Why You Shouldn't Worry About IPv6 Just Yet 425
nk497 writes "While it's definitely time to start thinking about IPv6, it's not time for most to move up to it, argues Steve Cassidy, saying most can turn it off in Windows 7 without causing any trouble. Many network experts argue we're nearing network armageddon, but they've been saying that for years.'This all started when Tony Blair was elected. The first time. Yep, that's how long IPv6 has been around, and it's quite a few weeks ago now.' He says smart engineering has avoided many of the problems. 'Is there an IPv6 "killer app" yet for smaller networks? No. Is there any reason based on security or ease of management — unless you're running a 100,000-seat network or a national-level ISP — for you to move up to it? No. Should you start to do a bit of reading about it? That's about the stage we're truly at, and the answer to that one is: yes,' he says."
Won't even notice it (Score:2)
Re:Won't even notice it (Score:5, Insightful)
Many people are already using ipv6 by default without even knowing it!
One important reason to use it is for small devices that you really don't want to have to have a user interface to enable Static IP / Router Info / DHCP configuration on.
Also, if you use use Apple MobileMe's Remote Desktop feature, you are using ipv6 only - MobileMe provides an IPv6 VPN to access all of your devices wherever they may be.
So in fact there are many many users of Ipv6 out there, just not much sending packets over the un-vpn'd internet.
Re: (Score:3, Interesting)
Bonjour (ZeroConf) does do this automatically. Since I just use the bonjour name (server.local, mac.local, plug.local, etc). However the problem arises with Linux when it insists on trying IPv6 first.
I went out and spread the word about Ubuntu to my girlfriend. The install went ok. But the second she started it up the first complaint was that browsing the web was slow. So I go diggind and find out it's IPv6's fault. Apple's figured out how to make the internet not suck and use both, why the hell can't Linux
Re: (Score:3, Funny)
I don't want to have to help them solve it or risk them trying to type in some "cryptic" commands on their own. (Not to mention, one suggested method didn't work).
Let me guess... sudo rm -rf?
Re: (Score:3, Informative)
I don't think ubuntu would use v6 by default unless it actually had a v6 connection...
I have ubuntu boxes at home and at work, at home i have a v6 router with a valid v6 link running a route advertisement service and the ubuntu box will pick up an address from it and use it...
At work, there is no route advertisement service so ubuntu boxes never pick up a v6 address or route (neither do macs for that matter)...
The only place i can imagine it being slow in the way you describe, is if it picks up an address b
Re: (Score:3, Informative)
And if you ever noticed, when you get that 169.x.x.x private address then you have no network access at all under Windows. At that point, it'd be better to just mark the
Re: (Score:3, Insightful)
Same here. There have been several instances where IPv6 has caused a lot of problems. I work for a local government and have 5000 new PC's being installed on my network and they are all getting IPv6 turned off on their images because it is annoying, to say the least.
As a network engineer I am not worried about IPv6. The most that will have to be done is our main firewall and/or router will maybe eventually have to be setup to accept incoming IPv6 addresses. But for our internal network, IPv4 won't go away a
Re: (Score:3, Interesting)
Those PCs will sit there looking for an ipv6 router, effectively the same as an ipv4 client looking for a dhcp server... If there is nothing there to answer the request, they will keep sending it but never acquire an address and therefore never try to use the protocol in question.
The only time you would ever have a problem is if someone installs a device that answers those requests with invalid responses (eg it advertises an ipv6 route that doesn't go anywhere, which clients then try to use and have to wait
Re: (Score:3, Insightful)
The only time you would ever have a problem is if someone installs a device that answers those requests with invalid responses
I think it's fixed now, but when Vista was launched it would always advertise itself as a 6to4 tunnel provider, even if it didn't have a publicly routable IPv4 address. This broke every other dual-stack machine on the local network.
Ah, Yes, 'Let Someone Else Worry About It' (Score:5, Insightful)
Is there any reason based on security or ease of management – unless you're running a 100,000-seat network or a national-level ISP – for you to move up to it? No.
What if you're writing web applications that monitor IP addresses? Shouldn't you be making sure that your regexp fits for IPv6 as well? What if you're storing IP addresses and your sanitizing your data? What if you're doing anything at all with IP addresses? Like monitoring logs for abuse? Shouldn't be preparing for the inevitable move to IPv6? What if you collect metrics so you can report to management your country by userbase? I say this because we've started to account for IPv6 in our coding and auditing.
What if you write any sort of firmware or software for network devices?
And if you're a consumer and you're about to purchase something that's going to last you more than three years you should probably make sure it supports IPv6 in case the computer you buy down the line can only handle IPv6 addresses allocated to it.
