IPv6 is great, says Facebook. For us. And for you a bit, too

Facebook has wandered down to Speakers' Corner and climbed onto a fruit-crate to spruik the benefits of the decades-old, much-needed and still-relatively-unused IPv6 protocol. With IPv4 addresses just-about-depleted worldwide, Facebook has penned a blog post telling websites to roll out the protocol, if they haven't already. …


Directly addressable

Network protocols aren't my thing, anyone out there like to tell me how many IPv6 implementations are directly addressable rather than using local addresses?


Directly addressable just means it has a globally unique and routable IP address. Ordinary corporate IPv4 networks use private networks according to RFC 1918. Those addresses can be used by anybody, but they really should be unique inside a single organization. At Facebook's scale, trying to keep all those RFC 1918 addresses unique and having enough addresses for every use was becoming too difficult.

In IPv6, the idea is each device actually has multiple addresses. It has a link-local unicast address, a link-local multicast address, and ideally one or more globally routable addresses. The link-local addresses are to replace semi-IP protocols like ARP, but they also can be used on their own. The globally routable addresses could include static addresses, but for privacy they usually use one or more temporary, but still globally routable, addresses for use for about 24 hours. They automatically allocate and discard these temporary addresses.

Every IPv6 implementation I know uses globally unique and routable addresses. Current versions of the major phone and desktop operating systems support IPv6 natively. When the major ISPs upgrade to IPv6, all the ones I've seen give globally unique and routable addresses.

However, having a directly addressable IPv6 implementation doesn't mean everyone can access your computer. Firewalls can still block connections that you haven't initiated. It's still better to use IPv6, because the vast address space makes network management much, much easier.


To NAT or not to NAT

> However, having a directly addressable IPv6 implementation doesn't mean everyone can access your computer. Firewalls can still block connections that you haven't initiated. It's still better to use IPv6, because the vast address space makes network management much, much easier.

While it is true that you can firewall IPv6 addresses to stop direct access, NAT (OK, SNAT) has the feature of being client-only by default. In a NAT environment it is difficult to actually make it possible for the BBI (Big Bad Internet) to gain access to your system, whereas with IPv6 directly routed but screened by a firewall you're dependent on the correct configuration of the FW, so it tends to be open by default with an option to guard the door.

There are lots of things which will work better by not having to fight with NAT, but security has been a very big unintended benefit to the world using NAT.


Re: To NAT or not to NAT

> There are lots of things which will work better by not having to fight with NAT, but security has been a very big unintended benefit to the world using NAT.

Right up until UPnP arrived :)

With any firewall, unidirectional access is pretty much a basic function which you should be able to do with or without sNAT.

Len

Re: To NAT or not to NAT

Even the most basic firewall will provide much better security than NAT ever will. Just because it has an unintended side effect of breaking your internet connection doesn't mean that NAT can be relied on for security. If you depend on NAT instead of a firewall for your security you should expect to be wide open to the internet.

hmv

Of course the original plan was that all private networks would use globally unique addresses to avoid the situation where two private networks get a private link to each other and realise they're both using the same set of addresses.

The more layers of NAT you deal with, the more of a bletcherous obscenity it seems.

Anonymous Coward

I P v 6. . . i s. . . d i g i t a l l y. . . *s i g n e d*. . . e v i d e n c e

whilst IPv4 might or might not be from a certain MAC address at a certain ISP at a certain time, and the plod can get a warrant to release the ISP IPv4 allocations. . .

I P v 6. . . i s. . . publicly. . . viewable. . . d i g i t a l l y. . . *s i g n e d*. . . e v i d e n c e. . . allegedly


Re: I P v 6. . . i s. . . d i g i t a l l y. . . *s i g n e d*. . . e v i d e n c e

Except that all major OSs now support privacy extensions - I can't remember whether they have to be turned on or are the default. With them, the device will use varying addresses not tied to the MAC address.

But even without that, since the IPv6 address is a) easily manually set, and b) the MAC address can normally be changed anyway, while the IPv6 address does in theory uniquely identify a device - it's not reliable enough to be used as evidence.


"We've observed that accessing Facebook can be 10-15 percent faster over IPv6. We believe other developers will see similar advantages from migrating."

With incentives like that I prefer to remain on IPV4. In fact that would be a great idea: put all the social media, commercial, sports and porn sites on IPV6 and leave the rest of us alone to live quietly in IPV4 land.


... put all the social media,commercial, sports and porn sites on IPV6 and leave the rest of us alone to live quietly in IPV4 land

Can't fault that.


Anonymous Coward

> With incentives like that I prefer to remain on IPV4.

Don't worry. The IP header is 20 bytes longer for IPv6 - so the actual throughput "gain" from IPv6 is actually about 1428/1448 or -1.4%

Facebook has a vested interest in IPv6 as no NAT means tracking users more effectively.

Anonymous Coward

re: -1.4%

But IPv6 packets can be much bigger than IPv4, so while each one may have longer headers, there are fewer packets needed.

A bit like eating a tin of beans one at a time rather than a spoonful at a time: smaller isn't always faster.

Anonymous Coward

"Facebook has a vested interest in IPv6 as no NAT means tracking users more effectively."

Presumably IPv6 ISPs will offer NAT capability precisely to avoid that tracking. The article mentions globally routed unique addresses which are changed every day.

I will only go to IPv6 when a reasonable ISP offers that privacy. My current ISP always allocates a new customer a fixed IPv4 address - which is unnecessary for my purposes. I would have preferred it if they had an option of a dynamic one.


Re: re: -1.4%

IIRC, IPv6 won't fragment like IPv4, so if you hit a router with a pants MTU, you're worse off.

Edge case, I expect, though.

Anonymous Coward

Re: re: -1.4%

"But IPv6 packets can be much bigger than IPv4, so while each one may have longer headers, there are fewer packets needed."

That may be true for large contiguous data transfers - but depending on the protocol traffic pattern it is possible to need a lot of small packets. There is also the trade-off that the larger the packet - then the more chance of an error requiring it to be retransmitted.


While the IPv6 address is indeed longer, the actual IP header may be smaller, depending on what options are there. IPv6 has a different header structure that makes it simpler (and faster) to parse. So the throughput may actually be better.

Len

What you're looking for is not IPv6 NAT, that would be pointless and would actually limit your full use of the internet. What you're looking for is Privacy Extensions (https://tools.ietf.org/html/rfc4941). That is done on the OS level and most big operating systems support that. Many have it on by default.

Essentially it means that your OS will change its internal IP address every so often (every 24 hours?) so any outside observer can't track to see if it's the same machine or a different one. As an end user you don't notice this at all, just like you don't notice DHCP addressing, it just works.

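The address types from the "Directly addressable" reply and the privacy extensions discussed just above, as an added example that is not code from any poster: a stable SLAAC address embeds the MAC (modified EUI-64, so the MAC can be read straight back out of it), while an RFC 4941 temporary address in the same /64 carries a random identifier and leaks nothing. The prefix 2001:db8:1:2::/64 and the MAC are constructed values.

```python
import ipaddress
import secrets
from typing import Optional

# Address scopes named in the thread, as explicit prefixes rather than
# ipaddress's is_private, which lumps several ranges together.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
MULTICAST = ipaddress.IPv6Network("ff00::/8")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope(addr: str) -> str:
    """Classify an IPv6 address as link-local, unique-local, multicast or global."""
    a = ipaddress.IPv6Address(addr)
    for name, net in (("link-local", LINK_LOCAL), ("unique-local", UNIQUE_LOCAL),
                      ("multicast", MULTICAST), ("global", GLOBAL_UNICAST)):
        if a in net:
            return name
    return "other"


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC (RFC 4291)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])  # splice ff:fe into the middle
    iid[0] ^= 0x02                                    # flip the universal/local bit
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable SLAAC address: the /64 prefix plus the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def temporary_address(prefix: str, iid: Optional[int] = None) -> ipaddress.IPv6Address:
    """RFC 4941 temporary address: same /64, random identifier, u/l bit cleared."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed in a /64 prefix")
    if iid is None:
        iid = secrets.randbits(64)
    iid &= ~(1 << 57)  # bit 0x02 of the first identifier byte = "locally administered"
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits are a modified EUI-64, else None."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = bytearray(low.to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    # Constructed values: documentation prefix and a made-up MAC address.
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"
    stable = slaac_address(prefix, mac)
    temp = temporary_address(prefix)
    print("stable   ", stable, "->", mac_from_address(str(stable)))
    print("temporary", temp, "->", mac_from_address(str(temp)))
    for a in ("fe80::1", "fd12:3456::1", "ff02::1", str(stable)):
        print(f"{a:40} {scope(a)}")
```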

It's not just the packet size but how efficiently it's routed and packets reassembled. On top of that, IPv4 traffic might end up tunnelling over IPv6 so it's not necessarily beneficial to be using it between 2 random points on the internet. And for particular scenarios such as IPTV, live streaming it can be more efficient because multicasting is more flexible than in IPv4.

That said, IPv6 is a horrible protocol from a human standpoint.


This idea that, by remaining on ipv4 and letting other services make the move, you somehow make your ipv4 service faster/less congested is entirely bogus.

Who is using physical instances to provide any of these hops in question? It is logical interfaces on the same physical infrastructure. You have a choice: use NAPT44 or go with ipv6 and no NAT whatsoever. Facebook are saying the latter gives better performance. Remove a layer4 service mid hop and your end to end performance improves, seems plausible.

Anonymous Coward

Re: re: -1.4%

Isn't that the job for Jumbo Frames?

Oops, never mind, I just read the thing on Wikipedia. IPv6 can have packets of 4GB minus 1 byte (if anybody is crazy enough to try it).

Jumbo Frames carry 9KB at best.

Carry on...


It's easy to track users already. They don't need IPv6 to do it.

Anonymous Coward

Re: re: -1.4%

> IIRC, IPv6 won't fragment like IPv4, so if you hit a router with a pants MTU, you're worse off.

Minimum MTU for IPv6 is 1280 bytes. Most software is written to assume an MTU of 500 bytes, and most equipment can handle at least 1492 bytes.

I'd say the router with the "pants MTU" would soon be replaced if it stopped working due to these requirements.


Re: can be 10-15 percent faster over IPv6.

I expect that speed boost will only be true so long as there is such disparity in adoption rates. The closer they get to 50:50 the less the differential, and once IPv6 starts taking over, it will be slower. Maybe the CFO is willing to be an early adopter, maybe he wants to wait.


Ineffective until there are some carrots involved

I hear claims all the time that IPv6 accounts for 30-40% of an ISP's traffic when dual stack is enabled. The reality is that 30-40% of the traffic is just a few big sites (Facebook, Google). Wider adoption is still miles off, and brings little advantage.

Until there is some reason to get your website IPv6 capable, IPv4 will remain - why would any sensible company fund a project without any tangible benefit. (For mega scale, simply address space management is a good enough reason. For small scale, not so much!).

The only way I see any rush to adoption happening is if google starts including IPv6 reach-ability in the search rankings.

On the "Showing everybody your address space" silliness, if you want to carry on NAT'ing traffic, well, there are plenty of firewalls, load balancers and proxies which will very happily allow you to do this for IPv4 and IPv6.

Anonymous Coward

Re: Ineffective until there are some carrots involved

Not necessarily. With 'always on' connections like ADSL the end user now has, effectively, a static IP address. When a new ISP (or a large growing one) cannot get any more IPv4s allocated they will have to start putting new subscribers on to IPv6 only.

When that happens you may well find that your IPv4 server is not accessible. As that number increases then if you want those clients to access your server you will need to be IPv6 capable.

Anonymous Coward

Re: Ineffective until there are some carrots involved

This will never happen because of IPv6 to IPv4 translation. It is only a problem the other way round.

Anonymous Coward

Re: Ineffective until there are some carrots involved

"This will never happen because of IPv6 to IPv4 translation."

... is actively worse than NAPT44. Trying to fit a 128-bit address into 32 (IPv4) +16 (port) bits of NAPT mapping does not work at all well. It can't even map the whole 64 bits of routing segment from an IPv6 onto the generated IPv4.

"It is only a problem the other way round."

Quite, the problem is entirely on the operators who decide to stay with IPv4-only networks. Paying through the nose for ever more expensive IP and NAT machinery. Good luck to them.

ISPs who do that cut their clients off from hundreds of networks already, some of them CDN networks. Users finding themselves needing IPv6 sites churn away to other providers with better working networks.

Server operators who do that, well, the 8% users (and growing exponentially year-on-year) of the Internet do not care enough about your non-responsive server to bother visiting twice. There are plenty of alternative sites and Facebook, YouTube, Google etc work fine on IPv6.


Where are theregister.co.uk's AAAA records?

> With IPv4 addresses just-about-depleted worldwide, Facebook has penned a post telling websites to roll out the protocol, if they haven't already.

This is referring to The Register, right? Or is your infrastructure too precious to risk changing the IP version? And if your infrastructure is too precious, what does that say to people who do actual work?


Re: Where are theregister.co.uk's AAAA records?

It's on the to-do list after https.


Re: Where are theregister.co.uk's AAAA records?

After https? So IPv6, which is useful, is lower priority than a trendy figleaf?


> We've observed that accessing Facebook can be 10-15 percent faster over IPv6

Maybe that's because hardly anyone is doing IPV6 lookups at the moment...

Anonymous Coward

I don't think that's the reason, in itself, but the fact that only 1% of their users are using IPv6 means that those servers are more lightly loaded.

Len

That's not correct. Facebook only has IPv6 servers, they removed IPv4 from all servers some time ago. Internally they only use IPv6 (both on servers and on desktops) because they ran out of RFC1918 addresses!

This is quite a good presentation about their network structure: http://www.internetsociety.org/deploy360/blog/2014/03/facebooks-extremely-impressive-internal-use-of-ipv6/

They translate IPv6-only to Dual Stack (IPv6+IPv4) at the network edge for legacy IPv4 users.

Anonymous Coward

> They translate IPv6-only to Dual Stack (IPv6+IPv4) at the network edge for legacy IPv4 users.

That fact makes a complete mockery of the frequently-heard claim that IPv6 and IPv4 are completely incompatible.

Anonymous Coward

Where are you getting that "1%" figure from? Google stats show more than 8.5% of end users being IPv6 now and it's hard to believe they get such a different cross-section of users than Facebook.


There's begillions

There's so many addresses that there's no need for NAT'ing unless it's for security reasons. To put it in perspective my company currently has 512 public ipv4 addresses. We have recently received our ipv6 allocation and (I'm on the train so can't remember the exact number) we've got north of a trillion trillion IP addresses. With that many IPs we can have one for every server. So there's no need to use the private space ipv4 addresses. Each server can have its own public IP address.

Anonymous Coward

Re: There's begillions

Except the "trillion trillion" addresses is false, because the designers of IPv6 decreed that you must use a /64 for each subnet; and no network engineer in their right mind would put more than 1000 servers on a single broadcast domain (250 would be a better limit)

So your /48 of IP addresses is really 65536 subnets, and if you put an average of 250 machines on each subnet, that's about 16 million usable addresses.

Don't get me wrong - that's still more than plenty for most uses. But it's not the "trillions" that people imagine.


Re: There's begillions

Do you have to configure a /64 as a routed subnet?

Are you sure you can't be more granular than that?

This would appear to contradict that point of view.


Re: There's begillions

Except it is true. We do have that many IP addresses. I never said how we'd use them but all 633,825,300,114,114,700,748,351,602,688 IPv6 addresses are ours to use as we like.

I was just quoting the number to make a point about how many more addresses there are on IPv6 compared to IPv4, which will mean every server should be able to have a publicly routable address, in answer to the OP's question.


Re: There's begillions

You can subnet a /64 but lots of things won't like it. Most won't care and if you're up for static assignments for servers, it does make sense. The default assumption is that your device's hardware MAC address fills up the lower 64 bits so you need the top 64 bits as a /64 network address.

I've tried to explain the IPv6 world as a /64 is much like a Class C /24 where everything on the network can talk directly to everything else. The /56 or /48 that your ISP may hand out is much like a Class B /16 where it's split inside into Class Cs. The /32 that ISPs get are more like the old Class A /8 where you have enough infrastructure that major parts are dual homed differently. At least a /56 can hit the global BGP tables so if your ISPs let you, you can broadcast parts of their blocks to your other ISP, which is something very few would ever even consider in the days of IPv4 /24s.


Re: There's begillions

The number you are citing is 2^99, meaning you got one 2^-29 = 1/(500 million) of the whole address space. Sure about that? If so, the address space is being wasted in the bad old IP4-ish manner.


Re: There's begillions

> Do you have to configure a /64 as a routed subnet?
>
> Are you sure you can't be more granular than that?

That link you gave was too long for me to read (quickly) but from what I understand, you could * use a smaller subnet but it's definitely not recommended. The problem is that ipv6 lets you do some neat automatic configuration at the "single user end LAN" router but only if the address space it's managing is /64. If your LAN space is smaller than that then the Stateless Address Auto Configuration (SLAAC) mechanism won't work. Basically you will want to use SLAAC even though technically you don't have to.

* ipv6 routing tables aren't significantly different from ipv4. You can still, for example, put in arbitrary static routes, but it's not the "ipv6 way".

* edit: just to add another explanatory note, ipv6's natural subnet size is /64, while they define /56 as being for "Minimal end sites assignment". So (to keep things really simple) ignoring any special address spaces carved out of the global address space, there are up to 2**56 different "end sites", each of which can have 2 ** (64-56) = 256 subnets, each of which can have up to 2 ** (128 - 64) individual hosts.


Re: There's begillions

There's an RFC all about /64: http://tools.ietf.org/html/rfc7421

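The arithmetic behind the "There's begillions" exchange (the quoted address count, the 65536 /64s in a /48 and the 2^99 observation), as an added example that is not from any poster: it recovers the prefix length a quoted count implies, sizes an allocation in /64 subnets at the 250-hosts-per-subnet density used above, and lists subnets without materialising them. The documentation prefix 2001:db8::/32 is a constructed stand-in for the company's real allocation.

```python
import itertools
import ipaddress
from typing import Dict, List

SPACE = 2 ** 128  # the whole IPv6 address space


def allocation_summary(prefix: str, hosts_per_subnet: int = 250) -> Dict[str, object]:
    """Address count, /64 subnet count, share of the space and hosts at a density."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("assignments are /64 or shorter; anything longer breaks SLAAC")
    subnets_64 = 2 ** (64 - net.prefixlen)
    return {
        "prefix": str(net),
        "addresses": net.num_addresses,  # 2 ** (128 - prefixlen)
        "subnets_64": subnets_64,
        "share_of_space": net.num_addresses / SPACE,
        "usable_at_density": subnets_64 * hosts_per_subnet,
    }


def prefix_length_from_count(count: int) -> int:
    """Turn a quoted address count back into the prefix length it implies."""
    if count <= 0 or count & (count - 1):
        raise ValueError("an IPv6 block always holds a power-of-two number of addresses")
    return 128 - (count.bit_length() - 1)


def first_subnets(prefix: str, n: int, new_prefix: int = 64) -> List[str]:
    """The first n subnets of the given size, without enumerating all of them."""
    net = ipaddress.IPv6Network(prefix)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=new_prefix), n)]


if __name__ == "__main__":
    quoted = 633_825_300_114_114_700_748_351_602_688  # figure quoted in the thread
    plen = prefix_length_from_count(quoted)
    print(f"{quoted} addresses is a /{plen}")
    for p in (f"2001:db8::/{plen}", "2001:db8::/48", "2001:db8::/56"):
        s = allocation_summary(p)
        print(f"{s['prefix']:>16}: {s['subnets_64']:>12} /64s, "
              f"{s['usable_at_density']:>14} hosts at 250 per subnet, "
              f"1/{round(1 / s['share_of_space'])} of the space")
    print(first_subnets("2001:db8:abcd::/48", 3))
```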

Nat as a security measure

This is a pretty much false assumption. NAT does not make anything more secure, as you can achieve about the same effect with firewalling. NAT and especially all the associated kludgery of applications trying to traverse NAT, makes the whole setup much more complex and hence insecure.

Anonymous Coward

Re: Nat as a security measure

"NAT does not make anything more secure, "

NAT makes for better privacy. The use of IPv6 without any NAT is likely to make each device in your site uniquely identifiable by its global address.

IPv4 NAT with PAT makes an external network capture very difficult to correlate with an internal device. Only the router/firewall doing the address/port translation knows which of the many temporarily assigned ports on one external IPV4 address - are mapped to which internal device's local IPv4 address.


Re: Nat as a security measure

Also as NAT often goes hand in hand with PAT on a router, generally the set up to allow access to a server with a private IP via NAT specifies the port to allow it on.

It is much easier to accidentally open up access to a single IP (IPv6) from public and not open up a single port.

Also from a firewall point of view the separation between your private/trusted network and your public network is defined and obvious from the network address space. Without NAT and pure public addresses you must ensure you are using the interfaces correctly on your firewall to segregate the traffic. With a simple two interface firewall that is not a problem. However when you have multi-DMZ using a mix of physical and virtual interfaces and semi trusted zones there is more room for a misconfiguration.

Sure anyone dealing with high end firewalls will have a good ITSM procedure configuration testing etc, but a busy IT team with no specialists and multiple configurators can make mistakes.

Len

Re: Nat as a security measure

The default use of IPv6 on most operating systems uses RFC4941 Privacy Extensions so your device will not have a uniquely identifiable global IPv6 address.

Anonymous Coward

Re: Nat as a security measure

"NAT makes for better privacy. The use of IPv6 without any NAT is likely to make each device in your site uniquely identifiable by its global address."

False.

What you are thinking of as "privacy" is use of RFC1918 address space. This is actually a designed in feature of IPv6 (fd00::/7 and fe80::/16 addresses) which was back-ported to IPv4 several decades ago.

* In IPv4 the only way to get use of it is with a NAT44 translating between the private and public addresses.

* In IPv6 every machine is allocated with at least one of these addresses alongside one static global address, and a /64 subnet of alternative addresses that it can pick and choose from

A single slip-up in the NAT device, router, or the application layer software and the "private" address gets sent out to the global network. Correlate with the global NAT'ed IP and goodbye privacy. That's three points of weakness.

The private IPv6 address is completely private. Routers are hardwired not to transfer the fe80 ones outside the subnet, or the fd00/fc00 ones to a global uplink. The /64 used for IPv6 address randomisation when making client connections globally provides far better privacy than an IPv4 NAT will ever be able to achieve. Software all the way up to the application layer, if it looks up the IP address, gets informed of the end-to-end IPv6 address applicable to the connection. Be that the private one for LAN connections or the global IP for Internet connections. No weak points.

"IPv4 NAT with PAT makes an external network capture very difficult to correlate with an internal device. Only the router/firewall doing the address/port translation knows which of the many temporarily assigned ports on one external IPV4 address - are mapped to which internal device's local IPv4 address."

"very difficult" takes on a whole new meaning when every UDP packet, and every TCP connection has a unique IPv6 source address, and potentially a unique IPv6 destination address as well. Even when the same two client and server are talking. IPv4 more private? lol.

Additionally the IPv4 NAT device in the middle retains records of the mappings. This makes it the weakest link. It can be queried later for info about what mappings were used by which client IP, to access a given server. Think about that in context of NAT444 (carrier NATs for ISP operators) and recent laws enacted worldwide.

NAT-busting is the name for the techniques used to find active mappings in a NAT device and gain access to an internal client device by pretending to be the remote server it was talking to on an earlier NAT session. It also works from outside with the right tools. More secure? heck no.

Consider this: the static IPv6 address (of the server) is used to find the server in the first place, after which it is up to the software whether to re-use those IPv6 addresses or make a new connection from a randomly generated server private IP to the client's current private IP. They can both swerve off into connections with private endpoint IPv6 addresses, TCP connections moving randomly around address space as the IPs change. Add strong encryption on top of that and it should be clear IPv6 offers privacy and security of a kind even Tor users can only dream about in IPv4-only networks.


Re: Nat as a security measure

NAT may have the side effect of providing a little more privacy in some situations, but within any particular session (and these can be pretty long-lasting) each browser probably provides more than enough information for tracking even if you have an ad-blocker installed.

For Facebook this is irrelevant as you're logged in anyway.
