One Step Closer to IPv6

gbjbaanb writes "IPv6 came a step closer yesterday as ICANN added IPv6 host records to the root DNS servers, reports the BBC. 'Paul Twomey, president of Icann which oversees the addressing system, told the BBC News website there was a need to start moving to IPv6. "There's pressure for people to make the conversion to IPv6," he said. "We're pushing this as a major issue." The reason for the urgency, he said, was because the unallocated addresses from the total of 4,294,967,296 possible with IPv4 was rapidly running out. "We're down to 14% of the unallocated addresses out of the whole pool for version 4," he said. Projections suggest that this unallocated pool will run out by 2011 at the latest.'"

Sad

[suso (153703)]

Its sad to look at the list of class a allocations [iana.org] and know that we're almost out. All this was done before NATs became popular. I think ICANN/IANA should work on wrestling some of those class As back from companies like Ford, Apple, HP, etc. None of those companies are going to ever have 16,000,000 hosts on public IPs. I know some of those companies have already made sub allocations. We could probably buy 5-10 years if they could reclaim just the 3, 9, 13, 17, 19, 20, 34 and 40 class As and get over 130,000,000 IPs back.

I mean, if those companies complain, who cares. They wouldn't get such large and prestigious allocations in an IPv6 network anyways. So what's the difference.

I know, I know, we should move to IPv6 anyways. Just a suggestion. Poor initial planning warrants changes down the road.

Re:Sad

[by Anonymous Coward]

I completely agree with you. That is why I am going to pledge my entire allocation of the 10.0.0.0/8 network back to the IANA. As long as we ensure that it is reallocated properly, I think it will be a huge benefit for the Internet as a whole. For those of you who might control a part of or the entire 172.16.0.0/12 or 192.168.0.0/16 network, you might want to ask yourself this question: do I really need that many addresses?

Re:Sad

[misleb (129952)]

Didn't Bill Gates once say, "127.0.0.1 should be enough for anybody." Damn, he's always so short sited.

Re:Sad

[Guppy06 (410832)]

I just hope that the guy who holds the 127.0.0.0/8 network never follows suit. All his hosts have the largest pr0n collection I've ever seen!

Re:

[Profane MuthaFucka (574406)]

130x10^6 addresses isn't that many. It'll push off the exhaustion of the address space by a year or two at the most, and then we're still going to need IPv6.

Also, without IPv6, there's only a maximum of 2^32 Linksys routers that will be needed. IPv4 is unfairly capping the maximum number of needed NAT routers, and thus unfairly capping the profits of Cisco. We must think of the cost of IPv4 in terms of corporate profits, or we are doomed. Our economy depends on exponential growth, and that applies to addres

Re:Sad

[tknd (979052)]

We could probably buy 5-10 years if they could reclaim just the 3, 9, 13, 17, 19, 20, 34 and 40 class As and get over 130,000,000 IPs back.

130,000,000 / 4,294,967,296 = 3%

The article says we will run out of unallocated IPs by 2011. The unallocated pool is 14%. It is currently 2008. 2011 - 2008 = 3 years. What makes you think that reclaiming 3% is going to buy us 5 to 10 years?

Re:Sad

[CopaceticOpus (965603)]

But 3% of 2011 is over 60 years!

Re:

[Rolgar (556636)]

All class A's should be re-designated as class B's, and entities that currently have class As that need more than a class B should be able to claim multiple class B's from their current class A.

I'm a contractor with the Postal Service (Class A 56) and I don't think we need the whole thing. Probably 50-75% of postal computers are individual post offices that access the network through a DSL (or in some small towns, dialup) and VPN. Data Centers and other large facilities should easily be able to fit in 1-1

Re:

[gbjbaanb (229885)]

I mean, if those companies complain, who cares. They wouldn't get such large and prestigious allocations in an IPv6 network anyways. So what's the difference.

yeah, we'll restrict them to a meagre 281474976710656 addresses like everyone else. That'll show them, and if they want more than a single /48 then they can just go whistle, loooosers.

