
There Is No Plan B, the Ugly Transition To IPv6

An anonymous reader writes "The Internet is running out of IPv4 addresses — not at some point in the future, but right now. But the only solution to the problem, IPv6, is just now really starting to be deployed. That's why we're all in for some tough times ahead."

  • Does anyone know.... (Score:1, Interesting)

    by Anonymous Coward on Thursday September 30, 2010 @09:21AM (#33746048)

    ...how many patents related to IPv6 were filed until now?

  • Nobody cares. (Score:5, Interesting)

    by ledow ( 319597 ) on Thursday September 30, 2010 @09:31AM (#33746122) Homepage

    Nobody cares, nor needs to, except the ISP's and hosting outfits. If they provide a nice 6-4 proxy (or whichever way around it is), 99.999% of users can continue doing everything they normally do. I've done it on several of my machines in the past, been in the IPv6 net and browsed IPv6 websites to confirm it, and I never once had to touch my IPv4 config or do anything too fancy - certainly nothing that an ISP couldn't do transparently from their side of the net.

    It's an issue if you're hosting websites, because then your site needs to be accessible from the IPv6 addresses, but that's an issue for the hosters, most of the biggest of which are managed hosting outfits that can switch that on overnight if they haven't already - if they are allocating static IPv4 addresses, it's just a matter of translating and passing on IPv6 requests for a recognised IPv4 equivalent address to an internal IPv4 network. The root DNS servers are running IPv6 already, etc. There's absolutely nothing to stop this just working on most people's machines today and, no, not every machine needs to upgrade to IPv6 addressing in order to do that. In fact, if anything, suggesting that internal business networks suddenly become IPv6 addressable is the most stupid suggestion in the history of the world - most places just want a "4-6 converter" in layman's terms and they'll tick along quite nicely on their internal 10, 176, and 192's without caring. Most places would run absolutely fine, the only place it matters is the extreme borders of the Internet.

    People don't run IPv6 not because of any of those reasons in the article but because a) they haven't heard of it, b) ISP's don't support it or won't do it for them automatically and c) a lot of OS's never come preconfigured to use IPv6 if it's available. Oh, and of course, d) nobody will care until their IP address allocation requests start getting turned down.

    It's not a big deal, it's not going to kill NAT's and 30 years from now there will STILL be local networks, internal VoIP systems, print-servers and whatever else using IPv4 addressing because it's a damn sight easier to leave a working config alone than to upgrade/replace every bit of hardware that touches IP. I can use IPv6 today. There's absolutely no need to until every link in the chain supports it and that's still YEARS away even with US government backing. And even then, IPv4 isn't going anywhere - it's just being superseded. It's like saying that all SSH servers have to switch to SSH2, or all wireless LAN's to 802.11n - it'll happen, and a little nudge won't hurt, but overall people just don't care enough for the majority of cases and their old stuff will still work on IPv4 in 20-30 years time if it's still operational.

    Tell me when even 5% of the websites that I use regularly are available over IPv6 and I'll look at setting up my VPS to do the same.

  • This is really sad (Score:5, Interesting)

    by Omnifarious ( 11933 ) * <eric-slash@nOsPAM.omnifarious.org> on Thursday September 30, 2010 @09:34AM (#33746140) Homepage Journal

    And at every job I've worked in the past 5 years, management has completely had their head in the sand about it. :-( And none of the developers understood enough about IPv6 to push in an even faintly credible way. :-(

    I've been running IPv6 on my home network since about 2002. It's just not that hard. In fact, it's a lot easier than running IPv4. My IPv4 home network has a seriously contorted configuration because of the constrained addressing. When I wasn't even given a block of IPs but instead given X number of individual IP addresses it was even worse. My IPv6 network, OTOH, is configured quite simply and obviously.

    OTOH, even though I've had an IPv6 DNS server for ages, my stupid registrar STILL does not support IPv6 glue records. It's ridiculous. The standard has been stable enough to do something like that for at least 3-4 years now. I just want to strangle them.

    Last I checked, we only have about 200 days before ARIN stops being able to hand out new IPv4 addresses. It's around 7 months. After that, hosts start appearing on the Internet that only have IPv6 addresses. The connectivity breakage will be slow, subtle and inexorable. I bet it takes the tech industry at least another 5 or 6 years before they have to fix the problem or not have customers, and I bet it won't be fixed before then. So very very stupid.

  • Re:Article invalid (Score:4, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday September 30, 2010 @09:35AM (#33746146) Homepage Journal

    blablablabla. 99% of the times, NAT is in conjunction with a stateful firewall. That's why people say NAT = FIREWALLED.

    And yet, if you RTFA (I know, I must be new here) he talks about how dropping NAT led to having to use a firewall.

    Windows ICS NAT never saved anybody. The machine which would be compromised is behind another system of the same or similar OS and vulnerabilities.

  • Re:Procrastination (Score:2, Interesting)

    by Enderwiggin13 ( 734997 ) on Thursday September 30, 2010 @09:37AM (#33746182)
    Only if you consider the possibility of getting a letter from the RIAA/MPAA's lawyers trying to blackmail you for several thousand dollars because some teenager sharing your IP via NAT decided to torrent the latest Uwe Boll movie "disastrous".

    Although, I guess if sharing IPs will make it more difficult for the RIAA/MPAA to "legally blackmail" people it can't be all bad.
  • Re:Article invalid (Score:2, Interesting)

    by aliquis ( 678370 ) on Thursday September 30, 2010 @09:38AM (#33746200)

    Nah you just ping the address you know and the machine behind that one still gets borked.

    Great.

    I doubt OMGYOUCAN'TPINGME is the greatest benefit.

  • by TheRaven64 ( 641858 ) on Thursday September 30, 2010 @09:44AM (#33746256) Journal

    While that might have been a better design, smarter people than me decided it wasn't practical to approach it that way

    The problem with the approach is that it's very difficult to do in a way that doesn't break backwards compatibility, and if you're going to break compatibility then you may as well fix other things at the same time.

    One option, for example, might have been to get rid of the port field as a fixed length and make network, machine, and port number all combined in the same way that network and machine addresses are now. This would let you have, for example, 256 ports per machine while getting 256 times as many IP addresses, or doubling the available addresses at the cost of only having 32K ports per machine. Only the routers at the very last hop would need any modification for this to work. Since you only need a unique port for each app that connects to the Internet (you can reuse ports, as long as the remote end is different), 2^16 is a lot more than most machines need, and losing 3-4 bits from the port field would be a lot more convenient than NAT for a lot of home users.

    Of course, that would still not be a good long-term solution. After a little while, you'd end up with the port field being shortened so much that people would complain. You'd also have the problem that, to actually use the variable-length port field, every machine on your local segment would need an upgraded network stack, and protocols that expected to be able to use high port numbers would have serious problems.

    The effort in deploying such a solution would only be slightly lower than the effort of deploying IPv6 and it would be a significantly inferior long-term fix.

  • Re:Reclaim Some? (Score:2, Interesting)

    by ElectricTurtle ( 1171201 ) on Thursday September 30, 2010 @09:51AM (#33746338)
    Well, if it helps any, xkcd has a map [xkcd.com] of who controls various blocks (across classes).
  • by anti-NAT ( 709310 ) on Thursday September 30, 2010 @09:52AM (#33746346) Homepage

    attackers don't only come from the Internet. The "hard shell, gooey centre" security model is doomed now that people are buying laptops, ipads, iphones etc. Mobile devices need to protect themselves, and since everybody is buying mobile devices, upstream network located firewalls are losing their effectiveness.

  • by martyw ( 1911748 ) on Thursday September 30, 2010 @10:05AM (#33746532)
    Is it not entirely impossible that IP vendors, network providers, ISPs and hosting companies have already accumulated or say squatted on enough 4-byte IPs to take advantage of the upcoming IP shortage situation and are not rushing the much needed IPv6 hardware deployment as they should?
  • Re:Reclaim Some? (Score:1, Interesting)

    by commodore64_love ( 1445365 ) on Thursday September 30, 2010 @10:11AM (#33746602) Journal

    >>>they sure aren't using them.

    AOL now has more subscribers in 2010 than they did in 2000. And I'm one of them (Netscape ISP at $7/month). Not sure where you got the idea they are using less IPs than before??? Your comment kinda reminds me of those who say "analog television frequencies aren't being used any more". And then they suggest using them for cellular phones/internet. But the reality is that those frequencies ARE being used: By digital television (channels 2-51) and Emergency Radio (52-59) and cellphones (60-69)(approximately). Every inch of space is assigned.

    Just because you BELIEVE something is no longer in use, doesn't mean it's true :-)

    Oh and as for the IPv4 to IPv6 transition, it probably won't be a big deal. The government got all excited and bothered over the analog-to-digital transition, and it went off just fine. There were a few problems with people who forgot to upgrade their antennas from small to large, but those were quickly ironed out.

  • what stuns me... (Score:1, Interesting)

    by Skal Tura ( 595728 ) on Thursday September 30, 2010 @10:21AM (#33746716) Homepage

    is why didn't we just go for an extension?

    Normal IPv4 is 4 sections, for IPv6 we could have added 2 sections, making IPs such as:
    150.150.150.150.150.150

    Simple to understand, minimal hardware & software changes. Of course, some new features will be lacking but in any case...

    Putting the remaining 2 sections on separate portion of the packet, keeping the first 4 sections normal, would allow legacy hardware to route these, yet trivial to make new hardware to understand.

    We could have even gone for extensible protocol, address minimum of 4 sections, but at will the endpoint can allow for extension of N length.
    Thus we'd need only a *single* IPv4 address per ISP for example, and they are free to give out as many as they want from that.

    All the midpoints would route these trivially, and the endpoint is the only one needing to translate the last sections, making no tunneling necessary as you could visualize tunnels created automatically, without any problems.
    This would have made minimal to no impact whatsoever for backbone networks at this moment, all it would have needed are:

      - Some new edge routers for those who wish to extend
      - Software update to operating systems of trivial level
      - Instead of Class Cs given for new applicants, you give just a Class D (what is now single IP address)

    The transition would have been smooth and easy, and if started when IPv6 came around, it would be supported by now widely by all operating systems, switches etc. only a marginal group of legacy systems do not understand.

    Legacy system support:
      - They are made to believe they have IPv4 address "Class D"
      - Something like NAT is used to translate this based upon MAC address of the NIC.
      - No downsides of NAT
      - All benefits of NAT
      - Basically the same method "extensions" are being done, this time just in reverse.
      - Lightweight
      - Downside: Still needs packet manipulation at the switch (edge switch in case of ISPs)

    This would have been *über* easy to accomplish, and can be easy to accomplish EVEN TODAY.

    New software for some DSLAMS or Edge switches: Do reverse extension address translation. Done deal, no OS updates required for typical home user. Of course, that is very limited support.

    OSs need to be updated for full feature set, such as extensible addresses used in typical lower level network tools (ping, traceroute as an example, which typical users DO NOT use).
    On Phase 1 it would act 100% just like NAT. No support for servers as of yet tho.

    Getting servers of extended IP address to work for OSs not supporting extended IPs is the tricky portion, but as of today is not required (enough IPs to go around for servers at the moment), and could follow up in several years. Those left behind, are left behind, nothing around that.

    There are multiple solution routes for that as well if legacy systems are needed to make connection to extensible IP addresses, translations done on the switch. All of these need to be researched what their impact is.

    One solution is to dynamically map reserved areas of IPv4 space, or 1 class A set aside for this. The switch assigns for an extended IP address a regular IPv4 address from this space, allocated for this MAC address at request time. We manipulate DNS results according to this data from regular response.

    - System requests dns for slashdot.org
    - Switch detects this and waits for response
    - Response is arriving, switch looks into the results: (changed to extended)
    slashdot.org. 3583 IN A 216.34.181.45.100.100

    Changes response IP to:
    224.216.100.100

      - connects to 224.216.100.100 (224.x.x.x is reserved/unusable space)
      - switch translates that to 216.34.181.45.100.100 and does NAT for the connection

    How this is *NOT* done for modern system: Modern systems in the initial request (origin IP) had the extended IP. NAT disabled for this system.

    Acquiring IPs:
      I'm not familiar with DHCP protocol enough to envision a proper scenario, but my guess is we can extend the protocol trivially.

    Please prove me wrong that this wouldn't work so I can rest easy.

  • Plan B (Score:4, Interesting)

    by Spazmania ( 174582 ) on Thursday September 30, 2010 @10:28AM (#33746802) Homepage

    For your information, plan B is ISP NAT and a zero-sum game address transfer market. That would allow us to reallocate upwards of 80% of IPv4's addresses, extending the life of IPv4 some 10 to 20 years. It's not a fun prospect, but it's eminently workable -- perhaps even more so than IPv6.

    So, anyone who says there's no plan B doesn't know what they're talking about.

  • by Cyberax ( 705495 ) on Thursday September 30, 2010 @10:34AM (#33746884)

    So why do we need an entire replacement protocol?

    Let's see, IPv6 autoconfiguration is nice, but DHCP is working fairly well by now. So no need for a new protocol here. No checksums for mutable header IP fields? Nice, but does it require a whole new protocol?

    What else? Multihoming? Nope, IPv6 doesn't help here. Mobile IPv6? That's just a result of a large address space, so nothing new here.

    So, why do we need a replacement protocol if not because of a larger address space?

  • by rickb928 ( 945187 ) on Thursday September 30, 2010 @10:44AM (#33747000) Homepage Journal

    Really?

    Well, ok, a little recap:

    IPV6 has been resisted by virtually all major players, with few exceptions.

    IPV6 is poorly tested in the real world. We will see massive problems getting it working.

    IPV6 WILL WORK. It will take some time.

    IPV6 will coexist with IPV4 poorly, and we will see a dramatic changeover as the critical mass of IPV6 nodes comes online, and IPV4 is more trouble than it's worth to keep around for a little while longer. My estimate, 3 years.

    Asia will lag behind in IPV6 adoption.

    Some interesting points:

    The U.S. Department of Defense holds 11 Class A blocks. If they could reduce their usage to just 3, we could give IPV6 another 3 years of grace. But:

    - If we give IPV6 3 more years, it will still take 3 years from then to substantially implement it. And the industry will take those 3 years to avoid the pain.

    - The DOD will need at least 5 years to reorganize and give back those Class A blocks. The Navy alone will need 2 years to negotiate with EDS/HP to make the changes. Read up on NMCI and you will recognize a genuine military-grade CF. NMCI is a failure. IPV6 would merely give EDS/HP another opportunity to gouge the service. They rarely miss these opportunities.

    - There are several Class A block owners that look like better candidates for either conversion or elimination. None seem ready to do what the DOD would have to do, i.e. spend massive amounts of time and money to make a change for the community, without any real benefit to them.

    Just some personal IPV6 observations:

    I had two different Fedora distros fail for me at home because IPV6 was turned on and both my router (Linksys WRT54G stock F/W) and my ISPs (Cox and Qwest) fritzed their IPV6 implementations. No, wait, both ISPs had no working IPV6 in the Phoenix area in 2005-2008, despite claims to the opposite. The Linksys I will probably have to reload with something more useful, but it's the early one that can take a lot of new firmware.

    Oh, and turning off IPV6 in each Fedora release required different and arcane methods. A hint to the Linux community - common and stable configuration methods would be a blessing. And not just a GUI. I know, security, security, security. I can assure you, my broken Fedora builds were secure, even from me. A stopped clock is right twice a day.

    I think my Ubuntu distro left IPV4 on and IPV6 off, but I haven't looked. It works, and has for 3 years.

    Despite the clamoring for IPV6, it just has no traction. Why bother yet? Like a lot of things, crisis will have to escalate to failure before this gets fixed.

    If Jon Postel were still with us, he would have already made this happen. I miss him so. We need individuals that drive Internet management and administration, not groups. Internet by committee is failing. Can we not find anyone trustworthy to lead Internet functionality at this level?

    No, Stallman is not the answer. And nobody at Sun/Oracle either.

  • Re:Reclaim Some? (Score:4, Interesting)

    by troon ( 724114 ) on Thursday September 30, 2010 @10:55AM (#33747206)

    Seriously why do 3/4ths of these companies even have /8 addresses? do every one of their workstations in the company have a publicly routable address on them?

    Ford certainly use addresses in their 19.0.0.0/8 space for employee workstations, even though none of those machines is accessible from outside.

  • by AbbeyRoad ( 198852 ) <p@2038bug.com> on Thursday September 30, 2010 @10:58AM (#33747274)

    Basically, this is what is going to happen:

    Some ISP somewhere with a /20 is going to project that in 6 months time they will be out of IPs,
    and it's going to be too expensive to buy another /20.

    So they are going to buy some Cisco-hardware-NAT-appliance and say to their customers: "look here,
    you are all on NAT from now on, if you want a real IP you pay extra."

    This NAT box will NAT a /20 to a /24 of temp addresses+ports. It will be plug-n-play and
    easier than setting up IPv6.

    99.9% of customers won't read the announcement and won't notice. They are all NATing through
    their DSL modems anyway, and this Cisco equipment will have hacks for all those special
    apps that need it to work behind double NATing.

    And no one will ever think of switching to IPv6

    -paul
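
The /20-to-/24 ISP NAT described in the comment above also changes how traffic is attributed to a subscriber: one public address now stands for 16 customers. An added example, not part of the original post, assuming a deterministic port-block mapping in the style of RFC 7422 (the post only says "temp addresses+ports"; a dynamic NAT would need per-session logs instead). The address ranges, function names and log lines are constructed for illustration.

```python
import ipaddress

# Constructed sample ranges, not taken from the post.
INSIDE = ipaddress.ip_network("100.64.0.0/20")    # subscriber side (RFC 6598 shared space)
OUTSIDE = ipaddress.ip_network("203.0.113.0/24")  # public side (RFC 5737 documentation range)
PORT_MIN, PORT_MAX = 1024, 65535                  # assumption: well-known ports are never handed out


def plan(inside=INSIDE, outside=OUTSIDE):
    """Return (subscribers per public address, ports per subscriber)."""
    ratio = inside.num_addresses // outside.num_addresses
    block = (PORT_MAX - PORT_MIN + 1) // ratio
    return ratio, block


def forward(subscriber, inside=INSIDE, outside=OUTSIDE):
    """Map a subscriber address to (public address, first port, last port)."""
    ratio, block = plan(inside, outside)
    addr = ipaddress.ip_address(subscriber)
    if addr not in inside:
        raise ValueError(f"{subscriber} is not in {inside}")
    idx = int(addr) - int(inside.network_address)
    public = outside.network_address + idx // ratio
    first = PORT_MIN + (idx % ratio) * block
    return str(public), first, first + block - 1


def reverse(public, port, inside=INSIDE, outside=OUTSIDE):
    """Map an observed public address and source port back to one subscriber."""
    ratio, block = plan(inside, outside)
    addr = ipaddress.ip_address(public)
    if addr not in outside or not PORT_MIN <= port <= PORT_MAX:
        return None
    slot = (port - PORT_MIN) // block
    if slot >= ratio:          # leftover ports when the range does not divide evenly
        return None
    idx = (int(addr) - int(outside.network_address)) * ratio + slot
    return str(inside.network_address + idx)


def candidates(public, inside=INSIDE, outside=OUTSIDE):
    """Every subscriber sharing one public address: all a port-less log can tell you."""
    ratio, _ = plan(inside, outside)
    addr = ipaddress.ip_address(public)
    if addr not in outside:
        return []
    base = (int(addr) - int(outside.network_address)) * ratio
    return [str(inside.network_address + base + i) for i in range(ratio)]


# Constructed server-side log lines: "timestamp source[:port] request".
SAMPLE_LOG = [
    "2010-09-30T10:58:01Z 203.0.113.1:6000 GET /index.html",
    "2010-09-30T10:58:07Z 203.0.113.1 GET /login",
    "2010-09-30T10:59:12Z 203.0.113.255:65535 GET /feed",
]


def attribute(lines):
    """Return (timestamp, possible subscribers) for each log line."""
    results = []
    for line in lines:
        ts, src, _request = line.split(" ", 2)
        if ":" in src:
            ip, port = src.rsplit(":", 1)
            results.append((ts, [reverse(ip, int(port))]))
        else:
            results.append((ts, candidates(src)))
    return results


if __name__ == "__main__":
    print("subscribers per address, ports each:", plan())
    for ts, who in attribute(SAMPLE_LOG):
        print(ts, len(who), "candidate(s):", who[0], "..." if len(who) > 1 else "")
```

The second sample line, logged without a source port, resolves only to a set of 16 subscribers, which is why servers facing shared-address clients need source port and an accurate timestamp in their logs.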

  • by gbrandt ( 113294 ) on Thursday September 30, 2010 @11:04AM (#33747364)

    A friend of mine just colocated his server. The colo he used gave him 4 or 5 IP addresses for his single computer. Even though he is running VM's, he does not need 4 IP's.

    This kind of thing is happening everywhere. Cleaning up that kind of junk will give us time to convert to IPv6

  • Re:Reclaim Some? (Score:3, Interesting)

    by Anonymous Coward on Thursday September 30, 2010 @11:08AM (#33747434)

    That is a 2006 map. So it's out of date. But first, the outright errors:

    Top right block? Instead of green grass it ought to be missing. There is no way to use that space for anything, because it was marked as class D experimental space and so various devices (including old Windows PCs) exist which won't believe such addresses are Unicast. No way to fix that in reasonable time.

    10 is green on the map. But it's reserved. The lack of _public_ addresses in 10/8 is necessary in order for them to work as _private_ addresses, so we can never allocate these publicly.

    Now onto the updates:

    77-79 marked "unused"? Not any more.

    The green area (172 upward) in the bottom right? A few islands are left, but the vast majority is now earmarked, and a lot is already in active use.

    The grass around "North America" in the bottom part of the map is depleted, but some is still there. The 92-95 lump sticking into "Europe" is all used though, as is all the stuff toward "Asia-Pacific" from 112 and up.

    Today there are 14 of those grassy square blocks left to allocate. There are 5 RIRs (ARIN, RIPE, APNIC, AfriNIC, LACNIC) and they'll each get one last block no matter what, as a sort of "farewell, and good luck". So there are nine blocks left before that happens. Typically 2-3 are assigned at a time. So we may be only three more assignments away from Exhaustion. It could happen in six months, or nine, but it won't be years.

  • Re:Ford (Score:3, Interesting)

    by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Thursday September 30, 2010 @11:18AM (#33747550) Homepage Journal

    NAT didn't exist in its present form when these addresses were handed out. The assumption was that every machine on the Internet was a routable entity unto itself.

    IPv6 brings back that concept, with all its benefits and security issues.

  • Re:Reclaim Some? (Score:5, Interesting)

    by Gerald ( 9696 ) on Thursday September 30, 2010 @11:29AM (#33747702) Homepage

    4) It's Just Not Fair. Why should Ford, Apple, and HP be forced to give their /8s back when Level 3 and AT&T get to keep and resell theirs?

  • Re:Reclaim Some? (Score:1, Interesting)

    by commodore64_love ( 1445365 ) on Thursday September 30, 2010 @11:33AM (#33747762) Journal

    >>>hahaha, no.

    hahaha, yes. If a webpage takes 10 seconds to load on my home DSL, and 10 seconds to load on Compressed Dialup, that means the dialup "looks" as fast as the DSL. - The reason why it's faster is because HTML/text is compressed to 5% original size and images are compressed to 10% original size. Sure the images look like crap but so what? They're mostly junk ads anyway.

  • Re:Right now? (Score:3, Interesting)

    by XanC ( 644172 ) on Thursday September 30, 2010 @11:43AM (#33747904)

    If you can think of a way to expand the address space without expanding the number of bits in the address, I think there's a Nobel prize in it for you.

    But to answer your concern, you should look into this cool new technology: http://en.wikipedia.org/wiki/Domain_Name_System [wikipedia.org]

  • Re:Reclaim Some? (Score:2, Interesting)

    by wirez-wildhack ( 809523 ) on Thursday September 30, 2010 @12:54PM (#33748926)
    I got shit canned by University of Chicago Hospitals for threatening to report their network manager, Tony Rubino to ARIN for misuse of their multiple class B address space. As the SOP, they use public address space on workstations that do not have internet access. RFC1918 address space would have been more appropriate here. Their utilization, as seen by the outside internet, is less than 1%. Last laugh will be on them when they are effectively forced to deploy IPv6 (or RFC1918 space for that matter) in the future. It's great, as a network engineer, to be able to say, "I TOLD YOU SO!" Many of these large companies, like Ford and IBM do the same thing as U of C Hospitals. I've worked for Ford and IBM as well in the past and the mindset is all ego based. One Ford engineer told me "We're too big to have ARIN take back space." Push is coming to shove and in 2011 I expect ARIN to be auditing and scrutinizing companies a lot closer on their RFC2050 compliance as outlined in the ARIN IP usage/utilization agreement. Just my two cents worth.
  • Re:Plan B (Score:3, Interesting)

    by sjames ( 1099 ) on Thursday September 30, 2010 @03:07PM (#33751042) Homepage Journal

    As long as you just want to be a consumer of web and mail, it works to a degree (it will require some big honking firewalls to do the NAT), but if you actually want to serve content, ssh to your home machine, or do anything even slightly off of the norm, you might as well just cut the cable because it's not going to happen.

    Just forget it is NOT plan B, it's just giving up.

    That's a real shame when v6 is actually quite easy to set up and even the ancient XP machines can handle it.

  • Re:Right now? (Score:3, Interesting)

    by jbolden ( 176878 ) on Friday October 01, 2010 @07:44AM (#33757248) Homepage

    Maybe, maybe not. I'm not so sure it is harder now. We are just far more cowardly than we were in the mid 1990s and far less staffed up for change. Heck we got the country moved from DOS to Windows which meant replacing essentially all the hardware. We got the whole world hooked up on local lans, which involved physically touching every computer in the USA.

    We scoped it, we did it.
    What's changed is that:

    1) People are much more dependent on the internet.
    2) We've lost the manpower we used to have

    I'd love to see IPV6 help fix (2).

    The internet was undergoing explosive growth in 1995 people were distracted and focused on change that was happening monthly. There really is nothing complex about doing the shift to IPV6 by 1990s standards. You go in, you tell people how to switch to the new system, you replace the old equipment with the new; configure away any bugs.

    Further, the internet is big enough now that the FCC for example could just declare various days that things happen.

    Feb 1, 2011 all ISP must provide IPV6 technology or lose their right to use of telecommunications / cable company interconnects for data.

    April 1, 2011 All corporations operating in the United States with over 50 employees must have a list of all routers and switches not IPV6 capable or lose their right to business class connectivity.

    etc.... It really isn't that hard to do as a series of dictates. The US government used to lead on technology shifts. They refused to do so under the GW Bush administration but that doesn't mean they couldn't go back to leading like they did under Clinton and HW Bush.

    So in 1995 it would have been much easier when getting on the internet was supposed to be hard, and people expected it to be tricky and thus followed instructions. Also far fewer protocols you had to get working all at once. On the other hand you don't have a unified infrastructure. In 1994 I still would have believed that gopher was a more important protocol than HTTP as far as information sharing.

    Moreover I'm not even sure people would have wanted it. I would have wanted a much more hierarchical internet like we had but were losing. That sort of internet allowed for community, a low security environment. Things like spam, heck advertising didn't exist. I wouldn't have seen enabling commercial activity the way it exists today as a good thing. I probably would have been against the massive proliferation which is the whole point of IPV6. Widespread internet ubiquity destroyed accountability. We still had an open internet in 1995. If I could have looked 5 years in the future I'd see how cool the commercial internet would become and absolutely I'd say that's worth losing the open internet. But in 1995?

    Remember the commercial people were online service providers that offered internet as a gimmick on top of their core offerings.

    So no, I don't think it's harder now. It's more work, absolutely, but that's not the same thing.
