Major Sites To Join ‘World IPv6 Day’

netbuzz writes "Facebook, Google, and Yahoo are among the major sites on board with what the Internet Society is dubbing 'World IPv6 Day,' a collective trial scheduled for June 8. 'It's an exciting opportunity to take IPv6 for a test flight and try it on for a full 24 hours,' says Leslie Daigle, the Internet Society's Chief Internet Technology Officer. 'Hopefully, we will see positive results from this trial so we will see more IPv6 sooner rather than later.'"

Dual-stack mode

[Fwipp]

From TFA, it appears that they are supporting IPv6 in dual-stack mode. Most users without IPv6 connectivity should still be able to access their sites on June 8th.

Re:Dual-stack mode

[tlhIngan]

Yes, they will continue to run it in dual-stack. But instead of current practice where you need to enter ipv6.google.com you will just simply type www.google.com and will reach them via IPv6. It is similar for other sites. You, who are like me stuck in IPv4 space mark June 8 in your calendars. As it might be day when you might not reach some resources on internet. It is due to fact how DNS will be resolved. Your computer will ask for IP addres and will get AAAA record but you don't have IPv6 connectivity so you will not connect. In better case it will fall back to IPv4.

Actually, you will still be able to reach those resources just fine, with patience. What happens is (and always has when OSes started blindly enabling IPv6) the connection waits for the IPv6 connection first. If that doesn't get established, it falls back to IPv4 and you get your content. What everyone found is well, pages took forever to load as you had to wait for the IPv6 TCP session to return an error first before the IPv4 fallback.

Frankly, the problem with IPv6 is the lack of a simple drop-in router replacement that works as well as current NAT routers. I don't care to have 3 IPv6 IPs on every IPv6 capable device on my network (nevermind all the IPv4-only gear I have). Yes, 3 IPv6 addresses, because you'll have a link-local (always present), your internet IPv6 address (you get a prefix that's usually /64, so all the PCs will use that prefix and add a suffix, and that will get you to the router), and since entering random numbers and letters is annoying, and a private set of IPv6 addresses (FC00:: prefix (/64) is for private networks, akin to 10/8 and other IPv4 private space). Why can't I have a NATv6 box that can have 192.168.0.1 and FC00::1, and keep everything going the way it is? Bonus to handle IPv4-to-IPv6 translation as well (there are tricks that you can do to have IPv4-only devices support IPv6 addresses, like ipv6-literal.net virtual domain Windows has to support IPv6 CIFS and IPv6 address entry).

That's what people want - a simple box they can drop into their network without having to reconfigure their intranet immediately that works just like their existing NAT router.

Re:

[dch24]

How about a software solution instead of a hardware solution?

Why doesn't glibc patch their DNS resolver to cache the "working/not working" state of IPv6? Or even better, run the IPv6 and IPv4 DNS queries in parallel and use whichever answer is returned first -- not to discard the slower of the two but to wait for it to succeed and cache the state ("working/not working").

Re:

[hedwards]

Strictly speaking, there's no reason why anybody should need to run IPv4 on their home network, or likely even on their corporate network. An N:N NAT mapping should solve most of the problems that we were trying to deal solve with the switchover.

Sure it's a bit kludgy, but for home users, it's probably the best way, at least until the older computers without native support for IPv6 and software is in place for everybody.

Re:

[FranTaylor]

What is wrong with multiple IP addresses? If you set up your routing correctly, you can assign local IPv6 addresses to all your machines, so they can talk to each other regardless of your IPv6 connectivity to the Internet. You can then add the global IPv6 subnet handed to you by your provider and assign those also. This setup is nice because you can enable and disable your IPv6 connectivity, and even change providers and global IPv6 addresses, without interfering with your local addresses.

Being able to a

"Drop In" replacement

[FranTaylor]

Perhaps you might want to try installing a stripped-down linux distribution on a geode or arm based router.

Then you can customize it any way you want, and as a bonus you will probably be immune to those router attacks out there.

If you want the "simple box" experience, install webmin. You can do all the routine sys admin tasks with it and you don't have to go near a command line.