Re:

[Cheeko (165493)]

HP actually has 2 Class A's and a class B (though they may have let the B go). When I was working there (till this past year), everything we did generally had a 15 or 16 IP. (15 = HP, 16 = DEC, the class B was the old Compaq)

Re:

[ptbarnett (159784)]

HP actually has 2 Class A's and a class B (though they may have let the B go).

HP used to have another Class B: 130.168.x.x, which it acquired along with Convex Computer. However, they subsequently gave it to Agilent when spinning it off.

Re:Sad

[ACMENEWSLLC (940904)]

I'm ready to begin to add IPv6 to my network. 99% of my machines can support IPV6. There is no RFC1918 private space needed with IPv6 since there is so much space. I went to allocate space, but found out that I can't;

http://www.arin.net/registration/guidelines/ipv6_initial_alloc.html [arin.net]

Re:Sad

[TheRaven64 (641858)]

Thats 2^48 Internets!

Why would you want that? One of my staff sent me an Internet the other week, and it took three days to arrive! If everyone has 2^48 Internets, my staff's Internets will never arrive.

Re:

[WhiteDragon (4556)]

We could probably buy 5-10 years if they could reclaim just the 3, 9, 13, 17, 19, 20, 34 and 40 class As and get over 130,000,000 IPs back.

Well, think about this: 3.x.x.x is owned by General Electric:

whois 3.0.0.0

OrgName: General Electric Company

NetRange: 3.0.0.0 - 3.255.255.255
CIDR: 3.0.0.0/8
NetName: GE-INTERNET

So naturally, you would expect www.ge.com [ge.com] to be in that block. And you would be wrong.

dig www.ge.com ;; QUESTION SECTION: ;www.ge.com. IN A ;; ANSWER SECTION:
www.ge.com. 30 IN A 216.74.131.56

I have always thought it was rather irresponsible of them.

Re:

[Torvaun (1040898)]

Do all of your machines need to be publicly accessible? Subnets for the win.

Just Like Oil

[mrxak (727974)]

Just like how when we run out of oil, solutions will come along, when we run out of IP addresses, solutions will come along. The only problem is people don't get very motivated until we're really on the edge. I don't have much hope for IPv6 for another few years yet. Still, progress is progress.

Re:

[by Anonymous Coward]

the solution came along, its ipv6

Re:

[discogravy (455376)]

well, the PJ O'Rourke line ("We're waaaay out of whale oil, but instead of sitting in the dark we found other oils for our lamps") -- which is the standard American Republican line in this case -- is that we'll innovate a new way. So far the oil/energy problem has the same problem that IPv4/IPv6 have, namely that everyone wants it, but no one wants to be the one to start (or wants it enough to actually *DO* something).

Re:Just Like Oil

[rmstar (114746)]

Do you know how deep people will drill for oil? Do you know how many kilograms of battery you need to substitute a kilogram of gasoline? No? Thought so :-)

We are not addicted to oil just because we are lazy. We are addicted to oil because it is so god-damn good. We will be badly screwed if it runs out, and no amount of innovation will bring such a wonderfully convenient energy source back. In comparison, and, come to think of it, not even in comparison, IP6 is a complete and total triviality.

Re:

[Wesley Felter (138342)]

People are adopting IPv6 from the outside in, but they're using 6to4 and Teredo instead of the obsolete 6bone.

Re:

[Wesley Felter (138342)]

Most people don't understand anything about IP, yet they use the Internet just fine. If your OS or router enables 6to4 automatically then you don't need to know anything.

6to4 is pretty similar to configured tunnels, but it structures its IPv6 addresses in such a way that each endpoint can automatically discover the IPv4 address of the other endpoint. Thus 6to4 requires no configuration or state in the network.

Re:

[betterunixthanunix (980855)]

We have solutions to both problems. People just don't want to put in the time, effort, and of course, money to implement the solutions. Would you want to pay higher taxes to help subsidize the creation of bioplastics and wind power? Would you want to pay higher taxes to help subsidize an upgrade to broadband access and IPv6 use in your country?

Re:

[Unoti (731964)]

If higher taxes would honestly go to bringing high speed fiber right to my doorstep, yes, I'd seriously consider it. I just don't have much faith in the government spending my money properly.

