IPv6 Turns 20, Reaches 10 Percent Deployment (arstechnica.com)
An anonymous reader writes: Ars notes that the RFC for IPv6 was published just over 20 years ago, and the protocol has finally reached the 10% deployment milestone. This is an increase from ~6% a year ago. (The percentage of users varies over time, peaking on the weekends when most people are at home instead of work.) "If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."
"A decade or so ago, it was still quite common for people to complain about certain IPv6 features, and proclaim the protocol would never catch on. Although part of that can be blamed on the conservative nature of network administrators, it's true that adopting IPv6 requires abandoning some long standing IPv4 practices. For instance, with IPv4, it's common to use Network Address Translation (NAT) so multiple devices can share the use on an IPv4 address. IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6. The Internet is probably better off without NAT and the complications that it adds, but without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject."
what (Score:4, Informative)
without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.
What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?
Re:what (Score:4, Interesting)
What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?
Yes, but we all know that there is a metric shitload of routers out there that have nothing but NAT defending their "internal" networks. Turn on IPV6 and those internal networks are simply open to the world.
Now, I am not saying we shouldn't go there, but the scope of "doing it right" is almost immeasurable. IMO, it is that which is the single largest barrier to widespread adoption of IPV6.
Re:what (Score:5, Informative)
Re: (Score:3)
My Asus router supports IPv6. The IPv6 firewall is configured by default to reject all incoming connections. Done.
Re: (Score:2)
Show me a router that defaults to NAT for IPv4 and does not default to allowing nothing inbound IPv6. Now is it commonly used?
I've yet to see any, it's not really any harder to run the state machine for NAT than IPv4 or IPv6 connected (ok some more bits). IPv6 has some required-to-work bits but that's pretty tame as far as security.
Now I've seen some badly made IPv6 stacks as to ddos/port scanning but that's on network gear that frankly had IPv6 as a checkbox not a feature (Ya know those IPv6 in software L3 s
Re: (Score:2)
Pretty much every device with IPv6 has privacy extensions by default. On many it cannot be turned off.
I'm struggling with the opposite problem - it's much harder to stop OUTBOUND connections using IPv6 from particular machines. INBOUND really isn't a problem as the only static IPv6 addresses you expose are those that you want people to use.
The vast majority of people don't selectively block outbound connections so it's a non-issue for them.
Re: (Score:3)
Source address: the device you don't trust.
And there's the problem. If you have multiple devices with privacy extensions then you cannot filter by source [IP] address.
On a home network it's usually trivial to filter by MAC address instead but once there are multiple routers before the egress firewall then that won't work.
Re: (Score:2)
This isn't true though, since address randomisation [ietf.org] arguably makes you expose less information since individual hosts will change their IP address at some random interval. This will make it pretty hard to figure out if the packet you received an hour ago was from the same host as the one just now.
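To make concrete what "privacy extensions" change, here is an added example (not code from any poster above): how SLAAC builds an interface identifier from the MAC with modified EUI-64, why that leaks the MAC and vendor OUI to anyone who sees the address, and what an RFC 4941-style random identifier looks like instead. It also shows the filtering trick the thread hints at: match the host's /64 rather than the rotating address. The MAC and prefixes are made up.

```python
"""Added example: EUI-64 vs temporary (privacy) interface identifiers.
MAC addresses and prefixes below are made up for the demonstration."""
import ipaddress
import os
from typing import Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID (RFC 4291, Appendix A): OUI | ff:fe | NIC, with the
    universal/local bit (0x02 in the first octet) inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def mac_from_iid(iid: int) -> Optional[str]:
    """Reverse the derivation: an EUI-64 IID gives away the MAC and so the vendor."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None  # not EUI-64 shaped: a temporary/random IID or a hand-picked one
    mac = bytearray(b[:3] + b[5:])
    mac[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in mac)


def temporary_iid(randbytes=os.urandom) -> int:
    """RFC 4941-style temporary IID: 64 random bits with the u/l bit cleared so it
    can never be mistaken for a hardware-derived, globally unique identifier."""
    b = bytearray(randbytes(8))
    b[0] &= 0xFD  # clear the 0x02 bit
    return int.from_bytes(b, "big")


def make_address(prefix: str, iid: int) -> str:
    """Combine a /64 prefix (from the RA) with an interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC and privacy addresses live in a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def same_subnet(addr: str, prefix: str) -> bool:
    """Egress filtering that survives privacy extensions: match the host's /64,
    not the full (rotating) address."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    iid = eui64_iid("00:1a:2b:3c:4d:5e")
    print("EUI-64 address:   ", make_address("2001:db8:1::/64", iid))
    print("MAC recovered:    ", mac_from_iid(iid))
    tmp = temporary_iid()
    print("temporary address:", make_address("2001:db8:1::/64", tmp))
    print("MAC recovered:    ", mac_from_iid(tmp))
```

The usual caveat applies: with temporary addresses, per-host egress rules keyed on the full address stop working, but anything keyed on the /64 (or, on a single segment, the MAC) still does.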
Re: (Score:2)
address staging (Score:2)
Re:what (Score:4, Interesting)
What do you mean IPv6 messed with things? What you're describing is simply the ending of the aberration that is masquerade-mode NAT and the return to the way IPv4 networks operated for most of their existence. Masquerade-mode NAT was a nasty, awkward kludge to normal routing created to work around the refusal of the DSL and cable ISPs to offer more than a single IP address to a subscriber at a time when subscribers were starting to have multiple computers in their households. Up until that point computers on IPv4 networks were directly connected to the Internet with their IP address visible to the world. That's how I used to run servers on dial-up lines, no router involved (at least on my end). All you have to do to protect your IPv6 networks is set up the equivalent to a standard IPv4 firewall. Like IPv4 you have to pay attention to what ports are allowed inbound to which hosts, but that's nothing new and IPv6 gives you more tools to help segregate desired inbound connections from unwanted ones.
Then again, I suppose most people these days haven't written firewall rules or even thought about them, masquerade-mode NAT hid the issues by terminating all non-ESTABLISHED non-RELATED traffic on the router's WAN port and the router didn't have any services except DHCP and DNS listening on the WAN side. Well, it wasn't supposed to anyway, but turns out quite a few did have things listening and those things had pretty much crap authentication so attackers could pretty much walk straight on through without breaking stride. Hence why I prefer explicit firewall rules where I know the packets are going down a black hole before anything that might be listening can even see them.
Re: (Score:2)
As always, there is no reason you can't already do that in IPv4. Heck, you won't even need ULAs - link local addresses will be sufficient. In fact, link local addresses almost enable you to replace layer 2 connectivity w/ layer 3 connectivity.
Configuration of IPv6 devices is not much different from that of IPv4 devices, whether you're using IPtables or PF.
Re: (Score:3)
What configuration on the host? All configuration would be done on the router, since the last rule on the WAN IN ruleset would be to drop everything. The first rule would be to allow ESTABLISHED and RELATED traffic so the return for outbound connections works properly (assuming you want it to work, if not then just omit that rule). After that nothing outside your network's going to be able to connect inbound to your hosts unless you add rules to the middle of the WAN IN ruleset specifying exactly what you w
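The two posts above describe the ruleset in words (ESTABLISHED/RELATED first, explicit services in the middle, drop last). Here is an added example, not any router's firmware or vendor ruleset, that models that WAN IN chain and adds the one thing IPv4 habits tend to forget: the ICMPv6 that IPv6 cannot work without (errors such as Packet Too Big, and Neighbor Discovery, which is only genuine with hop limit 255). Packets, addresses and flows are constructed for the demonstration.

```python
"""Added example: a model of the IPv6 WAN IN policy described above.
Addresses and packets are constructed; this is not any product's code."""
from dataclasses import dataclass

# ICMPv6 types a stateful border filter must let in (RFC 4890 guidance):
ICMPV6_ERRORS = {1, 2, 3, 4}            # unreachable, packet too big, time exceeded, param problem
ICMPV6_NDP = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, redirect (link-local only)
ICMPV6_ECHO_REPLY = 129


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    hop_limit: int = 64


class Ipv6BorderFilter:
    def __init__(self, inbound_services=()):
        # connection table: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()
        # explicit exceptions in the middle of the chain: (proto, inside_ip, port)
        self.inbound_services = set(inbound_services)

    def outbound(self, p: Packet) -> bool:
        """LAN -> WAN: allowed, and remembered so the reply matches ESTABLISHED."""
        if p.proto in ("tcp", "udp"):
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        """WAN -> LAN, evaluated in rule order; True = accept, False = drop."""
        # Rule 1: ESTABLISHED/RELATED. A reply's 5-tuple mirrors the one we recorded.
        if p.proto in ("tcp", "udp"):
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return True
        elif p.proto == "icmpv6":
            # Errors are RELATED to something we sent; dropping type 2 breaks path MTU
            # discovery. (Real conntrack also checks the embedded original header.)
            if p.icmp_type in ICMPV6_ERRORS or p.icmp_type == ICMPV6_ECHO_REPLY:
                return True
            # Neighbor Discovery is never forwarded by a router, so a genuine message
            # still carries hop limit 255 (RFC 4861); anything else claiming to be ND is bogus.
            if p.icmp_type in ICMPV6_NDP and p.hop_limit == 255:
                return True
            return False
        # Rules 2..n: the services you deliberately expose.
        if (p.proto, p.dst, p.dport) in self.inbound_services:
            return True
        # Last rule: drop everything else.
        return False


def demo() -> dict:
    """Run a constructed scenario and return the per-packet verdicts."""
    fw = Ipv6BorderFilter(inbound_services={("tcp", "2001:db8:1::80", 443)})
    fw.outbound(Packet("2001:db8:1::10", "2001:db8:ffff::5", "tcp", 51000, 443))
    return {
        "https_reply": fw.inbound(Packet("2001:db8:ffff::5", "2001:db8:1::10", "tcp", 443, 51000)),
        "unsolicited_ssh": fw.inbound(Packet("2001:db8:ffff::5", "2001:db8:1::10", "tcp", 40000, 22)),
        "packet_too_big": fw.inbound(Packet("2001:db8:ffff::5", "2001:db8:1::10", "icmpv6", icmp_type=2)),
        "nd_from_link": fw.inbound(Packet("fe80::1", "ff02::1:ff00:10", "icmpv6", icmp_type=135, hop_limit=255)),
        "nd_forwarded": fw.inbound(Packet("2001:db8:ffff::5", "2001:db8:1::10", "icmpv6", icmp_type=135, hop_limit=64)),
        "published_web": fw.inbound(Packet("2001:db8:ffff::5", "2001:db8:1::80", "tcp", 40001, 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {'ACCEPT' if verdict else 'DROP'}")
```

In nftables the same chain reads, in order, `ct state established,related accept`, an `icmpv6 type { ... } accept` for the error and ND types (optionally with `ip6 hoplimit 255` on the ND ones), your explicit service rules, then `drop`. A filter that skips the ICMPv6 line "works" for a while and then fails mysteriously on large transfers, which is exactly the kind of breakage that gets blamed on IPv6 itself.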
Re: (Score:3)
allow an internal host to transit your firewall outbound, you have exposed more than just the router's IP, but internal network information too. This means that an attacker now knows something they didn't before.
I see this argument from time to time. I don't buy it. While I don't recommend internal address disclosure for IPv4 gateway-ed networks, I would never make it more than a LOW finding on a security report. Why? Because you can't do anything with that information unless you compromise an internal host. If you compromise an internal host it's almost always trivial to figure out what addresses are in use internally. Even with the least privileged web shell you can usually get the adapter information off th
Re: (Score:2)
without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.
What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?
Sounds simple enough.... Of course, nothing is really as simple as it first seems.... Good first step though.
While I get people's reluctance to adopt IPV6 and having their local networks become immediately routable and thus externally addressable, there is a bit more to this "security" thing when switching IP versions than just dropping inbound connections. The problem stems from the fact that when you go full on IPV6 and allow an internal host to transit your firewall outbound, you have exposed more than just the router's IP, but internal network information too. This means that an attacker now knows something they didn't before. It's true that this knowledge doesn't give them any special access if your router is working properly, but it does mean that if the router doesn't always do the right thing, they will have an easier time attacking your internal network.
Not that there are no solutions to this issue out there or that one cannot still protect their internal networks, only that such protection needs to be thought about in somewhat different terms and perspectives. IPV6 messed with more than just the number of bits in the IP address, but messed with the fundamentals of how traffic gets routed. It made a lot of things easier, faster and cheaper, but it also had impacts on network security considerations that I'm not sure we fully understand even after this long.
In addition to everything others have said above, there is also the fact that a device can have MULTIPLE IPv6 addresses of different networks. There is your link local address (fe80::/10), your unique local address (fd00::/7) and your global unicast address (2001::/64). Within your global unicast address, you can, using DHCPv6, assign different addresses to different services - something for a web server if you happen to host one, something for an email or ftp server, and so on, and you can even assign a
Re: (Score:2)
The IPv6 address space is so huge that bulk scanning is simply not practical
My concern isn't so much scanning as clients giving away a unique identifier, where they formerly with IPv4 NAT had a shared identifier. I.e. a privacy concern more than a security concern, but a concern nevertheless.
Randomized IP addresses help combat that, but do not play nice with DNS or other caching.
Re: (Score:3)
Is there something about IPv6 that precludes the implementation of NAT?
IPv4 never "had" NAT, either, AFAIK. It was a kludge tacked onto routers and firewalls as world+dog got Internet access and ISPs only handed out /24s and ultimately /30s.
I worked at a site that had a direct /22 assignment dating to the very early 90s and we never bothered with it until the local network outstripped the useful life of the /22 and then we tacked on RFC1918 blocks for new segments, but kept using the /22 space for servers
Re: (Score:2)
Is there something about IPv6 that precludes the implementation of NAT?
Check out RFC 6296 [ietf.org]
Re: (Score:2)
If you try it then a mob of angry engineers come to reeducate you with blunt instruments.
Re: (Score:2)
Is this fear particularly justified with IPv6? With IPv4, the sheer lack of address space makes it virtually essential. Since there is an abundance of available addresses in IPv6, it seems more likely to me that something like NAT would only be used when the specific characteristics that NAT offers might be desired, that cannot generally be achieved by a firewall alone, specifically, the way
Re: (Score:2, Insightful)
Well, for many of us, the notion that everything has a unique address which can be known by anybody else seems idiotic.
Using internal 192.168.*.*, or the entire class A of 10.*.*.* means my internal IP address is not your damned business. It's an un-routable address to anything else. Which means in a lot of ways it's invisible -- you have no way of knowing the IP address of a given machine, and even if you did it wouldn't do you any good because there's no way to get there.
If you don't know information ab
Re:what (Score:5, Informative)
Re: (Score:2, Insightful)
Even if you have a public IPv6 network, the sheer size of the subnet of 64 bits means that it'd take forever to figure out how many devices you have on it, and what are their addresses before any rogue scanner out there can do squat. And by that time, under privacy extensions, or even under a DHCPv6 setup, those would have changed. The only unchanged addresses would be that of any servers that you happen to have, and well, that doesn't change in IPv4 either.
So what was it again in IPv4 that gives you
Re: (Score:2)
There's an easy fix for those who trust nobody and nothing: Unplug from the Internet.
NAT (Score:2)
Those who think NAT is such a great idea... have you had to support VPN tunnels between networks with overlapping private subnets? It gets messy fast.
Universally unique addressing is a GOOD thing. For those concerned about the security of private networks, well, you have to know what you're doing. And even with ipv4 a lot of internal addresses leak out anyway. (Look at SMTP envelopes for one).
Private addresses for VPNs (Score:2)
Re: (Score:2)
Yep, but for that you need ipv6 anyway. Which doesn't help the "ipv4 is fine 'cause we have NAT" folks.
Re: (Score:2)
Well, for many of us, the notion that everything has a unique address which can be known by anybody else seems idiotic.
Having an outside entity know any information about your hosts and their IP addresses is just another vector to glean information and possibly act on it. You can't target a specific machine if you have no information about it from outside the firewall.
This is confusing because the word "NAT" is paraded around like "Cloud" in a mostly context free environment.
When people say don't use NAT what I assume they are actually referring to is many to one mappings where a single IP address is multiplexed and ALGs are required to make naive assumptions about state management.
The most public example of this is Linux netfilter guys saying in no uncertain terms NO to IPv6 NAT yet there are still map targets where IPv6 addresses can be mapped 1:1 across to other addre
Re: (Score:2)
without NAT as a first but relatively porous line of defense against random packets coming in from the open Internet, it's necessary to be much more deliberate about which types of packets to accept and which to reject.
What? If you want the same 'security' as NAT, can't you just set the firewall to reject all incoming connections?
Yes.
Re:what (Score:5, Informative)
The summary seems to imply that there is no supported NAT in IPv6. Au contraire, the IETF did specifically define a NAT standard for IPv6 - it's called NAPT. It has the same concepts as IPv4 NAT - translating a public address to a private one (granted, there are more categories of the latter in IPv6). Only thing different is that it's a 1:1 address mapping here, as opposed to a 1:many address mapping in IPv4. Which saves the agony of Port Address Translation and there being fewer ports for other applications that NEED it.
But if someone wants to have something handy for load balancing, NAPT can be used. I'm not sure of what the defined multi-homing mechanism is in IPv6, and whether it necessitates the use of NAPT or not
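Since RFC 6296 is cited above and the "1:1 address mapping" is what the previous post is describing, here is an added example (not the RFC's reference code nor any vendor's) of what that translation actually does for a /48 internal prefix mapped to a /48 external one. The interesting property is that the rewrite is checksum-neutral: the one's complement sum of the address is preserved by adjusting the subnet hextet, so TCP, UDP and ICMPv6 pseudo-header checksums need no rewriting and the translator keeps no state. Prefixes and addresses are made up.

```python
"""Added example: RFC 6296-style checksum-neutral prefix translation (NPTv6),
/48 <-> /48 case only. Prefixes and addresses are made up."""
import ipaddress


def ones_complement_sum(values) -> int:
    total = 0
    for v in values:
        total += v
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return total


def hextets(addr: ipaddress.IPv6Address) -> list:
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_hextets(words) -> ipaddress.IPv6Address:
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


class NPTv6:
    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example implements the /48 case only")
        i = ones_complement_sum(hextets(self.internal.network_address)[:3])
        e = ones_complement_sum(hextets(self.external.network_address)[:3])
        # One's complement difference of the prefixes. Adding it to hextet 3
        # (bits 48..63) keeps the address's one's complement sum, and therefore
        # every transport pseudo-header checksum, unchanged.
        self.adjust_out = ones_complement_sum([i, (~e) & 0xFFFF])  # internal - external
        self.adjust_in = ones_complement_sum([e, (~i) & 0xFFFF])   # external - internal

    @staticmethod
    def _rewrite(addr, new_prefix, adjust):
        w = hextets(addr)
        if w[3] == 0xFFFF:
            # 0xFFFF and 0x0000 are the same one's complement value, so this
            # subnet cannot be translated unambiguously; refuse rather than guess.
            raise ValueError("subnet hextet 0xffff is not usable with NPTv6")
        w[:3] = hextets(new_prefix.network_address)[:3]
        w[3] = ones_complement_sum([w[3], adjust])
        if w[3] == 0xFFFF:
            w[3] = 0x0000  # same one's complement value; write the canonical form
        return from_hextets(w)

    def outbound(self, src: str) -> str:
        addr = ipaddress.IPv6Address(src)
        if addr not in self.internal:
            raise ValueError("source is not in the internal prefix")
        return str(self._rewrite(addr, self.external, self.adjust_out))

    def inbound(self, dst: str) -> str:
        addr = ipaddress.IPv6Address(dst)
        if addr not in self.external:
            raise ValueError("destination is not in the external prefix")
        return str(self._rewrite(addr, self.internal, self.adjust_in))


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute the same value to a transport checksum."""
    sa = ones_complement_sum(hextets(ipaddress.IPv6Address(a)))
    sb = ones_complement_sum(hextets(ipaddress.IPv6Address(b)))
    return sa % 0xFFFF == sb % 0xFFFF


if __name__ == "__main__":
    t = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")
    out = t.outbound("fd01:203:405:1::10")
    print("outbound:", out, "inbound:", t.inbound(out))
```

Note what this does not do: because it is stateless and one-to-one, NPTv6 lets every inside host be reached from outside as soon as its translated address is known. It hides your ULA numbering plan, not your hosts; the stateful filter is still what keeps unsolicited packets out.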
pay per IP some ISP's used to due that and ban rou (Score:2)
pay per IP: some ISPs used to do that and tried to ban routers. I think Comcast used to, and had home networking as an upsell.
Now with IPv6 and no NAT they can hit you with an outlet fee per IP to make up for what they lose when people cut TV with its high outlet fees.
Re: (Score:2)
It's not quite the same thing... NAT also breaks end-to-end connectivity even on outgoing connections, while a firewall does not. While generally breaking such connectivity is not a desirable thing, it is not unimaginable that there may be circumstances where this might be actively desired in some situations.
Ideally, such end-to-end connectivity should be selectable per NIC in an IPv6 network
Re: (Score:2)
What are Privacy Extensions?
Re: (Score:2)
One significant problem with temporary IP addresses is DNS. Even if you dynamically update the DNS forward and reverse addresses, the resolver data is cached in remote machines.
Combating this by lowering TTLs causes increased network traffic and load all the way up to the root nameservers, slowing down the Internet for everyone.
A similar problem is route caching. It may not take long for a router or switch to determine where to send a packet with a new address, but multiply the number of hops by the number of devices,
Re: (Score:3)
You know how big an IPv6 subnet is? Think of scanning the whole IPv4 address space and then you are close. Between IPv6 privacy extensions and DHCPv6, you can reduce the scope of scanning. Also, with a firewall in place, that scanning shouldn't even be possible.
The biggest barrier to IPv6 adoption has been people not sitting down and adding themselves what is the native IPv6 way of dealing with things and saying it is a security risk. The biggest risk is putting off the work.
Case In point: I recently faced an
Re: (Score:2)
You are right about the size being off a little, though you do confirm the point on scanning. I suppose I was going with best case for comparison?
Re: (Score:2)
Not all ISP's are equal. I get a maximum of four subnets, and the ISP (Comcast/Xfinity) only offers one subnet by default.
I'll get by, somehow, but I really wanted to be able to address every article of clothing in my wife's wardrobe.
Subnet sizing (Score:3)
That's the reason that I've always believed that the /64 was a stupid boundary where to demarcate the Global Prefix and the Interface ID. It should have been at /96. The reason for the /64 was for easy autoconfiguration w/ SLAAC. But even w/ SLAAC, uniqueness is not guaranteed, and therefore, a lot of flexibility in IPv6 is sacrificed at the altar of autoconfiguration, resulting in an overkill when it comes to subnet sizes.
Instead, having a /96 would have enabled the internet to have had a hierarchic
Re: (Score:2)
> I'll get by, somehow, but I really wanted to be able to address every article of clothing in my wife's wardrobe.
And remember that you need to address each shoe with a unique address. One shoe can not always be assumed to always speak for the pair.
Topology detection (Score:3)
Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6. Like if you have a network that has a subnet mask of 255.255.255.240, you know that there can be a max of 14 boxes on that subnet. In IPv6, all that is irrelevant: any subnet can have anywhere b/w 1 and 2^64 boxes: it's impossible to find out w/o port scans.
Also, unless someone u
Re: (Score:3)
Also, while IPv4 is structured in a way that one can determine the netmasks and determine how it is structured, and easily deduce the number (or at least maximum number) of boxes on the subnet, that's not even possible in IPv6.
No, not really (unless you're talking about the old classful addressing system? Nobody uses that anymore.) The only reliable way to determine who owns what IP ranges is to pull out your BGP looking glass (there are a bunch of them owned by major peering providers; google "bgp looking glass".) The same thing works for IPv6, by the way.
However none of that tells you anything about the internal (RFC1918) addresses they use beyond that. I.e. are they on a 10 net? A 172.16.x net? A 192.168.x net? Only way to kno
Re:Topology detection (Score:4, Informative)
No, subnet addresses are the 49th to the 64th bit of the address, or something beyond 49th to 64th, depending on how it's allocated. Most routers would recognize the entire lower half of the address as the interface ID. There is no concept of 'class' networks the way there was in IPv4. Everything is 2^64.
Yeah, one could break the protocol and assign subnets to something in the lower half, and a few things, like SLAAC, RAs would stop working.
Re: (Score:2)
Are there consumer routers that will provide security for home users using IPv6 that they can just plug in and leave with default configuration?
Home routers [arstechnica.com] should be assumed to be vulnerable in any configuration [slashdot.org]. If I were going to attack someone's house, the router is the first place I would start. There are a lot of vulnerabilities in routers.
Security isn't something that can happen as an afterthought. It can't be bolted on. You need to train your programmers to have the security mindset from the very beginning, and router companies haven't done that.
Re: (Score:2)
Unlikely that everyone will be on IPV6 by 2020 (Score:2)
Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.
Re: (Score:2)
What was the brake becomes the gas pedal (Score:2)
IPv6 took a long time to get to 10% because it's a pain in the ass to support two things. This will turn around in IPv6's favor at some time in the future. With major IPv6 deployment IPv4 begins to look like last Tuesday's pizza, because you have to support IPv6, but you can save time and effort by making v4 users tunnel or convert. Network protocols don't tend to linger once they get below a certain level - see Appletalk, IPX, Banyan Vines, etc.
"It’s a poor atom blaster that won’t point both ways"
Re: (Score:3)
Trying to not support two things, is why cell phone companies are planning on going IPv6 with NAT64/DNS64. It is also why all iOS 9 apps must support IPv6. This approach allows them to optimise their infrastructure for IPv6 and only deal with IPv4 on the border.
Nothing is stopping anyone from staying IPv4 internally, but if you can't speak to that IPv6 service outside your network, then you'll look pretty stupid. At least get a web proxy, that deals with IPv6 externally, if you don't want to deal with the s
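For anyone wondering what "only deal with IPv4 on the border" looks like on the wire, here is an added example (not any carrier's DNS64/NAT64 implementation) of the IPv4-embedded IPv6 address format from RFC 6052 that the two share: DNS64 synthesises a AAAA record by embedding the A record in the NAT64 prefix, and the NAT64 gateway extracts it again. The example handles every prefix length the RFC allows, not just the well-known 64:ff9b::/96 that most deployments use; all prefixes other than that one, and all hosts, are made up.

```python
"""Added example: RFC 6052 IPv4-embedded IPv6 addresses as used by DNS64/NAT64.
Prefixes other than the well-known one, and all IPv4 hosts, are made up."""
import ipaddress

U_OCTET = range(64, 72)  # bits 64..71 are reserved and must be zero
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def _ipv4_bit_positions(plen: int) -> list:
    """Address bit positions (MSB = 0) carrying the 32 IPv4 bits for a prefix
    length: the bits right after the prefix, skipping the reserved u octet."""
    if plen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 prefixes are /32, /40, /48, /56, /64 or /96")
    return [b for b in range(plen, 128) if b not in U_OCTET][:32]


def embed(prefix: str, ipv4: str) -> str:
    """What DNS64 does when synthesising a AAAA record from an A record."""
    net = ipaddress.IPv6Network(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    n = int(net.network_address)
    for i, pos in enumerate(_ipv4_bit_positions(net.prefixlen)):
        if (v4 >> (31 - i)) & 1:
            n |= 1 << (127 - pos)
    return str(ipaddress.IPv6Address(n))


def extract(prefix: str, ipv6: str) -> str:
    """What the NAT64 gateway does to recover the real IPv4 destination."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("address is not inside the NAT64 prefix")
    n = int(addr)
    if net.prefixlen < 96 and any((n >> (127 - b)) & 1 for b in U_OCTET):
        raise ValueError("u octet (bits 64..71) must be zero")
    v4 = 0
    for pos in _ipv4_bit_positions(net.prefixlen):
        v4 = (v4 << 1) | ((n >> (127 - pos)) & 1)
    return str(ipaddress.IPv4Address(v4))


def synthesize_aaaa(prefix: str, a_records: list) -> list:
    """DNS64 behaviour for a name that has only A records."""
    return [embed(prefix, a) for a in a_records]


if __name__ == "__main__":
    for p in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
              "2001:db8:122:300::/56", "2001:db8:122:344::/64", WELL_KNOWN_PREFIX):
        v6 = embed(p, "192.0.2.33")
        print(f"{p:24s} {v6:32s} -> {extract(p, v6)}")
```

One practitioner caveat: a synthesised AAAA is by definition not the record the authoritative server signed, so a validating stub resolver behind DNS64 will reject it unless it knows the NAT64 prefix and does the synthesis itself (RFC 6147 discusses this interaction). Clients that discover the prefix, as the iOS requirement above implies, sidestep the problem.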
Re: (Score:2)
Many or even most will move on, but once the pressure for new IPV4 addresses is off
The day the pressure is off is the day the world has moved to IPv6. Content is unlikely to be willing to lose access to any percent of eyeballs for any reason.
Re: (Score:3)
Ignoring the (quite literal) network effects. When the tipping point comes, it'll go to 100% IPv6 very quickly. Everybody will be on IPv6 because that's where everybody else is. Nobody will want to be cut off by being on an IPv4-only address.
Re: (Score:2)
Many or even most will move on, but once the pressure for new IPV4 addresses is off, the rest will probably keep them. I suspect that by 2020, between 30% and 60% of users will be IPV4-only.
They may well keep them, but fact remains that one would HAVE TO HAVE IPv6 addresses to access most content on the internet
Re: (Score:3)
NSA here. We want everyone to use IPV6 because it makes tracking everything down to your dog's internet enabled nipple piercing that much easier. So stop this nonsense about sticking with IPv4. We're watching you.
Restoring end to end for everyone is worth way more to continued freedom of Internet use than any NSA boogieman.
IPv6 privacy addresses are widely supported. Big data stalking firms currently have no problems discovering individual devices behind IPv4 NATs.
IPv6 Multi-homing? (Score:2)
Speaking of IPv6 'features' - was any solution to IPv6 multihoming actually rolled out?
Re: (Score:2)
See RFC 7157 - IPv6 Multihoming without Network Address Translation
Many happy returns, IPv6 (Score:2)
"If a 67 percent increase per year is the new normal, it'll take until summer 2020 until the entire world has IPv6 and we can all stop slicing and dicing our diminishing stashes of IPv4 addresses."
Is that the metric that keeps IPv6 adoption capped? I'd think that the sooner we run out of IPv4 addresses, the sooner IPv6 will be adopted. Not all the current public IPv4 can be NATed, and having multiple levels of NAT would pretty much transform layer 3 networking to layer 2 networking, won't it?
All the same, many happy returns, IPv6!!!
Re:Many happy returns, IPv6 (Score:4, Insightful)
Is that the metric that keeps IPv6 adoption capped?
I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.
Re: (Score:2)
Are manufacturers of network equipment really still making IPv4-only devices... 20 years after the IPv6 standard and with a significant percentage of the Internet using it?
Even 10 years ago it would be idiotic to sell an enterprise-grade network device that didn't support IPv6. Who would want to buy an expensive network device and run the risk that IPv6 would make it useless in a few years?
I personally cannot remember the last router or switch that I have worked on that didn't support IPv6.
Perhaps your frie
Re: (Score:2)
Perhaps your friend's ISP needs to upgrade their equipment anyway.
If it works fine, why upgrade? Businesses tend not to upgrade until there's a business case for it. You don't just throw out perfectly good things because they are 'old'
Re: (Score:2)
The NOC at our cable company was bitching to me about how bad newer Cisco enterprise equipment handled IPv6 at their headend. Just because an IPv6 tickbox is checked off by the manufacturer doesn't mean it actually works right in production.
Re: (Score:2)
Is that the metric that keeps IPv6 adoption capped?
I asked the owner of an ISP how he was going to deal with IPv6. His answer was, "Buy a lot of expensive hardware." That is the metric that keeps IPv6 adoption capped: people don't want to pay for new hardware.
As someone who works for ISPs for a living, that is nonsense. Equipment generally has a lifetime that it is useful for. We typically buy kit with 5 years in mind, but may stretch it further if there is still life in it. Equipment that is 10 years old is probably worthless (This likely is the same for most other areas of IT)
Any equipment you buy today will support IPv6, with all the latest standards. Equipment generally gets firmware upgrades for the duration of its life that adds new features as they come a
Re: (Score:3)
This makes me wonder how long until ISPs start wanting to phase out nat so they can better see the patterns of usage behind the router. If they can tell that you use your TV and iPad more than your laptop... well, there's gotta be someone who'd pay for that info.
Re: (Score:3)
They can already see that information with DPI (Deep packet inspection) and many already do monetize it.
Re: (Score:2)
I've been trying, it's a bit of a struggle.
Getting my home network on IPv6 was the easiest part. My provider (not Comcast) was no help whatsoever, so I set up a tunnel from HE. Works great. Only time I had to tweak was when my IPv4 endpoint changed addresses, then I log in to HE and update my tunnel. The rest of my home network all fell into line, even the mobile devices (iPhones mostly) picked up an IPv6 address and use it, but it can be hard to tell since iOS only displays IPv4 info on the wifi setting
Re:Fuck You! (Score:4, Insightful)
Those are all excuses. None of that stuff needs to be touched to deploy v6. Deploying v6 won't make any of it work worse than it currently is. You don't need to upgrade all your DOCSIS1/2 modems to get v6 to the DOCSIS3 modems.
Also if you're an ISP that's been buying hardware in the past half a decade that's not v6 capable, then you screwed up -- or if your hardware is much older than that, then you're probably looking towards a replacement soon anyway.
Re: (Score:2)
If we don't adopt it, the nanobots will (Score:5, Funny)
https://xkcd.com/865/ [xkcd.com]
Familiarity with IPv4 is hindering adoption (Score:3, Insightful)
IPv6 is a very different beast from IPv4. One of its strengths is also a weakness - NATless wide open host to host routing of traffic. This is great as long as everyone adequately protects their internal network from outside access. However, the vast majority of home and small business networks are hidden behind a consumer-grade NAT router. Given the low level of understanding of what's actually under the hood, IT people (and consumers) have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery. It would seem to me that the safest thing would be to continue using IPv6's NAT feature for networks like this. Not many people understand what actually makes IP routing work at a nuts-and-bolts level, so this would be a safe default. 20 years ago, when IPv6 was new, I would have more faith that the average IT person would have a better grasp of details like this. These days, it's abstracted away for the most part. I doubt non-network focused IT people learn the stack to the same depth they had to in the past.
Even large enterprise networks I've seen implicitly trust traffic on the inside. Obviously that's not the best way to go, but re-architecting the network for trust-nothing operation is a slow process the larger the entity.
Re:Familiarity with IPv4 is hindering adoption (Score:4, Informative)
Your average consumer grade nat router that supports ipv6 has a default stateful firewall blocking unwanted inbound connections. Really no different than ipv4 with nat.
Re: (Score:2)
>have been conditioned for years to believe anything plugged into the inside of their router is safe from outside access or discovery.
The nightmare of UPNP.
Practical question for consumers (Score:2)
IPv6 has more than enough addresses to give each device its own, so there's no NAT in IPv6.
While IPv6 has more than enough addresses for every device, do ISPs allocate enough addresses for your average consumer? As far as my ISP is concerned, they only allocate me 1 IPv4 address and that you can't get more unless you get a business package or another line. This would greatly increase my monthly bill if every single device needs their own address.
Re: (Score:3)
In the very worst case, the ISP gives you a /64 which is enough to support every possible ethernet address 64K times over.
Re: (Score:2)
Not giving everyone a /48 is a daft argument. From someone who is a lot smarter than me source [nanog.org]
"Let’s assume that ISPs come in essentially 3 flavors. MEGA (The Verizons, AT&Ts, Comcasts, etc. of the world) having more than 5 million customers, LARGE (having between 100,000and 5 million customers) and SMALL (having fewer than 100,000 customers).
Let’s assume the worst possible splits and add 1 nibble to the minimum needed for each ISP and another nibble for overhead.
Further, let’s assume
In the year 2525, if man is still alive (Score:2)
I still don't get parts of IPv6 (Score:2)
It doesn't specify a checksum for the header, which means that it relies on some elements of it (the address fields) to be checksummed by a higher layer (which indeed TCP and UDP do). But which also means that some elements of the header (quality of service, hop limit) are left out of the checksum, which means that (for instance) you can get router loops. But it's probably because the designers of IPv6 thought that the whole packet would be authenticated at layer 2. But then - why require an ICMP checksum when you've just completely redesigned ICMP (and why require the TCP and UDP checksums to still use a pseudo header)? I mean, calculating checksums costs time. Either specify that it happens at layer 2 and be done with it, or do it properly.
Re: (Score:2)
> It doesn't specify a checksum for the header, which means that it relies on some elements of it (the address fields) to be checksummed by a higher layer (which indeed TCP and UDP do). But which also means that some elements of the header (quality of service, hop limit) are left out of the checksum, which means that (for instance) you can get router loops. But it's probably because the designers of IPv6 thought that the whole packet would be authenticated at layer 2. But then - why require an ICMP checksum when you've just completely redesigned ICMP (and why require the TCP and UDP checksums to still use a pseudo header)? I mean, calculating checksums costs time. Either specify that it happens at layer 2 and be done with it, or do it properly.
IP checksums are a joke which exist only for personal entertainment.
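The exchange above turns on which IPv6 header fields the transport checksum actually covers. As an added illustration (not code from anyone in the thread), the block below builds the RFC 8200 section 8.1 pseudo-header (source and destination addresses, 32-bit upper-layer length, three zero bytes, Next Header), computes and verifies a UDP-over-IPv6 checksum, and then wraps the datagram in a fixed IPv6 header so one can see that rewriting Hop Limit leaves the checksum valid while flipping one bit of the destination address does not. The 2001:db8:: addresses, ports and payload are constructed placeholders, and the code uses only the Python standard library.

```python
"""Added example (not from the thread): UDP-over-IPv6 checksum arithmetic.

IPv6 carries no header checksum; the transport checksum instead covers a
pseudo-header (RFC 8200 section 8.1) holding the source and destination
addresses, the upper-layer length and the Next Header value. Hop Limit and
Traffic Class are not part of it. Addresses are documentation-prefix
placeholders and the payload is a constructed sample.
"""
import ipaddress
import struct

UDP_NEXT_HEADER = 17


def _packed(addr):
    """Accept a textual address, an IPv6Address, or 16 raw bytes."""
    if isinstance(addr, bytes):
        return addr
    return ipaddress.IPv6Address(addr).packed


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the TCP, UDP and ICMPv6 checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src, dst, upper_len, next_header):
    """RFC 8200 s8.1: src, dst, 32-bit length, three zero bytes, next header."""
    return (_packed(src) + _packed(dst)
            + struct.pack("!I", upper_len)
            + b"\x00\x00\x00" + bytes([next_header]))


def udp6_checksum(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zeroed
    total = ones_complement_sum(
        ipv6_pseudo_header(src, dst, length, UDP_NEXT_HEADER) + header + payload)
    csum = (~total) & 0xFFFF
    # Over IPv6 the UDP checksum is mandatory; a computed 0 is transmitted as 0xFFFF.
    return csum or 0xFFFF


def build_udp6(src, dst, sport, dport, payload):
    csum = udp6_checksum(src, dst, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), csum) + payload


def verify_udp6(src, dst, datagram):
    """True if the datagram's checksum is valid for this src/dst pair."""
    if len(datagram) < 8:
        return False
    length, csum = struct.unpack("!HH", datagram[4:8])
    if length != len(datagram) or csum == 0:   # a zero checksum is illegal over IPv6
        return False
    pseudo = ipv6_pseudo_header(src, dst, length, UDP_NEXT_HEADER)
    return ones_complement_sum(pseudo + datagram) == 0xFFFF


def build_ipv6_packet(src, dst, hop_limit, udp):
    """Fixed 40-byte IPv6 header (version 6, TC 0, flow label 0) plus the datagram."""
    fixed = struct.pack("!IHBB", 0x60000000, len(udp), UDP_NEXT_HEADER, hop_limit)
    return fixed + _packed(src) + _packed(dst) + udp


def verify_ipv6_udp_packet(pkt):
    """Parse the IPv6 header and check the UDP checksum against its addresses."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        return False
    payload_len, next_header, _hop_limit = struct.unpack("!HBB", pkt[4:8])
    if next_header != UDP_NEXT_HEADER or payload_len != len(pkt) - 40:
        return False
    return verify_udp6(pkt[8:24], pkt[24:40], pkt[40:])


def set_hop_limit(pkt, hop_limit):
    """Rewrite Hop Limit (byte 7) the way every forwarding router does."""
    return pkt[:7] + bytes([hop_limit]) + pkt[8:]


# Constructed sample: a DNS-sized UDP datagram between two documentation addresses.
SRC, DST = "2001:db8::1", "2001:db8::2"
SAMPLE = build_ipv6_packet(SRC, DST, 64,
                           build_udp6(SRC, DST, 40000, 53, b"constructed payload"))

if __name__ == "__main__":
    print("valid:", verify_ipv6_udp_packet(SAMPLE))
    print("hop limit rewritten, still valid:", verify_ipv6_udp_packet(set_hop_limit(SAMPLE, 1)))
    corrupted = SAMPLE[:39] + bytes([SAMPLE[39] ^ 1]) + SAMPLE[40:]
    print("destination bit flipped, still valid:", verify_ipv6_udp_packet(corrupted))
```

The verification trick is the usual one: summing the pseudo-header plus the datagram with the checksum field filled in yields 0xFFFF in one's complement. Nothing in the computation touches Hop Limit, Traffic Class or the flow label, which is exactly the gap the comment above is pointing at.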
IPv6 compatibility w/ FOSS projects (Score:3)
What's really sobering is when you look at relatively new but very successful FOSS ecosystems like that surrounding Docker, you'll see poor considerations for IPv6. If you're working on new bleeding edge stuff and you're still developing for an IPv4 world, you're needlessly wasting a huge opportunity to help the world move beyond IPv4. I really want to call out CoreOS's fleet project for using IPv4 private networks for cross-container communications where IPv6 would have been a much better fit.
Re: (Score:2)
I mis-typed when I said "fleet" and meant to say "flannel".
Will this be the year I can ssh to a phone? (Score:2)
Even knowing what a phone's IPv6 address is, I still can't make a direct connection to it on Verizon Wireless. Why even give us an IPv6 address if it's just as useless as a NATted IPv4 address?
Firewalls for Home, SoHo and SMB (Score:2)
The firewall needs of the small and medium businesses, as well as those of the Home and SoHo users will be handled by NFV firewalls on the telco side, mostly administered by the telco personnel.
While it is bad to relinquish direct control of your security, the security of Home/SoHo/SMB will be better than what's currently available (badly configured NAT/routers), and besides, nothing stops us people in the know from putting a second firewall behind the telco-provided one...
More than just attacked. (Score:2)
Most people and small businesses don't have the skills necessary to take care of a resource that isn't behind NAT.
So it's more like "expect to be quickly and constantly pwned."
Re: (Score:2)
I call BS.
As most consumer and small business routers run Linux and use Netfilter, it's not much of a stretch to ask "how do you do it on Linux?"
Well, with Netfilter, it's pretty simple to set up an effective IPv6 firewall that offers at least as much 'protection' as NAT offers in IPv4, i.e. allow only incoming requests that are 'related' to requests made from inside. Then if you have specific hosts/ports to open, you can add an exception in the exact same way you do for port mapping in IPv4.
If you want to
Re: (Score:2)
Most people and small businesses don't have the skills necessary to take care of a resource that isn't behind NAT.
It's 2016... TTL for this excuse has long expired.
So it's more like "expect to be quickly and constantly pwned."
SPI is more secure and easier to configure than NAT.
Re: (Score:2)
The chief infection vector these days is the web browser and add-ons. If a machine can connect to the Internet, even if behind seven layers of NAT, it can get infected. Second to that are Trojans and dancing bunny attacks.
Internet based attacks to compromise hosts are relatively few, and they tend to be brute force attempts, looking for older/patched bugs, or a DDoS. Good firewalls are a solved problem.
Re: (Score:2)
Exactly that, in my experience.
You and I, and the OP, won't be subject to any attacks behind our NAT firewalls because we're all too careful to fall for any phishing scams or malware links.
Our coworkers, family and friends, on the other hand... they'll call us and say "hey my machine is acting funny" no matter what kind of firewall they are behind.
Re: (Score:2)
Yeah, but don't Fiats also still use 6V, positive-ground electrical systems and spring brakes?
Not infinitely nested NATs. Just one level of nesting is usually needed.
Good luck with that when your ISP puts you behind NAT, or when their ISP puts them behind NAT.
Without NAT, our corporate and government overlords will know exactly which computer each packet is going to
Please look up privacy extensions. They've only been mentioned in the comments of every single Slashdot article that mentions IPv6.
Re: (Score:2)
10% in 20 years, so 100% in 200 years, so full adoption in the year 2196 AD. At least it won't clash with the Y2K38 bug.
Then, 150% in 300 years??
Re: (Score:2)
I know everyone hates Comcast, but they have 40%+ IPv6 deployment rates, and the US wireless carriers also have 40%+ deployment rates.
Nobody with a biz connection can get a static prefix allocation and nobody at Comcast gives a s**t enough to communicate any kind of timeline for when it will happen.
Re:More like 0.1% -- IPv6 traffic is special purpo (Score:5, Informative)
AT&T DSL fired up IPv6 (Score:2)
A few months ago, I was kind of shocked to see that my computer was downloading Ubuntu updates from an IPv6 address. I was vaguely aware that AT&T DSL had IPv6 turned on (I could see the setting in their stupid gateway), but I didn't know that it actually got used. I'm looking at iftop right now, and most of my connections seem to be IPv6. So, IPv6 does get used for generic internet communications.