back to article China sets goal of running single-stack IPv6 network by 2030, orders upgrade blitz

China's Central Cyberspace Affairs Commission and Cyberspace Administration have set out a plan for massive adoption of IPv6. A Notice on Accelerating the Large-scale Deployment and Application of IPv6 posted last Friday calls for China to have 700 million active IPv6 users by 2023, plus 200 million Internet of Things devices …

  1. Snake Silver badge

    A possible truth?

    "China's efforts are seen as essential to its security, and achieving other national priorities including mass 5G rollouts to support pervasive use of IoT devices monitoring and telemetry, all feeding data into mighty AI engines that let the Communist Party optimise the nation's affairs track and penalize dissidents through the edifice of enforcing 'social harmony'."

    FIFY?

    1. gandalfcn Silver badge

      Re: A possible truth?

      Sounds like the USA then. OK.

      1. gandalfcn Silver badge

        Re: A possible truth?

        To the ignorant, bigoted downvoter

        Bush signed a presidential order in 2002 allowing the NSA to monitor, without a warrant, domestic telephone calls and e-mail messages.

        FISA created the kangaroo courts that currently dole out secret FISA warrants to legalise spying on Americans.

        The PRISM surveillance programme.

        The network of “Fusion” centres.

        Ever heard of Snowden?

        The Patriot Act. The Freedom Act.

        The USPS spies on Americans by monitoring their social media.

        The NSA shares data with the FBI.

        1. Snake Silver badge

          Re: A possible truth?

          List the UK equivalents, please. Otherwise your glass house is showing.

          1. gandalfcn Silver badge

            Re: A possible truth?

            Why? As you are so upset why don;t you?

        2. Mark Exclamation

          Re: A possible truth?

          To the ignorant, bigoted poster gandalfcn:

          Your posts have commonality:

          Throwing insults at anyone who dares to disagree with you

          Complete hate for the West

          Support for China

          Boring and repetitive political crap

          Not sure why you read/post on a tech website as none of your posts are tech-related. I'm sure there are more suitable political websites for you to frequent.

          1. gandalfcn Silver badge

            Re: A possible truth?

            Bless. If you weren't so blinkered and bigoted you will have, or should have, noted I frequently criticise the PRC and praise "the West" and also post tech-related.comments.

            Seems you gave a complete hate for facts and truth.

            I also note you are part of the long established woke cancel culture.

            1. Mark Exclamation

              Re: A possible truth?

              "I also note you are part of the long established woke cancel culture."

              Was that meant to be another of your belittling comments?

              I actually have no idea what you mean. What is "the long established woke cancel culture."?

              You really should get some help.

              1. gandalfcn Silver badge

                Re: A possible truth?

                I don't doubt for a second you don't understand, and that is part of your problem. Wilful, arrogant ignorance.

                You really should get some help don't you.

      2. Potemkine! Silver badge

        Re: A possible truth?

        Not really. USA has no Laogai for its dissidents. People there can still claim they don't like their leader.

      3. bombastic bob Silver badge
        Unhappy

        Re: A possible truth?

        I hope not (but I fear you are right)

        now if USA could get a fire lit under the collective asses of the appropriate people, maybe our ISPs would be supporting IPv6. Until then I have an he.net tunnel (which sort of needs a fixed or at least stable IPv4)

    2. gandalfcn Silver badge

      Re: A possible truth?

      Bush signed a presidential order in 2002 allowing the NSA to monitor, without a warrant, domestic telephone calls and e-mail messages.

      FISA created the kangaroo courts that currently dole out secret FISA warrants to legalise spying on Americans.

      The PRISM surveillance programme.

      The network of “Fusion” centres.

      Ever heard of Snowden?

      The Patriot Act. The Freedom Act.

      The USPS spies on Americans by monitoring their social media.

      The NSA shares data with the FBI.

      FIFY

      1. DoctorNine

        Re: A possible truth?

        The rhetorical error you are here exhibiting, is called 'false equivalency'.

        You need to lay off the pipe weed, Chinese Gandalf.

