Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Networking Stats The Internet IT

How Ready Is IPv6 To Succeed IPv4? 595

New submitter unixisc writes: Over the last 2 years, June 6th had been observed as IPv6 day. The first time, IPv6 connections were turned on by participants just for a day, and last year, it was turned on for good. A year later, how successful is the global transition to IPv6? According to Cisco 6labs, adoption rates vary from 50% in Belgium to 6% in China, with the U.S. coming somewhere in the middle at 37%. A lot of issues around IPv6, such as the absence of NAT, have apparently been resolved (NAPT is now available and recognized by the IETF). So what are the remaining issues holding people up — be it ISPs, businesses, consumers or anybody else? When could we be near a year when we could turn off all IPv4 connectivity worldwide on an IPv6 only day and nobody would notice?
This discussion has been archived. No new comments can be posted.

How Ready Is IPv6 To Succeed IPv4?

Comments Filter:
  • Absence?! (Score:5, Insightful)

    by Denis Lemire ( 27713 ) on Friday June 05, 2015 @07:41PM (#49853563) Homepage

    Absence of NAT is a feature! If not THE feature of IPv6!

    • Re: (Score:2, Informative)

      by BitterOak ( 537666 )

      Absence of NAT is a feature! If not THE feature of IPv6!

      NAT has many benefits besides reducing the number of IP addresses required. It has important security benefits in that it allows one to hide one's internal network structure from the outside world. Without NAT, attackers would know how many systems you have on your network as well as your router deployment. Potential attackers could benefit greatly from this information when planning and launching attacks.

      • Re:Absence?! (Score:5, Insightful)

        by Denis Lemire ( 27713 ) on Friday June 05, 2015 @07:54PM (#49853669) Homepage

        NAT has no security benefits. NAT's sole purpose is address scarcity. Firewalls are for firewalling. NAT is for breaking the pre-IPv6 internet out of necessity.

        My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

        I'll wait.

        • Re:Absence?! (Score:4, Interesting)

          by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday June 05, 2015 @08:25PM (#49853805)

          My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

          Somewhere between 0 and approximately 18,446,744,073,709,551.

          But, as always, the issue isn't hiding and hoping that no one finds you. The issue is how do you protect your systems and networks from people who (in the worst case scenario) already know what your IP address is?

          With NAT they are attacking a single firewall.

          With having all of your systems directly accessible to the Internet, the crackers can attack any and all of them.

          Getting your IP address can be as simple as putting up a web server with some stupid content and having /. link to it.

          • Re:Absence?! (Score:5, Insightful)

            by Denis Lemire ( 27713 ) on Friday June 05, 2015 @08:33PM (#49853847) Homepage

            Without NAT, you're still hitting the stateful firewall and default deny rule at the edge of my network... Most home routers should default to this sort of behaviour.

            The difference is, I can open up as many ports as I need with no limitations. None of this crap with forwarding port 80 to one box and then... Oh, I need another web server... Hmm. 8080? Other random / arbitrarily selected ports? That sucks! It's broken.

            The IPs I'm leaving in web server logs are also throw-away addresses - read up RFC-4961.

            • Re:Absence?! (Score:4, Informative)

              by Anonymous Coward on Friday June 05, 2015 @08:59PM (#49853969)

              Good news! NAT in v6 doesn't do any of that. NAT v6 is moreso about being able to renumber an arbitrary block of address space. So, for example, you can have a private network prefix in the ULA space (fd00::/8) and then map it into the global Unicast space (2000::/3) using one of your available prefixes. If you have to renumber for whatever reason, you can change the NAT and your internal network doesn't need to renumber. The only thing is that you have to sacrifice about 16 bits of address space on both ends for checksum fudging. But it's far better than v4 NAT and it doesn't break the net the same way.

              Also a lot of people use "NAT" to mean "stateful firewall". I personally consider the distinction, from a security standpoint, to be pedantic - they both break the net from a purist perspective.

