Re: Meanwhile
I don't like IP6, it seems to ignore too many real-world problems.
Such as?
Well, that took a while. Eighteen years after the IETF brought us IPv6 as an answer to then-looming-now-upon-us IPv4 address exhaustion, the Internet Architecture Board says: no more. Getting IPv6 into the field has been a long, slow slog. According to Google, IPv6 carries just 14.6 per cent of search requests to the web giant …
"Such as?"
Legacy kit that's still being used, still making money, and replacing it is simply not an option. Perhaps it's custom kit meaning replacing it is super-expensive and not guaranteed to work.
How does IPv6 deal with IPv4-single-stacked legacy kit that simply will not go away? Basically, they're STUCK on IPv4 for good or ill. IPv6 is not an option because their legacy kit cannot be upgraded or replaced. This represents a noticeable chunk of the Internet, and IPv6 threatens to leave them behind.
Oh, BTW, Walmart still sells VHS tapes because some people are really, REALLY incapable of understanding ANYTHING newer. Even DVD recorders (the closest analogues) confuse them. They want their VCRs, thank you very much. They'll raid secondhand stores to keep using VCRs, and they'll die before giving them up.
So, it seems the one "real-world" problem that IPv6 "ignores" is that it isn't IPv4.
"How does IPv6 deal with IPv4-single-stacked legacy kit that simply will not go away? Basically, they're STUCK on IPv4 for good or ill."
That kit can carry on happily communicating with all the other kit in the world that will still support IPv4. How does IPv6 affect this in any way whatsoever? IPv4 addresses have run out, so the alternative would be... err, no more world-routable devices.
Last time I looked at those available via the likes of PC World (okay, sample size of one, and a few years ago), they relied on IPv4 and if they supported IPv6 at all, it was either via 6to4 gateways or instead of IPv4. Which is not much use with ISPs such as the aforementioned less-cheap more-techy one.
Has the situation changed much?
I've seen some labelled "IPv6 ready". Unfortunately, that looked just a little too much like televisions labelled as "HD Ready", and as I didn't need anything like that at the time…
(The one which I'm using isn't claimed to be IPv6-ready. I'm only actually using it as switch and AP anyway as I usually find that these things are insufficiently configurable, particularly in the firewall department.)
Every single consumer-level DOCSIS 3.x device I've seen in the last three years has supported IPv6. All of them. All consumer router/WAPs which have 802.11ac also support IPv6, or at least all that I've seen. The very first router/WAP which supported 802.11n that I saw didn't support IPv6. All subsequent ones have.
Your mileage may vary.
It depends per country I guess, but in some, consumer routers are indeed set up with IPv6 in mind. I see the same with my broadband (cable) provider (Ziggo). However, those scenarios also clearly show why this IPv6 adaptation is such a mess: it has never been about co-existence (well, maybe now) and that is in my opinion a major issue.
For example: my IPv6 router (WAN side) only spits out IPv4 addresses on the LAN side. So obviously my browsing is mostly done with IPv4. Even 'whatismyipaddress.com' shows me using IPv4.
That's... kinda how it works even if ipv6 *was* being distributed on your LAN side.
For all the internal LANs where IPv6 is being offered by a DHCP server, IPv4 is also being dished out, as some devices do not support it. This is the correct way for it to function; you may have to enable IPv6 DHCP manually on the LAN side in most cases, if it even supports that. (The Drayteks I use do, some of the TP-Links do on the LAN side, some WAN only though.)
Try http://ip6.me for a true test; I wouldn't rely on whatismyip.com to accurately report your IPv6 WAN IP address.
"Even the cheapest TP-Link ADSL / Cable (FTTC capable) offering proudly boasts an 'ipv6 ready' sticker on the box nowadays. No excuse."
Oh, you're offering to buy me a new router then, at least as good as the old one was...? Because it's working just fine, and it's not going anywhere any decade soon...
If your router is so old that it doesn't support IPv6, as traffic speeds increase, it's going to start choking from sheer volume. I was forced to replace a DI-604 because it kept rebooting. It was made during the WEP era and WPA (not 2) was a little too much for it. If your router has wireless support, you may need 802.11ac support for newer wireless devices (I'm talking laptops, phones, tablets, and other portable gear, not IoT) to keep wireless data rates up (this was why I switched to my current Netgear--it supports ac, my last one only went to g).
A project has been started to get rid of several internal network segments still using public IP addresses (yes, there were idiots in the past too) and it was quickly brought to a halt by a dozen IBM Notes/Domino servers running important applications nobody would like to touch right now. It also happened twice in my career to stumble upon an old, no longer maintained application whose license was tied to ... why yes, the IP address of the server. Trying to find someone who will write an application for you and pay him a hefty sum of money just for the sake of IP addressing? No, sirree!
So there you have it: IPv4 will be with us for a while whether we like it or not, so those high priests of IPv6 should better start working on some sort of NAT or translation gateway that will do the job.
A migration to IPv6 in a large company is costly, risky, disruptive and brings no value to the business. Try and go tell your CFO you need to spend a few millions of dollars just because the public Internet is in danger of running out of IP addresses and see what you can get.
"an old, no longer maintained application whose license was tied to ... why yes, the IP address of the server."
does it have anything to do with a cert? [yeah I realize you COULD hard-code an IP address into a cert, but that's what DNS is supposed to be for...]
"does it have anything to do with a cert? [yeah I realize you COULD hard-code an IP address into a cert, but that's what DNS is supposed to be for...]"
It might be nothing to do with certs, instead the mentality that once upon a time thought it was OK to tie a licence to a MAC address, which of course was Bad News if you had a network card failure...
"We're talking about a 10 billion node public network."
There are only 4 billion possible IPv4 addresses.
Which means that you're using NAT extensively, which in turn means you need to use 8 bytes to canonically refer to anything (PublicIP+PrivateIP) and possibly more if there are multilayer NATs going on.
So why not just use IPv6 and be done with the kludges?
"Deal with it." The mantra of the Daily Mail commentard. Along with putting "Fact." at the end of every opinion.
DNS worked out great, didn't it? I'm being unfair. In principle, a great idea; in practice, poorly implemented, with all the hijackings and poisonings.
Anyway, I like dotted quads. They're kind of friendly, and the dots are there to separate number groups, which are always there. I like MAC addresses too. They're logical and they have separators between numbers which are always there. They exist at a different level to IP addresses - this is OK in my world-view - it's how it should work. They use different delimiters - this is helpful in immediately recognising what kind of a number you are looking at. And then there's all the "Unicast-prefix-based multicast address format" and "Solicited-node multicast address format".
I'm not opposed to IPv6, don't get me wrong. I recognise IPv4 depletion is a serious issue. But I think they tried to do too much with it, muddied the waters, and made it unfriendly.
"Anyway, I like dotted quads. They're kind of friendly, and the dots are there to separate number groups, which are always there."
Amen!
"I'm not opposed to IPv6 <snip> But I think they tried to do too much with it, muddied the waters, and made it unfriendly."
Double Amen!
IP6 is just too unwieldy for mortal use. Sure, it's the cat's meow in a fully automated, integrated, updated network where the network admins get to stare at a wall of 70" screens in the NOC. But for those of us who still frequent dusty closets where network switches share space with electrical breaker panels and old phone line splice boxes, it seems like far too much overkill for our simple needs. Honestly, IP4 with 1 or 2 added octets would seem like a far better answer while still being relatively easy to remember. Everybody says "oh, that's what DNS is for." Yeah, because we know DNS never breaks or goes down. Until it does go down and you can't remember what the frikking 16-octet IP6 address is for the DNS server to connect to it. Buggers.
So you just keep a couple backup numbers for when you need it, like:
(Google)
2001:4860:4860::8888
2001:4860:4860::8844
(OpenDNS Sandbox)
2620:0:ccc::2
2620:0:ccd::2
(Verisign)
2620:74:1b::1:1
2620:74:1c::2:2
Note that thanks to IPv6 address shortening, these addresses aren't really all that long. The Google ones are even all-numeric and only 16 digits total: not much more than the 12 you may end up using with IPv4. Even if you can't keep these in your head, a quick scribble on a piece of paper slipped into your wallet or phone makes for a handy note in case you need it.
See, IPv6 does try to accommodate. And as for keeping the local DNS address for when you need it, don't they keep the notes handy by the access terminal? I figured anyone who's had to configure the DNS and so on would keep a hard copy nearby.
"Try and go tell your CFO you need to spend a few millions of dollars just because the public Internet is in danger of running out of IP addresses and see what you can get."
Simple. Tell the CFO (and the board, for that matter) that future customers WILL (not may, WILL) be IPv6-ONLY. IPv6-only customers can't talk to IPv4-only servers. Meaning unless they want to lose customers (and with it, business), they better plunk down.
Try and go tell your CFO you need to spend a few millions of dollars
That's obviously arse about face and is unlikely to get approval.
The general way to get IPv6 in a company is via the whole unified communications malarkey so the phone call can be shit either out of the phone or via a headset attached to the PC. CFOs love the potential savings associated with getting rid of their PBXs. In Germany at least the approach has been coordinated to some degree by the governments so there are tax sweeteners and jobs for the techies. Everybody's happy. Well, except the makers of PBXs and PCs.
As for IPv6 being "utopian crap", while that's partly true, it's still better than yet another IPv4 kludge, and if there are no serious steps taken to migrate then no one is going to bother writing improvements (of which there have been several) unless there is take-up. Dual-stack is a well-understood stop gap for legacy systems. Consumer stuff will be led by mobiles and TVs to the IPv6 world.
Re: "Dual-stack is a well-understood stop gap for legacy systems."
Well, the basic operating principles are well understood; however, I suggest we have some way to go before we can be sure about security. It would not surprise me if we see more attacks that use a combination of IPv4 and IPv6 to exploit cross-stack vulnerabilities.
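One concrete check a dual-stack operator can run today, as an added example rather than anything from the post: compare a host's IPv4 and IPv6 filter rulesets for parity, since a service filtered on one stack but left open on the other is reachable regardless of how tight the other stack looks. Both rule dumps below are constructed in iptables-save / ip6tables-save syntax and describe no real host.

```python
"""Parity check between a host's IPv4 and IPv6 filter rulesets: report every way the
two stacks disagree about what may reach the host. Added example for this thread;
the two dumps are constructed samples in iptables-save / ip6tables-save syntax."""
import re

# Constructed IPv4 ruleset: INPUT defaults to DROP, only SSH and HTTPS are opened.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# Constructed IPv6 ruleset on the same host: never hardened, default policy still ACCEPT.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+) (ACCEPT|DROP|REJECT)")          # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-A (\w+) .*?-p (\w+) .*?--dport (\d+) .*?-j (\w+)")


def parse_save(dump: str) -> tuple:
    """Return ({chain: default policy}, {(proto, port) explicitly ACCEPTed in INPUT})."""
    policy, accepted = {}, set()
    for line in dump.splitlines():
        if m := POLICY_RE.match(line):
            policy[m[1]] = m[2]
        elif (m := RULE_RE.match(line)) and m[1] == "INPUT" and m[4] == "ACCEPT":
            accepted.add((m[2], int(m[3])))
    return policy, accepted


def parity_report(v4_dump: str, v6_dump: str) -> list[str]:
    """Findings, one per line; an empty list means both stacks are filtered alike."""
    v4_policy, v4_open = parse_save(v4_dump)
    v6_policy, v6_open = parse_save(v6_dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if v4_policy.get(chain) != v6_policy.get(chain):
            findings.append(f"{chain} policy differs: IPv4={v4_policy.get(chain)} "
                            f"IPv6={v6_policy.get(chain)}")
    if v6_policy.get("INPUT") == "ACCEPT":  # the classic forgotten-stack failure
        findings.append("IPv6 INPUT defaults to ACCEPT: every port not explicitly "
                        "blocked is reachable over IPv6")
    for proto, port in sorted(v6_open - v4_open):
        findings.append(f"{proto}/{port} explicitly accepted on IPv6 only")
    for proto, port in sorted(v4_open - v6_open):
        findings.append(f"{proto}/{port} explicitly accepted on IPv4 only")
    return findings
```

On the constructed samples `parity_report(IPTABLES_SAVE, IP6TABLES_SAVE)` flags the ACCEPT default on both IPv6 chains, the database port open on IPv6 only, and SSH explicitly allowed on IPv4 only.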
"A migration to IPv6 in a large company is costly, risky, disruptive and brings no value to the business. Try and go tell your CFO you need to spend a few millions of dollars just because the public Internet is in danger of running out of IP addresses and see what you can get."
Dear CFO, at some point (the timing of which is hard to predict) there will be customers and/or suppliers and/or other parts of our business that do not have IPv4 addresses because all the IPv4 addresses are in use by other people. At this point we will be losing business and/or unable to conduct business.
Prior to this point we should invest in a 21st century network architecture. Luckily all the devices we've bought in the last few years, and all new equipment we buy in the future, already support a thing called IPv6, but we need engineering time to deploy this and budget to buy new equipment to replace the obsolete stuff we currently use.
Please add this into the budget, or put it in the risk register together with your reason for delaying.
Yours,
Technical Manager
"Dear CFO, at some point (the timing of which is hard to predict) there will be customers and/or suppliers and/or other parts of our business that do not have IPv4 addresses because all the IPv4 addresses are in use by other people. "
This is already happening. Large chunks of SE Asia are only getting onto the Internet (IPv4) via CGNAT gateways and you can't connect to their systems/resources (which is important when doing some kinds of transaction control).
Of course those same areas of the world generally have ISPs who will look at you like you just sprouted a second head when you ask for an IPv6 /48.
Dear CFO.
According to new research, that point was actually reached several years ago.
Customers in Southeast Asia (major growth market that includes China, Japan, and South Korea) are FORCED to use IPv6 due to lack of IPv4 allocations on that continent. Without an IPv6 setup, this growth market will be unreachable, and I've also read that our competitors are either deploying IPv6 or already have, meaning we are currently late to react: a development that may not sit well with the investors. Further delay is likely to draw their attention.
Yours, Technical Manager
Dear Technical Manager,
re: "According to new research, that point was actually reached several years ago."
Please detail the impact this has had on our business, as surely if what you say is correct our existing customers from these regions would be unable to access our website and place orders. Likewise, since we email invoices to our customers, we would be unable to invoice these customers.
re: " we need engineering time to deploy this and budget to buy new equipment to replace the obsolete stuff we currently use.
Please add this into the budget, or put it in the risk register together with your reason for delaying."
I thought you were responsible for managing engineering time, IT budgets and the risk register; if you are having difficulty, I'm sure we can recruit someone with an MBA to help out.
CFO.
@AC
A project has been started to get rid of several internal network segments still using public IP addresses (yes, there were idiots in the past too)
Nothing wrong with using your own public IPs internally. That's how things were originally intended to work. RFC 1918 just means we can make much better use of the available public addresses; typical orgs do not need /8s or /16s any longer, a /22 would normally be plenty.
IPv4 largely works. Apparently the people involved with IPv6 designed it to not be used, and intend to keep it that way.
Beyond making a Don Quixote windmill fight against NAT a cornerstone of the protocol, they naively left the blind trust of the early Arpanet largely intact, and failed to get buy in from the major firewall vendors to get fleshed out IPv6 routing and stateful packet inspection. Need the ability to fail over promptly from one redundant/load balanced link to another? IPv4 works within limits, but IPv6 is busted by design. BGP can't propagate quickly enough, can't scale to accommodate every consumer access point on the planet, and allows any other idiot on the planet to hijack your routing if they misconfigure their routing.
In addition, with things like Apple setting up their own IPv6 peer networks, you can get failures on dual stack capable hosts where an IPv6 "Island" sets itself up and starts taking priority for traffic from the IPv4 network.
IPv4 is not, and should not, ever really go away anyway. It will live on on local networks, in virtual machines, and on legacy WAN links in government and universities. It will live on in satellites and sea radio beacons. The Internet Archive and every retro-game that only ever supported v4 deserve to live on in history. I just plan to put stronger firewall rules on them. Much the same as the firewall rules I recommend for IPv6 traffic now.
Here's hoping IPv7 or IPv8 will be less of a SNAFU.
"and failed to get buy in from the major firewall vendors to get fleshed out IPv6 routing and stateful packet inspection. "
Those "major firewall vendors" didn't exist that long ago and SPI was only just starting to be discussed.
Can I sell you a tardis?
"IPv4 is not, and should not, ever really go away anyway. It will live on on local networks, in virtual machines, and on legacy WAN links in the government and universities. It will live on in Satellites and sea radio beacons. The internet archive and every retro-game that only ever supported v4 deserve to live on in history."
I gave you an upvote, but you forgot the <Cue-Patriotic-Music> tag for that paragraph. I can almost hear George C. Scott now...
Does anyone have an example of new protocols or ideas that this might impact? Just curious, I can't think of any new protocols that I have heard of that would have been useful to me in the past decade.
Or if someone can just name some useful protocols that have come out in the past decade?
I have been doing networking for the past 16 years or so, though generally basic stuff. There is a bunch of fancy shit out there I know that has never had any value to me (e.g. TRILL -- but that is a layer 2 thing, totally independent of course of layer 3 IP).
Would HTTP/2 count as such a protocol? I suppose it would, but again I'm perfectly happy with HTTP 1.1.
Firstly, backwards compatibility with an exhausted protocol that only works due to address translation at line speed is quite a brake on connectivity.
Secondly, how about hosts with as many millions of virtual addresses as you want?
How about autonomic systems with complete self-configuring secure control planes?
How about home networks with tens of self-configuring network segments?
Just three that I thought of between two bits of bad news about the US election...
"backwards compatibility with an exhausted protocol that only works due to address translation at line speed is quite a brake on connectivity"
Ummm. This word "exhausted" that you keep using. You're looking at it from the supply side. The correct term would be "fully used". If you have potentially a few billion devices using it, can you afford not to support it? That's your problem, and I don't think I've read any reply here that proposes a solution except to ignore it or denigrate it.
"There is a bunch of fancy shit out there I know that has never had any value to me (e.g. TRILL -- but that is a layer 2 thing, totally independent of course of layer 3 IP)."
You haven't been paying attention:
https://www.ietf.org/proceedings/90/slides/slides-90-trill-2.pdf
TRILL keeps being pushed as a data centre protocol, but the reality is that it's better used as a large campus WAN/MAN one - the reason Radia Perlman created it was spanning-tree storms that took out a hospital network, caused by continued joining up of previously-isolated switch networks until the entire edifice fell over horribly.
TRILL distributed L3 gateways take away the SPOF of routers and the extreme traffic loads which can occur on router links. It's better than the Anycast L3 gateway proposal which preceded it.
Yes, it works on IPv6 as well as IPv4.
The vast majority of readers might THINK they have no use for TRILL, but as soon as you have more than a couple of switches interconnected and/or start having to use LACP, it has advantages.
Spanning Tree should never be used for networks more than 4 switches wide - the wastefulness of having redundant links sitting idle is one factor, as is the convergence time and the fact that ANY LACP link change (even to clients) will result in a spanning-tree reconvergence event. When I'm running multiple 10GB/s links around, it's not sensible to waste their capacity by having one or more sitting idle when another may be maxed out - this happens with both spanning tree and LACP.