        1. gandalfcn Silver badge

          Re: A possible truth?

          Really? So you are yet another denier of facts and reality. Still sore your god lost?

          1. Mark Exclamation

            Re: A possible truth?

            You really love your attempts at belittling comments, don't you?

            You must be a hoot at parties.

            1. gandalfcn Silver badge

              Re: A possible truth?

              As you obviously feel belittled they are not attempts. OK.

              "You must be a hoot at parties." You really love your attempts at belittling comments, don't you?

              I posted my comment twice just to see the result. A lot of people agreed with me, other than the obviously hurt Septics who somehow deny reality. It is why you had an orange moron as BLOTUS.

              1. DoctorNine

                Re: A possible truth?

                The number of reader upvotes or downvotes does not correlate with the veracity of the observation.

                Especially when it involves the CCP.

                On a side note, you should probably learn English better before posting in an English language tech forum. Your attempts at insults are making everyone laugh, because they are either meaningless or just plain silly.

                Cheers.

                1. gandalfcn Silver badge

                  Re: A possible truth?

                  Bless. In the context, the last resort of the ignorant and bigoted, be a Grammar Nazi,

                  "Your attempts at insults are making everyone laugh,"

                  Correction

                  My pointing out your ies insults are making everyone laugh at you.

                  "The number of reader upvotes or downvotes does not correlate with the veracity of the observation." Yes dear, that is why you are a hypocritical failure, proved by "Your attempts at insults are making everyone laugh,"

                  1. Mark Exclamation

                    Re: A possible truth?

                    Geeze, you really are bitter and twisted.

    3. DoctorNine

      Re: A possible truth?

      Euphemisms. I just love euphemisms.

  2. -tim
    Facepalm

    At least they won't have to worry about international payment security

    The payment security standard PCI-DSS still seems remarkable quiet on the IPv6 front to the point where 5 of the top 5 PCI external security scanners can't even scan an IPv6 server at all. The rules say to scan all protocols that are enabled and ping ::1 works on almost all modern hardware so IPv6 needs to be scanned.

    1. vtcodger Silver badge

      Re: At least they won't have to worry about international payment security

      For those who are as baffled as I was by this post, PCI-DSS = “Payment Card Industry -- Data Security Standard.”

      There's a Wikipedia article at https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

      My immediate reaction was to wonder whose security we're worried about here -- the card user's, the merchant's or the card issuer's? It appears that my concerns might not be entirely ill-found. From the Wikipedia article ... "The PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines 'are profitable to them'."[16]

      I don't know anything about this. I just found it interesting.

      I do doubt whether China much cares about the preferences/interests of round-eye Credit-Card issuers.

      1. Anonymous Coward
        Anonymous Coward

        Re: At least they won't have to worry about international payment security

        In which case, let's have a look at the case in question shall we?

        https://www.wired.com/2012/01/pci-lawsuit/

        U.S. Bank seized about $10,000 from the McCombs' account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero's had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards.

        So that's the context behind it. The next relevant section is this:-

        The McCombs hired two firms, Cybertrust and Cadence Assurance. Both examined Cisero's point-of-sale system (POS) and servers and found "no concrete evidence that the POS server suffered a security breach which led to the compromise of cardholder data" and no evidence that insiders had installed skimmers on card readers to collect account data. Cadence in fact determined that no evidence existed that payment card data of any kind was improperly taken from Cisero's systems.

        The audits, however, did find that the POS system the restaurant used -- a system made by Micros -- was storing unencrypted customer account numbers as they were read from the magnetic stripe on bank cards.

        Since storage of unencrypted card data is a violation of the PCI security standards, Visa and MasterCard imposed fines.

        So; the McCombs stored unencrypted format card data, this card data was found to be circulating in the wild and there is "no concrete evidence" that it was stolen from them in particular so they think that they shouldn't be fined despite breaching the security standards they promised to implement and maintain in exchange for having a card machine.

        This paragraph:-

        The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties.