              • When people talk about 'breaking end to end connectivity', what do they mean? Do they simply mean an uninterrupted path from the source address to the destination address, as specified in the IP header?

                The way I understand it, end to end connectivity means that the packet should travel directly from the source address to the destination address without having its address headers altered. It is fine for it to travel through a gate, a firewall inspect whether its source address has a pass or not, and th

            • Re: (Score:3, Insightful)

              by khasim ( 1285 )

              The IPs I'm leaving in web server logs are also throw-away addresses - read up RFC-4961.

              You may be referencing the wrong RFC. That is more about port numbers than different IP addresses. The IP address of your machine should still be showing up in /.'s logs.

              Without NAT, you're still hitting the stateful firewall and default deny rule at the edge of my network... Most home routers should default to this sort of behaviour.

              Either that breaks most of the functionality of IPv6 or it entails a lot more effort and

              • Re:Absence?! (Score:5, Informative)

                by Denis Lemire ( 27713 ) on Friday June 05, 2015 @09:15PM (#49854023) Homepage

                Sorry, RFC-4941. Fat fingers. ...and I don't think we should design the internet with the most basic web surfing home user in mind. IPv6 will support everyones needs. IPv4 supports only the most trivial.

                • by khasim ( 1285 )

                  Let me quote part of that RFC for you.

                  By default, generate a set of addresses from the same (randomized) interface identifier, one address for each prefix for which a global address has been generated via stateless address autoconfiguration.

                  Parsing that shouldn't be a problem for anyone with a CCNA or equivalent experience. But there are going to be problems when the average user is trying to set up his home router.

                  Fat fingers. ...and I don't think we should design the internet with the most basic web surfi

                  • Re:Absence?! (Score:4, Informative)

                    by WaffleMonster ( 969671 ) on Friday June 05, 2015 @10:05PM (#49854217)

                    With a current home router and IPv4 + "NAT" the average home user can handle everything they know about today. Without having to learn anything new.

                    Are there any home routers with IPv6 support that don't come default out of the box with functionally same security policy implemented as SPI?

                    Most of them run Linux and same connection tracking code that make IPv4 NAT work is available for IPv6.

                  • With a current home router and IPv4 + "NAT" the average home user can handle everything they know about today. Without having to learn anything new.

                    That is disingenuous at best. The only reason IPv4+NAT works for home users is due to an incredible amount of fuckarounds like UPNP and magic in the establishment of peer-to-peer connections via a 3rd party, often implemented with questionable security practices

                    Developers do a LOT of work to make IPv4+NAT work for end users. You're just passing the load onto someone else.

              • by Skapare ( 16644 )
                so how do i hide how many different users here visited a popular website? how can i make ALL outgoing connections have the same source address in IPv6?
                • Dunno about #1. But #2 - one way would be to set things up in DHCP6, and define the range of your pool as exactly a single address. (Beats me why you would want to do that - when you have transient addresses go out - equivalent of dynamic addresses in IPv4, there is no way of telling how many actual boxes you have in your network, regardless of how many addresses get used)
          • Re:Absence?! (Score:4, Informative)

            by Bengie ( 1121981 ) on Friday June 05, 2015 @10:00PM (#49854189)
            Depending n the random NAT implementation your firewall has, there may be some really strange quirks that allow an outside computer to gain access to your internal network. It has happened more than once. NAT is a bandaid that ads complexity to the system and mixes multiple OSI layers. Not to mention in IPv6 IPSEC, everything above layer 3 is encrypted, so the firewall doesn't even know what ports are being used or if the traffic is TCP, UDP, or ICMP. Good luck natting that.
          • My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

            Somewhere between 0 and approximately 18,446,744,073,709,551.

            But, as always, the issue isn't hiding and hoping that no one finds you. The issue is how do you protect your systems and networks from people who (in the worst case scenario) already know what your IP address is?

            With NAT they are attacking a single firewall.

            With having all of your systems directly accessible to the Internet, the crackers can attack any and all of them.

            Getting your IP address can be as simple as putting up a web server with some stupid content and having /. link to it.

