
(Almost) All You Need To Know About IPv6

Posted by kdawson
from the billions-and-billions dept.
Butterspoon tips us to an article in Ars Technica titled "Everything you need to know about IPv6." Perhaps not quite "everything"; the article doesn't try to explain the reasons behind IPv6's meager adoption since its introduction 12 years ago. But it should be regarded as essential reading for anyone overly comfortable with their IPv4 addresses. Quoting: "As of January 1, 2007, 2.4 billion of those [IPv4 addresses] were in (some kind of) use. 1.3 billion were still available and about 170 million new addresses are given out each year. So at this rate, 7.5 years from now, we'll be clean out of IP addresses; faster if the number of addresses used per year goes up. Are you ready for IPv6?"
  • Web 2.0 (Score:5, Funny)

    by Bloke down the pub (861787) on Thursday March 08, 2007 @11:52AM (#18277648)
    Do I need to upgrade to IPv6 to use web 2.0?
  • by Kenja (541830) on Thursday March 08, 2007 @11:53AM (#18277652)
    All you need to know about IPv6. It won't run on your current network hardware, and you won't get the budget approved to upgrade.
    • Re: (Score:2, Interesting)

      by danomac (1032160)
      I'd wager a guess that all the ISPs distributing 2-5 IP addresses for each residential service will only get 1 IP address before IPv6 adoption will happen.

      You'll probably have to have proof of need for more than 1 public IP. Now that I think about it, my current ISP surely has more than half a million subscribers only using one of their allotted 2 addresses (or 5 depending on what plan they are on).

      Wouldn't it make more sense to analyze this before jumping on the "let's replace everything" bandwagon?
      • by Anonymous Coward on Thursday March 08, 2007 @12:10PM (#18277870)
        Hopefully before they start implementing this strategy, they will take the huge Class A addresses from those who don't necessarily need all of it:

        MIT (I know they make use of public IPs, but 16 million addresses?)
        Halliburton (!)
        Bolt Beranek and Newman Inc (?)
        Ford Motor Company ....

        This [iana.org] website has an updated list. There are a lot more on the list who have wasted space, I just don't feel like going through all of them.
        • by wampus (1932) on Thursday March 08, 2007 @12:47PM (#18278360)

          Bolt Beranek and Newman Inc (?)
          BBN built the ARPANET, I can kind of understand why they have a class A.
        • I think that falls under the category of "rearranging the deck chairs on the Titanic." At most, it might buy us a few more months of IPv4dom, but at what cost? And by diverting those resources to IPv4 recovery, how much more painful are we going to make the transition to IPv6 when we do run out? Because the numbers are clear, we are going to run out of allocatable IPv4 addresses eventually. Distracting people by telling them that it's the Class A blocks that are the problem isn't going to make that easier; it's just going to make the eventual runout into a catastrophe instead of a page-three technology topic.
    • by caluml (551744)
      It won't run on your current network hardware

      Lies.

      you won't get the budget approved to upgrade

      It is probably just a software image upgrade on a router.
  • Forget IPv6 (Score:2, Funny)

    by Anonymous Coward
    I want IPv8 engine...
  • OK, so I've requested a SixXS tunnel and I'm waiting for the response. I'm actually gonna go through with it.

    This is something I've wanted to do, but never got around to before.

    What I'd like to know, are there any ISPs that offer IPv6 native? (Specifically in the San Francisco Area, as that's where I'm moving this summer)

    • by istartedi (132515)

      I've had a SixXS tunnel up for a few weeks. They are definitely the way to go. The other tunnel provider I tried wasn't very reliable. I wouldn't try this with WindowsXP. I've had to do all my testing with Linux. Some people claim to have made it work with XP; but I can only get utilities like ping to work. Real apps like IE just don't seem to work with it yet. The applications have to support it, and that seems like a bigger hurdle to IPv6 than the network infrastructure. A lot of infrastructure ha

    • Re: (Score:3, Informative)

      by rthille (8526)
      My ISP, sonic.net does:
      http://sonic.net/features/ipv6/ [sonic.net]
      Or at least it's an IPv6 tunnel (not sure how that might differ from 'native').

      I haven't got around to setting it up, but if/when I get my WRT54GL setup with OpenWRT I'll probably have it run IPv6 as well...
    • by Znork (31774)
      Well, while native support might be nice, you don't actually need it. 6to4 works nicely.

      I've been running IPv6 over 6to4 for several months (once you start using Xen and get a lot of machines and/or have friends' machines you have access to, it's quite nice to be able to ssh straight into your destination without multi-stage jumps). I was surprised at how far it had come and how easy it was to set up these days.

      To set up a linux firewall/nat box as a 6to4 router, you basically just have to install radvd, conf
      ARIN wouldn't give us an allocation. In their rules, I have to be able to prove that we have a customer base large enough to use up a full /32 (of IPv6) addresses before we can get an allocation. So in order to get an IPv6 block, we have to have enough customers to use up 2^16, or by IPv4 standards, a Class B block. WTF???? IPv4 allocations are handed out for free, but you can't get one unless you're a mega-conglomerate.

      IPv6 adoption won't occur in the US unless ARIN comes up with a better policy. :(
      • Oh, and one more thing - they told me to get an allocation from my upstream provider.

        I can't do that. Why? They can't get an IPv6 allocation because they're not big enough either. They would have to get one from THEIR upstream providerS (yes, plural), and one of those doesn't offer IPv6 allocations because...well, you figure it out.
      • Re: (Score:3, Informative)

        by tengwar (600847)
        Sounds like a misunderstanding. IPv6 addresses are hierarchical. A /32 would be allocated to an ISP, and you should get a /48 from them (yes, I've done this). If your upstream ISP doesn't distribute IPv6 addresses, they aren't going to be able to route IPv6 either, so you need to find a tunnel broker. Any tunnel broker will give you a range, either a /48 or a /64, which you can use with a fixed tunnel. Alternatively you can set up a 6to4 tunnel using the anycast addresses 192.88.99.1 and 2002:c058:6301:: as
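The 6to4 arithmetic behind the anycast pair quoted above, as an added example (not code from the thread or from any tunnel broker): a site's /48 is the 2002::/16 prefix followed by its 32-bit public IPv4 address, and the reverse mapping lets a defender see which IPv4 endpoint is behind 2002:: traffic that an IPv4-only filter would otherwise miss. The sample addresses other than 192.88.99.1 are constructed.

```python
"""6to4 prefix derivation and the allocation hierarchy discussed in the thread."""
import ipaddress
from typing import Dict, Iterable, Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# 6to4 needs a public IPv4 address; RFC 1918 space cannot be used.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 a host with this public IPv4 address would use."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in RFC1918):
        raise ValueError(f"{v4} is RFC 1918 space; 6to4 needs a public address")
    # 2002:VVVV:VVVV::/48 -- the 32 IPv4 bits follow the 16-bit 2002 prefix,
    # so they occupy bits 80..111 of the 128-bit address.
    net_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((net_int, 48))


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """If addr is a 6to4 address, recover the IPv4 endpoint it encodes."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def sixto4_endpoints(addrs: Iterable[str]) -> Dict[str, str]:
    """Map every 6to4 address in a sample of observed addresses to its IPv4 endpoint."""
    out = {}
    for a in addrs:
        v4 = embedded_ipv4(a)
        if v4 is not None:
            out[a] = str(v4)
    return out


def site_count(allocation: str, site_prefixlen: int = 48) -> int:
    """How many site prefixes fit in an allocation (a /32 holds 2^16 /48s)."""
    net = ipaddress.IPv6Network(allocation)
    if site_prefixlen < net.prefixlen:
        raise ValueError("site prefix is larger than the allocation")
    return 1 << (site_prefixlen - net.prefixlen)


if __name__ == "__main__":
    print(sixto4_prefix("192.88.99.1"))           # the relay anycast pair from the thread
    # Constructed sample of addresses seen at a border device.
    sample = ["2002:c058:6301::1", "2002:cb00:7107:1::1", "2001:db8::1"]
    for a, e in sixto4_endpoints(sample).items():
        print(f"{a} is 6to4 traffic for IPv4 endpoint {e}")
    print(site_count("2001:db8::/32"), "/48 sites in an ISP /32")
```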
  • Meager adoption (Score:5, Insightful)

    by beavis88 (25983) on Thursday March 08, 2007 @11:57AM (#18277726)
    The reason, in a word and three letters:

    Widespread NAT
    • Re: (Score:2, Insightful)

      by augustz (18082)
      Exactly, what is weird is how often folks chose to ignore this.

      And frankly, sticking things behind a nat works out really well for a lot of devices. Either you provide a firewall for your printers etc, or you nat them and you avoid the question of routability on the internet. Frankly, I like having a lot of stuff on private ips, and there are plenty of those to go around for many organizations.

      Not that you shouldn't still firewall, but for households, small business, dumb devices, nat works very well.
      • Re:Meager adoption (Score:4, Interesting)

        by Sancho (17056) * on Thursday March 08, 2007 @12:22PM (#18278014) Homepage
        We'd probably be in worse straits if we weren't using NAT for connection sharing. Imagine if IPV6 was the norm and everyone got something like a /26 to their home instead of a /32. There would be no NAT boxes required to share your connection amongst several computers, meaning all those worms would have affected just about every Windows computer on the Internet (instead of just the ones that were directly connected).

        NAT really does turn out to be a good thing overall for most home users. They are forced to use it if they want multiple computers on the Net (in most cases), and it protects them.
        • Re:Meager adoption (Score:5, Interesting)

          by iamacat (583406) on Thursday March 08, 2007 @12:41PM (#18278274)
          NAT really does turn out to be a good thing overall for most home users.

          Maybe home consumers, but not users in general. Even less technical users may want to publish a webcam or to play their music from a friend's computer during a party. From the birth of Internet, users with regular UNIX accounts on shared machines could run their own little services on non-privileged ports. That this ability is not available 20 years later is ludicrous.
          • Re: (Score:3, Insightful)

            by Sancho (17056) *
            It's clearly still available.

            20 years ago, though, the people who were doing this sort of thing knew at least a LITTLE something about computers and networks. Now that it's got mass adoption, of course people don't know how to do things. That's really a big part of the reason that malware propagates so easily in the first place.

            Even so, there have been attempts to address it using UPnP. And UPnP is a security hazard, much like running without a firewall. Shocking, eh? :)
            • 1) Open iTunes
              2) Click a button
              3) Write in your address/username/whatever + password
              4) ...
              5) Profit

              I don't know about you, but I'd expect pretty much anyone able to move a mouse to be able to do that much at least. Just because UNIX is for real men, it doesn't mean user friendly programs couldn't be made to hide the gory details.
          • Re: (Score:2, Funny)

            Your machine has tens of thousands of open unprivileged ports.

            Thanks to the magic of port forwarding, you can take advantage of all of them! Squee!
        • Re: (Score:3, Interesting)

          by jandrese (485)
          Er, IPv6 for the most part kills traditional scanning worms. The address space is just too large for the worm to propagate through random chance. Worm developers will have to get a lot smarter when IPv6 finally (finally!) starts to take off.
          • by Sancho (17056) *
            Not much smarter, really, assuming that the IPV6 block allocations are public knowledge. All the worm has to do is get a list of IPV6 allocations and scan those networks. The worm doesn't even have to do this itself--most worms talk to botnet controllers, which could host the updated network information harvested by a human.

            Don't knock worm developers--they're pretty bright. We're already seeing worms that exhibit p2p-like behavior (the entire botnet is decentralized), use encryption to avoid IDS, and ru
            • Re:Meager adoption (Score:5, Insightful)

              by ThinkingInBinary (899485) on Thursday March 08, 2007 @01:21PM (#18278762) Homepage

              All the worm has to do is get a list of IPV6 allocations and scan those networks.

              Erm, that's easier said than done. A normal residential IPv6 allocation will be a /64 prefix, which means you are allocated a 64-bit prefix, and you can select any address in the remaining 64-bit address space. So you'd have 18446744073709551616 addresses to scan to find all the hosts on the network. Assuming that the hosts have Privacy Extensions turned off, and that they are all autoconfiguring based on their MAC addresses, you know that the 12th and 13th bytes are 0xFF and 0xFE respectively. That still leaves 48 bits of address space, or 281474976710656 addresses. Good luck.
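The EUI-64 reasoning above, worked through as an added example (not code from the thread): it builds the interface identifier a host forms from its MAC, shows the 2^64 and 2^48 figures from the comment (and goes one step further to the 2^24 case where the vendor OUI is also known), and audits a constructed list of observed addresses for ones that expose a hardware address, which is what Privacy Extensions (RFC 4941) avoid. All MACs and addresses are constructed.

```python
"""SLAAC / modified EUI-64 interface IDs and the per-/64 search-space arithmetic."""
import ipaddress
from typing import Dict, Iterable, Optional

IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe in the middle of the MAC and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # the universal/local bit is inverted in modified EUI-64
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-shaped IID; None if the IID is not EUI-64-shaped."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":  # 12th and 13th address bytes, as the comment says
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def search_space(assume_eui64: bool = False, known_oui: bool = False) -> int:
    """Addresses an observer must enumerate inside one /64 under each assumption."""
    if not assume_eui64:
        return 1 << 64        # random or privacy-extension IIDs: 18446744073709551616
    if known_oui:
        return 1 << 24        # ff:fe fixed and 24-bit vendor prefix known (assumption beyond the thread)
    return 1 << 48            # ff:fe fixed: 281474976710656 candidates remain


def audit(addrs: Iterable[str]) -> Dict[str, str]:
    """Which observed addresses expose a hardware address through EUI-64?"""
    out = {}
    for a in addrs:
        mac = mac_from_address(a)
        if mac is not None:
            out[a] = mac
    return out


if __name__ == "__main__":
    # Constructed prefix and MAC.
    host = slaac_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")
    print("SLAAC address:", host)
    observed = [str(host), "2001:db8:1:2:a1b2:c3d4:e5f6:7890"]  # constructed sample
    for a, mac in audit(observed).items():
        print(f"{a} leaks MAC {mac}; enable privacy extensions on that host")
    for label, n in (("random IID", search_space()),
                     ("EUI-64", search_space(True)),
                     ("EUI-64 + known OUI", search_space(True, True))):
        print(f"{label}: {n} candidates per /64")
```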

            • Re: (Score:2, Insightful)

              by endianx (1006895)
              Scanning just one network is like 18,446,744,073,709,551,616 (2^64) addresses.

              I am certain there will still be ways to find addresses every once in a while, but it will make things far more difficult. Especially if most computers have something as simple as windows firewall which will make a computer seem to not even be at that address (doesn't respond to pings or anything). You can sometimes trick computers into revealing themselves, but still, the extra work to do that would mean scanning the 2^64 add
            • Not much smarter, really, assuming that the IPV6 block allocations are public knowledge. All the worm has to do is get a list of IPV6 allocations and scan those networks. The worm doesn't even have to do this itself--most worms talk to botnet controllers, which could host the updated network information harvested by a human.

              You're right about this, of course, but there is an interesting side-effect as well. Right now honeynets and worm detection systems rely upon pseudo random worm propagation attempts for worm detection by monitoring IP addresses known to be unused within a network (dark IP monitoring). Security engineers have been expecting worms to move away from random scanning for some time now in order to be more stealthy, although worms in general have not adopted this strategy yet. Whether they move away from random

      • by Kadin2048 (468275) on Thursday March 08, 2007 @01:33PM (#18278912) Homepage Journal
        First, NAT by itself doesn't offer that much security, once you get it outfitted with UPnP and other stuff that allow users to do the things they want to do, without messing around with it too much. (Actually, NAT in its purest implementation, without a stateful firewall at all, wouldn't offer any security, because it would only serve one host, and it would forward all connections to it, incoming and outgoing. But all home "NAT boxes" also have firewalls and serve multiple hosts, and have the side-effect of blocking incoming connections.)

        Second, there are applications coming that aren't going to play well with NAT, particularly internet telephony. We need to get rid of NAT in order to allow for WiFi/cellular phones, and portable devices that will multihome across networks. There are whole classes of applications and technologies that will be possible, once the infrastructure allows for things like this, and NAT is holding it back.

        Complaining because NAT makes your printers easier to set up securely, and thus ought to be kept around, is a little like people who grumbled that persistent network connections between campus mainframes were a huge security risk, and that everyone would be better if we just stuck with UUCP and nightly dial-ins. While they may have been right, I think we can all agree that the benefits, in hindsight, of not all being stuck on isolated systems that only connected to each other at midnight to exchange traffic, outweigh the hazards. (If you disagree, signal your discontent by reaching behind your PC and unplugging that network cable or antenna.) It's a shortsighted position.

        Until households and "dumb devices" get globally routable addresses, we won't know the sort of things that we can do with them. The ideas that people have outlined today -- the ability to use broadband applications on your cellphone or portable device over your connection at home, and then seamlessly failover to the cellular network (or another WiFi network, or whatever) when you walk out of range, without dropping the connection or needing to do a messy DHCP renewal -- that's just the beginning. That's like someone in 1985 trying to give a sales pitch about the Internet: how many things do we have now that weren't really possible to foresee at that point? (Good and bad.) A whole lot.

        Third, even with the widespread adoption of NAT, we're still running out of IPv4s. There are enough applications and situations out there that require routable addresses, that even if we were to use NAT on everything, we'd still run out. It's a temporary solution at best, and an admittedly very cool hack, but we're coming to the end of the road for it. It's time to implement a real solution.
        • by gbjbaanb (229885)
          The thing is, if you dressed up your comments about NAT as:

          "I have super NAT 2.0, its just like ordinary NAT but it allows multiple hosts behind the NAT to be configured for forwarding to the same port", then the same people who complain about removing the need for NAT will be jumping up and down at the possibilities of the new version.

          I think all home/SME routers that connect to the internet have firewalls that are enabled to block incoming traffic by default. Mine even has a button to auto-block all outbo
        • by caluml (551744)
          Actually, NAT in its purest implementation, without a stateful firewall at all, wouldn't offer any security, because it would only serve one host,

          1 public IP to 1 private IP? Not much use, really then.
  • Will we all have our own IP address in the future, like a SS# that identifies you wherever you go on the net? It looks like things are going this way. Is it the government's business if you like clown porn?
    • by wtansill (576643)

      Will we all have our own IP address in the future, like a SS# that identifies you wherever you go on the net?
      Yes. And an embedded RFID tag to broadcast your SSID...
    • by gunnk (463227)

      Or maybe someday "they" will require every network card to use a unique ID number permanently assigned to the card!

      ...oh, wait [wikipedia.org].

      • by Dog-Cow (21281)
        I don't know if it's still done this way, but Solaris used to assign one MAC to the machine, shared amongst all network (Ethernet) interfaces. I don't think MAC works the way you think it does. I also used to use ifconfig to reassign the MAC so that my cable modem would work correctly without dealing with customer (un)support(ed).
      • by Kadin2048 (468275)
        Most of the IPv6 stacks have an option to either use the interface's MAC address, or they can randomly generate a number of similar length and use that instead. BSD and Linux use the MAC address but can be changed, Windows uses a random number by default.
  • I think and fear IPv6 won't make its day.
    There are too many embedded devices that won't be upgraded to IPv6 just because they have IPv4 carved in silicon.
    Companies won't spend money in upgrades and related risks.
    • Re: (Score:3, Informative)

      by Deltaanime (932261)
      IPv4 works over IPV6 just fine :-)

      A very small piece of IPv6's space is simply there to allow IPv4 to still work, so those devices won't have issues.

      Besides, if everything else moves to IPv6, wouldn't that allow for IPv4 addresses to be freed up for these old systems?

      ~Francisco
    • by drinkypoo (153816)

      There are too many embedded devices that won't be upgraded to IPv6 just because they have IPv4 carved in silicon.

      You can run IPv4 and IPv6 side by side. A reserved IPv4 network can be used internally to support your IPv4 devices.

  • by eugene ts wong (231154) on Thursday March 08, 2007 @12:05PM (#18277810) Homepage Journal
    I hear that we are only supposed to use the even versions, but I also heard that they kept messing around with version 6. Is it stable?

    I am running a i386. Should I just stick with IPv2?
  • by Tackhead (54550) on Thursday March 08, 2007 @12:06PM (#18277826)
    > So at this rate, 7.5 years from now, we'll be clean out of IP addresses; faster if the number of addresses used per year goes up.

    Ted Stevens (R-Pork): As my colleagues from across the aisle are pointing out, we're facing Peak Internets. Clearly what we need is to open up drilling in IPNAR (Internet Protocol National Address Reserve) and start drilling in those unused /8s. We need more tubes!

    Ted Kennedy (D-Ham): Sure, how about 34.0.0.0/8, Halliburton?

    Dick Cheney (R-Oil): Suck it, Ted. Your union buddies in 19.0.0.0/8, Ford Motor Company, ain't long for this world anyways.

    Senator BOFH (I-Maginary): Umm, dudes? I didn't know DEC was still around, let alone still owned (16.0.0.0/8), and do enough people still go to Interop (45.0.0.0/8) that it deserves a whole frickin' /8 to itself?

    FCC: All of y'all, shaddap. The telcos paid us good money to put us in charge of this little exercise, so we'll take it from here. Everybody switches to IPv6 on our timetable. It shouldn't take us much longer than it took to phase out analog TV.

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      At MIT, each vending machine is said to have its own IP address. In dorm rooms, every gadget has one or more IP addresses, some rooms needing 100 or more, and there is subtle competition to outdo the next guy in order to claim "bragging rights". The current record is 200 IP addresses assigned to a toaster in Walcott 509 (East Campus). MIT encourages this, in case someone dares to suggest that their block is "underutilized".
  • Running out? (Score:2, Insightful)

    by Sobrique (543255)
    I worked for a company that had its own class B. Or /16 for those who prefer CIDR.

    It had never been routed across the public net. I'd be prepared to bet there's a lot of companies that decided they 'were a major entity' and grabbed a big chunk of address space, back in the day when the IPv4 address space was 'more than anyone would ever need'.

    I'd be prepared to bet there were a huge amount of 'entities' in the same situation. I mean, there's only a relatively small list that actually need many at all,

  • MIT and Apple (Score:5, Insightful)

    by garcia (6573) on Thursday March 08, 2007 @12:11PM (#18277878) Homepage
    "As of January 1, 2007, 2.4 billion of those [IPv4 addresses] were in (some kind of) use. 1.3 billion were still available and about 170 million new addresses are given out each year. So at this rate, 7.5 years from now, we'll be clean out of IP addresses; faster if the number of addresses used per year goes up. Are you ready for IPv6?"

    As of January 1, 2007 too many IP addresses were in (some kind of) use by Apple and MIT who have entire class As but don't need that kind of address space. In 7 years when we are approaching what this particular author believes will be the end of the road for IPv4, those two (and anyone else with too many unused addresses) should be mandated to give them up so that everyone else can use them.

    IPv6 won't be in wide use until the ISPs drop their ridiculous additional IP charges. They make a good bit of money through that so I assume they will be the absolute last people to switch over. Because most residential connections are on Comcast and other providers that don't want anything to do w/making less money, there's no way that this will happen w/o a fight.
    • Re:MIT and Apple (Score:4, Insightful)

      by Sancho (17056) * on Thursday March 08, 2007 @12:30PM (#18278098) Homepage
      Routing is an issue. We'll run out of allocatable blocks long before we actually run out of IPs, even if the big, unused /8 blocks get broken up. It's kinda like the FAT file system--lots of really small files will completely eat up the disk space because they get allocated large clusters and they can't share.

      IPV6 handles routing almost automagically. We should see fewer problems with chunking and "wasted" IP addresses. And of course, there are many other benefits. I honestly can't wait for the day when IPV4 is a terrible memory.
      • May I suggest Cryostasis? =D

        No really, I want IPv6 too. It's supposed to be the Internet, not the huge glob of Intranets.

  • 3.7 billion unique IP's ought to be enough for anybody.
  • by Toreo asesino (951231) on Thursday March 08, 2007 @12:17PM (#18277958) Journal
    "There's no place like 0:0:0:0:0:0:0:1 [ietf.org]"

    You heard it here first. iThankyou.
  • by amper (33785) * on Thursday March 08, 2007 @12:18PM (#18277974) Journal
    I really doubt that after all this time that IPv6 adoption will ever be driven by address scarcity in the IPv4 space. We've developed tools like NAT that have extended the usable number of addresses far beyond what was originally envisioned, and the few problems created by the widespread usage of NAT are not showstoppers to the vast majority of users.

    I think we have much more pressing problems. I seriously question whether or not our advanced technological society will last long enough to exhaust the currently available address space, and even if the prediction is true, and we approach that state within the next 7.5 years, it is more likely that measures will be taken to ensure that abandoned or underutilized address space is reallocated.
    • I really doubt that after all this time that IPv6 adoption will ever be driven by address scarcity in the IPv4 space.

      Actually, the small size of the available IPv4 chunks has already driven the adoption of IPv6 in several large networks. Take a look at Comcast's huge migration of their cable modem customer edge. Of course other factors are driving it as well, which is why so many management networks have moved over. So what do you think, when BT completely replaces the their existing infrastructure as they are now doing, are all the new boxes going to work with IPv6? I don't think it is a requirement, but I also don't s

    • NAT is not the answer to everything. VPN is starting to be everywhere. With still more clients, suppliers, employees and partner companies VPN'ing with each other, even defining namespaces internally in 192.168.0.0/16 is starting to be an issue. I've so far been lucky with a strategy of every party selecting a pseudo-random number for the third block in 192.168.0.0/16, but sooner or later, conflicts will happen.
    • You clearly read the article, or at least skimmed it, since you know that the article says that even with NAT, if current trends continue (they are likely to get worse, not to continue) we will run out in 7.5 years. You really think we're going to have a cataclysm in that timeframe? It's not impossible... but it seems relatively unlikely. As the FA says, even reclaiming a couple of used class As would be fairly useless.
  • if the predicted exhaust date for the addresses is seven years out.
  • by mrnick (108356) on Thursday March 08, 2007 @12:36PM (#18278172) Homepage
    The reason IPV6 has not been widely deployed is that the direct consumers of IPV4 addresses changed their ways and started implementing sound IP address deployment strategies.

    When I say direct consumers as it relates to IPV4 the two largest consumers are Internet service providers and large corporations.

    I remember when I started my first ISP. Everyone that dialed up to our modem bank was assigned a public IPV4 IP address. Later as higher bandwidth solutions arrived it was nothing for an ISDN user to have a /25 (128 IP, half of what most people mistakenly call a class C). If a customer purchased a T1 then it was negotiated how many /24 (256 IP, again considered a class C).

    Now that has changed. Generally unless you pay extra you are going to have an RFC1918 address (IP addresses that have been mutually agreed upon to be private). With this type of IP address nobody from the Internet can initiate communication to any of your equipment. These IP addresses are not routed on the public Internet. When you initiate an outbound communication to some server on the Internet your ISP will do a hide NAT to get you out to the Internet.

    A hide NAT is when many systems using private address space all use the same IP address as their source when they leave their ISP. So, instead of the good ol' (not so good) days where every user needed a public IP address, now an ISP can hide thousands of customers behind a single IP address.

    Large corporations use similar techniques. They realized that not every computer on every desk needs a public IP address. Again, they could use hide NAT and let them all use RFC1918 (private IP space) and when they would go out to the Internet they could either be hidden behind an IP or use a proxy. Also, almost simultaneously came the idea that not all the servers in your data center needed a public address either. Your web and mail servers might but their back end database servers wouldn't. These wouldn't even require NAT because for security reasons it is just better if they have no interaction with the public Internet. The web servers could communicate with them over a physically separated network or internal routers could route their traffic to the proper location within their corporate infrastructure.

    Two factors drove this movement. First was the fear of running out of IPV4 addresses. Arin and the like were doing their best to scare consumers into rationing their allocation in fear of not being able to get another. Second came from network security. Firewalls and proxy servers and the like were being implemented more rapidly than ever before. This was partly in response to the ever expanding IT bubble that many were sure would grow indefinitely and the majority was due to the realization that without proper security the bad guys would enter your system and start poking around. A system (server environment) can never be made 100% secure but the more money you are willing to spend on security the higher you raise the bar for a potential black hat hacker. As you increase security you make those that don't easier targets so a hacker would go after the easiest to penetrate rather than the more secure environments. This feeds upon itself. There will always be hackers and network security will have to continually evolve.

    But back to IPV4. Looking at the current utilization of IPV4 as to what it was say in 1990 you see a completely different picture. The current picture is what was the promise of IPV6 and that is that it doesn't look like we will be running out in the foreseeable future. It's true with IPV4 we don't have enough public IP addresses so that everyone can have all their kitchen appliances connected to the Internet with a public IP. I have listened to many people tell the analogy that IPV6 has enough IP space so that every grain of sand on the planet Earth could have its own IP address. Well, the truth is that we don't need that many, not anywhere near that many. And though it's true that IPV6 has more features t
    • If you don't want someone to be able to initiate connections to you, you use a firewall. NAT is the wrong tool for the job.
      • by kwerle (39371)
        If you don't want someone to be able to initiate connections to you, you use a firewall. NAT is the wrong tool for the job.

        No - NAT is a tool for the job, and so is a firewall.

        If you don't want someone to be able to initiate connections to a subnet, you use NAT. You could also use a firewall for that - but what's the point?

        The bottom line is that NAT is fine, and firewalls are fine. We're all fine. We may start running out of IP space, or we may not. Nobody knows, and it's almost certain that we dumb am
        • Re: (Score:3, Insightful)

          by Lord Ender (156273)
          No, NAT is NOT fine!

          You may get away with it for a while, but wait until your company merges with another company that uses the same private IP addresses. You'll change your mind quickly.

          Globally-unique addresses should be used on anything that interacts with the internet. Anything else is a cheap hack that will bite you in the ass eventually.

          I realize that some are forced to NAT because IP4 sucks. But to choose NAT for "security" reasons when real addresses are an option is, well, ignorant.
    • by kabocox (199019)
      A hide NAT is when many systems using private address space all use the same IP address as their source when they leave their ISP. So, instead of the good ol' (not so good) days where every user needed a public IP address, now an ISP can hide thousands of customers behind a single IP address. ...

      Two factors drove this movement. First was the fear of running out of IPV4 addresses ...
      The Internet has become a more efficient secure place and the main driving force behind that was the fear of running out of IP add
  • by twitter (104583) on Thursday March 08, 2007 @12:40PM (#18278258) Homepage Journal

    The article does a great job of presenting the debate. In every talk, you should tell the audience what you are going to tell them, then tell them, then tell them what you told them. In this case, the author took the novel and interesting approach of using a Slashdot summary of the subject, linking to a previous discussion and paraphrasing it. I present the summary and the expansion side by side to highlight their ingenious rhetorical style:

    "Use NAT, n00b. All 1337 of my Linux boxes share a single IP and it's safer, too!"

    Hosts behind a NAT device get addresses in the 10.0.0.0, 172.16.0.0, or 192.168.0.0 address blocks that have been set aside for private use in RFC 1918. The NAT device replaces the private address in packets sent by the hosts in the internal network with its own address, and the reverse for incoming packets. This way, multiple computers can share a single public address.

    "NAT is not a firewall."

    With IPv4, there will generally be a NAT device that functions as a simple firewall by blocking incoming sessions (although there are ways to trick NATs into allowing them). If you're working on security, keep your eye out for IPv6 because if overlooked, IPv6 could allow things that are blocked over IPv4.

    "NAT sucks."

    [1]However, NAT has several downsides. First of all, incoming connections don't work anymore, because when a session request comes in from the outside, the NAT device doesn't know which internal host this request should go to.

    [2]Things get even trickier for applications that need referrals. NAT also breaks protocols that embed IP addresses. For instance, with VoIP, the client computer says to the server, "Please send incoming calls to this address." Obviously this doesn't work if the address in question is a private address. For this reason and a few others, most of the people who participate in the Internet Engineering Task Force (IETF) don't care much for NAT.

    "You suck."

    This [1]is largely solvable with port mappings and protocols like uPnP and NAT-PMP.

    Working around this [2] requires a significant amount of special case logic in the NAT device, the communication protocol, and/or the application.

    More to the point, NAT is already in wide use, and apparently we still need 170 million new IP addresses every year.

    Thanks for the shoutout, Ars. The explanation of various non-free software limitations for using IP4/IP6 and the partial explanation of why those systems may need firewalls to begin with is sure to add to the human body of knowledge and foster civilized conversations. After reading the article, it's all clear to me, for sure not at all. Respeckt!

    • by kju (327)
      [1]However, NAT has several downsides. First of all, incoming connections don't work anymore, because when a session request comes in from the outside, the NAT device doesn't know which internal host this request should go to.

      This problem was already addressed and the answer is Universal Plug and Play (UPnP) [wikipedia.org]. Using UPnP a client device can ask the residential gateway (aka NAT router) to open up a port and forward incoming traffic on that port. Of course this is a security risk, but it is a way to address th
  • Sig. (Score:4, Interesting)

    by caluml (551744) <[slashdot] [at] [spamgoeshere.calum.org]> on Thursday March 08, 2007 @12:46PM (#18278348) Homepage
    See my sig.
  • My comments I posted on the Ars forum:

    Interesting article, but I still feel like I have questions and don't really understand why or what I should do, if anything, with IPv6.

    I'm on Comcast cable, XP w/o IPv6 turned on, and with a WRT54G router with stock firmware. IF I enable IPv6 in XP, what do I gain? Would it mess up the other PCs on my network? Would it affect performance? Would my router handle it without modification? Does it even matter since I'm on Comcast?

    I guess I keep reading about IPv6, reading
  • How to install IPv6 (Score:2, Informative)

    by joe45 (1060584)
    The commands to install IPv6 are:
    Windows XP: run -> type: ipv6 install
    Linux (Red Hat): insmod ipv6 or modprobe ipv6, then check the module list to see whether IPv6 is loaded or not; rmmod ipv6 removes it. Autorun: edit /etc/sysconfig/network and add the new line " NETWORKING_IPV6=YES "
    FreeBSD Unix: edit /etc/rc.conf and add ipv6_enable="YES"
  • by Anomalyst (742352) on Thursday March 08, 2007 @02:12PM (#18279392)
    I made a fairly determined effort to see if we could bring up a manageable lab with IPv6.
    1) Our local provider (XO) doesn't even offer public IPv6 address space.
    2) ARIN wants thousands of dollars PER YEAR for portable address space.
    3) Identifying what/how to use a substitute for the deprecated "site-local" addressing. Tracking this down took days of searching and piecing things together. All the docs agreed that site-local was deprecated but rarely mentioned what was going to take its place. Here are some links to what was found; MS has surprisingly helpful documentation:
    http://www.microsoft.com/technet/network/evaluate/technol/tcpipfund/tcpipfund_ch03.mspx#EDAAE [microsoft.com]
    http://book.itzero.com/read/cisco/0602/Cisco.Press.Deploying.IPv6.Networks.Feb.2006_html/1587052105/ch02lev1sec1.html [itzero.com]
    Generate a global ID with either of the tools below:
    http://www.kame.net/~suz/gen-ula.html [kame.net]
    http://www.hznet.de/tools/generate-rfc4193-addr [hznet.de]
    Additionally, it is nearly impossible to control the allocation of hosts to specific suffixes. We often organize customers' address space so that the global catalog for each site is at, say, .5, Exchange at .7, the proxy server at .13, etc. using DHCP static leases. It makes life easier on our field techs; they know exactly where key pieces of infrastructure are for troubleshooting. We can send them to different customers and they have an ingrained familiarity with how things are configured. Currently MS IPV6 does not have a usable IPv6 DHCP server, and the IPv6 clients do not allow such an address assignment even if the server could do reservations.
    In a nutshell, IPv6 tools and implementation on hosts fall far short of the enterprise tools used to define and organize a LAN for IPv4, and until ease of use is at least on par with the MS IPv4 DHCP point/click environment it is going to continue to languish. It absolutely must have integrated DHCP server redundancy with automatic failover/failback/sync, so sorely lacking, LO these many years, in MS offerings.
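An added example, not from the thread or from the generator tools linked above: it derives an RFC 4193 unique local /48 the way those generators do (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits as the Global ID behind fd00::/8), then pins hosts to fixed suffixes inside a subnet, which is the ::5 / ::7 / ::13 layout the post wants. The MAC address and timestamp are constructed sample values.

```python
import hashlib
import ipaddress

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 followed by a 32-bit fraction."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def ula_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the low 40 bits as
    the Global ID, and place it behind fd00::/8 (fc00::/7 with the L bit set)."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    global_id = digest[-5:]  # least significant 40 bits of the hash
    network = ipaddress.IPv6Address(b"\xfd" + global_id + bytes(10))
    return ipaddress.IPv6Network((network, 48))


def host_address(prefix: ipaddress.IPv6Network, subnet_id: int,
                 interface_id: int) -> ipaddress.IPv6Address:
    """Pin a host to a fixed suffix inside subnet `subnet_id` of a ULA /48:
    the 16-bit subnet ID fills bits 48-63, interface_id fills the low 64 bits."""
    if prefix.prefixlen != 48 or prefix.network_address.packed[0] & 0xFE != 0xFC:
        raise ValueError("expected a unique local /48")
    if not 0 <= subnet_id < (1 << 16) or not 0 <= interface_id < (1 << 64):
        raise ValueError("subnet_id must fit 16 bits, interface_id 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | interface_id)


if __name__ == "__main__":
    # Constructed sample inputs: a made-up MAC and a fixed timestamp so the run is repeatable.
    site = ula_prefix("00:11:22:33:44:55", 1173355200.0)
    print("site prefix:", site)
    for role, suffix in (("global catalog", 5), ("exchange", 7), ("proxy", 13)):
        print(f"{role:15} {host_address(site, 1, suffix)}")
```

A prefix generated this way is unique with high probability but not registered anywhere, so two merged sites only collide if the same Global ID was drawn twice, which is the point the post contrasts with site-local.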
  • by wowbagger (69688) on Thursday March 08, 2007 @04:32PM (#18281306) Homepage Journal
    I point this out every time the subject of IPv6 comes up, especially when people gripe about the slow update of IPv6:

    Try to get a page from Slashdot's servers using IPv6 - that is to say, using IPv6 format packets, NOT IPv4 packets.

    Then ask yourself again why IPv6 is NOT being adopted.

    (NOTE: You can replace Slashdot with CNN, Digg, or whatever other mainstream site floats your boat.)