        So in context they feel that they shouldn't have to comply with the payment card industry data security standards everybody else on the planet has to comply with to have a card machine because forcing them to maintain the security of your card data is infringing on their rights to store your card data indefinitely in plain text if you ever buy something from them, and the fines for non compliance when data is stolen is "a system for raking in profits via penalties".

        1. idiot taxpayer here again

          Re: At least they won't have to worry about international payment security

          @a/c

          But did they know that they were storing unencrypted data?

        2. Anonymous Coward
          Anonymous Coward

          Re: At least they won't have to worry about international payment security

          Because the credit card companies designed and run an insecure system. They don't care because they are rolling in 3% surcharge they make. They are only interested in protecting their royal monopoly.

          I use only a debit card because I don't want a card that a least has a pin. But the banks have gone around that now and debit cards can automatically be used as debit cards without a pin.

          They don't give a damn about fraud risk because they know they have the political power to push the cost onto merchants and the public at large.

      2. Nick Ryan Silver badge

        Re: At least they won't have to worry about international payment security

        While the PCI-DSS requirements are pretty solid, where much of the problem comes from is organisations that adhere strictly to the PCI-DSS standards rather than attempt to use any sense and go beyond them, to produce more secure systems. Instead it's often considersed "we're PCI-DSS compliant and therefore don't have to think security ever again".

    2. NoneSuch Silver badge

      Re: At least they won't have to worry about international payment security

      If that means Chinese business will not be able to participate in western economies then full steam ahead.

    3. Joe Montana

      Re: At least they won't have to worry about international payment security

      It's worse than that, if you put in a site name eg "www.google.com" into the vast majority of scanners they will pick one IPv4 address to scan at random even if the site address resolves to multiple addresses (eg load balancing round robin dns).

      If you have multiple IPv4 addresses, they will be totally ignored.

      If you have IPv6, it will be totally ignored.

      Security scanners typically report "by exception", so if there are no issues raised in the report you assume they are not present. No suggestion is made anywhere that issues are not present because not all of the target addresses were actually scanned.

  3. mark l 2 Silver badge

    Once China have gone fully IPv6 only I suspect everyone will essentially get a static IP address which will stay with their device forever, making it easier for the Chinese authorities to monitor their citizens only activity.

    1. Ken Hagan Gold badge

      That would be a routing nightmare. It would also be unnecessary since the state controls the network you are logging into and probably the OS on the device, too, so the tracking you suggest is almost certainly already happening.

      1. Roland6 Silver badge

        >That would be a routing nightmare.

        Could be, however, we should remember there was a time when many in the IPv6 community believed that static addresses was a good thing. Privacy in the form of address randomisation, first seen in iOS and now in Android came later.

        1. richardcox13

          you mixing up MAC address randomisation (which Android and iOS do) with IP afdresses.

          1. G2
            Linux

            re: address randomisation

            @richardcox13

            IPv6 address randomisation is actually a thing too, look up RFC 8981, 4941 and 3041. Randomised MACs have their purpose, randomised IPv6 addresses have a slightly different purpose.

            https://datatracker.ietf.org/doc/html/rfc8981

            such an address

            - does not depend on the device using a randomised MAC address or not.

            - has been supported by the Linux kernel for quite some time.

            https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html

      2. bombastic bob Silver badge
        Devil

        correct - unless you use a tunnel (where the tunnel provider does the routing), the IPv6 would be a function of the ISP that assigns it, just as it is with IPv4. But you'd have a fixed IPv6 so that automatic assignment (based on things like randomness and your network adapter's MAC address) could sort of randomize the actual IPv6 if you really want it to do that. But most likely it'd be assigned by DHCPv6 or whatever that intrinsic method is that I cant remember (but my network supports). What's funny is that apple devices support one of those methods, and Android the other. SO to support both you need your network to support "whatever other method it is" as well as DHCPv6. Then there's the auto-generated address using the MAC and random numbers, as I recall. But it's in the same subnet so there ya go. Yeah it can be a little confusing until you have toyed with it for a while.