A site seems to be missing from the participants

[wowbagger]

A site seems to be missing from the participants, but I just can't put my finger on it /.

Re:A site seems to be missing from the participant

[mcneely.mike]

That's because the average slashdot user isn't savvy enough for this, whereas your average facebook user is... i mean, these people run their own FARMS, for chrissakes!

Re:A site seems to be missing from the participant

[Anonymous Coward]

... it's because IPv6 uses UTF-8 encoded addresses.

Re:A site seems to be missing from the participant

[SlothDead]

You mean the one that has no Unicode support?

Re:

[MonsterTrimble]

Do you SEE a like button around here?!

Actually, Slashdot's moderation system on Facebook could be pretty interesting.

Only one day?

[slaxative]

I dont understand why they wouldnt just make this change permanent. If this is the protocol we're going to, make it stick. One day is just toying with us.

Re:

[drinkypoo]

With current implementations turning on IPv6 can cause long resolutions and even failures.

Re:

[vlm]

With current implementations turning on IPv6 can cause long resolutions and even failures.

Only if you connect to a faulty v6 network, that no one bothers to fix because "its only ipv6". Current *network* implementation not end user boxes. Its hardly an inherent part of the protocol or OS implementation.

Re:

[Monkeedude1212]

You sound ridiculous.

You know that saying "Rome wasn't built in a day?" That has some factual evidence to it; it took many days to build Rome. And you want to know something a lot of people don't know? They took it down the next day, right after finishing it, because they weren't sure if it was going to work. Then they erected it all again later when they saw there were no problems.

Re:

[slaxative]

Thanks for a useful quote and I'm ridiculous... Though it has no relevance to the subject. We've known about the ipv6 push for years now, and major Operating Systems have supported it. We know ipv6 works ... because people are actively using it now, I'm one of them. google over ipv6 already works, and has been working for some time. Its time for the rest of the major websites to catch up. One day is not going to prove a lot.

Re:

[vlm]

We've known about the ipv6 push for years now, and major Operating Systems have supported it.

If you want a good laugh look up major OBSOLETE OS that support ipv6. W2K, NT, even to a limited extend supposedly W98 had an addon.

Re:

[Monkeedude1212]

Psssssst

(I'm agreeing with you... I thought I might help show how silly it is to do a 1 day stunt by throwing it into the context of something physical, like a city. I thought calling someone else ridiculous might help push the 'over the top' tone to the post)

Re:

[PrimaryConsult]

I'll counter this with a service-related example.

The New York subway in 2001 decided to test a new service pattern by running rush hour levels of service on a Sunday morning with a new pattern. After they found the problems with the pattern (congestion, delays), they repeated the test a few months later with a tweaked pattern, which ended up going into 'production'.

This type of test will help push ISPs and network managers to find where the problems lie in their IPv6 implementation and hopefully give them

Re:

[dkleinsc]

It sounds like they're trying to test it first, and see this as a way to avoid the "After you, sucker" problem. If the test works, it's likely they'll make the move permanently relatively quickly. If it fails miserably, they'll do their best to fix what went wrong and try again.

June 8th?

[VGPowerlord]

"Hopefully, we will see positive results from this trial so we will see more IPv6 sooner rather than later."

So, why not schedule it sooner rather than later? June 8th is still nearly five months away!

So how about it, Slashdot?

[Epsillon]

Isn't it about time News for Nerds got a 128bit address? You know it makes sense!

Better to make up a deadline than to wait

[Quick Reply]

Having an "IPV6" day is not such a big deal for these sites as they have already more or less prepared themselves for IPV6 already. The challenge is getting ISPs and OEMs ready to supply IPV6 links and IPV6 equipment. I think that making a big deal of "IPV6 day" will push these companies into getting their asses into gear to offer IPV6, if consumers and businesses can keep pushing them "We need IPV6, are your links going to be ready for IPV6 day?" and "We need IPV6, are your firmware updates going to be rea

Re:

[vlm]

My dlink router does IPV6, but my cable modem doesn't. Until my provider goes IPv6, it's just a curiosity.

