I'd have to stop using Google as my search engine if they did that. When I do a search I want the page that is most likely to answer my question at the top, not the site that has the best IPv6 support.
Well then maybe you should stop using google. They have been checking non-content metrics such as the responsiveness, availability and unrelated things such as the age and registration data of the domain for many years. It all factors into the picture.
If anyone from google is reading this please consider preferencing sites with A and AAAA records in your search results or heck just threaten/rumor to do it.
"This past March, the Senate's Sergeant at Arms reported that the computer systems of the Executive Branch agencies and the Congress are now under cyber attack an average of 1.8 BILLION times per month."
The fuck you are. DoD reports on the order of tens of thousands of "attacks" against them YEARLY.
You don't get to count every ping, spam, packet, scan and automated garbage as a "cyber attack". Well you can, but you would lose (or have already lost) all credibility in the process.
"Rather than granting a "kill switch," S. 3480 would make it far less likely for a President to use the broad authority he already has in current law to take over communications networks."
In other words since you already have the authority to do whatever the hell you want this whole exercise is redundant? If this is the case why bother with new legislation?
I don't know of any operators who would not take reasonable steps to mitigate problems if the USG had specific information about a credible problem where public safety or life critical systems were involved. Do you? Is there any evidence whatsoever this is a problem?
I would add it is quite foolish to think one can address a "cyber attack" as in "war" in linear time or on timescales in which humans have any chance of reacting. Chances are your adversaries have already compromised the system well in advance. For all you know failure to check in due to service disruption could well result in pre-programmed failsafe action.
I continue to be amazed by all of the crap that can be invoked within your browser upon demand by the operators of any web site on the planet by default.
There are browser security bugs..but they seem to be just the tip of the iceberg. Most of this extraneous crap most people can live without, but it is still there for anyone with some spare time to exploit regardless.
The underlying problem is that a certain level of prioritization IS network management.
You actually want to be able to prioritize across different classes of services to make the most effective use of available bandwidth in cases where there may just not be enough to go around.
Bulk items such as file downloads can tolerate infinite amounts of delay and/or jitter without noticeably affecting service. However known delay-intolerant applications such as RTP streams (VoIP) or UDP based realtime multiplayer games, while not consuming the large volumes of data that a large file download or netflix video would, are extremely sensitive to delay.
There needs to be some formulation of what network management means in terms of prioritization of services for legitimate reasons (improvement of overall balance of quality of service for everyone).
A youtube video can tolerate large amounts of jitter and delay but a realtime video conference can not without being severely affected. Operators with limited bandwidth who are not allowed to differentiate between these classes of service will result in unnecessary degradation of service for all in cases where network resources are limited.
The venn diagram including circles for network management and restriction of service differentiation needs more text to make the intent and acceptable overlap clearer.
I think I can help a little here. If you aren't using https for logins, then you can do some password hashing tricks to make things much more secure. I developed a similar solution for this at my last job. I checked some other sites to see if they used it when I developed my solution and found that yahoo email did pretty much exactly the same thing when they were using http (non-secure) logins.
The very first rule when it comes to security is under no circumstances should you ever even think about rolling your own.
*) clientside javascript hashes this random long string (possibly more than once) along with password and sends to server. (This protects from rainbow table attack of password using the hash.)
This would be the reason why. You're essentially asking a liar to be truthful. What would prevent an adversary from providing their own client code to ship your plaintext elsewhere?
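The challenge/hash login scheme from the post above, as an added example that is not part of the original thread: the server issues a random challenge, the client sends H(challenge || H(password)), and the server checks it against the H(password) it stores. The code then runs the two attackers the scheme has to face: a passive eavesdropper who only sees the wire, and an active attacker on plain http who serves his own copy of the client script (the "liar" in the reply). Function names and the sample wordlist are constructed for this illustration.

```python
"""Added example (not from the original thread): the challenge/hash login
scheme described above, with the attackers it does and does not stop.
Names and the sample wordlist are constructed for illustration."""
import hashlib
import hmac
import secrets


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register(password: str) -> str:
    # The server must store h(password) to verify responses.  In this scheme
    # that stored value is password-equivalent: whoever reads it can answer
    # every future challenge without ever knowing the password.
    return h(password.encode())


def issue_challenge() -> str:
    # Fresh per-login random string: a precomputed (rainbow) table of
    # h(password) values is useless against h(challenge || h(password)).
    return secrets.token_hex(16)


def honest_client(challenge: str, password: str) -> str:
    # What the page's client-side JavaScript computes and sends instead of the password.
    return h((challenge + h(password.encode())).encode())


def server_verify(challenge: str, response: str, stored: str) -> bool:
    return hmac.compare_digest(response, h((challenge + stored).encode()))


def passive_eavesdropper(challenge: str, response: str, wordlist):
    # Sees only the challenge and the response.  No table lookup applies, but
    # one SHA-256 per guess is cheap, so a weak password falls offline anyway.
    for guess in wordlist:
        if honest_client(challenge, guess) == response:
            return guess
    return None


def tampered_client(challenge: str, password: str, exfil: list) -> str:
    # An active attacker on plain http serves his own login script.  It still
    # computes the correct hash, so the login succeeds, and the plaintext
    # leaves the browser at the same time.
    exfil.append(password)
    return honest_client(challenge, password)


def run_demo(password: str = "letmein") -> dict:
    stored = register(password)
    wordlist = ["password", "123456", "letmein", "qwerty"]  # constructed sample list

    c1 = issue_challenge()
    r1 = honest_client(c1, password)
    login_ok = server_verify(c1, r1, stored)

    c2 = issue_challenge()
    replay_ok = server_verify(c2, r1, stored)  # old response vs new challenge

    guessed = passive_eavesdropper(c1, r1, wordlist)

    exfil: list = []
    r3 = tampered_client(c2, password, exfil)
    mitm_login_ok = server_verify(c2, r3, stored)

    return {
        "login_ok": login_ok,
        "replay_ok": replay_ok,
        "guessed_by_eavesdropper": guessed,
        "mitm_login_ok": mitm_login_ok,
        "plaintext_exfiltrated": exfil,
    }


if __name__ == "__main__":
    print(run_demo())
```

The scheme does stop replay and rainbow tables, which is all the original post claims. It does nothing against an offline dictionary attack on a weak password (no work factor, and the salt is public), and nothing against whoever controls the script the browser runs.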
The cost to switch to IPv6 is not flipping a switch. It will cost trillions upon trillions of dollars globally to migrate. Selling investments like that in the middle of a global recession is not small potatoes.
People on slashdot talk about IPv6 migration like it is simple - it is NOT. There are a lot more devices than your local router, and a lot more pieces of software than your desktop OS, that have to support IPv6 before it can be migrated. Companies have decades worth of software with hundreds upon hundreds of millions of lines of code, all assuming an IP is 4 bytes.
The IPv6 switchover makes the Y2k thing look like small potatoes, namely because the IP stack is a much more integral piece of functionality in a lot of software than the absolute date ever was - that and you have a lot more to switch over today than you did in 1999
Companies can keep IPv4 in their internal networks until the end of time for all that anyone cares. Just make your Internet facing corporate web site, email..etc accessible via IPv6. No rocket science required.
What I don't get is why the people who came up with IPv6 didn't make the upgrade path easier? Obviously I'm missing something, but what if (for the sake of argument) they had decided that the first 'n' IPv6 addresses would correspond to the complete set of IPv4 addresses, and all IPv6 routers, etc, would understand that one of the first IPv6 addresses meant 'route the traffic to the corresponding IPv4 address'. Could that have been done?
I have a question that may resolve your question: After there are no more IPv4 addresses and someone with an IPv6 only address wants to access the IPv4 network.. what address does the IPv4 network see so it can send a response? It can't be IPv4 because they're all in use and it can't be IPv6 because IPv4 does not understand IPv6.
Various NAT(4|6)+DNS protocols magically allow IPv6 to access IPv4 content using a fixed IPv6 prefix followed by the IPv4 address. It is essentially the scheme you describe with a mapping except using NAT to answer the question above: The IPv4 address that the IPv4 network sees and communicates with is a central NAT device on the ISP network.
Several nextgen mobile systems are actually more than a year into deploying exactly this (IPv6 ONLY) to many tens of millions of handsets around the world. The translation works for the most part with a few exceptions such as web sites which embed URLs containing real IP Addresses rather than DNS hostnames. There are also problems with protocols embedding IP Addresses (L2TP, FTP, SIP..etc) but for the most part for simple web browsing..etc it works.
Obviously not an ideal or long-term solution. Hopefully this gives content companies, including slashdot, an incentive to start caring about native IPv6 reachability.
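The "fixed IPv6 prefix followed by the IPv4 address" mapping from the reply above, as an added example that is not part of the original thread, using the RFC 6052 well-known NAT64 prefix 64:ff9b::/96. It shows the DNS64 side (synthesizing an AAAA from an A record), the NAT64 gateway side (recovering the IPv4 destination), and the breakage mentioned for URLs that embed a raw IPv4 address: a literal never passes through DNS64, so nothing maps it. The function names and the A/AAAA record table are constructed for this illustration.

```python
"""Added example (not from the original thread): NAT64/DNS64 address mapping
with the RFC 6052 well-known prefix, plus the embedded-IPv4-literal failure
mode.  The DNS record table below is constructed for the demo."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """DNS64 side: embed an IPv4 address in the low 32 bits of the NAT64 prefix.
    Only the /96 form of RFC 6052 is handled; the other prefix lengths place
    the embedded bits differently."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """NAT64 gateway side: recover the real IPv4 destination from a mapped address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError("%s is not inside the NAT64 prefix %s" % (v6, prefix))
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def is_nat64_mapped(ipv6, prefix=NAT64_PREFIX):
    return ipaddress.IPv6Address(ipv6) in prefix


# Constructed records standing in for what the IPv4 side publishes in DNS.
SAMPLE_DNS = {
    "v4only.example.net": {"A": ["192.0.2.10"]},
    "dual.example.net": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def resolve_for_ipv6_only_host(target, dns=SAMPLE_DNS):
    """What an IPv6-only client ends up connecting to for a hostname or literal.
    Returns the IPv6 address to use, or None when the target is unreachable."""
    try:
        literal = ipaddress.ip_address(target)
    except ValueError:
        literal = None
    if literal is not None:
        # An IPv6 literal works as-is.  An IPv4 literal never goes through
        # DNS64, so no mapped address is ever synthesized for it: this is the
        # "URL containing a real IP address" breakage from the reply above.
        return literal if literal.version == 6 else None
    records = dns.get(target, {})
    if records.get("AAAA"):          # native IPv6 reachability wins; no translation
        return ipaddress.IPv6Address(records["AAAA"][0])
    if records.get("A"):             # DNS64 synthesizes an AAAA from the A record
        return synthesize_aaaa(records["A"][0])
    return None


if __name__ == "__main__":
    for t in ["v4only.example.net", "dual.example.net", "192.0.2.10", "2001:db8::1"]:
        print(t, "->", resolve_for_ipv6_only_host(t))
```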
In my own experience spam on google is constantly getting worse and more frustrating to deal with... I expect it for searches where there is not likely to be any hits but it is also starting to creep into top spots in situations where there is more dense information available.
I remember back in the day people working logistics used to run algorithms to maximize profits for store supply chains but their efforts actually lost a great deal of revenue as algorithms did not understand human factors and how people having to go somewhere else to get an objectively less profitable item would impact their sales.
It is a complex space and to think you can simply throw algorithms at detecting and characterizing a problem you can't detect and quantify in the first place (Unless they actually can but are choosing not to for obvious evil reasons) seems more than just a little bit naive.
If I were google I would conduct a survey and see what real humans think about the problem rather than playing the part of a foolish statistician.
I also take exception to Matt's message.. don't tell someone who's pissed off about the amount of spam that it is getting better. This is an amateur hour losing proposition. Just tell us what you plan on doing to fix it or don't say anything at all.
Others have mentioned they are doing 4 to 6 tunneling. Well that is great if you know how to set it up. 99.99995% of AT&T's or Comcast's customers will not and to even attempt to explain it to them will be a pointless endeavor.
6to4 is indeed pointless and counterproductive. If everyone gets crappy unreliable IPv6 connectivity right now rather than putting pressure on their ISPs to provide a low latency, high bandwidth IPv6 tomorrow it will throw a wrench in adoption as content providers avoid it as their customers complain that it is slow.
I have said this before and I still believe the best course of action is to simply scrap IPV6 and take IPV4 and simply change the segment size from BYTES to WORDS. Right now we have 254 Class A networks and just going from BYTES to WORDS will give us 65535 CLASS A Networks and that gives us 65281 class A networks to hand out with each one having 281,474,976,710,655 (FFFF.FFFF.FFFF) unique addresses, except we do it wisely this time instead of doing things like giving a single university an entire class A.
The IPv6 train left the station. In every metric that matters: bandwidth, routes, servers and hosts, IPv6 is currently following an exponential growth curve. Keeping IPv4 and changing the address length gives you the exact same issues of consequence as IPv6. IPv4 hosts can't talk to a "word" IPv4 host the same as an IPv4 host can't talk to an IPv6 host. What really matters is **addressing**, not some pedantic arrangement of fields in an IP header that only routers and operating systems will ever see or care about. IPv6 gives us 2^32 ISPs give or take management/reserve overhead. Each ISP gets a /32 which typically means 32 bits for internal management and partitioning...followed by 64 bits for each LAN segment. Many ISPs will each see several /32 allocations.
There are plenty of cranks out there who think 2^32 (minus class E, reserved and private addressing) can be made to work with ever increasingly frugal management of the IPv4 space even though this number is significantly less than the current and projected world populations. Some of them even know how to submit drafts to the IETF. http://tools.ietf.org/html/draft-terrell-logic-analy-bin-ip-spec-ipv7-ipv8-10
There is a rough estimate of about 4000 ISP in the US and most of those get their address blocks from the really BIG ones, AT&T, Verizon, COMCAST and some others. So if the world wide number of ISP's were say 20,000 we would still have 40,000 or so unused CLASS A networks
Given the world has already switched to accepting 4-byte ASNs your allocation strategy has already failed.
Can anyone seriously really see a day when we will have more than 65535 ISP's? I do not believe this to be true unless (and I really really doubt it) the trend of bigger ISP's swallowing smaller ISP's changes.
Yea it was projected back in 2005 to occur as early as 2010 by RIPE. Hint: not all ISPs call themselves ISPs.
Why would we ever want to "fade out" IPv4? Why should we? The IPv4 network has worked, robustly and reliably for 30 years. Running out of address space is not a good enough reason to totally drop interoperability with this working standard
This is an easy one. At a certain (distant future) critical mass there becomes no market incentive for operators to continue to waste their time and resources having to maintain and secure two different sets of IP protocols, at a future point where most everyone has IPv6. The stragglers will find their IPv4 universe shrinking and be forced to get with the program if they want to access anything, accelerating the collapse of the IPv4 universe.
IPv4 will still have a niche in internal/private networks but that's about it.
I seem to remember an old? 60-minutes piece on the culture of Google where execs drove normal cars to work and shopping sprees to shave off excess millions were universally frowned upon.
the issue is not the state, it's not big brother, it's simply THE MARCH OF TECHNOLOGY that you are fighting against, and it's a fight you can't win
It is the deployment and use of technology NOT technology itself at question. Just because the capability to do something (such as obliterating all life on earth) exists does not mean it automatically should or will be done. Technology is nothing more than a tool. How it is used is subject to the whims of those who wield it.
Phones have cameras to the point where it is impossible to buy one without a camera not because of technology. Rather it was cell companies who demand it from manufacturers to upsell data services and make bigger profits.
I'm thinking a high speed laser scanner can target optics and CCDs without much trouble. If there is a will there is a way. You can WIN if you care enough by using technology AND your brain. Some people are rich enough to make the "impossible" come true.
Why is ANYONE with half a brain still using Microsoft browsers?
It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
Why do companies still use MS Explorer?
What bug free browser do you recommend people use? Firefox? chrome? Can you name even one not constantly having to release patches for P1 security issues? Does such a browser even exist?
There is little point with security relativism in this space when all of your choices == EPIC FAIL.
Notebooks at least always face away from the lecturing professor. People with tablets are always hovering at weird angles which can be quite distracting. They need to be banned if anything.
In my view College == Personal responsibility.
If young adults value farmville over the education their parents are spending a fortune on..so be it. I wish them luck in their future employment prospects as in-game gold farmers.
Given that only something on the order of one half of one percent of end users are actually USING IPv6 (and that includes developing countries), no business in their right mind would stand up an IPv6-only website. And as long as there is nothing interesting on the web that requires users to use IPv6, no one but a handful of uber-geeks is going to bother switching.
In a year or two from now when the major last mile ISPs enable IPv6 dualstack and LTE gear/w IPv6 *ONLY* is deployed you can kiss your half of one-percent goodbye forever.
The "sky-is-falling" scare tactics of the IPv6 advocates are rapidly being exposed as snake oil and hokum. We are a long way from being "out of" IPv4 addresses. NAT has expanded that IPv4 address space from 2**32 or ~4 billion addresses to more like (2**32)*(2**24) or ~64 quadzillion addresses for end users
Everyone who would like to share a single IP Address with 100 of their neighbors please step forward and be counted. You can forget about running any servers or having anyone connect to your machine as a peer. You can forget about P2P or even UDP based multiplayer games your ISP does not explicitly provide an ALG for. TCP == lagtastic.
Eventually there may be a small bubble of IPv6 users that rivals the market penetration of Linux onto corporate desktops, but nothing that is going to happen with IPv4 is bad enough to force people to go through the pain of conversion
Except living with IPv4 workarounds and hackery or in the distant future added costs of dealing with IPv4 and IPv6.
We already know as an absolute fact some mobile carriers with MILLIONS of subscribers are going IPv6 ONLY because they have no other choice. Is any more of an incentive really necessary? They can reach you directly or thru a carrier NAT. If ISPs are struggling to keep dumb routers punting packets between large numbers of 10g interfaces at line rates IN HARDWARE, what kind of investments do you think would be necessary to do the same in software for that traffic, except now you have to understand protocol layer state machines, keep state between flows..etc. Don't underestimate the expense or end user experience suckage involved with large scale 1:n NAT deployments. The security implications of this, from both an accountability standpoint and ALG state machine attacks, are scary.
The IETF needs to admit that IPv6 was a brain-dead mistake, and go back to the drawing board for IPv7. THIS TIME, start with backwards-compatibility with IPv4, then fix the problem with iso-chronous delivery so that voice and video actually WORK, and then maybe people will start adopting it.
People who say this do not understand the nature of the problem. You can't add an 8th chevron or more digits to a phone number without wholesale replacement of IPv4 infrastructure. It is a failing of IPv4 that is way too late to fix.
Anything that is compatible with IPv4 means you are limited to IPv4's address space meaning EPIC FAIL. If you have hop off points for the last mile/edge of the network and IPv4 internally this solves nothing because you still need a globally unique address for peers to communicate with each other. You still need a new addressing system even if it overlays somehow on IPv4.
The problem could have been addressed with better design of IPv4 but it is too late for that. It is also too late to turn around and choose something better than IPv6. The investments have already been made and it is irreversible.
Until then, IPv6 is just a pipe-dream, and a sales gimmick for network gear vendors trying to con suckers into digging up and replacing their safe and stable IPv4 networks.
Unfortunately they will need to keep both networks in place for many many years.
That is a mind-boggling statement. If that was truly the case, then there would not be any problem with moving from IPv4 to IPv6 because the higher level protocols (i.e. applications) would not have to be rewritten to handle them
What does making a statement about end-2-end being a good idea have to do with the effort involved in switching address families? Most issues are related to storage and manipulation of address family specific data (sometimes in ASICs) rather than logical layering issues related to bits contained within an actual wire format. At some point you need to enter an IP to connect somewhere.. protocol agility at the application layer was not something people spent much time thinking about.
That is *precisely* the problem. If there was actual separation between the network layer and the higher level protocols as you claimed E2E provides, then the NAT middle box would not have to care about higher level protocols.
??? Suppose I'm a one-sided UDP packet and I want to be delivered to a certain user at a certain address how do you propose that I get there if there is a many-one NAT in my way and the NAT knows nothing about me, my purpose or even what my final destination should be? Should I embed next hop routing data in the IP header? (Please say no) How do you resolve this without end to end?
If I can't send a single sided message to a destination...the issue isn't IP it is whatever is standing in the way. This has nothing to do with higher layer protocols. Support of NAT actually creates more layering inversions than there otherwise would be.
No, lazy programmers are writing applications dependent on IP layer protocol because the E2E mindset lets them get away with making bad design assumptions and not actually writing programs in a protocol independent way. Also, for server-side sockets, right now I believe software that used to only open one socket to listen for IPv4 connections must now open two -- one for IPv4, and one for IPv6. This is not a scalable protocol independent API
This is just a restatement of your previous argument. I wrote several applications which were IPv4 only. At the time IPv4 was the only game in town. Now all of my applications work with both protocols and you know what, there is now LESS total socket code, lower complexity and everyone is better for it. WRT two separate sockets it's called a dualstack socket. You do NOT need to listen separately.
And no one will ever need more than 640K of RAM
It is easy to take this argument to absurdity showing others before you were wrong so by extension all statements about practical limits must be wrong regardless of the merits of the specific situation. IPv4 was at no point intended to provide network services to billions of people. I didn't even specify a number of bits. All I said was that the header does virtually nothing and is therefore uninteresting. There are only ~2^32/32's you can hand out.
Given current announced allocation policy when there are roughly 4 billion ISPs connected to the global Internet there will be an address shortage. Unlike IPv4 if we ever get close to seeing this day there are options to address it without renumbering. These are the facts - feel free to interpret them as you wish.
*laughs*
So, IPv6 is *perfect*? It will never ever need to be replaced? In a hundred years, it will still be good? Two hundred? Five hundred? A thousand?
Wow. After a bare handful of decades of the Internet, and people have already reached perfection in network protocol design! The holy IPv6 has been given unto us to last forever and ever, amen.
Sorry, I don't buy it
**NO** you did not read what I said. I ONLY made the point IPv6 header does nothing more than a postal envelope. It is both uninteresting and extensible and therefore wholesale replacement is unlikely to ever be nece
Look asshole, the problem is NOT lazy Network Engineers posting on slashdot, it's the 99.9% of the rest of the planet's population. YOU go right ahead and try to talk Grandpa Jones through flashing the firmware on his router. Keep in mind he thinks "double click" means "press the button twice as hard", and when his monitor won't turn on that it means the internet is "down"
The number of $50 router vendors offering IPv6 firmware updates for routers that did not already come with IPv6 out of the box is likely to be very close to zero.
The major problem is that 'end-to-end' has become blind ideology rather than useful design methodology. As a result, people keep fighting tooth and nail against the very idea of NAT and encouraging development of applications that are tightly coupled to the underlying network.
End to end simplifies higher layer protocol development and removes unnecessary infrastructure dependencies. NAT requires that a middle box understand the semantics and state charts associated with higher layer protocols before they can be effectively translated. If I wanted to write a new protocol layered on top of IP... I would be prevented from doing so because all of the NAT servers in the world would have to be updated to understand my new protocol in a many-to-one environment.
The argument that the mere existence of E2E somehow promotes crappy design/unnecessary dependencies on lower layers is specious in my view.
Instead of pushing for IPv6, there should be an effort towards developing against a more abstract network model such that applications do not care if they are using IPv4 or IPv6 or IPv42, such that protocol translation between different network families can be implemented where necessary.
Most well written applications don't care. You are confusing IP layer protocol design with socket layer APIs and application design. (See getaddrinfo and getnameinfo) It is easy to write code today which would theoretically work without modification on an unknown future address family without much trouble at all.
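The getaddrinfo-driven, address-family-agnostic client from the reply above, together with the single dual-stack listener mentioned in the earlier reply about not needing two listening sockets, as one added example that is not part of the original thread. The application never parses an address or picks a family: getaddrinfo() hands back the AAAA and A candidates in the OS's preferred order and the client tries them in turn, while one AF_INET6 socket with IPV6_V6ONLY cleared accepts IPv4 peers as IPv4-mapped addresses. The echo server, the fallback to a v4-only socket on hosts with no IPv6 stack, and the "ping" payload are constructed for the demo; the function names are mine.

```python
"""Added example (not from the original thread): protocol-agnostic connect via
getaddrinfo() plus one dual-stack listening socket.  The echo server and
payload are constructed for the demo."""
import socket
import threading


def dual_stack_listener(port=0):
    """One listening socket for IPv4 and IPv6.  IPv4 peers show up as
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).  Falls back to a v4-only
    socket on hosts without an IPv6 stack so the demo still runs there."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        if hasattr(socket, "IPV6_V6ONLY"):
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        s.bind(("::", port))
    except OSError:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", port))
    s.listen(5)
    return s


def connect_any(host, port, timeout=2.0):
    """Try every candidate getaddrinfo() returns (AAAA and A, in the OS's
    preferred order) until one connects.  Nothing here knows what an address
    looks like, so the same code works for a future address family."""
    last_err = None
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        c = None
        try:
            c = socket.socket(family, socktype, proto)
            c.settimeout(timeout)
            c.connect(sockaddr)
            return c
        except OSError as e:
            last_err = e
            if c is not None:
                c.close()
    raise last_err if last_err else OSError("no address candidates for %r" % host)


def echo_round_trip(host):
    """Start a dual-stack echo server, connect to it by name or literal, and
    report the echoed bytes and the peer address the server saw."""
    ls = dual_stack_listener()
    port = ls.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = ls.accept()
        with conn:
            seen["peer"] = peer[0]
            conn.sendall(conn.recv(64))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    with connect_any(host, port) as c:
        c.sendall(b"ping")
        seen["echo"] = c.recv(64)
    t.join(2.0)
    ls.close()
    return seen


if __name__ == "__main__":
    print(echo_round_trip("localhost"))
```

On a dual-stack host the server reports the IPv4 client as ::ffff:127.0.0.1 through the single IPv6 socket; on a host without IPv6 it reports 127.0.0.1 from the fallback socket, and the client code is identical in both cases.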
Or, to answer your question, if networks globally all transition to IPv6, it will last forever because it will bring innovation in the network protocol family to a grinding halt. Even if someone came up with a truly amazing and brilliant network protocol that was provably better than IPv6, it would never get implemented in a world where every toaster oven and garage door opener is built with an IPv6 stack and, due to dead-end-to-dead-end ideology, is unable to communicate with anything but IPv6. Just look at the transition from IPv4 to IPv6 and how long "IPv6 has been just around the corner", then imagine the inertia on migrating from IPv6
How much can you really innovate around a globally unique identifier used for routing? The only question is really "how many bits". The IP layer of IPv6 is spartan and uninteresting. Much more so than IPv4 was. At its core IPv6 is really just three things.. a source address, destination address and extensible option header. It would seem to me that any improvement here must be trivial.
The real magic happens by innovating protocols layered on top of IP (TCP,UDP,SCTP,ICMP..etc) where no wholesale infrastructure changes are required -- only the two endpoints (E2E) need understand a protocol for it to be useful. The IPv6 option header was designed to extend and improve IP without forklift changes.
When are we going to get real about TLS+SRP binding to replace private keys and trusted third parties? With SRP support in all of the major browsers this issue would go away overnight.
Compromised private key and uncompromised self-signed private key are each subject to MITM. The only two realistic choices for the CPE vendor both suck.
When I go to my bank and enter my account password it is sent in the CLEAR over the TLS channel. The only thing protecting my password from being recovered by someone conducting an active MITM on some random leg of the Internet is blind trust in hundreds of organizations with the power to sign their own private keys to look like my bank's. This situation is extremely dangerous, expensive and unnecessary.
It is NOT just the CPE vendors that are being stupid here. They have no good choices available to them. The technology stacks and to some degree industry politics (CA industry) deserve equal credit for the problem.
At the end of the day secure password authentication is what most secure sites and systems really want. The authentication of the USER should provide the trust basis for initial session encryption key NOT the integrity of hundreds of unrelated third parties none of us know anything about.
We still need the PKI infrastructure for cases where passwords are not used or the user has not established an account.. It is still quite useful.
If you're going to take the bold step of asking a device if it is safe to use you might as well just go all in and mandate full evil bit compliance for all malicious IP packets.
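The password-authenticated key exchange underneath TLS-SRP that the comments above argue for, as an added example that is not part of the original thread. It is SRP-6a in the RFC 5054 form: the server stores a salt and a verifier g^x rather than the password, the password itself never crosses the wire, and both sides arrive at the same session key only if the client knew the password, which is exactly the "authentication of the USER provides the trust basis for the session key" point. The group is a 64-bit safe prime searched for at import time so the demo runs in well under a second; that is a toy parameter, and a real deployment uses the 2048-bit or larger groups from RFC 5054. Usernames, passwords and the helper names are constructed.

```python
"""Added example (not from the original thread): SRP-6a as used by TLS-SRP,
both sides in one function so the wire transcript is visible.  The group is
a TOY 64-bit safe prime; real deployments use the RFC 5054 groups."""
import hashlib
import secrets


def _is_prime(n):
    # Miller-Rabin with the first 12 primes as bases (deterministic below ~3e24).
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(start):
    # p = 2q + 1 with q prime, and p = 3 (mod 8) so that g = 2 generates Z_p*.
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1) and (2 * q + 1) % 8 == 3):
        q += 2
    return 2 * q + 1


N = _find_safe_prime(1 << 63)  # TOY group parameter, see the note above
g = 2


def H(*parts):
    # SHA-256 over the concatenation of the parts; ints are encoded big-endian.
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def register(username, password):
    """Server stores (salt, verifier): the verifier is g^x, never the password."""
    s = secrets.token_bytes(16)
    x = H(s, H(username.encode() + b":" + password.encode()))
    return s, pow(g, x, N)


def srp_login(username, password, salt, verifier):
    """Run both sides of one SRP exchange; return (server_accepted, transcript).
    The transcript is everything an eavesdropper or MITM would see."""
    a = secrets.randbelow(N - 1) + 1          # client secret
    A = pow(g, a, N)                          # client -> server: I, A
    if A % N == 0:                            # server must reject a degenerate A
        raise ValueError("A = 0 mod N")
    b = secrets.randbelow(N - 1) + 1          # server secret
    B = (k * verifier + pow(g, b, N)) % N     # server -> client: s, B
    if B % N == 0:                            # client must reject a degenerate B
        raise ValueError("B = 0 mod N")
    u = H(A, B)                               # both sides; u = 0 must abort
    if u == 0:
        raise ValueError("u = 0")
    x = H(salt, H(username.encode() + b":" + password.encode()))
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, H(S_client))                 # client -> server: proof of the key
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    accepted = M1 == H(A, B, H(S_server))     # same key iff the password matched
    return accepted, {"I": username, "A": A, "s": salt, "B": B, "M1": M1}


if __name__ == "__main__":
    s, v = register("alice", "correct horse")
    print(srp_login("alice", "correct horse", s, v))
```

Everything in the returned transcript (I, A, s, B, M1) is what a MITM gets to see; with a proper group none of it yields the password offline, and a wrong password on either side produces a different key, so the M1 check fails before any application data flows.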
To test evil compliance simply invoke the javascript function
iamastupidfoolEvilSupported(EVIL_FA_IL);
If it returns true or raises a javascript error the device is totally secure and you have NOTHING to worry about.
I never understood why people care about loading magic bytes needed by an arbitrary hardware device to do what it's supposed to. I can almost understand open drivers..but firmware? really? What's next, expecting vendors to furnish you with schematics for their asics too?
What is the big deal? Who does it hurt? What freedoms are abridged?
Will Debian be providing open Intel and AMD microcode as well or will they just forget about it in pursuit of an ideal that ends up causing real harm to the end user.
Honestly look around you...look at the dynamics playing out on the Internet and mobile devices between governments, media companies, apple, google and facebook... If you really want "free"dom go pick a battle that actually stands a chance at making a real difference.
Windows XP/2003 does not support IPv6 in any meaningful way. Yes, it has it in network config page. However, for example, it won't make DNS calls over IPv6 even when querying AAAA records. Forget getting SMB running over IPv6 properly. Finally, some products like Exchange 2003 and ISA 2004 and others have zero IPv6 support
No dualstack sockets either:(
You're right, it sucks most vendors make you pay for upgrades to obtain IPv6 functionality, but at least IPv6 is available in current versions of exchange and forefront (ISA).
I have a 2003 server and IPv6 works fine. This is only because it also has IPv4 connectivity so the downsides you point out don't really apply to me.
DNS is really the only major showstopper for going "IPv6 only" in terms of XP Internet connectivity. It can easily be resolved by installing a local proxy agent that provides IPv6 resolver functionality missing in XP.
I think it is more realistic to project ahead in time to a point where IPv4 connectivity becomes "optional". At this point what will the XP user base look like?
Until then all ISPs with the possible exception of some mobile carriers will be going dualstack where the XP shortcomings do not matter.
Could the plugins just be collecting information that is being used by bing to seed their search engine?
Have the engineers tried setting up a fake search engine and trying the same instead of modifying google?
My take away from TFA is search engine toolbars are a gross invasion of privacy.
I'd have to stop using Google as my search engine if they did that. When I do a search I want the page that is most likely to answer my question at the top, not the site that has the best IPv6 support.
Well then maybe you should stop using google. They have been checking non-content metrics such as the responsiveness, availability and unrelated things such as the age and registration data of the domain for many years. It all factors into the picture.
If anyone from google is reading this please consider preferencing sites with A and AAAA records in your search results or heck just threaten/rumor to do it.
"This past March, the Senateâ(TM)s Sergeant at Arms reported that the computer systems of the Executive Branch agencies and the Congress are now under cyber attack an average of 1.8 BILLION times per month."
The fuck you are. DoD reports on the order of tens of thousands of "attacks" against them YEARLY.
You don't get to count every ping, spam, packet, scan and automated garbage as a "cyber attack". Well you can but you would (have already) loose all credibility in the process.
"Rather than granting a âoekill switch,â S. 3480 would make it far less likely for a President to use the broad authority he already has in current law to take over communications networks."
In other words since you already have the authority to do whatever the hell you want this whole exercise is redundant? If this is the case why bother with new legislation?
I don't know of any operators who would not take reasonable steps to mitigate problems if the USG had specific information about a credible problem where public safety or life critical systems were involved. Do you? Is there any evidence whatsoever this is a problem?
I would add it is quite foolish to think one can address a "cyber attack" as in "war" in linear time or on timescales in which humans have any chance of reacting. Chances are your advsaries have already compromised the system well in advance. For all you know failure to check in due to service disruption could well result in pre-programmed failsafe action.
I continue to be amazed by all of the crap that can be invoked within your browser upon demand by the operators of any web site on the planet by default.
There are browser security bugs... but they seem to be just the tip of the iceberg. Most of this extraneous crap most can live without but it is still there for anyone with some spare time to exploit regardless.
The underlying problem is that a certain level of prioritization IS network management.
You actually want to be able to prioritize across different classes of services to make the most effective use of available bandwidth in cases where there may just not be enough to go around.
Bulk items such as file downloads can tolerate infinite amounts of delay and or jitter without noticeably affecting service. However known delay intolerant applications such as RTP streams (VoIP) or UDP based realtime multiplayer games, while not consuming the large volumes of data that a large download of a file or netflix video would, are extremely sensitive to delay.
There needs to be some formulation of what network management means in terms of prioritization of services for legitimate reasons (Improvement of overall balance of quality of service for everyone)
A youtube video can tolerate large amounts of jitter and delay but a realtime video conference can not without being severely affected. Operators with limited bandwidth who are not allowed to differentiate between these classes of service will result in unnecessary degradation of service for all in cases where network resources are limited.
The venn diagram including circles for network management and restriction of service differentiation needs more text to make the intent and acceptable overlap clearer.
I think I can help a little here. If you aren't using https for logins, then you can do some password hashing tricks to make things much more secure. I developed a similar solution for this at my last job. I checked some other sites to see if they used it when I developed my solution and found that yahoo email did pretty much exactly the same thing when they were using http (non-secure) logins
The very first rule when it comes to security is under no circumstances should you ever even think about rolling your own.
*) clientside javascript hashes this random long string (possibly more than once) along with password and sends to server. (This protects from rainbow table attack of password using the hash.)
This would be the reason why. You're essentially asking a liar to be truthful. What would prevent an adversary from providing their own client code to ship your plaintext elsewhere?
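The scheme described in the quoted post (server hands the client a random string, the client hashes it together with the password and sends the hash) can be made concrete. The following is an added example written for this page, not code from the quoted poster or from Yahoo; the class and function names, and the choice of HMAC-SHA256 over a salted verifier, are assumptions. It shows what the scheme does buy (the plaintext password never crosses the wire and a captured response cannot be replayed because each nonce is consumed on first use) and what it does not: the server-side verifier is itself a password equivalent, and nothing here stops a network attacker from substituting the client-side code, which is the objection raised above.

```python
import hashlib
import hmac
import secrets


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted password hash that both sides hash against the nonce.
    (Illustrative construction; a real deployment would use a slow KDF.)"""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def client_response(nonce: bytes, password: str, salt: bytes) -> str:
    """What the client-side script sends instead of the plaintext password."""
    return hmac.new(nonce, derive_verifier(password, salt), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side of the nonce-hash login (hypothetical name, constructed for this example)."""

    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> outstanding nonce, consumed on first verify

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str):
        """Issue a fresh random nonce; the salt is public so the client can rebuild the verifier."""
        if username not in self.users:
            return None
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        salt, _ = self.users[username]
        return salt, nonce

    def verify(self, username: str, response: str) -> bool:
        # pop() makes the nonce single-use: a captured response cannot be replayed
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(nonce, verifier, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def demo():
    """Walk through a login, a replay of the same response, and a wrong password."""
    server = ChallengeServer()
    server.register("alice", "correct horse battery staple")

    salt, nonce = server.challenge("alice")
    resp = client_response(nonce, "correct horse battery staple", salt)
    first_ok = server.verify("alice", resp)     # True: fresh nonce, right password
    replay_ok = server.verify("alice", resp)    # False: nonce already consumed

    salt, nonce = server.challenge("alice")
    wrong_ok = server.verify("alice", client_response(nonce, "wrong password", salt))  # False
    return first_ok, replay_ok, wrong_ok


def verifier_is_password_equivalent() -> bool:
    """Why this is not a substitute for TLS: whoever holds the stored verifier
    (say from a leaked user table) can answer a challenge without the password."""
    server = ChallengeServer()
    server.register("bob", "hunter2")
    _, verifier = server.users["bob"]
    _, nonce = server.challenge("bob")
    forged = hmac.new(nonce, verifier, hashlib.sha256).hexdigest()
    return server.verify("bob", forged)


if __name__ == "__main__":
    print(demo())                            # (True, False, False)
    print(verifier_is_password_equivalent())  # True
```

The single-use nonce is what defeats replay; the password-equivalent verifier is why this belongs behind TLS rather than in place of it, and why the SRP-style approach mentioned further down the page is the better fit for password-only trust.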
The cost to switch to IPv6 is not flipping a switch. It will cost trillions upon trillions of dollars globally to migrate. Selling investments like that in the middle of a global recession is not small potatoes
People on slashdot talk about IPv6 migration like it is simple - it is NOT. There are a lot more devices than your local router, and a lot more pieces of software than your desktop OS, that have to support IPv6 before it can be migrated. Companies have decades worth of software with hundreds upon hundreds of millions of lines of code, all assuming an IP is 4 bytes.
The IPv6 switchover makes the Y2k thing look like small potatoes, namely because the IP stack is a much more integral piece of functionality in a lot of software than the absolute date ever was - that and you have a lot more to switch over today than you did in 1999
Companies can keep IPv4 in their internal networks until the end of time for all that anyone cares. Just make your Internet facing corporate web site, email, etc. accessible via IPv6. No rocket science required.
What I don't get is why the people who came up with IPv6 didn't make the upgrade path easier? Obviously I'm missing something, but what if (for the sake of argument) they had decided that the first 'n' IPv6 addresses would correspond to the complete set of IPv4 addresses, and all IPv6 routers, etc, would understand that one of the first IPv6 addresses meant 'route the traffic to the corresponding IPv4 address'. Could that have been done?
I have a question that may resolve your question: After there are no more IPv4 addresses and someone with an IPv6 only address wants to access the IPv4 network.. what address does the IPv4 network see so it can send a response? It can't be IPv4 because they're all in use and it can't be IPv6 because IPv4 does not understand IPv6.
Various NAT(4|6)+DNS protocols magically allow IPv6 to access IPv4 content using a fixed IPv6 prefix followed by the IPv4 address. It is essentially the scheme you describe with a mapping except using NAT to answer the question above: The IPv4 address that the IPv4 network sees and communicates with is a central NAT device on the ISP network.
Several nextgen mobile systems are actually more than a year into deploying exactly this (IPv6 ONLY) to many tens of millions of handsets around the world. The translation works for the most part with a few exceptions such as web sites which embed URLs containing real IP Addresses rather than DNS hostnames. There are also problems with protocols embedding IP Addresses (L2TP, FTP, SIP, etc.) but for the most part, for simple web browsing, etc., it works.
Obviously not an ideal or long-term solution. Hopefully this gives content companies, including slashdot, an incentive to start caring about native IPv6 reachability.
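The "fixed IPv6 prefix followed by the IPv4 address" mapping above is easy to show in code. This is an added example, not the post's or any carrier's code; it uses the well-known NAT64 prefix 64:ff9b::/96 from RFC 6052 and the Python standard library, and the function names are assumptions. `synthesize` is what a DNS64 resolver hands an IPv6-only client for a name that only has an A record, `extract` is the reverse mapping the NAT64 box performs, and `needs_hostname` flags the failure mode mentioned in the post: a URL carrying an IPv4 literal never goes through DNS, so the mapping never happens and the link is dead for an IPv6-only handset.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 6052 well-known NAT64 prefix; operators may use their own /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """Reverse mapping done by the NAT64 device; None for addresses outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def needs_hostname(url: str) -> bool:
    """True when the URL's host is an IPv4 literal. DNS64 cannot rewrite it,
    so an IPv6-only client has no route to it (the breakage noted above)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not real endpoints.
    mapped = synthesize("192.0.2.1")
    print(mapped, "->", extract(str(mapped)))
    for u in ("http://203.0.113.5/index.html", "http://www.example.com/"):
        print(u, "breaks on IPv6-only:", needs_hostname(u))
```

Scanning a site's own pages with `needs_hostname` is a cheap way for a content operator to find the links that will fail behind NAT64 before their mobile users do.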
In my own experience spam on google is constantly getting worse and more frustrating to deal with ... I expect it for searches where there is not likely to be any hits but it is also starting to creep into top spots in situations where there is more dense information available.
I remember back in the day people working logistics used to run algorithms to maximize profits for store supply chains but their efforts actually lost a great deal of revenue as algorithms did not understand human factors and how people having to go somewhere else to get an objectively less profitable item would impact their sales.
It is a complex space and to think you can simply throw algorithms at detecting and characterizing a problem you can't detect and quantify in the first place (Unless they actually can but are choosing not to for obvious evil reasons) seems more than just a little bit naive.
If I were google I would conduct a survey and see what real humans think about the problem rather than playing the part of a foolish statistician.
I also take exception to Matt's message.. don't tell someone who's pissed off about the amount of spam that it is getting better. This is an amateur hour losing proposition. Just tell us what you plan on doing to fix it or don't say anything at all.
Others have mentioned they are doing 4 to 6 tunneling. Well that is great if you know how to set it up. 99.99995% of AT&T's or Comcast's customers will not and to even attempt to explain it to them will be a pointless endeavor
6to4 is indeed pointless and counterproductive. If everyone gets crappy unreliable IPv6 connectivity right now rather than putting pressure on their ISPs to provide a low latency, high bandwidth IPv6 tomorrow it will throw a wrench in adoption as content providers avoid it as their customers complain that it is slow.
I have said this before and I still believe the best course of action is to simply scrap IPV6 and take IPV4 and simply change the segment size from BYTES to WORDS. Right now we have 254 Class A networks and just going from BYTES to WORDS will give us 65535 CLASS A Networks and that gives us 65281 class A networks to hand out with each one having 281,474,976,710,655 (FFFF.FFFF.FFFF ) unique addresses, except we do it wisely this time instead of doing things like giving a single university an entire class A
The IPv6 train left the station. In every metric that matters: bandwidth, routes, servers and hosts IPv6 is currently following an exponential growth curve. Keeping IPv4 and changing the address length gives you the exact same issues of consequence as IPv6. IPv4 hosts can't talk to a "word" IPv4 host the same as an IPv4 host can't talk to an IPv6 host. What really matters is **addressing** not some pedantic arrangement of fields in an IP header that only routers and operating systems will ever see or care about. IPv6 gives us 2^32 ISPs give or take management/reserve overhead. Each ISP gets a /32 which typically means 32-bits for internal management and partitioning...followed by 64 bits for each lan segment. Many ISPs will each see several /32 allocations.
There are plenty of cranks out there who think 2^32 (minus class e, reserved and private addressing) can be made to work with ever increasingly frugal management of the IPv4 space even though this number is significantly less than the current and projected world populations. Some of them even know how to submit drafts to the IETF.
http://tools.ietf.org/html/draft-terrell-logic-analy-bin-ip-spec-ipv7-ipv8-10
There is a rough estimate of about 4000 ISPs in the US and most of those get their address blocks from the really BIG ones, AT&T, Verizon, COMCAST and some others. So if the world wide number of ISPs were say 20,000 we would still have 40,000 or so unused CLASS A networks
Given the world has already switched to accepting 4-byte ASNs your allocation strategy has already failed.
Can anyone seriously really see a day when we will have more than 65535 ISPs? I do not believe this to be true unless ( and I really really doubt it ) the trend of bigger ISPs swallowing smaller ISPs changes
Yea it was projected back in 2005 to occur as early as 2010 by RIPE. Hint: not all ISPs call themselves ISPs.
Why would we ever want to "fade out" IPv4? Why should we? The IPv4 network has worked, robustly and reliably for 30 years. Running out of address space is not a good enough reason to totally drop interoperability with this working standard
This is an easy one. At a certain (distant future) critical mass there becomes no market incentive for operators to continue to waste their time and resources having to maintain and secure two different set of IP protocols at a future point where most everyone has IPv6. The stragglers will find their IPv4 universe shrinking and be forced to get with the program if they want to access anything accelerating the collapse of the IPv4 universe.
IPv4 will still have a niche in internal/private networks but that's about it.
I seem to remember an old? 60-minutes piece on the culture of Google where execs drove normal cars to work and shopping sprees to shave off excess millions were universally frowned upon.
http://www.cbsnews.com/stories/2004/12/30/60minutes/main664063.shtml
the issue is not the state, it's not big brother, it's simply THE MARCH OF TECHNOLOGY that you are fighting against, and it's a fight you can't win
It is the deployment and use of technology NOT technology itself at question. Just because the capability to do something (such as obliterating all life on earth) exists does not mean it automatically should or will be done. Technology is nothing more than a tool. How it is used is subject to the whims of those who wield it.
Phones have cameras to the point where it is impossible to buy one without a camera not because of technology. Rather it was cell companies who demand it from manufacturers to upsell data services and make bigger profits.
I'm thinking a high speed laser scanner can target optics and CCDs without much trouble. If there is a will there is a way. You can WIN if you care enough by using technology AND your brain. Some people are rich enough to make the "impossible" come true.
http://www.wired.com/gadgetlab/2009/09/russian-billionaire-installs-anti-photo-shield-on-giant-yacht/
Why is ANYONE with half a brain still using Microsoft browsers?
It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
Why do companies still use MS Explorer?
What bug free browser do you recommend people use? Firefox? chrome? Can you name even one not constantly having to release patches for P1 security issues? Does such a browser even exist?
There is little point with security relativism in this space when all of your choices == EPIC FAIL.
Notebooks at least always face away from the lecturing professor. People with tablets are always hovering at weird angles which can be quite distracting. They need to be banned if anything.
In my view College == Personal responsibility.
If young adults value farmville over the education their parents are spending a fortune on, so be it. I wish them luck in their future employment prospects as in-game gold farmers.
Given that only something on the order of one half of one percent of end users are actually USING IPv6 (and that includes developing countries), no business in their right mind would stand up an IPv6-only website. And as long as there is nothing interesting on the web that requires users to use IPv6, no one but a handful of uber-geeks is going to bother switching.
In a year or two from now when the major last mile ISPs enable IPv6 dualstack and LTE gear /w IPv6 *ONLY* is deployed you can kiss your half of one-percent goodbye forever.
The "sky-is-falling" scare tactics of the IPv6 advocates are rapidly being exposed as snake oil and hokum. We are a long way from being "out of" IPv4 addresses. NAT has expanded that IPv4 address space from 2**32 or ~4 billion addresses to more like (2**32)*(2**24) or ~64 quadzillion addresses for end users
Everyone who would like to share a single IP Address with 100 of their neighbors please step forward and be counted. You can forget about running any servers or having anyone connect to your machine as a peer. You can forget about P2P or even UDP based multiplayer games your ISP does not explicitly provide an ALG for. TCP == lagtastic.
Eventually there may be a small bubble of IPv6 users that rivals the market penetration of Linux onto corporate desktops, but nothing that is going to happen with IPv4 is bad enough to force people to go through the pain of conversion
Except living with IPv4 workarounds and hackery or in the distant future added costs of dealing with IPv4 and IPv6.
We already know as an absolute fact some mobile carriers with MILLIONS of subscribers are going IPv6 ONLY because they have no other choice. Is any more of an incentive really necessary? They can reach you directly or thru a carrier NAT. If ISPs are struggling to keep dumb routers punting packets between large numbers of 10g interfaces at line rates IN HARDWARE what kind of investments do you think would be necessary to do the same in software for that traffic except now you have to understand protocol layer state machines, keep state between flows, etc. Don't underestimate the expense or end user experience suckage involved with large scale 1:n NAT deployments. The security implications of this from both an accountability and ALG state machine attacks are scary.
The IETF needs to admit that IPv6 was a brain-dead mistake, and go back to the drawing board for IPv7. THIS TIME, start with backwards-compatibility with IPv4, then fix the problem with iso-chronous delivery so that voice and video actually WORK, and then maybe people will start adopting it.
People who say this do not understand the nature of the problem. You can't add an 8th chevron or more digits to a phone number without wholesale replacement of IPv4 infrastructure. It is a failing of IPv4 that is way too late to fix.
Anything that is compatible with IPv4 means you are limited to IPv4's address space meaning EPIC FAIL. If you have hop off points for the last mile/edge of the network and IPv4 internally this solves nothing because you still need a globally unique address for peers to communicate with each other. You still need a new addressing system even if it overlays somehow on IPv4.
The problem could have been addressed with better design of IPv4 but it is too late for that. It is also too late to turn around and choose something better than IPv6. The investments have already been made and it is irreversible.
Until then, IPv6 is just a pipe-dream, and a sales gimmick for network gear vendors trying to con suckers into digging up and replacing their safe and stable IPv4 networks.
Unfortunately they will need to keep both networks in place for many many years.
That is a mind-boggling statement. If that was truly the case, then there would not be any problem with moving from IPv4 to IPv6 because the higher level protocols (i.e. applications) would not have to be rewritten to handle them
What does making a statement about end-2-end being a good idea have to do with the effort involved in switching address families? Most issues are related to storage and manipulation of address family specific data (sometimes in ASICs) rather than logical layering issues related to bits contained within an actual wire format. At some point you need to enter an IP to connect somewhere. Protocol agility at the application layer was not something people spent much time thinking about.
That is *precisely* the problem. If there was actual separation between the network layer and the higher level protocols as you claimed E2E provides, then the NAT middle box would not have to care about higher level protocols.
??? Suppose I'm a one-sided UDP packet and I want to be delivered to a certain user at a certain address how do you propose that I get there if there is a many-one NAT in my way and the NAT knows nothing about me, my purpose or even what my final destination should be? Should I embed next hop routing data in the IP header? (Please say no) How do you resolve this without end to end?
If I can't send a single sided message to a destination...the issue isn't IP it is whatever is standing in the way. This has nothing to do with higher layer protocols. Support of NAT actually creates more layering inversions than there otherwise would be.
No, lazy programmers are writing applications dependent on IP layer protocol because the E2E mindset lets them get away with making bad design assumptions and not actually writing programs in a protocol independent way. Also, for server-side sockets, right now I believe software that used to only open one socket to listen for IPv4 connections must now open two -- one for IPv4, and one for IPv6. This is not a scalable protocol independent API
This is just a restatement of your previous argument. I wrote several applications which were IPv4 only. At the time IPv4 was the only game in town. Now all of my applications work with both protocols and you know what there is now LESS total socket code, lower complexity and everyone is better for it. WRT two separate sockets it's called a dualstack socket. You do NOT need to listen separately.
And no one will ever need more than 640K of RAM
It is easy to take this argument to absurdity showing others before you were wrong so by extension all statements about practical limits must be wrong regardless of the merits of the specific situation. IPv4 was at no point intended to provide network services to billions of people. I didn't even specify a number of bits. All I said was that the header does virtually nothing and is therefore uninteresting. There are only ~2^32 /32's you can hand out.
Given current announced allocation policy when there are roughly 4 billion ISPs connected to the global Internet there will be an address shortage. Unlike IPv4 if we ever get close to seeing this day there are options to address it without renumbering. These are the facts - feel free to interpret them as you wish.
*laughs*
So, IPv6 is *perfect*? It will never ever need to be replaced? In a hundred years, it will still be good? Two hundred? Five hundred? A thousand?
Wow. After a bare handful of decades of the Internet, and people have already reached perfection in network protocol design! The holy IPv6 has been given unto us to last forever and ever, amen.
Sorry, I don't buy it
**NO** you did not read what I said. I ONLY made the point IPv6 header does nothing more than a postal envelope. It is both uninteresting and extensible and therefore wholesale replacement is unlikely to ever be nece
Look asshole, the problem is NOT lazy Network Engineers posting on slashdot, it's the 99.9% of the rest of the planet's population. YOU go right ahead and try to talk Grandpa Jones through flashing the firmware on his router. Keep in mind he thinks "double click" means "press the button twice as hard", and when his monitor won't turn on that it means the internet is "down"
The number of $50 router vendors offering IPv6 firmware updates for routers that did not already come with IPv6 out of the box is likely to be very close to zero.
The major problem is that 'end-to-end' has become blind ideology rather than useful design methodology. As a result, people keep fighting tooth and nail against the very idea of NAT and encouraging development of applications that are tightly coupled to the underlying network.
End to end simplifies higher layer protocol development and removes unnecessary infrastructure dependencies. NAT requires that a middle box understand the semantics and state charts associated with higher layer protocols before it can be effectively translated. If I wanted to write a new protocol layered on top of IP ... I would be prevented from doing so because all of the NAT servers in the world would have to be updated to understand my new protocol in a many-to-one environment.
The argument that the mere existence of E2E somehow promotes crappy design/unnecessary dependencies on lower layers is specious in my view.
Instead of pushing for IPv6, there should be an effort towards developing against a more abstract network model such that applications do not care if they are using IPv4 or IPv6 or IPv42, such that protocol translation between different network families can be implemented where necessary.
Most well written applications don't care. You are confusing IP layer protocol design with socket layer APIs and application design. (See getaddrinfo and getnameinfo) It is easy to write code today which would theoretically work without modification on an unknown future address family without much trouble at all.
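The two points made above (a single dualstack listening socket instead of one per family, and getaddrinfo-driven client code that never hard-codes an address family) can be shown in a few dozen lines. This is an added example, not the commenter's own application code; it uses the Python socket and ipaddress modules, the function names are assumptions, and it assumes a loopback interface is available. The server binds `::` with IPV6_V6ONLY cleared so IPv4 clients arrive as IPv4-mapped addresses (::ffff:a.b.c.d), and falls back to a plain IPv4 socket on hosts with IPv6 disabled; the client walks the getaddrinfo candidate list and takes the first family that connects, so the same code works unchanged whichever family the name resolves to.

```python
import ipaddress
import socket
import threading


def listen_dualstack(port: int = 0) -> socket.socket:
    """One listening socket for both families; IPv4-only fallback if v6 is unavailable."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        # Clearing IPV6_V6ONLY is what makes the socket dualstack on Linux.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", port))
    except (OSError, AttributeError):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("0.0.0.0", port))
    srv.listen(5)
    return srv


def connect_any(host: str, port: int) -> socket.socket:
    """Family-agnostic client: try each getaddrinfo candidate in order (AF_UNSPEC)."""
    last_err = None
    candidates = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    for family, socktype, proto, _canon, sockaddr in candidates:
        s = socket.socket(family, socktype, proto)
        try:
            s.connect(sockaddr)
            return s
        except OSError as e:
            last_err = e
            s.close()
    raise OSError(f"could not connect to {host}:{port}") from last_err


def canonical_peer(sockaddr) -> str:
    """Report an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) as plain IPv4 for logging/ACLs."""
    addr = ipaddress.ip_address(sockaddr[0])
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def roundtrip(host: str = "127.0.0.1") -> dict:
    """Accept one connection on the dualstack socket and record who connected and what they sent."""
    srv = listen_dualstack()
    srv.settimeout(5)
    port = srv.getsockname()[1]   # works for both the 2-tuple (v4) and 4-tuple (v6) forms
    result = {}

    def serve():
        conn, peer = srv.accept()
        result["peer"] = canonical_peer(peer)
        result["data"] = conn.recv(16)
        conn.close()

    t = threading.Thread(target=serve)
    t.start()
    c = connect_any(host, port)
    c.sendall(b"ping")
    c.close()
    t.join(5)
    srv.close()
    return result


if __name__ == "__main__":
    print(roundtrip())  # {'peer': '127.0.0.1', 'data': b'ping'}
```

The normalisation in `canonical_peer` matters for the security side of dualstack: an allow-list or log filter that only matches dotted-quad strings will silently miss the same client when it arrives as `::ffff:` on the v6 socket.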
Or, to answer your question, if networks globally all transition to IPv6, it will last forever because it will bring innovation in the network protocol family to a grinding halt. Even if someone came up with a truly amazing and brilliant network protocol that was provably better than IPv6, it would never get implemented in a world where every toaster oven and garage door opener is built with an IPv6 stack and, due to dead-end-to-dead-end ideology, is unable to communicate with anything but IPv6. Just look at the
How much can you really innovate around a globally unique identifier used for routing? The only question is really "how many bits". The IP layer of IPv6 is spartan and uninteresting. Much more so than IPv4 was. At its core IPv6 is really just three things.. a source address, destination address and extensible option header. It would seem to me that any improvement here must be trivial.
The real magic happens by innovating protocols layered on top of IP (TCP,UDP,SCTP,ICMP..etc) where no wholesale infrastructure changes are required -- only the two endpoints (E2E) need understand a protocol for it to be useful. IPv6 option header was designed to extend and improve IP without forklift changes.
transition from IPv4 to IPv6 and how long "IPv6 has been just around the corner", then imagine the inertia on migrating from IPv6
My guess it will never happen.
When are we going to get real about TLS+SRP binding to replace private keys and trusted third parties? With SRP support in all of the major browsers this issue would go away overnight.
Compromised private key and uncompromised self-signed private key are each subject to MITM. The only two realistic choices for the CPE vendor both suck.
When I go to my bank and enter my account password it is sent in the CLEAR over the TLS channel. The only thing protecting my password from being recovered by someone conducting an active MITM on some random leg of the Internet is blind trust in hundreds of organizations with the power to sign their own private keys to look like my bank's. This situation is extremely dangerous, expensive and unnecessary.
It is NOT just the CPE vendors that are being stupid here. They have no good choices available to them. The technology stacks and to some degree industry politics (CA industry) deserve equal credit for the problem.
At the end of the day secure password authentication is what most secure sites and systems really want. The authentication of the USER should provide the trust basis for initial session encryption key NOT the integrity of hundreds of unrelated third parties none of us know anything about.
We still need the PKI infrastructure for cases where passwords are not used or the user has not established an account. It is still quite useful.
If your going to take the bold step of asking a device if it is safe to use you might as well just go all in and mandate full evil bit compliance for all malicious IP packets. To test evil compliance simply invoke the javascript function iamastupidfoolEvilSupported(EVIL_FA_IL); If it returns true or raises a javascript error the device is totally secure and you have NOTHING to worry about.
I never understood why people care about loading magic bytes needed by an arbitrary hardware device to do what it's supposed to. I can almost understand open drivers, but firmware? really? What's next, expecting vendors to furnish you with schematics for their asics too?
What is the big deal? Who does it hurt? What freedoms are abridged?
Will Debian be providing open Intel and AMD microcode as well or will they just forget about it in pursuit of an ideal that ends up causing real harm to the end user.
Honestly look around you...look at the dynamics playing out on the Internet and mobile devices between governments, media companies, apple, google and facebook... If you really want "free"dom go pick a battle that actually stands a chance at making a real difference.
I can live with PPL begging for money for a few weeks if it means no ads for an entire year.
The problem of annoying Wales ads is easily solved by taking all of his ads out of rotation and keeping Lilaroja :)
No dualstack sockets either :(
You're right it sucks most vendors make you pay for upgrades to obtain IPv6 functionality but at least IPv6 is available in current versions of exchange and forefront (ISA).
I have a 2003 server and IPv6 works fine. This is only because it also has IPv4 connectivity so the downsides you point out don't really apply to me.
DNS is really the only major showstopper for going "IPv6 only" in terms of XP Internet connectivity. It can easily be resolved by installing a local proxy agent that provides IPv6 resolver functionality missing in XP.
I think it is more realistic to project ahead in time to a point where IPv4 connectivity becomes "optional". At this point what will the XP user base look like?
Until then all ISPs with the possible exception of some mobile carriers will be going dualstack where the XP shortcomings do not matter.