Windows 7 May Finally Get IPv6 Deployed

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

Another Genuine Advantage ?

[mbone]

I have to say that this is what struck my eye :

In addition, DirectAccess can be integrated with Network Access Protection (NAP). NAP, which was introduced in its current version in Windows Server 2008, automatically checks that a remote PC has up-to-date software and the proper policy-set security settings.

OK, it checks for software status, which I guess is cool, but what makes me suspect that there is a "Refuse to operate unless the licenses appear OK" aspect to this ?

By the way, this sets up an IPSEC VPN, so I am not sure why the OP says it doesn't require a VPN.

Re:

[nielsm]

This is a server-checks-client-security thing, not a Microsoft-checks-customer-setup thing. Refusing to work with known-broken software.

Re:

[mystik]

I read about this feature a few weeks ago.

MS Is touting "this is not a VPN" (even in their marketing for this feature) -- but the parent is right, it's just an ipsec VPN that's initialized early in the boot up process.

I guess it's handy, most vpn clients I've seen are klunky things that have to run after login.

Re:

[bruce_the_loon]

FUD, glorious FUD.

You do not need Homegroups to make sharing work. It just makes it easier. The older technique of keeping the passwords synced across the machines is still operational.

And someone has already answered the IPv6 no internet connectivity FUD as well.

Slashdotted, but regarding VPNs

[jimicus]

.... right now they're a necessary evil. There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access. Though of course that's of limited benefit unless you can configure every application that needs to be accessed remotely to do this, regardless of server or client OS (...or you don't need to care because you only run applications which can be configured like this).

Knowing Microsoft, this is only useful if all y

Re:

[vlm]

There's no reason why you couldn't eliminate VPNs altogether if you ran every service over SSL and verified the client certificate before granting access.

And add two factor authentication (pretty much required for a SERIOUS vpn)

Re:

[jimicus]

Client and server verifying each others certificates gives you the first factor (something you both have).

Stick a password in front of your applications and there's your second.

Re:

[Sancho]

The key is that with VPN, you can set up those client certs and two factor auth for a single server on your LAN--the VPN server--and all the rest can be used with lower security. Compare to configuring every host on your network in this way. Furthermore, a firewall helps guard against error. Did you accidentally set up a server incorrectly? Well the firewall still prevents everyone from accessing it unless they're using VPN.

VPN/Firewall is still a good portion of the layered security approach, and it wo

Re:

[houstonbofh]

With your solution, you have to expose every device to the internet at large, and then filter. With VPN, you do not even know what is behind it. So they are not the same.

Re:

[jimicus]

This is just it - my solution is only really workable if you have a very narrow range of "things it is desirable to have available from outside the corporate network".

In other words, fairly useless for most practical purposes. By hypothetically doable...

Re:

[gad_zuki!]

So instead of managing one or two cert/keys youre managing dozens all running with the quirks of the implementation of the application - and you lose two factor authentication, centralized management, site to site, and about a few other features.

Something tells me VPN is going to be here as long as tcp/ip is. At least for serious applications. Heck, Joe Blow can remotedesktop/ssh to his computer and get some level of encryption by default now. No need for ipv6 and direct connect.

On top of it, if adding SS

Exactly why we didn't deploy DirectAccess

[Bubba]

We looked at deploying DirectAccess, but after months of talks and discussions with Microsoft, they finally came out and told us that it wouldn't work unless we rolled out IPV6 (and pushed other MS services (CA, DC) externally). We passed. We decided to stick with SSL VPN for most and Cisco AnyConnect client for our Win7 64 bit rollouts. Maybe next time, Microsoft?

They've invented SSH/SSL!

[Chris Mattern]

Except that it doesn't work with the networking you have.

IPv4 Forever!!!!

[waterlogged]

BGP filters are hard enough in v4 can you imagine doing this crap?

ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32
ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128

Forget it.

Re:

[jareth-0205]

Hate to break this to you, but the necessity of IPv6 is based on somewhat larger issues than that...