    2. Dazed and Confused

      Re: Static IP addresses

      Don't newer versions of Android (and I'm guessing iPhones) default to randomizing MAC addresses? Wouldn't this tend to mean the system ID bit of an IPv6 address varying?

      Not that it will help if they have static address allocation to the router and therefore household.

      Me, I like the way NAT means that lots of peoples traffic is combined onto single IP addresses so that it is a lot less easy to identify users. Mind, my main Internet connections use static IPv4 addresses and I keep getting accused of being from different places. The other evening Amazon and my credit card company managed to locate me at least 200 miles apart for an IP address that prior to GDPR whois would have given my post code.

      1. John Sager

        Re: Static IP addresses

        The bottom 64 bits of an IPv6 address is generally a free-for-all. Lots of servers have mostly zeos in there though a few are more creative - Facebook have 'face:b00c' as part of the address. Putting something arbitrary in there makes them a lot harder to find if they aren't in DNS, especially if it changes fairly often.

        Monitoring my firewall logs I get very few hits on v6 and they are all from China

      2. Anonymous Coward
        Anonymous Coward

        Fingerprinting

        Android: No, I can see the MAC address stays the same on my access point, so Android devices don't randomize MAC address. But also remember that your device has a magic ID it reports to Google at every opportunity!

        Hiding behind NAT: That doesn't work, your browser can easily be fingerprinted to distinguish between hundreds, even tens of thousands of devices, behind a NAT router.

        You might think an encrypted link can only be fingerprinted by the NAT WAN IP address, and timing data, but this is not true either. You could also fingerprint stuff like the supported cipher suite.

        So unless browsers start randomizing the cipher suite, and mimicking each others cipher suites, the fingerprinters/trackers (advertising networks, content deliver networks, etc) will still be able to individually track you and sell that data, even if its an encrypted link and they don't intercept the encryption.

        Re: "The other evening Amazon and my credit card company managed to locate me at least 200 miles apart for an IP address that prior to GDPR whois would have given my post code"

        That's a pretend game. Google+Other Location services sniffs WIFI IDs, bloothtooth ids and coordinate those with your neighbours. If you take your phone to the toilet while you dump, Google knows thats, its super fine grained.

        But hey, they can PRETEND by giving you that location with some randomess added!

        1. Anonymous Coward
          Anonymous Coward

          Re: Fingerprinting

          > Android: No, I can see the MAC address stays the same on my access point, so Android devices don't randomize MAC address.

          Perhaps you need to look at an up to date Android phone. Even my last generation one asks me whether I want a use a random MAC address when adding a new WiFi network. The default is random enabled and IIRC disabling it means going into the advanced settings screen. It then gets a different IPv6 address every time it connects to a network where random MACs are enabled, whereas where it connects to networks which refused to talk to unknown MACs, it gets a constant IPv6 address on each network. I assume since Android is running Linux they have the stable privacy kernel parameter set.

      3. Joe Montana

        Re: Static IP addresses

        You are thinking of EUI-64, where the IPv6 address is derived from the MAC address. This is optional, and not the default on most systems these days.

        Most end user systems pick a random address at install time (of the network driver), which will be the "stable" address of your machine that you can use if you want to make inbound connections to it.

        They will then pick random addresses to use for outbound connections, and rotate them periodically (24 hours by default) so that remote sites will see random addresses within your /64.

        ISPs often allocate dynamic addresses, so a single /64 becomes no more trackable than a dynamic IPv4 address was. The ISP knows who it is, but the external sites you access don't, they can only tell that you're a customer of that ISP.

        NAT doesn't make anything less trackable, quite the contrary. If the ISP provides you routable addresses they can just log who was allocated the address when and leave it at that. If a court orders them to hand over customer information, they do so.

        With NAT the address could be multiple users, so the ISP is compelled to log a _LOT_ more traffic. They basically have to log every state - every TCP connection you make, every UDP flow, every ICMP packet you send etc, and retain this data for as long as the law requires. This gets very expensive very fast, and leaves the ISP with a huge amount of data. Once they have this data, they will seek ways to recover some of the cost, so monetising it and selling the data to advertisers or other such parties becomes an obvious thing to do since they have the data anyway.

