Comcast Begins Native IPv6 Deployment To End Users
First time accepted submitter Daaelarius writes "Comcast has begun deployment of Native IPv6 access to end users. The deployment is starting out small with a single market, but is expected to expand rapidly. They have provided ... more in-depth technical details."
Finally; native dual-stack IPv6 for home customers. Perhaps we can avoid a post-exhaustion future of NAT-upon-NAT and use restrictions.
Yeah right (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2, Interesting)
Unless you want to be directly connectable.
Re: (Score:2)
I agree. There's almost nothing you need to do right now that requires you to be directly connected, even in a commercial environment, much less a home environment. You don't need to be directly connected to the internet to host a webpage or for bittorrent to work. You only need a single port for each of those, and sticking those behind a gateway/bastion host is fantastic.
Maybe if IPv6 takes off, we'll want to be able to configure all our devices remotely, but that is not the case for most home users today. We'r
Re: (Score:2)
Re: (Score:3)
Exactly, this is really quite trivial, and AC seems to be rather ignorant. Just set up port 23 for computer A, port 24 for computer B, port 25 for computer C, etc. Then ssh to 111.222.333.111:24 when you want to connect to computer B.
Re: (Score:3)
I'm not exactly all gung-ho on the ipv6 thing (yet), but having to deal with a purely digital resource as a limited thing is kinda silly, and needs to be corrected eventually.
Re: (Score:3)
How is that better than simply having each address correspond to a unique machine? Seems more of a hack to me, and of course you can't use a "standard" port (e.g. 80) on more than one machine.
Re: (Score:3)
Okay smarty pants, now imagine your home NAT is behind a NAT your ISP is running, which probably uses an address pool rather than a single address. They won't forward ports for you, because that is all they'd do all day, and if they did, tricks like hole punching and STUN won't work reliably because there is nothing to ensure a new connection has the same visible source address on the *real* Internet.
Also NAT is not security at all at least in the PC world, as I can get you to make an outbound connection
Re: (Score:3)
It's better because it doesn't require the entire world to suddenly change the way it's been doing things all along and switch to a completely incompatible system. Eventually, we might get there, but last I heard even Google wasn't too keen on IPv6, and that would be a big problem.
And yes, you can use a standard port on more than one machine. The NAT router takes care of translating the ports. You can have 10 machines all listening for ssh on port 22, and the router will take care of translating 22..31 t
Re: (Score:3)
All of those ways are one extra step beyond just hitting an inbound port, and that's what security is. There is no such thing as "an attacker can't do X", just layers that make it more difficult for an attacker to do X. It's nearly trivial to "bump" the deadbolt lock on my apartment door, but I'm sure glad I have one, vs not having any lock.
Re: (Score:2)
And why would anyone but an idiot want a phone number or postal address that can be reached by the public at large??
Exactly. Who wants to have to deal with idiot marketing calls all the time?
Re: (Score:2)
I'll take addresses and phone numbers for all of my homes and phones, without having to use post-it notes and pseudo-addresses to make everything reachable. Particularly if having those addresses affords me the same level of security as doing without.
After all, nothing about being able to address all your devices precludes the use of proper firewalling, just as you do now.
Re: (Score:2)
I'll take addresses and phone numbers for all of my homes and phones, without having to use post-it notes and pseudo-addresses to make everything reachable.
Is there a difference between having a post-it note reminding you of the IPv6 address for your toaster compared to a post-it that reminds you of the address and port?
Particularly if having those addresses affords me the same level of security as doing without.
It doesn't. Securing an address that exists requires proper configuration of a firewall and some reasonable assumption that the firewall itself doesn't have security issues. Securing an address that doesn't exist requires nothing. You cannot break into a toaster that doesn't have an internet connection.
After all, nothing about being able to address all your devices precludes the use of proper firewalling, just as you do now.
Botnets thrive because mom and pop comp
Re: (Score:2)
YOU may know how to configure a modern firewall properly, but mom and pop won't, and they'll have their toaster on the wild and wooly IPv6 internet.
Then perhaps it's about time that manufacturers put some thought into security rather than blaming something else if their devices get pwned. There's no reason why a home appliance should need a separate firewall to be secure.
Even Microsoft have got the hang of it now - I had my Vista box on a public IPv4 address for months without problems.
Re:Yeah right (Score:5, Insightful)
not being directly connectable (ie., behind NAT)
WRONG.
on ipv4 NAT is generally implemented as a stateful firewall that also rewrites addresses.
There is absolutely nothing preventing a firewall on ipv6 that is stateful, that leaves addresses alone.
The security gain comes from the stateful firewall, not the rewriting addresses.
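An added example (not any commenter's configuration) of the point above, written in nftables syntax: a stateful IPv6 forward chain that gives a LAN the same posture a home NAT box gives an IPv4 LAN, with no address rewriting. The interface names wan0/lan0, the LAN prefix 2001:db8:1::/64 and the host 2001:db8:1::10 are placeholders.

```nft
# Added example, not from any commenter: a stateful IPv6 firewall in nftables syntax.
# Interface names wan0/lan0, the 2001:db8:1::/64 LAN prefix and the host 2001:db8:1::10
# are placeholders. Load with: nft -f home-ipv6.nft
table ip6 home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets that belong to no known connection and are not a valid new one
        ct state invalid drop

        # Replies to connections that LAN hosts opened are let back in: this is the
        # property a NAT box gives you, and it needs no address rewriting at all
        ct state established,related accept

        # ICMPv6 errors must pass or path MTU discovery breaks (RFC 4890)
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # LAN hosts may open outbound connections
        iifname "lan0" oifname "wan0" accept

        # Explicit pinhole, the IPv6 counterpart of a port forward: one host, one service
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 22 ct state new accept
    }
}
```

With `policy drop` on the forward hook, an unsolicited packet to any LAN address is discarded unless a pinhole like the last rule names that host and port explicitly, which is the same decision a port forward expresses on an IPv4 NAT router.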
Re:Yeah right (Score:4, Interesting)
Additionally, many other carriers are already seeing IPv4 exhaustion (due to their own wastefulness in the RFC1918 address space). They are co-opting DoD
I'll skip the obvious stupidity of "stealing" IPv4's from the DoD. But instead of deploying Carrier-Grade NAT, they're divvying up the internet. In one place, 28.0.0.0/8 takes you to one machine, in another place it takes you somewhere else.
It sounds like the IPv4 internet is going to fall apart simply due to negligence. How's that for an IPv6 killer app?
Re: (Score:3)
Well partially, but I'd argue the addresses have a lot to do with it, too. My home subnet is 192.168.77.0/24. My firewall blocks anything coming from the outside world bound for 192.168.77.0/24. That's nice, but doesn't really ever do anything because damn near every router between me and a potential attacker drops packets that are to or from the reserved networks, because it has no idea where to send them. About the only way it would be a viable attack is from somebody who had control at my upstream IS
Re:Yeah right (Score:4, Insightful)
And what makes you think that the IPv6 off-the-shelf routers won't default to a stateful firewall? In fact, I can't see any vendor not enabling that by default, and advertising it in big bold letters (not the techno-jargon, but "Buy this box and keep the hackers out"). And the ISPs are likely to include such functionality in their cable/DSL modem, since they could benefit from fewer zombies on the network.
Comment removed (Score:4, Informative)
But isn't that the problem? (Score:2)
The current situation provides some level of security for the end-user ... even if the end-user does not understand the concepts.
They get 1 IP address from their ISP and they buy a magic box that provides them lots of sockets to plug stuff into and wireless access. They don't know if they're running NAT or
Re: (Score:3)
You confuse NAT with Firewall.
IPv6 still needs a firewall, which will be done by the same device that currently does your NAT and firewall. Why would that change?
But will that same behaviour have different results once they receive globally routable IP addresses for each device? I think it will.
Why, did your current router come pre-configured to forward all of your ports to random inside IPs without you directing it to do so?
No?
Then why would an IPv6 firewall allow in a single packet from the Internet without you specifically directing it to?
It won't.
Globally routable does NOT mean you are forced to globally route anything. It makes it
Re: (Score:3)
First, put away the PAT -- your Cisco is showing, and the kind of packet mangling done by virtually all home routers does both address and port translation.
Second, while it is possible to buy a WiFi bridge that isn't a router/NAT/firewall box there are actually very few consumer-grade devices that do this -- I sometimes want one and often have to spend extra time searching for one, or even for a device that comes with NAT enabled but can be placed in a bridging mode. It also seems unlikely to me that access
Re: (Score:3)
They still need a box at their end just like the box they use for NAT now. IPv6 will not lead to bridged networks to your ISP. You have two options: plug one PC directly into the box or get a CPE router; this is the exact same choice they have now. IPv6 is changing nothing. Hell, in some ways it's better, since the newer telco CPE gear is generally configured as a router with firewall and moving to IPv6 will require new CPE gear for most. One of the big reasons for giving customers more than one public su
Re: (Score:3)
That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong. Shut down or secure any unneeded port-bound services, and install a basic firewall on the router to only let the ports you need out (just port 80 may be enough).
Plus, just finding a device on IPv6 can be hard. Given a 64-byte ICMP packet and a gigabit ethernet connection, it would take just under 300,000 years to ping every potential host in a /64. You want security through obscurity? Set your DHCP s
Re: (Score:2)
That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong.
How are you going to hack into my webcam when it has no publicly visible IP address? In order to hack it you need to already be on my internal LAN, so my security is already toast.
Re: (Score:3)
Re: (Score:2)
Better yet, some OSes can generate temp IPs, so the IP you used to connect to a web site 2 seconds ago is already turned off and a new one used. OS-level firewalling can automatically firewall all inbound to these temp IPs. Meaning you do not ever have to use your real IP for outbound connections. When a computer advertises a local service through something like Bonjour or DNS it uses its main IP. Sure, people still know it's all coming from the same /64 and apps will track it like they track NAT IPs n
Re:Yeah right (Score:4, Informative)
http://www6.ietf.org/rfc/rfc3315.txt [ietf.org]
Autoconf currently doesn't assign a prefix delegation.
Re: (Score:2)
And anything that can do NAT can do stateful firewalling. I'm tunneling IPv6 at my home; it's just as secure as my Comcast connection since it's using the same firewall rules. Just because NAT requires a firewall to function does not make it a good idea. Let's also remember that where NAT has one IP that's exposed to be attacked, an IPv6 user is given 1*10^24 IPs; finding IPs to attack at random is nigh impossible if the firewall has any intelligence. Sure, you can attack IPv6 boxes by finding the IP via othe
Re:Yeah right (Score:5, Insightful)
Re: (Score:2)
Re:Yeah right (Score:5, Informative)
People underestimate the address space in IPv6 when they make remarks like this.
In principle IPv6 could hold more than 10^38 addresses. Now due to structuring and various reservations and so on there is considerably fewer. So for the sake of argument, let's say it is "only" 10^20. That's still enough that for every present IPv4 address you could add an entire internet and still have addresses left over.
What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.
Re: (Score:3)
Re: (Score:2)
What does that even mean?
Re: (Score:2)
Re: (Score:3)
Don't worry, they'll find a way of fucking this up too. It may take a while, but you should never underestimate an idiot; idiots are too inventive.
Nah; the ISPs already know just how to do it, and it doesn't require an idiot. All they need to do is use the same method they've used with IP4: They only accept one address at your site, and discard any packets that didn't come from that address or aren't sent to that address. If you want N addresses, you'll have to pay N x $X, where $X is their current price for a routable address.
It really doesn't matter how many gazillions of addresses IPv6 makes available, you will only get one. Addresses are a comm
Re: (Score:2)
Hmm...I only pay $70/mo for my 'business' account I have at home. I get static IP, no ports blocked, no data caps, can run any servers I want...etc.
I think it's a pretty good deal....with decent speeds. $70 is dou
Re: (Score:2)
Re: (Score:2)
Cox Cable Business.
$69/mo....static IP, no caps, all the servers I want to run, basic level SLA (and the few times I've had to call, even in middle of the night, they had a guy out on the pole to look things over in less than an hour)...good service. I'm happy. Speeds are roughly 13-14 Mbps down, and 4-6 Mbps up...the upload used to be faster before I moved and had the service moved with me...
Re: (Score:2)
Re: (Score:3)
Addresses are a commodity, to be leased for a profit.
That's what many ISPs and hosts are trying to let you believe. In reality, when you get your IPs from APNIC / ARIN / RIPE, that's not the way it works. You wouldn't pay more if you needed more IPs.
Re: (Score:2)
Re: (Score:2)
The bigger problem is because of the ideological dead-end-to-dead-end design, when every one's toaster and light bulb have an IPv6 address, and the anti-NAT zealots have one, is that upgrading to the next generation of networks will be impossible. The inertia caused by having to have everyone upgrade every light bulb and toaster to a new standard will block any advancement in networking technology.
Re: (Score:2)
I can only think of a few ways we could run out of IP addresses with IPv6. First and most likely, if they are allocated in blocks far too big for any reasonable use. Second, if we develop an interstellar network. Third, if we develop nanotechnology to the point of making self replicating machines, each with their own IP.
Re: (Score:2)
I do. What if you allocated 3,999,999,999 IP addresses to one sock?
IIRC this happened in the early days of the internet, except the sock was MIT.
Re: (Score:3)
I should add, that my "for the sake of argument" of 10^20 is an EXTREMELY conservative estimate. In practice the IPv6 address space has an amount of addresses that is greater than the number of stars in the universe.
Re:Yeah right (Score:4, Funny)
So what you are saying is that we'll have to do a NAT behind the Sun once ipv6 is allocated to every solar system in the universe?
Fuck.
Re: (Score:2)
What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.
And yet, according to the Comcast announcement, if you are paying for just one device, you get just one IPv6 address. They call it "directly connected CPE". Yes, on my home network, I have one directly connected device -- the NAT router.
I'm also confused by their statement that the device must understand "stateful DHCP6". Why? The cable modem gets assigned one IPv6 address on the cable side, and it serves one IPvX address via DHCP to the CPE. What changes? Why not make the cable modem the IPv6 to IPv4 gat
Re: (Score:2)
It seems wasteful, but it's a convenient boundary to assign to a customer. v6 makes heavy use of 64 bit subnets. An ISP doling out 48 bit prefixes can expect their customers to use 16 bits for subnetting information, so customers can reasonably have 65,000 networks to do with as they please.
Look at a 6to4 address: 2002 + your v4 address + ABCD (whatever the heck you want) + 64 bits chosen by your computer.
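As an added example (not the commenter's code) of the address layout described above, here is the 6to4 construction in Python using only the standard ipaddress module: the 2002::/16 prefix, the embedded IPv4 address, the 16-bit subnet field, and the 64-bit interface identifier, plus the reverse step of pulling the IPv4 address back out of a 6to4 address, which is what you want when reading 6to4 traffic in logs. 192.0.2.1 is a constructed sample from the TEST-NET-1 documentation range standing in for a real public IPv4 address; the function names are my own.

```python
import ipaddress

SIXTO4_PREFIX = 0x2002  # 2002::/16 is reserved for 6to4 (RFC 3056)

# 6to4 needs a globally unique IPv4 address; refuse the obvious non-global ranges.
_UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 that 6to4 derives from one IPv4 address: 2002:VVVV:VVVV::/48."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in _UNUSABLE_V4):
        raise ValueError(f"{v4} is not a globally unique IPv4 address")
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits
    value = (SIXTO4_PREFIX << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((value, 48))


def sixto4_subnet(ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65,536 /64s inside the 6to4 /48 (the 'ABCD' field in the comment)."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    value = int(sixto4_prefix(ipv4).network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def sixto4_address(ipv4: str, subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """Full address: /48 prefix + 16-bit subnet + 64-bit interface identifier chosen by the host."""
    if not 0 <= interface_id < (1 << 64):
        raise ValueError("interface id must fit in 64 bits")
    base = int(sixto4_subnet(ipv4, subnet_id).network_address)
    return ipaddress.IPv6Address(base | interface_id)


def embedded_ipv4(address: str):
    """Recover the IPv4 address a 6to4 address was derived from, or None if it is not 6to4.
    On the defensive side this tells you which IPv4 endpoint a 6to4 packet really came from."""
    a = int(ipaddress.IPv6Address(address))
    if a >> 112 != SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((a >> 80) & 0xFFFF_FFFF)


def subnets_per_delegation(delegated_len: int = 48, subnet_len: int = 64) -> int:
    """How many /64s a customer can carve out of a delegated prefix (2**16 for a /48)."""
    return 1 << (subnet_len - delegated_len)


if __name__ == "__main__":
    # 192.0.2.1 is a constructed sample (TEST-NET-1) standing in for a real public address.
    print(sixto4_prefix("192.0.2.1"))              # 2002:c000:201::/48
    print(sixto4_address("192.0.2.1", 0xABCD, 1))  # 2002:c000:201:abcd::1
    print(embedded_ipv4("2002:c000:201:abcd::1"))  # 192.0.2.1
    print(subnets_per_delegation())                # 65536
```

The same arithmetic applies to a /48 an ISP delegates natively: the 16 bits between the delegated prefix and the /64 boundary are the customer's subnet field, and `subnets_per_delegation(56)` shows that a /56 delegation leaves 256 of them instead.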
Re:Yeah right (Score:4, Funny)
If you can't cook toast, then you probably shouldn't be bringing your phone in the shower with you, either.
Re: (Score:2)
No, I'd want my toaster to alert me, not my phone. I'd want my phone to alert me that YOU are trying to call me while I'm in the shower, giving me the pleasure of knowing that I'm not answering your call.
Old-tech solution (Score:2)
My solution has always been to bring the toaster into the shower with me so I do not require a notification.
Or at least that's my plan now, I'll implement that right awaZORCH
Re:Yeah right (Score:4, Insightful)
Re: (Score:3)
I like my toast burnt, you insensitive clod!!!!
Re: (Score:2)
So, as an end user... (Score:2)
I'll not still use NAT for my home network for all my devices that I authorize to use the wireless router...etc?
What does the regular user have to do to use this...and what exactly is going to push him to change his whole home network along with all the devices he currently has on there (tv's, ipads, laptops, desktops, toasters...etc)?
Re: (Score:3, Informative)
The idea is that the end user is still going to keep all his devices behind a firewall so everybody on the internet can't probe them. But since your toaster has its own actual address, it can connect directly to the Online Toasting Database server without having to kludge all that traffic through a NAT.
Re: (Score:2)
It's a start (Score:2)
Kudos for Comcast for finally getting the ball rolling on IPv6. A /128 address gets their foot in the door, and as their post says, they can expand it later.
Kudos (Score:2)
Re: (Score:2)
Rolling out IPv6 could have been considered taking a long term view a decade ago. With IPv4 exhaustion looming, starting the roll-out now is just short of required. Sadly, looking out past the end of the current quarter is considered "long term" nowadays.
Re: (Score:2)
If cabletown was thinking long term, they wouldn't have bought that buggy whip manufacturer that calls itself NBC.
Static IP? (Score:2)
Re: (Score:2)
IPv6 addresses change all the time. They're really good at it. You should learn how DNS works, because it's going to be your new best friend if you ever want to find your needle in the v6 haystack. Even better, you can have a pile of v6 addresses on a single interface, instead of the paltry one v4 address.
Re: (Score:2)
Even better, you can have a pile of v6 addresses on a single interface, instead of the paltry one v4 address.
Who told you an interface could only have one ipv4 address? This is just flat-out incorrect.
Re: (Score:3)
Windows 98
Re: (Score:2)
How do you do it without aliasing the interface?
Re: (Score:2)
ifconfig eth0 add YOUR-IP-V4 netmask A-NETMASK
But that's a bit retarded. You should use "ip" and not "ifconfig" (and shame on me, I never remember the syntax of "ip").
One IPv4 address per interface? (Score:2)
Must be a relic of an operating system.
Re: (Score:2)
Yeah... even something as brain-dead as Windows 2000 supports multiple IPv4 assignment.
Re: (Score:2)
You could always get a business class account like I did. Then you get 5 static IPs allocated to you that never change. I've even moved and they ported the IPs with my account. Not to mention it's faster and you get more upstream bandwidth.
Yea! (Score:2)
Re: (Score:2)
The catch is that they ran out of 10/8 space for their Internal network and weren't stupid enough to overload it. They deployed v6 to manage the cable modems, and then cable modems needed to be v6, and that was convenient since they're starting to run out of public space addresses, too. Those addresses can't be helped, and they're going to get sucked back into the ISP on the NAT level. Yes, all that malarkey about sharing public v4 addresses with your neighbors is a mathematical inevitability. Read thro
Re: (Score:2)
I've been using Comcast's IPv6 6rd since it launched over a year ago. In the first few months, there were several instances where parts of the IPv6 global network were down, but those problems were corrected within a couple of days.
All said, Comcast has been out in front of this compared with the other US ISPs. They should be commended (on this issue, at least).
From another perspective... (Score:2)
It's lock-in. Once you've gone IPV6, who's going to want to go back. You'll be a Comcast customer until FIOS, DSL or whatever other competition might actually exist catches up.
Re: (Score:2)
Do you think a significant proportion of their users actually would know or care what the difference is?
Re: (Score:2)
If they neither know nor care, they never would have signed up for the pilot.
Re: (Score:3)
Re: (Score:2)
Charter was about a year behind with IPv6 6rd, but they are likely to catch up quickly.
Re: (Score:2)
Re: (Score:2)
Not lock-in at all; you can have IPv6 even if you move to an ISP with only IPv4. I do it through a tunneling router to an IPv6 provider (several do it for free and give you a monstrous static IPv6 subnet), and I can saturate my ADSL line with IPv6 traffic, so no bottlenecks from the tunnel. It's nice having static addresses even though my IPv4 connection is dynamic!
Re: (Score:2)
True, it's kind of like trapping oneself, really.
There will be no IPv6 transition (Score:2, Flamebait)
The problem is that there is no benefit in using IPv6 as long as there are no IPv6-only services.
Therefore, it is unlikely that IPv6 can be rolled out successfully [in-other-news.com].
Re: (Score:2)
The linked article echoes what I've been saying for years now: IPv6 is lab technology, cool, interesting but essentially pointless as anything other than a conversation piece in real life. Converting all of the internet would require 40,000 man-years of labor to complete... Conservatively. And that doesn't count even a second of work for changes to internal networks to get to an "All IPv6" network so we can actually have "end-to-end" connectivity. Honestly, who wants it? Who needs it? If I need end-to-end c
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Just like there weren't any IPv4-only services in the beginning? What kind of an argument is that?
A good one. It's your response that isn't a good argument... There were no IPv4 services prior to the Internet. But there ARE legacy services prior to the IPv6 internet. And the popularity of these legacy services means implementing a forklift upgrade to IPv6 is simply economically impossible for the reasons listed in the linked article, specifically:
Awesome (Score:2)
Re: (Score:2)
Re:Available in my area? (Score:5, Funny)
Right after they test with the current demographic -- people with one computer that is directly connected to the cable modem.
This should go quickly, since every one of those people is already a zombie spam-bot.
Re: (Score:2)
Right after they test with the current demographic -- people with one computer that is directly connected to the cable modem.
I wish they'd broken that out as a percentage of their userbase. I can't imagine it's very large - most of even my non-techie friends still have some sort of wireless or wired router on this side of their cable modem.
Re: (Score:2)
Well, Dual Stack Lite is going to be their long term IPv4 availability, which removes NAT from the CPE and shifts it up into the ISP layer. So all of your transactions will be manipulated inside the ISP's AFTR element, which would be a very convenient place to mine your data stream for goodies. But that would be paranoid to think they would do that. Especially when they could do it anywhere else just as easily!
Re: (Score:2)
Re: (Score:2)
IPv6 6rd has been freely accessible since early 2010.
Re: (Score:2)
Now your ISP can also see exactly how many devices you're attaching to the internet.
And since comcast is really just a cable TV company at its core, they will charge you per device.
I'm assuming that something like PFsense or a timecapsule will still work as a NAT device?
Re: (Score:2)
That notion is very alarmist and 1990s-era. An ISP can make a pretty good guess of how many LAN devices you have using million dollar stat boxes, like Sandvine makes. They don't care. ISPs are all media providing machines on another face and they know all your LAN devices are just media consuming vehicles with credit card slots strapped on the side. They really don't care. They'll just do metered billing someday and we'll all crab together.
Re: (Score:2)
So set your firewall up so that your ISP cannot see your toaster.
Re: (Score:2)
Nope, as you can also change your IPv6 address, especially if you use the IPv6 privacy extension [superuser.com]... your ISP will not know when it's the same device or another device.
To do that, they would need to deliver just ONE IPv6 address for you... and that goes against the goal of IPv6 and would probably force the ISP to have a lot more work to deliver IPv6 that way than to allow a normal IPv6 range to the user...
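An added example (not any commenter's code) of the two kinds of interface identifier discussed here and in the earlier comment about temporary IPs: the modified EUI-64 identifier SLAAC builds from a MAC address (RFC 4291), which lets an observer recognise the same device across prefixes and even recover its MAC, next to a random identifier of the kind the privacy extensions (RFC 4941) use. The MAC 00:11:22:33:44:55 and the 2001:db8::/64 prefix are constructed samples; function names are my own.

```python
import ipaddress
import secrets

_IID_MASK = (1 << 64) - 1
_UL_BIT = 1 << 57       # universal/local bit of a modified EUI-64 identifier (0x02 in the first octet)
_FFFE_MARKER = 0xFFFE   # octets 4 and 5 of a MAC-derived identifier


def modified_eui64_iid(mac: str) -> int:
    """Interface identifier SLAAC derives from a 48-bit MAC (RFC 4291 appendix A):
    split the MAC in half, insert ff:fe, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def random_iid() -> int:
    """A temporary identifier in the style of RFC 4941: 64 random bits with the u/l bit
    cleared (locally assigned), never accidentally carrying the ff:fe marker."""
    while True:
        iid = secrets.randbits(64) & ~_UL_BIT
        if ((iid >> 24) & 0xFFFF) != _FFFE_MARKER:
            return iid


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & _IID_MASK))


def looks_mac_derived(address: str) -> bool:
    """True if the interface identifier carries the ff:fe marker of modified EUI-64.
    Such addresses keep the same low 64 bits whatever prefix the ISP hands out, so one
    device stays recognisable in logs; a privacy-extension address does not."""
    iid = int(ipaddress.IPv6Address(address)) & _IID_MASK
    return ((iid >> 24) & 0xFFFF) == _FFFE_MARKER


def mac_from_address(address: str):
    """Invert modified EUI-64: recover the MAC, or None if the identifier is not MAC-derived."""
    if not looks_mac_derived(address):
        return None
    b = (int(ipaddress.IPv6Address(address)) & _IID_MASK).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    prefix = "2001:db8::/64"  # constructed sample prefix (documentation range)
    stable = slaac_address(prefix, modified_eui64_iid("00:11:22:33:44:55"))  # constructed MAC
    temp = slaac_address(prefix, random_iid())
    print(stable, looks_mac_derived(str(stable)), mac_from_address(str(stable)))
    print(temp, looks_mac_derived(str(temp)), mac_from_address(str(temp)))
```

`looks_mac_derived` is the check to run over your own address inventory or firewall logs: every address it flags ties a host to a hardware address, while the random identifiers are only attributable to the /64 they sit in, which is the point the comment makes about counting devices.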
Re: (Score:3)
ISPs do not have to provide a
Essentially, chances are you're going to get