Nope. It's going to take a much more user friendly IPV7 before anyone makes any serious moves.
Global IPv4 address drought: Seriously, we're done now. We're done
You may have heard this before, but we are really, really running out of public IPv4 addresses. This week, the regional internet registry responsible for Latin America and the Caribbean, LACNIC, announced it has moved to "phase 3" of its plan to dispense with the remaining network addresses, meaning that only companies that …
COMMENTS
-
Thursday 16th February 2017 09:23 GMT Anonymous Coward
"Canute. What a loser. Can't even hold back the sea. It's just water. We're going to be so tough on the sea. Canute was too soft. Sad."
Donaeld The Unready - pretty off-topic but worth sharing :)
Oh, and also completely missed the point Cnut was supposedly making, it is Donaeld the Unready, after all ..
-
Thursday 16th February 2017 10:22 GMT Jason Bloomberg
Actually IPv5 would have done it; just add an extra octet.
Okay; it's a bit more complicated than that but I think everyone would have understood it, got behind it, and embraced it more readily than IPv6.
They could have extended the first octet to be 16-bit and most people would have hardly noticed any change, just discovered 256.x.x.x to 65535.x.x.x had sprung into existence. Yes, things would have had to change to support that, but probably not half as much as they have had to in adding IPv6 support.
And maybe they could have added a trailing octet or two, used that like a TCP/IP port to specify a local device on the LAN if included, with a 0 default if not.
It's not perfect, but I would expect everyone who understands IPv4 reading this can understand the proposal while I suspect most haven't a clue when it comes to IPv6. The problem with IPv6 is it attempts to do more than just solve the shortage of IPv4 addresses; KISS.
-
Thursday 16th February 2017 10:48 GMT find users who cut cat tail
Everyone would have understood it but since it would break everything anyway, the implementation would progress only slightly faster. Low-level networking code would definitely not need to change as much, but higher level stuff would need to change pretty much the same: there the main burden stems from having to support two different address types at all.
And finally, most people whining here about IPv6 would whine here about such a solution equally loudly and call it a stupid half-measure. I welcome your downvotes, bloody hypocrites.
-
Thursday 16th February 2017 14:46 GMT I am the liquor
It's true that the effort to implement IPv4+1 or IPv4+2 would be of a similar order to implementing IPv6. But the problem with IPv6 isn't how long it takes to write the code for it. It's the fact that no-one wants to use it.
Maybe someone could write up an RFC for IPv4+2 and we all just start implementing it in our open source projects, and see how long it takes to overtake IPv6.
-
Thursday 16th February 2017 22:16 GMT Anonymous Coward
> It's true that the effort to implement IPv4+1 or IPv4+2 would be of a similar order to implementing IPv6. But the problem with IPv6 isn't how long it takes to write the code for it. It's the fact that no-one wants to use it.
The problem is that people want to talk to the Internet, and the vast majority of the Internet isn't reachable via IPv6.
So you are forced to have IPv4.
But if you have IPv4, you no longer need IPv6.
-
Thursday 16th February 2017 10:53 GMT Warm Braw
Actually IPv5 would have done it; just add an extra octet.
I'm afraid that once you change the length of an address it doesn't really matter if you change it by "just a little bit". The TCP/IP networking API requires a raw address when making a connection so any change in address format is an API change with all that stems therefrom.
It also means that old hardware/software that isn't upgraded will never be able to communicate with new systems that have only new-format addresses.
I have been skeptical about IPv6 for (literally) decades now, but the issues of migration have nothing intrinsically to do with the number of octets in an IPv6 address. Indeed I'd say it was the continual rethinking and tweaking of IPv6 by people who thought they had a slightly better idea that has just kept the can being kicked down the road.
-
Thursday 16th February 2017 11:46 GMT Peter2
I'd have had IP6 as just IPv4 with an extra two octets for an increase in the network space to
IPv4+2 = 272,781,427,081,216 addresses. This is up from IPv4's address space:-
IPv4 = 4,162,314,256 addresses.
Moving from 4 billion addresses plus change to two hundred seventy-two trillion, seven hundred eighty-one billion plus change addresses would convincingly solve the space problems as you could increase the size of the world population by a factor of a hundred and give every one of those people a hundred addresses and still have some 231 trillion addresses spare. The only realistic way you'd end up using that lot is individually assigning addresses to nanobots.
Everybody carries their existing IPv4 knowledge across. There's no opposition from entire generations of admins as the changes are almost cosmetic.
But no, that would be too simple. Let's give everybody an unrequested and unwanted nightmare requiring retraining entire legions of people who weren't ever actually trained in IPv4 but who have learnt it over the last forty odd years on the job. These same people are expected to push through IPv6 purchase requests for absurdly over expensive firewalls and ancillary equipment against incredibly bitter opposition from finance and management precisely to obsolete their skillsets for absolutely no gain to them.
Yet for some reason people act surprised that the IPv6 rollout is moving at the speed of a kneecapped sloth. I'm not, personally.
-
Thursday 16th February 2017 12:37 GMT Charles 9
Part of the problem is routing. Having 128 bits to work with instead of 48 allows you to provide more than enough bits for physical routing to match up and seriously simplify your routing tables, which was one big concern as IPv4 started getting crowded and the routing got all messed up. Now two 90. addresses didn't necessarily go to the same geographic region, for example. This is important as routing tables started getting SO big that stuff started breaking.
-
Thursday 16th February 2017 14:35 GMT Anonymous Coward
What would have been nice would be if the v6 header had been designed such that an IPv4 router which got an IPv6 packet could at least have processed it enough to route it to some catchall proxy system. That could have been based on some IPv4-alike address fragment, perhaps by making IPv6 addresses out of a fixed IPv4 part + a v6 extension. Such a catchall system would have a dual-stack that could then fully process the IPv6 address. In that way IPv6 systems that found themselves connected through v4 networks could still communicate, albeit inefficiently via a proxy. Instead we need tunnels, special configs, etc.
-
Thursday 16th February 2017 15:28 GMT Steve the Cynic
"What would have been nice would be if the v6 header had been designed such that an IPv4 router which got an IPv6 packet could at least have processed it enough to route it to some catchall proxy system."
Well, actually, it was designed in such a way. Maybe not by intent, but...
The first four bits of an IP packet are the version number. Most IPv4 packets begin with an ASCII capital E, hex 45, meaning IPv4, header has 5*4=20 octets. ALL IPv6 packets begin with hex 6X (X=0-F).
So you could design your router to forward all IP packets that begin 6X to a specific machine. Or Teredo them, or something.
And IPv6 uses a different ethertype to help avoid version compatibility issues.
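The version-nibble check described in the comment above, written out as an added example (my code, not the commenter's): it reads the first byte of a raw IP packet, cross-checks it against the Ethernet ethertype, and returns the action a v4-only box could take. The packets and frames are constructed inline; the "hand to dual-stack proxy" action is the hypothetical catchall from the thread, not a real router feature.

```python
import struct

# Ethertype values carried in the Ethernet II header (real constants).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def ip_version(packet: bytes) -> tuple:
    """Read the version nibble of a raw IP packet.

    Returns (version, base_header_length). An IPv4 packet's first byte is
    0x4N, where N is the IHL in 32-bit words (0x45 -> 20-byte header, the
    ASCII 'E' mentioned in the comment). Every IPv6 packet starts 0x6N and
    has a fixed 40-byte base header.
    """
    if len(packet) < 1:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        ihl_words = packet[0] & 0x0F
        if ihl_words < 5:
            raise ValueError("IPv4 IHL below the minimum of 5 words")
        return 4, ihl_words * 4
    if version == 6:
        return 6, 40
    raise ValueError(f"unsupported IP version nibble {version}")


def forwarding_decision(frame: bytes) -> dict:
    """Inspect an Ethernet II frame and decide how a v4-only box could treat it.

    The ethertype says which stack the sender intended; the version nibble
    says what the payload actually is. A mismatch between the two is a
    malformed or crafted frame and is worth dropping and logging rather
    than forwarding.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    expected = {ETHERTYPE_IPV4: 4, ETHERTYPE_IPV6: 6}.get(ethertype)
    if expected is None:
        return {"ethertype": ethertype, "action": "not IP, ignore"}
    version, hdr_len = ip_version(payload)
    if version != expected:
        return {
            "ethertype": ethertype,
            "version": version,
            "action": "drop and log: ethertype/version mismatch",
        }
    action = "forward on the IPv4 path" if version == 4 else "hand to dual-stack proxy"
    return {"ethertype": ethertype, "version": version,
            "header_len": hdr_len, "action": action}


# --- constructed sample packets (documentation address ranges) ---

def make_ipv4_packet(src: bytes, dst: bytes) -> bytes:
    # Minimal 20-byte header: version 4, IHL 5, TTL 64, protocol TCP,
    # checksum left at zero because nothing here validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src, dst)


def make_ipv6_packet(src: bytes, dst: bytes) -> bytes:
    # 40-byte base header: version 6 in the top nibble, payload length 0,
    # next header TCP, hop limit 64.
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 6, 64, src, dst)


def ethernet_frame(ethertype: int, payload: bytes) -> bytes:
    # Zeroed MAC addresses are enough for this demonstration.
    return bytes(12) + struct.pack("!H", ethertype) + payload


V4 = make_ipv4_packet(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
V6 = make_ipv6_packet(bytes.fromhex("20010db8004200010000000000000002"),
                      bytes.fromhex("20010db8004200020000000000000001"))

if __name__ == "__main__":
    for name, frame in [("v4", ethernet_frame(ETHERTYPE_IPV4, V4)),
                        ("v6", ethernet_frame(ETHERTYPE_IPV6, V6)),
                        ("v6 under v4 ethertype", ethernet_frame(ETHERTYPE_IPV4, V6))]:
        print(name, forwarding_decision(frame))
```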
-
Thursday 16th February 2017 15:49 GMT Roland6
"to route it to some catchall proxy system."
This is now feasible at a reasonable cost, i.e. due to advances in hardware it would be possible to incorporate this functionality into the DSL/router/firewall box, particularly given that the typical home user probably won't access more than a few thousand different IP addresses in their lifetime.
However, the use of proxy servers and gateways seems to have fallen out of favour.
Also I think people are over reacting, IPv4/v6 Internet access only really becomes an issue when websites turn off IPv4 access and/or ISPs also stop supporting IPv4 and thus people have IPv4 systems that need to talk to an IPv6 world. I suggest we are decades away from an IPv6 only world.
-
Thursday 16th February 2017 19:03 GMT Ken Hagan
"Also I think people are over reacting, IPv4/v6 Internet access only really becomes an issue when websites turn off IPv4 access ..."
For existing web-sites, that may be true. Do you have some reason for believing that we've hit "peak website" and that new sites are going to be a rarity from now on? To me, it seems more likely that at some point in the fairly near future the "next great thing" will just happen to be IPv6 only because that's all the founders could get hold of when they were a start-up.
"...and/or ISPs also stop supporting IPv4..."
New ISPs will face the same problem. (At least, I hope they do. God help us if we have actually hit "peak ISP" and are stuck with the current lot.)
-
Tuesday 21st March 2017 23:30 GMT Alan Brown
"Also I think people are over reacting"
You haven't lived or spent time in parts of the world where the only way you can get any IPv4 is from behind a couple or three layers of NAT because the ISPs only have a dozen they can hand out.
Yes really. It's worse than it sounds. Not only does it break any 2 way connections, the NAT systems are invariably so overloaded that a 2400bps modem would look speedy by comparison.
-
Monday 25th June 2018 14:48 GMT AbeChen
There Might Be A Hope
On the surface, what you said is true. Upon looking deeper, there are hidden possibilities. A few years ago, we accidentally ventured into studying the IPv4 address pool exhaustion challenge, perhaps due to the curiosity from our telephony background. We now have submitted a proposal, called EzIP (phonetic for Easy IPv4) to IETF:
https://tools.ietf.org/html/draft-chen-ati-adaptive-ipv4-address-space-03
EzIP will not only resolve IPv4 address shortage issues, but also largely mitigate cyber security vulnerabilities, plus open up new possibilities for the Internet. These should relieve the urgency to move onto the IPv6. Originally, our efforts were inspired by two regularly updated worldwide statistics:
https://ams-ix.net/technical/statistics/sflow-stats/ether-type
https://stats.labs.apnic.net/ipv6
So, we thought that the initial EzIP targets would be emerging regions and rural areas of developed countries where assignable IPv4 addresses are in short supply. A recent article about the Internet activities provided a surprising new perspective:
https://dyn.com/blog/ipv6-adoption-still-lags-in-federal-agencies/
It concluded that the IPv6 adoption even at US Federal Agencies was moving at "a glacial pace". This seems to imply that the entire market for alternatives to the IPv6 approach, such as the EzIP, is now open. The general public should be equally informed of this kind of choice, instead of being led by the existing industrial interests that have been in deployment for nearly a decade. A current article on this website reported the debates between ITU-T of UN and IETF:
https://www.theregister.co.uk/2018/05/30/internet_engineers_united_nations_ipv6/
The ITU-T consisting of governments of states representing the citizens / subscribers has no need to get involved, if the Internet is robust and without continued "surprises". The current ITU-T participation in the "political fight" is a good sign for the sake of the consuming public's rights.
Feedback and comments would be greatly appreciated.
Abe (2018-06-25 10:48)
-
Sunday 19th August 2018 02:32 GMT AbeChen
IPv4 Address Pool Expanded
Hi, Alan:
Our study now indicates that there is practically no more shortage of IPv4 addresses, let alone going through the trouble to deploy IPv6.
https://tools.ietf.org/html/draft-chen-ati-adaptive-ipv4-address-space-03
Since EzIP can multiply each public IPv4 address by 256M (Million) fold without affecting current equipment, this enables over 75% of nations to serve their respective countries starting from just one IPv4 address that is already assigned to that nation. This is in addition to the current Internet services.
Essentially, the CIR (Country-based Internet Registry) model administrating IPv6 proposed by ITU-T a few years ago can now be stealthily implemented under IPv4, even without forming the sixth RIR at all.
With two styles of operation disciplines and conventions, the consumer will have truly two options to choose from.
Thoughts and comments would be much appreciated.
Abe (2018-08-18 22:30)
-
Thursday 16th February 2017 19:19 GMT Anonymous Coward
So you could design your router
And there's the problem. Any solution which begins with "redesign your IPv4 system" will fail. Any compatible approach needs to work with IPv4 kit as it is now. If you have to change it you might as well replace it with something that talks IPv6, and the problem just comes back.
-
Friday 17th February 2017 01:02 GMT Yes Me
some catchall proxy
Routers aren't the problem, they have supported v6 for years. Dual stack ISP backbones are common; tunnel providers will soon be only a memory. You're worrying about problems that were solved ten years ago. The gap today is hosting providers and the like - theregister.co.uk is a good bad example. https://nir.regmedia.co.uk is IPv6, BTW.
-
Tuesday 21st March 2017 23:27 GMT Alan Brown
"Part of the problem is routing. "
The other part is word length.
IPv4 is 32 bits (unsigned integer). The next logical step is 64 bits and the idea of going to 128bits is to avoid having to do it again before the heat death of the universe.
Bear in mind that IPv4 was a "hacky kludge only intended to last 5 years" until the official Internet Protocol was released. (That turned out to be IPX, which was unroutable, hence keeping IPv4)
-
Thursday 16th February 2017 16:20 GMT AndrewDu
"give every one of those people a hundred addresses and still have some 231 trillion addresses spare."
That's only true if you keep away from structuring those numbers.
As soon as you (e.g.) start incorporating MAC addresses into the IP address (just to pick a completely random example...!) then the number of available addresses starts to shrink rather quickly.
-
Thursday 16th February 2017 17:27 GMT PNGuinn
"The only realistic way ... assigning addresses to nanobots."
"The only realistic way you'd end up using that lot is individually assigning addresses to nanobots."
Would that be the nanobot of things or the Internet of nanobots?
Shirly you'd never have enough address space for both at once (unless we move to IPv9)?
Enquiring minds etc etc ...
-
Thursday 16th February 2017 22:15 GMT Anonymous Coward
> I'd have had IP6 as just IPv4 with an extra two octets for an increase in the network space
Well, that's more or less what you've got.
Since the stupid IPv6 addressing plan says that every LAN segment (subnet) must be a /64, in order for users to be able to create multiple subnets and route between them they need a bigger space (shorter prefix).
At the moment each user gets a single IPv4 address space and NATs behind it; but in future you'll need a /48 (*) IPv6 prefix. The first three bits are fixed, so IPv6 addresses are effectively 45 bits long.
(*) /48 was the original recommendation. People then realised that this would quite likely mean IPv6 exhaustion before the end of the century. So instead you can now give your end users a /56, in which case IPv6 addresses are effectively 53 bits long. But it's still stupid.
-
Saturday 18th February 2017 06:15 GMT David Crowe
Is 2^48 enough?
If there were truly only 4 billion IPv4 addresses, we'd be f***ked already. But in reality the IPv4 address is essentially combined with the port number (16 bits) through NAT. That gives a theoretical limit of 2^48 addresses, which is: 281,474,976,710,656. Not as many as IPv6, but more than enough. Sure, not all of them could be used, because a server with a static IP address might hog the equivalent of 65k addresses. But there are a lot more client devices out there than servers - mobile devices, IoT modules etc. Basically anything that doesn't need a static IP address to be reached will only use a fraction of a single IPv4 address. And the harder it becomes to get an IPv4 address, the more value there is in reorganizing your network and selling off the majority of the addresses you don't need, and the more creative people will become with efficiency of use of IP addresses and port numbers.
-
Friday 17th February 2017 00:56 GMT Yes Me
... just add an extra octet
For the N'th time, that simply doesn't work.
IPv4 has no provision for any form whatever of address extension. Adding an extra byte, or an extra bit for that matter, will fail on every single IPv4-only computer, router, etc. There is, mathematically, logically, no way round a new version that is necessarily incompatible on the wire. That's why the *only physically possible solution* is a new packet format. That has a lot of implications, most of which are independent of the design details.
IPv6 just works, these days, as far as domestic, cell phone, or small offices are concerned. Yes, there's work to do for larger enterprise networks, hosting providers, and ISPs. No way out of that, but it's part of the price of doing business these days, or should be.
-
Sunday 19th February 2017 08:53 GMT Blotto
Bit Boundaries
@Jason Bloomberg
You can't just add an octet; IPv4 addressing lies at a 32 bit boundary, for 16 bit computers it was just 2 cycles, for 64 bit it's half. You want the addressing scheme to be relatable to a CPU bit boundary for efficient processing.
Nothing wrong with IPv6 addressing, it's the protocol implementation and designed characteristics that are iffy. The design goals just don't fit with our current requirements. IPv4 didn't either and extensions were added, like NAT & PAT, to make it work better; IPv6 deliberately set out to prevent NAT & PAT, instead of building upon it and letting natural selection take care of it.
-
Thursday 16th February 2017 16:31 GMT Stevie
Re:It's the Esperanto of the Interwebs!
If only ...
Esperanto actually makes life simpler.
But you have to overcome a century of FUD (large amounts of it French in origin for reasons having to do with Charlemagne and the diplomatic service) to discover that. Stalin was reportedly terrified of it. A language that could be picked up to fluency in a matter of weeks? Ban this filth now!
If IPV6 had had the same basic blueprint it would probably have a decent user base by now - like Esperanto, which the last time I looked was one of the 200 most spoken languages in the world. I'd bet more people are on X25 than IPV6 today (said grinning).
Certainly the story of Esperanto versus Volapuk in the early 1900s is the sort of story the IPV6 architects wish they could claim with respect to IPV4.
Nope, I'm not an active Esperantist. I see the point, can speak a few measly words, but I have no real interest. It's much easier to just speak English loudly and slowly.
And I'm not using IPV6 either. I'm waiting for IPXP.
-
Thursday 16th February 2017 00:06 GMT dajames
Re: IPv6 usage soaring?
1 in 6 is a bit low considering how many users are on large ISPs which have enabled ipv6 like Sky and BT.
I wonder how many users of the ISPs like BT that have now finally started supporting IPv6 are still using routers and other networking equipment that can only handle IPv4?
It's only very recently that IPv6 support has become anything but hard to find in domestic/SOHO networking hardware, and there is a lot of kit out there that is too old to have it.
-
Thursday 16th February 2017 05:02 GMT streaky
Re: IPv6 usage soaring?
It's only very recently that IPv6 support has become anything but hard to find in domestic/SOHO networking hardware
Nonsense, it's been in there for decades they've just been going out of their way to turn it off. We used to have an ancient hub for adsl in our old apartment that was owned by our company which had been there for years, had full IPv6 support, looked reasonably competent - it was all turned off and you literally couldn't pay BT to enable it. At the latest it was a 2005 model. Latest.
Meanwhile we're on hyperoptic right now, all their gear was probably bought when at least Europe had run out of IPv4 addresses - IPv6 had been a thing in production for years at that stage - and they just inappropriately enabled CGNAT on probably the most competent inet service the country had (emphasis on the *had*) and they keep saying IPv6 "soon". There's no hardware or software issues in play they're just too moronic to enable RAs and call it job done.
That all the consumer ISPs are minimally competent when it comes to literally any degree of networking technology is the real issue here.
-
Thursday 16th February 2017 08:47 GMT Anonymous Coward
"it's been in there for decades they've just been going out of their way to turn it off"
No, actually most SOHO devices sold in the past years, especially the cheaper ones, have no IPv6 support - their software was often built without - especially when the underlying OS didn't support IPv6. Another issue is the IPv6 support of any device behind the router.
-
Thursday 16th February 2017 19:18 GMT Ken Hagan
Re: IPv6 usage soaring?
"Nonsense, it's been in there for decades they've just been going out of their way to turn it off."
By "going out of their way" I assume you are referring to the common practice of rolling their own build of Linux rather than simply ensuring that suitable drivers are pushed upstream each time they use a new piece of hardware. If they did that, they could all be running one of the maintained and fully-featured distros listed here: https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions.
But no. Apparently it is "better" to roll your own, so that the crap support can be used to "tempt" users into buying another router each time they want a software change. Imagine if Patch Tuesday didn't exist and everyone was supposed to fix zero-day holes in Windows by buying a new machine.
Actually, no. Don't give them ideas.
-
Friday 17th February 2017 06:00 GMT streaky
Re: IPv6 usage soaring?
6 thumbs down - everything I said was 100% true. I didn't know the Trump white house team were such avid readers of the register.
By "going out of their way" I assume you are referring to the common practice of rolling their own build of Linux rather than simply ensuring that suitable drivers are pushed upstream each time they use a new piece of hardware
No I mean that the routers fully support it.
-
Friday 17th February 2017 14:37 GMT Peter2
Re: IPv6 usage soaring?
For the N'th time, that simply doesn't work.
IPv4 has no provision for any form whatever of address extension. Adding an extra byte, or an extra bit for that matter, will fail on every single IPv4-only computer, router, etc. There is, mathematically, logically, no way round a new version that is necessarily incompatible on the wire. That's why the *only physically possible solution* is a new packet format. That has a lot of implications, most of which are independent of the design details.
And for the N'th time, we know that. We also know that:-
1) Nobody besides a handful of academics actually *wants* IPv6 for any other reason than "we've run out of IPv4 addresses" and will only grudgingly deploy it then. This is why the IPv6 deployment is moving so slowly.
2) IPv4 +2 would (while requiring the same implementation changes as with IPv6) actually get done because people could:-
A) Carry over 40 odd years of knowledge on IPv4.
B) Avoid having to relearn network fundamentals from scratch.
C) Avoid the need to learn how to frustrate the "information wants to be free!!!!" design goals of IPv6, making all PCs addressable on the internet, as if you work for a business then you'll probably consider this to be an unwarranted disaster creating security holes that then have to be fixed with additional hardware, firewalls, training, threat awareness and general hassle that nobody has ever asked for or wanted other than a handful of script kiddies.
While the changes are technically speaking of a similar magnitude to do the coding for IPv4+2 to IPv6 the actual IPv4+2 deployment can be done trivially as soon as the coding is done as people want it *because* it requires no retraining or conceptual changes to how anything works.
This avoids insane retraining costs and any reason for user opposition.
-
Thursday 16th February 2017 00:11 GMT Phil Endecott
Re: IPv6 usage soaring?
> ISPs which have enabled ipv6 like Sky and BT.
Well, BT have recently enabled it for users who have their newest router. Mine is 5 years old, and is unlikely to be replaced any time soon; it says: "IPv6 will be disabled on your BT Home Hub and BT Broadband Network until supported by future services"
-
Thursday 16th February 2017 09:47 GMT John Miles 1
Re: IPv6 usage soaring?
IPv6 may have taken ages to start, but for the last three years usage has been roughly doubling each year.
At that rate, another two years gives 4 x 16% = 64% ipv6.
As with any new protocol usage grows slowly initially, then a period of rapid take-up as more clients and servers adopt it followed by a leveling off as it approaches 100% with a few 'hold-outs' and non-compatible systems (the classic S-shaped 'sigmoid' curve).
But on this basis ipv6 may well cross the 50% level in a couple of years or less.
-
Thursday 16th February 2017 10:23 GMT Anonymous Coward
Re: IPv6 usage soaring?
A home user that does nothing special will be running it without knowing or caring.
I explicitly turned it off - I discovered that most privacy measures are focused on IPv4, and if you're not careful you can actually end up with a permanent IPv6 address as an ID tag, even behind a router. *Not* good.
-
Thursday 16th February 2017 13:51 GMT AndrueC
Re: IPv6 usage soaring?
considering how many users are on large ISPs which have enabled ipv6 like Sky and BT.
But note that other large ISPs, like the BT subsidiary Plusnet, have not yet enabled IPv6. They ran a trial for a while but their recent network upgrade meant withdrawing the gateways that supported IPv6 so now no-one on Plusnet has IPv6.
Progress - they've heard of it :-/
-
Thursday 16th February 2017 12:08 GMT A K Stiles
Re: IPv6 usage soaring?
Interesting that that Google graph linked to by le.zap has a 7 day cycle on the %age - peaks every Saturday, slight slip to Sunday then a drop off through the rest of the week until the following Saturday...
Suggests there's more IPv6 via home providers than commercial internet connections perhaps?
-
Wednesday 15th February 2017 23:39 GMT Anonymous Coward
How many users actually need a permanent real IPv4 address?
I have had a Demon one for nearly 15 years and have never needed it for unsolicited incoming requests. Unfortunately the non-business user option - to have a NAT in that ISP's network instead - was discontinued a few years ago.
It appears that even traditionally peer-to-peer client services are now tending to be distributed via a call to a central server.
Web hosting seems able to multiplex on a few IP addresses - and then differentiate by the domain name in the request headers.
-
Thursday 16th February 2017 13:50 GMT Roland6
>Most VPN scripts (especially OpenVPN) really prefer a fixed point to connect:
In my experience the key is the fixed point to connect to. With business SSL VPNs (remote client calling in) all that is and should be important is the domain name of the central system; obviously on top of this you can add certificates, RSA keys etc. to enhance authentication, but there really is no need for fixed IP addresses with SSL VPNs.
With IPsec VPNs, yes, life is different and having fixed public IP addresses is a requirement.
However, I do note that many routers whilst supporting a variety of VPN technologies, do tend to keep things very simple and only allow the explicit usage of IP addresses in their VPN configuration.
-
Wednesday 15th February 2017 23:45 GMT Blotto
IPv6 is fundamentally broken
roll out IPv7 fixing IPv6 and adding greater privacy guards including NAT, and other useful features that will enable many addresses to easily hide behind a single or small group of addresses without the remote party being able to track individuals across connections
-
Thursday 16th February 2017 03:51 GMT Anonymous Coward
Re: IPv6 is fundamentally broken
Yeah. Haha. That would be funny if it weren't so true. NAT is cool and serves a wonderful purpose for those of us with fleets of computers that just need to get to websites to yack on Facebook or watch Youtube. We don't want outside stuff able to get to those computers because there's no need, and NAT fits that bill simply and easily. So figure out a NAT process for IP6 and maybe, just maybe, you'll see more of us hold-outs start moving over. And if you could find a way to restrict IP6 addresses to like 6 octets ( I mean, hell, 4 octets have lasted a long, long time, so imagine if we had 65,535 more of our current Internets...), then we'd all move over, I'm pretty sure. But that would probably mean it's actually IP7 or 8 and all of the IP6 evangelists have been stoned to death because if there's one thing us IP4 holdouts know about you smug IP6 bastards, it's that you will NEVER, EVER ADMIT THERE IS A BETTER WAY or that IP6 is anything less than perfect and the rest of us poor stupid sods are just too fucking stupid to see how wrong we are and that we are IT heretics and Luddites for sticking with something that just fucking works and is simple to comprehend. Not all of us suffer from autism and can calculate IP subnets in our head like Rainman. Some of us are just trying to get our people to Youtube and Facebook and the rest of the Internets with the least amount of fuckery required. And that's what NAT gives us - a simple and comprehensible way to do something that needs doing.
And now I'm off to take my meds.
-
Thursday 16th February 2017 07:51 GMT Nanashi
Re: IPv6 is fundamentally broken
You think NAT blocks connections and provides security, you don't know about DNS and you think that subnetting v4 is easier than v6, and yet you have the nerve to complain about "smug v6 bastards" not listening to you?
Just for starters, compare v6 addresses:
2001:db8:42:1::2
with the pair of addresses you get with NAT in v4:
213.0.113.42+192.168.1.2
The v6 is _shorter_. Why are you complaining about shorter? And once you put them in DNS you end up with "google.com" vs "google.com" and the length doesn't even matter.
This is the reason people aren't listening to you.
-
Thursday 16th February 2017 13:20 GMT Jason Bloomberg
Re: IPv6 is fundamentally broken
2001:db8:42:1::2
But what the fuck does that mean?
Maybe it's just that I'm so familiar with IPv4 that it has become easily understandable over many years, or perhaps IPv4 is simply so simple that I have even been able to explain it to non-techie friends.
I haven't had the time to investigate IPv6 nor the inclination. With a bit of luck I'll be out of the game before I have to. I suspect I'm not alone in that hope.
-
Thursday 16th February 2017 14:02 GMT sean.fr
Re: IPv6 is fundamentally broken
The basic problem is an INTER network problem so it is logical to between the networks and leave the networks untouched. An ISP problem, not a user problem.
Apps on internal devices do not send IP addresses, they send to names.
They expect the IP stack to resolve the name to an IP address and a MAC.
They do not care if you are really using ATM or NetBIOS or MPLS so long as the IP stack is happy.
If your ISP can couple your ISP's DNS to IPv6-IPv4 NAT, THEY can allocate a temporary IPv4 address to the IPv6 address and sort it out with NAT at the ISP. It would be invisible to us. That would allow us to keep the investment in apps, knowhow and hardware. The crappy bit can be regrouped into a DNS/Firewall application (1U 19inch rack box) if you do not want the ISP to do it. But they already provide DNS, and are running BGP4 routing, plus a lot of stuff not really in my best interests like logging every url I use for the government, blocking sites banned by the government, throttling if I use SSH in Iran.
-
Thursday 23rd February 2017 06:48 GMT Charles 9
Re: IPv6 is fundamentally broken
"Apps on internal devices do not send IP addresses, they send to names."
Actually, ALL IP devices send to numbers. They MUST, as that's all the protocol recognizes. Names get sent to resolvers which return numbers for the app or device to use. But they can still break.
-
-
Thursday 16th February 2017 19:52 GMT Ken Hagan
Re: IPv6 is fundamentally broken
"2001:db8:42:1::2
But what the fuck does that mean?"
You seriously expect an IP address to mean something? Odd. But let's have a go anyway...
The 2001:db8 means this is a unicast address with global scope. The equivalent in IPv4-speak is "not in the 224.x.x.x/4 block, and not in 10.x.x.x/8, 172.20.x.x/12, 192.168.x.x/16 or 169.254.x.x/16 either".
The 42:1 is your network. Short, isn't it? Lucky you. Mine is a few characters longer, but to be honest I can't remember it because there is this thing called DNS so I don't have to. For a SOHO user, the 42:1 is the moral equivalent of the external IP address of your NAT. It is the bit that someone might use to track "you" rather than a particular network adapter that you own.
The ::2 is your address within that network. It's also short and I assume that someone has deliberately engineered that address because they occasionally need to type it directly rather than relying on DNS. For a SOHO user, the ::2 is the moral equivalent of the internal IP address of your NAT.
I occasionally hear objections to IPv6 on the grounds that you can't remember the addresses, but the only bit that needs remembering on a machine-by-machine basis is this ::2 bit and the only machines you need to remember are your routers and DNS servers. If you can manage this feat in IPv4 then IPv6 is not going to trouble you. Also, if this had been a multicast prefix, the ::2 suffix would have meant "all routers in this scope", because IPv6 addresses, if anything, are more expressive than the IPv4 ones they replace, so the number of machine addresses you need to remember might actually be fewer in IPv6 than in IPv4.
-
Thursday 16th February 2017 21:43 GMT Ken Hagan
Re: IPv6 is fundamentally broken
"The 2001:db8 means this is a unicast address with global scope."
Actually, if I can jump in before anyone else nit-picks, it's a unicast address with no scope whatsoever because this particular prefix is reserved for documentation (RFC3849). :(
But it's definitely not a multicast address, so I was right in spirit, er...
-
-
-
-
Thursday 16th February 2017 07:53 GMT P. Lee
Re: IPv6 is fundamentally broken
>Haha, check it out guys. This one wants NAT.
Yeah! Let's use a firewall to break the whole connectivity model instead of just blocking access.
There's lots that is hard and probably wrong in IPv6, but not needing NAT ain't part of it. We need to use it and iron out the kinks, not avoid it.
-
Thursday 16th February 2017 08:20 GMT Anonymous Coward
"Let's use a firewall"
The issue with a firewall is it requires network skills to be properly configured. NAT implies a simple "all inbound connections denied" default rule, and can't be turned off fully. I'm quite sure what most lusers would do with their firewall when encountering a connection issue - i.e. some game doesn't work - would be an "allow everything" rule. There are already many stupid "how to" around that shows how to solve such issues crippling security completely.
-
Thursday 16th February 2017 12:00 GMT Aqua Marina
Re: "Let's use a firewall"
"The issue with a firewall is it requires network skills to be properly configured. NAT implies a simple "all inbound connections denied" default rule"
I think the issue is that you have only ever used domestic / SOHO routers that appear to have merged the NAT and firewall functionality together, blinding you to the fact that they are 2 separate functions. You are blindly trusting the manufacturers of these devices to have made this choice for you and that it works in the manner you believe. Here's the eye opener for you: you are wrong. Many of the SOHO / domestic routers look like they work how you believe, but in reality they have fudged the interface to give you that impression. Have a dig down in the advanced settings, there you will see that the default settings are not configured as you believe (sometimes you have to enter the CLI), and that you have to do some tinkering to make your network as secure as you think it is now.
TLDR: SOHO / domestic router manufacturers have lulled you into a false sense of security by hiding technical stuff.
-
Thursday 16th February 2017 12:38 GMT Dwarf
Re: "Let's use a firewall"
All firewalls allow you to configure "any outbound" rules; similarly, all firewalls by default will block everything that is not listed in the rules base. That's the key difference between a router and a firewall.
Did you notice that I didn't mention NAT, IPv4 or IPv6 in the above - as it's the same thing for v4 or v6 and is completely different to NAT. NAT is not a security technology.
Perhaps those saying it won't work will actually take a look and realise that they were misinformed.
-
Thursday 16th February 2017 13:36 GMT Anonymous Coward
Re: "Let's use a firewall"
"all firewalls by default will block everything...."
And there we go again assuming that all firewalls are identical and with the same default settings.
Can I just re-iterate that "default" in computer terms does not mean, "normal" or "correctly". It means either "in a state of error" or "requiring configuration". By using default settings, you are not configuring the device with the appropriate settings for the task at hand. At best you are going along with what someone else thought worked well with their configuration, and at worst you are going along with random entries that made it into the firmware image. It frustrates me when someone calls me for support stating "but it's using default settings, it should work". Default means "error" not "correct"!!!
-
Thursday 16th February 2017 13:51 GMT Dwarf
Re: "Let's use a firewall"
A router connects networks together and gets traffic from A to B, it does not filter data.
A firewall is a router that starts by restricting everything and you tell it what to pass. It takes its name from the material used to prevent fire getting from one place to another (i.e. another blocking technology)
So, I'm 100% certain that the "default" for firewalls is exactly as I stated previously.
The source of some of the confusion is that in the home environment, people call their box that connects to the Internet a router, when it's actually multiple devices - a router, a firewall, a wireless access point, a printer sharing location, a mini-NAS, etc. In any other environment, nobody would consider mixing multiple roles onto a firewall as it makes it less secure.
-
Thursday 16th February 2017 14:13 GMT Anonymous Coward
Re: "Let's use a firewall"
"A firewall is a router that starts by restricting everything and you tell it what to pass"
A firewall that has had the final rule set to "deny all" works in this way. I've come across many enterprise routers where this setting has to be configured out of the box. You're confusing best practice with "all routers work this way". A firewall is a unit that allows traffic to pass back and forth, that can have rules applied to that traffic. Assuming that someone else has pre-configured best practice is asking for trouble. In 20 years probably 50% of the firewalls I've worked with have needed the final rule setting to "deny all".
Very helpfully some firewalls come with it pre-configured, but this isn't guaranteed. I have a Zyxel USG firewall here to hand, that out of the box has "default" as its final rule. However I have to go into 2 sub-sections of settings to configure that "default" is "deny all". In its current "allow all" default, the firewall allows all traffic through, only blocking any rules I create with the "deny" tag.
-
Thursday 16th February 2017 14:56 GMT Dwarf
Re: "Let's use a firewall"
I've come across many enterprise routers where this setting has to be configured out of the box. You're confusing best practice with "all routers work this way".
You are still talking about routers, not firewalls. Routers will indeed allow all by default - see my original posting.
You are also confusing the generally invisible default deny rules that firewalls have from those that are put in under good practice so that the organisation can log what was dropped by the rules base. The default rules do not provide logging and are there to ensure that they do not fail open. Any opening is by user rules only. Enterprise firewalls often have hardware offload and the default drop is in hardware, which is another reason why the UI doesn't show it.
Of course it's possible that some vendors will not have implemented industry best practice, but I guess that's also why they are not used in enterprises. It's hard to get sign off on a product that is not evaluated (Common Criteria or FIPS), does not follow recognised industry good practice or have an industry reputation for being robust.
Irrespective of the above, a software configuration for a firewall module or a software configuration for a NAT translation (which is how this thread started) makes little difference, either is configurable and can be configured correctly or incorrectly, this is where skill and things like penetration tests come in.
Correctly configured firewalls are recognised as a security barrier without any NAT in place, this is irrespective of the version of IP protocol flowing through them.
Even in the home markets if a vendor has preconfigured their firewall, generally the consumer trusts that it works as designed, once again the IP version is not relevant to the argument. ISP's are already providing pre-configured IPv6 firewalls with equivalent functionality to drop unsolicited inbound connections.
There is no issue here for home network security.
-
This post has been deleted by its author
-
Thursday 16th February 2017 19:55 GMT Dwarf
Re: "Let's use a firewall"
A +20 year enterprise experienced "better than CCNA" who can't tell the difference between a router and a firewall and hasn't mentioned out-of-band management ports or pinholes from the single firewall management console or single jump host - and you expect me to take you seriously about good practice on firewall setup ??
I agree that making mistakes is part of learning and we all do that after training courses (i.e. in the real world), but this has nothing to do with the original debate about NAT being "better" than firewall rules.
What you have summarised is that firewalls are very effective at performing their role of preventing access between networks - irrespective of the state of any other technologies such as NAT.
IPv4 firewalls are trusted like an old car - people are used to it. IPv6 is no different, it's just a different car that you've not got used to yet. It's still a car and it still transports things, just differently. You can stick a NAT trailer on it if you wish, but why bother, this one is an estate and has a boot !
-
-
-
-
-
Thursday 16th February 2017 14:20 GMT Roland6
Re: "Let's use a firewall"
>"Default means "error" not "correct"!!!"
'Default' for many years, before security became the big issue it now is, was the most permissive settings. Hence why many people installed personal firewalls and wondered why they appeared to not be doing anything... I seem to remember this was one of the issues with early releases of Windows Firewall, as MS didn't want it to break stuff, whereas now I have to explicitly tell a Windows client to enable inbound RDS for example, which will cause the installer to modify relevant Windows Firewall settings.
I also remember debates about the merits of 'Stealth mode' (no response to unsolicited inbound traffic) available on some firewalls; now I expect this setting to be not only provided as standard but enabled out-of-the-box as default. Interestingly, I find some people are still debating the value of outbound firewalling.
I think it was only the "big boys" toys ie. serious network security products, that came with everything shutdown, so just to get them to pass anything you had to explicitly enable/open ports.
-
Thursday 16th February 2017 17:40 GMT Anonymous Coward
"I think it was only [...] serious network security products, that came with everything shutdown"
You're being naive. What vendors fear is that once installed the product could cause issues to the company business, and the customer complains.
Thus, usually, the rule is exactly to allow all. I've seen it in Cisco and Fortinet products. It's up to you to close down what you need, and of course, you should do the opposite - close everything and open only what you need - but that requires a clear understanding of how your network works...
As long as the customer is happy.... "hey, I'm safe because I installed a firewall!!!"
-
-
-
-
Thursday 16th February 2017 19:26 GMT Ken Hagan
Re: "Let's use a firewall"
"The issue with a firewall is it requires network skills to be properly configured. NAT implies a simple "all inbound connections denied" default rule, and can't be turned off fully. I'm quite sure what most lusers would do with their firewall when encountering a connection issue - i.e. some game doesn't work - would be an "allow everything" rule. There are already many stupid "how to" around that shows how to solve such issues crippling security completely."
You appear to be arguing with yourself here. If NAT provides a simple "all inbound connections denied" rule that can't be turned off fully, then you'll be delighted to know that this is equally easily arranged in an IPv6 firewall as well. In fact, if it isn't the default then you need to publish the name of the router vendor so that we can all condemn them for reckless cluelessness and tell all our friends and relatives that they should not touch said vendor with a 20-foot pole.
If, on the other hand, you enjoy the fact that you can punch a hole in your IPv4 NAT whenever a game asks you to then you'll be delighted to know that this is also possible and no more reckless on IPv6 than it would be on IPv4.
-
Thursday 16th February 2017 21:35 GMT Roland6
Re: "Let's use a firewall"
One of the nice things about NAT, as widely used in domestic situations is that it allows routers and other devices to 'know' out-of-the-box and thus assume that any address starting with 10. , 172.16. & 192.168. is private and thus local.
Yes IPv6 has the concept of private address space (anything starting fcxx or fdxx), however its envisaged usage is different to the current usage of IPv4 private address spaces.
As others here have pointed out, for Joe Public users, the kit has to be preconfigured and work out of the box ie. zero configuration required by typical end users. Also users will expect that local network services such as mDNS (aka Bonjour) to also simply work, so for example Airprint enabled printers either work out-of-the-box or simply need Airprint enabling.
This isn't to say that IPv4 and NAT is wonderful, only that IPv6 has to deliver the totality of the current IPv4 network environment user experience.
-
Thursday 16th February 2017 22:22 GMT Nanashi
Re: "Let's use a firewall"
You actually can't assume that 10/8, 172.16/20 and 192.168/16 are local. What if your ISP configures 192.168.254.1 on their end and talks to your network from that? It would be RFC1918 but it wouldn't be local.
Determining what's local is done via either the routing table or the interface. For a router, you declare any traffic coming in on the local interface as local, and anything coming in on the WAN interface as global, regardless of what IP it uses. For end hosts (which only have one interface) you treat it as local if you have an on-link route for the prefix.
So, this stuff will work out of the box just fine in v6. Did you know that Windows does this with its firewall? If you set it to the Home profile, it allows connections from the local LAN but blocks them from other networks, and it does it in v4 and v6 without hardcoding the RFC1918 ranges. (If you set it to Public then it blocks connections from the local subnet too.)
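The "local means on-link or LAN-side, not RFC1918" rule from the post above, as an added example that is not from the thread or any vendor's code. The interface names, prefixes and the "home"/"public" profile names are constructed sample data; the checks work the same for v4 and v6 without a hardcoded private-range list.

```python
import ipaddress

# Constructed sample configuration (not a real device): the on-link prefixes of
# each interface. A home router has a LAN side and a WAN side; an end host has
# a single interface.
ROUTER_IFACES = {
    "lan": ["192.168.1.0/24", "2001:db8:42:1::/64"],
    "wan": ["203.0.113.0/30", "2001:db8:ffff::/64"],
}
HOST_IFACES = {"eth0": ["192.168.1.0/24", "2001:db8:42:1::/64"]}

# Only used to show what a hardcoded check would conclude; is_local never consults it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RFC1918)


def is_on_link(src: str, prefixes) -> bool:
    """True if src falls inside one of the interface's on-link prefixes (v4 or v6)."""
    ip = ipaddress.ip_address(src)
    # 'in' is False across address families, so a v4 source never matches a v6 prefix.
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def is_local(src: str, ingress_iface: str, ifaces: dict, role: str) -> bool:
    """Decide locality the way the post describes.

    role == "router": the ingress interface decides (LAN -> local, WAN -> not),
                      whatever address the packet carries.
    role == "host":   a single interface, so local iff there is an on-link
                      route covering the source address.
    """
    if ingress_iface not in ifaces:
        raise ValueError("unknown interface %r" % ingress_iface)
    if role == "router":
        return ingress_iface == "lan"
    if role == "host":
        return is_on_link(src, ifaces[ingress_iface])
    raise ValueError("role must be 'router' or 'host'")


def firewall_decision(profile: str, src: str, ingress_iface: str, ifaces: dict, role: str) -> str:
    """Unsolicited inbound connection policy per profile, as the post describes
    for Windows: 'home' allows local peers only, 'public' allows nobody."""
    if profile == "public":
        return "drop"
    if profile != "home":
        raise ValueError("unknown profile %r" % profile)
    # Anti-spoofing: a packet arriving on the WAN side that claims a LAN-side
    # source address is dropped regardless of profile.
    if role == "router" and ingress_iface == "wan" and is_on_link(src, ifaces["lan"]):
        return "drop"
    return "allow" if is_local(src, ingress_iface, ifaces, role) else "drop"


if __name__ == "__main__":
    # The ISP-side 192.168.254.1 case from the post: RFC1918, but not local.
    for src, iface in (("192.168.1.20", "lan"), ("192.168.254.1", "wan"),
                       ("2001:db8:42:1::7", "lan"), ("2001:db8:ffff::1", "wan")):
        print("%-18s on %s rfc1918=%-5s local=%-5s home=%s" % (
            src, iface, is_rfc1918(src), is_local(src, iface, ROUTER_IFACES, "router"),
            firewall_decision("home", src, iface, ROUTER_IFACES, "router")))
```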
-
-
-
-
-
-
-
Thursday 16th February 2017 08:49 GMT Charles 9
Re: IPv6 is fundamentally broken
NAT isn't what blocks incoming connections. It's your firewall, and any firewall worth its salt has a DROP or REJECT rule for incoming connections by default. Without the firewall, an ISP (perhaps under pressure) can route directly into your LAN. The firewall doesn't go away with IPv6. Nor does NAT; it's just redone as one-to-one reconfigurable and ephemeral NATs which actually provide better protection by scrambling the visible topology.
-
Thursday 16th February 2017 09:49 GMT Anonymous Coward
Re: IPv6 is fundamentally broken
"NAT isn't what blocks incoming connections."
The NAT could be multiplexing many users' internal IP addresses' connections onto one external IP address's ephemeral TCP ports.
In that case an unsolicited incoming request has no route to a specific user - unless there is a rule to make the association. The rule can either be explicit fixed routing to an internal IP address - or determined from the content of an outgoing connection like FTP.
-
-
-
Thursday 16th February 2017 12:05 GMT Christian Berger
Re: IPv6 is fundamentally broken
a) IPv6 can do NAT just the way IPv4 could... nobody uses it, but I think it's even in the Linux kernel.
b) For browsers and stuff you can use a proxy server
c) If you are using a browser you cannot hide anyway, because your browser and OS will have a fingerprint.
Nobody does tracking via IP addresses as it can change at any moment (particularly with IPv6). What trackers do is to use cookies or your font list and screen resolution. It's a layer 5 problem, not a layer 3 one.
-
Thursday 16th February 2017 12:46 GMT sean.fr
Re: IPv6 is fundamentally broken
In a company, you are more likely to use a company proxy and your OS and browser are talking to the proxy, and the site should only see the proxy, and your IT probably pays a service to keep you away from the more risky sites. You have the option to erase on exit or block cookies. Your font list and screen res are not unique. Not perfect - but not that bad either.
-
-
Wednesday 15th February 2017 23:55 GMT Anonymous Coward
It's all Excel's fault
When planning out a new subnet in IPv4, it's easy to put a few rows in Excel, then select and drag to have the number auto-increment. If Excel added a cell type of IPv6 so that auto-increment respected the IPv6 specific rules then more network designers would implement IPv6 internally and so have more confidence to implement for external facing addresses as well.
I'm only half joking. Maybe free IPv6 planning tools are what we need?
-
-
-
-
-
Sunday 19th February 2017 03:32 GMT Long John Brass
Re: It's all Excel's fault
DMZ machines run both stacks. IPv4 and IPv6, these machines are in a DMZ and can talk to world+dog it also has a connection back to the legacy back-end. On these machines you run a protocol proxy EG Varnish, SMTP relay or whatever. This setup is pretty common for IPv4 only networks.
Back-end only talks IPv4
For outbound traffic you pull the same trick, e.g. Squid transparent proxy. Hmmm, I wonder if there are IPv4 to IPv6 translators.... May make an interesting project. Shouldn't be that hard .... TCP/UDP traffic doesn't know or care about IPv4/IPv6.
The big issue is that most internet providers only offer IPv4 :(
-
Thursday 23rd February 2017 06:56 GMT Charles 9
Re: It's all Excel's fault
Still doesn't address the problem. Target device has a 128-bit IPv6 address. Source can only send 32-bit IPv4 addresses. It's like a native Frenchman trying to talk to a native German. Nothing in common, and you can't relay your way past the language barrier because IPv4 has no room for extensions that the (nonupgradeable) device can comprehend.
-
Friday 24th February 2017 11:16 GMT Kiwi
Re: It's all Excel's fault
"Nothing in common, and you can't relay your way past the language barrier because IPv4 has no room for extensions that the (nonupgradeable) device can comprehend."
If you're using a device on the public internet, you should seriously be considering it to be a problem if it can't upgrade. 1
But I'm pretty sure what you say is doable, as ISPs do seem to be doing it. E.g. there doesn't seem to be any IPv6 here in NZ but I am pretty sure it's in widespread use, just we don't know it.
One way my tired brain is suggesting I could tackle it is effectively a gateway/translator box, eg El Reg's IP6 addy is bun:cha:wei:rd:num:bers which my IP4 only machine cannot see. So gateway simply tells IP4 that El Reg is 192.168.1.44 and lets the IP4 device get data on that IP, while it fetches the data from El Reg's IP6 address. Almost like NAT or proxying in a way. In fact someone even mentioned Squid in a recent post....
1 Yes I know, need to upgrade my own kit. When I have funds.
-
Friday 24th February 2017 20:27 GMT Nanashi
Re: It's all Excel's fault
You'd have to synthesize fake A records to DNS queries and coordinate with a NAT46 instance (so it would be stateful and wouldn't work for v6 literals) but your idea is actually fundamentally possible, unlike so many others that I've seen. It would be useful for dealing with legacy v4-only hardware. I'm not aware of any implementations (TAYGA can do NAT46 but requires static config of each mapping).
It wouldn't be suitable for running at scale though; you wouldn't use it for your whole network, just for any stubbornly v4-only devices that you can't replace for whatever reason. I'm not kidding when I say that deploying v6 on a home network is very easy: over 30 million households in the US have done it, so it really can't be hard (despite what other posters would have you believe). You would just do that, rather than deal with the downsides of translating for every device.
About 8% of NZ users have v6 (deployed right to their end machines), so it sounds like you can get v6 if you want it over there.
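The gateway scheme sketched in the two posts above (synthesize A records for AAAA-only names, remember the mapping, and let a NAT46 step rewrite the destination), as an added toy example that is not from the thread, from TAYGA, or from any shipping product. The zone data, the pool 192.168.250.0/24 and the names are constructed; it also shows the stateful caveat: an address that never passed through the resolver has no mapping.

```python
import ipaddress

# Constructed upstream zone data standing in for what a real resolver would fetch:
# one v6-only name (the "El Reg" case in the post), one dual-stack, one v4-only.
UPSTREAM = {
    "v6only.example.": {"AAAA": ["2001:db8:1::44"]},
    "dual.example.":   {"A": ["203.0.113.10"], "AAAA": ["2001:db8:1::10"]},
    "v4only.example.": {"A": ["203.0.113.20"]},
}


class Dns46:
    """Synthesizes A records for AAAA-only names and keeps the state the NAT46
    half needs to rewrite the destination of the v4 packets that follow."""

    def __init__(self, upstream, pool="192.168.250.0/24", ttl=60):
        self.upstream = upstream
        # Private pool the v4-only client will connect to; it is never routed upstream.
        self.free = list(ipaddress.ip_network(pool).hosts())
        self.ttl = ttl                # keep synthesized answers short-lived
        self.v4_to_v6 = {}
        self.v6_to_v4 = {}

    def resolve_a(self, name):
        """Answer a v4-only client's A query. None = NXDOMAIN, [] = NODATA."""
        rr = self.upstream.get(name)
        if rr is None:
            return None
        if "A" in rr:
            return list(rr["A"])      # dual-stack or v4-only: real A records pass through
        if "AAAA" not in rr:
            return []
        return [self._synthesize(v6) for v6 in rr["AAAA"]]

    def _synthesize(self, v6):
        v6 = ipaddress.IPv6Address(v6).compressed      # canonical key for the table
        if v6 not in self.v6_to_v4:
            if not self.free:
                raise RuntimeError("synthesis pool exhausted")
            v4 = str(self.free.pop(0))
            self.v6_to_v4[v6] = v4
            self.v4_to_v6[v4] = v6
        return self.v6_to_v4[v6]      # same name resolves to the same fake address

    def translate_dst(self, v4_dst):
        """NAT46 half: the real v6 target for an outgoing v4 packet, or None if
        the destination did not come from us (a literal or a real v4 host),
        in which case there is nothing to translate."""
        return self.v4_to_v6.get(v4_dst)

    def release(self, v4):
        """Hand a mapping back to the pool once no sessions use it."""
        v6 = self.v4_to_v6.pop(v4, None)
        if v6 is not None:
            del self.v6_to_v4[v6]
            self.free.append(ipaddress.ip_address(v4))

    def pool_free(self):
        return len(self.free)


def scenario():
    """Walk the v4-only client through lookups and return what it observed."""
    d = Dns46(UPSTREAM)
    out = {}
    out["first"] = d.resolve_a("v6only.example.")
    out["again"] = d.resolve_a("v6only.example.")
    out["dst"] = d.translate_dst(out["first"][0])
    out["dual"] = d.resolve_a("dual.example.")
    out["missing"] = d.resolve_a("missing.example.")
    out["literal"] = d.translate_dst("203.0.113.10")   # never went through DNS
    out["free_after_alloc"] = d.pool_free()
    d.release(out["first"][0])
    out["free_after_release"] = d.pool_free()
    out["dst_after_release"] = d.translate_dst(out["first"][0])
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print("%-20s %s" % (k, v))
```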
-
-
-
-
-
-
-
-
-
-
Thursday 16th February 2017 08:13 GMT Nanashi
You say that as if 40% is a small amount to be using. It's actually a really damn high amount to be using. Because of the way IPs are allocated and used, you want the number of actively-in-use-by-a-machine IPs to be less than a few percent. If you reach that high then you start hitting the need to conserve address space and things start to get annoying and expensive to deal with (which is a particularly silly situation to be in, because we're not dealing with a physically-constrained resource here -- these are just numbers).
It's a bit like fragmentation on your hard disk, where things slow down if you fill the drive, but worse because fragmenting IP allocations is really bad and there's no defragger you can run. And your disk is way too small anyway.
-
-
Thursday 16th February 2017 08:08 GMT Anonymous Coward
And still there are those "legacy" IPv4 blocks...
... that ARIN cannot revoke and crooks are "free" to use, if they can get someone to route them.
Need a /16 block? Follow the instructions here:
https://www.spamhaus.org/news/article/732/network-hijacking-on-the-rise
Of course fighting spammers and other cybercrooks would free IPs as well for legitimate users - yet they will still be stopgap measures.
We'll have to swallow IPv6, and its outdated design. Just, ensure you have a powerful firewall behind your router....
-
-
Thursday 16th February 2017 10:05 GMT Anonymous Coward
Re: And still there are those "legacy" IPv4 blocks...
and the (at least) 12 networks at /8 that are assigned to US DoD, the two /8s of HP, the two of Level 3, the two of AT&T, and the one that seems to belong to the U S Postal Service? etc.
Not a great reason for not moving to IPv6 or something better, if that comes along - but the UK (for example) already has the best part of 2000 IP addresses per person, so even if companies as legal persons have ten each, there will still be a lot left to reallocate to countries less well served. Then we could start saying what about the nearly 5000 / person in the US, and the outrageous 21000 per person in just one city in Italy ;-)
-
-
Thursday 16th February 2017 12:00 GMT jMcPhee
Re: And still there are those "legacy" IPv4 blocks...
Also, there are those who got allocated Class B IPv4 space 20+ years ago... then keep almost all of it behind a firewall and use less than 20% of the addresses.
Maybe if IPv4 owners had to pay a monthly fee for the public resources they are using, they'd be allocated more efficiently.
Why should we have to mess with v6 so IT fails, like intellectual pygmies described above, don't have to learn about private address blocks?
-
-
This post has been deleted by its author
-
Friday 17th February 2017 12:37 GMT tony.dunlop
Re: Y U NO IPV6 BRO
Don't worry it's in the pipeline, as people have said before here, there's often a lot of stuff to do before you can "just" switch on IPv6. In our case mostly around geotracking and logging, but there are also other concerns.
Elreg tech team is just 3 people, but promise it's on the way soon®
-
-
Thursday 16th February 2017 08:44 GMT Lee D
So, when are The Reg publishing their AAAA records?
NEARLY SIX YEARS NOW we've been asking this same question, and you still keep publishing articles about the death of IPv4.
(And NAT will not die. I can convert an ENTIRE network to IPv6 with one address change and IPv6 support from the ISP - I'm only missing the latter EVERYWHERE, but that's beside the point - without touching a single other internal machine. There's no reason to change hundreds of clients and certify compatibility for hundreds of network programs that work just fine on IPv4 and only operate internally - and you can then start on a sensible "build new clients with tested IPv6 support" gradual rollout until full migration if absolutely necessary).
-
Thursday 16th February 2017 09:01 GMT Anonymous Coward
So, how do I go about implementing it?
So, as an IT person familiar with IPv4 networking, where would I start if I wanted to migrate my home to IPv6?
Anyone got any handy primers for a home user using a DrayTek Vigor 130 VDSL Ethernet Modem, Linksys WRT1900ACS router and BT Infinity Broadband?
Of course, not everything on my home network supports IPv6 so I'm gonna need help to integrate these devices somehow too.
-
Thursday 16th February 2017 09:21 GMT Steve the Cynic
Re: So, how do I go about implementing it?
Well, let's see. I'm in northern France (literally: I live in the département du Nord, "nord" == "north"), and I have recently (like, as in, you know, the 23rd of December) had an Orange technician (OK, two technicians, one to push and one to pull) switch me from "up to 20 Mbps" ADSL2+ to "at least 200 Mbps" FTTH.
And the new service, unlike the old, supports IPv6. I have a 2a01:stuff/56 prefix with public IPs on all the machines inside the network as well as IPv4-by-NAPT.
And I have a firewall. Well, a bit more than just a firewall. I have a full-on deep-inspection IPS that supports IPv6. I know it supports IPv6 because I built the core IPv6 support into it. Because it's a work loaner.
And Windows 10 booted up after the installation and its IPv6 support just worked. Wireshark shows IPv6 connections when I go on the Web, and various tools show that my iPhone and iPad get IPv6 addresses from the Livebox. Even my aging Fedora 14 VM works as it should on IPv6.
Advice: hunt down the instructions on the Internet on disabling Windows 10's Teredo service because it is in no way needed when you have real IPv6 support.
-
Thursday 16th February 2017 09:54 GMT Lee D
Re: So, how do I go about implementing it?
Wait for your ISP to tell you they support IPv6 (almost all British ISPs don't).
Then turn on the IPv6 on your main router/gateway if it supports 6-4 and 4-6 NAT.
Done.
Personally, I have a DrayTek Vigor 2860VN+, which is a serious piece of kit for a home router, and it supports all kinds of stuff - at least five different IPv6 IP discovery / tunnelling protocols, for instance. But no IPv6 support from Virgin Media despite years of promises, so unless I want to tunnel all my traffic through yet-another-third-party, I can't do a thing.
-
Thursday 16th February 2017 11:13 GMT wyatt
Re: So, how do I go about implementing it?
Same here, for my work and the wife's business(es). I'm still on VM residential as I've not heard anything good about VM business and fixed IPs; guess one day something may happen but nothing soon. By then BT may have rolled out some smaller green cabinets and I 'may' have switched, doubt there will be IPv6 though!
-
-
Thursday 16th February 2017 11:07 GMT Dwarf
Re: So, how do I go about implementing it?
BT already does IPv6 address allocation and the Draytek supports IPv6 according to their manual, so you should just need to ensure you are running the latest firmware for your router then configure the router for an ISP delegated range. Everything else should just work. Your client will get multiple IPv6 addresses; the Internet routable ones are the ones that don't start with fe80:, which are for link local and device configuration.
You can check if your IPv6 is working by going to IPv6 config checker or even typing "What's my IP address" into Google. It will return a v6 address if one is configured.
For those whose ISPs don't support IPv6 yet - raise a support ticket asking for it or change to an ISP that does.
Alternately, Hurricane Electric (and previously SixXs) do IPv6 tunnel brokers that allow you to get on IPv6 when the ISP is a bit backwards. There are loads of guides out there for different hardware to do this on. I started on a Raspberry Pi before my ISP finally woke up, it was a good way to skill up.
Just remember that only Layer 3 of the OSI 7 layer model changed.
Handy sites:
Ripe's IPv6 primer
Here are some pointers for those who want to learn IPv6.
1. Forget NAT. It's not necessary any more. However, if you really, really want to, there is no difficulty in doing the same thing in IPv6, there is just little point. Don't forget NAT was a bolt-on to the original IPv4 to conserve addresses once the internet started to grow; it broke end-to-end routing.
2. Mostly forget about variable length subnet masks. Masks are generally /64 or more. /64 and /48 are common for home and corporate use. This is partly for automatic client configuration (SLAAC) and to ensure that routing tables remain small - fixing a problem on the Internet today. The 16 bits between /64 and /48 are effectively for subnet use, so you get 64K subnets in your address block. The bits up to /48 are used for the backbone routing and are of interest to ISPs.
3. Forget ARP, it's been replaced with link local IPv6 addresses which start with fe80::0/16
4. Forget the hype about address tracking - user tracking is a problem on IPv4 and the IP address is just one of the things they track on. On IPv6 you can choose to have client addresses generated automatically by SLAAC (which uses the MAC address), you can use DHCPv6 if you wish, or you can generate dynamic privacy extension addresses if you want (see RFC4941).
5. Broadcast traffic has gone, everything is unicast (same as IPv4) or multicast.
6. IPv6 uses ICMP a lot more, so you can't just filter it at your perimeter
7. Security in depth. This shouldn't come as a shock, in 2017 - You need a firewall on ALL devices, not just at the perimeter. The majority of devices shipped in recent years have defaulted to firewalls on due to more sophisticated malware. This does not change for IPv6, however your perimeter firewall rules can generally be simpler.
8. IPv6 fixes a lot of what's broken in IPv4, for example built in features to help identifying the remote endpoint, so that problems such as SPAM can be resolved. There is embedded IPSEC encryption, larger frame sizes. Oh and there are a few more addresses ;-)
9. To type an address into a browser, you need to do it in an RFC2732 format; basically you enclose the address in square brackets, so it looks like this http://[2001:db8::2]:8080/folder/file.html
10. A host will have multiple IPv6 addresses, for example its self-assigned link local address, its old IPv6 address and its new IPv6 address if something allocates a new one (ie privacy extension, DHCP etc). The old one will work for current sessions, but will not be allocated to anything new, it will show in ipconfig /all as (deprecated)
11. Modern DNS servers can provide IPv4 or IPv6 responses, you don't need a V6 DNS to resolve V6 addresses. V6 addresses are AAAA records as opposed to IPv4 A records. Fun fact - A=32 bits in IPv4, AAAA was chosen for IPv6 as 4xA = 128 bits just like an IPv6 address.
12. Reverse addresses are the same as the current in-addr.arpa form, except that each octet of an address is separated out, so just like IPv4 192.168.1.0 gives 1.168.192.in-addr.arpa. For IPv6 2001:2b8::2 converts to
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1h IN PTR host1.example.com. Note that the :: address compression does not apply here (its a simplification for users).
13. A lot of IPv6 is automatic, for example location of routers, client IP address allocation, etc. radvd, the router advertisement daemon is the process on Linux that does some of this.
14. IPv6 isn't perfect and will continue to evolve as issues are identified and RFC's are raised to resolve them. This is no different to IPv4's history.
15. IPv6 is not going away. Growth is continuing, see <ahref="http://ipv6-test.com/stats/country/US">US graph.
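Points 9 and 12 above (bracketed IPv6 literals in URLs and ip6.arpa reverse names) are easy to get wrong by hand, so here is a small added example, not from the commenter or from any project, that builds both with the Python standard library. The addresses used are the documentation prefix 2001:db8::/32 and TEST-NET ranges, chosen here as constructed sample input; the hostname host1.example.com and TTL 1h are taken from the comment's own PTR line.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def reverse_pointer(addr: str) -> str:
    """Owner name for a PTR record, for either address family.

    IPv4 reverses whole octets under in-addr.arpa; IPv6 reverses every hex
    nibble under ip6.arpa. The '::' shorthand is expanded first, because the
    reverse name must contain all 32 nibbles (compression is only for humans).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")   # 32 zero-padded lower-case hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(addr: str, hostname: str, ttl: str = "1h") -> str:
    """Render a zone-file style PTR line like the one in the comment."""
    return f"{reverse_pointer(addr)}. {ttl} IN PTR {hostname}."


def url_for(host: str, port: Optional[int] = None, path: str = "/",
            scheme: str = "http") -> str:
    """Build a URL; IPv6 literals are wrapped in [] (RFC 2732) so their ':'
    separators are not mistaken for the port delimiter."""
    try:
        ip = ipaddress.ip_address(host)
        hostpart = f"[{ip.compressed}]" if ip.version == 6 else ip.compressed
    except ValueError:
        hostpart = host                        # plain DNS name, no brackets needed
    if port is not None:
        hostpart += f":{port}"
    return f"{scheme}://{hostpart}{path}"


def parse_host_port(url: str) -> Tuple[Optional[str], Optional[int]]:
    """urllib understands the bracket form and strips the [] from .hostname."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


if __name__ == "__main__":
    print(ptr_record("2001:db8::2", "host1.example.com"))
    print(ptr_record("192.168.1.0", "gw.example.com"))
    print(url_for("2001:db8::2", 8080, "/folder/file.html"))
    print(parse_host_port("http://[2001:db8::2]:8080/folder/file.html"))
```

The reverse name it prints for 2001:db8::2 is the same 32-label string the comment shows, which is a quick way to confirm by eye that `::` expansion was applied before reversing.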
-
-
Thursday 16th February 2017 13:35 GMT Boothy
Re: So, how do I go about implementing it?
If you're on Sky Broadband, IPv6 is enabled by default, (once the local hardware is updated to support it of course).
I've got a ~3 year old Sky Hub, and noticed about a year ago, while I was looking into network configurations for a VM, that my desktop now had a v6 address assigned, as well as a v4. A quick look at the router config, and sure enough I now had a v4 and v6 Internet address, and v6 was routing to the local LAN.
As an example, the above mentioned test site (http://test-ipv6.com/) gives me a 10 out of 10 score on my Desktop PC.
Just as a warning, not all devices at home will support v6 yet, although I was surprised at how many did support it in my house once I checked them out!
As an example, my Sky Box (standard HD box from about 4 years ago, not the newer Q version), only picks up IPv4, and my NAS server is also only IPv4, although the latter is simply me not getting round to doing anything about it yet (it's a Linux OS, and had v6 disabled by default).
But all other devices I have do seem to support IPv6. So that's an XBox One S, two Android phones (OS 6 and 7), my TV (an LG smart from a couple of years back, although it is usually disconnected from the network), an old Android LG Tablet that was never supported past 4.4.2, and also my first gen Nexus 7 (2012), all support IPv6!
-
-
-
Thursday 16th February 2017 17:42 GMT Anonymous Coward
@AC - Re: So, how do I go about implementing it?
Easy pie! Just go to your medium/large multinational company's CFO/board, ask them for millions of dollars, warn them that the fully redundant 24/7 99.999999999...% uptime back-end, mission critical systems will probably be impacted without any sound business reason except the fact that outside Internet is running out of IPv4 addresses. Wait until they stop laughing and say "No, seriously! This IPv6 is so cool, it does offer increased address space, IPSec, eases the pressure caused by large routing tables, does away with NAT and... Please don't leave! Hello! Anyone ?"
-
Thursday 16th February 2017 20:09 GMT Dwarf
Re: @AC - So, how do I go about implementing it?
Presented differently....
Telling the board that a project to implement external IPv6 connectivity to maintain the ability of customers to connect to the services we offer in the coming years is very normal. It makes no difference if it's a noddy application or a bunch of highly available systems, the approach is the same. Also, IPv4 and IPv6 are designed to co-exist and parallel run, just like IPX and IP used to in days gone by.
Change is what IT teams do and if it's done right, you do your normal release management via dev and non-prod platforms first to get the badge to allow release to production and DR. This is no different to the implementation of a new storage platform, an OS upgrade from version X to version Y, a database engine update to keep in maintenance. Corporates are used to projects that maintain their steady state and keep their customers coming to the front door. This is really not a big deal.
If you are worried by this, then I'm for hire and I can help :-)
-
-
-
-
Thursday 16th February 2017 10:39 GMT Neil Alexander
Re: class D address space
"Why don't we use class D addresses ? It's not really used for multicast"
Most IP stacks have special behavior hard-coded for the "special" IP ranges, i.e. multicast, link-local, etc. It would be an absolutely mammoth task to make those address ranges globally routable.
-
-
Thursday 16th February 2017 10:36 GMT sean.fr
Address allocated but not live
If all these people and companies are refusing to move to IP6 after so many years of pushing it, you have got to say there is something very wrong with it. The basic IPv6 model makes the wrong assumption that we want everything on the internet. We (low level, part time and amateur network support folk) want to stay with what we know, and there are many more of us than ISPs and backbone peering super egg heads.
We are fine with IPs and Internet peers using IPv6, if you keep on the dirty side of the firewall. We want none of it inside our companies and homes. We are happy with our 10 and 172 addresses. We are comfortable with NAT, OSPF, Vlans and tags. We DO NOT WANT an internet for every device. I do NOT want my LED light bulbs or my garage door on the internet, because I can not protect them. It is hard enough to keep the PCs safe. I can patch the PC, but not the coffee distributer, or the toilet water pump.
So make it easy to keep IPv4 inside, and you can use whatever you want outside.
It simply is not true that the IPv4 addresses have run out. They are allocated, but many are not actually used on the internet. You can check this yourself using ping. Pick some random addresses, and ping. Yes some people block at the firewall, but most companies do not as it is really hard to debug your internet connection if you do.
Monthly charges for each IPv4 address.
You will get lots of scrappy bits returned. So like was done for phone numbers, you need to weaken the link between the number and routing. Another layer of mapping is required, but on the firewall or the dirty side of the firewall. Plus if you are billing individual addresses, you can fine / block addresses used for DDOS / spam / scam. You would encourage encrypting on everything - firewall to firewall - so everything is signed - end to end - and harder to snoop / spoof.
-
Thursday 16th February 2017 10:57 GMT Nanashi
Re: Address allocated but not live
No, I'm pretty sure that most people do want their stuff on the internet. That's why they bother to deploy NAT -- to get their machines on the internet even in the face of a lack of IP space to do it with.
And it definitely is true that there's not enough v4 space for everybody. It's also true that you can find unused v4 addresses, but... there aren't anywhere near enough (and fragmentation is a big issue). v4 is just not big enough.
(Also I shouldn't really need to say this again and again, but using v6 doesn't magically mean that all of your devices are accessible from the internet. Rejecting v6 because you think it means that is mistaken.)
-
Friday 17th February 2017 00:39 GMT Doctor Syntax
Re: Address allocated but not live
"No, I'm pretty sure that most people do want their stuff on the internet."
More likely people want the internet on their stuff but not necessarily the other way around. They want to connect their laptop, desktop, tablet, phone etc to the net. What they don't want is Joe Random on the net connecting to the above. It's a one way thing.
A smaller set of stuff doesn't get connected either way - my printer and NAS don't need to see the net, nor do they need to be visible from outside.
Then there's another class of stuff that some folk do want on the net: their Nest, their webcam etc. And just look at the problems that's causing for everyone else; most of us would be happier if none of that had got on the net. It's been a big illustration of the problems that happen when Joe Random can connect to their stuff.
The first case has been handled well by IPv4 & domestic routers for a long time and a part of that is that NAT ensures that the individual device can't be directly addressed from the wider net. At the same time the services behind the router/firewall/whatever can talk to each other; I can print from my laptop or exchange files with my NAS. Somebody in another comment mentioned NAT breaking end-to-end routing. That's just what these use cases need.
It's these first use cases that need to be addressed simply by IPv6. Being told that address randomisation answers users' concerns by preventing being tracked is a failure to understand the issue. My printer isn't going to be tracked anyway but what I don't want is someone coming across my printer on its current randomised address and either dropping a load of stuff to be printed just because they can or taking advantage of a zero-day to enrol it into a botnet.
-
Friday 17th February 2017 03:23 GMT TheNSA
Re: Address allocated but not live
"I don't want is someone coming across my printer on its current randomised address"
A correctly configured firewall is the solution but just so you have some idea how unlikely that would be --
Assuming a scanning rate of 1,000,000 IP6 addresses per second it would still take nearly 600,000 years to fully scan a /64 bit prefix (2 ^ 64).
Adoption of IP6 only would have the additional benefit of eliminating those pesky scanning botnets (Mirai comes to mind) as locating IOT devices even on non-firewalled randomised IP6 addresses would be a virtually impossible task.
-
-
Friday 17th February 2017 08:28 GMT Charles 9
Re: Address allocated but not live
Security by EXTREME obscurity. If you're looking for a few bone needles in a planet-sized haystack, eventually the return on effort gets too small. If you had a week to search a million lead lockboxes, even if you could check them once a second, you'd only get about two thirds of the way before time ran out (it would take nearly 12 days).
-
-
Saturday 25th February 2017 07:31 GMT Kiwi
Re: Address allocated but not live
Assuming a scanning rate of 1,000,000 IP6 addresses per second it would still take nearly 600,000 years to fully scan a /64 bit prefix (2 ^ 64).
So 1,000,000 machines scanning one address per sec would take 6 years. 10,000,000 would take a matter of weeks.
Tell me... How many devices are we now seeing on botnets? What will the numbers look like when those botnets start getting hold of other IoT stuff that is on IP6 scanned by a home user who thinks "It'll take them 60,000 years to find my poorly configured firewall" or worse, a home user who has no idea what a firewall is? We have people in this thread talking about making sure every device has a decent firewall and not needing the same strength perimeter security - how well will that happen with IoT?
Your SBO model will quickly break, and I do mean quickly. A year or two and we'll have botnets that can scan your " /64 bit prefix" in a matter of days, or hours.
locating IOT devices even on non-firewalled randomised IP6 addresses would be a virtually impossible task.
I addressed this in another post a few months back, but suffice to say.. Not that long ago it was considered impossible for man to travel beyond 30mph (IIRC, number may be wrong). I've done that several times today. Not long ago man could not fly. Not long ago you could not possibly build ships out of iron. Go back 20 years and say you'll be able to stream HD videos to your home, to more than one device. And a device the size of a packet of matches could play said movie on your TV. Hell, in my lifetime it was considered impossible that gays would ever be allowed to legally have relationships, let alone marry!
What you consider impossible today will be done tomorrow and will be taken for granted next week. Or in security-by-obscurity, what is considered impossible to break today was considered a joke by hackers last week, and trivially broken some months back.
-
Monday 27th February 2017 08:13 GMT Charles 9
Re: Address allocated but not live
No, that's a million machines scanning a million IPv6's per second. How many machines out there can scan that fast? How many can the inbound gateway handle?
Put it this way. If you had THAT much computing power at your disposal, you'd probably have bigger fish to fry, like trying to solve for encryption or factoring algorithms.
-
-
-
-
-
Thursday 16th February 2017 12:10 GMT Dwarf
Re: Address allocated but not live
@sean.fr. It's not that simple. IPv4 has had its day, it's lasted well, but change has to happen as we have just outgrown its capabilities.
Just because something does not respond to ping doesn't mean it's not there, it just means that it refuses to talk to you or perhaps it can't be used. Remember that some addresses are not usable (for example the all 0's and all 1's on each subnet), so the more you break things down, the higher the level of wastage becomes.
Secondly, the more fragmented the ranges become, the larger the routing tables become on all the backbone routers. This makes routing slower - as it takes time to parse the tables for each frame.
The bigger issue is that on backbone routers (i.e. not the home grade stuff), the routing decisions are done in hardware to speed things up; you can't expand the tables without new hardware and that's very expensive in terms of hardware and projects to swap them. IPv6 fixes this by streamlining the routing to reduce the overhead and improve performance.
For an "ordinary home network", everything you know today about your home LAN with its different VLANs, local routing, etc. still works the same, you just end up with a different prefix. Where you probably use 192.168.xxx.yyy with the 3rd octet for the subnet, in IPv6 it just becomes the 4th block in the address, so 2001:db8:abcd:xxxx:: and the yyy bit becomes yyyy:yyyy:yyyy:yyyy. If you don't care what the yyyy bit is, then let dnsmasq take care of this and use proper device names. If you do care about addresses (i.e. your DNS is not working), then you can DHCP allocate and end up with addresses like 2001:db8:abcd:xxxx::yyyy. You still end up with an xxxx and yyyy portion so it's virtually identical to what you are used to today.
The idea of 6to4 and 4to6 connectivity, while simple on paper, generally doesn't work well as v4 clients can't put a 128 bit address in the 32 bits of storage compiled into the older apps. This is the whole reason why there has been a deliberate long period of parallel running.
As to firewall separation, you can still configure your home router/firewall to allow the bits you want to access externally whilst protecting your garage door just like you do today. IPv6 firewalls work just like IPv4 firewalls do.
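The 192.168.xxx.yyy to 2001:db8:abcd:xxxx::yyyy mapping described in the post above, and the "16 bits between /48 and /64 give you 64K subnets" point from the numbered list earlier in the thread, are shown below as an added example (not the commenter's code) that carves /64s out of one /48 with the Python standard library. The site prefix 2001:db8:abcd::/48 is the documentation prefix the post itself uses; the VLAN numbers and host ids are constructed sample input.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network


class HomeAddressPlan:
    """Carve a /48 site prefix into /64 subnets and number hosts inside them.

    Layout (bits):  [ 48-bit site prefix ][ 16-bit subnet id ][ 64-bit interface id ]
    so one /48 holds 2**16 = 65536 /64 subnets, one per VLAN if you like.
    """

    def __init__(self, site_prefix: str):
        self.site = IPv6Network(site_prefix)
        if self.site.prefixlen != 48:
            raise ValueError("expected a /48 site prefix, got /%d" % self.site.prefixlen)
        self.subnet_count = 2 ** (64 - self.site.prefixlen)   # 65536

    def subnet(self, index: int) -> IPv6Network:
        """The /64 whose 16-bit subnet id is `index` (shown as hex in the address)."""
        if not 0 <= index < self.subnet_count:
            raise ValueError("subnet id must fit in 16 bits")
        base = int(self.site.network_address) | (index << 64)
        return IPv6Network((base, 64))

    def host(self, index: int, host_id: int) -> IPv6Address:
        """A statically numbered host: subnet id in the 4th block, host id in the low bits."""
        if not 0 <= host_id < 2 ** 64:
            raise ValueError("host id must fit in the 64-bit interface id")
        return IPv6Address(int(self.subnet(index).network_address) | host_id)

    def from_ipv4_plan(self, v4: str) -> IPv6Address:
        """Translate a 192.168.X.Y style plan: 3rd octet -> subnet id, 4th octet -> host id.

        The numbers are kept as-is, so VLAN 10 / host 32 appears as ...:a::20 in hex.
        """
        octets = IPv4Address(v4).packed
        return self.host(octets[2], octets[3])


if __name__ == "__main__":
    plan = HomeAddressPlan("2001:db8:abcd::/48")     # documentation prefix, constructed example
    print("subnets available:", plan.subnet_count)
    for vlan in (0, 10, 200):
        print(f"VLAN {vlan:>3} -> {plan.subnet(vlan)}")
    print("192.168.10.32 ->", plan.from_ipv4_plan("192.168.10.32"))
```

Keeping the subnet id numerically equal to the old third octet means a firewall rule written for "the IoT VLAN" matches `2001:db8:abcd:a::/64` in v6 the same way it matched `192.168.10.0/24` in v4, which is the point the post is making about nothing conceptually changing.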
-
Thursday 16th February 2017 12:51 GMT Charles 9
Re: Address allocated but not live
"As to firewall separation, you can still configure your home router/firewall to allow the bits you want to access externally whilst protecting your garage door just like you do today. IPv6 firewalls work just like IPv4 firewalls do."
And in fact, one-to-one NATs in IPv6 can do some pretty neat tricks (and yes, they're in the spec). For example, ephemeral addresses for outgoing connections (meaning they're used just for that session and then disconnected). Lot harder to hack by reversing outgoing connections this way. Another example, you can have the router randomize the subnet addresses of exposed machines, making all of them look like a jumbled mess to an outside network mapper. Makes it harder to guess the topology and use that knowledge in an intrusion.
-
-
Thursday 16th February 2017 14:10 GMT Charlie Clark
Re: Address allocated but not live
In other words don't move my cheese.
IPv6 isn't perfect but the lack of addresses is only one problem that it attempts to solve for which there is no solution in IPv4. IPv4 was designed for a couple of million devices (address contention is not a problem you ever want to have on a network) and it's a testimony to how well it was designed that it copes with billions of devices on it and the huge volumes of streaming traffic it handles.
A comparison with HTTP is imperfect but still perhaps useful. For many years it was acknowledged that HTTP 1.1 had limitations (no TLS, no multiplexing) but there was a lot of inertia to overcome so no work was done on HTTP 2. A few years ago, Google and others started working on an imperfect replacement SPDY to help mitigate some of the problems they had due directly to HTTP 1. The ideas formed the basis of HTTP 2, which while still not perfect is being rolled out around the world and will soon be given privileged access. This, in my opinion, is how the IETF is supposed to work and I wouldn't be surprised if Google and others start privileging IPv6 traffic once the numbers are right.
-
Thursday 16th February 2017 14:21 GMT Neil Alexander
Re: Address allocated but not live
"We want none of it inside our companies and homes. We are happy with or 10 and 172 addresses."
This is a really naive attitude and it is exactly this attitude (and ignorance) that makes the IPv6 transition so difficult.
Ignoring the really obvious problem of being expected to unnecessarily translate between IPv6 and IPv4 on your network boundaries, why are IPv4 private address ranges preferable? The answer is they aren't.
Even if you are hell-bent on your outdated thinking, you could use ULA address ranges in IPv6 for places that you do not want to be globally routable.
The correct tool for the job of controlling network traffic in and out of your network is a firewall. A device with a globally routable IPv6 address behind a correctly configured firewall is just as safe as a device with an internal IPv4 address behind a NAT configuration on a firewall.
Repeat after me: NAT is not a firewall. NAT does not provide security. NAT makes absolutely no guarantees.
"We have are comfortable with NAT"
No, globally, we're not comfortable with NAT.
NAT creates massive headaches and fundamentally pushes us towards service centralisation, as we are forever having to create applications that have to "call outbound" instead of being able to work in true peer-to-peer fashion. It makes even simple applications complicated as we have to constantly be concerned with NAT traversal, or UPnP, or NAT-PMP.
NAT is a hack. It was a hack when it was first implemented, and it's still a hack now. Unfortunately it's a hack that people are sadly attached to.
"OSPF, Vlans and tags."
None of this changes with IPv6 apart from an uplift to the OSPFv3 protocol. VLANs and tagging do not change - those are part of Layer 2, not Layer 3. Please see the OSI model.
"We DO NOT WANT an internet for every device."
This is not a problem with IPv6, but instead with your network topology. Put them on a VLAN that doesn't route to the Internet, or use a firewall to prevent traffic to/from them. There are correct tools for this job. Avoiding IPv6 forever is not.
"I do NOT want my LED light bulbs or my garage door on the internet, because I can not protect them."
See above statement.
-
-
Thursday 16th February 2017 16:10 GMT Neil Alexander
Re: Address allocated but not live
"too hard for most home users."
On the contrary, it is very typical for ISP-provided (and even off-the-shelf) routers to be configured with default-deny for incoming connections. In that case, most home users would never need to change a thing.
For those that do go in and make uneducated changes to the firewall settings, well, you can't protect users from themselves even in IPv4 land.
-
-
Thursday 16th February 2017 17:11 GMT Charles 9
Re: Address allocated but not live
"Ignoring the really obvious problem of being expected to unnecessarily translate between IPv6 and IPv4 on your network boundaries, why are IPv4 private address ranges preferable?"
Because you have devices on your network that cannot be replaced or upgraded and can ONLY grok IPv4. Now what do you do?
-
Thursday 16th February 2017 17:22 GMT Down not across
Re: Address allocated but not live
Ignoring the really obvious problem of being expected to unnecessarily translate between IPv6 and IPv4 on your network boundaries, why are IPv4 private address ranges preferable? The answer is they aren't.
I don't think you can speak for everyone on what is preferable to them.
I certainly would take issue if anyone felt they could decide what is preferable to me.
-
Friday 17th February 2017 00:47 GMT Doctor Syntax
Re: Address allocated but not live
"This is a really naive attitude and it is exactly this attitude (and ignorance) that makes the IPv6 transition so difficult."
What makes the transition so difficult is an almost wilful refusal to look at the problems it causes on the ground.
"This is not a problem with IPv6, but instead with your network topology. Put them on a VLAN that doesn't route to the Internet, or use a firewall to prevent traffic to/from them."
Right. Tell me how Joe Soap, who can't put his webcam on the net without getting it bounced into a botnet within minutes is going to accomplish all that. Because that's the core problem.
-
-
-
Thursday 16th February 2017 10:58 GMT Anonymous Coward
Meanwhile...
I just wanted to upgrade my soho wifi router... and ran into the invoices for all the previous models I ever owned in a shoebox, long after their power supplies had fried from being plugged on 24/7.
They all had IPv6 ever since it was invented.
My ISP, however, enabled it just 3 months ago.
-
Thursday 16th February 2017 11:17 GMT Anonymous Coward
Really
That's odd because hosts are still handing out IPv4 addresses like confetti, SoftLayer for instance give you 16 addresses each time you set up a cloud server in a new location. Great for future expansion but a bit wasteful if there is a drought.
KCOM don't even support IPv6 in their data centre, never mind for residential users.
-
Thursday 16th February 2017 12:19 GMT Lee D
Re: Really
Because they already have an allocation and can just shufty them around.
But new allocations are dead in the water.
Tagadab (part of ClaraNet) are basically into the charge-per-IP now, whether you buy a dedicated server or a VPS. Other companies are following suit.
But if you're not growing your userbase and you have "enough" IPv4's, you have a little insurance. Meanwhile, everyone else is ALREADY giving out IPv6 for free like it's going out of fashion but charging for each individual IPv4.
-
-
Thursday 16th February 2017 11:23 GMT jonfr
NAT is a problem
Just having NAT on IPv4 connections is a problem, especially when dealing with all the problems that come with it.
As I plan on moving to Germany in a few years' time, I was searching for a way to get a static IP address since I need that for a few things I run on my home network. No private IPv4 address to be had; a few days ago I discovered that the ISP I'll be using once I move supplies an IPv6 to all new connections. That is going to allow me to connect my own WAN router to the cable modem router and get a proper connection to the internet and allows me to run the services I want (I hope) without problems. My WAN router has an IPv6 firewall, so that security aspect is good.
Currently my Danish ISP doesn't offer IPv6. It has static IPv4 addresses, but I don't know how long that is going to last.
NAT breaks your internet: https://blog.webernetz.net/2013/05/21/why-nat-has-nothing-to-do-with-security/
There is no IPv6 NAT: http://www.internetsociety.org/deploy360/blog/2015/01/ipv6-security-myth-3-no-ipv6-nat-means-less-security/
-
-
Thursday 16th February 2017 17:57 GMT simpfeld
Re: NAT is a problem
Yes there is IPv6 NPT (Network Prefix Translation) that is a way of mapping an internal address space to an external address space, by just changing the prefix. This is pretty good, as it preserves IPv6's end to end connectivity (it's a one to one address mapping, much better than IPv4 NAT). I get the feeling corporates may well look to use this, rather than public IP addresses internally (especially as it allows you to easily have multiple ISPs outbound for resilience).
I believe there is also further (and not as clean) IPv6 NAT6, but I think this is still a mapping of address to address, not a different port on a different address, but a non-static mapping...but could be wrong on that. Someone else can probably clarify.
I was looking at the NAT6 on OpenWRT. Whether this is NPT or a fuller NAT6 isn't clear to me yet. Still learning.
https://wiki.openwrt.org/doc/howto/ipv6.nat6
-
-
Thursday 16th February 2017 13:09 GMT Anonymous Coward
"nat-has-nothing-to-do-with-security"
We have all seen what happened when instead of routers with NAT, people had "modems" which directly attached the computers to the Internet - a lot of systems compromised with ease. One of the reasons SQL Slammer expanded so fast was desktop machines with MSDE installed, directly connected to the Internet.
NAT is not a security feature per se - but still helped a lot to keep insecure devices outside the reach of simple scan-and-exploit attacks - at least before UPnP started to dig holes into it. Especially, it was something that protected the most naive users who utterly lack the knowledge to configure a firewall properly, and when faced with issues, have a high probability of disabling it altogether.
Especially since many low-end routers' firewalls have minimal features and usually an ugly web UI to configure them. Thinking everybody now will run a pfSense behind their router is pure sci-fi.
Without NAT, the number of compromised machines would have been quite a bit larger. An OS firewall may not be enough because some idiot installers (MySQL....) open ports without asking.
-
Thursday 16th February 2017 16:43 GMT Charlie Clark
Re: "nat-has-nothing-to-do-with-security"
We have all seen what happened when instead of routers with NAT; people had "modems" which directly attached the computers to the Internet - a lot of systems compromised with ease.
I think you'll find that millions of systems are compromised with ease at any one time. Protection via NAT was coincidental, much like security through obscurity, and it didn't take long for hackers to work around any "protection" afforded by NAT.
-
Thursday 16th February 2017 17:29 GMT Anonymous Coward
Re: "nat-has-nothing-to-do-with-security"
NAT is not a "security by obscurity". It's the equivalent of a DENY ALL rule for incoming connections. If it doesn't have a rule to deliver a packet, it will drop it. Raw, simple, but effective. And - important - cannot be disabled but for a single host, usually.
"you'll find that millions of systems are compromised with ease" behind expensive firewalls as well. Because some users behind the firewall are true lusers, and because some firewall administrators are lusers as well (writing and maintaining sensible fw rules requires some effort..). So let's get rid of firewalls?
I've seen companies with lame fw rules, and buttocks saved by the NAT ones. Layered defense is not exactly "security by obscurity".
-
Thursday 16th February 2017 20:19 GMT Charles 9
Re: "nat-has-nothing-to-do-with-security"
"NAT is not a "security by obscurity". It's the equivalent of a DENY ALL rule for incoming connections. If it doesn't have a rule to deliver a packet, it will drop it. Raw, simple, but effective. And - important - cannot be disabled but for a single host, usually."
But that's NOT the NAT at work. That's the firewall that's INCLUDED with the NAT. If the firewall wasn't there, the ISP (which provides your connection so you're subservient to it) WOULD have the ability to route directly onto your LAN if it knows your topology (and if the ISP can do it, the LAW can pressure the ISP to do it on their behalf). Someone demonstrated such a route about a month ago. It's ONLY the firewall that prevents this, NOT the NAT.
-
Monday 20th February 2017 18:30 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
"But that's NOT the NAT at work. That's the firewall that's INCLUDED with the NAT. If the firewall wasn't there, the ISP (which provides your connection so you're subservient to it) WOULD have the ability to route directly onto your LAN if it knows your topology"
It's not the firewall, it is NAT that prevents inbound routing to addresses behind NAT.
NAT builds a relationship table with the inside IP and PORT & outside IP and port and changes the inside IP & port as the router forwards the traffic on. There is no way something from outside can route to something inside when the mapping has not been created. The NAT router cannot route from outside to an inside address when its table does not contain the inside IP or port to map to. It is conceivable that a poorly written router will route from outside to an inside (even an rfc1918) address but whomever is on the outside would need to know an address on the inside to target, and the router would not be using its NAT table to facilitate the comms.
-
Tuesday 21st February 2017 18:12 GMT Nanashi
Re: "nat-has-nothing-to-do-with-security"
No, it's not NAT that blocks connections or prevents routing. NAT doesn't do anything at the routing layer, it's purely an L3 thing, and also only applies to outbound connections in the typical setup. If you just send the router a packet with the correct dest address set already, then there's no inbound mapping required and no addresses need to be translated -- because the packet already has the right address. (As you say, the router won't be using its conntrack tables to deal with the packet, but that doesn't mean that the packet is impossible to process.)
The end of your post seems to indicate that you knew all of this already, so I'm not sure how you still managed to reach the wrong conclusion, but you're welcome to go and test this with some virtual machines, or even real routers, if you don't believe me. You'll find that they do in fact pass inbound traffic unless that traffic is blocked by a firewall.
-
Wednesday 22nd February 2017 23:11 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
@Nanashi
With NAT the address headers of outbound traffic have the source IP of the router. In order to route to something on the inside of the router you need to know its IP. If you're directly attached to the router you can possibly sniff the traffic and discern the addressing within, else you can scan a number of IPs and see what responds; this only works if your router (I'm talking domestic here) doesn't block unsolicited traffic from the WAN by default, typically via a stateful firewall only possible by the same tables as used by NAT.
Beyond the carrier's WAN router or infrastructure, it's impossible to route from the net directly to an rfc1918 address or other non-routable-from-the-internet IP address. Non-routable-from-the-internet addresses include those valid public IP addresses whose owners route to null or FW as viewed from the internet. Those non-routable-from-the-internet IP addresses are still able to connect to the internet via an internet routable address and NAT. It's an important distinction that is used by billions of IPv4 users that is completely lost without NAT.
Session based obfuscation in IPv6 causes its own headaches for administrators. Currently when a user says they aren't able to connect to something, for example a website, I can ask for their IP and check the various logs to find out what's going on. While I can search logs for the current DNS resolved destination there is no guarantee the remote site has 1 IP and some certainty the client has a changing IP if it's using session obfuscation. Even if I'm on the phone when testing, how do I know what IP that browser session used? My work load goes up exponentially; I'll need extra access to other systems like AD or LDAP for finding what user had what IP for each session. Does each web call have its own IPv6 address? How many web calls per page will have a unique IP, each ad, each pic, each iframe? I suddenly need to know intimate detail on web design to have a chance to troubleshoot moving source IPs on what was a straightforward comms issue.
Troubleshooting IPv6 will be a huge headache; add in outsourcing to all corners of the world with different levels of competency (I've worked with idiots at home and exceptional engineers in the former colonies, a foreign accent doesn't automatically mean incompetence), it's a recipe for disaster that will cost us all more in money and security.
-
Thursday 23rd February 2017 19:21 GMT Nanashi
Re: "nat-has-nothing-to-do-with-security"
Yep, that's the deal: if you have no firewall then your ISP (or anyone that can order them to cooperate) can connect to your LAN machines. Yes they'd have to work out what IP range you're using, but that's not very hard. And yes, your router would have to have no firewall. No, "your ISP" doesn't mean "the entire internet".
The key point is that it doesn't matter if you're using NAT -- if you want to block all inbound connections, you need a firewall, and if you have a firewall then inbound connections are blocked, so clearly the NAT isn't necessary for blocking inbound connections. You don't need to be scared about not using NAT.
"Session based obfuscation in IPv6 causes its own headaches for administrators"
In some cases, but not the ones you're thinking of there. Privacy addresses for a machine all come from the same /64, so for random internet clients you just match on the first 64 bits of the address. This is morally equivalent to matching on the WAN address of a NATed v4 network. I'll also tell you that privacy addresses are only changed once per day (or whenever you reboot or restart networking), so no, you don't see one IP per resource request and you won't need intimate web design knowledge to find log entries for a client.
Have you given any thought to what will happen when ISPs start putting people behind CGNAT for v4, and you end up with multiple different people accessing you from the same source IP? How do you plan on finding them in the logs then?
"Troubleshooting IPv6 will be a huge headache"
You don't have much experience with v6, do you? It's much easier to maintain and troubleshoot a network when there's no NAT involved. Since NAT is a de-facto requirement on v4, it's v4 that ends up being the huge headache to deal with (ever had to merge two networks with clashing RFC1918 ranges?), and it's only going to get worse as the address crunch gets even more acute.
-
Saturday 25th February 2017 10:06 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
"In some cases, but not the ones you're thinking of there."
You need to get your crystal ball checked out and cleaned, mate, as you're clearly off course, which is no surprise as you're also way off the mark re NAT.
I specifically mentioned troubleshooting internal users accessing external systems; random users accessing websites is a different topic altogether, which IPv6 has severe privacy issues with.
Imagine you work in a tech office with a hundred other techs; you're all on the same admin subnet, but with different disciplines banded within subnet boundaries within that subnet (network admins in a different /29 to unix admins etc.). With IPv4 it's easy to ensure the different systems to be managed are only accessible by a specific subnet or group of IPs. How the hell do you do that in IPv6 if the source IP will change every session/day? You'd have to permit the whole subnet, not just the small bounded range in the subnet that is possible now. The reason for securing things this way is that only a small subset of people will know the range and a still smaller range of people will have the skill to understand how to ensure they can connect. It's not security by obscurity, just limiting the number of possible addresses a device can be managed or attacked by, thereby enhancing security.
Talking of subnets, how many enterprises have you worked in that have a single L2 domain? Multiple L2 domains are good for numerous reasons; it's also 101 to ensure your users are not directly attached to an internet-routable router. The proxy is likely to be in a DMZ itself, at least 1 hop from the net but likely 2; users are likely at least 2 routed hops from the proxy. It's just absolutely stupid to have internet-routable addressing that far in your network, especially when the internal addresses within your LANs will change frequently. Tell me this: when you need to investigate a logged connection from 2 weeks ago, how do you attribute that connection to a machine? The DHCP server hasn't issued the address, no MAC records as several hops to any logging system, proxy auth if it went through a proxy, but what if it's a log on a firewall or server with no user auth associated?
IPv6 raises many, many issues. You clearly have no clue about security or accountability & are clearly happy you can run IPv6 at home, which is great, but most of us Network Geeks couldn't give a stuff about our home networks (beyond buying quality kit that is configured correctly and securely, requiring minimum ongoing faffing); we don't get paid to fiddle with that constantly and our home users don't like it.
-
Saturday 25th February 2017 14:40 GMT Anonymous Coward
Re: "nat-has-nothing-to-do-with-security"
You have 64 bits to work with (the back half of the address). Just work from that. Instead of /29 subnets, use /72s, /80s, or /96s.
And if ephemeral IPv6's are an issue for you because you're more paranoid about outgoing than incoming connections, then turn it off. Two commands in an elevated command prompt can do it for Windows:
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled
And as for ignoring IPv6, it's your funeral. I'd suggest learning more about how to manage it before it becomes a necessity (and it WILL, it's a matter of WHEN, not IF).
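As an added example (not code from any poster in this thread), the following Python script shows the two points made above: Nanashi's note that a client's privacy addresses all share one /64, so a log search matches on the first 64 bits, and the suggestion here to carve a /64 into /80 blocks for admin groups. All addresses and log lines are constructed from the 2001:db8::/32 documentation prefix, and the log format is hypothetical.

```python
"""Added example, not from the forum thread: match IPv6 log entries to a
client by its /64 prefix, and carve a /64 into /80 admin subnets for
source-address restrictions. Every address and log line here is constructed
for illustration (2001:db8::/32 is the documentation prefix)."""
import ipaddress
import re

# Constructed sample log lines. Privacy (temporary) addresses rotate the low
# 64 bits, so the first 64 bits identify the client. The two IPv4 lines show
# the CGNAT situation: two sessions from one public address look identical.
SAMPLE_LOG = """\
2017-02-23T19:01:02 src=2001:db8:1:a::1234 dst=2001:db8:ff::80 GET /index.html 200
2017-02-23T19:01:03 src=2001:db8:1:a:5c1e:3b20:91fa:7ee1 dst=2001:db8:ff::80 GET /img/logo.png 200
2017-02-23T19:01:04 src=2001:db8:1:b:ab12:cd34:ef56:1 dst=2001:db8:ff::80 GET /index.html 503
2017-02-24T08:15:00 src=2001:db8:1:a:7777:8888:9999:aaaa dst=2001:db8:ff::80 GET /index.html 503
2017-02-24T08:15:01 src=203.0.113.7 dst=198.51.100.80 GET /index.html 200
2017-02-24T08:15:02 src=203.0.113.7 dst=198.51.100.80 GET /index.html 503
"""

# Hypothetical "key=value" log format used only by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) (?P<req>.*?) (?P<status>\d{3})$"
)


def client_key(addr_text):
    """Return what a log search should group on: the /64 for an IPv6 source
    (privacy extensions only change the interface-identifier half) and the
    bare /32 for IPv4, where nothing finer is available."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6:
        return ipaddress.ip_network(f"{addr}/64", strict=False)
    return ipaddress.ip_network(f"{addr}/32")


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def entries_for_client(entries, reported_addr):
    """Find every entry from the client that reported `reported_addr`,
    whatever temporary address each individual session happened to use."""
    key = client_key(reported_addr)
    return [e for e in entries if client_key(e["src"]) == key]


def carve_admin_subnets(admin_prefix, new_prefix_len, names):
    """Split one /64 into smaller blocks (for example /80s) and label them,
    the IPv6 counterpart of grouping admin hosts into IPv4 /29s."""
    subnets = ipaddress.ip_network(admin_prefix).subnets(new_prefix=new_prefix_len)
    return {name: next(subnets) for name in names}


def source_allowed(src_text, allowed_nets):
    """Management ACL check: is the source inside one of the allowed blocks?"""
    src = ipaddress.ip_address(src_text)
    return any(src in net for net in allowed_nets)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # The user on the phone reads out 2001:db8:1:a:7777:8888:9999:aaaa;
    # the earlier sessions used other addresses from the same /64.
    for e in entries_for_client(entries, "2001:db8:1:a:7777:8888:9999:aaaa"):
        print(e["ts"], e["src"], e["req"], e["status"])
    teams = carve_admin_subnets("2001:db8:1:ad::/64", 80, ["network", "unix"])
    print(teams)
    print(source_allowed("2001:db8:1:ad::dead:beef", [teams["network"]]))
```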
-
Saturday 25th February 2017 20:02 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
"You have 64 bits to work with (the back half of the address). Just work from that. Instead of /29 subnets, use /72s, /80s, or /96s."
You don't seem to comprehend the concept of curtailing access to the minimum number of hosts possible.
"And if ephemeral IPv6's are an issue for you because you're more paranoid about outgoing than incoming connections, then turn it off. "
So now you've got internet-routable addresses deep within your network. A mistake in your firewall or other security infrastructure and suddenly an internet miscreant has access to internal clients just by knowing their address and can hack away at will; that can't happen with RFC1918 or other non-internet-routable addresses in IPv4.
A well-known and adopted security posture is to ensure no end-to-end connectivity by breaking the session using some type of proxy or bastion. Permitting direct end-to-end connectivity as envisaged by those who designed IPv6 is considered an attack surface and one discouraged by any security auditing.
I'm not ignoring IPv6; I've been playing with it for ~10 years now and still don't like it. It has to be at least as security conscious as the current mature IPv4 it's replacing, but it's not, and it introduces a whole host of problems long since mitigated and resolved in IPv4.
-
Sunday 26th February 2017 20:57 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
@Charles 9
It's not my paranoia, it's just an effective means to minimise and mitigate against attacks. It's not a case of doing 1 thing or another; you do as much as you can.
If you've a bastion breaking the session, any attack has to first exploit the bastion before it can attempt to hack the real target. It hugely increases the difficulty in compromising a publicly addressable system.
UK gov (CESG) publishes a good practice guide:
https://www.ncsc.gov.uk/content/files/guidance_files/GPG%2013%20-%20Protective%20Monitoring%20for%20HMG%20ICT%20-%20Issue%201.7%20October%202012%20-%20NCSC%20Web.pdf
Have a read, and make sure you're securing your systems appropriately.
-
Sunday 26th February 2017 11:49 GMT Nanashi
Re: "nat-has-nothing-to-do-with-security"
You're right, I do need to get my crystal ball cleaned, since you didn't make that very clear.
If I had lots of people in an office that I wanted to split up into groups, then I'd put them on separate VLANs with their own /64s. If I didn't want to split them up, then I wouldn't. Though I'd also prefer to do auth based on something like certificates, rather than relying on IPs and hoping that everyone is polite enough to use the addresses I've asked them to use. If you care about security then you need to make things actually secure -- and you can do that just as well on v6 as you can on v4. Or at least *I* could.
"random users accessing websites is a different topic all together which IPv6 has severe privacy issues with"
I can't believe you've been looking at v6 at all seriously if you still think this. It doesn't have any severe privacy issues for this scenario, above and beyond the ones that v4 already has.
-
Sunday 26th February 2017 21:29 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
"Though I'd also prefer to do auth based on something like certificates, rather than relying on IPs"
I never wrote anything about solely relying on IPs; I specifically mentioned curtailing access to a small number of users. Certs are good until they are stolen. Access restricted to a small number of IPs, using SSH or TLS with a centrally managed authentication system (TACACS, RADIUS, LDAP, AD), is what's needed. It's a whole bunch of measures, not just 1 thing. We are discussing IPv6 and the volume of usable addresses is an issue that is not an issue in IPv4. You clearly don't get it.
Maybe have a read:
https://www.ncsc.gov.uk/content/files/guidance_files/GPG%2013%20-%20Protective%20Monitoring%20for%20HMG%20ICT%20-%20Issue%201.7%20October%202012%20-%20NCSC%20Web.pdf
-
Monday 27th February 2017 08:39 GMT Charles 9
Re: "nat-has-nothing-to-do-with-security"
The thing is, your problem isn't the IPv6 protocol but rather the greater Internet itself. Your problem IOW isn't in L3 but in L2, and you need to address your issues there with things like physical proxy servers that provide a physical layer of separation. Internally, your choice of protocol is up to you and irrelevant here. Externally, you may want to find a way to talk to IPv6 destinations before you get shut out, but by your standard that's a problem for your gateway to solve. You don't HAVE to keep end-to-end connectivity if you don't want to, but it's far better to have the option open and not use it than not to have the option when you need it.
-
Monday 27th February 2017 09:46 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
@Charles 9
"Your problem IOW isn't in L3 but in L2"
L3 is the problem, not L2. You have to be directly attached to the same logical segment for L2 to be a problem. 1 L3 hop stops L2 being a problem. L2 is a physical access issue controlled by other means.
L3 is what gets traffic from an entity outside of your control to you via other people's infrastructure. Proxies do not work at L2.
If IPv6 didn't discourage NAT but embraced it instead most people would have converted already. NAT, its derivatives and technologies derived from it are key to securing networks. IPv6 dismisses that security in depth by trying to ensure end to end connectivity which is not always desirable. You mentioned back hacks in a response to someone else, most of the crudest back hacks are broken by breaking sessions via a bastion or proxy, end to end comms brings a lot of those old exploits we have mitigated against back into play.
You clearly don't see any issues with IPv6. Being blind to problems in IPv6 is a mistake many will make and pay dearly for it. Good luck to you.
-
Monday 27th February 2017 20:09 GMT Charles 9
Re: "nat-has-nothing-to-do-with-security"
AGAIN, NAT isn't what blocks incoming connections, and I'll prove it.
You get your IP address from your ISP. Which means your network is subservient to it and you're technically INSIDE the ISP's INTRAnet. Which means they can route packets within their INTRAnet willy-nilly. That includes the RFC1918 ranges. If they know the IP address of a target machine you have, they can just route the packet directly onto it, no translation necessary because it's THEIR network which you're riding on. You could do the same thing if there was a NAT in your corporate intranet. A network expert confirmed this to be possible by disabling a home router's firewall several months ago.
So NO, NAT is NOT what you really want. It's in fact a false sense of security in the face of an ISP that gets served a warrant.
The device that provides the minimum degree of separation you want is the firewall, which doesn't change with IPv6, and if you don't even trust that, you want something stronger like a proxy server that allows you to better safeguard from both directions. And if you want to go one step further, then yes I'm saying use something at the L2 level (and yes, you CAN have an L2 proxy just as you can an L2 firewall; it uses TWO interfaces and the proxy bridges them according to its rules).
-
Wednesday 1st March 2017 12:58 GMT Blotto
Re: "nat-has-nothing-to-do-with-security"
I can see by your use of technical terms the level of proficiency you have in networking.
Your ISP is always going to be able to route to your RFC1918 and other reused IPs as they are directly attached. It becomes harder to impossible the further out you go. A reason for using NAT is not protection from your ISP; it's protection from someone else who does not have access to control your ISP's kit to be able to access hosts behind your NAT device. If your ISP is hacking your network you've got other problems a firewall alone will not secure you against.
A device with 2 interfaces does not make it an L2 proxy; you clearly don't understand the distinction between L2 & L3. There are devices that control what L2 devices can talk to other L2 devices, but they are not proxies or firewalls. A managed switch will do that by creating L2 domains, otherwise known as VLANing. A proxy is not a firewall.
If you understand the significance of L2 & L3, and some of the history, you'd start to question IPv6 and the motives behind hex addressing and the desire to incorporate the MAC in the IP address.
-
Thursday 16th February 2017 11:46 GMT tonyw2016
The bad decision that keeps on biting back
It's interesting how bad decisions made 25 years ago are still screwing up the Internet.
When the IPv4 addressing problem first came up, it was a choice between adopting the variable addresses of the Decnet/OSI approach of CLNP and a new protocol with bigger fixed-length addresses. The former was an evolutionary approach while the second was a step change with no obvious migration path. The second one was chosen largely because the IETF at the time was dominated by academics who distrusted the "commercial" attitudes of the OSI camp. They also favoured the class-based routing approach then used. I recall being told by one of those pushing IPv6 that he supported it because his VAX and PDP11 based routers worked with 16-bit routing tables and he just could not contemplate the idea of variable-length prefix matching algorithms.
Of course, not long afterwards, BGP-4 and prefix-based routing became the norm but no-one could bring themselves to reverse what had been a terrible decision. That is, introducing both a new addressing plan and a new protocol, rather than keeping the existing address plan, introducing a new protocol (with simple old-to-new gateways) and only when that new protocol had been fully adopted would the address plan be extended.
Let's hope that future network engineers learn from the mistakes of the past.
-
Thursday 16th February 2017 16:23 GMT Mage
Re: The bad decision that keeps on biting back
Websites were 1990s. Internet is about 10 years older in use, and designed earlier still.
The address size wasn't an issue for CPU word size or CPU address size.
A basic problem is that no internet resource using IP6 can turn off IP4 till everyone is using IP6 as there is zero interoperability.
At present "clients" have to use IP4 too, even if using IP6 because too much of the internet isn't accessible on IP6 only.
It's a mess.
-
Thursday 16th February 2017 16:33 GMT CheesyTheClown
CGNAT?
I'm using my phone right now to post this. It has a private IP over LTE and works just fine. When I tether my laptop, it works just fine. I regularly visit sites behind load balances that multiplex at layer-5, in fact, there are often tens of thousands of major websites operating sharing a single IP.
Our current IPv4 problem is entirely greed based and artificial. There is absolutely no reason we can't solve the problem. With less than 100,000 registered active autonomous systems on the internet, we certainly should be able to make do with a few hundred thousand /24 networks.
-
Thursday 16th February 2017 17:25 GMT Dwarf
Re: CGNAT?
I would be interested to know where the 100,000 registered systems statistic comes from, it sounds like a made up on the spot statistic. After all, you don't have to "register" a system to use it on the Internet.
Remind me again what happens when someone on that CGNAT service does something bad such as sending a bunch of SPAM and the real-time blacklists block that single public IPv4 address - Yep, nobody else can send e-mail. Now translate this to one of the DDoS filtering platforms - anyone else want to access the protected web site - tough luck, you can't.
These are yet more reasons why NAT is continuing to break different bits of the Internet, but if you are happy with that sort of service level and believe that only good people hang out on the Internet and it won't affect you, then that's your choice.
On the flip side, I can browse at ease, use whatever inbound services I want, not have to use dyndns type services to locate me on the Internet; use newer technologies that are IPv6 only and not have to worry about any of the "running out" issues. I also get some shiny new skills on my CV.
Yes it's different, but so were things when you used acoustic couplers and dial-up to get to BBSs. Does anyone really yearn for those days now?
It's only technology evolution and this is supposed to be a technical forum.
-
Thursday 16th February 2017 17:56 GMT Charlie Clark
Re: CGNAT?
I would be interested to know where the 100,000 registered systems statistic comes from, it sounds like a made up on the spot statistic.
You tend to hear it from anyone involved in peering, so CDN vendors or the like. But for them 100,000 systems is an awful lot of stuff to manage: routing on IPv4 is getting worse as a result of growth here.
-
Thursday 16th February 2017 20:33 GMT Dwarf
Re: CGNAT?
I assume you are referring to AS's ?
I agree that top-level routing table size is a problem (I mentioned this previously within the forum). This is fixed in IPv6 by the hierarchical structure, although I'm interested to see how the PI netblocks fit into this as it will clearly undo some of that goodness, just like it did in IPv4.
The use of PI address space comes from the fear of auto-re-addressing / RAs that is built in and theoretically makes things easy when you change ISP. However, the question I've asked repeatedly and only recently got a partial answer on is about inter-region failover between ISPs and what you actually use within your corporate at the various locations, particularly if one ISP's connectivity is interrupted and the RAs stop.
I note that RFC4193 exists and it's an IPv6 equivalent of RFC1918 and details non-routable internal-use IP addresses.
I also found the following which is handy for those learning IPv6, it summarises the different allocations of IPv6 address blocks and their use
-
Thursday 16th February 2017 16:37 GMT Anonymous Coward
If they'd just stuck a couple of octets at the start of IPv4 addresses, this would be solved by now.
Current addresses would just work, either as 0.0.whatever or as their current address, no hassle, nothing new to learn, just software being slowly updated to support the longer ranges.
But no, it had to be new and different.
-
Thursday 16th February 2017 19:55 GMT Anonymous Coward
Some of you guys worry me greatly.
Why? Because you're meant to be "tech" people (whatever the hell that means this day of the week) or sysadmins etc and your arguments are "IPv6 addresses are too long and remembering almost the same number of characters (in most cases) as an ipv4 address but with rules for making them shorter and more readable makes my head hurt" and "but NAT means I don't have to setup a firewall properly".
Good grief.
-
Friday 17th February 2017 01:03 GMT Doctor Syntax
Re: Some of you guys worry me greatly.
you're meant to be "tech" people (whatever the hell that means this day of the week) or sysadmins etc
It might have escaped your notice but there are now several people who aren't network admins, sysadmins, DBAs or whatever who actually have internet connections to their homes.
In fact there are a lot of them. If IPv6 is ever going to be rolled out it's got to work, work well and work securely for all these people as soon as they lift their router/firewall/whatever-naming-hair-you-want-to-split out of its cardboard box. When I read comments about how any competent sysadmin should be able to set up IPv6 routing I know this issue isn't being addressed and a successful roll-out is just receding into the distance.
-
Friday 17th February 2017 10:47 GMT Dwarf
Re: Some of you guys worry me greatly.
That's why the ISPs provide pre-configured routers with all the "hard stuff" taken care of; anyone can now plug in their incorrectly named modem / router / wireless router / Internet gateway and get to things on the Internet - irrespective of the protocol used under the hood.
Outsourcing the difficult bit to someone who understands a particular field is very common. How many of us actually maintain our own cars, chop down our own tree, build our own house or repair our roofs ? Most tend to use people who specialise in that field and have a good grasp of that technology and the correct tools. Networking and security is no different.
Consider this - national providers such as BT and Sky were able to roll out IPv6 with minimal user involvement and in a manner that provides similar security to what's in people's homes today. Traffic stats show that IPv6 carries about 50% of the Internet's traffic today, yet a small subset of people here seem to believe that IPv6 is witchcraft and x doesn't work like IPv4 when in fact it works equally well or significantly better, but hey, if you want to stick your head into the sand then that's your choice. I wonder though what your position will be when IPv4 is obsolete as has happened with previous connectivity technologies such as IPX, dial-up and X.25 before it.
-
Saturday 25th February 2017 21:14 GMT Kiwi
Re: Some of you guys worry me greatly.
That's why the ISPs provide pre-configured routers with all the "hard stuff" taken care of; anyone can now plug in their incorrectly named modem / router / wireless router / Internet gateway and get to things on the Internet - irrespective of the protocol used under the hood.
That would be those "pre-configured routers" with all the "hard stuff" taken care of, like telnet into the router, default username and password of "admin", world-accessible configuration web page with same defaults (ie http://your.ip:51005 (iirc) for some Thompson/speedtouch/whateverothername models) you're referring to then? The ones that, on the internally visible config pages, had no mention that telnet and/or ssh was open to world+dog and no function to turn it off? Those "pre-configured routers"? The ones that (in the case of Telecom NZ) had WiFi configured to be completely open out of the box, requiring no passwords to enter the WiFi and no passwords to change unimportant things like which DNS servers were used? Those "pre-configured routers"?
Mate is getting one next week. Will be interesting to see what I can access over the net OOTB.
Wish I saw your post 10 days ago...
-
Thursday 16th February 2017 19:55 GMT bombastic bob
at least we're not running out of MAC addresses...
hey we might be running out of IPv4 addresses, but at least we're not running out of MAC addresses. yet.
Until then, just make the cheaper IPv4 networks use NAT and the 10/8 block for DHCPv4 assignments. And offer IPv6 for everyone. Once people get used to it, things should shift on their own that way.
(that assumes that Micro-shaft gets their collective heads out of their collective RECTUMS and fixes all of the open ports that are unnecessarily exposed by IPv6 to the world)
-
Friday 17th February 2017 09:07 GMT John Crisp
KISS
The problem with adoption is for the average grunt it isn't so simple, and lack of compatibility. It may seem simple if you are CCNA or whatever, but that doesn't apply to swarms of users.
IPv6 may be the coolest thing since sliced bread, but if they had wanted rapid adoption then it has to be made easy to do. It just isn't, plain and simple.
The issues with lack of IPv4 addresses can be skated around with NAT so there is no hard ceiling to force adoption.
And whilst large swathes of ISPs don't offer it, how can users try it? The ISPs will be the driver for change. If they don't offer it then you can't blame users for not adopting it.
My own big bug bear is I don't want to be beholden to my ISP running my dhcp for every client, which is what some seem to want to do, presumably so they can keep a closer eye on me.
Until ISPs convert fully and it is offered to everyone, and it is easier to migrate, this will continue to be a global mess and a lingering sore which we'll be moaning about for decades to come.
-
Friday 17th February 2017 09:19 GMT PTW
Dear network geeks, IPv6 is crap because...
1. The addresses are dire and impossible to remember.
People love IPv4 addresses because humans can easily remember three digits, that's why the old UK and other countries car number plates have three numbers on them. Moving to four digits makes things harder, moving to four alphanumeric characters is just fucking stupid.
How many MS licence keys can you remember compared to the number of IPv4 addresses? Oh! You do networking so don't know what a MS licence key looks like?
1a. Before you start with "well you only need remember :xxxx: or :xxxx:yyyy:" what about dialling into another 40 networks?
2. "...properly configured firewall, blah, blah" excludes 99% of users/devices on the net, it's a little less useful than saying "if current IoT firmware was secure and upgradable..."
2a. As stated previously, the majority of users don't care and shouldn't have to care, and whether you like it or not NAT has stopped people's multitude of devices being visible on the net simply by turning off UPnP.
What would have been wrong with prefixing IPv4 with an alpha and two numerics? Alpha is the giveaway that it's an IPv5, so an IPv4 device should drop it, & u21.217.121.2.53 is a little easier to remember than 2001:db8::ff00:42:8329 or even 2001:0db8:0000:0000:0000:ff00:0042:8329
/rant
-
Friday 17th February 2017 10:51 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
Have you read any of the other comments on this article? Pretty much everything you brought up has already been addressed.
To briefly go over them again: addresses go in DNS so you don't need to remember most of them (I bet you can't remember El Reg's IP, can you? Yet you posted a comment to the site just fine.)
40 other networks? If you can remember the WAN IPs and RFC1918 range for all of those networks then you can remember the v6 prefix for them all too. (But why would you when you would just ssh to a hostname?)
Properly configured firewalls covers most users on the net, because their ISP hardware and OSs come with them out of the box. As you say, most of these users _don't_ care -- IPv6 just works for them.
(I find it interesting that in one paragraph you claim that nobody can configure anything, yet in the next you say "simply by turning off UPnP". These two paragraphs are inconsistent. Do you believe people can configure this stuff or not?)
And finally, the main thing wrong with "just prepend a letter and two numbers" is that it only adds 11 bits to the address. That's not enough. Why on earth would we go through all of the effort of migrating IP protocol, only to not add enough addresses and then have to go through it all again shortly afterwards? If we're going to migrate, let's migrate to something that's definitely big enough.
The only thing that hasn't been mentioned elsewhere is that 4 hex digits is a hell of a lot easier to subnet than anything involving decimal, because each hex digit corresponds exactly to 4 bits. That doesn't matter much to most people, but it's handy for network admins.
-
Friday 17th February 2017 12:31 GMT PTW
Re: Dear network geeks, IPv6 is crap because...
I was trying to sum up previous comments, and I didn't say "nobody can configure anything". I can talk my Grandmother through turning off UPnP over the phone, do you want to talk her [or anyone else] through setting up firewall rules?
We weren't talking OS, we're talking modem/routers, so I'm not sure of your point. But can you tell me which version of Windows, or indeed Linux, ships with a fully configured firewall out of the box? And what if the user adds some obscure software?
Host name: massive assumption of DNS, or that the servers in question have entries if it exists. Once again, take off your blinkers and look at the real world. Are you working on Verify by any chance?
Prefix and suffix then, FFS! g34.245.23.1.159.*23* is still easier to remember than 2001:db8:85a3::8a2e:370:7334 [at best]
I was merely offering an option [specifically alpha prefix to signify IPv5] to cause IPv4 kit to drop the packet.
And, pointing out the humans prefer groups of 3 digits as they are easier to remember.
But you seem to be in "la, la, la, I'm not listening" mode. Or setting up straw men to look good/feel better, whatevs.
Have a beer anyway it's Friday
-
Friday 17th February 2017 14:24 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
The same can be said for you because your solution doesn't solve the problem and introduces complications. IPv4 CANNOT talk to anything that's not IPv4, plain and simple. So why bother messing with IPv4's address space; simply start fresh. Put simply, you CANNOT bolt ANYTHING onto IPv4 without breaking EVERYTHING. Remember that not everything can be upgraded to understand a malformed packet (which is what you're proposing). If an embedded device with a fixed (to spec) IPv4 vocabulary receives one of your proposed packets, the behavior cannot be predicted. Are you TRYING to make things easier for malware writers?
And BTW, most license plates I see are alphanumeric and include letters AND numbers, including letters beyond F, making them MORE difficult to remember. Telephone numbers are ten digits or so, postal codes have the same issues as license plates, and so on. And some people can't even remember their telephone numbers, their memories are THAT bad. So they just do what anyone would do given something tricky to remember. WRITE IT DOWN.
-
Friday 17th February 2017 14:55 GMT PTW
Re: Dear network geeks, IPv6 is crap because...
Once again, a false argument, where did I say "bolt" anything to IPv4?
I specifically said use an alpha prefix so IPv4 kit DROPS the packet!
No! Seriously! Licence plates have more than just 3 numbers, well fuck me blind! I never knew! Which of course completely upturns my argument that groups of three numbers are easier to remember than alphanumeric groups of 4 and that's why they were chosen.
But I currently don't need to WRITE DOWN IP addresses as they are in an EASY TO REMEMBER FORMAT - that's the point of my argument *sigh*
I'd offer you a beer but you appear to be blind drunk
And no need for AC, I have no interest in hunting down your posts just to down vote you as I'm not 14. I don't hate you because we disagree, opinions differ, I'm just trying [my missus says very!] to offer up reasons and alternatives. Have a D- for debating skills and a jolly good weekend!
-
Friday 17th February 2017 16:15 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
Then you're just being nonsensical, because you can't add a prefix to v4 addresses like that. There's only 32 bits in the v4 header for the address to go in, and all those bits are filled by the v4 address already (which is sort of the whole problem in a nutshell right there). But if your goal is just to get v4-only hosts to drop the packet then you don't need to play games with the address; there's a version field in the IP header and v6 is already making use of it.
Windows Vista, 7, 8, 8.1 and 10 all ship with a dual-stack firewall enabled out of the box. (XP SP2+ ship with a firewall but it's v4 only, but XP itself is v4-only out of the box anyway so that's okay.)
You might be able to talk your Grandmother through disabling UPnP, but don't forget that you also need to talk her through setting up NAT in the first place. That's harder than talking her through setting up a firewall, so this is yet another case where v6 would be better... if your Grandmother needed to set up either of them instead of just plugging in the ISP gear, which is already set up correctly.
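The version-field point above, as an added example that is not part of the original thread: a receiver tells IPv4 from IPv6 by the first four bits of the packet, before it ever looks at an address, and the v4 header has exactly 32 bits per address with nowhere to put a prefix. The two headers are constructed sample bytes, not captured traffic; the function names are mine.

```python
"""Added example, not from the thread: how a receiver tells IPv4 from IPv6.

The first four bits of every IP packet are the version field.  A v4-only
stack drops anything whose version nibble is not 4 before it looks at an
address, and the v4 header has exactly 32 bits per address, so there is
nowhere to put an extra prefix.  Headers below are constructed sample bytes.
"""
import ipaddress
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over an even-length byte string."""
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    total = sum(words)
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,   # raises ValueError for e.g. 256.x.x.x
        ipaddress.IPv4Address(dst).packed,
    )
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_ipv6_header(src: str, dst: str, payload_len: int = 0, next_header: int = 6) -> bytes:
    """Fixed 40-byte IPv6 header; IPv6 has no header checksum."""
    ver_tc_fl = 6 << 28                     # version 6, traffic class 0, flow label 0
    return struct.pack(
        "!IHBB16s16s",
        ver_tc_fl, payload_len, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def parse_v4_only(packet: bytes):
    """What fixed-vocabulary v4 kit does: drop (return None) unless version == 4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ones_complement_checksum(packet[:ihl]) != 0:
        return None                         # bad IHL or bad header checksum: drop
    return {
        "version": 4,
        "proto": packet[9],
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
    }


def parse_dual_stack(packet: bytes):
    """Dual-stack receiver: dispatch on the version nibble, reject anything else."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        parsed = parse_v4_only(packet)
        if parsed is None:
            raise ValueError("malformed IPv4 header")
        return parsed
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        # str() gives the RFC 5952 compressed text form, e.g. 2001:db8:113:10::10
        return {
            "version": 6,
            "proto": packet[6],
            "src": str(ipaddress.IPv6Address(packet[8:24])),
            "dst": str(ipaddress.IPv6Address(packet[24:40])),
        }
    raise ValueError("unknown IP version %d" % version)


if __name__ == "__main__":
    v4 = build_ipv4_header("172.18.10.10", "172.18.10.20")
    v6 = build_ipv6_header("2001:db8:113:10::10", "2001:db8:113:10::20")
    print(parse_dual_stack(v4))
    print(parse_dual_stack(v6))
    print(parse_v4_only(v6))   # None: v4-only kit drops it on the version nibble
```

The v4-only parser also drops a packet whose header checksum fails, which is what a spec-conformant device does with a header it cannot account for; nothing about an "alpha prefix" survives to that point because the address field is a fixed 4-byte slot.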
-
Friday 17th February 2017 16:28 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
"But I currently don't need to WRITE DOWN IP addresses as they are in an EASY TO REMEMBER FORMAT - that's the point of my argument *sigh*"
Just because things are easy to remember doesn't mean I always trust my memory. I've gotten telephone numbers wrong in the past, and there are times when I won't get a second chance, so if I'm going somewhere where I won't have ready access to things, I write them down and keep them in my wallet. That way I can be sure of things.
"I specifically said use an alpha prefix so IPv4 kit DROPS the packet!"
You can't be sure of that, though. A malformed packet with an alpha prefix could cause strange, even unwanted behaviour. Don't invite the malware writers into this, please.
-
Saturday 18th February 2017 09:30 GMT Roland6
Re: Dear network geeks, IPv6 is crap because...@AC
"I specifically said use an alpha prefix so IPv4 kit DROPS the packet!"
This action is achieved by the protocol version number changing from v4 to v6.
The real problem with v6 is that migration from v4 to v6 and interworking was never a real consideration in its design. In part this was deliberate: if things, e.g. applications, were potentially going to break, then might as well force a total break.
Such thinking was fine back in the late 80s/early 90s, i.e. before circa 1995 when the WWW went public. I think the fundamental mistake made by the v6 working group was to not be delivery focused and thus get a first cut out before "1995 and the rest is history".
The very real problem we have now is that ISPs are selling to normal users two broadly incompatible Internet services under the same 'Internet' brand, when from a marketing viewpoint they really want to sell: Internet 1 (IPv4) and new improved Internet 2 (IPv6) - just like the mobile telcos have sold 2G, 3G, 4G, which solves many support problems...
-
Friday 17th February 2017 20:23 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
"But I currently don't need to WRITE DOWN IP addresses as they are in an EASY TO REMEMBER FORMAT - that's the point of my argument "
^^ This.
I can remember that my internal DNS servers are at 172.18.10.10 and 172.18.10.20 because I can easily remember that I'm using the 172.18 subnet, the .10 octet is for Windows servers, and their numbers are .10 and .20. See, that all makes sense. And if both DNS boxes crap their pants? I can still remember the IPs so I can get to the DNS servers to bring them back to life.
I dunno about the alpha prefix - that still boils down to an ASCII number in the packet, so it becomes a 5-octet address. I'd prefer 6 octets as that would give us more elbow room for future growth ASSUMING that ARIN and the rest wouldn't start handing them out like candy at a fat-kids convention. However, I will concede that 6 octets would not be optimal in the hardware, since that's 48 bits and wouldn't fully align on byte/word boundaries. Although... they could reserve the remaining 16 bits for use in 2040 when they move to 8-octet addresses.
I've never understood why the IPv6 supporters are so adamant that IPv6 is the Best Way Forward. Some of us who deal with IPv4 every day on a local level just don't see it that way. Sure, IPv6 has some good stuff in it, but the addressing scheme definitely isn't part of that. And we all know DNS never fails, right? But there's no compromise, it's all or nothing. I'm hoping I hit retirement before this becomes a major issue. I've got 15 years left, so I might just make it...
-
Saturday 18th February 2017 03:31 GMT Charles 9
Re: Dear network geeks, IPv6 is crap because...
We're trying to future-proof the damn thing so we don't have to deal with this again in a few decades as uptake could spike and we jump from 48 bits gone to 64 bits gone faster than we go from 32 to 48. And before you say why won't we hit 128 bits gone, physical limits kick in. There just isn't enough matter in the universe to do that. That's why ZFS uses 128-bit limits.
-
Saturday 18th February 2017 06:20 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
It's because they've actually used v6, and thus have discovered that most of the things you're complaining about aren't really a problem.
I don't understand why you think you can remember 203.0.113.42+172.18.10.10 and 203.0.113.42+172.18.10.20, yet won't be able to remember 2001:db8:113:10::10 and 2001:db8:113:10::20. The v6 versions make just as much sense as the v4 versions, and on top of that they're shorter. Yet you were complaining they're too long? I don't get it.
-
Monday 20th February 2017 20:26 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
"I don't understand why you think you can remember 203.0.113.42+172.18.10.10 and 203.0.113.42+172.18.10.20,"
Eh, where did all that 203.0.113.42 stuff come from? Are you using that "new" math?
2001:db8:113:10::20
I count 19 characters there.
172.18.10.10
I only count 12 characters there.
In the math I learnt in school, 12 is less than 19 almost every time, usually by around 7 characters. So my original point still stands - the IP4 addresses are shorter.
-
Tuesday 21st February 2017 10:28 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
The v4 network is behind NAT though, right? So you have to include the WAN address because it's part of the addressing of the network. Excluding it and then concluding that v4 is shorter because you've ignored half of the addresses involved is a little unfair, don't you think?
-
Tuesday 21st February 2017 10:49 GMT Charles 9
Re: Dear network geeks, IPv6 is crap because...
But doesn't V6 behind a one-to-one NAT mean you have to remember MORE addresses, because you have to remember TWO addresses PER node if they're Internet-facing, especially since with address scrambling (which is in the spec) there's no relation between the interior and exterior addresses, particularly if it's something like a gateway that wouldn't be allowed to use things like DNS (because it runs BELOW it) to smooth things over?
-
Tuesday 21st February 2017 19:33 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
You should be getting enough address space to not need to NAT on v6, and if you do so anyway then you've brought all of the associated problems onto yourself, so you don't get to complain about them. This is, after all, kinda the reason v6 was designed with enough address bits in the first place (this plus routing aggregation).
Meanwhile v4 on NAT is necessary for the vast majority of people. That's why I'm doing the comparison between v4+NAT vs v6 without NAT.
-
Wednesday 22nd February 2017 14:33 GMT Charles 9
Re: Dear network geeks, IPv6 is crap because...
"You should be getting enough address space to not need to NAT on v6"
The idea with NAT on IPv6 isn't to allow many machines to share one address (a one-to-many NAT) but to allow you to keep outsiders guessing about your network topology. NATs in IPv6 are meant to be one-to-one, taking advantage of the vast address space to scramble addresses in two ways.
One, outgoing connections get temporary IPv6 addresses, only good for those sessions. This helps prevent backtracking. Two, you can scramble the relations between external and internal IPs so that network snoops can't figure out how your network is structured from the Internet-facing addresses listed. The Internet gurus don't mind one-to-one NAT because it preserves end-to-end connectivity (and thanks to the firewall that remains with IPv6, that connectivity remains yours to control or disable at your choice).
-
Wednesday 22nd February 2017 22:14 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
You should not be NATing at all on v6. It's true that 1:1 NAT is less terrible than masquerading, but it still involves rewriting addresses on packets. Just give your public addresses directly to your machines; I promise it's way less effort than NATing.
There are a few limited cases where NAT is useful (I'm thinking failover when using ISPs that refuse to support PI blocks), but in general you shouldn't be using it -- and as I say, if you do so anyway then you don't get to complain about it.
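What "rewriting addresses on packets" means for a one-to-one IPv6 prefix translation, as an added example that is not part of the thread: a mapping in the style of RFC 6296 (NPTv6) swaps the /64 prefix and adjusts one 16-bit word of the interface identifier so the one's-complement sum of the address is unchanged. TCP and UDP pseudo-header checksums cover the addresses, so a checksum-neutral mapping lets the translator leave transport checksums alone. The prefixes and host addresses below are constructed, the class and function names are mine, and the handling of a 0xFFFF result follows my reading of RFC 6296 and should be checked against the RFC before being relied on.

```python
"""Added example, not from the thread: checksum-neutral /64 prefix translation
in the style of RFC 6296 (NPTv6).

Only the prefix and one word of the interface identifier change; the one's-
complement sum of the whole 128-bit address is preserved, so transport
checksums that cover the addresses stay valid without being rewritten.
Prefixes and hosts are constructed sample values.
"""
import ipaddress
import struct


def ones_add(a: int, b: int) -> int:
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def address_words(addr: str):
    """The eight 16-bit words of an IPv6 address."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses have the same one's-complement sum (0 == 0xFFFF)."""
    sa, sb = ones_sum(address_words(a)), ones_sum(address_words(b))
    return sa == sb or {sa, sb} == {0, 0xFFFF}


class PrefixTranslator:
    """Stateless 1:1 mapping between an internal /64 and an external /64."""

    def __init__(self, internal_prefix: str, external_prefix: str):
        self.inside = ipaddress.IPv6Network(internal_prefix)
        self.outside = ipaddress.IPv6Network(external_prefix)
        if self.inside.prefixlen != 64 or self.outside.prefixlen != 64:
            raise ValueError("this example handles /64 prefixes only")
        self._in_words = address_words(str(self.inside.network_address))[:4]
        self._out_words = address_words(str(self.outside.network_address))[:4]

    def _map(self, addr: str, from_net, from_words, to_words) -> str:
        a = ipaddress.IPv6Address(addr)
        if a not in from_net:
            raise ValueError("%s is not inside %s" % (addr, from_net))
        w = address_words(addr)
        # adjustment = sum(old prefix) - sum(new prefix), in one's complement
        adjust = ones_add(ones_sum(from_words), (~ones_sum(to_words)) & 0xFFFF)
        w[0:4] = to_words
        # RFC 6296 applies the adjustment to the first IID word for /64 prefixes;
        # 0xFFFF ("negative zero") is written as 0x0000 (assumption: same value).
        w[4] = ones_add(w[4], adjust)
        if w[4] == 0xFFFF:
            w[4] = 0
        return str(ipaddress.IPv6Address(struct.pack("!8H", *w)))

    def to_external(self, addr: str) -> str:
        return self._map(addr, self.inside, self._in_words, self._out_words)

    def to_internal(self, addr: str) -> str:
        return self._map(addr, self.outside, self._out_words, self._in_words)


if __name__ == "__main__":
    t = PrefixTranslator("fd00:1234:5678:1::/64", "2001:db8:cafe:1::/64")
    host = "fd00:1234:5678:1:211:22ff:fe33:4455"
    out = t.to_external(host)
    print(host, "->", out, "neutral:", checksum_neutral(host, out))
    print(out, "->", t.to_internal(out))
```

Note that the mapping is deterministic and invertible by anyone who knows both prefixes, and the low 48 bits of the interface identifier pass through untouched.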
-
Thursday 23rd February 2017 13:09 GMT Charles 9
Re: Dear network geeks, IPv6 is crap because...
"You should not be NATing at all on v6. It's true that 1:1 NAT is less terrible than masquerading, but it still involves rewriting addresses on packets. Just give your public addresses directly to your machines; I promise it's way less effort than NATing."
But also riskier since an outsider could sniff out the network topology by ID'ing a few machines, and without ephemeral outgoing addresses, machines can be back-hacked. That's why BOTH are now in the IPv6 spec, to protect against those prospects, both of which cropped up in the IPv4 Net. And neither of these can be easily blocked by the firewall, either (the former because all the info is gleaned from the outside, the latter because you're re-using an already-established connection).
-
Friday 24th February 2017 20:58 GMT Nanashi
Re: Dear network geeks, IPv6 is crap because...
More like no difference at all for the vast majority of people. The topology of most networks is "all hosts on one L2 domain", and if it's any more complicated then it's probably multiple L2 domains directly off of the main router. NPTing those will not change their topology.
Some networks have internal routing which could be quashed with NPT, but... if the visibility of a hop or two in a traceroute is a security vulnerability for you, then you've got bigger problems, and you should be focusing your admin effort on fixing those rather than wasting it on NAT.
...and I have no idea what "back hacking" is here. It sounds like Hollywood hacking rather than something you'd need to worry about.
-
Saturday 25th February 2017 14:43 GMT Charles 9
Re: Dear network geeks, IPv6 is crap because...
The term "back-hacking" is from Ghost in the Shell. It simply means running a hack in the reverse direction from the original connection (backwards, IOW, thus you're "hacking back"). If the original connection's still in place or is being otherwise remembered, a firewall exception is still in place, meaning you can piggyback on it to get through.
-
Wednesday 22nd February 2017 14:15 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
"The v4 network is behind NAT though, right? So you have to include the WAN address because it's part of the addressing of the network. "
Eh, no. I just have to remember the "external" IP on the NAT box that gets me to the machine on the "inside". From the outside, the internal IP doesn't matter. Which, um, seems to be the whole point of NAT.
-
Wednesday 22nd February 2017 14:35 GMT Charles 9
Re: Dear network geeks, IPv6 is crap because...
"Eh, no. I just have to remember the "external" IP on the NAT box that gets me to the machine on the "inside"."
Unless you're trying to set it up, in which case you WILL need both internal and external addresses so that you can configure your gateways to reroute the connections.
-
Wednesday 22nd February 2017 17:00 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
"Unless you're trying to set it up, in which case you WILL need both internal and external addresses so that you can configure your gateways to reroute the connections."
Yeah, but you only have to set it up once, so "remembering" the inside address isn't really applicable in the long term.
-
Thursday 23rd February 2017 03:55 GMT Anonymous Coward
Re: Dear network geeks, IPv6 is crap because...
"It does if you change things around, change providers, or move. Then you have to look everything up again."
Which happens every few years, maybe? Compared to connecting to the NATted box via telnet/ssh/RDP/FTP several times a day where remembering the external IP is all that's needed.
-
Saturday 25th February 2017 21:51 GMT Kiwi
Re: Dear network geeks, IPv6 is crap because...
It does if you change things around, change providers, or move. Then you have to look everything up again.
Mate of mine has his broadband on a dynamic IP that changes every now and then. I do some update stuff for him plus until my situation changes I have my cloud server housed there. I have a sub domain that points to his house.
So every few weeks I have the incredibly difficult task of changing the DNS settings. Not one jot of this is done on the gear at his house. Once I have his IP I log into the domain register and change the IP on their systems, and a little while later the sub domain points to his house again. At no time do I need to change this on his system.
On a more complex network I used to admin, when we changed providers and so on I, er, well, I had to go into the domain registrar and change the registered IP for our domains. I did have to configure the router on one of those occasions, but that was because we also got to change from ADSL to VDSL which had become available, and of course had new hardware. If we'd kept the old hardware, I would not have needed to see its screen.
Network topology and internal DNS/DHCP was designed so that it did not need to change and largely could be administered by a clueless noob. Which is good because for a lot of this stuff, compared to many here on El Reg, I barely even rate as CN.
-
Sunday 30th August 2020 20:30 GMT AbeChen
Making Use of IPv4 240/4 Netblock
Dear Colleagues:
0) Here are two pieces of updated information to share:
1) The following is a discussion thread on the "state of IPv6". The findings are quite surprising.
http://www.circleid.com/posts/20190529_digging_into_ipv6_traffic_to_google_is_28_percent_deployment_limit/
2) Then, you may like to have a look at the feasibility demonstration report below about our proposed architecture for expanding IPv4 address pool, addressing ITU's CIR proposal, etc.:
https://www.avinta.com/phoenix-1/home/RegionalAreaNetworkArchitecture.pdf
These should provide some material for furthering the dialog.
Abe (2020-08-30 16:29 EDT)