So these Evil Consultants are running a propaganda campaign about Wikileaks, and Anonymous leaks their "secret plans", including the plan to try to sell a disinformation plan to BofA... But can we trust all the incriminating pages in the leaked secret plans? Could Anonymous have planted a bit of extra content in the leaked material? Could the Evil Consultants themselves have planted bogus material in the leak, and leaked it to Anonymous themselves?
Besides all the obvious propaganda campaigns against Wikileaks, and all the real or potentially real problems with it, if I wanted to interfere with them in the future, I'd start trying to leak bogus information, either through them if possible, or through competing BogusLeak services. If real secrets are going to get out, one of the few defenses is to start leaking lots of fake secrets so people don't trust the real ones. Time to start leaking the US Air Force Roswell UFO secrets, time for BofA to start leaking accusations that their mother was a hamster and their father smelt of elderberries.
I swapped out my router a year ago, precisely because of 802.11n. Too many of my apartment neighbors had upgraded to higher-powered wider-bandwidth 802.11n, the local spectrum was getting too crowded, and my laptop kept losing connections to my 802.11g, so it was time to upgrade. And no, there's no IPv6 support on it, even though it's less than two years old. It's tempting to do DD-WRT.
I bought a Linksys 802.11n wireless router a year ago because enough of my neighbors had upgraded to louder wider-band 802.11n gear and my 802.11g was getting disconnected too often. I finally got around to checking the IPv6 functions, and no, there aren't any, Cisco/Linksys don't say anything about IPv6 in the support pages for the hardware, and googling for it tells me that DD-WRT should work ok. Snarl.... The Cisco web pages seem to imply that the "Restore to Factory Defaults" function doesn't actually restore the operating system to factory defaults, it just resets the network settings and password, and they don't seem to support downloading the old firmware release for that model because they haven't come out with an upgraded one so why would you need that?
Of course, one reason I had bought Cisco (besides the sale price at Fry's) was that the last Netgear router I bought (an 802.11b wireless thing) was a cretinous piece of junk, and while I've liked their Layer 2 hardware for decades, I haven't wanted to touch anything at Layer 3 or above from them until I've got some reason to assume they've Got Better. (It was nice hardware, and a long time ago, so they probably do fine today. After I ditched the Netgear, I got a 3Com 802.11g that gave you a choice of using routing or just raw Ethernet bridging, and the bridging was clean, dumb, and reliable, and I may decide to run IPv6 wireless on it.)
If somebody has root access to the machine, with actual write access to the software, hashing doesn't matter, because the attacker can do an active attack that gets the raw password that the user types into the login prompt or login web page, before it gets hashed and compared with the stored hash. They can only steal passwords from users who are actually logging in, not from the stored hashes of inactive users, but you're still toast. That's why hashed passwords are obsolete for many applications, and you need to use public-key digital-signature protocols instead.
Hashing can protect passwords from people who have read access to the password file, which is why the original Unix /etc/passwd didn't need to be protected until a few years of Moore's Law made it easy for password crackers to crack obvious passwords and people grudgingly moved passwords into /etc/shadow (and probably made a few more commands run setuid root that hadn't needed it before.)
Basically, if somebody has access to the password file, and your password is in /usr/dict/words or the OED or is something else obvious, like your dog's name spelled backwards, it doesn't matter if your password hashing algorithm is SHA-256 with a 512-bit salt; if the hash takes much more than a second to calculate on your CPU, it's too annoying to the users, and otherwise the attacker can try a million obvious passwords in a million seconds on a CPU like yours, or in a couple thousand seconds on their GPU farm or PS3.
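The tradeoff in the comment above, worked as an added example (not the commenter's code): a salted, iterated hash protects against precomputation but not against a dictionary word, and the iteration count is the only knob that sets how long a million guesses take. The wordlist, salt and the 500x "GPU farm" speedup are constructed for the demo; PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever hash the system uses.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed stand-in for /usr/dict/words plus a couple of "obvious" guesses
# (the dog's name spelled backwards). A real audit would load the real list.
TOY_WORDLIST = ["password", "letmein", "qwerty", "rover", "revor", "elderberry"]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library).
    The iteration count is the knob the comment describes: raise it and each
    login costs more, but so does each attacker guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """What the login prompt does after the user types the raw password."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def dictionary_audit(stored: bytes, salt: bytes, iterations: int,
                     wordlist: Iterable[str]) -> Optional[str]:
    """Defender-side audit of one stored hash: returns the obvious word that
    reproduces it, or None. The salt does not save a dictionary word; it only
    stops precomputed tables, so every word still costs exactly one hash."""
    for word in wordlist:
        if hmac.compare_digest(hash_password(word, salt, iterations), stored):
            return word
    return None


def seconds_per_hash(iterations: int, samples: int = 3) -> float:
    """Measure the per-guess cost on this CPU for a given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("benchmark-only", salt, iterations)
    return (time.perf_counter() - start) / samples


def seconds_to_try(guesses: int, per_hash: float, attacker_speedup: float = 1.0) -> float:
    """Time for an attacker to try `guesses` candidates when their hardware is
    `attacker_speedup` times faster per hash than the CPU that was measured."""
    return guesses * per_hash / attacker_speedup


if __name__ == "__main__":
    iterations = 100_000          # assumption: a mid-range 2011 setting
    salt = os.urandom(16)
    stored = hash_password("revor", salt, iterations)   # the dog's name backwards
    print("login ok:", verify_password("revor", salt, iterations, stored))
    print("audit found:", dictionary_audit(stored, salt, iterations, TOY_WORDLIST))
    per_hash = seconds_per_hash(iterations)
    print(f"{per_hash * 1000:.1f} ms per hash on this CPU")
    # 500x is a constructed ratio matching "a million seconds" vs "a couple thousand"
    print("1M guesses here: %.0f s; with a 500x speedup: %.0f s"
          % (seconds_to_try(10**6, per_hash), seconds_to_try(10**6, per_hash, 500)))
```

Running it shows the point of the comment: raising `iterations` until a login takes a noticeable fraction of a second multiplies the attacker's cost by the same factor, but a word in the list still falls after one hash per word, salt or not.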
I don't know anything about this company's equipment except what I've read in the article today, but if they do have approval to use a radio band next to GPS and can do so without interfering with it, it's likely that equipment for that data service can use the same radio hardware as they'd use for receiving GPS signals, with just software-defined-radio or similar tuning technology to let handsets do both with less hardware, instead of needing a cellular radio and also a GPS radio.
Wikipedia LTE Article lists a bunch of different frequency bands used by LTE (and other cellular standards), and this L1 band isn't in there. So while GPS interference problems may affect this particular carrier's frequency band, it's not going to affect the widely announced plans for 4G* LTE or HSPA+, and it doesn't look like it affects the current 4G* WiMax carriers either.
Of course, I'll be really annoyed if these guys interfere with my el-cheapo car GPS, or my cellphone's GPS, and I'll be really annoyed if they start interfering with airplane GPS systems (if I had to worry about my car falling out of the sky or crashing into mountains, I'd have more serious problems than just GPS...)
* Defining your product as "nth-Generation Wireless" is a marketing-slogan issue, and it was hubris for the carriers and equipment makers who declared their products to be the standard in the first place, so I'm not going to argue about whether LTE or WiMax or NewerShinierRadio is real 4G or not. The stuff that the major carriers and handset makers are deploying in the next year or two doesn't interfere with GPS, which is what matters, not what label they attach to it, so it's not going to cause sky-is-falling problems or create no-fly zones around your local cellular tower, even though there are probably Marin County residents panicking about it as we speak.
Yup. That's why this is under the "If you think you can ignore IPv6, think again" discussion :-)
Using port numbers for a few bits of tracking is very interesting - probably not too hard, and of course cookies give you an alternative method, for people who accept them.
Your NAT example that forwards example.com:80 to one machine and example.com:21 to another is at least interesting, though IPv6 gives you enough addresses that you can just as easily forward www.example.com to your web server and ftp.example.com to your FTP server. IPv6 doesn't stop you from doing a 6-6 NAT if you want, but the default behaviour should be that it's never necessary, and seldom implemented.
For most people, the important things about NAT are that it's something cheapass firewall appliances do so they can plug multiple computers in to their LAN, get addresses handed to the computers without needing to manually configure them, and get some semblance of security, and most stuff just works. If they're gamers, they probably need to mess with the firewall by hand anyway, unless kluges like uPNP are good enough to do the job without it.
The general plan is for ISPs to give people /56 or /48 and let them chop *that* up, either by hand or having their routers do it automatically, and /56 is big enough that the automatic stuff can be wasteful instead of efficient. If you've got a /64, you're perfectly free to chop it up by hand, but all the autoconfiguration stuff assumes that /64 is one subnet, big enough to use your equipment's EUI-64 link layer address as the host part of the IPv6 address. (EUI-64 is an extended version of MAC, designed so that the Layer 2 people never have to run out of addresses either - if you've got equipment with regular Ethernet-like MAC addresses, you create the EUI-64 by shoving some standard bits into the middle, in ways that look unnecessarily ugly to me but are the standard now.)
A surprisingly high fraction of people have two subnets - a wireless one and a wired one, and if you've got two, it sometimes helps to have more so your routers can glue stuff together automagically instead of making you configure it yourself. Most ISPs understand that if they give people multiple subnets (for example, that /56), they just don't have to care what the user does with it, and "don't have to care" means "don't need to do future support calls to change stuff, which cost money."
No, IPv4 won't entirely be turned off in a decade, and there are probably still machines running Netware IPX and definitely IBM SNA, and there's probably even X.25 on barbed wire somewhere in the world; I think I've seen DECNET within the past year. But if you're not dealing with IPv6 now, you're not going to be in the web or internet or security or telephone or computer business by late next year, because your job or company will have died by then.
Yes, businesses will make all reasonable accommodation to allow IPv6-only end users to reach their websites, and businesses that open new offices that can't get an IPv4 address from the local ISP in that country at the regular price will either pay them a lot more money or else run some ugly V4-over-V6 tunnel back to headquarters, and they'll be able to squeak by for a while, but it's going to get increasingly ugly and expensive.
... and it wasn't that wrong for a lot of people until yesterday, either, and won't be until APNIC runs out of space this summer and RIPE this fall, but it doesn't matter.
The IPv4 address space is used up, and we're rapidly sailing toward the point on the map that says "Heer Be Dragons!", and the only solutions we've got are IPv6 and Not-Really-Carrier-Grade-NAT to get us across the bleeding edge.
So if you're not ready for IPv6, it's going to hurt. If you're just an end-user with a dynamic IPv4 address, it won't hurt a lot until your ISP starts giving you a 10.x address, and those cool websites you used to use don't look as cool, and that gaming application you're using for voice talk with your friends while you're killing zombies suddenly can't reach 20% of them, or maybe 80% of them, and maybe your next mobile phone will only have an IPv6 address. But if you're a content provider, you're not only going to either lose a small but growing percentage of your users, or support native IPv6, you're also going to have all those applications that tracked them by location or IP address stop working so well, and your reporting software that keeps track of comment spammers isn't going to know where they're coming from so well, and eventually you'll need to give in and make sure all your firewalls and load balancers are working. And of course, if you're an ISP, you've spent the last couple of years realizing how much this is just going to hurt all over, and if you haven't, you're planning on going out of business Real Soon Now when all your customers ditch you.
That's true if you're using protocols that can survive NAT64 translation - couch potatoes reading HTTP pages will be just fine, if their ISP does NAT64 translation for them (or gives them RFC1918 addresses and does NAT44.) And if you're in the business of serving IPv4 web pages, and don't need much more than that, then you might be ok, or you might want to add your own NAT64 server so that outsiders can reach your IPv4 address even if their ISP doesn't do NAT64 for them.
But what if you're using their address for something, like tracking repeat visits, or security, or using geolocation to serve them targeted ads? Do you mind if 80% of your customer visits are now arriving from one of ten big consumer ISP NAT blocks instead of their individual IPv4 or IPv6 addresses?
And then what happens once you decide to accept native IPv6 connections. Is it as simple as asking your ISP for dual-stack, which your routers are new enough to use by now, and telling Linux and Apache "oh, also use IPv6"? Sure, that's cool if you're trying to get a Hurricane Electric IPv6 certification, which is a good idea. But is your web server farm big enough to need load balancers, and if so do they support IPv6? Do your firewalls allow IPv6 traffic at full speed, or are they 80% slower because they have IPv4-tuned ASICs and need the CPU to do IPv6? Do your accounting programs that keep track of user visits and print out nice shiny reports store their address data in uint32 fields, and print them out in dotted-quad formats? What about your attack/fraud detection programs that are trying to keep people from cracking your web servers and stealing your user data - do they know how to recognize an anomaly from IPv6 land and warn you about it, or does it all look like uint32 to them too?
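The uint32 problem in the comment above, shown as an added example (not the commenter's code, and the log lines are constructed): a legacy reporting column that only fits 32 bits fails outright on the first IPv6 client, a fixed 16-byte column holds both families, and the fraud counter keys on the /64 for IPv6 so a client rotating privacy addresses inside one subnet is still one visitor rather than three "new" ones. The field layout and the 401-on-/login heuristic are assumptions for the demo.

```python
import ipaddress
import re
import struct
from collections import Counter
from typing import Dict, List

# Constructed combined-log lines (not from any real server). The three IPv6
# clients share a /64 but rotate their interface identifier; the IPv4
# client simply repeats.
LOG_LINES = [
    '203.0.113.7 - - [20/Feb/2011:10:00:01 +0000] "GET /login HTTP/1.1" 401 512',
    '2001:db8:1:2:a1b2:3c4d:5e6f:7a8b - - [20/Feb/2011:10:00:02 +0000] "GET /login HTTP/1.1" 401 512',
    '2001:db8:1:2:9f0e:1d2c:3b4a:5968 - - [20/Feb/2011:10:00:03 +0000] "GET /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [20/Feb/2011:10:00:04 +0000] "GET /login HTTP/1.1" 401 512',
    '2001:db8:1:2:1111:2222:3333:4444 - - [20/Feb/2011:10:00:05 +0000] "GET /login HTTP/1.1" 401 512',
]

CLIENT_RE = re.compile(r"^(\S+) ")


def client_address(line: str) -> str:
    """First field of a combined-log line is the client address."""
    m = CLIENT_RE.match(line)
    if not m:
        raise ValueError("no client field: " + line)
    return m.group(1)


def legacy_uint32(addr_text: str) -> int:
    """The pre-IPv6 reporting schema: a 32-bit integer column. Raises
    ValueError on any IPv6 client, the failure the comment warns about."""
    return struct.unpack("!I", ipaddress.IPv4Address(addr_text).packed)[0]


def to_addr16(addr_text: str) -> bytes:
    """Fixed 16-byte storage that fits both families; IPv4 is stored as an
    IPv4-mapped IPv6 address (::ffff:a.b.c.d) so one column type serves both."""
    ip = ipaddress.ip_address(addr_text)
    if ip.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{ip}").packed
    return ip.packed


def from_addr16(blob: bytes) -> str:
    """Print the stored value back in its native notation, not dotted-quad-only."""
    ip = ipaddress.IPv6Address(blob)
    return str(ip.ipv4_mapped or ip)


def anomaly_key(addr_text: str) -> str:
    """Unit for counting failed logins: the host for IPv4, the /64 for IPv6."""
    ip = ipaddress.ip_address(addr_text)
    if ip.version == 4:
        return f"{ip}/32"
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))


def failed_logins_by_key(lines: List[str]) -> Dict[str, int]:
    """Count 401 responses on /login per anomaly key (heuristic for the demo)."""
    counts: Counter = Counter()
    for line in lines:
        if '"GET /login' in line and " 401 " in line:
            counts[anomaly_key(client_address(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in LOG_LINES[:2]:
        addr = client_address(line)
        try:
            print(addr, "-> uint32", legacy_uint32(addr))
        except ValueError as exc:
            print(addr, "-> legacy column fails:", exc)
        print(addr, "-> 16-byte column", to_addr16(addr).hex(), "->", from_addr16(to_addr16(addr)))
    print("failed logins by key:", failed_logins_by_key(LOG_LINES))
```

The per-/64 key is the same granularity the comment later suggests for blocking: individual IPv6 addresses are too cheap and too short-lived to be a useful identity, the subnet is what the ISP actually handed the customer.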
There are other ways to find the machines on your subnet besides scanning, though it is nice that scanning will become harder. If you've got a known brand of ethernet card, there are only 24 bits worth of possible MAC addresses, and what's 16 million scanning packets between friends? Multicast works by default, though your firewall might block it, and they can still do phishing to get you to go to their web page so they can get your address. (IPv6 address privacy mode is a Good Thing, though corporate networks might block it internally so they can track which machines are doing what for auditing and debugging purposes.)
Look, you're getting a subnet that's big enough for just about anything you can imagine doing at home, not just the things you can actually figure out how to do. If you'd like to split your /56 into 256 different subnets and do different things on them, go ahead. You can do that without breaking the end-to-end principle.
NAT breaks stuff right and left today, for two main reasons - lots of protocols, including FTP and newer protocols, put the IP address inside the data packets, not just in the packet headers, and doing NAT properly requires ripping the packets apart, changing the addresses, and fixing up any checksums that got damaged in the process. It's even worse if you've got protocols that use crypto, either for information hiding or just simply for authentication. It's very hard to get them right, especially if people design protocols the firewall doesn't know about. - stateful NAT makes it hard to establish connections through the firewall. Sometimes this is intentional, blocking unwanted connections for security reasons, but if two people behind NAT want to communicate, neither one can talk until the other one has talked to them first. There are products like Skype that are popular because they go to a lot of trouble to work around the different broken NAT implementations out there.
Putting a firewall box in front of your computers isn't a bad thing - you just need one that's IPv6-aware instead of IPv4-only. You're not getting the security from NAT, you're getting security from having a stateful packet inspection box in front of your computer, and that's not going to change. If you want to offload packet inspection from your 2GHz CPU down to your 200 MHz SOC-based firewall, go ahead; about a quarter century ago, Van Jacobson figured out how to tune the BSD TCP/IP stack so you could do wire-speed file transfer on 10 Mbps Ethernets using a Sun 3/60, so you should have plenty of spare CPU horsepower left to inspect your packets.
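The first of the two NAT problems in the comment above (addresses inside the data, not just the headers), as an added example that is not from the thread: the payload rewrite an FTP application-level gateway has to perform on an active-mode PORT command, the length change it causes (which the NAT must then apply to TCP sequence numbers on every later segment), and the one's-complement checksum that every rewritten byte invalidates. The private and external addresses, ports and the PORT line are constructed; a payload the gateway does not recognise, or cannot read because it is encrypted, passes through unchanged, which is the comment's point about crypto and unknown protocols.

```python
import re
import struct
from typing import Optional, Tuple

# Constructed FTP control-channel payload: the client behind NAT tells the
# server to connect back to its *private* address 192.168.1.10, port 1025.
PRIVATE_PORT_CMD = b"PORT 192,168,1,10,4,1\r\n"

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(payload: bytes) -> Optional[Tuple[str, int]]:
    """Active-mode FTP carries the client's address and port in the data."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return f"{n[0]}.{n[1]}.{n[2]}.{n[3]}", n[4] * 256 + n[5]


def build_port(addr: str, port: int) -> bytes:
    """Encode address/port back into the h1,h2,h3,h4,p1,p2 form."""
    return ("PORT " + addr.replace(".", ",") + f",{port // 256},{port % 256}\r\n").encode("ascii")


def nat_rewrite_port(payload: bytes, external_addr: str, mapped_port: int) -> Tuple[bytes, int]:
    """The gateway step: rewrite the embedded address/port and report the
    length delta. Unrecognised (or encrypted) payload is returned untouched,
    so the server would be told to connect to an unreachable private address."""
    parsed = parse_port(payload)
    if parsed is None:
        return payload, 0
    new_payload = build_port(external_addr, mapped_port)
    return new_payload, len(new_payload) - len(payload)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4/TCP/UDP headers; any byte
    changed by the rewrite above invalidates it, so the NAT must recompute."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_valid(data_with_checksum: bytes) -> bool:
    """Data followed by its own checksum sums to zero when intact."""
    return internet_checksum(data_with_checksum) == 0


if __name__ == "__main__":
    print("client says:", parse_port(PRIVATE_PORT_CMD))
    rewritten, delta = nat_rewrite_port(PRIVATE_PORT_CMD, "203.0.113.5", 40000)
    print("gateway sends:", rewritten, "length delta:", delta)
    print("old checksum %04x, new checksum %04x"
          % (internet_checksum(PRIVATE_PORT_CMD), internet_checksum(rewritten)))
    print("encrypted/unknown payload untouched:", nat_rewrite_port(b"\x17\x03\x01\x00\x20garbage", "203.0.113.5", 40000)[1] == 0)
```

The non-zero delta is the part that makes "doing NAT properly" hard: from this segment on, every sequence and acknowledgement number on the connection is off by two bytes unless the NAT tracks and patches it, per connection, for the life of the session.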
There's no particularly good reason for your computer to look like a single computer to anybody outside your network, and simple address-munging isn't enough to solve the problem. My laptop has different addresses depending on where it's plugged in, home, work, coffeeshop, etc., and the address isn't enough to tell them anything definite. When I'm at work, I occasionally have trouble reaching sites because many other users behind my corporate firewall are accessing them at the same time, so they want me to do a CAPTCHA to verify I'm not a bot abusing their system. However, if anybody does want to track your address, with IPv6 they'll probably do it by tracking your /56 or /48. Also, there's the IPv6 address privacy mode, which lets your computer use a different host-part address on every connection, so it's not using the same MAC address every time.
There are some ISPs that are starting off with just a single /64 (e.g. Comcast's trial), because they've got some equipment or management software that's not bright enough to handle more complex routing than that, but the general consensus is that businesses should get /48 and residences should get at least /56. That not only allows for a couple of subnets (e.g. wired, wireless, uplink, DMZ), but it also lets you use relatively dumb routers that handle subnets by cutting their address space in 2-4 pieces, and you can stack a couple of those.
I have heard of one ISP that's only allocating a /60 for residences, but IPv6 has enough address space that most people think it's worthwhile wasting some of it to get addresses aligned on byte boundaries and not mess with nibble-aligned, much less single-bit-aligned.
IANA kept track of other kinds of numbers besides IPv4 addresses, and their job wasn't just to hand out unique numbers, but to keep track of who owns the numbers that are out there. And if you think IPv4 number ownership is going to stay stable now that they're all gone and you can only get them from other people, you may be a bit surprised.
There's already so much misuse of existing police databases that gets reported in the press, and presumably a lot more that doesn't. Some of it's cops stalking ex-lovers, or cops doing a "favor" for somebody to help them stalk somebody (with or without bribes attached to the favor), in ways that are blatantly illegal. Some of it's cops helping their friends in more-or-less-organized crime find out who's after them, or find business partners who are snitching or otherwise about to become ex-partners. Some of it's motor vehicle clerks helping people get their papers in order after driving while intoxicated or driving while speaking Spanish. Some of it's politicians trying to find out about other politicians, or trying to find out what other politicians can find out about them.
The limited address space in IPv4 may affect a few kinds of attacks, but not many. This paper was pointing out 100 Gbps botnet attacks, and if you've got an ISP that allows outbound UDP packets that aren't from your IP address space, which too many sloppy ISPs still do, you can use a few billion IP addresses times ~60K ports, so it's not going to stop any practical-sized attacks that care about that. If your botnet attacks come from ISPs that don't let you impersonate other users, then you'll encounter defenses that block your /64 and probably your /56 or /48 (so you could get some of your neighbors blacklisted, I suppose.)
The main IPv6 vs. IPv4 DDOS attack is the boring one - some user in Asia can't get an IPv4 address when APNIC runs out this year, so he'll only be able to reach you through NAT, unless you've got your IPv6 working.
Sure, 5 watts for a low-power miniserver is cool, but it's almost as expensive as a low-priced netbook which would have almost the same specs plus a screen.
I think you're probably right about that, because the issue of stateful vs. stateless firewalls in front of servers is the kind of thing Roland Dobbins often talks about. There are lots of resources a DDOS attack can exploit, and if it's easier to flood the firewall than the servers or the pipe, then that's the target to hit - and stateful firewalls are really designed to protect clients, not servers. It's generally better to use stateless firewalls to take out most of the noise, and leave stateful checking to the servers which need to maintain state anyway.
On the other hand, the reporter did appear to understand the problem of "good guys make their systems tougher, bad guys make their attacks bigger, and botnets are really cheap these days so we're seeing a few 100Gbps attacks." (100 Gbps!! Wasn't that long ago that 1Gbps was big.)
Some years ago, my original-version iPod Shuffle had an unfortunate meeting with a cup of coffee. The music playing functions didn't survive the event, IIRC because the battery got toasted, but it still works fine as a USB memory stick. Of course, a gigabyte of memory stick was a lot bigger back then than it is now, and I suppose I should try to hack something interesting with the remains.
Many years before, my Palm Pilot III had a similar misfortune, and the falling cup of coffee also took out the backup database, which was the pile of dead trees in the briefcase. (Of course it happened a week after a hard drive failure on my laptop, which was not the fault of coffee, but I lost all my calendar.:-)
Oh, come on, hasn't somebody posted something that obvious yet? In Soviet Russia, You eavesdrop on CIA!!
Or a Dubai Tower moment?
Yup. That's why this is under the "If you think you can ignore IPv6, think again" discussion :-)
Using port numbers for a few bits of tracking is very interesting - probably not too hard, and of course cookies give you an alternative method, for people who accept them.
Your NAT example that forwards example.com:80 to one machine and example.com:21 to another is at least interesting, though IPv6 gives you enough addresses that you can just as easily forward www.example.com to your web server and ftp.example.com to your FTP server. IPv6 doesn't stop you from doing a 6-6 NAT if you want, but the default behaviour should be that it's never necessary, and seldom implemented.
For most people, the important things about NAT are that it's something cheapass firewall appliances do so they can plug multiple computers in to their LAN, get addresses handed to the computers without needing to manually configure them, and get some semblance of security, and most stuff just works. If they're gamers, they probably need to mess with the firewall by hand anyway, unless kluges like uPNP are good enough to do the job without it.
The general plan is for ISPs to give people /56 or /48 and let them chop *that* up, either by hand or having their routers do it automatically, and /56 is big enough that the automatic stuff can be wasteful instead of efficient. If you've got a /64, you're perfectly free to chop it up by hand, but all the autoconfiguration stuff assumes that /64 is one subnet, big enough to use your equipment's EUI-64 link layer address as the host part of the IPv6 address. (EUI-64 is an extended version of MAC, designed so that the Layer 2 people never have to run out of addresses either - if you've got equipment with regular Ethernet-like MAC addresses, you create the EUI-64 by shoving some standard bits into the middle, in ways that look unnecessarily ugly to me but are the standard now.)
A surprisingly high fraction of people have two subnets - a wireless one and a wired one, and if you've got two, it sometimes helps to have more so your routers can glue stuff together automagically instead of making you configure it yourself. Most ISPs understand that if they give people multiple subnets (for example, that /56), they just don't have to care what the user does with it, and "don't have to care" means "don't need to do future support calls to change stuff, which cost money."
No, IPv4 won't entirely be turned off in a decade, and there are probably still machines running Netware IPX and definitely IBM SNA, and there's probably even X.25 on barbed wire somewhere in the world; I think I've seen DECNET within the past year. But if you're not dealing with IPv6 now, you're not going to be in the web or internet or security or telephone or computer business by late next year, because your job or company will have died by then.
Yes, businesses will make all reasonable accommodation to allow IPv6-only end users to reach their websites, and businesses that open new offices that can't get an IPv4 address from the local ISP in that country at the regular price will either pay them a lot more money or else run some ugly V4-over-V6 tunnel back to headquarters, and they'll be able to squeak by for a while, but it's going to get increasingly ugly and expensive.
... and it wasn't that wrong for a lot of people until yesterday, either, and won't be until APNIC runs out of space this summer and RIPE this fall, but it doesn't matter.
The IPv4 address space is used up, and we're rapidly sailing toward the point on the map that says "Heer Be Dragons!", and the only solutions we've got are IPv6 and Not-Really-Carrier-Grade-NAT to get us across the bleeding edge.
So if you're not ready for IPv6, it's going to hurt. If you're just an end-user with a dynamic IPv4 address, it won't hurt a lot until your ISP starts giving you a 10.x address, and those cool websites you used to use don't look as cool, and that gaming application you're using for voice talk with your friends while you're killing zombies suddenly can't reach 20% of them, or maybe 80% of them, and maybe your next mobile phone will only have an IPv6 address. But if you're a content provider, you're not only going to either lose a small but growing percentage of your users, or support native IPv6, you're also going to have all those applications that tracked them by location or IP address stop working so well, and your reporting software that keeps track of comment spammers isn't going to know where they're coming from so well, and eventually you'll need to give in and make sure all your firewalls and load balancers are working. And of course, if you're an ISP, you've spent the last couple of years realizing how much this is just going to hurt all over, and if you haven't, you're planning on going out of business Real Soon Now when all your customers ditch you.
That's true if you're using protocols that can survive NAT64 translation - couch potatoes reading HTTP pages will be just fine, if their ISP does NAT64 translation for them (or gives them RFC1918 addresses and does NAT44.) And if you're in the business of serving IPv4 web pages, and don't need much more than that, then you might be ok, or you might want to add your own NAT64 server so that outsiders can reach your IPv4 address even if their ISP doesn't do NAT64 for them.
But what if you're using their address for something, like tracking repeat visits, or security, or using geolocation to serve them targeted ads? Do you mind if 80% of your customer visits are now arriving from one of ten big consumer ISP NAT blocks instead of their individual IPv4 or IPv6 addresses?
And then what happens once you decide to accept native IPv6 connections? Is it as simple as asking your ISP for dual-stack, which your routers are new enough to use by now, and telling Linux and Apache "oh, also use IPv6"? Sure, that's cool if you're trying to get a Hurricane Electric IPv6 certification, which is a good idea.
But is your web server farm big enough to need load balancers, and if so do they support IPv6? Do your firewalls allow IPv6 traffic at full speed, or are they 80% slower because they have IPv4-tuned ASICs and need the CPU to do IPv6? Do your accounting programs that keep track of user visits and print out nice shiny reports store their address data in uint32 fields, and print them out in dotted-quad formats? What about your attack/fraud detection programs that are trying to keep people from cracking your web servers and stealing your user data - do they know how to recognize an anomaly from IPv6 land and warn you about it, or does it all look like uint32 to them too?
There are other ways to find the machines on your subnet besides scanning, though it is nice that scanning will become harder. If you've got a known brand of ethernet card, there are only 24 bits worth of possible MAC addresses, and what's 16 million scanning packets between friends? Multicast works by default, though your firewall might block it, and they can still do phishing to get you to go to their web page so they can get your address. (IPv6 address privacy mode is a Good Thing, though corporate networks might block it internally so they can track which machines are doing what for auditing and debugging purposes.)
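The MAC-leak point above can be checked from the defender's side: an EUI-64 interface identifier carries the 0xfffe marker and the flipped universal/local bit, so an auditor can spot hosts that are not using privacy addresses. This is an added example, not code from the original comment; the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Constructed sample of source addresses as they might appear in a server log.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:21b:21ff:fe3c:4d5e",   # EUI-64 form of MAC 00:1b:21:3c:4d:5e (constructed)
    "2001:db8:1:2:59d4:8b0c:7f21:a93e",  # privacy-extension style address (constructed)
    "2001:db8:1:2::1",                   # manually configured router address
    "203.0.113.7",                       # IPv4, not relevant to this check
]


def eui64_mac(addr: str):
    """Return the MAC address embedded in an EUI-64 interface ID, or None.

    EUI-64 builds the 64-bit interface ID by inserting 0xfffe between the
    three OUI bytes and the three NIC-specific bytes of the MAC, then
    flipping bit 1 of the first byte (the universal/local bit).
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 6:
        return None
    iid = ip.packed[8:]            # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":    # no 0xfffe marker: not EUI-64 derived
        return None
    first = iid[0] ^ 0x02          # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit_mac_exposure(addresses):
    """Map each address that exposes its hardware MAC to that MAC.

    Hosts in this map are candidates for enabling IPv6 privacy addressing
    (or for a deliberate exception on a corporate network that wants the
    stable identifier for auditing).
    """
    return {a: m for a in addresses if (m := eui64_mac(a)) is not None}


if __name__ == "__main__":
    for addr, mac in audit_mac_exposure(SAMPLE_ADDRESSES).items():
        print(f"{addr} exposes MAC {mac}")
```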
Look, you're getting a subnet that's big enough for just about anything you can imagine doing at home, not just the things you can actually figure out how to do. If you'd like to split your /56 into 256 different subnets and do different things on them, go ahead. You can do that without breaking the end-to-end principle.
NAT breaks stuff right and left today, for two main reasons:
- lots of protocols, including FTP and newer protocols, put the IP address inside the data packets, not just in the packet headers, and doing NAT properly requires ripping the packets apart, changing the addresses, and fixing up any checksums that got damaged in the process. It's even worse if you've got protocols that use crypto, either for information hiding or just simply for authentication. It's very hard to get them right, especially if people design protocols the firewall doesn't know about.
- stateful NAT makes it hard to establish connections through the firewall. Sometimes this is intentional, blocking unwanted connections for security reasons, but if two people behind NAT want to communicate, neither one can talk until the other one has talked to them first. There are products like Skype that are popular because they go to a lot of trouble to work around the different broken NAT implementations out there.
Putting a firewall box in front of your computers isn't a bad thing - you just need one that's IPv6-aware instead of IPv4-only. You're not getting the security from NAT, you're getting security from having a stateful packet inspection box in front of your computer, and that's not going to change. If you want to offload packet inspection from your 2GHz CPU down to your 200 MHz SOC-based firewall, go ahead; about a quarter century ago, Van Jacobson figured out how to tune the BSD TCP/IP stack so you could do wire-speed file transfer on 10 Mbps Ethernets using a Sun 3/60, so you should have plenty of spare CPU horsepower left to inspect your packets.
There's no particularly good reason for your computer to look like a single computer to anybody outside your network, and simple address-munging isn't enough to solve the problem. My laptop has different addresses depending on where it's plugged in, home, work, coffeeshop, etc., and the address isn't enough to tell them anything definite. When I'm at work, I occasionally have trouble reaching sites because many other users behind my corporate firewall are accessing them at the same time, so they want me to do a CAPTCHA to verify I'm not a bot abusing their system. However, if anybody does want to track your address, with IPv6 they'll probably do it by tracking your /56 or /48. Also, there's the IPv6 address privacy mode, which lets your computer use a different host-part address on every connection, so it's not using the same MAC address every time.
There are some ISPs that are starting off with just a single /64 (e.g. Comcast's trial), because they've got some equipment or management software that's not bright enough to handle more complex routing than that, but the general consensus is that businesses should get /48 and residences should get at least /56. That not only allows for a couple of subnets (e.g. wired, wireless, uplink, DMZ), but it also lets you use relatively dumb routers that handle subnets by cutting their address space in 2-4 pieces, and you can stack a couple of those.
I have heard of one ISP that's only allocating a /60 for residences, but IPv6 has enough address space that most people think it's worthwhile wasting some of it to get addresses aligned on byte boundaries and not mess with nibble-aligned, much less single-bit-aligned.
IANA kept track of other kinds of numbers besides IPv4 addresses, and their job wasn't just to hand out unique numbers, but to keep track of who owns the numbers that are out there. And if you think IPv4 number ownership is going to stay stable now that they're all gone and you can only get them from other people, you may be a bit surprised.
There's already so much misuse of existing police databases that gets reported in the press, and presumably a lot more that doesn't. Some of it's cops stalking ex-lovers, or cops doing a "favor" for somebody to help them stalk somebody (with or without bribes attached to the favor), in ways that are blatantly illegal. Some of it's cops helping their friends in more-or-less-organized crime find out who's after them, or find business partners who are snitching or otherwise about to become ex-partners. Some of it's motor vehicle clerks helping people get their papers in order after driving while intoxicated or driving while speaking Spanish. Some of it's politicians trying to find out about other politicians, or trying to find out what other politicians can find out about them.
Lots of opportunity for Bad Stuff to happen here.
The limited address space in IPv4 may affect a few kinds of attacks, but not many. This paper was pointing out 100 Gbps botnet attacks, and if you've got an ISP that allows outbound UDP packets that aren't from your IP address space, which too many sloppy ISPs still do, you can use a few billion IP addresses times ~60K ports, so it's not going to stop any practical-sized attacks that care about that. If your botnet attacks come from ISPs that don't let you impersonate other users, then you'll encounter defenses that block your /64 and probably your /56 or /48 (so you could get some of your neighbors blacklisted, I suppose.)
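Two of the comments above describe the same abuse-tracking problem from both sides: the earlier one, where reporting and fraud-detection code stores addresses in uint32 fields and so cannot even represent an IPv6 visitor, and this one, where the useful unit to count and block on is the customer's /64 (or /56, /48) rather than the individual address. The following is an added example, not code from the original comments, showing the legacy uint32 field failing on IPv6 and a replacement that counts hits per blocking key; the log addresses are constructed from documentation ranges.

```python
import ipaddress
import struct
from collections import Counter

# Constructed sample: five hits from privacy addresses inside one /64,
# plus a few IPv4 hits, as a comment-spam report might see them.
SAMPLE_LOG_ADDRESSES = [
    "2001:db8:1:2:59d4:8b0c:7f21:a93e",
    "2001:db8:1:2:1c7a:44e1:9b02:d5f0",
    "2001:db8:1:2:a0d3:6e2b:0c11:78ef",
    "2001:db8:1:2:3f19:8d76:5ab4:e201",
    "2001:db8:1:2:77b2:0e4c:91d8:26aa",
    "203.0.113.7",
    "203.0.113.7",
    "198.51.100.23",
]


def legacy_pack_uint32(addr: str) -> bytes:
    """The old uint32 address field: works for IPv4, cannot hold IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv6 address does not fit in a uint32 field")
    return struct.pack("!I", int(ip))


def pack_address(addr: str) -> bytes:
    """Replacement field: 16 bytes, holds either family (IPv4-mapped for v4)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip.packed


def blocking_key(addr: str, v6_prefix: int = 64) -> str:
    """Unit to count or block on: the exact host for IPv4, a prefix for IPv6.

    v6_prefix can be widened to 56 or 48 when an attacker hops across /64s
    within one customer allocation, at the cost of catching their neighbors.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.ip_network(f"{ip}/32"))
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


def offenders(addresses, threshold: int, v6_prefix: int = 64) -> dict:
    """Return blocking keys whose hit count reaches the threshold."""
    counts = Counter(blocking_key(a, v6_prefix) for a in addresses)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG_ADDRESSES, threshold=3))
```

Counting per address instead of per prefix would show five unrelated single hits for the IPv6 visitor, which is exactly the blind spot the comments describe.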
The main IPv6 vs. IPv4 DDOS attack is the boring one - some user in Asia can't get an IPv4 address when APNIC runs out this year, so he'll only be able to reach you through NAT, unless you've got your IPv6 working.
Sure, 5 watts for a low-power miniserver is cool, but it's almost as expensive as a low-priced netbook which would have almost the same specs plus a screen.
I think you're probably right about that, because the issue of stateful vs. stateless firewalls in front of servers is the kind of thing Roland Dobbins often talks about. There are lots of resources a DDOS attack can exploit, and if it's easier to flood the firewall than the servers or the pipe, then that's the target to hit - and stateful firewalls are really designed to protect clients, not servers. It's generally better to use stateless firewalls to take out most of the noise, and leave stateful checking to the servers which need to maintain state anyway.
On the other hand, the reporter did appear to understand the problem of "good guys make their systems tougher, bad guys make their attacks bigger, and botnets are really cheap these days so we're seeing a few 100Gbps attacks." (100 Gbps!! Wasn't that long ago that 1Gbps was big.)
Unlike vinyl, nobody ever really loved 8-track.
Some years ago, my original-version iPod Shuffle had an unfortunate meeting with a cup of coffee. The music playing functions didn't survive the event, IIRC because the battery got toasted, but it still works fine as a USB memory stick. Of course, a gigabyte of memory stick was a lot bigger back then than it is now, and I suppose I should try to hack something interesting with the remains.
Many years before, my Palm Pilot III had a similar misfortune, and the falling cup of coffee also took out the backup database, which was the pile of dead trees in the briefcase. (Of course it happened a week after a hard drive failure on my laptop, which was not the fault of coffee, but I lost all my calendar. :-)