IPv6 Still Hotly Debated 639
inkslinger77 writes "A significant stumbling block to IPv6 adoption may be IPv4 loyalists who are keen to keep the old protocol in preference to the 'new improved' version, according to a Computerworld Australia article. The article covers the views of Cisco's senior technical leader for IPv6 technologies, Tony Hain and Geoff Huston, a senior Internet research scientist from Asia Pacific Network Information Centre (Apnic)." From the article: "Go to your favourite venture capitalist and say 'I want to be an ISP'. By the time he stops laughing and [finds you want to run] IPv6 - the discussion gets terminated. No one wants to hear this. IPv6 is well ahead of adoption in this market so everyone is deferring. No one is running IPv6, because there is no business case for it ... if we really wanted to leave a legacy to our children we'd review the crap we have today which is pretty ghastly ..."
Me too (Score:4, Insightful)
But assuming we really do need more IPs, why IPv6? Why 128 bits instead of, say, 64? Why build the functionality of DHCP, which (mostly) works perfectly well* and is extensible enough to support cool stuff that hadn't been thought of when IPv4 and DHCP were invented (e.g. WPAD, netbooting), into IP? What's the deal with including your MAC address as part of your IP address?
Going with the assumption that the problem really is as bad as people say it is (China has a gazillion people and more of them are getting online, and it'd be great if my refrigerator had a web-based interface I could access remotely without setting up port forwarding or a VPN, etc.)... I'm not convinced that IPv6 is the right solution to the problem. It just seems to be the only solution anyone has offered, and a lot of money has been spent bringing it closer to reality.
So, convince me: why is IPv6 the right answer to the problem?
"IPv4 loyalists" (Score:5, Insightful)
Re:Something I don't get... (Score:4, Insightful)
One Reason Alone is Enough (Score:5, Insightful)
I, for one, will welcome the end of the NAT kludge.
Moving Day at IPv4 (Score:1, Insightful)
More like there's no easy upgrade path. The x86 survived and grew exactly because one could move from one generation to another. IPv6 doesn't have that advantage.
Market Forces (Score:5, Insightful)
Are we really running out of IPv4 numbers? The market will tell us.
Is there a killer app for IPv6? The market will tell us.
Can we ram IPv6 down everyone's throat? The market will retailiate and hit back.
BTW - what's with this "wont somebody please think of the children" bullshit about? If we need to get to IPv6 - we'll get to it - relax already!
Re:Me too (Score:5, Insightful)
IPv6 - too little, too late (Score:1, Insightful)
However, everyone involved completely underestimated the cost of switchover and overestimated its rate of adoption. This ultimately means that IPv6 is not enough of an advancement to justify its deployment costs. The end result is that IPv6 is already one-quarter through its estimated 30-year lifespan and it isn't even widely deployed yet.
I suspect that what we need is an IPv7 that would include:
If we start now, this might be deployable by 2020 or so... :-/
Two reasons. (Score:3, Insightful)
#2. Cheap and easy way to block worms and such.
Re:Something I don't get... (Score:5, Insightful)
Re:One Reason Alone is Enough (Score:3, Insightful)
I, for one, will welcome the end of the NAT kludge.
And your ISP will charge you for each Address you use!
NAT let's you use ONE IP from you ISP and have as many Internal IPs as you which without being gouged.
Re:Me too (Score:5, Insightful)
Re:One Reason Alone is Enough (Score:1, Insightful)
NAT is not the answer! (Score:5, Insightful)
You have to go to all kinds of lengths (using special session border controllers, media proxies, etc.) to be able to support SIP calls where one or both parties are behind a NAT. It is awful. NAT is a hack--a useful one in certain situations, but still a hack.
Two big issues (Score:3, Insightful)
Worst case, folks will figure out how to get by on 1-2 ip addresses, or pay more than the $1/month or so to get an extra. There are TONS of unused, unrouted addresses out there through the entire hierarchy, from subnets, class b's etc.
Second, IPv6 and you can what? If I run IPv6 only, I need to at some point tunnel to IPv4 (and often get an IPv4 address anyways) to connect to the rest of the net. If I run just IPv4, I can connect to everything, and the first person who develops google that is IPv6 ONLY is going to have very few users.
In other words, the business case is flat out not there.
Also, I never understood why IPv4 wasn't just a subset of IPv6? Why can't my existing IPv4 addresses also be IPv6 addresses with a standard prefix? Maybe this has changed, but when IPv6 came out it looked like that wasn't part of it.
If my address was a subset, my ISP could create IPv6 endpoints for my address along with the IPv4 routing, even if I hadn't upgraded. They'd just strip the prefix and forward to me.
