Yes - in a network where the client has only IPv6 connectivity, it requires DNS64 mangling.
This is a minor problem with the concept but it doesn't invalidate the concept. Give it a try - you can get a live CD and use it with a free tunnel provider and you might be surprised by how usable it is even at this early stage. Remember - this technique is much more valuable for telcos than it is for a typical home user in the developed world. In those places the user will likely have dual-stack available and running for several years during the transition.
This NAT64/DNS64 concept is primarily meant to serve networks where adding new IPv4 addressing isn't possible or isn't desirable. T-mobile is in this situation because they are currently using BOGON addresses behind their IPv4 NAT - this means they are using IP addresses that have been or will soon be assigned to other people. So they already have an issue with hardcoded IPv4 literals embedded in the content. If one of those embedded IPv4 literal addresses conflicts with something behind their NAT it would fail to work today with no IPv6 in the picture. They were forced to do this when they ran out of RFC1918 space and decided that they couldn't partition the IP space behind their NAT - probably because phones may need to talk to other phones at some point.
It's certainly possible for any other site to run NAT64/DNS64 full time so that they can eliminate IPv4 in their network and run single stack IPv6. Should that become a widespread option it's a safe bet that somebody would work on a set of ipf or ipfilter content modules that spotted IPv4 literals used in HTML HREFs and mangled them into IPv6 NAT64 addresses instead. This is exactly how FTP and some other protocols work behind an IPv4 NAT today. There is code to write but this is entirely doable if the need is there. Again - NAT64/DNS64 is early stage and has a year or two to grow into something that is fully production ready for people who elect to run single stack IPv6 which is rare today.
I'm not sure I understand your last sentence. If the client had an IPv4 address (NAT or globally routable) - the IPv4 literal address would be reachable and so no content breakage would occur. In fact, that is what makes this technique less desirable for home networks. In a home network you will probably be able to get a single IPv4 address and a block of IPv6 easily so you will simply run dual-stack and you don't need to mess with NAT64/DNS64.
You're completely right about the psychological resistance. I don't know why but even hard core tech people take time to get over the addresses and I think this has been a major factor in the lack of widespread adoption.
You're completely wrong about the number of IPv6 websites. There are thousands available and the growth has been noticeably accelerating since the 2008 Google IPv6 implementors conference. Every year around conference time more major sites announce availability. This year Facebook was the big one (but not the only one!) to announce a beta site.
Also - try running a torrent on a dual stack connection and you'll clearly see that IPv6 is very popular among torrent users.
There are a couple of major things coming up that are really going to impact this whole IPv6 discussion in the next couple of years.
There has been ongoing work to make IPv6 -> IPv4 NAT work well. This will be needed for sites that can get an IPv6 block for free while an IPv4 block is expensive or unavailable. See here - http://ecdysis.viagenie.ca/
This NAT64/DNS64 technique is available today and makes an IPv6 only connection 95% usable for IPv4 sites and 100% usable for IPv6 content. The IPv4 breakage is sites that hard code IPv4 addresses directly into HTML or XML, or whatnot which is easily fixable if there is incentive. Now for some incentive.
T-Mobile has decided that NAT64 is the way to go so they intend to start rolling out IPv6 only phones using NAT64/DNS64 to get to IPv4 sites. This means that in the next couple of years there will be a couple million handsets that are IPv6 only accessing IPv4 through a large scale NAT64. Verizon is joining the party using dual stack IPv4 NAT/IPv6 native phones. Think about the _global_ demand for cell phones and you can see what will be driving IPv6 adoption pretty clearly. It dwarfs the PC market so the old way of thinking about your aunt's Linksys doesn't really apply. Mobile web is rapidly increasing in importance and you won't have to do anything more than get a new phone in a couple of years to join the IPv6 party.
Comcast, AT&T, and others have announced IPv6 trials in 2010 and 2011 respectively. These could be production systems a year or two down the road. When that happens, anybody who is running Mac OS X, Vista or Win7, or Linux is likely to automagically get a working native IPv6 connection very quickly after that when they or their ISP replaces their home router if it wasn't already v6 (Apple, Buffalo, or recent D-link). This is going to largely coincide with the IPv4 free pool exhausting itself which will give another kick in the pants to adoption.
You don't have to spend a ton of money - all the pieces have been in place for some time in most networks.
It's true that businesses would have to spend money if they wanted to completely eliminate IPv4 but there isn't actually a need to do that. At many companies - most or all of their web facing presence equipment has likely been IPv6 capable for a couple of years now. What's needed is to get a connection (tunneled at first and then native when the traffic demands it) and turn it on. You don't have to eliminate IPv4 internally and you don't have to switchover everything. It's a transition and we don't need to make a false choice when neither the situation nor the economics demands it.
Sorry - got off on a rant there.... :-)
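As an added illustration of the NAT64/DNS64 behaviour the post above describes (example code written for this page, not anything from the post, from T-Mobile or from the Ecdysis project): a DNS64 resolver only synthesizes AAAA records when a name has no native AAAA, by embedding the IPv4 address in a /96 prefix, and the "IPv4 literal in an HREF" breakage can be patched over by rewriting such URLs to the mapped IPv6 literal. The code assumes the RFC 6052 well-known prefix 64:ff9b::/96 (an operator may use its own /96), uses a deliberately partial list of non-global IPv4 ranges that must not be mapped, and runs on a constructed HTML snippet.

```python
import re
import ipaddress

# RFC 6052 well-known prefix; an operator-specific /96 works the same way.
WELL_KNOWN_PREFIX = "64:ff9b::/96"

# RFC 6052 forbids carrying non-global IPv4 addresses in the well-known prefix.
# Partial list for this example; a real DNS64 (RFC 6147) applies its own
# exclusion set as well.
_NON_GLOBAL = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this"
    "224.0.0.0/4", "240.0.0.0/4")]                      # multicast, reserved


def dns64_synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 2.2)."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled in this example")
    if any(v4 in n for n in _NON_GLOBAL):
        raise ValueError(f"refusing to map non-global address {v4}")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """What a DNS64 resolver returns to an IPv6-only client for one name:
    native AAAA records are passed through untouched; A records are mapped
    only when there is no AAAA at all (RFC 6147 behaviour)."""
    if aaaa_records:
        return list(aaaa_records)
    return [dns64_synthesize(a, prefix) for a in a_records]


# http(s):// followed by a dotted quad that is not part of a longer number or hostname.
_URL_LITERAL = re.compile(r"(?P<scheme>https?://)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def rewrite_ipv4_literals(html, prefix=WELL_KNOWN_PREFIX):
    """Rewrite URLs that use an IPv4 literal into the NAT64-mapped IPv6 literal
    (in brackets, as URL syntax requires) so an IPv6-only client can follow
    them. Invalid or non-global addresses and hostnames are left alone."""
    def repl(match):
        try:
            v6 = dns64_synthesize(match.group("ip"), prefix)
        except ValueError:           # not a global IPv4 address: leave it as-is
            return match.group(0)
        return f"{match.group('scheme')}[{v6}]"
    return _URL_LITERAL.sub(repl, html)


if __name__ == "__main__":
    # Constructed sample page with one literal that maps and one RFC 1918 literal that must not.
    page = '<a href="http://192.0.2.1/img.png">pic</a> <a href="http://10.0.0.5/">lan</a>'
    print(dns64_answer(["192.0.2.1"], []))
    print(rewrite_ipv4_literals(page))
```

The rewrite only covers literals inside a URL; an IPv4 literal passed to a plugin or to JavaScript in some other form is exactly the residual breakage the post is talking about.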
I hope you are joking. Wave was the anti-Flash.
The wave client (GUI) is an HTML5 application.
Windows 2000 hits end of life this summer. 2003 enters extended support which ends in 2015 - this was extended due to poor uptake of Windows 2008. They currently offer 10 years of support but they often extend if uptake of the follow on release is low.
RedHat and Novell support their enterprise linux OS products on a seven year cycle.
Novell even leaves the downloads available for up to 10 years.
In most cases where VM is useful the people who care about the 10 processes bring so much baggage in terms of demands that it pays big dividends to have the overhead of 10 machine images running in order to not have to listen to 10 people whining.
There's IT theory and then there's IT reality...
Microsoft broke binary compatibility for many SCSI/HBA drivers between SP1 and SP2 for Windows 2003.
That was in a "stable" series.
Some people found this out the hard way when they saw the bluescreen at boot.
The RC is still getting security updates.
Wish I had some points to mod this up. Well said
We are consuming a little more than a /8 every month and if every single /8 was reclaimed from a corporation that was assigned prior to 1995 how much extra time would that buy us?
How many years and millions would be spent getting them to renumber or forcing them to renumber through some sort of legal process?
How long is it going to take to transition to IPv6 - probably 10 years or more.
Where is the time and money better spent?
Domain SID doesn't equal the machine SID
He is talking about the machine SID.
Having duplicated domain SIDs is still a problem.
There is so much mythology around the word SID I think people need to read up.
WSUS uses a different unique identifier called the WSUSClientID - you can and should reset this. It's not the SID.
NewSID changes the machine SID
Unjoining and rejoining changes the domain SID
They aren't the same thing and MS support should have told you that.
You need to make sure the image wasn't joined to the domain and that each new copy does its own join.
The domain SID in a domain joined image will cause problems.
Russinovich's post is about the machine SID which is not the same thing as a domain SID.
There are two mechanisms for this.
You can run DHCPv6 and have it hand out info but not addresses via a DHCPINFORM. This also works in IPv4 but not many know about it or use it. In a nutshell you set up a subnet but don't include a range of IPs to hand out. You simply set up DNS servers and maybe a DNS domain name, ntp, and whatnot. The clients will autoconfig but also run a dhcp client to get the DNS servers defined.
The other (and better IMHO) method is that you can include RDNSS info in the router advertisements. So for autoconfig to work you have to at least advertise the subnet and prefix that clients should use to form a complete address during autoconfig. The RDNSS (recursive DNS server) advertisements are picked up and used by the client as DNS servers. This method has less adoption but I think this is ultimately going to be the preferred method once it's supported more widely. See the radvd.conf man page for more info.
The router advertising is a part of IPv6 that is poorly understood or completely unknown to many people but they put some pretty good thought into it. There is actually a mechanism to renumber an entire network using primarily router advertisements which is pretty cool.
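The two mechanisms in the post above are both signalled by the Router Advertisement: the "O" (other configuration) flag tells a host to fetch DNS and similar options from a stateless DHCPv6 server without taking an address from it, while an RDNSS option (RFC 6106, option type 25) carries the resolver addresses directly. The following is an added example, not from the post or from radvd, that builds an RA with a Prefix Information option and an RDNSS option, parses it back the way a host would, and reports which of the two DNS mechanisms the host would end up using. The RA/PIO/RDNSS layouts follow RFC 4861 and RFC 6106; the prefix and resolver addresses are constructed documentation addresses, the ICMPv6 checksum is left at zero (the sending stack fills it in), and preferring RDNSS over DHCPv6 when both are present is this example's choice.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134       # ICMPv6 type
OPT_PREFIX_INFO = 3          # RFC 4861 4.6.2
OPT_RDNSS = 25               # RFC 6106 5.1
RA_FLAG_MANAGED = 0x80       # M: addresses come from stateful DHCPv6   (radvd: AdvManagedFlag)
RA_FLAG_OTHER = 0x40         # O: DNS/NTP etc. from stateless DHCPv6   (radvd: AdvOtherConfigFlag)
PIO_FLAG_ONLINK = 0x80       # L
PIO_FLAG_AUTONOMOUS = 0x40   # A: hosts may form SLAAC addresses from this prefix


def build_ra(prefix, rdnss=(), *, other_config=True, managed=False,
             rdnss_lifetime=600, router_lifetime=1800):
    """Build an ICMPv6 Router Advertisement (checksum 0; the sending stack computes it)."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other_config else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information: type, length (4 x 8 octets), prefix length, L|A flags,
    # valid lifetime, preferred lifetime, reserved, prefix
    pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                       PIO_FLAG_ONLINK | PIO_FLAG_AUTONOMOUS, 2592000, 604800, 0,
                       net.network_address.packed)
    if rdnss:  # radvd: RDNSS <addr> ... { AdvRDNSSLifetime <seconds>; };
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        # RDNSS: type, length = 1 + 2*n (in 8-octet units), reserved, lifetime, n addresses
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, rdnss_lifetime) + addrs
    return pkt


def parse_ra(pkt):
    """Decode the parts of an RA a host uses to decide how to get addresses and DNS servers."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT or pkt[1] != 0:
        raise ValueError("not a router advertisement")
    flags = pkt[5]
    info = {"managed": bool(flags & RA_FLAG_MANAGED),
            "other_config": bool(flags & RA_FLAG_OTHER),
            "prefixes": [], "rdnss": [], "rdnss_lifetime": None}
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                      # RFC 4861 4.6: a zero-length option means discard the packet
            raise ValueError("zero-length ND option")
        body = pkt[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated option body")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, _valid, _pref, _res, raw = struct.unpack("!BBIII16s", body[2:])
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            info["prefixes"].append((str(net), bool(pflags & PIO_FLAG_AUTONOMOUS)))
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            info["rdnss_lifetime"] = struct.unpack("!I", body[4:8])[0]
            info["rdnss"] = [str(ipaddress.IPv6Address(body[i:i + 16]))
                             for i in range(8, len(body), 16)]
        off += olen * 8                    # options we do not know are skipped, as RFC 4861 requires
    return info


def dns_source(info):
    """Which mechanism a host uses for its resolver list, given a parsed RA.
    This example prefers RDNSS when both are advertised."""
    if info["rdnss"]:
        return "rdnss"
    if info["managed"]:
        return "dhcpv6"
    if info["other_config"]:
        return "stateless-dhcpv6"
    return None


if __name__ == "__main__":
    ra = build_ra("2001:db8:1::/64", ["2001:db8:1::53"])
    parsed = parse_ra(ra)
    print(parsed, dns_source(parsed))
```

A host that sees the O flag but no RDNSS option sends a DHCPv6 Information-request and takes only the options from the reply, which is the "hand out info but not addresses" setup from the post; a DHCPv6 server with a subnet declared but no address range answers exactly that.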
There are a few things that you don't understand.
If you get a /48 from your ISP (standard allocation recommendation by IANA and by existing v6 practice) you can run as many /64 VLANs as you want. You aren't forced to run a single VLAN when you run IPv6. You can still subnet six ways from Sunday. Your comment talks about a single subnet but that isn't the norm for IPv6 deployment.
You don't need to convert everything all at once. Experiment first, then roll it out on a DNS server or a mail server.
You will have to maintain two sets of addresses for the foreseeable future. So does everybody else. You can stay on IPv4 but at some point you will need to connect to somebody who can only get IPv6 addresses. That might be 3 years from now or 10 years from now but this is going to happen. IPv4 will be exhausted - this is a fact that a lot of people are having trouble dealing with but it doesn't have to be big, bad and scary. IPv6 isn't really that different from v4. They both pretty much do the same job - yes there are differences but once you work with it for a short time it's not rocket science - it's just basic networking.
The weak part of IPv6 is ISP delivery. There is a dearth of providers who are providing dual stack to all of their customers and this is right now the biggest barrier to rapid adoption, particularly in the North American market. This is going to change pretty rapidly over the next 2 years and already has in other regions.
I agree that IPv6 is scary but a true geek should see this as a learning opportunity rather than a departure from a comfort zone. IT people are supposed to be ahead of the curve. Yeah - maybe you don't roll out IPv6 until there is a solid business case for deployment but there is a business case now for experimentation so that it won't be a fire drill when it comes time to deploy because of an actual business requirement.
This demo text client is pretty spartan. I can't wait to get my hands on the HTML5 client. I was able to get this running on Debian Lenny on EC2 pretty quickly. I got two instances to talk to each other across the Amazon net and I could invite people from the 2nd instance to participate on the 1st instance's waves. So the fundamental server stuff seems to be working. Has anybody tried this out with ejabberd?
Why wouldn't you just use the timestamps and let the most recent win. Even if an offline client had a bad timestamp and something got stomped you could just replay back to a "good" state and copy paste your way back to normal. Anyway - there are smarter minds than I working on this at the wave federation protocol site.
Or on a large VM cluster - which thousands of data centers have in production now.
Japan started fingerprinting inbound aliens last year.
The thing is - Windows Vista and Windows 7 aren't really a fundamental departure from the past. For example, I applaud Microsoft for finally getting on board the IPv6 train with Vista and Win2K8 but what happened to rewriting system services and the Windows shell in managed code (.NET)? That would be a fundamental change that would justify a compat VM container. Microsoft is really giving customers the worst of both worlds. Making only incremental improvements to their mainline OS's while creating a backwards compatible VM which is simply more cruft to throw on top of an ever expanding pile of backwards compatible cruft.
The Cisco blades are going to support 192GB of RAM which is one of the most important constraints on a VM host box. For the density and form factor this is better than the competition at the moment but I have no doubt HP, IBM, and Dell will respond quickly to keep their customers in line.
Amazon S3 has the ability to do this. The issue is you pay per request so it could add up if you do something significant with it.
Based on the description, it sounds like they are simply presenting a different DNS view for resolvers hitting their DNS servers from a whitelisted netblock. The view probably has AAAA records listed alongside A records rather than only A records for everybody who isn't on the whitelist.
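The whitelisted-view mechanism described in the comment above, modelled as an added example (not code from the comment or from any site's actual setup): an authoritative server keeps both A and AAAA records, but only answers AAAA queries when the querying resolver's source address falls inside a whitelisted netblock; everyone else gets an empty (NODATA) answer for AAAA and the normal A records. In BIND this is what `view` blocks with `match-clients` express. The zone contents and the whitelist netblocks below are constructed documentation addresses.

```python
import ipaddress

# Constructed zone: A records for everybody, AAAA records only for whitelisted resolvers.
ZONE = {
    "www.example.com.":  {"A": ["192.0.2.10"], "AAAA": ["2001:db8:10::10"]},
    "mail.example.com.": {"A": ["192.0.2.25"], "AAAA": []},
}

# Constructed whitelist: source netblocks of resolvers run by ISPs whose
# customers are known to have working IPv6.
AAAA_WHITELIST = [ipaddress.ip_network(n) for n in ("2001:db8:cafe::/48", "198.51.100.0/24")]


def select_view(resolver_ip):
    """Pick the DNS view by the *resolver's* source address (BIND: match-clients)."""
    ip = ipaddress.ip_address(resolver_ip)
    return "ipv6-whitelist" if any(ip in net for net in AAAA_WHITELIST) else "default"


def answer(qname, qtype, resolver_ip, zone=ZONE):
    """Return (view, records) for a query. In the default view an AAAA query gets an
    empty answer (NODATA), so a non-whitelisted resolver never learns the IPv6 address."""
    name = qname.lower().rstrip(".") + "."
    view = select_view(resolver_ip)
    rrset = zone.get(name, {})
    if qtype == "AAAA" and view == "default":
        return view, []
    return view, list(rrset.get(qtype, []))


if __name__ == "__main__":
    for src in ("2001:db8:cafe::53", "203.0.113.53"):
        print(src, answer("www.example.com", "AAAA", src))
```

Note what is actually being whitelisted: the authoritative server sees the address of the recursive resolver, not of the end user, so a whitelisted resolver hands AAAA records to every client behind it, including ones with broken IPv6.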
Let me refer you to what Paul Vixie has to say on the subject. Quoting from the NANOG list a couple of months ago http://www.gossamer-threads.com/lists/nanog/users/109650#109650
the human, as a species in the animal kingdom, is known to be the kind of animal who fouls its own nest and overruns its habitat. the idea of a tipping point, whether it be for CO2 in the atmosphere or polar ice shelves or explosively deaggregated IPv4 routing tables, does not occur in the minds of individual decision makers. instead it's left to us "chicken little" types, and the only way the individual decision makers ever make their decisions on the basis of tipping points is if some kind of "governance" makes them do so.
--
Paul Vixie
Microsoft has broken backwards compatibility in every major release.
They broke binary driver compatibility in a stable series with Windows 2003 SP1. Imagine patching up to date and being greeted with a blue screen on the reboot. What a cluster fsck that was.
Microsoft spends enormous effort on backwards compat but they have never made it 100% compatible - that is a myth.