The internet just BROKE under its own weight – we explain how

On Tuesday, 12 August, 2014, the internet hit an arbitrary limit of more than 512,000 routes. This 512K route limit is something we have known about for some time. The fix for Cisco devices – and possibly others – is fairly straightforward. Internet service providers and businesses around the world chose not to address this …

  1. N2 Silver badge

    Sadly

    Some of this traffic was attributed to the tragic death of Robin Williams - RIP.

    1. MyffyW Silver badge

      Re: Sadly

      I'm losing track of all the bad news at the moment - Ukraine, Syria, Iraq, Gaza, Ebola, Dead Comics and now a poorly Internet...

      http://www.youtube.com/watch?v=WhF7dQl4Ico

      1. Destroy All Monsters Silver badge

        Re: Sadly

        Dead Packets' Society!

        1. wolfetone Silver badge

          Re: Dead Packets' Society!

          We must get Patch Adams immediately!

    2. NoneSuch
      Thumb Down

      Re: Sadly

      "One thing I do know is that it is the job of network administrators to know about these issues and deal with them. "

      I would say the hardware vendors and the folks who set the standards should be lined up against the wall before the admins. If there is a 512K limit then it should be made into a circular list. As new usage routes come online, the ones that have not been used the longest get dropped. Keeping a list of dead router paths serves no purpose and is the real flaw in the system.

    3. Anonymous Coward
      Anonymous Coward

      Re: Sadly

      ...because he choked on it? A very sad case of under-planning :(

    4. Jonathan Richards 1

      Re: Sadly

      Eh?

      As I understand it, this isn't a traffic issue, it's about the number of routes that a Border Gateway Protocol device must keep in its routing tables. There are now more than 512K routes, i.e. links between Autonomous Systems, on the Internet, breaching another one of those arbitrary limits which someone set *ridiculously, humungously huge* way back when your operating system ran from a 5.25" floppy disk.

      If device operators are lucky, then increasing the routing table size is just a configuration issue (for values of 'just' involving taking down your network), otherwise they may have actually to replace the physical devices.

  2. WraithCadmus
    WTF?

    The internet is full

    For years I've been glibly saying "the internet is full" as a reason for random outages, or why I can't field a call at a given moment.

    It's drained the colour from my face to find out it actually happened.

    1. Trevor_Pott Gold badge

      Re: The internet is full

      Obligatory Dilbert.

      1. WraithCadmus
        Happy

        Re: The internet is full

        Ha! I should have guessed it was a Dilbert thing.

        I probably heard it as a non-excuse from a BOFH on a forum somewhere and didn't know the origin.

      2. Jack of Shadows Silver badge

        Re: The internet is full

        My mother actually told a new Electronics Officer that the reason the radar display wasn't working was that all the green electrons had leaked out and she had to put some more back in. Naturally when he passed this didn't go over very well for him when he reported this to the base commander in the presence of his boss, the Operations Officer.

    2. This post has been deleted by its author

      1. Gannon (J.) Dick
        Unhappy

        Re: The internet is full

        Oh dear. I hope the Internet is not full of what GCHQ and the NSA are.

    3. Fungus Bob Silver badge

      Re: The internet is full

      "For years I've been glibly saying "the internet is full" as a reason for random outages, or why I can't field a call at a given moment."

      For years I've been saying "the internet is like Bangladesh - every now and then bits of it wash away for no reason" to explain random outages.

      1. Marvin O'Gravel Balloon Face

        Re: The internet is full

        Can't we just remove some of the cat pictures or something?

    4. Hargrove

      Re: The internet is full

      We talk about cyberspace as though it was real, and forget that to get from point A to point B, information has to pass through real space, carried on signals that are governed by real physical limits, going through real routers and gateways, with real practical limits on bandwidth.

      There are technological ways to increase information transfer throughput. But they all cost money. And they are all subject to the same laws of mathematics and nature. Imagine what this is going to look like if governments and special interests get their stuff together and figure out a way to control and charge consumers for access to bandwidth.

    5. mark jacobs
      Coat

      Re: The internet is full

      I used to give the excuse, "there's a lot of solar flare activity at the moment" ...

  3. Duncan Macdonald Silver badge
    Flame

    IPv6 like OSI is far more complex than necessary

    Unfortunately the same sort of people who designed the defunct mess that was OSI designed the complex mess that is IPv6.

    If IPv6 had been designed by engineers (rather than by theoreticians) it would have been much less complex - just increase the size of the addressing field by 2 bytes and map all existing IPv4 public addresses to IPv6 with the 2 additional address bytes being zero. Give each country its own unique 2 byte address prefix for additional connections once the IPv4 range is used up then additional values for large countries when their first prefix is near full. If this had been done then IPv6 would be in widespread use by now. (6 bytes of addressing allows for over 280 trillion addresses - over 20,000 for every man, woman and child on the planet.)

    1. Destroy All Monsters Silver badge

      Re: IPv6 like OSI is far more complex than necessary

      Well, I guess it was a second systems effect.

      And large companies high on dotcom steroids sniffing upgrade blood.

    2. A Non e-mouse Silver badge

      Re: IPv6 like OSI is far more complex than necessary

      If IPv6 had been designed by engineers (rather than by theoreticians)

      I wonder if it was more because it was designed by committee, rather than a few engineers pouring over code and packet dumps....

      1. nematoad Silver badge
        Headmaster

        Re: IPv6 like OSI is far more complex than necessary

        "rather than a few engineers pouring over code and packet dumps...."

        Would they be pouring gravy or custard do you think?

        I imagine that you meant to say poring.

      2. DiViDeD Silver badge
        Headmaster

        Re: IPv6 like OSI is far more complex than necessary

        You know, I've never actually tried pouring an engineer over a packet dump, but if you think it'll help, I'll give it a go.

        Ummm, I guess I have to melt my engineer first, right?

        1. Trevor_Pott Gold badge

          Re: IPv6 like OSI is far more complex than necessary

          You could try sublimation. I mean, then the engineer would expand to fill his container, but he'd be a fluid, and theoretically pourable.

          1. Sorry that handle is already taken. Silver badge

            Re: IPv6 like OSI is far more complex than necessary

            At what temperature and pressure does an engineer sublimate? (or melt, for that matter?)

            I'd have thought they just pyrolyse.

            1. Trevor_Pott Gold badge

              Re: IPv6 like OSI is far more complex than necessary

              There has to be a temperature at which flash sublimation occurs without combustion. Every hydrocarbon has one...

            2. Lorentz

              Re: IPv6 like OSI is far more complex than necessary

              I considered this an interesting question, so I did the math for it.

              I now have the answer, although I'm afraid it only applies to spherical engineers in a vacuum.

              1. Swarthy Silver badge
                Boffin

                Re: IPv6 like OSI is far more complex than necessary

                So the sublimation of an engineer, without combustion, can only be accomplished after said engineer goes through a Lorentz Transformation?

              2. Anonymous Coward
                Anonymous Coward

                Re: IPv6 like OSI is far more complex than necessary

                "...spherical engineers in a vacuum."

                Worked with a few of those, well, trending towards spherical & living in ideological vacuum.

              3. DiViDeD Silver badge

                Re: IPv6 like OSI is far more complex than necessary

                "it only applies to spherical engineers"

                Well there's plenty of us around (around. aROUND. Oh, please yourselves)

    3. I ain't Spartacus Gold badge

      Re: IPv6 like OSI is far more complex than necessary

      IPv6 looks to me like a slow-motion car crash. I'm no network techie, in fact although I speak geek fluently enough to order dinner or a hotel, my only possible claim to techie-dom is water systems design.

      But for years now, I keep reading stories about how we're all going to have to go IPv6 RIGHT ABOUT NOW!!!! Well, it's usually in a couple of months' time - because someone's just found another block of v4 addresses down the back of the sofa.

      And then I read about what it can't do. Because apparently NAT smells of poo. And everything must be connected to everyone else. I wasn't aware that it would bugger up backup network connections for example.

      It's a bit like reading about the Euro crisis, for which I have enough economics to understand. A high priesthood have ordained a thing. And so it shall be done. But it can't be done. Oh, but it will be done [cue sinister voice]... It's all going to go wrong. No it isn't. Look guys, this isn't the ideal world where academics and dreamers live. This is the real world, where people fuck up, penny-pinch, cheat, or steal. It's all going to go horribly wrong.

      The only difference is the Euro-fanatics managed to just get over the line, and get their dream built before they ran out of political momentum. Just in time for it to slowly turn into a nightmare. Whereas IPv6 seems to be stuck forever in limbo.

      It makes my brain hurt. I hope all the plug and pray stuff works properly, if it ever does come in. Because I have enough trouble with home/small office IPv4 networks - and I'm never going to remember one of those huge IPv6 addresses.

      1. Destroy All Monsters Silver badge

        Re: IPv6 like OSI is far more complex than necessary

        The Tragedy of the Euro

        Where is "The tragedy of the IPv6"?

        1. Fungus Bob Silver badge

          Re: "The tragedy of the IPv6"

          As long as it is never implemented there is no tragedy.

    4. Jason Bloomberg Silver badge

      Re: IPv6 like OSI is far more complex than necessary

      The real problem is that IPv6 goes far beyond fixing the limitation of 32-bit IP addresses.

      If tasked with solving the problem I would have simply added more bytes on the left to extend global addresses and on the right to allow more local (but globally accessible) addresses.

      Of course that was far too simple but, more importantly, doesn't provide a gravy train to ride.

      1. I ain't Spartacus Gold badge
        Happy

        Re: IPv6 like OSI is far more complex than necessary

        Of course that was far too simple but, more importantly, doesn't provide a gravy train to ride.

        How exactly does one ride a gravy train, without drowning in brown liquid?

        1. Anonymous Coward
          Joke

          Re: IPv6 like OSI is far more complex than necessary

          that's not gravy, you're up shet creek looking for your paddle

        2. Phil O'Sophical Silver badge
          Coat

          Re: IPv6 like OSI is far more complex than necessary

          How exactly does one ride a gravy train, without drowning in brown liquid?

          In a gravy boat, I suppose...

        3. BongoJoe

          Re: IPv6 like OSI is far more complex than necessary

          How exactly does one ride a gravy train, without drowning in brown liquid?

          Well you can sit in or on the next carriage behind. If you can fit, of course.

          Manor house near me has tracks for its gravy train that goes into the walls courtesy of the eccentric Victorian fellow who built it and the elderly neighbour, when she was a small child and living there, used to climb aboard.

      2. dan1980

        Re: IPv6 like OSI is far more complex than necessary

        As mentioned above, the problem to be fixed (not enough addresses) is - at least conceptually - trivial to fix: add a bit more to the address length.

        This is exactly what happened in Australia (at least in Sydney and Melbourne) when the 7-digit phone numbers were not enough: they added another number. At the start, all the existing numbers just had a '9' prepended. As new numbers were needed, they started them with '8' - instant doubling of available numbers with as little pain as possible.

        Of course, this has happened in most countries and the numbers have steadily increased in size with the population. BUT, it has been done methodically and - in most cases - very sensibly and with an eye to causing as little disruption as possible.

        Whoever was responsible for IPv6 saw it as a chance to fix everything they believed to be wrong with IPv4 and to implement what is (in their view) a perfect system.

        IPv4 has a glaring problem, which is the impending exhaustion of addresses. It almost feels like we are being held to ransom - we can't get a fix for the IPv4 address problem unless we agree to replace a working system with some committee's idea of a perfect system.

        1. This post has been deleted by its author

      3. 2+2=5 Silver badge
        Happy

        Re: IPv6 like OSI is far more complex than necessary

        > Of course that was far too simple but, more importantly, doesn't provide a gravy train to ride.

        There's nothing stopping you from raising an RFC. ;-)

      4. Yes Me Silver badge

        It's really time to stop bitching about IPv6 being different

        "simply added more bytes on the left"

        Yet again I have to point out that this "simple" change would make all un-updated systems incompatible with all the new ones with bigger addresses, and therefore *all* the tricky problems of v4/v6 coexistence that we have been dealing with would have occurred just the same (dual stacks, tunnels, NAT64,...).

        Also - contrary to the article, multihoming IPv6 sites without NAT is not a problem:

        http://tools.ietf.org/html/rfc7157

        It's really time to stop bitching about IPv6 being different and just run it, already.

        1. Trevor_Pott Gold badge

          Re: It's really time to stop bitching about IPv6 being different

          Your solution is exactly the one I griped about. It is absolutely reliant on DNS to function correctly, and requires tossing out any application that can't handle on the fly readdressing or multiple IPs. You either end up facing a single point of failure in DNS or significant expense redoing virtually every single fucking application on your network.

          Worse than that, your solution isn't just regular "preserve end-to-end at all costs", you're touting DHCPv6 as the means to salvation here too! Unbelievable!

          Maybe what you've got there will work, once every single device out there supports IPv6 in a manner that complies with the RFCs in question. AND when we've all abandoned our millions of dollars worth of investment in existing applications and recoded everything to suit the New Black.

          But, being honest now, when are you expecting that to occur? How many days/weeks/months/years/decades from now will we be at the point that there are no more non-compliant devices and no legacy applications that can't deal with your preferred solution for multihoming?

          In addition to the above, please detail for me exactly how your proposed solution provides superior value for dollar and return on investment versus deploying Network Prefix Translation, bearing in mind that - as a business owner - I place the value of the ideological purity of the end to end model at exactly $0.

          Size your solution to the 80% of businesses on the planet: 50 to 250 users. Work in that for the next 20 years these companies will be running workloads on site that they will want to host to the rest of the world in a redundant fashion. Assume that these companies are not American, so they won't be using ISPs that will allow BGP on SMB accounts, and they won't be comfortable using the public cloud for everything.

          So go ahead and bottom line it for me. Where is the business case for the solution you propose? And - in dollars and cents - show me how it will benefit me versus Network Prefix Translation? Make your case well enough and I'll publish it with commentary as an article.

          Otherwise, you're just a bag of hot air, espousing dogma and presenting no real-world solutions.

          1. Anonymous Coward
            Anonymous Coward

            Re: It's really time to stop bitching about IPv6 being different

            "It is absolutely reliant on DNS to function correctly"

            Yep. As are most other correctly configured IP networking type things.

            "requires tossing out any application that can't handle on the fly readdressing or multiple IPs"

            You mean 'that has been bodged to use IP addresses instead of DNS names as good practice would dictate'.

            "DHCPv6 as the means to salvation here too! Unbelievable!"

            Sensible. Everyone and their dog uses DHCP. If you are moving to IPv6 then DHCP gets upgraded too.

            "Maybe what you've got there will work, once every single device out there supports IPv6 in a manner that complies with the RFCs in question"

            It does work. Companies like Colt have already fully deployed IPv6 on their core networks. And there are a number of ways of supporting devices that don't work with IPv6. Just because you don't understand the details, doesn't mean that others are so limited.

            "But, being honest now, when are you expecting that to occur?"

            It has already started. For the majority of uses the curve is not going to start to rise steeply for a few years yet, but it will...

            "In addition to the above, please detail for me exactly how your proposed solution provides superior value for dollar and return on investment "

            More addressing capacity and enhanced capabilities for less maintenance effort.

            "so they won't be using ISPs that will allow BGP on SMB accounts"

            That will change as IPv6 hits mainstream.

            "Where is the business case for the solution you propose"

            That the existing solution is out of capacity and that will become a rapidly increasing problem unless we do something about it.

            "I'll publish it with commentary as an article."

            Oh god help us. Why not read such an article from people who actually understand the subject? See blogs.cisco.com/enterprise/why-would-anyone-need-an-ipv6-to-ipv6-network-prefix-translator/

            "you're just a bag of hot air, espousing dogma and presenting no real-world solutions"

            Pot - meet kettle.

            1. Trevor_Pott Gold badge

              Re: It's really time to stop bitching about IPv6 being different

              So all you have to offer is dogma, religious belief and assertions. No actual functioning solutions, no value for dollar and no hard timelines. You won't even put your name to your claptrap so we can hold you to the wishy-washy tripe you shovel.

              You really are an internet hippy. Get off my goddamned lawn and don't come back until you've cut your hair and have something of value to offer.

              What's even more hilarious is that the blog you link to has the individual being interviewed agreeing with me. Network Prefix Translation is the solution that will see us through. If other solutions become universally viable, then and only then will we look at transitioning wholesale. But block-shifting from IPv4 NAT-PT to IPv6 Dogma edition is fucking batshit insane.

              Unbelievable.

            2. Fluffy Bunny
              Angel

              Re: It's really time to stop bitching about IPv6 being different

              "You mean 'that has been bodged to use IP addresses instead of DNS names as good practice would dictate'." -> this completely misunderstands the problem. Most applications do a DNS lookup the first time they encounter a network name and keep that address in memory.

              However your high-availability solution appears to change network addresses on the fly. Your application would need to do a DNS lookup every time they communicated with the outside world. Sucky.

              But more importantly, I quite like NAT, simply to keep my internal devices out of view of the great unwashed. It forms the first line of security, followed by basic system hardening and antivirus tools.

          2. Anonymous Coward
            Anonymous Coward

            Re: It's really time to stop bitching about IPv6 being different

            In Microsoft Windows operating systems, IPv4 addresses are valid location identifiers in Uniform Naming Convention (UNC) path names. However, the colon is an illegal character in a UNC path name. Thus, the use of IPv6 addresses is also illegal in UNC names. For this reason, Microsoft implemented a transcription algorithm to represent an IPv6 address in the form of a domain name that can be used in UNC paths. For this purpose, Microsoft registered and reserved the second-level domain ipv6-literal.net on the Internet. IPv6 addresses are transcribed as a hostname or subdomain name within this name space, in the following fashion:

            2001:db8:85a3:8d3:1319:8a2e:370:7348

            is written as

            2001-db8-85a3-8d3-1319-8a2e-370-7348.ipv6-literal.net

            This notation is automatically resolved by Microsoft software without any queries to DNS name servers. If the IPv6 address contains a zone index, it is appended to the address portion after an 's' character:

            fe80--1s4.ipv6-literal.net
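
The transcription described in the comment above, in both directions, as an added example (not part of the original post and not Microsoft's code). Because these names resolve without a DNS query, the last helper turns the host part of a UNC path back into a plain address so it can be matched against address-based rules in logs; the function names and sample paths are constructed for illustration.

```python
import ipaddress
import re

SUFFIX = ".ipv6-literal.net"
_ADDR_LABEL = re.compile(r"[0-9a-f-]+")   # hex groups joined by '-' ('--' stands for '::')
_ZONE = re.compile(r"[0-9a-z]+")          # zone index that follows the 's' separator


def to_ipv6_literal(address: str) -> str:
    """Transcribe an IPv6 address (optionally 'addr%zone') into its hostname form."""
    addr, _, zone = address.partition("%")
    ipaddress.IPv6Address(addr)           # raises ValueError if this is not IPv6
    label = addr.lower().replace(":", "-")
    if zone:
        label += "s" + zone               # '%' is written as 's'
    return label + SUFFIX


def from_ipv6_literal(hostname: str):
    """Return (IPv6Address, zone or None) for an ipv6-literal.net name, else None."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(SUFFIX):
        return None
    label = host[: -len(SUFFIX)]
    # Hex digits never contain 's', so the first 's' can only be the zone separator.
    addr_part, sep, zone = label.partition("s")
    if sep and not _ZONE.fullmatch(zone):
        return None
    # Rejects sub-labels such as 'evil.fe80--1' as well as '%', ':' and empty labels.
    if not _ADDR_LABEL.fullmatch(addr_part):
        return None
    try:
        addr = ipaddress.IPv6Address(addr_part.replace("-", ":"))
    except ValueError:
        return None
    return addr, (zone or None)


def unc_target_address(unc_path: str):
    """Return the literal address a UNC path points at, or None if the host is a name."""
    if not unc_path.startswith("\\\\"):
        return None
    host = unc_path[2:].split("\\", 1)[0]
    parsed = from_ipv6_literal(host)
    if parsed:
        addr, zone = parsed
        return f"{addr}%{zone}" if zone else str(addr)
    try:
        return str(ipaddress.IPv4Address(host))   # IPv4 literals are valid UNC hosts
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample paths, as they might appear in a file-access log.
    samples = [
        r"\\2001-db8-85a3-8d3-1319-8a2e-370-7348.ipv6-literal.net\share\a.txt",
        r"\\fe80--1s4.ipv6-literal.net\share",
        r"\\2001-0DB8-0-0-0-0-0-1.IPV6-LITERAL.NET\share",
        r"\\fileserver.example.com\share",
        r"\\192.0.2.10\share",
    ]
    for path in samples:
        print(f"{path} -> {unc_target_address(path)}")
```

Different spellings of the same address (leading zeros, upper case) come back in one canonical form, which is what an allow or deny list keyed on addresses needs.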

        2. eldakka Silver badge

          Re: It's really time to stop bitching about IPv6 being different

          OK, I've just started looking at that link, and right at the top I see a red flag already:

          "However, NAT and NPTv6 should be avoided, if at all possible, to permit transparent end-to-end connectivity."

          Errm, while the USER may want transparent end-to-end connectivity, the network engineer/admin may not want NETWORK level end-to-end connectivity. They may WANT to introduce things like proxy servers, which right there break your transparent end-to-end connectivity. Or how about (as my organisation does) an SSL interceptor that basically does a man-in-the-middle attack on all SSL sessions (with the exception of whitelisted known trusted sites, e.g. banks) to virus scan the stream?

          From my reading so far, it looks fairly complicated and would require someone with at least reasonable computer/network knowledge and skills. To set up multi-homed NAT IPv4? Simple, buy dual port router, hook one port to ISP one, hook second port to ISP two, enter ISPs authentication (e.g. if it's xDSL), setup complete. Multi-homed failover (or even load balancing if the appropriate check-box is ticked) and you are done.

          1. jonathanb Silver badge

            Re: It's really time to stop bitching about IPv6 being different

            I don't want end-to-end connectivity. NAT means I don't need to worry about the security of my network printer for example. Anyone on the LAN can print to it without needing a password or anything like that. That's OK, because I control who is allowed on my LAN. I don't want the whole world to be able to print to it, because it is a feature that spammers would love.

    5. -tim

      Re: IPv6 like OSI is far more complex than necessary

      The original point of the /bits notation was to steal bits from the source and destination port addresses when this problem 1st showed up in IPv4 space in 1991. So an address like 1.2.3.4/34 would use two bits from the source and destination port so from a core routing point of view, a web server might be on 1.2.3.4:80 and 1.2.3.4:32848 (0x8050=32k+80). The only software that needed changed would be the network addressing libraries (aka libresolve) and some edge routers (aka NAT). We had this working on an AGS+ in 1991 without any major changes to applications other than a bind library and a wrapper about a winsock function. The idea was to treat all routes as /24 starting then with long term migration to /32 so everyone could dual home with their own IP addresses. AT&T even built a router that could cope with 16 million routes in 1992.

    6. beanbasher

      Re: IPv6 like OSI is far more complex than necessary

      Does anyone else remember the saying that a camel was a horse designed by a committee.

      1. LDS Silver badge

        Re: IPv6 like OSI is far more complex than necessary

        But a camel works very well in the environment it was designed for by evolution, and where no horse would survive. It could look ugly, but it's a good design.

        1. Trevor_Pott Gold badge

          Re: IPv6 like OSI is far more complex than necessary

          And IPv6 works very well for the places it was designed: Academia, test labs and enterprises with more money than small nations.

          It should also be noted that the Camel is ill suited - and non-present - in the majority of the world, where the Horse was the animal that prospered...and ultimately diversified to fill a great many horse-shaped ecological niches. (Though we could get into a good debate about three-toed versus two-toed ungulates here...)

          1. TheVogon Silver badge

            Re: IPv6 like OSI is far more complex than necessary

            "And IPv6 works very well for the places it was designed: Academia, test labs and enterprises with more money than small nations."

            So just like where IP v4 came from then...

          2. Pookietoo

            Re: the Camel is ill suited

            It's done rather well in Australia, I hear.

      2. Yes Me Silver badge

        Re: IPv6 like OSI is far more complex than necessary

        " camel was a horse designed by a committee."

        Actually, the camel was selected by evolution because it is very well suited to living in a desert where sources of water are few and far between. So it's a pretty good design for its environment, and the complexity compared to a horse adds value.

        If you were stuck in the desert, would you rather see a horse or a camel approaching?

        The analogy with IPv6 is perhaps not so bad.

        1. Trevor_Pott Gold badge

          Re: IPv6 like OSI is far more complex than necessary

          "If you were stuck in the desert, would you rather see a horse or a camel approaching?

          The analogy with IPv6 is perhaps not so bad."

          If I'm an enterprise with virtually unlimited resources, IPv6, with all its foibles seems a great solution to the IP address exhaustion problem.

          If I'm the other 80% of companies on earth, or virtually every consumer on earth, then I'd far rather the IPv6 with Network Prefix Translation solution because that solves the problems I'll face in the most economic and simple fashion. I don't care about the needs of enterprises or software developers or the problems they face.

          Most of the world uses horses to get things done and they work just fine. A camel is great in the desert, but doesn't have the power or capability of a horse in virtually any other situation.

          The world uses IPv4 with NAT today and they can game, use VoIP, and every single other application that IPv6 end-to-end religious nutters whinge about just fine. The horse plows the field and ensures their family is fed.

          Along comes a camel salesman saying we all need to shoot our horses and implement IPv6 without Network Prefix Translation because camels are better in the desert. The English farmer peers through the sheeting rain at the camel salesman and asks that one important question:

          "why should I?"

          The thing IPv6 purists don't get is that there is an alternative to IPv6 + religion. That alternative is IPv6 - religion. We can have all the benefits of IPv6's address space and the benefits of Network Prefix Translation by just telling the camel vendor he's batshit fucking bananas and driving him - and his camel religion - into the sea.

          1. Suricou Raven

            Re: IPv6 like OSI is far more complex than necessary

            "The world uses IPv4 with NAT today and they can game, use VoIP, and every single other application that IPv6 end-to-end religious nutters whinge about just fine."

            No. Those things work because of awkward hacks that work some of the time, and the rest of the time if you can reconfigure your router. Try running a game server some day - it can't be done without going to your router config and telling it to set up a port forward. That's an inconvenience for current home users, and will be impossible when the address shortage forces the deployment of carrier-level NAT.

            Skype can communicate through double-NAT, but only because it uses a ridiculous three-party UDP mutual handshake bodge to trick both NAT routers into thinking their client spoke first. Such an approach is only possible when there's a third, port-accessible party (Skype's server) to act as a coordinator. A central point of failure.

            1. Trevor_Pott Gold badge

              Re: IPv6 like OSI is far more complex than necessary

              "No. Those things work because of awkward hacks"

              Who the fuck cares? Not the end user or the SMB. We don't care if it's harder for developers. There is 15 years of documentation on how to deal with that, and there are lots of free and cheap tools and libraries to help to do so. Cope.

              On the other hand, there are no viable solutions - let alone cheap or (heaven forbid) free - to solving the problems introduced by a dogmatic approach to NATless IPv6.

              You are demanding the majority pay a significant tithe in inconvenience and infrastructure/application overhauls because you're too lazy to learn to use extant libraries and techniques to bypass NAT.

              My sympathy for your position is the square root of a negative value.

              1. SImon Hobson Silver badge

                Re: IPv6 like OSI is far more complex than necessary

                Actually, end users and the SMBs do care - but not in the way you think, and they probably don't make the connection between NAT and the "costs" they see.

                I can tell that you truly haven't seen the full scale of the horrors NAT creates - and the costs that go with it. Just one example, any large VoIP provider has to provide a rack full of proxy gateways because SIP is well and truly f*cked by NAT. It may, given some favourable combination of stuff, be possible for the end user device to work out that NAT and work around it - but that really does mean "some favourable combination". Throw a Zyxel router in and it's all f*cked for good - been there, had to tell the customer "replace the router if you want <something> to work" thanks to their brain dead mangle all ports randomly approach to NAT. OK, that latter one is extreme but I've come across it. Eliminate NAT and the VoIP proxy requirement goes - and so does a chunk of cost to the VoIP provider - which means lower cost to the customer.

                Really, the fact that NAT works now is simply down to a load of sticking plasters that "mostly" hold things together. It really does impose a lot of restrictions. Someone mentioned the need for Skype to provide a "man in the middle" to get a flow going - as in you and your mate can't just "plug something in and talk to each other" without either an outside assistant or manually configuring port forwards. A lot of the workarounds involve going through a third party - as in the "remotely controllable <IoT object>" that only really works as long as the provider offers you a cloud service to use it through - or you manually configure port forwarding. Obviously, a lot of vendors see that as an advantage as it means you have to use their service and in the process giving them free rein to mine your data and sell you as a product.

                TLDR version.

                NAT costs big time - in monetary cost for all the infrastructure and resources needed to work around it, and also in loss of flexibility in that it makes it very very much harder to run distributed stuff.

                Having said all that, I am inclined to think that NPTv6 would be a useful tool in many cases. It needs to have some standard tools to allow the application to directly get the mapping information from the gateway(s) and thus work out the global prefix it's mapped to - but given that, it is not half as evil as NAPTv4.

                What I do worry about is that if made available, then pretty well everyone would implement it because "we always have NAT" regardless of whether they need it. Ie, too many people couldn't get their heads around not having this crutch to lean on.

                1. Vic

                  Re: IPv6 like OSI is far more complex than necessary

                  What I do worry about is that if made available, then pretty well everyone would implement it because "we always have NAT" regardless of whether they need it. Ie, too many people couldn't get their heads around not having this crutch to lean on.

                  So what?

                  If that's how people want to use the Internet, what does it matter? It'll still work.

                  If it really does add to the costs of running a service - and, as a small-time VoIP provider, I'm not sure I can really agree with you - then you pass those costs on to the user, with rebates if he takes the solution that makes it cheaper for you. If it makes business sense for people to discard NAT, they will do so. At the moment, it's all cost and no reward.

                  IPv6 takeup is very, very slow. It would make sense for the community as a whole to work out why this is - and that involves asking the people who have chosen to stay with IPv4, not just telling them why they're wrong...

                  Vic.

                2. david 12 Bronze badge

                  Re: IPv6 like OSI is far more complex than necessary

                  I take the opposite point of view -- SIP is fucked, and its inability to work with NAT is just one part of that. Out of all the fully-functional voice protocols that we had around, why did we wind up with SIP?

                  Actually, I know the answer to that: because it was easier for amateurs to make a broken open-source implementation of SIP, rather than implementing the existing ISO standard protocol, or any of the other protocols that actually worked.

                  1. Vic

                    Re: IPv6 like OSI is far more complex than necessary

                    SIP is fucked, and its inability to work with NAT is just one part of that.

                    SIP works with NAT. All my land-line phone lines are doing exactly that.

                    Vic.

        2. Ian 55

          If you were stuck in the desert, would you rather see a horse or a camel approaching?

          A horse, because it suggests that I am closer to some sort of human settlement.

      3. Cpt Blue Bear

        Re: IPv6 like OSI is far more complex than necessary

        "Does anyone else remember the saying that a camel was a horse designed by a committee."

        I've often thought that a horse is a camel spec'ed by management: it's sleek and fast but hopelessly inefficient, flighty, doesn't cope with difficult terrain* and has to be destroyed if something breaks.

        A camel on the other hand, is the BSD of ruminants: it won't make you look good but it will get you there.

        * The last one I had anything to do with couldn't even cope with a heavy track.

      4. Fluffy Bunny
        Angel

        Re: IPv6 like OSI is far more complex than necessary

        I think a more apt aphorism is that the elephant is a mouse designed by a committee.

        1. Michael Wojcik Silver badge

          Re: IPv6 like OSI is far more complex than necessary

          I think a more apt aphorism is that the elephant is a mouse designed by a committee.

          An aphorism is an insight designed by committee.

    7. JeffyPoooh Silver badge
      Pint

      Re: IPv6 like OSI is far more complex than necessary

      I'm holding out for IPv8; I hear it's way better.

      1. 2+2=5 Silver badge

        Re: IPv6 like OSI is far more complex than necessary

        > I'm holding out for IPv8; I hear it's way better.

        IPv8 - as recommended by Jeremy Clarkson.

        1. Anonymous Coward

          Re: IPv6 like OSI is far more complex than necessary

          IPv4, v6, v8 BAH!

          I.P. Daily wrote "the Yellow River"...

    8. David Halko

      Re: IPv6 like OSI is far more complex than necessary

      > Give each country its own unique 2 byte address prefix for additional connections once the IPv4 range is used up then additional values for large countries when their first prefix is near full.

      Sounds elegant, with exception to cellular phones with internet connectivity, vehicles which drive across boundaries, phones & cars sold between countries, light bulbs & door locks inside the cars & airplanes & mobile homes crossing national boundaries, equipment on artificial satellites around the earth, equipment on The Moon, equipment on Mars, ships at sea, airplanes in flight, equipment on the surface of the ocean in international water, space probes floating to/outside the edges of the solar system, ip addressable key fobs for every lock on every person's key ring, every smart component on an airplane checking into satellites, ISIS carving out new countries from old while killing off lots of formerly potentially used IPv6 address block holders along the way, etc.

      Are the items I mentioned show-stoppers? Absolutely not. There are countless proprietary protocols, in conjunction to NAT, to network these devices today. I am merely suggesting that artificial boundaries associated with nation-states may not necessarily be the best way to handle address allocation because of the expansion of intelligent devices. I personally don't think it is a bad idea, but it may be "short-sighted", and complexity will grow as DNS does (which this article criticizes in some large quantity of words.)

      One may suspect "Ivory Tower" engineers had discussed analogues to these possibilities. Once the IPv6 address space becomes universal - one might not expect it will not be long before all those proprietary ways of networking (and hiding under TCP/IP) of individual devices or device components will dissolve. NAT is only one such hiding mechanism. M2M not dependent upon IP will consolidate into IPv6... and those devices dwarf the number of people in the world.

      1. roger stillick
        WTF?

        Re: IPv6 like OSI is far more complex than necessary - part 2

        M2M is where I live and I don't even know where to start on IPv6, it looks like it banned it even though claims here say IPv6 was made for M2M... 'pseudo RTOS' and 'Full - Duplex Round Robin' networking is my LOCAL internet protocol, I'm paying for 2 - 7Mb DSL lines to C-Link internet and I have that funny box between my stuff and everyone else's stuff (still get random outages)...

        IMHO= DARPA's Internet experiment to end single point of failures is ongoing w/Internet - v2... v3 allows random failures (watch NHK - TV, it is v3 internet and fails randomly aka 'great speed, lousy livability')... I lived w/single point of failures from 1964 to 1985= THEY SUCK !! (folks die)... FDX - RR works just fine, the world's bean counters just need to get over it and allow single points of failure to be engineered out of our attempt at universal communication, Universe Wide... 'Condition Blue' is so yesterday ('CBlue'= stop work, you might fail something)...

        caveat= this is, hopefully, NOT a SCI-Fi rant...RS.

        1. Vic

          Re: IPv6 like OSI is far more complex than necessary - part 2

          this is, hopefully, NOT a SCI-Fi rant

          It is, however, almost entirely unintelligible :-(

          Vic.

    9. TWhyman

      Re: IPv6 like OSI is far more complex than necessary

      The comment

      "If IPv6 had been designed by engineers (rather than by theoreticians) it would have been much less complex - just increase the size of the addressing field by 2 bytes and map all existing IPv4 public addresses to IPv6 with the 2 additional address bytes being zero "

      amused me as I recall arguing some 20 years ago on IETF lists for precisely something like this (albeit more generally as variable length addresses). The argument put up against this was that "the community" was used to using mini-computers (PDP-11s, VAXes, etc) as routers and the algorithms worked on 16 or 32-bit lookups and anything new should be an extension of this i.e. an engineering argument - Engineers can be very conservative at times - and we ended up with a 128 bit (4 x 32) IPv6 address. The argument was ridiculous - and I recall a CISCO Engineer pointing out that their routers didn't work this way anyway - and the tragedy was that shortly afterwards CIDR and BGP with its routing based on variable length prefixes completely invalidated the original argument - but to no effect.

      There may also have been an aspect of NIH as variable length addressing was an OSI paradigm and not an IP one.

      However, the underlying problem has less to do with address sizes and more to do with the problem that a properly worked through transition plan has never been on the table for IPv6. A transition plan requires that IPv4 and IPv6 ASs must be able to co-exist and interwork for an extended period of time and possibly forever. It can be done, but almost certainly involves NAT and the use of the DNS to manage IPv6 to IPv4 address mapping. However, for the "ivory tower types" referred to in the article, NAT is evil and must be eradicated and IPv6 must become universal. A NAT based transition plan would be unacceptable as would the effective result: that IPv6 could well end up as an inter AS protocol only. Hence they are not interested - even though that is all we really need.

      The final problem is that there is no financial incentive for ISPs to be the first to adopt IPv6. To them it is a cost without a benefit in terms of offering cheaper services.

      IPv4 allows for 2**32 addresses. That's a big number and it will always be possible to spread it out just that bit more thinly. On the other hand, there's an inverse relationship between the efficiency of address allocation and routing efficiency. The more efficient (i.e. more densely allocated) IPv4 address allocation becomes, the less efficient inter AS routing will become and dealing with the 512K by just adding more memory will be no more than the networking equivalent of kicking the can down the road. Unfortunately, that is probably what will happen.

    10. Jack of Shadows Silver badge

      Re: IPv6 like OSI is far more complex than necessary

      Right in one. I would have considered eight bytes, and have implemented just such a design elsewhere, for symmetry and ease carving out blocks as you envisioned. Heck, the extra two bytes would have been useful for target address categorization of type of objects. Thus satisfying those who objectify everything. Whatever.

  4. dan1980

    IPv6 is a disaster waiting to happen.

    It is interesting to look at the development of the Internet with respect to TCP/IP. To start with, all endpoints were connected; it was a distributed network, effectively a campus network.

    As the Internet grew and evolved, NAT was used to conserve IPv4 addresses and allow people to connect without having to buy large ranges.

    NAT, itself, however, evolved into a critical part of networking and much is built around it, not least the idea of a central device controlling access in and out of a network. The problem is that those pushing IPv6 view NAT purely as a work-around - a band-aid covering a problem of limited public IP addresses.

    That problem is very real but in addressing it they seem determined to throw the proverbial baby out with the bathwater. No wonder the minuscule uptake.

    1. Vector

      I wonder how gramma is going to feel about managing all the IPv6 addresses she needs in her new IoT™ populated home without NAT?

    2. Ken Hagan Gold badge

      "NAT, itself, however, evolved into a critical part of networking and much is built around it, not least the idea of a central device controlling access in and out of a network."

      Firewalls and routing rules predate NAT by several years and both clearly involve the idea of a central device controlling access in and out of a network. I respectfully suggest that you present a fresh argument.

      "The problem is that those pushing IPv6 view NAT purely as a work-around - a band-aid covering a problem of limited public IP addresses."

      Perhaps they were around when the NAT RFC was published, and read it. I'm afraid that NAT *is* just a band-aid around limited public addresses.

      Furthermore, not a lot of the coverage here is bothering to mention *why* the number of global routes has now passed 512K, so I'll let you into a secret. It is caused by people buying up small allocations of IPv4 in one corner of the globe and using them in another. The address space has become horribly fragmented and the IPv4 internet is going down like a 99%-full hard disc using the FAT file system. And of course the reason everyone is still on IPv4 is because NAT has allowed them to punt this problem into the long grass for almost 2 decades. Well done NAT.

  5. Peter Galbavy

    Nothing new under the sun

    We had the same concerns and problems back at "16K day" - most off the shelf equipment couldn't cope, but Demon's routers did and then "64K day" a number of years ago (I'd moved onto other things by then, so I was only a consumer again) and then AS numbers grew too big and so on and so on.

    For those pushing their beloved IPv6 - it's like one of those lovely gated communities where the grass will be cut to exactly the height of the handbook and old cars will not be tolerated in driveways, but then when the houses don't sell the less desirables start moving in and the old guard start to whine. IPv6 never needed multihoming (I was one of those arguing at RIPE meetings about how this would never really work once real world applications and resilience was required) and NAT was seen as a hack and not something ever wanted in IPv6 (la la land called, they have your unicorn). IPv6 is still a solution looking for a problem and no matter how much the proponents keep pointing and laughing at IPv4 they are still selling something that smells suspiciously like snake oil.

  6. Mage Silver badge

    We need IP6

    Just not the IP6 on offer.

    I'm glad to see other people catching on to the practical problems IP6 creates that I have been harping on about for many years.

    I was considering changing my name to Cassandra. Perhaps I should have used it as my nick here.

    1. Primus Secundus Tertius Silver badge

      Re: We need IP6

      @Mage and ...

      IPv4 is in retrospect a work of genius. It has been running for over 30 years, compared with about 10 years for the original Arpanet protocol.

      IPv5 and IPv6 look like student project designs in comparison. What was IPv5? A long-forgotten attempt to make multi-casting efficient, so that for example lectures could be distributed to students - or other one-to-many applications.

      Will IPv6 be forgotten? I hope so, we need an IPv7 that is backward compatible with IPv4, as others have commented here.

      1. brooxta

        Re: We need IP6

        We can't be too prolific with our IP versions. The version field in the IP packet header is only 4 bits long = a maximum of 16 versions ever without breaking compatibility completely.

        1. Ken Hagan Gold badge

          Re: We need IP6

          Ah, yes! The famous compatibility between IP versions. We wouldn't want to lose that.

    2. Fluffy Bunny
      Angel

      Re: We need IP6

      "Just not the IP6 on offer." - IPv7, anybody?

  7. Alan Brown Silver badge

    NAT is a kludge

    It breaks a shedload of things and I wish "we" had never pushed it out in the early 1990s

    IPv6 works just fine and instead of a NAT box you use a firewall if you want internal stuff to not see (or be seen by) the Internet at large. Decent enduser routers can do IPv4 NAT and IPv6 firewalling simultaneously with rulesets linked (Mine does)

    Of course all those sub-par BT homehubs and other pieces of cheap ISP shite won't, but that's not my problem :)

    1. Mage Silver badge

      Re: NAT is a kludge

      Yes NAT is a kludge. Rather than killing it, IP6 should have had a fixed version. Even VOIP can work via NAT (it's one of the trickiest).

      I'd like to see how well your legacy IP4 gadgets (which can't be migrated to IP6) work, how good your security and privacy works etc, when there is no IP4 for your router.

      Privacy and Security appear to be kludged afterthoughts on IP6.

      1. Vic

        Re: NAT is a kludge

        Yes NAT is a kludge. Rather than killing it, IP6 should have had a fixed version.

        IPv6 doesn't need a "fixed" version - just the removal of the objection to NAT on IPv6.

        Then NAT can carry on working just as we've been doing on IPv4; it's not a technical limitation, it's a dogmatic one.

        Vic.

        1. Oninoshiko

          Re: NAT is a kludge

          "IPv6 doesn't need a "fixed" version - just the removal of the objection to NAT on IPv6.

          Then NAT can carry on working just as we've been doing on IPv4; it's not a technical limitation, it's a dogmatic one."

          THIS.

          Honestly, it doesn't even need the objection removed, it just needs everyone to treat this objection with all it deserves (which is to say, ignore it). No one outside your network will know, no one inside your network will know (unless, of course, you have some protocol which opens a socket to a machine which "calls back" which is completely brain-dead).

      2. A Non e-mouse Silver badge

        Re: NAT is a kludge

        Privacy and Security appear to be kludged afterthoughts on IP6.

        On the privacy front, I can agree with you. Baking the device's MAC address into the IPv6 address isn't good for privacy.

        As to security, if only they'd implemented something like IPSec natively into IPv6.... (Hint, they did...)

        1. Vic

          Re: NAT is a kludge

          Baking the device's MAC address into the IPv6 address isn't good for privacy.

          That's not a mandatory part of the standard - just a suggestion - and it's only for link-local addresses. Those addresses that you use for talking to other devices on the Internet will not contain your MAC address[1]

          Vic.

          [1] Unless you're monumentally unlucky, or deliberately make it so.

          1. Mage Silver badge
            Black Helicopters

            Re: That's not a mandatory part of the standard

            Not any more. But it should never have been a part of it at all. Not unless there was the concept of NAT and that MAC could ONLY be used for unroutable addresses.

            1. Vic

              Re: That's not a mandatory part of the standard

              Not any more. But it should never have been a part of it at all.

              I don't think it ever was - it's simply a suggestion for how to allocate link-local addresses with a high probability of avoiding collision. You need to allocate unique link-local addresses, and this is a simple way of doing so.

              IPv6 has numerous difficulties, but this really hasn't ever been one, no matter how many times you hear that the sky is falling from someone writing a "helpful" blog piece...

              Vic.

        2. NumptyScrub

          Re: NAT is a kludge

          quote: "On the privacy front, I can agree with you. Baking the device's MAC address into the IPv6 address isn't good for privacy."

          As I understand it:

          That is only true for link-local IPv6 (the equivalent of 169.254.0.0/16 in IPv4, not internet routable), and is merely a suggestion.

          The MAC address is already broadcast by any device that sends a DHCP Discover packet.

          The MAC address is already present in Layer 2 headers like the Ethernet frame.

          Given the above, I'm not sure how having the MAC address as part of a link-local IPv6 address provides any information that other local devices would not already have trivial access to...

    2. I ain't Spartacus Gold badge

      Re: NAT is a kludge

      Of course all those sub-par BT homehubs and other pieces of cheap ISP shite won't, but that's not my problem :)

      Alan Brown,

      Thanks for caring. Of course, when hundreds of millions of those unprotected domestic users are joined into a giant mega-botnet DDoSing and spamming their way round the network, plus turning peoples' IoT lights and heating on and off at random, you might not be quite so sanguine...

      Any internet design that isn't hardened against incompetent users and cheapskate ISPs, is not fit for purpose. And whoever designed it is an imbecile.

    3. I Am Spartacus
      Coat

      Re: NAT is a kludge

      Just what I needed - an excuse to repurchase all my IPv4 kit that does not support IPv6, I suppose this is the net-dweebs attempt to fix the problem of not enough money in circulation.

      Mine's the one with Amazon catalog in the pocket.

      1. Fluffy Bunny
        Angel

        Re: NAT is a kludge

        "an excuse to repurchase all my IPv4 kit that does not support IPv6" !!

        Is it still possible to buy kit that doesn't support IPv6? I haven't seen anything like that in the shops for years.

  8. chris 143

    You don't need NAT for IPv6

    The idea is that you use your link local address to talk to local stuff (eg the network printer)

    Then your router advertises its /64 range.

    So you get two IPs

    fe80::2345:6789:0abc (local one)

    2001:2345:6789:2345:6789:0abc (public one)

    1. Vic

      Re: You don't need NAT for IPv6

      You don't need NAT for IPv6. But many people *want* to use it.

      NAT introduces a few issues - at least one of which is insurmountable (and, thankfully, quite rare these days) - but it also means that setting up a small network behind a NAT router is trivial. And there are a *vast* number of people with exactly that setup.

      Now it's all very well to say that you "just" add a new firewall to hide that lot from IPv6 connectivity - but that's just adding hardware to prevent what is being sold as a benefit; it would be much, much simpler just to change the address space and leave the NAT model in place. Then everyone is happy.

      Vic.

      1. Nextweek

        Re: You don't need NAT for IPv6

        >Now it's all very well to say that you "just" add a new firewall to hide that lot from IPv6 connectivity - but that's just adding hardware to prevent what is being sold as a benefit

        This is the most ignorant comment I have seen. NAT is address translation, home routers already have firewalls so additional hardware is NOT required. UPnP opens ports on your firewall for things to get in, that's not going to change with IPv6.

        The point is we need IPv6 to make it easier to do peer to peer things like videos, gaming, telephone. Removing NAT removes a level of CPU and memory requirements that saves electricity and latency. IPv6 brings a raft of other things, multicast is one example that would certainly cut back the ever growing bandwidth consumption.

        1. Vic

          Re: You don't need NAT for IPv6

          home routers already have firewalls

          They do? All of them?

          Because if any ship without firewalls - *any* - then your assertion and all the inferences you draw from it are entirely wrong.

          The point is we need IPv6 to make it easier to do peer to peer things like videos, gaming, telephone

          No, we don't. I'm already doing that - sans the gaming, usually, as that's not my thing - on IPv4 with NAT. It's all very well asserting that IPv6 is "needed" for $application, but reality does not bear that out. Feynman had good things to say about what happens when your theory doesn't agree with reality...

          Removing NAT removes a level of CPU and memory requirements that saves electricity and latency

          Bullshit. You're still processing stuff, just in a slightly different way.

          IPv6 brings a raft of other things, multicast is one example

          IPv6 brings in a number of things, but multicast is not one of them. I've been doing multicast over IPv4 for years. If you watch TV, the chances are you're watching the product of multicast over IPv4, as that's how substantially all the content providers work[1]. Multicast is entirely orthogonal to IPv6.

          Vic.

          [1] I'm not even sure if the encoders in use even support IPv6; certainly the ones I worked on don't. AFAIK, there's very little demand for it...

          1. brooxta

            Re: You don't need NAT for IPv6

            Yes. If it does NAT it is, to all intents and purposes, a firewall.

            And as to latency, which do you think is quicker/less resource intensive:

            NAT: checking whether a packet is allowed to cross the lan/wan boundary, tracking which ones do and rewriting the address and port number on all of them.

            IPv6: checking whether a packet is allowed to cross the boundary or not and forwarding them essentially unmodified if yes.

            1. Vic

              Re: You don't need NAT for IPv6

              If it does NAT it is, to all intents and purposes, a firewall.

              But it is not a firewall.

              It might be implemented by a firewall - that's how I do the NAT between two of my networks - but that doesn't make it a firewall; a firewall does many things besides NAT that may well not be implemented by a NAT box.

              And as to latency, which do you think is quicker/less resource intensive

              Neither. They're largely the same operation. You will not be able to measure any difference.

              Vic.

              1. Anonymous Coward

                Re: You don't need NAT for IPv6

                But it is not a firewall.

                It might be implemented by a firewall - that's how I do the NAT between two of my networks - but that doesn't make it a firewall; a firewall does many things besides NAT that may well not be implemented by a NAT box.

                Not a firewall? So then if I gain control to the system at the other end of your WAN link I can just do a:

                route add -net ${yournet}/${yourprefix} gw ${yourip}

                and just keep playing with the ${yournet} bit until I hit paydirt?

                No. Any NAT router worth its weight will do at least some firewalling, such as permitting only packets from existing connections inbound. If it doesn't, take it back to the place of purchase as it is unfit for purpose and a security liability.

                1. Vic

                  Re: You don't need NAT for IPv6

                  Any NAT router worth its weight will do at least some firewalling

                  Look at the routers being distributed by cheapo ISPs.

                  I'm not arguing whether or not they ought to have decent firewalls fitted. I'm saying that a substantial number do not.

                  Now you can say that they're not fit for purpose until you're blue in the face - this is what people *have*. Arguing that these people must change their IT systems to suit your model is not a strong position.

                  Alternatively, we can just promote the idea of NAT over IPv6 for those who want it and all these issues just go away...

                  Vic.
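The boundary behaviours argued over in this sub-thread, modelled side by side as an added example that is not any commenter's code: a stateful filter that forwards packets unmodified, an IPv4 NAPT that tracks the same flows and also rewrites address and port, and a NAPT with no inbound filtering, which is the case the `route add` comment worries about. Class names are hypothetical, addresses come from documentation ranges, and state timeouts and protocol details are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """No rewriting: inbound is allowed only as the reply to a tracked flow."""

    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p  # forwarded unmodified

    def inbound(self, p):
        # A reply has source and destination swapped relative to the flow.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return p
        return None  # unsolicited: dropped


class Napt:
    """Port-translating NAT. filter_inbound=False models a box that
    translates but still routes packets addressed straight to the LAN."""

    def __init__(self, public_ip, filter_inbound=True, first_port=40000):
        self.public_ip = public_ip
        self.filter_inbound = filter_inbound
        self.next_port = first_port
        self.out_map = {}  # internal flow -> public port
        self.in_map = {}   # (public port, remote ip, remote port) -> internal host

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        # Source address and port are rewritten on every outbound packet.
        return Packet(self.public_ip, self.out_map[key], p.dst, p.dport)

    def inbound(self, p):
        if p.dst != self.public_ip:
            # Addressed directly to an internal host, e.g. by an upstream
            # neighbour that has a route for the LAN prefix.
            return None if self.filter_inbound else p
        target = self.in_map.get((p.dport, p.src, p.sport))
        if target is None:
            return None  # no mapping: nowhere to deliver it
        return Packet(p.src, p.sport, target[0], target[1])


def compare():
    """Run the same three inbound cases through each boundary."""
    results = {}

    fw = StatefulFilter()
    fw.outbound(Packet("2001:db8:1::10", 50000, "2001:db8:ffff::1", 443))
    results["filter_reply"] = fw.inbound(
        Packet("2001:db8:ffff::1", 443, "2001:db8:1::10", 50000)) is not None
    results["filter_unsolicited"] = fw.inbound(
        Packet("2001:db8:ffff::2", 443, "2001:db8:1::10", 22)) is not None

    for name, flag in (("napt", True), ("napt_nofilter", False)):
        nat = Napt("203.0.113.5", filter_inbound=flag)
        out = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.1", 443))
        results[name + "_reply"] = nat.inbound(
            Packet("198.51.100.1", 443, out.src, out.sport)) is not None
        results[name + "_unsolicited"] = nat.inbound(
            Packet("198.51.100.9", 443, out.src, out.sport)) is not None
        results[name + "_direct_to_lan"] = nat.inbound(
            Packet("198.51.100.9", 1234, "192.168.1.10", 22)) is not None
    return results


if __name__ == "__main__":
    for case, forwarded in compare().items():
        print(f"{case}: {'forwarded' if forwarded else 'dropped'}")
```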

    2. Anonymous Coward

      Re: You don't need NAT for IPv6

      So two addresses is better than one?

  9. Irongut

    You pay peanuts, you get shite.

    I have no problems at home or work but my method of choosing ISP doesn't start and end with "who is the cheapest?"

    1. Anonymous Coward

      "You pay peanuts, you get shite."

      You usually get Indians in my (extensive) experience.

  10. breakfast
    Thumb Up

    Good work, everyone!

    Nothing to add except that I have learned some new things from both the article and the comments here. Exactly the kind of thing that makes The Register invaluable.

    1. TwistUrCapBack

      Re: Good work, everyone!

      Brown nose

      1. breakfast

        Re: Good work, everyone!

        I prefer the term "Bronze Badge"...

  11. Aitor 1 Silver badge

    NAT 66?

    This discussion should be DEAD years ago.

    NAT66 provides NOTHING.

    Just give an IP and block incoming internet traffic, there, solved it for you.

  12. Aitor 1 Silver badge

    Please refrain from NAT66

    If you must, please read this lively discussion we had some years ago:

    http://networkingnerd.net/2011/12/01/whats-the-point-of-nat66/

    1. Trevor_Pott Gold badge

      Re: Please refrain from NAT66

      I still don't see a viable solution for renumbering/WAN redundancy. I see lots of dogma. I see no solutions.

      Or do you want to trot out how none of that is your problem, and it's up to everyone else to pay (and pay and pay and pay) to meet your religious requirements one more time?

      I prefer concrete, affordable, and currently applicable solutions. Ones that work for the 99%, without dismissing the needs of the 99% as "irrelevant".

      1. AnonFairBinary

        Re: Please refrain from NAT66

        This objection is specious... your router has two uplinks. It uses Router advertisements to tell everyone on the LAN "this is your network segment" and all the hosts on the net pick their addresses using SLAAC, which takes a few seconds. When your primary internet goes down, the router advertisement daemon running on the router just has to notice, and start advertising the backup network, everyone will autoconfigure to the new addresses, and in a few seconds everybody is up again. the IPv4 version used NAT meaning your address changed when you changed uplinks, just swapping router advertisements means all the clients get new addresses, looks exactly the same.

        The fact that no consumer level router does this, is a supply and demand problem, not a technical one.

        1. Tom 38 Silver badge

          Re: Please refrain from NAT66

          The counter is specious - you do not need X because we have provided Y which is ideologically better but requires updating all your hardware and software and relying on a daemon on one box correctly informing everything else it needs to be updated.

          1. Ken Hagan Gold badge

            Re: Please refrain from NAT66

            " but requires updating all your hardware and software and relying on a daemon on one box correctly informing everything else it needs to be updated."

            Every desktop OS has been able to do this for donkey's years, and apps couldn't re-implement the network stack even if they wanted to. So for your PCs the hardware upgrade is going to cost you nothing. The OS upgrade will cost the same and the rest of your software will be half as much again.

            There may be some devices that will require an IPv4-capable LAN, but I doubt that many of them need to talk to the internet, so a dual stack LAN and IPv6-only WAN is now perfectly viable and has been for many years.

        2. Trevor_Pott Gold badge

          Re: Please refrain from NAT66

          So your solution to the tried, tested and true $150 dual-WAN IPv4 NAT box is a new, expensive solution that requires:

          1) Someone to know how to configure it (because SMB versions don't exist)

          2) The router advertisement daemon never to fail

          3) All applications to be able to cope with renumbering on the fly with zero errors

          4) DNS to work without flaw in order to cope with the renumbering

          5) BGP advertisement and management so that anything I'm hosting locally can be accessed from the net.

          And to top it off you threw in a "supply and demand" argument which is an ivory tower way of fobbing the problem off as belonging to someone else, without solving any of the issues to hand.

          Awesome.

          So you have no solutions. Only dogma. What you demand that everyone use to suit your religion is demonstrably worse for this very critical use case than what went before, but we are expected to just suck it up without complaint...why exactly?

          I believe my inclination is not "kowtow to the brethren" but say "up yer jacksie" and just use NAT anyways.

          Wibbly wobble wubble. SOLUTIONS, jacksie-baby. Not dogma. Can you handle it?

          Edit: additional bonus points for SLAAC, which makes the entire infrastructure absolutely reliant on DNS, most likely under the asinine premise that DNS will always work in a "real man"'s setup. That's grand. No chance of managing and maintaining your infrastructure when the DNS goes down, or the stupid router robot eats its own face.

          Pay no attention to the daemon behind the curtain! Practical implementation concerns are "just details" anyways, hmm?

          1. I Am Spartacus

            Re: Please refrain from NAT66

            @Trevor_Pott

            Well said. Have a beer and an up vote

          2. Anonymous Coward

            Re: Please refrain from NAT66

            AC because I'm not wearing asbestos underpants today.

            Hi Trevor,

            Thanks for your article. I enjoyed the exposé of the 512K issue, drawing the curtain back on recent internet events.

            I also enjoyed the segue into attack-IPv6-mode :-)

            I wonder though if perhaps we could take a little bit of the "management ought to have been listening to in-the-know-IT-types since ages ago" approach to the 512K problem and apply it also to the IPv6 problem.

            It seems to me that the major problems with IPv4 have been known for a very long time, and yet even with all the publicity regarding address space we have still ended up the creek without a paddle. Surely as sys- and net-admins we ought to have been preparing for a shift to IPv6 infrastructure in our roll-outs of IPv4 solutions so that when the tipping point came we were ready, and things could go seamlessly (or at least, as seamlessly as possible)? Instead what has happened is that more and more products/solutions have been pushed out of the door that depend on non-IPv6 compatible concepts. And this position has only become more entrenched.

            Alternatively we could have been getting off our backsides and sorting out an alternative IPv6 proposal. It seems a little late to be banging on about problems with the design now. The people with the intellectual wherewithal to architect a new system did so a long time ago (pre-dotcom bubble), and if we're actually going to pull together as a community in this whole internet thing then we need to play our part.

            Or maybe this is where the wheels come off?

            1. Trevor_Pott Gold badge

              Re: Please refrain from NAT66

              I don't disagree with any particular point, but there are some problems that are out of the techies' hands:

              1) IPv6 is asstastic for anyone excepting wealthy enterprises and backbone providers that don't have the sorts of concerns faced by the under-1000 seat crowd.

              2) "The business" is generally not ready or willing to invest in replacing what works just fine today with a more expensive thing that will hopefully prepare us for the future.

              3) Pretty much everyone who isn't already wedded to IPv6 is really just hoping that the ivory tower types will capitulate, we'll get our IPv6 NAT and nobody will have to actually change how they do things.

              As for "it's a little late to keep banging on about the problems" I heartily disagree. I've been banging that drum for the better part of a decade, and so have many others. The issue here is simple: do we - the majority - accept the dogmatic implementation of IPv6, or do we tell the ivory tower types what to go do with themselves and implement a NATed version, with all the benefits - and downsides - that it entails.

              That war is emphatically not over yet. It will be decided by hardware and software availability as well as adoption and general practice. Not by RFCs and snarky internet disdain. All the powerpoint slides and wringing of hands in the world won't make people believers, nor will it make them behave how you want them to.

              So we're all sitting here staring at each other across the neutral zone, waiting for someone else to make the first move. Meanwhile, ISPs are dragging their feet, as are consumer gadget vendors.

              ...and the Ivory Tower types offer nothing but dogma...and no solutions.

              Your comment is itself evidence of how intractable this issue has become. I raise real world issues that don't have practicable solutions for the majority of businesses and individuals and you all but accuse me of going out of my way to lay on the rails and withhold "progress". As though I am somehow not doing my "civic duty" by encouraging people to bite down on the dogma and take one for Uncle Sam.

              Well, I don't know about you, but even if I were inclined to close my eyes and think of England on this, my ISPs don't even offer me things like "BGP for SMB accounts" that would allow me to solve the problems in the dogmatic fashion. Nor do my apps support on-the-fly renumbering.

              So what are the solutions? Hmm? And why should we all just ignore them in the spirit of camaraderie? It seems to me it's a hell of a lot easier to punch the prickly ponces in the paunch and do the One Thing They Decry.

              They aren't My People, so I'm down with that. You?

              1. Vic

                Re: Please refrain from NAT66

                "IPv6 is asstastic for anyone excepting wealthy enterprises and backbone providers that don't have the sorts of concerns faced by the under-1000 seat crowd."

                It's not *quite* that bad.

                What concerns me more is the sub-15 seat companies and private users who don't have a sysad available - they are left with a fairly steep technical challenge to setting up IPv6. And what will happen is this - they'll plug in the router they get from their (el cheapo) ISP and wonder why the traffic LED flashes so much...

                ""The business" is generally not ready or willing to invest in replacing what works just fine today with a more expensive thing that will hopefully prepare us for the future."

                Precisely. I can create a firewall-type device to secure the network, but realistically, by the time I've built it and installed it, it's not going to come in under £300. Any small business owner is going to ask what he gets for that money - and that's not an easy story to tell.

                "Pretty much everyone who isn't already wedded to IPv6 is really just hoping that the ivory tower types will capitulate, we'll get our IPv6 NAT and nobody will have to actually change how they do things."

                Nobody actually *needs* to capitulate anything - NAT will work on IPv6 in exactly the same way as it does on IPv4; it just needs to be built into the router. Unfortunately, if the cheapo modem/router from the ISP doesn't do it - and, being contrary to the spec, I suspect many manufacturers will be loath to build one that does - we're back to that £300 box again - albeit with a different purpose this time.

                "do we - the majority - accept the dogmatic implementation of IPv6, or do we tell the ivory tower types what to go do with themselves and implement a NATed version, with all the benefits - and downsides - that it entails."

                The latter, obviously. Having NAT available doesn't mean you *have* to use it - the MAU is still /64, so those that want to do it per the spec can still do so. But having NAT available means that either solution is available, without breaking anything any more than we're already used to. This would seem to me to be the pragmatic solution - but it *always* causes arguments from those that think NAT should be prevented...

                Vic.

            2. dan1980

              Re: Please refrain from NAT66

              @AC

              "It seems to me that the major problems with IPv4 have been known for a very long time, and yet even with all the publicity regarding address space we have still ended up the creek without a paddle. Surely as sys- and net-admins we ought to have been preparing for a shift to IPv6 infrastructure in our roll-outs of IPv4 solutions . . ."

              The reason this problem is so thorny is because there is one big, glaring, problem with IPv4 and a few other issues that are considered by people to be useful, broken, kludgey, unworkable or beneficial depending on who you ask.

              What has us at an impasse is that the proposed solution to the single universally-agreed upon problem (the address space) aims to fix not only that but to change all other, ancillary sticking points in IPv4.

              Chief amongst these is NAT and it is the battleground.

              Where we are is with one side saying they won't deploy IPv6 without NAT and the other saying that they won't fix the address-space issue without also removing NAT.

              People on the 'NAT must die' side of the divide argue that IP was never designed with NAT in mind and it is a 'kludge' that makes everything so much harder than it needs to be at the networking level. The counter-argument is that the internet has evolved and NAT is actually a very good solution to a problem that evidently wasn't foreseen in the early days and its removal would make everything so much harder at the human level.

              Yes, NAT poses some problems but most of these have been dealt with, such as with FTP and SIP and encryptions. When Trevor talks of dogma, he is (not to put words in his mouth) talking about the view that IP communication should be as it was originally designed to be - direct, end-to-end communication from node to node, with the sender using the IP address of the recipient node.

              That certainly makes everything very neat but then so does leaving your front door open with the idea that you should be able to go straight from your office to your bedroom without having to go through all those other pesky doors.

              In the end, the way IP was 'supposed' to work was good in theory and even worked for a while (much the same way leaving your doors unlocked at night likely worked in small villages) but it is just not practical for the current Internet. Those pushing IPv6 and the removal of NAT can be seen as holding up an ancient stone tablet and insisting that as it was written, so shall it be done, and they are doing so with at best no regard and, at worst, conscious disregard for the realities of network and internet connectivity 'on the ground' today.

          3. Vince

            Re: Please refrain from NAT66

            Just a quick point:

            "2) The router advertisement daemon never to fail"

            Is different to "the $150 NAT based load balancer failing" how?

            I see no change in risk from that bit.

            1. Trevor_Pott Gold badge

              Re: Please refrain from NAT66

              For $150, I can buy two of the things and keep a spare on the shelf with an identical config. Worst case scenario, turf the dead one and plonk in the replacement.

              Besides which, those $150 dual-WAN routers are somewhere in the neighborhood of 20th generation technology at this point. They are at the point of "it's virtually impossible for even a junior admin to fuck this up, because guides to programming or at least configuring your own from open source components are fucking everywhere."

              I still do encounter IPv6 router advertisement daemons with multiple bugs. They aren't anywhere near as baked yet.

              1. chuckufarley

                Re: Please refrain from NAT66 "pipe" IPv6 "pipe" Lets.pretend...

                ...that the solution is here and is ready to be coded into .bin files for our SOHO type routers. How many SOHO router vendors will back port it to their entire product line? I think very few, if any. They will most likely only release it on brand new kit which they will not give away for free. Third parties will release firmware for some of the more common devices but businesses are not likely to use them. Fourth parties claiming to offer a solution will use this as an attack vector for their malware. Small business owners the world over will have to buy at least one new router. In addition, their ISP will most likely upgrade a few boxes of their own which will slightly raise the cost of internet access. Now let's pretend that the solution doesn't require the SMB crowd to change a thing. That means that their ISPs will need to change even more. Which means that the cost of doing business just went up for ISPs. This cost will then be passed to their customers.

                It seems to me that the longer we go on as we are the more it will cost to fix it in the end. Is there any probable solution that will not add to the problem of global inflation?

  13. Anonymous Coward

    I'm to blame

    Well, my employer is.

    An ahem *large* Australian corporation. Our main router hardware dates from 1997.

    It's cheap to run, though not many network protocols post about 2003 work terribly well through them.

  14. Anonymous Coward

    DPI of RDP seems implausible.

    RDP sessions are encrypted, aren't they? If the ISP tried to DPI them, they'd have to MITM your session with a bogus cert, leading to alarming warnings at the client end. And even if they did, what exactly are they going to inspect in a stream of mouse co-ordinates, keypresses and desktop image bitmap fragments? Maybe they have DPI by default for most streams and what failed was routing RDP *away* from the DPI.

    1. Trevor_Pott Gold badge

      Re: DPI of RDP seems implausible.

      You can still "traffic manage", even if you aren't peering into the sessions. It's still rude.

  15. Anonymous Coward

    It's happening, get over it

    Whether you like it or not, there's an increasing IPv6 deployment trend easily visible here. OK, so it's "only" just over 4% today, but that's doubled in less than a year.

    https://www.google.com/intl/en/ipv6/statistics.html

    There's certainly been a good amount of dogma on all sides of the argument, but that's nothing new in the world of protocol design. IPv6 deployments are increasing and one way or another the problems mentioned by other posters are going to get solved, even if some people have to swallow previously heretical solutions.

    Is anyone really still arguing that we should forget IPv6 and continue with RFC1918 and NAT-PT FOREVER ??

    1. Trevor_Pott Gold badge

      Re: It's happening, get over it

      No, if you really want to know what we - the people - want, look up Network Prefix Translation.

      Full bore overloaded NAPT is - and let me get the proper invective to hand here - "fucking clownshoes". There's absolutely zero rational requirement for it in IPv6. It shouldn't be used. Period.

      What there is a requirement for is network prefix translation. This is a very simple 1:1 mapping of an internal address space system to one or more external IPv6 subnets. This allows for instant renumbering, ISP fail-over and more without breaking end-to-end irreparably.

      Is end-to-end, that sacred holy of holies broken? Yes. Is it broken in a meaningful manner? No. The 1:1 relationship means that we can easily code around it.

      Whether you like it or not, network prefix translation is the natural compromise and it will be what is implemented on a large scale. Get used to it. There's no room for dogma in IT. Only actual solutions.
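
The 1:1 prefix mapping described in the comment above, as an added example that is not part of the original thread: a stateless /48-to-/48 translation with the checksum-neutral adjustment specified for NPTv6 in RFC 6296, showing how the same inside host appears behind either of two uplinks. The function names and the second uplink prefix are assumptions made for illustration; the ULA prefix and first uplink are the RFC's worked-example values.

```python
import ipaddress

# Constructed sample prefixes: INTERNAL and "isp_a" are the RFC 6296 worked
# example; "isp_b" is a documentation prefix chosen for this example.
INTERNAL = ipaddress.IPv6Network("fd01:203:405::/48")
UPLINKS = {
    "isp_a": ipaddress.IPv6Network("2001:db8:1::/48"),
    "isp_b": ipaddress.IPv6Network("2001:db8:2::/48"),
}


def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _ones_add(a, b):
    """16-bit ones' complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(addr):
    """Ones' complement sum of all eight words of an address."""
    total = 0
    for w in _words(int(ipaddress.IPv6Address(addr))):
        total = _ones_add(total, w)
    return total


def _prefix_sum(net):
    """Ones' complement sum of the three words that make up a /48 prefix."""
    total = 0
    for w in _words(int(net.network_address))[:3]:
        total = _ones_add(total, w)
    return total


def translate(addr, src_net, dst_net):
    """Rewrite the /48 prefix of addr from src_net to dst_net.

    The interface identifier is untouched; only the 16-bit subnet word is
    adjusted so the address's ones' complement sum stays the same, which
    leaves TCP/UDP checksums valid without touching the payload.
    """
    addr = ipaddress.IPv6Address(addr)
    if src_net.prefixlen != 48 or dst_net.prefixlen != 48:
        raise ValueError("this example only handles /48 to /48 mappings")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    w = _words(int(addr))
    if w[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in ones' complement arithmetic, so
        # this subnet would collide with subnet 0 and break the 1:1 mapping.
        raise ValueError("subnet 0xffff cannot be translated with a /48 mapping")
    adjustment = _ones_add(_prefix_sum(src_net), ~_prefix_sum(dst_net) & 0xFFFF)
    subnet = _ones_add(w[3], adjustment)
    if subnet == 0xFFFF:
        subnet = 0x0000
    value = 0
    for word in _words(int(dst_net.network_address))[:3] + [subnet] + w[4:]:
        value = (value << 16) | word
    return ipaddress.IPv6Address(value)


def outbound(addr, uplink):
    """Inside address -> address seen on the given uplink."""
    return translate(addr, INTERNAL, UPLINKS[uplink])


def inbound(addr, uplink):
    """Address seen on the given uplink -> inside address."""
    return translate(addr, UPLINKS[uplink], INTERNAL)


if __name__ == "__main__":
    host = "fd01:203:405:1::1234"
    for name in UPLINKS:
        outside = outbound(host, name)
        # Inside addressing never changes; only the outside view does.
        print(f"{name}: {host} <-> {outside} (back: {inbound(outside, name)})")
```

Because the mapping is stateless and reversible, any inbound filtering policy has to be written as explicit firewall rules; the translation itself does not hide or block inside hosts the way overloaded NAPT state incidentally does.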

    2. Nate Amsden Silver badge

      Re: It's happening, get over it

      Not forever, but for the foreseeable future yes. I see absolutely no reason to deploy IPv6 myself. Any IPv6 deployments right now basically require IPv4 connectivity in some form to reach the majority of internet sites out there anyway. I can understand IPv6 is more important for the really large service providers much less so for the small companies like the ones I have worked for.

      None of the people I have spoken to over the years have expressed any interest in IPv6. I refer to the people who really want IPv6 as "internet hippies" (same goes for the IoT advocates not interested in any of that either), and have written about it on occasion. It's like the folks who want to ban grocery stores from using plastic bags, it's kind of funny.

      IPv6 people argue IPv4 with NAT breaks so many things like peer to peer (I don't do any peer to peer myself). My funny counter argument is - fine, deploy some IPv6-only clients and see what breaks by comparison relative to IPv4-only clients.

      My phone is on carrier grade NAT when it is on the telco network. Everything I have done over phone (tether) works fine whether it is the likes of SSL or IPSec VPNs, skype, and everything else. No issues.

      IPv6 may come sooner or later, I suspect it is many years out still though.

      I may not even be doing networking anymore by the time it really hits.

      The thing I dislike most about IPv6 is the addressing scheme it looks like a MAC address, seems like it will be difficult to remember IPs relative to IPv4 addressing. Some people have said "but we have DNS!" yes we have DNS but that doesn't always work or isn't always configured correctly. I don't need to memorize every IP in my network but I have quite a few memorized of the key devices (just out of habit, it's not something I tried to memorize specifically).

      1. Vic

        Re: It's happening, get over it

        "IPv6 people argue IPv4 with NAT breaks so many things like peer to peer"

        You hear a lot of that.

        For example, I've been assured many times that NAT breaks VoIP. And yet here I am, doing VoIP through NAT. It's stunningly[1] simple...

        Vic.

        [1] Yes, I did.

        1. dan1980

          Re: It's happening, get over it

          @Vic

          Boom! Nice one.

          And that's the thing, really - as I said in another post, the complications that some protocols had traversing NAT boundaries have been fixed. NAT is a fact of Internet life now and applications and protocols are coded accordingly.

          "It makes things more difficult". Boo hoo. Having to go through customs at the airport makes things more difficult too. So you don't have direct, end-to-end communication. Deal with it; it was a utopian ideal that didn't survive contact with the real world.

      2. Jamie Jones Silver badge

        Re: It's happening, get over it

        I always get much lower latency connecting to my US servers from the UK using IPv6.

        Yes, I know this is due to link usage/capacity etc., and nothing directly attributable to IPv6, and that this load imbalance could well change in future, but still, it's a 'real world' advantage for me to have IPv6 at the moment!

      3. Charles 9 Silver badge

        Re: It's happening, get over it

        "My phone is on carrier grade NAT when it is on the telco network. Everything I have done over phone (tether) works fine whether it is the likes of SSL or IPSec VPNs, skype, and everything else. No issues."

        Sounds like you're MAKING the connections in this case, plus Skype has a Trent to help it. But what about if you have to operate a daemon behind a carrier-grade NAT? Even worse, what if both you and the target party are behind a NAT (or worse, carrier-grade NAT), meaning neither you nor your destination have a uniquely-addressable point to refer to? There's physically no way to achieve that without a third party (a Trent) that both of you can reach, which has safety implications of its own (Is Trent really Trent?).

  16. Anonymous Coward

    Why is it not available?

    If IPv4 behind a NAT that talks IPv6 to the wider world is so good, then why are there not Open Source projects doing this all over the Internet? I've obviously missed something.

  17. Tim Brown 1

    A short IPv6 story

    A little while ago, we leased a new dedicated server for our business. In the spirit of keeping up with technology and looking to the future, I got one that had ipv6 connectivity.

    Shortly after migrating to this new server I was made aware that an application that uses Google Cloud Messaging was no longer working properly, Google was reporting that the server was unauthorised to send out messages. I checked everything and couldn't see the problem, the code was exactly the same as running on the older server and the new ipv4 address had been entered correctly into the Google control panel.

    Only after days of digging did the cause of the problem come to light. The cURL library used to send out messages was automatically defaulting to ipv6 rather than ipv4 and so Google was rejecting the messages since the ipv6 address wasn't authorised. Fine - I'd just enter that into the Google control panel then... but wait, what's this? Google's control panel only accepts ipv4 addresses...

    Long story short - I disabled ipv6 on the new server as the simplest solution with the added benefit that no more stuff would break for no apparent reason.

    1. (AMPC) Anonymous and mostly paranoid coward

      Re: A short IPv6 story

      I did the same thing after our training VLAN was hacked via an IPV6 flaw in our router. I currently don't allow any IPv6 traffic or support into our LAN, likewise at home. IPv6 is disabled on all system NICs by group policy. Existing and future IPv6 security issues are no longer my issues.

      In sum, Trevor's arguments make sense. If we don't need IPv6 internally and depend on NAT to protect us from Internet badness, what the hell is the rush?

      Ideological purity, like a vacuum, is rarely encountered in nature.

  18. Nate Amsden Silver badge

    kind of weird

    that it took el reg over 24 hrs to write about it? If you had people contacting you for 12 hrs it would have been nice to see an article earlier :)

    I think I first realized what was going on at around 1:15 yesterday afternoon (Pacific). There was nothing that directly affected me but I got notices early in the morning from our data center provider they were doing emergency memory upgrades on all of their switches/routers at all of their data centers (we don't use them for IP connectivity). Then I got another email from a service we use saying they were having problems with their carriers. Then I contacted a friend and he pointed me to a reddit thread (I don't spend any time on reddit otherwise) which had a bunch of folks talking about it.

    A co-worker late yesterday afternoon searched google and said he found nothing other than the reddit thread on the issue. Which prompted me to write a blog post on it (I don't have much to write about these days..).

    interesting to hear that network admins were turned down for upgrades in preparation. Seems like an easy sell "look at this graph: http://bgp.potaroo.net/bgprpts/rva-index.html when it gets to 512,000 - we go down unless we buy X" (I realize that most providers didn't go completely down but rather degraded but it's easier to explain to just say you go down). I've worked for some really cheap bastards over the years and I don't think any of them would have given me shit had I told them that.

    On that note however I looked up the specs of the core switches I was using 10 years ago and they had capacity of 1 million unique BGP4 routes in hardware as well as 2 million non unique BGP4 routes in hardware (we did not use BGP they were just powerful switches). How service providers 10 years later could be running equipment that can't do at least that is just pathetic. I would expect switches/routers of today to handle at least 5 times that without blinking.

    I had some reports of some of our customers reporting bad experiences on the interwebs - but neither of our IP providers reported any problems and none of our monitoring indicated any issues with our site internally or externally which was nice.

    1. Trevor_Pott Gold badge

      Re: kind of weird

      "kind of weird that it took el reg over 24 hrs to write about it? If you had people contacting you for 12 hrs it would have been nice to see an article earlier :)"

      Deeply sorry. I was busy dealing with the fallout of it for my clients and at the same time hadn't slept in two days because I'm trying to get this booth demo built before it has to ship to 'Frisco. To be perfectly honest with you I felt that it was just plain easier to send feelers out to people smarter than me to verify my assumptions than to try to force my sleep-deprived brain through the mental gymnastics of working out all the details myself.

      I'll try harder next time.

  19. Nate Amsden Silver badge

    forgot to mention

    oh and routing RDP has nothing to do with the 512k route thing. Not sure why you mentioned that. These are layer 3 routes, RDP is layer 4 and up, which requires layer 3, but of course not vice versa.

    1. Trevor_Pott Gold badge

      Re: forgot to mention

      Because my sources say that the way the DPI widget works is thusly:

      1) Streams enter DPI widget

      2) Widget determines where various protocols will go

      3) packets are vomited into appropriate route.

      If the DPI widget - or some intermediate chunk - is "full" thanks to 512Kday, then it is entirely possible for one specific protocol not to work while all the others do. (Thanks, "traffic management"!) Of course, I don't have "official" confirmation of this, but it was laid out for me in such a manner that it seemed entirely plausible that both issues had a single cause.

      1. Nate Amsden Silver badge

        Re: forgot to mention

        the DPI widget may very well have been overwhelmed, though that's still a layer 3 thing. The original article somewhat implies (though I suspect most of the readers are techy enough to see past it) that the problem may have impacted specific protocols rather than connectivity in general regardless of protocol.

        but in any case not a big deal

  20. IanCa

    for the 512k limit - a relatively small number of relatively old boxes still run by a subset of smaller ISPs had this limit. there is a published workaround. some would have had to implement it in a hurry if they had not done so already. All the modern big internet routing tin running in the majority of ISPs, stopped worrying about this limit years ago.

    IPv6 - concur. v6 is fundamentally harder for your brain than v4, - this from someone at CCIE level. The businesses whose sysadmin/network people are at the CCNP, CCNA or CCnotatall level, are going to find it nigh on impossible. as other posters said, they can't be expected to have a clue how to setup v6 multihoming with BGP - or in fact what those words even mean! v6 is still in the land of early adopters - geeks who want to do it cos its cool to have a v6 connection from your bedroom.. providers who can run it in self-contained fashion within their clouds that their engineers have control of (think mobile operators). The progression into even large enterprises who can afford to have a bunch of CCIEs on the books, will take years.. why should they change? until draytek/netgear/dlink and that crowd produce a box that does it all for them without requiring thinking, it can't go mass. non-tech people can just about cope with 192.168.1.1. expecting them to comprehend 2001:DEAD:BEEF::<some EUI>/64... you're having a laugh? so I fail to see how v6 ever practically gets rolled out to enough of the world to matter....

    1. brooxta

      > geeks who want to do it cos its cool to have a v6 connection from your bedroom

      Yes, because when was the last time a geek in their bedroom changed the face of the internet as most people know it?

    2. Nate Amsden Silver badge

      Subset of smaller ISPs perhaps. I see names like AT&T, Verizon, Comcast being tossed about (datacenter knowledge article).

      I don't wish to single out my data center provider but all of their facilities were impacted as well and they have several million square feet of data center space, the facility my equipment is in is one of the largest data centers in the world (colo anyway - it feels like a half mile walk from the parking lot inside the building to get to my cage probably closer to .3 miles). But again we don't use them for IP transit, so their problems did not impact us.

      This particular data center I believe came online in the last 5 years, so it's not as if they were running the same equipment for the past 15 years or something. To their credit they had their first facility that was impacted (the one I was in) upgraded by about 2PM pacific time.

      A monitoring service we use was impacted as well and they are in a well connected data center(s) too. I don't know who operates those facilities though.

      So this goes well beyond end user connectivity into lots of data center facilities probably around the world.

  21. John Savard Silver badge

    Problems Yesterday

    Yesterday, I noticed that for some time I could not access Typophile or the webcomic Atomic Laundromat, but other sites worked properly. I don't know if that was due to this routing bottleneck or not.

    1. Destroy All Monsters Silver badge

      Re: Problems Yesterday

      On the Internet, nobody knows whether you are the guy with painful BGP problems.

      Nobody.

  22. Anonymous Coward

    Huh

    I don't get the people who say "IPv6 is rubbish, we should just chuck a few more octets onto IPv4". I'm sure that well engineered thought took all of 30 seconds to think of.

    IPv6 adoption isn't massive and that's a far more established standard than tacking bits onto IPv4 would ever be. Not sure you're going to get far by suggesting we scrap the v6 work and wait for router manufacturers to do "extended IPv4" or whatever.

    The idea that IPv4 and the various plasters that people have proposed (like CGNAT instead of doing V6, ugh) is just as shortsighted and ideological as the v6ers who think that NAT shouldn't exist at all.

    The telephone number analogy is a bit off, too. Telephone switches are designed with variable length numbers in mind - as every country uses a different system, and in the UK you've got about 5-6 different systems alone (3/4/5/6 digit area codes, variable numbers, variable length exchange codes necessitating different route patterns, landline telephone exchanges can route on number or on area code and number, or carrier access code, area code and number, etc) - the US numbering plan looks like a work of art in comparison. IP equipment doesn't work that way.

  23. 2+2=5 Silver badge
    Unhappy

    Too much censorship

    John Gilmore: "The Net interprets censorship as damage and routes around it".

    (But only for 512K acts of censorship)

  24. harmjschoonhoven
    IT Angle

    Re: 512KDay

    I will wait till the 2^19Day.

  25. croc
    Coat

    BGP? IPv6???

    If we had all agreed to use ATM we'd not be having this discussion...

    (where's a good duck when you need one?)

  26. david 12 Bronze badge

    .. we handled the very real issues posed by [Y2K] so well...

    Or perhaps you handled them so badly.

    Dedicating too much real resource to fix a problem is a fail, just as much as losing resources because of unfixed problems is a fail.

    I was doing consulting with a [very] large multinational company that was unable to pay their very large [national] bills for a month, because they had dedicated all of their IT effort to ensuring that there would be no Y2K problem, and then had only 6 months to prepare for a real, legislated, [national] accounting and tax change.

    Proper IT management would be good. Y2K was not a good example of good management.

  27. Huckleberry Muckelroy

    Making Do

    I think that IPv6 DNS for every device made by Man and God, and a host file for the local subnet; a bit like if it all comes crashing down, we'll always have Fire and the Wheel.

  28. Brent Beach

    Is this really why the Y2K problem has a long shadow? "Globally, we handled the very real issues posed by computers being unable to comprehend the passing of the millennium so well that the average punter didn't notice the few systems that didn't get updated."

    My recollection is that in fact there were no real issues, or almost none.

    In fact, the Y2K BS storm inflated the computing market which then blew up in the dot com bubble.

    The implication that Y2K was a success, rather than a much hyped non-event is certainly counter to my experience at the time.

    1. Vic

      My recollection is that in fact there were no real issues, or almost none.

      Then you were lucky. I had *lots* to fix at several establishments.

      Y2K might not have been a worked example in how to run a development project, but the reason it was such a non-event is all the hard work put in by many people trying to turn it into that non-event.

      Vic.

    2. Phil O'Sophical Silver badge
      FAIL

      Y2K

      My recollection is that in fact there were no real issues, or almost none.

      Which is entirely due to the considerable effort put in by my colleagues and I, and other engineers in other companies, to find and fix problems well before 1/1/2000.

      Of course, we could have just waited to see what went wrong and fixed it then. Based on the bugs that we did fix I can assure you that it wouldn't have been a non-event then, believe me. Perhaps you'd have preferred that?

  29. HKmk23

    Cloud computing......I don't think so

    What did they expect.....?

  30. Flash_Penguin

    dumb question

    Why can't you have an ipv6 router internet facing with an ipv4 back end?

    1. Trevor_Pott Gold badge

      Re: dumb question

      Because the two protocols are completely incompatible. Every attempt I've seen to do what you suggest is best described by the phrase "slouching towards Bethlehem".

    2. Phil O'Sophical Silver badge

      Re: dumb question

      Why can't you have an ipv6 router internet facing with an ipv4 back end?

      Many reasons, not least that the IPv4 systems connected to the back end have no way to put the IPv6 address of the external system they want to talk to into the address field of the packets. Something would need to maintain a translation table.

      Think of trying to address a letter to someone in China if you can only write English characters and the Chinese post office can only process addresses written in Chinese.

  31. -v(o.o)v-

    Luckily there are systems out there doing NAT66 for those that need it even though it is not "pretty".

  32. Flywheel Silver badge

    Name and er, shame?

    Soooo, where can I get list of routers that can't handle more than 512K routes? This important piece of information seems to be sadly lacking.

    1. Chris Miller

      Re: Name and er, shame?

      I think most BGP routers that can't handle more than 512K routes are to be found in science museums. The problem is all the ones that can handle more than 512K routes, but haven't had their config files updated.

    2. theblackhand

      Re: Name and er, shame?

      I suspect it will be Cisco Catalyst 6500/7600 switches with Supervisor 720 engines.

      There are 2 models - one supporting up to 256K IPv4 routes and one supporting up to 1M IPv4 routes.

      But....

      The default configuration of the devices allocates 512K IPv4 routes and 256K IPv6 routes.

      Other devices with insufficient memory would also be affected, but I suspect the deployment of Cisco 6500's in telco networks is very common and hence are the key to this issue being so widespread.

  33. sawatts
    Facepalm

    Crisis Fatigue

    Reminds me of several comments on the post-Millennium world...

    "We wasted MILLIONS fixing the millennium bug, and then NOTHING happened!"

  34. Stevie Silver badge

    Bah!

    This article exacerbates the problem by citing so many links that required a further link to get to the meat of whatever point was being made.

  35. Panicnow

    1Mb Day

    I remember 1Mb Day when the routing table went over the 1Mb RAM limit of Cisco's original 68000 based routers.

    In those days, the "new" but limited supply of Cisco 4000's were handed around between ISPs to ensure that core routers could be upgraded first.

  36. Anonymous Coward
    Anonymous Coward

    Thoughts from a mere user ...

    When my ISP announced that they were IPv6 compliant and were about to allocate me a shed load of IPv6 addresses, but only one IPv4 because they were nearly extinct, I read up about all the "advantages" that IPv6 was supposed to offer me and started getting worried. Then the ISP started writing about how IPv6 "just worked" through their routers, and those who adopted it would never have to worry about internet connectivity ever again (OK I paraphrase them a bit in order to provide a little plausible deniability). And my worry was confirmed.

    It was compounded when reading about a big ISP that decided to go perfurkling around all their customers' LANs looking for something or other. I honestly can't remember what the issue was, it was just the idea that they thought it a reasonable thing to do that worried me. So if they are prepared to do that through a specially inserted back door in the routers they provide for their customers, what would happen when everybody can go on a hunt through everybody else's LANs through the front door? Just think of the usual culprits with three and four letter acronyms instead of names! I am sufficiently worried about the lack of protection that will be caused by this stupidity on the part of the powers that be, that I will probably be re-introducing air gapped "sneakernet" systems in the near future. That will be a bloody nuisance, especially where connectivity has been routine. For me, an unreformed IPv6 is going to kill the internet.

    No, I haven't got anything to hide, I just don't like an audience 24/7. That's why this is AC.

    1. Ken Hagan Gold badge

      Re: Thoughts from a mere user ...

      This is getting silly.

      Maybe we're pampered here in the UK, but I have half a dozen routers collecting dust on a shelf nearby, some going back over a decade, none costing more than a few tens of pounds and *none* of them have no firewall. So, just to illuminate the discussion, can someone please name a router (not a modem with a single port, which you'd have to plug into a PC, which all have firewalls these days and have had for about a decade), which is IPv6-capable, which doesn't have a firewall?

      Sorry, but since the firewall is just software, and routers all run Linux, where the firewalling capability is free, and since IPv4 routers even at the cheapest end of the market have had proper firewalls since forever, and since IPv6 support is going to require a slight tweaking of the vendor's preferred Linux image anyway, and since failing to include a firewall *might* be grounds for a case of negligence against the provider, I just can't imagine anyone producing an IPv6 router without one. So I'm rather minded to say "put up (examples) or shut up".

      1. Anonymous Coward
        Anonymous Coward

        Re: Thoughts from a mere user ...

        Indeed. Name a Linux-based router that supposedly does NAT but not firewalling… In the Linux kernel, and this has been the case since kernel 2.4 days and possibly earlier, netfilter is responsible for all packet filtering and NAT.

        Both come under the same subsystem. Just because they don't expose knobs and dials for you to tweak does not mean the feature is absent from the device.

    2. Alan Brown Silver badge

      Re: Thoughts from a mere user ...

      "So if they are prepared to do that through a specially inserted back door in the routers they provide for their customers, what would happen when everybody can go on a hunt through everybody else's LANs through the front door?"

      And you don't run firewalls on your network border routers because.....?

  37. DrBobMatthews

    Try explaining the problem to a marketing or finance suit, their eyes glaze over, they see $/£ signs and have a heart attack. They then, some of them scream "you don't know what you are talking about" as though this will fix the problem, or we "can't afford to increase the budget" when they should be thinking we can't ignore the problem. British management is brilliant at three things, 1) Poor investment 2) Short termism 3) Sloped shoulders and buck passing

  38. razorfishsl

    Just wait until we start shoving the 'IOT' crap with buggy software onto the system…..

  39. Henry Wertz 1 Gold badge

    ipv6-literal.net not reserved.

    " For this purpose, Microsoft registered and reserved the second-level domain ipv6-literal.net on the Internet."

    Apparently not! Windows is just hard-wired to handle ipv6-literal.net addresses specially. The actual ipv6-literal.net domain is just owned by some kind of cybersquatter, in a browser for instance it goes to one of those generic pages with ads with "IPv6" in the titles.

    1. Charles 9 Silver badge

      Re: ipv6-literal.net not reserved.

      Ever thought that it's both? That Microsoft is the cyber-squatter in question and that they did this so they can't be accused of breaking Internet conventions by internally routing an otherwise-fair-game domain (it's quite all right if they own it)?

  40. lambda_beta
    Linux

    512K limit

    I thought this was solved years ago ... oh sorry that was the 640k limit ... never mind.

  41. ken jay

    my view on the broken internet as a system admin

    My belief is that hackers have found a way to access bgp on most main backbones grabbing certain types of traffic to their own c&c servers and others breaking bgp by attempting to access the routes by bgp all thanks to the article on the internet by yourselves

    http://www.theregister.co.uk/2014/08/07/bgp_bitcoin_mining_heist/

    I have worked with bgp and thought that the security to access bgp was usually higher than most people with root access to internal servers and talked about in hushed tones around the aircon intake and cisco routers.

    No, the internet is not filling up, we don't need to rush to buy new equipment but there's a war going on behind tcp-ip between the hackers and the NSA who both want to take over this space because of what you can do to the routed data.

    1. Alan Brown Silver badge

      Re: my view on the broken internet as a system admin

      "My belief is that hackers have found a way to access bgp on most main backbones grabbing certain types of traffic to their own c&c servers"

      No need to look at blackhats. Pakistani telecom managed to shut down a good chunk of the internet whilst attempting to block Youtube a couple of years back.

      Hit-and-run route hijacking has been a noticeable problem for about 15 years, as has theft of IPv4 blocks via forged documentation, but the problem is far less widespread than it used to be thanks to the Hijacked list and lockdowns on BGP security.

      Ironically, it's far easier to route-hijack phone networks than IP ones(*) - and the world's phone number routing networks have the same kind of route capacity issues as BGP.

      (*) The fallacy is that entities with access to the phone routing nets are "trusted", so security isn't necessary.

  42. mark jacobs

    IPV6 and BT in the UK

    I have heard (my sources will remain secret) that BT (yes, British Telecom) have recently rolled out a load of fibre-optic routers and other equipment that DO NOT SUPPORT IPV6 at all! If you are going to deploy IPV6 stuff, don't expect the UK to understand any of it in the near to medium future!