        1. Randesigner

          Re: Static IP addresses

          "so a single /64 becomes no more trackable than a dynamic IPv4 address was. "

          IPv4 is 32 bits. IPv6 is 128 bits, so even with /64 randomized, there are still another 64 bits for tracking, double the number of bits of IPv4.

          Randomizing the lower 64 bits is a red herring. The upper 64 bits can still be unique.

          1. Yes Me Silver badge

            Re: Static IP addresses

            "The upper 64 bits can still be unique"

            It's more likely to be 56 or even 48 bits that are unique. My ISP assigns me a /56 and it's static until my router disconnects for any reason, after which they give me a new one.

            So what? My ISP also assigns me a single IPv4 address that is static until the router disconnects. Either of them is equally traceable by serving a warrant on the ISP. In both cases, the trace identifies my household. There is no such thing as address-based privacy. The precise device is obscured by NAT in the IPv4 case or by temporary IPv6 addresses in the IPv6 case, but once Constable Plod is inside your house, they'll take all the devices anyway.

    3. teknopaul Silver badge

      possible?

      I don't think that is how ipv6 works, sure there are lots of new ip addresses but they are still used for routing ip packets they are not arbitrarily assigned.

      1. Anonymous Coward
        Anonymous Coward

        Re: possible?

        Yes, the routing principles are the same.

        What people are getting confused with is that IPv6 will remove the need for dynamic addresses on fixed locations - i.e. all home residents will be able to have the same fixed ip address/addresses from the ISP, additionally, individual devices will not have to be placed behind a NAT.

        There was also talk a while back how everyone could indeed have a permanent address: the last 64 bits would be uniquely assigned to a specific person/device, whilst the top 64 bits would change to the appropriate bits for the connected network. This idea has been abandoned.

        1. bombastic bob Silver badge
          Devil

          Re: possible?

          all home residents will be able to have the same fixed ip address/addresses from the ISP, additionally, individual devices will not have to be placed behind a NAT.

          Right. I've also pointed out before (and was even DOWN voted for doing so - nobody likes the truth I guess) that this (for windows machines, at any rate) is a MAJOR security issue, probably at the core of why "not China" still hesitates to get IPv6 fully supported. The fact that phone networks are generally doing IPv6 suggests that phones (running iOS and Android) are inherenty MORE secure than your average windows machine...

          NAT inherently provides the basic firewalling that open (and otherwise exploitable) ports need to have so that your computers and devices are NOT exploited.

          China forcing this is (maybe) a good move. But they are a totalitarian dictatorship under Communism. It's like "Comply or Die" and "don't you DARE complain!". In the FREE world, people need to WANT it.

          1. Joe Montana

            Re: possible?

            It's not an issue for a number of reasons:

            1) IPv6 makes it *possible* to give every device its own address *at a reasonable cost*. There is no reason you can't do this with IPv4 too, it's just prohibitively expensive and so not commonly done. And there is also nothing actually forcing you to do this with IPv6 - you simply have the option to. People configure IPv6 without NAT not because IPv6 doesn't support NAT, but because they explicitly want to get away from NAT because it's simply a bad thing. You're complaining that a new car doesn't come with a roll of duct tape to hold the doors on, when it has doors that stay closed on their own.

            2) NAT doesn't provide firewalling, NAT requires a stateful firewall but a stateful firewall does not require NAT.

            3) All of the IPv6 capable home routers i'm aware of do not allow unsolicited inbound connections by default.

            4) Protocols like UPNP exist which allow devices inside the network to open arbitrary ports through the firewall - this works on IPv4 too, and is worse on IPv4 (see 5)

            5) IPv6 address space is vast, assuming you do leave something open either intentionally or unwittingly (see 4) the chances of it being discovered by an attacker are extremely small. Attackers routinely scan the entire IPv4 address space so anything left open will be found very quickly and exploited if vulnerable, this simply won't happen on IPv6 because it's not practical to do.