Go ahead and tell your readers that it's cool, Microsoft's got it covered. I'm going to err on the side of safety whether the armageddonists are right or wrong about the ETA.
Re: (Score:2)
Going to be difficult for all those billions of LAM(ysql)P users until they gets a better way of storing them.
Apparently support for ipv6 is "Status: On-Hold - Priority: Low". So it looks like we're all going to have to migrate to LAP(ostgres)P.
Re: (Score:3, Insightful)
Going to be difficult for all those billions of LAM(ysql)P users until they gets a better way of storing them.
Apparently support for ipv6 is "Status: On-Hold - Priority: Low". So it looks like we're all going to have to migrate to LAP(ostgres)P.
Or just store them in strings, which is what the MySQL software I know about does for IPv4 anyway. Just make the string field a bit longer.
Comment removed (Score:5, Interesting)
Re: (Score:3, Interesting)
Just for perspective, a long time ago (late 1970s or early 1980s), I was talking with an IBM support person in Portland OR. According to him over 1/2 of all IBM installations in his area were still running the original DOS/360 [wikipedia.org], which had been EOL'd and dropped from support ten years before. Those folks had stuff that ran fine on their old machines, and saw no reason to upgrade hardware or software.
Re: (Score:3, Insightful)
The hosts file blocks whichever HOST NAMES you put in (and give an unreachable address). This works equally well with ipv6 and ipv4, and the number of host names doesn't magically increase with ipv6.
Torrenting (Score:5, Insightful)
Torrenting is the killer app. Very unlikely all the spooks have updated to ipv6 snooping.
Re: (Score:3, Informative)
Most swarms have 5-10% ip6 hosts already on some trackers.
Excuse me? (Score:2, Insightful)
Re:Excuse me? (Score:5, Interesting)
Re: (Score:3, Insightful)
It's like walking into a manager's office, and the manager is complaining about how much he hates his computer, an old 486, that works, albeit badly. In a corner is an unopened shipping carton, containing a modern PC, that's been sitting there for a few months. The manager doesn't want you to set it up, because he's having enough trouble with the computer he's got.
Beware (Score:4, Interesting)
Procrastinate at your peril.
Re: (Score:3, Informative)
Re: (Score:2)
There is no implication that the internet will be suddenly unusable. As one of the previous posts mentioned, hardware and software developers who have to deal with TCP/IP and the like better be getting up to speed now for products they expect to be selling a year from now. IPv6 is already being deployed for voluntary use on a relatively wide scale. It is a parallel network that coexists with IPv4. The ex
poorly informed (Score:2)
First of all, you are already using IPv6. Your computer is auto-picking an FE80 address, and every other machine on your switch could be talking to it (or attacking it) via this address. Bonus: many host-based firewalls let this right through.
Secondly, it is easy to set up IPv6. Just get an ISP with the addresses and set up AAAA DNS records for your servers.
Third: you need to have IPv6 working in the next year. In 2011, all v4 addresses will be assigned. Some people will be getting v6 internet addresses but
Re: (Score:2)
Secondly, it is easy to set up IPv6. Just get an ISP with the addresses and set up AAAA DNS records for your servers.
Ah, now that's the tricky part, isn't it? No ISPs that service my area support IPv6. In fact, I think on my last attempt, the response was "IP what, now?" If I want IPv6, I have to do 6-to-4 tunneling, which is, at best, a hack. Unless you're in a major metropolitan area, I would bet that you'd have the same problem.
Re: (Score:2)
Have you inquired recently?
Re: (Score:2)
My budget VPS host comes with 16 v6 addresses per server by default. But if you don't have that option, by all means use tunneling (gogo6 does it for free) to make sure everything works properly, then transition to addresses from your ISP when they are available.
Re: (Score:2)
Re: (Score:2)
No ISPs that service my area support IPv6.
For years, ipv6 folks like myself have been using tunnel providers.
At this moment, in my highly biased opinion, your best bet if you have a static ipv4 addrs is he.net, and your best bet if you have a dynamic ipv4 addrs is sixxs.net. But your mileage may vary based, etc. I've used them both to great success.
I think comcast is doing limmted tryals (Score:3, Informative)
I think comcast is doing limited trials of ipv6.
But it will take time to replace all the modems, boxes ,and so on with stuff that can do IPv6.
Re: (Score:2, Insightful)
First of all, you are already using IPv6.
Who is? The author only said he experienced it, he didn't say he migrated to it! He's using internal addressing, which by assumption IPv4 is meant. If you disable IPv6 on your system, you are not using IPv6. This goes for both Windows & Linux.
