IPv6 Still Hotly Debated

inkslinger77 writes "A significant stumbling block to IPv6 adoption may be IPv4 loyalists who are keen to keep the old protocol in preference to the 'new improved' version, according to a Computerworld Australia article. The article covers the views of Cisco's senior technical leader for IPv6 technologies, Tony Hain and Geoff Huston, a senior Internet research scientist from Asia Pacific Network Information Centre (Apnic)." From the article: "Go to your favourite venture capitalist and say 'I want to be an ISP'. By the time he stops laughing and [finds you want to run] IPv6 - the discussion gets terminated. No one wants to hear this. IPv6 is well ahead of adoption in this market so everyone is deferring. No one is running IPv6, because there is no business case for it ... if we really wanted to leave a legacy to our children we'd review the crap we have today which is pretty ghastly ..."

Re:Me too

[mboverload]

> Why 128 bits instead of, say, 64?

Exactly what I'm asking. From wikipedia:

The primary change from IPv4 to IPv6 is the length of network addresses, with IPv6 addresses being 128 bits long (as defined by RFC 2373 and RFC 2374). This corresponds to 32 hexadecimal digits, which are normally used when writing IPv6 addresses. Each hexadecimal digit can take 16 values (see combinatorics), resulting in a total of 1632 (340 undecillion) addresses. IPv6 addresses are usually composed of two logical parts: a 64-bit network prefix, and a 64-bit host-addressing part, which is often automatically generated from the interface MAC address. It is often argued that 128-bit addresses are overkill, and that the Internet will never need that many. However, it should be noted that the rationale for the 128-bit address space is not primarily to make sure that addresses never run out, but rather to ensure that routing can be handled smoothly by keeping the address space unfragmented. This is seen as an improvement over IPv4, where a great number of discrete netblocks are often assigned to one organization.

I still think it's complete overkill

NAT Separation Good???

[imunfair]

Correct me if I'm wrong, but isn't NAT and the separation of networks a good thing, security wise? (Obviously there are other measures needed, but it plays a part..) Even if we had IP6 it seems we'd still want DMZs and the like. Maybe I'm getting the wrong impression from the articles, but it seems like they're emphasizing everyone being able to have an IP address on a common network essentially - instead of the Internet being a network connecting a bunch of private networks. I don't know about you, but I feel much safer having my computers on a private network connected via one IP and a router than I would having all of them exposed.

Re:NAT Separation Good???

[hpa]

NAT and firewalling are completely separate things. Since they're done at network boundaries, they are usually combined in one device, but they don't have to be.

NAT is a pretty bad thing. Unfortunately the IPv6 people haven't considered the requirements for managing that large of an address space except by hierarchy (which breaks as soon as you want to have a backup link to another ISP), so I fear we'll still have to have NAT in an IPv6 world.

IPv6 Considered "Production Grade"

[netrangerrr]

At Tuesday's IETF meeting in Vancouver the vote for consensus was many for and none against elevating the IPv6 Protocol Standards from "draft Standard" to "Internet Standard" and make them part of the everyday production Internet. The IPv6 WG is even shutting down as it has accomplished its mission and designed a good working protcol. The wired and wireless networks provided for the engineers at the IETF is running IPv6 and we are regularly using it to get information from our working group colloboration sites like: www.v6ops.euro6ix.net/

Don't fear, the IETF V6 Operations (V6OPS) team and the IPv6 Forum will continue work to better clarify how to deploy IPv6 and to help build new network services around the new features. Most of the new network services groups in the IETF are basing new services on the features of IPv6 - early examples are Mobile IPv6 (MIPv6) and Network Mobility (NEMO) both of which are being extended to offer IPv4 access through IPv6 tunnels in order to get IPv4 native service through IPv4 NAT.