You can't buy a cablemodem that doesn't support V6. Don't get all technical with me about buying some stolen properly out of a car trunk from 1997 meaning you can buy a non-ipv6 cablemodem. I mean anything sold to the cablecos for years has supported v6. Its now gotten to the point that you can't legally call yourself DOCSIS 3.0 compatible without shipping a working ipv6 implementation. Mandatory ability as part of the standard.

Now your local provider can limit any and all technical abilities. Just lik

Heise.de did it first...

[Anonymous Coward]

The operator of one of the biggest German web sites [alexa.com], the Heise publishing house, held its own IPv6 day on the 16th of September 2010. Their domains got AAAA records in addition to the IPv4 A records and the web servers responded to IPv4 and IPv6. Long story short: The test produced much fewer problems than expected and two weeks after the test, Heise.de enabled IPv6 permanently. The story is here (in German). [heise.de]

Better Day

[buckhead_buddy]

Two days earlier and it would have been June 6, or 6/6. Rolling out IPv6 on 6/6 would have been biblically ordained to take over the heavens and the earth. Now it's just... another day, another test.

Three! Two!

[ThatsNotPudding]

One!...carrier lost...

IPv6 rollout on corporate networks

[Doug Neal]

At my workplace we've been doing some limited trials of providing IPv6 connectivity to internal systems (we don't have much in the way of outward facing stuff).

IMHO, and I would love to be corrected on this, but as far as I can see, there are some big problems to overcome with corporate deployments (not so much with home connections). Note that I am in no way advocating sticking with IPv4, this is just from my experiences so far:

It starts with the fact that your internal IP addresses will be determined by w

Re:

[bbn]

Do you really need DNS to thousands of hosts? A normal PC on your corporal network should just get an IP using autoconf or DHCP exactly like it has always been done. Renumbering is just updating the DHCP server.

Servers yes, they need renumbering. But it is an easy task since you only need to change the prefix part of the address. If you use DHCP to assign addresses to your servers, this will also be a simple one line change to your DHCP server. Otherwise you could probably script the change.

There is also th

Re:

[3.1415926535]

Do any operating systems use DHCPv6 by default? I know Linux just uses stateless autoconfig by default, which works great for renumbering, but how do you get DNS entries that way?

I guess you just manually configure your servers to use DHCPv6 and let everything else use autoconfig?

Re:

[Doug Neal]

DHCPv6 is still desirable for almost every other device you care to name, because autoconfig doesn't say anything about DNS servers.

Re:

[bbn]

DHCPv6 is still desirable for almost every other device you care to name, because autoconfig doesn't say anything about DNS servers.

Not true. Autoconfig can do DNS. It is specified in RFC 6106:

http://tools.ietf.org/html/rfc6106 [ietf.org]

Re:

[bbn]

There is an option for DNS using stateless autoconfig: http://tools.ietf.org/html/rfc6106 [ietf.org]

But for the time dual stack is a more likely deployment option. If you are doing dual stack you are probably using plain old DHCP to assign IPv4 including DNS information.

Linux will happily pick up the IPv4+DNS from DHCP and the IPv6 address from stateless autoconfig.

Re:Retarded

[Pojut]

It's precisely BECAUSE something could go wrong. A full day on a site like Facebook is more than enough time to see any major issues crop up, yet isn't long enough to deeply impact their service*.

*I know, I know..."Facebook" and "service" in the same sentence. Hurpadurp.

Re:

[TheL0ser]

It's precisely BECAUSE something could go wrong. A full day on a site like Facebook is more than enough time to see any major issues crop up, yet isn't long enough to deeply impact their service*.

*I know, I know..."Facebook" and "service" in the same sentence. Hurpadurp.

The juvenile side of me wants to make a joke off of "long enough" and "deeply impact", but I'd rather just say this: A full day on facebook is also a lot more likely to cause thousands of grandma's and others to claim the internet is broken if something goes wrong. I hope ISPs are going to be ready for support calls.

Re:

[Lennie]

If the day is 'marketed' properly, then yes that should be fine.

Re:

[ObsessiveMathsFreak]

It can be rolled out over time and quietly fade out V4.