Re:One Reason Alone is Enough (Score:3, Insightful)
Re:Me too (Score:4, Insightful)
Re:Me too (Score:1, Insightful)
Market? Or cynical manipulation? (Score:5, Insightful)
In other words, by keeping IPv4, we can sell NAT boxes (which we're already selling in huge numbers.. the wireless network hub in my den is a prime example.) Cisco has a big investment in building hardware to take care of IP space limitiations.
"You will still be able to get addresses, if you pay for them, because a market will appear."
In other words, this damned internet isn't making us enough money, because IP addresses are free. We want people to start trading them, so we can get commissions on the sales.
It's clear that this is "good buisiness" for the big internet companies: why invest in a new system that will make users's lives cheaper and easier when we can continue to sell patches on the old stuff, and make a market so that we can start charging the freeloaders?
It's also clear to me that the only way IPv6 will get adopted is if public bodies start using them and demanding their use. For instance, if Internet2, the US military, or all of
I'm no expert, but to my cynical eye it looks not like market forces, but like the usual problems with capitalism exploiting a local maximum and avoiding short-term risk.
----Nathaniel
Reasons to use NAT (Score:2, Insightful)
Even if the cable and dsl companies all switched over to IP6, and there were $50 routers and switches available, there is still reason to use NAT.
Re:One Reason Alone is Enough (Score:2, Insightful)
Re:Me too (Score:5, Insightful)
There's no reason why using IPv6 with a firewall wouldn't be just as -- and probably more -- secure. Especially because you wouldn't have to spend time configuring the NAT functionality and could instead configure it as a single-purpose stateful firewall.
It is possible -- although you probably wouldn't want to -- to create a situation using static NAT without any firewalling effect that leaves your computer just as open to attack as it would sitting on the public net. Likewise it's possible to assign every computer on a LAN a globally routable IP address and secure them using a properly designed firewall (that's actually how my company is set up).
If your comment had just said you didn't want your fridge and toaster exposed to the internet without your trusty Linux firewall between it and the internet, I would heartily agree. Although I don't doubt some would argue for you about choosing Linux over BSD.
Re:One Reason Alone is Enough (Score:3, Insightful)
NAT and simple port forwarding for those rare hosted services are all that 99.5% of the population needs. ISPs and businesses are all different. But even probably 80% of the businesses I deal with, NAT with NO port forwarding works just fine.
Of course if you are allowed and able, running a mail server at home is fun.
But get serious, NAT is an effective firewall for most people. Just like the random Chevy is good enough for most people. Saying "but but but it's not a porsche!" all the time just makes you look like an elitist geek.
Re:"IPv4 loyalists" (Score:5, Insightful)
The real question though is "Do we really want to wait until the old system finally breaks and nothing works anymore before making the change?". The old system still works, but we know it won't work forever, and we know we need to change it. Why wait till it breaks?
(Obligatory car analogy) When you put gas in your car, there's still gas left in it, so it can still work. Yet you don't wait till you go dry to put some more gas in.
Re:Anti-IPv6 people don't realize something import (Score:2, Insightful)
Re:Me too (Score:2, Insightful)
You can still use DHCP with IPv6, and you can still assign specific addresses manually if you want to. It's just that, with IPv6, you can choose to do neither of these and all your computers will give themselves non-conflicting IP addresses automatically. The sheer size of the host portion of the address means that the chances that two different hosts will assign themselves the same IP address is essentially zero.
Re:Me too (Score:3, Insightful)
My real point is though, If you have a device like your toaster on the internet, and it's vulnerable to an attack that a firewall fixes, the problem is with your toaster, not the internet. That whole example is totally weak.
Why do you want to connect your toaster to the internet, so that you can connect to it, right? Or make connections out from the toaster. Either way, you need ports open. If someone can connect to ports that you don't want open, the software/hardware in the toaster is to blame. Not the absense of a firewall, or NAT. If your toaster can be hacked through the toaster port, then a firewall ain't going to help you.
This overreliance on the firewall is disturbing to me, it makes people not fix the real issues. Granted with certain general purpose machines (i.e. your Desktop workstation) this is more difficult than others, but there's no reason why an embedded internet-aware processor can't be very secure with no firewall or NAT fo that matter. If it's not, fix the problem, don't mask it with a firewall.
Re:IPv6 Solving Yesterday's Problem (Score:1, Insightful)
Re:Me too (Score:3, Insightful)
Are we ready to surrender anonymity on the net? (Score:4, Insightful)
Yeah this looks like a serious privacy issue that most people haven't woken up to yet.