If you actually have useful comments or design alternatives for IPv6, bring it up in IETF working group mailing lists [http://www.ietf.org/html.charters/wg-dir.html%5D [ietf.org]. If you don't understand because of FUD, please read up on our North American IPv6 Task Force website website [ www.nav6tf.org/ ] or the similar European/Asian sites.

Re:Two big issues

[hpa]

Also, I never understood why IPv4 wasn't just a subset of IPv6? Why can't my existing IPv4 addresses also be IPv6 addresses with a standard prefix? Maybe this has changed, but when IPv6 came out it looked like that wasn't part of it.

They are, the prefix is ffff::/96. In addition, there is 6to4, which lets you use your IPv4 address as a 48-bit IPv6 prefix, 2002:<IPv4 address>/48.

The problem is... who will deploy the first IPv4-unreachable Internet service?

Re:Market Forces

[tenchiken]

A few things to remember, this isn't the first time that technical purists have tried to change the underlying protocol for the internet for logistical reasons. The first Attempt [wikipedia.org] at replacing TCP/IP internet wide was far more braindead then IPv6 (packet size of 53 bytes? Yeah, let's ship everything around in a packet size that not only is not a power of two, it's a large prime number! Oh and for traffic control, let's just drop everything into a leaky bucket!)

However, it's been clear ever since IPv6 was introduced that it was signficantly larger and more complex then it needed to be. Not only is it not a sensible extension of IPv4 (which has proved it's durability over and over) it is requiring a whole new round of experience so we don't run into the same problems we hit in 88 and 89 before Van Jacobson [wikipedia.org] fixed TCP/IP.

I think that NAT and CIDR [wikipedia.org] have removed the need for IPv6 until the next iteration of technology requires it. It does not make any sense to migrate to the new technology before then.

Re:Me too

[Anonymous Coward]

Found this [wikipedia.org] on Wikipedia:

It is often argued that 128-bit addresses are overkill, and that the Internet will never need that many. However, it should be noted that the rationale for the 128-bit address space is not primarily to make sure that addresses never run out, but rather to ensure that routing can be handled smoothly by keeping the address space unfragmented. This is seen as an improvement over IPv4, where a great number of discrete netblocks are often assigned to one organization.

Seems reasonable to me.

Re:Me too

[Ancient_Hacker]

Uh, no. The universe has around 10^85 atoms (plus or minus a few orders). 2^128 is approximately 10^38. A much smaller number. About 10^63 times smaller. You can only assign IP addresses to each atom in New Jersey.

Re:IPV6 128 bit addresses make no sense

[Jerry Coffin]

I don't see why IPV6 needs to have 128 bits for addresses.

128-bit addressing isn't really necessary -- but it makes life really simple. With IPv4, you have a subnet mask (that AFAICT, 90% of people never quite understand) that tells how much of your address is devoted to the local subnet, and how much isn't. With IPv6, this has simply been fixed at 64 bits apiece, so using it, nobody ever has to figure up a subnet mask again.

A better question would be to turn this around: what would we really gain by reducing the addresses from 128 bits to 64 bits? We'd save 128 bits per packet. Even over a 28.8K dialup line, that's approximately 4 milliseconds per packet. However, IPv6 increases the maximum packet size you can reasonably use, so unless you really need to send lots of tiny packets, its addressing overhead may well be lower than with IPv4. In most cases, you gain a bit, and even in the worst case you lose very little.

If you're doing things like VoIP, IPv6 helps a lot more: in IPv4, QoS was hacked on after the fact (and has never really worked very well), but in IPv6, it's part of the base protocol.

Personally, I think we need to consider the source of TFA: Cisco and APNIC. Cisco is the leading provider of IPv4 routing (etc.) equipment by a wide margin. APNIC derives it "power" largely from the scarcity (and therefore value) of IP addresses.

A shift to IPv6 gives other router manufacturers a much better chance of gaining market share over Cisco -- about the best Cisco can hope for is to maintain their current position, but in reality they're likely to lose at least a little. Cisco has only to look at what happened to Lucent when the market shifted from ATM to IP to see how badly a technology shift can hurt even a huge market leader.