Why would we ever want to "fade out" IPv4? Why should we? The IPv4 network has worked, robustly and reliably for 30 years. Running out of address space is not a good enough reason to totally drop interoperability with this working standard.

"there is one network that has aol.com and cnn.com and cs.utk.edu and an incredible number of other sites. Normal people call this network ``the Internet.'' They insist on being connected to the Internet, so that they [cr.yp.to]

Re:

[BitHive]

You're right, IPv4 is going nowhere because it's a dead end. The transition to IPv6 will not be instantaneous or painless but it is necessary, inevitable, and will render the old working standard obsolete, and irritating to keep alive. Your argument that version six of the internet protocol is a dead end because it won't support internet protocol connections to internet protocol sites is humorous at best.

Re:

[jgagnon]

You could damn near have an IP address for every cell in your body.

Re:

[Anonymous Coward]

So you're admitting there are not enough addresses for every cell in every person's body. Didn't anybody think about the future?

Re:not enough

[TaoPhoenix]

Dieting is a matter of national security!

Re:

[nedlohs]

Amputations are a matter of national security!

Re:

[Beardo the Bearded]

I thought that muscles swell while fat cells increase in numbers.

Re:

[VanGarrett]

While this is true, you must also consider that more skin cells are required to contain the increased volume of the fatty tissues.

Re:

[micheas]

Being overweight does not increase the number of cells in your body: the existing fat cells just swell.

Citation please.

I don't have a citation handy, but the general definition of obese is when your fat cells start increasing in number after they have expanded, hence why people that are obese rarely get back down to their lower weight, and when they do it tends to be very hard for them to maintain that weight, as it requires the fat cells to be smaller than before becoming obese. This is an over simplification of course, but you get the idea. Fat cells mostly just grow and shrink, but at some point, they start to divide, a

Re:

[SuricouRaven]

The effect is perminant, too - people who are obese as children still have the inflated fat cell numbers when adults. Maybe intensive liposuction would help.

Re:

[ArhcAngel]

They are working on IP V Mitosis.

Re:

[zrbyte]

Not only that, but you could give about 7 IPs [wolframalpha.com] to every atom in the body of every human alive on Earth! Taking the number of stars in the observable Universe [wolframalpha.com], each star could get about a quadrillion IP addresses. So yeah, there's plenty of IPs for your toaster :)

Re:

[Lumpy]

And I'll STILL NAT everything in my house. I dont need NX10^23 script kiddies attacking every one of my appliances.

Re:Yay

[Anonymous Coward]

While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home. For a limited time only, I'm offering, direct to the consumer, the latest and greatest in home security, a little invention I like to call "curtains". Yes, now people won't be able to see into your home anymore, which obviously makes it impossible for them to rob you. Act fast though, these babies will sell out quickly.

Re:

[j h woodyatt]

On top of that, we have an excellent way to keep your teen-age daughter from running up the home phone bill with 900 services: an unlisted number! She won't be able to make trouble if she can only make outgoing calls.

Re:

[hedwards]

But do you offer them in the same color as the upholstery?

Re:

[segedunum]

While you're locking down your home network with the rock solid security system that is NAT, I'd like to offer you a chance to put the same level of security on your home.

Unfortunately your little joke falls over because NAT is only one part of this thing called a firewall - i.e. houses have these things called doors and windows that can be locked. However, shock, horror, even though people are quite comfortable with their locks they still don't want anyone being able to look inside. That's why most people have curtains, or blinds, and they don't leave their house unlocked because they have them. Funny that.

Re:

[Ant P.]

How many people have a house with curtains and blinds but no doors or windows? That's what your NAT gets you.

Re:Yay

[xaxa]

And I'll STILL NAT everything in my house. I dont need NX10^23 script kiddies attacking every one of my appliances.

I won't, since I don't think anyone is going to port scan me.

Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

Also, a firewall is simpler than a NAT, and doesn't have the disadvantages of NAT, so you can just do that instead.

Re:

[spongman]

misconfigured NAT: NO traffic gets through
misconfigured ACLs: ALL traffic gets through

which is a better solution for grandma?

