Microsoft pulls plug on IPv6-only Wi-Fi network over borked VPN fears

Microsoft has scrapped plans to go IPv6-only on one of its internal networks over fears its campus visitors would be unable to use their virtual private networks (VPNs). The decision to mothball a full shift to the new protocol for that particular network was detailed by Microsoft network architect Veronika McKillop on Monday …


  1. Oh Homer
    Paris Hilton

    Catch 22

    1. Nobody uses IPv6 because nobody supports IPv6

    2. Nobody supports IPv6 because nobody uses IPv6

    3. Goto 1

    Seems like we need a compelling reason to switch, some dire emergency, such as running out of IPv4 addresses, for example.

    Oh wait...

    1. Shades

      Re: Catch 22

      "Nobody [...] nobody [...] Nobody [...] nobody"

      Nobody? I'm using IPv6. Well, my ISP is on their network side of the router. My side of the router is still IPv4.

      1. kain preacher

        Re: Catch 22

        My router gives me both.

    2. Anonymous Coward
      Anonymous Coward

      Re: Catch 22

      "Seems like we need a compelling reason to switch, some dire emergency, such as running out of IPv4 addresses, for example.

      Oh wait..."

      I remember the same argument being made several years back, but here we still are.

      There was (and maybe still is) a website set up to educate the public about IPV6.

      It was also the first time I read a statement on an official site that said that "you should not expect privacy on the internet" and gave the ominous warning that said: "In fact, we may be watching you even now" (or something similar).

      Back then, many sites regarding "hardening" of computers suggested disabling IPV6.

    3. Nanashi

      Re: Catch 22

      We don't need an emergency, we need a deadline. Humans are incapable of responding to open-ended emergencies (see: global warming), but they can cope with deadlines even for the most unimportant crap.

      The problem is that there's nobody in a position to enforce a deadline on the global internet.

      1. Anonymous Coward
        Anonymous Coward

        Re: Catch 22

        A deadline won't work either.

        vSphere 5.5 end-of-general support is tomorrow (19th). You can get extended support but it's intentionally expensive. EoS announcement was a couple of years ago.

        Was recently at a large hospital that still hadn't completed the planning for how they were going to upgrade, never mind actually go do it.

        Not long ago was at a major police force who were still running hundreds of Windows 2003 instances.

        Same in the private sector. Most people work on a 'it's not broke, don't fix'. I wonder how many people upgraded to iOS 12 on day 1?

        Anon, for obvious reasons.

    4. Warm Braw

      Re: Catch 22

      running out of IPv4 addresses

      ... has been a compelling emergency for over 20 years now. "Oh, wait" seems to be the problem...

      1. Spazturtle Silver badge

        Re: Catch 22

        Virgin Media will stop giving customers their own IPv4 address when they roll out DOCSIS 3.1 and IPv6 (next year?), everyone in the same area will share a single IPv4 address.

        BT have already started rolling out CG-NAT for IPv4.

        People will suddenly start to care a lot more about IPv6 when they get told by customer support "Sorry your internet connection doesn't support online gaming/VOIP/whatever because your connection uses CG-NAT".

        1. Baldrickk

          Re: Catch 22

          "Sorry your internet connection doesn't support online gaming/VOIP/whatever because your connection uses CG-NAT".

          Unfortunately, with things like skype going cloudy and not peer to peer, that won't be affected.

          Might have an issue with torrents? IDK, one would assume that someone has been working on a way around that.

          Hosting your own server though, that's the kicker.

          1. doublelayer Silver badge

            Re: Catch 22

            If only the process of getting dedicated IPV6 sections for a single unit were more convenient. I had cause to try to get one, going for one block for an organization rather than getting one from the ISP because we have multiple areas served by different ISPs. I figured we could assign subsections to each area and have a coherent block. Of course, blocks for end-user use are only allocated at /48 blocks, because there is never any way we could run out of addresses if they hand quadrillions to each person who has a reason, but also it turns out to be nigh impossible to get an ISP to accept a block that isn't directly from them. So, of course we're using blocks allocated from the ISP themselves, losing any coherence provided by the structure, and making firewall rules (e.g. people from location A may connect to the server at location B, but people from the wide internet cannot) more complex. This happens because we have to know each subnet that the ISP has provided if someone at one place wants to run up something internal, rather than knowing our address section (which, IANA, could be a /96 without causing us any problems whatsoever). I think they might have constructed that a bit better.
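
The addressing plan doublelayer describes (one block for the organisation, a sub-block per site, and a firewall rule of the form "location A may reach the server at location B, the wider internet may not") can be worked through with Python's ipaddress module. This is an added example, not code from the thread or from any organisation mentioned in it; the prefixes, site names and host numbers are constructed from the documentation range, and the ISP-assigned prefixes are invented to show the contrast.

```python
import ipaddress

# Constructed plan: one /48 for the organisation (2001:db8::/32 is the RFC 3849
# documentation range), carved into one /56 per site. Names are assumptions.
ORG_BLOCK = ipaddress.IPv6Network("2001:db8:1234::/48")


def carve_sites(block, site_names, site_prefixlen=56):
    """Hand consecutive sub-blocks of `block` to the named sites, in order."""
    subnets = block.subnets(new_prefix=site_prefixlen)
    return {name: next(subnets) for name in site_names}


def host_in(network, host_number):
    """Pick a fixed host address inside a network (constructed, e.g. ::10 for a server)."""
    return ipaddress.IPv6Address(int(network.network_address) | host_number)


def allowed(src, dst, rules):
    """First-match evaluation of (src_net, dst_net, action) rules; default deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return False


# Coherent plan: every site lives inside ORG_BLOCK, so the policy "anyone in the
# organisation may reach the server at location B, nobody else" is one rule, and
# adding a site later needs no firewall change.
SITES = carve_sites(ORG_BLOCK, ["location_a", "location_b"])
SERVER_B = host_in(SITES["location_b"], 0x10)
COHERENT_RULES = [
    (ORG_BLOCK, ipaddress.IPv6Network(f"{SERVER_B}/128"), "allow"),
]

# ISP-assigned plan: each site got an unrelated prefix from its own provider
# (constructed values). The same policy needs one rule per site prefix, and every
# new site or ISP renumbering means editing the rule set.
ISP_SITES = {
    "location_a": ipaddress.IPv6Network("2001:db8:aaaa:100::/56"),
    "location_b": ipaddress.IPv6Network("2001:db8:bbbb:200::/56"),
}
ISP_SERVER_B = host_in(ISP_SITES["location_b"], 0x10)
ISP_RULES = [
    (site_net, ipaddress.IPv6Network(f"{ISP_SERVER_B}/128"), "allow")
    for site_net in ISP_SITES.values()
]


if __name__ == "__main__":
    print("sites:", {k: str(v) for k, v in SITES.items()}, "server B:", SERVER_B)
    print("A -> server B (coherent):", allowed("2001:db8:1234::42", str(SERVER_B), COHERENT_RULES))
    print("internet -> server B:", allowed("2001:db8:ffff::1", str(SERVER_B), COHERENT_RULES))
    print("rules needed: coherent", len(COHERENT_RULES), "vs ISP-assigned", len(ISP_RULES))
```

The point the rule counts make is the one in the comment: with a covering block the source side of the rule is a single prefix that is true for every present and future site, whereas with per-ISP prefixes the firewall has to enumerate each one and is silently wrong the moment a site is renumbered.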

  2. Anonymous Coward
    Anonymous Coward

    Welcome to the real world, MS

    "Unfortunately, we had to stop this work because we came across something that the previous internal testing had not uncovered," she revealed. "A team member attended a conference where internet access was provided as IPv6-only and 99 per cent of attendees could not get their VPN clients to connect on this network."

    What bubble do MS developers work in that they wouldn't know that many (most?) commercial VPNs are IPv4-only?

    1. ITS Retired

      Re: Welcome to the real world, MS

      Microsoft has an arrogance problem. They think if they want, or did something, everyone else will just fall in line.

      They need to answer their outside phones and read their outside e-mails for clues that they might be having problems that they don't recognize as such.

      1. Anonymous Coward
        Anonymous Coward

        @ITS Retired - Re: Welcome to the real world, MS

        Yep! Just like those who designed IPv6.

        1. Nanashi

          Re: @ITS Retired - Welcome to the real world, MS

          If the people who designed v6 answered their outside phones, they'd spend all their time talking to crackpots and people who don't understand what they're on about.

          v6 is already designed about as well as it can be given the constraints it's working under: it works almost exactly the same as v4 does (the two changes I can think of being SLAAC and NDP instead of ARP for neighbor discovery, both pretty simple things), and it's as backwards compatible with v4 as it is possible to be.

          If you think I'm wrong about that last one, all you need to do is respond and tell me how, exactly, you'd make v6 have better backwards compatibility than it does. And I suspect you'll end up demonstrating my first paragraph.

          1. Warm Braw

            Re: @ITS Retired - Welcome to the real world, MS

            it's as backwards compatible with v4 as it is possible to be

            One of the interesting (if now entirely academic) lessons of the DECnet Phase V debacle is that technical backwards compatibility per se turned out not to be a major driver of take-up. Phase V implementations supported both Phase IV and Phase V, allowed local subnetworks and the interconnecting backbone to be in different phases and provided triggers that could automatically flip parts of the network over as migration proceeded. It ought to have been a trivial exercise.

            However, by the time it was deployed, Phase IV addresses had already run out in the networks at which Phase V was targeted and proxy servers (a kind of alternative to NAT) were in widespread use. Unpicking those turned out to be more complicated than transitioning the core network and it turned out that migrating to IP wasn't a great deal harder.

            The saving grace for IPv6 is that there isn't any obvious alternative, apart from more NAT, so perhaps we might get there eventually.

            1. Anonymous Coward
              Anonymous Coward

              @Warm Braw - Re: @ITS Retired - Welcome to the real world, MS

              You forgot to mention IPv4 inside and IPv6 outside with a translation gateway in-between. This will allow IPv4 to move into the next millennium. Smoothly.

          2. Jamie Jones Silver badge
            Facepalm

            Re: @ITS Retired - Welcome to the real world, MS

            Nanashi wrote:

            If the people who designed v6 answered their outside phones, they'd spend all their time talking to crackpots and people who don't understand what they're on about.

            And once those people who don't understand have got off the phone, they then proceed to El Reg to downvote those who do know what they're on about, because apparently there's an anti-ipv6 cult around here that prefers to hear comments that align with their world-view rather than actual facts...

            1. Charles 9

              Re: @ITS Retired - Welcome to the real world, MS

              It's like what you see in American politics these days. It's all "I Reject Your Reality And Substitute My Own."

          3. Nanashi

            Re: @ITS Retired - Welcome to the real world, MS

            So, it's been 11 days since I could bring myself to check the comments here, and I see that lots of people managed to downvote me but nobody managed to tell me how to make v6 more backwards compatible. I think that makes my point, no?

            (I didn't forget to mention "v4 on the inside, v6 on the outside and NAT between". I didn't mention it because it doesn't work. That said, even if it did work it wouldn't require any changes to v6, so it wouldn't be a way of improving v6's design.)

      2. bazza Silver badge

        Re: Welcome to the real world, MS

        @ITS Retired,

        Microsoft has an arrogance problem. They think if they want, or did something, everyone else will just fall in line.

        That seems unnecessarily uncharitable in this instance. It's not like they're making Windows itself IPv6 only, or any of its services. They're just trying to roll out IPV6 on its own campus and finding it very hard. OK, they may have been slow to the party in that regard, but it's not like they're the very last.

        So really we should be grateful that they're sharing their experience doing this because that helps us all appreciate the difficulties, and what might be done about them.

    2. Yes Me Silver badge

      Re: Welcome to the real world, MS

      Well, I suspect that the IPv6-only network where they made this great discovery was the one at IETF meeting 100 in Singapore last November, where IPv4 support was switched off experimentally during some sessions (but a NAT64/DNS64 service was available to reach IPv4-only sites). It was expected and observed that many corporate VPNs were broken by this.

      1. Christian Berger

        Re: Welcome to the real world, MS

        Well NAT64/DNS64 is just as broken as IPv4 NAT, but people have not yet adapted to it.
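
Yes Me's and Christian Berger's comments both turn on what NAT64/DNS64 actually does: a DNS64 resolver invents AAAA answers for IPv4-only names by embedding the A record in a NAT64 /96 prefix, and the NAT64 gateway reverses the mapping on the wire. The following is an added illustration, not code from the thread, the IETF network, or Microsoft; it uses the RFC 6052 well-known prefix 64:ff9b::/96 and a constructed zone with documentation-range addresses.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. A DNS64 resolver synthesizes AAAA answers for
# IPv4-only names by embedding the A record in the low 32 bits of this /96.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4_text, prefix=NAT64_PREFIX):
    """IPv4 address -> IPv6 address inside the NAT64 /96 (what DNS64 hands to the client)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4_text)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4)).compressed


def extract_ipv4(ipv6_text, prefix=NAT64_PREFIX):
    """Inverse mapping as performed by the NAT64 gateway; None if not a NAT64 address."""
    v6 = ipaddress.IPv6Address(ipv6_text)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Constructed zone data standing in for real DNS answers (RFC 5737 / RFC 3849 ranges).
ZONE = {
    "vpn-gw.example": {"A": ["192.0.2.10"]},                    # IPv4-only service
    "dual.example":   {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def dns64_resolve(name, zone=ZONE):
    """Return (aaaa_answers, synthesized) as a DNS64 resolver would: real AAAA
    records win; otherwise every A record is translated into the NAT64 prefix."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"]), False
    return [synthesize_aaaa(a) for a in rr.get("A", [])], True


def reachable_on_ipv6_only(target, zone=ZONE):
    """Can a client on an IPv6-only network with NAT64/DNS64 reach `target`?
    A hostname works because DNS64 supplies a NAT64 address. A bare IPv4 literal
    never passes through DNS, so nothing maps it and the connection cannot even
    be attempted; a client configured with a literal gateway address fails here."""
    try:
        literal = ipaddress.ip_address(target)
    except ValueError:
        answers, _ = dns64_resolve(target, zone)
        return len(answers) > 0
    return literal.version == 6


if __name__ == "__main__":
    print(dns64_resolve("vpn-gw.example"))      # synthesized 64:ff9b::c000:20a
    print(extract_ipv4("64:ff9b::c000:20a"))   # back to 192.0.2.10 at the gateway
    for t in ("vpn-gw.example", "192.0.2.10", "2001:db8::7"):
        print(t, "reachable:", reachable_on_ipv6_only(t))
```

Two things follow for anyone checking their own VPN client against such a network: a configuration that names the gateway by IPv4 literal, or a client that only ever opens IPv4 sockets, gets no help from DNS64 at all; and a stateful NAT64 translates TCP, UDP and ICMP, so a tunnel carried as a bare IP protocol (for example ESP without UDP encapsulation) has nothing to translate it.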

  3. katrinab Silver badge
    Facepalm

    It’s not going to happen

    If people haven’t rolled out a 25 year old technology yet, they never will. This is around the same time that Tim Berners Lee introduced the World Wide Web, and Microsoft introduced Windows NT.

    1. Yes Me Silver badge

      Re: It’s not going to happen

      Sorry to disillusion you, but IPv6 is rolling out in a pretty big way these days. On account of we've run out of IPv4 addresses.

      The story is about trying to run an IPv6-only network, as opposed to a dual stack network. And what it shows is that it's still premature to run IPv6-only on a general purpose BYOD network. Dual stack is a very robust solution. NAT64 is brittle. That shouldn't be news to anyone.

      1. Roland6 Silver badge

        Re: It’s not going to happen

        >That shouldn't be news to anyone.

        Whilst I agree that MS (and others) should be applauded for attempting to trial IPv6 only networks, to see what breaks and then telling everyone about it, I disagree about this not being (tech) news.

        I remember back in the late 80's and early 90's, government ITTs all included requirements around a vendor's commitment to Open Systems and OSI. Naturally, we all responded positively about our commitment etc.; however, not once was I cross-examined on just what this meant in practice. I suggest what we are seeing here is a company trying to put things into practice and discovering environmental gotchas...

        I therefore suggest the lesson here is that if you are using a VPN solution, the time has now come when you need to get vendors to demonstrate their currently shipping products' capabilities to support dynamic usage of IPv4, dual stack and pure play IPv6 (yes, my dual stack client should be able to use a VPN product over whichever protocol stack is available to it, which will almost certainly vary between hotspots, e.g. Office, Underground, Station Cafe, Train, Home). I suspect that, prior to this news story, no one was actually testing the real-world IPv6 capabilities of VPN products...

        1. Charles 9

          Re: It’s not going to happen

          "I therefore suggest the lesson here is that if you are using a VPN solution, the time has now come when you need to get vendors to demonstrate their currently shipping products capabilities to support dynamic usage of IPv4, dual stack and pure play IPv6"

          Many VPN providers refuse to touch IPv6 with a ten-foot-pole at the clients' request because they feel it's too much of a security risk, particularly for those clients who are using VPNs to work around "problems" such that just ONE slip and the game's up.

      2. katrinab Silver badge

        Re: It’s not going to happen

        Can you explain the benefits of a dual-stack network over an IPv4 only network? You still have to find an IPv4 address either way.

        1. Danny 14

          Re: It’s not going to happen

          Dual stack is important if you want to chat with ipv6 cleanly. It saves having to go to brokers and so forth. It is also stupidly easy as any reasonable firewall will support 4 and 6. Even windows will let you have a 4 and 6 IP address.

          1. katrinab Silver badge

            Re: It’s not going to happen

            Why would I want to chat with IPv6 cleanly, or indeed at all, given that everything is available on IPv4?

            1. SImon Hobson Bronze badge

              Re: It’s not going to happen

              everything is available on IPv4

              But it isn't. Most things are on IPv4, but there are some IPv6 only things out there, and over time they will get to be more numerous. At some point you will find that you want to access something that can only be accessed over IPv6, and if you are in the "why bother with IPv6 at all" camp then you'll be disappointed.

              At the moment that is a small risk. But there are already hosting outfits that will by default give you a shedload of IPv6 addresses - but charge extra (per address) if you want IPv4. Some ISPs are now waking up to the fact that it's getting more expensive to keep IPv4 going - many will no longer give you a public IP of your own because they don't have enough and they either can't get more or they are too expensive.

              And once you are behind CG-NAT then you no longer have the freedom to forward ports as you want. Good luck torrenting or doing anything else that's peer-peer then.

              TL;DR version. We're not there yet, but eventually there WILL be something you need IPv6 to access - and it'll be a lot easier and less hassle using real IPv6 than some bastardised workaround to fudge access from your IPv4 address.

              1. Charles 9

                Re: It’s not going to happen

                "We're not there yet, but eventually there WILL be something you need IPv6 to access - and it'll be a lot easier and less hassle using real IPv6 than some bastardised workaround to fudge access from your IPv4 address."

                OR businesses will just pony up for the IPv4 addresses to STAY in business. Put it this way. Everyone's in the existing marketplace, and there's no compelling reason to move to the new one as storefronts will just pony up whatever it takes to stay in the old market where all the customers are.

                Plus Internet traffic has evolved to work around even CG-NAT. Push solutions mean port forwarding is less of an issue (besides, most ISPs discourage home server use), and most consumer services like Skype and online gaming have servers that can be reached even through CG-NATs because things like "servers" are too geeky for consumers to grok.

              2. katrinab Silver badge

                Re: It’s not going to happen

                25 years ago, when IPv6 first came out, I had an Amiga 4000. That has long since been retired. Is there any guarantee that it will reach big-time within the lifespan of my current equipment?

                Other than a spinning logo on an IPv6 test website, can you name anything that is currently IPv6 only?

              3. JohnG

                Re: It’s not going to happen

                "Most things are on IPv4, but there are some IPv6 only things out there..."

                Like what? Nobody is going to put their stuff only on IPv6, except those trying to make a point about using IPv6, for the simple reason that they don't want to risk being invisible to the majority of Internet users. And until there are enough useful things only available on IPv6, very few people are going to bother with IPv6.

                The majority of Internet users wouldn't care about not having a unique IPv4 address, even if the issue were explained to them.

                1. katrinab Silver badge

                  Re: It’s not going to happen

                  Actually, I think most internet users would prefer *not* to have a unique address.

  4. vtcodger Silver badge

    Two questions if I may

    "And yes, yes, yes, before you point it out, The Register is still not IPv6 compatible either. We're working on it. Really. "

    1. Why are you working on it? What benefit(s) do you expect?

    2. If IPv6 is such an easy, natural option, what's preventing the Register from rolling it out tomorrow?

    1. redpawn

      Re: Two questions if I may

      1. Natural things grow at their own pace.

      2. The IPv6 seed might need to have its outer coating scored or scorched before it will sprout.

      1. navidier

        Re: Two questions if I may

        @redpawn

        > 2. The IPv6 seed might need to have its outer coating scored or scorched before it will sprout.

        I see you've tried to grow lychee from seed too. I've further found that the seedlings need to be constantly kept moist or they die the instant they dry out. Please feel free to extend this factoid to your analogy.

    2. Yes Me Silver badge

      Re: Two questions if I may

      1. The benefit is improved access for users (such as millions of smartphone users) that have native IPv6 support that is actually faster than their translated IPv4 support.

      2. I don't know what their hold up is. Many sites get IPv6 by simply asking their CDN provider to switch it on. But at least where I sit, El Reg doesn't seem to use a CDN. So maybe it's their server load balancer that can't handle IPv6. Most of them can.

      1. Dabbb

        Re: Two questions if I may

        My Vodafone Australia gives me both IP addresses but the phone prefers to use IPv6 whenever possible. Which results in total inability to download anything from Play Market while on a 4G connection. The only way around it when the phone is not on an IPv4 Wifi connection is to use an IPv4-only VPN. That's how well it works in the real world.

        1. kain preacher

          Re: Two questions if I may

          That's weird, I have no issues with Google Play on IPv6.

      2. Nanashi

        Re: Two questions if I may

        They are actually behind Cloudflare, which means v6 is just a toggle away. It also means that, with appropriate hosts file entries, you can talk to El Reg over native v6 even without them explicitly enabling it. The last time I tried this, it worked fine except that attempting to post a comment didn't work. The post just disappeared into the aether, and never showed up.

        What did show up, however, was a post from an admin complaining that they had to manually drop my post from the queue.

        I'm guessing some part of the post pipeline can't handle long addresses (e.g. a database with a short VARCHAR column). Cloudflare have a workaround to deal with that though (hashing the v6 address into 240/4) so maybe there's something else that needs the real address (geolocation/spam filtering?). Hard to tell exactly unless they feel like showing up here and telling us.

        As it happens, I do have a way to summon admins...
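
Nanashi's guess above is that some stage of the comment pipeline stores the poster's address in a column sized for IPv4 text, and that the workaround is to hash the IPv6 address into the reserved 240/4 range. The following is an added example, not The Register's code and not Cloudflare's algorithm (which is not described on this page); it shows the column-width check and one hypothetical pseudo-IPv4 mapping, keyed on the client's /64 so that a host's rotating addresses map to a single value. Sample rows are constructed.

```python
import hashlib
import ipaddress

# Canonical (compressed) textual lengths a column must hold:
#   IPv4: 15 ("255.255.255.255"); IPv6: up to 39; IPv6 with a dotted IPv4 tail: up to 45.


def canonical_text(addr_text):
    return ipaddress.ip_address(addr_text).compressed


def fits_column(addr_text, width):
    """Would this address survive a VARCHAR(width) column without truncation?"""
    return len(canonical_text(addr_text)) <= width


def pseudo_ipv4(addr_text, salt=b"constructed-salt"):
    """Deterministically map an IPv6 client into 240.0.0.0/4 (reserved, never routed
    on the public Internet) so an IPv4-only back end gets a 15-character value.
    Hashes the /64 rather than the full address so temporary addresses of the same
    host collapse to one value. Hypothetical scheme, not Cloudflare's."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return addr.compressed
    net64 = ipaddress.IPv6Interface(f"{addr}/64").network
    digest = hashlib.sha256(salt + net64.network_address.packed[:8]).digest()
    low28 = int.from_bytes(digest[:4], "big") & 0x0FFFFFFF
    return str(ipaddress.IPv4Address(0xF0000000 | low28))


def is_pseudo(addr_text):
    """True if the value is one of our hashed stand-ins rather than a real client address."""
    return ipaddress.ip_address(addr_text) in ipaddress.IPv4Network("240.0.0.0/4")


def audit_rows(rows, width=15):
    """For (label, address) rows destined for a VARCHAR(width) column, report whether
    each fits and what the pseudo-IPv4 fallback would store otherwise."""
    report = []
    for label, addr in rows:
        ok = fits_column(addr, width)
        report.append((label, ok, addr if ok else pseudo_ipv4(addr)))
    return report


SAMPLE_ROWS = [  # constructed posters; 2001:db8::/32 is the documentation range
    ("v4 poster", "203.0.113.5"),
    ("v6 poster, day 1", "2001:db8:abcd:12:4c1f:9a0b:7e2d:3f61"),
    ("v6 poster, day 2", "2001:db8:abcd:12:d5e8:12ab:cc04:9910"),
]


if __name__ == "__main__":
    for label, ok, stored in audit_rows(SAMPLE_ROWS):
        print(f"{label:18} fits VARCHAR(15): {ok!s:5} stored as {stored}")
```

The trade-off the comment hints at is visible in the output: the hashed value is stable enough for rate limiting or moderation queues, but it is not an address, so anything that wants geolocation or a real reverse lookup needs the original stored in a column wide enough for it.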

        1. Giovani Tapini

          Re: Two questions if I may

          Summon admins while in a protective circle while chanting Latin over a dancing candle? I don't know why my mind would have conjured this image based on your apparent talent of summoning over simply shouting at the next desk for example.

        2. gnarlymarley

          Re: Two questions if I may

          They are actually behind Cloudflare, which means v6 is just a toggle away. It also means that, with appropriate hosts file entries, you can talk to El Reg over native v6 even without them explicitly enabling it. The last time I tried this, it worked fine except that attempting to post a comment didn't work. The post just disappeared into the aether, and never showed up.

          Yes, and any properly designed back end will just use any protocol in front of their web server without issues. Why log the IP inside the database post, when there are a few IPv4 providers that change addresses using DHCP more than once a day? A system that is properly designed, i.e. uses the username to track anonymous posts and such, should work successfully with the flick of that switch.

          As it stands, SSL and such work the same over both IPv6 and IPv4. Shouldn't be that hard for dual stacking the server.

      3. gnarlymarley

        Re: Two questions if I may

        2. I don't know what their hold up is. Many sites get IPv6 by simply asking their CDN provider to switch it on. But at least where I sit, El Reg doesn't seem to use a CDN. So maybe it's their server load balancer that can't handle IPv6. Most of them can.

        Me neither. If most people's CDN do not support IPv6, they do support the ability to get a tunnel. Took me about ten minutes to set it up and then another two weeks to realize that the concepts behind IPv6 and IPv4 were very similar. IPv6 is really not that hard. And like other folks have mentioned, on cloudflare, it is just the click of a button to enable.

    3. Jamie Jones Silver badge

      Re: Two questions if I may

      One overlooked advantage for companies is user tracking... A user's IPv6 address is much more likely to be static than their IPv4 address, and as providers move to CG-NAT, the IPv4 address will be even less valuable for tracking purposes.

      Don't tell El Reg that though!

      1. Anonymous Coward
        Anonymous Coward

        IPv6 user tracking

        One overlooked advantage for companies is user tracking

        And there you have one of the big reasons I see no rush to adopt IPv6 until I have no choice!

      2. SImon Hobson Bronze badge

        Re: Two questions if I may

        A user's IPv6 address is much more likely to be static than their IPv4 address

        The 20th century called and asked for its Old Wives' Tale back.

        "Fixed" IPv6 addresses (aka EUI-64, IIRC) were deprecated years ago for exactly that reason. Now the standard is for devices to generate (multiple) random addresses within the 2^64 address space available to it and to change them over time. Tracking by IPv6 address is impractical.

        You can track by /64 netblock, but then you get no more information than by tracking a network of devices behind a NAT gateway. My IPv4 address is as static as my /64 IPv6 block.

        The staticness of both the IPv4 address and IPv6 allocation is not inherent in either protocol - it's entirely down to the allocation mechanism done by the ISP - in some cases you can request a static IPv4, in some you can only have a dynamic one, in some cases you can only have a static one.
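
Simon Hobson's point (and Nanashi's earlier mention of SLAAC) can be made concrete: the original SLAAC interface identifier embedded the MAC address via modified EUI-64, privacy extensions replace it with random identifiers that rotate, and a tracker is then left keying on the /64, which tells it no more than a NAT gateway's address would. This is an added example, not code from any commenter; the MAC, prefix and the three-day observation log are constructed, and the random identifier routine follows the shape of RFC 4941 rather than any particular operating system's implementation.

```python
import os
import ipaddress


def modified_eui64_iid(mac):
    """Interface identifier that SLAAC originally derived from the MAC (RFC 4291,
    Appendix A): insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:1a:2b:3c:4d:5e")
    iid = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def temporary_iid(rng=os.urandom):
    """Randomised identifier in the spirit of RFC 4941 privacy extensions: 64 random
    bits with the u/l bit cleared so it can never collide with a real EUI-64."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return int.from_bytes(iid, "big")


def make_address(prefix64, iid):
    """Combine the router-advertised /64 with an interface identifier."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC addresses are formed in a /64")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def looks_eui64(addr_text):
    """Defender's check: ff:fe in octets 11-12 means the address embeds a MAC, i.e.
    the host is exposing a stable hardware identifier in every packet it sends."""
    iid = int(ipaddress.IPv6Address(addr_text)) & ((1 << 64) - 1)
    return ((iid >> 24) & 0xFFFF) == 0xFFFE


def identities_seen(addresses, by="address"):
    """How many distinct 'users' a tracker would count when keyed on the full
    address versus on the /64 the ISP delegated."""
    keys = set()
    for a in addresses:
        if by == "address":
            keys.add(ipaddress.IPv6Address(a))
        else:
            keys.add(ipaddress.IPv6Interface(f"{a}/64").network)
    return len(keys)


# Constructed three-day observation of one home /64 holding two hosts.
OBSERVED = [
    "2001:db8:abcd:12:21a:2bff:fe3c:4d5e",   # host A, stable EUI-64 address, day 1
    "2001:db8:abcd:12:21a:2bff:fe3c:4d5e",   # host A, day 2
    "2001:db8:abcd:12:21a:2bff:fe3c:4d5e",   # host A, day 3
    "2001:db8:abcd:12:4c1f:9a0b:7e2d:3f61",  # host B, temporary address, day 1
    "2001:db8:abcd:12:d5e8:12ab:cc04:9910",  # host B, day 2
    "2001:db8:abcd:12:1c70:a8f3:e6b:b2d4",   # host B, day 3
]


if __name__ == "__main__":
    iid = modified_eui64_iid("00:1a:2b:3c:4d:5e")
    print("EUI-64 address:", make_address("2001:db8:abcd:12::/64", iid))
    print("temporary address:", make_address("2001:db8:abcd:12::/64", temporary_iid()))
    for a in OBSERVED:
        print(a, "embeds MAC" if looks_eui64(a) else "random IID")
    print("identities by address:", identities_seen(OBSERVED, "address"))
    print("identities by /64:", identities_seen(OBSERVED, "prefix"))
```

Keyed on full addresses the tracker counts four "users" across the log (host A once, host B three times), keyed on the /64 it counts one, which is exactly the granularity an IPv4 tracker gets from a household behind NAT. The looks_eui64 check is the one worth running against your own hosts: an ff:fe in the middle of the identifier means privacy addresses are not in effect.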

        1. Anonymous Coward
          Anonymous Coward

          "the standard is for devices to generate (multiple) random addresses"

          It's still a pre-small LANs approach. As if all devices are simple clients only connecting to external resources carefully managed by dedicated people, and never servers offering services to others. If you have, for example, a NAS, it can't really generate random addresses and change them over time, because how would you be able to access it? Every time check what damned addresses, in hex, it generated?

          If you want to access your other PCs, should you look every time at what random addresses they got first? What about my router and access points?

          IPv6 wholly underestimated the need to match addresses with a working name resolution mechanism, because you can't really expect people to memorize IPv6 addresses, especially when they change.

          IPv6 was designed in an era when people were expected to have a single *client*, which just needed an address to make its calls.

          But now even in small networks you have many devices, and you need something like DHCP+DNS (or anything equivalent), especially when you use VLANs/subnets and simpler resolution methods for network discovery do not work.

          Just, does Android support DHCPv6 now? On the other end, Windows didn't support RDNSS until some recent version of Windows 10. That's because IPv6 instead of being built on clear standards didn't address clear, obvious needs, leaving them to implementations acceptable in 1996 only. And refusing to address them properly and fully later. IMHO SLAAC was a bad idea from the beginning, especially from a management perspective.

          Still, you may want some machines to have static addresses to access them even if the name resolution system doesn't work, and thereby you may also want to avoid making them visible outside.

          An IPv6 roll out needs a simple way to manage the network, assign addresses and map them to host names automatically. While systems managed by dedicated and skilled people may have little issues, it could soon become a nightmare for smaller systems which don't have the required skills available, unless network devices have the required software to make the configuration, and the transition, easy.

          1. SImon Hobson Bronze badge

            Re: "the standard is for devices to generate (multiple) random addresses"

            If you have, for example, a NAS, it can't really generate random addresses and change them over time, because how would you be able to access it?

            mDNS? Also, a device can have many addresses - indeed it is set out in the specs that devices MUST support multiple addresses. So it's quite easy for a device to have static addresses on which it serves up services, and multiple dynamic addresses it uses for outbound connections.

            does Android support DHCPv6 now?

            No, and it probably never will. Politics (as well as technical issues) has resulted in overlap between protocols. DHCP cannot (by design) provide router/routing info to hosts - they have to get that from routers via RAs. The official line is to separate addressing/host management from routing/network management because these are often managed by different groups in large organisations. My feeling is that even where that is the case, the two teams CANNOT work in isolation.

            But the technical reason why Google won't support DHCPv6 in Android is that it doesn't provide a fast method for revoking leases when the network changes. For a mobile device, the network can change rapidly as a device moves around (handoff between cells, switching between mobile and WiFi). With RAs, the network can be quickly reconfigured by sending RAs for the disconnected addresses with a lifetime of zero - with DHCPv6 there's no such easy mechanism. There is a DHCP6 client for Android - but not from Google.

      3. katrinab Silver badge
        Mushroom

        Re: Two questions if I may

        "One overlooked advantage for companies is user tracking"

        That is a disadvantage.
