* Posts by Nanashi

352 publicly visible posts • joined 19 Sep 2016

Page:

We are absolutely, definitively, completely and utterly out of IPv4 addresses, warns RIPE

Nanashi

Re: "We have now run out of IPv4 addresses"

In the early 80s perhaps, but in the early 90s? By that stage, I think there were enough people involved that you would never have got universal agreement. You can't even get people to agree that v6 is necessary today, and v4's problems are widespread and obvious now. That was not so much the case in 1990.

I wasn't around at the time, so perhaps my idea of the size of the internet at that time is a little distorted, but I'm pretty sure it was reasonably widespread and there were far more than a handful of actors involved. I'd love to read a book that covered the history and growth of the internet in that period though, if anybody can recommend one.

Nanashi

Re: Easy Peezy

There are a ton of problems with NAT, and returning unused blocks just isn't going to fix any of them. v4 is too small. You'd just be rearranging deck chairs on the Titanic.

Nanashi

Re: "We have now run out of IPv4 addresses"

You talk about "academic institutions" like they're one entity, but they're not. There was nobody in a position to force them all to cooperate.

You would've had to individually convince all of them to a) rewrite all their software to handle longer addresses, b) deploy the new protocol on all of their computers and routers, c) do a coordinated drop on the old protocol.

And you want to do this early, when there were only a handful of institutions with minimal deployments as opposed to hundreds/thousands with substantial software and hardware deployments... so basically you'd need to do it at a time when v4 legitimately was sufficient for all the people involved; at a time where everybody understood it to be an experiment. You'd be doing it before work on the new protocol even began. And you'd be doing it in an environment where there were already multiple other competitors to v4 (remember that v4 only won everywhere in the late 90s; lots of people were still using IPX and god knows what else until then).

I'm honestly sceptical about your chances, there.

Nanashi

Re: Lies, damned lies, and statistics that don't lie.

Sure, you can use a proxy, but it's pretty obvious that just about everybody wants direct network connections rather than proxies, because otherwise they wouldn't be complaining.

...or who am I kidding. People frequently complain that v6 can't do X even though it can. They'd happily complain forever that "v6 can't be proxied" even when presented with evidence that it can be, based on the fact that they do that with most of v6's other capabilities. But what can I do about that?

Nanashi

Re: why did IPv6 use 128bit Hex?

IP addresses are assigned by the network you connect to. You can't use them like IMEIs or MACs, because they don't travel between networks. They simply aren't hardware identifiers.

Nanashi

Re: Backwards compatible

v4 divides its addresses up in exactly the same way. Registries get assigned their prefixes from IANA, ISPs get their prefix from the registries, sites get their prefix from the ISP, LANs get their prefix from the site. It's the same as in v6, with the only real difference being that v6 actually has the space to do sparse, aggregated allocations at all levels.

Nanashi

In the real world you'll be using DNS, so it doesn't matter what the IPs are.

The address you gave is... well, invalid, but it's also intended to be a link-local and you're unlikely to actually use that. If you get your v6 addresses from a DHCP server like you do in v4, then your address will look like the one I gave in my original post. You'll only need to remember the "1::192" bit, which is basically no different to v4.

Nanashi

Re: "What's wrong with a /64 prefix?"

Compared to the status quo of v4, sure, a single /64 is better than no v6. But we can aim a little higher than that. There are things you can't do with a single /64 but you can do with a /56, which is why you shouldn't be getting a single /64.

(Or to be more precise, it's why a single /64 shouldn't be the max you can get. If a user only requests one /64 then go ahead and only give them that much, but they should be able to get more without hassle if they want to.)

Nanashi

Re: IPv6 not that hard... seriously

Because you need v6 to reach v6 servers. If you don't know at least that much then you're not in a position to comment on this stuff. v6 also lets you sidestep all of the problems caused by NATing, which is another strong reason to be using it.