Misleading Summary

[EvilRyry]

IPv6 is only required for the VPN side. The Internet connection on both sides may still be IPv4 however. Read TFA for more details. I have a feeling Time Warner will be in no rush to upgrade my neighborhood to IPv6 no matter how many companies start using DirectAccess.

Re:

[shutdown -p now]

This. In particular, it's worth remembering about IP-HTTPS, which tunnels an IPv6 connection over a single exposed port, which pretends to be handling HTTP CONNECT, on the DirectAccess server that is the gateway between Internet and the intranet in question. So, while client has to be IPv6-aware, and so has to be the intranet, all the networking infrastructure between them has no such requirement.

Article is so full of inaccuracies...

[A beautiful mind]

...that I barely know where to begin.

IPv6 has been "the next generation of TCP/IP protocols" for so long that you can be forgiven for thinking that it will never be useful.

IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

By the time Windows XP and Windows 2003 rolled out, IPv6 was built into the operating systems.

This sentence might give you the impression that you can run IPv6 with Windows XP. That's not the case, it misses DNS resolution through IPv6 and DHCPv6, so while it supports some things, the IPv6 support is far from complete.

Windows 7, when used with Server 2008 R2, may finally give enterprise network administrators a reason to deploy IPv6.

No, when the technical people at large telcos are given the money and mandate to deploy IPv6 that's when it'll happen. When the head honchos who held back the upgrade for financial reasons and the lack of government regulation in a classic example of the tragedy of the commons realise that IPv4 blocks will be gone by 2011 fall from the IANA pool and a year later from the regional registries [potaroo.net], they'll panic and start throwing money, excuses and horrible stopgap solutions at the problem, which could have been avoided to head for this bloody showdown we're going to see in the next couple of years as everyone will a. try to grab as many addresses as possible to keep telco projects in the pipeline from sinking b. franctically scramble to upgrade.

Re:

[lymond01]

IPv6 is very useful the same way electricity in a socket is useful. The two things both provide basic infrastructure for running more sexy, feature-laden things that consumers actually want.

Yep, like electric whip cream.

Wait, what?

Re:

[nine-times]

Both the Internet and the vast majority of American and European business users elected to stay with the legacy IPv4 network.

Users didn't opt for opting out of IPv6. Large telcos didn't spend enough money soon enough to get the upgrade rolling in a tragedy of the commons kind of situation.

Right. Most users don't know what IPv6 is and are simply using whatever they've been set up to use. In the case of home users, users have been set up to use whatever their ISP has told them to use. In the case of both businesses and individuals, it's hard to say anyone opted for anything since IPv6 usually isn't even a real option. ISPs aren't supporting it. It's possible to do some kind of tunneling to use IPv6, but since it's basically not in use, there isn't a lot of payoff.

To get around the much-predicted Internet IPv4 address famine, people turned to network address translation (NAT) and Dynamic Host Configuration Protocol (DHCP). With this combination, thousands of corporate PCs can have their own internal IPv4 addresses while using up only a single IP address, as far as the Internet is concerned.

Apart from leaving CIDR out of the picture, the second sentence is simply not true. The upper limit of usability is around 30-50 computers / public ip these days, if those computers are using the internet. NAT breaks so many things...

Well NAT can accomplish a

Re:

[whoever57]

why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a static IP.

just because your isp wants $200 for a business connection does not mean that static ip addresses actually cost $200. for example, linode charges somwhat less

All new accounts include one IP and are permitted to add an additional IP via the Linode Ma [linode.com]

Re:

[tlhIngan]

What really bothers me is that there *is* an IPv4 address famine. It's just that the IPv4 addresses are being rationed well enough that we haven't yet reached the point of outright crisis. If you really think that IPv4 addressed are plentiful, then riddle me this: why can't I get a static IP for my home internet connection? In order to get a static IP, I have to upgrade to a "business" account which costs $200/month more and doesn't really offer any improvements other than a static IP. Yup. $200/month for a

Re:

[A beautiful mind]

IPv6 is actually the anti-Y2K. This is a problem mainly ignored by mainstream media that has the potential to affect the global economy, while Y2K was a relatively minor issue compared to this, which got overhyped by the media.

