Google: There are three certainties in life – death, taxes and IPv6

As internet engineer jokes go, Google's Ilya Grigorik came up with a good one. On stage to answer the question "what can we expect from the internet in 2020?", he offered: As far as I can tell, by 2020, we will have flying cars, singularity... and IPv6. It's an amusing but pointed stab at the fundamental internet protocol …

  1. Red Bren
    Joke

    Bridging the gap

    "the geniuses at the IETF (Internet Engineering Task Force) deciding not to make it backwards compatible with IPv4."

    Maybe we need a bridging protocol that's backward and forwards compatible with IPv4 and IPv6. You could call it IPv5...

    1. Novex

      Re: Bridging the gap

      IPv5 kind of already exists according to this page http://archive.oreilly.com/pub/post/what_ever_happened_to_ipv5.html

      But yes, that bridging capability between the two systems is what is necessary. I don't see why an IPv4 internal network behind a NAT router couldn't use the router to give dedicated IPv6 numbers to specific IPv4 addresses behind - a pain from a DHCP point of view, but if each device has a fixed IPv4 address then it can be comfortably translated to a fixed IPv6 address. I expect, though, that there's some other shit going on with IPv6 that would be difficult to translate in the router (though I doubt it would be impossible).

      1. James Turner

        Re: Bridging the gap

        It exists in theory, called NAT46.

        There are two bits you need, first is your gateway to generate IPv4->IPv6 mappings on the fly so that your IPv4-only hosts have an address they can communicate with.

        Next is you need your DNS server to rewrite queries from IPv6 addresses into these dynamic IPv4 addresses.

        1. John Sager

          Re: Bridging the gap

          It exists in theory, called NAT46.

          Actually it really wants to be the other way round. I run dual stack on my home network but ideally I would go just v6. That then needs a NAT box, plus a DNS interceptor to respond to AAAA requests for v4 hosts with local v6 AAAA responses. The NAT box then does the clever 6-to-4 and back again packet conversion and onward DNS resolution. This won't work for protocols that include IP addresses in higher layer transactions, but even that might be hacked by application layer helpers that v4 NAT boxes already do.

          The same principle extends outward to v6-only ISPs which need to run a beefier version of that at their interface to the Internet. This hack only needs to stay in place whilst v4-only networks still exist (though that might be a long time), but it does do the required bridging function albeit in a kludgy way.

          1. Yes Me Silver badge

            Re: Bridging the gap

            Yeah, NAT64 if you must, but there's no real need for it with a dual-stack setup. For IPv6-only ISPs, there's XLAT464 to reach IPv4-only sites. This stuff is all a done deal technically, it just needs ISPs to install it and switch it on.
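The v6-only arrangement discussed in the comments above (a DNS responder that answers AAAA queries for v4-only hosts, plus a translator that maps the packets back) is what DNS64 and NAT64 standardise. The sketch below is an added illustration, not code from any poster: it assumes the RFC 6052 well-known prefix 64:ff9b::/96, and the zone contents and `.example` names are constructed.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix: the IPv4 address sits in the low 32 bits.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Constructed zone data. The public addresses are the Google Public DNS ones
# quoted elsewhere in this thread; the names are made up for the example.
ZONE = {
    "v4only.example": {"A": ["8.8.4.4"], "AAAA": []},
    "dual.example": {"A": ["8.8.8.8"], "AAAA": ["2001:4860:4860::8888"]},
    "intranet.example": {"A": ["10.0.0.5"], "AAAA": []},
}


def synthesize(v4_text):
    """DNS64 side: embed an IPv4 address in the NAT64 prefix."""
    v4 = ipaddress.IPv4Address(v4_text)
    # RFC 6052 forbids representing non-global IPv4 space (RFC 1918 and so on)
    # under the well-known prefix.
    if not v4.is_global:
        raise ValueError(f"{v4} is not global, refusing to synthesize")
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))


def extract(v6_text):
    """NAT64 side: recover the IPv4 destination, or None if not translated."""
    v6 = ipaddress.IPv6Address(v6_text)
    if v6 not in NAT64_PREFIX:
        return None  # native IPv6 destination, routed without translation
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(name, zone):
    """Answer an AAAA query the way a DNS64 resolver would."""
    records = zone.get(name, {})
    native = records.get("AAAA", [])
    if native:
        # A real AAAA record always wins; synthesis is only a fallback.
        return [str(ipaddress.IPv6Address(a)) for a in native]
    answers = []
    for a in records.get("A", []):
        try:
            answers.append(str(synthesize(a)))
        except ValueError:
            continue  # private A records cannot be mapped under this prefix
    return answers


if __name__ == "__main__":
    for host in ZONE:
        print(host, dns64_answer(host, ZONE))
    print("translator maps 64:ff9b::808:404 ->", extract("64:ff9b::808:404"))
```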

      2. Anonymous Coward

        Re: Bridging the gap

        > if each device has a fixed IPv4 address then it can be comfortably translated to a fixed IPv6 address. I expect, though, that there's some other shit going on with IPv6 that would be difficult to translate in the router (though I doubt it would be impossible).

        Remember that an IPv4-only host only understands IPv4 source *and destination* addresses. So when it exchanges packets with another device, it must use an IPv4 address for that device too.

        Hence the translation you describe is not really very useful. You might as well just go dual-stack (give the device its own IPv6 address), and then it has full access to the IPv6 Internet as well.

        But since the majority of Internet content is on IPv4, none of this reduces your dependencies on IPv4 addresses.

        You could run IPv6 *only* internally, and use NAT64 to access the majority of the Internet. This works, more or less. But you still need as much IPv4 address space as your current NAT44 way of accessing the Internet.

        This is the main reason that IPv6 is not being adopted - there are initial and ongoing costs to running dual stack on all your devices (think: two address allocation mechanisms, two sets of firewall rules to audit), and little or no discernible benefit to doing so.

        1. Tom Samplonius

          Re: Bridging the gap

          "But since the majority of Internet content is on IPv4, none of this reduces your dependencies on IPv4 addresses."

          Source? The top 10 sites definitely are, and that is most of the traffic.

      3. Blotto Silver badge

        Re: Bridging the gap

        @Novex,

        it would need to be more of a proxy than a NAT.

        the ipv4 & ipv6 headers are different so would need to be completely rewritten both ways. In addition some apps may expect the address or headers to be within a particular format that a proxy would not be able to emulate on a per app basis.

        1. Yes Me Silver badge

          Re: Bridging the gap

          If you're in a scenario where dual stack doesn't work, the definitions and implementations of NAT64 and XLAT464 are complicated but well proven. But dual stack is better when available. In any case we need to kill the meme that there's a problem caused by lack of backwards compatibility: there was a problem but it's been thoroughly solved.

    2. Reginald Marshall
      Flame

      Re: Bridging the gap

      "the geniuses at the IETF (Internet Engineering Task Force) deciding not to make it backwards compatible with IPv4."

      This reflexive, non-thinking non-argument really needs to die. There's no way to make it backwards compatible without interposing some NAT monstrosity between the endpoints. Avoiding NAT as far as possible was an explicit design goal of IPv6, which hasn't been arrived at arbitrarily, but from bitter experience with that kludge.

      1. Nate Amsden

        Re: Bridging the gap

        Meanwhile millions continue to happily use NAT in either IPv4 or IPv6 (most likely NAT to IPv4 networks).

        Looking at my ATT branded Note 3 it is using a 10.x IP from them (wifi is off). So carrier grade NAT there too, never had an issue (I tether to laptop constantly when I travel).

        1. Alan Brown Silver badge

          Re: Bridging the gap

          "carrier grade NAT there too, never had an issue"

          CGNAT works ok(ish) if all you're doing is accessing webpages.

          If you're running anything with a listener on it, then all bets are off. Even with the webpage part the periodic change of IP address can be problematic.

          Marketing and management think that "Internet == http"

      2. Alan Brown Silver badge

        Re: Bridging the gap

        "Avoiding NAT as far as possible was an explicit design goal of IPv6, which hasn't been arrived at arbitrarily, but from bitter experience with that kludge."

        Having been involved with NAT from the early days, I can't upvote this enough.

        Yes NAT works - mostly.

        No, it doesn't work well.

        Running NAT behind NAT is a spectacularly bad idea but a lot of SE Asian ISPs do it anyway.

        Whoever came up with CGNAT should be staked out over an anthill and smeared with honey.

      3. Trevor_Pott Gold badge

        Re: Bridging the gap

        How's that elitism working out for you and your ivory tower douchecanoes?

        In the real world, NAT has benefits. I don't give a shit if developers have to suffer through importing a handful of libraries that provide all the tools they'll ever need to work with NAT. There's no good reason whatsoever that my endpoints should have globally addressable IPs.

    3. Yes Me Silver badge

      Re: Bridging the gap

      "the geniuses at the IETF (Internet Engineering Task Force) deciding not to make it backwards compatible with IPv4."

      Oh please! As has been expounded here several times before, the problem is that IPv4 was designed with no possibility of forward compatibility with a different address size. So it's mathematically impossible to design a successor that is backwards compatible - the dual stack deployment model is the only mathematically possible solution. There are of course a whole bunch of techniques for co-existence, and they've been built into the main operating systems for years. The slow deployment is caused by (a) conservative ISPs and (b) cheapskate residential gateway products. That's why the deployment is going faster for smartphones, in fact, since they can bypass the cheapskate products and domestic ISPs.

  2. This post has been deleted by its author

  3. Skoorb

    does Google offer IPv6 yet?

    So, Google Compute Engine, Google's answer to AWS. Does it support IPv6 yet?

    Hint: the answer is no. It also blocks all external comms that aren't IPv4 TCP or UDP.

    1. It wasnt me

      Re: does Google offer IPv6 yet?

      Does Google pay Tax yet? It hasn't died yet so it's not looking promising for 3 alleged certainties ........

  4. Anonymous Coward

    Umm, no thanks, no non-RFC protocols here..

    Maybe it's because I'm old, but I remember similar "gracious" efforts to improve things "for everyone" by Microsoft. Kerberos springs to mind as the most recent one, but there have been more.

    I'm all for Google blowing a lot of their ill gotten gains on finding ways to make stuff move faster, but unless such an improvement is 100% open without any possible lock in I would not go near it. It must become an unencumbered, patent free IETF/RFC style standard before anyone should touch it because getting it wrong will have really, really bad consequences.

    In case you didn't guess that already, based on their history I trust Google as much as I trust Microsoft: not at all. They may have come up with a good idea, but I've seen it all before.

  5. Anonymous Coward

    Try getting IPv6 from any major ISP's.

    And all you will get is ....

    We are working on it.

    and a month of sundays later we still get the same answer.

    sure, there are smaller ones that will give it to you but an awful lot won't.

    So mr google, what are your plans to make say all the DNS servers resolve IP V4 into V6 and all that faff?

    Is it just too hard and unprofitable and that you can't slurp data?

    1. simpfeld

      Re: Try getting IPv6 from any major ISP's.

      Sky Broadband are fully IPv6 enabled

      BT Infinity seems for my connection to always be giving out IPv6.

      Every UK mobile network.

      These all seem to work well from the testing I've done.

      These seem pretty major.

      And all seem to work well from the testing I've done and is largely transparent to end (home) users.

      It is finally apparently beginning to ramp up, the google stats look healthier now.

      https://www.google.com/intl/en/ipv6/statistics.html

      But it's going to still be slow for full adoption.

      1. Vince

        Re: Try getting IPv6 from any major ISP's.

        Just a few corrections:

        a) Sky is mostly IPv6 enabled

        b) BT Retail is rolling it out, but it is not standard or ubiquitous yet.

        c) Not every UK network - EE are almost there, Three no, nothing on Vodafone seen.

        Of course you might be confusing link local addresses and so on - Sky routers were for example giving out LAN side IPv6 for a long time before public internet routable.

        1. druck Silver badge

          Re: Try getting IPv6 from any major ISP's.

          No sign of PlusNet having IPv6, but then we are still waiting for any form of encryption on email protocols - for about 8 years now.

      2. Alan Brown Silver badge

        Re: Try getting IPv6 from any major ISP's.

        "But it's going to still be slow for full adoption."

        When I queried Ofcom a few years ago about misleading claims on "full internet access" when IPv6 isn't available they said that at some point when adoption had picked up they'd make it a requirement.

        The question is at what point they'll make that determination and how much warning they intend to give ISPs that they have to offer IPv6 or not call themselves ISPs.

        After the fiasco at the start of the 00's with walled gardens and then web-only access being sold by mobile companies as "Internet" I don't hold out much hope for anything soon.

    2. Dwarf

      Re: Try getting IPv6 from any major ISP's.

      Google already provide IPv6 DNS servers and have since at least 2011.

      See Google DNS, which states

      The Google Public DNS IP addresses (IPv4) are as follows:

      8.8.8.8

      8.8.4.4

      The Google Public DNS IPv6 addresses are as follows:

      2001:4860:4860::8888

      2001:4860:4860::8844

      All modern DNS servers can be queried on IPv4 or IPv6 and can respond with IPv4 or IPv6 records

      As others have already stated, a number of ISP's are IPv6 enabled, there is loads of information around about who has and hasn't rolled out. See this list for the top 25 UK ISP's running IPv6.

      Sky claim 80% rollout and BT now finish in early 2017, see this article

      The others will follow when they realise they are losing market share.

      IPv6 isn't difficult, it's just a learning curve, sure you can make reasons not to if you want, but it's coming like it or not.

    3. bombastic bob Silver badge
      Devil

      Re: Try getting IPv6 from any major ISP's.

      IPv6 tunnels still work. I'm using one from he.net - but of course THOSE are given away for free by an ISP that's just being nice. there are other free tunnel services as well [captain obvious says: no need to thank me, I'm not being helpful] and so it's just a matter of setting one up, which requires following somewhat detailed instructions for your OS of choice.

      now there ARE some *NEW* headaches that IPv6 is likely to cause:

      1. Your Windows machine NOW has a publicly viewable IPv6 address, even though you were accustomed to being behind a Linux-based NAT firewall. This is a lot like leaving your bedroom window unlocked with the curtains drawn...

      2. ANY IPv6-capable web site can discover your publicly viewable IPv6 address, including rogue ad servers, CDN networks, Facebitch, and web servers with "invisible" gif images embedded into any web page.

      3. tracking you via a FIXED IP ADDRESS is now "that much easier". Each IPv6 subscriber is likely to get a netblock of addresses. there are more than enough. That net block NOW identifies YOU. Even if the IPv6 changes, if only the last 8 to 16 bits are changing, it's still "you".

      [yes I know all 3 already apply to me, but I've dealt with it]

      Keep in mind that every windows version since XP has had "magic internal stuff" listening on well-known ports, every time you boot up. Try "netstat -an" in a CMD window some time, you'll see what I mean. Every one of those UDP ports marked '*:*', every one of those 'LISTENING' TCP ports, they're ALL open to being CRACKED. All you need is a pile of already-cracked machines [remember 'code red' ? win-nuke?] banging away against random IPv6 addresses, and you'll get infected or DoS'd, eventually, if you're running an unfirewalled windows machine.

      The solution, of course, is to have a firewall that is INTELLIGENT enough to block these ports PROPERLY by default, and I'm not talking about the Windows firewall, I'm talking about a PROPER firewall, like a router running Linux. It also needs to properly support IPv6 routing, AND to be "shut offable" if you have something OTHER than "that box" doing the routing [which _I_ happen to have].

      And that's another headache for the ISPs: dealing with customers that aren't using "their box", are using some form of 'bridge mode', already have an IPv6 tunnel, and somehow PROTECTING all of those clueless Windows users from getting their machines cracked because they're NOW publicly visible. And if it has an easily guessed user/pass, you now have remote access capability.

      maybe the biggest problem in the way of IPv6 is MICRO-SHAFT and WINDOWS ???

      1. Crazy Operations Guy

        Re: "now there ARE some *NEW* headaches that IPv6 is likely to cause:"

        None of these things are going to be an issue, unless you are plugging into the modem directly without anything in between. Yes, the machines have public IP addresses, but they aren't accessible. Nearly every consumer router I've seen has fire-walling built into it that by default blocks nearly every port below 1024, with some blocking everything except services you explicitly allow.

        As far as addressing goes, it gets handled exactly like IPv4 has been for decades now. The only difference now might be that rather than running its own DHCP services, the router will just proxy the DHCP requests to the ISP's DHCP server, meaning that you get one of the trillions and trillions that an ISP would have in the DHCP pool: The minimum subnet size is /64, which means they would have 18,446,744,073,709,551,616 IPv6 addresses in the same space they'd have 256-512 IPv4 addresses. And no, they wouldn't just use a single /64 for everyone's addresses, since they'd have to start figuring out how to properly control and handle such a broadcast domain when IPv6 blocks are dirt cheap (It's possible to get a /48 of IPv6, which would support 65,536 /64 blocks for the same price as a single /24 block of IPv4) and is far simpler for their engineers to add a /64 block to an existing network segment than re-architecting the whole thing.

        Besides, someone knowing your IP address is a stupid thing to worry about, first, because you're already broadcasting it far and wide, and second, anyone going around probing IP addresses to exploit is just going to sweep the whole internet anyway (usually by using a botnet to start probing at 1.1.1.1 then 1.1.1.2, until it hits 255.0.0.0, sometimes they are smarter about it, but that's essentially what they are doing).

    4. WolfFan Silver badge

      Re: Try getting IPv6 from any major ISP's.

      The major ISPs here, both cable and non-mobile telephone, have implemented IPv6 in most of the county, and in the neighboring counties. If the users have a modem from the ISP, they are being shipped new ones capable of using IPv6 as it is implemented in their area. I got a replacement modem from the telco (which is why I have an ISP modem, I can't get a 3rd party modem that will work) nearly two years ago and on checking had IPv6. My elderly aunt, two counties over and using a cable modem I got for her, got a note from the cableco that she had IPv6 available in her area a few months back, not that she had a clue what that was. As it happens the modem I'd got her can use IPv6, so when I checked her system she had IPv6 implemented, too. It's more and more commonly available, just not that useful at present as most sites that the public want to visit don't have it yet.

  6. DropBear
    Facepalm

    Significant changes? Until 2020? In four years? Exactly none. Sure, everything will be slightly different, clouds will be even more cloudy and ads will be even more obnoxious, but all in all, significant changes take a decade with things that have this much inertia. Oh, and mark my words - unless they start pushing IPv6 via some new vector we'll still be using IPv4.

  7. Anonymous Coward

    Mandatory HTTPS

    Normal plebs (who aren't Facebook) can't get TLS certificates for Tor hidden services, alternative DNS, or just naked IP address.

    This is a great way to destroy alternates to ICANN.

  8. Anonymous Coward

    IPv6 is great...

    ...we'll know EXACTLY where you are and what devices you are using, without annoying things like DHCP and NAT getting in the way.

    1. Mike Shepherd
      Meh

      Re: IPv6 is great...

      At least, when Google knows where every client machine is, it should have no difficulty paying VAT and Corporation Tax to the right country.

      1. Anonymous Coward

        Re: IPv6 is great...

        I think Google filters on swear words such as "paying tax" so your post may not be searchable.

        :)

    2. ZeroSum

      Re: IPv6 is great...

      > ...we'll know EXACTLY where you are and what devices you are using, without annoying things like DHCP and NAT getting in the way.

      This is false.

      With 3GPP mobile they'll know what PGW you came in on instead of what CGNAT you used. The PGWs can be serving users from a very wide area, even an entire country. The /64 prefixes are dynamic.

      With fixed broadband they'll only be able to identify you down to the residential gateway's WAN link. If the IPv6 prefix is coming from a dynamic pool on the BNG or CMTS it can change.

      IPv6 host devices don't embed their MAC addresses in their SLAAC addresses.

      Based on IPv6 address information for them to know exactly where you are you would have to configure a static IPv6 address.

      1. Anonymous Coward

        @ZeroSum

        Could you translate that into English for those of us who are not well versed in IPv6? My understanding is that part of your IPv6 address is fixed from your MAC, so if I travel around with my laptop, Google could tell it is the same device connecting via IPv6 from anywhere in the world? Is that not the case?

        That is honestly one of my bigger concerns with IPv6, is making it easier for Google and everyone else to do their tracking with no way of disabling it.

        I still think IPv6 was over-engineered with silly decisions like going to 128 bit addresses when 64 bits would have been far more than were needed that is mainly responsible for its low adoption rate. If they just made IPv5 largely like IPv4 except with more address space we would have transitioned long ago, and then we would have had time to think about what is really needed for a truly next generation system without the push to implement it because we're running out of addresses.

        1. ZeroSum

          Re: @ZeroSum

          > My understanding is that part of your IPv6 address is fixed from your MAC, so if I travel around with my laptop, Google could tell it is the same device connecting via IPv6 from anywhere in the world? Is that not the case?

          That is not the case. Privacy addresses are used now to avoid the above situation.

          https://tools.ietf.org/html/rfc4941

          https://tools.ietf.org/html/rfc7217

          A useful way of thinking about IPv6 addressing is that the /64 prefix used by autoconfiguration (SLAAC) is the basic unit of addressing rather than an individual IPv6 128 bit address. Every 3GPP smartphone connected using IPv6 gets a /64. This allows it to tether devices behind it. It also allows any IPv6 address in /64 to be used so it can't be found by IP address range scanning because 64 bits is so vast.

          https://tools.ietf.org/html/rfc7934

          https://tools.ietf.org/wg/v6ops/draft-ietf-v6ops-unique-ipv6-prefix-per-host/

        2. Anonymous Coward

          Re: @ZeroSum

          "Could you translate that into English for those of us who are not well versed in IPv6? "

          Here's an example of what IPv6 looks like. My laptop has an interface called wlp7s0 with a MAC address in line 2. The fdf8 addresses are "private" - similar to 192.168.x.y etc which I am experimenting with and the 2001 addresses are externally routable and is my allocation from my ISP. The fe80 is my link local address which is the one used on the local subnet.

          wlp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP>

          link/ether fc:f8:de:66:79:07 brd ff:ff:ff:ff:ff:ff

          inet6 fdf8:f578:4aad:165:3935:be8c:9b20:f1c9/64

          inet6 fdf8:f578:4aad:165:fef8:deff:fe66:7907/64

          inet6 2001:4c49:ad52:dd65:3935:be8c:9b20:f1c9/64

          inet6 2001:4c49:ad52:dd65:fef8:deff:fe66:7907/64

          inet6 fe80::fef8:aeff:fe66:7907/64 scope link

          The one the internet "sees" is the 2001: ........ :f1c9 which is randomly generated and changes every time I use it. If I want to have say a web server available to the internet then I would register the 2001: ...... :7907 address, which is fixed and based on the MAC address, and open the firewall for port 80/443 to it. I could also simply add a "static" address if I wanted to and use that instead - I have rather a lot to choose from.
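The address listing in the comment above can be checked mechanically for interface identifiers derived from the MAC address (modified EUI-64), which is the property the tracking question in this sub-thread turns on. This is an added example, not part of any poster's comment; the listing is copied as posted and the function names are hypothetical.

```python
import ipaddress

# Listing copied from the comment above (interface wlp7s0), as posted.
LISTING = """\
link/ether fc:f8:de:66:79:07 brd ff:ff:ff:ff:ff:ff
inet6 fdf8:f578:4aad:165:3935:be8c:9b20:f1c9/64
inet6 fdf8:f578:4aad:165:fef8:deff:fe66:7907/64
inet6 2001:4c49:ad52:dd65:3935:be8c:9b20:f1c9/64
inet6 2001:4c49:ad52:dd65:fef8:deff:fe66:7907/64
inet6 fe80::fef8:aeff:fe66:7907/64 scope link
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses


def scope_of(addr):
    """Classify an IPv6Address as link-local, unique-local or global."""
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "unique-local"
    return "global"


def mac_from_iid(addr_text):
    """Return the MAC embedded in a modified EUI-64 identifier, else None.

    EUI-64 inserts ff:fe between the two halves of the MAC and flips the
    universal/local bit of the first octet. A random identifier can contain
    ff:fe by chance (about 1 in 65536), so treat a hit as a strong hint.
    """
    iid = ipaddress.IPv6Address(addr_text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(listing):
    """Report scope and embedded MAC for every inet6 line in the listing."""
    iface_mac = None
    addresses = []
    for line in listing.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "link/ether":
            iface_mac = parts[1].lower()
        elif parts[0] == "inet6":
            addresses.append(ipaddress.ip_interface(parts[1]).ip)
    report = []
    for addr in addresses:
        embedded = mac_from_iid(str(addr))
        report.append({
            "address": str(addr),
            "scope": scope_of(addr),
            "embedded_mac": embedded,
            # True only when the identifier encodes this interface's MAC.
            "matches_interface": embedded is not None and embedded == iface_mac,
        })
    return report


if __name__ == "__main__":
    for row in audit(LISTING):
        note = ""
        if row["scope"] == "global" and row["embedded_mac"]:
            note = "  <- stable, hardware-derived identifier visible off-link"
        print(f'{row["scope"]:12} {row["address"]:42} '
              f'mac={row["embedded_mac"]}{note}')
```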

          1. ZeroSum

            Re: @ZeroSum

            You don't have to use the IPv6 address with the MAC address for your web server. You can configure a static IPv6 address like you would a static IPv4 address. Windows 10 and macOS Sierra don't embed the MAC address by default.

    3. Yes Me Silver badge
      Headmaster

      Re: IPv6 is great...

      "...we'll know EXACTLY where you are and what devices you are using, without annoying things like DHCP and NAT getting in the way."

      Wrong. That's what IPv6 temporary addresses are all about, and many other privacy aspects that have been added over the years. What Big Brother will get is exactly what he gets today, except that it will be the IPv6 prefix assigned to your access point, rather than the IPv4 address. He won't know which machine behind that access point you're using, and if you enable temporary addresses, your address will vary at whatever frequency you decide.

      In any case, as Snowden showed us, IP addresses are minor in the overall metadata surveillance story. Worry more about your email headers.

  9. Oengus

    What are taxes?

    Google: There are three certainties in life – death, taxes and IPv6

    Wait a minute... Don't Google (and all other big multi-nationals) spend all of their time avoiding taxes? So that would make 2 certainties...

    1. RyokuMas
      Facepalm

      Re: What are taxes?

      That's because they're wrong. The three certainties in life are death, IPv6 and Google will stalk you at every opportunity.

  10. FireBurn

    Sky Broadband

    Sky Broadband is using IPv6 now

  11. Mark Simon

    Four things …

    If you include advertising. After all, this is Google we’re talking about.

    Nobody expects the Spanish Inquisition.

    1. VinceH

      Re: Four things …

      I count five. Although Google stalks for advertising purposes, I'd still list stalking as an additional item.

    2. J. R. Hartley

      Re: Four things …

      Upvote for Python

  12. bsdnazz
    Facepalm

    IPv6 cannot be fully backward compatible with IPv4 and no IP stack with more IP addresses than IPv4 can be fully backward compatible with IPv4.

    The IPv6 address space is far bigger than the IPv4 one (a key point of IPv6) so even with mapping an IPv4 client can only specify 2^32 destination IP addresses. This means it cannot access all the new IPv6 systems.

  13. Anonymous Coward
    Anonymous Coward

    Unfortunately while NAT64 provides a very short solution, there is a fundamental issue to be addressed converting from IPv6 to IPv4. With IPv4 a jumbo packet is 9000 octets or 72Kb, in IPv6 a jumbo packet can be 4GB in size.

    With the multi-level addressing permitted by IPv6, Link Local Addressing unique to a LAN segment and not routable (it does not have to be unique within an organisation). Unique Local Unicast Addressing routable within an organisation but not to Internet. Finally Global Unicast Addressing which is a routable IPv6 address.

    Moving to IPv6 requires a radical re-think in security, devices that do not need internet access do not need Global addressing. With IPv6 communication between devices can use IPSec Transport or Tunnel mode (remember IPSec is a back port from IPv6 to IPv4) so firewall rules need to be re-thought.

    1. Yes Me Silver badge
      Thumb Up

      Re: Moving to IPv6 requires a radical re-think in security

      Yes, to the extent that IPv6 has more options for security, such as using local addressing to ensure that local traffic stays local. But really it's win-win, because you can keep your network safe and private without feeling the need for NAT as a pseudo-security feature. Firewall products are all up to speed for IPv6 now. You don't actually have to re-think your basic security model, you just have to design your IPv6 addressing plan with some care and think through the firewall rules rather than mechanically transcribing them from IPv4. No magic required.

      1. Crazy Operations Guy

        Re: Moving to IPv6 requires a radical re-think in security

        Indeed, in fact IPv6 is more secure out-of-the-box than IPv4 because of its addressing. Any machine receiving an IPv6 address also creates a link-local address, most operating systems and any intelligent application would attach to the correct interface depending on security level (EG, a UPnP device would attach to the link-local address while a web server would listen on the assigned address by default)

  14. Primus Secundus Tertius

    The real third certainty

    In this modern world there are the two traditional certainties, death and taxes, and also a third: "Somebody will whinge at it".

    Whatever it is, somebody will whinge at it. E.g. IPv4 or IPv6, in the discussions above.

  15. Alistair
    Coat

    Hrmph

    A long time ago I read an item written by some nutbar who insisted that IPV6 wasn't sufficient, and who had written up (I think it was) a *very* light framework for IPV8.

    Some folks are like Donald Rumsfeld, and should not be allowed near technology. (unknown unknowns being what they are)

    I've played with IPV6 at home, and even have set up a few boxes in (lab) territory that do IPV6. While I'm a huge fan of the ease of deployment and setup, I do see huge issues in the management of resources frame of reference that will keep many IT groups from using it in large enterprise networks. Looking at the coding differences at the firewall line there are several additional levels of knowledge required to correctly understand the changes in process and deployment. Most of this is learning curve, and the larger the organization, the longer it will take to make it up that curve.

    It will make anonymity somewhat more difficult, but, due to size of the address space, far from impossible.

    Interestingly I've found out that the VPN system we use supports it and does some sort of internal 6to4 and 4to6 NATting. Mind you, that rings a bell somewhere, and I was asked not to do that again.

    1. Yes Me Silver badge
      Trollface

      some nutbar

      " some nutbar who insisted that IPV6 wasn't sufficient, and who had written up (I think it was) a *very* light framework for IPV8."

      Yes, that particular fantasy comes round once in a while. It can be safely ignored unless you want a laugh.

    2. Crazy Operations Guy

      " Looking at the coding differences at the firewall line"

      Any rational network admin would build the firewall rules to block everything except for sessions started by a node on the interior network (easy to determine, just record the source of all outgoing packets with SYN turned on and ACK turned off, pretty much every firewall does this already). The rest of the rules would be "Allow only port 25 to this list of specific hosts".

      My company's network is pretty much:

      block all

      allow out all

      allow in return

      allow in TCP port 25, 587, 143 to mail*.int.company.com

      allow in TCP port 80, 443 to web*.int.company.com

      allow in TCP,UDP port 53 to extdns*.int.company.com

      The firewall builds the list of addresses by querying internal DNS to discover the addresses and fill in the rule-set with either A or AAAA records. Doing it this way meant that the network admin didn't have to do anything except add a couple IPv6 addresses to the interfaces of the network appliances (which was done long before the roll-out) and add the DHCPv6 helper addresses on the routers (which is how it was rolled out, add in the helper address to the VLAN, re-load the configuration, wait for DHCP leases to expire so the client asks for an IPv6 address in addition to renewing the IPv4). The most difficult part was getting router-advertisements straightened out and assigning static IPv6 addresses to servers that needed statics.
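A small model of the rule set in the comment above, showing how one default-deny policy expanded from A and AAAA records covers both address families, including an unsolicited probe to a desktop's global IPv6 address. This is an added illustration, not the poster's configuration: the host names, the documentation-prefix addresses and the probed port are constructed, and state is tracked per 5-tuple rather than by TCP flags.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed internal DNS: name -> A and AAAA records (documentation prefixes).
DNS = {
    "mail1.int.company.com": ["192.0.2.25", "2001:db8:10::25"],
    "web1.int.company.com": ["192.0.2.80", "2001:db8:10::80"],
    "extdns1.int.company.com": ["192.0.2.53", "2001:db8:10::53"],
    "desktop7.int.company.com": ["192.0.2.107", "2001:db8:20::107"],
}

# The three "allow in" rules from the comment: protocols, ports, host pattern.
SERVICE_RULES = [
    ({"tcp"}, {25, 587, 143}, "mail*.int.company.com"),
    ({"tcp"}, {80, 443}, "web*.int.company.com"),
    ({"tcp", "udp"}, {53}, "extdns*.int.company.com"),
]


def expand_rules(dns):
    """Resolve each host pattern to (proto, address, port) allow entries."""
    allowed = set()
    for protos, ports, pattern in SERVICE_RULES:
        for name, addrs in dns.items():
            if not fnmatch(name, pattern):
                continue
            for text in addrs:
                addr = ipaddress.ip_address(text)  # IPv4 or IPv6 alike
                for proto in protos:
                    for port in ports:
                        allowed.add((proto, addr, port))
    return allowed


class Firewall:
    def __init__(self, dns):
        self.allowed = expand_rules(dns)
        self.flows = set()  # state table of flows opened from the inside

    def outbound(self, proto, src, sport, dst, dport):
        """'allow out all': permit and remember the flow for return traffic."""
        self.flows.add((proto, ipaddress.ip_address(src), sport,
                        ipaddress.ip_address(dst), dport))
        return "allow"

    def inbound(self, proto, src, sport, dst, dport):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 'allow in return': the packet mirrors a flow an inside host opened.
        if (proto, dst_ip, dport, src_ip, sport) in self.flows:
            return "allow (return)"
        # Published services, identical logic for A and AAAA addresses.
        if (proto, dst_ip, dport) in self.allowed:
            return "allow (service)"
        return "block"  # 'block all' default


if __name__ == "__main__":
    fw = Firewall(DNS)
    # Unsolicited probe to a desktop's globally routable IPv6 address.
    print(fw.inbound("tcp", "2001:db8:ffff::1", 50000, "2001:db8:20::107", 445))
    print(fw.inbound("tcp", "2001:db8:ffff::1", 50000, "2001:db8:10::80", 443))
    fw.outbound("udp", "2001:db8:20::107", 40000, "2001:4860:4860::8888", 53)
    print(fw.inbound("udp", "2001:4860:4860::8888", 53, "2001:db8:20::107", 40000))
```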

  16. MR J

    UDP Fear

    So I have a phone here that I paid £150 in excess data charges.

    Reason.. The phone was turned off. It had a valid IP, and some server was spamming it with UDP broadcast.

    QUIC might work great for streaming services or large bandwidth applications, but unless it is able to avoid the above issue then there is no way it should be looked at as a replacement for TCP/IP. Ideally the world wouldn't have metered connections and we could move to such things - But that's never going to happen.

    On a side note, I am fighting tooth and nail to get my £150 back, cell networks should be smart enough to know when a device is not responding, but if it's making money I guess they will never fix it.

    1. Blotto Silver badge
      FAIL

      Re: UDP Fear

      Can you explain in simple terms how your phone received enough data whilst turned off to receive £150 of excess data charges?

      It can't have a valid IP if off, the network won't know where to send the traffic if the phone is off therefore UDP or not it can't route the traffic from source to your handset as it doesn't exist on the net.

      I'm thinking you are a 2b

      http://www.theregister.co.uk/2016/09/16/bofh_2016_episode_11/

    2. Anonymous Coward
      Anonymous Coward

      Re: UDP Fear

      Doesn't broadcast only carry within the same subnet? And if someone was trying to broadcast to the world it really should have been stopped by the carrier's firewall.

      1. Crazy Operations Guy

        Re: UDP Fear

        Cell networks operate by associating the IP address to your phone's ID so it knows which towers to send the packets to. If your phone is off, the Cell provider just drops it and may send a response back to inform the sender that the node is unreachable. Besides, the phone itself never gets an IP address, it's a virtual interface inside a massive router on the cell provider's network hundreds of miles away from you. The router translates the packet for delivery to the phone in the exact same way a phone call is performed.

        So either the cell company is doing some weird experiments with new protocols and managed to accidentally fundamentally alter how the network operates, or your phone actually did use that data. I know which explanation I'm going with...

        1. P. Lee

          Re: UDP Fear

          Whatever Mr J's issues the point does remain valid and not just for mobile.

          There's nothing to stop a UDP DOS attack chewing up my download quota. Currently if I get Gigs of inbound SYNs or DNS or NTP there's a good chance I can defend my position with my ISP.

          Regardless, it seems everyone is obsessing over ipv6 without looking at this sentence from the article:

          >QUIC's big advantage is in real-time apps, and it's faster and more reliable than TCP because it's not dependent on the operating system.

          Say WHAT?! Surely that must be a misstatement! Software layering? We've heard of it.

          But no, Chrome implements it. Oh great, a network stack implemented at the application level. What could possibly go wrong?

          We need more OS involvement in networking not less. I know Google doesn't care about end-point security, but I think the rest of us might. I'd quite like the OS to kill network connections initiated by, for example, Word and Excel. Shouldn't the application be asking the OS for IP protocol 143 or something like that? Is the problem really TCP or poor OS IP stack design? In the end, packets need putting in their correct order, whether that happens in the OS or the application - why not have this as a library function the OS does, rather than putting it in every application?

          If we need a TCPv2 stack that's fine, let's make a TCPv2 stack, but don't kick networking session/transport reliability functions up to the application layer.

          1. Crazy Operations Guy

            Re: UDP Fear

            High-end network cards have the capability to do TCP themselves without ever having to bother the OS. Implement lower, not at the top.

  17. David Crowe

    IPv6 is of no value until real people, ordinary people, can configure a device, without an IPv4 address. Having IPv4 + IPv6 does not solve the problem because every device still needs at least one IPv4 address. I don't think this day will ever come. We need IPv7, not IPv6. Start from scratch and make it backwards compatible with IPv4. For starters there must be a reserved block for IPv4 addresses (all zeroes plus IPv4 address makes sense) and a mechanism for going IPv4-IPv6-IPv4 and vice versa without losing data or dropping packets. And I mean a single, standardized mechanism. If an IPv7 device could send and receive packets from IPv4 devices then every IPv7 device would save an IPv4 address, and IPv4 would start to dwindle quickly. And it wouldn't matter if it never went away because the smaller it gets the less likely we'll ever run out of IPv4 addresses.

    1. ZeroSum

      Four years ago the number of smartphones in the US was essentially zero. Now over 50% of them have IPv6. In another 4 years almost all of them will have IPv6. The public surface of the Internet is adopting IPv6 and it is going quite well.

      Too much progress has been made deploying IPv6 to start again from scratch. A huge amount of work got us to this point. It is also impossible to be fully backwards compatible with IPv4 because 128 bits into 32 bits will not go. An IPv4 end-point will never be able to connect to an arbitrary IPv6 end-point without an external lookup.

    2. Yes Me Silver badge
      Headmaster

      Re: We need IPv7

      "We need IPv7, not IPv6. Start from scratch and make it backwards compatible with IPv4"

      Sorry David but once again: that is mathematically impossible due to the non-extensible design of IPv4. That's why dual stack is the only general deployment model for IPv6. The rest of your points are answered by the various coexistence solutions already deployed in the market. And since we've already run out of IPv4 prefixes, that "at least one IPv4 address" cannot be unique; it must be an ambiguous shared address. Solutions such as NAT64 and XLAT464 take account of that.

      (The kind of solution you're thinking of was heavily investigated in the early 1990s and was conclusively known not to work by 1994 when the IPv6 direction was set. At the time people thought the transition would take 15 years, but then, damn it, Berners-Lee and Cailliau invented the web and things got complicated.)
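The address-size argument in the two replies above, as an added example that is not part of either comment: an IPv4 address embeds statelessly in an IPv6 /96 (shown with the NAT64 well-known prefix 64:ff9b::/96 from RFC 6052), while the reverse direction needs a lookup table backed by a finite IPv4 pool. `Nat46Table` and the pool and host addresses are constructed for illustration.

```python
import ipaddress

WKP = ipaddress.ip_network("64:ff9b::/96")  # NAT64 well-known prefix, RFC 6052

def v4_to_v6(v4):
    """Stateless: the 32-bit IPv4 address fits in the low bits of the /96."""
    return ipaddress.IPv6Address(
        int(WKP.network_address) | int(ipaddress.IPv4Address(v4)))

def v6_to_v4(v6):
    """Reversible only inside the prefix; any other IPv6 address has no IPv4 form."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in WKP:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

class Nat46Table:
    """The 'external lookup': a gateway table lending pool addresses to IPv6 hosts."""

    def __init__(self, pool):
        # Constructed pool; a real gateway would also expire idle mappings.
        self.free = list(ipaddress.ip_network(pool).hosts())
        self.by_v6, self.by_v4 = {}, {}

    def map(self, v6):
        addr = ipaddress.IPv6Address(v6)
        if addr not in self.by_v6:
            if not self.free:
                raise LookupError("IPv4 pool exhausted")
            v4 = self.free.pop(0)
            self.by_v6[addr], self.by_v4[v4] = v4, addr
        return self.by_v6[addr]

    def lookup(self, v4):
        """Without an entry in this table the IPv4 side cannot name the IPv6 host."""
        return self.by_v4.get(ipaddress.IPv4Address(v4))
```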

    3. Crazy Operations Guy

      "IPv6 is of no value until real people, ordinary people, can configure a device"

      Billions of people already seem to be able to work on the internet without knowing how to configure IPv4. The reason? A little protocol called DHCP. Standardized in 1997 for IPv4 and then extended to IPv6 in 2005.

      Home routers will just need a patch to relay DHCPv6 requests to the ISP's DHCP server rather than just handling it locally. Nearly all home routers do this already if they are given an IPv6 address on their 'internet' interface. I've helped many family members out with internet issues and they already had a publicly-routable IPv6 address on their home machines despite the fact that they are just using store-bought Netgear and Linksys routers and kept them in factory-default mode (for the most part) and they have so little technical experience that I have to go over there because a USB cable came unplugged and they are worried about putting it into the wrong socket...

  18. BanburyBill

    QUIC is already fully open and will be turned into an RFC when iteration slows down. Meanwhile Google are working with IETF on it. Judging by the session on QUIC at the last IETF at which I lurked at the back, the IETF have no problems with the openness.

  19. Yugguy

    IPV6 for why?

    We don't have enough devices to even remotely worry about running out of internal IPv4 addresses.

    And we have 4, count em, 4, external IP addresses.

  20. carlsonjma

    yeah, right

    "faster and more reliable than TCP" ... yeah, right. Pull the other one.