Re:Just Like Oil

[explosivejared (1186049)]

The Universal Service Fund is evidence enough for you. Billions of dollars of subsidies wasted as windfalls to stockholders. Your lack of faith is wise, and it's only being supported by the new broadband plan laid out by the president.

It would be nice to have a perfectly efficient method of coercion to force ISP's to actually spend their subsidies on broadband penetration, but no one in power seems to be interested. It's the same story as IPv6 up to now. ICANN seems to be taking the lead finally. Hopefully someone will follow suit in the broadband arena.

Re:

[Aqualung812 (959532)]

It isn't that simple. With IPv4, you have to subnet and that takes a few addresses. You'll have to have a gateway and a firewall/NAT device, there is two addresses. Network address and broadcast address take up two more, so now assuming you only need 1 IP address and took the smallest block, you just "wasted" three.

Now, maybe day one I only need 4 IP addresses. I get a subnet that can handle that, plus maybe 2 more. Now, when I need to add 2 more, I have to add a whole new subnet, waste more IPs, AND

Re:

[TemporalBeing (803363)]

Getting back to end-to-end networks is what needs to happen (no more NAT), and IPv6 is the way.

That's assuming I want all my devices to be publicly visible. What if I don't? While NAT is a little PITA to set up, it works beautifully for the job. I don't want people to be able to easily figure out the all the systems on my network, and even if I converted my network to IPv6, I want a solution like NAT.

NAT just makes it easy for the network to have a single point-of-contact going in/out of the network.

Re:It's a sham - the Internet is mostly dark

[BitZtream (692029)]

While I would love to agree with you completely as I believe ARIN is a bunch of tards (can't speak for the other registries). There are/were technical reasons behind the way IPs are assigned. Machines haven't always had 2 gigs of ram. Maintaining routing tables on a network the size of the Internet was a difficult task, which required aggregating networks at upstream links and all sorts of stuff in a desperate attempt to prevent every multihomed router on the Internet from needing a few gigs to hows the paths to various subnets and determine what path was the best.

Of course, time goes on, ram is cheap, and doing it now is somewhat easier, but it still requires ram and processing power, and that increases latency and cpu utilization.

For instance, assume that everyone was assigned address space in blocks of 256 address (class C) and had to show they utilized the address space before getting more as well as prove they continued to use it. Now assume that only half of the address space available was assigned. 2.1 billion addresses in use. Thats approximately 8.3 million class C blocks
allocated. I'm going to assume thats higher than what we have actually in use these days (not allocated, in use) but bear with me for reference purposes.

Now, for each packet you route, you have to search through those allocated blocks and find the one that contains the address you're communicating with. You also have to determine which path of the many you may have on your router is the best path to use based on number of hops to the destination (we'll pretend AS hops are real hops for simplicity), include other factors such as your internal weights for a route because its expensive for you to use the OC3 you have rather than the DS3 because you got a great deal on the DS3 but not so much on the OC3.

You've just spent a lot of CPU cycles trying ot figure out which path to use. Now ... do this on hardware from 10-15 years ago. Well, first off, unless your at a NAP 10 years ago, doing this would require expensive memory upgrades on your routers because most didn't have the ram required to deal with a such a routing table in the first place, now add in the processing increase your going to need because even though you can cache routes and deal with updating the cache only as the external paths change, it only helps so much because those external paths change a lot so your cache hits have to be revalidated more often than you think. God forbid you have a flapping connection, as I can tell you from personal experience, on many routers from 15 years ago, a flap of a line that relays BGP information resulted in a router that was busy for a few seconds dealing with the BGP changes unless it was a fairly high end router.

So ... the point to all that is, a lot of the way address space was assigned was because the hardware we had to work with 'back in the day' was only capable of so much.

Okay, so now we can do better, great! Lets readdress everyone ...

I'm not going to bother going into the complexities of re-addressing a large network, but its rather a pain in the arse and can cost a whole hell of a lot of money in IT resources. So when you look at the big picture and think, 'well, I can readdress now and help deal with the problem and then have to eventually switch to the new protocol (for now, IPv6) eventually anyway OR I can wait till everyone has to switch to the new protocol because of this problem and only do it once'

It makes more sense to wait and do it at once, save yourself some money, deal with it when everyone else does, and deal with the least amount of work you can until that time. And ... this is how businesses make money, but not doing extra work they are just going to have to do again later if they can prevent it.