A MAC address is (usually) a globally unique identifier. How long before someone big builds a database relating MAC to user identity (Microsoft, your ISP, law enforcement, whoever).
At that point, no matter where you connect your laptop from, your traffic can be identified as yours. Be it for the purpose of advertising, tracing communication, or other data mining.
So the question is, are we ready and willing to surrender anonymity on the net?
Re:Me too (Score:2, Insightful)
ie) Class C sized
Subnetting in this fashion introduces overhead and wasted IP addresses. The huge address space of IPv6 makes this overhead and wasted IP addresses a non-issue.
Re:Two reasons. (Score:4, Insightful)
#1 is nothing but a direct consecquence of the current shortage of IPv4 addresses. Under IPv6, there'd be no reason why every device on your network couldn't get a separate "real" address. The way they're handed out -- using a hierarchy instead of finite blocks -- would allow your ISP to let your home DHCP router hand out globally addressable IPs if it was set up correctly. Assuming your ISP doesn't suck, that is, and that's really not the fault of the IP system, one way or the other.
#2 is pretty frightening, because it shows a misunderstanding of what NAT is and a certain amount of laziness about security in general. That said, there's no reason why you couldn't get a 'firewall in a box' that would provide just as much (or as little) security without the NAT facility. It's just that right now when you go and buy a "home firewall" from Linksys, it almost always includes NAT by default (because of point #1, the pressure by ISPs on home users to only have one IP address due to limited supply). There's no reason why this needs to be true, however, and the security comes from the firewall effect and not the address translation itself.
Hope you're not an aircraft mechanic. (Score:3, Insightful)
your car in for complete engine rebuild if the engine
is running fine.
While this may be true for your car, it's definitely not true of a helicopter, or a generator at a power plant, or any other important piece of machinery.
Would you still fly on an airline if that was their attitude towards maintenance? "Nah, we're not going to tear down that turbine...it hasn't failed yet!"
I think perhaps you should reevaluate the importance of the Internet to our society today. I think we've well surpassed the relative importance of a car to an average driver.
It's supposed to be Overkill (Score:5, Insightful)
The previous poster asked Why 128 bits instead of, say, 64?
The amount of work required to jump to 64 bit addressing or 128 bit addressing is identical. Since you're going to have to re-write everything anyway, you may as well figure in a ridiculously large address space, because not doing so saves you nothing.
Additionally, the routing table saving offered cannot be understated. With huge swaths of continguous address space, you can (hypothetically) represent an entire continent as a single aggregated routing entry (The more granular routing information would only be seen locally.), and the number of unique addresses within that range would be virtually inexhaustable.
Overkill is a good thing when it doesn't cost you anything.
Re:Me too (Score:5, Insightful)
I hate that phrase. While true, it is very misleading since obscurity does contribute to security.
It should be "Security by obscurity is not the TOTAL answer.
Security by obscurity is a necessary and vital part of security. By reducing the likelihood of computers being randomly attacked over the Internet, there would be an increase in security. It would not provide absolute security, but it would help.
If you think about it, when you use passwords, you are using security by obscurity.
For that matter, when you use a public key that is the product of two very large primes, you are using security by obscurity. With increases in techniques and hardware, that obscurity is greatly reduced overtime and the security suffers.
Re:Me too (Score:2, Insightful)
I do see that I said worst case. We don't have 2^20 route entries right now (and actually cannot with reserved space, multicast, etc.) Nor will we actually ever see 2^64 IPv6 prefixes. (certainly not within my lifetime, I hope.) The original commenter has missed the point of "more address space": more people will have globally routed networks. That means more prefixes, not less. Route aggregation will only go so far; depending on it is more of a "kludge" than IPv4 NAT.
And routers will have to handle all 128bits in their tables -- there could be network tables and more detailed sub-network tables, but as the wizard says "that's another story" -- otherwise you've hardcoded the IPv6 landscape into a classful corner (and thus doomed yourself to repeating the lessons (not) learned from IPv4.)
HAH! Planning a global routing hierarchy. Excuse me while I get the Dr. Pepper out of my nose. First off, you'll never get the entire world to agree on a numbering plan. And second, you'll never be able to enforce it. Besides, the IPv6 design already poopoo's on such things... address assignments are portable -- to avoid the issues of renumbering when changing ISPs.
Not me too (Score:4, Insightful)
It's 128 bits instead of 64 so we don't have to go through this again in five years.
Remember, the Internet *core* used to run over 56kb/s lines -- the same speed as those $20 modems that individuals are throwing away by the basketful today because they're unbearably slow for *personal* use. It's *hard* to plan well for that kind of growth. Better to waste a couple of bits than have to waste the whole thing and do it over.