APNIC stands to lose even more: rather than a chance of losing market share, they face a near certainty that a large part of their power base simply ceases to exist.

Looking at it from this (admittedly cynical) direction, what are the chances that they were going to write an article in favor of IPv6, regardless of its merit?

--
The universe is a figment of its own imagination.

Re:So how do I get PI addresses for IPV6?

[MrGushi]

Same way you'd get them for v4. Apply for an ASN, get them from ARIN. (Assuming you're in the Eastern Hemisphere). Otherwise, I've had good luck with tunnelbroker.net

Re:So how do I get PI addresses for IPV6?

[nsayer]

Anyone with a single globally routable IPv4 address can have a /48 IPv6 prefix right now, today. Check out 6to4.

No, wrong.

[Kadin2048]

I beg to differ. I question whether you're serious or a troll, but I'll respond anyway and give you the benefit of the doubt.

Lots of companies which are big enough to have their own Class-A allocations assign all of their clients globally routable addresses. I can tell you this from personal experience.

They don't use personal firewalls, obviously, and I have no idea why you think this is related. Using a personal firewall at the client level has nothing to do with IP address allocation or NAT. You can assign every user on a subnet a globally unique IP address, and then still use a stateful firewall for security. This is what these companies do: you get the benefit of not having your applications negotiate NAT with the protection of firewalls separating the internal networks at various facilities from the global network.

As far as the cost thing, if you're big enough to have a Class A block, you're not paying individually for IP addresses, so there's no difference in cost between a client that has a unique address and a NAT one. In fact the NAT one is probably slightly more expensive because the NAT routers are probably more maintainance and support-intensive than a straight firewall.

In short, I don't think you know what you're talking about. You might be correct when it comes to small or medium businesses, who are buying their connection from an ISP who is going to charge them more for a lot of static IPs than a few dynamic ones that they can use with NAT, but this issue isn't relevant to IBM, Ford, Apple, or the rest of the Class A companies.

Re:Me too

[jacksonj04]

Always thinking for the future...

Quick math at the moment, if everything in my house that could concievably use IP addressing does so, then that's (In whatever order they spring to mind)

6 PCs, 3 Laptops, 4 TVs, 2 Fridges, 1 Microwave, 2 Kettles, 1 Espresso Machine, 2 Toilets, 1 Shower, 1 Bath, 1 Boiler, 9 Light fittings, 10 Light switches, 2 DVD players, 1 DVR, 1 Video player, 2 CD players, 2 Radios, 4 Speaker systems, 1 Cooker, 1 Dishwasher, 1 Washing machine, 2 Outdoor lights, 1 Fishtank, 4 Mobile phones, 2 PDAs, 1 Pager, 5 Landline phone handsets, 4 Printers, 8 Clocks, 1 Burgler alarm and 2 Smoke detectors. And I've probably forgotten something.

That's 88 IPs needed for a family of four, or 22 IPs per person. Obviously if you lived on your own/single partner this would vary. That is a lot of addresses, and I quite like the idea of being able to individually address my bedroom lightbulb from the other side of the planet.

Re:Why doesn't Slashdot support it yet?

[spinfire]

There is no need to convert to *only* IPv6. Dual stacked service is available today in many data centers! This means you can simply give your interface an IPv4 and IPv6 address, and give it A and AAAA DNS records. IPv6 enabled clients will use the IPv6 address and IPv4 clients will use the IPv4 address. Simple transition.. and it can be as long as it needs to be.

Re:Reasons to use NAT

[Tony Hoyle]

Given how hard it is to get an ISP to give you reverse DNS... how in the hell are you going to persuade the them to start updating routing tables!

