Finally, it’s the year of Linux on the desktop IPv6!

One month from now, World IPv6 Launch Day will be upon us. Numerous online services will be enabling IPv6 and leaving it on. AAAA records will be published, and those of us with IPv6 enabled systems will start to use IPv6 preferentially to IPv4. But what does this all mean? For the short term at least, the truth is "not much". …

COMMENTS

This topic is closed for new posts.

My ISP already has native IPv6 support. Currently, you have to enable it yourself through a setting, but come June 6 this setting will be automatically turned on for everyone.

All their modems (Fritz!Box devices) have native IPv6 support and all my devices at home automatically get a different, public IPv6 address. I am quite happy with it, as I can now access all devices directly, without the need for port forwarding.

0
0
Alert

Sounds great, but I assume all those now-publicly-accessible devices are hardened to be exposed on the internet?

Reminds me of my first job implementing a leased line for a remote office; we got given a block of public IP addresses, so we thought it'd be a great (now stupid) idea to put all our machines on the internet - Code Red had a field day with our test servers. I think the record was less than a minute from rebuilding the machine due to infection, putting it back on the network, to it getting hacked...

Yes, I was young and naive.

5
0
Anonymous Coward

Firewalls

Why do people constantly throw NAT in with firewalling?

Just because a device has a real IP, doesn't mean it isn't behind a firewall!

1
3
Anonymous Coward

Re: Firewalls

Because people use NAT as an easy way of saying "the computer in question is not publicly routable." Which is an easier way to say "if I screw up the firewall config for any reason, there is still this last layer of security; the system lives in an unroutable space that my ISP will simply NOT ROUTE, even if I do everything else wrong."

Why is it so hard for ivory tower nerds to understand that the milled masses really like having these sorts of emergency fallbacks?

Especially the overworked secretary/office manager/utilities and maintenance tech who is also the sysadmin/scriptdev and a dozen other things as well. But hey, the answer is obvious! Just throw more money/training/etc. at it, right?

What do you mean there is no money? That’s just a failure to talk the management out of it! What, there actually isn’t the physical money available at all to buy Cisco? Then you just fail at business and shouldn’t be allowed on the internet, obviously!

On behalf of startups and SMEs everywhere; [rude gesture] to each and every self-important asshat whose thought process even remotely mirrors the above. May you one day wish to start your own business and be bankrupted by obscenely high barriers to entry designed to shift the cost burden onto end users and businesses.

Funny how you types are remarkably libertarian when the results of your libertarian policies increase the financial cost of other people, but scream like spoilt children when people exercise their rights to self determination to use things like NAT (which increase the financial burden on you, your network engineers and developers.)

I weep for you from behind my NAT boxen.

14
2

Re: Firewalls

I don't see why having an IPv6 enabled router with built-in firewall has to be more difficult/expensive than using NAT. At least my modem has a firewall built-in. And that's just a consumer device, provided as part of my VDSL+ service by my ISP.

In fact, without NAT, these devices could work on slower hardware, as they do not have to keep a NAT table in memory which has to be searched repeatedly. Many cheaper routers will crash when you try to use a torrent program, because they cannot handle the big number of connections to track. This problem does not exist with IPv6.

1
0
IT Angle

Re: Firewalls

If you saw the sheer volume of port-scans directed at my router from various countries (China), you would not question the idea of wanting every layer of security you can think of.

IPV6 is the way to go now, but would have been completely unnecessary if everyone (Ford) had been issued a few public IPs, and NATed their internal network devices. I think I read somewhere that Ford had been issued their own 8-bit block (16million public IPs).

1
0
Vic
Silver badge

Re: Firewalls

> I don't see why having an IPv6 enabled router with built-in firewall has to be more difficult/expensive than using NAT

Because people have to think about having all their machines exposed.

Many people have gotten used to the idea of one device (the ADSL modem/router) being the only thing directly exposed, and the core of their security is that their PCs are not routable from the Intertubes unless they have explicitly made them so.

Now it could be argued - and I probably would - that this was always the wrong way to be setting up a network. But tens of thousands of organisations across the country have exactly this model. It's where we're starting from.

To move to IPv6 as it currently stands means changing that model so that the sysad - if there is such a person - needs to think through each machine being accessible, and thus the firewall needs to be set up rather more carefully. Many organisations simply won't do that - and IPv6 will gain itself a reputation as a security problem.

What IPv6 needs is to accept NAT as a reality - just because IPv6 doesn't *need* NAT in the way IPv4 does, that's no reason to try to prevent it happening. That gives us the best of both worlds - those that want massive routability have got it, those that want to hide their internal machines have also got what they want. And NAT for IPv6 already exists - see nfnat66. Last time I looked, the IETF was less than happy[1] with NAT on IPv6 :-(

Vic.

[1] There has been some movement; NAT is no longer a dirty word, and the IETF has published RFC6296 for stateless NAT. This won't help the sort of user I've described above. nfnat66 additionally supports stateful NAT, which is what will have to happen before the general public accepts IPv6. But the SF page for nfnat66 shows an overwhelming 1182 downloads, so I don't expect to see this going mainstream for a little while yet.

1
1
Silver badge

NAT problems

NAT breaks a lot of shit; the reason everything hasn't broken down yet is because a lot of current applications have the patchwork to wade through the problems caused by NAT. What is really happening is that NAT endpoints are processing a lot of crap they wouldn't usually be doing, while building up a generation of IT folks that think NAT = security. It isn't. If your firewall is badly configured, it's just a matter of time before someone manages to get traffic routed *into* your NATting device and you'll be screwed.

NAT is also causing problems in other areas; some residential ISPs now give you a 10.0.0.0/8 NATted IP, and will charge 10x or 100x the regular cost for your broadband if you want the "privilege" of having a publicly routeable IP. This practice will increase, pimping off power users until IPv6 gets fully deployed. Hopefully, the fallacy of NAT will die by then. Now, if the site-scope addy space were to be re-implemented, that would be nice...

1
2
Anonymous Coward

Cue short sighted "why can't we do expensive thing to reclaim small % of existing addresses" head in sand comments in 5... 4.... 3....

2
11
Silver badge

One of these days I'll change, but...

Currently my nice D-Link router doesn't seem to support IPv6. It nicely obtains IPv4 addresses from my DSL line and does lots of NAT work along with WiFi stuff.

Even with the nice Russian updates that D-Link doesn't publish in the USA, this thing won't even touch IPv6. Of course, another point is that for equivalent data on an Ethernet packet, IPv6 has a larger header, so fragmentation happens sometimes, but IPv6 is the best there is, so.....

One of these days I might change, but not real soon.

0
0
Meh

Consumer adoption will take a long time. I know lots of people that only replace kit when it breaks. As long as IP4 is still supported, they will not move. Many companies still have no issues with IP4. They have plenty of address space on their internal networks, so they are not going to be in a rush to move.

It wouldn't surprise me if we are still having this conversation in 2020.

14
0
Silver badge

Not sure they'd see a point switching on the internal anyhow - if you want the machines sat behind a hardware firewall rather than direct connected there's not much point when ipv4 is so simple.

2
0
Silver badge

@Mark

Not sure I agree with that.

What is there to switch anyway? Once IPv6 takes off all those companies only need to invest in setting up a gateway which gets their IPv4 data onto the IPv6 network. Could easily be a hardware firewall supporting both IPv6 & IPv4. Or when in doubt set up a dedicated box for it.

Minimum amount of effort / investment vs. maximum outcome.

1
0
Silver badge

Re: @Mark

My point is more along the lines of the PCs will access the network via a proxy, be networked internally on a LAN behind a firewall, therefore what is ipv6 really giving you? Its main advantage is the increased address space and routing. Yes there's security advantages but it just seems a bit of a headache to me when your key security issues are perimeter and meat sack and the current system works for intranets.

0
0
Anonymous Coward

Re: @Mark

What it gets him is shifting the burden of network management onto the end user/customer/business owner and away from developers, network vendors and enterprise engineers.

People who write software that would work optimally with end-to-end connectivity don't have to write things that deal with NAT and proxies and the like in an IPv6 world. (Or at least, not the IPv6 world they imagined.) Since these are the kinds of applications they want to write and use, then moving the burdens of cost onto others is natural. Everyone seeks to externalise costs.

Flip that coin, and people who actually buy and use networking equipment, care about individual privacy or worry about things like network security absolutely and completely do not want IPv6. Dealing with IPv6 means accepting that costs which used to be shouldered by the application and network equipment vendors are now their headache.

IPv6 is nothing more than the death knell of the internet itself. It is the transformation of what was an open, semi-anonymous network with more than a little bit of the “wild west” into a network where every single device is handed a routable, unique, traceable individual address. It moves from a world in which everyone has curtains on their windows to one in which there is a CCTV in every room watching our every move.

It takes the internet from a way to exchange ideas and information – from a network started by academics and embraced by the hoi polloi – and transforms it into a barren, flat, corporately controlled wasteland. Nobody is safe in an IPv6 world. Nobody is anonymous. Everyone has to invest a great deal of time and money into their own individual network security…but if you put too much effort in then you will either break connectivity with the applications developed by those who worship the end-to-end model, or you will get asked pointed questions by government/RIAA/grand toaster-connected poobah about just why, exactly, you are not letting everyone spy on everything you do all the time.

This may have seemed like an okay idea in the mid-90s. Maybe it even was an okay idea back then. But the year is 2012. We live in a world where “innocent unless proven guilty” has been so eroded in most “democratic nations” as to have completely lost its meaning. There is no such concept. Especially when computers are involved, we are all of us guilty until proven extra guilty.

And now, with IPv6, we as end users get to pay even more for the privilege of connecting to and using this marvellous internet! Instead of simple management and maintenance, instead of simple tools to connect and interact we have to take on a massively increased security and management burden.

So what does it buy him?

Us. Our freedom. Lower costs. Higher margins.

And all he’s had to do to make it happen is shout loudly enough and mock anyone who questions IPv6.

IPv6 is pure. It is good. It is a marvel of design and thoughtfulness. It is unimpeachable. Anyone who questions it for any reason is obviously an idiot.

Why are they an idiot? Because IPv6 is pure. It is good. It is a marvel…

0
1
ql
Bronze badge
Alien

Guvmint snoop plans

On a related topic, I don't think I've ever seen an analysis of what effect ipv6 migrations will have on government snooping plans and whether spooks are salivating at the prospect or not. At the other end of the scale, there have been some cursory articles on security, but not much on what ipv6 security management will mean in practice, or how to take precautions against snoopage etc. Maybe I've just not noticed.

1
0
Anonymous Coward

Re: Guvmint snoop plans

Statewatch report that the snooping plans refer to IPv6 on page 8 of the European Council (EU Member States' ministers' talking shop) document ENFOPOL38 of 24th April 2001.

Statewatch claim that this document records some EU Member States' wishes as being

"At a technical level, .... to encourage the industry to speed up the establishment of version 6 of the Internet protocol (IPv6) ....to achieve a considerable reduction in piracy via the Internet."

Presumably this is because the IETF designed IPv6 to use IPSec as its standard extension header to "provide end-to-end security" (IPv6 contains 2 MANDATORY security payloads: The Authentication Header (AH) and an encapsulated security payload (ESP)). I haven't followed this for a while - but it seems like each (citizen) terminal device will need an authenticated public key???

Commentards are free to explain here that IPv6 is a privacy enhancing technology, rather than the seeming threat model of a mandatory uniquely digitally signed identifying correspondence packet-source technology?

Just how does the Council of Ministers see IPv6 as directly technically related to reducing internet piracy anyway?

4
0
Silver badge

Re: Guvmint snoop plans

Just how does the Council of Ministers see IPv6 as directly technically related to reducing internet piracy anyway?

Because they are a bunch of technical illiterates reading from their briefing papers?

4
0
Silver badge
Windows

Re: Guvmint snoop plans

Because they think that per seat OS licensing means IP=person and they haven't heard of DHCP.

0
0
Silver badge
Holmes

Sigh... Another year and little or no progress

with the sort of routers most of us use at home and IPv6 support.

Until the likes of D-Link, Netgear etc get their act together and

1) start selling devices with IPv6 support

2) Releasing software upgrades to existing devices

The vast majority of ISPs will simply shrug their shoulders and say 'Sorry, there is no demand for IPv6'.

Doh!

3
0
Silver badge

Re: Sigh... Another year and little or no progress

The newer Netgear kit supports IPv6. At least the router I have from them at home does. (One of their more expensive ones, admittedly).

I'm not convinced we'll see lots of software updates for older kit from anyone though. Too much of an opportunity to make people re-buy. I mean how often are people forced to upgrade their router anyway?

1
0

Storing IPs

I wonder how many systems will fall over when they start recording IPv6.

Old systems that have varchar(15)/char(15) in the database to store 255.255.255.255 will end up truncating FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

0
0
Silver badge
WTF?

Re: Storing IPs

"Old systems that have varchar(15)/char(15) in the database to store 255.255.255.255 will end up truncating FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"

varchar 15? Wtf are you on about? Since when did network stacks use SQL to store anything? IP4 addresses are stored as 32 bit integers, IP6 as 128 bit arrays.

Personally I think 128 bits was pushing it and has just made life difficult. 64 bits would have been more than enough as it still gives you 19 million trillion addresses and the address would have fitted into a nice 64 bit long int as well as being a damn sight easier to type.

2
2

Re: Storing IPs

"varchar 15? Wtf are you on about? Since when did network stacks use SQL to store anything? IP4 addresses are stored as 32 bit integers, IP6 as 128 bit arrays."

Not the network stack, but login records. My last job took the RADIUS login records and login records from the DHCP servers in real time and stuffed them into a mysql database so support could see what was going on if they called in. There was probably a field in a different database that held their static IP assignment, if they had one.

The network stack is the easy bit to upgrade. All the support systems that are needed to make the rest of the company work is the tricky bit.

6
0
Silver badge
Boffin

Re: Storing IPs

I present to you, the 'inet' datatype in PostgreSQL. Fully IPv6 compatible.

Nice to find out that my age-old log analytics software I developed waaay back in 2006 will still work after we're all using IPv6.

0
0
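The truncation risk raised in the "Storing IPs" posts, as an added example that is not code from any commenter: it shows what a 15-character text column keeps of an IPv6 address in a login record, and a fixed 16-byte alternative for databases without a native address type. The sample addresses (documentation ranges) and all function names are constructed for illustration.

```python
import ipaddress

LEGACY_WIDTH = 15  # char(15)/varchar(15), sized for "255.255.255.255"

def legacy_store(addr, width=LEGACY_WIDTH):
    """What a silently truncating text column keeps: the first `width` chars."""
    return addr[:width]

def classify(original, stored):
    """Compare the logged value with the real one.

    'intact'     - nothing lost
    'corrupt'    - no longer parses as an address (at least detectable)
    'wrong-host' - still parses, but names a different address, so the
                   log record silently points at the wrong machine
    """
    if stored == original:
        return "intact"
    try:
        ipaddress.ip_address(stored)
    except ValueError:
        return "corrupt"
    return "wrong-host"

def pack(addr):
    """Fixed 16-byte form for a binary column; IPv4 is stored IPv4-mapped."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + ip.packed)
    return ip.packed

def unpack(raw):
    """Inverse of pack(): returns dotted-quad for mapped IPv4, else IPv6 text."""
    ip = ipaddress.IPv6Address(raw)
    return str(ip.ipv4_mapped or ip)

# Constructed sample addresses, not taken from the thread.
SAMPLES = [
    "192.0.2.10",                # IPv4 fits in 15 characters
    "2001:db8:0:1::abcd",        # truncates to a valid, different address
    "fe80::1ff:fe23:4567:890a",  # truncates to something unparseable
]

def audit(samples=SAMPLES):
    """Map each sample to the verdict for its truncated log entry."""
    return {a: classify(a, legacy_store(a)) for a in samples}

if __name__ == "__main__":
    for addr, verdict in audit().items():
        print(f"{addr:28} -> {legacy_store(addr):15} {verdict}")
    # A text column needs 39 characters for a fully written-out IPv6 address
    # and 45 for the longest IPv4-mapped form; the binary form is always 16.
    print(len(pack("192.0.2.10")), unpack(pack("192.0.2.10")))
```

The "wrong-host" case is the one to look for when reviewing login or DHCP records after enabling IPv6: the stored value still looks like a valid address.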
Anonymous Coward

Why?

The biggest single problem with IPv6 is what I call the 90% problem: until 90% of the world is using it, it provides no benefit. Since it provides no benefit, there is no reason to adopt it until it hits 90% - so it never hits 90%.

This is NOT to say that IPv6 doesn't have benefits - with RSVP, better flow control, better multicasting and anycasting and so on - it could make streaming video services finally "work" with no more "buffering" messages (and conversely, no more "buffer bloat"). It could greatly improve cellular data (cell phones could get routable IPv6 addresses and hand out routable addresses to devices served by hot spot mode), and it could greatly improve security (since encryption is much more built-in to IPv6).

However, NONE of those benefits have been communicated to J. Random User. And since JRU is not aware of why he should be demanding IPv6 support from (his ISP|his OS vendor|his equipment vendor), he DOESN'T demand it - and so ISPs, Microsoft, and equipment vendors are not strongly motivated to make it happen.

2
0
Bronze badge
Boffin

Re: Why?

Small point, but Windows has had IPv6 enabled by default on network connections at least as far back as XP (certainly SP1 if not RTM). No idea how pervasive it is across their non-OS estate, mind.

0
0
Thumb Up

Re: Why?

Spot on.

The internet engineers would probably have more success getting a totally new IPv..whatever implemented that was more backwards compatible with IPv4 the way UTF-8 is with ASCII than this disaster called IPv6.

Global financial collapse is going to happen sooner than IPv6 adoption hitting critical mass.

4
0
Bronze badge
Windows

Re: Why?

Most Microsoft Applications don't give two shits about the underlying address on the machine, they only see a bit-pipe where it sends and receives its data. The infrastructure products and stuff that actually would care about what the IP address is have either been patched or are so old that they wouldn't run on modern equipment anyway.

XP didn't get IPv6 until SP1, but only as an optional component, but if you are still running such an old OS, you shouldn't be on the internet anyway.

0
3
Silver badge

UK ISPs refuse to even consider it

With a couple of very minor exceptions.

My kit's been IPv6-ready for a while.

0
0

push by Google and pals

Surprising Google and Facebook are not pushing. So that they get a peek at your MAC address with every packet. Just flip this switch and we will provide "personalised" services no matter what cafe you are in. IPv6 has perfect info for the big personal info snarfers. Geolocatable IP + unique address for a physical laptop, no login necessary.

I know you can turn that off. You can also set "do not track". Won't stop people wanting that info.

IPv4 NAT is a great global anonymiser.

1
0
Bronze badge
Thumb Down

Hardware only a small part of the problem

The thing holding businesses back is application support: it's fine saying that the routing fabric will work on IPv6, even the OS(es), but only when they can be sure that every app will as well will they consider moving. We've all seen those IPv4 dotted address dialog boxes... :-\

2
0
Silver badge
Unhappy

The trouble with IP6

Is that the numeric/hex address is just too damn hard to remember or to type manually. And for anyone who starts waffling on about just using DNS - yeah, good luck with that when your DNS is broken but you need to access a machine fast or when your company doesn't even bother entering certain machines into the DNS namespace and you have to use the numeric address.

9
0
Anonymous Coward

Re: The trouble with IP6 - Even more than that

Looking at a long list of IPv4 network addresses you can still find what you're looking for but looking at names is puzzling and ineffective. When you have the classic dotted decimal IP representation, you can conveniently ignore first/last byte but you can't do that with names, especially long ones. Let's face it, we're much better dealing with digits than with letters.

Please note that I'm not talking about my petty Linksys home router here, it is the big corporate firewall with 10000+ rules updated hourly.

1
0
Silver badge

@boltar

That is of course assuming that IPv6 is meant to replace IPv4 but quite frankly I don't see that happening anytime soon. It's perfectly doable to use both together and I think that is also the better approach here.

Once they run side by side just give it time. Then eventually we "oldies" will probably complain about hard to memorize addresses while someone else is bound to come up with a new solution for that (or new IT guys actually train themselves to increase their memorization, who knows ;-)).

0
0

Media companies

are probably rubbing their hands in glee - since IPv6 is meant to do away with NAT and associate a single IP with a computer (at least on that network) they will probably start up their "but *that* IP downloaded infringing material, your Honour!" campaign again.

2
0
Anonymous Coward

Re: Media companies - Don't worry too much

Those Linux hippies that the author derides in the subtitle have been busily working on IPv6 NAT and it will happen even without the sanction of the IETF high priests. This feature is so useful (not only for privacy) that big businesses and networking hardware vendors will end up adopting anyway.

0
0
Gold badge

Re: Media companies - Don't worry too much

The author wrote the article from a CentOS desktop. The author recalls writing the IPv6 "high priest" article. The author also objects to being called "the author." Not because it's particularly objectionable, but because it's early o'clock, and the author has his trollpants on.

"Hippy?"

Bite your tongue.

4
0
Gold badge

Re: Media companies

So use IPv6 NAT? Everyone else seems to be...

0
0
Bronze badge
Coat

Re: Media companies - Don't worry too much

Go get 'em auth... I mean... back to my cave now.

0
0

Your mac address is in your IP6 IP address's host identifier portion.

Very bad for privacy, as your address is tied to actual hardware device, chipset, vendor etc.

0
3
Silver badge

"Your mac address is in your IP6 IP address's host identifier portion."

Someone correct me if I'm wrong but I *think* that's only for the link-local address which should never be visible beyond your immediate LAN. IP6 has 3 main address types, the loopback ::1, link-local and the routable address (whatever they call it) whereas IP4 just has loopback and routable.

2
0
Anonymous Coward

And due to

... some dodgy vendor selling some cheap network cards I found 20+ customers with exactly the same MAC address all trying to obtain IP addresses. We could handle it as long as they were on different cable strands off the UBR, but since the cards were all sold in the same area it was inevitable that there were some clashes.

You can not count on MAC addresses being unique.

PS. This was nearly 10 years ago.

1
0
Boffin

MAC Address does not need to be exposed in IPN

While the low 64 bits (the Host Address) of an IPv6 IPN is by default the node's MAC address, this is not a requirement. The Host Address can be a random number that is generated by the computer so as to prevent it from being tracked (it is a form of NAT). Thus all that would be exposed is your Network Number (IPv6/48) just like now with a NAT'ed IPv4/32 WAN address.

0
0
Vic
Silver badge

> I *think* thats only for the link-local address

More than that - using the MAC address is just one way of generating the link-local address.

It is absolutely *not* a mandatory part of the standard.

Vic.

0
0
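A check for the question debated in the posts above, as an added example that is not code from any commenter: it inspects the low 64 bits of an IPv6 address for the modified EUI-64 pattern (RFC 4291), recovers the MAC address when that pattern is present, and reports whether the address is link-local or usable beyond the link. The sample addresses, the sample MAC and the function names are constructed for illustration; randomised interface identifiers such as RFC 4941 temporary addresses do not match.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier.

    Modified EUI-64 splits the 48-bit MAC in half, inserts ff:fe in the
    middle and flips the universal/local bit (0x02) of the first octet.
    Returns None when the ff:fe marker is absent. A random identifier can
    contain ff:fe by chance (about 1 in 65536), so a hit is a strong hint,
    not proof.
    """
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone id
    iid = ip.packed[8:]                             # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def scope(addr):
    """'link-local' for fe80::/10, otherwise 'beyond-link'."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    return "link-local" if ip.is_link_local else "beyond-link"

def leaks_mac_off_link(addr):
    """True when an address usable beyond the local link embeds a MAC."""
    return scope(addr) == "beyond-link" and mac_from_eui64(addr) is not None

# Constructed samples: one host with MAC 00:11:22:33:44:55 and three
# addresses, using the 2001:db8::/32 documentation prefix.
SAMPLES = [
    "fe80::211:22ff:fe33:4455%eth0",     # link-local, EUI-64 derived
    "2001:db8:1:2:211:22ff:fe33:4455",   # SLAAC with EUI-64 identifier
    "2001:db8:1:2:5c1d:9a7e:43b0:e8f2",  # randomised identifier
]

def report(samples=SAMPLES):
    """List of (address, scope, embedded MAC or None) for each sample."""
    return [(a, scope(a), mac_from_eui64(a)) for a in samples]

if __name__ == "__main__":
    for addr, where, mac in report():
        print(f"{addr:36} {where:12} mac={mac}")
```

Running `leaks_mac_off_link` over the addresses a host actually holds shows whether its interface identifiers are MAC-derived or randomised.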
Anonymous Coward

IT’S THE YEAR OF LINUX ON THE DESKTOP

I almost threw up in my mouth a little

1
2
Anonymous Coward

Re: IT’S THE YEAR OF LINUX ON THE DESKTOP

It's OK, just swallow it back and you'll be just fine for another year.

0
0
Anonymous Coward

Dear El Reg,

Please, please don't use strikeout in your headlines. Your lovely, lovely android app, shiny in all other regards, doesn't appear to render it! This makes the headline for this particular article spectacularly confusing!

Yrs,

Stuck-on-a-bus-with-my-phone-somewhere-near-Glasgow

2
1

Cable modems

In the last three years almost all the cable modems for Comcast are IPv6 capable and yes Comcast gives you an IPv6 address. So what's this crap about no demand from ISPs ??

0
0
Bronze badge
Go

DSL modems

I have installed custom firmware on my home router, so it now supports IPv6, but my DSL modem does not, so I would presumably have to tunnel IPv6 through an IPv4 connection, and I'm not sure there's even any point to that. I suppose I'll have to give it another go-round.

On the plus side, my printer's NIC died, so I no longer have to worry about IPv4 for that, clearing me to go IPv6 throughout the LAN.

0
0
