Why You Shouldn't Worry About IPv6 Just Yet
Posted by CmdrTaco from the more-worried-about-a-sandwich dept.
nk497 writes "While it's definitely time to start thinking about IPv6, it's not time for most to move up to it, argues Steve Cassidy, saying most can turn it off in Windows 7 without causing any trouble. Many network experts argue we're nearing network armageddon, but they've been saying that for years. 'This all started when Tony Blair was elected. The first time. Yep, that's how long IPv6 has been around, and it's quite a few weeks ago now.' He says smart engineering has avoided many of the problems. 'Is there an IPv6 "killer app" yet for smaller networks? No. Is there any reason based on security or ease of management — unless you're running a 100,000-seat network or a national-level ISP — for you to move up to it? No. Should you start to do a bit of reading about it? That's about the stage we're truly at, and the answer to that one is: yes,' he says."
Re:I have read it... (Score:5, Informative)
Anonymity is lost pretty quickly with IPv6
RFC 3041 dated January freaking 2001, assuming you're talking about using MAC addresses in the ipv6 address. Frankly I feel this is paranoia combined with ignorance of current ISP logging technology, in other words you don't have anonymity with ipv4 either.
along with ISPs seeing how many systems you have running on their network
Rates somewhere between 1) who cares 2) See RFC 3041 3) News to me that proxy servers are impossible on ipv6
exposes systems to OS flaws.
I suppose there are / will be bugs in v6 that would not happen in v4.
The logic in fact seems to be nothing but a really big switched network.
Thank god. Die NAT die! Can't happen soon enough. Some people will still want stateful "one way" firewalls. No problemo.
In short, I don't like what IPv6 gives us over what we lose with IPv4.
Given your list of misconceptions and misinformation, I'm not surprised.
Actually you SHOULD worry about it... (Score:5, Informative)
For three big reasons.
a: It's actually ubiquitous in the LAN these days. Both Apple and Microsoft use IPv6 link local operations very heavily, because it Just Works with nice stateless autoconfiguration and multicast.
b: You can have things screw it up if you don't have V6 deployed, and you have to worry about V6 even if you don't 'have' V6: EG, a Windows box with connection sharing and 6to4 enabled will happily try to "share" the 6to4 connection with everyone else on the LAN, so everyone else gets a V6 address that doesn't actually work. And with Apple preferring a 6to4 IPv6 address over a V4 address, the Macs on the same network will now see horrible behavior going to any dual-stacked site, as it will try V6 first, take a timeout, then revert to V4.
c: Address space exhaustion is real, and IPv6 + DS-Lite (or even just IPv6 + IPv4 NAT) allows an ISP to get around address space exhaustion in a much cleaner way than the alternatives.
Re:I have read it... (Score:1, Informative)
IPv6 + router firewall = waayyy better security than IPv4 + NAT. Too many people think NAT actually provides decent security. It's (slightly) better than nothing at all, but it's definitely not as good as running a firewall. If IPv6 forces people to actually run firewalls, so much the better. Maybe we'll finally get some shrinking botnets for once.
On the "ISPs seeing how many systems you have running on their network" front, that's a big iffy. Modern deep packet inspection hardware should be able to infer how many machines you have active right now anyway, just by traffic patterns. Some operating systems (Windows 7 does anyway, I'm fairly sure) run IPv6 in privacy mode by default, which means it periodically picks a new IPv6 unicast address and the unicast address isn't related to your MAC address.
I think Comcast is doing limited trials (Score:3, Informative)
I think Comcast is doing limited trials of IPv6.
But it will take time to replace all the modems, boxes, and so on with stuff that can do IPv6.
Re:I have read it... (Score:5, Informative)
So if you want a NAT router to keep network wormable flaws away from the OS you can still do it.
You're confusing NAT address translation with stateful firewalling. Linux has been able to do that for ages on ipv4 or ipv6.
A side effect of ipv4 NAT is providing stateful firewalling, in that obviously the fw has no idea what to do with incoming traffic that doesn't belong to a flow you've already set up. All you need is one line to do this in v6.
You're looking for a line vaguely similar to this:
ip6tables -i eth0 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
And try not to forget to drop by default anything coming in thru eth0 that doesn't match the line above, of course.
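The rule from the comment above, extended into a complete default-drop ruleset for a router, as an added example that is not part of the original post. The `gen_ip6_ruleset` function name and the `eth1` LAN interface are assumptions (`eth0` is the interface used in the post); it also admits Neighbor Discovery on the WAN side, which is not part of any tracked flow and so is not matched by the state rule.

```shell
#!/bin/sh
# Added example: print an ip6tables-restore ruleset that gives an IPv6 router
# the "replies only" inbound behaviour discussed above, without any NAT.
# Interface names are assumptions: WAN defaults to eth0, LAN to eth1.

gen_ip6_ruleset() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    # Refuse interface names that could smuggle extra options into a rule
    for ifc in "$wan" "$lan"; do
        case "$ifc" in
            *[!A-Za-z0-9._-]*) echo "bad interface name: $ifc" >&2; return 1 ;;
        esac
    done
    # Default policy is DROP: anything not accepted below is discarded
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $wan -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # Neighbor Discovery on the WAN link: router advertisement (134),
    # neighbor solicitation (135) and advertisement (136). Requiring hop
    # limit 255 restricts these to senders on the local link.
    for t in 134 135 136; do
        echo "-A INPUT -i $wan -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Forwarding: LAN hosts may open flows outward, the WAN side may only
    # answer them. ICMPv6 errors for those flows match RELATED.
    cat <<EOF
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; review it, then feed it to ip6tables-restore as root.
gen_ip6_ruleset "$@"
```

Run it as `sh script.sh eth0 eth1` and pipe the output to `ip6tables-restore --test` to have the ruleset parsed without committing it.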
We are already using it (Score:3, Informative)
I don't know what artificial reality you guys are living in, but IPv6 is running in many research universities worldwide, and on virtually every Linux box in the military and university community.
The fact that it's not being provided by your local residential networks is not our problem.
Re:most hated part of ipv6 (Score:4, Informative)
they invented a fix for you [wikipedia.org]
Re:Roll it out in cell phones (Score:2, Informative)
Re:I have read it... (Score:3, Informative)
NAT is NOT a firewall, and a firewall most certainly doesn't require NAT at all. You absolutely don't lose any security at all with IPv6.
Yes, but since you don't know what you're talking about...
Re:This is flat out bad advice (Score:4, Informative)
Ignoring the technology incompatibilities between v6 and v4 for a second, and just taking connectivity at heart, let's examine the effect of "isolation": your community runs out of telephone numbers for its area code. Your state creates a new area code. NEW numbers are given out to new owners; all old phone line owners remain unaffected and able to reach old phone lines and continue with business as usual with their other giant companies also using the old phone lines.
With IPv6, all new owners can talk to the old owners. The old ones already have websites that they can reach. Top sites like YouTube, Google, Facebook and maybe even Windows Update with reserved IPv4 addresses aren't just going to magically lose them. They'll shuffle less important services to IPv6 the day they are forced to exceed their IPv4 allocation.
Nobody is forced to "switch" to IPv6 entirely. They create DNS subdomains like the little known ipv6.google.com (if it works for you, then you have ipv6, by the way.) In the US, the government forced digital / HDTV adoption last year, but old and new channels coexist in your digital-ready cable boxes through the simple use of different channel numbers. I have no idea how many years it will take for them to force the non-HDTV channel numbers off, but I suspect that this will take as many decades as it took to implement HDTV and force it on us.
The only people having reachability problems like you mentioned will be those in NEW address blocks from poorly developed countries. Large companies needing more IPs may have issues, but nothing their IT teams can't fix with more 10.x.x.x addresses (2^24 addresses for internal company addressing "oughta be enough for [er, OK, most companies]"). Consider the address space sizes [yahoo.com]. Though IPv4 is only 16 bits smaller than the MAC address space, which is small compared to the IPv6 total of 128 bits, nobody I have ever heard is saying that billions of computers out there are going to run out of MAC addresses to give out soon. Funny because wireless devices and network devices tend to have multiple MACs apiece.
Re:Beware (Score:3, Informative)
Re:I have read it... (Score:3, Informative)
Correction. Teredo tunneling.
IPv6 shouldn't be that hard to switch to. Macs are happy with it. Windows machines grok it. The only issue would be a number of SOHO routers, and some applications that don't understand V6 (MySQL is a good example.)
Re:Torrenting (Score:3, Informative)
Most swarms have 5-10% ip6 hosts already on some trackers.
Denial is not a river in Egypt (Score:3, Informative)
To be very, very clear, IPv6 will happen. There is no way around it. There is almost no IPv4 address space left. The folks who are at the top of the structure that assigns addresses will run out in the middle of next year. The next tier, called Regional Internet Registries, may have addresses available for another year. By the end of 2012, there will be no address space available to assign. For the gory details, see the IPv4 Countdown Page [potaroo.net]. Especially, look at Figure 35 [potaroo.net]. That is reality.
As an end user, you may not care. Comcast is already beta testing IPv6 to its customers. I assume others are or soon will be doing so, but this should be mostly transparent to users as their system will only require IPv4 and that will be NATed behind an IPv6 address. But it must happen or people will not be able to get new addresses. That is the bottom line. IPv4 will remain in use for many years, but the net will start getting smaller and smaller for those who don't implement IPv6.
Windows 7 HomeGroup (Score:2, Informative)
I found Windows 7 HomeGroup failed when IPv6 was disabled. While this isn't a killer app, it's pretty nice to have some domain-like sharing features available at home. So while it's not a killer app, I wouldn't counsel end users to disable it.
Re:Roll it out in cell phones (Score:3, Informative)
My G1 is addressed in the 26.112.125.... subnet. Interesting, because DNS is in the 10.177 and 10.162 subnets. So I guess I am consuming profligately.
It also looks like it's a /32 subnet...
Re:most hated part of ipv6 (Score:4, Informative)
Hate to break it to ya but often in testing you don't want your host to have a name until it's ready for production.
They invented a fix for you, too [wikipedia.org]
(horrors, actually using the hosts file for its intended purpose instead of using it to break DNS resolution for host names you don’t like?)
Re:Roll it out in cell phones (Score:3, Informative)
T-Mobile is using IPv4 BOGONS (using IPs which are registered to others or will be registered to others).
Which is why they are rapidly moving to IPv6 with access to IPv4 via NAT64/DNS64.
Re:I have read it... (Score:5, Informative)
Overloading outbound traffic from multiple machines onto a single IP address (what you call port address translation) *is* NAT, if only because most of the vendors appropriated the name from that other kind of address translator that was hardly ever used and few even remember (RFC 1631).
PAT was never really a correct name for it anyway; that was a Cisco-ism. What we call NAT today derived primarily from the stateful transparent proxies of the mid-90's and as the word "stateful" implies, it remains as much a proxy as a translator.
Re:Roll it out in cell phones (Score:1, Informative)
Some mobile providers plan exactly to do that in the future. The phone only gets an IPv6 address, but they will use NAT64 so contacting IPv4 will be transparent as long as nobody returns IPv4 literals in URLs (as some sites do).
The reason they are motivated? They now already use addresses they don't own and do IPv4 to IPv4 translation because they don't have enough IPv4 anymore.
For more information see recent T-Mobile articles.
Re:Won't even notice it (Score:3, Informative)
I don't think Ubuntu would use v6 by default unless it actually had a v6 connection...
I have Ubuntu boxes at home and at work, at home I have a v6 router with a valid v6 link running a route advertisement service and the Ubuntu box will pick up an address from it and use it...
At work, there is no route advertisement service so Ubuntu boxes never pick up a v6 address or route (neither do Macs for that matter)...
The only place I can imagine it being slow in the way you describe, is if it picks up an address but doesn't have a valid route, which it would only do if there is a misconfigured IPv6 router present on the network.... I've had this happen at home if the v6 link drops but the v4 stays up (IP transit providers don't provide the same uptime guarantees for v6) and the system is not receiving network unreachable errors back...
Re:Good idea! (Score:3, Informative)
When her new DSL modem/router will come with official IPv6 support, I expect it to have a large checkbox in admin UI that says "please keep away all the nasty stuff from teh intertubez". I would even expect it to be checked by default - my wireless (IPv4) router did come with firewall enabled by default, and blocking incoming connections on all ports except for FTP.
Re:I have read it... (Score:3, Informative)
This is *exactly* what RFC3041 [faqs.org] discusses.
Microsoft has already implemented a solution, in Windows 7 at least -- which is to say, Microsoft is actually ahead of the curve in implementing an RFC standard. Good on them. That covers the majority of home and office desktop users. The Linux folks will catch up.
Re:prehistory for mayflies (Score:3, Informative)
Ummm, the first truly working IPv6 patch for Linux was rolled out for the 2.0.20 kernel. My IPv6 box at the University of Manchester was registered on the 6Bone a year, possibly two, before Tony Blair was elected. Solaris patches came out even earlier. The author clearly doesn't know their history. The rest of their arguments may be right or wrong, but I have trouble trusting arguments made by someone willing to make inaccurate claims that could have been checked with but a few seconds' effort.
Re:Roll it out in cell phones (Score:3, Informative)
LTE (4G/3.9G) supports IPv6 as well as 4, and Verizon (who is rolling out LTE in 30 markets this year) is actually mandating that devices on their LTE network have IPv6.
Re:Won't even notice it (Score:3, Informative)
And if you ever noticed, when you get that 169.x.x.x private address then you have no network access at all under Windows. At that point, it'd be better to just mark the connection as disabled since it's functionally disabled even though its configuration looks like it shouldn't be. Very deceptive; and a bad way of doing configurations.