IPv6 Readiness Report

MythoBeast writes "In the latest episode of the Intellectual Icebergs podcast, Brett Thorson of Ravenwing provides a very good review of how ready our industry is for IPv6. He also provides a pretty good implementation guide for those who want to set up IPv6 at home."
  • by billstewart ( 78916 ) on Monday January 30, 2006 @09:54PM (#14603662) Journal
    I don't want to listen to some podcaster ranting about some topic that they may or may not have a clueful opinion about. Is there a text version of that person's comments? Skimming text is not only important for deciding if the author is providing any new or useful information, it also gives you much better control over how much of your time you want to spend on the quality of information you're getting. http://www.intellectualicebergs.org/ [intellectualicebergs.org] indicates that there are two main topics and three other sections, and doesn't say how long the podcast is. I normally don't rant about Slashdot's choice of material, but this is a waste of time; I could probably do better by going to a random social event* around here and asking about IPv6 readiness.

    (mid-90s silicon valley story - friend of mine was visiting a friend, the house phone rang, somebody answered it and gave some technical advice about windows. "Who was it?" "Just a wrong number, but it was an easy question.")

  • by Wesley Felter ( 138342 ) <wesley@felter.org> on Monday January 30, 2006 @09:56PM (#14603677) Homepage
    I didn't bother to listen to the podcast, but luckily this is Slashdot so no one will hold it against me.

    Geoff Huston's "IPv6: Extinction, Evolution or Revolution?" [circleid.com] is probably the most insightful thing I've ever read about IPv6 deployment, although the conclusion is pretty negative.

    But assuming that IPv6 is worth deploying, Microsoft is way ahead in getting computers IPv6-enabled. Their work on Teredo [microsoft.com] should make life a lot easier for P2P developers.
  • by comcn ( 194756 ) on Monday January 30, 2006 @10:02PM (#14603703) Journal

    That may be a joke, but in reality IPv6 is ready. My UK ADSL provider, Andrews & Arnold [aaisp.net], provide me with an entire block of IPv6 addresses. They will even route it to you natively if your router will support it, otherwise you have to use a 6-over-4 tunnel. My network uses it by default over IPv4; it's kind of neat when e-mail has IPv6 addresses in the headers. ;-)

  • IPv6 Push (Score:1, Informative)

    by Anonymous Coward on Monday January 30, 2006 @10:07PM (#14603729)
    Most people think that the consumption of IP addresses is what's going to push the move to IPv6. While this will be a major factor, most sources I've read think it will be the exponential growth of routing tables that will eventually force the switch.

    Every time a segment of IPv4 addresses is partitioned, routing tables must be updated to reflect the changes. Last book I read said the number of entries was around 100K and that it would double by 2010 (may have been later/earlier, can't remember the exact details).

    With this many entries the problem of managing routing tables becomes near impossible, not to mention router performance will become critical if it can handle it at all. The huge amount of IPv6 addresses will allow major aggregation to the point that most routing tables will be a fraction of what they are now. Hierarchical routing will actually be possible with IPv6.

    Of course your routing hardware can be upgraded and more people can be paid to manage tables but if you're going to do that might as well make the problem go away and add a whole lot more features with a new protocol.
  • Podcast Mini-review (Score:2, Informative)

    by Da Stylin' Rastan ( 771797 ) on Monday January 30, 2006 @10:20PM (#14603798)

    I listened to the podcast being someone who is quite knowledgeable in IPv6 and thought that Brad did a good job of laying out the important points and stakes in terms that someone new to IPv6 can understand pretty well, and he was very accurate on his information from a technical standpoint (aside from when he talks about the implementation headaches of PKI, he was way off on that one). I also agree with him on the state of IPv6 (fun for geeks/military types now, but not business and consumer-level primetime yet)

    The interviewer isn't too bright however. Also, for the love of god, please stop the mp3 after the interview before he launches on his excruciatingly bad Matrix-metaphor monologue. You *will* thank me

    Overall, I'd say it's a good listen if you are curious just exactly what some of the benefits of IPv6 are, but for anyone who is even slightly knowledgeable about IPv6 it's a "Move along, nothing to see here"

    -DSR
  • WRT54Gs IPv6 (Score:3, Informative)

    by Solosoft ( 622322 ) <chris@solosoft.org> on Monday January 30, 2006 @10:21PM (#14603812) Homepage
    If your WRT is running DD-WRT v23 you can run a 4-6 tunnel through the router and run RADVD on it to give your clients IPv6 addresses.

    Here is an IPv6 Install Guide for DD-WRT and a WRT54Gs [solosoft.org]

    I would love some more people to test out my little config and tell me if there is anything they do not understand in it. It's very straightforward and uses SMB for people who have a v4 Router (not enough room for JFFS). Of course you could simply move a conf to your /jffs/ file system.
    As long as you're running Linux (with ipv6 enabled) and Windows XP (run "ipv6 install") once the router is setup and running your clients get IPs automagically. (or any ipv6 enabled OS for that matter)

    Thanks :)
  • by spinfire ( 148920 ) <dpn@isomerica.net> on Monday January 30, 2006 @11:08PM (#14604020) Homepage
    I run a dual stacked network at home using tunneled connectivity from SixXS [sixxs.net] (I live near Boston, MA, the tunnel endpoint is in NJ. This gives excellent latency performance.). With this tunneled connection came a subnet with enough IPs to last me many lifetimes. Additionally, I maintain a server with native IPv6 access including public access Jabber, NTP, and IRC. See here [isomerica.net] for more info.

    IPv6 won't necessarily get you anything you don't already have at this point, but the technology is ripe for experimenting and things work remarkably well.
  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Monday January 30, 2006 @11:17PM (#14604065) Homepage Journal
    For installing IPv6 on Linux: Go to any IPv6 provider (British Telecom, Hurricane Electric, WIDE - there are plenty of them). Download the script. Enter your IPv4 address and MAC address into their web form. Run their script on your machine. You are now fully IPv6-ready. (Most Linux distros come fully IPv6-enabled.)


    For installing IPv6 on any *BSD: Pretty much the same. All the *BSDs have been IPv6-ready for a long time, under the KAME project banner.


    For installing IPv6 under Windows: You go to Microsoft Research and install the stack. Unless it's already on the CD - it is, for some versions of Windows.


    For actually implementing an IPv6 stack? Well, for that you want the RFCs on the IETF website, and the IPv6 evaluation kit (TAHI) that is listed on Freshmeat. I didn't type all the damn information for the various testing packages into the record for nothing!


    Aside from that, I really can't think of anything you could need a guide for.

  • Re:Like Y2K? (Score:5, Informative)

    by vux984 ( 928602 ) on Monday January 30, 2006 @11:25PM (#14604095)
    Seems like a market then exists where you could on-sell your IP addresses for $$$. Prices go up too high, market forces then result in IPv6 implementation. What's the problem?

    The way ipv4 addressing is structured. 209.112.155.123 and 209.112.155.124 are in the same block. They don't have to be next door neighbours in the real world, but they do have to be 'close' to each other from the network's point of view. That will mean they belong to the same ISP, in the same city, and quite probably a fairly small chunk of that city.

    IP addresses, by virtue of the numbers that make them up have to be hooked up to the network in a specific place in order for packets to find them. They exist in 'blocks' for convenient routing. The "routing tables" that you hear about describe where traffic addressed to a specific block should go. For example a backbone router A might know that traffic destined for 209.x.x.x goes "thatta way"... and another router B further down the line might know that 209.112.x.x goes "through that pipe there"... and so forth, until it finally reaches a router C that says hey that destination block is right on the LAN here!

    If 209.112.115.122 were suddenly "sold" to a guy in another city all his packets would still end up at Router C, where they would be undeliverable because the owner isn't connected directly to that router.

    As a rough analogy it would be like "selling your home address", but not your home. Even if you transfer the address to a guy in china all the mail is going to end up at your door step. Sure you could make special arrangements to have it forwarded back to china (and you can do this with ip too)... but that has two repercussions:

    1) The guy in china still needs a chinese address for the forwarded mail to arrive at so he's accomplished nothing!

    2) Any mail addressed to him, even from his next door neighbour is going to be shipped around the world because it won't know it's supposed to stay in china until it arrives at your place. The chinese post office will see the Dutch (or whatever) address on the envelope and ship it off for a round trip through Holland...

  • by darkain ( 749283 ) on Monday January 30, 2006 @11:27PM (#14604100) Homepage
    UPnP brings about the same problems that the hardware/router firewalls try to protect you from... applications on your computer accessing the outside world. with exploits such as WMF (and stupid people downloading krap they shouldn't), these apps will exploit UPnP to open a port for themselves, and most users would never even know. manually setting port forwarding features is more secure, but much more of a hassle for novice users.
  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Monday January 30, 2006 @11:28PM (#14604105) Homepage Journal
    IPv6 includes the following features that either don't exist in IPv4 or you need to install bunches of other stuff to get it to work:


    • Zero configuration of the IP stack. It's self-configuring, completely.
    • Privacy. IPv6 mandates IPSec and I believe all IPv6 stacks out there provide that.
    • Speed. IPv6 addressing is hierarchical and the headers are simpler and stacked, so much less information needs to be processed even though the headers are technically longer.
    • Mobility. IPv6 supports Mobile IP - indeed, that was a design consideration - with fully optimized routing. It's only available under IPv4 as a hacked implementation of a workaround.
    • Routing. Native IPv6 routing (as opposed to RIP-ng and OSPFv6) is designed from first principles, as opposed to being something that has evolved over time to be sub-optimal but backwards-compatible.
    • Multicast. IPv6 mandates multicast, which will reduce bandwidth consumption on broadcasts drastically.
    • Anycast. This allows you to find a service by querying the network rather than some moron in technical support.
    • MTU feedback. Your computer won't send what the network can't carry. This means you don't get packet fragmentation, which is great for firewalls and users on networks with restricted packet size. This will become more significant as jumbo packets increase in popularity.


    Tell me again why you don't need IPv6. Only, this time, say how you're going to meet these criteria whilst you're at it.

  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Monday January 30, 2006 @11:34PM (#14604152) Homepage Journal
    This one's easy. Firewalls don't like fragmented packets, because you can't verify subsequent parts. This means that firewalls either offer limited protection (ie: let the remaining fragments through) or re-assemble the packets themselves (which is slow).


    IPv6 doesn't support fragmented packets. It forces both sides to restrict the MTU of that connection to the smallest MTU of any intermediate network component. In consequence, firewalls don't need to check for fragmentation and don't need to reserve any space for extra state information.


    The practical upshot is that your bottleneck (the firewall) can handle far more connections with far lower latencies, which means B2B (business-to-business) and e-commerce network traffic can run much more smoothly and the system can manage much higher numbers of connections.


    More connections with lower latencies, more business transactions. More transactions, more profit.


    QED.

  • by netrangerrr ( 455862 ) on Tuesday January 31, 2006 @12:01AM (#14604307) Homepage
    I listened to the audiocast and picked up an important point- the commentator said IPsec (an integral part of IPv6) has historically proven undeployable except in small networks and would not enhance security.

    He is probably unaware that just a few weeks ago, the IETF released a series of updates to IPsec [RFCs 4301 - 4309] and a new automated key exchange (IKEv2) [RFC 4306] to update IPsec to simplify and standardize implementations and automate key exchange. Also, many a few large organizations (DoD, MIT, pharmaceutical companies, etc...) have extensive public Key Infrastructures (PKIs) ready for IPv6 IPsec. A new deployment guide on updated IPsec and IPv6 will be published shortly by the IPv6 Forum.
  • by Anonymous Coward on Tuesday January 31, 2006 @02:03AM (#14604934)
    Disclaimer, I deal with NAT'ing and Networks for a living, but...

    I'm right now struggling with the various implementations of NAT-T (IPSEC NAT Traversal) and the fact that they won't play nice together. Wouldn't be necessary with IPv6.

    True, but IPSec over NAT via UDP works pretty well once it's up and running. I've used a few different IPSec stacks, and yes some of them suck out loud, but stick to the good ones and NAT-T isn't an issue. But while it is possible, it's not for the faint of heart. Even getting OpenSWAN to talk AES-128 to a Cisco PIX is hard enough.

    Ever tried to set up a VPN between two sites which both use 10.0.0.0/24 as their network range?

    Yes, all the time. That's what NAT-T is used to get around.

    Ever wished you could just ssh direct to your desktop machine from home without futzing around with vpns?

    Not really sure why this is so difficult. If you have static (a pre-requisite to host a VPN) then surely you can do NAT forwarding and have a port on the outside IP that forwards to an inside server. :-/

  • by MythoBeast ( 54294 ) on Tuesday January 31, 2006 @02:10AM (#14604957) Homepage Journal
    This needs to be qualified. IPv6 has no current business case in the US. Everywhere else, they're running out of IP space pretty quickly. Mobile phones have already switched over. Japan is in full distribution. Korea's IPv4 allocation is so screwy that businesses were having to figure out how to build encrypted connections through multiple levels of NAT. The US Government is switching over and, if you want to do business with them, you had darn well better think about it yourself.

    As for real use cases, let's talk about swarming transfer protocols like BitTorrent. That's an excellent technology that is currently just plain broke by widespread use of NAT. Let's talk about built in quality of service so you don't lose your game of Unreal Tournament because your sister gets a Skype call. Let's talk about simplified mobile computing, where you can carry your laptop from one end of the building to the other without having to suspend downloading that patch.

    With these factors, it really won't be long before the value exceeds the cost. So I'd advise you to sit on your hands until the value exceeds the cost and then get caught in the turnstile with the eight million other people who think like you.
  • by VGPowerlord ( 621254 ) on Tuesday January 31, 2006 @02:11AM (#14604958)
    There was no business case for the transition from ARPANET's old NCP protocol to TCP/IPv4 in the 1980s - but there were technically compelling reasons. Luckily the ARPANET pioneers realized that a new protocol was needed to easily integrate the new services and applications they were thinking of deploying.

    To be exact, ARPANET switched from NCP to TCP/IP on January 1, 1983. NCP had a few shortcomings:

    • Like UDP, NCP had no way of handling lost packets. TCP introduced packet acknowledgement to fix this.
    • NCP had no real routing. TCP/IP introduced the concept of gateways, routers, and independent networks/subnets.

    The difference between IPv4 and IPv6? The size of the address space and the human representation of the addresses (hexadecimal instead of decimal).

    While we're on the subject, it took over 8 years from the publication of Vint Cerf and Robert Kahn's A Protocol for Packet Network Interconnection (May 1974), which described TCP, for ARPANET to incorporate TCP/IP.

    It's also important to note that the size of the Internet in the 1980s was nothing like it is today. The Internet only had 562 hosts in August 1983, 8 months after the changeover. The same source states that the Internet had 353,284,187 hosts in July 2005. (Source: Hobbes' Internet Timeline [zakon.org], with data taken from Mark Lottor's zone program reports [nw.com], and the ISC [isc.org])

  • by evilviper ( 135110 ) on Tuesday January 31, 2006 @03:28AM (#14605203) Journal
    a basic firewall comes "free" once your router has implemented NAT.

    No. NAT PROVIDES NO SECURITY WHAT-SO-EVER. No matter how many times it is said, people still don't get it. It REALLY doesn't provide any security. All it does is add a couple simple steps before someone can address your inside machines. NAT is the equivalent of locking your door with a rubber-band.

    Here, instead of repeating myself over and over again, just look at the last time I talked about it:
    http://slashdot.org/comments.pl?sid=169925&cid=14166128 [slashdot.org]
  • by tepples ( 727027 ) <tepples.gmail@com> on Tuesday January 31, 2006 @03:40AM (#14605229) Homepage Journal

    All it does is add a couple simple steps before someone can address your inside machines.

    Hmm... let me see... In your other comment you wrote:

    Send source routed pings to the broadcast addresses of the private address ranges

    Do most NAT devices support source routed pings? How do most deployed residential NAT devices handle ICMP ECHO and source routing?

    make no mistake, those are certainly not the only way to easily pierce through a NAT.

    What other ways were you talking about? Did you explain them in other Slashdot comments?

    if you have a stateful firewall, you are very secure

    In order to get FTP to work properly through a NAT, you need stateful inspection and/or rewriting of packets. By the time you've implemented this, you can get a basic stateful firewall for "free", right?

  • by nurmr ( 773394 ) on Tuesday January 31, 2006 @04:40AM (#14605362) Homepage
    There are three subranges in ipv6 'assigned' for IPv4:
    • ::192.168.0.1 - real IPv4 connections
    • :ffff:192.168.0.1 - for IPv6 sockets receiving IPv4 connections
    • 2002:192.168.0.1:: - for 6to4 implementations
    see http://unfix.org/projects/ipv6/IPv6andIPv4.gif [unfix.org] for a diagram of how traffic can be automatically translated between the two networks. The NAT-PT box allows the IPv6 only hosts to connect to the IPv4 network, and the socket5/6tunnel box allows the IPv4 only hosts to connect to the IPv6 network by doing DNS mangling, and IPv4-IPv6 translations.
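The embedded-IPv4 forms listed in the comment above matter to anyone maintaining IPv4 deny lists or log filters, because the same IPv4 host can show up under an IPv6 spelling. The following is an added example, not code from the thread or from any project mentioned in it: it builds the 6to4 /48 for a global IPv4 address (the rule quoted from Wikipedia further down the thread), recovers the IPv4 address from the mapped, compatible and 6to4 forms using Python's standard `ipaddress` module, and checks it against a deny list. The deny list, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed IPv4 deny list (documentation range) for the demonstration.
DENY_V4 = [ipaddress.ip_network("203.0.113.0/24")]


def sixtofour_prefix(ipv4):
    """Return the 6to4 /48 for a global IPv4 address: 0x2002, then the 32 address bits."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{v4} is not a global IPv4 address, so it has no 6to4 prefix")
    # Bits 127..112 hold 0x2002, bits 111..80 hold the IPv4 address.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(addr):
    """Return (kind, IPv4Address) if addr is, or embeds, an IPv4 address; else None."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ("native", a)
    if a.ipv4_mapped is not None:            # ::ffff:a.b.c.d
        return ("ipv4-mapped", a.ipv4_mapped)
    if a.sixtofour is not None:              # 2002:AABB:CCDD::/48
        return ("6to4", a.sixtofour)
    if int(a) >> 32 == 0 and int(a) > 1:     # ::a.b.c.d, excluding :: and ::1
        return ("ipv4-compatible", ipaddress.IPv4Address(int(a)))
    return None


def triage(addr, deny_v4=DENY_V4):
    """Apply the IPv4 deny list to every spelling of an IPv4 address."""
    hit = embedded_ipv4(addr)
    if hit is None:
        return "pure-ipv6"
    kind, v4 = hit
    if any(v4 in net for net in deny_v4):
        return f"deny ({kind} {v4})"
    # A 6to4 address is only meaningful when the embedded IPv4 address is global.
    if kind == "6to4" and not v4.is_global:
        return f"malformed (6to4 embeds non-global {v4})"
    return f"no-match ({kind} {v4})"


# Constructed source addresses, as they might appear in a connection log.
SAMPLE = [
    "203.0.113.7",
    "::ffff:203.0.113.7",
    "2002:cb00:7107::1",
    "2002:c0a8:1::1",
    "2002:cf8e:83ca::1",
    "::192.168.0.1",
    "2001:db8::1",
]

if __name__ == "__main__":
    print(sixtofour_prefix("207.142.131.202"))
    for src in SAMPLE:
        print(f"{src:24} {triage(src)}")
```

A filter that compares only the textual or native form of the address would pass the second and third sample entries even though they carry the denied IPv4 host.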
  • by Jugalator ( 259273 ) on Tuesday January 31, 2006 @05:10AM (#14605447) Journal
    Also, one needs to keep in mind IPv6 does a whole lot more than increase the address range for more space and removes the NAT need. It's about end-to-end IPsec support, modularized packets for less traffic across the routers, better support for ad hoc networking, and much more.
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Tuesday January 31, 2006 @05:47AM (#14605546) Homepage
    British Telecom, Hurricane Electric, WIDE - there are plenty of them)

    The btexact tunnel has been down for weeks with no sign of resolution.. I can easily imagine it going away.

    Hurricane electric works fine. WIDE is not a tunnel broker.

    Last time I went on a search of tunnel brokers only a month ago there were less than 10 (pretty much all in the US only). Most of the ones that were there a year or so ago have shut down.. Also, KAME is dead... even the 6bone is being closed down.

  • by Znork ( 31774 ) on Tuesday January 31, 2006 @07:10AM (#14605742)
    Anyone who has an IPv4 address has an entire block of IPv6 addresses. With 6to4 you don't need any support from your ISP (well, as long as they're not actively blocking such traffic).

    "For any 32-bit global IPv4 address that is assigned to a host, a 48-bit 6to4 IPv6 prefix can be constructed for use by that host (and if applicable the network behind it) by prepending 2002 (hex) to the IPv4 address. Thus for the global IPv4 address 207.142.131.202, the corresponding 6to4 prefix would be 2002:CF8E:83CA::/48. (IPv4 addresses use decimal notation while IPv6 addresses use hexadecimal notation). This gives a total prefix length of 48 bits, the same as an end site is supposed to be allocated under normal IPv6 address allocation leaving room for a 16 bit subnet field and a 64 bit address within the subnet." - Quote from Wikipedia 6to4 entry
  • by Psiren ( 6145 ) on Tuesday January 31, 2006 @07:19AM (#14605768)
    Huh? If the headers are longer it's slower. Not faster.

    Not exactly. Slightly slower to send, yes, but not process. As I understand it the main difference with IPV6 headers is that they are word-aligned, so require less processing than IPV4 headers which use chunks of bits, therefore requiring bit shifting and extra processing in order to use the information.

    So yes, they are longer, but you can use the values in the headers without any additional processing. Okay, the processing is minimal, but when you're dealing with 1gbps or 10gbps interfaces, that processing is done an awful lot.
  • by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Tuesday January 31, 2006 @09:56AM (#14606305) Homepage
    Or their routers aren't routing v6. Or their routers aren't configured for 6to4. Assumedly that would have to be done at the edge, as it would confound fast switching algorithms and push a core router over. Or the core routers between your ISP and your destination's ISP aren't configured for v6. Or your ISP is not getting v6 routes via BGP. Or another half-dozen reasons it won't work.

    WTF are you talking about? You clearly need to go read up on IPv6 because what you just said is complete rubbish. Your ISP does _not_ need to know anything about 6to4. Every IPv4 address is assigned an IPv6 /48 subnet and the traffic for that subnet is carried between the anycast 6to4 relay router (or other 6to4 gateway) and your 6to4 gateway entirely over IPv4.

    I assume by "that would have to be done at the edge" you mean the edge of the ISP's network, which is incorrect - the encapsulation/de-encapsulation is done at the edge of *your* network. The ISP only sees IPv4 traffic.

    They are not blocking traffic when they are not configured to support it.

    If the ISP isn't "configured to support" 6to4 then they shouldn't be calling themselves an ISP since they aren't "configured to support" IPv4 in that case.

    A Tier1 provider can't just throw things in their configs and hope everything's OK.

    Well, firstly, most (all?) tier 1 providers already do _native_ IPv6 and secondly, why exactly do the tier 1 providers need to do any reconfiguration to carry 6to4 traffic?