Of course, on that same note, there are plenty of businesses which don't exist yet that will make a killing off the scare of running out of IPv4 address space and the switch to IPv6 ... just like all the ones who made out over y2k fears/bugs.

Re:It's a sham - the Internet is mostly dark

[mxs (42717)]

You are an exceptionally bad engineer, coder, thinker, and internet citizen.

The sad part is, most of the IP addresses in question are... dark. Nothing there. Even though we're approaching 85% allocation, utilization is probably around 1-2%. No, I'm not kidding.

And you have ANY hard data to back that up ? No. Others are trying to come up with better metrics (http://www.potaroo.net/tools/ipv4/index.html is exceptionally verbose), but you ? You are not kidding about thinking that it maybe probably is around 1-2% ... Wow.

Try it yourself - hack up some script to randomly generate IPs and then ping sweep the network blocks. You'll probably be quite surprised at the result.

Bzzzt. No, I would not be -- nor should anybody be. First of all, it's not a requirement for every address to be routable to (and you can check that much better by looking at what percentage of prefixes are actually advertized). Second, many, MANY hosts and networks are behind firewalls, intrusion detection & response systems, etc. -- a "simple pingscan" can easily land you in a black hole at the network border after a couple of pings -- if access to those machines is even allowed from your network. Sure, in consumer broadband connections you don't often have such firewalls restricting inbound access, but that's not the "entire internet". Hell, go ping amazon.com and see what you get back. Nada, that's what.

A while back, I wanted to have a way to detect if a host was "offline" so that it could modify its behavior. (EG: halt outgoing SOAP requests if the server's network connection was disrupted, preventing bogus error messages from entering the system)

A problem many others have faced and solved before you.

My first thought was to randomly generate 10 IP addresses, then ping them to see if they were offline, guessing that at least 50% would respond.

Accounting for the different classes of addresses, unroutable space, bogons, etc. in that random calculation would be more work than the result is worth, especially seeing as how the state of netblocks can change over time. I wonder, why was your first thought to crap out (at least) 10 packets to the net that really are not needed ? What possible reason could there be for you to automatically ping a cellphone in Singapore ? Just imagine everybody doing this, just to check whether they are "online" ... How about choosing some well-known addresses (such as one of your own servers in a different locale, or possibly "well-known" servers that you know will respond and that don't mind a ping from you every now and then ... Not only do you get a 100% response rate when everything is working correctly, you also forego abusing bandwidth in remote locales you are not at all interested in.

Basically, none did. So, then I tried randomizing addresses and keeping a list of only those that had, at one time, responded. Even that turned out to be unfruitful.

You know, while still a bit dickish, it might have occured to you that most of {a-m}.root-servers.net do reply to ping or DNS requests. So do, in all likelihood, a router in your upstream, or DNS resolvers you know about. Instead, you now latch on to addresses that respond. The cellphone in Singapore, for instance.

So finally, I took a dictionary and randomly created domain names from 1-2 normal dictionary words, pinging those, and keeping a list.

Ah. So now that flooding ICMP out to the net is not enough, you have to litter it with bogus DNS requests the reply to which you are not really interested in. Again, imagine EVERYBODY doing this. Why not pick 10 known domain names and always ping those ? At least the results will be cached, and you may even choose ones whose owners you know and can ask whether they mind to be flooded with icmp every now and then.

That yielded some 40% usable responses, allowing me to keep a list of fairly

Re:

[gmack (197796)]

You can go out and do things as long as those things don't happen to be on a link that happens to have a smaller packet size than yours. Blocking all ICMP is a common firewall mistake.

Re:Just Like Oil

[WhiteWolf666 (145211)]

Offtopic, but---

It simply doesn't follow that Co2 levels haven't ever been this high. That Co2 that we are generating; you know, from fossil fuels?

Where do you think it was before it became fossilized?

http://www.geocraft.com/WVFossils/PageMill_Images/image277.gif [geocraft.com]

For most of the current Cenozoic era, Co2 levels have been *higher* than they currently are. The *only* possible issue with "global warming" right now is whether or not the rapid rate of change in Co2 levels will be damaging, not the absolute level of Co2 in the atmosphere.

