back to article China requires any new domestic Wi-Fi kit to support IPv6 and run it by default

China has issued an edict requiring all new Wi-Fi hardware to be IPv6 enabled, and enable the protocol by default from the moment it's first switched on. “The production or import of wireless LAN equipment with public network IP address allocation function sold and used in China shall support the IPv6 protocol,” declared the …

  1. david 12 Silver badge

    Big Brother is watching

    Register has slightly misunderstood the announcement.

    They didn't say "all wireless LAN", they said "with public network IP address allocation function".

    That perhaps includes your Games Server, and perhaps your Shopping Centre WiFi, but does not include your home wifi or hotspot.

    As we have been frequently lectured, network address translation is bad, because it makes it difficult to communicate with end points unless the channel is initiated and maintained by the endpoint.

    IPv6 is a technology for big managed networks. It's now a critical part of the internet backbone. It offers less than nothing to homes and businesses.

    When IPv6 was first introduced, we were assured that the address space was so big that no-one would ever find us. Security by obscurity. It's since become clear that was imaginary: most of the address space is not in use, the space that is in use is clearly identifiable, and it's trivial to scan the active address space and to identify active end points, and end points are end-to-end identifiable.

    1. An_Old_Dog Silver badge
      Big Brother

      Re: Big Brother is watching

      IPv6 is a big protocol, with lots of functionality, lots of associated code, and likely with proportionally-higher exploitable flaws than IPv4: a thing important to surveillance-minded organizations.

    2. Nanashi

      Re: Big Brother is watching

      > IPv6 is a technology for big managed networks. It's now a critical part of the internet backbone. It offers less than nothing to homes and businesses.

      Networks like the Internet. The vastly increased network space is useful for homes and businesses wanting to connect their own networks to the Internet; that's not "less than nothing". In fact it's something almost every home and business is doing.

      It's also not trivial to scan the active address space, or to identify end points. If you run, let's say, an SSH server on a random v4 address, it's going to get a constant stream of login attempts within minutes of being set up. On v6, a server running on a random address is unlikely to see any at all. And there's no way to identify a given end point unless the end point itself gives you identifying information, which most don't.

      (That's not to say there aren't ways of finding active hosts, but exhaustively scanning the space is completely out, unlike on v4 where it's trivial. Probably the biggest issue is certificate transparency logs, which pretty much give you a list of hostnames that are likely to be running servers. But you don't need a TLS cert for SSH, and you don't have to accept SSH traffic on the same hostname/IP as HTTP traffic -- there's no shortage of IPs going around, so you can just accept SSH on a different IP to HTTP. And there will be no easy way to find that IP.)

    3. doublelayer Silver badge

      Re: Big Brother is watching

      "When IPv6 was first introduced, we were assured that the address space was so big that no-one would ever find us. Security by obscurity. It's since become clear that was imaginary: most of the address space is not in use, the space that is in use is clearly identifiable, and it's trivial to scan the active address space and to identify active end points, and end points are end-to-end identifiable."

      You know how much address space you, personally, have on a home IPV6 network? A /64, 2^64 addresses. Even if packets were one byte long and you had a ten gigabit pipe running to it, sending a single packet to each of those addresses would take 54 years. They're not finding you because the address space is too big, since there are plenty of those blocks around. Your addresses are found because you either call out from them or have tied something to them. It's trivial to find a server using the address if the server's domain name has been recorded in a public database and you can do a DNS lookup. It's also somewhat easy if you connect out from an address, so they know there's something at that address. The benefit of IPV6 is that you can switch to a new address after doing that.

    4. Yes Me Silver badge
      Big Brother

      Re: Big Brother is watching

      "When IPv6 was first introduced, we were assured that the address space was so big that no-one would ever find us. "

      No, privacy was hardly an issue on the horizon when IPv6 was first introduced. It's really quite recently that temporary addresses were added to the mix, and that interface identifiers were recommended to be pseudo-random. (Not that address-based privacy is very important - most privacy issues arise at higher layers of the stack.)