            6) Modern windows devices (and mobile devices, and other operating systems) simply don't have as many vulnerable network listening services by default as they used to. Windows for instance now comes with a software firewall which blocks unsolicited connections by default. It's not like the early days when MSRPC and SMB were exposed by default.

            7) You are putting your device at risk of attack every time you connect to a public wifi network (users on the same network will be able to connect to any services you leave open), but (see: 6) modern software is simply a lot less vulnerable to this kind of attack than it was. Public wifi is everywhere now, and used by millions of people every day.

            The fact that phone networks are more likely to be using IPv6 is because phone networks are newer and have many more users, so they don't have enough IPv4 addresses to provide one to every potential user. Mobile services almost always put you behind CGNAT which causes all manner of problems and costs the operators a fortune to run.

            This kind of ignorance is very damaging to progress.

          2. Anonymous Coward
            Anonymous Coward

            Re: possible?

            Maybe you were voted down for your probable anti-socialism / communism rant? :-)

          3. Yes Me Silver badge
            Thumb Down

            Re: possible?

            Downvote because you're simply wrong. An IPv6 host behind a typical domestic router/firewall is just as safe as an IPv4 host behind the same box with NAT switched on.

            That's not to say there are no IPv6-specific exploits, because I expect there are, just as there are IPv4-specific exploits. But most malicious "incidents" occur at a much higher layer of the stack than that, usually as a result of phishing, which really doesn't care about the IP version number.

    4. Charlie Clark Silver badge

      They already have far more reliable tracking than IP addresses and most Chinese agree with this. This is more about getting ahead industrially than anything else, though presumably it includes upgrades to the great firewall to work with IPv6 traffic. But once China goes completely IPv6 good luck to anyone trying to source IPv4 or even dual-stack kit.

      1. vtcodger Silver badge

        But once China goes completely IPv6 good luck to anyone trying to source IPv4 or even dual-stack kit.

        I think it possible that the Chinese just possibly might be able to manage export versions of their kit that support IPv4 or dual stack just as they currently support various combinations of 50/60Hz 110/220v power with a near infinite number of wall socket variations.

    5. big_D Silver badge

      Our mobile provider (Germany) is moving all users over the IPv6 only when new devices are registered.

      We were having problems with our VPN. In the end, we had to change the APN settings on our phone to use the IPv4 APN and not the IPv6 one that gets defaulted to in the automatic provisioning of the phone.

      The problem is, there simply aren't enough IPv4 addresses out there for everybody, we get around it with NAT at the moment, to a certain extent, and NAT brings an unexpected layer of security through obscurity, by putting everything behind the router on a new network and the external address is the same for every device, but stuck with port forwarding, if you need to access those devices directly, along with UPnP. Far from ideal, but also, assuming you don't have UPnP or port forwarding active, a nice little security bonus, where the network tech doesn't have to actually deal with the "real" problems of network filtering.

      1. stiine Silver badge

        it also puts your attackers behind NAT alongside your paying customers...

  4. Andy E
    Facepalm

    Virgin Media Broadband

    I wonder if this is why Virgin Media don't have a Chinese presence. Their home routers don't support V6 and looking at their support forums it would suggest they have never heard of it.

  5. Panicnow

    Democracy and capitalism fails when it comes to long term planning.

    IPv6 has been "ESSENTIAL" for decades. We had some running when I ran PIPEX 25 years ago!

    NAT is and always has been a disaster. The loss of direct IP to IP addressing, allows a lot of bad stuff to happen. e.g. NAT facilitates third party snooping.

    Using the socket space for address space means we lost well behaved applications. ( Sadly that genie will not get put back)

    Profit seeking ISPs want to do as little as possible, while keeping old kit running as long as possible. Thus they have no incentive to deploy IPv6.

    If only we had the Chinese meritocracy running things over here. Rather than people stupid enough to want to be a UK politician!