For example, during the Jurassic period, Co2 levels were at 1800 ppm. During the Cambrian period, Co2 levels were 5000 ppm. Currently, Co2 levels are at 378 ppm, and even if we burn ALL known sources of Fossil Fuels it is unlikely we will drive that above 900 ppm or so.

My home network allows over 10M hosts

[davidwr (791652)]

Sadly, it can't Talk dirEctly to my Next-DOor neighbor, who runs an equally large neTwork.

more the story

[trybywrench (584843)]

The only justification you ever hear for moving to IPv6 is address exhaustion in IPv4. There's a lot of other stuff built into the protocol that will make the net a much better place. Even if IPv4 had the same amount of addresses as IPv6 it would still be worthwhile to switch. Just give this a once over for an introduction

http://en.wikipedia.org/wiki/Ipv6#Features_and_differences_from_IPv4 [wikipedia.org]

Re:more the story

[gclef (96311)]

Yes, lets take a look at those:

Larger address space
This is the address exhaustion argument.

Stateless address autoconfiguration (SLAAC)
Interesting, but not a selling point for users, and will make administrative management a pain in the ass. Most networks will use DHCPv6 to have records of which host had a given IP address...but they'll still have to run AutoConf to get a default gateway. This kind of split is annoying more than it's helpful.

Multicast
This is really only used on the link level, with one or two site-level things. I don't think this will not be used heavily. Also, if you want multicast, it's already available in IPv4. So this isn't really a gain with IPv6.

Link-local addresses
End users don't care, most sites won't care. In fact, the only people who do care are the authors of EIGRPv6 and OSPFv6 implementation. This isn't really a gain...just a difference.

Jumbograms The first possibly interesting thing in the list. It won't be used by many places, but DB->App server jumbograms are a common thing in IPv4, and making those bigger & standard is a reasonable gain.

Network-layer security
aka IPSec. Implemented, but key exchange is left as an exercise for the reader. (In other words, it's not happening.) This will be used very, very rarely. This is also something that's already available in IPv4, so not a gain for IPv6.

Mobility
Interesting, and also something definitely new....but not actually implemented anywhere. Not clear if this will fly at all.

No more checksum at the network layer
I'm not sure if anyone really cares.

In short, the single biggest selling point for the vast majority of businesses and users really is the extra size. The other stuff is either already available in IPv4, or only useful for some rare cases. In the majority of cases, the extra IP space is IPv6's only real selling point.

I don't expect much to change

[Waffle Iron (339739)]

ISPs see the limited IPv4 address space as a revenue stream. Many of them charge almost double for the privilege of getting a fixed public IP address. They don't have to spend money on a lot of scarce IP addresses themselves since they can always stick their customers in NAT ghettos.

They're not going to be very eager to give up their position as a gatekeeper of a limited resource just so their customers can frolick in a vast address space for free. Since most of them operate in a monopoly or duopoly situation, the proverbial "free market" won't force them to move off IPv4 either.

Re:I don't expect much to change

[Tony Hoyle (11698)]

Exactly... Expect 'cheap' accounts to be allocated within a 10.x.x.x net long before an ISP thinks of implementing ipv6. They'll probably pitch it as a security feature ('let us control the firewall for you! Surf in safety! Only $10/month!').

If a user wants a public IP. That's more cost. If they want a *fixed* IP.. go talk to the business services manager over there.

If they do implement ipv6 it'll be done the same way. 1 ipv6 address per account (ipv6 NAT exists and has done for a while). If you want 8 of them that's more cost. If you want more than 256.. see that guy in a suit waving? Go hand him your chequebook.

And before anyone says 'but but we'll all get 16 million addresses!'.. yeah, over the rotting corpses of every major ISP in the world.

Peak IP?

[misleb (129952)]

Have we reached Peak IP?

IPv6 migration behind a NAT

[Midnight Thunder (17205)]

IPv6 is not quite there yet, with some of the popular web sites still not accessible via IPv6.