Re:

[A beautiful mind]

No matter what enterprise level thing you use, you're still going to bump into the limit. With NAT, you're trading ports for ip addresses. The number of ports is finite and nowadays there are things like http keepalive, ajax calls, skype, IMAP, and other programs, so you're ending up with hundreds of open connections per computer. When the NAT translating box runs out of ports, it's game over.

Re:

[Anomalyst]

How many non 80/443 connections are you internal hosts using for pity's sake?
In a SOHO with all those additional services, you aren't going to overwhelm even a SOHO router. Anything larger you are going to proxy or relay them out through internet facing servers. You burn a couple public IP addresses for those servers, voila access for multiple thousands of desktops. Mebbe a couple IT people are doing some SSH and oddball ports thru static translations, but the brunt of average desktop users go through the

Re:

[growse]

It's the source ports you're worried about, not the destination ones. I get in the office and along with 6,000 other people turn on my desktop and open my browser which may have 15 saved tabs. With the HTTP and DNS requests (and whatever other connections from other IM etc. apps), I could simultaneously be opening tens of connections out to different servers on the WAN. With NAT, every connection uses up a source port on the public IP. At some point, you run out of ports.

Re:

[Bios_Hakr]

Agreed. In my office, we have a Cisco ASA with about 3000 client devices behind a single public IP. We have no real problems dealing with the vast majority of web services. People can play WoW, chat on Skype/MSN/Yahoo, watch videos on YouTube, and post comments on /. Hell, even bittorrent works well enough that we are considering a packetshaper to reclaim some of our bandwidth. We currently average about 200mbps up and down per day.

Or DirectAccess may just sink it for good...

[BobMcD]

From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

. set specific policies (no split tunneling)
. force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
. ensure proper key and credential management, including two-factor or challenge/response
. audit activities while user is connected to the VPN.

The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.

Re:

[Spad]

DirectAccess is actually much more VPNy than Microsoft like to claim, it's just more transparent to the user. Authentication can be simply an AD username/password if you want or two-factor authentication like any other VPN and it's not like users can just connect into your network without any control on your part (unless you're an incompetent admin, ditto on the auditing). I'm not sure about the split tunnelling aspect; I would be very surprised if you *can't* disable it when authenticated, but I haven't du

Re:

[Spad]

To answer my own questions:

Although split-tunnel routing is the default configuration for DirectAccess, IT professionals can disable the feature to send all traffic through the enterprise network.

DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. You can use any IPsec encryption method, including DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys...IPsec is also utilized to provide encryption for communications across the Internet with encryption algorithms such as AES

Re:

[Daltorak]

From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit

Oh come on. You're a professional (right?), you should know better than to say this kind of crap. You know what your problem is? You think NAT is a security mechanism -- it's not. Just because we have spent the last ten-plus years having the Firewall also perform network address translation, doesn't mean the two roles have anything to do with eachother -- they don't. NAT is a workaround for the problem of limited IP address spaces; it says so right in the freakin' abstract of the original NAT RFC (1631

Re:

[BobMcD]

You know what your problem is? You think NAT is a security mechanism -- it's not.

In fact that's not my problem. My problem, from your point of view, is that I'm not an elitist. That would be the best definition of your pejorative of my point of view.

I'm not specifically advocating NAT as a security mechanism. The actual use for NAT (working around limited space) doesn't actually present itself to the argument. Imagine instead a firewall that did one-to-one address mapping if it makes you feel better. It doesn't really matter. In the end the current setup means I use network addres

Re:Or DirectAccess may just sink it for good...