    I think our government is against China because it shows just how bad their performance is!

    1. martinusher Silver badge

      Re: Democracy and capitalism fails when it comes to long term planning.

      IP4 is a very elegant and economical design while IP6 (IMHO) has a lot of design flaws that have contributed to its slow adoption. It could even be said that what we need is a IPv7 that has not just an enhanced address space but improvements to both the IP protocol and the rest of the stack. This is probably going a bit far so we're stuck with v6 with 40+ years of improvements to hardware and software mitigating its shortcomings. Since the Chinese need the (address) space and they make most of the kit anyway I guess we're all going IPv6.

      (Can't speak about government attitudes towards China but I can't help noticing that the Chinese don't seem to care. Maybe they know something we don't?)

      1. FILE_ID.DIZ Bronze badge
        Headmaster

        Re: Democracy and capitalism fails when it comes to long term planning.

        Technically the next "production" version of IP should be IPv10. Odd numbers typically are experimental, even numbers aren't and the next three numbers seem to be assigned already.

        https://www.iana.org/assignments/version-numbers/version-numbers.xhtml

        IPv4 is only elegant because millions of people were taught only IPv4 and a great deal of them are stuck in that sand trap. I will say that DNS is the best friend to IPv6. Who gives a shit anymore about remembering 192.168.1.223.

        IPv4 however, is not economical. If it was, the whole world wouldn't need to try to move to IPv6. And if you really want to hold onto IPv4, as a carrier it is very much NOT economical. CG-NAT is a very expensive license to be sure.

        Furthermore IPv6 is especially hard for those used to the belief that NAT is a mode of protection. Firewalls are just as effective with IPv6 as IPv4. NAT is no more secure than Linus' blanket.

  6. AVee
    Meh

    Still not there...

    $ host -t AAAA theregister.com

    theregister.com has no AAAA record

    1. John Sager

      Re: Still not there...

      Their hosting company probably charges extra for dual stack access.

      1. UK DM

        Re: Still not there...

        So what?

        Now someone look up if DNSSEC is also in use?

        At least they have TLS 1.3 lets take a moment to applaud that.

        As bad as Virgin Media.

        Hey we are in 2021 guys. All the other major UK ISPs support IPv6 now, also mobile operators too, as this is a UK centric news site I wonder if it were enabled would more than 50% of the UK traffic be IPv6?

        Maybe the problem is more the other way, charges for IPv4 are a money maker, especially to organisations that have had allocations for years that were granted for free.

        So adoption of IPv6 will make that money spinner come to an end sooner. All entities want to milk that one for as long as possible.

      2. Jamie Jones Silver badge

        Re: Still not there...

        Nope, they are fully connected, but their forum software isn't compatible (I presume they mean IP address logging etc.) - Check out my post and the official response: https://forums.theregister.com/forum/all/2019/11/25/ipv4_addresses_gone/#c_3923843

        1. Joe Montana

          Re: Still not there...

          Well if you can see this reply then it's simply not true.

          I have native IPv6 connectivity, but IPv4 connectivity only through CGNAT because the ISP does not have enough IPv4 addresses for all their customers.

          The IPv6 is fast and stable, while the CGNAT is overloaded, slow and unreliable. Consequently I force everything to use IPv6 whenever possible, and that includes synthesizing AAAA records for the common CDNs if they are not already published (very simple to do with cloudflare). I also have the ipvfoo extension so i can see which protocol is being used for any given site.

          I am connected here over IPv6, and posting using IPv6.

          1. This post has been deleted by its author

          2. Jamie Jones Silver badge

            Re: Still not there...

            Which part isn't true?

            The posts i linked to said that it's accessible over IPv6 if you add the DNS records (which I listed) manually.

            Marco said that if anyone posts to the forum via IPv6 he'll delete their posts, because of forum issues, which is the only reason why they haven't enabled ipv6 yet.

            That was 2 years ago, but the fact they still haven't added the AAAA records implies the situation is the same, but as I said, you can actually use IPv6 by adding the AAAA records.

