Pot / Kettle
I take it from their preaching that US government is 100% IPv6?
The US government is entering the next stage of grief and loss over IPv6, asking companies to explain why they won't just move over to the new protocol. "We are on the verge of an explosion in the number of Internet-connected devices, from smartwatches to connected refrigerators, furniture and thermostats," the National …
"We are on the verge of an explosion in the number of Internet-connected devices, from smartwatches to connected refrigerators, furniture and thermostats," the National Telecommunications and Information Administration (NTIA) – a part of the Department of Commerce – enthuses
Given how crappy they are all made & the lack of OS maintenance by their manufacturers, at a minimum I want those things behind a NAT router, not directly exposed to the Internet.
"I want those things behind a NAT router, not directly exposed to the Internet."
NAT doesn't matter, with IPv6 you can still just block incoming connection using connection tracking (just like NAT does) and have the exact same level of security even when every internal system has their own public IP address. Most consumer routers with IPv6 support are configured like that on default.
The problem with IPv4 is that (because of the IP shortage) eventually your provider will start doing NAT and your own router won't even have a public IP address unless you pay a premium. It already happened on the mobile network, so your phone doesn't have its own public IP.
Not that a lot of people will care about that unfortunately, unless you want (for example) to run your own servers or use IPSEC properly.
The problem with IPv4 is that (because of the IP shortage) eventually your provider will start doing NAT and your own router won't even have a public IP address unless you pay a premium. It already happened on the mobile network, so your phone doesn't have its own public IP. ...
Whilst I appreciate the flexibility and convenience of public IP addresses, from a pragmatic and practical perspective is that really a problem? Phones, in general, can quite reasonably be classified as 'terminals' and hence don't really need a public IP address; just like a user on a timeshare system doesn't have a public IP address assigned to their session. Yes CGNAT may cause problems, but (as far as the carriers are concerned) not to voice, since they provide an out-of-band voice service... Similarly with the majority of people's homes.
If you need to run your own servers (home or mobile) or use IPSEC and thus need a public IP address, perhaps it isn't unreasonable to ask people to pay a premium.
"eventually your provider will start doing NAT and your own router won't even have a public IP address unless you pay a premium"
It's been like that for years in SE Asia and sometimes multiple layers of NAT before the enduser gets a connection.
On the other hand it's frequently impossible to get IPv6 from the ISPs
Let me share a fun thing with you. Elreg are sitting behind Cloudflare, and Cloudflare support IPv6. If you put a Cloudflare IP for the site into your hosts file, like this:
then you can access the site over v6. Unfortunately posting doesn't seem to work though (the posts go into the aether).
We've got plans (and a Git branch) to make it all work on IPv6. We will enable it, but cannot yet.
Right now when posting via an IPv6 address some stuff breaks on our forums, which causes "issues", and I have to manually move the failed posts to /dev/null. No aether involved.
Don't piss off the sysadmins.
when posting via an IPv6 address some stuff breaks
And this is the issue. You can't simply swap the network layer out under the existing applications and guarantee that everything will work. Because of the history of the networking API you can't connect to a hostname and have the OS take care of the protocol details. Existing applications will likely call gethostbyname to convert a host name to an address but gethostbyname can only return one address - IPv4 or IPv6 - so you're snookered if you want to operate in a mixed IPv4/v6 environment.
So every application that may use IPv6 effectively needs at minimum to call getaddrinfo instead, which is at least protocol-transparent.
And any application that makes use of its own local interface address or the remote host address of a connected socket has to change to allow for the different address format.
Also, the nature of the TCP/IP programming model has led to application protocols containing representations of network addresses and there are loads of applications merrily passing host addresses around as 32-bit integers that cannot as they stand deal with IPv6.
My first involvement with what was then called "IPng" was, I realise with some astonishment, now 23 years ago. In the interim, all the commonly-used tools, like browsers, ssh and ftp have been fixed to support IPv6 but we still really don't know what the impact will be on other software.
It's rather like Y2K - there is probably a lot of software out there that will break under IPv6 but we don't know how critical it is or how much effort would be required to fix it. Unlike Y2K there isn't a hard deadline to concentrate minds. It's hardly surprising that everyone is leaving it to someone else to move first.
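The gethostbyname versus getaddrinfo point above, as an added worked example (this is not code from the thread or from El Reg's forum software). It shows the two things that post says break: code that stores a host address as a 32-bit integer, and code that resolves to exactly one address. The replacement resolves with getaddrinfo, walks every candidate IPv6-first and connects to whichever answers, so the caller never handles an address format. All endpoints are constructed listeners on loopback; the IPv6 half is skipped when the host has no ::1.

```python
"""Added example: the gethostbyname()-era pitfalls from the thread and the
getaddrinfo() replacement.  Not code from the thread; every host, port and
listener below is constructed locally on loopback."""
import socket
import struct


def addr_to_legacy_u32(text):
    """The 'host address as a 32-bit integer' pattern the thread describes.
    It can only ever hold an IPv4 address; an IPv6 literal has no 32-bit
    form, so refuse it rather than silently truncate it."""
    try:
        packed = socket.inet_pton(socket.AF_INET, text)
    except OSError:
        # inet_pton(AF_INET6, ...) would yield 16 bytes; struct 'I' takes 4.
        raise ValueError("not representable as a 32-bit IPv4 address: %s" % text)
    return struct.unpack("!I", packed)[0]


def resolve_candidates(host, port):
    """getaddrinfo()-based lookup: every (family, sockaddr) the resolver
    offers, IPv6 first (the RFC 6724 default), instead of the single IPv4
    address gethostbyname() is limited to."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    cands = [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]
    cands.sort(key=lambda c: c[0] != socket.AF_INET6)
    return cands


def connect_by_name(host, port, timeout=2.0):
    """Protocol-agnostic connect: try each candidate in order and return
    'IPv6' or 'IPv4' for the one that worked.  Sequential fallback only;
    racing the families (Happy Eyeballs) is a separate refinement."""
    errors = []
    for family, sockaddr in resolve_candidates(host, port):
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            sock.close()
            return "IPv6" if family == socket.AF_INET6 else "IPv4"
        except OSError as err:
            errors.append((sockaddr, err))
            sock.close()
    raise OSError("no candidate reachable: %r" % errors)


def start_listener(host):
    """Constructed local listener on an ephemeral port; family is derived
    from the literal.  Returns (socket, port)."""
    family, _t, _p, _c, sockaddr = socket.getaddrinfo(
        host, 0, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)[0]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind(sockaddr)
    sock.listen(1)
    return sock, sock.getsockname()[1]


def ipv6_loopback_available():
    """True if this host can bind ::1 (containers often cannot)."""
    try:
        sock, _ = start_listener("::1")
        sock.close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    print(hex(addr_to_legacy_u32("192.0.2.1")))
    srv4, port4 = start_listener("127.0.0.1")
    print(connect_by_name("127.0.0.1", port4))
    srv4.close()
    if ipv6_loopback_available():
        srv6, port6 = start_listener("::1")
        print(connect_by_name("::1", port6))
        srv6.close()
```

The practical check this gives you: grep a code base for gethostbyname, inet_addr, and any struct field or wire format that holds an address in 32 bits; each hit is a place where "just enable IPv6" will fail exactly as the forum software in the thread did.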
An IPv8 will have better performance, but I'd prefer an IPv12, preferably turbocharged, so you can squeeze more packets into the duct before ~~burning~~ processing them. Also, it would allow for a more parallel ~~burning~~ processing of packets...
No no no. There will be lag. Much better to have it supercharged.
(yes yes there are ways to mitigate turbo lag, but never mind that)
"Much better to have it supercharged.
(yes yes there are ways to mitigate turbo lag, but never mind that)"
Ever seen a turbo supercharger with a one-way clutch to allow mechanical drive at low throttle settings? (No, not a twincharger, this is a single unit driven both mechanically AND by exhaust gas). They were and are a "thing" on 2-stroke railway locomotives.
Back on topic, what we need is IPvInfinittyAndBeyond. :)
'the Internet Engineering Task Force decided not to make it backwards-compatible, which has somewhat hampered its adoption.'
Because backwards compatibility is such a success.
Windows - Microsoft has been trying desperately to lose backwards compatibility because it makes a dog's breakfast of their operating system. But it's also the only reason anyone buys it.
USB - Gone from a standard, to two standards on one set of wires, to two sets of wires in one cable and a ludicrous two-tier plug that's nearly got enough pins to be a parallel port.
PC - A crazy stilted architecture still carrying the baggage of a 35-year-old processor.
Sometimes you just need to do it again and ditch what went before. You can't just keep adding layers.
Well what do you expect from humans, an organism still suffering from thousands, if not millions, of years of genetic mutation and still bearing the weight of its neolithic heritage in its poor sad lumbering genes. They still think digital/apple watches are a pretty neat idea for heaven's sake, and might even elect that pinnacle of human evolution, Trump, to the presidency of the USA (gratuitous trump references being another sign of atavistic tendencies - we're an evolutionary dead end and no good can come of it.)
Windows - Who cares.
USB - Well, unless you up the power requirements, you're going to have to stick more leads in something (so why not USB). But I'm 50% in agreement with you, I do understand.
PC - Not sure which architecture you are using, but they all seem to carry the baggage of a CPU and memory (Did you mean ATX, IRQs, B.I./O.S. or something specific?). I just don't understand the alternative to the general usage of the term Personal Computer outside of also using it to imply "Windows PC" aka "PC".
Because backwards compatibility is such a success.
Not because of that.
1. Hideous complexity for no reason. v6 embedded into the protocol address assignment and network parameter discovery. Nice at the time, outright idiocy compared to what you get with DHCP now. When it became clear that it is nowhere near what you are getting from DHCP on v4 today the high gods of v6 (hello Fred), continued to insist that this is needed. As a result we have a ridiculous hodgepodge of protocol driven address assignment + dhcp6 today. Making DHCP6 _ALSO_ _NOT_ properly backwards compatible was an even bigger idiocy. WTF was the issue of not allowing a host to bootstrap over v4 and go v6 or dual stack. Idiocy and technoreligious zeal.
2. Very heavy reliance on multicast. Like it or not multicast was broken one way or another in a lot of network hardware and OSes for many years. As a result anything relying on multicast for its most basic functionality like neighbor discovery had issues. Also, for the same reasons, the protocol had to grow some very hideous warts for low power network implementations and other corner cases with no true multicast (supposedly v6 home turf).
3. Making the flow labels random by spec necessitating a controller to coordinate their use in a network setting instead of static label assignment - thus killing one of the key advantages and potentially the only protocol killer feature (it would have rocked for streaming).
I can continue for a while. v6 history is peppered with technoreligious zeal and ridiculous technical decisions. So from that perspective it is no wonder it is not being adopted.
As far as the USA government pushing for its adoption, I can fully understand they would love the rest of the world to expand their attack surface for them and provide a nice array of targets. You gotta love the end-to-end principle ya know. That is a very nice idea, but the answer is a choice of no and no. No cookie.
If you really are going to do it again, that's fine. Just one thing: you have to do it right. You have no excuses.
IPv6: networking's answer to Windows Vista and XHTML. Older than both, as it happens. Sadly, while Vista and XHTML have both failed and been long forgotten, IPv6 has failed and yet we seem to be stuck with it forever.
"Because backwards compatibility is such a success."
In the case of IPv6, you CAN'T make it backwards compatible.
The actual TCP/IP side is pretty much the same (16bit port addressing), but no v4 device can talk to a v6 one without some form of NAT entering the game and the sheer numbers make it impractical. (FWIW tunnelbrokers usually embed the public IPv4 address as the first part of the IPv6 anyway)
Routing is done on something less than a /64, so even if a bunch of machines in a subnet get used for a DoS attack, blocking that netblock is no worse than today.
In fact, since the routing is done a lot more intelligently in IPv6, it scales, unlike the current problem with IPv4 on top level routers.
Maybe there is some shared blame. Kind of like the telephone number shortage? I know that back in the day as a company when you asked a telcom for a large range of phone numbers they gave you 10,000 consecutive numbers.
When assigning IP addresses, did they give a range of numbers that was unreasonably large?
'bout 10 years ago I was in a meeting where the network people had done their homework and were able to successfully propose that the company could give up its class B Internet blocks (plural) and manage the whole network with two class A blocks. 5 digit intranet counts and rising. Oh, and increase network security because everything would have to go through the best centralized net boxen to be had. If you had a clue and looked ahead it was easy to benefit both your own company and everybody else.
'twas also the meeting where the CIO, after some time listening to the discussion, interjected "What's a class B address?" After a *very* long period of quiet, the nicest guy there answered succinctly and kindly. CIO didn't last another month, though.
> 'twas also the meeting where the CIO, after some time listening to the discussion, interjected "What's a class B address?" After a *very* long period of quiet, the nicest guy there answered succinctly and kindly. CIO didn't last another month, though.
Indeed, he seems like something of a dangerous intellectual in the CIO world.
A proper CIO would have demanded that the network be reconjiggered to operate only on Class A addresses and only over Layer 1, because we won't use anything but the best available under his watch!
Telephone numbers were limited by area codes (in the US) which were reportedly limited by Telco limitations to zero or one as the middle digit (go on and octet it out) by hardware.
Whatever - humans need to be able to understand this. I get a few of you autistic sorts do but the rest of us find IP6 to be gobbledygook and unreasonably complicated.
Awww, pwease won't you use IPv6? Pweeeeeze??
#1, I'd love to have a home router that actually uses IPv6. But I have to cook up something on my own if I want that. The average schmuck has no chance at that. None.
#2, Really, it's not my decision. That's my ISP's decision. Plug in equipment, and get ... IPv4.
#3, Could we get some software updates out here, please? There are an annoying number of packages that haven't figured out that IPv6 is a good thing.
#4, Get the local sysadmin to allow IPv6. Some people are annoyingly resistant to change...
To a certain point, I'm kind of glad that organized crime has moved in. Now it's a real problem if the mob are involved.
I think there are some home routers that understand IPv6. If not, there's always OpenWRT, which is fairly easy to install (and should default to 'safe')
As for the ISP, I deliberately switched to one that did support IPv6 - perhaps if people started voting with their routers (see above) then more ISPs would need to take it seriously.
perhaps if people started voting with their routers (see above) then more ISPs would need to take it seriously.
Perhaps most people neither know nor care what IP version they are using, and are perfectly happy behind the NAT box that they don't even know they have? The Internet of Tat does not require individually-addressable devices.
@Number6 - "perhaps if people started voting with their routers"
Sure, each time my 2-year contract nears its end, for the past... 8, 10? years, I'm not sure, I've asked around for ISPs IPv6 plans. So far, they have progressed from, "what's that" to "no plans" and "take a look at our really expensive premium service". Of course, they charge for fixed IPv4 addresses, can you spell "conflict of interest"?
"As for the ISP, I deliberately switched to one that did support IPv6"
That's not a choice in most of America - generally you find that your ISP choices are either a crappy expensive ISP or a half-arsed, very expensive ISP. My very expensive ISP has been promising IPv6 for a while now and appear to be handing out IPv6 addresses via DHCP but have not made any announcement of support yet.
That's where the UK scores, I guess. The US seems to have a near-monopoly situation, whereas the UK government did at least force BT to sell access to others so they could provide alternatives. However, BT's original network was built with public money, I'm assuming that wasn't the case in the US so the government has less moral right to force things. Although with the recent TW-Comcast merger talks, perhaps they could have allowed it but required some degree of unbundling so you could have a pipe from your cable company to your ISP of choice with a different mix of value-added services.
Comcast does IPv6 (possibly not everywhere), although they occasionally change the assigned /64 prefix which is irritating, and yes, they're expensive. While it works it's generally OK though, but that's true of any large organisation, things only get bad when you have to interact with their customer service department after something's gone wrong.
I don't have sources available, but I've read that most of the last mile infrastructure in the U.S. was indeed built with government subsidies. In a few areas I know first hand that subsidies are being plundered, including in my local home town. I have a fiber box in my yard (large rectangular box with access to an underground fiber connection inside.) They burrowed up and down my street for several weeks when installing it. I have friends that work in management at the local office of the telecom provider (a monopoly enforced by government) that have informed me that the local telecom provider has been taking advantage of federal subsidies to lay fiber underground throughout the city (small midwestern city.) (As an aside, this has been going on for over three years and no public admission of this has been made. 12MB DSL is the best I have available.)
Besides the direct subsidies, keep in mind that telecom companies were protected monopolies everywhere in the U.S. for many decades, and in a large chunk of the U.S. they still are. In the areas where competition is now allowed, only the choicest sites have developed meaningful competition.
"I'm assuming that wasn't the case in the US"
Yes and no. The USA has legislated local monopolies. It's supposedly open to competition, but the major telcos got monopoly concessions from the state PUCs in exchange for promises to invest in infrastructure.
The investments never actually happened, but when the telcos went back to get more concessions (such as baby Bells remerging) in exchange for more investment, the PUCs didn't ask any questions. The end result is that the investment never happened and AT&T (Ma Bell) has been reassembled into 2 pieces (to avoid any antitrust action) and is no longer subject to the "universal service" obligations from its 1935 antitrust settlement.
This is known as the "ten trillion dollar swindle".
A litter of 6 puppies or kittens would have probably sold more mindshares than a dial combination lock-shaped thing around a globe. The site also claims "THIS TIME IT IS FOR REAL" but according to archive.org, it said that on June 7 2012, so... We have always been at war with Eurasia.
Most ISPs (at least in the US) nowadays support IPv6. Granted, they may just do tunneling, like AT&T's U-Verse does. But still, it gives me an IPv6 address, and browsers and pretty much everything else defaults to that, and connects to an IPv6-enabled server (e.g., Google.)
My own domains are running dual-stack, and have for a couple of years.
since microsoft makes the servers prefer it. but for what purpose? Why does the world need to know about our 150 devices at company x?
Very happy with NAT and very happy keeping it simple on the inside without all the hassle of all the extra ::
Regardless of that, the ISPs don't talk about them, that is where you have to target, comms companies. Oh and making it a bit easier to configure firewalls to be reasonably assured things are still safe.
Surely the default firewall just doesn't pass anything initiating from the outside, so the basic IPv6 router is roughly equivalent to the NAT router with no port forwarding.
Then you allow specific IP/port combos through, with the advantage that if you want two web servers on different devices (for example), they can both use port 80 without conflict because they'll have different IPv6 addresses.
I have two Linux boxes on the network here. I've given them fixed IPv6 addresses from the private address space (FD00) so they can talk even when IT or the DHCP server decides to do something silly with the IPv4 space.
"Surely the default firewall just doesn't pass anything initiating from the outside, so the basic IPv6 router is roughly equivalent to the NAT router with no port forwarding."
deny all incoming via "whatever interface" (tun0 or gif0 or ?)
seems that is the SAFE way to configure your network router. I tend to be more specific and just block the ports I don't EVAR want accessed, like internal network sshd ports, Samba, X11, VNC, and anything "listening" on a windows box.
And don't call me 'Shirley' [had to do that, heh]
'netstat -ln' on linux, 'netstat -an' on windows, to see what's "open". then add to the list. leaving the others open can be useful, for home-based web servers, IRC or torrents, but blocking them anyway can't hurt...
[I also set up some AAAA records for my domain]
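The "run netstat -ln and see what's open" check from the post above, as an added example rather than anything posted in the thread. It parses `ss -Hlntu`-style output (a constructed sample is embedded; pipe in real output to audit a box), drops loopback-only sockets, and flags the services the thread names as things you never want reachable (sshd, Samba, X11, VNC, the printer port) when they are bound to a wildcard or global IPv6 address. The assumption, marked in the code, is Linux default behaviour: a socket bound to `::` also accepts IPv4 unless IPV6_V6ONLY is set.

```python
"""Added example (not from the thread): audit listening sockets for services
exposed on IPv6, the ones an IPv4-only habit of reading 'netstat -ln' misses.
Input is 'ss -Hlntu' style output; the sample below is constructed.
Usage on a real host:  ss -Hlntu | python3 listen_audit.py"""
import ipaddress
import sys

# Services the thread singles out as never wanting external access.
RISKY_PORTS = {22: "sshd", 139: "samba", 445: "samba", 6000: "x11",
               5900: "vnc", 631: "cups/printer"}

# Constructed sample, same columns as 'ss -Hlntu':
# Netid State Recv-Q Send-Q Local Peer
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128       [::]:22         [::]:*
tcp   LISTEN 0 50   127.0.0.1:631    0.0.0.0:*
tcp   LISTEN 0 128       [::]:445        [::]:*
tcp   LISTEN 0 5    127.0.0.1:6000   0.0.0.0:*
tcp   LISTEN 0 5        [::1]:6000       [::]:*
tcp   LISTEN 0 128          *:5900          *:*
udp   UNCONN 0 0      0.0.0.0:5353    0.0.0.0:*
tcp   LISTEN 0 128 [fd00::10]:8080       [::]:*
"""


def split_local(local):
    """'[::]:22' -> ('::', 22); '0.0.0.0:22' -> ('0.0.0.0', 22); '*:5900' -> ('*', 5900)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host):
    """'wildcard', 'loopback' or 'specific' for the bound address."""
    if host in ("0.0.0.0", "::", "*"):
        return "wildcard"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"


def family_of(host):
    """Assumption (Linux default, net.ipv6.bindv6only=0): a socket bound to
    '::' accepts IPv4 connections too, so it counts for both families."""
    if host in ("*", "::"):
        return "IPv4+IPv6"
    return "IPv6" if ":" in host else "IPv4"


def exposed_listeners(ss_output):
    """Everything not bound to a loopback address, annotated with family,
    scope and the risky service name if the port is one of RISKY_PORTS."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, port = split_local(local)
        if classify(host) == "loopback":
            continue
        findings.append({"proto": proto, "host": host, "port": port,
                         "family": family_of(host), "scope": classify(host),
                         "service": RISKY_PORTS.get(port)})
    return findings


def risky_on_ipv6(findings):
    """Sorted risky ports reachable over IPv6: what a NAT-only mindset misses."""
    return sorted({f["port"] for f in findings
                   if f["service"] and "IPv6" in f["family"]})


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    found = exposed_listeners(text)
    for f in found:
        tag = ("  <-- " + f["service"]) if f["service"] else ""
        print("%-4s %-10s %-9s [%s]:%d%s" % (f["proto"], f["family"],
                                            f["scope"], f["host"], f["port"], tag))
    print("risky services reachable over IPv6:", risky_on_ipv6(found))
```

On the constructed sample the audit reports sshd, Samba and VNC reachable over IPv6 even though, seen through IPv4 eyes, the X11 and printer ports look safely bound to 127.0.0.1. That is the list to feed into the "deny by default, then open what you mean" firewall the thread argues for.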
"I tend to be more specific and just block the ports I don't EVAR want accessed, like internal network sshd ports, Samba, X11, VNC, and anything "listening" on a windows box."
It's important to block traffic OUT from your network too.
Boxes which don't need external access shouldn't be given access to it. In particular webservers (which should be treated as disposable) shouldn't be allowed to initiate connections to virtually anything on the outside world. That way when they get compromised they can't be used as staging posts to attacks elsewhere.
Yes, but you need a firewall properly configured for that - and how many cheap home routers have a good, properly configured one? How many average users can properly maintain a firewall, and ensure rules are the correct ones, and one device doesn't become vulnerable by mistake?
NAT implies that rule without many easy ways to bypass it wholly - most users will be easily tricked into opening their firewalls for external access from everybody as soon as some petty software or device of theirs won't work.
Just a few days ago an acquaintance of mine asked me a way to share photos as he shoots them (for a portrait course) - he asked me if some advice on the Internet he found was good - one of them actually showed how to open to world+dogs SMB shares...
Even with NAT you can have "two web servers" - NAT was never limited to a single IP address, you can have more than one mapped to different internal addresses - what you mean is PAT - using a single address mapped to different address/port pairs inside.
IPv6 is needed, but it shows fully it was designed for the 1996 Internet, not the 2016 one.
since microsoft makes the servers prefer it.
I think you'll find all OSs will prefer IPv6 where available which is why Happy Eyeballs was invented, see the wikipedia article for a good starting point and https://tools.ietf.org/html/rfc6555 for the specification.
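What Happy Eyeballs (RFC 6555) actually does, as an added example that is not from the thread: rather than preferring IPv6 serially and making the user sit through a timeout when the IPv6 path is dead, the client starts the IPv6 attempt, and if it has not settled within a short delay (the RFC suggests 150 to 250 ms) starts the IPv4 attempt alongside it; the first to connect wins and the loser is closed. The scenarios are constructed on loopback: a "dead" IPv6 endpoint is a bound but non-listening socket, which refuses immediately, so the fallback is exercised without a real timeout. If the host has no IPv6 loopback the IPv6 attempt simply fails at socket creation, which the code also handles.

```python
"""Added example, not from the thread: a Happy Eyeballs (RFC 6555) connect
racing IPv6 and IPv4.  All endpoints are constructed on loopback."""
import socket
import threading

ATTEMPT_DELAY = 0.25   # RFC 6555 suggests 150-250 ms between attempts


def candidates_for(host, port):
    """getaddrinfo() results as (family, sockaddr), IPv6 first."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    cands = [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]
    cands.sort(key=lambda c: c[0] != socket.AF_INET6)
    return cands


def happy_eyeballs_connect(candidates, delay=ATTEMPT_DELAY, timeout=3.0):
    """Start candidates[0]; if it has not settled after `delay` start
    candidates[1] alongside it, and so on.  First success wins, losers are
    closed.  Returns ('IPv6' | 'IPv4', connected socket)."""
    cond = threading.Condition()
    state = {"winner": None, "failed": 0}
    settled = [False] * len(candidates)

    def attempt(idx, family, sockaddr):
        sock = None
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            ok = True
        except OSError:              # refused, unreachable, no such family...
            ok = False
        with cond:
            if ok and state["winner"] is None:
                state["winner"] = (family, sock)
            else:
                if sock is not None:
                    sock.close()     # lost the race, or failed
                if not ok:
                    state["failed"] += 1
            settled[idx] = True
            cond.notify_all()

    with cond:
        for idx, (family, sockaddr) in enumerate(candidates):
            if state["winner"]:
                break
            threading.Thread(target=attempt, args=(idx, family, sockaddr),
                             daemon=True).start()
            # Next attempt after `delay`, or at once if this one settled.
            cond.wait_for(lambda: state["winner"] or settled[idx], timeout=delay)
        cond.wait_for(lambda: state["winner"] or state["failed"] == len(candidates),
                      timeout=timeout + delay)
        if not state["winner"]:
            raise OSError("all %d candidates failed" % len(candidates))
    family, sock = state["winner"]
    return ("IPv6" if family == socket.AF_INET6 else "IPv4"), sock


def bound_socket(host, listen):
    """Constructed endpoint on an ephemeral port.  listen=False leaves the
    port bound but not listening, so connects are refused immediately."""
    family, _t, _p, _c, sockaddr = socket.getaddrinfo(
        host, 0, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)[0]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.bind(sockaddr)
    if listen:
        sock.listen(1)
    return sock


def scenario(v6_alive):
    """Race a constructed IPv6 endpoint (alive or refusing) against a live
    IPv4 one.  Returns (winning family, whether IPv6 loopback existed)."""
    srv4 = bound_socket("127.0.0.1", listen=True)
    try:
        srv6 = bound_socket("::1", listen=v6_alive)
        v6_port, have_v6 = srv6.getsockname()[1], True
    except OSError:
        srv6, v6_port, have_v6 = None, 1, False
    cands = [(socket.AF_INET6, ("::1", v6_port)),
             (socket.AF_INET, ("127.0.0.1", srv4.getsockname()[1]))]
    family, sock = happy_eyeballs_connect(cands)
    sock.close()
    srv4.close()
    if srv6 is not None:
        srv6.close()
    return family, have_v6


if __name__ == "__main__":
    print("IPv6 alive:   ", scenario(v6_alive=True))
    print("IPv6 refusing:", scenario(v6_alive=False))
```

With both endpoints alive the IPv6 attempt connects in microseconds and the IPv4 attempt is never started, which is the "prefer IPv6" behaviour the post describes; with the IPv6 endpoint refusing, the fallback happens at once instead of after a connect timeout. Only a black-holed IPv6 path (SYNs silently dropped) exercises the full 250 ms stagger, and that is exactly the case the RFC was written for.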
"How about forcing ISP's to issue them.."
At some threshold point, Ofcom have a plan to forbid ISPs without IPv6 from selling their service as "Internet" (That was their response to a complaint that not selling IPv6 isn't full Internet, therefore misleading)
They won't say what the threshold is.
Perhaps it's time to start lobbying Ofcom and the ASA.
Can I have budget approval for £xxk to migrate to IPv6?
Beancounter: What will it enable us to do that we can't do already?
Erm, not very much at the moment, but maybe in the future there will be some IPv6 only services, and we will be ready to use them.
Beancounter: Come back to me when there is something.
An addressing system that can assign an address to every grain of sand that has existed?
128 bits? Why?? If they had come up with a nice compatible system that made a 256-fold (8 bits more) or 65,000-fold (16 bits more) increase it might have gone a bit easier, but 128 bits? With that much addressing everyone picks their own way of doing "IT" and nobody really is compatible..
Maybe they assign IPv6 addresses to every key on a keyboard and go from there?
An addressing system that can assign an address to every grain of sand that has existed?
It doesn't work as you'd expect! There are many design goals, one of which is to never run out again (until we do that is). One of those goals is to try and make the global routing tables smaller by making aggregation easier. A consequence of this is truly massive "wastage" of addresses.
The smallest subnet is /64 which is rather a lot - 2^64 = 1.8 * 10^19 which is a lot of globally routable addresses. The original plan was that a subscriber would get a /48 prefix (eg Andrews Arnold - UK) but some "only" dole out a /56 (eg Entanet - UK). The idea is that you split your /48 or /56 into several /64 subnets for your various VLANs and given wanky IoT, you will need them.
Notice how your whole network is addressable globally through only one prefix and your ISP through a few slightly shorter ones (they can have multiple /32 - 65,000ish /48s or 16M /56s).
That's the theory for small routing tables but Private Address (PI) space buggers that up, quite a bit.
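The /32, /48, /56 and /64 arithmetic in the post above, worked through with Python's ipaddress module as an added example (not from the thread). It also shows the operational consequence that matters for filtering, and that the later "addresses change randomly every day" comment touches on: with RFC 4941-style temporary addresses the host part of an address is a random 64-bit value inside a stable /64, so block and allow rules have to be keyed on prefixes, not on the individual address you saw yesterday. The ISP and subscriber prefixes are constructed from the 2001:db8::/32 documentation range.

```python
"""Added example, not from the thread: IPv6 prefix arithmetic and
prefix-keyed policy.  Prefixes are constructed from 2001:db8::/32."""
import ipaddress
import itertools
import secrets


def subnet_count(prefix, new_prefix):
    """How many /new_prefix networks fit in prefix: 2^(new - old),
    computed rather than enumerated (a /32 holds 2^24 /56s)."""
    net = ipaddress.ip_network(prefix)
    if new_prefix < net.prefixlen or new_prefix > net.max_prefixlen:
        raise ValueError("cannot carve %s into /%d" % (prefix, new_prefix))
    return 2 ** (new_prefix - net.prefixlen)


def carve(prefix, new_prefix, limit):
    """The first `limit` subnets, e.g. the /64 VLANs of a subscriber /48."""
    subnets = ipaddress.ip_network(prefix).subnets(new_prefix=new_prefix)
    return [str(n) for n in itertools.islice(subnets, limit)]


def temporary_address(subnet):
    """RFC 4941-style temporary address: a random 64-bit interface
    identifier inside a /64.  The prefix stays put; the host part does not."""
    net = ipaddress.ip_network(subnet)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers live in a /64")
    return net[secrets.randbits(64)]


def aggregate(prefixes):
    """Route aggregation: adjacent /48s collapse into one shorter prefix,
    which is why a provider's customers appear as a handful of routes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


class PrefixPolicy:
    """Allow/deny keyed on prefixes, longest match wins.  A deny on the
    offending /64 still catches a host whose address changed overnight."""

    def __init__(self):
        self.rules = []

    def add(self, prefix, action):
        self.rules.append((ipaddress.ip_network(prefix), action))

    def decide(self, address, default="allow"):
        addr = ipaddress.ip_address(address)
        matches = [(net.prefixlen, action) for net, action in self.rules
                   if addr in net]
        return max(matches)[1] if matches else default


if __name__ == "__main__":
    print("/48s in a /32:", subnet_count("2001:db8::/32", 48))
    print("/56s in a /32:", subnet_count("2001:db8::/32", 56))
    print("hosts in a /64:", subnet_count("2001:db8::/64", 128))
    print("first /64 VLANs of a /48:", carve("2001:db8:1::/48", 64, 3))
    print("four customer /48s announce as:",
          aggregate(["2001:db8::/48", "2001:db8:1::/48",
                     "2001:db8:2::/48", "2001:db8:3::/48"]))
    policy = PrefixPolicy()
    policy.add("2001:db8:1::/48", "allow")          # the subscriber
    policy.add("2001:db8:1:2::/64", "deny")         # one abusive VLAN
    today = temporary_address("2001:db8:1:2::/64")
    print(today, "->", policy.decide(str(today)))
```

Two of the numbers are the ones in the post (2^64 hosts per /64, 65,536 /48s or 16M /56s per /32); the policy class is the practical point: blocking the abusive /64, as suggested elsewhere in the thread, keeps working when the host rotates its interface identifier, whereas a rule on the exact address silently stops matching the next day.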
Too bad Comcast is too incompetent to actually be able to assign static blocks of IPv6 to people... You can get a v6 address dynamically assigned, but they've constructed their DHCP servers so that when it expires, it will never allow you to renew it, only get a new one. I have a couple services that I host with my connection that need static addresses (Dynamic DNS doesn't work all that well with DNSSEC)
Yup, I'm paying $35/month for the 5 lousy addresses I'm using. They won't even take them back and give me new ones since the ones they gave me had been blocked by the various black-list providers due to the previous users sending out malware-laden spam. It's quite difficult to run an email server when you're on all of Spamhaus's shit-lists...
It's not like they'd lose money if I had IPv6 addresses, I'm going to keep mine until IPv4 goes the way of DECnet and IPX/SPX...
"Did you and your ISP contact Spamhaus"
I contacted Spamhaus, Comcast didn't. SpamHaus was really cool about things and were easy to work with, getting the proof that I was a different person was the real problem. Every time I'd call up Comcast to see about getting some kind of official letter or something, they'd tell me "If you are having problems with Spam, we would be happy to send an engineer out to install the free copies of McAfee that come with your account that will protect you from harmful email". When I pointed out that it's servers receiving my emails that are believing it to be spam, they just recommended that I tell my customers to add my address to their address books to ensure delivery. Called them 30 times in 2 months before giving up. I ended up setting up a VPS to relay my email.
I ended up getting my IPs removed from 105 different blacklists over that time, and most of them were awesome people, some were actively hostile when I couldn't offer up a notarized letter from the ISP that the IPs are re-used. I can't wait until IPv6 is the dominant protocol so that entire /64s can be thrown out and avoid this mess in the first place.
"I ended up getting my IPs removed from 105 different blacklists over that time, and most of them were awesome people, some were actively hostile"
That was predicted when the early ones got stomped on by spam-friendly ISPs.
The flipside is that the more hostile ones aren't used much and you're probably better off worrying about the tens of thousands of privately operated blacklists running on individual mailservers which you'll never get out of.
You could resort to taking legal action against your ISP for supplying IP addresses which were unfit for purpose due to past customer misuse. Or you could take the easier option and take your business elsewhere, instead of staying with a spam-friendly ISP (which is one of the goals of a lot of the blacklists. Hurting spam-supporters economically is the only way to make a point)
Companies choose the path of least resistance. If that involves staying put until circumstances dictate otherwise then that's what they'll do.
If countries want to force IPv6 then it takes little more effort than legislating compliance and setting a timeline by which it should happen. If it's not possible to *force* compliance then they can make it extremely uncomfortable to not be in compliance - withdrawal of grants, licenses, tax breaks, government contracts etc.
Got nothing against IPv6, but this current insistence that its benefit is that every device has a routable IP address has my alarm bells ringing, particularly when it's governments and their agencies playing that card.
I know we're technically "out" of IPv4 addresses (I.e. they've all been issued), but there's no way they're all being used. I'm sure we'll see blocks returned before we'll see significant uptake of IPv6.
alarm bells ringing? consider that ALL IPv6 addresses are (essentially) like a 'fixed IP', and without firewall protection, can be cracked as they're publicly viewable.
at one time it was well known that giving a windows box a publicly visible IP address would guarantee that it would be cracked into within a small period of time, maybe even a few minutes. It's not as bad now, as I understand it, but I wouldn't want a windows box with a publicly viewable IP address anyway.
and linux/BSD boxen can be misconfigured. watch out for X11 listening port, for example, and many desktop managers enable VNC by default, and then you probably run Samba, and your printer config is on a well known port too.
But they're not fixed. v6 addresses change randomly every day and the prefix can be either dynamic or static like a v4 address. Plus you have a firewall because the router will have one.
It's not insecure at all -- or at least it's no worse than v4 on this front. Your browser is still as vulnerable as ever...
"NATting via 16-bit port numbers already expands IPv4 by a factor of a thousand or more "
Ask your ISP to provide you with your CGNATd port 80 equivalent and get everyone's web browser to start using say SRV records to look up the port number of your web server as well as its address. Finally get your home router to forward that port to your web server. Now try to debug the bollocks of a mess you are suggesting when it goes wrong.
That's an easy one, now try and get SIP and RTP across that lot. In your plan IAX2 will take over the world very quickly for VoIP ...
If you buy a smart thermostat, you do not need OR WANT it to be directly addressable from anywhere on the internet. Your router will assign it an unrouteable address, it will connect using NAT, and it will be just fine.
There are some valid reasons to move off IPv4, but people buying crap like that for their home is NOT one of them. IoT would be far more of a security shitshow than it already is if we were all using IPv6 now, and people had all that junk directly connected to and addressable from the internet!
"If you buy a smart thermostat, you do not need OR WANT it to be directly addressable from anywhere on the internet."
You or I can do this sort of thing but most can't. For example I bought a Keekoon "baby monitor" to wire up to my Zoneminder system. It's bloody cheap (<£50) and has pan and tilt, 720p, and IR vision. It really wants to connect to a Chinese server and a smartphone app but it is now on my SEWER VLAN and can't see the interwebs. I might buy loads of them and I might buy loads of lightbulbs with an IP stack. I'm not your average consumer and they will need addresses for their things. We are running out of addresses and NAT does not cut it any more.
Think in engineering terms. For example look at aircraft - https://en.wikipedia.org/wiki/Lockheed_Martin_F-35_Lightning_II - the JSF contract was signed in 1996. That's one aircraft type: this is the global internet - it's a bit bigger and far more complicated.
ARIN is out of IPv4 addresses and that is what is being peddled as we are out of IPv4 addresses. Of course we're starting to run into a different landscape of IP economics now, but there are lots of addresses to be had. As a low end user I'm still getting an address with all my services, even getting server space with two addresses for a buck a month. Until I see the price becoming unreasonable I won't believe that we are running out.
"We are on the verge of an explosion in the number of Internet-connected devices, from smartwatches to connected refrigerators, furniture and thermostats,"...."Many of those devices will need an IP address to connect to the Internet."
So our ability to connect all future toasters to the worldwide web is threatened if we don't get universal IPv6 acceptance?
This engenders a complex moral question. I'd like some opinions from fellow Regenistas about the morality of me putting out contracts on the lives of important international advocates of IPv6 adoption, versus avoiding the damage done to the economy and personal privacy from the proliferation of expensive, unreliable, insecure and intrusive IoT devices and the possible threat to humanity posed by a potential future genocidal electronic overmind having its genesis in an internet-connected toothbrush somewhere.
From my point of view: fixing the vulnerabilities is a no go.
IPv6 is broken by design.
If only they had defined a protocol that was "IPv4 with long(er) addresses".
Instead of: since backward compatibility is not possible, let's change everything.
Now we have to live with it: there *is* a shortage of IPv4 addresses and there is no alternative layer three protocol with longer addresses.
But that does not mean we must be happy with it. I know of network admins who refuse to deploy IPv6 on the internal network, because of the vulnerabilities.
NTIA doesn't need to do anything. In a perfect world, IoT tat will use its IPv6 addresses and we will stay behind our NAT firewall on IPv4, which still works perfectly thank you very much.
What I want is the assurance that any IoT piece of shite that might somehow find its way into my house won't ever be able to connect to the Internet without my express authorization. The fact that I have disabled WiFi is a good first step, in my opinion, but I'd appreciate if my ISP could give me a router with a specific "forbid IoT tat access" setting, or at least some form of authorization on a per-IP basis.
Aren't most of us on IPv4 because our ISP only supports IPv4 for our geographic location?
For home users, Windows 7, 8, 8.1 and 10 in default configuration seem ready to go with whichever IPv is connected, whatever the router and ISP provide. (I've never tested it though.) ISP goes to v6 and we automatically go to v6 -- except maybe for the NAT routers. But then the NAT routers are usually owned by the ISP.
There is no sense in trying to sell to non-decision makers. If the 3 federal governments in North America want IPv6 then they must mandate a transition to IPv6 -- companies are not going to voluntarily forgo profits.
Benefits related to implementing IPv6: given we already have a working IPv4 network, none
Anticipated return on IPv6 investment: none (see above)
Anticipated costs: a full audit of every network-connected piece of hardware or software (the full stack, not just the OS) to ensure they function correctly. Failure to do so correctly will likely open our organization up to security breaches which, due to a lack of in-house knowledge of IPv6, will be harder to identify or remedy. Dollar value unknown but makes Y2K look like a pound-shop special offer.
If IPv6 hasn't taken over by now, it'll never be widespread. It's actually obsolete -- it was developed 20 years ago, and the Internet has completely changed since then. IPv6 was actually designed as an alternative to IPv4, not an extension. As a result, there was no defined upgrade path, so nobody upgraded to it and nobody completely dropped IPv4 support.
Also, it's a lot easier for an end user to securely configure ONE device instead of the dozen or so devices that are in his house. As a result, he (and everybody else) is hiding behind NAT and the firewall in his router. Yet IPv6 essentially eliminates NAT, which is the #1 Internet security device in use today. Twenty years ago, security wasn't a problem. Today, if an end user connects an unprotected device directly to the Internet, it will be hacked by the time he downloads, installs, and configures his firewall.
My router and ISP support IPv6, but all the devices connected to that router are IPv4 with non-routable addresses. This is how most people have it set up, even though they probably don't know it. Until their router crashes from all the juggling going on, at which point tech support will tell them to configure the router to be IPv4 all the way (like I did).
I hope the next iteration is just IPv4 with more bytes in the IP address.
IPv6 doesn't mean "directly connected to the internet". You still connect via a router, and the router will still be running a firewall (or at least the one supplied by your ISP will be -- if you run pfSense or something then it's up to you). You'll still be protected.
"Yet IPv6 essentially eliminates NAT, which is the #1 Internet security device in use today"
NAT == "security by obscurity"
Decent firewalling rules aren't hard. NAT protects devices behind the router by good fortune rather than good design (and UPnP blows that all apart anyway).
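As an added illustration of the point made in the comment above (this is an example written for this page, not any commenter's own configuration), an nftables ruleset for a home router that gives IPv6 devices the same protection NAT gives by accident: stateful filtering that drops unsolicited inbound connections while still passing the ICMPv6 that IPv6 needs to work. The interface names eth0 (WAN) and br0 (LAN) and the 2001:db8: address are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 forwarding policy for a home router.
# Assumptions: eth0 faces the ISP, br0 is the LAN bridge, and
# 2001:db8:1::10 (documentation prefix, constructed) is one LAN host.
#
# The weak setting this replaces is a forward chain with
#   policy accept;   and no rules
# which makes every LAN host directly reachable from the Internet.
flush ruleset

table inet filter {
    chain forward {
        # Default-deny: nothing is forwarded unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened come back in, exactly the
        # behaviour people rely on from NAT's connection tracking.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN initiates toward the Internet is allowed out.
        iifname "br0" oifname "eth0" accept

        # IPv6 breaks without these (Path MTU discovery, error reporting),
        # so do not blanket-drop ICMPv6 the way many IPv4 rulesets do.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, echo-reply
        } accept

        # Explicit, per-device exception: the IPv6 equivalent of a NAT
        # port-forward, but addressed to the host rather than the router.
        iifname "eth0" ip6 daddr 2001:db8:1::10 tcp dport 22 accept

        # Everything else arriving from the WAN is unsolicited: dropped by
        # the chain policy, logged here so you can see what is knocking.
        iifname "eth0" oifname "br0" log prefix "v6-unsolicited: " drop
    }
}
```

Loaded with `nft -f` on a Linux router, the result is the "block incoming, allow outgoing" behaviour of a NAT box, except that the allowed inbound paths are written down explicitly instead of depending on an address translation side effect.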
Time and time again I see comments effectively saying "why didn't they just add extra bits but keep compatibility with IPv4?"
Look, this is NOT possible. IPv4 has a set of specs for what's in the headers - and there is absolutely no way, really NO way to change that without breaking every piece of hardware or software that deals with anything in those headers.
Add more bits to the address - everything breaks and has to be upgraded. Every bit of software has to be changed to cope with an address storage variable that isn't 32 bits long, and be capable of determining which length to use. Every bit of hardware (e.g. dedicated routing engines) has to be upgraded with larger registers. Similarly if you do anything else to "expand", such as expanding the port number size to make NAT "better".
So when someone suggests that we could have "simply upgraded IPv4" then they are either deluded or lying<period>.
Yes, there are things in IPv6 that could possibly have been done better. But some of the changes have been done to make things better. I have noticed that some of the criticisms come from people who have never used anything but ethernet - and hence see no reason for some of the changes.
Unfortunately there is some relearning to be done - but if you are in "IT" and can't cope with some new skills learning then you are in the wrong industry!
So once you accept that there are no magic unicorns (somehow upgrade to longer addresses without breaking everything), why not take the opportunity to do things actually better rather than just bigger?
"Time and time again I see comments effectively saying "why didn't they just add extra bits but keep compatibility with IPv4?""
The trouble is that back in the late 80s when the problem was foreseen, the opportunity was there to simply define IPv6 as either IPv4 but with an enlarged address space and some extra reserved header bits for future functions, or OSI CLNS!! :) However, because the decision was made to do something much bigger and different, the opportunity to get something out prior to 1995 (in readiness for the widespread distribution of a new client with Win95) was lost and the rest is history.
We shouldn't forget that in 1995 the Internet was still largely in the control of the universities etc. and so effecting change wasn't as difficult as it is now...
Biting the hand that feeds IT © 1998–2019