The whole meltdown thing and needing and IPv6 address is a little perplexing to me since you get your IP from your provider. If you receive an IPv6 address, I can almost guarantee you that there will be a layer of IPv4
Roll it out in cell phones (Score:5, Insightful)
Re: (Score:2)
T-Mobile is already doing this testing with Nokia phones. Unfortunately, Android phones don't have support in the baseband chipset yet.
Re: (Score:2, Informative)
Re: (Score:3, Informative)
My G1 is addressed in the 26.112.125.... subnet. Interesting, because DNS is in the 10.177 and 10.162 subnets. So I guess I am consuming profilgately.
It also looks like it's a /32 subnet...
Re: (Score:3, Informative)
T-Mobile is using IPv4 BOGONS (using IPs which are registered to others or will be registered to others).
Which is why they are rapidly moving to IPv6 with access to IPv4 via NAT64/DNS64.
Re: (Score:3, Informative)
LTE (4G/3.9G) supports IPv6 as well as 4, and Verizon (who is rolling out LTE in 30 markets this year) is actually mandating that devices on their LTE network have IPv6
Not yet (Score:5, Funny)
I'm still writing my Y2K compliance docs. I want to make sure they're detailed and complete before I turn them in to management. Have to get the font and formatting just right. Too soon to worry about the latest fads.
Why i want ipv6 to come asap (Score:5, Funny)
Re: (Score:2)
Who the hell wouldn't like their toaster to have its own ip unique ip address?
That sounds like a dangerous idea to me. Give it a unique IP address, and pretty soon it will develop its own Genuine People Personality. Next thing you know, bam! Talkie toaster. [youtube.com]
Home user perspective (Score:2)
I realize this article is coming from a corporate perspective but from a home user's perspective, I am really getting quite a lot from IPV6. I once had to poke holes in my firewall to get at internal machines on nonstandard ports when away from home. Now that they are IPV6 enabled,, I can address them directly. I can also access my Samba shares (ISP port blocking) and the SIP protocol works much better now that NAT is not involved.
The tunneling does add latency though so here's hoping the ISPs get native co
Re: (Score:2)
I once had to poke holes in my firewall to get at internal machines on nonstandard ports when away from home. Now that they are IPV6 enabled,, I can address them directly.
Couldn't you have done this before by getting rid of the firewall? (OK, maybe you didn't get enough IPs for all your machines.) I don't want all the ports on all my home machines exposed, which is why I suspect there will be a lot of people clinging to their known NAT routers as long as possible. Once I get comfortable with IPv6 firewalls, I'll switch, but I don't want to have everything opened up until then.
Re: (Score:2)
Oddly enough I typically get a 10% lower ping through my HE tunnel than with native v4. 6to4 and Teredo are much worse though, since they really need both the v4 and v6 ends to deploy gateways to avoid your packets take bizarre routes. Not many ISPs have their own 6to4 gateways, from what I've seen.
Internal vs external networks (Score:2)
with time, and just b
Actually you SHOULD worry about it... (Score:5, Informative)
For three big reasons.
a: Its actually ubiquitous in the LAN these days. Both Apple and Microsoft use IPv6 link local operations very heavily, because it Just Works with nice stateless autoconfiguration and multicast.
b: You can have things screw it up if you don't have V6 deployed, and you have to worry about V6 even if you don't 'have' V6: EG, a Windows box with connection sharing and 6to4 enabled will happily try to "share" the 6to4 connection with everyone else on the LAN, so everyone else gets a V6 address that doesn't actually work. And with Apple prefering a 6to4 IPv6 address over a V4 address, the macs on the same network will now see horrible behavior going to any dual-stacked site, as it will try V6 first, take a timeout, then revert to V4.
c: Address space exhaustion is real, and IPv6 + DS-Lite (or even just IPv6 + IPv4 NAT) allows an ISP to get around address space exhaustion in a much cleaner way than the alternatives.
Network armageddon (Score:3, Insightful)
"Many network experts argue we're nearing network armageddon, but they've been saying that for years." Say what?
"Network armageddon" is already here and we've been living in it for years. The horrors of NAT, the crampedness of addresses making configuration a pain, public addresses expensive, and so on. It's just not been a sudden catastrophe, it's been more like boiling a live frog by putting it in cold water and then slowly heating it.
most hated part of ipv6 (Score:5, Insightful)
Sure, ipv4 addresses were a little cumbersome but at least they were numbers and dots. 192.168.0.1. I can type that out on the numeric keypad. 2001:0618:71A3:0801:1319:0211:FEC2:82DC is just awful. Yeah, I know you need to have more characters in there to represent the value and a larger address space means it's going to be a larger number. Keeping the old ipv4 decimal scheme would make addresses look like 128.91.45.157.220.40.0.0.0.0.252.87.212.200.31.255. But I don't really see the hex as an improvement!