            1. Joe Montana

              Re: Still not there...

              The part about deleting forum posts, because as you see my reply (sent over ipv6) is still visible after 3 days, as are other posts i've made.

              I'm not sure if he was implying that posts would be deleted manually, or if posts would fail entirely, but neither seems to be happening for me. If i don't access the site over ipv6, half the time it times out because the cgnat connection here is very flakey.

              On another note, cloudflare ipv6 addresses are typically a hex encoding of the ipv4 address so very easy to work out. For fastly, akamai and some others there are usually multiple dns aliases which are with or without ipv6 so it's also quite easy to force ipv6 on.

      3. Joe Montana

        Re: Still not there...

        Except they use Cloudflare, which supports IPv6 by default at no extra cost. They have explicitly turned it off by removing the DNS entry. The site is actually reachable via IPv6 using the address 2606:4700::6812:516 (try adding it to your hosts file). All Cloudflare sites are reachable like this, the IPv6 address will be 2606:4700:: followed by the IPv4 address encoded as hex.

        IPv6 is actually cheaper than IPv4, because the addresses are more plentiful. Some providers charge less for IPv6-only access as it costs them less to provide. If you're using cloudflare as the frontend to your site then you can benefit from hosting the backend on an IPv6-only host:

        Cloudflare handles the costs of IPv4 and hassles of dual stack, you don't need to worry about it and legacy users can still reach your site.

        Your IPv6-only server won't be subject to constant scans and other background noise that plagues the legacy IPv4 internet.

        You save money by not having to pay for an IPv4 address - a scarce and therefore expensive resource.

        I run several sites like this, Cloudflare for the frontend, backend IPv6-only.

    2. Anonymous Coward
      Anonymous Coward

      Re: Still not there...

      Thank god. Because I use Linux, and PLP (people like Poettering) are in charge, ipv6 is always preferred when performing DNS lookups, even if ipv6 is disabled. Its like the people who updated the dns client really should have been kneecapped.

    3. Jamie Jones Silver badge
    4. bombastic bob Silver badge
      Unhappy

      Re: Still not there...

      probably costs more (it's CloudFlare as far as I can tell)

  7. Rob F

    I thought IPv9 was being ratified

    and resolved some of the shortcomings of IPv6. https://www.researchgate.net/publication/340381435_Comparison_Research_on_Future_Network_Between_IPv4_IPv6_and_IPV9

    The problem may be that the copyright and ownership is Chinas.

    1. bombastic bob Silver badge
      Unhappy

      Re: I thought IPv9 was being ratified

      if China owns the copyright, it should be rejected on that basis alone...

      1. A.P. Veening Silver badge

        Re: I thought IPv9 was being ratified

        if China owns the copyright, it should be rejected on that basis alone...

        While I agree with the sentiment, I suggest a reciprocal approach to how China (ab)uses non-Chinese copyrights, e.g. we just use it and ignore the Chinese copyright, let them scream.

  8. Mnot Paranoid

    Thankfully,

    My Firebrick is already fully tooled up for blocking /48s in the same BLOCK-CHINA firewall hosts list.

  9. BOFH in Training

    Running out of IPv4 addresses maybe

    It's possible that they are expecting alot more devices to come online in China which are internet addressable and so want to make sure all of them can get public IP addresses (regardless of reason, from government tracking/spying to allowing people to do something new with it).

    It's possible that they don't expect to be able to get millions or billions(am aware IPv4 does not really have more then about 3.7 billion public addresses for the whole world) more IPv4 addresses in the near future and so are planning accordingly.

    Imagine every mobile device, computers, cctv cams and other assorted IOT devices being publicly addressable (regardless good or bad idea). I think China probably has over a billion devices with IP addresses easily. How many more will it be in another 5 years? 10 years? They can "gently" start depreciating NAT for it's people over time to make it easier for them.

    They can always use the "great firewall" to prevent external parties from gaining access to most of China's addresses whereas giving the internal authorities the ability to know exactly which device is connected to what and it's functionality.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021