If you are stuck behind a home router, with NAT then you will probably find yourself unable to access IPv6 sites. In the meantime there are two solutions:
    - Teredo. If you have Vista this is standard. For everything else there is Miredo [remlab.net]
    - Aiccu. A litte more work and bureaucracy to get up an running, but a solution non-the less

Of course there is also Apple's Airport Extreme, which is one of the few home routers out there that support IPv6. I believe some of the third-party firmwares will do this too, but I don't think the IPv6 support is mature. As for Linksys, D-Link, et al. I think you are out of luck for the moment.

Also, if you running Apache, you will need a minium of Apache 2 and specify IPv6 support, using the configure script, prior to building it.

IP6 won't matter til Google supports it

[wowbagger (69688)]

Wake me up when I can pull up the main page of Google using nothing but packets with IP6 headers.

That means that I can do a DNS query using nothing but IP6 packets - NOT IP4 packets.
That means that I can do an HTTP transfer from Google's servers using nothing but IP6 packets - NOT IP4 packets.

Hell, wake me up when there's a AAAA record for Slashdot.

This is a *baby* step towards IP6 being useful.

Re:IP6 won't matter til Google supports it

[gbjbaanb (229885)]

This is a *baby* step towards IP6 being useful.

Yup. The thing with first steps is that you have to do them in order to make the second step (obviously), but then you can make a third and fourth steps. Next thing you know, you've got to where you were going.

Now Google can register an AAAA record, do you think they will? If they couldn't register one, do you think they would?

Re:IP6 won't matter til Google supports it

[Cajal (154122)]

This is actually a very important step towards what you want. About two-thirds of the TLDs have authoritative servers which are reachable over IPv6. There's a complete list at my blog - http://www.personal.psu.edu/dvm105/blogs/ipv6/2008/01/ipv6-dns.html [psu.edu]

So you can query the root and .com DNS servers using IPv6. If you want Google to be reachable over IPv6, go talk to Google. Everything higher in the tree is IPv6-enabled now. And Google has an IPv6 allocation from ARIN - they got a /32 2005 - http://ws.arin.net/whois/?queryinput=!%20NET6-2001-4860-1 [arin.net]

I agree that there isn't much content on the IPv6 internet now. So if you want it, yell at the content providers.

Consumer router support

[nsayer (86181)]

I've been waiting a while for Netgear, Linksys and that crowd to add 6to4 support to their home NAT routers as a way to help jump start IPv6 adoption. There would be no security issue if incoming connections were blocked by default and people could turn it off if they didn't want it. But 6to4 can be set up automatically by any machine with a publicly routable IPv4 address.

Well, I'm happy to say that my wait is finally over. They didn't make a big deal about it, so I don't know exactly when they did it, but Apple added that support to their Airport Extreme. So now when I go anywhere that has one of those, I can directly SSH into those inside machines that I've opened ports for without undue muss or fuss.

Apple has been a stalwart supporter of IPv6, from my observation. It's been possible to use AFP file sharing over IPv6 since at least Tiger and the built-in VNC stuff works over IPv6 too (though there is a naming lookup bug that requires you to connect using the IPv6 address literal if you use the command-K "Connect to" dialog).

So, Netgear and Linksys, what's holding you guys up?

I get a surprising number of IPv6 hits...

[Omnifarious (11933)]

I get a surprising number of IPv6 hits on my webserver at home. Most of these appear to be XP or Vista boxes with Internet connection sharing turned on that automatically assign themselves a 6to4 [wikipedia.org] addresses when they have an interface with a public IPv4 address.

IPv6 with 6to4 is easy to set up, and I'd recommend it to anybody who has a static IPv4 address. You can use NAT-PT [tomicki.net] so all your IPv6 hosts can still get to the IPv4 network. If you have a couple of DNS servers, you can even set up reverse DNS for your IPv6 network just the way you want using this nice web interface [nro.net] from the NRO [nro.net].

I maintain some good links to stuff about IPv6 on del.icio.us [del.icio.us].

I hate NAT. And I think IPv6 can be just as secure. Partly because a 64-bit address space is really hard to effectively randomly probe working addresses and partly because it's fairly easy to configure a firewall to not allow incoming connections.