Re:most hated part of ipv6 (Score:4, Informative)
they invented a fix for you [wikipedia.org]
Re: (Score:3, Interesting)
That's cute, you think DNS solves his problem. Hate to break it to ya but often in testing you don't want your host to have a name until it's ready for production. Then of course there are times when DNS breaks due to service lockup or someone misplacing an encryption key. It's adding complexity back to a system that is supposed to reduce complexity plain and simple.
Kind of a moot point really anyway as a lot of network devices don't register hostnames with DNS anyway. I know none of my IP cameras do, alth
Re:most hated part of ipv6 (Score:4, Informative)
Hate to break it to ya but often in testing you don't want your host to have a name until it's ready for production.
They invented a fix for you, too [wikipedia.org]
(horrors, actually using the hosts file for its intended purpose instead of using it to break DNS resolution for host names you don’t like?)
Short-sighted coding (Score:3, Insightful)
That it is not yet necessary to migrate is irrelevant. One may argue with the time frame (next year or in five years or ten), but nobody denies that IPv6 will eventually become commonplace, and before most of us retire. That means it is now necessary for software to support IPv6. Writing a network-using program now that does not support IPv6 addresses is like storing the year in two digits in the nineties. It will come back to bite you.
This is flat out bad advice (Score:2, Insightful)
It won't be armageddon. Slowly parts of the Internet will be become unavailable and inaccessible to you as some sites become IPv6 only since they can't even get a valid IPv4 address. It won't be a disaster, it will be a slow loss of connectivity to the Internet as a whole.
Turning it off is horrible advice. You won't notice much of a difference right away, not until you start getting hits in search results that you can't actually fetch when you click on them. Talking to the entirety of the rest of the hu
Re:This is flat out bad advice (Score:4, Informative)
Ignoring the technology incompatibilities between v6 and v4 for a second, and just taking connectivity at heart, let's examine the effect of "isolation": your community runs out of telephone numbers for its area code. Your state creates a new area code. NEW numbers are given out to new owners; all old phone line owners remain unaffected and able to reach old phone lines and continue with business as usual with their other giant companies also using the old phone lines
With IPv6, all new owners can talk to the old owners. The old ones already have websites that they can reach. Top sites like youtube, google, facebook and maybe even windows update with reserved IPv4 address isn't just going to magically lose it. They'll shuffle less important services to IPv6 the day they are forced to exceed their IPv4 allocation.
Nobody is forced to "switch" to IPv6 entirely. They create DNS subdomains like the little known ipv6.google.com (if it works for you, then you have ipv6, by the way.) In the US, the government forced digital / HDTV adoption last year, but old and new channels coexist in your digital-ready cable boxes through the simple use of different channel numbers. I have no idea how many years it will take for them to force the non-HDTV channel numbers off, but I suspect that this will take as many decades as it took to implement HDTV and force it on us.
The only people having reachability problems like you mentioned will be those in NEW address blocks from poorly developed countries. Large companies needing more IP's may have issues, but nothing their IT teams can't fix with more 10.x.x.x addresses (2^24 addresses for internal company addressing "oughta be enough for [er, OK, most companies]") Consider the address space sizes [yahoo.com]. Though IPv4 is only 16 bits smaller than the MAC address space, which is small compared to the IPv6 total of 128 bits, nobody I have every heard is saying that billions of computers out there are going to run out of MAC addresses to give out soon. Funny because wireless devices and network devices tend to have multiple macs a piece.
From end-user perspective (Score:4, Interesting)
Is there really anything to worry about?
Afaik all modern Linux distros are fully up to the task of IPv6. TFS mentions even Windows can do it.
At this moment I am connecting my computers to the Internet via a wifi router/firewall - not likely this is going to change. Router is old, may not do IPv6 yet. My ISP also doesn't. But I guess the time will come that ISPs start to switch.
Will it really make a difference for me as end-user? Is my browsing going faster? Will I get less spam in my mailbox? Will it be easier to find the information I am looking for on the net? Probably none of the above.
At the moment I know I'm on IPv4 but on a daily basis I don't care as it just works. I don't know my IP address, it's not important to me what it is really. My home and office networks are internally IPv4, wouldn't make a difference if it's IPv6 except that addresses get harder to enter in BIND but that's one-off only. I suppose my uplink there also uses IPv4, not v6. I always approach my web site and mail server by entering an URL, not entering an IP address. Again what would I care? Let DNS take care of that part.