The energy cost of NATing (and subsequently recalculating the packet checksum) is worse for the environment than the few extra bytes in the header. The energy cost of the routers, servers and client machines involved are orders of magnitude worse however, to the point that worrying about a few bytes that are <1% of the packet size is utterly silly.

Nanashi

Re: Backwards compatible

People already moan constantly about how "complicated" v6 is, despite v6 using the same addressing and routing model as v4. I can only imagine how bad it would be if you introduced variable-length addresses, which would be an actual additional complication over v4.

But also I don't think making v6 have variable length addresses would help much, because the thing you're trying to make it compatible with is v4 and v4 doesn't have variable-length addresses, so it wouldn't be able to cope with any address length beyond 32 bits. "Send your packets to 100.64.10.10 with the extra address bits stored somewhere else in the packet" sounds an awful lot like 6to4, which already exists in v6, so if that's sufficient for being backwards compatible then v6 is already there.

Variable length addresses wouldn't save you from needing to fix software to handle the new address family (and that's going to be fun, what with all existing code being designed around fixed-length addresses. The prevalence of buffer overrun bugs suggests that many programmers can't cope with things that have variable length...).

The other major issue is that routing performance wouldn't be great, since handling a variable length address in hardware is not very fast. That would probably result in adoption happen slower rather than faster.

Nanashi

Dude... DNS.

And if you insist on dealing with the IPs themselves, why did you pick an address like "fdaa:bbcc:ddee:0:7c8a:a8c9:d4fb:acf1" when you could just as easily have picked "fd01::192", which is even shorter than the v4 address you used as a comparison?

Nanashi

Re: @Nanashi - "We have now run out of IPv4 addresses"

I guess I didn't. But I have now, and the general point still stands: v6 routes are going to be for prefixes 64 bits or shorter. The large address size also means you have more aggregation, and thus fewer routes to look through.That should make your job of spotting anomalies easier than a shorter address length (with its corresponding higher fragmentation) would've done.

Nanashi

Re: Here's some IPv4 addresses for RIPE

Great, that buys us a two hour supply of IPs. That'll solve our address shortage. Brilliant plan.

Nanashi

Re: why did IPv6 use 128bit Hex?

Your post seems to be mostly made up.

Every handset would need 4,096 IPs? No, I've never heard that. IPs would be used like IMEIs/IMSIs/MACs? No, that's specifically not what IPs are used for (use a UUID if you want a 128-bit identifier, but it won't work as an IP). ISPs wanted user tracking from MACs in v6 addresses? No, they already know who their users are, either from the prefix or the connection port. Global address on phone lets you escape their walled garden? No, they can still firewall you or do whatever they could do with RFC1918 addresses, public addressing doesn't change one bit of that.

Designed by committee? It has roughly the same design as v4. Ops community has to work out the security implications? Most of them are the same as v4, and for the ones that are different... well, it's your job to deal with them.

Nanashi

Re: "We have now run out of IPv4 addresses"

Transitioning quickly away from v4 wouldn't make v4 forwards compatible, it'd just take us off of the incompatible protocol quickly (which would avoid the problem, sure). I don't think you could've done that in 1995. Even 1985 probably would've been too late for that.

> Also that the only real difference was the length of addresses, with the leading 4 bytes effectively being padding and thus could be simply discarded or padded as necessary.

If the leading 4 bytes are padding then there's no point in them being there.

Nanashi

Re: Lies, damned lies, and statistics that don't lie.

You're thinking of 6in4. (6to4 is basically an automatically-provisioned 6in4 tunnel for every v4 address.) Teredo lets a single client connect to v6 servers over a v4 network.

All of those let you do v6 over v4 infrastructure. I'm not seeing how that's not backwards compatibility.

Nanashi

Re: "What's wrong with a /64 prefix?"

SLAAC on two networks, e.g. main plus guest or IoT networks. You don't need any more justification than that.

/56 isn't a big allocation. In terms of fraction of the total available space, it's 1/256th of a single TCP port of a single v4 IP. Nobody should need to deal with an allocation size smaller than that, and the question of whether a /64 is sufficient or not should never need to be asked by anybody.