            Yeah, so you think that you can't attack end hosts directly just because they're sitting behind a NAT?

            It's perfectly possible to craft malicious packets and send them past the NAT to the desired end host. The NAT device will happily translate evil packets just as easily as the non-evil variants.

            Do not mistake the protection that a stateful firewall provides as protection provided by NAT.

        • Re:Absence?! (Score:4, Interesting)

          by ArchieBunker ( 132337 ) on Friday June 05, 2015 @08:42PM (#49853901) Homepage

          I keep hearing this argument against NAT but somehow everything right now is running fine. What exactly is broken?

          • Re:Absence?! (Score:5, Informative)

            by Denis Lemire ( 27713 ) on Friday June 05, 2015 @08:48PM (#49853927) Homepage

            Right now - quite a bit - there are all sorts of mechanism that have to be worked around. Every spend any time troubleshooting SIP? Do you know why nobody does direct media?

            Ever wonder why file transfers in instant messaging apps either work intermittently or perform slowly?

            Ever see the layers of complexity we've built to do our best to work around such issues: STUN, UPNP, NAT-PT, ICE, ALGs... It's layers upon layers of cruft. ...and we haven't even gotten to the real horror of so called "carrier-grade" NAT yet... Eg) NAT behind NAT.

            The prospects are awful.

            The fact anything works at all is a testament to... something... ...but it is not a solid solution. It was a stop-gap measure that should have been discarded long away.

            • And yet I can watch kitty cats on YouTube®.

              • Re: Absence?! (Score:5, Insightful)

                by Denis Lemire ( 27713 ) on Friday June 05, 2015 @09:47PM (#49854143) Homepage

                Yes, the WEB works GREAT... I also use THE REST OF THE INTERNET.

          • Re:Absence?! (Score:4, Insightful)

            by bigfinger76 ( 2923613 ) on Friday June 05, 2015 @08:54PM (#49853955)
            We're running out of IPv4 addresses, that's what's broken. You keep hearing these arguments because the adults are talking. No one is saying that NAT is broken, just that IPv6 does away with it, and those that do not understand firewalls feel vulnerable.
            • by Kr1ll1n ( 579971 )

              The problem is, you aren't going to encourage widespread adoption on the enterprise level by telling them that the structure of their networks, which have worked for nearly decades at this point, must change.

              Now they need to hire some firewall gurus, some routing gurus, and some LAN\WAN gurus, where in the past, all of those may not have been necessary.
              Go into any small/medium/large/enterprise business, and you will see NAT in perpetuity. Very few companies have v4 subnets large enough to where they do not

            • NAT was a direct response to address constraints. If it wasn't broken CGN would be the way forward.

            • ... and those that do not understand firewalls feel vulnerable.

              In other words, 99% of the population of any country.

        • Re: (Score:3, Informative)

          by rseuhs ( 322520 )
          NAT has no security benefits.

          Just because that is repeated ad-nauseam doesn't make it true.

          Of course NAT has security benefits: It acts basically as a "one-way" firewall, which is exactly what most people that don't run a server at home need.

          Of course you could configure a IPv6-firewall the same way, but that would take several days and who has time for that?

        • by Tyr07 ( 2300912 )

          There are reasons other than system crackers that you would want people to not know specifically which terminal a request came from and use nat.

          Security through obfuscation. It's not something you compare to a firewall. It's not all about probing your networks, it's about the connections your networks make outbound as well.

          The more transparent your connections are, the more information people can gather for social manipulation / hacks even. I'm not going to go into details so don't ask

          Just something you sho

      • Absence of NAT is a feature! If not THE feature of IPv6!

        NAT has many benefits besides reducing the number of IP addresses required. It has important security benefits in that it allows one to hide one's internal network structure from the outside world. Without NAT, attackers would know how many systems you have on your network as well as your router deployment. Potential attackers could benefit greatly from this information when planning and launching attacks.

        Routing and firewalling are the appropriate methods of hiding ones internal network structure, not NAT.

