If You Think You Can Ignore IPv6, Think Again

wiredmikey writes "Now that the last IPv4 address blocks have been allocated, it's expected to take several months for regional registries to consume all of their remaining regional IPv4 address pool. The IPv6 Forum, a group with the mission to educate and promote the new protocol, says that enabling IPv6 in all ICT environments is not the endgame, but is now a critical requirement for continuity in all Internet business and services. Experts believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance. During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date. This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. If you think you can ignore IPv6, think again."
  • Re:ISP (Score:4, Informative)

    by Red Flayer ( 890720 ) on Friday February 04, 2011 @06:21PM (#35107466) Journal

    And not just any porno: the kinkiest, highest-resolution, full-length nastiness the Feds can commission.

    Have you ever plumbed the depths of usenet? Or /b/?

    I don't think having people gouging out their eyes with grapefruit spoons is the best way to handle this.

  • Re:ISP (Score:4, Informative)

    by tysonedwards ( 969693 ) on Friday February 04, 2011 @06:25PM (#35107512)
    With Cisco, End-of-Life and End-of-Support are two wildly different things... To Cisco, End-of-Life means "no more updates", while End-of-Support means "you can call us up for help, and we will provide you with a replacement unit if yours fails". End-of-Support is typically 5 years after the End-of-Life announcement, however there are the random exceptions like their VPN Concentrators.
  • Re:ISP (Score:5, Informative)

    by tweak13 ( 1171627 ) on Friday February 04, 2011 @06:26PM (#35107522)

    I'd rather have NAT for v6 too

    Why?

    There are always so many people saying they want NAT, but if addresses are plentiful then it serves absolutely no purpose. I think that most people who see it as necessary are confusing its function with a firewall. You do not need NAT to do the same things your home router does today. You can still block all incoming connections to a computer and allow all outgoing connections. You can still allow specific ports to be opened to specific machines.

    Using a public address on your internal network doesn't automatically mean that you need to just allow any traffic in. Use a firewall to "stealth" every port and there will continue to be no evidence that you have a computer there.
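The point in the comment above, that the protection people attribute to NAT actually comes from stateful filtering, can be shown without any address rewriting at all. The following is an added example written for this page (not code from any poster or from a real firewall): a minimal connection-tracking filter over a constructed documentation prefix, where inside hosts keep their public addresses, outbound flows are remembered, unsolicited inbound packets are dropped silently, and a port can still be opened for one specific host. The prefix, host addresses and port numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example prefix (documentation range). Every inside host keeps its
# own globally routable address; the filter never rewrites it.
LAN = ipaddress.IPv6Network("2001:db8:1:2::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Minimal connection-tracking filter: outbound is allowed and remembered,
    inbound is allowed only as a reply to a remembered flow or to a port that
    was explicitly opened for a specific inside host. No address translation."""

    def __init__(self, lan=LAN, allowed_inbound=()):
        self.lan = lan
        # (inside host, port) pairs deliberately exposed, like a port forward
        self.allowed = {(ipaddress.IPv6Address(h), p) for h, p in allowed_inbound}
        # remembered outbound flows: (inside ip, inside port, outside ip, outside port)
        self.flows = set()

    def process(self, pkt: Packet) -> str:
        src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
        outbound = src in self.lan and dst not in self.lan
        inbound = dst in self.lan and src not in self.lan
        if outbound:
            self.flows.add((src, pkt.sport, dst, pkt.dport))
            return "ALLOW"
        if inbound:
            if (dst, pkt.dport, src, pkt.sport) in self.flows:
                return "ALLOW"          # return traffic for a flow we opened
            if (dst, pkt.dport) in self.allowed:
                return "ALLOW"          # service the owner chose to expose
            return "DROP"               # unsolicited: dropped silently, no RST
        return "DROP"                   # neither side is ours


def demo():
    """Constructed traffic: an outbound HTTPS flow, its reply, an unsolicited
    probe at an unexposed host, and a connection to the one exposed service."""
    fw = StatefulFilter(allowed_inbound=[("2001:db8:1:2::20", 22)])
    flow_out = Packet("2001:db8:1:2::10", 50000, "2001:db8:ffff::1", 443)
    reply = Packet("2001:db8:ffff::1", 443, "2001:db8:1:2::10", 50000)
    probe = Packet("2001:db8:ffff::2", 4444, "2001:db8:1:2::10", 22)
    exposed = Packet("2001:db8:ffff::2", 4444, "2001:db8:1:2::20", 22)
    return [fw.process(p) for p in (flow_out, reply, probe, exposed)]


if __name__ == "__main__":
    print(demo())   # ['ALLOW', 'ALLOW', 'DROP', 'ALLOW']
```

The verdicts are the same ones a home NAT box gives today; the only thing missing is the translation step, and nothing in the security outcome depended on it.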

  • Re:Qwest (Score:5, Informative)

    by Wingman 5 ( 551897 ) on Friday February 04, 2011 @06:26PM (#35107524)

    What they said translates to "We are putting you behind a carrier grade NAT, you will no longer have a public IP unless you pay us extra for it."

  • Re:IPv6 sucks (Score:5, Informative)

    by Junta ( 36770 ) on Friday February 04, 2011 @06:29PM (#35107558)

    The former is a tad old and mostly fixed by NAT64.

    On second:

    they created a totally new problem by avoiding arp. the benefit of their layer-2 discovery mechanism has been absolutely zero; the best unit of measure for the cost of that decision is "decades".

    ICMPv6 neighbor solicitation at *worst* case 'degrades' to ARP-type behavior. In very well behaved layer 2 networks (almost none, admittedly) it greatly reduces load at large scale of system. I don't see why avoiding ARP costs 'decades'.

    they created an entirely new and huge problem (destroying SIOCGIFCONF backwards compat hurt IPV6 deployment in operating systems on a massive scale) by not making their sockaddr be a power of 2 in size.

    I still haven't heard anyone explain why that is so catastrophically bad. It may be, but in practice, I haven't seen how this afflicts me.

    Now I will complain that they changed some fundamentals around DHCP (DHCP at all being a near afterthought as they magically thought route advertisement, stateless addressing, and mDNS would be the cure for *EVERYTHING*). However, most of it is probably going to fall into place as soon as more practical deployments start (currently, most v6 trials that end in failure cause people to just walk away from now instead of trying to push fixes).

  • Re:IPv6 Mess (Score:4, Informative)

    by Junta ( 36770 ) on Friday February 04, 2011 @06:31PM (#35107586)

    Agreed in principle, however NAT64 enables *precisely* what djb complains about. An IPv6 only host can now meaningfully participate in an internet filled with v4-only servers.

  • Re:IPv6 Mess (Score:4, Informative)

    by PRMan ( 959735 ) on Friday February 04, 2011 @07:23PM (#35108012)
    Yes, this would have been a whole lot easier if IPv4 addresses like: 76.33.45.121 became 0::76:33:45:121, for instance. Then everyone could easily do IPv6 passthrough. What were these people thinking that created IPv6?
  • Re:ISP (Score:4, Informative)

    by SmilingBoy ( 686281 ) on Friday February 04, 2011 @07:34PM (#35108088)
    Of course they are. But this only allows one network (as networks are always /64). If I want to have three networks (servers on one network, clients on another network, and my lightswitches and fridges on a third network) I will simply be able to do this. And IPv6 allows it. And because there is enough space overall, it is efficient for routing allocations to already now give enough space to everyone so that in the case of growth of an individual enduser, two or more separate entries in a routing table can be avoided.
  • by bbn ( 172659 ) <baldur.norddahl@gmail.com> on Friday February 04, 2011 @07:47PM (#35108172)

    How are we supposed to roll out IPv6 without NAT? Can someone explain, and without RANTING about how NAT is unnecessary?

    Ok, not a word about NAT.

    Think about it.

    I am thinking.

    Let's say I set up my company with link local addresses.

    You will not. Link local address is something every IPv6 interface has. You can use it to communicate with other hosts on the same ethernet segment. You can not use it for communicating with the internet at large.

    IPv6 forbids NAT on routers and firewalls.

    It does no such thing. However nobody has bothered implementing NAT (sorry I said the word) on IPv6. I am sure someday somebody will but few will use it.

    So how are my hosts going to talk to the Internet?

    The minimum subnet size an ISP can assign to a customer is a /64 giving you 2^64 unique IP addresses you can distribute among your computers. In fact, your computers will pick up the prefix (the first 64 bit) from the router and then select the last 64 bit automatically. You will not have to do anything, it will just work.

    Specifically, if I have a link local address of fe80::/10. That's not going to be routable from the Internet. TCP is two-way traffic, so the servers need a return route to me. How is this accomplished with NAT?

    I assume you are asking how it is accomplished _without_ NAT. You are confused about link local addresses. Those are not generally something you will be using. Your computers will get the first half of the IP address from the router and it will make up the last half by using your MAC or by random. All your computers will have unique public IP addresses. Since your computer already has a public IP address there is no need to translate it to something different by NAT.

    NAT is necessary so the ISP can send traffic back to my summarized address. I don't understand how this works when they forbid NAT. Someone please kindly explain how that works.

    You are assuming you only have one address. In fact you will have a minimum of 2^64 addresses. The ISP only needs the first 64 bit of the address to route it back to you. The last 64 bit is handled internally on your network. If you insist, you could say the first 64 bit is your "summarized address".

  • by billstewart ( 78916 ) on Friday February 04, 2011 @08:30PM (#35108486) Journal

    Look, you're getting a subnet that's big enough for just about anything you can imagine doing at home, not just the things you can actually figure out how to do. If you'd like to split your /56 into 256 different subnets and do different things on them, go ahead. You can do that without breaking the end-to-end principle.

    NAT breaks stuff right and left today, for two main reasons
    - lots of protocols, including FTP and newer protocols, put the IP address inside the data packets, not just in the packet headers, and doing NAT properly requires ripping the packets apart, changing the addresses, and fixing up any checksums that got damaged in the process. It's even worse if you've got protocols that use crypto, either for information hiding or just simply for authentication. It's very hard to get them right, especially if people design protocols the firewall doesn't know about.
    - stateful NAT makes it hard to establish connections through the firewall. Sometimes this is intentional, blocking unwanted connections for security reasons, but if two people behind NAT want to communicate, neither one can talk until the other one has talked to them first. There are products like Skype that are popular because they go to a lot of trouble to work around the different broken NAT implementations out there.

    Putting a firewall box in front of your computers isn't a bad thing - you just need one that's IPv6-aware instead of IPv4-only. You're not getting the security from NAT, you're getting security from having a stateful packet inspection box in front of your computer, and that's not going to change. If you want to offload packet inspection from your 2GHz CPU down to your 200 MHz SOC-based firewall, go ahead; about a quarter century ago, Van Jacobson figured out how to tune the BSD TCP/IP stack so you could do wire-speed file transfer on 10 Mbps Ethernets using a Sun 3/60, so you should have plenty of spare CPU horsepower left to inspect your packets.

    There's no particularly good reason for your computer to look like a single computer to anybody outside your network, and simple address-munging isn't enough to solve the problem. My laptop has different addresses depending on where it's plugged in, home, work, coffeeshop, etc., and the address isn't enough to tell them anything definite. When I'm at work, I occasionally have trouble reaching sites because many other users behind my corporate firewall are accessing them at the same time, so they want me to do a CAPTCHA to verify I'm not a bot abusing their system. However, if anybody does want to track your address, with IPv6 they'll probably do it by tracking your /56 or /48. Also, there's the IPv6 address privacy mode, which lets your computer use a different host-part address on every connection, so it's not using the same MAC address every time.
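Two of the comments above describe the same mechanism from different angles: bbn's reply explains that a host takes the first 64 bits from the router and makes up the last 64 bits from its MAC or at random, and billstewart's comment mentions the privacy mode that rotates that host part. The following is an added example written for this page, not code from either poster: it builds the stable EUI-64 interface identifier from a MAC (RFC 4291 construction, where the MAC is split, ff:fe is inserted and the universal/local bit is flipped), builds an RFC 4941-style temporary identifier from random bits, and shows why the stable form is a tracking concern by recovering the MAC from it. The prefix and MAC are constructed sample values.

```python
import ipaddress
import os


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit
    MAC: split the MAC in the middle, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def mac_from_interface_id(iid: int):
    """Undo the EUI-64 construction; returns None if the ff:fe marker is absent.
    This is the reason an EUI-64 address reveals the host's hardware address."""
    eui = iid.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in octets)


def _check_prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return net


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: router-advertised /64 prefix + EUI-64 interface ID."""
    net = _check_prefix(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def temporary_address(prefix: str, rng=os.urandom) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: same prefix, random 64-bit interface ID
    with the universal/local bit cleared so it never looks like an EUI-64 ID."""
    net = _check_prefix(prefix)
    iid = int.from_bytes(rng(8), "big") & ~(1 << 57)   # bit 0x02 of the first octet
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def interface_id(addr) -> int:
    """Low 64 bits of an address, i.e. the part the host chose itself."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"   # constructed values
    stable = slaac_address(prefix, mac)
    print(stable, "->", mac_from_interface_id(interface_id(stable)))
    temp = temporary_address(prefix)
    print(temp, "->", mac_from_interface_id(interface_id(temp)))
```

Run it and the stable address gives the MAC straight back, while the temporary one does not; that asymmetry is the whole argument for enabling privacy extensions on client machines and for treating the /64 or /56, not the host part, as the unit that identifies a site.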

  • Re:IPv6 Mess (Score:2, Informative)

    by complete loony ( 663508 ) <Jeremy.Lakeman@g ... m minus caffeine> on Friday February 04, 2011 @09:34PM (#35108840)
    That was the original idea. But of course you would need to convert those decimal numbers to hex. The current plan [ietf.org] would make that address available as 0::FFFF:4C21:2D79.
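PRMan's suggestion and the correction above differ only in whether the four IPv4 octets are copied as bits (which is what ::ffff:4c21:2d79 is) or reused as decimal digits inside hex groups. The following is an added example written for this page, not code from either poster or from the IETF document linked above: it builds the IPv4-mapped form from a dotted quad, shows that the decimal-digits form is a valid but unrelated address, and adds the check a practitioner needs on dual-stack sockets, where IPv4 peers appear as ::ffff:a.b.c.d and must be normalised before an IPv4 allow or deny list is consulted. The ACL entries are constructed sample values.

```python
import ipaddress

MAPPED_BLOCK = ipaddress.IPv6Network("::ffff:0:0/96")   # RFC 4291, section 2.5.5.2


def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in ::ffff:0:0/96. The 32 bits are copied as-is, which
    is why 76.33.45.121 becomes ::ffff:4c21:2d79 rather than something decimal."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def decimal_digits_form(v4: str) -> ipaddress.IPv6Address:
    """The tempting 0::76:33:45:121 form reuses the decimal octets as hex groups.
    It parses fine, but it is an unrelated address with no defined meaning."""
    return ipaddress.IPv6Address("::" + ":".join(v4.split(".")))


def canonical_peer(addr: str):
    """Normalise an address seen on a dual-stack socket: an IPv4 peer arrives as
    ::ffff:a.b.c.d and would otherwise never match an IPv4 allow/deny entry."""
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped is not None:
        return a.ipv4_mapped
    return a


def matches_acl(addr: str, acl: list) -> bool:
    """ACL check that treats an IPv4 entry and its mapped form as the same host."""
    peer = canonical_peer(addr)
    return any(peer in ipaddress.ip_network(entry) for entry in acl)


if __name__ == "__main__":
    v4 = "76.33.45.121"
    print(v4, "->", ipv4_mapped(v4).exploded)          # mapped form
    print(v4, "->", decimal_digits_form(v4).exploded)  # unrelated address
    acl = ["76.33.45.0/24", "2001:db8::/32"]            # constructed entries
    print(matches_acl("::ffff:4c21:2d79", acl), matches_acl("::76:33:45:121", acl))
```

The last line prints True and then False: the mapped peer is recognised as 76.33.45.121 and matched against the IPv4 entry, while the decimal-digits form is just another IPv6 address that matches nothing.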