Nanashi

They might know how to do it (or indeed they might not; have you considered how to handle that case?), but they couldn't do it because their ISP isn't exposing v6 to them.

Nanashi

Re: Lies, damned lies, and statistics that don't lie.

Not if you believe El Reg's armchair network "engineers" it doesn't!

v6 is backwards compatible with v4, but as you say that doesn't mean that v4 is forwards compatible with v6. It also doesn't stop people from moaning constantly about how it's not backwards compatible.

Nanashi

Re: "We have now run out of IPv4 addresses"

What? It had the capacity to be properly firewalled. What are you on about?

And yes, v6 has seen continued development, just as v4 has. This shouldn't be a negative point.

Nanashi

Re: "We have now run out of IPv4 addresses"

64 bits isn't enough. Hardware (EUI-64) addresses are 64 bits, and you need way more than 64 bits of L3 address space to handle 2^64 L2 hosts. The next power of 2 up from 64 is 128, so here we are.

You can already set most of a v6 address to zero (e.g. is 2600:: really so hard to remember?), to the point where anybody can easily make addresses that are ~64 bits of actual stuff plus ~64 bits of zeros. And they go straight into DNS so it's not like you even need to remember them anyway, but if you did then you have the 64 bit addresses you're asking for.

Nanashi

Re: "We have now run out of IPv4 addresses"

If you understand v4, then you understand v6. The operating principles of the two protocols are somewhere around 90% identical.

I'm willing to bet there are a lot of network engineers that don't really understand v4 though. You only have to look around this thread at all the people who somehow think it's possible for v4 to be forwards compatible with v6...

Nanashi

Re: Lies, damned lies, and statistics that don't lie.

Actually, there's a way for a device on a v4-only network (even behind NAT) to get v6: Teredo. Also, every v4 address has a /48 of v6 space tunnelled to it via a mechanism called 6to4.

For some reason, the existence of these protocols doesn't seem to stop people from complaining that they don't exist.

Nanashi

Re: This is probably a dumb question...

Indeed.

v6 is already backwards compatible. Perhaps you wanted v4 to be forwards compatible, but we can't create an IPv7 which v4 is forwards compatible with for the same reason that we didn't create an IPv6 that it's forwards compatible with: because v4 isn't forwards compatible with any address size that's bigger than 32 bits.

If you could fix that problem, then we wouldn't need an IPv7. You could just make v4 be forwards compatible with v6.

Nanashi

Re: The good news is that this crimps IoT deployment

Well, they don't have to use UPnP. They could also shovel all your data via a server that they own.

Sure, they already have an incentive to do that, but now they have an excuse too.

Nanashi

Re: We can take entire 24 ranges back

Good, that should buy us about 3 weeks.

But what then?

Nanashi

Re: This just in.....IETF announces IPv7

This is exactly what v6 does. The "compatibility mode" is v4. What else were you expecting it to be?

And in fact v6 has NAT64, which basically places the v4 address space into a v6 /96 so that v6-only clients can talk to v4-only servers. Is that somehow not good enough for you?

Get ready for a literal waiting list for European IPv4 addresses. And no jumping the line

Nanashi

Re: We need a new approach

I found it by Googling for "apnic ipv6 measurement". There's a more detailed explanation here: https://labs.apnic.net/?p=348.

AMS-IX are the best available public statistics. They're nowhere close to the best possible -- in fact the measurement they make is fairly useless in working out where v6 deployment is at. It misses out on on-net caches (which will be mostly v6 where available) and private peering (again mostly v6 by volume), which apparently account for something like 75% of ISP bandwidth between them. It counts large parts of the traffic from v6-only ISPs that use NAT64 as being v4. It's measuring at the wrong place to figure out what percentage of servers or clients have v6, and it's completely incapable of showing how readily available v6 support is to the people who aren't yet actively using it.

These are not very useful stats, unless your goal is to cherry-pick something that makes v6 deployment look bad.

> 3) What is the traffic volume that your statistics is based upon?