        If you use NAT for this then you are doing it wrong.

      • Absence of NAT is a feature! If not THE feature of IPv6!

        NAT has many benefits besides reducing the number of IP addresses required. It has important security benefits in that it allows one to hide one's internal network structure from the outside world. Without NAT, attackers would know how many systems you have on your network as well as your router deployment. Potential attackers could benefit greatly from this information when planning and launching attacks.

        Submitter here!

        The 'NAT' that IPv6 has is NAPT. It has the benefits you describe, but it is a 1:1 relationship b/w the public addresses and the private ones. So it does nothing in the department of reducing the number of required public addresses. Not that it would be required - no subnet would ever come even close to consuming 2^64 addresses. (And no, it's not the same as 640k being enough for everyone!)

    • Absence of NAT is a feature! If not THE feature of IPv6!

      NAPT does have one more advantage - load balancing. Your internal network is numbered w/ ULAs - fd00:/8, and those get mapped to the different subnets you get from different providers.

    • Absence of NAT is a feature! If not THE feature of IPv6!

      PFFFFFT! Absence of NAT was INTENDED as a feature, but that has a huge list of unwanted side-effects. Not everybody wants (and for some extremely good damned reasons) all the machines in their internal network being resolved by, say, Google. Just for one of the MINOR examples.

      NAPT is a welcome addition, and IPV6 probably won't be very popular until that makes it into commonly-used router firmware.

  • by swschrad ( 312009 ) on Friday June 05, 2015 @07:42PM (#49853575) Homepage Journal

    seriously, as long as it goes end to end, and I don't have to set it up, I don't care which method goes.

  • It is rumoured that when an African country changed the road rules from driving on the left to driving on the right, the Minister for Transport was asked when this change was going to take place, he replied "Gradually"

    Now with IPv6 being around (I believe that Facebook has gone completely IPv6 internally) why are we still on IPv4? Because we can get everything on the Internet by staying on IPv4.

    If that wasn't the case, people would demand IPv6 and countries would transition virtually overnight.

  • Here in Canada Shaw communications doesn't make IPv6 available to residential customers. To compensate I have been using Hurricane Electric IPv6 tunnel for a few years now.
    • My source of sadness for years. I whine about this regularly. I know of no Canadian ISP doing proper native IPv6... Instead I have to rely on tunnels.

      I was chatting with TekSavvy but they only provide a single /64 - I would like more than one subnet.

      They're also only doing it no their DSL services which are substantially slower than I can get from Shaw.

      It seems my only option is to hurry up and wait longer.

      • by Mashiki ( 184564 )

        I'm on teksavvy as well, but on cable. So no IPv6 for me, people keep saying that rogers is working on it, my guess? Sometime around 2020 rogers will have rolled out IPv6 for general use, even though my 3 year old modem supports it.

        • I'm actually at the point where I sadly suspect I'll see IPv6 over LTE on my mobile devices before I see it at home via my ISP.

  • Never. IPv6 would have to be demonstrably better *everywhere*, even in un-upgradable legacy embedded systems. (Even now, there are plenty of places where horses and donkeys are used because cars can't go or are impractical.)

    Even the answer to the question when will IPv4 become obsolete? is "A long, *long* time from now" because it's simple, Just Works, and is pervasive.

    (If there was no NAT or unroutable IP ranges like 10/8 then IPv6 uptake would have happened a lot sooner.)

  • I don't think I will live long enough (I'm 55) to see this happen. SMTP is poorly designed from a modern security standpoint with spammers running amok for years now without a decent solution in sight. Can't get rid of it because so many use it. IPV4 replacement will be much harder.

    • I think most people don't see spam anymore because of high-quality spam filters. At least, among technical people who would care enough to fix the problem.
    • by rwa2 ( 4391 ) *

      meanwhile, Millennials shun email because "it's for old people".