Re:

[Rising Ape]

There's really no excuse these days for a device not to be secure out of the box - i.e. you should be able to plug it straight into an unfirewalled network without problems. Security issues have been known about for years - even Microsoft's got on the ball now. I had a Vista box with a public IP and no separate firewall for months, and there were no problems.

Re:

[profplump]

What makes you think the firewall for grandmother won't come pre-configured with exactly the same unidirectional, stateful firewall provided by NAT boxes? Why do you think she'd have to setup ACLs?

Also, how badly do you have to muck up your ACL to get the "all traffic gets through" configuration? Is "deny by default" the status quo for any firewall?

Re:

[asdfghjklqwertyuiop]

misconfigured NAT: NO traffic gets through

That isn't true. Usually if the attacker can get packets with your private destination IP addresses to the outside of your router and you have no ACLs saying to drop that, it will get forwarded in regardless of what the NAT says.

The solution for grandma will be the same as it has always been: buy some product that filters correctly and never even hear the words "NAT" or "ACL".

Re:

[grumbel]

Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

In theory, yes. In practice IPv6 addresses aren't quite that randomly distributed and often follow common patterns (DHCP handing out addresses sequentially, etc.). There was a talk about the issue at 27C3 [youtube.com]. Conclusion basically that you can find 90-95% of the servers with just a bit brute force search. This might of course change in the future when IPv6 gets more used in practice and security issues will be handled more seriously.

Re:Yay

[cduffy]

Here's a hint: "No NAT" doesn't mean "no firewall".

Re:

[Rich0]

Here's a better one still:

NAT = firewall = no connectivity... :)

If your firewall is set up right (which takes almost no effort), then you're just as protected as if you set it up correctly with NAT. Just set a default rule that blocks anything incoming, and then allow specific IPs/ports - just like with NAT, but minus all the IP mangling.

Re:

[xaxa]

Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

OK. 5000 £1 coins, spread randomly over a suitable area. But what is a suitable area?

£1 coins have area 4*pi*11.25*11.25 mm^2. Multiply by 0xFFFF,FFFF,FFFF,FFFF to get about 10^16 m^2.

Ringworld [wikipedia.org] will do nicely.

Re:

[vlm]

Here's an IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334, the bold bit is the local part. How much bandwidth is your script kiddie going to have to have to find 0000:8a2e:0370:7334 in the range 0-ffffffffffffffff?

That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

Hmm, lets run the math here. If you insist on not installing a stateful firewall (why? Its already a part of your old ipv4 nat box) then they have to find a random-ish 32 digit hexadecimal number, in order to find an address to break into, then break in, which is hopefully non-trivial, and then hopefully steal your random-ish 16 digit decimal credit card number. However, if the bad guy has the resources to randomly find a needle in a haystack inside a 32 digit number, why waste the time? Why not randoml

Re:Yay

[lennier]

That's like taking all the money from your bank account and throwing it on the ground across the globe. People looking for money aren't possibly going to be able to search across 200 million square miles to find all your money, so it's perfectly safe, right?

Your collateralised debt obligation investment scheme intrigues me and I would like to contribute to your hedge fund.

Re:

[CyprusBlue113]

Good point! The numbers are astronomically large with IPV6. Does this "security through obscurity" improve your risk profile? I discussed the challenges of testing networks this large: www.redspin.com/blog/

I'm sorry, I'm confused, you are complaining about security through obscurity, and that is your argument in *favor* of nat? /boggled

Re:

[Just Some Guy]

Security though obscurity is no security at all.

Then post your password here and/or SSH private key here. "Security through obscurity" is not remotely close to what you think it means.

How can my firewall be expected to know the difference between an address generated by my network printer that should not be seen from outside my network and one from a pc that should ?

Set your firewall policy to "default deny" and whitelist connections you specifically want to allow. This has been the correct way of building firewalls since the idea was first invented.

So now even my network printer (toaster, fridge, whatever) needs a built in firewall with guaranteed bug fixes.

Why? You don't have a firewall on your router? Again, "default deny": don't open up a rule that allows random Internet hosts to connect to your toaster.