[EndlessNameless]

//My problem, from your point of view, is that I'm not an elitist.//

Your problem, from my point of view, is that you're not competent. //In the end the current setup means I use network addresses that DO NOT ROUTE to the outside world.//

It's called a firewall. Or a router with a proper ACL. You can google this stuff. NAT doesn't prevent routing to the outside world; it merely prevents the outside world from seeing your internal network structure. A properly-configured router or firewall will do that and more. //If you want into my network, I have to map it. If I didn't map it, you're not getting in, all things held equal.//

Every firewall I've ever seen has a default-deny setting which can be enabled for ingress/egress independently for every IP address, by individual IPs, or by ranges. Your argument boils down to the fact that NAT must drop inbound packets without either an existing connection or a mapping by default. You're proposing security by virtue of laziness---and neglecting other security features, to boot. //So tell me again, without being so strict with your terms, why forfeiting the level of control I presently have is a good thing//

You're using NAT as a method of access control, which is not what it was designed for. In addition, it does so very poorly and leaves a number of gaps in your security that a real access control device would cover.

In short, the control NAT gives you is illusory and meaningless. You have a far greater degree of control with a real firewall---regardless of whether it uses NAT. Get a real security implementation going and quit QQing about this new-fangled intarweb.

Re:

[raddan]

In short, the control NAT gives you is illusory and meaningless.

Then it is as illusory and meaningless as paging [wikipedia.org]. After all, you can accomplish the same thing with segmented memory. But as time has shown, the properties inherent in paging make using a computer (for a programmer) much easier. You don't have to worry about bounds-checking; the bounds are built-in by virtue of addresses not being meaningful outside of a particular process, and your addressing model is simple.

NAT gives you the same thing: addresses that are non-routable outside of your network. Using

Re:

[tftp]

You have a far greater degree of control with a real firewall---regardless of whether it uses NAT

He does have a real firewall, regardless of whether it feeds a NAT. I don't even know if there is a NAT product on the market that doesn't come with a firewall.

He has no reason to drop the NAT, unless some of his needs (like a poorly done VoIP or videoconferencing) require that.

It is true that a NAT is not a security device. But we still have safeties on our guns, even though they are "mechanical devices

Re:

[growse]

You could, you know, use a firewall?

If not-letting-people-route-to-your-ip is your security mechanism, you've got the wrong tool for that particular job.

Re:

[YesIAmAScript]

If you're any kind of network administrator, you can figure out how to control access to your network. IPv4 was designed to connect, not separate, hosts and you managed to make it do what you wanted.

If want people to connect to services in your network, don't deploy this service behind your firewall. And if you can't stop others from deploying it, well, then there were already a lot of things you couldn't stop anyway, this isn't the first one.

Re:

[Bill, Shooter of Bul]

To be fair, the article brought up four requirements that it must have in order to be secure, and only talked about one. Its crappy journalism. Plus the GP, actually RTFM!! I think he should be given some credit for that.

Will ISP give more then one IPv6 IP? or will they

[Joe The Dragon]

Will ISP give more then one IPv6 IP? or will they make you pay? comcast may want $5 per pc.

also how many DSL and cable modems even can do IPv6? how many rented ones? routers? cable phone and HSI modems (that are forced rented?)

Either that...

[roc97007]

...or DirectAccess will be a dead feature because it requires a protocol that few want to support.

Might as well rename Slashdot --

[dwiget001]

-- three Microsoft related stories out of four.

I hereby dub Slashdot "Microdot!"

Oh, wait....

From the article:

[Tubal-Cain]

IPv6, with its 128-bit addresses and the resulting astronautical address range seemed the perfect answer.

Re:IPv6 addresses are overly complex

[kennedy]

Uhh... 3 letters for you. D.N.S.

Re:

[sopssa]

Theres lots of places that don't really use DNS tho, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friends server. Maybe we see a major increase in those FreeDNS type of services.

But at least one pain in the ass there is; if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc)

Re:IPv6 addresses are overly complex

[sunderland56]

Yeah, typing in IP addresses is a pain in those situations. Maybe in future Microsoft will add a "cut" and "paste" feature to Windows 7, like they have in OSX - that should make life easier.

Re:IPv6 addresses are overly complex

[OnlineAlias]

It is a very tough feature to code however, just ask the guys who failed to add it to the iphone for several years...

oh yeah those guys...

