Why You Shouldn't Worry About IPv6 Just Yet
Posted by CmdrTaco from the more-worried-about-a-sandwich dept.
nk497 writes "While it's definitely time to start thinking about IPv6, it's not time for most to move up to it, argues Steve Cassidy, saying most can turn it off in Windows 7 without causing any trouble. Many network experts argue we're nearing network armageddon, but they've been saying that for years. 'This all started when Tony Blair was elected. The first time. Yep, that's how long IPv6 has been around, and it's quite a few weeks ago now.' He says smart engineering has avoided many of the problems. 'Is there an IPv6 "killer app" yet for smaller networks? No. Is there any reason based on security or ease of management — unless you're running a 100,000-seat network or a national-level ISP — for you to move up to it? No. Should you start to do a bit of reading about it? That's about the stage we're truly at, and the answer to that one is: yes,' he says."
Ah, Yes, 'Let Someone Else Worry About It' (Score:5, Insightful)
> Is there any reason based on security or ease of management – unless you're running a 100,000-seat network or a national-level ISP – for you to move up to it? No.
What if you're writing web applications that monitor IP addresses? Shouldn't you be making sure that your regexp fits for IPv6 as well? What if you're storing IP addresses and you're sanitizing your data? What if you're doing anything at all with IP addresses? Like monitoring logs for abuse? Shouldn't you be preparing for the inevitable move to IPv6? What if you collect metrics so you can report to management your country by userbase? I say this because we've started to account for IPv6 in our coding and auditing.
What if you write any sort of firmware or software for network devices?
And if you're a consumer and you're about to purchase something that's going to last you more than three years you should probably make sure it supports IPv6 in case the computer you buy down the line can only handle IPv6 addresses allocated to it.
Go ahead and tell your readers that it's cool, Microsoft's got it covered. I'm going to err on the side of safety whether the armageddonists are right or wrong about the ETA.
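The address handling the comment above asks about (validating, sanitizing, and monitoring logs for abuse), as an added example that is not part of the original thread. The log format, the sample lines and the per-/64 counting policy are assumptions of this example; parsing is left to Python's standard `ipaddress` module rather than a hand-written regexp.

```python
import ipaddress
from collections import Counter

# Constructed sample log (documentation address ranges). Format assumed here:
# "<client> <method> <path> <status>".
SAMPLE_LOG = """\
192.0.2.7 GET /login 401
::ffff:192.0.2.7 GET /login 401
2001:db8:0:1::a GET /login 401
2001:0DB8:0000:0001:1319:0211:FEC2:82DC GET /login 401
[2001:db8:0:1::b]:51234 GET /login 401
fe80::1%eth0 GET /health 200
999.1.1.1 GET /login 401
2001:db8::g GET /login 401
"""


def normalize(raw):
    """Parse one client token; return an ipaddress object or None if invalid."""
    token = raw.strip()
    if token.startswith("["):              # "[addr]:port" form
        token = token[1:].split("]", 1)[0]
    token = token.split("%", 1)[0]         # drop a zone id such as %eth0
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    # ::ffff:a.b.c.d is an IPv4 client seen through a dual-stack socket.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def abuse_key(addr):
    """Key used for counting: the host for IPv4, the /64 for IPv6.

    Assumption of this example: one IPv6 client can use many addresses
    inside its /64, so counting per address would undercount.
    """
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/64", strict=False))


def storage_key(addr):
    """Fixed 16-byte form for storage; IPv4 goes into ::ffff:0:0/96."""
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def failed_logins(log_text):
    """Count 401 responses per abuse key; also return tokens that did not parse."""
    counts, rejected = Counter(), []
    for line in log_text.splitlines():
        client, _method, _path, status = line.split()
        addr = normalize(client)
        if addr is None:
            rejected.append(client)
        elif status == "401":
            counts[abuse_key(addr)] += 1
    return counts, rejected


if __name__ == "__main__":
    print(failed_logins(SAMPLE_LOG))
```

The same client shows up once as `192.0.2.7` and once as `::ffff:192.0.2.7`; without the mapped-address step the two would be counted and stored as different hosts.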
Torrenting (Score:5, Insightful)
Torrenting is the killer app. Very unlikely all the spooks have updated to ipv6 snooping.
I have read it... (Score:1, Insightful)
Anonymity is lost pretty quickly with IPv6, along with ISPs seeing how many systems you have running on their network, and it exposes systems to OS flaws. No more "hardware firewall" that I can see. The logic in fact seems to be nothing but a really big switched network.
In short, I don't like what IPv6 gives us over what we lose with IPv4.
Excuse me? (Score:2, Insightful)
Re:I have read it... (Score:4, Insightful)
There is nothing in IPv6 which precludes the use of proxies and/or NATing. It's just that adoption of IPv6 no longer mandates the use of NAT'ing. Nothing is lost. There is only gain to be had from an IPv6 upgrade.
Re:Won't even notice it (Score:5, Insightful)
Many people are already using ipv6 by default without even knowing it!
One important reason to use it is for small devices that you really don't want to have to have a user interface to enable Static IP / Router Info / DHCP configuration on.
Also, if you use Apple MobileMe's Remote Desktop feature, you are using ipv6 only - MobileMe provides an IPv6 VPN to access all of your devices wherever they may be.
So in fact there are many many users of Ipv6 out there, just not much sending packets over the un-vpn'd internet.
Roll it out in cell phones (Score:5, Insightful)
Re:I have read it... (Score:5, Insightful)
You and many others desperately need to read more about v6 before regurgitating the same old myths.
* Read up on RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6
* There is NOTHING in IPv6 that negates a hardware firewall. You get a prefix routed to your 'router' it can have whatever allow or deny rules you like.
* If you want to use NAT and non-routable IPs for whatever reason, however misguided, there is nothing in IPv6 preventing you from doing so, see also FC00::/7 link-local addresses
* Whether a network is routed or switched has as little to do with IPv4 as it does with IPv6, these topology decisions have nothing to do with the protocol.
Network armageddon (Score:3, Insightful)
"Many network experts argue we're nearing network armageddon, but they've been saying that for years." Say what?
"Network armageddon" is already here and we've been living in it for years. The horrors of NAT, the crampedness of addresses making configuration a pain, public addresses expensive, and so on. It's just not been a sudden catastrophe, it's been more like boiling a live frog by putting it in cold water and then slowly heating it.
most hated part of ipv6 (Score:5, Insightful)
Sure, ipv4 addresses were a little cumbersome but at least they were numbers and dots. 192.168.0.1. I can type that out on the numeric keypad. 2001:0618:71A3:0801:1319:0211:FEC2:82DC is just awful. Yeah, I know you need to have more characters in there to represent the value and a larger address space means it's going to be a larger number. Keeping the old ipv4 decimal scheme would make addresses look like 128.91.45.157.220.40.0.0.0.0.252.87.212.200.31.255. But I don't really see the hex as an improvement!
Short-sighted coding (Score:3, Insightful)
That it is not yet necessary to migrate is irrelevant. One may argue with the time frame (next year or in five years or ten), but nobody denies that IPv6 will eventually become commonplace, and before most of us retire. That means it is now necessary for software to support IPv6. Writing a network-using program now that does not support IPv6 addresses is like storing the year in two digits in the nineties. It will come back to bite you.
This is flat out bad advice (Score:2, Insightful)
It won't be armageddon. Slowly parts of the Internet will become unavailable and inaccessible to you as some sites become IPv6 only since they can't even get a valid IPv4 address. It won't be a disaster, it will be a slow loss of connectivity to the Internet as a whole.
Turning it off is horrible advice. You won't notice much of a difference right away, not until you start getting hits in search results that you can't actually fetch when you click on them. Talking to the entirety of the rest of the human race isn't a killer app exactly, but it is what the Internet is for, and by turning off IPv6 you are cutting yourself off from this benefit. Currently in a small way, but in an ever increasing way over time.
Re:I have read it... (Score:3, Insightful)
Too many people think Port Address Translation is NAT.
Re:From end-user perspective (Score:4, Insightful)
You're wrong on several counts. Within 2-3 years your ISP will most likely switch you to IPv6. Can you turn it off in Windows 7 without problems? In a word, no. Windows 7 has features that depend on IPv6, OS X probably does as well.
Those who really need to worry about it are those who do not like using ISP provided routers. Many routers do not support IPv6 unless you're running a custom build on them. Those people should be looking around for IPv6 enabled routers or switch to one that can use custom firmware to do the job.
The other set of people who should be concerned are those running Windows XP since support there is flaky at best.
IPv6 is here folks, my new home printer even supports it out of the box.
Re:From end-user perspective (Score:3, Insightful)
> Will I get less spam in my mailbox?
It's harder for a worm to propagate when 99.999% of address space is empty as opposed to being another windows box.
> Simply because of security for my home network I prefer a single point of entry, not a dozen.
Most people will probably continue to have one ISP connected by a firewall. Instead of NAT which inherently does stateful firewalling, they'll just have a simpler stateful firewall and skip the address translation tables.
> So one external IP address is simply enough for most of us.
How do I run a couple SIP phones, and a couple italk video conferences over a single ip address? It's a huge pain.
Re:Also... (Score:3, Insightful)
The hosts file blocks whichever HOST NAMES you put in (and give an unreachable address). This works equally well with ipv6 and ipv4, and the number of host names doesn't magically increase with ipv6.
Re:Won't even notice it (Score:3, Insightful)
Same here. There have been several instances where IPv6 has caused a lot of problems. I work for a local government and have 5000 new PCs being installed on my network and they are all getting IPv6 turned off on their images because it is annoying, to say the least.
As a network engineer I am not worried about IPv6. The most that will have to be done is our main firewall and/or router will maybe eventually have to be set up to accept incoming IPv6 addresses. But for our internal network, IPv4 won't go away anytime soon. I doubt if it ever will. There is just no reason to run IPv6 on an internal network unless you need some specific function of IPv6 on your internal network (which other than the mandatory IPsec integration and multicast additions I can't see anyone needing the larger address space or any other features on an internal network).
IPv6 seems to be more for ISPs and super-large networks than for the rest of us.
Issues with anonymity, etc. (Score:1, Insightful)
Ok, here's a stab.
The internet backbone becomes IPv6. However, your precious private network remains an insular IPv4 network behind a hardware IPv4 router, and an IPv6 gateway.
This way your whole IPv4 space looks like a single IPv6 address, and your network topology remains a secret. (Requires that you NOT directly connect the v4 network to the v6 network, because the v6 space has provisions for back-support of v4 space addresses. This is part of why there is a security issue.)
I somehow find it highly unlikely that IPv4 would be "Too constrained" for private use; it supports over 4 billion unique addresses. I somehow doubt that your private enterprise network would exceed that. A global internet? Yes -- I can see that. A private corporate LAN? No.
Much like private networks have been using the private "reserved space" (192.168.x.x) for years now behind NAT hardware, we would just decommission the whole v4 space, and use it as the reserved pool. The v6 address space is an order of magnitude greater than the v4 space, so doing this is a drop in the bucket. That would solve the whole problem.
Re:poorly informed (Score:2, Insightful)
> First of all, you are already using IPv6.
Who is? The author only said he experienced it, he didn't say he migrated to it! He's using internal addressing, which by assumption IPv4 is meant. If you disable IPv6 on your system, you are not using IPv6. This goes for both Windows & Linux.
The whole meltdown thing and needing an IPv6 address is a little perplexing to me since you get your IP from your provider. If you receive an IPv6 address, I can almost guarantee you that there will be a layer of IPv4 tunneling because there isn't going to be some mass exodus where people just stop communicating with IPv4 addresses. (the ultimate utopia, we're free of those lowlife IPv4'ers! *rolls eyes*) The two will coexist, and there will be a migration period where providers have 6to4 routers to communicate with between address schema. Maybe not perfectly, but better than the concept of having two disparate schema that don't communicate.
> In 2011, all v4 addresses will be assigned.
I'm sure the blocks assigned to the providers will continue to be used in the same way during the migration. There isn't some master DHCP server in Frankfurt, Germany that's providing addresses to everyone "logging onto the IntArweb". Address blocks were assigned years ago, and it's just a matter of them being assigned by the owning provider since they own the routing equipment with addresses that route that block.
What will happen is once all IP addresses have been assigned to the last ISP/Megacorp, there will be no more to assign in that way. Then, the only place to get an IPv4 address will be from the megacorps or the ISPs that have the addresses because they've hoarded them. Basically a shift of power.
IPv6, or whatever pops up as something logical, will indeed be the next addressing used. However, a worldwide shift instantly is asinine. We have enough problems with culture & accepted practices of just about everything, let alone addressing.
We're still a young and struggling world, 500 years since the dark age. I think IPv6 is a minor problem in comparison.
Re:Torrenting (Score:1, Insightful)
also very unlikely there are many seeding at ipv6.
and as soon as they do, the spooks will be the first to join the party.
IPV6 on Vista crashes some older home routers (Score:2, Insightful)
I've seen a number of situations where the DHCP servers on older home routers or the entire router itself will crash if you have IPv6 enabled on Windows Vista. It appears that the DHCP servers on some older home routers freak out when IPv6 clients make DHCP requests to them.
Before turning it on on your home LAN, make sure that your older home routers can handle it.
Re:No NAT, no glory (Score:5, Insightful)
It's not a religious taboo, it's just you not knowing what the hell you're talking about (and this happens every damn time an IPv6 story on slashdot shows up).
Except NAT doesn't do that. PAT [wikipedia.org] does that.
Except NAT doesn't do that. A firewall [wikipedia.org] does that.
You should not be doing any job involving networking with your current level of knowledge. If you don't even understand how current technology works how can you determine what is or isn't better for your customers?
Re:I have read it... (Score:3, Insightful)
> Network Address Translation Address Translation? Is that like an ATM machine or a PIN number?
I think it's a fair phrase to use, since the whole point of the post was some people confuse the concepts of NAT and stateful firewalls. So I'm writing about the "address translation" part of NAT not the helpful side effect of stateful firewalling.
"NAT address translation" is obsolete with ipv6 vs "NAT stateful firewalling" is better just called "stateful firewalling"
Re:From end-user perspective (Score:5, Insightful)
It is? I run hundreds of SIP phones complete with video calling behind NAT without a problem. It only becomes an issue when you have 10s or 100s of thousands of phones.
Why would the phones even need Internet access? You have your SIP proxy on your network which connects to your SIP provider or POTS provider depending how you like to deploy. It's a very simple setup, makes auditing really easy, and allows me to do tricky stuff like divert the video from the gate to the phone so whoever answers can choose whether or not to let them in.
Worms will propagate as they always have, properly firewalled setups have dramatically reduced this in IPv4 and the same will happen on IPv6. I keep hearing people speak of NAT like it's not a firewall but most of those people are forgetting that most NAT devices actually are real firewalls these days unlike the early days of NAT.
I'm not against IPv6 but I have to agree with the parent, it has to start with the ISPs before it really makes sense for the rest of us to change. ISPs are having enough trouble with current traffic levels however that I have no faith in their ability to launch anytime soon on any real scale.
Re:No NAT, no glory (Score:2, Insightful)
Back to reality, where you're just a pedantic twit. Anyone with any network experience knows exactly what he was talking about.
NAT is ubiquitously used as a synonym for PAT. I'd hate to work at the place where term nazis like you actually succeeded in getting folks to say "PAT" instead.
I have been in the industry for 12 years, worked with numerous large customer networks, gone to Interop, read lots of articles and research (I'm a network architect). Not once can I ever remember someone using the term "PAT" in a sentence. They'd say "Port address translation" or "NAT".
And saying that NAT does not obscure internal identities, only "firewalls" do is just stupid pedantics that ignores the actual usage of vocabulary in the industry.
Re:No NAT, no glory (Score:3, Insightful)
> ... the effect on reachability is almost exactly the same.
Not true. There are significant differences between NAT/PAT and stateful end-to-end.
To expose an internal service you need a NAT entry plus a firewall rule to allow the traffic versus only a rule with end-to-end.
If the protocol in use embeds IP addresses, then a special content mangling module has to be written to fix these embedded IP addresses while in transit. FTP is the canonical example of this insanity but there are plenty of these modules in existence that had to be written and the effect has been to force protocol designers to simplify because they want their traffic to pass through NAT/PAT setups. I think simple is better but who knows how things would have evolved differently had NAT taken such a large role in the IPv4 internet?
If two parties, both behind PAT, want to communicate directly then a firewall rule isn't enough to make this happen. You need a 3rd party or you have to switch to NAT on both ends. In an end-to-end setup if the rule is in place the packets can flow from either direction.
It's time to start including it in home routers. . (Score:5, Insightful)
It might not be time for residential networks and ISPs to flip the switch yet. . . but it's *definitely* time for all new home routers, DSL/Cable gateways, etc, to include full IPv6 compatibility. That way, when the ISPs decide it's time to turn on IPv6, they and their customers don't need to replace most of the hardware already deployed. IPv6 support at the vast majority of network endpoints needs to already be present before you can actually make the switch - you can't change the protocol and just force people to suddenly change.
ISPs need to start configuring networks to run in a dual-stack mode (at least as far as the end-user is concerned - once it hits the first ISP owned router, it could be all IPv6 from that point on), so that those who are ready to use IPv6 can start using it (yeah, you can use tunnel providers or 6to4 [which is really another sort of tunnel], right now, but that usually adds additional hops and latency to your connections - basically, if you are tunneling IPv6 traffic over IPv4, why bother using it to begin with).
Re:I have read it... (Score:3, Insightful)
NAT breaks end-to-end connectivity. Its main purpose in IPv4 is to deal with the limited address space. In the massive address space of IPv6, NAT is no longer necessary.
You can still NAT everything behind non-routable ULA addresses if you wish, but I see no reason to do so. If one takes this approach and later decides they need a specific port opened to more than one machine, i.e. port 80 for a couple new web servers, they won't be able to do this without re-numbering or setting up a couple new static NAT rules. Note: I specifically say a couple (or more than one) as this is specifically where dynamic NAT based port forwarding breaks down.
A much better approach is to keep everything on globally routable IPs and add a quick (hopefully default) firewall rule to deny all incoming traffic. This way you still protect your network from undesired incoming connections but still have an easy option later to open ports as needed without any of the limitations. This is exactly how I would set my IPv4 networks up today, if real IPs were actually available.
There MAY be niche scenarios where non-routable IPs are desirable in the IPv6 world, I honestly can't think of any. Can you?
Re:I have read it... (Score:1, Insightful)
The difference is vast. Sure, with IPV4 your ISP can log what you do. But with IPV6, you potentially[*] expose a universally unique identifier (MAC address) to every site you connect to. That's like having a single tracking cookie in your browser that any site can read and correlate with. Advertisers will love it. People like you won't care because "privacy is dead". Choose that for yourself if you want, but let me make my own choice, thanks.
*Apparently Windows by default will replace the MAC with a random number, making this somewhat less of an issue.
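The identifier exposure described in the comment above, as an added example that is not part of the original thread: when an address is autoconfigured in modified EUI-64 form, the interface's MAC sits in the low 64 bits and stays the same on every network, which is what the RFC 4941 privacy extensions mentioned earlier in the thread avoid. The sample addresses are constructed (documentation prefix, made-up MAC), apart from the interface identifier borrowed from the address quoted elsewhere on this page; the `ff:fe` check is a heuristic, since a random identifier can contain those bytes by chance.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: addresses one laptop might hold on two networks.
SAMPLE_ADDRESSES = [
    "2001:db8:a:1:211:22ff:fe33:4455",   # network A, EUI-64 derived
    "2001:db8:b:9:211:22ff:fe33:4455",   # network B, same interface identifier
    "fe80::211:22ff:fe33:4455%eth0",     # link-local, never leaves the link
    "2001:db8:a:1:1319:211:fec2:82dc",   # identifier not in EUI-64 form
]


def parse(address):
    """Parse an IPv6 address string, ignoring any %zone suffix."""
    return ipaddress.IPv6Address(str(address).split("%", 1)[0])


def eui64_mac(address):
    """Return the MAC embedded in a modified EUI-64 identifier, or None."""
    iid = parse(address).packed[8:]          # low 64 bits
    if iid[3:5] != b"\xff\xfe":              # filler bytes inserted by EUI-64
        return None
    # Undo the universal/local bit flip, then drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def stable_identifiers(addresses):
    """Map each embedded MAC to the routed /64 prefixes it appears under."""
    seen = defaultdict(set)
    for text in addresses:
        addr = parse(text)
        if addr.is_link_local:               # not visible to remote sites
            continue
        mac = eui64_mac(text)
        if mac is not None:
            prefix = ipaddress.ip_network(f"{addr}/64", strict=False)
            seen[mac].add(str(prefix))
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}


if __name__ == "__main__":
    for mac, prefixes in stable_identifiers(SAMPLE_ADDRESSES).items():
        print(mac, "visible under", prefixes)
```

Running this over the addresses your own hosts actually hold shows whether privacy extensions are in effect: an empty result means no routed address carries the hardware address.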
Re:Excuse me? (Score:3, Insightful)
It's like walking into a manager's office, and the manager is complaining about how much he hates his computer, an old 486, that works, albeit badly. In a corner is an unopened shipping carton, containing a modern PC, that's been sitting there for a few months. The manager doesn't want you to set it up, because he's having enough trouble with the computer he's got.
Re:Won't even notice it (Score:3, Insightful)
> The only time you would ever have a problem is if someone installs a device that answers those requests with invalid responses
I think it's fixed now, but when Vista was launched it would always advertise itself as a 6to4 tunnel provider, even if it didn't have a publicly routable IPv4 address. This broke every other dual-stack machine on the local network.
Re:Ah, Yes, 'Let Someone Else Worry About It' (Score:3, Insightful)
Going to be difficult for all those billions of LAM(ysql)P users until they get a better way of storing them.
Apparently support for ipv6 is "Status: On-Hold - Priority: Low". So it looks like we're all going to have to migrate to LAP(ostgres)P.
Or just store them in strings, which is what the MySQL software I know about does for IPv4 anyway. Just make the string field a bit longer.