How I Learned to Stop Worrying and Love IPv6

IPv4 addresses are a rapidly dwindling commodity [...] ICANN distributed the last big chunks of available IPv4 addresses to the five continental Regional Internet Registries earlier this year. The RIRs in turn are running out of supplies to allocate to ISPs and other network operators - El Reg Somewhere in the near future... …


This topic is closed for new posts.


  1. Anonymous Coward
    Thumb Up

    "Steve's Infeasible Third Coming"

    Nuff said

    1. sabba
      Thumb Up

      Re: "Steve's Infeasible Third Coming"

      Erm, I think you'll find it was Assange's coming and it was all a conspiracy (whilst you slept)

      1. Destroy All Monsters Silver badge

        Re: "Steve's Infeasible Third Coming"

        I just hear they want to question him because of repeated coming in Sweden.

        1. Anonymous Coward

          Re: "Steve's Infeasible Third Coming"

          Actually that works pretty well in Swedglish, maybe adopt a slight accent when you tell folks that one ;)

  2. joeW

    I lost it at 255 Shades of Grey.

  3. Brewster's Angle Grinder Silver badge

    You can only have 254 shades of grey. #ffffff is white and #000000 is black.

    1. Phil Standen

      Double plus Grey and Double minus Grey I think you'll find.

    2. joeW

      That's how the guy knew she was faking the story. A minor error from being forced to think on the spot.

    3. Anonymous Coward


      White is a particularly bright type of grey, and black a very dark version.

      BTW, you have no idea just how many colours white and black there are until you have worked in a colour lab.

      I have..

      1. Brewster's Angle Grinder Silver badge

        Re: White is a particularly bright type of grey, and black a very dark version.

        Okay. Now we have 256 shades of grey. Either way, 255 was off by one.

      2. Anonymous Coward

        Re: So?

        So for us analogue meatbags (no offence), how many? OK, I realise there may be limits on how many different colours a human eye can tell apart, and therefore want to pay for ;) And how come you allowed B&W into a colour lab, wasn't it slightly greenish, like on 3-colour plus no black cartridge printers ;)

        Reminds me of when I tried to convince a fellow hifi nut that although when you buy speakers, you may well be able to buy them with digital input, but .......well, you know ;)

    4. Steve Knox Silver badge

      RE: 254 shades of grey

      Only if you're using standard RGB encoding. Numbers have this really cool property where you can map them to anything you want. Besides, both black and white can be argued to be shades of grey.

      1. TRT Silver badge

        Re: RE: 254 shades of grey

        Can you get 50 Shades of Grey on a Kindle? Sort of, with dithering.

        1. LaeMing Silver badge

          RE: 254 shades of grey

          But is it Ocean Grey or Military Grey?

        2. Michael Wojcik Silver badge


          > Can you get 50 Shades of Grey on a Kindle? Sort of, with dithering.

          I haven't read the book, but I hear it's full of dithering.

    5. nitsedy

      and........ the nerd war ensues. Before long someone will have to bring up whether or not the light being emitted is a wave or particle and then someone will take another point of view and the whole thing will go all to hell in a slit experiment. Eventually the density of the argument will reach singularity and it will all circle in upon itself with little more than hawking radiation leaking out of the thread. Time will stop. The universe will freeze. Hope will be gone. Eternity itself will become infinitely infinite. Blackless black. Deathless death. Meaningless meaningless.

      Thus a new Internet is born.

      1. JeffyPooh Silver badge

        Re: and........

        Meow... Meow... Meow...

      2. TRT Silver badge

        Re: and........

        As my old boss and world authority on colour vision would have pointed out, it's not what you can measure, it's what you perceive.

        He has astonished many people over the years by turning a "red" piece of paper into a "green" piece of paper by doing nothing more than holding up a larger piece of multi-coloured paper behind it, thus demonstrating that what they had been taught in school about "coloured light" was patently wrong or at best a misleading over-simplification.

      3. Jim McCafferty
        Thumb Up

        Re: and........



  4. Chris007

    ownership of all Class A addresses should be re-evaluated and then re-distributed.

    Title says it all.

    1. -Alex-

      Re: ownership of all Class A addresses should be re-evaluated and then re-distributed.

      And then you'll come to the same conclusion as everyone else - this would just delay the inevitable by a few months at best.

      1. Chris007

        Re: ownership of all Class A addresses should be re-evaluated and then re-distributed. @Alex

        A prediction

        Just watch how the use of Class A addresses (most of which are owned by American entities) are used to bolster the US economy because US companies will have access to IPv4 well beyond the rest of the world (Class A addresses account for HALF of the 4 billion IPv4 addresses available).

        You can forget this bulls**t about not monetising IP addresses, selling them may be difficult (but not impossible) so they'll lease them out instead.

    2. Aldous
      Black Helicopters

      Re: ownership of all Class A addresses should be re-evaluated and then re-distributed.

      you dirty communist baby eater!

    3. John G Imrie Silver badge

      Wanna score some class A

      Top quality sub nets, know what I mean G'vnor.

    4. Cucumber C Face

      Re: ownership of all Class A addresses should be re-evaluated and then re-distributed.

      You cannot be serious. Trash the 'intranet' of each and every kindergarten, District level government office and business with more than 2 employees in the United States?

      That's fighting talk boy.

  5. This post has been deleted by its author

    1. This post has been deleted by its author

  6. Herby Silver badge

    But black and white are

    shades of grey.

    Of course there is gray code encoded grey!

  7. Chris007

    After reading this, Verity and Simon...

    should definitely collaborate on an issue or 2 of the BOFH!

    1. Steve Taylor 3

      Re: After reading this, Verity and Simon...

      > should definitely collaborate on an issue or 2 of the BOFH!

      Noooo!! I stopped reading BOFH many years ago when it stopped being funny. Many *many* years ago.

    2. Anonymous Coward

      Re: After reading this, Verity and Simon...

      Just wondering, has the PFY ever mentioned his parents?

  8. Anonymous Coward

    Classic: "That's a malformed MAC address with extra rivets."

  9. I ain't Spartacus Gold badge

    It's good to be alive! In 1985.

    1. J.G.Harston Silver badge

      Wonderful, I'll have to get my tape out.

  10. Anonymous Coward


    Excellently on message Ms Stob. Now please excuse me, it's time for my two minutes of hate against the packet rewriter-general.

  11. Anonymous Coward

    Two Hundred and Fifty-Five Shades of Grey

    Literally spat my coffee out laughing. Wonderful.

    1. Anonymous Coward

      Re: Two Hundred and Fifty-Five Shades of Grey

      I "got" a copy of "Fifty Shades" but you know, by golly it was unsexy. Probably Guantanamo is more sexy.

      Is it for the American market, dressed up as "English teatime afternoon light bondage" , but, not too many corpses... so clearly no CSI tie-in possible :P

      I would actually recommend this instead: -

  12. Daniel B.


    Now I'm off to the obligatory Two Minutes of Hate against RFC 2663.

    ICANN has always been at war with Eastasia.

  13. Morten

    IPv6 less secure because of lack of NAT?

    Are you insane? NAT does not provide security. Please move on ...

    1. Steve the Cynic Silver badge

      Re: IPv6 less secure because of lack of NAT?

      Pff. NAT in the sense of address hiding(*) provides one very specific form of security. With a couple of exceptions in the UDP space, connection initiation is outbound only, since the translator doesn't know what to do with an inbound connection. This prevents an external attacker from reaching in directly to an internal machine.

      So, no, there are no security aids in NAT, except in one specific but very, very, very common case.

      (*) NAT can be used in various ways. The most common is where you hide an RFC1918 privately-numbered network behind a single public (or "less private" - see "Carrier-Grade NAT") IP address, although as I hope you know, those in the know sometimes call this NAPT or PAT. Less common are methods for renumbering IP networks without renumbering them, and also for hiding a private-numbered host behind one port of a public IP (port forwarding) so that only the intended port can be reached.

      1. Kirbini

        @Steve: try again

        Even in your very specific example it is not NAT that is providing the security: it is the firewall that is preventing an inbound connection just like the lock on my front door (mostly) prevents you from entering my flat. NAT is not the security, the firewall is. Any firewall will provide this exact same level of security whether or not NAT is being employed. (ever hear of transparent mode: no NAT, same security)

        What NAT does do is allow you to obscure your assigned IP from the heathens at large. However as everyone on this board knows, there is no security through obscurity.

        1. Steve the Cynic Silver badge

          Re: @Steve: try again

          Kirbini: I didn't mention a firewall. NAT / PAT / NAPT is a separate function from firewalls, and a box might do one, the other, or even both. The point is that the translator (note, to repeat myself, not the firewall) doesn't know how to handle an incoming packet that doesn't match an outgoing connection profile, so it drops it.

          There are exceptions, in that for certain UDP situations, a (dynamically created) translation may say "from this internal IP/port, use this external IP/port, wherever it is going, and allow anyone who sends to that external port to hit the internal IP/port". This is called "cone NAT", and severely weakens the coincidental security model of NAPT. Restricted cone NAT uses the same external port for all communications from a given internal IP/port, but only allows external packets from previous destinations.

          Restricted cone is less protective than fully-restrictive NAPT that uses a separate external port for each IP/port quad-tuple, but more protective than fully-open cone NAT. The trade-off, as usual, is that open cone NAT is less unfriendly to protocols with a peer-to-peer element, but also less protective.

          But once again, none of this has anything to do with firewalls, except in so far as devices that do either often do both.

          Relevant note: I work in the IPS engine of a firewall-with-UTM-and-NAT-and-stuff, and I'm specifically responsible for, among other things, the code that handles all the various NAT modes. Some people might think this qualifies me to talk knowledgeably about this subject.

          FAIL for you, sorry.

          1. Kirbini

            Re: @Steve: try again

            It's nice you can do cool stuff with NAT and IPS. Tell me, in a network with enough public IPs for every internal need, what can you do with NAT that I can't do with stateful ACLs?

            Relevant note: I've been building packet filters since the late '80s. I had a hand in developing the early ip masquerade code in Linux-386 and worked closely with a large firewall vendor on their early NAT implementations. Some believe this qualifies me as a subject matter expert. ymmv

            1. Anonymous Coward

              @Kirbini Re: @Steve: try again

              Good lord man! Easy patting yourself on the back there, lest you break an arm and can't share any more of your wisdom with us via the keyboard.

              I'd almost swear Steve Gibson was here...

        2. Anonymous Coward

          @Kirbini - Re: @Steve: try again

          No, you try again! Any router, server and host that performs PAT or port forwarding is offering the feature of preventing external hosts directly connecting to inside hosts, all this without any additional packet filtering. We all know this can be defeated but it is still useful as an added layer of protection which I'm not ready to give up for the sake of the beauty of IPv6 protocol.

          And you know what, some bunch of Linux guys will come up with NAT6 and it will be a success, everybody else will adopt it no matter if those who created IPv6 will like it or not. And best of all, you're free not to use it.

          1. Kirbini
            Thumb Down

            Re: @AC 14:52

            I'm afraid you're confusing firewallness with NATness. Pray tell, how is "preventing external hosts directly connecting to inside hosts" a function of NAT at all? NAT simply creates a temporary ACL that says: a trusted host sent a packet to host A on port Z; allow return traffic from that host and port; drop everything else. Once the connection is torn down that temporary ACL goes away. How is that different than a reflexive or stateful ACL, other than there's NAT to muck things up?

            Give me a stateful packet filter and I can do everything your NAT can do and then some. Give you a NAT only box, even with packet filtering, and you can't come close unless you include fixes for IPSEC, FTP, RSTP, SIP, IM, etc..

            1. Glen 1 Bronze badge
              Paris Hilton

              NAT vs stateful ACLs

              The thing about ACLs is(are?) that they are not likely to appear on any consumer grade kit (out of the box) any time soon.

              Add to the mix wide open Windows/SMB shares, and the usual disable-every-security-feature-to-get-it-to-work-itus, and I'm a bit worried. Many home networks' security consists of "if you've got the wifi password, you can access everything. What do you mean it's your address/surname?". Unless the Belkin (et al) routers are going to be a drop-in replacement, with the ACL features, there are going to be quite interesting times ahead.

              I'm not exactly comfortable with the idea that my potentially buggy code will be addressable from anywhere on the internet. If I was confident it was secure, I wouldn't call it a test server. While I might be able to cobble something together myself, it's not something I'm going to be proficient at, because it's something I have never had to do before. (and my first hello world was decades ago :s)

              Sorry to ramble, but there is a lot of FUD about IPv6, and that needs to be rectified before the article (however good) starts to hit a little too close to home...

              1. foo_bar_baz

                @Glen 1 - Re: NAT vs stateful ACLs

                I'm pretty sure *DSL routers from Zyxel et al have included stateful firewalls for years. Netfilter is built into the Linux kernel and it's just a matter of building a web GUI. I distinctly remember setting up port forwarding on one of those, and it involved (a) setting up DNAT and (b) opening the firewall from the Internet to the internal host.

              2. jm493
                Thumb Up

                Re: NAT vs stateful ACLs

                Many consumer-grade IPv6-capable home routers do already include "Simple Security" ACLs that provide equivalent blocking for inbound IPv6 traffic as they do for IPv4 traffic.

                Described at



                With firewalls there is a clear distinction between the more professional units and the models aimed for the residential markets. Most of the residential devices come with an enabled filter that mimics the behaviour of standard IPv4 NAT, blocking incoming connections by default. ...


    2. Kirbini
      Thumb Up

      Re: IPv6 less secure because of lack of NAT?

      ^ This.

      It bears repeating: NAT != security; NAT == borked protocols.
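
The inbound-filtering behaviours argued over in the NAT sub-thread above (open cone, restricted cone, a separate external port per destination, and a stateful ACL with no translation), modelled side by side. This is an added example, not code from any poster or product; the `Box` class, the mode names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Box:
    """Toy translator/filter; mode names are labels chosen for this example."""
    mode: str                       # full_cone | restricted_cone | per_dest_napt | stateful_acl
    public_ip: str = "203.0.113.1"  # constructed documentation address
    next_port: int = 40000
    maps: dict = field(default_factory=dict)   # mapping key -> external (ip, port)
    state: dict = field(default_factory=dict)  # external (ip, port) -> inside addr + peers

    def outbound(self, src, dst):
        """Record an outbound flow; return the source (ip, port) seen outside."""
        if self.mode == "stateful_acl":
            ext = src                           # no translation, connection state only
        else:
            key = (src, dst) if self.mode == "per_dest_napt" else src
            if key not in self.maps:
                self.maps[key] = (self.public_ip, self.next_port)
                self.next_port += 1
            ext = self.maps[key]
        entry = self.state.setdefault(ext, {"inside": src, "peers": set()})
        entry["peers"].add(dst)
        return ext

    def inbound(self, remote, ext):
        """Return the inside (ip, port) the packet reaches, or None if dropped."""
        entry = self.state.get(ext)
        if entry is None:
            return None                         # nothing ever went out from here
        if self.mode == "full_cone":
            allowed = True                      # anyone may hit the mapped port
        elif self.mode == "restricted_cone":
            allowed = remote[0] in {ip for ip, _ in entry["peers"]}
        else:                                   # per_dest_napt and stateful_acl
            allowed = remote in entry["peers"]
        return entry["inside"] if allowed else None

def verdicts(mode):
    """Run one constructed scenario; return which inbound packets get through."""
    box, host, server = Box(mode), ("192.168.1.10", 5000), ("198.51.100.7", 53)
    ext = box.outbound(host, server)
    probes = [server,                   # genuine reply
              ("198.51.100.7", 9999),   # same remote IP, different port
              ("192.0.2.66", 53)]       # a host never contacted
    results = [box.inbound(p, ext) is not None for p in probes]
    results.append(box.inbound(server, (ext[0], ext[1] + 1)) is not None)  # no state
    return tuple(results)

if __name__ == "__main__":
    for m in ("full_cone", "restricted_cone", "per_dest_napt", "stateful_acl"):
        print(f"{m:16} {verdicts(m)}")
```

In this model the per-destination NAPT and the translation-free stateful ACL return identical verdicts, while the two cone modes admit progressively more unsolicited traffic.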