I don't know. But the volume doesn't matter if it's not a representative sample or if you're not measuring the right thing.

Nanashi

Re: We need a new approach

APNIC's methodology is explained here: https://labs.apnic.net/measureipv6/. AMS-IX's graphs are obviously flow statistics from their network only.

Your source was right in that these (plus Google's) are the best publicly available statistics, but they won't be of any use to you if you don't understand what they're measuring.

Nanashi

Re: We need a new approach

My "wide deployment" comment was referring to the things necessary to support a network of the type described in your draft/presentation but using existing v6 transition tech -- mainly that's support for v4, v6, NAT64 and NAT46 in ISP gear, CPEs and client devices. Those are either supported by almost everything or (in the case of ISP gear and CPEs for NAT64/NAT46) supported by enough things that you shouldn't have any trouble getting equipment for them if you want to.

I've looked at APNIC's stats many times, but what they track is the percentage of clients that hit their measurement servers over v6. As it happens, that's not a useful stat when it comes to tracking support for any of the above.

As for the AMS-IX stats, I already explained to you why they're not an accurate measurement of the overall amount of v6 traffic on the internet, but they're also not a useful stat for tracking the above things either.

Nanashi

Re: We need a new approach

We already spent far longer than it deserves discussing the thing last year. What you've come up with can be better handled using technologies that already exist and already have wide deployment.

Nanashi

Re: We need a new approach

I've already done everyone a big favor by going over the draft itself. The presentation is just a summary of the draft; it doesn't change how the draft functions and thus of course doesn't change my conclusions.

Nanashi

Re: We need a new approach

In case anybody cares, I looked at this draft the last time it was posted and came to the conclusion that it's more or less a rehashing of methods that already exist in v6 (that is, 6to4 and NAT64/NAT46).

Like I said earlier in this thread, people's ideas seem to be either impossible or already implemented in v6. This one happens to fall more into the latter.

Nanashi

Re: Seriously, whats wrong with IPV6 ?

...yes, we do. In fact we would need it even more then.

Nanashi

Re: Seriously, whats wrong with IPV6 ?

...no they don't. Even the routers that support NAT66 (which is a minority of the set that support v6) don't set it up by default. Major deployments in the UK (BT, Sky) and the US (Comcast) don't use NAT66. In fact I don't think I've heard of any ISP v6 deployments that rely on NAT66.

I'm under the impression that most new routers support v6, although there's certainly a long tail of crap out there. On the other hand, something like 97% of people use the ISP-provided router, so there's an argument that third-party routers are mostly irrelevant.

Nanashi

So what sort of network would require a complete redesign for v6? I'm sure there's something out there somewhere, but it's not common. People that incorrectly think that v6 would require a complete redesign of their network are a lot more common.

> IPv6 does the job, but it is certainly not the best solution to the problem. If it were, we wouldn't have an uptake problem.

Your second sentence doesn't logically follow from the first. It's entirely possible that the best solution has an uptake problem.

As far as I can tell, it's impossible to make a solution without an uptake problem, and it's my humble opinion that being impossible disqualifies a solution from being the best solution, on virtue of the fact that we couldn't actually do something that's impossible.

To be clear, my basis for believing that it's impossible is that (a) current v4 doesn't support bigger addresses, (b) any method of upgrading it requires lots of people to do something, and (c) it's the "require lots of people to do something" part that causes the problems in uptake.

Lots of people think they have a way around one or the other of those, but their ideas always seem to be either impossible or already implemented in v6.

(As always, you could easily change my mind by giving me something that doesn't fall into one of those categories. But if your idea is "just add another octet" or if it involves pointing me to dozens of pages of draft text, expecting me to read it all and decipher your idea for you and then spend weeks dancing around explaining it to me when I conclude that you've just reinvented something that already exists and ask you to explain how it's different... then you're probably not going to have much luck.)

Nanashi

Re: "Remind us again why the IETF didn't make IPv6 backwards compatible"

Perhaps it would be more accurate to say that v4 as currently specified and implemented everywhere is not forwards compatible with bigger address spaces.