Don't get me wrong I understand it's time to move on: we run out of address space, soon there are more devices/networks connected to the Internet infrastructure than that there are unique addresses to find them. But from an end user perspective... I say let the ISPs take care of that. It's their job. Get me the connection, make sure your hardware works, preferably understands both IPv6 and IPv4 (backwards compatibility; and mostly it's not broken in the first place), and use on your network whatever works best.
There is always the talk of IPv6 will give any ISP subscriber a complete range of addresses instead of just one, so you can connect every computer, printer, whatnot directly to the Internet. I don't understand why an end user would want to connect their printer directly to the Internet. Their second computer maybe if they have one (makes torrenting easier) but then you lose the benefit of a hardware firewall in between. Simply because of security for my home network I prefer a single point of entry, not a dozen. Much easier to keep an eye on. So one external IP address is simply enough for most of us.
So while IPv6 is important for developers and ISPs, for the end user it's not. I totally agree with this Steve Cassidi that it's simply not something to worry about. He says not yet, I'd argue not ever, unless you're developing network gear/software or work for an ISP or so.
Re:From end-user perspective (Score:4, Insightful)
You're wrong on several counts, within 2-3 years your ISP will most likely switch you to IPv6. Can you turn it off in Windows 7 without problems in a word, no. Windows 7 has features that depend on IPv6, OS X probably does as well.
Those who really need to worry about it, is those who do not like using ISP provided routers. Many routers do not support IPv6 unless you're running a custom build on them. Those people should be looking around for IPv6 enabled routers of switch to one that can use custom firmware to do the job.
The other set of people who should be concerned are those running Windows XP since support there is flaky at best.
IPv6 is here folks, my new home printer even supports it out of the box.
Re: (Score:3, Insightful)
Will I get less spam in my mailbox?
It's harder for a worm to propagate when 99.999% of address space is empty as opposed to being another windows box.
Simply because of security for my home network I prefer a single point of entry, not a dozen.
Most people will probably continue to have one ISP connected by a firewall. Instead of NAT which inherently does stateful firewalling, they'll just have a simpler stateful firewall and skip the address translation tables.
So one external IP address is simply enough for most of us.
How do I run a couple SIP phones, and a couple italk video conferences over a single ip address? Its a huge pain.
Re: (Score:2)
Most people will probably continue to have one ISP connected by a firewall. Instead of NAT which inherently does stateful firewalling, they'll just have a simpler stateful firewall and skip the address translation tables.
I'd rather have no separate firewall and have the security on the hosts. Since we can't expect home users to go round configuring their firewall box, either we let incoming connections through or limit the kind of applications people can use. I suppose you could adapt UPnP, but why bother? If you don't want the connections, simply don't open a listening port.
Re:From end-user perspective (Score:5, Insightful)
It is? I run hundreds of SIP phones complete with video calling behind NAT without a problem. It only becomes an issue when you have 10s or 100s of thousands of phones.
Why would the phones even need Internet access? You have your SIP proxy on your network which connects to your SIP provider or POTs provider depending how you like to deploy. It's a very simple setup, makes auditing really easy, and allows me to do tricky stuff like divert the video from the gate to the phone so whoever answers can choose whether or not to let them in.
Worms will propogate as they always have, properly firewalled setups have dramatically reduced this in IPv4 and the same will happen on IPv6. I keep hearing people speak of NAT like it's not a firewall but most of those people are forgetting that most NAT devices actually are real firewalls these days unlike the early days of NAT.
I'm not against IPv6 but I have to agree with the parent, it has to start with the ISPs before it really makes sense for the rest of us to change. ISPs are having enough trouble with current traffic levels however that I have no faith in their ability to launch anytime soon on any real scale.
SSL and SNI (Score:2)
Apart from that I see no reason to panic right now.
We are already using it (Score:3, Informative)
I don't know what artificial reality you guys are living in, but IPv6 is running in many research universities worldwide, and on virtually every Linux box in the military and university community.
The fact that it's not being provided by your local residential networks is not our problem.
IPv6 is a marketer's wet dream (Score:2)
it makes it easier to better identify unique users and devices
I'm just gonna use NAT on the border gateway (Score:2)
What a Maroon (Score:2)
Who is this Steve Cassidy guy anyway, and how did he get a gig writing about network technologies for a magazine?
Distilled, what this nimrod's article amounts to is:
prehistory for mayflies (Score:3, Funny)
"This all started when Tony Blair was elected. The first time."
Wow! Are there still people alive who remember back that far? I mean, that was before the first Harry Potter book came out, which was like forever ago!