All the ISPs I've found charge *per month* per IP for *zero* effort - it's just a cash cow. IPV6 won't change that... they'll charge you per month for a block of 256 or something instead. Then change their TOS so you're not allowed to run servers (if they haven't already).

All this is academic... IPV6 has been around for years and not a single ISP has shown any interest at all in implementing it. The old 192.88.99.1 'anycast' address no longer works I notice... it did 2/3 years ago, so IPV6 adoption is going backwards not forwards.

"The IPv6 Mess"

[Flwyd]

IPv6 fans ought to read D.J. Bernstein's excellent article on the subject [cr.yp.to]. In short, the main problem is that the two protocols aren't easily interoperable, so investment in IPv6 infrastructure is without short-term return.

Security through obscurity is NOT the answer!

[Anonymous Coward]

No, security through obscurity is not and never should be any part of the answer. The reason is that you should not rely for security on keeping things secret that you can't easily change if they should become public.

For example, you keep your cryptographic keys secret, and if they should be divulged, you change to new keys. But you should generally not rely on keeping your cryptographic algorithms secret, because if they get divulged, it would be a lot harder to issue new programs or machines using new algorithms. Coming up with new cryptographic algorithms is a highly non-trivial process, whereas anybody with access to a decent random-number generator can come up with new keys.

This is known as Kerckhoffs' Principle [wikipedia.org], and is applicable much more generally than just in cryptography.

Re:Me too

[Jimmy_B]

Routers running out of RAM is an IPv4-specific problem, too. With IPv6 the IP address space should be almost completely uniform, so that even a core router can figure out which way a packet goes from only the first few bits of the destination address.

Re:Me too

[fbjon]

Simple, don't store incomplete arp entries from sequential scans.

No, they aren't.

[j1m+5n0w]

MAC addresses are carried in IP packets.

No, they aren't. IP packets are incapsulated in ethernet packets for local hops. Ethernet packets contain the mac address in the header, but these aren't delivered end-to-end unless both ends of a connection are in the same subnet.

In IPv6, it is envisioned that machines could use their mac address for the last 48 bits of their IP address so that they can claim a unique address within a subnet without a dhcp request, but this is only one possible convention. The truly paranoid could use a randomly generated number instead.

Patents

[Alan Cox]

Its all horribly horribly simple. No large investor or large vendor wishes IPv6 to happen in the mainstream until all the bogus submarine patents filed around it have expired. Until then its not in the interest of Microsoft, Cisco or anyone else to ship large amounts of IPv6 and get shot at.

Nobody will say that in public because the US doesn't like industries apparently conspiring together against a patent holder but you will hear it in private.

Re:"IPv4 loyalists"

[Wesley Felter]

Does IPv6 have a equivalent function for NAT that is widely used now? Everyone is waving their hands saying it would be a good thing for eveyrone to use a "real" address on all equipment. But no one has discussed the processes that will be needed for an authority to pass out those addresses to ALL users.

It's called DHCP Prefix Delegation. I might as well explain how it works.

Right now the ISP is granted a block of addresses and they assign one of those to the end user. The end user setups a NAT firewall/router and puts all kinds of equipment behind it.

In the Glorious IPv6 Future, the ISP will have a huge block of addresses, and then the user will plug in a v6 home router/firewall, which will be assigned one "upstream" v6 address using stateless autoconfig or DHCP. Then the router will use DHCP-PD to request one or more subnets from the ISP, and will advertise those subnet(s) on its "downstream" interface(s).

And any good net admin knows that you ask for more than you currently need because things grow.

In IPv6 all subnets are the same size (/64) and since they never fill up, you need exactly one subnet per LAN.

So how fast is all that IPv6 addressing going to last with people asking for big chunks of addressing and companies asking for even larger portions?

The plan is for each person to get 2^16 subnets; there will still be plenty of space left over.

On top of that it is going to require a central organization (ICANN?) to pass out the address blocks. They are not going to do that for free.