      I sorta see email dying out (not completely, but like USENET) and being gradually replaced with secure webmail and IM islands, like what healthcarw providers and some banks do to communicate with their customers. All it needs is some kind of API access through an auth broker...

  • by Anonymous Coward

    Remember when Intel pushed IA64 for years and years with little success? Then AMD rolled out x86_64 and it spread like wildfire. Intel has been making "AMD clones" ever since.

    You know how many parts of the world have skipped deploying millions of miles of phone wire and jumped straight to cell towers?

    You know how everyone said they couldn't switch to Linux because they were familiar with Windows? Then MS rolled out a new Windows with a drastically different UX, and everyone jumped on it? Or how OpenOffice i

    • by Ash-Fox ( 726320 )

      IPv6 is not backwards compatible with IPv4.

      Yes it is, there are numerous methods supported through IPv6 for NATing to IPv4 addresses transparently just fine.

    • Point is not compatibility - it's inter-operability - and IPv6 and IPv4 are very much inter-operable, given all the transition mechanisms that exist to support one over the other. Be it tunneling, dual stack, DS-lite, Teredo or whatever. With IP, what matters is that a packet from point A in the world gets to point B. How it gets there is immaterial

      The analogy you use above misses the point that packets are agnostic about how they are transported. That's not the case w/ software, which is why Itanic b

  • Comcast and CenturyLink are the only two viable players in my area and neither provide native IPv6 addressing (even though I've requested it from my current provider comcast many times). So I'm still forced to use the he.net tunnel that I setup 15 years ago or so when they first started offering them (after 6bone closed up shop because testing was through), and even with this, I'm forced to disable auto provisioning of IPv6 addresses because various problems with access to IPv6 web pages / services, etc.. W

    • Comcast and CenturyLink are the only two viable players in my area

      Yeah, it's your area, not mine. I totally bitch about Comcast on the tv side, but the internet side is pretty kicking:

      % ping6 google.com
      PING6(56=40+8+8 bytes) 2601:982:zzzz:xxxx::yyy --> 2607:f8b0:4004:80d::200e
      16 bytes from 2607:f8b0:4004:80d::200e, icmp_seq=0 hlim=53 time=295.256 ms
      16 bytes from 2607:f8b0:4004:80d::200e, icmp_seq=1 hlim=53 time=32.454 ms
      16 bytes from 2607:f8b0:4004:80d::200e, icmp_seq=2 hlim=53 time=35.679 ms
      16 bytes from 2607:f8b0:4004:80d::200e, icmp_seq=3 hlim=53 time=28.495 ms
      16 b

  • As long as consumer ISPs aren't enabling IPv6, it's a catch-22-22: services won't switch until there's demand for it, consumers can't demand it because it doesn't work for them, and ISPs won't spend the money to get it working because there's no services that require IPv6 that consumers are threatening to quit over.

    Windows 7 and up, Mac and Linux are all ready today. Most consumer routers are ready (seeing as how they're mostly based on DD-WRT) and just need a checkbox checked, same for most of the WiFi rou

  • I have Gig Fiber coming into my research lab with a /24 subnet of IPv4. We assigned about 100 IP's right off the bat (mostly tunnels to other labs and remote access for outside researchers), we added another 12 or so this last year for new people/projects. So with 140 (give or take) IPv4 IP's left, why would I bother changing to IPv6.

    IPv6 adds NO additional useful features to our network, none. Yet would add some expense in switching over (our firewalls are PFSense, so they're ready for IPv6 if there's ev

  • IPv6 is two better than IPv4, but I'm still holding out for IPvX.

  • My smart phone has had an IPv6 address since I bought it a couple of years ago. Cell companies had to go that way to get enough addresses to handle the move to smartphones.
  • IPv6 (Score:4, Interesting)

    by ZenDragon ( 1205104 ) on Friday June 05, 2015 @09:24PM (#49854053)
    Honestly, the only reason I haven't switched to IPv6 on my internal network is because I cant remember the damn IPv6 addresses. O_o
  • Charter.com is my IP and IPv6 is only mentioned to say it's not enabled..The decoder boxes (what their cat 5 plugs into) if you access them IPv6 isn't even an option. It would require a major undertaking to change out all of the boxes, they just aren't IPv6 ready. The boxes are programmable to a point through support services, but I wouldn't think IPv6 an easy update, or even possible due to the limited storage space available.