What about NATs

[llZENll (545605)]

So when IPv6 finally does become the norm, will there be any need for NATs on home routers, or will ISPs simply give you many addresses?

Re:

[Tony Hoyle (11698)]

We've been hearing this 'addresses will run out by year x' for 20 years, and the predicted date has been wrong every single time. It's very hard to get enthusiastic about something that seems to be run by chicken little... Sure they'll run out eventually, and there's a network there to deal with it when it happens.. until then... zzzzzzz

If google, microsoft, redhat, CNN and the BBC (insert favourite site here) all go ipv6 (and by that I mean google starts indexing it too), that will be the year of ipv6.

Re:

[Ash-Fox (726320)]

just switch to IPv5 until things get sorted out

The Internet Stream Protocol (IPv5) doesn't redefine the way addresses are handled and thus offer no benefits over IPv4 in this particular issue.

Re:Great, IPv6, an insecure protocol

[Just Some Guy (3352)]

Lest anyone think this jackass is correct:

IPv6 barely supports firewalls or NATs, allowing any Joe Sixpack to see what your secured corporate network topology is like from anywhere.

It is not up to the protocol to support the hardware. And anyway, all good firewalls support IPv6 already. NAT? It's there if you're dumb enough to want it.

It also does not support reserved IP blocks... change ISPs, and you are forced to re-ip your whole network.

Step one: update your router to the new netblock.

Step two: sed -i'' 's/^old:net:block/new:addr:ess/' db.mydomain.com; rndc reload

Step three: laugh at people who go around changing ISPs all the time.

Of course, IPv6 has -zero- hooks for IP level encryption, so this has to be handled at the trensport or app level.

If only it support IPSec [ipv6.com], "the goal of [which] is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments." Oh, wait...

Re:

[Just Some Guy (3352)]

With no ability to NAT or firewall in IPV6 , anyone on the external Internet can find out exactly what you have, theb stage targeted attacks on every single host on a private network.

End-user netblocks are 2^64 addresses in size. If an attacker could ping a billion hosts per second, it would still take them 585 years to scan a single block.

So, again, NAT-as-security is even dumber on IPv6 than it is on IPv4.

As for the stated IPsec, it was a nice draft... but never made in the standard.

From Wikipedia:

IPsec is a mandatory part of IPv6 (mandatory to implement, not mandatory to use), and is optional for use with IPv4.

Wow. Guess you're wrong there, too.

Re:

[growse (928427)]

I firewall ipv6 very nicely, thank you very much.

And you're last comment proves you're not a net admin.

NAT Sucks

[JSBiff (87824)]

NAT is, well, better than nothing, which, currently, is your alternative. But I'd hardly call it an "elegant and awesome solution". IMO, ultimately, NAT sucks because you *do not have a globally routable address* for devices in your network. Sure, that gives some security benefits, but makes it a PITA when you do want to open connections directly to a computer or consumer electronic device in your network.

A few reasons you might want to have a public address inside your network:

* Direct VOIP telephony (SIP, Skype, various instant messenger clients, run a TeamSpeak Server), etc

* Running game servers, web server, mail server, etc

* Remote access (VNC, SSH, etc)

* Direct file transfer with a friend (I've, from time to time, run into problems with things like instant messenger client based file transfers not working behind a NAT - though they do seem to have somewhat alleviated that problem - I suspect by routing my file transfer through the IM network instead of directly to the other person), or P2P file sharing systems, like Bittorrent - yes, they can usually work behind NATs; but they work better if direct connections could be more easily made).

Yes, yes, I know about port forwarding. That's fine and dandy as long as you only have a single device per port that you want to allow incoming traffic to. Ultimately, IPv6 is a much better solution to the problem of address space limitations than is NAT. NAT usually requires software to do ugly hacks to get around the limitations of only allowing outbound connections. A simple firewall with every device having a global address is a better solution, because then I can open up as many ports to as many devices as I like, without having to worry about only allowing one device per port.

I've had a number of times where I've been extremely frustrated by NAT. Often times, if software isn't explicitly written with NAT in mind, and the problems it creates, then it won't work well in a NAT'ed network.

Re:

[timeOday (582209)]

Well, it's 64K * 4 billion. The 4 billion does help some.