Re: (Score:3, Informative)
Ummm, the first truly working IPv6 patch for Linux was rolled out for the 2.0.20 kernel. My IPv6 box at the University of Manchester was registered on the 6Bone a year, possibly two, before Tony Blair was elected. Solaris patches came out even earlier. The author clearly doesn't know their history. The rest of their arguments may be right or wrong, but I have trouble trusting arguments made by someone willing to make inaccurate claims that could have been checked with but a few seconds effort.
Denial in not a river in Egypt (Score:3, Informative)
To be very, very clear, IPv6 will happen. There is no way around it. There is almost no IPv4 address space left. The folks who are at the top of the structure that assigns addresses will run out in the middle of next year. The next tier, call Regional Internet Registries may have addresses available for another year. By the end of 2012, there will be no address space available to assign. For the gory details, see the IPv4 Countdown Page [potaroo.net]. Especially, look at Figure 35 [potaroo.net]. That is reality.
As an end users, you may not care. Comcast is already beta testing IPv6 to its customers. I assume others are or soon will be doing so soon, but this should be mostly transparent to users as their system will only require IPv4 and that will be NATed behind an IPv6 address. But it must happen or people will not be able to get new addresses. That is the bottom line. IPv4 will remain in use for many years, but the net will start getting smaller and smaller for those who don't implement IPv6.
It's time to start including it in home routers. . (Score:5, Insightful)
It might not be time for residential networks and ISPs to flip the switch yet. . . but it's *definitely* time for all new home routers, DSL/Cable gateways, etc, to include full IPv6 compatibility. That way, when the ISPs decide it's time to turn on IPv6, they and their customers don't need to replace most of the hardware already deployed. IPv6 support at the vast majority of network endpoints needs to already be present before you can actually make the switch - you can't change the protocol and just force people to suddenly change.
ISPs need to start configuring networks to run in a dual-stack mode (at least as far as the end-user is concerned - once it hits the first ISP owned router, it could be all IPv6 from that point on), so that those who are ready to use IPv6 can start using it (yeah, you can use tunnel providers or 6to4 [which is really another sort of tunnel], right now, but that usually adds additional hops and latency to your connections - basically, if you are tunneling IPv6 traffic over IPv4, why bother using it to begin with).
Re: (Score:2)
Note that you might need to wait for someone to ship a NAT router that does IPv6 though. I haven't researched whether they are available or not yet.
Re:I have read it... (Score:5, Informative)
So if you want a NAT router to keep network wormable flaws away from the OS you can still do it.
you're confusing NAT address translation with stateful firewalling. Linux has been able to do that for ages on ipv4 or ipv6.
A side effect of ipv4 NAT is providing stateful firewalling, in that obviously the fw has no idea what to do with incoming traffic that doesn't belong to a flow you've already set up. All you need is one line to do this in v6.
You're looking for a line vaguely similar to this:
ip6tables -i eth0 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
And try not to forget to drop by default anything coming in thru eth0 that doesn't match the line above, of course.
Good idea! (Score:3, Funny)
ip6tables -i eth0 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
I'm going to email that to my mom so she can get her new dsl modem set up right.
Thanks!
Re: (Score:3, Informative)
When her new DSL modem/router will come with official IPv6 support, I expect it to have a large checkbox in admin UI that says "please keep away all the nasty stuff from teh intertubez". I would even expect it to be checked by default - my wireless (IPv4) router did came with firewall enabled by default, and blocking incoming connections on all ports except for FTP.
Re: (Score:3, Insightful)
Network Address Translation Address Translation? Is that like an ATM machine or a PIN number?
I think its a fair phrase to use, since the whole point of the post was some people confuse the concepts of NAT and stateful firewalls. So I'm writing about the "address translation" part of NAT not the helpful side effect of stateful firewalling.
"NAT address translation" is obsolete with ipv6 vs "NAT stateful firewalling" is better just called "stateful firewalling"
Re: (Score:2)
Umm what? IPv4 has no hardware firewall either, untill you physically place one between you and the internet. IPv6 is no different, its just generally not going to be playing hokey games with fake addressing
Re:I have read it... (Score:4, Insightful)
There is nothing in IPv6 which precludes the use of proxies and/or NATing. Its just that adoption of IPv6 no longer mandates the use of NAT'ing. Nothing is lost. There is only gain to be had from an IPv6 upgrade.
Re:I have read it... (Score:5, Insightful)
You and many others desperately need to read more about v6 before regurgitating the same old myths.
* Read up on RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6
* Their is NOTHING in IPv6 that negates a hardware firewall. You get a prefix routed to your 'router' it can have whatever allow or deny rules you like.
* If you want to use NAT and non-routable IPs for whatever reason, however misguided, there is nothing in IPv6 preventing you from doing so, see also FC00::/7 link-local addresses
* Whether a network is routed or switched has as little to do with IPv4 as it does with IPv6, these topology decisions have nothing to do with the protocol.