It has multiple places where that forwards compatibility could be added: the version field, option headers, the reserved flag or even a reserved src/dest IP address. (Of those, v6 went with the version field for native operation and the protocol field for operation over the top of v4, which makes sense because that's the intended use of those fields.) But all of these options require upgrading hosts, routers, networks, software etc to handle them, so no existing devices will be compatible with the longer addresses, and none of them allow an unupgraded host to initiate connections to an arbitrary upgraded host.

At the point where you have to change v4 to support bigger addresses, can you really say that v4 is compatible with bigger addresses? Looking at the rest of the thread, it seems to me that "existing, unmodified v4 host can talk to arbitrary v6 host" is what people want, so it looks like their answer to this question is "no".

It might be more accurate to say that, but it's also an awful lot more words to type out every time.

Nanashi

Re: Why didn't they follow the phone system?

That still requires you to do almost everything that v6 requires you to do. It may save you some code in the IP stack, but that's the part we're not having any trouble with. You still have to update protocols, patch all your software, configure new addresses, firewalls etc, and those are the parts we're having trouble getting done.

And v6 has a mode that works like that! You can put a magic number (41) in the protocol field to indicate that the packet contains v6 addresses, and then the v6 addresses go after the v4 header. People doing v6 deployments seem to strongly prefer running it natively though.

Nanashi

Re: IPv6 was designed by theorists

People who care about performance. And yes, computers work for us and not the other way around, which is why you let DNS do the heavy lifting rather than manually dealing with IP addresses. Otherwise you're just doing the computer's work for it, which is backwards.

That prefix is actually just a default, though. If you're setting up your own NAT64 router and you want to use another prefix, you can.

> The v4 hosts don't need to contact all the "extended address" hosts, they would be in their own world, and a dual homed interface (like how IPv6 works now) would let them communicate with the outside world using the new 6 octet scheme.

Okay, so the mapping wouldn't actually do anything that we don't already have in v6. As such, it seems unlikely it would be much different to v6 in deployment time either.

Nanashi

Re: We need a new approach

It does, though? It reduces the amount of CGNAT hardware the ISP needs to provision. I think for EE the figure was something like 70% of their traffic flows over native v6, which cuts the costs of their CGNAT infrastructure by two thirds.

Having v6 also means that the v4 doesn't need to work as well -- being behind CGNAT is a lot more okay if you can side-step it. Also, in many cases you don't need v4 on the client side. For their v6-capable users, EE provide no v4 service on the network. T-Mobile in the US is the same.

(The server side is a little trickier. I do run most of my own personal services over v6 only, so it's certainly doable.)

Nanashi

Re: IPv6 was designed by theorists

64:ff9b:: is checksum neutral, so packets can be translated without needing to adjust the checksum on them (0xffff - 0x64 = 0xff9b, and the rest is all zeros). Since you don't generally deal with IPs directly it's not critical for the prefix to be shorter, while performance is important.

> Had they simply added two octets and made 0.0.x.x.x.x map to IPv4 probably everyone would be using it today.

You clearly didn't think any part of this through. Two extra octets isn't enough, and how would the mapping benefit anybody? How would v4 hosts send packets to the IPs outside of 0.0/16? There are multiple mappings of v4 addresses into v6, but none of them enable v4 to talk to more than 32 bits of hosts, because v4 isn't capable of it -- and v4 will still not be capable of it regardless of the design of the other protocol involved.

Nanashi

Re: We need a new approach

> at home I've got plenty of choice over suppliers and equipment

So you're concerned enough to switch ISPs over it. But if you take shelter under a tree during a thunderstorm, you can't simply move over to the next tree once the first one is drenched.

And if you've never had an RFC1918 clash on a VPN (or M&A) at work, consider yourself lucky.

Nanashi

Re: We need a new approach

The most likely route is that your printer picks itself an address, which it advertises via mDNS. You then use mDNS/autoconf to find it.

