DeSENSORtised: Why the 'Internet of Things' will FAIL without IPv6

For more than 20 years, it has been clear that the internet will eventually run out of public IPv4 addresses. Despite that limit, online businesses have been slow to adopt IPv6, which has an abundance of addresses by comparison. Now that tech companies are eager to use the phrase "Internet of Things" (IoT) or the "Internet of …

COMMENTS


Silver badge
Joke

Running out of addresses might sometimes be a good thing...

http://xkcd.com/865/

15
0
Silver badge

Re: Running out of addresses might sometimes be a good thing...

OK, I know this is off-topic, but that cartoon conjures up the old grey goo scare scenario about replicating machines just constantly replicating until the whole earth is covered in them and the result of their materials processing. Guess what - it already happened, about 3 billion years ago. The "nanobots" are called bacteria and the goo isn't grey - it's brown, and we call it mud.

Getting back on topic - IPv6 addresses are just too complicated for even a lot of net admins to grok. No one likes entering hex codes, even dyed in the wool hackers. And even today I find myself using raw IP4 addresses a lot internally when machines haven't been assigned a DNS address. I *really* don't want to be doing that with IP6. And what's with the whole link local address BS anyway?

16
5
Anonymous Coward

Re: Running out of addresses might sometimes be a good thing...

Internal address allocation:

::0.0.0.0 to ::255.255.255.255 (with the usual exceptions of course)

Router adds TLA before heading out to internet - job done. Not that hard really.

2
5
Bronze badge

Re: Running out of addresses might sometimes be a good thing...

The bigger problem with IPV6 is that there is no reliable documentation on how to set it up the way one would with IPV4 and that there are some weird taboos that don't exist with v4 that make v6 a pain to work with. For example, my network is protected by a dual-homed firewall proxy running OpenBSD (one public-facing interface and one private-facing interface) which interfaces with a router provided by my telco and acts as a secondary firewall to keep guests out of my home lab's network. The public facing site is DHCP while the private facing site is static. Apparently, to have it route IPV6, both interfaces have to be static - I cannot have the public-facing interface use RTSOL to receive the settings from the router. But for some reason I cannot set up the public interface statically, the ISP-provided router refuses to recognize the firewall box if the settings are manually set instead of set through RTSOL.

Seriously, I can have the public-facing interface on DHCP while the private interface on static with IPV4. Why am I not allowed to do that with the IPV6 equivalent (RTSOL on public and static on private)?

Although I must say, my current improvisation seems to be alright (using Squid on the firewall as a 4-to-6 bridge). But surely there's a better way?

1
0
Unhappy

Re: Running out of addresses might sometimes be a good thing...

@RAMChYLD

Unfortunately, the majority of IPv6 engineers come from enterprises and large research organizations, and are several degrees of separation removed from the concerns of SMB and normal households. So, much of the IPv6 deployment involves manual address entry. Also, I think there's something wrong with your ISP-provided router.

It looks like the real "solution" is DHCPv6-PD. The router receives from the ISP's upstream router an address and a prefix via DHCP. Then it is free to use that prefix however it's configured. To get the DHCPv6-PD assignment, you probably have to turn off any routing fanciness in your ISP-provided router, and use it as a dumb modem. I haven't heard of CPE using DHCPv6-PD to assign subnets within a network.

IPv6 addresses are bountiful, but they're not infinite. A lot of the address space is restricted for various amusing reasons. In particular, fully half of the IPv6 address is recommended to be set aside for the subnet. (No more /24, /20, /16, /8: /64 for everyone.) SLAAC depends on that allocation scheme. That leaves not a lot of address space for the average small business. And when a bunch of ISPs are allocating only a /60 or even just a single /64, there is no alternative but to wrangle the addresses manually.

1
0
Boffin

Hex codes are a good thing

The aversion to hex codes is confounding.

Any competent computer scientist learns hex code. If you don't understand hex, then you shouldn't be holding technical opinions. And average people can't understand normal IP addresses anyway; as far as they're concerned, the dotted quads are hieroglyphs. IPv4 just has shorter hieroglyphic names than IPv6 does.

I find hex codes to be much easier to work with. Each character stands for a unique 4 bits of address. Most allocations are done along half-octet boundaries (prefixes divisible by 4: /32, /40, /48, /56, /60, /64) so each character in the prefix is the same for every host in the network, except for the trailing zeroes in the prefix. Contrast that with IPv4's decimal addresses, where each decimal digit covers several binary digits partially. And IPv4's paucity of addresses means subnets get allocated on awkward bit boundaries.

Concrete example time. Let's say you get allocated 2001:db8:abcd:ef00::/56. Every host on your network will have 2001:db8:abcd:ef00: at the beginning of the address, only varying in the last 16 hex digits, because each subnet is recommended to use 64 bits. If you have more subnets, then the two zeroes at the end of the prefix will change to the subnet address, but otherwise they will all have the same prefix. With the recommended allocation, you have 256 subnets to play with; or you could manually use those 72 bits however you want.

Let's contrast this with IPv4, an allocation of 172.16.64.0/21. Some hosts could have 172.16.65 at the beginning of the address, and others could have 172.16.70, but none will have 172.16.72. Not to mention network masks for hosts that still use those: If you want the final 11 bits to be host address, the mask will be 255.255.248.0, but if you want 10 bits for host address, the mask is 255.255.252.0. You need to do decimal to binary conversions whenever you work with IPv4 addresses. And you have far fewer subnets to play with, or far fewer hosts per subnet.

Hex digits are way easier to use. The vast address space of IPv6 makes it even easier to use. It's not the complexity of the technology that's holding it back, but laziness.

2
6
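The prefix arithmetic from the post above, worked through with Python's standard `ipaddress` module. This is an added example, not part of the original comment; the function names are my own, and it also covers prefixes that do not fall on a 4-bit boundary, which the post does not discuss.

```python
import ipaddress


def shared_hex_prefix(network: str) -> str:
    """Hex digits (colons dropped) that every address in an IPv6 prefix shares.

    Only whole hex digits are returned; see partial_nibble_bits() for the rest.
    """
    net = ipaddress.IPv6Network(network)
    digits = net.network_address.exploded.replace(":", "")  # 32 hex digits
    return digits[: net.prefixlen // 4]


def partial_nibble_bits(network: str) -> int:
    """Prefix bits that land inside a hex digit (0 when nibble-aligned).

    A non-zero result means one hex digit is only partly fixed, which is the
    same awkwardness the post describes for IPv4 decimal octets.
    """
    return ipaddress.IPv6Network(network).prefixlen % 4


def count_slash64(network: str) -> int:
    """Number of /64 subnets available inside an allocation."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen > 64:
        raise ValueError("allocation is smaller than a single /64")
    return 2 ** (64 - net.prefixlen)


def subnet_by_id(network: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 with the given subnet ID inside the allocation."""
    net = ipaddress.IPv6Network(network)
    if not 0 <= subnet_id < count_slash64(network):
        raise ValueError("subnet ID does not fit in the allocation")
    base = int(net.network_address)
    return ipaddress.IPv6Network((base + (subnet_id << 64), 64))


def ipv4_octet_view(network: str):
    """Netmask plus the first and last value of the third octet for an IPv4 prefix."""
    net = ipaddress.IPv4Network(network)
    return (str(net.netmask),
            net.network_address.packed[2],
            net.broadcast_address.packed[2])


if __name__ == "__main__":
    alloc = "2001:db8:abcd:ef00::/56"          # allocation used in the post
    print("fixed hex digits :", shared_hex_prefix(alloc))
    print("/64 subnets      :", count_slash64(alloc))
    print("subnet 0x2a      :", subnet_by_id(alloc, 0x2A))
    print("IPv4 /21 view    :", ipv4_octet_view("172.16.64.0/21"))
    print("IPv4 /22 view    :", ipv4_octet_view("172.16.64.0/22"))
    # Constructed counter-case: a /58 is not nibble-aligned.
    print("/58 partial bits :", partial_nibble_bits("2001:db8:abcd:ef00::/58"))
```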
Silver badge

Re: Hex codes are a good thing

I don't think it's that they are in hex that is the problem - it's that they are a million digits long. Which is a bit annoying if you have to manually configure lots of machines and remember if the printer is 2001:0db8:3c4d:0015:1234:4321:abcd:ef12 or 2001:0db8:3c4d:0015:1234:4321:abcd:ef12

I understand DNA bases and hold technical opinions about them - but I find it a lot easier to call my wife by her first name than shout out 3 billion base pairs to identify her.

8
1

Re: Running out of addresses might sometimes be a good thing...

Haven't heard of any ISP that provides IPv6 not using DHCPv6-PD (prefix delegation).

0
0

Re: Hex codes are a good thing

There's no need to use an address that long when doing it manually. The last half of it can be a low number.

e.g.

2001:db8:123:456::7

192.168.1.7

Not much worse than an RFC1918 address to input.

0
0
Bronze badge

Re: Running out of addresses might sometimes be a good thing...

@Decade

Well, I think the router's IPV6 support is experimental at best. The only option provided in the IPV6 pane is a checkbox to enable or disable IPV6 and nothing else.

Thing is, the way I attempted to do this is configure all my lab machines with a static IPV6 address like I would with IPV4 (I got my /64 from this one website that generates IPV6 ranges - come to think of it I don't know now if that was a good idea and if it's a good idea to take the site seriously), and then point the gateway towards the IPV6 address of the firewall. However, the plan hit a snag when OpenBSD's documentation said that I can't use RTSOL and IPV6 forwarding at the same time.

0
0

This post has been deleted by a moderator

Silver badge
Facepalm

Security through transparency

I don't want every hacker on the internet to be able to address every light bulb and every sensor in my house individually.

35
2
LDS
Silver badge

Re: Security through transparency

But that's exactly what "data collecting" companies want, to be able to identify uniquely every sensor/device you use and collect data from it. NAT hinders it, and if external IPs are allocated dynamically through DNS, they also lose the ability to match data from different points in time.

Their dream is a unique identifier that never changes.

22
1
Anonymous Coward

Re: Security through transparency

"Their dream is a unique identifier that never changes."

Fuck 'em.

35
1
Bronze badge
Big Brother

Re: Security through transparency

Ahhhh, but it won't be just the marketing dweebs, hackers, and spammers that want your data....Big, er, Guv will most likely be interested too. And just as with (not-so) smart meters, the ability to remotely control and monitor will give these power-freaks an infinite number of ways to annoy us...

Sad, too: another case of something potentially really useful being pwned by the bad guys...

See homewrecker virus....written 1993, coming to a neighborhood near you....(hopefully not...).

7
1

Re: Security through transparency

Whenever the subject of IPv6 comes up, misinformed comments spring up.

Just because you have a route-able address doesn't mean it has to be to everyone. Routers contain firewalls AND network address translation, they are two different things. IPv6 even contains privacy extensions.

If you are going to be a Luddite, then perhaps technology isn't the field for you. I look forward to a connected home, where I can remotely control things. Where light bulbs are automatically sent to me when one is on the way out.

10
13
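Added example, not from any poster in this thread: the "identifier that never changes" concern is concrete for SLAAC addresses whose low 64 bits are built from the interface's MAC address (modified EUI-64), and the privacy extensions mentioned above replace that with a randomised interface ID. The check below flags addresses that still embed a MAC and shows which MACs can be followed across networks; the sample addresses are constructed from documentation ranges and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict


def eui64_mac(address: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    A modified EUI-64 ID is the 48-bit MAC with ff:fe inserted in the middle
    and the universal/local bit (0x02 of the first byte) inverted.
    A random interface ID matches the ff:fe pattern by chance about once in
    65536 addresses, so treat a hit as a strong hint rather than proof.
    """
    addr = ipaddress.IPv6Address(address)
    iid = (int(addr) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def prefixes_by_mac(addresses):
    """Map each embedded MAC to the sorted list of /64 prefixes it appeared under."""
    seen = defaultdict(set)
    for text in addresses:
        mac = eui64_mac(text)
        if mac is None:
            continue
        high = int(ipaddress.IPv6Address(text)) >> 64 << 64   # zero the interface ID
        seen[mac].add(str(ipaddress.IPv6Network((high, 64))))
    return {mac: sorted(nets) for mac, nets in seen.items()}


def trackable(addresses):
    """MACs visible under more than one prefix, i.e. linkable across networks."""
    return sorted(mac for mac, nets in prefixes_by_mac(addresses).items()
                  if len(nets) > 1)


# Constructed sample: one device (documentation MAC 00:00:5e:00:53:2a) seen on
# two networks, one randomised interface ID, one manually assigned address.
SAMPLE = [
    "2001:db8:1:1:200:5eff:fe00:532a",
    "2001:db8:beef:7:200:5eff:fe00:532a",
    "2001:db8:1:1:9c4e:71a3:b52:e6d0",
    "2001:db8:1:1::7",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(f"{text:40} embedded MAC: {eui64_mac(text)}")
    print("linkable across prefixes:", trackable(SAMPLE))
```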

Re: Security through transparency

That's what the firewall is there for

6
0
Anonymous Coward

Re: Security through transparency

And everybody else is looking forward to controlling your home too.

8
1
Bronze badge

Re: Security through transparency

>I don't want every hacker on the internet to be able to address every light bulb and every sensor in my house individually.

Oh don't worry about that. All comms will be completely secured using openSSL with session keys generated by Dual_EC_DRBG. Try to keep up.

2
0
Silver badge

Re: Security through transparency

"I look forward to a connected home, where I can remotely control things. Where light bulbs are automatically sent to me when one is on the way out."

Yeah, I guess you could have a small network enabled computer inside a lightbulb that requires networking and routing infrastructure, not to mention firewalls and perhaps antivirus software - just so it can tell you when it's about to die.

Or...

You could just do what normal people do - have some spare bulbs in a drawer for when one dies.

But hey, each to their own eh?

9
2
Silver badge
FAIL

Re: Nextweek Re: Security through transparency

"....I look forward to a connected home, where I can remotely control things. Where light bulbs are automatically sent to me when one is on the way out." Strangely enough, whenever the business looks at reqs for company networking projects, including tech to allow me at home to be lazy about my light bulbs is not one of them. Apparently, Facilities finds it just cheaper to rely on us workers as the failure detection mechanism.

The Internet of Things is a geek fantasy and has no actual interest to the majority of businesses. Why the fudge would my business be interested in whether my fridge can order a new carton of milk from the supermarket over the Internet seeing as my bizz is not a fridge manufacturer, supermarket or ISP? Businesses are the largest buyers of networking equipment, therefore until there is a real and unavoidable reason to ditch IPv4, they won't.

7
0
Silver badge

Re: Nextweek Security through transparency

The Internet of Things might be a geek fantasy, but the Internet of More Than a Billion Addressable Computers certainly isn't. Also, the unequal geographical distribution of IPv4 addresses means that India has just over half the number of static addresses per head as the Isle of Man: 29 per head, versus 54 for IoM; the remaining UK has 1,958 per head; the USA has 4,911. [ source: http://en.wikipedia.org/wiki/List_of_countries_by_IPv4_address_allocation ]

Because of this, businesses in India often have to contend with ten levels of NAT. That's ten routers that can fail between your company server and your customer's; ten routers that have to be paid for in your service plans; ten routers that slow your traffic. And getting a static address? Hah!

Even in IP-rich countries, getting a static IP address costs money, something IPv6 would abolish. But the lack of an agreed 4-6-4 translation mechanism makes it difficult to integrate (and also a lot of ISP routers just don't talk 6 at all, which rules out virtually every Small/Medium Enterprise and home worker)

One other problem is that most networking professionals have made their career on getting IPv4 to work in an exhausted address space. IPv6 removes the need for that experience, while posing a new, unknown set of challenges to their customers' networks.

I've never met a good network engineer who says things like "hey, let's deploy this everywhere because it's the cool new thing": Network engineers are a cautious and conservative profession, and that's a good thing if it's your job to keep a vital infrastructure up and running. (Same goes for water, gas, electricity...)

Until ALL the migration problems are solved, it just won't be done. But these problems won't be fixed in the West, but in countries like India and China, where the need is greater and more pressing.

4
0

No shit, Sherlock.

I think most Reg readers have figured this one out already.

5
0
Bronze badge
Boffin

Follow the Money (business as usual)

Not a big secret why BT isn't keen on having all those I(nternet)Things talking to each other all the time: there's no way consumers are going to pay for the extra bandwidth which will be needed to support that level of blathering. Neither are the makers of the IThings, or those people who crave the data stream being generated by them.

So why should BT, or any other network provider pick up that bill?

8
4

Re: Follow the Money (business as usual)

It's not that - telecoms have a keen understanding of QoS management already. It is much more likely that the huge address space of IPv6, no requirement for NAT and built-in end-to-end encryption will make spying and logging of internet traffic harder - which is where the drain in resources is!

0
1
Silver badge

Re: Follow the Money (business as usual)

"It's not that - telecoms have a keen understanding of QoS management already."

You forgot the joke icon.

Cheers.

4
0

Re: Follow the Money (business as usual)

If they want to spy they use DPI not NAT.

0
0
Facepalm

Bridging IPv4 to IPv6

Well, if the setup of the IPv6 protocol hadn't been so against 'allowing' a way to bridge actively between the IPv4 internet and the IPv6 internet, then this issue might simply not have existed, as it would have been possible to have the two running in parallel (and able to talk to each other) for a gradual migration.

23
3
Silver badge
FAIL

Re: Bridging IPv4 to IPv6

Mmm, so my computer, with the IP address 2001:44b8:21ac:7053:223:6cff:fe83:b6c7 decides to make contact with forums.theregister.co.uk, aka 92.52.96.89.

What do I set my source IP address to? How does forums.theregister.co.uk reply? Does it take the first 32 bits or the last 32 bits, or something in the middle? How is the rest of the Internet meant to guess the bits that are missing?

The only way we can be backward compatible with IPv6 is using things like NAT64 which for all intents and purposes, makes our IPv6 hosts look like they're sitting behind an IPv4 NAT router. The technology exists, but it doesn't fundamentally solve the problem that IPv6 was meant to solve.

7
5
Gold badge

Re: Bridging IPv4 to IPv6

Why didn't they just directly assign all IPv4 numbers to an equivalent IPv6 one, with extra digits at the beginning of course? It's not like IPv6 is short of numbers to miss the waste of a mere few billion.

The other thing I don't get about IPv6 is the allergy to NAT. Lots of addresses are good, obviously. Nice and future-proof. Some stuff wants to live online all the time - and who knows how much of this there'll be in future. But some kit never needs to talk to anything outside the building. And there are local networks for that. I'm no technical expert, and I know little enough about networking - but I sometimes get the feeling I've dropped into a religious dispute when I read about IPv6.

Oh, and what did they do with IPv5? I suggest creating IPv12, and getting it completed before IPv6...

11
4
Silver badge

Re: Bridging IPv4 to IPv6

> Why didn't they just directly assign all IPv4 numbers to an equivalent IPv6 one, with extra digits at the beginning of course? It's not like IPv6 is short of numbers to miss the waste of a mere few billion.

You mean like this?

Sure, I can send my packet to ::ffff:92.52.96.89, the last router will probably truncate the address to the least significant address. Does it do this to the source address too? My IP address is not 254.131.182.199. How do you propose the systems in between figure out the full address from just that bit?

3
2
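An added illustration (not part of either post above) of the asymmetry being argued over: an IPv4 address embeds losslessly in an IPv6 one, but cutting an IPv6 source down to 32 bits is lossy, so a gateway has to keep per-flow state, which is what NAT64 does. The `StatefulNat64` class and its pool address 192.0.2.1 are constructed for the example; 64:ff9b::/96 is the RFC 6052 well-known prefix, and the two host addresses are the ones quoted in the thread.

```python
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix


def embed_ipv4(v4: str, prefix=NAT64_PREFIX) -> ipaddress.IPv6Address:
    """IPv4 -> IPv6 is lossless: the 32 bits fit in the low bits of a /96."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_ipv4(v6, prefix=NAT64_PREFIX) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address; refuse anything outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} does not embed an IPv4 address")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def truncate_to_ipv4(v6) -> ipaddress.IPv4Address:
    """The naive idea from the thread: keep only the last 32 bits (lossy)."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(v6)) & 0xFFFFFFFF)


class StatefulNat64:
    """Minimal model of the mapping table a NAT64 gateway keeps for one pool address."""

    def __init__(self, pool_v4: str, first_port: int = 1024, last_port: int = 65535):
        self.pool_v4 = ipaddress.IPv4Address(pool_v4)
        self._next, self._last = first_port, last_port
        self._out = {}   # (IPv6 source, source port) -> external port
        self._in = {}    # external port -> (IPv6 source, source port)

    def outbound(self, src_v6: str, src_port: int, dst_v6):
        """Translate an outgoing flow; returns (IPv4 source, external port, IPv4 destination)."""
        dst_v4 = extract_ipv4(dst_v6)
        key = (ipaddress.IPv6Address(src_v6), src_port)
        if key not in self._out:
            if self._next > self._last:
                raise RuntimeError("port pool exhausted")
            self._out[key] = self._next
            self._in[self._next] = key
            self._next += 1
        return self.pool_v4, self._out[key], dst_v4

    def inbound(self, dst_port: int):
        """Look up a reply by external port; None means no state, so it is dropped."""
        return self._in.get(dst_port)


if __name__ == "__main__":
    host = "2001:44b8:21ac:7053:223:6cff:fe83:b6c7"   # address quoted in the thread
    server = embed_ipv4("92.52.96.89")
    print("synthesised destination :", server)
    print("naive truncated source  :", truncate_to_ipv4(host))
    # Constructed second host with the same low 32 bits: truncation collides.
    print("collides with           :", truncate_to_ipv4("2001:db8::fe83:b6c7"))
    gw = StatefulNat64("192.0.2.1")
    print("outbound translation    :", gw.outbound(host, 40000, server))
    print("reply to port 1024      :", gw.inbound(1024))
    print("unsolicited to port 2000:", gw.inbound(2000))
```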
Gold badge

Re: Bridging IPv4 to IPv6

Stuart Longland,

I don't propose anything. Designing international networking standards is well beyond my abilities. It's not my field.

However, I suspect it's not impossible. A workaround could have been sorted out. I presume what you do at the moment is have the local network do IPv4, and then have the network box handling all the NAT and IPv6 stuff for it.

IPv6 has been hanging around for a very, very long time. Perhaps it needs a re-design to reflect reality?

11
4
Bronze badge
Holmes

Re: Bridging IPv4 to IPv6

IPv6 has a different packet structure, which is used to solve some of the problems IPv4 had, and also (obviously) to fit a longer IP address. This means that the old gear wouldn't be able to exchange packets with IPv6 gear even if some address bits were common. Before they came up with IPv6, a new protocol was designed (IPv5, also called ST2) but it didn't really address IPv4 shortcomings we are concerned about, and is not used.

As for NAT, IP was not originally designed for address translation and some internet protocols do not work with it, notably active FTP and SIP. Of course, the box making address translation can alter not only IP header, but also bits in the application specific part of the packet thus making it appear that some things work. However when they do not work, it is nearly impossible to troubleshoot since application specific part of the packet is, guess what, specific to actual application or device doing the communication. Of course, now that every ISP "gives" you a modem with builtin NAT you may think it's normal, but it's not. Buy a SIP phone and ask friends to call you when behind NAT, you will see what I mean.

As for the question of allowing certain hardware to talk to external world and disallowing some other, this is what firewalls are meant for. In fact almost all of the boxes "given" by an ISP do have builtin firewall, because it's in the Linux kernel they use and because it is used to limit the access to administration of the box, to your internal IP addresses only. Configuring firewall is actually quite easy if you have the right interface, and properly configured firewall would nicely protect your bulbs, sensors and switches from interactions with outside world. If you need to access them from your own phone, you might consider setting up an application gateway in your internal network - sshd running on dedicated box might be such device.

11
2
Bronze badge

Re: Bridging IPv4 to IPv6

The problem fundamentally is that the IPv6 crowd were so full of themselves that they gave scant thought to real world migration from IPv4 to IPv6 and the co-existence of these protocol stacks - thinking that migration would be an 'overnight' affair.

The special IPv4 format facilitates the carriage of IPv4 traffic on an IPv6 backbone infrastructure without encapsulation. Yes a limitation is that effectively this is a closed community address space, so only IPv4 stacks can use it. However, it does permit the deployment of IPv6 capable backbone infrastructure - like BT's. The challenge is getting ISPs to expose the native IPv6 service to users, so that all those dual stack systems can start to use their IPv6 stacks to communicate with other systems with addresses outside of the IPv4 walled community.

I'm a little surprised that ISPs aren't offering an IPv6 subscription offering, perhaps the IPv6 Forum needs to start lobbying Facebook et al and get them to make their services available over native IPv6 and so start to create a market for IPv6.

Obviously the absence of service is causing many to turn off the IPv6 stacks in their systems and routers (which have been enabled by default for many years now), which can only cause further problems as and when IPv6 does come into use.

10
6
Bronze badge

Re: Bridging IPv4 to IPv6

> I'm a little surprised that ISPs aren't offering an IPv6 subscription offering, perhaps the IPv6 Forum needs to start lobbying Facebook et al and get them to make their services available over native IPv6 and so start to create a market for IPv6.

The problem is that to date there has been no "pull" making the users want IPv6. It could have been done easily - think about how many questions you see of the form "How do I set my NAT type to 'open'" (whatever that means) from console users? If Xbox One/PS4 had been IPv6 by default and they explained "If you want to use IPv4 these are the additional hoops you need to jump through because of NAT" every new consumer router would be IPv6 enabled by now, and ISPs would be falling over themselves to provide IPv6 access.

Right now the IP address shortage is simply somebody else's problem as far as the end user is concerned - there's no benefit to them at all.

8
0

Re: Bridging IPv4 to IPv6

Pah - If people are smart enough to turn IPv6 off on their own initiative, they can turn it back on also, when "further problems" emerge.

AFAIK - and it is some time ago - the reason migration was not so important was that "pure IPv6" would really cull routing tables in IPv6 routers (down to 8K, I think it was) and fix a bunch of hairy cases with IPv4. The hardware pushers liked that very much. People thought that "soon" there would be mostly IPv6 networks with IPv4 legacy nets as floating "islands" with NAT-boxes at the edges. They did not want to clutter up the shiny new gear with IPv4 cruft.

The IPv6 crowd also underestimated the desire for NAT in countries that like to spy on their people and filter their information, like China. I saw a lot of slides with "The Chinese comes on the Internet and use all the addresses". We are sort of the same deal as China: End-to-end encryption does not sit well with the desire to log everything for our "American Friends", so, no major telecom operator will provide it even though they have been running IPv6 in the backbone for years. Another reason is that someone probably booked their IPv4 addresses as an Asset - and borrowed against it - IPv6 coming in 64k address blocks minimum will kill the value of those addresses and kill the "customer IP configuration business".

4
1
Bronze badge

Re: Bridging IPv4 to IPv6

The way IPv6 is specified is what has prevented it becoming widely adopted and made customers and providers reluctant to embrace it. It's mostly a choice of one or the other and that's not appealing in a world where most things are IPv4.

We shouldn't forget that an IPv4 internet also has the concept of ports which notionally allows 65,536 devices per IPv4 address. Some of those ports are used for specific things but there should still be enough ports available to satisfy most IoT users without requiring a move to IPv6.

1
4
Bronze badge

Re: Bridging IPv4 to IPv6 @the spectacularly refined chap

>The problem is that to date there has been no "pull" making the users want IPv6.

Agree, however as we demonstrated in the 80's with MAP/TOP, demand creation requires you to work on three fronts:

1. The user community: To create consumer demand - ie. to benefit from all this new stuff you need IPv6.

2. The producer community: To create supplier demand - ie. your services need to be available on IPv6.

3. IT OEM's and ISPs: To deliver products to satisfy the market demand being created.

Yes, to many users outside of the networking community, IP addresses are totally invisible and so yes it really is someone else's problem. The art and challenge is to make it as important as Y2K was and the recent end of support for widely used MS products.

1
0
Silver badge
Devil

Re: the spectacularly Re: Bridging IPv4 to IPv6

"....The problem is that to date there has been no "pull" making the users want IPv6....." As I understand it, the biggest use of IPv6 for many years (and probably still now) was uTorrent. Not exactly a great advert for the security of IPv6 that its primary user be a tool of software pirates, paedos and hackers.

0
7

Re: Bridging IPv4 to IPv6

Facebook, Google, and countless others already offer native IPv6 to their services and have done for some time. I use them daily on AAISP without issue. For that matter, dual stack can and does work seamlessly if set up correctly.

Thinking in hex is not that difficult - if someone is bright enough to do subnet/netmask calculations with IPv4 then IPv6 will come fairly easily to them. Other than concepts like link-local addresses, the different packet structure, and no NAT, they are administered in virtually the same way from an end-user premises perspective - firewalling being part of any solution. My network has been native dual-stack for a good six months now, and had tunnelled v6 before that - the big boys like BT need to stop dragging their heels.

The biggest misconception I see is that publicly routable addresses are somehow wide open without NAT. The packets still have to pass through your router, and are therefore still subject to firewall rules. IPv6 is coming sooner or later, whether they like it or not. Might as well be ready :-)

6
1
Bronze badge

Re: Bridging IPv4 to IPv6

> As for NAT, IP was not originally designed for address translation and some internet protocols do not work with it, notably active FTP and SIP

Maybe it's ignorance on my part, but I don't think that's true.

As I see it, it's not NAT that's the problem, but the fact that it's generally a one-way only operation (eg, sNAT to modify your outgoing packets so that they appear to come from the router rather than whatever your local address is). I'd thought that any program that operates from behind the firewall should work fine so long as it restricts itself to only making outgoing connections, with incoming packets for the session being correctly identified by the router as belonging to that session and so routed back inwards correctly. Am I wrong on this?

If you're talking about running an FTP or SIP server inside your NAT'd network, then obviously you're out of luck unless whoever runs your NAT'ing firewall (most likely your ISP, because they realise the value of public IP addresses and usually charge extra for them, with everyone else behind NAT) agrees to do traffic forwarding of incoming connections. That being so, it's not a problem of FTP/SIP (or any other server that's designed to accept incoming requests) being incompatible with NAT, but rather that ISPs' NAT policies dictate that regular users can't just request port forwarding so that their mail server or whatever appears to be "on the Internet" (at least not without paying). Again, that's the situation as I understand it.

The really big problem with NAT is that if ISPs allowed users to run servers behind the NAT box, you'd very quickly run into conflicts about the assignment of port numbers. Some services (like http) are quite happy moving from the default ports (80/443) so long as the client machine puts the right port address in the URL. Other applications are much more picky about what port they listen or talk on, and the clients (or peers, if we're talking about something like an online game like World of Warcraft, which I think uses a p2p system for downloading updates) simply don't have the option of trying to connect to a different port. I assume that SIP works with a fixed port number for receiving incoming calls (unless you have an external directory where you can look up ip:port for a number?), so if that's the case then you can only have a maximum of one user behind the firewall who "owns" that incoming port. This technical limitation (and, I guess, any privacy/security concerns arising from making a mistake and routing to the wrong user) makes me suspect that ISPs will generally not even entertain your request for port forwarding if you're a regular NAT user ...

As much as I hate this restriction with NAT, I'm still not sure that I like the alternative of flat routing (no hiding behind NAT) in IPv6. I know people will say that I can just use a router and drop packets like I used to be able to do in IPv4. At least I assume that's the case. My problem is basically that IPv6 is so complex that I'm not sure I trust myself to even do this routing correctly and be sure that none of my IPv6 devices can't be accessed from random machines on the 'net somewhere.

4
1
Silver badge

Re: FTP & SIP

There are NAT solutions for FTP and SIP.

Though certainly not elegant.

Probably IP6, or something like it is needed. But the so called "Internet of things" is actually irrelevant. My "things" want to be as simple as possible. The Gateway server (which can be an application on my existing Router or something like a Raspberry Pi) can provide a VPN and security.

If I'm using public WiFi I want a VPN. Does IP6 solve the security issues of Public WiFi? Tell me when the majority of WiFi and Gadgets are using IP6 for a year.

People that sell network gear keep claiming we are running out of IP4 (likely) and we should upgrade to IP6 (well, they would say that).

Of course many USA Universities, USA Organisations, USA Corporations and friends that need 6 to 600 public IPs have as many public IPs assigned as a small country.

1
0
Bronze badge

Re: Bridging IPv4 to IPv6

Well, at the moment, my solution is Squid sitting on a IPV6-connected machine and all the other IPV6 "blind" machines use it to connect to IPV6 space. Need it since as mentioned before, IPV6 is allergic to NAT. Unfortunately, I rely on NATting and firewalls to prevent guests using my WiFi from getting into my lab network. That, and my ISP-provided router has strange ideas about IPV6 security (ie it ignores devices who did not take its RA offer and configure their route through it, effectively saying "if you didn't take my RA/RS offer, you can't use me").

In other words, if I enable RTSOL, I can't use the firewall to route. But if I don't, the telco-provided router won't play along and route my IPV6 traffic.

2
0
Silver badge

Re: Bridging IPv4 to IPv6

> I don't propose anything. Designing international networking standards is well beyond my abilities. It's not my field.
>
> However, I suspect it's not impossible. A workaround could have been sorted out. I presume what you do at the moment is have the local network do IPv4, and then have the network box handling all the NAT and IPv6 stuff for it.

That sounds awfully like NAT64. ;-)

As I say, there are solutions out there to enable an IPv6 host to talk to an IPv4 one, albeit via a gateway. But, the problem with these solutions is that one still needs a (block of) IPv4 address(es) to use on the gateway(s), and one still needs to frig around with port forwarding to make things like SIP work.

SIP's problem with NAT isn't in the making outbound calls, but receiving inbound ones. If two SIP endpoints are communicating, it is desirable that the traffic goes direct rather than via a provider's network: NAT makes this more difficult, or in some cases, impossible.

Things like Skype only work because there are hosts run by Microsoft and others that are publicly accessible, thus can forward traffic between NATed hosts, thus it makes the service more costly to run as more endpoints rely on funnelling their data through these hosts instead of to each other directly.

The Internet of Things is another area where it's desirable to have the endpoints talk directly rather than through some intermediate point. Not that I'm in favour of the "Internet of Things".

I remember some time back when IPv6 was a new concept, people were suggesting such a network. They gave an example of having an IP-enabled fridge being able to talk to IP-enabled containers inside and provide status information to your portable computer (this was before the iPhone) to provide a shopping list.

Personally I couldn't think of a more ridiculous application, but there you go, I'm a 30 year old Luddite.

The real benefit to commerce is things like VoIP and VPNs: the former because of reduced management overheads (they just need to open a hole in the firewall, no port forwarding needed) and the latter due to reduced risk of address-space collisions.

1
0
Silver badge

Re: Bridging IPv4 to IPv6

Well, at the moment, my solution is Squid sitting on an IPV6-connected machine and all the other IPV6 "blind" machines use it to connect to IPV6 space. Need it since as mentioned before, IPV6 is allergic to NAT. Unfortunately, I rely on NATting and firewalls to prevent guests using my WiFi from getting into my lab network.

Firstly, far from being allergic to it, NAT does exist on IPv6, at least in Linux:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/netfilter/Kconfig#n230

Secondly, what prevents you from using packet filter rules to achieve what you're doing using NAT? Any ISP worthwhile will provide a /56 prefix which gives you 256 subnets: allocate one to your lab, another to your guests, a third to your DMZ. Block any traffic originating from the guest network to the lab. Is it really that hard?

1
0

Re: Bridging IPv4 to IPv6

"My network has been native dual-stack for a good six months now, and had tunnelled v6 before that - the big boys like BT need to stop dragging their heels."

Looks like my situation. I've been tunneling to the rest of the IPv6 Internet for the better part of 12 years now. Haven't had any problems with that. The only reason I didn't tunnel out (IPv6 over IPv4) earlier is that I didn't know of any IPv6 transit providers then.

My own suspicion is that there are a lot of IPv6 users already, and the only reason you don't hear from them is that they've already accepted the reality that ISPs will never get with it until they are forced to, and IPv6 users have simply "routed past the network failure" by tunneling to the global IPv6 Internet.

Certainly is what I did.

1
0

Re: Bridging IPv4 to IPv6

"As much as I hate this restriction with NAT, I'm still not sure that I like the alternative of flat routing (no hiding behind NAT) in IPv6."

With IPv6 your options for creating globally reachable subnets are quite a bit richer than that for IPv4. In particular, if you want to divide up your network into a "Private" network and a "Public" network, use (at least two) subnets and filtering rules to drop all traffic except as you authorise on entry, egress, or transit. In other words, no more complicated than the original picture for IPv4, and a lot less complicated than the picture for IPv4 plus NAT.

1
0
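The subnet-and-filter layout suggested in the two replies above (a /56 split into /64s for lab, guest and DMZ, with guest-to-lab traffic blocked), sketched as an added example that is not part of any poster's comment. The prefix is taken from the IPv6 documentation range, and the zone names and rule table are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a /56 from the IPv6 documentation range (2001:db8::/32).
DELEGATED = ipaddress.ip_network("2001:db8:1200::/56")


def carve(prefix):
    """Split a delegated prefix into its /64 subnets (256 of them for a /56)."""
    return list(prefix.subnets(new_prefix=64))


SUBNETS = carve(DELEGATED)
# Hypothetical zone assignment; any three distinct /64s would do.
ZONES = {"lab": SUBNETS[0], "guest": SUBNETS[1], "dmz": SUBNETS[2]}

# First-match rules for NEW connections forwarded by the router:
# (source zone, destination zone, action). A stateful filter would let
# replies to accepted connections back through, so only initiation is modelled.
RULES = [
    ("guest", "lab", "drop"),         # the isolation NAT was being used for
    ("guest", "dmz", "drop"),
    ("lab", "any", "accept"),
    ("guest", "internet", "accept"),
    ("dmz", "internet", "accept"),
    ("internet", "dmz", "accept"),    # only the DMZ is reachable from outside
]
DEFAULT = "drop"                      # anything not listed is refused


def zone_of(addr):
    """Map an address to a zone name, 'unassigned' or 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unassigned" if ip in DELEGATED else "internet"


def decide(src, dst):
    """Return 'accept' or 'drop' for a new connection from src to dst."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, action in RULES:
        if rule_src == s and rule_dst in (d, "any"):
            return action
    return DEFAULT


if __name__ == "__main__":
    for name, net in ZONES.items():
        print(f"{name:6} {net}")
    print("guest -> lab:", decide("2001:db8:1200:1::50", "2001:db8:1200::10"))
    print("internet -> lab:", decide("2001:db8:ffff::1", "2001:db8:1200::10"))
```

The same table translates directly into forward-chain rules on a real packet filter, with a default-drop policy and an accept for established connections.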

Re: Bridging IPv4 to IPv6

Facebook is available over IPv6. When more ISPs start providing it to their customers a lot of existing traffic will use v6 instead of v4.

0
0
Silver badge

Re: Bridging IPv4 to IPv6

The problem has never been IPv6 talking to IPv4. There's a reserved IPv6 prefix for IPv4 addresses. The problem has always been going the other way: an IPv4 site wanting to talk to an IPv6 site.

1
0
Silver badge

Why don't the megacorps and universities sitting on public class A addresses start selling off some of their address space? Are they just waiting for the price to rise?

5
2