[g4b]

I tried to help those iPhone guys, by sending them the contact of the SE guys, who implemented that feature even on my cheap little walkmanmobile, ... but all they got was sms with garbage vcard code...

Re:

[richlv]

cut&paste sort of works everywhere. except where it doesn't.
for example, there's still no cross platform cut and paste support in sdl (http://www.libsdl.org/ [libsdl.org]), which is a major pain in some cases.

Re:

[TBoon]

Can you recommend any implementation of cut & paste that works over the phone? Preferably open source of course.

Re:IPv6 addresses are overly complex

[Nimey]

Dynamic DNS, then. I use that for remoting into my computer and router from other places.

Re:

[Ephemeriis]

Theres lots of places that don't really use DNS tho, for example game servers or other servers run by individuals. In some games you even have to manually type in the address if you want to connect to your friends server. Maybe we see a major increase in those FreeDNS type of services.

Pretty much every machine has a DNS name these days. They aren't usually authoritative... But for a LAN game it'll do.

For non-LAN games you've frequently got some kind of server listing service or match-making service out there that can help you find your buddy's server. Or you could always use DynDNS/No-IP/whatever to get yourself a DNS name.

But at least one pain in the ass there is; if you need to transfer the address on paper or otherwise manually (setting up or fixing networking etc)

Again, many (most?) devices have a DNS name of some sort.

If not... Yes, it can be a pain to write down an address. And the extra address space in IPv6 is going to

Re:

[Monkeedude1212]

In some games you even have to manually type in the address if you want to connect to your friends server.

Either you're playing some older games, which came out when TCP/IP Was just starting to Boom and didn't have any DNS functionality built in - or your friends aren't hosting their server on the web, and thus DNS wouldn't resolve it - or your friends aren't port forwarding properly for that games specific host-finding service to pick it up.

In any case - if you are willing to go through the trouble of communicating an IPv4 Address to join a game, making it an IPv6 address will either be the smallest most minis

Re:

[im_thatoneguy]

By definition joining a Friends' server shouldn't be any more difficult than clicking "Join Friend's Game". That's what Steam and Live are for.

Re:

[vlm]

Uhh... 3 letters for you. D.N.S.

I've been involved long enough to remember people saying DNS A6 records were the wave of the future, and look where they are today.

(Yes I know, use AAAA now, I'm just pointing out the turmoil)

Re:IPv6 addresses are overly complex

[johnw]

Why type either? You should look at getting DNS up and running on your systems. It's a bit cutting edge, but well worth it.

Re:

[TheTurtlesMoves]

Even in my home network with only 4 machines I use DNS. moocow, the cowlaptop and eatingcows. Easy to remember and spell, and i run both ip6 and ip4.

Re:

[DarkTempes]

That's only 3. What's the 4th?

Re:

[Virak]

Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

Re:

[negRo_slim]

Do you seriously believe "the addresses are really long" is going to be the main thing blocking IPv6 adoption? Or even something the average person will care about in the slightest?

I agree to the 'average' person IP4 addresses are already too long.

Re:

[Cro Magnon]

I might be in the minority here, but I'd rather type "www.whatever.com" than either of the other choices.

Re:

[Mr. DOS]

Offtopic, but I'd much rather you typed in whatever.com [no-www.org].

      --- Mr. DOS

Re:IPv6 addresses are overly complex

[Chris Mattern]

Off-offtopic, but I'd much rather you typed in example.com. Don't refer to what might be a real URL as an example when you've got a name reserved by RFP for that purpose.

Re:

[Mr. DOS]

Normally, I would use example.com; in this case, I was imitating the parent. I do understand what you're saying, though.

      --- Mr. DOS

Re:

[Mister Whirly]

I hate lazy people, and I'd much rather you typed "http://www.whatever.com". I mean, otherwise how is your web browser supposed to know to use hypertext transfer protocol??

