I can't wait until the patents necessary to create the first DVD players run out.
The only thing patents are doing is holding back innovation, increasing costs and unjustly enriching those who no longer have an incentive to offer anything but dead labor.
If you think a totalitarian government might be going after you because you're part of a human rights organization, then signing up for two-factor authentication is for you.
An SMS from google is essentially a giant signal beacon announcing your presence and exact location. An extremely unwise course of action if your adversary is a government.
If I required that kind of security where a strong password was not enough for messaging I would not be using a hosted platform such as google or SMTP for that matter.
They are juxtaposing TLDs with domain names. Nobody in TFA is saying anything about individual domains.
I object to the notion that ICANN is a non-profit organization operating in the best interests of the Internet. They are merely a front for domain registrars... back in the day when ICANN had people that really cared they actively resisted calls for opening the flood gates on TLDs.
The only thing TLD sprawl is good for is raising registrar revenues and confusing the living hell out of end users and trademark holders alike.
>>>I sure am glad that my right to pay steve 30%
To be fair, Microsoft and Ubuntu Linux password systems are not any more secure. Apple is no worse than they are.
Bzzt... the correct answer is both operating systems are more secure.
If Windows SYSKEY is used properly via a startup storage device, TPM or startup password, the NT hashes are stored in an encrypted database.
Ubuntu uses salted SHA-512 for password encryption by default. The length of time it takes to crack a password depends entirely on the security of the password.
In neither case will the Windows or Linux operating system give up the hash material without credentials or bypassing the OS by accessing the storage device directly.
Argh! Another IPv6 story... and we're NOT out of IPv4 addresses...
Imagine being in a grocery store watching as the last bag of marshmallows is snatched by a customer just moments before you.
Not preparing for the obvious future before it happens is like megafoodco getting rid of its supply chain.
Instead of waiting a few hours or coming back the next day for someone to restock the shelf, you get to wait a month for the Stay-Puft Marshmallow Man to make a fresh batch of marshmallows and ship them to your grocery store via snail express.
Believe it or not there are people who actually get paid to look ahead and make sure their organization is prepared for the future. Some consumers often do as well.
The IPv4 exhaustion issue is trumpeted as a reason to provide IPv6 support. But the exhaustion is purely at the NIC level at this point. It hasn't reached a single end user yet. It'll take years for people to start caring about this much. By that time, the current product line will be swapped out for new gear.
It has been reaching users for many, many years in terms of ISP documentation requirements. This is why residential customers get a single IP address if they're lucky.
SQL databases are just too complicated for the average IT professional, let alone the average person. And their proliferation into even desktop software, such as various accounting packages, is a development that will keep our industry on its toes for some time to come.
If the USG just turned off the Internet in the US it would fuck over the rest of the world's connectivity. The rest of the world will all be pissed about what happened to their infrastructure and start stringing routes and peers which no longer transit the US.
This means those AT&T fibre taps which supposedly monitor only "foreign" communication (as if that is acceptable) become paper weights.
Even the threat of legally codified availability of such a power could have the same effect as more governments see the dependency on the US as a liability.
Selective availability (see GPS) as a way to locally deny Internet capability is in practical terms a useless capability. If you want to protect a power station from sabotage via the Internet... unplug the damned Internet cable! There is no reason to get an ISP involved.
It is no different than the terrorist "smoking gun" scenario... It sounds good but there is no evidence that it has ever occurred or that threats are not best positioned for mitigation at the edge rather than higher up in the network.
My fear is the real intention here is a stepping stone to codify remote capabilities for the USG to control private networks on demand.
If the USG really cared about the safety and security of private networks they would provide more resources along the lines of US-CERT... no private company wants to be hacked... so there is no reason for parties not to have common interests and cooperate. It is hard not to see this as just a power grab... As far as I have been able to see, and I have tried... there are zero practical examples of real life scenarios where it is worth a hill of beans.
Ask your member of Congress for one concrete example of what good it will do... Don't accept generalities.
Could there be a more ridiculously inefficient way to waste bandwidth while at the same time locking customers into a subscription model and expensive data plans? With all the latency in a mobile environment the experience is sure to suck ass. It seems the winner here is NOT the customer.
...
Mobile devices are getting increasingly sophisticated GPUs as a standard feature... It costs nothing to use what you already have.
What if there really was an evil bit and it really did work?
Do you think governments would not pass laws requiring ISPs to filter packets containing such bits?
TLDs containing sexually, politically and morally contentious material are putting the topology of the network at risk by making it a lightning rod for attack by repressive and conservative governments throughout the world. It is a safe bet they will seek the capability to block entire TLDs and eventually rewire/fragment DNS to the detriment of all.
Normally if you don't like an individual site you just blackhole their network. Blocking entire TLDs just makes repression easier (no need to identify individual sites), reduces global cooperation and provides an excuse for entry points to the implementation of laws which uproot the global DNS database.
Is globalization ethical? Does it create problems we should all have at least some responsibility for addressing?
Why should people in your own country take precedence over those in other countries? Are they any less deserving? Would you have the same reservations if the help desk was set up on the other side of your own country? If so why?
The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible.
On the contrary, if the IPv6 address space was designed to be a long-term extension of the IPv4 address, dual stacking would not be required. Network reconfiguration wouldn't be required either.
And when you ran out of IPv4 space IPv6 people would be totally disconnected from the IPv4 network until people on that network upgraded to IPv6... without of course the use of CGN. It is materially no different than tunneling IPv4 over IPv6 to an IPv4 CGN.
DJB recognizes that of course everyone will eventually have to get upgrades to handle the extra address space, or for anyone to practically use an address in the extended area. The difference is that the upgrade would be transparent, because no network reconfiguration would have to be done. All old IP addresses and routing prefixes would be preserved, on the new network, forever.
I'll pass, thank you. Inheriting the v4 addressing mess by clever addition of bits to existing addresses is operationally insane. If you have more bits you have network reconfiguration, period, end of story... stringing new BGP sessions and routing entries to do it the right way is in relative terms no big deal; people would be delighted to do it rather than live with the current state of affairs and whatever magical netmask bit nonsense you came up with to give people more room within their existing address spaces... There is a reason why these proposals were all considered and REJECTED. They just don't work.
No, I think that IPv6 should have gone for at most 64-bit subnets because there are not a lot of 128-bit embedded CPUs and memory controllers. This is where I think the real problem lies for the fast internet routers. They will be doing 128-bit calculations and look-ups on what are usually 32-bit architectures and newly available 64-bit embedded architectures.
"Fast" routers are unlikely to route packets based on the full 128-bit destination due to limited precious TCAM space.
They are almost always configured to look at the first 64 bits only for routing assuming the remaining is a host identifier on the destination network.
Oh, and one thing I forgot about NAT - it makes it REALLY easy to move publicly accessible services without interruption - just change a port forward and everyone automatically starts using the new service:)
NAT is just a really handy tool, for many reasons. It doesn't make sense to discard it for purely ideological reasons.
NAT is the reason why Cisco can get away with selling Umi for $600 PLUS $20/month required to prevent decay into a paper weight.
It is why gotomypeecee can get away with selling you a service you could otherwise do for yourself for free and without trusting a 3rd party to not mess with your system.
It is why supernodes are required to use Skype, sending your conversation through those few precious intermediates that are not broken by NAT and may not have your best interests at heart.
End users don't need an IPv6 NAT in their homes just because they had one with IPv4... A home router with a stateful firewall provides the same functionality as their IPv4 NAT routers without having to mangle packets and break end-to-end.
Business folks should expect to have the same capabilities they had with IPv4 but I will not defend those who treat IPv6 the same as IPv4 out of ignorance and habit. As you point out there are a number of very useful network elements that can be loosely lumped into "NAT" (load balancers, firewalls...). These devices are as needed in the IPv6 world as they have been in IPv4.
And let's face it - NAT is handy enough, and so entrenched, that if the IETF DOESN'T formally define a spec for it, we'll end up with vendors hacking up custom solutions in response to customer demand, which is definitely not a good thing.
IPv6 is the same as IPv4 in all ways that matter. There is no reason for the IETF to do any such thing. Anyone who wants to can implement it themselves without IETF supervision. The state charts for TCP and all the other protocols are exactly the same in IPv6 as they are in IPv4.
Let's just write a formal spec for NATv6 and let the greater internet decide whether it's a good thing or not.
No one is being prevented from implementing NAT by any action or inaction of any standards body.
The few open source developers who have publicly stated "over my dead body" are entitled to their opinions and selection of what they want to spend their time on, as are you.
That was the original idea. But of course you would need to convert those decimal numbers to hex. The current plan would make that address available as 0::FFFF:
This is a little confusing... ::ffff is the IPv4-mapped IPv6 address used *internally* for dual stack sockets. (They are mapped to the host's native IPv4 stack.) These addresses are explicitly forbidden from being sent as IPv6 over the wire... It is a local representation only.
IPv6 will be very slow in coming, and there will be no crisis.
The operators I know are scrambling to light up v6 on their networks. Most of the large end-user ISPs in the US are actively working on IPv6 deployment w/ end user trials. Most plan to deploy this year or early next. Think about that... within a year's time tens of millions of subscribers are IPv6 capable.
Yes there will be a lot of people with CPE gear that needs to be replaced or updated and it will take forever to get EVERYONE transitioned, but a large number of people will just work on IPv6 overnight, and when Google/YouTube/Facebook/Netflix flip their switches and announce an AAAA record... guess what, a huge percentage of US traffic switches from IPv4 to IPv6 overnight!
Please don't misunderstand... the complete transition will take a long time and it will be slow, but the v6 growth curve will still continue to follow its current exponential path for some time before colliding with stragglers in the coming years.
As ISPs run out of v4 address space, they will offer NATted RFC 1918 space by default, and charge a few dollars extra for public addresses. Only a few people prefer a public address if charged $5/month for it, and they won't miss anything either. While lots of public servers will be offered in both v4 and v6 space, nothing interesting will require v6.
What if I'm a new ISP or hosting provider and I can't get any IP addresses?? This qualifies as a crisis to me.
In the future there will come a point where people will get tired of running two separate protocol stacks and begin to offer IPv6 only. You don't realize the extreme pressure on address allocation in the emerging world. In the US what you say is largely true... it is not clear to me that it will be possible globally. APNIC is burning a /8 each and every month. CGNs at that scale are expensive to run and manage and bring a whole set of operational issues including CALEA, attack vectors against NAT state charts, and breakage of popular software such as P2P and Skype.
v6 will grow slowly based on its use in purely internal networks. The things lusers need will always be available in v4
Why would anyone switch to IPv6 for an internal network? It is just the public facing stuff that needs IPv4 addresses... People go nuts thinking about having to renumber their internal networks and replace their accounting software... no you don't... keep what you have... ADD IPv6.
and there aren't enough clued users to create a real shortage
Did I mention APNIC is burning through a /8 per month... LTE is being deployed to tens of millions globally... Is Slashdot real? Am I real... is what's real really real?
It's not impossible. It just wasn't done this way.
If the existing IPv4 space was embedded in IPv6, it could be part of 0000:0000:0000:0000:0000:0000, and that prefix could be optional (the prefix could really be anything, as long as it was a standard). This would make an IPv4 address of 123.123.123.123 be 0000:0000:0000:0000:0000:0000:7b7b:7b7b (aka 0::7b7b:7b7b).
Ah... you can actually just type ::123.123.123.123 and get the same bit pattern in an IPv6 address. There are also transition technologies that make this work... This SOLVES NOTHING.
All servers would then automatically be part of the IPv6 network, and accessible from any IPv4 client, and from any IPv6 client that is in that same IPv6 subnet. With a minor update to the router or host, the old IPv4 server could talk to any IPv6 client too... they'd just start sending full length packets
"A minor update to the host"..... I..ah so ah.....ahh...please stop and think about what you just said.
When we run out of IPv4 addresses your map breaks. All IPv4 hosts need a "minor update" to communicate with IPv6 hosts which can no longer map to IPv4 because there is no more IPv4... Thus IPv4 can no longer talk to IPv6 *and* vice versa.
There is no such thing as a "minor update". It doesn't exist... think about it.
I love and respect DJB but he is reacting to a common set of concerns without understanding the entire problem space and without understanding why things must be the way they are.
On his compatibility argument... it is just not possible. You could make IPv4 a subset of IPv6, which the ::n.n.n.n and some translation technologies seek to do, but this does NOTHING to address the problem of address shortage.
A very simple question remains... What address does an IPv4 host use to respond to an IPv6 host after the IPv4 pool is exhausted? It can't be IPv4 because there are none for the IPv6 host to be assigned and it can't be IPv6 because IPv4 does not understand IPv6... AND you can't retroactively make IPv4 compatible with IPv6 without wholesale updates to the entire infrastructure... (AKA IPv6 transition)
I wish there was another way but it just isn't technically possible to have interop without the deployment of CGNs.
At everything above L3 it doesn't matter; because of DNS bindings and dual-stack hosts it looks like both protocols work seamlessly together, which is really all that the end user cares about.
I want to go to a *single* IP address that represents all systems on my network. Same thing I am doing today with IPv4. I don't like people outside being able to enumerate devices on my network - and using a single address is a first step (tweaking IP stacks to change the signature and replacing the browser agent string helps too).
It is possible today to recover the user's internal IP address on their private IPv4 network using Flash / JavaScript when they visit a web site.
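As an added illustration of the ::a.b.c.d and ::ffff:a.b.c.d forms argued over above (my example, using only Python's standard ipaddress module; the function and prefix names are mine, not from any comment or RFC): it shows that both encodings carry exactly the original 32 bits, how a dual-stack server recovers the IPv4 peer from the mapped form, and why a /96 embedding names no more hosts than IPv4 does.

```python
import ipaddress
from typing import Optional, Tuple

# RFC 4291 defines two ways to carry the 32 bits of an IPv4 address inside an
# IPv6 address (the constant names below are mine, not IANA's):
#   ::a.b.c.d        "IPv4-compatible" (deprecated): v4 bits in the low 32 bits of ::/96
#   ::ffff:a.b.c.d   "IPv4-mapped": what a dual-stack socket shows for a v4 peer,
#                    never meant to appear on the wire as an IPv6 packet
COMPATIBLE_PREFIX = ipaddress.IPv6Network("::/96")
MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


def compatible_form(v4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address as ::a.b.c.d; str() shows the same bits as hex groups."""
    return ipaddress.IPv6Address("::" + v4)


def mapped_form(v4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address as ::ffff:a.b.c.d (dual-stack socket representation)."""
    return ipaddress.IPv6Address("::ffff:" + v4)


def embedded_ipv4(v6: str) -> Optional[Tuple[str, str]]:
    """Classify an IPv6 address as ('mapped'|'compatible', '<ipv4>'), or None.

    A dual-stack server that logs or rate-limits by peer address needs this step;
    otherwise a v4 client shows up as an opaque ::ffff:... string and any
    v4-based allow/deny list silently stops matching.
    """
    addr = ipaddress.IPv6Address(v6)
    if addr.ipv4_mapped is not None:            # ::ffff:a.b.c.d
        return ("mapped", str(addr.ipv4_mapped))
    if addr in COMPATIBLE_PREFIX and not addr.is_unspecified and not addr.is_loopback:
        low32 = int(addr) & 0xFFFFFFFF          # ::a.b.c.d, excluding :: and ::1
        return ("compatible", str(ipaddress.IPv4Address(low32)))
    return None


def embeddable_address_count(prefix: ipaddress.IPv6Network = COMPATIBLE_PREFIX) -> int:
    """How many hosts a /96 embedding can name: exactly 2**32, the IPv4 space.

    This is the arithmetic behind "this solves nothing": re-encoding v4 addresses
    inside v6 creates no new addresses, it only renames the ones that already exist.
    """
    return prefix.num_addresses
```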
NAT == stateful firewall without packet mangling.
Effectively anyone who wants it gets the same information and capabilities from your users regardless of IPv4 NAT vs IPv6 firewall.
Sorry, at a loss. Comcast should just keep IPv4 internal and proxy IPv6 externally. Don't understand the reason to complicate its implementation any more. Other than to let us geeks suffer the consequences.
When IPv4 addresses are no longer available (coming within just months to a RIR near you! IANA global pool already gone!!) how do you propose to use IPv4 internally when the necessary IPv4 address space simply does not exist?
I can see an ISP following your advice right up until they need to fill out a new SWIP request for address space that does not exist. RIR: sorry dude.. ISP to customer: sorry dude... customer: @*(@#**!
When IPv4 runs out the only avenue for not switching to IPv6 for new users is CGN... given the choice I would rather have a monstrous IPv6 address than stay with IPv4 and go through a carrier NAT, losing the ability to connect to my stuff from the network and run my own servers.
Comcast and the rest of the world are extremely late on IPv6 deployment. Slashdot... oh Slashdot... tears come to my eyes just thinking about Slashdot's lack of IPv6 support. It is really sad.
If you care about a global network that can accommodate everyone on the planet equally as peers, IPv6 is the only answer available. I believe the developing world should have the same opportunities as the developed world.
Unfortunately the number of naysayers who either do not care, do not want to change or do not see the big cluster*@*# on the horizon due to v4 depletion even with IPv6 deployment is still quite large.
I don't know what to say or how to convince people they need to take IPv6 seriously. After all it is not your problem... why should you care?
I remember back in the day firewalls were about *logging* more than they were about security.
I guess I have trouble understanding the point of firewalls for public facing systems. If you can't configure the server to only expose the required services to the public a firewall is great but nowadays there really is no credible reason such configuration is not possible either directly in the server configuration file or with local firewalling rules.
IDS and various layer-n scanning and proxy filters and the operating systems they run on top of are not immune to attack themselves. There have been a number of attacks specifically targeting IDS systems. By deploying unnecessary systems you are growing additional branches on your system's threat tree.
At the end of the day the *application* you expose has to stand on its own. Systems without a brain don't have the capability to meaningfully understand higher layer interactions. A firewall will happily forward all non-cheesy app layer attack vectors. The only thing you gain is independent logging!! If you compromise a host you can compromise its logs, but if there is a middle box doing the logging it is isolated from compromise.
For example many systems advertise protection against injection attacks; however, nothing but the app can block an injection attack with 100% coverage and no false alarms (which can have adverse effects on legitimate use of a system). By definition there is no informational basis to obtain such knowledge.
The kicker is few seem to care much about their firewall logs these days... They keep them but don't really spend any time and energy reviewing them. All PPL are doing is checking the firewall box on their security checklists and moving on.
In my view the act of thinking that one is safe because they use a firewall is worse than not having a firewall.
Why on earth would you want DHCPv6? Router advertisements and SLAAC are much easier.
Here is your list of reasons... http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xml
The alternative is worse.
I think you mean ::4C21:2D78, but I agree with your point about IPv6 being an extension of IPv4, not a replacement of it.
You don't even need that.. ::76.33.45.121 is a perfectly valid address.
The author claims that IPv6 should have been designed as an extension to IPv4 so that IPv4 and IPv6 hosts can communicate with each other directly. This is fundamentally impossible.
On the contrary, if IPv6 address space was designed to be an long term extension of the IPv4 address, dual stacking would not be required. Network reconfiguration wouldn't be required either.
And when you ran out of IPv4 space IPv6 people would be totally disconnected from the IPv4 network until people on that network upgraded to IPv6... without of course the use of CGN. It is materially no different than tunneling IPv4 over IPv6 to an IPv4 CGN.
DJB recognizes that of course everyone will eventually have to get upgrades to handle the extra address space, or for anyone to practically use an address in the extended area. The difference is that the upgrade would be transparent, because no network reconfiguration would have to be done. All old IP addresses and routing prefixes would be preserved, on the new network, forever.
I'll pass thank you. Inheriting the v4 addressing mess by clever addition of bits to existing addresses is opertionally insane. If you have more bits you have network reconfiguration period end of story... stringing new bgp sessions and routing entries to do it the right way is in realitive terms no big deal that people would not be delighted to do it rather than living with the current state of affairs and whatever magical netmask bit nonsense you came up with to give people more room within their existing address spaces... There is a reason why these proposals were all considered and REJECTED. They just don't work.
No, I think that IPv6 should have gone for at the most 64 bit sub-nets because there are not a lot of 128-bit Embedded CPU's and memory controllers. This is where I think the really problem lies for the fast internet routers. They will be doing 128-bit calculations and look-ups on what are usually 32-bit architectures and newly available 64-bit embedded architectures.
"Fast" routers are unlikely to route packets based on the full 128-bit destination due to limited precious tcam space.
They are almost always configured to look at the first 64 bits only for routing assuming the remaining is a host identifier on the destination network.
Oh, and one thing I forgot about NAT - it makes it REALLY easy to move publicly accessible services without interruption - just change a port forward and everyone automatically starts using the new service :)
NAT is just a really handy tool, for many reasons. It doesn't make sense to discard it for purely ideological reasons.
NAT is the reason why cisco can get away with selling umi for $600 PLUS $20/month required to prevent decay into paper weight. It is why gotomypeecee can get away with selling you a service you could otherwise do for yourself for free and without trusting a 3rd party to not mess with your system. It is why supernodes are required to use skype sending your conversation thru those few precious intermediates that are not broken by NAT and may not have your best interests at heart. End users don't need an IPv6 NAT in their homes just because they had one with IPv4.. A home router with a stateful firewall provides the same functionality as their IPv4 NAT routers without having to mangle packets and break end to end. Business folks should expect to have the same capabilities they had with IPv4 but I will not defend those who treat IPv6 the same as IPv4 out of ignorance and habbit. As you point out there are a number of very useful network elements that can be loosly lumped into "NAT" (load balancers, firewalls..). These devices are as needed in the IPv6 world as they have been in IPv4.
And lets face it - NAT is handy enough, and so entrenched, that if the IETF DOESN'T formally define a spec for it, we'll end up with vendors hacking up custom solutions in response to customer demand, which is definitely not a good thing.
IPv6 is the same as IPv4 in all ways that matter. There is no reason for the IETF to do any such thing. Anyone who wants to can implement it themselves without IETF supervision. The state charts for TCP and all the other protocols are exactly the same in IPv6 as they are in IPv4.
Let's just write a formal spec for NATv6 and let the greater internet decide whether it's a good thing or not.
Noone is being prevented from implementing NAT by any action or inaction of any standards body. The few open source developers who have publically stated "over my dead body" are entitled to their opinions and selection of what they want to spend their time on as are you.
That was the original idea. But of course you would need to convert those decimal numbers to hex. The current plan would make that address available as 0::FFFF:
This is a little confusing... ::ffff is the IPv4-mapped IPv6 address used *internally* for dual stack sockets. (They are mapped to the host's native IPv4 stack.) These addresses are explicitly forbidden from being sent as IPv6 over the wire. It is local representation only.
IPv6 will be very slow in coming, and there will be no crisis.
The operators I know are scrambling to light up v6 on their networks. Most of the large end-user ISPs in the US are actively working IPv6 deployment w/ end user trials. Most plan to deploy this year or early next. Think about that.. within a year's time tens of millions of subscribers are IPv6 capable.
Yes there will be a lot of people with CPE gear that needs to be replaced or updated, and it will take forever to get EVERYONE transitioned, but a large number of people will just work on IPv6 overnight, and when Google/youtube/facebook/netflix flip their switches and announce an AAAA record .. guess what, a huge percentage of US traffic switches from IPv4 to IPv6 overnight!
Please don't misunderstand.. the complete transition will take a long time and it will be slow, but the v6 growth curve will still continue to follow its current exponential path for some time before colliding with stragglers in the coming years.
As ISPs run out of v4 address space, they will offer natted rfc1918 space by default, and charge a few dollars extra for public addresses. Only a few
What if I'm a new ISP or hosting provider and I can't get any IP Addresses?? This qualifies as a crisis to me.
people prefer a public address if charged $5/month for it, and they won't miss anything either. While lots of public servers will be offered in both v4 and v6 space, nothing interesting will require v6.
In the future there will come a point where people will get tired of running two separate protocol stacks and begin to offer IPv6 only. You don't realize the extreme pressure on address allocation in the emerging world. In the US what you say is largely true... it is not clear to me that it will be possible globally. APNIC is burning a /8 each and every month. CGNs at that scale are expensive to run and manage and bring a whole set of operational issues including CALEA, attack vectors against NAT state charts, and breakage of popular software such as P2P and skype.
v6 will grow slowly based on its use in purely internal networks. The things lusers need will always be available in v4
Why would anyone switch to IPv6 for an Internal network? It is just the public facing stuff that needs IPv4 addresses... People go nuts thinking about having to renumber their internal networks and replace their accounting software....no you don't..keep what you have... ADD IPv6.
and there aren't enough clued users to create a real shortage
Did I mention APNIC is burning thru a /8 per month... LTE is being deployed to tens of millions globally... Is slashdot real? Am I real... is what's real really real?
It's not impossible. It just wasn't done this way.
If the existing IPv4 space was embedded in IPv6, it could be part of 0000:0000:0000:0000:0000:0000, and that prefix could be optional (the prefix could really be anything, as long as it was a standard). This would make an IPv4 address of 123.123.123.123 be 0000:0000:0000:0000:0000:0000:7b7b:7b7b (aka 0::7b7b:7b7b).
Ah... you can actually just type ::123.123.123.123 and get the same bit pattern in an IPv6 address. There are also transition technologies that make this work. This SOLVES NOTHING.
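As an added illustration of the two embeddings discussed in the posts above (the all-zero-prefix "0::7b7b:7b7b" scheme and the ::ffff: IPv4-mapped form used by dual-stack sockets), this is example code written for this page, not something any poster supplied; it uses only Python's standard ipaddress module.

```python
import ipaddress


def embed_ipv4_compatible(v4: str) -> ipaddress.IPv6Address:
    """Place a dotted-quad in the low 32 bits of an otherwise all-zero IPv6 address.

    This is the "0::7b7b:7b7b" scheme from the thread (the old IPv4-compatible
    form): the 32-bit IPv4 value simply becomes the last two hextets.
    """
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(v4_int)  # upper 96 bits are zero


def embed_ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """Build the ::ffff:a.b.c.d form that dual-stack sockets use internally.

    Bits 32..47 are set to 0xffff; the IPv4 address occupies the low 32 bits.
    """
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address((0xFFFF << 32) | v4_int)


def same_bits(a: str, b: str) -> bool:
    """True when two IPv6 literals denote the same 128-bit value
    (e.g. "::123.123.123.123" and "0::7b7b:7b7b")."""
    return int(ipaddress.IPv6Address(a)) == int(ipaddress.IPv6Address(b))


def classify(addr: str) -> str:
    """Return 'mapped', 'compatible' or 'native' for an IPv6 literal.

    'mapped' (::ffff:a.b.c.d) is a local representation only and should never
    be seen on the wire; 'compatible' (::a.b.c.d) is the deprecated embedding.
    """
    a = ipaddress.IPv6Address(addr)
    if a.ipv4_mapped is not None:
        return "mapped"
    v = int(a)
    if (v >> 32) == 0 and v > 1:  # inside ::/96, excluding :: and ::1
        return "compatible"
    return "native"


if __name__ == "__main__":
    # Constructed sample values matching the thread's example.
    print(embed_ipv4_compatible("123.123.123.123").exploded)
    print(embed_ipv4_mapped("123.123.123.123").ipv4_mapped)
    print(classify("::ffff:123.123.123.123"), classify("::123.123.123.123"))
```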
All servers would then automatically be part of the IPv6 network, and accessible from any IPv4 client, and from any IPv6 client that is in that same IPv6 subnet. With a minor update to the router or host, the old IPv4 server could talk to any IPv6 client too... they'd just start sending full length packets
"A minor update to the host" ... .. I..ah so ah... ..ahh...please stop and think about what you just said.
When we run out of IPv4 addresses your map breaks. All IPv4 hosts need a "minor update" to communicate with IPv6 hosts which can no longer map to IPv4 because there is no more IPv4. Thus IPv4 can no longer talk to IPv6 *and* vice versa.
There is no such thing as a "minor update". It doesn't exist...think about it.
I love and respect DJB but he is reacting to a common set of concerns without understanding the entire problem space and without understanding why things must be the way they are.
On his compatibility argument.. it is just not possible. You could make IPv4 a subset of IPv6 which the ::n.n.n.n and some translation technologies seek to do but this does NOTHING to address the problem of address shortage.
A very simple question remains.. What address does an IPv4 host use to respond to an IPv6 host after the IPv4 pool is exhausted? It can't be IPv4 because there are none for the IPv6 host to be assigned, and it can't be IPv6 because IPv4 does not understand IPv6.. AND you can't retroactively make IPv4 compatible with IPv6 without wholesale updates to the entire infrastructure... (AKA IPv6 transition)
I wish there was another way but it just isn't technically possible to have interop without the deployment of CGNs.
At everything above L3 it doesn't matter; because of DNS bindings and dual-stack hosts it looks like both protocols work seamlessly together, which is really all that the end user cares about.
Dispense the cards in a way where you cannot cherry pick.
I want to go to a *single* IP address that represents all systems on my network. Same thing I am doing today with IPv4. I don't like people outside to be able to enumerate devices on my network - and using a single address is a first step (tweaking IP stacks to change signature and replacing browser agent string helps too).
It is possible today to recover the user's internal IP address on their private IPv4 network using flash / javascript when they visit a web site.
NAT == stateful firewall without packet mangling.
Effectively anyone who wants it gets the same information and capabilities from your users regardless of IPv4 NAT vs IPv6 firewall.
Sorry, at a loss. Comcast should just keep IPv4 internal and proxy IPv6 externally. Don't understand the reason to complicate its implementation any more. Other than let us geeks suffer the consequences
When IPv4 addresses are no longer available (coming within just months to a RIR near you! IANA global pool already gone!!) how do you propose to use IPv4 internally when the necessary IPv4 address space simply does not exist?
I can see an ISP following your advice right up until they need to fill out a new SWIP request for address space that does not exist. RIR: sorry dude.. ISP to customer: sorry dude... customer: @*(@#**!
When IPv4 runs out the only avenue for not switching to IPv6 for new users is CGN... given the choice I would rather have a monstrous IPv6 address than stay with IPv4 and go through a carrier NAT, losing the ability to connect to my stuff from the network and run my own servers.
Comcast and the rest of the world are extremely late on IPv6 deployment. Slashdot... oh slashdot... tears come to my eyes just thinking about slashdot's lack of IPv6 support. It is really sad.
If you care about a global network that can accommodate everyone on the planet equally as peers, IPv6 is the only answer available. I believe the developing world should have the same opportunities as the developed world.
Unfortunately the number of naysayers who either do not care, do not want to change, or do not see the big cluster*@*# on the horizon due to v4 depletion even with IPv6 deployment is still quite large.
I don't know what to say or how to convince people they need to take IPv6 seriously. After all it is not your problem... why should you care?
I remember back in the day firewalls were about *logging* more than they were about security.
I guess I have trouble understanding the point of firewalls for public facing systems. If you can't configure the server to only expose the required services to the public a firewall is great but nowadays there really is no credible reason such configuration is not possible either directly in the server configuration file or with local firewalling rules.
IDS and various layer n scanning and proxy filters, and the operating systems they run on top of, are not immune to attack themselves. There have been a number of attacks specifically targeting IDS systems. By deploying unnecessary systems you are growing additional branches on your system's threat tree.
At the end of the day the *application* you expose has to stand on its own. Systems without a brain don't have the capability to meaningfully understand higher layer interactions. A firewall will happily forward all non-cheesy app layer attack vectors. The only thing you gain is independent logging!! If you compromise a host you can compromise its logs, but if there is a middle box doing the logging it is isolated from compromise.
For example many systems advertise protection against injection attacks; however, nothing but the app can block an injection attack with 100% coverage and no false alarms (which can have adverse effects on legitimate use of a system). By definition there is no informational basis to obtain such knowledge.
The kicker is few seem to care much about their firewall logs these days. They keep them but don't really spend any time and energy reviewing them. All PPL are doing is checking the firewall box on their security checklists and moving on.
In my view the act of thinking that one is safe because they use a firewall is worse than not having a firewall.