IPv6 Turns 20, Reaches 10 Percent Deployment (arstechnica.com)
An anonymous reader writes: Ars notes that the RFC for IPv6 was published just over 20 years ago, and the protocol has finally reached the 10% deployment milestone. This is an increase from ~6% a year ago. (The percentage of users varies over time, peaking on the weekends when most people are at home instead of work.) "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."
"A decade or so ago, it was still quite common for people to complain about certain IPv6 features, and proclaim the protocol would never catch on. Although part of that can be blamed on the conservative nature of network administrators, it's true that adopting IPv6 requires abandoning some long standing IPv4 practices. For instance, with IPv4, it's common to use Network Address Translation (NAT) so multiple devices can share the use on an IPv4 address. IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6. The Internet is probably better off without NAT and the complications that it adds, but without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject."
without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.
What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?
"First they came for the slanderers and i said nothing."
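Added example, not from the thread: a small Python model of the "reject all incoming connections" firewall the post above asks about, run over a handful of constructed packets. The delegated prefix 2001:db8:1::/64, the addresses and ports are made up, and the ICMPv6 allow list is a deliberately small subset (RFC 4890 is the reference for a full one); the point it shows is that a default-deny stateful filter gives the same "unsolicited packets don't get in" effect as NAT without rewriting any addresses, but that it must still let through the ICMPv6 types IPv6 itself depends on.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed delegated prefix for the LAN (documentation range, RFC 3849).
LAN = IPv6Network("2001:db8:1::/64")

# ICMPv6 types an IPv6 host or router cannot work without. A "drop every
# inbound packet" rule that also drops these breaks neighbour discovery and
# path MTU discovery. RFC 4890 has the full recommended list; this subset is
# an assumption chosen for the illustration.
ICMPV6_ALWAYS_ALLOW = {1, 2, 3, 4, 133, 134, 135, 136}


class StatefulFilter:
    """Default-deny inbound, allow outbound, allow replies to outbound flows."""

    def __init__(self, lan: IPv6Network):
        self.lan = lan
        # (proto, local addr, local port, remote addr, remote port) of flows a LAN host opened
        self.flows = set()

    @staticmethod
    def _flow(pkt, local_is_src):
        if local_is_src:
            return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def decide(self, pkt) -> str:
        src, dst = IPv6Address(pkt["src"]), IPv6Address(pkt["dst"])
        if src in self.lan and dst in self.lan:
            return "ACCEPT"            # never crosses the edge
        if src in self.lan:            # outbound: remember the flow so the reply can return
            if pkt["proto"] in ("tcp", "udp"):
                self.flows.add(self._flow(pkt, True))
            return "ACCEPT"
        # inbound from the Internet
        if pkt["proto"] == "icmpv6":
            return "ACCEPT" if pkt["type"] in ICMPV6_ALWAYS_ALLOW else "DROP"
        if self._flow(pkt, False) in self.flows:
            return "ACCEPT"            # reply to a connection a LAN host initiated
        return "DROP"                  # unsolicited: the effect NAT gave, without address rewriting


def run_demo():
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = StatefulFilter(LAN)
    host, web, anyone = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:ffff::1"
    packets = [
        dict(proto="tcp", src=host, sport=40000, dst=web, dport=443),    # LAN host opens HTTPS
        dict(proto="tcp", src=web, sport=443, dst=host, dport=40000),    # server replies
        dict(proto="tcp", src=anyone, sport=12345, dst=host, dport=22),  # unsolicited SSH
        dict(proto="icmpv6", src=anyone, dst=host, type=2),              # packet too big (PMTUD)
        dict(proto="icmpv6", src=anyone, dst=host, type=128),            # echo request
        dict(proto="udp", src=anyone, sport=53, dst=host, dport=5353),   # unsolicited UDP
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Whether to accept inbound echo requests is a policy choice; the model drops them only because they are not on its minimal list.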
Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Telecom Italia - the largest italian telecom provider - still does not offer business ipv6 connectivity.
argh.
Most people and small businesses don't have the skills necessary to take care of a resource that isn't behind NAT.
So it's more like "expect to be quickly and constantly pwned."
STOP . AMERICA . NOW
Speaking of IPv6 'features' - was any solution to IPv6 multihoming actually rolled out?
NSA here. We want everyone to use IPV6 because it makes tracking everything down to your dog's internet enabled nipple piercing that much easier. So stop this nonsense about sticking with IPv4. We're watching you.
"If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."
Is that the metric that keeps IPv6 adoption capped? I'd think that the sooner we run out of IPv4 addresses, the sooner IPv6 will be adopted. Not all the current public IPv4 can be NATed, and having multiple levels of NAT would pretty much transform layer 3 networking to layer 2 networking, won't it?
All the same, many happy returns, IPv6!!!
IPv6 took a long time to get to 10% because it's a pain in the ass to support two things. This will turn around in IPv6's favor at some time in the future. With major IPv6 deployment IPv4 begins to look like last Tuesday's pizza, because you have to support IPv6, but you can save time and effort by making v4 users tunnel or convert. Network protocols don't tend to linger once they get below a certain level - see Appletalk, IPX, Banyan Vines, etc.
"It’s a poor atom blaster that won’t point both ways"
dear idiot who wants to fuck himself by running NAT
go right ahead. really. no one is stopping you.
but you're going to show up at standards meetings shouting that the best internet architecture
is infinitely nested NATs, you can choke on your own dick
ah, turning 20 and enjoying 10% recognition. reminds me of my youth. but seriously guys. there's no excuse other than laziness at this point. home docsis3 routers are dual stack, and hurricanes 6-2-4 gateways have done heavy lifting for a decade now. let's make 15% a 2016 resolution.
Good people go to bed earlier.
The chief infection vector these days is the web browser and add-ons. If a machine can connect to the Internet, even if behind seven layers of NAT, it can get infected. Second to that are Trojans and dancing bunny attacks.
Internet based attacks to compromise hosts are relatively few, and they tend to be brute force attempts, looking for older/patched bugs, or a DDoS. Good firewalls are a solved problem.
Yeah, the main problem with NAT is that it doesn't work. The point of a network is to allow endpoints to communicate with each other. NAT is like some shit from the SNA days where you had a strict client/server relationship, and to be fair it works fine for that. It's just a complete fucking mess if you want peer-to-peer comms like, er, pretty much every modern consumer application from telecoms to gaming.
Regardless, nobody's saying you can't do NAT if you want to do NAT what they're saying is it's better to have a global network infrastructure that doesn't rely on everybody doing NAT. If you can't understand the difference between these two things, please STFU.
If only IPv6 supported Private Addresses to allow you to NAT with that as well. Oh, wait, it does.
pay per IP. some ISPs used to do that and tried to ban routers. I think Comcast used to and had home networking as an upsell.
Now with IPv6 and no NAT they can hit you with an outlet fee per IP to make up for what they lose when people cut TV with its high outlet fees.
https://xkcd.com/865/
Most home users would be perfectly fine with a IPX connecting to a HTTP proxy. That doesn't mean it's a good idea.
IPv6 is a very different beast from IPv4. One of its strengths is also a weakness - NATless wide open host to host routing of traffic. This is great as long as everyone adequately protects their internal network from outside access. However, the vast majority of home and small business networks are hidden behind a consumer-grade NAT router. Given the low level of understanding of what's actually under the hood, IT people (and consumers) have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery. It would seem to me that the safest thing would be to continue using IPv6's NAT feature for networks like this. Not many people understand what actually makes IP routing work at a nuts-and-bolts level, so this would be a safe default. 20 years ago, when IPv6 was new, I would have more faith that the average IT person would have a better grasp of details like this. These days, it's abstracted away for the most part. I doubt non-network focused IT people learn the stack to the same depth they had to in the past.
Even large enterprise networks I've seen implicitly trust traffic on the inside. Obviously that's not the best way to go, but re-architecting the network for trust-nothing operation is a slow process the larger the entity.
but seriously guys. there's no excuse other than laziness at this point. home docsis3 routers are dual stack, and hurricanes 6-2-4 gateways have done heavy lifting for a decade now. let's make 15% a 2016 resolution.
How about FUCK YOU!
There is an epic shit ton of equipment out there that has only an IPv4 stack and will never be updated. There are still new products coming off the shelves that have only an IPv4 stack. Think about all of the devices in the world, all the new IoT devices... There are no excuses needed. There is another 10 years or more worth of devices that are IPv4 only, with zero chance of replacement/update because, there's simply NO NEED to replace them.
It's great that DOCSIS 3 routers are dual stack. But, what about the millions of DOCSIS 2 and even DOCSIS 1 routers still installed, still working just fine, with zero need to replace them except to increase capital expenditure?
It's fine for clueless fucktards to sit home and say 'there's no excuse for not changing', because they don't face any cost in their ISP replacing their modem and Windows 10 is "free". But, there are lots of people and companies with a massive investment that would be a massive cost to replace or update. Think of the cost to ISPs and WISPs. Think of the cost to companies that have to not only foot the bill for equipment, installation, configuration, network re-architecture, support... Think of the cost to private individuals that would have to replace TVs, VDRs, routers, WAPs, thermostats, sprinkler controllers, refrigerators, security cameras...
In my home alone I would have to replace at least 20 devices at a cost of thousands, possibly tens of thousands. I won't even consider the expense to my business.
No excuses? Fuck you!
Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6. Like if you have a network that has a subnet mask of 255.255.255.240, you know that there can be a max of 14 boxes on that subnet. In IPv6, all that is irrelevant: any subnet can have anywhere b/w 1 and 2^64 boxes: it's impossible to find out w/o port scans.
Also, unless someone uses some structure in assigning IPv6 addresses using DHCPv6, it is impossible to figure out individual addresses. And if they have privacy extensions, which is the equivalent of IPv4's dynamic addresses, that makes it even more impossible.
10% in 20 years, so 100% in 200 years, so full adoption in the year 2196 AD. At least it won't clash with the Y2K38 bug.
Then, 150% in 300 years??
IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6.
While IPv6 has more than enough addresses for every device, do ISPs allocate enough addresses for your average consumer? As far as my ISP is concerned, they only allocate me 1 IPv4 address and you can't get more unless you get a business package or another line. This would greatly increase my monthly bill if every single device needs its own address.
Well, there's spam egg sausage and spam, that's not got much spam in it.
If woman can survive, they may find...IPv6 deployment completed.
I know everyone hates Comcast, but they have 40%+ ipv6 deployment rates, and also the US wireless carriers have 40%+ deployment rates.
Nobody with a biz connection can get a static prefix allocation and nobody at Comcast gives a s**t enough to communicate any kind of timeline for when it will happen.
That's the reason that I've always believed that the /64 was a stupid boundary where to demarcate the Global Prefix and the Interface ID. It should have been at /96. The reason for the /64 was for easy autoconfiguration w/ SLAAC. But even w/ SLAAC, uniqueness is not guaranteed, and therefore, a lot of flexibility in IPv6 is sacrificed at the altar of autoconfiguration, resulting in an overkill when it comes to subnet sizes.
Instead, having a /96 would have enabled the internet to have had a hierarchical routing system, thereby lessening the need for things like RIPng, OSPF, EIGRP, et al. Also, RIRs, national Internet registries and ISPs could then have allotted Global prefixes up to /64 or /80, and we could have had either 16 bits of subnetting - allowing for 65,536 subnets - or a full 32 bits of subnetting - allowing for a hierarchical subnet set-up.
Even w/ all this, 32 bits would have been adequate for autoconfiguration mechanisms. Yeah, it wouldn't be completely unique, but nothing is. Port scans would still be as slow as scanning the entire internet, but on top of that, privacy extensions, or allowing an address to change very frequently, would make it even more impossible for port scans to determine internal network topologies. I do think something like this would have to be deployed to avoid running into address depletion issues even in IPv6 later.
Those who think NAT is such a great idea... have you had to support VPN tunnels between networks with overlapping private subnets? It gets messy fast.
Universally unique addressing is a GOOD thing. For those concerned about the security of private networks, well, you have to know what you're doing. And even with ipv4 a lot of internal addresses leak out anyway. (Look at SMTP envelopes for one).
Not infinitely nested NATs. Just one level of nesting is usually needed.
Good luck with that when your ISP puts you behind NAT, or when their ISP puts them behind NAT.
Without NAT, our corporate and government overlords will know exactly which computer each packet is going to
Please look up privacy extensions. They've only been mentioned in the comments of every single Slashdot article that mentions IPv6.
It doesn't specify a checksum for the header, which means that it relies on some elements of it (the address fields) to be checksummed by a higher layer (which indeed TCP and UDP do). But which also means that some elements of the header (quality of service, hop limit) are left out of the checksum, which means that (for instance) you can get router loops. But it's probably because the designers of IPv6 thought that the whole packet would be authenticated at layer 2. But then - why require an ICMP checksum when you've just completely redesigned ICMP (and why require the TCP and UDP checksums to still use a pseudo header)? I mean, calculating checksums costs time. Either specify that it happens at layer 2 and be done with it, or do it properly.
Religion is what happens when nature strikes and groupthink goes wrong.
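Added example, not from the thread: Python that builds a UDP-over-IPv6 datagram with the checksum the post above describes, computed over the pseudo-header (source and destination addresses, upper-layer length, next header) plus the UDP header and payload, and then verifies it. The addresses, ports and payload are constructed; what the verification shows is exactly the post's point: changing the hop limit leaves the checksum valid, because that field is not covered, while changing one byte of the destination address breaks it.

```python
import struct
from ipaddress import IPv6Address

NH_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, upper_len: int, next_header: int) -> bytes:
    """IPv6 pseudo-header (RFC 2460 section 8.1). Note what is absent:
    traffic class, flow label and hop limit are not covered."""
    return src + dst + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([next_header])


def build_udp6_packet(src: str, dst: str, sport: int, dport: int,
                      payload: bytes, hop_limit: int = 64) -> bytes:
    """Return a complete IPv6 header + UDP datagram with a valid checksum."""
    src_b, dst_b = IPv6Address(src).packed, IPv6Address(dst).packed
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = (~ones_complement_sum(pseudo_header(src_b, dst_b, udp_len, NH_UDP) + udp)) & 0xFFFF
    csum = csum or 0xFFFF  # UDP over IPv6 must carry a checksum; a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    # version 6, traffic class 0, flow label 0 | payload length | next header | hop limit
    ip6 = struct.pack("!IHBB", 0x60000000, udp_len, NH_UDP, hop_limit) + src_b + dst_b
    return ip6 + udp


def verify_udp6(pkt: bytes) -> bool:
    """Recompute the checksum from the addresses in the IPv6 header.
    Summing the datagram with its checksum field in place must give 0xFFFF."""
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    src_b, dst_b = pkt[8:24], pkt[24:40]
    udp = pkt[40:40 + payload_len]
    if next_header != NH_UDP or len(udp) < 8:
        return False
    return ones_complement_sum(pseudo_header(src_b, dst_b, len(udp), NH_UDP) + udp) == 0xFFFF


def demo():
    """Constructed packet; returns (valid, still valid after hop-limit change, valid after dst change)."""
    pkt = build_udp6_packet("2001:db8::1", "2001:db8::2", 5353, 5353, b"hello")
    hop_changed = bytearray(pkt)
    hop_changed[7] = 1                 # byte 7 of the IPv6 header is the hop limit
    dst_changed = bytearray(pkt)
    dst_changed[39] ^= 0x01            # last byte of the destination address
    return verify_udp6(pkt), verify_udp6(bytes(hop_changed)), verify_udp6(bytes(dst_changed))


if __name__ == "__main__":
    print(demo())
```

The same pseudo-header, with next header 6, is what TCP over IPv6 uses; only the upper-layer length field changes.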
What's really sobering is when you look at relatively new but very successful FOSS ecosystems like that surrounding Docker, you'll see poor considerations for IPv6. If you're working on new bleeding edge stuff and you're still developing for an IPv4 world, you're needlessly wasting a huge opportunity to help the world move beyond IPv4. I really want to call out CoreOS's fleet project for using IPv4 private networks for cross-container communications where IPv6 would have been a much better fit.
Unique Local addresses (fd00::/7) allow for precisely this - having a globally unique non-routable address, which enables 2 private networks to connect together w/o getting into overlapping private subnets.
My cell phone traffic has been IPv6 for years. Every time I watch a youtube video, piles of IPv6 traffic flow. A large amount of network traffic is now handheld related.
A few months ago, I was kind of shocked to see that my computer was downloading Ubuntu updates from an IPv6 address. I was vaguely aware that AT&T DSL had IPv6 turned on (I could see the setting in their stupid gateway), but I didn't know that it actually got used. I'm looking at iftop right now, and most of my connections seem to be IPv6. So, IPv6 does get used for generic internet communications.
Exactly that, in my experience.
You and I, and the OP, won't be subject to any attacks behind our NAT firewalls because we're all too careful to fall for any phishing scams or malware links.
Our coworkers, family and friends, on the other hand... they'll call us and say "hey my machine is acting funny" no matter what kind of firewall they are behind.
Even knowing what a phone's ipv6 address is I still can't make a direct connection to it on Verizon wireless. Why even give us an ipv6 address if it's just as useless as a natted ipv4 address?
Minimum threshold fixed. Thanks!
The firewall needs of the small and medium businesses, as well as those of the Home and SoHo users will be handled by NFV firewalls on the telco side, mostly administered by the telco personnel.
While it is bad to relinquish direct control of your security, the security of Home/SoHo/SMB will be better than what's currently available (badly configured NAT/routers), and besides, nothing stops us people in the know from putting a second firewall behind the telco-provided one...
*** Good luck to everyone and have a nice day!
DHCPv6 should allow him to have a combination of the 2 - certain address ranges marked off for private extensions, and certain addresses statically assigned to various nodes - be it the home security system, garage door, kitchen appliances and so on. Just that I haven't seen DHCPv6 configuration been as thoroughly described as DHCPv4.
Wouldn't they need to *KNOW* the address to accomplish this? Granted, they might be able to make an educated guess about the class of network, but they could still have a heckuva lot of IP's to choose from.
Also, wouldn't the router need to know how to deliver packets inside the network that you want to manually route from outside and be configured to do so?
File under 'M' for 'Manic ranting'
For IPv6, the RFC# is 4291 for Link-local addresses (fe80::/10) and 4193 for Unique local addresses (fd00::/7)
My isp has ipv6, although the router they sell has no updates i can apply.
dlink and others don't sell them locally. Please don't blame ipv4 users for the choices that router manufacturers make.
ps - Love to have ipv6.
The Internet is probably better off without NAT
Short response: Fuck you.
Long response: I should be the one who decides whether my local network appears to the outside as a single IP address, or multiple. Also, fuck you.
Short response: Okay.
Long response: Don't go around bitching to the rest of us when developers decide it's no longer cost effective for them to run STUN servers or include thousands of extra lines of code into their products to work around your broken-ass NAT implementation after everyone else has moved on. In the post-NAT world, all of those work-arounds you rely upon daily are going to go bye-bye.
Yaz
You must not be using Android...
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
IPv6 is an absolute fail if it's reached 10 percent after 20 years.
I think we should literally dump IPv6 and then devote efforts to IPv7 in whatever form contributors to the IETF think it should take.
Yes.
When the first 8 bits of the ipv6 subnet are 0xfd, it is considered a private subnet.
IPv6 has the credo that every user should have a prefix to assign his devices (in)to. Most ISPs in Germany are stuck on the idea that the addresses should be shuffled around every reconnect. Now your name resolver has to be reconfigured each time as well, along with services that would rely on static IPs. Any simple solutions for that besides having 2 ipv6 addresses bound to each device?
Seriously, no IPV6 love for slashdot yet.
Or for that matter, no https support either. How do I know all the jokes and comments of my fellow /.ers are real and not some man in the middle feeding me fake jokes?
Yeah, I get that neither is really important for the slashdot site, but they would add some nice spice :D
I got a Netgear @ Best Buy that does support it. But you are right - a lot of them don't
It's odd that the ISP doesn't provide a router which can use the services they provide!
I got a generic Thomson/Alcatel router from my ISP which does v4 and v6. I had the same model from my previous ISP and it was IPv4 only, so just a firmware difference between the two.
Your prefix should be constant and should remain the same across reconnects. If you want the remainder to be constant, it should be constant with SLAAC, being based on the MAC address. If it's changing and you don't want it to, try disabling privacy extensions? Or you could use DHCPv6 or static allocation if that wasn't sufficient.
There are still XP machines? Well, even they have IPv6 support patches.
Anything that has enough flash memory in it could get the code needed to add IPv6 support. All the current OSs - Windows (everything since Vista), OS X, BSD and Linux - fully support IPv6.
Yeah, dealing w/ hex is not intuitive. However, most IPv6 addresses start w/ 2 - like 2001::/16, and that tells you that it is a routable IPv6 address. You may also see something like fe80: as your starting address, which implies that it's a link local address - a non routable address that can only be reached from within the subnet.
If your ISP doesn't support IPv6, you won't see the 2001: number or anything like it. What you might see, if you were to do an ipconfig, would be something like this:
[lintel@cisc] ~% ifconfig
re0: flags=8843 metric 0 mtu 1500
options=8209b
ether b8:2a:72:a8:b7:cf
inet6 fe80::ba2a:72ff:fea8:b7cf%re0 prefixlen 64 scopeid 0x1
inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=23
media: Ethernet autoselect (100baseTX )
status: active
lo0: flags=8049 metric 0 mtu 16384
options=600003
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21
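Added example, not from the thread: Python that does the sorting the post above describes by eye (2001:-style global, fe80: link-local, the fd00::/7 unique-local range mentioned elsewhere in the thread, loopback, multicast) and, for the privacy-extensions discussion, checks whether an address's interface identifier is a modified EUI-64 built from a MAC address, which is what separates a classic SLAAC address from a privacy-extension one. Fed the re0 link-local address from the ifconfig output above, it recovers the ether address shown there; the 2001:db8:1:: address in the test is constructed.

```python
from ipaddress import IPv6Address, IPv6Network

# RFC 4193 reserves fc00::/7 for unique local addresses; the fd00::/8 half
# (first byte 0xfd) is the locally assigned one actually in use.
ULA = IPv6Network("fc00::/7")
LINK_LOCAL = IPv6Network("fe80::/10")     # RFC 4291
DOCUMENTATION = IPv6Network("2001:db8::/32")  # RFC 3849


def classify(addr: str) -> str:
    """Return a coarse scope label for an IPv6 address."""
    a = IPv6Address(addr)
    if a == IPv6Address("::1"):
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"       # reachable only on the attached link
    if a in ULA:
        return "unique-local"     # private, never routed on the Internet
    if a.is_multicast:
        return "multicast"        # ff00::/8; ff02::1 is "all nodes on the link"
    if a in DOCUMENTATION:
        return "documentation"
    if a.is_global:
        return "global"
    return "other"


def eui64_mac(addr: str):
    """If the low 64 bits are a modified EUI-64 derived from a 48-bit MAC
    (classic SLAAC), return that MAC; otherwise return None.

    The test is the 0xfffe filler in the middle of the identifier. It is a
    heuristic: a randomly generated (privacy-extension) identifier has a
    1 in 65536 chance of carrying those two bytes by accident."""
    iid = int(IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    first = b[0] ^ 0x02           # undo the universal/local bit flip
    mac = bytes([first]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def describe(addr: str) -> dict:
    """Scope plus whether the address exposes a hardware address."""
    mac = eui64_mac(addr)
    return {"scope": classify(addr), "eui64_mac": mac, "mac_derived": mac is not None}


if __name__ == "__main__":
    for a in ("fe80::ba2a:72ff:fea8:b7cf",       # from the ifconfig output in the thread
              "2001:db8:1::8a3c:4f2e:91b0:77d1",  # constructed privacy-extension style address
              "fd12:3456:789a::1", "ff02::1", "::1"):
        print(a, describe(a))
```

A MAC-derived identifier is stable across networks and therefore trackable, which is the problem RFC 4941 privacy extensions address by using random identifiers instead.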
Wouldn't privacy extensions provide that? Or are you talking about devices that should have static IPs? If it's the latter, why should such addresses be shuffled after every reconnect?
There is absolutely nothing that NAT achieves which cannot be functionally reproduced with a combination of a firewall and a layer 3 transparent proxy.
Yes, I am.
There are no broadcasts in IPv6: you achieve that by link-local multicasts to ff02::1 which would achieve the same result.
It's a shame one of the biggest cloud hosting providers, aws, doesn't provide ipv6 support.
I've been keeping up and I'm pretty sure that "IP address does not equal person" is going to be overturned after accurate logs are seized and released a few times. You may want to ignore the trend but it's happening and the MPAA just keeps on spamming the court systems of multiple countries to get their way.
It's not about IPv6, only persistence of lawyers and the very consumer unfriendly, downright draconian laws they are trying to ram through to get access to all our "metadata".
You appear to assume that breaking end-to-end connectivity does not provide any security that a firewall cannot provide.
While most of the security that it does provide can be provided more robustly by a firewall, the additional breaking of end-to-end connectivity does carry a certain level of security with it all by itself that a firewall alone cannot achieve, and for many purposes is all of the security one will ever require. Likewise, a firewall may offer all of the security one will ever need, but that doesn't mean there isn't enough room in the world for both, and each offers something by itself that the other does not.
You can combine a firewall that by default blocks all incoming connections with a layer-3 transparent proxy to get all of the security that a typical consumer NAT device offers, but then at that point, you are really just using NAT anyways... just calling it by a different name.
NAT by itself is not security... but it does offer a certain type of security that a firewall alone will not achieve. The fact that this may be unimportant to you does not mean it is unimportant to everyone.
The isp thing does ipv6 but who actually manages it? - I'd rather not become a public hotspot because it's their config and updates
I have ddwrt flashed routers
And why does it matter if, from the outside, your network looks like one 32 bit address or a 64 bit subnet? The actual addresses in use on your network aren't any more visible to the internet than they would be if NAT was in use (you still have a firewall on or before your router after all), you're just doing away with all that port mapping and translation.
Which is something that can be forced and is pretty well the only useful bit of Network Address Translation left if you have enough IP addresses. A proxy on a bridge is another option but less trivial to set up.
I really don't get the point of all your verbiage since IPv6 can also do NAT and a firewall is far more effective at doing the other tasks described anyway. There's no real security with NAT as shown with some of the NAT traversal hacks demonstrated over the years and even featured here. Relying on hiding instead of actual blocking is not a wise action, especially when the outright blocking is trivially accomplished.
I really cannot see any advantage of IPv4 plus NAT apart from the obvious of it already being in place - an advantage that vanishes with new installations that may have to be behind multiple layers of NAT that make it hard for the things you want to make it through.
Right, and originally, the way addresses were thought out was that you'd drill deeper into an address to find its destination. I know that 2001:db8 is what is used for documentation purposes, but for the example below, I'll use an ARIN specific range to support the levels I'm discussing.
So let's say ARIN has an address - 2615::/16. Let's say University of California approaches them for an address block for their various campii. ARIN gives them 2615:db8::/32. Following that, the various campii ask them for blocks of addresses. UC gives UCLA 2615:db8:2000::/36. They give Berkeley 2615:db8:3000::/36. Riverside gets 2615:db8:4000::/36. UCSD gets 2615:db8:5000::/36. UCSC gets 2615:db8:6000::/36. And so on.
Now, lets say at Berkeley, the CS department wants a block of addresses. They are assigned 2615:db8:3300::/40. The CS department then assigns blocks of /48 to various sub-groups within the department, such as Graphics processing, AI, Networking, and so on.
Now let's say someone from out there wants to access Berkeley's AI lab. From a routing standpoint, it would follow the same rules. 2615::/16 would tell the router that it is within ARIN's coverage area. It will parse the next word of the address - db8 - which will tell it that it goes to the University of CA. The following nybble will find 3, which will send it to Berkeley, and then, the remaining 3 nybbles will direct it to the AI lab.
The reason this is not currently implemented is due to the concept of provider independent addresses. Like in the above example, let's say that the UC system got their internet access from different vendors - SBC, Verizon communications, Comcast Business and AT&T. UC would want to have the same IP addressing scheme regardless of who they used, and would want to use, from the above example, 2615:db8::/32, and not have to change that every time the ISP changes. While this maintains the simplicity of their addressing scheme, the routing is now complicated due to the fact that within the same range, one would have to be reached via SBC sites, another via Verizon sites and so on. A way around this would be multihoming solutions like mentioned in RFC 7157.
In IPv4, given the scarcity of addresses, nothing like what I described above was even conceivable, since you had ~3.7 billion routable addresses to start w/. Here, having a hierarchic level of addressing does potentially simplify routing, as long as the multihoming solutions would address and work around the needs of Provider Independent addressing.
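Added example, not from the thread: Python that puts the hypothetical hierarchy from the post above into a routing table and resolves a destination by longest-prefix match, returning the chain of ever-more-specific prefixes the post walks through by hand (ARIN region, UC, Berkeley, CS department, lab). The 2615::/16 range and everything under it are the post's own illustrative values, not real allocations, and the /48 for the AI lab is an assumption consistent with the CS department's /40.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed table reproducing the post's hypothetical hierarchy.
# 2615::/16 is the post's illustrative range, not a real ARIN allocation.
TABLE = [
    (IPv6Network("2615::/16"), "ARIN region"),
    (IPv6Network("2615:db8::/32"), "University of California"),
    (IPv6Network("2615:db8:2000::/36"), "UCLA"),
    (IPv6Network("2615:db8:3000::/36"), "Berkeley"),
    (IPv6Network("2615:db8:4000::/36"), "Riverside"),
    (IPv6Network("2615:db8:3300::/40"), "Berkeley CS"),
    (IPv6Network("2615:db8:3301::/48"), "Berkeley CS AI lab"),  # assumed /48 under the CS /40
]


def lookup(addr: str):
    """Longest-prefix match. Returns (most specific label, chain of matching
    labels from least to most specific), or None if nothing covers the address."""
    a = IPv6Address(addr)
    matches = sorted(((n, label) for n, label in TABLE if a in n),
                     key=lambda m: m[0].prefixlen)
    if not matches:
        return None
    return matches[-1][1], [label for _, label in matches]


def check_hierarchy(table=TABLE) -> list:
    """Sanity check that every more-specific prefix really sits inside a
    less-specific one; returns the labels that do not (an aggregation gap)."""
    orphans = []
    for net, label in table:
        if net.prefixlen == 16:
            continue
        parents = [p for p, _ in table if p.prefixlen < net.prefixlen and p.supernet_of(net)]
        if not parents:
            orphans.append(label)
    return orphans


if __name__ == "__main__":
    for dest in ("2615:db8:3301::42", "2615:db8:2000::1", "2615:db8:4000::7", "2001:db8::1"):
        print(dest, "->", lookup(dest))
    print("orphans:", check_hierarchy())
```

With provider-aggregatable addressing, only the top entries need to exist outside the organisation; a provider-independent /32 that must be reachable through several ISPs is exactly the entry that cannot be summarised away and has to be carried in every provider's table.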
"if a 67% increase per year"
??? It was a 6% increase. Was that a typo that was supposed to read 6 - 7%?
Anyway, I'm not sure it matters. Look at the graph. It's not linear it's exponential. If that trend keeps up I would expect much more than 6 to 7% increases in the coming years.