Re:

[selven]

We won't run out. It's like peak oil - we won't just have one random guy scrape and hit rock bottom and suddenly the world panics. It'll become gradually harder and harder to find and prices will slowly go up, reducing consumption. Essentially, we'll never use 100% of our oil until it is completely superseded by newer technologies. Same with IPv4 addresses. They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surr

Re:

[HertzaHaeon]

Maybe oil won't run out, but it can (and likely will) be superceded by something superior, regardless of whether there's still some left or not.

I think the same can be said for IPV6. It's not just more of the same, but something better.

Re:

[A beautiful mind]

We won't run out. It's like peak oil - we won't just have one random guy scrape and hit rock bottom and suddenly the world panics. It'll become gradually harder and harder to find and prices will slowly go up, reducing consumption. Essentially, we'll never use 100% of our oil until it is completely superseded by newer technologies. Same with IPv4 addresses. They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surr

Re:IPv6 addresses are overly complex

[Yaztromo]

They'll become more and more valuable, universities with 16.7 million each will be forced to give them up, and we'll have more and more bureaucracy surrounding the IP address system. IPv6 will come in slowly.

The problem with breaking up a /8 is that you can't just spread around 16.7 million addresses to the individual machines around the globe that need them -- not unless we're ready to handle the massive explosion of routing table entries that would require (and we're not). CIDR still defines a routing hierarchy, where the huge swaths of free addresses exist within that hierarchy isn't necessarily geographically where they are needed, or where the systems that need them are going to be able to connect to them.

Not to say that some breaking up of largely unused /8's and /16's can't be done -- just that it's nowhere near as trivial a problem as most people seem to assume it is. It isn't like there is an abundance of resources in one area, so we can put them on a ship and send them to an area where the resource need exists.

Of course, all of this presumes that the holder of the /8 is using it in some sane manner where is it even possible to break the address space into routeable blocks...

Yaz.

Re:

[Greg Hullender]

While it will be useful, I don't think widespread usage of IPv6 will start before we run out of IPv4 addresses.

I rather type in 49.1.4.22 than 2001:db8:85a3::8a2e:370:7334

I don't think that'll happen until we run out of words and names!

--Greg

Re:

[Rockoon]

IPv6 wont become widespread until the millions upon million of existing routers that do not support it die of old age.

Re:

[Tynin]

Sad but true. For some reason I just had a thought that at some point when we run drastically low on IPv4 space, the US gov might, much like it did with the analog to digital TV transition, be handing out coupons for low end crappy IPv6 routers.

Re:

[fearlezz]

Anyone can type a DNS name. An ipv4 address is a bit cooler. But just imagine your coworker's respect when they see you telnet to 2001:db8:85a3::8a2e:370:7334

Not localhost

[SuperKendall]

0:0:0:0:0:0:0:1

or ::1 shorthand.

Re:

[Bengie]

it won't be this bad live. first 64bits are your country/state/city/isp, the last 64 bits is you. It will be more like ABCD:DEAD:BEEF:1234::1

Since I'll have 18,446,744,073,709,551,616 IPs for my personal use, I would subnet my home network quite nicely. Yay for no more NAT

Re:

[elzurawka]

Your average Joe probably doesn't even know what IPv4 is, let alone the reasons for going to 6

Re:

[sakdoctor]

http://ipv6.youtube.com/watch?v=oHg5SJYRHA0 [youtube.com]

I'll just leave this here. Although the URL isn't currently valid, it will be once ipv6 rolls out.

Re:Why?

[Anonymous Coward]

You don't need NAT to run a firewall that has the same security functionality as NAT

Re:Why?

[FooAtWFU]

Mod parent up. If you can map between the "inside" and the "outside" of your organization you can drop packets coming from the outside just as readily.

Re:Why?

[0racle]

IP6 (and DirectAccess) in no way require you to remove a firewall between you and the rest of the universe. NAT however, can go away.

Re:

[isomer1]

Along with the last vestiges of privacy in IP space. Every single connection you make traced directly to you instantly. Joy.

