Slashdot Mirror


IPv6 Turns 20, Reaches 10 Percent Deployment (arstechnica.com)

An anonymous reader writes: Ars notes that the RFC for IPv6 was published just over 20 years ago, and the protocol has finally reached the 10% deployment milestone. This is an increase from ~6% a year ago. (The percentage of users varies over time, peaking on the weekends when most people are at home instead of work.) "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."

"A decade or so ago, it was still quite common for people to complain about certain IPv6 features, and proclaim the protocol would never catch on. Although part of that can be blamed on the conservative nature of network administrators, it's true that adopting IPv6 requires abandoning some long-standing IPv4 practices. For instance, with IPv4, it's common to use Network Address Translation (NAT) so multiple devices can share the use of an IPv4 address. IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6. The Internet is probably better off without NAT and the complications that it adds, but without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject."

13 of 294 comments

  1. what by phantomfive · · Score: 3, Informative

    without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.

    What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:what by Jawnn · · Score: 4, Interesting

      What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?

      Yes, but we all know that there is a metric shitload of routers out there that have nothing but NAT defending their "internal" networks. Turn on IPv6 and those internal networks are simply open to the world.

      Now, I am not saying we shouldn't go there, but the scope of "doing it right" is almost immeasurable. IMO, it is that which is the single largest barrier to widespread adoption of IPv6.

    2. Re:what by unixisc · · Score: 4, Informative

      The summary seems to imply that there is no supported NAT in IPv6. Au contraire, the IETF did specifically define a NAT standard for IPv6 - it's called NAPT. It has the same concepts as IPv4 NAT - translating a public address to a private one (granted, there are more categories of the latter in IPv6). Only thing different is that it's a 1:1 address mapping here, as opposed to a 1:many address mapping in IPv4. Which saves the agony of Port Address Translation and there being fewer ports for other applications that NEED it.

      But if someone wants to have something handy for load balancing, NAPT can be used. I'm not sure of what the defined multi-homing mechanism is in IPv6, and whether it necessitates the use of NAPT or not.

    3. Re:what by lokedhs · · Score: 4, Informative

      Or, you might want to read up on Privacy Extensions before you start talking about exposing internal information which hasn't been valid since 2001. Yes, that's 15 years ago, as modern as 2001 may feel to us old guys.

    4. Re:what by Todd Knarr · · Score: 3, Interesting

      What do you mean IPv6 messed with things? What you're describing is simply the ending of the aberration that is masquerade-mode NAT and the return to the way IPv4 networks operated for most of their existence. Masquerade-mode NAT was a nasty, awkward kludge to normal routing created to work around the refusal of the DSL and cable ISPs to offer more than a single IP address to a subscriber at a time when subscribers were starting to have multiple computers in their households. Up until that point computers on IPv4 networks were directly connected to the Internet with their IP address visible to the world. That's how I used to run servers on dial-up lines, no router involved (at least on my end). All you have to do to protect your IPv6 networks is set up the equivalent to a standard IPv4 firewall. Like IPv4 you have to pay attention to what ports are allowed inbound to which hosts, but that's nothing new and IPv6 gives you more tools to help segregate desired inbound connections from unwanted ones.

      Then again, I suppose most people these days haven't written firewall rules or even thought about them; masquerade-mode NAT hid the issues by terminating all non-ESTABLISHED non-RELATED traffic on the router's WAN port and the router didn't have any services except DHCP and DNS listening on the WAN side. Well, it wasn't supposed to anyway, but turns out quite a few did have things listening and those things had pretty much crap authentication so attackers could pretty much walk straight on through without breaking stride. Hence why I prefer explicit firewall rules where I know the packets are going down a black hole before anything that might be listening can even see them.

    5. Re:what by unixisc · · Score: 4, Informative

      But it's the firewall that comes w/ NAT that does the defending - the same thing that can be done w/ a public IPv6 connection. Not that I recommend it, but one could even use a combination of NAPT w/ IPv6 public addressing if one HAS TO use NAT: you'd still get the firewall, and you'd still have the warm and fuzzy feeling that NAT gives you.

    6. Re:what by hairyfeet · · Score: 4, Interesting

      The rotting elephant in the room is NOT the "security" of NAT, it's the legal issues, specifically that the *.A.A will be able to argue that "IP address equals person" thus letting them sue pretty much anybody for anything. You put up a vid of your kid dancing to a corporate media conglomerate owned song? Enjoy your lawsuit.

      This of course isn't even bringing up how badly corporate has fucked IT for the last decade which means all the older networking gurus have all bailed, leaving a bunch of kids that won't know how to diagnose, much less fix shit when the inevitable IP V6 headaches hit, we have the environmental disaster as you have literally tens of millions of routers and modems that simply cannot handle IP V6 so all of that will have to be trashed, which of course adds to the cost of switching which is gonna be quite high......I'm sorry but there is a LOT of downsides and very few upsides.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. If we don't adopt it, the nanobots will by jma05 · · Score: 4, Funny
  3. Re:Many happy returns, IPv6 by phantomfive · · Score: 3, Insightful

    Is that the metric that keeps IPv6 adaption capped?

    I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.

    --
    "First they came for the slanderers and i said nothing."
  4. Re:Fuck You! by Dagger2 · · Score: 3, Insightful

    Those are all excuses. None of that stuff needs to be touched to deploy v6. Deploying v6 won't make any of it work worse than it currently is. You don't need to upgrade all your DOCSIS1/2 modems to get v6 to the DOCSIS3 modems.

    Also if you're an ISP that's been buying hardware in the past half a decade that's not v6 capable, then you screwed up -- or if your hardware is much older than that, then you're probably looking towards a replacement soon anyway.

  5. Re:More like 0.1% -- IPv6 traffic is special purpo by jfdavis668 · · Score: 4, Informative

    My cell phone traffic has been IPv6 for years. Every time I watch a YouTube video, piles of IPv6 traffic flow. A large amount of network traffic is now handheld related.

  6. Re:Topology detection by unixisc · · Score: 3, Informative

    No, subnet addresses are the 49th to the 64th bit of the address, or something beyond 49th to 64th, depending on how it's allocated. Most routers would recognize the entire lower half of the address as the interface ID. There is no concept of 'class' networks the way there was in IPv4. Everything is 2^64.

    Yeah, one could break the protocol and assign subnets to something in the lower half, and a few things, like SLAAC, RAs would stop working.

  7. Re:Familiarity with IPv4 is hindering adoption by silas_moeckel · · Score: 3, Informative

    Your average consumer grade NAT router that supports IPv6 has a default stateful firewall blocking unwanted inbound connections. Really no different than IPv4 with NAT.

    --
    No sir I dont like it.
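
Added example (not part of any comment above, and not taken from any vendor's firmware): an nftables ruleset sketching the stateful IPv6 policy the thread describes, where only ESTABLISHED/RELATED traffic comes back in from the WAN and nothing on the router itself listens to the outside. The interface names `wan0` and `lan0` and the commented-out server address (documentation prefix 2001:db8::/32) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny inbound IPv6 policy for a small router.
# Assumed names: wan0 = upstream interface, lan0 = inside interface.

table ip6 v6_edge {
    # Traffic routed THROUGH the router to and from inside hosts.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that inside hosts opened, plus ICMPv6 errors
        # tied to those flows (the part masquerade NAT did implicitly).
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open new connections outbound.
        iifname "lan0" oifname "wan0" accept

        # Unsolicited ICMPv6 errors are still needed for path MTU discovery;
        # echo is allowed but rate-limited.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Deliberate openings are listed one host and one port at a time, e.g.:
        # iifname "wan0" ip6 daddr 2001:db8:1:10::80 tcp dport 443 accept
    }

    # Traffic addressed TO the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisements must come from the
        # local link, so require hop limit 255.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # DHCPv6 replies from the ISP, if the router gets its prefix that way.
        iifname "wan0" ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # Router services (DNS, DHCPv6, admin UI) are reachable from the LAN only;
        # anything else arriving on wan0 falls through to the drop policy.
        iifname "lan0" accept
    }
}
```

The ruleset can be syntax-checked without loading it using `nft -c -f <file>`.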