I want to be alerted to the addition of any kit to my network and be given the choice to allow or disallow access to my resources before whatever it is starts to use the limited data allocation that is my internet connection, starts to print a copy of wikipedia or otherwise use resources that cost me time or money.

Use whatever mechanism you're using r

Re:

[Just Some Guy]

Those are secrets that have no existence outside of my network. Unlike IP addresses. I believe you are mistaken in equating them.

But why do you care if they're known outside your network? You have a stateful firewall that protects them from the world. Here's my printer's IPv6 address: 2001:453:da65:1:94ab:7c00:8cba:beb5. Go ahead, have fun trying to connect to it.

And what prey tell should I do for my PC ? Set a static ipv6 address to be entered into the whitelist ?

Yes, of course. Why wouldn't you?

Re:

[kasperd]

If you implement a default deny firewall and are running randomised addresses, just how do you open a port ? Or otherwise grant access for inbound connections ?

Randomly assigned IP addresses can be static or dynamic. You assign one static to each machine and let it generate dynamic addresses on its own. For incoming connections you use the static IP of the machine. For outgoing connections you use one of the dynamic IP addresses of the machine.

I am just willing to wait for that or until ipv6 reaches critica

Re:

[asdfghjklqwertyuiop]

And you'll still be a complete idiot for doing so since the firewall rules that are currently keeping those attacks away work exactly the same way without NAT on IPv4 or 6.

Re:

[Desler]

Because not everything behind a router needs a public address?

Re:

[vlm]

Because not everything behind a router needs a public address?

Um, why? Here's a resource that is inherently by design non-scarce, but you prefer to act as if it were? The "hair shirt" brigade might approve but the rest of us kinda laugh.

Re:

[kent_eh]

Because not everything behind a router needs a public address?

Um, why?

'cause I don't want my NAS box to have one.
There's no legit reason for any machine outside my house to access it. Ever.
It's part of that layered approach to securing thing.
Yes, there is a firewall
Yes, there is a password
And, yes, the device's address is not publicly routable.

Paranoid? maybe, but so what.
It's my stuff, and I don't want you to be able to look at it. End of story.

Re:

[vlm]

Paranoid? maybe, but so what.

I wouldn't say paranoid so much as wasted effort compared to other things having a much higher rate of return. You can configure a LAN using private space at huge time and effort both in set up and long term maintenance. Grats, you did it. However that time would far better be spent on securing your internal clients which do have access to the NAS, patching your NAS, patching your firewall, etc.

That particular layer is very expensive yet likely to be spectacularly ineffective. If everything worse has al

Re:

[CAIMLAS]

If I had a hundred thousand acres of land where I kept my 10 cattle, I'd prefer to have just one gate into the property instead of one every mile or so. It'd be harder for people to steal my cows that way, and I could more easily maintain the gate.

Re:Yay

[Junta]

Your 'gate' is your router/firewall. People can't magically get around the same exact piece of equipment that NATs today simply because they are independently addressable. Those devices need to just have a 'no unsolicited incoming traffic' firewall by default.

Re:

[segedunum]

Um, why?

Because not every device needs a public IP address on a private network and public devices on the internet are not entitled to see any of my IP addresses from my devices, no matter how firewalled they are.

In addition, I don't want to have to piggy-back on to an ISP for an available public IP address when I can easily serve that with an internal network device I know will at least work most of the time. No one is thinking through the practical considerations and the network issues we have today.

Re:

[hedwards]

Solid point, for most people addresses on the network shouldn't be publicly accessible unless you choose to make them so. And if you're having to manually add access to new devices, what's the difference between a publicly routable, but blocked, address and one that isn't a public address.

Re:Yay

[vlm]

whether is has a public or private address is nothing to do with scarcity of IP but need and suitability and there a lot of IP device's that do not need a public address, my printer for starters, don't need to manage it from the outside, don't need to print to if from outside. Plain old private IP4 seems to work fine and dandy.

But using a separate address space makes your work WAY more complicated and less reliable.