Re:

[Tynin]

Along with the last vestiges of privacy in IP space. Every single connection you make traced directly to you instantly. Joy.

You have never had privacy in IP space. Not even behind a NAT. Whoever is maintaining that NAT could have every packet you've ever sent (extreme, but possible), and if it is you who are maintaining the NAT, then at best you've obfuscated your topology but it will be traced back to you. Besides, it isn't like proxy servers and services like Tor will stop working when IPv4 becomes a legacy protocol.

Re:

[AVee]

I can easily identify the host internal to my ipv6 network, they all get the same prefix. With ipv6 your not getting random addresses assigned, instead you will normally get a block of adresses to use inside your network.

Re:

[AVee]

I've got several reasons to expect a proper ipv6 netblock from my ISP:
1. Thats what I'm currently already getting from my ISP.
2. Thats how ipv6 is supposed to work.
3. Thats will be the default configuration of big routers.
4. Ipv6 addresses will not be scarce, so handing out single addresses instead of blocks will not save any money.
5. Actually, not using the default mac-address based numbering scheme will complicate configuration and will raise the requirement on end-point routers, so it's actually lik

Re:

[MathiasRav]

Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck going to connect a Windows box to the internet without NAT/Firewall?

Network address translation came into use because you had limited supply of IP addresses, pigeonhole problem basically. With IPv6 that's not needed, because surely 3.4×10^38 addresses should be enough for anyone. You'll just need a firewall to reject requests from outside your own assigned block.

Re:

[mark-t]

The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

Notwithstanding, however, thanks to this quaint little notion of "extension headers" in ipv6, it is even entirely possible to rou

Re:

[Urkki]

an upshot of this is that it would effectively increasse the total number of usable IP's, because the effective IP address length would be extended by however many bits of address you put into the extension header. This process could even be chained through multiple levels of NAT's _theoretically_ indefinitely, but in practice would always be limited by the sizes of the routing tables involved, and whatever the minimum MTU for an IP packet is at the time (which is theoretically as small as 68 bytes today, but nobody uses them anywhere close to that small). Individual IPv6 packets have a maximum size of 64K each, so there's a hard limit in how big it can get regardless of how much the MTU goes up.

In the context of extending available address space, there's also a hard limit on number of addressable entities (such as atoms or Planck length grid positions in space-time) in our universe. Just a small fraction of 64K maximum packet size should be plenty for having enough extension header space for addressing whatever you can imagine to address.

Re:Why?

[mister_playboy]

The funny thing is, however, that NAT isn't entirely obsoleted by ipv6... because it is almost inevitable that ipv6 space will be almost as poorly managed as ipv4 space was in the beginning, we will probably still run out of ipv6 space sooner than we otherwise would. Of course, due to the sheer size of ipv6 space, I suspect that's not likely to happen in most of our lifetimes.

In most of our lifetimes? Per Wikipedia:

The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses—or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

Re:

[Stan Vassilev]

In most of our lifetimes? Per Wikipedia:

The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses--or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive in 2006. In a different perspective, this is 2^52 (about 4.5×10^15) addresses for every observable star in the known universe.

It will take way more than poor management to use up all those numbers in any timescale with meaning to a human life.

That quote from Wikipedia you pulled, is immediately followed by this:

"While these numbers are impressive, it was not the intent of the designers of the IPv6 address space to assure geographical saturation with usable addresses. Rather, the longer addresses allow a better, systematic, hierarchical allocation of addresses and efficient route aggregation."

If we could arbitrarily ignore the network structure and special ranges assigned in IPv4, we have 4.2 billion possible IP numbers (2^32). Do we have 4 billi

Re:

[tylernt]

It will take way more than poor management to use up all those numbers

You haven't met my managers.

Re:

[Monkeedude1212]

On the internet sure, ok....who the fuck going to connect a Windows box to the internet without NAT/Firewall?

If you've never had a problem with NAT, you don't have enough uses for the internet. I used to be a firm believer that NAT was a seemless solution to the problem of not having enough IP's.