There already is a central organization to manage IP addresses (IANA/ICANN), and they already charge fees. But the fees are pretty small.

So now the individual user that wants to setup an IPv6 network at home will have to pay an annual fee for his block of addresses.

A large ISP in North America would pay no more than $36,000/year for IP addresses. [arin.net] Divided by a few million customers, it comes out to about zero per customer per year.

And based on the previous message you would want to own your own block of addressing since in theory you can take it anywhere you want to go.

Sorry; end users aren't allowed to own IP addresses.

Re:Me too

[gunpowder]

Put your toaster on fec0::/10 and it won't be routable. There you go: secure.

Site-Local scoped addresses (FEC0::/10) have been deprecated as of September 2004 (see RFC3879).

Re:"IPv4 loyalists"

[quantum bit]

• Security: IPv6 mandates IPSec (which encrypts ALL streams, ALL of the time, so contextual information can't be used for cracking as it can with SSH or SSL streams, which are generally only used for specific segments of a transaction).

  Overrated. IPv6 mandates IPSec support, but it's still an overengineered protocol that's a bitch to configure. Works okay for VPN-like scenarios, but will never work with random hosts you've never talked to before.

• Authentication: X.509 within IPSec and the use of Extended Authentication protocols in IPv6 guarantee that all endpoints are who they say they are.

  Overrated. See above. The PKI can-of-worms is bad enough with only servers, who's going to issue certificates for millions of end users and devices? How do you decide which root certificates to trust? How do you handle revocation?

• Fragmented Packets: Firewalls don't handle fragmented packets well, as there is no header to check for later fragments. Fragmenting and re-assembly also adds latency. IPv6 defines per-connection MTUs, guaranteeing ALL packets are the largest supported between any two endpoints without fragmentation.

  Cool. Fragmentation sucked anyway, and per-host MTU makes it possible to use jumbo frames in mixed 100/1000 LANs.

• Latency: IPv6 headers don't have as many entries and are heirarchical, which makes routing much faster and much simpler. The lack of fragmentation and the presence of auto-MTU also helps.

  Undetermined. Heirarchical routing makes things easier for the routers, harder for end-user sites (think renumbering when you switch ISPs). It's too early to tell how this will pan out in the real world.

• Multicasting: IPv6 mandates multicasting and has a decent range of addresses for it.

  Cool, if it works. There's still a lot of issues to hammer out in this area before we see any multicast capable BitTorrent implementations.

• Anycasting: IPv6 mandates service location and resource location abilities, which means no more hunting for printers, routers, DNS servers, SMTP servers, POP/IMAP servers...

  Very Cool. The all-zeros anycast address for routers means you don't have to worry about what your default gateway is. I'm eagerly awaiting standards for DNS over anycast, which can lead to all the service discovery features. The IPv4 anycast address for the closest 6-to-4 gateway is a neat trick, too.

• Autoconfiguration: IPv6 uses autoconfiguration for routing and addressing as a standard, in a manner (almost) guaranteed to be free of conflicts and absolutely guaranteed to be fully scalable.

  Cool. The only thing missing is configuration of DNS servers; hopefully anycast will take care of that. DHCPv6 may help also, but is there even a complete implementaiton of it yet?

• Mobility: IPv6 mandates the ability for nodes or even entire networks to be totally mobile (ie: switch upstream routers without losing connectivity or existing connections) with upstream optimization of routing.

  Overrated. I don't see how this can be practical on a global hierarchically routed network. The goals seem mutually exclusive. The work I've seen focuses on forwarding by an agent on your home network, which is horribly inefficient.

• Advanced Headers: IPv6 allows an arbritary number of extended headers to be attached to packets, with controlled responses for unknown extended headers.

  Scary. Potentially cool, but I'll bet all of the cell phones and random devices people want to be IPv6 enabled will be full of security holes relating to header parsing. I don't care how clearly the spec is defined, they'll still screw it up.