    • No one is IPv6 ready. Out of hte last 10 companies I dealt with professionally, only one had an IPv6 for anything, and it was only for AWS hosted load balancers.

  • by Morgaine ( 4316 ) on Friday June 05, 2015 @09:39PM (#49854097)

    The official "switch-on for good" of IPv6 a year ago was entirely seemless in my experience. There wasn't anything to fix, as nothing was broken, and IPv6 autoconfiguration handles everything so there isn't even any setup involved, it just works. This simplicity will be a boon for non-technical users once the IPv6 rollouts gain steam.

    Unfortunately the ISPs are still dragging their feet and so public rollout is slow, but it's an always upward trend, and the adoption curve is close to exponential so IPv6 will be ubiquitous before long. So many ISPs are currently planning their rollouts that there's going to be a sudden upsurge when they finally appear.

    People shouldn't talk about switchover to IPv6 though, that's not how it works. IPv4 and IPv6 networks run together side by side, and you use both together. Your application (eg. browser) generally picks IPv6 if your destination is accessible on that network, or else it falls back to IPv4. This is all automatic of course. It's better described as a switch on of IPv6 by your ISP followed by your gradual increasing use, not a switchover. There is no plan to switch off IPv4. The last remnants of IPv4-only equipment could still be around and operational for decades ahead.

    IPv6 works so well that I recommend everyone to get on it as soon as they can. You'll be able to see 100% of the Internet, whereas if you don't have IPv6 then you're only seeing a part of it. IPv4 is by far the larger part for now of course, but it's not all of it, and the parts you can't reach are growing daily.

    Happy First Anniversary of the official turn-on, IPv6! :-)

  • by Sevalecan ( 1070490 ) on Friday June 05, 2015 @11:55PM (#49854569)

    How ready is Perl 6 to succeed Perl 5?

    I was just trying to be facetious with that comment, but then I thought of asking "How ready is C++ to succeed C?" or other silly things. As someone who programs in C++, I see little reason to use pure C, yet people do. When using Python, I use Python 3 and see little reason to use python 2.7, yet people do. People just don't like change, and they often won't do it unless absolutely forced to. Others here have already made this point, but the whole world isn't going to switch to pure IPv6 without some incentive, to practically force them to do it, it seems.

    Recap: It's not a question of how ready IPv6 is to succeed IPv4, it's a question of how ready people are to adopt IPv6, at the ISP and consumer level. Services will follow when there's a demand, as someone else also noted.

  • Why IPv6 is broken (Score:5, Insightful)

    by rseuhs ( 322520 ) on Saturday June 06, 2015 @02:05AM (#49854909)
    IPv6 is broken because it is incompatible.

    To illustrate, let's look at phone numbers.

    Imagine a phone company with 6 digit numbers which wants to give users world-accessible phone-numbers. What did the phone companies do? Easy: Just add prefixes to the numbers and everybody is happy. The old numbers stay valid, you can still connect within the old network(s), nobody has to remember new numbers.

    But what if phone-numbers would have been expanded the "IPv6-way"?

    Then you would have your old number and would receive a completely different new number, which would also be in an incompatible format (maybe letters instead of digits). Then you would have to update all your phone numbers everywhere, to "switch over". of course such a scheme would fail instantly and that's why IPv6 continues to fail.

    The IPv6 adherents just don't get it. If the IPv6-designers were smart enough to just extend the IPv4-address space we would all be running IPv6 already, because it would require no reconfiguration of routers, no reconfiguration of DNS names, no reconfiguration of anything.

    But these morons thought that a billion people will just change all their addresses just because they tell them. Well, it doesn't work that way.

My idea of roughing it is when room service is late.

Working...