Re:I have read it... (Score:5, Interesting)
The sooner we get to IPv6, the better. If not, if someone wants a static IP, much less a /29 subnet with five usable host IPs, they will be paying through the nose, for it just due to artificial scarcity.
I just fear that companies are going to spend big bucks for routers that can do NAT traversal (dev subnet gets NATted to another subnet which then gets translated to the outside IP), as opposed to going to IPv6 where one can keep firewalls up and the traffic isolated and secure, but keep NAT is an option, not a must-have. If a company is worried about the IPv6 stack having issues, just use IPv6 as an edge routing protocol and keep the internal network on v4 and use Toredo. Yes, this is still not optimal, but it is better than dealing with having to bid for v4 statics so one can have their own webserver online.
Re: (Score:3, Informative)
Correction. Teredo tunneling.
IPv6 shouldn't be that hard to switch to. Macs are happy with it. Windows machines grok it. The only issue would be a number of SOHO routers, and some applications that don't understand V6 (MySQL is a good example.)
Not Hard? BWAHAHA! (Score:3, Interesting)
The problem isn't just your SOHO router, though that's actually a very big problem for ISPs.
And the problem isn't just ISP and enterprise routers that are much slower at routing IPv6 than IPv4 (the longer address space is a problem even if you weren't using ASICs to do the routing, which you were.)
And the problem isn't just application systems like MySQL that don't have native IPv6 address handling APIs.
Think about every application you've ever written that stores IPv4 addresses in a 32-bit integer, e
Re: (Score:2)
His point on privacy is not the MAC as part of the address, but enumaration of hosts that NAT 'mitigated'. Some consider that a privacy risk, I personally think it is overblown. If people NATed for the privacy explicitly, then why would it be so bad if people got to make a choice rather than have to NAT?
Agreed about the router stuff. People are scared because suddenly endusers will be empowered to not NAT, and users were implicitly firewalled through having NAT forced on them. If they don't need it, the
Re: (Score:3, Insightful)
NAT breaks end-to-end connectivity. Its main purpose in IPv4 is to deal with the limited address space. In the massive address space of IPv6, NAT is no longer necessary.
You can still NAT everything behind non-routable ULA addresses if you wish, but I see no reason to do so. If one takes this approach and later decides they need a specific port opened to more than one machine, ie) port 80 for a couple new web servers, they won't be able to do this without re-numbering or setting up a a couple new static NAT
Re: (Score:3, Interesting)
Topology hiding.
My hypothetical organization is NATted. How many computers are on my network? You can't tell. Or, at least, I'm not just giving away that information.
Re: (Score:2)
Re: (Score:3, Interesting)
I was being sarcastic. I know the IPv6 NAT isn't in Linux yet. That was my point. IPv6 will be more deployable once NAT is not only possible at the technical level but also available in the products I routinely use.
Re:I have read it... (Score:5, Informative)
Anonymity is lost pretty quickly with IPv6
RFC 3041 dated January freaking 2001, assuming you're talking about using MAC addresses in the ipv6 address. Frankly I feel this is paranoia combined with ignorance of current ISP logging technology, in other words you don't have anonymity with ipv4 either.
along with ISPs seeing how many systems you have running on their network
Rates somewhere between 1) who cares 2) See RFC 3041 3) News to me that proxy servers are impossible on ipv6
exposes systems to OS flaws.
I suppose there are / will be bugs in v6 that would not happen in v4.
The logic in fact seems to be nothing but a really big switched network.
Thank god. Die NAT die! Can't happen soon enough. Some people will still want stateful "one way" firewalls. No problemo.
In short, I don't like what IPv6 gives us over what we lose with IPv4.
Given your list of misconceptions and misinformation, I'm not surprised.
Re: (Score:3, Interesting)
Having worked for as a software developer for comScore, a major web metrics company, I can tell with absolute certainty that the concerns about anonymity and IPv6 stateless autoconfiguration are neither paranoid nor ignorant. Privacy extensions (RFC 3041) help but they create a problem inside the large enterprise where the sysadmin wants to track his users while denying Internet-based entities the ability to do the same.
Re: (Score:3, Informative)
This is *exactly* what RFC3041 [faqs.org] discusses.
Microsoft has already implemented a solution, in Windows 7 at least -- which is to say, Microsoft is actually ahead of the curve in implementing an RFC standard. Good on them. That covers the majority of home and office desktop users. The Linux folks will catch up.
Re: (Score:3, Interesting)
You can deny all incoming TCP SYN segments and all incoming UDP and ICMP traffic if you so desire, then punch holes at the router's firewall when needed. This will give you essentially the same effect as NAT under IPv4. Also, use the privacy extensions of IPv6, whose random addresses on my machines last for about a day until being replaced, and are valid for incoming traffic for 6 days thereafter.
