IPv6 May Already Be Irrelevant - But So is Moving Off IPv4, Argues APNIC's Chief Scientist (theregister.com)
The chief scientist of the Asia Pacific Network Information Center has a theory about why the world hasn't moved to IPv6. From a report: In a lengthy post to the center's blog, Geoff Huston recounts that the main reason for the development of IPv6 was a fear the world would run out of IP addresses, hampering the growth of the internet. But IPv6 represented evolution -- not revolution. "The bottom line was that IPv6 did not offer any new functionality that was not already present in IPv4. It did not introduce any significant changes to the operation of IP. It was just IP, with larger addresses," Huston wrote.
IPv6's designers assumed that the protocol would take off because demand for IPv4 was soaring. But in the years after IPv6 debuted, Huston observes, "There was no need to give the transition much thought." Internetworking wonks assumed applications, hosts, and networks would become dual stack and support IPv6 alongside IPv4, before phasing out the latter. But then mobile internet usage exploded, and network operators had to scale to meet unprecedented demand created by devices like the iPhone. "We could either concentrate our resources on meeting the incessant demands of scaling, or we could work on IPv6 deployment," Huston wrote.
This seems like hyperbole and bullshit. (Score:5, Informative)
Re: This seems like hyperbole and bullshit. (Score:5, Interesting)
Re: This seems like hyperbole and bullshit. (Score:4, Informative)
This. And also, what the fuck is he talking about? Literally every single one of the devices on my home network has global IPv6 addresses from a block provided by my ISP. My parents' home network too, and all they did was plug in the router that came with their internet service. For many of us, IPv6 is a reality.
The full paper [apnic.net] has some interesting graphs: (Figure 2) Global IPv6 availability extrapolated from current trends gets to 100% in 2045, and (Figure 9) Adoption has pretty much flattened in the US for the last 5 years. IPv6 is a reality for me, too, but what he's talking about is getting from "many of us" to "all of us".
Re: (Score:2)
Then the headline is wildly inappropriate. Just because some guy on Togo is stuck behind 5 layers of NAT doesn't make v6 irrelevant.
Re: (Score:3)
Looks like Togo's [togos.com] is also IPv4 only :)
Yes, the headline is poor and the article is not great, but the original paper makes some interesting points.
Re: This seems like hyperbole and bullshit. (Score:5, Informative)
Maybe, have you revised all your firewall rules? Are you sure IPv6 didn't introduce vulnerabilities?
As far as I am concerned, I like TFA because I am lazy, and making sure IPv6 is safe will involve twice the firewall testing and maintenance. So my proxmox cluster infrastructure, home routers, and anything else I manage drop all IPv6 traffic for now. I have seen many customer networks allowing IPv6 without any firewall rules at all:
I have this everywhere:
#BEGIN block all ip v6 external to/from internet
# Defaults so the block runs stand-alone; set these to your own values
IP6TABLES="${IP6TABLES:-ip6tables}"        # ip6tables binary
EXTIF="${EXTIF:-eth0}"                     # interface facing the internet
SCAN_LOG_LIMIT="${SCAN_LOG_LIMIT:-5/min}"  # rate limit for NFLOG entries
# Forwarded traffic arriving from the internet: log (rate-limited), then drop
${IP6TABLES} -A FORWARD -i ${EXTIF} -m limit --limit ${SCAN_LOG_LIMIT} -j NFLOG --nflog-prefix "IPV6FWD SCAN: "
${IP6TABLES} -A FORWARD -i ${EXTIF} -j DROP
# Traffic from the internet addressed to the host itself
${IP6TABLES} -A INPUT -i ${EXTIF} -m limit --limit ${SCAN_LOG_LIMIT} -j NFLOG --nflog-prefix "IPV6IN SCAN: "
${IP6TABLES} -A INPUT -i ${EXTIF} -j DROP
# Forwarded traffic leaving towards the internet
${IP6TABLES} -A FORWARD -o ${EXTIF} -m limit --limit ${SCAN_LOG_LIMIT} -j NFLOG --nflog-prefix "IPV6FWD SCAN: "
${IP6TABLES} -A FORWARD -o ${EXTIF} -j DROP
# Traffic generated by the host itself leaving towards the internet
${IP6TABLES} -A OUTPUT -o ${EXTIF} -m limit --limit ${SCAN_LOG_LIMIT} -j NFLOG --nflog-prefix "IPV6OUT SCAN: "
${IP6TABLES} -A OUTPUT -o ${EXTIF} -j DROP
#END block all ip v6 external to/from internet
Re: (Score:3)
I'd mod you up if I hadn't already posted. Very informative. Could be a home network disaster to the uninitiated.
Re: (Score:2)
Yeah, I suspect many people are back to the dial-in modem era with public IP addresses on their computer and no firewall at all, only at Gigabit speeds. I have already seen many such cases...
At least I believe now that modern Windows devices come with a built-in firewall but many Linux distros don't even install iptables when performing a vanilla install. Anyway, a central firewall is much more secure and easier to maintain than a firewall on each device IMHO.
Re: (Score:2)
I treat my home as public Wifi. To that end I block all unsolicited inbound traffic, but allow any and all outbound traffic and its associated stateful inbound responses. I then use MDM software to manage my machines and leverage their local security tools as needed. To be blunt, I do not trust the network.
I also have a separate SSID and vlan that all IoT devices that are not appleTVs live on. (This includes gaming systems like my switch and xbox). The appleTVs are on the primary network so airplay works b
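The policy this post describes (drop unsolicited inbound, allow outbound plus its stateful replies), written for IPv6 as an added example that is not from the thread: it is the stateful alternative to the drop-all ip6tables script quoted earlier and keeps the ICMPv6 messages IPv6 cannot work without. It assumes EXTIF is the internet-facing interface, LANIF the inside interface, SCAN_LOG_LIMIT the NFLOG rate limit, and an NFLOG collector such as ulogd.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful IPv6 ruleset for a Linux
# gateway, in the ${IP6TABLES}/${EXTIF} variable style used above.
# Policy: allow all outbound plus its stateful replies, drop unsolicited
# inbound (logged at a limited rate), keep the ICMPv6 types IPv6 needs.
# Assumed names: EXTIF = internet-facing interface, LANIF = inside interface,
# SCAN_LOG_LIMIT = NFLOG rate limit; an NFLOG collector (ulogd) is assumed.
IP6TABLES="${IP6TABLES:-ip6tables}"
EXTIF="${EXTIF:-eth0}"
LANIF="${LANIF:-br0}"
SCAN_LOG_LIMIT="${SCAN_LOG_LIMIT:-5/min}"

# Print the commands instead of executing them, so they can be reviewed
# first; "sh script.sh apply" pipes the output to sh.
ip6_rules_generate() {
    extif="$1"; lanif="$2"; loglimit="$3"
    t="$IP6TABLES"

    echo "$t -F"
    echo "$t -X"
    echo "$t -P INPUT DROP"
    echo "$t -P FORWARD DROP"
    echo "$t -P OUTPUT ACCEPT"

    # Loopback and the trusted inside interface may talk to the gateway.
    echo "$t -A INPUT -i lo -j ACCEPT"
    echo "$t -A INPUT -i $lanif -j ACCEPT"

    # Stateful core: replies to connections we opened are allowed back in,
    # packets conntrack cannot classify are dropped.
    for chain in INPUT FORWARD; do
        echo "$t -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "$t -A $chain -m conntrack --ctstate INVALID -j DROP"
    done

    # Error messages every IPv6 node must accept (RFC 4890): without
    # packet-too-big, path MTU discovery fails and large transfers hang,
    # because IPv6 routers never fragment on the sender's behalf.
    for type in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        echo "$t -A INPUT -p icmpv6 --icmpv6-type $type -j ACCEPT"
        echo "$t -A FORWARD -p icmpv6 --icmpv6-type $type -j ACCEPT"
    done

    # Neighbor Discovery on the WAN link: RA from the ISP router, NS/NA for
    # address resolution. These are link-local and sent with hop limit 255,
    # so anything with a lower hop limit was routed and is not accepted.
    for type in router-advertisement neighbor-solicitation neighbor-advertisement; do
        echo "$t -A INPUT -i $extif -p icmpv6 --icmpv6-type $type -m hl --hl-eq 255 -j ACCEPT"
    done

    # Echo requests, rate-limited, so reachability can still be tested.
    echo "$t -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/sec -j ACCEPT"
    echo "$t -A FORWARD -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/sec -j ACCEPT"

    # DHCPv6 replies from the ISP (prefix delegation) come from a
    # link-local source on the WAN side to the client port 546.
    echo "$t -A INPUT -i $extif -p udp -s fe80::/10 --dport 546 -j ACCEPT"

    # Everything from the inside may leave; replies return via conntrack.
    echo "$t -A FORWARD -i $lanif -o $extif -j ACCEPT"

    # What remains on the WAN side is unsolicited: log it (rate-limited)
    # and let the DROP policy discard it.
    echo "$t -A INPUT -i $extif -m limit --limit $loglimit -j NFLOG --nflog-prefix \"IPV6IN DROP: \""
    echo "$t -A FORWARD -i $extif -m limit --limit $loglimit -j NFLOG --nflog-prefix \"IPV6FWD DROP: \""
}

# Number of -A rules emitted; a quick sanity check before applying.
ip6_rules_count() {
    ip6_rules_generate "$@" | grep -c -- " -A "
}

case "${1:-}" in
    print) ip6_rules_generate "$EXTIF" "$LANIF" "$SCAN_LOG_LIMIT" ;;
    apply) ip6_rules_generate "$EXTIF" "$LANIF" "$SCAN_LOG_LIMIT" | sh ;;  # as root
esac
```

Run it with `print` first and diff the output against your current `ip6tables -S` before using `apply`.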
Re: This seems like hyperbole and bullshit. (Score:5, Insightful)
Yeah, I suspect many people are back to the dial-in modem era with public IP addresses on their computer and no firewall at all, only at Gigabit speeds. I have already seen many such cases...
Yes it's extremely common and the world hasn't ended, because you are living in the past...
You don't have a centrally managed firewall when you connect your mobile device to mobile data, or to a random public wifi network. In this case there is nothing between you and the network operators, and potentially nothing between you and other customers or even you and the rest of the internet.
many Linux distros don't even install iptables when performing a vanilla install
You know what else a vanilla install of Linux doesn't install? Any service that someone might actually connect to. So if you add iptables and the typical "block all inbound, allow all outbound" ruleset then you're now blocking access to... nothing, because there was nothing there in the first place. You've just added extra complexity and overhead for no benefit.
The vast majority of end user "firewalls" block inbound traffic and allow all outbound traffic, and the vast majority of exploits against end user devices never make an inbound connection to the victim machine so the typical firewall does absolutely nothing whatsoever. Attacks these days come from phishing, from malicious downloads, exploits of browser bugs etc - all things where the user made an outbound connection.
Modern end user devices are not at risk of attack via listening services, because they simply don't have any listening services by default. If someone has gone out of their way to expose a listening service, then they will also have jumped through the additional hoop of opening it up through any firewall that might be present. And this is basically all that a "deny inbound" firewall does these days - creates headaches for anyone who actually does want to expose a service externally.
When it comes to IPv6, the only differences are:
1) it's economically viable to have enough address space
2) the address space being so large gives you the added obscurity that nothing will even find your machine unless you advertise it
Re: This seems like hyperbole and bullshit. (Score:2)
This is a pretty good analysis with lots of facts, my only other comment is that just visiting an address advertises your existence... And if they use trackers (who doesn't?) possibly to lots of others besides the owner.
Re: (Score:2)
Well yes temporarily, due to privacy addressing. Your outbound address will cycle every few hours depending on config so if they're not quick they will be back to scanning 2^64.
But no one is scraping access logs and backscanning; the chance of a typical end user device actually having any listening services open these days is tiny.
Re: (Score:2)
The vast majority of end user "firewalls" block inbound traffic and allow all outbound traffic, and the vast majority of exploits against end user devices never make an inbound connection to the victim machine so the typical firewall does absolutely nothing whatsoever. Attacks these days come from phishing, from malicious downloads, exploits of browser bugs etc - all things where the user made an outbound connection.
Here is a good start; this only logs new outgoing connections, you can further restrict as you wish:
# Defaults so the loop runs stand-alone: iptables binary and the internal bridges to watch
IPTABLES="${IPTABLES:-iptables}"
ACTIVE_VMBRS="${ACTIVE_VMBRS:-vmbr1 vmbr2}"
# Log every NEW connection forwarded from an internal bridge towards vmbr0 (the uplink)
for VMBR in ${ACTIVE_VMBRS}
do
    ${IPTABLES} -A FORWARD -i ${VMBR} -o vmbr0 -m state --state NEW \
        -j NFLOG --nflog-prefix "NEW OUTCONN: "
done
Re: (Score:3)
You're only logging the FORWARD chain, which won't have any traffic unless you're actually routing (ie not bridging) devices behind, and won't log any traffic originating from the host itself.
For servers the equation is different because you actually do have listening services which you explicitly want open. I actually allow inbound unrestricted to my servers, and severely restrict outbound to specific hosts (ie ntp server, software updates etc) and log anomalies.
Normally there is no outbound traffic except
Re: (Score:2)
You're only logging the FORWARD chain, which won't have any traffic unless you're actually routing (ie not bridging) devices behind, and won't log any traffic originating from the host itself.
Congratulations! Yes I do routing inside the proxmox cluster nodes with many internal LANs with rules between each LAN where most can't talk to each other, default policy being DROP and anything allowed must be specified. The rule I posted allows me to see where servers hosted in vms connect. Just do the same with OUTPUT to log the proxmox host itself outgoing connections.
With IPv6 i can also use different addresses per service - eg each web vhost gets its own address, the SSH service has its own address. Basically each address has one service open.
I don't want each host to get its own public IP even less every service. For web stuff, I use one unique reverse-proxy with a single IP f
Re: (Score:2)
Having unique IPs per site is cleaner, there's no reason it can't still be going through a reverse proxy.
Each host having its own public address is also much cleaner. When/if you get malicious traffic, you can see easily what it's directed at.
How does this cut down on noise?
if someone discovers a web server (which is easy because they're indexed by search engines), they won't discover any other services if they scan the same address.
With IPv6 you will not get scanning attempts against IPs, you will get scanning attempts against DNS names.
Re: (Score:2)
So if you add iptables and the typical "block all inbound, allow all outbound" ruleset then you're now blocking access to... nothing
Well, that may be true initially, but packet filtering is still crucial for proper network hygiene. Malware or a badly configured container network could fuck you up.
Re: (Score:2)
On a server distro maybe, which is accessible remotely by design.
As far as I'm aware you have to choose SSH to be enabled at install time; you could also choose iptables or ufw.
If you choose SSH it's because you want to access the server using SSH, so blocking access to it would be counter productive.
Re: (Score:2)
Simple solution: only allow ssh from 127.0.0.0/8 /s
Re: (Score:3)
making sure IPv6 is safe will involve twice the firewall testing and maintenance
Which is why my proxmox servers and other things ONLY use IPv6, and legacy IP is turned off.
Microsoft also take the same approach, core systems are v6-only and only externally facing load balancers are dual stack.
drop all IPv6 traffic for now
Do you switch your TV to monochrome, run DOS and only use the first 640k of ram, force set your ethernet cards to 10mbps/half and other backwards things?
Re: (Score:2)
most home routers have an IPv6 firewall that denies incoming new connections by default
enterprise, well... they should know what they are doing, but most of the time that is also the default in existing firewalls
Re: (Score:2)
20 years on and the iptables syntax is still as awful as ever.
Re: (Score:2)
Maybe, have you revised all your firewall rules? Are you sure IPv6 didn't introduce vulnerabilities?
Yes. And before you ask, my parents' router they received for free from their ISP also blocks any incoming connections, as is usual. But thanks for the reminder.
Re: (Score:2)
Hah, I just commented the same thing. IPTables, IPChains, both have horrible syntax.
Re: (Score:2)
That's awesome. It will be decades before I get that kind of thing from my ISP, sadly.
Re: (Score:2)
I thought the same thing, and then Comcast gave me a /60
Re: (Score:2)
Yes, TFA is silly. It uses the iPhone as an example of why we're too busy to implement IPv6.
iPhones have worked with IPv6 since 2010.
Re: (Score:2)
I wish that was true. For me I can use comcast and get ipv6 or for the same price as comcast's 1gb service I can get 5gb/5gb fiber from a regional provider. Except that provider uses carrier grade NAT and doesn't offer IPv6. So I have to tack on another 10 to get a static IP and out from under the CGNAT.
Re: This seems like the world changed (Score:5, Insightful)
firewall still exists in ipv6 and must be used, just like ipv4
NAT is not a firewall, never was, never will be, thinking you are protected because you are behind a NAT is a bad start for your security
Re: This seems like the world changed (Score:2)
You went full derp. Never go full derp.
Re: (Score:3)
Re: (Score:3)
It largely is, anybody familiar with the protocol will understand that there's a lot more to it than longer addresses.
The only thing the author has is the fact that most people don't even need to be concerned with it. The biggest reason why is because most people don't understand what you're giving up with NAT. But most people don't care because the internet is largely centralized around a few big players. Why do you need to set up a listening service when everything you do is on one of AWS, GCP, Azure, etc
Re:This seems like hyperbole and bullshit. (Score:4, Funny)
Most of them, even most people here, couldn't even tell you the difference between the internet and the web. Odds are they think both were invented by Tim Berners-Lee.
When those of us who have been around a while know that the internet was invented by Al Gore.
Re: (Score:2)
Most of them, even most people here, couldn't even tell you the difference between the internet and the web. Odds are they think both were invented by Tim Berners-Lee.
When those of us who have been around a while know that the internet was invented by Al Gore.
Yup. From Al Gore and information technology [wikipedia.org]
In the 1980s and 1990s, he promoted legislation that funded an expansion of the ARPANET, allowing greater public access, and helping to develop the Internet.
On June 24, 1986, Gore introduced S-2594, Supercomputer Network Study Act of 1986.
As a senator, Gore began to craft the High Performance Computing and Communication Act of 1991 (commonly referred to as "The Gore Bill") ... The bill was passed on Dec. 9, 1991 and led to the National Information Infrastructure (NII) which Gore referred to as the "information superhighway".
Gore's legislation also helped fund the National Center for Supercomputing Applications at the University of Illinois, where a team of programmers, including Netscape founder Marc Andreessen, created the Mosaic Web browser, the commercial Internet's technological springboard. 'If it had been left to private industry, it wouldn't have happened,' Andreessen says of Gore's bill, 'at least, not until years later.'
Re: This seems like hyperbole and bullshit. (Score:2)
That's what Vint Cerf says
Re: (Score:2)
they love the idea that centralization means it's easier to censor people they don't like, so we're unlikely to see any big push towards decentralization any time soon from them, if ever.
They already resist it mightily. That's why folks want to repeal the so-called "section 230" coverage for absolutely everyone. Right now, it's a small fig leaf that might work for big companies, but there are no strong protections for individuals or small ISPs that I'd personally have any faith in.
The government can always pull the CSAM card. Then no matter what they do, they are covered. Hate the regime? You're going to be found with CSAM. Want free speech? Uncle Sam says you are a kiddie pornographer.
Re: (Score:2)
Nope. Those would be the ones who think DDoS small and self-hosted services making it only practical for big, centralized providers to host anything, combined with demanding that infrastructure companies act as content police, is the right approach to everything they don't like. You know, the ones who naively believe that anonymous free speech isn't essential to a well functioning democracy. They're exactly the opposite of the ones you're describing.
Why, which e2ee protocol/platform are you thinking of that
Re:This seems like hyperbole and bullshit. (Score:5, Informative)
The real bottom lines seem to be:
- CDNs have made IP Addresses less important to establishing communications
- Domain names are now more important than IP Addresses
- We should stop expecting IPv6 to supplant IPv4 and instead call universal support for IPv6 the success metric for IPv6
Which are astute non-hyperbolic non-bullshit observations from a person deeply involved in the IPv6 transition.
Re:This seems like hyperbole and bullshit. (Score:4, Insightful)
- CDNs have made IP Addresses less important to establishing communications
Yep, and when you suck on the tit of large corporations that is a success story. Meanwhile we have not only broken the end-to-end connectivity of the internet, further embedding our reliance on a cloud intermediary to make connections, but we are actively making things worse, layering NAT on top of CG-NAT because we have actually legitimately run out of IPv4 addresses for consumer edge gateways (to say nothing of mobile phones which largely have been CG-NATed for years).
Re: (Score:2)
I think he's looking for a bigger game-changer.. Something like how QUIC replaces TCP/IP for HTTP/3. But I kind of disagree.. IPv6 has all the improvements you could really think of that belong at the IP layer.
The only reason IPv6 doesn't have more adoption is that it's a fundamental change, and we've left IPv4 running on the internet.
Honestly, my vote would be to introduce a NAT mechanism that allows all IPv4 addresses to be mapped to a corresponding unique IPv6 address, then declare a global flag day
Re: (Score:3)
Stateless Address Autoconfiguration (SLAAC) isn't present in IPv4.
SLAAC, DHCP... same difference nobody cares.
IPv6 also has a simplified header,
"Simplified" if you ignore all the extension headers.
integrated IPSEC encryption, integrated QoS with flow-labels
All of these things work equally poorly in both protocols.
and elimination of fragmentation problems with better path-MTU discovery.
The only difference here there is no per-hop fragmentation which is the same as DF bit always being set.
IPv6 was designed to minimize forwarding costs yet the actual structural differences are irrelevant. From an internetwork perspective it really is "96 more bits, no magic".
It's more than just "bigger IPv4". Sounds like APNIC needs a better "scientist" not a better protocol.
Huston knows his shit, actually bother to read his blog post and try and underst
Re: (Score:2)
creating that compatibility would require big changes in ipv4, there is nothing that the ipv6 could do...
you need bidirectional communication, so even if the ipv6 can reach the ipv4 (there is even a special ipv6 network that maps all ipv4 IPs), the ipv4 will need to talk back to that address and have no idea how.
so the only workaround is to change the ipv4... and that required changes in all machines and routers... that is exactly the same work as supporting ipv6 in the first place directly
Re: (Score:2)
The options header was designed for exactly this, so "big changes" aren't necessarily required, just changes.
And in the time since the ipv6 transition was proposed, we could easily have deployed updated IP stacks to handle such changes. If it had been incorporated into Linux and FreeBSD in the early 2000s, that would cover every android and iphone device in existence.
Re: (Score:3)
That's precisely what should have been done.
Expanding to a 128-bit IPv5 with v4 semantics would have been better for everybody.
An undergrad CS class could make this work.
But aRcHiTeCtS wanted to exploit a crisis and in doing so they created a bigger crisis.
We probably would have actually had universal v6 by now by making small moves instead of being afraid to replace everything all at once.
Let that be a lesson to future Utopians.
Re: (Score:2)
We should have left it to the geniuses on Slashdot who know how to connect a 48-bit, 64-bit or 128-bit address space to a 32-bit IPv4 host and have it magically work in both directions.
That's precisely what should have been done. Expanding to a 128-bit IPv5 with v4 semantics would have been better for everybody. An undergrad CS class could make this work.
I am so glad none of the tunneling bullshit from people pretending you can get 1:1 correspondence out of a fixed address space ended up gaining traction. We ended up needing a flag day just to undo the damage these harebrained schemes were causing. Dual stack ensures a production quality, reliable transition with commensurately incremental gains.
Re: (Score:2)
Don't forget that NAT also serves a different purpose: that the internal IP addresses not necessarily be directly addressable by the internet. The fact that this "feature" is a side effect of the NAT process shouldn't be ignored. A NAT also simplifies a typical home connection to the internet so that we don't have to deal with routing tables on a full-fledged firewall.
Re:NATz (Score:4, Informative)
Don't forget that NAT also serves a different purpose: that the internal IP addresses not necessarily be directly addressable by the internet. The fact that this "feature" is a side effect of the NAT process shouldn't be ignored. A NAT also simplifies a typical home connection to the internet so that we don't have to deal with routing tables on a full-fledged firewall.
It can and should be ignored because the side effect is both irrelevant and dangerous. The same stateful connection policies are enforced by default either way whether relying on a 1:many NAT or SPI.
The only difference is the absence of packet mangling and ALG codes full of exploitable assumptions in the SPI implementation. In other words not only is SPI more reliable (enabling real time communications between peers) it is also inherently more secure.
Re: NATz (Score:3)
Re:NATz (Score:4, Interesting)
The stupid thing is slashdot *DOES* have an IPv6 address:
Try putting "2606:4700::ac40:97c0 slashdot.org" into your hosts file.
It's hosted by cloudflare which fully supports IPv6, they just don't publish the AAAA records via DNS which is an absolutely braindead thing to do because it forces traffic through CGNAT with all the associated problems.
Re: (Score:3)
Well, google, microsoft, youtube and millions of other sites have v6 enabled by default and people seem to be accessing them just fine.
Misconfigured devices are misconfigured devices, the same problem can occur to legacy ip too. Having dual stack makes things more reliable because *both* have to be broken before you get a full failure.
Re: (Score:3)
Don't like the long hex addresses (Score:4, Insightful)
Not as easy to work with, let alone try to remember one.
-m
Re: (Score:2)
Not as easy to work with, let alone try to remember one.
-m
I keep things simple so IPv6 is easy.
All of my devices are down here with me in the back room of my mom's basement, and their addresses are all FE80::xx.
There's still more devices connecting (Score:3)
Aren't most mobile phones IPv6? (Score:2)
Re: (Score:2)
I know T-mobile USA is, and every other one I have had to deal with was.
With 5G maybe. 4G LTE? IPv4 all the way; if you had any IPv6, it was an afterthought.
Re: (Score:2)
With 5G maybe. 4G LTE? IPv4 all the way; if you had any IPv6, it was an afterthought.
IPv6 is mandatory to implement for LTE and IPv4 is optional.
We did run out of IPv4 addresses (Score:5, Interesting)
The world ran out of IPv4 addresses long ago. Instead of keeping additional hosts off of the network, we pulled tricks, such as NAT, to work without unique IP addresses.
In the world of software, to "run out" doesn't necessarily mean that you crash. It can mean that you are unable to use a resource in the best way, and resort to workarounds.
some ISP used to change per device on your network (Score:2)
some ISPs used to charge per device on your network, and then people got NAT routers.
Also, with IPv6 your ISP controls DHCP of your network? Ok for home. Not ok for enterprise or even small business
Re:some ISP used to change per device on your netw (Score:5, Insightful)
Also, with IPv6 your ISP controls DHCP of your network? Ok for home. Not ok for enterprise or even small business
What?
This is completely untrue, the ISP only allocates a block of address space to your router. How you then choose to allocate that to your own devices is absolutely up to you. Large enterprises have their own address space direct from the RIRs and only use ISPs for transit.
Re: (Score:2)
They don't control your DHCP directly. They delegate you a prefix, which you then use in for DHCPv6 or SLAAC. Just be careful because those will be fully routable IPv6 addresses so you absolutely need a true firewall rather than a NAT pseudo-firewall.
Re: (Score:2)
they control the ipv6 NETWORK delivered to you. ... and if you want, you can use the ipv6 localnet for internal network and only have a few public endpoints
you can deploy your own dhcpv6 or even static ipv6 (still based on the network delivered to you by the ISP)
if you really want to be independent of your ISP, you can buy a ipv6 range and even setup a roaming IP range, that will keep the same IP even if you change ISP, leave office, etc (but vpn are much easier by the way)
Re: (Score:2)
Also funny that I currently have 7 routable IPv4 addresses assigned to my servers (via several providers) and had no trouble getting them. The lack of IPv4 addresses seems to be grossly overstated.
Re: (Score:2)
Author is malicious. (Score:2)
One of the more pressing issue, how?! (Score:2)
Take any entry level tech course, and you'll hear a paraphrased version of: "It's a new version of IP, that has more addresses, and you can just enable it
Re: (Score:2)
actually using ipv6 is easier than ipv4, because what breaks the ipv4 is mostly solved in ipv6. it is just plug and play
if you do setups that are more complex that may cause ipv6 to fail, you probably already know about networks and ipv6 enough to also solve them
Re: (Score:2)
We still didn't finish migrating to ipv6 because.. (Score:5, Informative)
We still didn't finish migrating to ipv6 because... stupid guy like this!
IPV6 is not just more IPs, it is lot more. NAT is a workaround that breaks other services and pushes the internet to be centralized because the reverse path is behind nats and can't be reached.
We still didn't run out of ipv4 because we are freeing IPs from either reserved or unused spaces
People like this don't really understand IPv6, so it is easier for them to keep using IPv4 and all sorts of workarounds. IPv6 isn't that hard and once your ISP adds support for it, most people will use IPv6 without even noticing... but sadly, ISPs are full of people like this guy!
Re: (Score:2)
CGNAT is engineered to keep the Internet as a consumer service rather than interconnecting the world's computers. You're only meant to get on to connect to big company services.
Re: (Score:2)
"NAT is a workaround that breaks other services and pushes the internet to be centralized because the reverse path is behind nats and can't be reached." ... which is exactly what the carriers want.
Re: (Score:2)
Not so much, because then the carriers become beholden to those large services. Think of all the disputes between carriers and netflix or google for instance.
scaling doesn't include ipv6? (Score:3)
"We could either concentrate our resources on meeting the incessant demands of scaling, or we could work on IPv6 deployment," Huston wrote.
Something the article summary didn't clarify for me: how are is "IPv6 deployment" not an integral subset of "demands of scaling"?
What they don't want you to know (Score:2)
Back when IPv6 was new, ISPs were looking to migrate over to it, but there was something nasty going on in the background, the requirement to give up your static IP addresses in exchange for IPv6 addresses. For a consumer, no big deal, but if you had static IP addresses, routing, making sure people could always get to your network...yea, giving up what works for something that was still very new and that very few people had actually migrated to? What if the other ISPs and companies you peer with don't h
Re: (Score:3)
There's never been any requirement to give up legacy addresses. The whole idea was that you run dual stack (ie both) until IPv6 is ubiquitous, only then do you give up the legacy addresses because they are no longer needed.
Instead it's been left so long that now new organisations simply cannot get enough legacy addressing and millions of users are left with second class connectivity encumbered by CGNAT because there's no other option.
TFS seems to indicate a false choice (Score:2)
I would argue these are two sides of the exact same coin.
There may very well be a lot more relevant context in the actual article; but this is Slashdot after all, where people often don't even read the entire summary.
Re: (Score:2)
There may very well be a lot more relevant context in the actual article; but this is Slashdot after all, where people often don't even read the entire summary.
It's better to skip the article and read the original paper [apnic.net]. The graph of the price of IPv4 addresses is interesting - either demand has slackened, or supply has increased as people get better at moving onto smaller ranges. If the price of IPv4 addresses goes sky-high in future, then that will push people towards IPv6, or towards more and more NAT.
In the UK nobody seems to care about it (Score:2)
I've been a virgin media user for a very long time and their IPv6 support has always been "maybe, but don't hold your breath." All of the business grade lines I've had at work have all been IPv4 only, except for a single ADSL from BT that had IPv6 support. When I got a new connection at home it had IPv6 but I realised that a significant chunk of the popular internet was either unroutable or damned slow over v6 to the point I had to implement workarounds so that things like ebay's CDN was served over v4 only
Re: (Score:2)
The UK glass might be half empty, but it's also almost half full [google.com] - the Europe tab on Google's map shows 48% availability. Admittedly this is not as good as the 75% in France and Germany.
Aside from larger addresses, IPv6 was a regression (Score:2)
The most egregious example is the elimination of the header checksum. Now the checksum is done in layer 4, is weaker than it was in IPv4, and has become mandatory in UDP, a big problem/burden for anyone doing voice or video over UDP.
And don't give me that 51h7 about "the checksum varies each time the TTL varies", as it would have been simpler to checksum the header sans TTL and make the TTL a Hamming code instead of an integer...
It also does not help that, after it was ratified, we had to wait for a few years
Re: (Score:2)
The most egregious example is the elimination of the header checksum. Now the checksum is done in layer 4, is weaker than it was in IPv4, and has become mandatory in UDP, a big problem/burden for anyone doing voice or video over UDP.
The real work is always done at layer 2. IP checksums are worthless decorations that were only ever useful at letting you know your hardware is severely broken.
4G being primary IPv4 instead of IPv6 only (Score:2)
Killed any remaining chances of IPv6 being of any use whatsoever.
Is what can be inferred from TFS and TFA
I think APNIC never bothered to look (Score:3)
1. Autoconfiguration
2. Anycasting
3. Extensible headers
4. Prefix-driven routing
5. Simplified multicast
6. Simplified word-aligned headers
7. Wider labels for better handling of intserv, diffserv, and qos
8. ICMPv4 router discovery and redirect, and ARP were replaced by unified simplified protocol
9. Transparent routing protocols which restricted visibility of the topology of internal networks to external observers (originally devised by Telebit)
Removed from IPv6, but part of the original design so all technically reintroducible without breaking anything:
1. Automatic fragmentation elimination
2. Transparent Mobile IP
3. Mandatory encryption
That's an awful lot of features IPv6 has that 4 doesn't have and cannot ever have. You'll notice I don't mention address space. Because it wasn't ever really relevant to IPv6. It may have been the initial reason, but the bulk of the address is taken up with routing information, not machine ID.
The reason this was done was to support transparent Mobile IP. Your actual address was the end bit and stayed constant. If you moved between networks, then the routing data changed but your actual IP address, the end bit of the IPv6 address, stayed the same. The routers would automatically handle your migration, since your machine ID was unique in the Internet.
This could be done securely because there was, at that stage, mandatory encryption which meant routers could authenticate that the machine claiming the new network really was you.
Yes, both these got eliminated, but the way the addresses worked stayed exactly the same. The prefix is the route, the suffix is the real address, and that bit isn't significantly bigger. But the suffix is supposed to be unique on the Internet.
As for the routing, everything was done in 2-byte chunks. So you never had to handle entire IPv6 addresses on routers or do full matches. The absolute most you ever needed to inspect were the two bytes above, at, and below your router's position in the network.
And, in a strictly hierarchical design, you could eliminate the second of those.
So your router tables, if the software was correctly written, would be equal in size to IPv4 router tables, or only slightly larger, and subnetting was a breeze if your network was properly configured.
I was on IPv6 on September 27th, 1996. I ran 10 tunnels from a Linux 2.0.20 box with the experimental IPv6 patches. (No, I don't give a damn the spec changed later on, any more than any reader here cares which particular revision of IPv4 they're on. It was IPv6 and that's the end of the matter.)
I was using a mix of RIPv6 and static tunnels, and later on a very early IPv6-aware Apache server for wide-area testing. There were also third-party IPv6 stacks for Windows and Solaris, which I used to do local testing.
For those interested, that should be more than sufficient to look up the RIPE entry in the 6Bone.
Back then, the US' Navy Research Labs provided a library which could take an IPv4 or IPv6 connection and hide the details from the app. They soon abandoned it, dunno why, it seemed a good idea.
Had everything been transparent, I doubt we'd be in this mess today, simply because no user would know or care what they used, and no app would, either. It would all be invisible, which is how it should be.
And how, for the most part, it is, on mobile phone networks, where IPv6 is used a lot.
Slashdot may already be irrelevant (Score:3)
Re: (Score:2)
If you go back about fifteen or twenty years Slashdot was the place for technical conversations like this. It is not bad now but back then it was *wonderful*.
Honestly I feel its hard to remember (Score:2)
I think it failed because its too hard to remember or communicate addresses.
If they had simply kept the same style and either added another octet or allowed numbers above 255 per octet people would have latched on.
I mean why abandon the whole format? 350.850.242.100 seems like it is both larger and just as easy to remember. They should have done that.
not human-friendly (Score:3)
I know there are precious few conditions under which one views an IP address, but they do exist.
IPv4 has the really strong appeal under those circumstances that it (a) reads easily (number, "dot", number, "dot", number, "dot", number), and (b) it's almost like a phone number. That's actually important.
Now let's consider IPv6. (a) It reads with difficulty (alphanumeric, "colon", alphanumeric, "colon" ... a total of eight times) so that pronouncing it is much more challenging. (b) It's so long that you don't know if it has the right number of fields without counting. (c) The separator being a colon makes it harder to visually parse because the density of digits isn't separated nicely like with a dot or a hyphen. (d) The weird dropped field notation when it's all zeros makes reading out loud unreliable ("did he say colon once or twice?"). (e) Should you have to type one, well, good luck to you getting it right the first, second, or even third time.
In other words, it isn't human-readable in practical terms. That was a big mistake.
There's a reason that phone numbers are always in groups of three or four digits separated by dashes (or sometimes dots or spaces), as they were designed to be easy for human brains to parse and communicate. The folks designing IPv6 blew it in that respect, big time.
Re: (Score:2)
This is why I tend to think that dual stack will be around for the foreseeable future.
IPv4 on the internal network side and IPv6 on the carrier/edge side.
There is also something a little disconcerting about all devices essentially being publicly exposed. I have been coddled by NAT and the idea of being without it sort of freaks me out :)
I am sure there is no real justification for that, but I can't be alone.
The main problem with IPv6 (Score:2)
The main problem with IPv6 is that it looks completely different to IPv4. I know it sounds silly but hear me out. People are used to working with IPv4. It's a neat, 4-number address. 4 numbers. That's it. Meanwhile, IPv6 looks more like a cipher. Unnatural, cryptic. If IPv6 creators adapted a different format, for example a 6-number dotted style (i.e. 10.123.20.234.30.255), they would probably see a much wider adoption by now because it would feel natural, like an extension of the past standard, not a new,
IPv6 Disabled (Score:2, Informative)
Re: (Score:3)
Stop disabling it FFS. It's not overkill or pointless, because most normal internal networks are connected to the Internet and the Internet has outgrown v4.
Plus I would never want any of my devices directly accessible from the internet anyway, I like having that extra bit of abstraction through a NAT.
NAT doesn't prevent your devices from being directly accessible. v6 doesn't make your devices directly accessible either, because all communication still goes through your router which -- as you said -- puts your devices behind a firewall anyway. The only thing NAT does is make it harder for you to understand what's going on, which makes you less secure.
We only need a handful of addresses (Score:3)
There is no need for 2^128 addresses when we only need about 5 to use the web effectively: google, microsoft, apple, facebook, and amazon.
I'm exaggerating, but the apnic article and its comments made me realize that big tech is fine with point-to-point communication being difficult, because they have molded the web into being a centralized network with big tech at the hub, so most information, and therefore surveillance, ads and money, go through them.
Re: (Score:2)
From a lay perspective, it's quite confusing to see 6+ IPv6 addresses for the same host (lol wut?) in that damned semicolon/hex notation.
Respectfully, a "lay" perspective would not include what you described. A lay perspective would generally stop at the home screen. (Yes, I am being pedantic)
Re: (Score:2)
This is what annoys me. It's NOT just IPv4 with longer addresses. The 128 bit addresses means that dynamic DNS updates are critical, yet implementing DDNS remains a pain in the ass everywhere. All the self-configuration "features" never seem to work very well for me, either. Honestly, do you want a rogue device to be able to just plug into your network and self-configure? Probably not. At least with DHCP infrastructure, you know what leases have been assigned and can use whitelists.
Re: (Score:2)
First, while ipv6 addresses are bigger (that is one of the requirements on why we needed to change the ipv4), you need to understand its logic.
The first group is the network, think like the 192.168.1.xxx. Your ISP has a network range, everybody will start the same way. The range that the ISP delivers will be your internal network range and is constant.
the second part is your network, usually it is the mac address for your network interfaces, but you can change them (hey, (network)::1, (network)::2, etc are
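Three points in this thread turn on how an address is written and split: the "::" shorthand and field counting (the "not human-friendly" post), the routing prefix versus the end "machine ID" (the "APNIC never bothered to look" post), and the MAC-derived interface identifier mentioned just above. The following is an added Python example, not code from any of the posters: it expands an address to its eight groups, splits it at the /64 boundary, and reports whether the interface identifier is a modified EUI-64 that exposes the NIC's MAC. The function names are my own and the sample addresses are constructed from the documentation and link-local ranges.

```python
import re

HEX_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")

def expand_ipv6(addr):
    """Expand an IPv6 address to eight zero-padded 4-hex-digit groups,
    resolving the '::' shorthand and rejecting a wrong group count, so two
    spellings of one address compare equal in an allowlist or firewall
    rule. Embedded dotted IPv4 (::ffff:192.0.2.1) is not handled here."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    for g in groups:
        if not HEX_GROUP.fullmatch(g):
            raise ValueError(f"bad group {g!r}")
    return ":".join(g.lower().zfill(4) for g in groups)

def split_prefix(addr, prefix_len=64):
    """Return (routing prefix, interface identifier) as hex strings for a
    nibble-aligned prefix length; /64 is the usual ISP/LAN boundary."""
    digits = expand_ipv6(addr).replace(":", "")
    cut = prefix_len // 4
    return digits[:cut], digits[cut:]

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None. Such identifiers reveal the NIC to every peer, which is what
    privacy extensions (RFC 4941) were introduced to avoid."""
    _, iid = split_prefix(addr, 64)
    if iid[6:10] != "fffe":          # EUI-64 inserts ff:fe mid-MAC
        return None
    first = int(iid[0:2], 16) ^ 0x02  # undo the universal/local bit flip
    raw = f"{first:02x}" + iid[2:6] + iid[10:16]
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))
```

Running eui64_mac over the addresses a host advertises is a quick way to see whether it is still using MAC-derived identifiers rather than temporary ones.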
Re: (Score:3)
For a while, it seemed like the IPv6 people really had the "my way or the highway" approach.
No NAT - whether or not I consider NAT to be a useful tool - "no, you don't need it".
If my ISP assigns me a /64 subnet then, despite that subnet being able to contain more IPs than the IPv4 internet, I am not allowed to split it into multiple vlans, because for some reason it should be up to my ISP whether I have vlans or not.
Having to use DNS sucks - not everything supports hostnames. For example adding a firewall r
Re: (Score:2)
No
I don't want my internal network to have our IPv6 address from our ISP. An ISP can change your IPv6 address at any time, they could go out of business, they could be acquired, etc. Then what? I have to change the internal addressing for the entire company? Nah. The IPv6 address from the ISP can exist on their
Re: (Score:2)
Re: (Score:2)
another ignorant move from someone that wants to keep being ignorant
hint: you can keep your ipv6 on, everything will work the same, but if there is ipv6 on both sides, you are using ipv6 instead of ipv4.
you will not notice anything new, but many small details are now available for your systems and make a more efficient use of the network
It is not redundant because ipv4 will end, we can't keep freeing reserved networks and everything behind a NAT will have huge problems, both network performance and services
Re: (Score:2)
Take a RAID5 array, pull out one of the disks.
From a user perspective you don't notice any difference, but you're now running in degraded mode and things are worse behind the scenes.