All public scenario: Your stateful firewall prevents incoming traffic to your printer, just like it prevents incoming connections to anything else that you haven't specifically allowed. One address range everything reaches everything. Everything on one happy layer 2 LAN. Simple dynamic (re-)addressing.

Public plus private scenario: You still need a configured stateful firewall for all your other devices but now you have the joy of adding a statically configured LAN. How do the two networks reach each other? Route thru your slow firewall? Or multiple static and dynamic addresses on every device in your LAN? The time you spend complicating the heck out of your LAN, is time you're not spending securing it at the network and device layers.

So, sure, if you really want, you can spend a lot more time, money and effort to get a LAN that is much harder to design, configure, troubleshoot and monitor, all while being less secure, but you would be "saving" one of the 3 x 10 ^ 38 addresses, except you actually aren't because they assigned you a /64 for your LAN so its not like anyone else could use that address anyway.

IPv6 doesn't outright prevent you from shooting yourself in the foot, but its still kinda usable.

Plus if your LAN is a corporate LAN you've now gained the nightmare of merging multiple LANs using the same private addresses. Even if FC00::/8 is mostly empty, you know most clowns are going to use network=0 / host=1 for their firewall and watch the chaos when they interconnect.

There seems to be no advantage to private ipv6 space...

Re:

[kasperd]

a lot of IP device's that do not need a public address, my printer for starters

It may be correct that your printer does not need a public IP address. However the same argument has been used for lots of devices that do need to communicate with the outside world. And there certainly aren't enough IPv4 addresses for the devices that do need a public address for proper operation.

Let's get back to that printer. Let's assume you will never want to print to it from computers outside of the same local network, t

Re:Yay

[Anonymous Coward]

Why not?? In the *real world* everything has a public address. I know people don't "get it" when it comes to networking, but this is just FUD and is getting ridiculous.

NAT is like having a chaperone, where all communication happens through a 3rd party. It increases network traffic, it makes peer-to-peer internet impossible. And it is not security. You only need to trick inside device to connect to outside device, and there goes NAT as security! And that is quite easy.

Firewall is like having a security guard monitoring traffic. A firewall is actually designed to handle security, not illusion of security. This can actually catch and prevent unsanctioned communication. And if you want to use Skype, you can actually allow inbound connections.

Skype went down because of NAT. If the internet was IPv6, there would be no need for "supernodes". People could actually communicate, peer-to-peer instead of through their chaperones.

Finally, when I was young and stupid, I believed that NAT was a cool thing. When I asked a network admin at local university why they don't do more NAT and all departments gets /24 or larger, the answer was quite simple. Security. I didn't understand that answer for a few years, but now years later, it is as plain as night and day. NAT creates more problems than it's worth. And if someone brought some shitty SPAM relay (virus), it becomes a challenge just trying to identify where the rogue program is communication from.

Traceability and accountability and transparency and security is what public internet brings. NAT gives you an illusion of anonymity and security.

Re:

[surgen]

Then don't give it a global ipv6 address, only give it a link- or site-local addresses.

Re:

[Gerald]

...or you can just use site (or even link) local addresses.

Re:

[Marillion]

Mod this up!

I have ipv6 at home and I have a /64 subnet. That's 18,446,744,073,709,551,616 addresses. If you assume an adult human has about 50 trillion cells. You can assign one of those IP addresses to every cell of everyone in the US and still have leftovers.

No, not everything needs a public address. But everything could with no risk of scarcity.

Re:How do I get to their sites using IPv6?

[Bob_Sheep]

Use a tunnel broker service. There are at least 2 free tunnel brokers, SixXs [sixxs.net] and Hurricane Electric [he.net]

Re:

[Monkeedude1212]

I imagine most home users don't have IPv6 addresses.

In Canada we do. Most ISPs (Meaning the 3 big ones) are already set up to do it, and will dish you an IPv6 address if you configure things on your end (and they'll walk you through how to do it, if you wish) but they basically warn you that not every site is using it yet so they advise against using it.

Re:

[h4rm0ny]

What about within the home? Do most routers support IPv6 now or do you have to do something special?

