IPV6 Foot Dragging Goes On Forever
This isn't amusing any more. It's time to catch up with the future.
Microsoft's Azure cloud service occasionally runs out of US-based IPv4 addresses. Redmond 'fessed up to the issue in a blog post in which it says users have been asking it why, when they use Azure-hosted VMs, they find themselves redirected to websites localised for other nations. The post offers a screen shot …
@Primus Secundus Tertius
This covers your rather odd post, and more http://programmers.stackexchange.com/questions/185380/ipv4-to-ipv6-where-is-ipv5.
@all others: Could someone tell me why IPv6 is looked down on by so many? I'm not a network guy.
A lot of these things aren't quite problems or have been somewhat solved, some remain, but it isn't as bad as it would seem.
*You can't manually set a default route on most OSes (You need to enable Routing Advertisements)
Which OSes? I've been able to manually set default routes on Windows and Linux. Not sure about OSX but I'd assume it's possible as well. The one I did have problem setting up was with a particular Solaris box, which indeed required me setting up SLAAC/radvd.
*There are a bunch of other services needed on DHCP-based clients
Not sure what you're talking about here.
*Many ISPs don't support IPv6, which means you have to pay for a tunnel
There are free tunnel brokers, SixXS and Hurricane Electric at the least.
*ISPs that do support IPv6 will charge you an arm, a leg and your first born for IP addresses (usually a /64)
Some ISPs are giving out larger blocks. Sometimes a /56 or a /48.
* The smallest IP block you can use is a /64, so you need a new block for every network segment you have.
Agreed, while having /64 as a minimum is a "feature" intended to avoid having the IPv4 problem of "ISP didn't give me but one IP for my home network", if your ISP only gives you a /64 you'll need to ask for new blocks if you want to segment your network. ISPs would have to be forced to give out larger than /64 blocks then.
*No NAT, so rather than just needing a small block of external addresses and using a chunk of the 192.168.*.*/16, 172.16.*.*/20 or 10.*.*.*/8, you now need a separate /64 for each piece you were planning on taking.
This is a feature. NAT was originally brought in because of the IPv4 address exhaustion. But the internet was never intended to have a zillion private addresses being hacked into a single IP on the global network and the protocols show it. NAT breaks a lot of stuff and the only reason we see it running smoothly at some places is because the gateways are keeping tabs on the whole NAT stuff. But some things won't work at all. IPv6 brought the "scoped addresses" concept, so your internal stuff can set up a private address space similar to the 10.0.0.0/8 and similar variants for internal equipment, and you don't need to dole out global-scope IPv6 addresses to boxes that aren't going to need access to the global internet.
Sure, it requires a lot of re-training on the security side of IT, but we have to realize that the current "NAT == Security" mentality is wrong and move on.
>but also raises questions about why Azure is relying on Ipv4
Because (according to the quality of comments on IPv6 articles on el reg) network administrators don't like typing and are incapable of finding tools to make their lives easier or writing their own, so they have slowed the uptake of IPv6 tremendously. If 90%+ of your users have no way to access your server via IPv6 you're going to need an IPv4 address too.
>and how Redmond let itself run out of IPv4 addresses.
Because there aren't any left. How many decades of people repeatedly saying that there simply aren't enough free addresses to scale to current and future demand does it take for the message to get through?
>>and how Redmond let itself run out of IPv4 addresses.
Well we shouldn't forget Microsoft (like many others) were late to the party so missed out on a free /8 or two allocation. Also MS haven't exactly acquired companies with large allocations in the same way HP have.
What this announcement tells me is that cloud infrastructure is such that there are design and operational reasons why NAT can't be used to any great extent.
No, to the average US punter the world outside the US is a big, scary place full of foreigners and their non-American ways. Having your stuff hosted in the US is, for them, like a security blanket. It might not be of any practical use but it keeps the bogeyman at bay.
For the rest of the world NOT having your stuff hosted in the US is a plus, probably as equally illusory, as who knows what the "security services" have got their fangs into?
Although having said that having a host located in Brazil is probably as good as it gets just now. Ask Dilma Rouseff why that should be.
After all SCADA in the Cloud is a big market for Azure, most of such installations run on Azure. And SCADA systems are mostly legacy systems which are unlikely to support IPv6. And you aren't going to replace your industrial controller just to support IPv6.
Solution: Charge more for an IPv4 address. They are a rarity so this can be justified, those that don't need them will go for IPv6 for costing, in a few years when you've moved enough onto IPv6 and lowered your IPv4 usage, you can lower the price to match for legacy systems and maybe throw in a loyalty bonus for those that did genuinely need IPv4 for legacy systems.
"Solution: Charge more for an IPv4 address."
Better yet, charge a subscription for address allocations, with the cost increasing exponentially the larger the subnet and/or total number of IP addresses the company leases.
Those with massive ranges probably have deep pockets, or can sub-let them at cost to others that need them.
The SCADA world needs a big kick up the bum and anything that helps achieve that is good news.
Just clever enough to connect your nuclear power plant to the IPv4 Internet, not clever enough to use an encrypted connection or change the default password (or even make the default password changeable).
Sorry, wrong. MPAA et al. are not claiming third party geolocation databases can tell what house an IP is associated with (and they can't even in the best case), they're claiming the ISP's own records can. In this example, it would be like saying that Microsoft itself has no idea if a given IP corresponds to a VM in the US or Brazil.
Plusnet is apparently doing that as well although it seems to have got hold of some US addresses.
I'm confused on IPv6 with regard to NATTING equipment behind a firewall.
From what I have read, IPv6 renders the 'need' for using router-based NAT as obsolete. The 192/24 172/16 10/8 ( & CIDR) private network concepts have been obsoleted, by some of the google/youtube research I have done.
The idea of my network hosts being publicly addressable seems like a bad idea to me. I might not be able to PINGv6 an IPv6 address over an IPv6 version of ICMP PING, but vulnerabilities appear all the time. (I'm thinking an IPv6 version of heartbleed).
I would much rather hide my equipment behind an IPv4 router that shields my equipment from hackers running port scans, than adopt IPv6.
I'm really looking for someone to prove to me that my concern is unfounded.
What it all really means is that because there are so many IPv6 addresses it's quite feasible for EVERYTHING to have an address from the public address pool, and theoretically be addressable from anywhere. This is unthinkable nowadays in the IPv4 world, hence the almost universal use of private address ranges. However there are private IPv6 address ranges too, and it would be possible for small networks to use these and have a single public address NATed, as per the current IPv4 method. The debate is whether this is necessary or not.
>Unless your ISP allocates a public IPv6 range for all your devices
Most of them are doing. Either a /48 or a /56. My current ISP doesn't offer IPv6 (Plusnet just to shame them a little). My previous one did (IDNet) and they give you a /48. So I became responsible for 2^80 addresses. That is slightly more than I need for all the devices in my house :)
But network administrators be warned. If you currently only know about IPv4 you should train up ASAP. There's quite a few gotchas and apparent 'weirdness' about IPv6 that means it's not going to be just a matter of throwing a switch and sitting back.
For one thing no matter what I tried I couldn't get Windows configured with a static IPv6 address. Anything other than DHCP issued blew the entire stack (IPv4 as well). For my server I ended up disabling the dynamic public addressing (the one that recalculates itself periodically) and just used the MAC derived address.
Oh and the real fun bit - just because two machines can resolve each others names doesn't mean you've got DNS configured correctly.
Strange... I was able to configure a static IPv6 on a physical machine. Not only that... It was a server box, running a hypervisor, controlling four VMs. One DNS, one a mail server, a honeypot (for fun) that looked like my 2008r2 main. And a client...
After BEATING MY BRAIN AGAINST A BRICK WALL... All it took to make it work correctly, a secondary (physical) NIC that was addressed SOLELY to the VM side. That NIC was essentially "talking to itself" as well as a route configured to my PRIMARY NIC. Primary NIC routes to my gateway and "knows itself"...
(back when I did this, my professor almost popped an eye vein) I was the only person able to make everything "talk" and see everything.
I was INSTANTLY forced to help others try and understand what I was doing...
I STILL don't understand how to explain it... I am better at DO, not explain. ;)
>Strange... I was able to configure a static IPv6 on a physical machine. Not only that... It was a server box, running a hypervisor, controlling four VMs. One DNS, one a mail server, a honeypot (for fun) that looked like my 2008r2 main. And a client...
Nice one. I dunno what the problem was. Click a couple of radio buttons and fill in some fairly obvious fields with information readily available. Only in my case it just caused the machine to lose all network access :(
That was particularly irksome on my server since it runs headless :-/
Anyway fixing the public address did the trick and eventually I even got gmail to send me mail over IPv6. Then I switched ISPs and now it's all academic.
If your ISP doesn't allocate you a public IPv6 range, they are doing it wrong and you should change.
Firewalling v6 is not hard - just drop all new incoming connections and use a stateful firewall to allow replies to outgoing connections on your router - you are now as secure as NAT ever made you.
The addition of privacy addressing means that a remote site can't realistically pin down your IP to a single machine as they regularly change too.
Just make sure you allow ICMPv6 - otherwise nothing will work quite right. Not that there's a good case for blocking ICMP on v4 or v6 anyway.
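The two addressing points made in this thread, scoped (unique-local) addresses as an internal address space, and privacy addresses versus the MAC-derived address one commenter fell back to, are easy to see in code. The following is an added example, not code from the original page or any commenter. It uses only the Python standard library; the ULA prefix follows the RFC 4193 recipe (SHA-1 over NTP time plus EUI-64, low 40 bits as the global ID), the stable identifier is RFC 4291 modified EUI-64, and the temporary identifier is a random 64-bit value in the style of RFC 8981. The MAC `00:11:22:33:44:55` and the extra rule that a random identifier must never contain the `ff:fe` marker are this example's own choices.

```python
"""IPv6 addressing helpers: scope classification, RFC 4193 ULA prefixes,
and EUI-64 versus temporary interface identifiers.

Added example for this thread, not code from the original page.
Standard library only.
"""
import hashlib
import ipaddress
import os
import time
from typing import Optional

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique-local space


def scope(addr: str) -> str:
    """Classify an address the way a site filter policy would."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"        # fe80::/10, never routed off the link
    if a in ULA:
        return "unique-local"      # routable inside the site only
    if a.is_multicast:
        return "multicast"
    if a.is_global:
        return "global"
    return "other"                 # reserved, documentation, etc.


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    # flip the universal/local bit, insert ff:fe in the middle
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")


def mac_from_iid(iid: int) -> Optional[str]:
    """Recover the MAC from an EUI-64 identifier; None if it is not MAC-derived.
    This is exactly what a remote site can do with a non-privacy address."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def temporary_iid() -> int:
    """Random identifier in the spirit of RFC 8981 temporary addresses.
    Rejecting the ff:fe marker is this example's own precaution."""
    while True:
        iid = int.from_bytes(os.urandom(8), "big")
        if iid != 0 and iid.to_bytes(8, "big")[3:5] != b"\xff\xfe":
            return iid


def ula_prefix(mac: str, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 | SHA-1(NTP time || EUI-64)[low 40 bits] -> /48."""
    if ntp_time is None:
        now = time.time()
        secs = int(now) + 2208988800            # NTP epoch is 1900-01-01
        frac = int((now - int(now)) * (1 << 32))
        ntp_time = (secs << 32) | frac
    key = ntp_time.to_bytes(8, "big") + eui64_iid(mac).to_bytes(8, "big")
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def make_address(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier (SLAAC style)."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                    # constructed MAC for the demo
    site = ula_prefix(mac)                       # one /48 for the whole site
    lan = next(site.subnets(new_prefix=64))      # first /64 for one segment
    stable = make_address(lan, eui64_iid(mac))
    temp = make_address(lan, temporary_iid())
    print("site ULA /48 :", site, scope(str(site.network_address)))
    print("stable addr  :", stable, "-> MAC", mac_from_iid(int(stable) & ((1 << 64) - 1)))
    print("temporary    :", temp, "-> MAC", mac_from_iid(int(temp) & ((1 << 64) - 1)))
```

Running it prints a site-local /48 that never needs global space, then two addresses in the same /64: the EUI-64 one hands the MAC straight back to anyone who sees the address, the temporary one does not, which is the whole point of privacy addressing.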
Unless your ISP allocates a public IPv6 range for all your devices you will have to use NATing and private addresses anyway.
The Minimum Allocation Unit for IPv6 is a /64 - meaning each of us gets at least 1.8x10^19 addresses. And yes there are plenty of allocation units - 1.8x10^19 of them, meaning there are enough MAUs for each of us to have at least 10^9 of them...
The IPv6 address space is *enormous*.
Vic.
Network Address Translation. If you have an IPv6 assigned, the "translation" you will be using is between your "physical" address and the internal "post office"... Instead of NAT, why not look into PAT... 65k+ ports... security by obscurity... If I am trying to "hack" your shit, I would need to be able to FIND your IPv6 first. And THEN I would need to beat on every door (port) until I find one that will respond to my advances...
I would reconsider your view of IPv6. Potentially it contains MORE security. One of the reason it has yet to be rolled out... It's REALLY hard to keep track of shit... (Said the NSA)... :)
Hack-On!
Re: NAT and PAT
One of the advantages of the way NAT and PAT are implemented in many ADSL routers is that the PAT is dynamic, making it very difficult to effect an inbound connection to any system on my network unless an inbound translation rule for that specific system has been explicitly set up. I'm not sure how IPv6 can improve on this out-of-the-box security.
Obviously when dealing with enterprises and datacentres things aren't so simple.
>One of the advantages of the way NAT and PAT are implemented in many ADSL routers is that the PAT is dynamic, making it very difficult to effect an inbound connection to any system on my network unless an inbound translation rule for that specific system has been explicitly set up. I'm not sure how IPv6 can improve on this out-of-the-box security.
Set up the firewall to DROP (or reject) inbound connections. Only allow connections to whatever services you need outside connections for. Done! I suspect IPv6 enabled ADSL routers are already doing this anyway.
And in fact, this is what we should be doing in the IPv4 world anyway. NAT was a quick hack-fix because of IPv4's issues concerning private networks and the upcoming IPv4 scarcity.
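The policy the replies above keep describing (drop unsolicited inbound, let a stateful table admit replies to connections opened from inside, expose only chosen services, and never block the ICMPv6 that IPv6 depends on) is what `ct state established,related accept` plus a default drop does on a real router. The model below is an added example, not code from the page or any commenter, and it is a simulation: a tiny connection-tracking filter run over constructed packets in the documentation prefix 2001:db8::/32. The ICMPv6 allow-list is the set RFC 4890 says must pass (errors 1 to 4, echo 128/129, neighbour and router discovery 133 to 137); the addresses, ports and the `22`/`443`/`139` choices are constructed for the demo.

```python
"""Toy stateful IPv6 packet filter, modelling the 'drop new inbound, allow
replies, allow essential ICMPv6' policy. Added example, not from the page."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# ICMPv6 types that must be allowed or IPv6 stops working (RFC 4890 section 4.3):
ICMP6_ESSENTIAL = {
    1, 2, 3, 4,                # unreachable, packet too big (PMTUD), time exceeded, param problem
    128, 129,                  # echo request / reply
    133, 134, 135, 136, 137,   # router/neighbour solicitation, advertisement, redirect
}


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = from the Internet, "out" = from the LAN
    proto: str            # "tcp", "udp" or "icmp6"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: int = 0    # only meaningful for icmp6


class StatefulFilter:
    """Flows opened from inside are remembered; inbound is accepted only as a
    reply to one of them, or to an explicitly exposed (address, port) service."""

    def __init__(self, exposed: Set[Tuple[str, int]]):
        self.exposed = exposed
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.proto == "icmp6":
            # allowed regardless of direction, but only the essential types
            return "accept" if p.icmp_type in ICMP6_ESSENTIAL else "drop"
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        # inbound: is this the reverse of a flow we started? (ct state established)
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"
        if (p.dst, p.dport) in self.exposed:
            return "accept"           # the one "inbound translation rule" you set up on purpose
        return "drop"                 # everything else: the NAT-equivalent silence


# Constructed traffic. Inside host ::10, exposed web server ::53, outside hosts in 2001:db8:ffff::/48.
SAMPLE_PACKETS: List[Packet] = [
    Packet("out", "tcp", "2001:db8:1::10", 40000, "2001:db8:ffff::1", 443),   # we open HTTPS
    Packet("in",  "tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 40000),   # server replies
    Packet("in",  "tcp", "2001:db8:ffff::9", 55555, "2001:db8:1::10", 22),    # unsolicited SSH scan
    Packet("in",  "tcp", "2001:db8:ffff::9", 55556, "2001:db8:1::53", 443),   # exposed service
    Packet("in",  "icmp6", "2001:db8:ffff::2", 0, "2001:db8:1::10", 0, 2),    # packet too big
    Packet("in",  "icmp6", "2001:db8:ffff::9", 0, "2001:db8:1::10", 0, 128),  # ping, allowed
    Packet("in",  "icmp6", "2001:db8:ffff::9", 0, "2001:db8:1::10", 0, 139),  # node info query, dropped
]


def run(packets: List[Packet], exposed: Set[Tuple[str, int]]) -> List[str]:
    """Apply the policy in order and return one verdict per packet."""
    f = StatefulFilter(exposed)
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS, {("2001:db8:1::53", 443)})):
        print(f"{v:6} {p.direction:3} {p.proto:5} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              + (f" type {p.icmp_type}" if p.proto == "icmp6" else ""))
```

The third packet is the "barbarian at the gates" case argued over below: it is dropped not because the address is hidden but because nothing inside asked for it, which is all NAT was ever doing for you. The last two lines show why a blanket ICMPv6 block is wrong: packet-too-big is what makes path MTU discovery work, while a node-information query has no business arriving from outside.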
"The idea of my network hosts being publicly addressable seems like a bad idea to me."
Then set up the filters of your site ingress and egress routers to DROP any datagrams addressed to the IPv6 nodes you want to keep on your private network. That is what happens for the 192/24, 172/16 and 10/8 addresses right now.
Also, just because you use NAT, does not mean your "internal" nodes are any safer!
>Also, just because you use NAT, does not mean your "internal" nodes are any safer!
Well it does. It's hard to attack a target if you don't know its IP address and even if you did know its IP address it's not reachable. Put it this way I'm happy to tell you that my laptop's IP address is 192.168.1.13 because there's nothing whatsoever you can do with that information. There is no way you can launch an attack against my laptop based on that knowledge.
But telling you its public IPv6 address (if it had one) gives you something to target. It gives you something to track.
Now sure you can determine my public IP address by looking at the packets I send you and that gives you an address to target. But that's my router. You still can't launch an attack against my laptop because unsolicited packets sent to my public IP address are just ignored. You could try to take control of the router but that's no more likely with an IPv4 NAT setup than an IPv6 setup. Probably less likely due to IPv4-only routers being older and simpler so fewer attack vectors.
So the only other option is to monkey with packets coming back as the result of requests my laptop makes. Now sure that's a risk factor without a firewall but still - NAT has eliminated the brute force 'barbarian at the gates' attack. It has made things safer. A firewall would do even more good but NAT is better than nothing. A lot better than nothing in fact.
>It's hard to attack a target if you don't know its IP address and even if you did know its IP address it's not reachable. Put it this way I'm happy to tell you that my laptop's IP address is 192.168.1.13 because there's nothing whatsoever you can do with that information.
That's true, but whenever your machines head out on the public Internet then they're exposing themselves to naughties without said naughties ever having to go and pro-actively seek them out. THAT'S the much more likely attack vector, not random incoming scans for vulnerable boxes.
>That's true, but whenever your machines head out on the public Internet then they're exposing themselves to naughties without said naughties ever having to go and pro-actively seek them out. THAT'S the much more likely attack vector, not random incoming scans for vulnerable boxes.
Probably, although there's still a lot of port scanning going on so someone is still engaging in random attacks. But I'm not trying to suggest that NAT means you don't need a firewall. I'm just disagreeing with those who say that NAT doesn't make you safer.
In the absence of a firewall, a machine connected via NAT (assuming that implies PAT which it probably always does) is safer than a machine that has a public IP address.
I would wonder, actually, how good the firewall is in your typical router. I've seen commercial routers that can reject packets based on protocol. One caused me grief a few years ago when it rejected Usenet messages that were too large and others that didn't have a valid email address for the poster. Presumably you can get ones with an AV capability these days. But a typical home router - what exactly is that doing other than PAT? I have a feeling they won't do much to protect you from a man in the middle attack or evil server.
started my first Hurricane Electric 6in4 tunnel yesterday. was a piece of cake.
the only slight roadblock was when i slavishly followed the instructions to simply put the configuration info into one of my computers. it ended up making much more sense to put the 6in4 tunnel config into my router and then turn off my one windows machine's teredo tunnel. that's probably what i get for not really reading in detail but i'd rather learn by playing anyway.
also: did you know that facebook is going pure ipv6 internally? checkit: http://www.internetsociety.org/deploy360/blog/2014/03/facebooks-extremely-impressive-internal-use-of-ipv6/
that's certainly one way to filter out martian packets even if your firewall is rumbled ... when they're in the wrong friggin' IP version. crazy, but I love it :)
If they haven't: forewarn customers that IP4 addresses will become scarce and priced much higher than IP6, started increasing IP4 prices, provided a countdown of addresses for each locale to forewarn people, or shouted where the migration resources are.
I deliberately bought an IP6 compliant SDSL router over a year ago, with a separate IP6 configuration suite including IP6 firewall, because I knew that the countdown to IP4 would become saturated soon. I think I'll get familiar with it, and test enabling IP6 WAN to see if my ISP provides native IP6 access yet, and get security, routing, and other mapping set-up.
other things to consider:
* i think gandi.net and mythic beasts give you a discount if you specify an ipv6-only VPS. gandi.net says "approximately 17%" for that discount last i heard.
* NAT is all fun and games until you get served a v4 IP address that got blacklisted by some other idiot who had it before you - or you're surfing at work and some other idiot who works for your ginormous corporation got your company's public v4 IP blacklisted from, for example, freenode. not that i'd know about that or anything.
Azure is dependent upon IPv4 addresses for external facing, because you cannot talk to IPv4 parts of the internet with only an IPv6 address and, sadly, that's still the vast majority of it. Until people start to take the IPv4 problem seriously, this is going to be increasingly common (as is getting stuck behind double-NAT'd ISP addresses, with all the headaches that causes)
>Azure is dependent upon IPv4 addresses for external facing
Bad thought! This is Microsoft we are talking about who are known to do strange things, one of the few that could force IPv6 usage - eg. ship Windows 8.2 with only an IPv6 stack... But given that Google are getting into infrastructure they may get there first.
Remember the problem isn't so much with the number of servers but the number of end user systems/clients.
"that doesn't mean you lose the legal protections that come with having your server on US soil"
This would be hilarious if it wasn't so sad that most people reading it will believe it makes a real difference. I have no idea about Brazil, but US data protect laws are a joke.
I thought Latin America and hence Brazil had run out of IPV4 addresses or did Microsoft just grab the last ?
From an earlier register article
http://www.theregister.co.uk/2014/06/11/ipv4_addresses_depleted_in_latin_america_and_the_caribbean/
Dave