NAT is still a cancer upon networking. It partially intertwines mechanism and policy, which is a backwards step.
Re: (Score:2)
Even if no one makes dedicated IPv6 NAT/Firewall systems, it seems to me it would be pretty straightforward to take an inexpensive box (even a "Wall Wart") with dedicated software to do that, stick it between the rest of your network and the outside world, and acheive exactly the same thing that commercial IPv4 N
Re: (Score:3, Informative)
NAT is NOT a firewall, and a firewall most certainly doesn't require NAT at all. You absolutely don't lose any security at all with IPv6.
Yes, but since you don't know what you're talking about...
Re: (Score:3, Insightful)
Too many people think Port Address Translation is NAT.
Re:I have read it... (Score:5, Informative)
Overloading outbound traffic from multiple machines onto a single IP address (what you call port address translation) *is* NAT, if only because most of the vendors appropriated the name from that other kind of address translator that was hardly ever used and few even remember (RFC 1631).
PAT was never really a correct name for it anyway; that was a cisco-ism. What we call NAT today derived primarily from the stateful transparent proxies of the mid-90's and as the word "stateful" implies, it remains as much a proxy as a translator.
IPv6 gives me a choice (Score:2)
With IPv6 I can use NAT if I want. I can use a stateful firewall that breaks end to end reachability. Or I can use a stateful firewall that preserves end to end reachability. I can configure some hosts to have end-to-end reachability and some not.
If people want anonymity within their local network, then there will be a market for devices that do IPv6 address cloaking and you can buy one and use it to hide your addresses.
Re: (Score:2)
With IPv6 I can use NAT if I want.
I'm all for freedom of choice, my problem actually is that you can't use ipv6 NAT even if you want. Not with Linux anyway.
If people want anonymity within their local network, then there will be a market for devices that do IPv6 address cloaking and you can buy one and use it to hide your addresses.
Exactly, you would have to pay for something you can achieve with one iptables command line on ipv4. See my point ?
Re:No NAT, no glory (Score:5, Insightful)
It's not a religious taboo, it's just you not knowing what the hell you're talking about (and this happens every damn time an IPv6 story on slashdot shows up).
Except NAT doesn't do that. PAT [wikipedia.org] does that.
Except NAT doesn't do that. A firewall [wikipedia.org] does that.
You should not be doing any job involving networking with your current level of knowledge. If you don't even understand how current technology works how can you determine what is or isn't better for your customers.
Re: (Score:3, Insightful)
> ... the effect on reachability is almost exactly the same.
Not true. There are significant differences between NAT/PAT and stateful end-to-end.
To expose an internal service you need a NAT entry plus a firewall rule to allow the traffic versus only a rule with end-to-end.
If the protocol in use embeds IP addresses, then a special content mangling module has to be written to fix these embedded IP addresses while in transit. FTP is the canonical example of this insanity but there are plenty of these modul
Re: (Score:2)
Why would we bother with the ugly kludge that NAT is if we can just use global addressing and stateful firewalls? It's not like we've always had NAT on the internet (well, in one way or another, but it hasn't been the de-facto standard for connecting client machines until quite recently).
I still miss my university days when all the workstations in the computer labs were accessible from the internet (although firewalled pretty heavily for everything but SSH if you weren't on the university's network or the s
Re: (Score:3, Interesting)
The v6 address space is an order of magnitude greater than the v4 space, so doing this is a drop in the bucket. That would solve the whole problem.
Twenty-nine orders of magnitude, if I did the math right.
Re: (Score:3, Interesting)
As I understand, that's the big problem (Score:3, Interesting)
IPv6 and IPv4 will have to run in parallel, with most systems using dual-stacking, so a system will need both an IPv4 address and an IPv6 address. So, we'll still need a lot of IPv4 addresses available to manage the transition to IPv6
If each node has a unique IPv6 address, but it's mostly just routers using globally unique IPv4 addresses, with most nodes using RFC1918 addresses, perhaps it won't be too horrible.
Re: (Score:3, Interesting)
Don't know where in the world you are, but...
I work for an ISP. We're busy pushing HARD to get IPv6 out into the wild. Our first set will be the cable set-top-boxes, then internet cable modems. Internally, we're moving some of our systems to IPv6.
We don't make money off of selling you IPs, we make money by selling you bandwidth. We limit IPs because we have to (with IPv4). Moving to IPv6 is going to be a royal pain in the ass for us, but we NEED to do it. You "forcing" us is laughable - we'd love to be ther