Once you try implementing it in the professional world, where you have to worry about not just NAT but NAPT, because you've got Webservers, Print Servers, Email Servers, Backup Servers, File Servers, Application Servers - and then you've got to implement some service such as Remote Desktop from a WebApp (that has to get pa

Re:

[pdangel]

Yes NAT is a pain..and some cases breaks business apps. Hair Pin turns are the bane of my existence. But you are saying place thing either outside a firewall because its easier, or place your support staff on the Internet with out VPN?

I agree that ISP have a need for IPv6. But why would a Windows 7 user need it? Default out of the box? Or did I miss read that MS has that service on by default?

Re:

[Monkeedude1212]

Meh, we need a solution to let regular business dev reps to Remote in from home (not the support staff) without a VPN. It'd be nice if it was hosted in a web app so that we don't have to install anything on Client machines. (Something Like Remote Web Workplace).

Windows 7 has DirectAccess or whatever they're calling it, which supposedly allows for this to happen, and it needs IPv6 to run I guess.

Re:

[dave562]

Have you looked at the Sonicwall SSL/VPN appliance? I'm sure that there are probably other vendors and even open source solutions that provide similar functionality. With the Sonicwall device all you need is a web browser and you can have a secure remote desktop connection into anything on the private network. I think you can also publish individual applications (a la Citrix, etc) but I never had to get that fancy with it.

Re:

[Bert64]

Not sure about sonicwall, but other ssl/vpn setups i've seen required that your browser support activex and you permit the site to execute arbitrary code, where it installs a kernel driver (like a normal vpn client would)... I always thought the idea of allowing your browser sufficient privileges to load kernel drivers seemed extremely insane.

Re:

[Ephemeriis]

Who the hell needs 13 Gazillion addresses on their LAN? On the internet sure, ok....who the fuck going to connect a Windows box to the internet without NAT/Firewall?

While I don't think I'd recommend connecting any machine - Windows or otherwise - to the Internet without a firewall... I don't see why you think you need NAT.

NAT is Network Address Translation. It has absolutely nothing to do with security. It's a way to overload a single public IP address and funnel multiple private IP addresses through it.

Yes, NAT gives you a default, basic firewall just because you have to explicitly define incoming translations. But there's absolutely no reason you need NAT in orde

Re:

[rantingkitten]

who the fuck going to connect a Windows box to the internet without NAT/Firewall?

Teeming multitudes of clueless users who only have one computer and therefore never got a router. Every one of their boxes is totally owned, but they're oblivious.

Re:

[Changa_MC]

Wait, are you claiming you don't use IPv4 for anything? Or are you claiming you use IPv6 for some things? Because if the latter, you're right in line with Bernstein's claim. Note he doesn't say IPv6 doesn't work, he says there is no smooth transition path for IPv6 adoption from IPv4.

Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

Does this mean you cannot run IPv6 at home? No, it ju

Re:IPV6 is fatally broke

[metamatic]

Websites with external consumers cannot stop using IPv4 until all potential consumers use IPv6. So until everyone uses IPv6, every host must continue to run IPv4 or both.

You make it sound like that's a difficult problem, rather than a matter of putting a few extra lines in a config file for the transition period.

Does this mean you cannot run IPv6 at home? No, it just means you must also run IPv4 to get to websites that haven't bothered to support both.

No, you're wrong there. While an IPv4 connection cannot reach IPv6 hosts, an IPv6 connection can reach any IPv4 host using tunneling. You talk pure IPv6 to your IPv6 ISP, and if there's a need to fall back to IPv4, they route the traffic via a tunnel broker.

Using similar technology, you can get IPv6 even if your ISP only supports IPv4. That's how I'm doing it.

Re:

[Esther Schindler]

Yeah, we wimmin shouldn't oughta write about tech stuff. It just remind youze guys how much smarter than you we iz. And makes youze cry. ::Removing tongue from cheek with prybar::

Re:

[Ksevio]

We already have a simple solution, IP4 with NAT. It works great.

I take it you've never had to program any application that needs peer to peer communications then?