The rest of the world won't know where it is, and won't be able to contact it anyway because inbound connections are blocked.

Nanashi

Re: Why didn't they follow the phone system?

...I posted a reply to this, but apparently managed to completely screw up and post it at top level rather than as an actual reply. It's over here:

https://forums.theregister.co.uk/forum/all/2019/07/31/ipv4_address_queue/#c_3838592

Nanashi

Then you're simply ignorant. Which is fine, because we can't all be experts at everything, but you need to realize that it limits how much useful insight you can have on this issue.

You cannot just "add an octet" to v4. v4 is hardcoded to a fixed address width of 4 octets. The header format is hardcoded with 4 octets for the src and dst addresses, and every single device out there (billions and billions of them) have v4 stacks which are hardcoded for 4 octets.

The telephone network is completely different. Telephone numbers have been variable length since the very beginning, which makes it easy to add extra digits. IPv4 isn't like that, at all.

So what can you do? You can deploy a new IP protocol version which has bigger addresses... and that's exactly what we're already doing.

> People complain about IPv6 because it requires a complete redesign of their networks.

These people are wrong. It doesn't require a complete redesign of their networks. v6 is almost completely identical to v4 in most aspects, including network design. Subnetting and routing in v6 is identical to v4, and the way you design your networks with it is also the same. To get v6 onto your existing v4 network, you just put it there alongside the v4. Your router gets a:b:c:d::1 as well as a.b.c.1, and your hosts get a:b:c:d::x as well as a.b.c.x. Firewalling works the same. You use TCP and UDP like you do in v4, and those work the same too. No redesign is needed.

It didn't have to be this way. There were various proposed alternatives for next generation IP which had variable length addressing, a different routing model or more weird and wonderful features, but we went with a protocol that worked the same way as v4 did.

> 3. Come up with an easier solution that doesn't require a complete redesign of how networks work.

As mentioned, this is what we did. But you're right, people want a unicorn. Even when you do the exact things they suggest, they still complain.

Nanashi

Before IANA runout (almost a decade ago now) we were going through more than one /8 per month, and demand has only gone upwards since then. Reclaiming unused parts of old allocations would buy us a couple of years at best.

And then what? We'd still have to do v6, and anybody who isn't doing it yet isn't suffering from a lack of time; they've had plenty of that. So what's the point? It'd be a massively disruptive and costly exercise to gain us a small amount of extra time which we would then squander. Put that effort into v6.

Nanashi

Re: Meanwhile...

They're behind Cloudflare, who definitely support v6. Actually you can reach El Reg over v6 with the appropriate hosts file manipulation, but the last time I tried to make a forum post when doing that the post apparently got wedged and had to be manually removed.

(Cloudflare do support an option that hashes v6 addresses into 240/4 and uses the hashed address as the apparent source address of the inbound connection, which should work around databases with incorrectly-sized columns or whatever the problem is...)

Nanashi

Re: IPv6 was designed by theorists

You mean like 64:ff9b::xx.xx.xx.xx? We did this. It's a thing you can use, and it works -- it lets a v6 host connect to a v4 host, and it lets the other direction work too if you configure a port forward for the connection (so basically the same as NAT, just with v6 instead of an RFC1918 v4 address).

Why do people keep saying it doesn't exist?

"A 64 bit extension would have made so much sense, it never made sense to me why they went overboard with 128."

Do you know how hard it is to deploy a new IP protocol? That's why they went overboard: so we don't end up needing to go through this a second time.

Nanashi

Re: We need a new approach

I suspect you'll change your mind about how well NAT works the moment you end up behind CGNAT at home.

Also, I keep having long arguments with people who think that NAT works as a firewall. Apparently it's not so easily understood...

Nanashi

Re: We need a new approach

In v6 you'll most likely be using privacy addresses, which randomize the host part of the address regularly. This obfuscates the number of active devices and the identity of each device, if in a slightly different way to NAT.

And there are far easier ways to track you, such as browser cookies. Those work across completely different networks.

Page: