The point at which you can't actually receive any more addresses won't come until the RIRs exhaust the blocks that they have received from IANA which might not be for another year after that.
I Hope noone in any sort of IT role reads this article and decides to put off their IPv6 projects.
The IPv6 killer app is IPv4 address space runout. http://www.potaroo.net/tools/ipv4/index.html
Unless you are a person who has actually applied for IPv4 address space for a project ( eg. new ISP broadband product, new co-location room, planning for next years subscriber growth etc. ), you are going to have alot more work to do to imagine what is going to happen when the first bunch of IPv4 space applications are declined ( more likely approved but put on the waiting list ).
People who actually use up big wads of IPv4 space are either going to have to decide that you have to push IPv6 into the project in some form, or you are going to design up some sort of multi layer NAT monstrosity along with the huge mess that is going to make. The IPv6 doom sayers are just trying to convince people to choose the one off pain of the IPv6 migration over a giant mess of NAT forevermore. If you really love the multilayer NAT and don't want to live without it, then be consoled by the fact that you probably are going to get it along side your IPv6 for at least a while anyway.
If you are the editor of some PC mag, you aren't actually going to get to choose what happens and you probably should just shut up.
Agreed that the general idea would be a good thing.
However, how do you come up with a workable definition of "keep developing"? Would employing a drunk homeless guy to translate the comments in the source code from English to ancient hebrew making releases 6 monthly count?
You are probably seeing two different types of people replying.
The first will be people who have been using Linux for years and have probably unconsciously been picking hardware that gives no trouble with every purchasing decision they make. These people do a fresh install of the latest version of Ubuntu and are amazed because the random printer that they brought home from work goes properly along with everything else that they have. A small subset of this group will also just be lucky.
The second are people who have recently been through Linux running on an old ex-windows box with the cheapest nastiest random usb junk + ATI video they had and given up and bought a new box picking the troublesome parts themselves.
I doubt either group will be trying to be deceptive, they have just had different experiences.
You are mistaken, the prefixes in question are blocks assigned directly to end users that qualify for a block by needing multihoming.
The first few prefixes in the list in the article have been assigned to organisations like CNET and the Smithsonian Institute, that require reliable connectivity, but don't qualify as an ISP as such.
The messy bit is even some of the IANA name servers look to be in those blocks, so they are even blocking access to some important infrastructure by choosing to filter them.
Given a couple of years of treating protocols differently, then _absolutely everything_ will evolve to have an option to tunnel over http.
This is a case where from the ISP perspective the 1% of users that use 99% of your backhaul are also the most determined to carry on doing it, so the obvious technical countermeasures will get implemented without much trouble.
The bigger worry with the net neutrality debate is providers slowing traffic by destination rather than by protocol, or more likely the reverse ie. traffic shape everything other than those in our list of 'business partners'. The only workable solution for the end user is to close their account, which is probably exactly what your ISP wants you to do in this case.
Does this mean that the token ring drivers that have been in the Linux kernel for seems like forever dont exist, or does this mean you are a troll?
From the modules in ubuntu 9.04:./kernel/drivers/net/tokenring./kernel/drivers/net/tokenring/3c359.ko./kernel/drivers/net/tokenring/abyss.ko./kernel/drivers/net/tokenring/olympic.ko./kernel/drivers/net/tokenring/tms380tr.ko./kernel/drivers/net/tokenring/tmspci.ko
It was definitely an insane path, our routers were configured to drop anything with an AS path longer than 75, old versions of IOS would often just drop the BGP session ( or even crash with some _really_ old versions ).
I'm sure there will be some red faced network engineers updating IOS or even doing forklift upgrades of old boxes at their edges in the near future.
I wouldn't actually use P2P as any sort of reason for implementing IPv6, but I would use it as one example of a class of applications that will take advantage of end to end connectivity.
The government and corporations ( and probably you ) will get over themselves when the applications start taking advantage of end to end connectivity.
There is absolutely no real security added by translating addresses. Ask yourself this; if your upstream ISP decided to route 192.168.1.0/24 ( or whatever network you use at home ) at the outside interface of your router, would your router drop traffic that followed it? If it does then you have some stateful firewalling in place that would work equally well if you had public addressing. If your router does forward that traffic then the only thing saving you is NAT, you should probably do something about it.
I think people taking the position that IPv6 is more secure probably are misleading people, I can't see a single reason why, it seems to be exactly the same from any metric I can measure with. Securing a dual stack scenario will be almost exactly twice the work, this would be the case whatever the technology was.
The killer IPv6 app is IPv4 address space exhaustion, get used to it.
The reality ( hand waving aside ), is that all RIR members are going to carry on requesting address space at about the same rate ( probably a little higher ) as they have for the last few years and we _are_ absolutely going to run out of IPv4 space. Look at the actual numbers:
You can try to come up with some tax to reduce public address space usage, and increase the usage of ugly hacks like NAT, or you can encourage adoption of a new standard that has no practical limitations for address space usage.
Building IPv6 networks challenges alot of your assumptions. You can build your networks mostly the same way that you build your IPv4 networks, but eliminating the scarcity of addresses means you can also build them a whole lot differently and better.
I am convinced that most people in the IT industry have no idea how much brain damage NAT causes, and how weird some of the established ideas of how networks are built are.
1. Why have a central firewall, rather than centrally managed firewalling rules and logging?
2. Why have a central IPSEC box, rather than encrypt from each host to each other host.
3. Why not build your office LAN with public DNS and public address space on the internet?
I can probably guess all the answers that people will give to these ( and I don't even recommend going out and implementing all these ideas ), but once you have built networks with these ideas you will have learnt a heap about why NAT is bad for everyone.
Your post has a great summary of views that will have to be conquered before IPv6 will take off and start to benefit people.
Setting up IPv6 ( from an ISP perspective ) is exactly as hard as setting up IPv4, once the service provider decides to deploy it, you aren't going to have much choice if you want it configured up or not ( at least to your CPE ).
If you are typing IP addresses you are probably doing something wrong anyway, IPv6 might be the incentive that spurs you upgrade to/etc/hosts or maybe even this crazy thing called DNS that those crazy internet guys are using.
If you are worried about having publicly accessible IP's put in some firewalling. Seriously, firewall those addresses off the internet, you might find that you actually want to open them back up so you can access it however. A stateful firewall has all the bits of a NAT box that actually give you the security that you probably like, translating the addresses doesn't.
If you want internet addressable condoms, then don't connect them to a network.
I'm really looking forward to people getting back end to end connectivity. But, I'm slightly nervous that the backyard computer crowd + clueless IT folk are going to ruin it because they will be scared of operating without the horrible kludge and resulting brain damage that is NAT, Hopefully they wont.
There is a level of indirection here that you are ignoring, they were disconnected for the most part for hosting the C&C boxes for a bunch of large botnets. The botnets send the spam, not the spammers directly.
I think you would have a hard time arguing that hosting a bunch of massive botnets is excusable / legal.
As a public service I am acting as an unpaid copy editor for this troll =)
Feel free to send patches, in no time we can have this troll updated into this decade in open source fashion:
You *could* but remember this tale of forewarning:
"I don't want to start a holy war here, but what is the deal with you Windows fanatics? I've been sitting here at my freelance gig in front of a Dell w/ Windows 7 x64 (w/4 GB of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium III 1000 running XP, which by all standards should be a lot slower, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, Firefox will not work. And everything else has ground to a halt. Even Notepad++ is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various Windows 7 boxes, but suffice it to say there have been many, not the least of which is I've never seen a Windows 7 box that has run faster than its XP counterpart, despite Windows 7's snappier interface. My PIII with 512 megs of ram runs faster than this Quad core 3.6 ghz machine at times. From a productivity standpoint, I don't get how people can claim that Windows 7 is superior.
Flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Windows 7 box over other faster, cheaper, more stable systems."
In New Zealand our DVB-T platform is broadcast in h.264 with a kind of funky LATM AAC audio codec and also 2 channel AC3. Our DVB-S platform is still the more conventional mpeg2 with AC3.
I'm not sure if these are options to the relevant ATSC standard or if we just chose to ignore the standards, either way I guess NZ is an example that is not mpeg2 / AC3.
I haven't come across a good technical description of the attack, but I expect that the AS path prepending is just to stop the transit AS that you are using to reinject the traffic from sending the traffic straight back at you.
ie. if you know AS666 is a transit for AS69 (that you are hijacking the traffic from), then you prepend AS666 in the path you advertise to the rest of the internet and bgp loop detection on the routers in AS666 will drop the bogus path and send your traffic to the real target AS69 instead.
Longer answer, any circuit where you don't have a predictable amount of bandwidth will be hell to build any QoS with. Pretty well any home user connection will be in this class. Most of the cheap consumer devices that claim to do this are relying on tricks that won't work in a heap of cases or worse are snake oil.
No device is going to be able to do a good job without a heap of background information on what your connection is an how it behaves, things like when the buffers for outbound traffic on the other end of your DSL line kick in and behave etc.
If you want to learn a whole bunch of esoteric commands and a bit about networking you should be just fine building something to do it with a Linux box =)
Alternatively you might get a 95% successful solution if you buy a consumer device and shape the internet facing interface down to a speed that you hope your circuit will never drop below.
I did, the google logo does a little dance, other than that it just looks like google.
I guess I was expecting too much, but the sites that are indexed appear to be just the regular ipv4 sites, so they have ipv6 enabled the web frontend to the search engine but not the back end that goes and crawls the web.
My apologies, I just made it up off the top of my head. I'm not sure if it has been used anywhere before, did anyone get my half assed variant of YHBT? =)
Sounds like you just made up some definitions in your head ( or worse follow someone other deluded sods mantra ) for some fairly well worn terminology and then decided to go on a crusade to harass the unbelievers.
Firewall is not an synonym for stateful filter like you imply later on in this thread. For some data to support my statement, the firewall entry at wikipedia says:
"A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules."
It then goes on to mention classify firewalls into first, second and third generation ( the first being what you called "Port blocking" ).
If you are connecting to Linux or a BSD or anything else that runs openssh, then you can have something along these lines now. Setup an openssh DSA key, copy the public key to whatever machines you need to log into and then you can disable password logins in/etc/ssh/sshd_config altogether. If you are running Linux then for extra credit configure pam_ssh to get single sign on with an ssh key agent. If you are running windows as your client then you will have to make do with putty and pagent.
Slashdot Mirror
Whoever was telling you that we were going to run out in one year five years ago was probably smoking methamphetamines at the time.
The IANA free pool will run out next year, probably before mid year.
The point at which you can't actually receive any more addresses won't come until the RIRs exhaust the blocks that they have received from IANA which might not be for another year after that.
I don't know where you have been getting your predictions. It is pretty certain that IANA is going to run out of space about the middle of next year.
We have 14 /8's left in the IANA free pool, we use up almost 2 /8's every month.
Are you betting on the ipv4 space usage magically decreasing ( right when everyone will start freaking out about getting their last allocations )?
Where am I supposed to skip to if I'm starting in .nz?
I Hope noone in any sort of IT role reads this article and decides to put off their IPv6 projects.
The IPv6 killer app is IPv4 address space runout. http://www.potaroo.net/tools/ipv4/index.html
Unless you are a person who has actually applied for IPv4 address space for a project ( eg. new ISP broadband product, new co-location room, planning for next years subscriber growth etc. ), you are going to have alot more work to do to imagine what is going to happen when the first bunch of IPv4 space applications are declined ( more likely approved but put on the waiting list ).
People who actually use up big wads of IPv4 space are either going to have to decide that you have to push IPv6 into the project in some form, or you are going to design up some sort of multi layer NAT monstrosity along with the huge mess that is going to make. The IPv6 doom sayers are just trying to convince people to choose the one off pain of the IPv6 migration over a giant mess of NAT forevermore. If you really love the multilayer NAT and don't want to live without it, then be consoled by the fact that you probably are going to get it along side your IPv6 for at least a while anyway.
If you are the editor of some PC mag, you aren't actually going to get to choose what happens and you probably should just shut up.
Agreed that the general idea would be a good thing.
However, how do you come up with a workable definition of "keep developing"? Would employing a drunk homeless guy to translate the comments in the source code from English to ancient hebrew making releases 6 monthly count?
Dear Rupert,
/robots.txt under penalty of contract, perjery, cross my heart and pinky swear.
We will honour
Signed
Google.
You are probably seeing two different types of people replying.
The first will be people who have been using Linux for years and have probably unconsciously been picking hardware that gives no trouble with every purchasing decision they make. These people do a fresh install of the latest version of Ubuntu and are amazed because the random printer that they brought home from work goes properly along with everything else that they have. A small subset of this group will also just be lucky.
The second are people who have recently been through Linux running on an old ex-windows box with the cheapest nastiest random usb junk + ATI video they had and given up and bought a new box picking the troublesome parts themselves.
I doubt either group will be trying to be deceptive, they have just had different experiences.
You are mistaken, the prefixes in question are blocks assigned directly to end users that qualify for a block by needing multihoming.
The first few prefixes in the list in the article have been assigned to organisations like CNET and the Smithsonian Institute, that require reliable connectivity, but don't qualify as an ISP as such.
The messy bit is even some of the IANA name servers look to be in those blocks, so they are even blocking access to some important infrastructure by choosing to filter them.
Given a couple of years of treating protocols differently, then _absolutely everything_ will evolve to have an option to tunnel over http.
This is a case where from the ISP perspective the 1% of users that use 99% of your backhaul are also the most determined to carry on doing it, so the obvious technical countermeasures will get implemented without much trouble.
The bigger worry with the net neutrality debate is providers slowing traffic by destination rather than by protocol, or more likely the reverse ie. traffic shape everything other than those in our list of 'business partners'. The only workable solution for the end user is to close their account, which is probably exactly what your ISP wants you to do in this case.
Interesting times.
Does this mean that the token ring drivers that have been in the Linux kernel for seems like forever dont exist, or does this mean you are a troll?
./kernel/drivers/net/tokenring ./kernel/drivers/net/tokenring/3c359.ko ./kernel/drivers/net/tokenring/abyss.ko ./kernel/drivers/net/tokenring/olympic.ko ./kernel/drivers/net/tokenring/tms380tr.ko ./kernel/drivers/net/tokenring/tmspci.ko
From the modules in ubuntu 9.04:
This only broke BGP implementations that are getting pretty long in the tooth now, on a moderately recent version of IOS all we saw is:
Feb 17 05:25:03.731 nzdt: %BGP-6-ASPATH: Long AS path 10026 3356 29113 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 received from xxx.xxx.xxx.xxx: More than configured MAXAS-LIMIT
It was definitely an insane path, our routers were configured to drop anything with an AS path longer than 75, old versions of IOS would often just drop the BGP session ( or even crash with some _really_ old versions ).
I'm sure there will be some red faced network engineers updating IOS or even doing forklift upgrades of old boxes at their edges in the near future.
I wouldn't actually use P2P as any sort of reason for implementing IPv6, but I would use it as one example of a class of applications that will take advantage of end to end connectivity.
The government and corporations ( and probably you ) will get over themselves when the applications start taking advantage of end to end connectivity.
There is absolutely no real security added by translating addresses. Ask yourself this; if your upstream ISP decided to route 192.168.1.0/24 ( or whatever network you use at home ) at the outside interface of your router, would your router drop traffic that followed it? If it does then you have some stateful firewalling in place that would work equally well if you had public addressing. If your router does forward that traffic then the only thing saving you is NAT, you should probably do something about it.
I think people taking the position that IPv6 is more secure probably are misleading people, I can't see a single reason why, it seems to be exactly the same from any metric I can measure with. Securing a dual stack scenario will be almost exactly twice the work, this would be the case whatever the technology was.
The killer IPv6 app is IPv4 address space exhaustion, get used to it.
The reality ( hand waving aside ), is that all RIR members are going to carry on requesting address space at about the same rate ( probably a little higher ) as they have for the last few years and we _are_ absolutely going to run out of IPv4 space. Look at the actual numbers:
http://www.potaroo.net/tools/ipv4/index.html
You can try to come up with some tax to reduce public address space usage, and increase the usage of ugly hacks like NAT, or you can encourage adoption of a new standard that has no practical limitations for address space usage.
Building IPv6 networks challenges alot of your assumptions. You can build your networks mostly the same way that you build your IPv4 networks, but eliminating the scarcity of addresses means you can also build them a whole lot differently and better.
I am convinced that most people in the IT industry have no idea how much brain damage NAT causes, and how weird some of the established ideas of how networks are built are.
1. Why have a central firewall, rather than centrally managed firewalling rules and logging?
2. Why have a central IPSEC box, rather than encrypt from each host to each other host.
3. Why not build your office LAN with public DNS and public address space on the internet?
I can probably guess all the answers that people will give to these ( and I don't even recommend going out and implementing all these ideas ), but once you have built networks with these ideas you will have learnt a heap about why NAT is bad for everyone.
Your post has a great summary of views that will have to be conquered before IPv6 will take off and start to benefit people.
Setting up IPv6 ( from an ISP perspective ) is exactly as hard as setting up IPv4, once the service provider decides to deploy it, you aren't going to have much choice if you want it configured up or not ( at least to your CPE ).
If you are typing IP addresses you are probably doing something wrong anyway, IPv6 might be the incentive that spurs you upgrade to /etc/hosts or maybe even this crazy thing called DNS that those crazy internet guys are using.