• High Availability: IPv4's High Availability mechanisms require a lot of fancy manoevering, because t

Peer routing

[jd]

Peer-to-peer routing is interesting with IPv6. The usual rules apply - the most specific prefix is always used first on routing decisions (and, because of the nature of IPv6 addressing, you should never get two addresses with the same prefix anyway) and if it stopped there, you'd be right. The router tables would be a mess.

The topology [elmundo.es] helps, as the IPv6 backbone developers have realized you can't have a horrible design and expect it to work.

The problem is not with customers of a peered network (as their prefix MUST match that of the peered network), but with peers of peers, where prefixes may differ. Because you have more levels of peering, the problem is theoretically reduced (as lower levels MUST share a common prefix and are - generally - not permitted to peer between branches in the hierarchy) but that is more human policy than technology.

There is some confusion with regards IPv6 and backbone connections. IPv6 was originally designed NOT to support default routes. The ::0 route was not actually prohibited, it was however considered undesirable. Later on, this was relaxed and is now pretty standard. There have also been many changes in routing protocols - originally, transparency was the watch-word and Telebit came up with a nice protocol that hid layers. BGP4+ and Protocol Independent BGP became the standards, however, and that's what we live with today.

So how does all this help? It helps because details are kept hidden as far as possible. IPv4 is bad on routing, because the layout is crap, too much is visible and has to be learned, multiple specific routes may need to be learned for a given prefix, corporations buy large blocks of addresses then share them with multiple sites using different providers, etc. IPv6 doesn't permit a lot of that and policies agreed upon don't allow the rest.

In the end, routing requires that you know every possible route you need to follow to get to where you want to go, in the most general form you can store it. There's no escaping from that. The trick is to ensure that absolutely everything is (more or less) equally general and no specific exceptions are needed. It is the exceptions that are the killer, not the rules.

Re:"IPv4 loyalists"

[ysachlandil]

# Security: IPv6 mandates IPSec

And everybody knows what a broken piece of insecure crud that is. Give me SSL any day.

# Authentication: X.509 within IPSec

Ooh goody, I cannot wait to pay $300 per server to get my x509 certs.

# Fragmented Packets:

Path MTU not good enough for you?

# Latency:

one word - MPLS.

# Multicasting:

Too bad nobody has made a workable protocol for it yet.

# Anycasting:

Brilliant, but what happened to broadcasting?

# Autoconfiguration:

It's called DHCP. Oh, and why sacrifice 64 of the 128 address bits for it? Seems excessive.

# Mobility:

And is based on Mobile IP which works fine over IPv4.

# Advanced Headers:

But nobody except the endpoint can look at them. And the endpoint already looks inside the packet. So what is this good for?

# High Availability:

Oh? So multihoming is not a problem anymore? They fixed this already? Nope, because they cannot fix it. See shim6 for an example of an ugly hack...

# Tunneling: There is no agreed method of tunneling in IPv4

VPN? Okay, that uses IPSec so that doesn't count. SSL? Cannot connect a network to a network. Hmmm, maybe tunneling is a very generic concept and we need to have multiple protocols to get everything we want. IPv6-over-IPv6 doesn't do layer-II networking because IP is already layer-III. So there will always be a layer-II tunneling protocol as well. So there will not be a single tunneling concept in IPv6 as well.

# Clusters: Infiniband cooperates well with IPv6

Okay... nice corner case. Too bad most everything else isn't compatible with IPv6 yet.

# Reachability: IPv6 can reach all IPv4 nodes

And IPv4 cannot ever reach any IPv6 nodes. So a new business always needs IPv4 addresses to get to a sufficiently large client base.

---

The biggest problem with IPv6 is that it is revolutionary instead of evolutionary. That is why overlay networks are already much more succesfull now.

Iff IPv6 supports proper multihoming without nasty hacks, then I'll give it another look. Until then it's IPv4 for me.

--Blerik