    5. Yes Me Silver badge
      Boffin

      Re: Big Brother is watching

      "Wireless LAN equipment with public network IP address allocation function". It all depends how you interpret "public network IP address". I suspect it is intended to mean what we call "global IP address" (as opposed to private addresses like 192.168.178.1 or fd63:45eb:ab41:0:6a25:e384:2468:54b9). Maybe someone with better knowledge of Chinese than Google Translate can help us out. If I'm right, every home gateway is affected.

    6. BOFH in Training

      Re: Big Brother is watching

      Yeah was wondering why only wifi devices and not just all devices which connect to networks - regardless wifi or not.

      After all there are many devices sold which connect to networks via ethernet, etc and not have wifi functionality (some IPCAM devices come to mind offhand).

  2. DS999 Silver badge

    Are there any routers that don't?

    I have only messed with default router firmware when I'm wiping it to install DD-WRT, or helping a friend out, but AFAIK recently they've all had IPv6 enabled by default. Windows enables it by default. Linux enables it by default.

    Now in the US we don't really notice that because some ISPs either don't really support IPv6 or they kinda do but it may not work out of the box without some fiddling, and few of us care enough to bother. But I would hazard that the majority of the reported IPv6 usage in the US is completely by accident - people who have an ISP that enables IPv6, supplies them a router or they buy a router/cable modem that has IPv6 enabled, and they run Windows which has IPv6 enabled and it all works together without tweaking so they end up using IPv6 and have no idea.

    1. The Basis of everything is...

      Re: Are there any routers that don't?

      Plenty. My ISP-supplied router (Plusnet) appears to have deliberately disabled it even though the same router from their parent company (BT) apparently works nicely. The first versions of the Draytek Vigor routers I had claimed to be IPv6 ready but in reality their support for it was very basic and nowhere near feature equivalent to what they could do with IPv4. Happily they've got so much better.

      Hurricane Electric provide a free IPv6 tunnel service which works very nicely with the Vigor, and you get a choice of a /64 or a /48 even for a home network - which is billions of internets worth of addresses.

      Even in the day job I've noticed a subtle change from "What's that?" to "yeah, we don't need to worry just yet" when asking if they need to consider IPv6 in their connectivity plans.

  3. Bebu
    Windows

    The Cultural Evolution - little leap forward :)

    I would have thought mandating ISPs preferentially, or only, offering ipv6 address ranges to devices that (soon must) support ipv6 is the not undesirable result.

    If your ISP chucked a /96 (say) routing prefix at your router any number of your devices could happily autoconfigure or dhcp6 from the router. Of course that prefix would identify the customer's traffic which is a problem for some in the Middle Kingdom and elsewhere.

    The default firewall rules on the router should be pretty strict as every device would have a unique routable ipv6 address.

    When I think of the amount of pissing about to make a couple of services on rfc1918 addresses inside an internal network visible externally even this might actually be a win for security.

    New routers presumably would offer one or more 4-to-6 solutions for legacy ipv4 only client devices.

    Getting ISPs to offer and properly support ipv6 for residential customers is the bigger problem in these parts. Perhaps the offer of a state sponsored vacation in a reeducation facility might ginger them up. :)

    1. Number6

      Re: The Cultural Evolution - little leap forward :)

      My ISP gives me a /64 to play with. Everything just works, anything on my home network that supports IPv6 picks up an address and can be used. My router tells me that last month 49.49% of traffic was IPv6. If I want to run a server accessible from the outside, I do have to add a rule to the router, so at least it comes up in a relatively safe condition by default - if you scan the address range from outside then you will only see those few holes in it, regardless of what's happening on my side of the router.

      Looking at my webserver logs (external hosted server), I see a decent amount of IPv6 traffic too, so there are plenty of others who are probably using IPv6 without knowing it, too. A lot of mobile devices will have IPv6 allocated, so if you're browsing using your phone, chances are you're using IPv6 by default. Unless you're reading El Reg, of course, which appears to still only be IPv4.

    2. This post has been deleted by its author

    3. -tim

      Re: The Cultural Evolution - little leap forward :)

      The maximum and minimum "host" part of a ipv6 address using modern v6 stacks is a /64. A /56 lets you create 256 networks from your ISP. Some people find it helpful to think of a /64=class C, /56=class B and the /32 that the ISP was allocated as a class A.

  4. DustFox

    when china set a target

    They always reach it before the target date.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like