Re:Are we ready to surrender anonymity on the net? (Score:4, Insightful)
1) With a static IP, especially if you have a DNS name to go along with it, you leave just as big of a footprint, if not more. (Since I've only got the one directly addressable IP, I might as well get a name to go with it, right? And then use something like DynDNS? Well, unless I register by proxy, I have to give my name, address, phone, etc...)
2) MAC address, while theoretically static, can easily be changed in most OSes and hardware. For example, my LinkSys router has an option to "clone MAC address" in the setup. The problem with changing your MAC address is that the prefixes indicate the vendor, and that might get you in trouble with someone who "owns" that prefix. (I doubt it though)
3) There is nothing preventing you from NAT'ing IPv6, and I suspect some people probably will simply for the quasi-deny-all-in firewall effect. Moreover, if you really want to be anonymous, IPv6 makes it much easier to implement things like "onion routing" because it's a lot easier for individuals to set up persistant servers.
The point is, you can control the "MAC" portion of the address, and the "public" portion is just as visible (or not) as with IPv4. Hell, you could change your MAC address every coupla minutes for a REALLY long time without ever repeating one if that's what you wanted. (Persistant connections be damned...)
Re:IPv6 is good, but so is NAT (Score:4, Insightful)
**You have missed the point entirely**
Forcing everyone back into the bureaucratic process is exactly what the designers want to do. Imagine how much less money would be made by cell phone companies if you could pick up any phone and it would automatically choose a phone number, then register your name with a decentralized directory so anyone who wanted to reach you could. Instead, you have to pay that $50 activation fee, plus a sizable portion of every month's cell phone bill, just for the privilege of being told when and where you can make telephone calls. That is the ideal that our IPv6 overlords are shooting for. I for one welcome them.
Re:NAT is not the answer! (Score:2, Insightful)
I see the problem with SIP after 30s of reviewing the RFC. Right there in Fig. 1... it tells the remote end how to connect back. That will not work reliably - period. NAT or not. The SIP client is picking an interface/hostname (at random) and feeding it to the remote client. For any machine that has more than one NIC, there exists the possibility the client will pick the wrong interface.
I have never seen an application with the necessary logic to correctly determine what INADDR_ANY should be for a remote client. Most simply pluck the hostname from the system (and to my surprise, not always with gethostname()!) and either send that or lookup the address and send that. Those that try (and fail) to be smart and fetch a list of interfaces, never bother to look at the route table to use the correct interface. (on linux they'd have to look through any rules as well.)
NAT is not the evil here. The protocol itself demands clear, unobstructed communications between peers. This is extremely unlikely on the internet. And that's not going to change. If your NAT and/or FW device is not SIP aware, you will have problems. It's not NAT or the firewall's fault the protocol was designed this way. The designers of the protocol are to blame for not concidering the existing medium through which it would have to work -- NAT and firewalls have been around much longer than SIP. (the truth is, SIP was never intended to cross these network boundries.)
Re:One Reason Alone is Enough (Score:3, Insightful)
The ISP problem is one of artificial scarcity, which is exactly what IPv6 relieves. The only reason they charge in the first place is that IP's really are a limited commodity, and they can't give them out to every device. With IPv6, this is no longer an issue, and static addressing would be the norm (probably still managed by DHCP, but it would never change). Every piece of equipment worth anything has supported IPv6 for a long time now. Anything that doesn't (in 2005!) deserves not to work, home networking equipment included.
The amount of pure pain that NAT causes for network administration is incredible. I went into all of the routing problems in another post (asynchronous routing, excessive static routing, firewall problems, etc). Don't keep saying "we don't need to do things right, my kludge works fine (mostly)", just do it right already!
It *mostly* works for home networks, but still causes problems even there. It is still responsible for software having things like "this won't work unless you configure your router to forward these ports here", which also results in your being able to only use one of a given service "normally" on your network. Try to set up two web servers on your home network, both on port 80. With IPv6 and static addresses, you can; with NAT, you can't. P2P would be even easier (and probably more commercialized) if you could install the app and have it just work, but no, you have to forward a different range of ports for each protocol. None of this would be necessary if you had IPv6.
The only reason I've seen on this whole discussion to keep NAT is that it does allow your network to be completely abstracted from your ISP's address space. Agreed, that is certainly a benefit. However (you knew this was coming), it would be better still if instead of doing a one-to-many NAT, you did a one-to-one NAT. Keep your addresses abstracted, but avoid all of the problems and messiness of NAT (or PAT, as I probably should be calling it).