to have something handy for load balancing, NAPT can be used. I'm not sure of what the defined multi-homing mechanism is in IPv6, and whether it necessitates the use of NAPT or not.

    11. Re:what by lokedhs · · Score: 1

      The problem stems from the fact that when you go full on IPV6 and allow an internal host to transit your firewall outbound, you have exposed more than just the router's IP, but internal network information too

      This isn't true though, since address randomisation arguably makes you expose less information since individual hosts will change their IP address at some random interval. This will make it pretty hard to figure out if the packet you received an hour ago was from the same host as the one just now.

    12. Re:what by Anonymous Coward · · Score: 0

      It's easy to have a firewall that has a default-deny incoming policy. The problem is that this makes IPv6 a lot less useful. It's great for things like video conferencing to make direct end-to-end connections, but if you have to open the port for your video conferencing app then it's no more convenient than forwarding a port for NAT.

      A big problem in these discussions is when people don't distinguish plain-NAT from masquerading-NAT. Most IPv4 NAT is masquerading NAT which means that even if you allow incoming connections to the video-conf port, it is impossible to tell which user's computer to forward the data to as they are all masquerading as the same external IP address. Solutions to this require a lot of NAT-awareness in the protocols and often additional switchboard-type services to be provided. Opening a port on an IPv6 firewall allows incoming calls to be routed directly to the right internal computer with less complexity.

    13. Re:what by allo · · Score: 1

      What are Privacy Extensions?

    14. Re:what by Anonymous Coward · · Score: 0

      Are there consumer routers that will provide security for home users using IPv6 that they can just plug in and leave with default configuration? Something Joe User can buy and plug in? When that happens, usage will go up. Home users shouldn't be expected to understand how to set up networking to protect themselves from the open internet. IPv4 NAT is slightly better than nothing.

    15. Re:what by lokedhs · · Score: 4, Informative

      Or, you might want to read up on Privacy Extensions before you start talking about exposing internal information which hasn't been valid since 2001. Yes, that's 15 years ago, as modern as 2001 may feel to us old guys.

    16. Re:what by Todd+Knarr · · Score: 3, Interesting

      What do you mean IPv6 messed with things? What you're describing is simply the ending of the aberration that is masquerade-mode NAT and the return to the way IPv4 networks operated for most of their existence. Masquerade-mode NAT was a nasty, awkward kludge to normal routing created to work around the refusal of the DSL and cable ISPs to offer more than a single IP address to a subscriber at a time when subscribers were starting to have multiple computers in their households. Up until that point computers on IPv4 networks were directly connected to the Internet with their IP address visible to the world. That's how I used to run servers on dial-up lines, no router involved (at least on my end). All you have to do to protect your IPv6 networks is set up the equivalent to a standard IPv4 firewall. Like IPv4 you have to pay attention to what ports are allowed inbound to which hosts, but that's nothing new and IPv6 gives you more tools to help segregate desired inbound connections from unwanted ones.

      Then again, I suppose most people these days haven't written firewall rules or even thought about them, masquerade-mode NAT hid the issues by terminating all non-ESTABLISHED non-RELATED traffic on the router's WAN port and the router didn't have any services except DHCP and DNS listening on the WAN side. Well, it wasn't supposed to anyway, but turns out quite a few did have things listening and those things had pretty much crap authentication so attackers could pretty much walk straight on through without breaking stride. Hence why I prefer explicit firewall rules where I know the packets are going down a black hole before anything that might be listening can even see them.

    17. Re:what by Midnight+Thunder · · Score: 2

      You know how big an IPv6 subnet is? Think of scanning the whole IPv4 address space and then you are close. Between IPv6 privacy extensions and DHCPv6, you can reduce the scope of scanning. Also, with a firewall in place, that scanning shouldn't even be possible.

      The biggest barrier to IPv6 adoption has been people not sitting down and asking themselves what is the native IPv6 way of dealing with things and saying it is a security risk. The biggest risk is putting off the work.

      Case in point: I recently faced an issue where some users were having connectivity issues. All health checks looked good. Turns out the issue was down to not having an IPv6 strategy. These users were already on IPv6 and some of the cache servers at various providers had AAAA entries, but no IPv6 on the web server, or did have IPv6 on the server, but it was badly configured. Because of the lack of IPv6 strategy, there were no operational health checks on the IPv6 status. We didn't look good to these customers, because business, and even ops, thought IPv6 wasn't important - oops.

      --
      Jumpstart the tartan drive.
    18. Re:what by Anonymous Coward · · Score: 0

      Is there something about IPv6 that precludes the implementation of NAT?

      No, there is absolutely nothing that prevents NAT. There is a vocal group that seems absolutely fearful of the idea of NAT being as common with IPv6 as it is with IPv4. Their efforts are having success in reducing how much NAT is deployed, but they probably aren't achieving as much success as they want.

      NAT can be useful for a variety of reasons, including being one way to avoid collisions of subnets (or even individual IP addresses, if you prefer to use addresses that end with ":1"). The big difference between IPv6 and IPv4, in regards to NAT, is simply that with IPv6, network address scarcity is not a reason why NAT is essential. That is actually a very important point to get across when educating people about IPv6. Some of the NAT nay-sayers go overboard, and I do think that the text "there's no NAT in IPv6." goes over the line. *Maybe* some implementations of IPv6 don't bother to support NAT, but saying "there's no NAT in IPv6" is definitely false and misleading.

      The biggest difference between IPv6 and IPv4 is the much larger address space of IPv6. Handling much larger subnets is so common that it is the norm. There are some other differences, but they don't tend to be nearly as noteworthy.

      The claim of no NAT in IPv6 sounds very similar in nature to another claim I've heard, which is that IPsec is part of IPv6. Even though this claim is technically true, it also seems quite misleading. I think the purpose of the claim was to help encourage people to learn about IPsec. I also think that claim did more to hurt IPv6 adoption, rather than help increase IPsec adoption. I think many people decided to try putting off the task of learning IPv6 until after they learned IPsec, and they found that they could put off learning IPsec for IPv4, and so this delayed many professionals from bothering to start trying to embrace IPv6.

      The fact is that you can implement the other parts of IPv6 and if you don't implement IPsec, and the other side of the connection is also not using IPsec, then the lack of IPsec doesn't break anything, or hinder anything. The only real ramifications of making IPsec considered to be a part of IPv6 is that a device ought not claim to be fully compatible with the entire IPv6 standard if it does not support IPsec. I've been using IPv6 without using IPsec within my own local network for years.

    19. Re:what by gstoddart · · Score: 0

      Pretty much every device with IPv6 has privacy extensions by default. Many it cannot be turned off.

      So here's my problem with that statement: It assumes that I trust the maker of that device isn't lazy, incompetent, cheap, indifferent, or hasn't built in some back door. And, I'm sorry, but your user id is low enough that if you still put any trust in the makers of consumer or even professional electronics, you simply haven't been paying enough attention.

      Every week we see how the manufacturers of these devices are utterly incapable of actually doing these things correctly. Which means the only sane solution is to assume every single device has the most incompetent or non-existent level of security you can imagine, because it probably does.

      Sorry, but any solution which assumes you can trust the company who made the device is a terrible idea.

      When a company bears legal responsibility for crap security, I might change my mind. Until then, reality and experience tells me those privacy extensions in the device don't exist, or don't work. Because we pretty much see it weekly right here on Slashdot.

      If you can't set up a rule which says "all of these machines may only communicate with these machines", then every piece of malware and spyware has free rein to send data outside of your network. If IPv6 can't do this, then IPv6 is missing some pretty serious concepts of proper security.

      Defending against the broader internet and devices with crap security must be something built into the protocol. If it isn't, the protocol is defective.

      --
      Lost at C:>. Found at C.
    20. Re:what by Anonymous Coward · · Score: 0

      You know how big an IPv6 subnet is? Think of scanning the whole IPv4 address space and then you are close.

      No you aren't close, you're nowhere near close. The whole IPv4 address space is 32 bits. The smallest IPv6 subnet an end user will be allocated is 64 bits. That's much much much much much much much much larger than the IPv4 address space and many ISPs are issuing larger subnets to end users. I have 72 bits of address space from my normal consumer ISP. Scanning that isn't just infeasible, it's impossible at this time.

    21. Re:what by Anonymous Coward · · Score: 0

      Network security is like encryption. If an attacker can use design information against you, you've already lost. A network should be secure by its merits, not by hoping no one knows how it's laid out.

    22. Re:what by phantomfive · · Score: 1

      Are there consumer routers that will provide security for home users using IPv6 that they can just plug in and leave with default configuration?

      Home routers should be assumed to be vulnerable in any configuration. If I were going to attack someone's house, the router is the first place I would start. There are a lot of vulnerabilities in routers.

      Security isn't something that can happen as an afterthought. It can't be bolted on. You need to train your programmers to have the security mindset from the very beginning, and router companies haven't done that.

      --
      "First they came for the slanderers and i said nothing."
    23. Re:what by unixisc · · Score: 4, Informative

      But it's the firewall that comes w/ NAT that does the defending - the same thing that can be done w/ a public IPv6 connection. Not that I recommend it, but one could even use a combination of NAPT w/ IPv6 public addressing if one HAS TO use NAT: you'd still get the firewall, and you'd still have the warm and fuzzy feeling that NAT gives you.

    24. Re:what by Anonymous Coward · · Score: 0

      Yes, but we all know that there is a metric shitload of routers out there that have nothing but NAT defending their "internal" networks.

      Then those networks are better described without the words "but NAT" in that sentence even in their current IPv4 mode. NAT offers no protection whatsoever other than minor obfuscation that is easily bypassed.

    25. Re:what by bhcompy · · Score: 1

      Subnetting.

    26. Re:what by unixisc · · Score: 2

      As far as NAT awareness in protocols go, the IETF didn't standardize on any NAT mechanism, which is why there are 3 NAT mechanisms at least in IPv4. In IPv6, the IETF went ahead and standardized NAPT, so that in the event that NAT has to be there, there is only one recognized way of doing it. That way, any application written can either require either the native IPv6 address, or a combination of the Global Prefix of a Global unicast address plus the Unique Local address of the node in question.

    27. Re:what by Midnight+Thunder · · Score: 1

      You are right about the size being off a little, though you do confirm the point on scanning. I suppose I was going with best case for comparison?

      --
      Jumpstart the tartan drive.
    28. Re:what by 110010001000 · · Score: 0

      Thanks for the lengthy and detailed explanation. I forgot that IPv6 has subnetting, but IPv4 doesn't. Subnetting really makes determining the topology fast! Mod +5 insightful please!

    29. Re:what by gstoddart · · Score: 1, Troll

      Does this require that I trust a device isn't manufactured by a lazy, incompetent corporation who cares more about profits than security, and is really interested in collecting marketing and analytics data?

      Because my entire point is that you pretty much have to assume you can't trust the internet at all, you can't trust the corporation who made the device, and you can't trust that any piece of software isn't actively hostile to your security.

      Let's start with the premise there's not a single piece in the chain you can truly trust and assume that will never change, and then build in stuff which recognizes that fact. Don't graft something onto the protocol which may or may not be implemented properly.

      Anything else is ignoring every lesson about security we've learned in those 15 years -- including that the companies making this shit don't give a crap about either your privacy or your security, and therefore have to be assumed to have neither unless you force it on them.

      There's no way I'm willing to believe I can put any trust in privacy extensions. I want a protocol which starts from the premise of "hell no I can't trust you fuckers, and I never will". Because that much more closely coincides with the reality of the internet.

      Don't leave security in the hands of the guy who wanted to sell you an internet connected fridge. If you do, you're a complete idiot, because he doesn't give a crap about your security, and never will.

      Privacy extensions my ass.

      --
      Lost at C:>. Found at C.
    30. Re:what by Anonymous Coward · · Score: 0

      This simply isn't true. Your proposed attack scenario is practical with IPv4 and NAT, but not with IPv6 and one firewall rule.

      The IPv6 address space is so huge that bulk scanning is simply not practical - in a standard configuration, your home network will have 64 bits of address space, compared to the 32 bits of space for all of IPv4, and only 8 bits of address space for your typical home internal network. Even if the attacker knows your whole IPv6 address, they won't be able to find any other local hosts by scanning, it would simply take too long. Meanwhile, scanning a private address range is easy and in the average case, with 8 bits of local network space, will only take a few minutes.

      Additionally, NAT is less secure than a simple rule that drops new incoming traffic. Things like UPnP and NAT implementation exploits can open ports to internal addresses without your knowledge. These types of attacks are not possible with direct routed IPv6 and a firewall rule. A well-explained example by Samy Kamkar: https://www.youtube.com/watch?v=fWk_rMQiDGc

      There are, of course, legitimate security concerns when switching to IPv6, but this isn't one of them. NAT doesn't really secure you in any meaningful way, and is less powerful than a simple firewall drop rule. It's also buggy and breaks things. It's past time we get rid of it wherever possible.

    31. Re:what by sl3xd · · Score: 1

      Not all ISPs are equal. I get a maximum of four subnets, and the ISP (Comcast/Xfinity) only offers one subnet by default.

      I'll get by, somehow, but I really wanted to be able to address every article of clothing in my wife's wardrobe.

      --
      -- Sometimes you have to turn the lights off in order to see.
    32. Re:what by Anonymous Coward · · Score: 0

      A temp IP address that is by default changed once per day and only valid for up to 7 days. You only give out your real IP address if you really want something to always be able to connect to you.

    33. Re:what by Anonymous Coward · · Score: 0

      You mean like the Linux kernel, which the last time I checked didn't support IPv6 nat/masquerading. Most likely due to the specific efforts of said groups.

    34. Re:what by silas_moeckel · · Score: 1

      Show me a router that defaults to NAT for IPv4 and does not default to allowing nothing inbound IPv6. Now is it commonly used?

      I've yet to see any, it's not really any harder to run the state machine for NAT than IPv4 or IPv6 connected (ok some more bits). IPv6 has some required to work bits but that's pretty tame as far as security.

      Now I've seen some badly made IPv6 stacks as to ddos/port scanning but that's on network gear that frankly had IPv6 as a checkbox not a feature (Ya know those IPv6 in software L3 switches).

      --
      No sir I dont like it.
    35. Re:what by Anonymous Coward · · Score: 0

      The default configuration for IPv6 firewall for Fritz Box vdsl routers is to:
      - deny all incoming connections,
      - deny tunnelling an IPv6 connection through the router when native IPv6 is available (something you have to disable when you have an Xbox One, since it tunnels IPv6 even though it could have just gotten a native IPv6 address).

      So very much like a NATed IPv4 network, except better because NAT allows hole punching, a firewall doesn't.

    36. Re:what by Anonymous Coward · · Score: 0

      I like non-routable PRIVATE addresses, thanks.

    37. Re:what by Anonymous Coward · · Score: 1

      IPv4 can't do that, either. We stop it with packet filtering rules, and that's not a feature of NAT, it's a feature of the router. Whether you've got NAT or not, all traffic must necessarily go through a single router before entering the wider internet. Just slap some iptables rules on your router:

      Source address: the device you don't trust.

      Criteria: Default whatever

      Action: Drop.

      This sets up automatic packet dropping, now go on and whitelist the traffic you want. You can complain that's a lot of work, but even on IPv4 networks, /this is how security is accomplished/. Security is hard. IPv6 or IPv4, the difficulty is identical.
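One concrete form of the "drop by default, then whitelist" posture this comment and several others describe, written for an IPv6 router with nftables; this is an added example, not code from any commenter. Because privacy extensions rotate a host's IPv6 address, the per-device egress block is keyed on the device's MAC instead of its address; the interface names and the MAC are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an nftables ruleset for a small
# IPv6 router that gives the "NAT-like" posture the comments argue about
# (nothing unsolicited reaches the LAN) while still passing the ICMPv6 the
# protocol needs, plus an egress block for one untrusted device. The egress
# rule matches the device's MAC, not its IPv6 address, because privacy
# extensions rotate the address (the "harder to stop OUTBOUND" problem above).
#
# Assumptions (placeholders, override via the environment):
#   WAN_IF          upstream interface
#   LAN_IF          inside interface
#   UNTRUSTED_MAC   link-layer address of the device to keep off the Internet
WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
UNTRUSTED_MAC="${UNTRUSTED_MAC:-02:00:00:aa:bb:cc}"   # constructed sample value

# Emit the ruleset on stdout. Nothing is loaded into the kernel here; the
# caller decides whether to pipe it into nft (see the bottom of the file).
gen_ip6_ruleset() {
    cat <<EOF
table ip6 border {
    set untrusted_macs {
        type ether_addr
        elements = { $UNTRUSTED_MAC }
    }

    # Traffic routed between LAN and WAN. Policy drop means every packet
    # not explicitly accepted below is discarded: the stateful
    # "reject all incoming connections" posture, not NAT's side effect.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # Egress: the listed device may not talk to the Internet at all,
        # whatever IPv6 address it happens to be using today.
        iifname "$LAN_IF" oifname "$WAN_IF" ether saddr @untrusted_macs counter drop

        # Egress for everyone else.
        iifname "$LAN_IF" oifname "$WAN_IF" accept

        # Inbound ICMPv6 that must transit or IPv6 breaks: packet-too-big
        # drives path MTU discovery, the others carry error signalling.
        iifname "$WAN_IF" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Inbound echo, rate-limited; delete this rule if hosts must not be pingable.
        iifname "$WAN_IF" icmpv6 type echo-request limit rate 10/second accept

        # Explicit drop with a counter so unsolicited inbound shows up in
        # "nft list ruleset" instead of vanishing silently into the policy.
        iifname "$WAN_IF" counter drop
    }
}
EOF
}

# Neighbour discovery and router advertisements are link-local and never
# forwarded, so they are not a concern for this chain; the router's own
# input chain (not shown) must still accept them or the LAN loses its router.

# Only load the ruleset when explicitly asked; otherwise just print it.
if [ "${1:-}" = "--apply" ]; then
    gen_ip6_ruleset | nft -f -
else
    gen_ip6_ruleset
fi
```

Run it without arguments to review the generated rules, then with `--apply` on the router to load them.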

    38. Re:what by Anonymous Coward · · Score: 0, Informative

      Only idiots use NAT when given a choice. This pretty much sums it up. The only benefit NAT has is as a bandaid to patch over an already broken network design.

    39. Re:what by unixisc · · Score: 1, Insightful

      Even if you have a public IPv6 network, the sheer size of the subnet of 64 bits means that it'd take forever to figure out how many devices you have on it, and what are their addresses before any rogue scanner out there can do squat. And by that time, under privacy extensions, or even under a DHCPv6 setup, those would have changed. The only unchanged addresses would be that of any servers that you happen to have, and well, that doesn't change in IPv4 either.

      So what was it again in IPv4 that gives you the confidence that someone outside can't fuck w/ your network?

    40. Re:what by codealot · · Score: 1

      There's an easy fix for those who trust nobody and nothing: Unplug from the Internet.

    41. Re:what by vtcodger · · Score: 1

      > I'll get by, somehow, but I really wanted to be able to address every article of clothing in my wife's wardrobe.

      And remember that you need to address each shoe with a unique address. One shoe cannot always be assumed to always speak for the pair.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    42. Re:what by unixisc · · Score: 1

      Is there something about IPv6 that precludes the implementation of NAT?

      Check out RFC 6296

    43. Re:what by arth1 · · Score: 1

      One significant problem with temporary IP addresses is DNS. Even if you dynamically update the DNS forward and reverse addresses, the resolver data is cached in remote machines.
      Combating this by lowering TTLs causes increased network traffic and load all the way up to the root nameservers, slowing down the Internet for everyone.

      A similar problem is route caching. It may not take long for a router or switch to determine where to send a packet with a new address, but multiply the number of hops by the number of devices, and you do get hiccups.

    44. Re:what by WaffleMonster · · Score: 1

      Well, for many of us, the notion that everything has a unique address which can be known by anybody else seems idiotic.

      Having an outside entity know any information about your hosts and their IP addresses is just another vector to glean information and possibly act on it. You can't target a specific machine if you have no information about it from outside the firewall.

      This is confusing because the word "NAT" is paraded around like "Cloud" in a mostly context free environment.

      When people say don't use NAT what I assume they are actually referring to is many to one mappings where a single IP address is multiplexed and ALGs are required to make naive assumptions about state management.

      The most public example of this is Linux netfilter guys saying in no uncertain terms NO to IPv6 NAT yet there are still map targets where IPv6 addresses can be mapped 1:1 across to other addresses.

      You can still have a logical pool of addresses for external services mapped to internal resources without NAT even though it is NAT.

      IPv6 seems to have a rather naive and in-built assumption that the internet isn't full of hostile assholes, and the decision to say that NAT was unnecessary reinforces that. Anything which assumes there isn't a risk in allowing outside actors to glean information about your environment is naive, broken, and not going to work. Because you pretty much need to assume that every additional item of information someone else has is going to be exploited in some way.

      IPv6 gives us more options many of us didn't have before. Nobody is telling you to expose IP addresses directly associated with servers... All it really means is stop doing crummy 1:many mappings because it is dangerous, counterproductive and completely unnecessary given available address space.

      If you need to rely on stateful firewall rules to know what's allowed, you need to rely on the vendor to competently be able to handle all of these protocols and the like. And, quite frankly, time and time again we see plenty of reasons why we can't trust the vendors to competently do that.

      You are relying on the vendor not to fuck up no matter what. The question is does it take more risk/code to implement SPI or to continue to mangle packets and tolerate ALGs with heuristic assumptions attackers can drive trucks thru?

      This is one of the reasons a lot of organizations have looked at IPv6 and consistently said "no thanks, there's parts of this we really don't like".

      All organizations have to do at some point is provide IPv6 connectivity for public facing services. That's it. They can keep IPv4 forever on their Internal networks for all anyone cares.

    45. Re:what by Anonymous Coward · · Score: 1

      Privacy extensions are not anywhere near as good as you think they are. Internal structure can still be derived from traffic. Believe it or not, networks don't cease to be hierarchical just because IPv6 is implemented. Subnets or simple ranges are still in use. The number of internal nodes can be found during high-usage times or through statistical averaging.

      In short, RFC 3041 does not do what you say it does, yet no one will bother to actually read the link and take you at your false word.

    46. Re:what by arth1 · · Score: 1

      The IPv6 address space is so huge that bulk scanning is simply not practical

      My concern isn't so much scanning as clients giving away a unique identifier, where they formerly with IPv4 NAT had a shared identifier. I.e. a privacy concern more than a security concern, but a concern nevertheless.

      Randomized IP addresses help combat that, but do not play nice with DNS or other caching.

    47. Re:what by SuricouRaven · · Score: 1

      If you try it then a mob of angry engineers come to reeducate you with blunt instruments.

    48. Re:what by Anonymous Coward · · Score: 0

      Generally firewalls can do source mac address filtering, that makes it easy enough to specify the origin machine.

    49. Re:what by DarkOx · · Score: 2

      allow an internal host to transit your firewall outbound, you have exposed more than just the router's IP, but internal network information too. This means that an attacker now knows something they didn't before.

      I see this argument from time to time. I don't buy it. While I don't recommend internal address disclosure for IPv4 gateway-ed networks, I would never make it more than a LOW finding on a security report. Why? Because you can't do anything with that information unless you compromise an internal host. If you compromise an internal host, it's almost always trivial to figure out what addresses are in use internally. Even with the least privileged web shell you can usually get the adapter information off the affected host. Almost all major platforms allow ping to run without privileges, and even on Windows with something like AppLocker enabled, ping.exe is a Microsoft signed binary and will be allowed by default. Discovering internal addressing really isn't a big deal.

      Even if the ultimate outcome is that your internal addressing will now be public information, the 60 seconds someone might spend thinking about their network when turning on IPv6 probably does more for their security posture. The other thing you have to consider is that for larger networks subnet discovery is going to get a lot harder. Discovering other hosts adjacent on the subnet is also much harder with IPv6.

      I do agree though that it IS more complicated than just drop all inbound connections. That is certainly a good start, but it's true that it is not quite that simple. I just don't think that it is so much harder that it will impact many people at the margin. If people were just turning on NAT + UPnP and hoping for the best before, they were screwed, as they will be with IPv6. If they knew/did more than that before, there are not so many new considerations that they are likely to do anything especially bad.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    50. Re:what by Geordish · · Score: 1

      Exactly. People who run NAT as a firewall and think there is no security in IPv6 because there is no NAT are dumb. The simple basic firewall that should come on all CPE is default deny inbound, and a reflective permit outbound. This will give the actual security that people think they have with NAT.

    51. Re:what by locofungus · · Score: 2

      Source address: the device you don't trust.

      And there's the problem. If you have multiple devices with privacy extensions then you cannot filter by source [IP] address.

      On a home network it's usually trivial to filter by MAC address instead but once there are multiple routers before the egress firewall then that won't work.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    52. Re:what by mark-t · · Score: 1

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      It's not quite the same thing... NAT also breaks end-to-end connectivity even on outgoing connections, while a firewall does not. While generally breaking such connectivity is not a desirable thing, it is not unimaginable that there may be circumstances where this might be actively desired in some situations.

      Ideally, such end-to-end connectivity should be selectable per NIC in an IPv6 network.

    53. Re:what by unixisc · · Score: 1

      without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Sounds simple enough.... Of course, nothing is really as simple as it first seems.... Good first step though.

      While I get people's reluctance to adopt IPV6 and having their local networks become immediately routable and thus externally addressable, there is a bit more to this "security" thing when switching IP versions than just dropping inbound connections. The problem stems from the fact that when you go full on IPV6 and allow an internal host to transit your firewall outbound, you have exposed more than just the router's IP, but internal network information too. This means that an attacker now knows something they didn't before. It's true that this knowledge doesn't give them any special access if your router is working properly, but it does mean that if the router doesn't always do the right thing, they will have an easier time attacking your internal network.

      Not that there are no solutions to this issue out there or that one cannot still protect their internal networks, only that such protection needs to be thought about in somewhat different terms and perspectives. IPV6 messed with more than just the number of bits in the IP address, but messed with the fundamentals of how traffic gets routed. It made a lot of things easier, faster and cheaper, but it also had impacts on network security considerations that I'm not sure we fully understand even after this long.

      In addition to everything others have said above, there is also the fact that a device can have MULTIPLE IPv6 addresses of different networks. There is your link local address (fe80::/10), your unique local address (fd00::/7) and your global unicast address (2001::/64). Within your global unicast address, you can, using DHCPv6, assign different addresses to different services - something for a web server if you happen to host one, something for an email or ftp server, and so on, and you can even assign a range for your privacy extensions. That way, there is no clean mapping b/w your number of devices on your network, vs the number of addresses you are using.

      You are right that concepts in IPv6 are radically different from IPv4, so new thinking is required to get on top of it.

    54. Re:what by unixisc · · Score: 1

      If you don't wanna be on the internet, just go w/ Link Local IPv6 addresses, which are created by default when you first start.

    55. Re:what by Anonymous Coward · · Score: 0

      WTF? That sounds fine if a device is always & forever only ever a 'client' initiating a communication, but what if I want to initiate a communication to something that should be 'listening' on purpose... e.g. let's say I want to check that I locked my house & lock it if I haven't? My fancy IoT house lock has to be listening; how the heck would I find it if its IP address keeps changing? If I have DNS for IPv6 such that I now have a name for my fancy IoT lock, then I can just use the name, but then the IoT lock has to register with a system doing DDNS & now it's not difficult at all to figure out whether the 'packet I just received comes from the same device as an hour ago'.

      My point is that there is a very good reason for static numbers or names...it means someone or something can initiate a contact to you...yes that can be annoying, in the 'human world' it means I get telemarketing calls on my phone & spam in my e-mail but it also means I get the 99.999999% greater benefits of someone knowing who I am & how to get a hold of me...ultimately I see no benefit of a device randomly changing its contact info UNLESS it is only ever a client & in that case what's the point of someone knowing how to contact this device since it won't EVER be listening for incoming communications?

    56. Re:what by vtcodger · · Score: 0

      You idiot!!! You are not supposed to use IPV6 and the Internet of Things to actually do stuff. They exist merely as a vehicle to transfer wealth from a client (you) to a service provider ("them"). Once you recognize and accept that, you will find that questions such as how to connect to a server with an unknowable address will no longer seem meaningful.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    57. Re:what by Anonymous Coward · · Score: 0

      ECSQUEEZE ME? I managed a class C network 'back in the day' & no I never, ever, ever put any of my servers or internal devices 'directly on the internet'...I purposely used a non-routable IP address segment specifically so this wouldn't happen not because I didn't think I had enough IP addresses for my purposes.

      There are clearly some limitations imposed due to NATing but those can in theory be worked around. Frankly I liked the thought of a device not automatically being on the internet until I explicitly allow it to be... a properly configured IPv6 device only communicating via a FW will accomplish this just as well as 'NATing' would, but it's that much more difficult to 'properly configure' the IPv6 device...

    58. Re:what by mattventura · · Score: 1

      If you need something to have a static IP, then you would do exactly as you would with IPv4: either set up a DHCPv6 reservation for that host, or configure it to use a static IP. Or link the DNS and DHCP so that no matter what IP it gets, the DNS record will be updated accordingly.

    59. Re:what by Anonymous Coward · · Score: 0

      Bullpucky! Granted I only did a quick reading, but if the 'address randomization' is based on the unique MAC address of the device then it's not really 'random' now, is it? And arguably the only benefit is in not being able to physically track where a specific device goes, but why do I need 'address randomization' then, why not just 'random DHCP'? Furthermore almost all devices will have a 'name' (you know, because humans think in terms of names not numbers) so a DNS query will quickly make the address randomization a 'moot point'...

      Now, having said that, since we're discussing NATing and 'internal network information', then address randomization is not at all the same as NATing & again can easily 'leak' information, or you have to rely on the protocol vendor to make the address entirely random... relying on a vendor to do that is wrong by default... seriously, how many times have we seen vendors completely F up any type of security on their devices?... ultimately it has to be assumed that the vendors of devices are going to take the easiest possible route, which means you can't trust ANY vendor to implement this properly either from a security point of view or even a 'usability' point of view (e.g. if they F it up & a device 'randomly' stops communicating because its IPv6 address is somehow 'unusable')... NATing allows me to control exactly who sees what on the outside of my internal network while allowing my internal devices to easily find each other & it doesn't require fancy coding to do so...

    60. Re:what by mattventura · · Score: 1

      It is still more convenient than port forwarding, because you could then have multiple such devices on each network without having to use alternate ports. Plus you could make it more secure by restricting what can connect to it from the other network (e.g. only allow connections to a videoconference device from videoconference devices on the other network).

    61. Re:what by Anonymous Coward · · Score: 0

      Privacy Extension? If I read that correctly, then a way of 'randomizing' the IPv6 address is to take the world unique 64-bit MAC address of a device & tack on a 'random' 64 bits to make a 128 bit IPv6 address... except if I do that then the 64-bit MAC part is NOT 'random', it's entirely unique & assigned to a specific device, so how is that at all 'private'?

      That's just one 'wtf' that I could quickly see in that document but as the other guy says 'NEVER trust the vendor'...you simply can't trust anyone to implement that RFC properly, competently or without malice. NATing provides ME the control not the vendors of the devices I buy.

    62. Re:what by unixisc · · Score: 1

      As always, there is no reason you can't already do that in IPv4. Heck, you won't even need ULAs - link local addresses will be sufficient. In fact, link local addresses almost enable you to replace layer 2 connectivity w/ layer 3 connectivity.

      Configuration of IPv6 devices is not much different from that of IPv4 devices, whether you're using IPtables or PF.

    63. Re:what by mark-t · · Score: 1

      There is a vocal group that seems absolutely fearful of the idea of NAT being as common with IPv6 as it is with IPv4

      Is this fear particularly justified with IPv6? With IPv4, the sheer lack of address space makes it virtually essential. Since there is an abundance of available addresses in IPv6, it seems more likely to me that something like NAT would only be used when the specific characteristics that NAT offers might be desired, that cannot generally be achieved by a firewall alone, specifically, the way NAT discards end-to-end connectivity.

      Under normal circumstances, disregarding such connectivity is undesirable, but it is not remotely inconceivable that some users may expressly want it for at least some subset of the connected devices on their network, while still maintaining seamless outgoing connectivity.

      I don't imagine NAT has any danger of becoming so pervasive as to affect end-to-end connectivity for the people that desire it, so I imagine concerns about IPv6 NAT are unwarranted in that respect.

    64. Re:what by sl3xd · · Score: 1

      Yeah, the left foot not knowing what the right is doing & all that.

      And then there's socks, gloves, earrings, contact lenses...

      --
      -- Sometimes you have to turn the lights off in order to see.
    65. Re:what by vux984 · · Score: 1

      I don't see how that helps me.

      I'd like to know what my servers public ip address is at all times. And I'd like for everything to talk to everything else on my network seamlessly.

      I want DNS to work. And I don't really want my LAN hosts to be registering their hostnames for DNS on the public internet with my ISP. So this means running my own DNS and DHCP servers, right? In fact I'm running OpenWRT which is doing DHCPv6 (but I have no idea where it's getting its address pool from -- my ISP isn't doing ipv6 yet so not from them). But in any case I can assume I'm not using stateless autoconfiguration addresses anymore. So these privacy extensions are irrelevant?

      Indeed skimming the RFC, these extensions have nothing at all to do with what the previous poster was even asking about. All this is talking about is the issue that ipv6 addresses often include the MAC, and some people might not want their device MAC visible on the internet for $reasons$. The previous poster wasn't talking about MAC he was talking about having even their internal ip address invisible.

    66. Re:what by swillden · · Score: 2

      My Asus router supports IPv6. The IPv6 firewall is configured by default to reject all incoming connections. Done.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    67. Re:what by thegarbz · · Score: 1

      Yes, but we all know that there is a metric shitload of routers out there that have nothing but NAT defending their "internal" networks. Turn on IPV6 and those internal networks are simply open to the world.

      NAT requires a stateful firewall to be in place.
      I have never seen a router that supports IPv6 and does IPv4 NAT, and yet does not provide a stateful firewall on IPv6 enabled by a simple radio button. Heck, the only ones I've actually had to set up came with it enabled by default and you specifically had to disable it, and this includes the absolute garbage cable modem I got from my ISP which I subsequently sent back.

    68. Re:what by Anonymous Coward · · Score: 0

      That's the whole point of NAT. To unplug most stuff from the Internet.

    69. Re:what by Todd+Knarr · · Score: 2

      What configuration on the host? All configuration would be done on the router, since the last rule on the WAN IN ruleset would be to drop everything. The first rule would be to allow ESTABLISHED and RELATED traffic so the return for outbound connections works properly (assuming you want it to work, if not then just omit that rule). After that nothing outside your network's going to be able to connect inbound to your hosts unless you add rules to the middle of the WAN IN ruleset specifying exactly what you want to allow in for each host. The FORWARD rulesets follow the same pattern, adjusted for whether you want to allow outbound by default or not. I've written the rules for an IPv6 firewall, and they're remarkably parallel to the IPv4 rules.

      And as pointed out, if you want a truly isolated segment you just don't advertise a routable prefix on the LAN side of your router and autoconfiguration will give you hosts with addresses that're only valid within the segment and can't be routed outside it without some black magic in the router (don't bother, it's easier to just give them routable prefixes and then leave rules for those prefixes out of the FORWARD ruleset on your router so traffic to/from those prefixes just bounces off the interfaces).
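The WAN IN policy described in this comment (ESTABLISHED/RELATED first, explicit per-host allows in the middle, drop everything last, with a reflective permit outbound) can be walked through in code. The model below is an added example, not the poster's ruleset or any router firmware; the `Packet` fields, the `StatefulFirewall` class and the `2001:db8::/32` documentation-prefix addresses are constructed for illustration, and connection tracking is reduced to a set of 5-tuples with no timeouts or TCP state. One caveat a practitioner would add to "drop all inbound": on IPv6 a handful of ICMPv6 messages (Packet Too Big for path MTU discovery in particular) must still be admitted, per RFC 4890, or connections to hosts behind smaller MTUs silently stall.

```python
"""Toy model of a default-deny IPv6 CPE firewall with stateful replies.
Constructed example; packets carry only the fields the rules look at."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "wan" or "lan"
    proto: str          # "tcp", "udp" or "icmpv6"
    src: str            # source IPv6 address
    dst: str            # destination IPv6 address
    sport: int = 0      # transport ports; 0 for ICMPv6
    dport: int = 0
    icmp_type: int = 0  # ICMPv6 type, only meaningful when proto == "icmpv6"


class StatefulFirewall:
    # ICMPv6 a default-deny IPv6 policy must still admit (RFC 4890):
    # Destination Unreachable (1), Packet Too Big (2, needed for PMTUD),
    # Time Exceeded (3), Parameter Problem (4), Neighbor Discovery (135/136).
    ESSENTIAL_ICMPV6 = frozenset({1, 2, 3, 4, 135, 136})

    def __init__(self, exposed_services=()):
        # (proto, dst, dport) tuples the operator deliberately opened:
        # the "rules in the middle of WAN IN".
        self.exposed = frozenset(exposed_services)
        # Flows seen leaving on the LAN side. A real conntrack also ages
        # entries out and checks TCP state; that is omitted here.
        self.conntrack = set()

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_flow(p):
        # A reply has source and destination swapped relative to the request.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        """Return the verdict, "ACCEPT" or "DROP", and update state."""
        if p.iface == "lan":
            # Reflective permit outbound: remember the flow so the reply
            # matches as ESTABLISHED when it comes back in on WAN.
            if p.proto in ("tcp", "udp"):
                self.conntrack.add(self._flow(p))
            return "ACCEPT"
        # WAN IN, first rule: ESTABLISHED/RELATED.
        if self._reply_flow(p) in self.conntrack:
            return "ACCEPT"
        if p.proto == "icmpv6" and p.icmp_type in self.ESSENTIAL_ICMPV6:
            return "ACCEPT"
        # Middle rules: services the operator chose to expose.
        if (p.proto, p.dst, p.dport) in self.exposed:
            return "ACCEPT"
        # Last rule: drop everything else.
        return "DROP"


def demo():
    """Walk constructed packets through the policy and return the verdicts."""
    fw = StatefulFirewall(exposed_services={("tcp", "2001:db8:1::80", 80)})
    lan_host, web_server, outside = "2001:db8:1::10", "2001:db8:1::80", "2001:db8:ffff::1"
    packets = [
        Packet("lan", "tcp", lan_host, outside, 50000, 443),        # outbound HTTPS
        Packet("wan", "tcp", outside, lan_host, 443, 50000),        # its reply
        Packet("wan", "tcp", outside, lan_host, 40000, 22),         # unsolicited SSH
        Packet("wan", "tcp", outside, web_server, 40001, 80),       # exposed web server
        Packet("wan", "icmpv6", outside, lan_host, icmp_type=2),    # Packet Too Big
        Packet("wan", "icmpv6", outside, lan_host, icmp_type=128),  # echo request
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The reply to the outbound HTTPS connection is accepted only because the LAN-side packet was seen first; the same packet arriving without that prior flow (the unsolicited SSH attempt) falls through to the final drop, which is the whole "security" that NAT was giving people.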

    70. Re: what by Anonymous Coward · · Score: 0

      Stockings

    71. Re:what by hairyfeet · · Score: 4, Interesting

      The rotting elephant in the room is NOT the "security" of NAT, it's the legal issues, specifically that the *.A.A will be able to argue that "IP address equals person", thus letting them sue pretty much anybody for anything. You put up a vid of your kid dancing to a corporate media conglomerate owned song? Enjoy your lawsuit.

      This of course isn't even bringing up how badly corporate has fucked IT for the last decade, which means all the older networking gurus have all bailed, leaving a bunch of kids that won't know how to diagnose, much less fix shit when the inevitable IP V6 headaches hit. We have the environmental disaster as you have literally tens of millions of routers and modems that simply cannot handle IP V6, so all of that will have to be trashed, which of course adds to the cost of switching, which is gonna be quite high...... I'm sorry but there are a LOT of downsides and very few upsides.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    72. Re:what by Jawnn · · Score: 1

      But it's the firewall that comes w/ NAT that does the defending -

      Ideally, yes, but the sad fact is that configuring a basic stateful firewall is not the same as configuring NAT. Again, lots of hardware that has the capability to do firewall chores, but doesn't.

    73. Re:what by Darinbob · · Score: 1

      People are trying to apply IPv4 concepts to IPV6, rather than learn IPv6. But many network administrators and techs only know what is taught in certificate courses and have difficulty doing something different (even if it's only due to time constraints).

      Remember, NAT is not all that old, it was new once and at the time a lot of people felt it was a hack. It took time to iron out the NAT problems, making sure routers and applications could work with it correctly. IPv6 should be treated the same way. At one time the ten customers who wanted NAT were treated as a headache, and today the 10 customers who want IPv6 are being treated as a headache.

    74. Re:what by Darinbob · · Score: 1

      Before NAT that's how a lot of things were done. People forget that masquerading with NAT wasn't always in common use either. Even as recently as ten to fifteen years ago it wasn't hard to find some ISPs or routers that didn't support NAT.

    75. Re:what by Anonymous Coward · · Score: 0

      Temp IPs do not affect routing at all. Routers (except the local "router" that translates IPs into MAC addresses) do not care about what IPs are actually in use in a network, they just care about the net mask. Temp IPs don't need DNS entries, they're primarily used for outgoing connections.

    76. Re:what by unixisc · · Score: 1

      If IPSEC is used, then RFC 6296 - the network prefix translation that is supposed to be available to anyone who MUST have NAT - would presumably be unusable. Or IPSEC would have to be 6296-aware for those 2 to be used in tandem

      RFC 6296 - link below - is a 1:1 mapping b/w addresses, and therefore, preserves layer 3 connectivity, unlike NAT in IPv4 which pretty much forces layer 2 connectivity.
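The 1:1 mapping this comment refers to can be shown concretely. The code below is an added example, not something from the thread, the RFC authors or any vendor: it implements the RFC 6296 NPTv6 mapping for /48 (or shorter) prefixes, replacing the prefix and then adjusting the 16-bit word at bits 48-63 so that the one's complement sum of the address is unchanged. That "checksum neutral" property is why NPTv6 needs no per-flow state and no ALGs: TCP and UDP checksums, which cover the IPv6 pseudo header, remain valid without the translator touching the transport layer. The prefixes `fd01:203:405::/48` and `2001:db8:1::/48` and the function names are constructed for illustration; a result of 0xFFFF in the adjusted word is written as 0x0000, both being zero in one's complement arithmetic.

```python
"""NPTv6 (RFC 6296) prefix translation worked through.
Constructed example: stateless, reversible, checksum-neutral prefix mapping."""
import ipaddress
import struct


def ones_complement_sum(words):
    """16-bit one's complement sum, the arithmetic used by IP checksums."""
    total = sum(words)
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr):
    """The eight 16-bit words of an IPv6Address."""
    return list(struct.unpack("!8H", addr.packed))


def address_checksum_contribution(addr):
    """What an address contributes to a transport checksum.
    0xFFFF and 0 are the same value in one's complement, so normalise."""
    return ones_complement_sum(_words(ipaddress.IPv6Address(addr))) % 0xFFFF


def nptv6_adjustment(from_net, to_net):
    """Constant per mapping: sum(from /48 words) minus sum(to /48 words).
    One's complement subtraction is addition of the bitwise complement."""
    from_sum = ones_complement_sum(_words(from_net.network_address)[:3])
    to_sum = ones_complement_sum(_words(to_net.network_address)[:3])
    return ones_complement_sum((from_sum, 0xFFFF - to_sum))


def nptv6_translate(addr, from_prefix, to_prefix):
    """Map one address from from_prefix to to_prefix (equal length, <= /48).
    Calling it again with the prefixes swapped returns the original address."""
    from_net = ipaddress.IPv6Network(from_prefix)
    to_net = ipaddress.IPv6Network(to_prefix)
    if from_net.prefixlen != to_net.prefixlen or from_net.prefixlen > 48:
        raise ValueError("prefixes must be the same length and at most /48")
    a = ipaddress.IPv6Address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not inside {from_net}")
    # Step 1: swap the prefix, keeping subnet id and interface identifier.
    host_bits = int(a) & int(from_net.hostmask)
    words = _words(ipaddress.IPv6Address(int(to_net.network_address) | host_bits))
    # Step 2: fold the checksum difference into bits 48-63 (the subnet id).
    words[3] = ones_complement_sum((words[3], nptv6_adjustment(from_net, to_net)))
    if words[3] == 0xFFFF:  # equal to zero in one's complement; write 0x0000
        words[3] = 0x0000
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    internal = "fd01:203:405:1::10"
    external = nptv6_translate(internal, inside, outside)
    back = nptv6_translate(str(external), outside, inside)
    print(f"{internal} -> {external} -> {back}")
```

Because the subnet id word changes (subnet 1 inside becomes d550 outside in the example), hosts on the inside see different subnet numbers than the outside does, which is the one operational wrinkle of the scheme; the interface identifier, and hence any address-based ACL on the far end, is untouched.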

    77. Re:what by Anonymous Coward · · Score: 0

      You mean like the Linux kernel, which the last time I checked didn't support IPv6 nat/masquerading. Most likely due to the specific efforts of said groups.

      When was the last time you checked? It's supported it for a couple of years now (and it works just like with IPv4).

    78. Re:what by mark-t · · Score: 1

      NAT also breaks end-to-end connectivity, which is where all of the safety that it does have actually comes from. While breaking such connectivity is generally an undesirable thing (and the very reason that NAT is often loathed by IPv6 advocates), it is not unimaginable that there may be circumstances in which it is desired, and a firewall, by itself, cannot do that.

      Of course, there are any number of ways to break end-to-end connectivity too... and you can couple such a system with a firewall to accomplish that. A layer-3 transparent proxy would be the most seamless way to achieve that, although if you are doing that, you might as well just be using NAT anyways. The biggest problem with NAT is not that it breaks the Internet, it's that it's almost always an all-or-nothing proposition, and usually not very configurable.

      So please don't pretend that a firewall that simply rejects all incoming connections will do everything for everybody that a NAT would. It won't.

    79. Re:what by bobbied · · Score: 1

      Only if there is no router between the firewall and the machine you wish to filter. If you have a router between them, the firewall will only see the MAC address of the router for every host that is behind it... Oh, and you are assuming that you are using "Ethernet" which has MAC addresses at the hardware layer, which doesn't always need to be the case. There are other hardware layers over which you can route TCP/IP that don't use MAC addressing....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    80. Re:what by mark-t · · Score: 1

      The point of NAT is not only to be unplugged from the internet, but to still be able to use the internet for outgoing connections while remaining so unplugged.

    81. Re:what by TheGratefulNet · · Score: 1

      not all incoming connections, but all INITIAL incoming connections.

      stateful replies are allowed, of course.

      --

      --
      "It is now safe to switch off your computer."
    82. Re:what by DanJ_UK · · Score: 1

      lol

      --
      - Dan
    83. Re:what by CauseBy · · Score: 1

      Yeah, that's what they said in the sentence you quoted. "Set your firewall" means the same as "be more deliberate about packets".

    84. Re:what by Antique+Geekmeister · · Score: 1

      > But it's the firewall that comes w/ NAT that does the defending - the same thing that can be done w/ a public IPv6 connection.

      It is _possible_ to do many things. But NAT forces people to specifically select exposed ports for exposed services, and discourages simply opening up HTTP, HTTPS, FTP, SMTP, and most especially CIFS and NFS by default or through careless settings on a default "just open up the ports for all addresses" simple firewall configuration.

    85. Re:what by unixisc · · Score: 1

      I tend to agree here. A good approach would be to be agnostic about whether Network Prefix Translation (NPT) is used while implementing IPv6. If that's what needs to be included in the package for IPv6 implementation to happen, so be it.

      For applications that DO do better w/ end to end connectivity, such as Skype, there could be setups that allow for routable IPs that would be used exclusively by such applications. There are some other applications, such as GPS mapping apps, that depend heavily on ports and do better when the 65536 ports ain't eaten up by NAT mechanisms - like in PAT in IPv4. However, in case of IPv6, I imagine it wouldn't make a difference since you have a 1:1 mapping b/w routable and non-routable addresses, eliminating any need for ports to be involved, and freeing them all up for the maps

    86. Re:what by unixisc · · Score: 1

      Actually no. While on the security front, there is a belief that NAT provides a shield from unwanted inbound packets coming over the internet, on the connectivity front, you are now conflating NAT w/ private addresses.

      Private addresses are by design non routable. Like you may not have an internet connection in the first place, but you may have 5 computers all connected to a hub and all communicating w/ each other using their private IP addresses. (The mechanism may be different b/w IPv4 and IPv6 - layer 2 in IPv4 vs layer 3 in IPv6). The way your stuff is unplugged from the Internet is not having your gateway. And just using private IP addresses.

    87. Re:what by Altrag · · Score: 1

      the 60 seconds someone might spend thinking about their network

      Welcome to the 1% that would spend any time thinking about this (hell maybe less than that.. I'm sure a large portion of that 10% adoption is in large data centers and whatnot that are manned by far less people than there are machines.)

      The vast majority of users will be "I know my wireless password, let's rock!" That means it's up to the (typically broadband) installer to pre-configure the router to allow for all common usages: Outgoing connections are typically enabled by default, but what about incoming?

      What happens when I try to start up my Skype video and it needs an incoming port to start up its peer-to-peer connection? Does the installer have to know what apps and games I currently use? What I may use in the next 3-5 years (which may not even be invented yet)? Currently UPnP handles this in IPv4/NAT but a quick Googling suggests that people are still discussing whether it's even needed in IPv6 since everything is routable.

      Except everything is NOT routable. Addresses are routable sure, but unless either a) there's a way for programs to poke temporary holes in an otherwise closed down firewall or b) every grandma on the planet learns how to configure IPTables, the ports (and thus applications) running on those addresses will still be blocked! And if you're waiting on (b), it will probably be another 20 years for the next 10% of adopters.

      I mean, that said, I'm sure I'm not the first person in the world to realize that this is a necessary feature and I'm sure somebody somewhere is working on it (or perhaps it does already exist and I just haven't stumbled across it yet), but it's things like that that we'll need before mass adoption by home users can really happen.

    88. Re:what by unixisc · · Score: 1

      If your ISP is not doing IPv6, then chances are that your DHCPv6 is assigning ULAs to your computers. Which then begs the question - what sort of addresses are your DNS getting?

      Anyway, privacy extensions do not involve EUI-64, which is the SLAAC mechanism that uses MAC, and provides a static address. But in my PC-BSD set-up, it is used to form the link-local address, which is usually autoconfigured. Link local addresses ain't associated w/ any router: they are automatically configured and assigned when you set up your computer. Like if you were to connect 2 computers, the link local address could be used to transfer data from one to the other w/o going to layer 2.

      Privacy extensions are IPv6's equivalent of what in IPv4 is known as dynamic addresses. Addresses that change after a fixed period of time - say 7 days.

    89. Re:what by unixisc · · Score: 1

      No, the point of NAT is to share routable IP addresses b/w several hosts, given the address scarcity. Now, there are other utilities that NAT acquired over time, such as load balancing, but what you described is achieved using firewalls.

      Even w/ a public, routable IP address, you can have a firewall that issues a drop instruction for any inbound packets, while letting through outbound packets.

    90. Re:what by Anonymous Coward · · Score: 0

      she's usually not wearing much of anything when i come over?

    91. Re:what by Anonymous Coward · · Score: 0

This is all bullshit. While there *may* be no RFC for IPv6 NAT, that does *not* mean that it cannot or will not exist.
      In fact, all manner of consumer gear will be coming with an option for it, just like IPv4 NAT.
      Precisely because it's, in effect, a cheap and dumb firewall.
      The gear will come with it because users are too stupid to [bother to] learn what a real firewall [ruleset] is.
      But they still demand protection across multiple computers behind one device.
      Therefore... IPv6 NAT will ship.
      And probably before such gear actually implements real stateful firewalls,
      because vendors won't want to spend any money coding those either.

    92. Re:what by KGIII · · Score: 1

      Pardon my ignorance but is there something akin to UPnP with IPv6 or are consumers going to actually have to do things like learn to use a hardware firewall, use port forwarding, and things of that nature?

      I've been meaning to dig into this for a while now but I haven't. :/

      I don't know as it might not be helpful to be able to have various IPv6 addresses aimed at specific ports on the same machine. I was pondering that when I went and looked into doing some tunneling (my ISP does not yet offer it so I've not yet been properly motivated to learn). It'd be kind of neat to have a separate address for a mail server, torrent client/server, http server, etc and all on the same box. I'd imagine that some method of doing that could create some fairly refined security controls.

      I really do need to learn this stuff. I should find that site again and look into that tunneling thing all over again. I imagine that the sooner I learn the better off I will be.

      --
      "So long and thanks for all the fish."
    93. Re:what by Anonymous Coward · · Score: 0

      Huh? You could make the case that NAT is effectively a firewall, but you cannot say that the firewall is the security in NAT.

The security is that there is nowhere for the packet to go. The router gets a packet destined for its IP address on port 21432. Now what? Which of the internal addresses does it send it to? Without the context of a previous session, there is just nothing for the router to do with the packet and it drops it. That's not a firewall, but the net effect is the same as a drop rule at the end of your firewall policy.

    94. Re:what by vux984 · · Score: 1

      If your ISP is not doing IPv6, then chances are that your DHCPv6 is assigning ULAs to your computers. Which then begs the question - what sort of addresses are your DNS getting?

Oh, my ISP is not doing ipv6; I was just speculating how it might work if it was. For example, even if it was doing ipv6 I'd still prefer a device under my control handing out addresses to my other devices, and handling name resolution for them.

      And in my case, with openwrt, it *is* doing that.

      Anyway, privacy extensions do not involve EUI-64, which is the SLAAC mechanism that uses MAC, and provides a static address

      Ok.

      But the RFC that was linked... in the abstract.

"This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier." (And later it clarifies that the IEEE identifier is "ie a link-layer MAC address".)

      "The focus of this document is on addresses derived from IEEE identifiers, as the Extensions to IPv6 Address Autoconfiguration concern being addressed exists only in those cases where the interface identifier is globally unique and non-changing."

So you can understand why I came to the conclusion that these extensions related to preventing the tying of publicly visible ipv6 addresses to a MAC address.

    95. Re:what by mark-t · · Score: 1

      You assume that NAT's sole purpose is to deal with address scarcity. That is only one of its purposes... maybe the only one that is important to yourself, and perhaps the only one that matters to a great many people, but not necessarily the only one that may be important to everybody.

      ...you can have a firewall that issues a drop instruction for any inbound packets, while letting through outbound packets.

That only does half of what NAT does... while it might be the only part that matters to you, and it's probably the most important part for many, but the other part of NAT is that it also acts as a layer-3 transparent proxy between the devices you place behind it and the outside world, so that there is absolutely no mapping between any IP address that the outside world might perceive from a connection of yours and any particular IP addresses within it other than that of your NAT device itself. Of course, you can use a firewall combined with a layer-3 transparent proxy if you want and get absolutely everything that NAT does, but at that point you might as well just be using NAT anyways. While many see the fact that NAT breaks end-to-end connectivity as its biggest flaw, it is hardly inconceivable that it might be desired for people who neither need such connectivity nor would be able to adequately cope with the responsibilities that might come with such connectivity if they had it. A drop-all-incoming connections rule on a firewall might cover most of the cases you need to worry about, but without the addition of a layer-3 transparent proxy, a firewall isn't doing what a NAT does. Don't pretend that it is.

      The biggest problem with NAT is not that it breaks the Internet, it is that in consumer devices it is generally an all-or-nothing proposition, and generally not very configurable. The ever-present issue of IPv4 address scarcity is probably what keeps the demand for any additional flexibility very low, because most people would simply not be able to utilize it if they had it. Because there is no lack of IP addresses in IPv6, I do not anticipate the same inflexibility to continue to apply in that domain.

    96. Re:what by lokedhs · · Score: 1

Granted I only did a quick reading but if the 'address randomization' is based on the unique MAC address of the device then it's not really 'random' now is it?

      The wording in the document can be confusing. When talking about the MAC-derived addresses, they are referring to the class of interfaces that needs the randomisation. The generated address is random.

And arguably the only benefit is in not being able to physically track where a specific device goes but why do I need 'address randomization' then, why not just 'random DHCP'?

      You could. But one of the core ideas of IPv6 is that you don't need DHCP. The hosts decide on their own IP addresses. Originally using the MAC address to guarantee uniqueness, and subsequently using the above-quoted privacy extension to make sure the hosts can't (easily) be tracked.

      Then again, if you really want, you can run DHCP as you said. It's just something you don't normally need.

    97. Re:what by dbIII · · Score: 1

      Yes, and the summary is also incorrect because you can have NAT in IPv6 if you really want it (eg. for a web proxy). It's just not needed for the main use of NAT which provides more numbers at the cost of breaking the internet in many annoying little ways.
      Many people here such as the above poster will already know this, but NAT is the reason why internet telephony was so damned hard and became the domain of things like Skype that provided a midpoint instead of very easy point to point communication like we used to have.
      Also as things like Facebook with hundreds of linked objects per page become popular it's not hard to hit the limit of connections per port on the gateway that is doing the Network Address Translation - have a dozen people hitting Facebook at once behind one IP address and watch their web browsers slow down once per minute no matter what bandwidth you have.

    98. Re:what by dbIII · · Score: 1

      Just as well that naive approach is on the old stuff that doesn't do IPv6 at all.
      Get the cheapest Chinese router you can find new and you'll see even that does reasonable firewalling by default.
      An expensive gold plated Cisco pushed by the sleazy salesman who is playing golf with your boss to seal the deal on the other hand may be a different story, but all other new hardware from the cheap consumer stuff up does the job as if it's 2016 with a wild untrusted internet and not 1990.

    99. Re:what by dbIII · · Score: 1

There was a paper a few years ago (and an article about that on slashdot) about a simple NAT traversal hack to map everything on an IPv4 network behind the gateway. NAT doesn't really provide anything in the way of security on its own. Because it's found on devices that do other things to actually provide security some people attribute that security to NAT and not the filtering software found with it.
      As for people finding out an IPv6 address behind the firewall - good luck guessing if they are using something like a MAC address to fill in the last portion of the IPv6 address as some are doing.
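Post #96 above explains the two ways SLAAC can fill in the low 64 bits of an address (an EUI-64 identifier built from the MAC, or a random temporary identifier per the privacy extensions RFC), and this post notes that some hosts still put the MAC there. The following is an added example to make that concrete; it is not code from the thread or from any poster. The prefix 2001:db8:1::/64 and the MAC 00:1a:2b:3c:4d:5e are constructed sample values, and the random identifier uses the OS random source rather than the RFC 4941 MD5-history procedure, which is a simplification.

```python
"""EUI-64 versus privacy-extension interface identifiers (added example).

Shows what an observer on the far end can recover from an IPv6 source
address when the interface identifier is derived from the MAC, and why
a random identifier defeats that.  Sample prefix and MAC are constructed.
"""
import ipaddress
import secrets
from typing import Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 per RFC 4291 Appendix A: split the 48-bit MAC in two,
    insert ff:fe between the halves and invert the universal/local bit
    (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_iid_to_mac(iid: bytes) -> Optional[str]:
    """Reverse of mac_to_eui64_iid; None if the identifier does not carry
    the ff:fe marker and therefore was not built from a MAC."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def random_iid() -> bytes:
    """Temporary identifier in the spirit of RFC 4941: 64 random bits with
    the universal/local bit cleared so it cannot be mistaken for a globally
    unique (MAC-derived) identifier.  Simplified: the RFC keeps a history
    value and hashes it; here the OS random source is used directly."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02 (universal/local)
    return bytes(iid)


def build_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: str) -> Optional[str]:
    """What a remote peer or web server can learn from the source address:
    the MAC, if the low 64 bits are EUI-64; nothing otherwise."""
    low64 = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    return eui64_iid_to_mac(low64)


if __name__ == "__main__":
    prefix, mac = "2001:db8:1::/64", "00:1a:2b:3c:4d:5e"  # constructed values
    stable = build_address(prefix, mac_to_eui64_iid(mac))
    temp = build_address(prefix, random_iid())
    print("EUI-64 address :", stable, "-> MAC recoverable:", mac_from_address(str(stable)))
    print("temporary addr :", temp, "-> MAC recoverable:", mac_from_address(str(temp)))
```

Two things follow from the EUI-64 case: the same low 64 bits show up under every prefix the device ever attaches to, which is the tracking problem the privacy extensions address, and a scanner that already knows a vendor's OUI has far fewer than 2^64 identifiers to try. The temporary identifier removes both properties, and the cleared universal/local bit is what lets you tell at a glance which kind of address a host is using.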

    100. Re:what by dbIII · · Score: 1

      but if you have to open the port for your video conferencing app then it's no more convenient than forwarding a port for NAT.

      Until you've got two people on your network that want to do video conferencing to the outside world at once.
      NAT is a nasty hack that should not be confused with firewalls and the summary above is wrong anyway since you can have NAT on IPv6 if you want it. Transparent web proxies can be set up on IPv6 using NAT for example - the network address gets translated to the machine acting as a proxy.

    101. Re:what by dbIII · · Score: 1

      but the other part of NAT is that it also acts as a layer-3 transparent proxy between the devices you place behind it and the outside world

      Which you can still have with IPv6 so you can have a web proxy everyone has to go through on port 80 but nice point to point videoconferencing etc that does not have to go through the nasty hack of NAT and not find the other end without a third party that is not behind NAT.

    102. Re:what by dbIII · · Score: 1

      The rotting elephant in the room is NOT the "security" of NAT, its the legal issues specifically that the *.A.A will be able to argue that "IP address equals person" thus letting them sue pretty much anybody for anything. You put up a vid of your kid dancing to a corporate media conglomerate owned song? Enjoy your lawsuit.

      With the increasing demands around the world for ISP logging that ship has sailed whether IPv6 is involved or not. It would be nice if you had a point, and I would agree with you if the *AA was not reaching the point where they could just go to an ISP and ask who was connected to what address at which time - without a warrant.

      This of course isn't even bringing up how badly corporate has fucked IT for the last decade which means all the older networking gurus have all bailed, leaving a bunch of kids that won't know how to diagnose

      Hence the attitude of NAT always being there instead of having to get a new book to explain that nasty new NAT hack at one point :)

      we have the environmental disaster as you have literally tens of millions of routers and modems that simply cannot handle IP V6 so all of that will have to be trashed

      Already almost finished. Those recent "cable TV" boxes connect to the internet and there were more of them than remaining IPv4 numbers, so they went IPv6, as with iPhones etc (using LTE with IPv6), so if you wanted those people to get to where you are on the internet it sometimes means new hardware.

    103. Re:what by AmiMoJo · · Score: 1

      Before we knew the full horror of the NSA/GCHQ spying I might have agreed. Now I think even seemingly trivial information leaks are worth preventing. Combined with other data it could be useful.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    104. Re:what by hairyfeet · · Score: 1

      You obviously haven't been keeping up with trials as the courts have ruled that..thanks to NAT...that "IP address does not equal person" which of course they will reverse when every device gets its own personal IP. This will of course also be a boon to corporate and government spies as it will be trivial to find whistleblowers and build files on anybody, simply follow them via IP.

      I'm not gonna even bother with the rest because you haven't even bothered to be knowledgeable on the first point which gives me little hope with the rest, HAND.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    105. Re:what by Anonymous Coward · · Score: 0

      AC so no mod points, but good post.

    106. Re:what by phantomfive · · Score: 1

      Network Address Translation - have a dozen people hitting Facebook at once behind one IP address and watch their web browsers slow down once per minute no matter what bandwidth you have.

      That's a really good point, I hadn't thought of that.

      --
      "First they came for the slanderers and i said nothing."
    107. Re:what by mark-t · · Score: 1

      but the other part of NAT is that it also acts as a layer-3 transparent proxy between the devices you place behind it and the outside world

      Which you can still have with IPv6

      Of course, but if you are doing that, then you may as well be using NAT because that is what NAT is - a layer-3 transparent proxy. Web proxies are usually not transparent, and are typically at layer-7.

      Ideally, NAT should be a end-user selectable notion, and more specifically, should be on a per-device basis that you connect to the network, so that if an end user wants a device to appear to be behind a NAT, then it can be, and if they want it to have a globally visible IP address, they can do that too. This issue is orthogonal to the presence of a firewall.

      The only reason that people have to create nasty hacks to work around NAT in the first place is because NAT is so ubiquitous with IPv4, and the primary reason that it is so commonplace is on account of the lack of address space. No address scarcity exists in IPv6, so there is no reason to expect NAT to be as ubiquitous, although it may still be applied where the end user has networked devices that still require some connectivity to the outside world, but no need for any end-to-end connectivity. A transparent proxy is ideal in that respect because the application and even the operating system being used do not have to know about it or be especially configured to use it... they can carry on as though they still have end-to-end connectivity when not having it is sufficient for their purposes. Put the transparent proxy at layer 3 and you have basic NAT. Add a firewall that blocks incoming connections from the outside and you have typical consumer grade NAT.

    108. Re:what by unixisc · · Score: 1

      That would actually be a neat idea. Within the interface ID, the last 2 bytes of the address could be the port number - such as :8080 for an HTTP connection. If there was any elaborate PAM software that would allow each block of the interface ID to be separately manipulated, one could have some really neat addressing mechanisms that would support a few static addresses, dynamic addresses, privacy extensions and port specific addresses for an interface.

    109. Re:what by unixisc · · Score: 1

Courts cannot reverse that even if IPv6 becomes prevalent, since there can be any number of IPv6 addresses on an interface. The only thing they MIGHT do is make IPv6 PREFIX == person, but that has its own problems in a family. Take a household, family of 5, and assume that every one of them has 5 toys - computers, phones, tablets, cable boxes, Xboxes, et al. Assume that there are some 20 devices connected in the house. If one of the IPs starts doing something illegal, the feds can't go after the entire family in that event. And if those nodes use privacy extensions, good luck ever getting a hold of them.

    110. Re:what by david_thornley · · Score: 1

      If the RAII finds illegal or suspicious activity on an IP that goes to you, they aren't going to worry about exactly which device did it and who it belonged to. Their chance of getting a court order to image all the disks in the household is the same whether it's IPv6 or an IPv4 record. There are several devices NATed behind my router that aren't identifiable by specific IP anyway, and most don't have a fixed IP, so I don't see the difference.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    111. Re:what by mark-t · · Score: 1

      With 1:1 mapping, the IP address that the receiver gets does give some indication about your internal network, as each unique machine will be providing a unique IP. Mapping many IP's on your network to a single one for outgoing connections obfuscates even how many different machines you have, and leaves the listener with no information about your network other than that you may be using a NAT device.

    112. Re:what by allo · · Score: 1

      Yeah, and whats the problem now?

      You run your servers at the public ip (intended) and surf from the temp-addr (intended). The websites cannot track who in your organization is visiting them and how many employees you may have. But people can reach you on the public ip, normally via dns.

    113. Re:what by ahodgson · · Score: 1

      If your ISP does IPV6 they'll delegate a /56 or larger prefix to you, and you can assign addresses out of it however you want.

      Consumer ISPs will almost certainly not delegate reverse DNS to you, though.

      I seriously can't believe how attached people are to NAT, though. Real addresses are SO MUCH better.

    114. Re:what by dbIII · · Score: 1

      The only reason that people have to create nasty hacks to work around NAT

      NAT is the nasty hack itself and was a pain in the neck when it came in.
As for a local IP being visible or not being orthogonal to a firewall - NO - that has always been the firewall's job and is utterly trivial to implement on a firewall. Don't want incoming connections to anything apart from host X - no problem. Want outgoing from Y and Z and replies from everything they send out - no problem.

    115. Re:what by dbIII · · Score: 1

      I hadn't either until I did a very quick IPv6 course.
iTunes is another offender with an incredibly large number of connections on port 80 for each user.
      It doesn't take a lot of people behind an IP address for it to hit the limit of 64k connections if a single page is doing well over 500 on a one minute refresh cycle to make sure the users have up to date advertisements.

    116. Re:what by mark-t · · Score: 1

      That's what a firewall does, that is not all that NAT does.

      NAT obfuscates all aspects of the network behind it by hiding every connection from any machine that is behind it behind a single IP address. A firewall alone does not do that. Even IPv6 privacy extensions will not achieve that... each connecting machine is given a distinct outward-facing IP, and one can count the number of distinct IP's coming from a subnet over a period of time to gain an idea of the number of physical machines that are located therein.

You can achieve the breakage in communication offered by NAT by using a proxy, but unless the proxy is transparent, it will require additional configuration to work with either at the application or operating system level. If the proxy is at layer-3 on the 7 layer OSI networking model, and transparent, then it achieves precisely what NAT does: breaking all end-to-end connectivity and hiding all outgoing connections behind a single IP address, regardless of the number of actual machines that may be behind the NAT. At that point, however, you may as well be using NAT... the only difference might be that you may have more control over which devices hide behind a typical proxy than you might have with deciding which devices to hide behind a NAT, at least with typical consumer grade devices. Serious enough hackers can modify the firmware and/or the default configuration of their home routers to accommodate such flexibility even in current devices anyways.

Ultimately, the problem with NAT is not that it breaks end-to-end connectivity, because in fact it is not unimaginable that there are genuine needs for devices that require the facilities that NAT provides in that respect. The problem with NAT is that it is being used in situations where it actually hinders otherwise desirable communication, and the only justification for using it at all in those circumstances was to conserve IP addresses. This justification is warranted in an IPv4 climate, but in IPv6, there will be no such need, so NAT can be applied with more discrimination only to the devices that genuinely do not require the kinds of communication that are otherwise needed by preserving end-to-end connectivity, while still maintaining a second-hand connection to the outside 'Net via the proxy.

  2. PRAVDA? by jtayon · · Score: 0

Quoting one source, from one stakeholder of IPv6 is like asking the BLU to give you the stats of unemployment in the USA.

    Does anyone have some figures about:
    - something that can correlate this claim?
    - a graph with the AS top 20 IPv6% between them?
    - are we talking about specific devices (like android locked in 4G networks)?
    - what is this traffic made off? (HTTP, mail, ...) ....

    Some figures are like bikinis ; they tend to show all, but mask the essential.

    1. Re:PRAVDA? by 110010001000 · · Score: 0
    2. Re:PRAVDA? by jtayon · · Score: 0

      Yes and?

If this traffic is only made of android/iphone devices that are locked in IPv6 thanks to the 4G? what about residential traffic?
      Can people access 100% of the actual internet space without problem?

I am sorry to doubt any figures (especially the one from google who is a stakeholder of IPv6 deployment) that have no methodology indicating how they measure. This 10% is like a local measure of temperature claiming to be global.

It is like the stupid so-called scientists claiming the earth is warming and unable to say what is the "temperature of the earth".

Species (plants (hop), animals, insects) migrating all around the world for 10 years to colder places though is a simple measure that everyone can understand and observe by themselves.

    3. Re:PRAVDA? by 110010001000 · · Score: 0

      I'm not sure what you are talking about. That page explains their measurement methodology and more info is here: http://research.google.com/pub... Did you not visit the link?

  3. Unlikely that everyone will be on IPV6 by 2020 by blind+biker · · Score: 1

    Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
    1. Re:Unlikely that everyone will be on IPV6 by 2020 by DigiShaman · · Score: 1

      Phase out. CGNAT combined with a fast moving mobile market, I fully expect to see the cell phone industry move toward IPv6 at a much faster rate than the desktop/server market. Either the remaining IPv4s will be consolidated and sold off to be re-used, or just phased out as the servers are replaced.

      --
      Life is not for the lazy.
    2. Re:Unlikely that everyone will be on IPV6 by 2020 by Anonymous Coward · · Score: 0

      I certainly won't. They'll take my /16 from my cold dead hands.

    3. Re:Unlikely that everyone will be on IPV6 by 2020 by WaffleMonster · · Score: 1

      Many or even most will move on, but once the pressure for new IPV4 addresses is off

      The day the pressure is off is the day the world has moved to IPv6. Content is unlikely to be willing to lose access to any percent of eyeballs for any reason.

    4. Re:Unlikely that everyone will be on IPV6 by 2020 by Chris+Mattern · · Score: 2

      Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.

      Ignoring the (quite literal) network effects. When the tipping point comes, it'll go to 100% IPv6 very quickly. Everybody will be on IPv6 because that's where everybody else is. Nobody will want to be cut off by being on an IPv4-only address.

    5. Re:Unlikely that everyone will be on IPV6 by 2020 by unixisc · · Score: 1

      Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.

They may well keep them, but fact remains that one would HAVE TO HAVE IPv6 addresses to access most content on the internet.

    6. Re:Unlikely that everyone will be on IPV6 by 2020 by dbIII · · Score: 1

      I fully expect to see the cell phone industry move toward IPv6

      Using LTE they've already been there for a couple of years.

  4. no ipv6 here by Anonymous Coward · · Score: 1

Telecom Italia - the largest Italian telecom provider - still does not offer business ipv6 connectivity.

    argh.

    1. Re:no ipv6 here by swb · · Score: 1

      Yeah, but don't Fiats also still use 6V, positive-ground electrical systems and spring brakes?

    2. Re:no ipv6 here by Anonymous Coward · · Score: 0

      Don't think for a second that this is only because of Europe and smaller companies!
      Here, Verizon still does not support ipv6 unless you pay for the fiber tier. I'm in Manhattan. I don't even get 5Mbps service because they just don't care. In the capital of the world.
I lost some sleep over Verizon's official website reporting that ipv6 would be coming soon 6 years ago. I had some hopes to test my expensive 2007 router's support back when even N support was pretty near impossible to get on mobile devices. Dual band wifi support is another one that'll take forever (wifi AC will sooner bring it as a side-effect but the price hikes will also be there).

      I still see routers being sold that are single band routers, when mine was just $120 and designed 10 years ago. Now I see ridiculous $200 and $300 Wifi AC routers with 4+ antennae (aimed at gamers.) Again, router support and device support is a lot easier to get out there than actual implementation. Poke around in your browsers, FTP clients (and their command-line equivalents) your phones and apps and you'll find that they reject or have obscure support for ipv6 addresses. Firefox requires that you enclose the ip in square brackets, for instance.

      I wonder whether we'll get ubiquitous ipv6 BEFORE the industry allows laptops to surpass resolutions of 800p. I won't accept just a fake-out of trying to return to their original 1024p. Tech is slow and depressing.

  5. NAT is my antivirus by Anonymous Coward · · Score: 0

    When I'm hiding behind NAT, it's much more difficult for people to infect me with malware. If you're connected directly to the internet, expect to be constantly attacked.

    1. Re:NAT is my antivirus by Anonymous Coward · · Score: 0

If all you're using is NAT then someone can bypass your NAT by simply adding a static route for your internal network pointing at your address. What protects you is having a default deny all policy for inbound connections and ipv6 has that capability just fine. Of course the summary is flat out wrong as IPv6 does NAT just fine, it just doesn't make sense to use NAT in 99% of the cases, it adds no security and simply increases complexity.

    2. Re:NAT is my antivirus by castionsosa · · Score: 2

      The chief infection vector these days is the web browser and add-ons. If a machine can connect to the Internet, even if behind seven layers of NAT, it can get infected. Second to that are Trojans and dancing bunny attacks.

      Internet based attacks to compromise hosts are relatively few, and they tend to be brute force attempts, looking for older/patched bugs, or a DDoS. Good firewalls are a solved problem.

    3. Re:NAT is my antivirus by codealot · · Score: 1

      Exactly that, in my experience.

      You and I, and the OP, won't be subject to any attacks behind our NAT firewalls because we're all too careful to fall for any phishing scams or malware links.

      Our coworkers, family and friends, on the other hand... they'll call us and say "hey my machine is acting funny" no matter what kind of firewall they are behind.

    4. Re:NAT is my antivirus by mark-t · · Score: 1

      If all you're using is NAT then someone can bypass your NAT by simply adding a static route for your internal network pointing at your address

      Wouldn't they need to *KNOW* the address to accomplish this? Granted, they might be able to make an educated guess about the class of network, but they could still have a heckuva lot of IP's to choose from.

      Also, wouldn't the router need to know how to deliver packets inside the network that you want to manually route from outside and be configured to do so?

    5. Re:NAT is my antivirus by Anonymous Coward · · Score: 0

      Wouldn't they need to *KNOW* the address to accomplish this? Granted, they might be able to make an educated guess about the class of network, but they could still have a heckuva lot of IP's to choose from.

      If all you're using is NAT to protect your network your addressing is probably 192.168.0.0/24, as if you can't even be bothered to configure SPI why would you bother to change addresses?

      Also, wouldn't the router need to know how to deliver packets inside the network that you want to manually route from outside and be configured to do so?

      If all you are using is NAT to protect your network then your router is already configured to do this. That's what routers do, they route. If however you are using SPI to prevent this then NAT offers you no additional protection whatsoever, it just breaks end to end connectivity for legit apps and doesn't actually provide security from bad guys.

    6. Re:NAT is my antivirus by mark-t · · Score: 1

      You appear to assume that breaking end-to-end connectivity does not provide any security that a firewall cannot provide.

      While most of the security that it does provide can be provided more robustly by a firewall, the additional breaking of end-to-end connectivity does carry a certain level of security with it all by itself that a firewall alone cannot achieve, and for many purposes is all of the security one will ever require. Likewise, a firewall may offer all of the security one will ever need, but that doesn't mean there isn't enough room in the world for both, and each offers something by itself that the other does not.

      You can combine a firewall that by default blocks all incoming connections with a layer-3 transparent proxy to get all of the security that a typical consumer NAT device offers, but then at that point, you are really just using NAT anyways... just calling it by a different name.

      NAT by itself is not security... but it does offer a certain type of security that a firewall alone will not achieve. The fact that this may be unimportant to you does not mean it is unimportant to everyone.

  6. More than just attacked. by aussersterne · · Score: 1

    Most people and small businesses don't have the skills necessary to take care of a resource that isn't behind NAT.

    So it's more like "expect to be quickly and constantly pwned."

    --
    STOP . AMERICA . NOW
    1. Re:More than just attacked. by sl3xd · · Score: 1

      I call BS.

      As most consumer and small business routers run Linux and use Netfilter, it's not much of a stretch to ask "how do you do it on Linux?"

      Well, with Netfilter, it's pretty simple to set up an effective IPv6 firewall that offers at least as much 'protection' as NAT in IPv4, i.e. allow only incoming requests that are 'related' to requests made from inside. Then if you have specific hosts/ports to open, you can add an exception in the exact same way you do for port mapping in IPv4.

      If you want to be more specific about what transits the firewall, you just add more firewall rules -- which aren't any different than making rules with IPv4.

      About the only practical difference is that with IPv4, you can get away with memorizing IP addresses, while with IPv6, mere mortals aren't going to memorize the full address. But that's what DNS is for -- and DNS for IPv6 isn't any more difficult than it is in IPv4.

      Spreading misinformation doesn't help anybody, especially when IPv6 isn't that hard to use.

      Now, if your Cisco/Juniper/commercial firewall and/or routers seem like an unmanageable mess, it's time to talk to your vendor about their product's deficiencies and ease of use. The response will probably be a lot of handwaving that amounts to "there are consulting dollars to be made, and you must pay it." If you like paying to be abused, that's your choice, and I'm not going to question your decision making process. Some people like that sort of thing. Just be aware that it doesn't have to be that way.

      --
      -- Sometimes you have to turn the lights off in order to see.
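The policy sl3xd describes above, written out as an added example (this is editor-supplied code, not anything from the thread or from a router vendor): a Python generator for an ip6tables-restore ruleset that is stateful and default-deny, with per-host openings that play the role of IPv4 port-forward entries, plus a linter for two common failure modes. The interface names eth0/br0, the prefix 2001:db8:1::/64 and the opened port are assumptions for illustration. The part practitioners most often get wrong when porting an IPv4 "block everything inbound" policy is ICMPv6: Neighbor Discovery, Router Advertisements and Path MTU Discovery all ride on it, so a ruleset that drops all ICMPv6 looks secure and quietly breaks IPv6.

```python
"""Added example, not code from the thread: generate the kind of default-deny
IPv6 ruleset the comment describes, in ip6tables-restore(8) format, and lint a
ruleset for the mistakes that matter. Interface names (eth0/br0) and the
opened host/port are assumptions for illustration."""

from typing import Iterable, List, Tuple

# ICMPv6 is not optional in IPv6: without these, Path MTU Discovery and
# Neighbor Discovery stop working even though "the firewall is fine".
ICMPV6_ERRORS = ("destination-unreachable", "packet-too-big",
                 "time-exceeded", "parameter-problem")
ICMPV6_NDP = ("router-solicitation", "router-advertisement",
              "neighbor-solicitation", "neighbor-advertisement")


def ipv6_ruleset(wan_if: str, lan_if: str,
                 openings: Iterable[Tuple[str, int]] = ()) -> str:
    """Stateful default-deny ruleset: inbound is accepted only if it belongs to
    a flow started from inside, plus each (addr, tcp_port) in `openings`, which
    is the IPv6 equivalent of an IPv4 port-forward entry (no rewriting needed)."""
    lines: List[str] = ["*filter", ":INPUT DROP [0:0]",
                        ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]"]
    for chain in ("INPUT", "FORWARD"):
        # Return traffic for flows initiated from inside: what NAT gave implicitly
        lines.append(f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
        lines.append(f"-A {chain} -m conntrack --ctstate INVALID -j DROP")
    lines.append("-A INPUT -i lo -j ACCEPT")
    for t in ICMPV6_ERRORS:
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
        lines.append(f"-A FORWARD -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
    # NDP and RAs are link-local; hop limit 255 proves the packet was never routed
    for t in ICMPV6_NDP:
        lines.append(f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -m hl --hl-eq 255 -j ACCEPT")
    lines.append("-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT")
    # DHCPv6 replies to the router's own client, if the ISP delegates prefixes that way
    lines.append(f"-A INPUT -i {wan_if} -p udp --dport 546 -j ACCEPT")
    # The LAN may reach the router itself and anything outbound
    lines.append(f"-A INPUT -i {lan_if} -j ACCEPT")
    lines.append(f"-A FORWARD -i {lan_if} -o {wan_if} -j ACCEPT")
    for addr, port in openings:
        lines.append(f"-A FORWARD -i {wan_if} -o {lan_if} -d {addr} -p tcp --dport {port}"
                     f" -m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Two constructed rulesets for the linter below. The first is a router with no
# filtering at all; the second is an IPv4 "deny all inbound" policy copied over
# verbatim, which is default-deny and stateful but drops every ICMPv6 message.
OPEN_ROUTER_RULESET = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

IPV4_STYLE_RULESET = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
"""


def audit_ruleset(text: str) -> List[str]:
    """Flag rulesets that leave the network open, and default-deny rulesets
    that quietly break IPv6 by dropping the ICMPv6 messages it depends on."""
    problems: List[str] = []
    for chain in ("INPUT", "FORWARD"):
        if f":{chain} DROP" not in text:
            problems.append(f"{chain} policy is not DROP: unsolicited inbound traffic is accepted")
        if f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" not in text:
            problems.append(f"{chain} has no ESTABLISHED,RELATED rule")
    if ":INPUT DROP" in text:
        for t in ICMPV6_ERRORS + ("neighbor-solicitation",):
            if f"-A INPUT -p ipv6-icmp --icmpv6-type {t}" not in text:
                problems.append(f"INPUT drops ICMPv6 {t}")
    return problems


if __name__ == "__main__":
    rules = ipv6_ruleset("eth0", "br0", [("2001:db8:1::10", 22)])
    print(rules)                       # pipe into: ip6tables-restore (as root)
    for name, text in (("generated", rules), ("open router", OPEN_ROUTER_RULESET),
                       ("IPv4-style", IPV4_STYLE_RULESET)):
        print(name, "->", audit_ruleset(text) or "ok")
```

Feed the output to `ip6tables-restore` as root after reviewing it. The hop-limit check on the NDP rules is cheap insurance: a Router Advertisement or Neighbor Solicitation that arrives with a hop limit below 255 has been forwarded at least once and is not from a neighbour on the link.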
    2. Re:More than just attacked. by WaffleMonster · · Score: 1

      Most people and small businesses don't have the skills necessary to take care of a resource that isn't behind NAT.

      It's 2016... TTL for this excuse has long expired.

      So it's more like "expect to be quickly and constantly pwned."

      SPI is more secure and easier to configure than NAT.

    3. Re:More than just attacked. by rl117 · · Score: 1

      I have native IPv6 from my ISP. The ISP-supplied router handles v4 and v6 automatically. The router's firewall handles IPv6 exactly the same as it handles IPv4; if you want to open up ports, allow inbound/outbound connections, etc., it's all configured pretty much exactly as it was for v4. If people can handle configuring IPv4, then they can handle IPv6. Being "constantly pwned" is seriously overstating the risks.

  7. IPv6 Multi-homing? by Bookwyrm · · Score: 1

    Speaking of IPv6 'features' - was any solution to IPv6 multihoming actually rolled out?

    1. Re:IPv6 Multi-homing? by Midnight+Thunder · · Score: 1

      See RFC 7157 - IPv6 Multihoming without Network Address Translation

      --
      Jumpstart the tartan drive.
  8. NSA does not like by Anonymous Coward · · Score: 1

    NSA here. We want everyone to use IPv6 because it makes tracking everything down to your dog's internet enabled nipple piercing that much easier. So stop this nonsense about sticking with IPv4. We're watching you.

    1. Re:NSA does not like by WaffleMonster · · Score: 2

      NSA here. We want everyone to use IPv6 because it makes tracking everything down to your dog's internet enabled nipple piercing that much easier. So stop this nonsense about sticking with IPv4. We're watching you.

      Restoring end-to-end for everyone is worth way more to continued freedom of Internet use than any NSA bogeyman.

      IPv6 privacy addresses are widely supported. Big data stalking firms currently have no problems discovering individual devices behind IPv4 NATs.

  9. Dear asshole utopians who hate NAT by PvtVoid · · Score: 0, Troll

    The Internet is probably better off without NAT

    Short response: Fuck you.

    Long response: I should be the one who decides whether my local network appears to the outside as a single IP address, or multiple. Also, fuck you.

  10. Many happy returns, IPv6 by unixisc · · Score: 1

    "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."

    Is that the metric that keeps IPv6 adoption capped? I'd think that the sooner we run out of IPv4 addresses, the sooner IPv6 will be adopted. Not all the current public IPv4 can be NATed, and having multiple levels of NAT would pretty much transform layer 3 networking into layer 2 networking, wouldn't it?

    All the same, many happy returns, IPv6!!!

    1. Re:Many happy returns, IPv6 by Anonymous Coward · · Score: 0

      IPv4 has run out. ISPs are just handling NAT better, and it's working fine so far. We don't need every device to be accessible; most homes have 10+ IP devices these days once you add tablets, phones, TVs, STBs, DVRs, consoles et al. to the regular laptops, PCs/Macs/nix boxen. Even my washing machine has IP, and my laser printer could be a remote device for some online service I've not even looked into.

    2. Re:Many happy returns, IPv6 by suutar · · Score: 2

      This makes me wonder how long until ISPs start wanting to phase out NAT so they can better see the patterns of usage behind the router. If they can tell that you use your TV and iPad more than your laptop... well, there's gotta be someone who'd pay for that info.

    3. Re:Many happy returns, IPv6 by phantomfive · · Score: 3, Insightful

      Is that the metric that keeps IPv6 adoption capped?

      I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Many happy returns, IPv6 by The-Ixian · · Score: 1

      Are manufacturers of network equipment really still making IPv4-only devices... 20 years after the IPv6 standard and with a significant percentage of the Internet using it?

      Even 10 years ago it would be idiotic to sell an enterprise-grade network device that didn't support IPv6. Who would want to buy an expensive network device and run the risk that IPv6 would make it useless in a few years?

      I personally cannot remember the last router or switch that I have worked on that didn't support IPv6.

      Perhaps your friend's ISP needs to upgrade their equipment anyway.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Many happy returns, IPv6 by phantomfive · · Score: 1

      Perhaps your friend's ISP needs to upgrade their equipment anyway.

      If it works fine, why upgrade? Businesses tend not to upgrade until there's a business case for it. You don't just throw out perfectly good things because they are 'old'.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Many happy returns, IPv6 by Geordish · · Score: 2

      Is that the metric that keeps IPv6 adoption capped?

      I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.

      As someone who works for ISPs for a living, that is nonsense. Equipment generally has a lifetime that it is useful for. We typically buy kit with 5 years in mind, but may stretch it further if there is still life in it. Equipment that is 10 years old is probably worthless (this is likely the same for most other areas of IT).

      Any equipment you buy today will support IPv6, with all the latest standards. Equipment generally gets firmware upgrades for the duration of its life that adds new features as they come along.

      All Cisco and Juniper kit (2 big vendors in the ISP space) has had full feature sets for v6 in the service provider routed world for quite some time now. So long that some of their kit with v6 support has already gone end of life. There may be some enterprise grade products where this doesn't hold true, but it shouldn't be far off.

      If your friend claims that the way he is going to deal with v6 is to buy more kit, he is either running outdated equipment, stupid, or lying.

      The CPE is the only major space where there are issues. This is getting better now, and the same 5 year rule generally applies here to ageing equipment. You have the luxury of a phased replacement plan in this space too, which makes things a bit simpler.

    7. Re:Many happy returns, IPv6 by PlusFiveTroll · · Score: 1

      The NOC at our cable company was bitching to me about how badly newer Cisco enterprise equipment handled IPv6 at their headend. Just because an IPv6 tickbox is checked off by the manufacturer doesn't mean it actually works right in production.

    8. Re:Many happy returns, IPv6 by unixisc · · Score: 1

      I recall the issue w/ core or edge routers - don't remember which - where the acceleration for IPv6 packets was not supported, but acceleration for IPv4 packets was. Is that still the case?

    9. Re:Many happy returns, IPv6 by rahvin112 · · Score: 2

      They can already see that information with DPI (Deep packet inspection) and many already do monetize it.

    10. Re:Many happy returns, IPv6 by Anonymous Coward · · Score: 0

      It's not just network equipment, per se. It's the Internet of Things that got there before IPv6. My kid's wifi-controlled toy car. My wife's sewing machine and its embroidery module interface. Long lifetime scientific gear like my astronomy equipment (like, a telescope mount, focuser, CCD camera, etc. etc.) No way am I moving to IPv6 anytime in the next 10 years; it just breaks too much stuff.

    11. Re:Many happy returns, IPv6 by Geordish · · Score: 1

      Maybe that was the case on some super old Cisco kit. Anything bought in the past 5 years at least has forwarding in hardware for all packets.

    12. Re:Many happy returns, IPv6 by rl117 · · Score: 1

      You can make it a business case very easily. Call your ISP and ask them for some concrete timelines for IPv6 service. If they haven't got any, then cancel your subscription; when they ask why you're leaving, tell them that you want IPv6 and they aren't providing it. They'll get the message when they lose enough business.

      I moved to another ISP with IPv6 service (aaisp) specifically because my existing ISP at the time had promised it was coming for two years without delivering, and put it on the back burner. I now pay a bit more, but have excellent service which includes IPv6 by default.

    13. Re:Many happy returns, IPv6 by aaarrrgggh · · Score: 1

      Router performance goes down and memory requirements go up with IPv6. That is a tough pill to swallow when people want higher bandwidth. Ten years ago, a small business getting more than 5/1 ADSL was nearly unheard of; today gigabit is within reach.

    14. Re:Many happy returns, IPv6 by Just+Some+Guy · · Score: 1

      Router performance goes down

      You misspelled "up". It's amazing how much you can do with dumb hardware when all switchable fields are in hardcoded locations within a packet.

      and memory requirements go up with IPv6.

      ...or they could stay the same.

      --
      Dewey, what part of this looks like authorities should be involved?
    15. Re:Many happy returns, IPv6 by thegarbz · · Score: 1

      Are manufacturers of network equipment really still making IPv4-only devices... 20 years after the IPv6 standard and with a significant percentage of the Internet using it?

      No, but people are running 10+ year old hardware. When your router costs 6 figures plus and still has capacity then what's the upgrade incentive?

      Even 10 years ago it would be idiotic to sell an enterprise-grade network device that didn't support IPv6. Who would want to buy an expensive network device and run the risk that IPv6 would make it useless in a few years?

      Who would buy an enterprise grade device that doesn't use a technology that no one else is using and very few people are talking about? Everyone. The answer to that is Everyone. IPv6 seems obvious now, but in 2006 it was a thing of doomsayers and sitting in a "we survived the millennium bug we'll survive IPv4 address exhaustion, oh and by the way have you heard of NAT" world.

    16. Re:Many happy returns, IPv6 by Anonymous Coward · · Score: 0

      Who would buy an enterprise grade device that doesn't use a technology that no one else is using and very few people are talking about? Everyone. The answer to that is Everyone. IPv6 seems obvious now, but in 2006 it was a thing of doomsayers and sitting in a "we survived the millennium bug we'll survive IPv4 address exhaustion, oh and by the way have you heard of NAT" world.

      IPv6 was obvious even back in 2006 when ISPs were using IPv4 exhaustion as an excuse to only give end users one address.

    17. Re:Many happy returns, IPv6 by sabbede · · Score: 1

      Well, you do need 4 times the memory to store an address, but memory is cheap and the router actually has less work to do when routing a packet. Think about how many operations have to be performed in order to translate an address and map ports. All gone.

    18. Re:Many happy returns, IPv6 by houghi · · Score: 1

      Not only that. Companies LOVE limited resources. Want a fixed IP? That will cost you extra. No matter that no extra addresses are used. No matter that the price for fixed IPs is not higher than that of non-fixed IPs.

      This is not the time of the dialup anymore where they would have 30% or 50% of their users online at the same time max. They have 100% of their users + some extra for new users available.

      To be able to say 'it is expensive, because it is rare' is just a way to cross sell their fixed IP. So why should an ISP start using IPv6, because those are the real customers of IP addresses (plus some larger companies)?

      On the downside
      1) Cost for extra infrastructure
      2) Loss of revenue due to not being able to sell fixed IPs

      On the plus side
      1) Minority of geeks who are happy

      If I were a provider I would add some layers in my pricing structure.
      1) 10.x.x.x addresses as a base price
      2) Non-fixed IP
      3) Fixed IP

      And I would fight IPv6 for as long as possible and when it comes, change over, as the hardware is able to do it anyway.

      --
      Don't fight for your country, if your country does not fight for you.
  11. What was the brake becomes the gas pedal by Tim+the+Gecko · · Score: 1

    IPv6 took a long time to get to 10% because it's a pain in the ass to support two things. This will turn around in IPv6's favor at some time in the future. With major IPv6 deployment IPv4 begins to look like last Tuesday's pizza, because you have to support IPv6, but you can save time and effort by making v4 users tunnel or convert. Network protocols don't tend to linger once they get below a certain level - see Appletalk, IPX, Banyan Vines, etc.

    "It’s a poor atom blaster that won’t point both ways"

    1. Re:What was the brake becomes the gas pedal by Anonymous Coward · · Score: 0

      Heh, I still use both IPX and AppleTalk. IPX is used on older machines and VMs in order to play older games and the like without having to run the risk of exposing them to the internet, even accidentally, and because some only speak IPX. I also have a print server that exposes any attached printer with AppleTalk and a file server that uses AFP. It has been a while since I looked, but I would imagine that even the latest versions of OS X use AppleTalk by default for sharing folders. Don't forget that the Apple Filing Protocol is just the layer 6 and 7 protocols from the AppleTalk suite.

    2. Re:What was the brake becomes the gas pedal by Midnight+Thunder · · Score: 2

      Trying to not support two things is why cell phone companies are planning on going IPv6 with NAT64/DNS64. It is also why all iOS 9 apps must support IPv6. This approach allows them to optimise their infrastructure for IPv6 and only deal with IPv4 on the border.

      Nothing is stopping anyone from staying IPv4 internally, but if you can't speak to that IPv6 service outside your network, then you'll look pretty stupid. At least get a web proxy, that deals with IPv6 externally, if you don't want to deal with the setup internally.

      --
      Jumpstart the tartan drive.
    3. Re:What was the brake becomes the gas pedal by Anonymous Coward · · Score: 0

      I would like to bet you that the IPv6 mobile rollout will NOT happen at anywhere near the pace you expect. Think: all the existing cell phones' baseband modems are layer-2 devices only; remind me again, is it called "Packet Switched" or "Frame Switched"? Surely quadrupling the address size won't have any notable impact on existing baseband chips, right?

      Don't confuse easy wifi and overlay IPv6 support within the OS with the same level of support required to actually change the cellular network infrastructure. Just look at GSM still in use despite being completely and utterly broken for years now.

    4. Re:What was the brake becomes the gas pedal by budgenator · · Score: 1

      IPv6 took a long time to get to 10% because it's a pain in the ass to support two things.

      I think it took a long time because certain organisations realized that selling their unused IPv4 addresses blocks was extremely profitable and IPv6 would just make those assets worthless. Having to buy new routers didn't help either. As IPv6 equipment becomes ubiquitous, it will become an effort to keep it out.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    5. Re:What was the brake becomes the gas pedal by Midnight+Thunder · · Score: 1

      You'd be surprised. A couple of links, for you to look at:

          - http://www.internetsociety.org...
          - http://www.internetsociety.org...

      One shows the uptake and the other shows that the stumbling block is the apps.

      --
      Jumpstart the tartan drive.
    6. Re:What was the brake becomes the gas pedal by Tough+Love · · Score: 1

      IPv6 took a long time to get to 10% because it's a pain in the ass to support two things.

      And because it's more clumsy and unpleasant to use than IPv4

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  12. 2196AD by Anonymous Coward · · Score: 0

    10% in 20 years, so 100% in 200 years, so full adoption in the year 2196AD. At least it won't clash with the Y2K38 bug.

    1. Re:2196AD by yagu · · Score: 1

      10% in 20 years, so 100% in 200 years, so full adoption in the year 2196AD. At least it won't clash with the Y2K38 bug.

      Then, 150% in 300 years??

  13. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 1, Insightful

    dear idiot who wants to fuck himself by running NAT

    go right ahead. really. no one is stopping you.

    but if you're going to show up at standards meetings shouting that the best internet architecture is infinitely nested NATs, you can choke on your own dick

  14. Comcast by 110010001000 · · Score: 0

    I know everyone hates Comcast, but they have 40%+ IPv6 deployment rates, and also the US wireless carriers have 40%+ deployment rates.

    1. Re:Comcast by WaffleMonster · · Score: 1

      I know everyone hates Comcast, but they have 40%+ IPv6 deployment rates, and also the US wireless carriers have 40%+ deployment rates.

      Nobody with a biz connection can get a static prefix allocation and nobody at Comcast gives a s**t enough to communicate any kind of timeline for when it will happen.

  15. memories, memories by nimbius · · Score: 2

    ah, turning 20 and enjoying 10% recognition. reminds me of my youth. but seriously guys. there's no excuse other than laziness at this point. home DOCSIS 3 routers are dual stack, and Hurricane's 6-2-4 gateways have done heavy lifting for a decade now. let's make 15% a 2016 resolution.

    --
    Good people go to bed earlier.
    1. Re:memories, memories by David_Hart · · Score: 0

      ah, turning 20 and enjoying 10% recognition. reminds me of my youth.
      but seriously guys. there's no excuse other than laziness at this point. home DOCSIS 3 routers are dual stack, and Hurricane's 6-2-4 gateways have done heavy lifting for a decade now. let's make 15% a 2016 resolution.

      Um... Let's not and say we did...

      IPv6 is only a requirement for Internet access due to the lack of available IPv4 addresses. It will gradually be adopted for the Internet as new nodes are added. There is no particular need to have a concerted effort to push it out. Call it laziness if you want, but there tends to be much higher priorities, at least in the corporate world.

    2. Re:memories, memories by codealot · · Score: 1

      I've been trying, it's a bit of a struggle.

      Getting my home network on IPv6 was the easiest part. My provider (not Comcast) was no help whatsoever, so I set up a tunnel from HE. Works great. The only time I had to tweak was when my IPv4 endpoint changed addresses; then I log in to HE and update my tunnel. The rest of my home network all fell into line; even the mobile devices (iPhones mostly) picked up an IPv6 address and use it, but it can be hard to tell since iOS only displays IPv4 info on the wifi settings page.

      At work, I don't manage the corporate network, and don't see it moving to IPv6 anytime soon. That's not a barrier for me, except for testing perhaps, though I may be able to configure a tunnel at work as well.

      I'm trying to move some of our public sites over, but our data center is handled by a large managed services provider, and they've been dragging their feet for two months on my request to provision IPv6. I don't think they get many requests for it, and I'm not at all sure they know quite how to do it.

      It's frustrating to say the least.

  16. Only 180 more years to go... by Anonymous Coward · · Score: 0

    at the adoption rate so far.

  17. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 0

    NAT is perfectly fine for home users.

  18. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 0

    I don't like the idea that each device with its own IPv6 address can be tracked individually, but a device with a proper IPv6 implementation will have multiple temporary IPv6 addresses in use at once.

  19. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 1

    Yeah, the main problem with NAT is that it doesn't work. The point of a network is to allow endpoints to communicate with each other. NAT is like some shit from the SNA days where you had a strict client/server relationship, and to be fair it works fine for that. It's just a complete fucking mess if you want peer-to-peer comms like, er, pretty much every modern consumer application from telecoms to gaming.

    Regardless, nobody's saying you can't do NAT if you want to do NAT what they're saying is it's better to have a global network infrastructure that doesn't rely on everybody doing NAT. If you can't understand the difference between these two things, please STFU.

  20. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 1

    If only IPv6 supported Private Addresses to allow you to NAT with that as well. Oh, wait, it does.

  21. pay per IP some ISP's used to due that and ban rou by Joe_Dragon · · Score: 1

    Pay per IP: some ISPs used to do that and tried to ban routers. I think Comcast did, and had home networking as an upsell.

    Now with IPv6 and no NAT they can hit you with an outlet fee per IP to make up for what they lose when people cut TV with its high outlet fees.

  22. If we don't adopt it, the nanobots will by jma05 · · Score: 4, Funny
  23. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 0

    The Internet is probably better off without NAT

    Short response: Fuck you.

    Long response: I should be the one who decides whether my local network appears to the outside as a single IP address, or multiple. Also, fuck you.

    Short response: I don't give a shit. No one does.

    Long response: I don't give a shit what you run in your home in the future any more than I do today. That's between you and the services you'll eventually be disconnected from at some point.

    Have fun.

  24. Re:Dear asshole utopians who hate NAT by lokedhs · · Score: 2, Insightful

    Most home users would be perfectly fine with IPX connecting to an HTTP proxy. That doesn't mean it's a good idea.

  25. Familiarity with IPv4 is hindering adoption by ErichTheRed · · Score: 2, Insightful

    IPv6 is a very different beast from IPv4. One of its strengths is also a weakness - NATless wide open host to host routing of traffic. This is great as long as everyone adequately protects their internal network from outside access. However, the vast majority of home and small business networks are hidden behind a consumer-grade NAT router. Given the low level of understanding of what's actually under the hood, IT people (and consumers) have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery. It would seem to me that the safest thing would be to continue using IPv6's NAT feature for networks like this. Not many people understand what actually makes IP routing work at a nuts-and-bolts level, so this would be a safe default. 20 years ago, when IPv6 was new, I would have more faith that the average IT person would have a better grasp of details like this. These days, it's abstracted away for the most part. I doubt non-network focused IT people learn the stack to the same depth they had to in the past.

    Even large enterprise networks I've seen implicitly trust traffic on the inside. Obviously that's not the best way to go, but re-architecting the network for trust-nothing operation is a slow process the larger the entity.

    1. Re:Familiarity with IPv4 is hindering adoption by Anonymous Coward · · Score: 0

      Posting AC because I have spent mod points. Well, basically you are using the device that controls the NAT like a firewall, so why not just change the NAT device to a firewall device?

    2. Re:Familiarity with IPv4 is hindering adoption by Anonymous Coward · · Score: 0

      A firewall requires more work to get it right.

    3. Re:Familiarity with IPv4 is hindering adoption by Anonymous Coward · · Score: 0

      Just have the home router speak IPv6 to the internet, and on the inside LAN continue to use IPv4 addresses. Simple.

    4. Re:Familiarity with IPv4 is hindering adoption by silas_moeckel · · Score: 3, Informative

      Your average consumer-grade NAT router that supports IPv6 has a default stateful firewall blocking unwanted inbound connections. Really no different from IPv4 with NAT.

      --
      No sir I dont like it.
    5. Re:Familiarity with IPv4 is hindering adoption by PlusFiveTroll · · Score: 1

      >have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery.

      The nightmare of UPnP.

    6. Re:Familiarity with IPv4 is hindering adoption by unixisc · · Score: 1

      I think you mean the other way around, since many ISPs still don't support IPv6. Like Charter doesn't, as yet. So the way you could do it is have the router speak IPv4 to your ISP, and inside the LAN, speak IPv6. That is the default supported by Windows, and all the major OSs - OS X, BSD and Linux - support it. That way, you can simply use your Link-local addresses, which are pre-configured anyway.

    7. Re:Familiarity with IPv4 is hindering adoption by thegarbz · · Score: 1

      This is great as long as everyone adequately protects their internal network from outside access. However, the vast majority of home and small business networks are hidden behind a consumer-grade NAT router. Given the low level of understanding of what's actually under the hood, IT people (and consumers) have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery.

      Given that the IPv6 connections I've set up on the consumer level all have stateful firewalls enabled by default on the IPv6 side, I would say that the protections are just as plug and play on IPv6 as they are on IPv4.

      It would seem to me that the safest thing would be to continue using IPv6's NAT feature for networks like this.

      Yes, let's roll out something that finally fixes the biggest broken aspect of the internet but keep the broken bit from the previous version.
      No, if you insist that this is so very "different" (which I argue it isn't), then now is the perfect time to break patterns and change behaviours that got idiots into thinking NAT = Firewall in the first place.

    8. Re:Familiarity with IPv4 is hindering adoption by Anonymous Coward · · Score: 0

      Real men disable UPnP and open ports only manually

    9. Re:Familiarity with IPv4 is hindering adoption by virtual_mps · · Score: 1

      Yup. Why there are people who think that all of a sudden the magic box their ISP gives them won't default deny in an IPv6 world continues to mystify me.

    10. Re:Familiarity with IPv4 is hindering adoption by silas_moeckel · · Score: 1

      Don't tell them they will try and sell it as a feature for 10 bucks a month extra.

      --
      No sir I dont like it.
  26. Fuck You! by Anonymous Coward · · Score: 1

    but seriously guys. there's no excuse other than laziness at this point. home DOCSIS 3 routers are dual stack, and Hurricane's 6-2-4 gateways have done heavy lifting for a decade now. let's make 15% a 2016 resolution.

    How about FUCK YOU!

    There is an epic shit ton of equipment out there that has only an IPv4 stack and will never be updated. There are still new products coming off the shelves that have only an IPv4 stack. Think about all of the devices in the world, all the new IoT devices... There are no excuses needed. There is another 10 years or more worth of devices that are IPv4 only, with zero chance of replacement/update because, there's simply NO NEED to replace them.

    It's great that DOCSIS 3 routers are dual stack. But, what about the millions of DOCSIS 2 and even DOCSIS 1 routers still installed, still working just fine, with zero need to replace them except to increase capital expenditure?

    It's fine for clueless fucktards to sit home and say; 'there's no excuse for not changing', because they don't face any cost in their ISP replacing their modem and Windows 10 is "free". But, there are lots of people and companies with a massive investment that would be a massive cost to replace or update. Think of the cost to ISPs and WISPs. Think of the cost to companies that have to not only foot the bill for equipment, installation, configuration, network re-architecture, support... Think of the cost to private individuals that would have to replace TVs, VDRs, routers, WAPs, thermostats, sprinkler controllers, refrigerators, security cameras...

    In my home alone I would have to replace at least 20 devices at a cost of thousands, possibly tens of thousands. I won't even consider the expense to my business.

    No excuses? Fuck you!

    1. Re:Fuck You! by 110010001000 · · Score: 0

      "TVs, VDRs, routers, WAPs, thermostats, sprinkler controllers, refrigerators, security cameras" Um, what network enabled versions of these are not IPv6??? DOCSIS 2 are IPv6. Any DOCSIS 1 modem is 20 years old already. There aren't millions of those out there. Jesus, calm down with your hate. You have an IPv4 only refrigerator?

    2. Re:Fuck You! by Dagger2 · · Score: 3, Insightful

      Those are all excuses. None of that stuff needs to be touched to deploy v6. Deploying v6 won't make any of it work worse than it currently is. You don't need to upgrade all your DOCSIS1/2 modems to get v6 to the DOCSIS3 modems.

      Also if you're an ISP that's been buying hardware in the past half a decade that's not v6 capable, then you screwed up -- or if your hardware is much older than that, then you're probably looking towards a replacement soon anyway.

    3. Re:Fuck You! by unixisc · · Score: 1

      You're ignoring the elephant in the room - that there are simply no IPv4 addresses to shell out, and you'd need a lot more equipment to build in multiple levels of NAT. At that stage, you're back to layer 2 networking.

    4. Re:Fuck You! by sjames · · Score: 1

      What's Windows 10 got to do with it? IPv6 has been supported since XP. A lot of the v4 only hardware at the ISP and carrier level is already slated for replacement if it hasn't already been replaced. My cable modem that didn't support v6 failed years ago and got replaced with one that did (and that failed and got replaced too).

      You must spend hours in the morning winding up your old hardware.

  27. Topology detection by unixisc · · Score: 2

    Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6. Like if you have a network that has a subnet mask of 255.255.255.240, you know that there can be a max of 14 boxes on that subnet. In IPv6, all that is irrelevant: any subnet can have anywhere between 1 and 2^64 boxes: it's impossible to find out without port scans.

    Also, unless someone uses some structure in assigning IPv6 addresses using DHCPv6, it is impossible to figure out individual addresses. And if they have privacy extensions, which is the equivalent of IPv4's dynamic addresses, that makes it even more impossible.

    1. Re:Topology detection by Anonymous Coward · · Score: 0

      That is not how subnets work in IPv6. /64 are just "class" networks in that everybody presumably will use the same size. Subnetting is done from there.

    2. Re:Topology detection by unixisc · · Score: 3, Informative

      No, subnet addresses are the 49th to the 64th bit of the address, or something beyond 49th to 64th, depending on how it's allocated. Most routers would recognize the entire lower half of the address as the interface ID. There is no concept of 'class' networks the way there was in IPv4. Everything is 2^64.

      Yeah, one could break the protocol and assign subnets to something in the lower half, and a few things, like SLAAC and RAs, would stop working.

    3. Re:Topology detection by TechyImmigrant · · Score: 1

      That is not how subnets work in IPv6. /64 are just "class" networks in that everybody presumably will use the same size. Subnetting is done from there.

      The missing feature of IPv6 compared to IPv4 is that ISPs don't get to financially rape you for $100+ extra a month for a measly five of the artificially scarce addresses. IPv6 loses them that revenue stream.

      Why else would the ISPs be dragging their feet?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Topology detection by ArmoredDragon · · Score: 2

      Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6.

      No, not really (unless you're talking about the old classful addressing system? Nobody uses that anymore.) The only reliable way to determine who owns what IP ranges is to pull out your BGP looking glass (there are a bunch of them owned by major peering providers; google "bgp looking glass".) The same thing works for IPv6, by the way.

      However none of that tells you anything about the internal (RFC1918) addresses they use beyond that. I.e. are they on a 10 net? A 172.16.x net? A 192.168.x net? Only way to know is to either have physical access or some kind of inside informer.

      Also I'm not sure why people say you can't NAT with IPv6. Indeed you can, there's even an official RFC for it:

      https://tools.ietf.org/html/rf...

      Though as you can read in the RFC, the IETF really frowns upon NAT, they only added it if your internal network MUST have privacy for whatever reason. (That is, you don't want outsiders to be able to uniquely identify the IP address of machines that are highly sensitive from a security perspective, and you certainly don't want any traffic to even be routable to them.) That address space is defined in RFC4193 and is FC00::/7, the "English" term for it being a Unique Local Unicast address.

      I have a feeling it will come in demand one day for those trying to avoid e.g. ad trackers, which otherwise (in IPv6) have the ability to uniquely identify your machine without using cookies or anything, even if you e.g. hop on a Starbucks wifi. Why? Because your NIC's MAC address is (in the vast majority of cases) globally unique and shows up in the final /64 of an IPv6 address as part of NDP (the IPv6 version of ARP.)

    5. Re: Topology detection by Anonymous Coward · · Score: 0

      I'm sure they will intentionally change your IP on v6 even if they don't have to, just because they can. Pay extra for static v6!

    6. Re:Topology detection by unixisc · · Score: 1

      Correction - the address space for the ULAs is 0xfd00::/7. The 0xfc00::/7 has been set aside in case any organization, such as the IANA, were to decide to allocate GLOBALLY UNIQUE addresses.
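
Added example (not from any commenter in this thread): a small Python audit that classifies an IPv6 address the way a firewall policy or host inventory has to (global unicast, 6to4, the two halves of fc00::/7 split on the L bit, link-local) and checks whether the interface ID embeds the NIC's MAC via modified EUI-64, which is exactly what privacy extensions are meant to avoid. The prefix, MAC and sample addresses are constructed.

```python
import ipaddress

# Address blocks the thread discusses (RFC 4193 ULA, RFC 3056 6to4, RFC 4291 global unicast).
ULA = ipaddress.IPv6Network("fc00::/7")
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # fc00::/7 with the L bit set: locally assigned
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(addr: str) -> str:
    """Name the address class a firewall policy or host inventory needs to distinguish."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local"
    if a in ULA_LOCAL:
        return "ULA (locally assigned, fd00::/8)"
    if a in ULA:
        return "ULA (fc00::/8, reserved, not for local assignment)"
    if a in SIX_TO_FOUR:
        return "global unicast (6to4, 2002::/16)"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def modified_eui64(mac: str) -> bytes:
    """Interface ID that SLAAC derives from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe in the middle and flip the universal/local bit of the first octet."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host without privacy extensions would configure on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 interface ID, or None if the IID is not EUI-64 shaped.
    The ff:fe marker is a heuristic: a random (privacy) IID matches it with probability 1/65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                      # undo the U/L bit flip
    return ":".join(f"{o:02x}" for o in octets)


def leaks_hardware_address(addr: str) -> bool:
    """True when the address exposes the NIC's MAC, i.e. privacy extensions (RFC 4941)
    or stable opaque IIDs (RFC 7217) are not in use on that interface."""
    return embedded_mac(addr) is not None


if __name__ == "__main__":
    # Constructed sample: a documentation prefix and a made-up MAC.
    host = slaac_address("2001:db8:1::/64", "00:1c:42:aa:bb:cc")
    for a in [host, "2001:db8:1::1", "fd12:3456:789a::1", "fc00::1", "2002:c000:204::1", "fe80::1"]:
        print(f"{a:40} {classify(a):50} embedded MAC: {embedded_mac(a)}")
```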

    7. Re:Topology detection by wallsg · · Score: 1

      Cox, at least in the past, wanted to charge you for each MAC you had. So, you make the MAC the router's and do NAT.

  28. Practical question for consumers by UnknowingFool · · Score: 1

    IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6.

    While IPv6 has more than enough addresses for every device, do ISPs allocate enough addresses for your average consumer? As far as my ISP is concerned, they only allocate me 1 IPv4 address and you can't get more unless you get a business package or another line. This would greatly increase my monthly bill if every single device needs their own address.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Practical question for consumers by 110010001000 · · Score: 1

      My ISP gives me a /60 IPv6 prefix address. That gives me enough IP addresses for my Internet enabled underwear.

    2. Re:Practical question for consumers by syserr0r · · Score: 1

      IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6.

      While IPv6 has more than enough addresses for every device, do ISPs allocate enough addresses for your average consumer? As far as my ISP is concerned, they only allocate me 1 IPv4 address and you can't get more unless you get a business package or another line. This would greatly increase my monthly bill if every single device needs their own address.

      Short answer: Yes.

      You should get either one subnet of 18,446,744,073,709,551,616 addresses or 65,536 subnets (each subnet with the previously mentioned number of addresses).

      The smallest subnet that should be allocated for IPv6 is a /64, which is 18,446,744,073,709,551,616 addresses.
      A /48 has 65,536 /64's or 1,208,925,819,614,629,174,706,176 individual addresses

      My current line at home is a 'business' connection and they provide a /48 as standard.

    3. Re:Practical question for consumers by unixisc · · Score: 1

      That allows you 16 subnets, each of which allows enough interface IDs for your internet enabled underwear

    4. Re:Practical question for consumers by unixisc · · Score: 1

      If you are a home user, then 16 subnets should be enough. Like you should get 2001:db8:beef::/60. That should cover your home router's two SSIDs. A /48 is only something you should need if you are a large company and could use 64,536 subnets. I doubt that even Google or Facebook or Twitter would need more than that.

    5. Re:Practical question for consumers by syserr0r · · Score: 1

      If you are a home user, then 16 subnets should be enough. Like you should get 2001:db8:beef::/60. That should cover your home router's two SSIDs. A /48 is only something you should need if you are a large company and could use 64,536 subnets. I doubt that even Google or Facebook or Twitter would need more than that.

      I didn't ask for a /48 -- I am just given it. This should speak volumes about the number of addresses available.

      Just like our head-office has 3 different lines with this company, each line with its own /48.

    6. Re:Practical question for consumers by Geordish · · Score: 2

      Not giving everyone a /48 is a daft argument. From someone who is a lot smarter than me source

      "Let’s assume that ISPs come in essentially 3 flavors. MEGA (The Verizons, AT&Ts, Comcasts, etc. of the world) having more than 5 million customers, LARGE (having between 100,000 and 5 million customers) and SMALL (having fewer than 100,000 customers).

      Let’s assume the worst possible splits and add 1 nibble to the minimum needed for each ISP and another nibble for overhead.

      Further, let’s assume that 7 billion people on earth all live in individual households and that each of them runs their own small business bringing the total customer base worldwide to 14 billion.

      If everyone subscribes to a MEGA and each MEGA serves 5 million customers, we need 2,800 MEGA ISPs. Each of those will need 5,000,000 /48s which would require a /24. Let’s give each of those an additional 8 bits for overhead and bad splits and say each of them gets a /16. That’s 2,800 out of 65,536 /16s and we’ve served every customer on the planet with a lot of extra overhead, using approximately 4% of the address space.

      Now, let’s make another copy of earth and serve everyone on a LARGE ISP with only 100,000 customers each. This requires 140,000 LARGE ISPs each of whom will need a /28 (100,000 /48s doesn’t fit in a /32, so we bump them up to /28). Adding in bad splits and overhead at a nibble each, we give each of them a /20. 140,000 /20s out of 1,048,576 total of which we used 44,800 for the MEGA ISPS leaves us with 863,776 /20s still available. We’ve now managed to burn approximately 18% of the total address space and we’ve served the entire world twice.

      Finally, let us serve every customer in the world using a small ISP. Let’s assume that each small ISP only serves about 5,000 customers. For 5,000 customers, we would need a /32. Backing that off two nibbles for bad splits and overhead, we give each one a /24.

      This will require 2,800,000 /24s. (I realize lots of ISPs serve fewer than 5,000 customers, but those ISPs also don’t serve a total of 14 billion end sites, so I think in terms of averages, this is not an unreasonable place to throw the dart).

      There are 16,777,216 /24s in total, but we’ve already used 2,956,800 for the MEGA and LARGE ISPs, bringing our total utilization to 5,756,800 /24s.

      We have now built three complete copies of the internet with some really huge assumptions about number of households and businesses added in and we still have only used roughly 34% of the total address space, including nibble boundary round-ups and everything else."
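
Added example (not from any commenter): Python that carries the quoted allocation arithmetic through, so the /24, /16, /20 and percentage figures above can be checked, together with the /60 and /48 customer-delegation subnet counts discussed earlier in this thread. The tier sizes and the 14 billion customer figure are taken from the quoted text; the nibble round-up and overhead rules are coded exactly as that text describes them.

```python
import math


def bits_for(count: int) -> int:
    """Fewest prefix bits that can number `count` distinct things."""
    return max(0, math.ceil(math.log2(count)))


def nibble_round_up(bits: int) -> int:
    """Round up to a 4-bit (one hex digit) boundary, as the comment's 'bad splits' do."""
    return -(-bits // 4) * 4


def allocation_prefix(customers: int, customer_prefix: int = 48, overhead_nibbles: int = 2) -> int:
    """Prefix length an ISP needs to give each customer a /customer_prefix, after rounding the
    customer count up to a nibble and adding `overhead_nibbles` more (the comment uses two)."""
    needed_bits = nibble_round_up(bits_for(customers)) + 4 * overhead_nibbles
    if needed_bits > customer_prefix:
        raise ValueError("customer count does not fit above a /%d" % customer_prefix)
    return customer_prefix - needed_bits


def isps_needed(customers_worldwide: int, customers_per_isp: int) -> int:
    """ISPs of one tier required to serve everybody (ceiling division)."""
    return -(-customers_worldwide // customers_per_isp)


def blocks_used(allocations, unit_prefix: int) -> int:
    """Count allocations [(how_many, prefixlen), ...] in units of /unit_prefix blocks."""
    return sum(count * 2 ** (unit_prefix - plen) for count, plen in allocations)


def fraction_of_space(allocations) -> float:
    """Share of the whole 128-bit space the allocations consume."""
    return blocks_used(allocations, 128) / 2 ** 128


def delegated_subnets(prefixlen: int) -> int:
    """Number of /64 subnets inside a customer delegation (/60 -> 16, /48 -> 65,536)."""
    if prefixlen > 64:
        raise ValueError("a delegation must be at least a /64")
    return 2 ** (64 - prefixlen)


if __name__ == "__main__":
    WORLD = 14_000_000_000   # the comment's 7 billion households plus 7 billion businesses
    plan = []
    for tier, per_isp in (("MEGA", 5_000_000), ("LARGE", 100_000), ("SMALL", 5_000)):
        plen = allocation_prefix(per_isp)
        plan.append((isps_needed(WORLD, per_isp), plen))
        print(f"{tier}: {plan[-1][0]:>9,} ISPs x /{plen}  "
              f"-> {fraction_of_space(plan):.1%} of the address space used so far")
    print("total in /24s:", f"{blocks_used(plan, 24):,}")
    print("/64 subnets in a /60:", delegated_subnets(60), " in a /48:", delegated_subnets(48))
```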

    7. Re:Practical question for consumers by unixisc · · Score: 1

      From a purely arithmetic standpoint, everything you said is well and good. Problem arises with the structure that is encoded within the address space - that is what makes the above picture you've drawn too simplistic.

      For starters, forget that you have a 128 bit address to play with - you don't. The lower half of it is the interface ID, which is either assigned by some auto-configuration mechanism, such as SLAAC, or by DHCPv6. Either way, that space is space that nobody in the pecking order of numbers assignment - be it IETF, IANA, ARIN or your ISP - assigns: you get it automatically.

      So now, you have just the global prefix space. Of this, the first 2 bytes are assigned by the IANA to the RIR - the 2001, the 2400.... It's not a part of what your RIR gets to give you. The best your RIR can give you is a /32, and you had better be a huuuuugge organization - maybe global - with millions of SUBNETS to justify that. So now the ISP has 48 bits, down from the 64 - 2001:db8:b10c:abcd::/64.

      Now, depending on the geographic reach of the ISP, they may need thousands of offices nationwide, and in each office, service several thousands of people. Let us assume that we have 16 million routers serviced that way - that is 2^14. So your 32 bits are now down to 18. So it now comes down to how many people are serviced by a single central office router. Let's assume it's 128, which is 2^7, and you are down to 11.

      So you are already cutting into the subnet address space of the IPv6 address, since you have only 11 bits to give a customer for subnetting. Giving everyone a /48, as you mentioned, would give each customer 16 bits of subnetting address, so you now have a deficit of 5. Which is why RIRs like APNIC and RIPE assign /56s instead. Each customer that way gets 8 bits of subnetting, instead of 16. Which may or may not be adequate.

      That's why above, I had stated that splitting the address into a 96:32 is what the IETF should have done. That would have allowed for a hierarchical routing system, and would have been more flexible. The top half of the space would have been dedicated to routing, and nothing above 64 bits could be assignable. Between the 65th and the 95th bit, the ISP could decide with a customer how to split it, and maybe even have tiered pricing accordingly. So a major global organization could use 64 bits and have 4 billion subnets of 4 billion each, while an individual customer could get 4 /96 subnets of 4 billion.

    8. Re:Practical question for consumers by SuricouRaven · · Score: 1

      In theory, as the system is designed, your ISP gives you a /64. There's no reason for them to give you less than that, technologically. They could choose to do so for business reasons, if your ISP is especially sleazy, perhaps as a means to prevent small businesses from using a cheaper residential service rather than paying for a business connection. But that's a business abuse, not an issue with the protocol, and there are plenty of ways ISPs can already misconfigure IPv4 to maximise profit.

    9. Re:Practical question for consumers by Geordish · · Score: 1

      So now, you have just the global prefix space. Of this, the first 2 bytes are assigned by the IANA to the RIR - the 2001, the 2400.... It's not a part of what your RIR gets to give you. The best your RIR can give you is a /32, and you had better be a huuuuugge organization - maybe global - with millions of SUBNETS to justify that. So now the ISP has 48 bits, down from the 64 - 2001:db8:b10c:abcd::/64.

      ...

      So you are already cutting into the subnet address space of the IPv6 address, since you have only 11 bits to give a customer for subnetting. Giving everyone a /48, as you mentioned, would give each customer 16 bits of subnetting address, so you now have a deficit of 5. Which is why RIRs like APNIC and RIPE assign /56s instead. Each customer that way gets 8 bits of subnetting, instead of 16. Which may or may not be adequate.

      A lot of this is incorrect. RIPE by default allocates a /29 to ISPs. Getting something larger than that is super easy, as long as you have the documentation to back it up.

      Also RIRs don't assign /56s to customers. The RIR allocates a prefix to a LIR (Your ISP) and the LIR allocates the addresses down to the customer.

      And finally the RIPE policy (and likely others. I live and work in the RIPE region so my knowledge is more relevant to that region) recommends a /48 for end user allocation (https://www.ripe.net/publications/docs/ripe-655). If you read from section 5.3 onwards you will see that it is up to the ISP to decide what to allocate to a customer. Anything shorter than a /48 requires documentation, but a /48 is just fine if you want. The wording has actually changed on that page recently. It used to be more specific about recommendation of prefix sizes.

      There is nothing inherently special about any of the top 64 bits. While they are divvied out to RIRs by reserving so many bits from the top, it doesn't break the maths that there is a fuck tonne of /48's available. Even with outlandish allocation policies it is unlikely to ever run out. At least not in the useful life of the protocol. We are bound to hit some limitations with IPv6, but it was designed to not be the size of the address space. Why stifle potential innovation?

      And splitting the address space any other way was never an option. It was always going to be 64 bits at the top, and there was only ever a question about the size of the bottom part of the address.

    10. Re:Practical question for consumers by Geordish · · Score: 1

      So now, you have just the global prefix space. Of this, the first 2 bytes are assigned by the IANA to the RIR - the 2001, the 2400.... It's not a part of what your RIR gets to give you.

      I've been trying to work out what you mean by all this.
      IANA doesn't allocate to RIRs on /16 (2 bytes) boundaries. It allocates based on whatever is appropriate. The latest allocation was a /12 to ARIN. I don't see that it has ever allocated a /16 either. (a /16 was reserved for 6to4) http://www.iana.org/assignment...

      Now, depending on the geographic reach of the ISP, they may need thousands of offices nationwide, and in each office, service several thousands of people. Let us assume that we have 16 million routers serviced that way - that is 2^14. So your 32 bits are now down to 18. So it now comes down to how many people are serviced by a single central office router. Lets assume it's 128, which is 2^7, and you are down to 11.

      This really doesn't make sense to me. Firstly 2^14 is around 16k, not 16 million... What are these routers that you are servicing? CPEs? In this scenario you require 16 million /48s which would fit into a /24 quite nicely.

      So you are already cutting into the subnet address space of the IPv6 address, since you have only 11 bits to give a customer for subnetting. Giving everyone a /48, as you mentioned, would give each customer 16 bits of subnetting address, so you now have a deficit of 5. Which is why RIRs like APNIC and RIPE assign /56s instead. Each customer that way gets 8 bits of subnetting, instead of 16. Which may or may not be adequate.

      I genuinely don't understand what you are talking about. Maybe a diagram would help? You mention an inherent structure in v6 addresses. Maybe that is where you are getting confused, because other than the 64:64 split, there is none as such...

    11. Re:Practical question for consumers by rl117 · · Score: 1

      My ISP gives me an IPv4 address and an IPv6 /64. So each machine internally gets a NATed IPv4 address (as is usual) and one or more global IPv6 addresses (some are configured statically e.g. server with DNS entry; clients use SLAAC and privacy extensions).

      There's no charge for the 2^64 addresses. They aren't scarce and "valuable" like IPv4 addresses.

    12. Re:Practical question for consumers by sjames · · Score: 2

      In the very worst case, the ISP gives you a /64 which is enough to support every possible ethernet address 64K times over.

  29. In the year 2525, if man is still alive by jfdavis668 · · Score: 1

    If woman can survive, they may find...IPv6 deployment completed.

  30. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 0

    infinitely nested NATS

    Not infinitely nested NATs. Just one level of nesting is usually needed.

    Without NAT, our corporate and government overlords will know exactly which computer each packet is going to. NAT helps obfuscate that to a certain extent. For me, that's the biggest benefit of NAT, and why it's both crucial and inevitable that NAT will continue to be used with IPv6.

  31. Subnet sizing by unixisc · · Score: 2

    That's the reason that I've always believed that the /64 was a stupid boundary where to demarcate the Global Prefix and the Interface ID. It should have been at /96. The reason for the /64 was for easy autoconfiguration with SLAAC. But even with SLAAC, uniqueness is not guaranteed, and therefore, a lot of flexibility in IPv6 is sacrificed at the altar of autoconfiguration, resulting in an overkill when it comes to subnet sizes.

    Instead, having a /96 would have enabled the internet to have had a hierarchical routing system, thereby lessening the need for things like RIPng, OSPF, EIGRP, et al. Also, RIRs, national Internet registries and ISPs could then have allotted Global prefixes up to /64 or /80, and we could have had either 16 bits of subnetting - allowing for 65,536 subnets - or a full 32 bits of subnetting - allowing for a hierarchical subnet set-up.

    Even with all this, 32 bits would have been adequate for autoconfiguration mechanisms. Yeah, it wouldn't be completely unique, but nothing is. Port scans would still be as slow as scanning the entire internet, but on top of that, privacy extensions, or allowing an address to change very frequently, would make it even more impossible for port scans to determine internal network topologies. I do think something like this would have to be deployed to avoid running into address depletion issues even in IPv6 later.

    1. Re:Subnet sizing by Anonymous Coward · · Score: 0

      having a /96 would have enabled the internet to have had a hierarchical routing system

      That kinda goes against the idea of the internet being non-hierarchical, and freedom of information in general.

      Seriously, that way lies madness.

      Pretty much every despotic government on the planet wants hierarchical routing, so they can control their people's access to the Internet, so they can prevent ideas and news from spreading. They don't want their slaves to know that people are happy and free in other parts of the world, or getting ideas that they don't have to live with a dictator.

      Cases in point: North Korea, Iran, Syria, and even Russia. Putin was shocked to learn that the Internet wasn't hierarchical, because how is a government supposed to control the Internet if it's not centralized?

      That fact alone makes hierarchical routing a non-starter. It's also most of the reason why the US government hasn't ceded control of the Internet to the UN. Because there are despots who want to turn the open, distributed Internet into a hub for propaganda and control.

    2. Re:Subnet sizing by unixisc · · Score: 1

      What you describe is about control of the internet, and has nothing to do with routing mechanisms. Don't confuse one with the other.

      There is already a hierarchic layout of the internet - IANA => RIRs => National registries => ISPs. So it's not like governments have no control on things. What I described is meant to make routing easier, and was one of the original goals of IPv6. It seems to have been abandoned due to the desire for Provider independent addresses. But if there is a good multihoming solution available, then this should be back.

    3. Re: Subnet sizing by Anonymous Coward · · Score: 0

      The US government doesn't want to protect the Internet from despots. The US government wants to BE the despots that control the Internet.

      They simply don't want others involved in their game.

    4. Re:Subnet sizing by sl3xd · · Score: 1

      Correct me if I'm wrong, but routing is not the same thing as managing address pools.

      IANA, the RIR's, and national registries coordinate IP Address allocation so that IP addresses are (hopefully) unique.

      Managing a database of unique numbers is entirely different from routing packets around a global heterogeneous network.

      IANA is also a department of ICANN, which manages the root DNS servers; again, managing translation of words to IP addresses, which is similarly related to routing.

      It's kind of like the difference between a government surveyor, who assigns addresses to homes (i.e. the number), and the means by which various public and private organizations deliver packages to that address (routing).

      --
      -- Sometimes you have to turn the lights off in order to see.
  32. NAT by codealot · · Score: 1

    Those who think NAT is such a great idea... have you had to support VPN tunnels between networks with overlapping private subnets? It gets messy fast.

    Universally unique addressing is a GOOD thing. For those concerned about the security of private networks, well, you have to know what you're doing. And even with IPv4 a lot of internal addresses leak out anyway. (Look at SMTP envelopes for one).

  33. Re:Dear asshole utopians who hate NAT by Dagger2 · · Score: 1

    Not infinitely nested NATs. Just one level of nesting is usually needed.

    Good luck with that when your ISP puts you behind NAT, or when their ISP puts them behind NAT.

    Without NAT, our corporate and government overlords will know exactly which computer each packet is going to

    Please look up privacy extensions. They've only been mentioned in the comments of every single Slashdot article that mentions IPv6.

  34. I still don't get parts of IPv6 by bytesex · · Score: 1

    It doesn't specify a checksum for the header, which means that it relies on some elements of it (the address fields) to be checksummed by a higher layer (which indeed TCP and UDP do). But which also means that some elements of the header (quality of service, hop limit) are left out of the checksum, which means that (for instance) you can get router loops. But it's probably because the designers of IPv6 thought that the whole packet would be authenticated at layer 2. But then - why require an ICMP checksum when you've just completely redesigned ICMP (and why require the TCP and UDP checksums to still use a pseudo header)? I mean, calculating checksums costs time. Either specify that it happens at layer 2 and be done with it, or do it properly.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:I still don't get parts of IPv6 by WaffleMonster · · Score: 1

      It doesn't specify a checksum for the header, which means that it relies on some elements of it (the address fields) to be checksummed by a higher layer (which indeed TCP and UDP do). But which also means that some elements of the header (quality of service, hop limit) are left out of the checksum, which means that (for instance) you can get router loops. But it's probably because the designers of IPv6 thought that the whole packet would be authenticated at layer 2. But then - why require an ICMP checksum when you've just completely redesigned ICMP (and why require the TCP and UDP checksums to still use a pseudo header)? I mean, calculating checksums costs time. Either specify that it happens at layer 2 and be done with it, or do it properly.

      IP checksums are a joke which exist only for personal entertainment.

    2. Re:I still don't get parts of IPv6 by Anonymous Coward · · Score: 0

      IP checksums are a joke which exist only for personal entertainment.

      In what way?
      If you have a better way to check packet integrity then go ahead and say it.
      Two requirements that the IP checksum has would be that it has to be computationally inexpensive since it is going to be implemented on whatever 8-bit microcontroller your doorbell uses and that it should be possible to rewrite the packet and update the checksum without having to recalculate it for the entire packet.
      You can assume that any CRC is too computationally intensive to be used.
      An XOR parity could be sufficient, but the checksum provides better checking without being more expensive.

    3. Re:I still don't get parts of IPv6 by WaffleMonster · · Score: 1

      In what way?

      Ugh, let's see: 16-bit check space vs hosts and switches moving millions of packets per second.

      Even if the 1's complement checksum implementation was not the crudest piece of shit imaginable, routinely allowing bit flips to fly under the radar, it wouldn't make any difference because the space is too damn small.

      I've personally witnessed IP checksum fail to prevent corruption on multiple occasions due to faulty hardware.

      If you have a better way to check packet integrity then go ahead and say it.
      Two requirements that the IP checksum has would be that it has to be computationally inexpensive since it is going to be implemented on whatever 8-bit microcontroller your doorbell uses and that it should be possible to rewrite the packet and update the checksum without having to recalculate it for the entire packet.
      You can assume that any CRC is too computationally intensive to be used.
      An XOR parity could be sufficient, but the checksum provides better checking without being more expensive.

      Oh please, it isn't even a CRC. It is literally adding shit up and taking a complement, that's it. There are no tables, no position dependence, no nothing. It is complete, total and utter shit.

      The *ONLY* reason data transmitted over the Internet is not corrupted left and right is implementation of useful error detection and correction schemes at the link layer.
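
Added example (not from any commenter): Python that implements the RFC 1071 one's complement checksum the last few comments argue about, computes and verifies a UDP checksum over the IPv6 pseudo-header (which is how the addresses stay covered although the IPv6 header itself has no checksum), applies the RFC 1624 incremental update a router uses when it rewrites one word, and demonstrates the corruptions that pass unnoticed: reordered words and compensating bit flips. The datagram, addresses and sample words are constructed.

```python
import ipaddress
import struct

UDP = 17   # IPv6 Next Header value for UDP


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum of the
    16-bit words (an odd trailing byte is zero-padded). This really is just 'adding it up
    and taking a complement': no tables and no position dependence."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv6_pseudo_header(src: str, dst: str, upper_len: int, next_header: int) -> bytes:
    """RFC 2460 section 8.1 pseudo-header: source, destination, upper-layer length,
    three zero bytes, next header. The addresses are covered by the transport checksum
    precisely because the IPv6 header has none of its own."""
    return (ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + struct.pack("!IxxxB", upper_len, next_header))


def build_udp6(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with the checksum filled in as a sender emits it. Over IPv6
    the UDP checksum is mandatory, and a computed zero is transmitted as 0xFFFF."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zero while summing
    csum = internet_checksum(ipv6_pseudo_header(src, dst, length, UDP) + header + payload) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp6(src: str, dst: str, segment: bytes) -> bool:
    """Receiver side: pseudo-header + segment (checksum field included) must sum to zero.
    A zero checksum field is rejected, as RFC 2460 requires for UDP over IPv6."""
    if len(segment) < 8 or segment[6:8] == b"\x00\x00":
        return False
    return internet_checksum(ipv6_pseudo_header(src, dst, len(segment), UDP) + segment) == 0


def incremental_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). Lets a router change one 16-bit word
    (e.g. hop limit would be such a word if IPv6 checksummed it) without re-summing."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def undetected_corruption(data: bytes, mutated: bytes) -> bool:
    """True when `mutated` differs from `data` yet carries the same checksum: swapped words,
    or a bit flipped up in one word and the same bit flipped down in another, leave the
    one's complement sum unchanged. This is the weakness the thread describes."""
    return mutated != data and internet_checksum(mutated) == internet_checksum(data)


if __name__ == "__main__":
    # Constructed sample datagram on documentation addresses.
    src, dst = "2001:db8::1", "2001:db8::2"
    seg = build_udp6(src, dst, 12345, 53, b"hello")
    print("checksum 0x%04x, verifies: %s" % (struct.unpack("!H", seg[6:8])[0], verify_udp6(src, dst, seg)))
    print("same segment checked against the wrong destination:", verify_udp6(src, "2001:db8::3", seg))
    words = bytes.fromhex("12345678")
    print("swapped words undetected:", undetected_corruption(words, bytes.fromhex("56781234")))
    print("compensating bit flips undetected:", undetected_corruption(words, bytes.fromhex("12355677")))
    print("single bit flip undetected:", undetected_corruption(words, bytes.fromhex("12355678")))
```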

  35. RFC 1918 for IPv6 by Anonymous Coward · · Score: 0

    without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

    What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

    There is also ULA:

    * https://en.wikipedia.org/wiki/Unique_local_address

    I think that the PCI folks have some kind of requirement about not allowing "public addressable" machines (or some such) to have credit card data.

    I agree with you though: security comes more from stateful inspection (which is generally a prerequisite for NAT) than it does from address hiding.

  36. IPv6 compatibility w/ FOSS projects by Yonder+Way · · Score: 2

    What's really sobering is when you look at relatively new but very successful FOSS ecosystems like that surrounding Docker, you'll see poor considerations for IPv6. If you're working on new bleeding edge stuff and you're still developing for an IPv4 world, you're needlessly wasting a huge opportunity to help the world move beyond IPv4. I really want to call out CoreOS's fleet project for using IPv4 private networks for cross-container communications where IPv6 would have been a much better fit.

    1. Re:IPv6 compatibility w/ FOSS projects by Yonder+Way · · Score: 1

      I mis-typed when I said "fleet" and meant to say "flannel".

  37. Private addresses for VPNs by unixisc · · Score: 1

    Unique Local addresses (fd00::/7) allow for precisely this - having a globally unique non-routable address, which enables 2 private networks to connect together w/o getting into overlapping private subnets.

    1. Re:Private addresses for VPNs by codealot · · Score: 1

      Yep, but for that you need ipv6 anyway. Which doesn't help the "ipv4 is fine 'cause we have NAT" folks.

    2. Re:Private addresses for VPNs by dave420 · · Score: 1

      Nothing can help them. They've been shown a demonstrably more capable and secure protocol, and thumbed their noses at it simply because they don't understand it or because it's new and they'll have to re-learn some basics.

  38. More like 0.1% -- IPv6 traffic is special purpose by Anonymous Coward · · Score: 0

    IPv6 is being used as a backup or alternative to IPv4 for companies that want to be off-the-grid.

    It is not being used as a migration, nor because of a lack of IPv4 addresses.

    Companies now consider it a security selling point to say "we don't even accept IPv4 packets" for XYZ service.

    The amount of traffic is high because companies are using it for specialized work, such as site-to-site replication, VPN fabric, etc.

    Little generic Internet communication is happening over IPv6.

    Need to get real here.

  39. Re:More like 0.1% -- IPv6 traffic is special purpo by jfdavis668 · · Score: 4, Informative

    My cell phone traffic has been IPv6 for years. Every time I watch a youtube video, piles of IPv6 traffic flow. A large amount of network traffic is now handheld related.

  40. IPV7 by Anonymous Coward · · Score: 0

    They better get started on IPV7 if they want anyone to use it by 2100 C.E.!

  41. AT&T DSL fired up IPv6 by dlenmn · · Score: 1

    A few months ago, I was kind of shocked to see that my computer was downloading Ubuntu updates from an IPv6 address. I was vaguely aware that AT&T DSL had IPv6 turned on (I could see the setting in their stupid gateway), but I didn't know that it actually got used. I'm looking at iftop right now, and most of my connections seem to be IPv6. So, IPv6 does get used for generic internet communications.

    1. Re:AT&T DSL fired up IPv6 by budgenator · · Score: 1

      Comcast says their traffic is 15% IPv6. I think more people are in a similar situation: they don't know they are using IPv6 until they look. A lot of equipment is set up to use IPv6, but there are one or two bottlenecks blocking the traffic along the way; that equipment gets changed and you're using IPv6 without knowing it. Sooner or later the kids are going to find some new uber-cool thing that's only on IPv6, then all hell is going to break loose in the IT departments.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds

  42. Will this be the year I can ssh to a phone? by sims+2 · · Score: 1

    Even knowing what a phone's IPv6 address is, I still can't make a direct connection to it on Verizon Wireless. Why even give us an IPv6 address if it's just as useless as a NATted IPv4 address?

    --
    Minimum threshold fixed. Thanks!

    1. Re:Will this be the year I can ssh to a phone? by Voyager529 · · Score: 1

      Even knowing what a phone's IPv6 address is, I still can't make a direct connection to it on Verizon Wireless. Why even give us an IPv6 address if it's just as useless as a NATted IPv4 address?

      Because 99.99% of Verizon Wireless phones that would receive an inbound SSH connection would be attempts to pwn those phones from China or Russia, thus requiring people to run firewalls on their phones, which would be terrible on battery life. The 0.01% of legitimate SSH connections would, by definition, be going to rooted phones, since SSH connectivity is disabled on the WAN side unless explicitly allowed, which requires root. Given that Verizon has been mandating locked bootloaders for some time now and in some cases retroactively locking them (no, I'm not bitter about my Note 2, why do you ask?), it's clear that they're no friends of rooted devices on their network. There's no chance that Verizon will find themselves in a place where allowing SSH connectivity by default would end up in their best interest, or the interest of 99.99% of their customers.

      Why IPv6 addresses then? because they've got a lot of devices on their network, and there are only so many NAT layers they can add before Facebook and Instagram start to break...

    2. Re:Will this be the year I can ssh to a phone? by Aqualung812 · · Score: 1

      Because 99.99% of Verizon Wireless phones that would receive an inbound SSH connection...

      Ummm...how? Try to wrap your mind around doing a port scan of a /64 and then try to wrap your mind around the 2620:0:1600::/41 that Verizon Data Services owns. That was just the first one I could find on ARIN, I'm sure they have more than one large allocation like that.

      So, please, let China and Russia start portscanning IPv6 on port 22 and see how far they get. Another security feature of IPv6 to me!

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.

    3. Re:Will this be the year I can ssh to a phone? by Anonymous Coward · · Score: 0

      because ipv6 is 2 better than ip4, so consumers will know that their technology is improving. Seriously though, my answer is that 'I doubt it', though provisionally. The provision is that you might in fact be able to do it, but it will still constitute a violation of your terms of service, as 'any kind of server' is prohibited from being connected to e.g. GoogleFiber. Which in my opinion/estimation is a manifestation of anti-competitive protectionism. I.e. what would make the world really awesome, is if in addition to being able to ssh into your own phone, you could do so without violating your terms of service, and everyone else could as well. We would see some seriously cool fucking 'APP'lications of technologies involving 'servers' in such a world. Probably to the point that things like facebook, gmail, and twitter would all see an exodus. The only reason those shitty elite establishment controlled services hold onto their user marketshare is because of server persecution. If everyone could ssh into their own phone, and everything else that that baseline would enable, oh, what a non corporate fucking controlled world we might live in. https://lwn.net/Articles/658006/

    4. Re:Will this be the year I can ssh to a phone? by dbIII · · Score: 1

      thus requiring people to run firewalls on their phones, which would be terrible on battery life

      Where did you get that idea? The business I work for has a firewall router that has about a tenth of the CPU power of a smartphone.

  43. Firewalls for Home, SoHo and SMB by williamyf · · Score: 1

    The firewall needs of the small and medium businesses, as well as those of the Home and SoHo users will be handled by NFV firewalls on the telco side, mostly administered by the telco personnel.

    While it is bad to relinquish direct control of your security, the security of Home/SoHo/SMB will be better than what's currently available (badly configured NAT/routers), and besides, nothing prevents us people in the know from putting a second firewall behind the telco-provided one...

    --
    *** Good luck to everyone and have a happy day!

  44. address staging by unixisc · · Score: 1

    DHCPv6 should allow him to have a combination of the 2 - certain address ranges marked off for privacy extensions, and certain addresses statically assigned to various nodes - be it the home security system, garage door, kitchen appliances and so on. Just that I haven't seen DHCPv6 configuration being as thoroughly described as DHCPv4.

  45. riiiiiight by Anonymous Coward · · Score: 0

    cause one ip per device is far safer than NAT - IPv4 (firewall) nat to whatever i want.....internally
    lets just have everything with a public ipv6 address....

    NO THANKS

  46. Private address RFCs for IPv6 by unixisc · · Score: 1

    For IPv6, the RFC# is 4291 for Link-local addresses (fe80::/10) and 4193 for Unique local addresses (fd00::/7).

  47. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 0

    WOW? REALLY?

    Let me help you a bit...IF you want 'insecure peer-to-peer comms like, er, pretty much every modern consumer application from telecoms to gaming'...there I fixed that for you...

    I agree that 'peer-to-peer' networking is great, a huge boon & I don't believe in limiting things where 1 side is always a client & the other the server (e.g. strictly 'client/server') BUT I do believe in wanting to control who talks to MY 'servers' and what they know about them...

    The point is that a protocol that can't handle NAT or at least understand that a NAT might exist and have facilities to allow for its use (if necessary) is a protocol that removes control out of my hands...I might need to use it but I'd think long & hard about the 'why it won't work the way I want it to'...

    NAT is not the 'end all & be all' but it is also not 'obviously lame, useless & idiotic' as at least one AC noted in this thread...

  48. I cannot buy an ipv6 consumer router - import only by sjwest · · Score: 1

    My ISP has IPv6, although the router they sell has no updates I can apply.

    D-Link and others don't sell them locally. Please don't blame IPv4 users for the choices that router manufacturers make.

    PS - Love to have IPv6.

  49. Re:Dear asshole utopians who hate NAT by Yaztromo · · Score: 1

    The Internet is probably better off without NAT

    Short response: Fuck you.

    Long response: I should be the one who decides whether my local network appears to the outside as a single IP address, or multiple. Also, fuck you.

    Short response: Okay.

    Long response: Don't go around bitching to the rest of us when developers decide it's no longer cost effective for them to run STUN servers or include thousands of extra lines of code into their products to work around your broken-ass NAT implementation after everyone else has moved on. In the post-NAT world, all of those work-arounds you rely upon daily are going to go bye-bye.

    Yaz

  50. Re:More like 0.1% -- IPv6 traffic is special purpo by CAIMLAS · · Score: 1

    You must not be using Android...

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers

  51. IPv6?... Why not Zoidberg? by Idisagree · · Score: 1

    IPv6 is an absolute fail if it's reached 10 percent after 20 years.

    I think we should literally dump IPv6 and then devote efforts to IPv7 in whatever form contributors to the IETF think it should take.

  52. IPv6 addresses unfriendly by Anonymous Coward · · Score: 0

    The nice thing about IPv4 is that it's just 4 sets of numbers; whenever I see an IPv6 address my head spins at the sight of an unfamiliar notation. For people that have implemented IPv6 at home/work, is there a user-friendly subnet you use similar to how people use 192.168.x.x or 10.x.x.x, whereby a person can just use different numbers for the last part of the address?

    1. Re:IPv6 addresses unfriendly by mark-t · · Score: 1

      Yes.

      When the first 8 bits of the ipv6 subnet are 0xfd, it is considered a private subnet.

    2. Re:IPv6 addresses unfriendly by unixisc · · Score: 1

      Yeah, dealing w/ hex is not intuitive. However, most IPv6 addresses start w/ 2 - like 2001::/16, and that tells you that it is a routable IPv6 address. You may also see something like fe80: as your starting address, which implies that it's a link local address - a non routable address that can only be reached from within the subnet.

      If your ISP doesn't support IPv6, you won't see the 2001: number or anything like it. What you might see, if you were to do an ipconfig, would be something like this
      [lintel@cisc] ~% ifconfig
      re0: flags=8843 metric 0 mtu 1500
      options=8209b
      ether b8:2a:72:a8:b7:cf
      inet6 fe80::ba2a:72ff:fea8:b7cf%re0 prefixlen 64 scopeid 0x1
      inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
      nd6 options=23
      media: Ethernet autoselect (100baseTX )
      status: active
      lo0: flags=8049 metric 0 mtu 16384
      options=600003
      inet6 ::1 prefixlen 128
      inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
      inet 127.0.0.1 netmask 0xff000000
      nd6 options=21
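    The replies above sort addresses by their leading bits (fd for unique local, fe80 for link local, 2 for routable) and show an ifconfig listing where the link-local address is visibly built from the MAC. The following is an added example, not code from the thread: it parses a constructed ifconfig-style listing (same interface names and MAC as the one above; the fd12:... and 2001:db8:... lines are my additions to show a unique-local and a documentation address), classifies each inet6 address with the standard library, and checks whether a link-local address is the modified EUI-64 of the interface MAC as RFC 4291 appendix A derives it.

```python
"""Classify inet6 addresses from ifconfig output and check the SLAAC EUI-64 derivation
(added example; the listing below is constructed after the comment's ifconfig output)."""
import ipaddress
import re

SAMPLE_IFCONFIG = """\
re0: flags=8843 metric 0 mtu 1500
        ether b8:2a:72:a8:b7:cf
        inet6 fe80::ba2a:72ff:fea8:b7cf%re0 prefixlen 64 scopeid 0x1
        inet6 fd12:3456:789a::5 prefixlen 64
        inet6 2001:db8:1::5 prefixlen 64
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049 metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
"""


def classify(addr: str) -> str:
    """Name the address range; the zone id (e.g. %re0) is stripped before parsing."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (fe80::/10): reachable only on the local link"
    if ip in ipaddress.IPv6Network("2001:db8::/32"):
        return "documentation (RFC 3849): never routed"
    if ip in ipaddress.IPv6Network("fc00::/7"):
        return "unique local (RFC 4193, fd00::/8 in practice): not routed on the Internet"
    if ip.is_global:
        return "global unicast: routable"
    return "other"


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 (RFC 4291 appendix A): flip the universal/local bit (0x02) of the
    first octet and insert ff:fe between the OUI and the device half of the MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def parse_ifconfig(text: str) -> dict:
    """Return {iface: {"mac": str | None, "inet6": [addr, ...]}} from BSD ifconfig output."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            current = m.group(1)
            result[current] = {"mac": None, "inet6": []}
            continue
        fields = line.split()
        if current and len(fields) >= 2 and fields[0] == "ether":
            result[current]["mac"] = fields[1]
        elif current and len(fields) >= 2 and fields[0] == "inet6":
            result[current]["inet6"].append(fields[1])
    return result


def audit(text: str) -> list:
    """(iface, address, class, mac_derived) per inet6 address. mac_derived is True when a
    link-local address embeds the interface MAC via EUI-64; an identifier reused that way in
    global SLAAC addresses makes a host trackable across networks (the RFC 4941 motivation).
    None when the interface has no MAC or the address is not link-local."""
    report = []
    for iface, info in parse_ifconfig(text).items():
        for addr in info["inet6"]:
            kind = classify(addr)
            mac_derived = None
            if info["mac"] and kind.startswith("link-local"):
                expected = ipaddress.IPv6Address("fe80::" + eui64_interface_id(info["mac"]))
                mac_derived = ipaddress.IPv6Address(addr.split("%")[0]) == expected
            report.append((iface, addr, kind, mac_derived))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_IFCONFIG):
        print(row)
```

    Running it flags re0's fe80::ba2a:72ff:fea8:b7cf as MAC-derived (b8 with the 0x02 bit flipped becomes ba, then ff:fe is spliced in), while lo0's fe80::1 is not, and the two added addresses come back as unique local and documentation respectively.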

  53. semi-random privacy by Anonymous Coward · · Score: 0

    Source address: the device you don't trust.

    And there's the problem. If you have multiple devices with privacy extensions then you cannot filter by source [IP] address.

    It depends. If you use pure-random privacy extensions (RFC 4941), then you're right.

    If, however, you use RFC 7217 instead, you get a unique address for each subnet, but the interface part (last 64 bits) isn't always random. So: for subnet A, you'll (always) have "X" as the value of the interface-part of your IPv6 address; for subnet B, you'll (always) generate "Y"; subnet C, generates "Z".

    So if you start off at home you'll have A:X, then you get some coffee and at the cafe you'll generate B:Y, and finally at the office you'll get C:Z. In the evening when you come home you'll get A:X again (and always for subnet A, unless you reset your state).

    From the outside you look unique because the address is the same, but within each network each machine generates the same "random" (really deterministic) address.
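    The home/cafe/office walk described above, as an added example that is not part of the original post. RFC 7217 section 5 specifies RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); this code uses SHA-256 as F and takes the leading 64 bits as the interface identifier, beside an RFC 4941 style temporary identifier for contrast. The prefixes (all in the 2001:db8::/32 documentation range), the interface name and the secret key are constructed values.

```python
"""RFC 4941 temporary versus RFC 7217 stable-privacy interface identifiers (added example)."""
import hashlib
import ipaddress
import os

IID_MASK = 2**64 - 1


def temporary_iid_rfc4941() -> int:
    """A fresh random 64-bit identifier per call, as RFC 4941 temporary addresses are;
    the universal/local bit (0x02 of the first octet, bit 57 here) is cleared as required."""
    return int.from_bytes(os.urandom(8), "big") & ~(1 << 57)


def stable_iid_rfc7217(prefix: str, net_iface: str, secret_key: bytes,
                       network_id: str = "", dad_counter: int = 0) -> int:
    """RFC 7217: the same prefix, interface and key always yield the same identifier, and a
    different prefix yields an unrelated one, so a host is stable inside a network but not
    linkable across networks by anyone without secret_key. SHA-256 stands in for F."""
    prefix_bytes = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    h = hashlib.sha256()
    for part in (prefix_bytes, net_iface.encode(), network_id.encode(),
                 dad_counter.to_bytes(2, "big"), secret_key):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefix each field
    return int.from_bytes(h.digest()[:8], "big")


def address_for(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


# Constructed: the three networks the laptop visits (subnets A, B, C above) and its key.
HOME, CAFE, OFFICE = "2001:db8:a::/64", "2001:db8:b::/64", "2001:db8:c::/64"
SECRET_KEY = b"constructed-32-byte-secret-key!!"


def walk(secret_key: bytes = SECRET_KEY) -> dict:
    """Home -> cafe -> office -> home, using stable-privacy addresses on interface wlan0."""
    return {
        "home": address_for(HOME, stable_iid_rfc7217(HOME, "wlan0", secret_key)),
        "cafe": address_for(CAFE, stable_iid_rfc7217(CAFE, "wlan0", secret_key)),
        "office": address_for(OFFICE, stable_iid_rfc7217(OFFICE, "wlan0", secret_key)),
        "home_again": address_for(HOME, stable_iid_rfc7217(HOME, "wlan0", secret_key)),
    }


if __name__ == "__main__":
    for place, addr in walk().items():
        print(f"{place:>10}: {addr}")
    print(" temporary:", address_for(HOME, temporary_iid_rfc4941()), "(differs on every run)")
```

    The stable address at home is the same on both visits, which is what lets a home firewall or log filter key on it; the interface identifiers at the cafe and office are unrelated to it, so the three sightings cannot be linked without the key. A temporary RFC 4941 identifier changes on every call, which is exactly the case the quoted complaint about source-address filtering refers to.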

  54. Re:More like 0.1% -- IPv6 traffic is special purpo by Anonymous Coward · · Score: 0

    As for IPv4... My XP machine. My Skype phone. Probably my Roku 3. I think the TiVo Roamios. Oh, some software might not work well with IPv6 either, even if the machine can. Upgrading may not be feasible. All it takes is one to ruin the change to go IPv6. But it's great (not being sarcastic) that cell phones are IPv6. Hopefully that frees some things up that definitely need IPv4.

  55. Dynamic prefixes make SOHO networking a nightmare by zaibazu · · Score: 1

    IPv6 has the credo that every user should have a prefix to assign his devices (in)to. Most ISPs in Germany are stuck on the idea that the addresses should be shuffled around every reconnect. Now your name resolver has to be reconfigured each time as well, along with services that would rely on static IPs. Any simple solutions for that besides having 2 IPv6 addresses bound to each device?

  56. slashdot still doesn't support IPV6 by nichogenius · · Score: 1

    Seriously, no IPV6 love for slashdot yet.

    Or for that matter, no https support either. How do I know all the jokes and comments of my fellow /.ers are real and not some man in the middle feeding me fake jokes?

    Yeah, I get that neither is really important for the slashdot site, but they would add some nice spice :D

    1. Re:slashdot still doesn't support IPV6 by david_thornley · · Score: 1

      I assure you that all the comments are real and not MITM things.

      Signed, Joe Harris Trust the NSA!

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

  57. You need NAT in ipv6 by Anonymous Coward · · Score: 0

    NAT is still essential in an IPv6 world. For a very simple reason.

    NAT obfuscates your internal network architecture from the outside world. It would be a piece of cake to map the service functions of an internal corporate network by just profiling the types of packets that are visible on which addresses in IPv6. You are basically broadcasting to the planet a significant part of a hacker's plan when attacking a network.

    At the moment it's not overly important on a home network. But very soon it will be. IoT devices are extremely weak when it comes to security; they are prime targets. As consumers load up their homes with these IoT devices they are going to be exposing more and more about the weaknesses of the home network. Basically IoT is a form of a services-based compute model for a lot of homes.

    Corps who are adopting Virtualization / Services Architectures / appliance-based capabilities will also fall into this trap. If they haven't already fallen in.

    Network obfuscation provided by NAT is an important part of any network's security. Do not start jumping up and down saying NAT is not security. By itself it is not. It's PART of a security defense.

    1. Re:You need NAT in ipv6 by mark-t · · Score: 1

      There is absolutely nothing that NAT achieves which cannot be functionally reproduced with a combination of a firewall and a layer 3 transparent proxy.

  58. Re:I cannot buy an ipv6 consumer router - import o by unixisc · · Score: 1

    I got a Netgear @ Best Buy that does support it. But you are right - a lot of them don't.

  59. Re:I cannot buy an ipv6 consumer router - import o by rl117 · · Score: 1

    It's odd that the ISP doesn't provide a router which can use the services they provide!

    I got a generic Thomson/Alcatel router from my ISP which does v4 and v6. I had the same model from my previous ISP and it was IPv4 only, so just a firmware difference between the two.

  60. Re:Dynamic prefixes make SOHO networking a nightma by rl117 · · Score: 1

    Your prefix should be constant and should remain the same across reconnects. If you want the remainder to be constant, it should be constant with SLAAC, being based on the MAC address. If it's changing and you don't want it to, try disabling privacy extensions? Or you could use DHCPv6 or static allocation if that wasn't sufficient.

  61. Re:More like 0.1% -- IPv6 traffic is special purpo by unixisc · · Score: 1

    There are still XP machines? Well, even they have IPv6 support patches.

    Anything that has enough flash memory in it could get the code needed to add IPv6 support. All the current OSs - Windows (everything since Vista), OS X, BSD and Linux - fully support IPv6.

  62. Re:Dynamic prefixes make SOHO networking a nightma by unixisc · · Score: 1

    Wouldn't privacy extensions provide that? Or are you talking about devices that should have static IPs? If it's the latter, why should such addresses be shuffled after every reconnect?

  63. IPv6 had its chance with 6to4 by Anonymous Coward · · Score: 0

    And they blew it. Once Apple took it off the AirPort routers, it was over. The neckbeards never got it on the Linksys and other friends, so thanks to that stupid short-sightedness, being able to overlay IPv6 on the v4 backbone is a non-event.

  64. Re:More like 0.1% -- IPv6 traffic is special purpo by jfdavis668 · · Score: 1

    Yes, I am.

  65. Re:what... IPv7 ;) by Anonymous Coward · · Score: 0

    well, I bet Cisco comes out with IPv7 and fixes all the issues running IPv4 and IPvX so we do not have to run Dual Stacks or have leaky IPv6/7 routers.

    There are occasions where you have to scan your internal network so I am not sure a /64 or /112 would be useful even in a large network... We still have systems that use broadcasts and some software vendors suggest L2 networks no larger than /23 or /22 ;)

    Just because you can does not mean you should...

  66. Re:what... IPv7 ;) by unixisc · · Score: 1

    There are no broadcasts in IPv6: you achieve that by link-local multicasts to ff02::1 which would achieve the same result.

  67. AWS by mcfedr · · Score: 1

    It's a shame one of the biggest cloud hosting providers, AWS, doesn't provide IPv6 support.

  68. That's not about IPv6, only persistence of lawyers by dbIII · · Score: 1

    I've been keeping up and I'm pretty sure that "IP address does not equal person" is going to be overturned after accurate logs are seized and released a few times. You may want to ignore the trend but it's happening and the MPAA just keeps on spamming the court systems of multiple countries to get their way.

    It's not about IPv6, only the persistence of lawyers and the very consumer-unfriendly, downright draconian laws they are trying to ram through to get access to all our "metadata".

  69. Re:Dear asshole utopians who hate NAT by Anonymous Coward · · Score: 0

    I agree that 'peer-to-peer' networking is great, a huge boon & I don't believe in limiting things where 1 side is always a client & the other the server (e.g. strictly 'client/server') BUT I do believe in wanting to control who talks to MY 'servers' and what they know about them...

    What does NAT have to do with that? NAT doesn't control who talks to your servers, stateful packet inspection does; you need SPI with NAT in order for your servers to be secure. All NAT is is address translation, nothing more, nothing less. As a side effect it can make it more difficult for good guys to talk to your servers, but bad guys already know this and use tricks to get around it. SPI is the one that is actually difficult to get around. You don't need or even truly want NAT; you want SPI. You're just getting the two things confused.

    The point is that a protocol that can't handle NAT or at least understand that a NAT might exist and have facilities to allow for its use (if necessary) is a protocol that removes control out of my hands...I might need to use it but I'd think long & hard about the 'why it won't work the way I want it to'...

    I guess it's a good thing IPv6 can do NAT just fine then, isn't it? Even though we already established you don't need it and it's unrelated to what you want.
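    Comment 35 and the reply above make the same point: what protects the servers is stateful packet inspection, and NAT adds nothing to it. The following is an added example, not code from the thread: a small connection-tracking filter that accepts replies to flows the LAN opened and drops everything else unsolicited, with no address translation anywhere, plus the IPv6-specific caveat that certain ICMPv6 messages must still be allowed through (RFC 4890) or path MTU discovery and neighbour discovery break. The LAN prefix, hosts and packet trace are constructed; 2001:db8::/32 is the documentation range.

```python
"""Stateful inbound filtering without NAT (added example; all packets are constructed)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str       # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


# ICMPv6 error messages a firewall must not drop (RFC 4890 section 4.3.1):
# destination unreachable, packet too big, time exceeded, parameter problem ...
ESSENTIAL_ICMPV6 = {1, 2, 3, 4}
# ... and neighbour discovery on the local link (RFC 4890 section 4.4.1): RS, RA, NS, NA.
ESSENTIAL_ICMPV6 |= {133, 134, 135, 136}


class StatefulFilter:
    """Inbound policy keyed on connection state, not on address hiding."""

    def __init__(self, lan_prefix: str, allowed_inbound=()):
        self.lan = ipaddress.IPv6Network(lan_prefix)
        self.allowed_inbound = set(allowed_inbound)  # (proto, dport) deliberately published
        self.flows = set()  # (proto, lan_host, lan_port, remote_host, remote_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            if ipaddress.IPv6Address(p.src) not in self.lan:
                return "DROP"  # egress anti-spoofing: only our own prefix may leave
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if p.proto == "icmpv6":
            return "ACCEPT" if p.icmp_type in ESSENTIAL_ICMPV6 else "DROP"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"  # reply to a flow the LAN initiated
        if (p.proto, p.dport) in self.allowed_inbound:
            return "ACCEPT"  # a service the administrator chose to expose
        return "DROP"  # unsolicited: the property people credit NAT with, without NAT


# Constructed trace for a LAN on 2001:db8:1::/64 that publishes only HTTPS on ::20.
TRACE = [
    Packet("out", "tcp", "2001:db8:1::10", "2001:db8:ffff::80", 40000, 443),      # browse out
    Packet("in", "tcp", "2001:db8:ffff::80", "2001:db8:1::10", 443, 40000),       # its reply
    Packet("in", "tcp", "2001:db8:ffff::80", "2001:db8:1::10", 443, 40001),       # wrong port
    Packet("in", "tcp", "2001:db8:9::1", "2001:db8:1::10", 55555, 22),            # unsolicited ssh
    Packet("in", "icmpv6", "2001:db8:ffff::1", "2001:db8:1::10", icmp_type=2),    # Packet Too Big
    Packet("in", "icmpv6", "2001:db8:9::1", "2001:db8:1::10", icmp_type=128),     # echo request
    Packet("out", "tcp", "2001:db8:77::1", "2001:db8:ffff::80", 40002, 443),      # spoofed source
    Packet("in", "tcp", "2001:db8:9::1", "2001:db8:1::20", 55556, 443),           # published https
]


def run(trace=TRACE, lan_prefix="2001:db8:1::/64", allowed_inbound=(("tcp", 443),)) -> list:
    """Apply the filter to a packet sequence and return one verdict per packet."""
    fw = StatefulFilter(lan_prefix, allowed_inbound)
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run()):
        print(f"{verdict:6} {p.direction:3} {p.proto:6} {p.src} -> {p.dst}")
```

    Every host keeps its own global address throughout, the unsolicited SSH attempt and the reply to a port nobody opened are both dropped, and the Packet Too Big message is let through because dropping it would silently break large transfers. Whether the hosts sat behind a translator would not change a single verdict, which is the substance of the "you want SPI, not NAT" argument.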

  70. Re:I cannot buy an ipv6 consumer router - import o by sjwest · · Score: 1

    The ISP thing does IPv6, but who actually manages it? I'd rather not become a public hotspot because it's their config and updates.

    I have DD-WRT flashed routers.

  71. Re:Dear asshole utopians who hate NAT by sabbede · · Score: 1

    Why?

    And why does it matter if, from the outside, your network looks like one 32 bit address or a 64 bit subnet? The actual addresses in use on your network aren't any more visible to the internet than they would be if NAT was in use (you still have a firewall on or before your router after all), you're just doing away with all that port mapping and translation.

  72. I don't see that you have a point by dbIII · · Score: 1

    but unless the proxy is transparent

    Which is something that can be forced and is pretty well the only useful bit of Network Address Translation left if you have enough IP addresses. A proxy on a bridge is another option but less trivial to set up.

    I really don't get the point of all your verbiage since IPv6 can also do NAT and a firewall is far more effective at doing the other tasks described anyway. There's no real security with NAT as shown with some of the NAT traversal hacks demonstrated over the years and even featured here. Relying on hiding instead of actual blocking is not a wise action, especially when the outright blocking is trivially accomplished.

    I really cannot see any advantage of IPv4 plus NAT apart from the obvious of it already being in place - an advantage that vanishes with new installations that may have to be behind multiple layers of NAT that make it hard for the things you want to make it through.

  73. IPv6 routing vs address assignments by unixisc · · Score: 1

    Right, and originally, the way addresses were thought out was that you'd drill deeper into an address to find its destination. I know that 2001:db8 is what is used for documentation purposes, but for the example below, I'll use an ARIN-specific range to support the levels I'm discussing.

    So let's say ARIN has an address - 2615::/16. Let's say the University of California approaches them for an address block for their various campuses. ARIN gives them 2615:db8::/32. Following that, the various campuses ask them for blocks of addresses. UC gives UCLA 2615:db8:2000::/36. They give Berkeley 2615:db8:3000::/36. Riverside gets 2615:db8:4000::/36. UCSD gets 2615:db8:5000::/36. UCSC gets 2615:db8:6000::/36. And so on.

    Now, let's say at Berkeley, the CS department wants a block of addresses. They are assigned 2615:db8:3300::/40. The CS department then assigns blocks of /48 to various sub-groups within the department, such as graphics processing, AI, networking, and so on.

    Now let's say someone from out there wants to access Berkeley's AI lab. From a routing standpoint, it would follow the same rules. 2615::/16 would tell the router that it is within ARIN's coverage area. It will parse the next word of the address - db8 - which will tell it that it goes to the University of CA. The following nybble will find 3, which will send it to Berkeley, and then the remaining 3 nybbles will direct it to the AI lab.

    The reason this is not currently implemented is due to the concept of provider-independent addresses. Like in the above example, let's say that the UC system got their internet access from different vendors - SBC, Verizon Communications, Comcast Business and AT&T. UC would want to have the same IP addressing scheme regardless of who they used, and would want to use, from the above example, 2615:db8::/32, and not have to change that every time the ISP changes. While this maintains the simplicity of their addressing scheme, the routing is now complicated due to the fact that within the same range, one would have to be reached via SBC sites, another via Verizon sites and so on. A way around this would be multihoming solutions like those mentioned in RFC 7157.

    In IPv4, given the scarcity of addresses, nothing like what I described above was even conceivable, since you had ~3.7 billion routable addresses to start w/. Here, having a hierarchic level of addressing does potentially simplify routing, as long as the multihoming solutions would address and work around the needs of provider-independent addressing.
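    The drill-down the comment describes is a longest-prefix match over nested allocations. The following is an added example, not code from the thread: it builds the commenter's hierarchy as a routing table and shows both the forwarding lookup and what the rest of the Internet needs to carry if UC advertises one aggregate. The /16, /32, /36 and /40 blocks are the commenter's illustrative values (2615::/16 is not a real ARIN allocation); the /48 for the AI lab and the next-hop names are my own constructed assumptions.

```python
"""Longest-prefix match over a hierarchical IPv6 allocation (added example, constructed table)."""
import ipaddress

# Constructed routing table: each tier's block with the party it is delegated to.
ROUTES = [
    ("2615::/16", "arin-region"),
    ("2615:db8::/32", "uc-system"),
    ("2615:db8:2000::/36", "ucla"),
    ("2615:db8:3000::/36", "berkeley"),
    ("2615:db8:3300::/40", "berkeley-cs"),
    ("2615:db8:3301::/48", "berkeley-cs-ai-lab"),  # assumed /48 inside the CS /40
    ("2615:db8:4000::/36", "riverside"),
    ("2615:db8:5000::/36", "ucsd"),
    ("2615:db8:6000::/36", "ucsc"),
]
TABLE = [(ipaddress.IPv6Network(prefix), next_hop) for prefix, next_hop in ROUTES]


def longest_match(addr: str, table=TABLE):
    """The most specific route covering addr, as a forwarding lookup picks; None if no route.
    With two routes of equal length (the provider-independent case) the first one wins here;
    a real router needs routing policy to choose, which is the complication the comment names."""
    ip = ipaddress.IPv6Address(addr)
    best = None
    for net, next_hop in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def drill_down(addr: str, table=TABLE) -> list:
    """Every covering prefix from shortest to longest: the tier-by-tier path described
    above, where each tier only has to read the next nybbles of the address."""
    ip = ipaddress.IPv6Address(addr)
    return [next_hop for net, next_hop in sorted(table, key=lambda t: t[0].prefixlen)
            if ip in net]


def aggregate(prefixes) -> list:
    """What routers outside an organisation carry when it advertises one aggregate: every
    prefix covered by a shorter one disappears, and adjacent siblings merge."""
    nets = (ipaddress.IPv6Network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    target = "2615:db8:3301::42"  # constructed host inside the assumed AI-lab /48
    print("route :", longest_match(target))
    print("path  :", " -> ".join(drill_down(target)))
    print("outside UC sees:", aggregate(prefix for prefix, _ in ROUTES[1:]))
```

    For the constructed host the path reads arin-region, uc-system, berkeley, berkeley-cs, berkeley-cs-ai-lab, and everything below the /32 collapses to 2615:db8::/32 for anyone outside UC. The campus /36s alone also merge pairwise into /35s, which is the aggregation that provider-independent, multi-homed prefixes give up.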

  74. Re:More like 0.1% -- IPv6 traffic is special purpo by Anonymous Coward · · Score: 0

    I should have clarified. XP supports it, but not necessarily all the software I use, which may not be patched anymore.

    I don't think my TiVo supports IPv6.

  75. % increase this year doesn't matter by morgauxo · · Score: 1

    "if a 67% increase per year"

    ??? It was a 6% increase. Was that a typo that was supposed to read 6 - 7%?

    Anyway, I'm not sure it matters. Look at the graph. It's not linear, it's exponential. If that trend keeps up I would expect much more than 6 to 7% increases in the coming years.