
back to article How I Learned to Stop Worrying and Love IPv6

IPv4 addresses are a rapidly dwindling commodity [...] ICANN distributed the last big chunks of available IPv4 addresses to the five continental Regional Internet Registries earlier this year. The RIRs in turn are running out of supplies to allocate to ISPs and other network operators - El Reg Somewhere in the near future... …

COMMENTS

This topic is closed for new posts.


Thumb Up

"Steve's Infeasible Third Coming"

Nuff said

3
1
Thumb Up

Re: "Steve's Infeasible Third Coming"

Erm, I think you'll find it was Assange's coming and it was all a conspiracy (whilst you slept)

0
0
Silver badge

Re: "Steve's Infeasible Third Coming"

I just hear they want to question him because of repeated coming in Sweden.

1
0
Anonymous Coward

Re: "Steve's Infeasible Third Coming"

Actually that works pretty well in Swedglish, maybe adopt a slight accent when you tell folks that one ;)

0
0
Bronze badge
Coffee/keyboard

I lost it at 255 Shades of Grey.

6
1
Silver badge
Headmaster

You can only have 254 shades of grey. #ffffff is white and #000000 is black.

23
1
Trollface

Double plus Grey and Double minus Grey I think you'll find.

30
1
Bronze badge

That's how the guy knew she was faking the story. A minor error from being forced to think on the spot.

4
1
Anonymous Coward

So?

White is a particularly bright type of grey, and black a very dark version.

BTW, you have no idea just how many colours white and black there are until you have worked in a colour lab.

I have..

5
1
Silver badge
Joke

Re: White is a particularly bright type of grey, and black a very dark version.

Okay. Now we have 256 shades of grey. Either way, 255 was off by one.

4
1
Silver badge
Boffin

RE: 254 shades of grey

Only if you're using standard RGB encoding. Numbers have this really cool property where you can map them to anything you want. Besides, both black and white can be argued to be shades of grey.

1
0
Unhappy

and........

...so the nerd war ensues. Before long someone will have to bring up whether or not the light being emitted is a wave or particle and then someone will take another point of view and the whole thing will go all to hell in a slit experiment. Eventually the density of the argument will reach singularity and it will all circle in upon itself with little more than hawking radiation leaking out of the thread. Time will stop. The universe will freeze. Hope will be gone. Eternity itself will become infinitely infinite. Blackless black. Deathless death. Meaningless meaningless.

Thus a new Internet is born.

7
0
Silver badge
Pint

Re: and........

Meow... Meow... Meow...

1
0
TRT
Silver badge

Re: RE: 254 shades of grey

Can you get 50 Shades of Grey on a Kindle? Sort of, with dithering.

4
0
Silver badge
Go

RE: 254 shades of grey

But is it Ocean Grey or Military Grey?

2
0
Anonymous Coward

Re: So?

So for us analogue meatbags (no offence), how many? OK I realise there may be limits on how many different colours a human eye can tell apart, and therefore want to pay for ;) And how come you allowed B&W into a colour lab, wasn't it slightly greenish, like on 3-colour plus no black cartridge printers ;)

Reminds me of when I tried to convince a fellow hifi nut that although when you buy speakers, you may well be able to buy them with digital input, but .......well, you know ;)

0
0
Bronze badge

Aye

Can you get 50 Shades of Grey on a Kindle? Sort of, with dithering.

I haven't read the book, but I hear it's full of dithering.

0
0
TRT
Silver badge

Re: and........

As my old boss and world authority on colour vision would have pointed out, it's not what you can measure, it's what you perceive.

He has astonished many people over the years by turning a "red" piece of paper into a "green" piece of paper by doing nothing more than holding up a larger piece of multi-coloured paper behind it, thus demonstrating that what they had been taught in school about "coloured light" was patently wrong or at best a misleading over-simplification.

0
0
Thumb Up

Re: and........

@Nitsedy

Brilliant.

0
0
Flame

ownership of all Class A addresses should be re-evaluated and then re-distributed.

Title says it all.

2
6
FAIL

Re: ownership of all Class A addresses should be re-evaluated and then re-distributed.

And then you'll come to the same conclusion as everyone else - this would just delay the inevitable by a few months at best.

14
2
Black Helicopters

Re: ownership of all Class A addresses should be re-evaluated and then re-distributed.

you dirty communist baby eater!

11
1
Silver badge

Wanna score some class A

Top quality sub nets, know what I mean G'vnor.

1
1
Coat

Re: ownership of all Class A addresses should be re-evaluated and then re-distributed.

You cannot be serious. Trash the 'intranet' of each and every kindergarten, District level government office and business with more than 2 employees in the United States?

That's fighting talk boy.

0
0
Mushroom

Re: ownership of all Class A addresses should be re-evaluated and then re-distributed. @Alex

A prediction

Just watch how the use of Class A addresses (most of which are owned by American entities) are used to bolster the US economy because US companies will have access to IPv4 well beyond the rest of the world (Class A addresses account for HALF of the 4 billion IPv4 address available).

You can forget this bulls**t about not monetising IP addresses, selling them may be difficult (but not impossible) so they'll lease them out instead.

0
0

This post has been deleted by its author

This post has been deleted by its author

Silver badge

But black and white are

shades of grey.

Of course there is gray code encoded grey!

1
2
Go

After reading this, Verity and Simon...

should definitely collaborate on an issue or 2 of the BOFH!

5
1
Unhappy

Re: After reading this, Verity and Simon...

> should definitely collaborate on an issue or 2 of the BOFH!

Noooo!! I stopped reading BOFH many years ago when it stopped being funny. Many *many* years ago.

3
4
Anonymous Coward

Re: After reading this, Verity and Simon...

Just wondering, has the PFY ever mentioned his parents?

0
0
Anonymous Coward

Classic: "That's a malformed MAC address with extra rivets."

23
1
Gold badge

It's good to be alive! In 1985.

5
2
Bronze badge

Wonderful, I'll have to get my tape out.

0
0
Anonymous Coward

Marvellous

Excellently on message Ms Stob. Now please excuse me, it's time for my two minutes of hate against the packet rewriter-general.

3
1
Anonymous Coward

Two Hundred and Fifty-Five Shades of Grey

Literally spat my coffee out laughing. Wonderful.

3
1
Anonymous Coward

Re: Two Hundred and Fifty-Five Shades of Grey

I "got" a copy of "Fifty Shades" but you know, by golly it was unsexy. Probably Guantanamo is more sexy.

Is it for the American market, dressed up as "English teatime afternoon light bondage" , but, not too many corpses... so clearly no CSI tie-in possible :P

I would actually recommend this instead: - http://www.goodreads.com/book/show/14060248-fifty-shames-of-earl-grey

0
0
Silver badge

hehehehe

Now I'm off to the obligatory Two Minutes of Hate against RFC 2663.

ICANN has always been at war with Eastasia.

7
1
Stop

IPv6 less secure because of lack of NAT?

Are you insane? NAT does not provide security. Please move on ...

4
11
Go

Re: IPv6 less secure because of lack of NAT?

Pff. NAT in the sense of address hiding(*) provides one very specific form of security. With a couple of exceptions in the UDP space, connection initiation is outbound only, since the translator doesn't know what to do with an inbound connection. This prevents an external attacker from reaching in directly to an internal machine.

So, no, there are no security aids in NAT, except in one specific but very, very, very common case.

(*) NAT can be used in various ways. The most common is where you hide an RFC1918 privately-numbered network behind a single public (or "less private" - see "Carrier-Grade NAT") IP address, although as I hope you know, those in the know sometimes call this NAPT or PAT. Less common are methods for renumbering IP networks without renumbering them, and also for hiding a private-numbered host behind one port of a public IP (port forwarding) so that only the intended port can be reached.

13
2
Thumb Up

Re: IPv6 less secure because of lack of NAT?

^ This.

It bears repeating: NAT != security; NAT == borked protocols.

4
10
FAIL

@Steve: try again

Even in your very specific example it is not NAT that is providing the security: it is the firewall that is preventing an inbound connection just like the lock on my front door (mostly) prevents you from entering my flat. NAT is not the security, the firewall is. Any firewall will provide this exact same level of security whether or not NAT is being employed. (ever hear of transparent mode: no NAT, same security)

What NAT does do is allow you to obscure your assigned IP from the heathens at large. However as everyone on this board knows, there is no security through obscurity.

4
15
FAIL

Re: @Steve: try again

Kirbin: I didn't mention a firewall. NAT / PAT / NAPT is a separate function from firewalls, and a box might do one, the other, or even both. The point is that the translator (note, to repeat myself, not the firewall) doesn't know how to handle an incoming packet that doesn't match an outgoing connection profile, so it drops it.

There are exceptions, in that for certain UDP situations, a (dynamically created) translation may say "from this internal IP/port, use this external IP/port, wherever it is going, and allow anyone who sends to that external port to hit the internal IP/port". This is called "cone NAT", and severely weakens the coincidental security model of NAPT. Restricted cone NAT uses the same external port for all communications from a given internal IP/port, but only allows external packets from previous destinations.

Restricted cone is less protective than fully-restrictive NAPT that uses a separate external port for each IP/port quad-tuple, but more protective than fully-open cone NAT. The trade-off, as usual, is that open cone NAT is less unfriendly to protocols with a peer-to-peer element, but also less protective.

But once again, none of this has anything to do with firewalls, except in so far as devices that do either often do both.

Relevant note: I work in the IPS engine of a firewall-with-UTM-and-NAT-and-stuff, and I'm specifically responsible for, among other things, the code that handles all the various NAT modes. Some people might think this qualifies me to talk knowledgeably about this subject.

FAIL for you, sorry.

15
1
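The three translator behaviours described in the comment above (open cone, restricted cone, and NAPT with a separate external port per flow), as an added Python example that is not part of the original thread. The class name, mode names and all addresses are constructed for illustration, and "previous destinations" is assumed to mean an exact remote IP/port match.

```python
# Toy model of a NAPT translation table; not any vendor's implementation.
# Addresses are constructed (RFC 1918 / RFC 5737 documentation ranges).
from itertools import count

class Napt:
    def __init__(self, mode):
        assert mode in ("open_cone", "restricted_cone", "per_flow")
        self.mode = mode
        self.ports = count(40000)   # next free external port
        self.out = {}               # mapping key -> external port
        self.back = {}              # external port -> internal (ip, port)
        self.peers = {}             # external port -> remote endpoints contacted

    def outbound(self, src, dst):
        """Internal endpoint src sends to remote dst; returns the external port."""
        # Cone modes key the mapping on the internal endpoint alone;
        # per-flow NAPT allocates a separate port for each (src, dst) pair.
        key = (src, dst) if self.mode == "per_flow" else src
        if key not in self.out:
            port = next(self.ports)
            self.out[key], self.back[port], self.peers[port] = port, src, set()
        port = self.out[key]
        self.peers[port].add(dst)
        return port

    def inbound(self, remote, ext_port):
        """Packet from remote to ext_port; returns internal endpoint or None (drop)."""
        if ext_port not in self.back:
            return None             # no translation state at all: drop
        if self.mode != "open_cone" and remote not in self.peers[ext_port]:
            return None             # sender was never a destination: drop
        return self.back[ext_port]

def demo(mode):
    nat = Napt(mode)
    host = ("192.168.1.10", 5000)
    server, other = ("198.51.100.7", 3478), ("198.51.100.9", 3478)
    stranger = ("203.0.113.66", 1234)   # never contacted by the host
    p1 = nat.outbound(host, server)
    p2 = nat.outbound(host, other)
    return {
        "same_port_reused": p1 == p2,
        "reply_from_server": nat.inbound(server, p1) == host,
        "second_peer_via_first_port": nat.inbound(other, p1) == host,
        "stranger_reaches_host": nat.inbound(stranger, p1) == host,
        "unmapped_port_dropped": nat.inbound(stranger, 39999) is None,
    }
```

In every mode the drop of unsolicited traffic comes from missing or non-matching table state; only the open-cone mode lets a never-contacted sender through an existing mapping.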
Anonymous Coward

@Kirbini - Re: @Steve: try again

No, you try again! Any router, server and host that performs PAT or port forwarding is offering the feature of preventing external hosts directly connecting to inside hosts, all this without any additional packet filtering. We all know this can be defeated but it is still useful as an added layer of protection which I'm not ready to give up for the sake of the beauty of IPv6 protocol.

And you know what, some bunch of Linux guys will come up with NAT6 and it will be a success, everybody else will adopt it no matter if those who created IPv6 will like it or not. And best of all, you're free not to use it.

3
4
Stop

Re: @Steve: try again

It's nice you can do cool stuff with NAT and IPS. Tell me, in a network with enough public IPs for every internal need, what can you do with NAT that I can't do with stateful ACLs?

Relevant note: I've been building packet filters since the late '80s. I had a hand in developing the early ip masquerade code in Linux-386 and worked closely with a large firewall vendor on their early NAT implementations. Some believe this qualifies me as a subject matter expert. ymmv

1
7
Thumb Down

Re: @AC 14:52

I'm afraid you're confusing firewallness with NATness. Pray tell, how is "preventing external hosts directly connecting to inside hosts" a function of NAT at all? NAT simply creates a temporary ACL that says: a trusted host sent a packet to host A on port Z; allow return traffic from that host and port; drop everything else. Once the connection is torn down that temporary ACL goes away. How is that different than a reflexive or stateful ACL other than there's NAT to muck things up?

Give me a stateful packet filter and I can do everything your NAT can do and then some. Give you a NAT only box, even with packet filtering, and you can't come close unless you include fixes for IPSEC, FTP, RSTP, SIP, IM, etc..

0
3
Paris Hilton

NAT vs stateful ACLs

The thing about ACLs is(are?) that they are not likely to appear on any consumer grade kit (out of the box) any time soon.

Add to the mix wide open windows/SMB shares, and the usual disable-every-security-feature-to-get-it-to-work-itus, and I'm a bit worried. Many home networks' security consists of "if you've got the wifi password, you can access everything. What do you mean it's your address/surname?". Unless the Belkin (et al) routers are going to be a drop-in replacement, with the ACL features there are going to be quite interesting times ahead.

I'm not exactly comfortable with the idea that my potentially buggy code will be addressable from anywhere on the internet. If I was confident it was secure, I wouldn't call it a test server. While I might be able to cobble something together myself, it's not something I'm going to be proficient at, because it's something I have never had to do before. (and my first hello world was decades ago :s)

Sorry to ramble, but there is a lot of FUD about IPv6, and that needs to be rectified before the article (however good) starts to hit a little too close to home...

2
0

@Glen 1 - Re: NAT vs stateful ACLs

I'm pretty sure *DSL routers from Zyxel et al have included stateful firewalls for years. Netfilter is built into the Linux kernel and it's just a matter of building a web GUI. I distinctly remember setting up port forwarding on one of those, and it involved (a) setting up DNAT and (b) opening the firewall from the Internet to the internal host.

0
0
Thumb Up

Re: NAT vs stateful ACLs

Many consumer-grade IPv6-capable home routers do already include "Simple Security" ACLs that provide equivalent blocking for inbound IPv6 traffic as they do for IPv4 traffic.

Described at http://tools.ietf.org/html/rfc6092

https://labs.ripe.net/Members/marco/ipv6-cpe-survey-results-may-2011

---

With firewalls there is a clear distinction between the more professional units and the models aimed for the residential markets. Most of the residential devices come with an enabled filter that mimics the behaviour of standard IPv4 NAT, blocking incoming connections by default. ...

---

2
0
Anonymous Coward

@Kirbini Re: @Steve: try again

Good lord man! Easy patting yourself on the back there, lest you break an arm and can't share any more of your wisdom with us via the keyboard.

I'd almost swear Steve Gibson was here...

2
0