Re:

[Monkeedude1212]

When I do an Ipconfig /all I get a Link-Local IPv6 Address so I would assume that yes, most routers now support IPv6.

Re:

[Smitty825]

I've generally found that most "home grade" switches can route IPv6 traffic without issue. However, it's doubtful that your Cable/DSL router supports IPv6 out of the box, unless you're running a custom firmware such as DD-WRT.

Comcast gives all customers IPv6 through 6to4

[YesIAmAScript]

They also have 6RD.

All you need to do is turn it on. And if you have certain base stations, it is on by default.

http://comcast6.net/ [comcast6.net]

Re:How do I get to their sites using IPv6?

[icebraining]

They won't turn IPv4 off for probably many years. But if you actually want to try IPv6 without ISP support, you can try a free tunnel broker [gogo6.com].

Re:

[rastos1]

Try 6to4 [wikipedia.org] - follow the instructions on http://6to4.version6.net/ [version6.net]. If you are behind NAT, you need to put your machine into demilitarized zone [wikipedia.org] (i.e. it receives all packets that the NAT-ing router receives)

Re:

[dkuntz]

Apple Airport Extremes can do ipv6. I know this cause Charter in my area gives out ipv6 addresses as well as v4.

Re:

[Yaztromo]

Can it do BOTH WiFi N and WiFi G *at the same time*? If yes, then I might get one... :)

Yes, and you can even run N at 5Ghz and G at 2.4Ghz simultaneously. The latest Airport Extremes have dual independent radios specifically for this use case. Coupled with their IPv6 support (including IPv6 firewalling), IMO the Apple Airport Extreme is the best home wired/wireless router on the market.

Yaz.

Re:

[vlm]

Can any of you give me a brand of WiFi N router that can do ipv6? I guess there aren't that many. Why manufacturers aren't FORCED by law to do it?

In bridging mode, you can't (easily) make a wifi access point that won't support ipv6. Its just another type of packet on the (virtual) wire. For a good fraction of a decade that is how I've had my home set up.

The market has spoken and you cannot buy a non-docsis 3.0 cablemodem anymore. docsis 3.0 requires ipv6 support. Many people have a "wireless cablemodem" basically a modem and router and access point in one little box. Thus all wireless cablemodems going forward will support ipv6, and presumably a

Re:

[Yaztromo]

The main problem with N wifi is I do not have the connection speed to saturate my decade old plain ole 802.11B network. If I upgrade to N, rather than being capped by my provider to max out at about 33% of my network speed, I'll merely run at about 1% of my network speed. Who cares?

Anybody how has more than one host on their home network, and does data transfer between hosts?

I suppose if you only have one machine going out through your network, or if the hosts you do have never inter-communicate (or only do so at a superficial level), then sure -- 802.11b should be sufficient. Then again, so would 10-Base2 Coaxial networking (aka "fun with terminators!").

Personally, 802.11n is the best way to connect to the hosts on my home gigabit network. Not as good as wired (where I have got w

Re:

[vlm]

I can't find the section of the constitution that allows lawmakers to do that, nor would such a heavy handed policy be justified.

Well thats never stopped them from doing what they want in the past, has it?

Aside from that, if my local monopoly regulated cableco is required to provide service rates, that can be provided by docsis 3.0, and no other competing technology exists but docsis 3.0, and docsis 3.0 also happens to require a working ipv6 implementation, which it does, we are half way there.

Now convince the docsis 4.0 guys to demand the removal of ipv4 or whatever and you're basically done.

The main problem with the guys plan, is e

Re:

[John Hasler]

> Well thats never stopped them from doing what they want in the past, has it?

Yes. Many times. For a recent example see the "Children's on Line Protection Act".

Re:

[vlm]

I guess it's time that porn ... sites switched over to v6 only, that should put some pressure on hardware manufacturers and ISPs to finally deliver v6

More like, a bunch of clowns in the government trying to make v6 illegal because they think everyone should have to do what their imaginary man in the sky told them.

Re:

[YrWrstNtmr]

Since when is yahoo a "big site"?

According to Alexa, Yahoo is 4th behind Google, Facebook, and YouTube.