The threat from the fast-dwindling supply of mainstream "IPv4" Internet addresses for new users is a bit like Y2K creeping up on us all over again. Almost no one can see beyond the cost of code review, systems change, hardware upgrades and general upheaval into the brave fairly-old world of IPv6 - but putting it off forever isn' …
IPng ? Really ? Oh dear, the management is in...
Draytek in IPV6 Shocker...
The once previously high-end Draytek routers don't seem to have any credible IPV6 plan; any questions about their IPV6 product compatibility are met with a wall of silence and comments like "it's not important right now..."
Shocking to say the least....
They sell the 2130 range if you do want IPv6. To be honest those routers do so much already, I'm not complaining.
Unfortunately not in their 2920 range though. I did demo a Watchguard XTM 23, though; it's all good on paper (IPv6 included), but the thing was awful: scanning it with nmap caused it to crash!
Yeah, their statement seems to be "It's coming soon*"
* may be tomorrow, next month, next year or next century - we're not ready to commit.
It's annoying when even 'top-spec' SOHO routers don't support IPv6. When will Netgear/LinkCisco et al support it - in future products that are also some distance into the future.
Surprised the article doesn't mention the single biggest reason
for moving to IPv6.
To be able to see the v6 go-go dancer:
Windows IPv6 and Teredo - danger by default
So, you enabled IPv6 by default on Windows, and presented tunnels and routing to the internet for free?
I have unloaded all IPv6 stacks from all our Windows servers, pending architecturally correct deployment, with the assurance that IDS/IPS and firewalls all treat IPv6 with the respect it deserves. No place for Teredo in our site, sorry.
Teredo bug in W7?
When I moved to dual stack at home (V4 and V6 from entanet via a reseller), the Linux stuff just worked, but my wife's W7 laptop didn't. Turned out it was trying to use a Teredo address on the native network interface. In theory that shouldn't happen, i.e. it shouldn't use a Teredo address unless it has an established Teredo tunnel. I disabled the Teredo network interface and it all now works fine.
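The two Teredo comments above turn on a detail neither spells out: a Teredo address (2001:0000::/32) carries the client's external IPv4 address and UDP port inside it, so a log full of such addresses tells a defender exactly which hosts are tunnelling out and from where. The following decoder is an added example written for this page, not code posted by either commenter; the field layout is RFC 4380's, and the sample addresses are constructed.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 service prefix


def is_teredo(addr: str) -> bool:
    """True if addr falls inside the Teredo prefix 2001:0000::/32."""
    return ipaddress.IPv6Address(addr) in TEREDO_PREFIX


def decode_teredo(addr: str) -> dict:
    """Unpack the fields RFC 4380 embeds in a Teredo address.

    bits   0- 31  the 2001:0000 prefix
    bits  32- 63  IPv4 address of the Teredo server used for qualification
    bits  64- 79  flags (0x8000 marked a 'cone' NAT in the original spec)
    bits  80- 95  client's external UDP port, obfuscated by XOR with 0xffff
    bits  96-127  client's external IPv4 address, XOR with 0xffffffff
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "flags": flags,
        "client_port": port,
        "client_ip": str(client),
    }


def find_teredo_hosts(addrs):
    """Return (address, decoded fields) for every Teredo source in a list of addresses,
    e.g. the source column pulled out of a firewall or web-server log."""
    return [(a, decode_teredo(a)) for a in addrs if is_teredo(a)]


# Constructed sample: source addresses as they might appear in a log.
SAMPLE_SOURCES = [
    "2001:db8:1:2:21c:42ff:fe00:1",          # native global unicast
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
    "fe80::1",                               # link-local
]

if __name__ == "__main__":
    for addr, fields in find_teredo_hosts(SAMPLE_SOURCES):
        print(addr, "->", fields)
```

Feeding a day's worth of source addresses through `find_teredo_hosts` is a cheap way to check whether the "no Teredo on our site" policy from the first comment actually holds; any hit also hands you the external IPv4 address and port the tunnel is using, which is what you need to find the responsible NAT gateway.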
"The upgrade work was not that difficult in the end, especially as I wasn't in an externally-imposed panic. Do it before it does you!"
Well, that's the case for most things really: doing them in panic mode usually means 10 times the effort and 100 times the stress. Makes me think I need to look at IPv6 for my home office at some point.
Peter and the wolf...
Better put: Peter & the wolf in a modern jacket. THAT is the main issue here.
"Help we're running out of IPv4 space, the Internet will explode in 5 years!".
5 years later nothing happens. People do start to wonder about "how come new ISPs can easily get wide / huge net ranges while addressing space is said to run out?".
"Alert! Stick with the program; we're running out of space. The Internet will explode within 3 years!"
3 years later, nothing happens. Again....
"Pay attention you dumbos! It's for REAL this time; the Internet WILL EXPLODE within 2 years' time now!"
2 years later, as many people by now started to expect: nothing happens.
THAT is the main self-inflicted problem by now. Instead of turning this into a doom scenario people had better presented the whole IPv6 thing differently. By now many people simply don't care anymore because "here they go again...".
And sometimes those people can be higher in the food chain. Good luck trying to convince management that your company needs to invest in IPv6! "But everything just works? And haven't we been hearing those doom stories for ages now?".
Some people remember the hype around y2k and the overrated doom scenarios that came with it as well. "If by then it wasn't as bad as people proclaimed, why should we believe them now?".
As said: Peter & the wolf all over again. Just too bad some people apparently never heard of that story and thus easily make the same dumb mistakes.
You mean it would be "the boy who cried wolf", as in the parable, not the Prokofiev Symphony that introduced so many of us to the oboe and the bassoon.
Which will happen first?
a) Every little line-of-business custom app be tested with IPv6?
b) Carrier grade NAT?
Nope, what will happen is dialup users will cease getting publicly routable addresses unless they ask for them. This is already the case with mobiles - I generally get a 10.x.x.x address from wireless modems. Guess what? It works fine. That's what SIP is for, people! The only people who need routable addresses are the same ones who need static addresses, i.e. servers.
Also, why is it such a great idea to allow devices to talk to each other, without these pesky firewalls getting in the way? It's not, it's a terrible idea, which is why firewalls were invented. If I am going to talk to you, we need to be INTRODUCED by someone we both know. That's what SIP is for, people!
Thirdly, the transition technologies are just not there. We need to be able to:
* Write an app which assumes IPv6, and the OS allows it to run unchanged on an IPv4-only host.
* Existing apps which assume IPv4 must run unchanged on an IPv6 connected host.
That's NO source changes, simple configuration only. Until that arrives, IPv6 cannot happen.
IPv6 is still a long, long way away.
At first, the author mentions "the annoyance of NATing"
then he admitted the security it offers as "a side effect".
[Shout]Total failure here, folks![/Shout] NAT is one of the most important security features firewalls offer. This is the "block by default, allow only if needed" rule expressed in a simple and easy to understand language.
NAT is security theatre. The only reason that IT newcomers *think* it is secure is because NAT devices have default firewall rules that block incoming traffic. But NAT by itself won't protect you. If you do want to have stuff inaccessible to the internet, that's what the site scope was made for. People asking for NAT on IPv6 actually fail at grasping IPv6.
NAT is a cheap hack added to IPv4, intended to alleviate the address space exhaustion; it breaks a LOT of stuff but people don't see the breakage because of cheap hacks made on apps to "fix" it.
Sorry, but the fail is yours.
You only think NAT is a security measure because you've probably only ever experienced it on firewalls or SOHO routers. And this isn't even true NAT (Network Address Translation) it is actually PAT (Port Address Translation) or NAT Overload, depending on who you did your network studies with.
If you run NAT or PAT only on a router for example, and have no firewall or ACLs in place, then there is very little security added.
People (even some security 'professionals' I've worked with) operate under the false pretence that by having a device accessible by a different IP address than is configured on the device itself is somehow more secure. It isn't. FACT. It's the firewall rules that exist on the device that did the NATing that are protecting you.
Are we still on the "NAT is security" myth?
A Firewall is security, and I'd LOVE every device I have to be single address routable from anywhere.
@Grumpy Joe - NAT is not a myth
it is a protection measure.
For your own information, a non routable address space is extremely useful in case you have some highly critical systems that must not access or be accessible from the Internet.
Rest assured Chinese and Russian hackers sincerely love your devices being single-address routable from everywhere, but don't brag about this if you'll ever happen to work for a large bank, insurance or financial services company.
NAT by itself is not security - but it's an important way of adding security to a network. There is no valid reason whatsoever to use a public IP on a computer/user that does not need it - this is a fundamental cornerstone in security. It's not the ONLY thing, but it's a VERY important thing. Not having/allowing NAT is one of the largest failures in IPV6. It's also one of the main reasons why I REFUSE to switch until there's better security options in place. Security is applied in layers - the more the better. I for one DON'T want every device on my network accessible by a routable ip address - there's ABSOLUTELY no reason for it!
Maybe not as secure as you think
You can't count on your private IPs not being routable. Some ISPs use the private address ranges internally, and in some cases I've seen them routed from customer to customer. (I'd argue this is broken, but it happens.) NAT only helps if you're blocking your internal network's IP range at the perimeter firewall...and how is that any easier than blocking a range of IPv6 addresses?
Isn't it the case that although IPv6 doesn't mandate or isn't designed for NAT there's nothing stopping a capable router sitting on the end of your IPv6 connection and hosting an internal IPv4 network?
The missing device
The device no one seems to think about is the one sitting in every office and hallway: the lowly printer. How many printers support IPv6? My home Lexmark does not, and I'm sure that most HP JetDirect adapters don't. Until that issue is fixed, I think we can safely assume that IPv6 will be at best a hybrid solution in most organizations.
My Lexmark does though...
I have a Lexmark C543dn that supports IPv6 out of the box. I plugged it into my IPv6 home network, and it was good to go!
It's hard work...
I've been slowly moving to a fully dual-stack network, but have had nothing but problems. The typical advice being to "turn off IPV6". That's not going to help adoption much...
Example: My primary ISP doesn't provide IPV6, and I suspect there isn't a cat in Hades' chance of them doing it before I get my bus pass. Hurricane Electric kindly provide me with an IPV6 /48 via a tunnel, that's 65535 x (IPV4 internet address space)^2 worth of addresses. I set up a router and make it the default IPV6 route and it works!
But... YouTube crawls. Why? Well they advertise IPV6 routes, and that takes priority, so rather than using the fast IPV4 link traffic goes via the tunnelbroker. Switch IPV6 off? That's giving in. Change the default routing policy using a bodge called RFC3484 (gai.conf on Linux)? No good - squid doesn't take any notice of this and carries on merrily sending everything it can over IPV6. Current solution, a hacked version of squid that favours IPV4 except for local IPV6 addresses.
Example: Sometimes we get really slow traffic on some links on virtual machines. Turns out there's a bug in the vmxnet3 network driver that makes it ignore the MTU for IPV6 (how??!!). Turning IPV6 off solves it! Or switch to the trusty e1000 driver and lose some performance.
Example: "IPV6 doesn't do NAT". Actually this seems to be more of a religious point than a technical one. The way to avoid having to change all your internal IPs when changing providers is to allocate multiple IPV6 addresses to each interface. Great idea - I'll use the IPV6 private prefix and give all machines a private and public IPV6 address. Can I find a DHCPv6 server that supports multiple addresses? Nope. So we now have IPV4 addresses handed out with DHCP but IPV6 addresses have to be manually configured.
Example: If consumer-level ISP do start giving out IPV6 addresses, will they give out /48's? No chance - that'll eat up IPV6 address prefix space (which isn't that much larger than IPV4 address space) pdq. A /56? Unlikely. A /64? Maybe, but then how do you do routing without some bodge. Less than a /64? Quite possibly!
Better stop there for now - but the point is, IPV6 is still very immature. Yes, the basics work, but try and do anything more complicated and be prepared to hit bugs and lacking implementation. Give it another 10 years and it might be workable. Unfortunately for most people IPV4+NAT works, IPV6 doesn't.
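The YouTube-over-the-tunnel problem in the post above is a consequence of the destination address selection rules (RFC 3484, now RFC 6724): a dual-stacked resolver orders candidate addresses by a policy table in which native IPv6 (::/0, precedence 40) outranks IPv4-mapped destinations (::ffff:0:0/96, precedence 35), so a slow tunnel still wins over a fast IPv4 link. The model below is an added example written for this page, not the commenter's squid patch and not glibc's code; it implements only rule 6 (prefer higher precedence) of the ten-rule algorithm, which is the one gai.conf lets you tune. The "prefer IPv4" table reproduces the usual gai.conf line `precedence ::ffff:0:0/96 100`, and the local tunnel prefix 2001:db8:abcd::/48 and the sample destinations are constructed.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table, the same shape as glibc's gai.conf:
# (prefix, precedence, label). Rule 6 prefers the destination with the higher precedence.
DEFAULT_POLICY = [
    ("::1/128",       50,  0),
    ("::/0",          40,  1),   # native IPv6
    ("::ffff:0:0/96", 35,  4),   # IPv4-mapped, i.e. plain IPv4 destinations
    ("2002::/16",     30,  2),   # 6to4
    ("2001::/32",      5,  5),   # Teredo
    ("fc00::/7",       3, 13),   # ULA
    ("::/96",          1,  3),
    ("fec0::/10",      1, 11),
    ("3ffe::/16",      1, 12),
]


def as_v6(dest: str) -> ipaddress.IPv6Address:
    """Represent an IPv4 literal as an IPv4-mapped IPv6 address so one table serves both."""
    ip = ipaddress.ip_address(dest)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip


def precedence(dest: str, table) -> int:
    """Longest-prefix match of dest against the policy table; returns its precedence.
    Earlier entries win ties on prefix length, so overrides go at the front of the table."""
    ip = as_v6(dest)
    best_len, best_prec = -1, 0
    for prefix, prec, _label in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_prec = net.prefixlen, prec
    return best_prec


def order_destinations(dests, table=DEFAULT_POLICY):
    """Sort candidate destinations as a resolver applying only rule 6 would.
    sorted() is stable, so equal-precedence entries keep the order the DNS returned."""
    return sorted(dests, key=lambda d: precedence(d, table), reverse=True)


def prefer_ipv4_policy(local_v6_prefixes=()):
    """The gai.conf fix for a slow tunnel: 'precedence ::ffff:0:0/96 100' ranks IPv4 above
    native IPv6. Entries for our own prefixes (assumed, e.g. the tunnel /48) rank higher
    still, so destinations inside the site keep using IPv6."""
    local = [(p, 110, 99) for p in local_v6_prefixes]
    return local + [("::ffff:0:0/96", 100, 4)] + DEFAULT_POLICY


# Constructed sample: a dual-stacked video site that returns both an AAAA and an A record.
VIDEO_SITE = ["2001:db8:ff::1", "203.0.113.10"]
# Constructed sample: a host inside the assumed tunnel prefix 2001:db8:abcd::/48.
LOCAL_HOST = ["2001:db8:abcd::5", "10.0.0.5"]

if __name__ == "__main__":
    print(order_destinations(VIDEO_SITE))                               # IPv6 first
    print(order_destinations(VIDEO_SITE, prefer_ipv4_policy()))         # IPv4 first
    print(order_destinations(LOCAL_HOST,
                             prefer_ipv4_policy(["2001:db8:abcd::/48"])))  # local IPv6 kept
```

The caveat the commenter ran into still applies: gai.conf only governs programs that go through getaddrinfo() and honour its ordering, so a proxy that resolves and sorts addresses itself needs the same precedence logic applied in its own configuration.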
Don't be taken in!
I went to the second link above
expecting some sort of technical comment on the matter but it was just a rant about government snooping. I can't comment on the accuracy of the content, but if the author has to resort to marketing-person strategies like mis-titling content to try and get a point out, I look on the content and the author in the same light I look on any other marketdroid types and their advertorialesque material.
If it ain't broken..
.. but it is (IPv6 not IPv4) and that's why it's been around all those years with zero uptake.
-Every computer IP-trackable by doubleclick, google, etc? BAD. Effectively, an indelible supercookie.
-Internal IP addresses tied to your ISP, your LAN infrastructure therefore tied to your ISP. Bad idea.
-Nightmarish scheme for writing IP addresses... imagine giving phone support to a home user.
-How the hell do you tell if your firewall is secure, with so complex a scheme? Dunno. Beyond me, and I'm just the IT guy.
OK taking each point in turn:
- Privacy extensions (on by default in Windows and some other OSs) negate this as the machine rotates IPv6 addresses regularly
- The *prefix* is tied to the ISP yes, but by using router advertisement should the prefix change the only change needed is on the router and then everything else should just work (note that in most cases the router will handle it automatically)
- OK I'll give you this one, writing IPs is much harder, however needing to use IPs is becoming much rarer now
- In a consumer / SME environment you would expect IPv6 devices to ship with a ruleset that is secure by default, and require some sort of 'advanced' mode to remove the 'block inbound unless related to outbound' rule that makes it do the equivalent of a typical IPv4 NAT device
Unfortunately the majority of what you are saying here is the typical FUD I hear every day regarding IPv6.
With the utmost of respect - you don't know what you're talking about.
".. but it is (IPv6 not IPv4) and that's why it's been around all those years with zero uptake."
Actually it is very heavily used in academia, military, research and development, and the scientific community. Just as the internet initially grew out as (mostly) a bunch of universities for them to share research - IPv6 is getting pushed from that direction too.
"-Every computer IP-trackable by doubleclick, google, etc? BAD. Effectively, an indelible supercookie."
How is this any different to what you have now? Home / SOHO networks generally all connect to the internet from a fixed / virtually fixed IP address. Larger corporate networks can use host id randomisation, which is actually built into the Windows IPv6 stack by default.
"-Internal IP addresses tied to your ISP, your LAN infrastructure therefore tied to your ISP. Bad idea."
Homes and Small businesses rarely have more than one subnet on the site - the only router on the whole network is the internet gateway, so on the very rare occasion that they move ISP, you change the LAN IP on the router, and Stateless Autoconfiguration takes care of the rest. DHCP - Just change the scope. If you've used Static IP addresses instead of DHCP reservations, well that's just your own fault, and you obviously have the knowledge to set it again.
Large public sector / corporate networks wouldn't be using ISP provided IP addresses anyway - they would be using Provider Independent address ranges that can move with them as they move providers.
"-Nightmarish scheme for writing IP addresses... imagine giving phone support to a home user."
It will be tough at first I'll give you that - but what do you suggest - represent an IPv6 address in dotted decimal!? The new Hex format is vastly better than using decimal - less space taken up - easier conversion to binary form.
"-How the hell do you tell if your firewall is secure, with so complex a scheme? Dunno. Beyond me, and I'm just the IT guy."
Er - it's actually less complex because you take NAT out of the equation. Your entire internal network is represented as a single prefix, anything else is outside. Your firewall objects will be named anyway.
Not so long ago, when IP was winning the Layer3 wars - all the old Appletalk and IPX/SPX guys were bemoaning IP "Oh.. it's too complicated" "The old way was better" And at about that time people were getting paid 6-figure sums to go and carry out the migrations. IPv6 is going that way - and I'm seriously looking forward to it, because I'm one of those guys who is hopefully going to be getting paid obscene amounts of money to do IPv6 rollouts, because everyone else is too scared to look at it properly.
IPv6 is the monster in the cupboard - scary as hell. Until you open the cupboard and find that there's no monsters at all - it's just John Goodman in a big fluffy blue suit.
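Both replies above answer the "indelible supercookie" objection by pointing at privacy extensions, and one of them also describes renumbering by changing the router's prefix and letting SLAAC rebuild the host addresses. What neither shows is why the objection had a point in the first place: without privacy extensions, SLAAC builds the low 64 bits of the address from the MAC by the modified EUI-64 rule, so the same identifier follows the machine through every prefix and the MAC can be read straight back out of the address. The following is an added example written for this page, not code from either commenter; the MAC 00:1c:42:00:00:01 and the two documentation prefixes are constructed.

```python
import ipaddress
import secrets


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A):
    split the MAC in two, insert ff:fe, and flip the universal/local bit of octet 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def random_iid() -> int:
    """RFC 4941-style temporary identifier: 64 random bits with the u/l bit cleared,
    so the address never claims to be derived from a globally unique hardware address."""
    return secrets.randbits(64) & ~(0x02 << 56)


def slaac_address(prefix: str, iid: int) -> str:
    """Combine a router-advertised /64 with an interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """Recover the hardware address if the identifier is modified EUI-64, else None.
    This is the tracking concern in one function: the MAC shows through every prefix."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed: one laptop, first on the old ISP's prefix, then after a provider change.
    mac = "00:1c:42:00:00:01"
    old_isp, new_isp = "2001:db8:1:2::/64", "2001:db8:9:9::/64"

    fixed = eui64_iid(mac)
    for prefix in (old_isp, new_isp):
        a = slaac_address(prefix, fixed)
        print(a, "->", mac_from_address(a))       # same MAC both times: trackable

    temp = random_iid()
    a = slaac_address(old_isp, temp)
    print(a, "->", mac_from_address(a))           # None: nothing to correlate on
```

The renumbering half of the argument falls out of the same code: `slaac_address` only ever needs the new prefix, which is all the router advertisement changes. The privacy half is the reason a firewall or log-correlation rule that keys on a full /128 is fragile on a network with privacy extensions enabled; key on the /64 (or the site prefix) instead.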
Changing to IPv6 always reminds me of the idea of changing to drive on the other side of the road. Sweden managed it in 1960-something, but there are way too many cars, and dumb drivers, for any country to have a reasonable expectation of doing it today.
Likewise IPv6 might have been a possible upgrade if it had been implemented when it was invented, but trying to change the man+dog non-techy internet users we have today to IPv6? It's a lost cause. Maybe someone needs to revisit "IP.next" and come up with a backwards-compatible method, although the IETF would probably never buy in.
Like it or not, we're stuck with NAT for the foreseeable future.
Put all the porn on IPv6 and take it all off IPv4. Changeover in about a month.
All sorts of aggravating issues
The best one was when I converted the internal email server to Win-7 and allowed it to use V4 or V6. All the Win-7 clients in the building immediately switched to using V6 to make their POP3 connections. That was OK with Thunderbird but I found that Outlook (inevitably) says that the connection works but when it actually tries to use V6 it manages to fail. I had to enter the server V4 IP address in directly to get them to stop it.
And of course the ISP can't cope...
But my real bugbear is the Kerio Control firewall, which will not work with V6. The latest version at least does not kill it off internally but all external access is blocked and all attempts to get Kerio to commit to providing V6 support at any time in the future have failed. So I'm going to have to replace it with something - pity as it was really easy to work with - any suggestions?
You'd be surprised how cheap a Juniper SSG or SRX device is. Covers all that and then some too.
Failing that and you're not a large shop then FortiGate used to have some good SME devices last time I looked.
Well it is mostly an Internet issue
Just like there are still companies out there running on NetBIOS or IPX you can always run IPv4 internally.
Then again, you do have non-routable address spaces on IPv6. Typically every machine has 2 addresses, one local non-routable, the other one global. Just bind to the right address, and configure your firewall to not accept any connections you don't want to.
So locally you can have IPv4 as long as you want. Nobody cares what you do there.
If your business doesn't need Internet access, there's no need to do anything. However if you have services like e-mail, you should make sure that your e-mail server speaks IPv6 properly and that your AAAA records are correct.
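The post above relies on a distinction worth making concrete: a host's unique local address (fc00::/7, RFC 4193) is not routed on the Internet, its global address (2000::/3) is, and "bind to the right address" means deciding per service which of the two a listener gets. The following is an added example written for this page, not code from the commenter: it classifies a host's addresses by scope and chooses the bind address for a service, failing closed when the wanted scope is missing rather than silently binding to something wider. The host addresses are constructed.

```python
import ipaddress

# Address scopes a listener might be offered, most specific first (RFC 4291, RFC 4193).
SCOPES = [
    ("loopback",   ipaddress.IPv6Network("::1/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("ula",        ipaddress.IPv6Network("fc00::/7")),       # site-only, not Internet-routed
    ("v4-mapped",  ipaddress.IPv6Network("::ffff:0:0/96")),
    ("global",     ipaddress.IPv6Network("2000::/3")),       # reachable from anywhere
]


def scope(addr: str) -> str:
    """Name the scope of an IPv6 address, or 'other' for anything outside the table."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"


def by_scope(host_addrs):
    """Group a host's addresses by scope, e.g. the output of 'ip -6 addr' on Linux."""
    groups = {}
    for a in host_addrs:
        groups.setdefault(scope(a), []).append(a)
    return groups


def bind_address(host_addrs, internal_only: bool) -> str:
    """Pick the address a service should listen on. Internal-only services get the ULA
    address; Internet-facing ones get the global address. If the wanted scope is absent
    this raises instead of falling back, so a misconfigured host fails closed."""
    wanted = "ula" if internal_only else "global"
    candidates = by_scope(host_addrs).get(wanted, [])
    if not candidates:
        raise LookupError(f"host has no {wanted} address; refusing to bind more widely")
    return candidates[0]


# Constructed sample: a dual-addressed server as the post describes.
HOST = ["fe80::1", "fd12:3456:789a:1::10", "2001:db8:1:2::10"]

if __name__ == "__main__":
    print(by_scope(HOST))
    print("internal db listener:", bind_address(HOST, internal_only=True))
    print("public mail listener:", bind_address(HOST, internal_only=False))
```

Binding to the ULA address is the address-selection half of the post's advice; the firewall rule denying inbound traffic to the global address for that port is the other half, and the two together are what a single private IPv4 address behind NAT used to give you implicitly.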
Ill-informed Y2K comment
"Some people remember the hype around y2k and the overrated doom scenario's that came with it as well. "If by then it wasn't as bad as people proclaimed, why should we believe them now?"."
Y2K went quietly because a lot of techy people put a lot of time and effort into making sure it went quietly.
It *might* have gone quietly in general anyway, but there were plenty of real world examples that suggested it wasn't very likely to go quietly in the absence of (at least) checks.
What the media doom mongers did re Y2K is an entirely different story, but only an ignorant idiot would dismiss the whole thing (Y2K or IPv6) as hype.
There are a number of issues with IPv6 based on experience.
The biggest issue, and one that touches on the issue of NAT, is how to cope with multiple ISP circuits. We have the position where, being out in the sticks, high capacity bandwidth is expensive so we direct HTTP traffic over an ADSL line and anything else over a leased line circuit.
The problem is that without NAT on the IPv6 traffic and a unique global address on each internal host the only way I can find of making sure that the return path is to the same interface as the outbound route is to NAT the interface otherwise the return path is always back to the primary path for your unique host address.
Alternatively you can think about source routing and really give yourself a security headache.
Just use a proxy. All your internet traffic will then come from that IPv6 address which can be routed out over your ADSL link.
Alternatively, ditch your leased line altogether and run a 6to4 tunnel to your other site. With the money saved from your leased line, you can get fatter internet pipes.