IPv6 Turns 20, Reaches 10 Percent Deployment (arstechnica.com)
An anonymous reader writes: Ars notes that the RFC for IPv6 was published just over 20 years ago, and the protocol has finally reached the 10% deployment milestone. This is an increase from ~6% a year ago. (The percentage of users varies over time, peaking on the weekends when most people are at home instead of work.) "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."
"A decade or so ago, it was still quite common for people to complain about certain IPv6 features, and proclaim the protocol would never catch on. Although part of that can be blamed on the conservative nature of network administrators, it's true that adopting IPv6 requires abandoning some long-standing IPv4 practices. For instance, with IPv4, it's common to use Network Address Translation (NAT) so multiple devices can share the use of an IPv4 address. IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6. The Internet is probably better off without NAT and the complications that it adds, but without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject."
dear idiot who wants to fuck himself by running NAT
go right ahead. really. no one is stopping you.
but you're going to show up at standards meetings shouting that the best internet architecture
is infinitely nested NATs, you can choke on your own dick
Well, for many of us, the notion that everything has a unique address which can be known by anybody else seems idiotic.
Using internal 192.168.*.*, or the entire class A of 10.*.*.* means my internal IP address is not your damned business. It's an un-routable address to anything else. Which means in a lot of ways it's invisible -- you have no way of knowing the IP address of a given machine, and even if you did it wouldn't do you any good because there's no way to get there.
If you don't know information about what's behind the firewall, you can't exploit that information. NAT allows you to say "yes, there is a machine behind the firewall talking to you, but any specific information about that machine isn't for you to know because we don't trust you with that information".
Providing the same level of 'security' as NAT also includes some anonymity. You're not meant to know which machine you're talking to, and it isn't possible for that information to bleed out. Which means you don't have the ability to deduce information about it.
Having an outside entity know any information about your hosts and their IP addresses is just another vector to glean information and possibly act on it. You can't target a specific machine if you have no information about it from outside the firewall.
So, for me, if you start with the assumption that the internet is a dirty cesspool of actors which simply cannot be trusted and must be assumed to be hostile ... then you start by denying as much information as you possibly can. And after many years around the internet, not assuming the internet is a dirty cesspool of bad actors is utterly idiotic, because it hasn't been true in a very long time.
IPv6 seems to have a rather naive and in-built assumption that the internet isn't full of hostile assholes, and the decision to say that NAT was unnecessary reinforces that. Anything which assumes there isn't a risk in allowing outside actors to glean information about your environment is naive, broken, and not going to work. Because you pretty much need to assume that every additional item of information someone else has is going to be exploited in some way.
If you need to rely on stateful firewall rules to know what's allowed, you need to rely on the vendor to competently be able to handle all of these protocols and the like. And, quite frankly, time and time again we see plenty of reasons why we can't trust the vendors to competently do that.
This is one of the reasons a lot of organizations have looked at IPv6 and consistently said "no thanks, there are parts of this we really don't like".
If after 20 years IPv6 has 10% adoption, maybe it's time to start understanding why people don't want it instead of telling us everything is fine and we don't actually need NAT.
Lost at C:>. Found at C.
Most home users would be perfectly fine with an IPX connecting to a HTTP proxy. That doesn't mean it's a good idea.
IPv6 is a very different beast from IPv4. One of its strengths is also a weakness - NATless wide open host to host routing of traffic. This is great as long as everyone adequately protects their internal network from outside access. However, the vast majority of home and small business networks are hidden behind a consumer-grade NAT router. Given the low level of understanding of what's actually under the hood, IT people (and consumers) have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery. It would seem to me that the safest thing would be to continue using IPv6's NAT feature for networks like this. Not many people understand what actually makes IP routing work at a nuts-and-bolts level, so this would be a safe default. 20 years ago, when IPv6 was new, I would have more faith that the average IT person would have a better grasp of details like this. These days, it's abstracted away for the most part. I doubt non-network focused IT people learn the stack to the same depth they had to in the past.
Even large enterprise networks I've seen implicitly trust traffic on the inside. Obviously that's not the best way to go, but re-architecting the network for trust-nothing operation is a slow process the larger the entity.
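The "deliberate about which packets to accept" point from the article and the consumer-router concern above come down to one thing: the unsolicited-inbound-drop that NAT gave for free has to be written down as a stateful firewall. The ruleset below is an added example, not from the article or any commenter; it assumes an nftables-based home router with interfaces named "wan" and "lan", and uses the 2001:db8::/32 documentation prefix as a placeholder for the real delegated prefix.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names: "wan" faces the ISP, "lan" faces the home network.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional on IPv6: neighbor discovery and PMTU break without it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # DHCPv6 client replies from the ISP arrive on UDP 546 from link-local sources.
        iifname "wan" ip6 saddr fe80::/10 udp dport 546 accept

        # Router management reachable from the inside only.
        iifname "lan" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # This pair is the whole "NAT-like" protection: replies to flows that
        # inside hosts started are allowed back; everything else from "wan" is dropped.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything toward the Internet.
        iifname "lan" oifname "wan" accept

        # Published services are explicit exceptions, by address and port
        # (2001:db8:1::80 is a placeholder for the server's real global address).
        iifname "wan" ip6 daddr 2001:db8:1::80 tcp dport 443 accept

        # Let PMTU discovery and error reports reach inside hosts.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; note that each inside host keeps its own global address, so the server exception names the host directly instead of a port-forward.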
Is that the metric that keeps IPv6 adoption capped?
I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.
"First they came for the slanderers and i said nothing."
Those are all excuses. None of that stuff needs to be touched to deploy v6. Deploying v6 won't make any of it work worse than it currently is. You don't need to upgrade all your DOCSIS1/2 modems to get v6 to the DOCSIS3 modems.
Also if you're an ISP that's been buying hardware in the past half a decade that's not v6 capable, then you screwed up -- or if your hardware is much older than that, then you're probably looking towards a replacement soon anyway.
Even if you have a public IPv6 network, the sheer size of the subnet of 64 bits means that it'd take forever to figure out how many devices you have on it, and what their addresses are, before any rogue scanner out there can do squat. And by that time, under privacy extensions, or even under a DHCPv6 setup, those would have changed. The only unchanged addresses would be those of any servers that you happen to have, and well, that doesn't change in IPv4 either.
So what was it again in IPv4 that gives you the confidence that someone outside can't fuck w/ your network?