If you are worried about having publicly accessible IP's put in some firewalling. Seriously, firewall those addresses off the internet, you might find that you actually want to open them back up so you can access it however. A stateful firewall has all the bits of a NAT box that actually give you the security that you probably like, translating the addresses doesn't.
If you want internet addressable condoms, then don't connect them to a network.
I'm really looking forward to people getting back end to end connectivity. But, I'm slightly nervous that the backyard computer crowd + clueless IT folk are going to ruin it because they will be scared of operating without the horrible kludge and resulting brain damage that is NAT, Hopefully they wont.
There is a level of indirection here that you are ignoring, they were disconnected for the most part for hosting the C&C boxes for a bunch of large botnets. The botnets send the spam, not the spammers directly.
I think you would have a hard time arguing that hosting a bunch of massive botnets is excusable / legal.
As a public service I am acting as an unpaid copy editor for this troll =)
Feel free to send patches, in no time we can have this troll updated into this decade in open source fashion:
You *could* but remember this tale of forewarning:
"I don't want to start a holy war here, but what is the deal with you Windows fanatics? I've been sitting here at my freelance gig in front of a Dell w/ Windows 7 x64 (w/4 GB of RAM) for about 20 minutes now while it attempts to copy a 17 Meg file from one folder on the hard drive to another folder. 20 minutes. At home, on my Pentium III 1000 running XP, which by all standards should be a lot slower, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, Firefox will not work. And everything else has ground to a halt. Even Notepad++ is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various Windows 7 boxes, but suffice it to say there have been many, not the least of which is I've never seen a Windows 7 box that has run faster than its XP counterpart, despite Windows 7's snappier interface. My PIII with 512 megs of ram runs faster than this Quad core 3.6 ghz machine at times. From a productivity standpoint, I don't get how people can claim that Windows 7 is superior.
Flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Windows 7 box over other faster, cheaper, more stable systems."
In New Zealand our DVB-T platform is broadcast in h.264 with a kind of funky LATM AAC audio codec and also 2 channel AC3. Our DVB-S platform is still the more conventional mpeg2 with AC3.
I'm not sure if these are options to the relevant ATSC standard or if we just chose to ignore the standards, either way I guess NZ is an example that is not mpeg2 / AC3.
I haven't come across a good technical description of the attack, but I expect that the AS path prepending is just to stop the transit AS that you are using to reinject the traffic from sending the traffic straight back at you.
ie. if you know AS666 is a transit for AS69 (that you are hijacking the traffic from), then you prepend AS666 in the path you advertise to the rest of the internet and bgp loop detection on the routers in AS666 will drop the bogus path and send your traffic to the real target AS69 instead.
Short answer, not really.
Longer answer, any circuit where you don't have a predictable amount of bandwidth will be hell to build any QoS with. Pretty well any home user connection will be in this class. Most of the cheap consumer devices that claim to do this are relying on tricks that won't work in a heap of cases or worse are snake oil.
No device is going to be able to do a good job without a heap of background information on what your connection is an how it behaves, things like when the buffers for outbound traffic on the other end of your DSL line kick in and behave etc.
If you want to learn a whole bunch of esoteric commands and a bit about networking you should be just fine building something to do it with a Linux box =)
Alternatively you might get a 95% successful solution if you buy a consumer device and shape the internet facing interface down to a speed that you hope your circuit will never drop below.
I did, the google logo does a little dance, other than that it just looks like google.
I guess I was expecting too much, but the sites that are indexed appear to be just the regular ipv4 sites, so they have ipv6 enabled the web frontend to the search engine but not the back end that goes and crawls the web.
After looking at TFUID, you _are_ new around here.... =)
My apologies, I just made it up off the top of my head. I'm not sure if it has been used anywhere before, did anyone get my half assed variant of YHBT? =)
Firewall is not an synonym for stateful filter like you imply later on in this thread. For some data to support my statement, the firewall entry at wikipedia says:
"A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules."
It then goes on to mention classify firewalls into first, second and third generation ( the first being what you called "Port blocking" ).
In retrospect IPHBT. Oh well.
If you are connecting to Linux or a BSD or anything else that runs openssh, then you can have something along these lines now. Setup an openssh DSA key, copy the public key to whatever machines you need to log into and then you can disable password logins in /etc/ssh/sshd_config altogether. If you are running Linux then for extra credit configure pam_ssh to get single sign on with an ssh key agent. If you are running windows as your client then you will have to make do with putty and pagent.
Passwords are so last century.
Friends don't let friends set up wireless networks!