Global IPv4 address drought: Seriously, we're done now. We're done

You may have heard this before, but we are really, really running out of public IPv4 addresses. This week, the regional internet registry responsible for Latin America and the Caribbean, LACNIC, announced it has moved to "phase 3" of its plan to dispense with the remaining network addresses, meaning that only companies that …

  1. WibbleMe

    Is it something like only 40% of IP4's are actually used, the rest were bought up and never used?

    1. Nanashi

      You say that as if 40% is a small amount to be using. It's actually a really damn high amount to be using. Because of the way IPs are allocated and used, you want the number of actively-in-use-by-a-machine IPs to be less than a few percent. If you reach that high then you start hitting the need to conserve address space and things start to get annoying and expensive to deal with (which is a particularly silly situation to be in, because we're not dealing with a physically-constrained resource here -- these are just numbers).

      It's a bit like fragmentation on your hard disk, where things slow down if you fill the drive, but worse because fragmenting IP allocations is really bad and there's no defragger you can run. And your disk is way too small anyway.

  2. Anonymous Coward

    And still there are those "legacy" IPv4 blocks...

    ... that ARIN cannot revoke and crooks are "free" to use, if they can get someone to route them.

    Need a /16 block? Follow the instruction here:

    https://www.spamhaus.org/news/article/732/network-hijacking-on-the-rise

    Of course fighting spammers and other cybercrooks would free IPs as well for legitimate users - yet it will be still stopgap measures.

    We'll have to swallow IPv6, and its outdated design. Just, ensure you have a powerful firewall behind your router....

    1. Anonymous Coward

      Re: And still there are those "legacy" IPv4 blocks...

      Thanks! Couldn't recall where I'd read that before and in my case, not recalling is major.

    2. Mage Silver badge

      Re: And still there are those "legacy" IPv4 blocks...

      Absolutely millions of IP4 by many USA corporations and Universities. EACH.

      1. Anonymous Coward

        Re: And still there are those "legacy" IPv4 blocks...

        and the (at least) 12 networks at /8 that are assigned to US DoD, the two /8s of HP, the two of Level 3, the two of AT&T, and the one that seems to belong to the U S Postal Service? etc.

        Not a great reason for not moving to IPv6 or something better, if that comes along - but the UK (for example) already has the best part of 2000 IP addresses per person, so even if companies as legal persons have ten each, there will still be a lot left to reallocate to countries less well served. Then we could start saying what about the nearly 5000 / person in the US, and the outrageous 21000 per person in just one city in Italy ;-)

    3. jMcPhee

      Re: And still there are those "legacy" IPv4 blocks...

      Also, there are those who got allocated Class B IPv4 space 20+ years ago... then keep almost all of it behind a firewall and use less than 20% of the addresses.

      Maybe if IPv4 owners had to pay a monthly fee for the public resources they are using, they'd be allocated more efficiently.

      Why should we have to mess with v6 so IT fails, like intellectual pygmies described above, don't have to learn about private address blocks?

  3. Anonymous Coward

    Y U NO IPV6 BRO

    % host -t aaaa www.theregister.co.uk

    www.theregister.co.uk has no AAAA record

    1. Anonymous Coward

      Re: Y U NO IPV6 BRO

      httpS is a fairly recent innovation around here, though .....

      1. Christian Berger

        Re: Y U NO IPV6 BRO

        Well the Reg isn't much about technology. Otherwise they'd move from http(s) and HTML to something saner... like ssh.

        Yes, I've bought something from an ssh-based online shop. You first send them your ssh public key via a web form... then you can log in.

        1. Charles 9

          Re: Y U NO IPV6 BRO

          How do you do pictures, though?

          1. Nanashi

            Re: Y U NO IPV6 BRO

            With libsixel, of course.

            Although if you've not heard of that before, you might want to avoid looking up how it works...

    2. This post has been deleted by its author

      1. tony.dunlop

        Re: Y U NO IPV6 BRO

        Don't worry it's in the pipeline, as people have said before here, there's often a lot of stuff to do before you can "just" switch on IPv6. In our case mostly around geotracking and logging, but there are also other concerns.

        Elreg tech team is just 3 people, but promise it's on the way soon®

  4. Lee D Silver badge

    So, when are The Reg publishing their AAAA records?

    NEARLY SIX YEARS NOW we've been asking this same question, and you still keep publishing articles about the death of IPv4.

    (And NAT will not die. I can convert an ENTIRE network to IPv6 with one address change and IPv6 support from the ISP - I'm only missing the latter EVERYWHERE, but that's beside the point - without touching a single other internal machine. There's no reason to change hundreds of clients and certify compatibility for hundreds of network programs that work just fine on IPv4 and only operate internally - and you can then start on a sensible "build new clients with tested IPv6 support" gradual rollout until full migration if absolutely necessary).

    1. tony.dunlop

      It's on the way soon®. Bit more explanation in previous post.

  5. Anonymous Coward

    So, how do I go about implementing it?

    So, as an IT person familiar with IPv4 networking, where would I start if I wanted to migrate my home to IPv6?

    Anyone got any handy primers for a home user using a DrayTek Vigor 130 VDSL Ethernet Modem, Linksys WRT1900ACS router and BT Infinity Broadband?

    Of course, not everything on my home network supports IPv6 so I'm gonna need help to integrate these devices somehow too.

    1. Steve the Cynic

      Re: So, how do I go about implementing it?

      Well, let's see. I'm in northern France (literally: I live in the département du Nord, "nord" == "north"), and I have recently (like, as in, you know, the 23rd of December) had an Orange technician (OK, two technicians, one to push and one to pull) switch me from "up to 20 Mbps" ADSL2+ to "at least 200 Mbps" FTTH.

      And the new service, unlike the old, supports IPv6. I have a 2a01:stuff/56 prefix with public IPs on all the machines inside the network as well as IPv4-by-NAPT.

      And I have a firewall. Well, a bit more than just a firewall. I have a full-on deep-inspection IPS that supports IPv6. I know it supports IPv6 because I built the core IPv6 support into it. Because it's a work loaner.

      And Windows 10 booted up after the installation and its IPv6 support just worked. Wireshark shows IPv6 connections when I go on the Web, and various tools show that my iPhone and iPad get IPv6 addresses from the Livebox. Even my aging Fedora 14 VM works as it should on IPv6.

      Advice: hunt down the instructions on the Internet on disabling Windows 10's Teredo service because it is in no way needed when you have real IPv6 support.

    2. Lee D Silver badge

      Re: So, how do I go about implementing it?

      Wait for your ISP to tell you they support IPv6 (almost all British ISPs don't).

      Then turn on the IPv6 on your main router/gateway if it supports 6-4 and 4-6 NAT.

      Done.

      Personally, I have a DrayTek Vigor 2860VN+, which is a serious piece of kit for a home router, and it supports all kinds of stuff - at least five different IPv6 IP discovery / tunnelling protocols, for instance. But no IPv6 support from Virgin Media despite years of promises, so unless I want to tunnel all my traffic through yet-another-third-party, I can't do a thing.

      1. wyatt

        Re: So, how do I go about implementing it?

        Same here, for my work and the wife's business(es). I'm still on VM residential as I've not heard anything good about VM business and fixed IPs, guess one day something may happen but nothing soon. By then BT may have rolled out some smaller green cabinets and I 'may' have switched, doubt there will be IPv6 though!

    3. Dwarf

      Re: So, how do I go about implementing it?

      BT already does IPv6 address allocation and the Draytek supports IPv6 according to their manual, so you should just need to ensure you are running the latest firmware for your router then configure the router for an ISP delegated range. Everything else should just work. Your client will get multiple IPv6 addresses, the Internet routable ones are the ones that don't start fe80: These are for link local and device configuration.

      You can check if your IPv6 is working by going to IPv6 config checker or even "Whats my ip address" into google. It will return a V6 address if one is configured.

      For those whose ISPs don't support IPv6 yet - raise a support ticket asking for it or change to an ISP that does.

      Alternately, Hurricane Electric (and previously SixXs) do IPv6 tunnel brokers that allow you to get on IPv6 when the ISP is a bit backwards. There are loads of guides out there for different hardware to do this on. I started on a Raspberry Pi before my ISP finally woke up, it was a good way to skill up.

      Just remember that only Layer 3 of the OSI 7 layer model changed.

      Handy sites :

      IPv6.com

      Ripe's IPv6 primer

      Here are some pointers for those who want to learn IPv6.

      1. Forget NAT. It's not necessary any more. However, if you really, really want to, there is no difficulty in doing the same thing in IPv6, there is just little point. Don't forget NAT was a bolt-on to the original IPv4 to conserve addresses once the internet started to grow, it broke end-to-end routing.

      2. Mostly forget about variable length subnet masks. Masks are generally /64 or more. /64 and /48 are common for home and corporate use. This is partly for automatic client configuration (SLAAC) and to ensure that routing tables remain small - fixing a problem on the Internet today. The 16 bits between /64 and /48 are effectively for subnet use, so you get 64K subnets in your address block. The bits up to /48 are used for the backbone routing and are of interest to ISPs.

      3. Forget ARP, it's been replaced with link local IPv6 addresses which start with fe80::0/16

      4. Forget the hype about address tracking - user tracking is a problem on IPv4 and the IP address is just one of the things they track on. On IPv6 you can choose to have client addresses generated automatically by SLAAC (which uses the MAC address), you can use DHCPv6 if you wish, or you can generate dynamic privacy extension addresses if you want (see RFC4941).

      5. Broadcast traffic has gone, everything is unicast (same as IPv4) or multicast.

      6. IPv6 uses ICMP a lot more, so you can't just filter it at your perimeter.

      7. Security in depth. This shouldn't come as a shock, in 2017 - You need a firewall on ALL devices, not just at the perimeter. The majority of devices shipped in recent years have defaulted to firewalls on due to more sophisticated malware. This does not change for IPv6, however your perimeter firewall rules can generally be simpler.

      8. IPv6 fixes a lot of what's broken in IPv4, for example built in features to help identifying the remote endpoint, so that problems such as SPAM can be resolved. There is embedded IPSEC encryption, larger frame sizes. Oh and there are a few more addresses ;-)

      9. To type an address into a browser, you need to do it in an RFC2732 format, basically you enclose the address in square brackets, so it looks like this: http://[2001:db8::2]:8080/folder/file.html

      10. A host will have multiple IPv6 addresses, for example its self-assigned link local address, its old IPv6 address and its new IPv6 address if something allocates a new one (ie privacy extension, DHCP etc). The old one will work for current sessions, but will not be allocated to anything new, it will show in ipconfig /all as (deprecated)

      11. Modern DNS servers can provide IPv4 or IPv6 responses, you don't need a V6 DNS to resolve V6 addresses. V6 addresses are AAAA records as opposed to IPv4 A records. Fun fact - A=32 bits in IPv4, AAAA was chosen for IPv6 as 4xA = 128 bits just like an IPv6 address.

      12. Reverse addresses are the same as the current in-addr.arpa form, except that each octet of an address is separated out, so just like IPv4 192.168.1.0 gives 1.168.192.in-addr.arpa. For IPv6 2001:2b8::2 converts to

      2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. 1h IN PTR host1.example.com. Note that the :: address compression does not apply here (it's a simplification for users).

      13. A lot of IPv6 is automatic, for example location of routers, client IP address allocation, etc. radvd, the router advertisement daemon is the process on Linux that does some of this.

      14. IPv6 isn't perfect and will continue to evolve as issues are identified and RFC's are raised to resolve them. This is no different to IPv4's history.

      15. IPv6 is not going away. Growth is continuing, see the US graph: http://ipv6-test.com/stats/country/US
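
Several of the pointers in the comment above (link-local versus routable addresses, SLAAC addresses built from the MAC, /64 subnets inside a /48, bracketed URLs and the ip6.arpa nibble format) can be checked on your own hosts with Python's standard `ipaddress` module. This is an added example, not part of the original comment; the sample addresses and the MAC are constructed, using the 2001:db8::/32 documentation prefix.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses, not globally routed


def _parse(addr: str) -> ipaddress.IPv6Address:
    # Drop a zone id such as "%eth0" that tools print after link-local addresses.
    return ipaddress.IPv6Address(addr.split("%")[0])


def classify(addr: str) -> str:
    """Scope of an address as a host audit would report it."""
    ip = _parse(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    if ip.is_multicast:
        return "multicast"
    # Everything else is treated as global unicast; the documentation
    # prefix stands in for a real ISP-delegated prefix in this example.
    return "global"


def embedded_mac(addr: str):
    """Return the MAC recoverable from a modified EUI-64 interface ID, else None.

    A random (privacy) interface ID can contain ff:fe here by chance,
    roughly 1 in 65536, so treat a hit as a strong hint rather than proof.
    """
    iid = _parse(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the universal/local bit back
    return ":".join(f"{b:02x}" for b in mac)


def site_subnet(site48: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick one of the 65536 /64 subnets inside a /48 site prefix."""
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48 or not 0 <= subnet_id < 2 ** 16:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def url_for(addr: str, port: int, path: str = "/") -> str:
    """Bracketed literal form used when an IPv6 address appears in a URL."""
    return f"http://[{_parse(addr).compressed}]:{port}{path}"


def ip6_arpa(addr: str) -> str:
    """Reverse-DNS name: all 32 nibbles, reversed, with no :: compression."""
    nibbles = _parse(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def audit(addrs):
    """(address, scope, recoverable MAC or None) for each address on a host."""
    return [(a, classify(a), embedded_mac(a)) for a in addrs]


# Constructed sample: the addresses one dual-homed LAN host might hold.
SAMPLE = [
    "fe80::211:22ff:fe33:4455%eth0",         # link-local, EUI-64
    "2001:db8:abcd:10:211:22ff:fe33:4455",   # routable, EUI-64 (MAC visible to peers)
    "2001:db8:abcd:10:5c3a:91d2:7be4:20af",  # routable, random interface ID
    "fd12:3456:789a:10::25",                 # unique local, manually assigned
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print(site_subnet("2001:db8:abcd::/48", 0x10))
    print(url_for("2001:db8::2", 8080, "/folder/file.html"))
    print(ip6_arpa("2001:db8::2"))
```

Addresses flagged with a recoverable MAC are the ones where enabling privacy extensions changes what remote peers can learn about the device.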

      1. wyatt

        Re: So, how do I go about implementing it?

        Thanks for this, I really need to start reading up more.

        1. Boothy

          Re: So, how do I go about implementing it?

          If you're on Sky Broadband, IPv6 is enabled by default, (once the local hardware is updated to support it of course).

          I've got a ~3 year old Sky Hub, and noticed about a year ago, while I was looking into network configurations for a VM, that my desktop now had a v6 address assigned, as well as a v4. A quick look at the router config, and sure enough I now had a v4 and v6 Internet address, and v6 was routing to the local LAN.

          As an example, the above mentioned test site (http://test-ipv6.com/) gives me a 10 out of 10 score on my Desktop PC.

          Just as a warning, not all devices at home will support v6 yet, although I was surprised at how many did support it in my house once I checked them out!

          As an example, my Sky Box (standard HD box from about 4 years ago, not the newer Q version), only picks up IPv4, and my NAS server is also only IPv4, although the latter is simply me not getting round to doing anything about it yet (It's a Linux OS, and had v6 disabled by default).

          But all other devices I have, do seem to support IPv6. So that's an XBox One S, two Android phones (OS 6 and 7), my TV (an LG smart from a couple of years back, although is usually disconnected from the network), an old Android LG Tablet that was never supported past 4.4.2, and also my first gen Nexus 7 (2012), all support IPv6!

    4. Anonymous Coward

      @AC - Re: So, how do I go about implementing it?

      Easy pie! Just go to your medium/large multinational company's CFO/board, ask them for millions of dollars, warn them that the fully redundant 24/7 99.999999999...% uptime back-end, mission critical systems will probably be impacted without any sound business reason except the fact that outside Internet is running out of IPv4 addresses. Wait until they stop laughing and say "No, seriously! This IPv6 is so cool, it does offer increased address space, IPSec, eases the pressure caused by large routing tables, does away with NAT and... Please don't leave! Hello! Anyone ?"

      1. Dwarf

        Re: @AC - So, how do I go about implementing it?

        Presented differently....

        Telling the board that a project to implement external IPv6 connectivity to maintain the ability of customers to connect to the services we offer in the coming years is very normal. It makes no difference if it's a noddy application or a bunch of highly available systems, the approach is the same. Also, IPv4 and IPv6 are designed to co-exist and parallel run, just like IPX and IP used to in days gone by.

        Change is what IT teams do and if it's done right, you do your normal release management via dev and non-prod platforms first to get the badge to allow release to production and DR. This is no different to the implementation of a new storage platform, an OS upgrade from version X to version Y, a database engine update to keep in maintenance. Corporates are used to projects that maintain their steady state and keep their customers coming to the front door. This is really not a big deal.

        If you are worried by this, then I'm for hire and I can help :-)

  6. Charles 9

    Easiest starting point's gonna be the router. Even without direct IPv6 allocation, there are other ways to get set up. That's all it took on my Netgear R7000.

  7. CookieMonster999

    class D address space

    Why don't we use class D addresses ? It's not really used for multicast

    1. Neil Alexander

      Re: class D address space

      "Why don't we use class D addresses ? It's not really used for multicast"

      Most IP stacks have special behavior hard-coded for the "special" IP ranges, i.e. multicast, link-local, etc. It would be an absolutely mammoth task to make those address ranges globally routable.

  8. sean.fr

    Address allocated but not live

    If all these people and companies are refusing to move to IP6 after so many years of pushing it, you have got to say there is something very wrong with it. The basic IPv6 model makes the wrong assumption we want everything on the internet. We (low level, part time and amateur network support folk) want to stay with what we know, and there are many more of us than ISPs and backbone peering super egg heads.

    We are fine with IPs and Internet peers using IPv6, if you keep on the dirty side of the firewall. We want none of it inside our companies and homes. We are happy with our 10 and 172 addresses. We are comfortable with NAT, OSPF, Vlans and tags. We DO NOT WANT an internet for every device. I do NOT want my LED light bulbs or my garage door on the internet, because I can not protect them. It is hard enough to keep the PCs safe. I can patch the PC, but not the coffee distributor, or the toilet water pump.

    So make it easy to keep IPv4 inside, and you can use whatever you want outside.

    It simply is not true the IPv4 addresses have run out. They are allocated, but many are not actually used on the internet. You can check this yourself using ping. Pick some random addresses, and ping. Yes some people block at the firewall, but most companies do not as it is really hard to debug your internet connection if you do.

    Monthly charges for each IPv4 address.

    You will get lots of scrappy bits returned. So like was done for phone numbers, you need to weaken the link between the number and routing. Another layer of mapping is required, But on the firewall or the dirty side of the firewall. Plus if you are billing individual addresses, you can fine / block addresses used for DDOS / spam / scam. You would encourage encrypting on everything - firewall to firewall - so everything is signed - end to end - and harder to snoop / spoof.

    1. Nanashi

      Re: Address allocated but not live

      No, I'm pretty sure that most people do want their stuff on the internet. That's why they bother to deploy NAT -- to get their machines on the internet even in the face of a lack of IP space to do it with.

      And it definitely is true that there's not enough v4 space for everybody. It's also true that you can find unused v4 addresses, but... there aren't anywhere near enough (and fragmentation is a big issue). v4 is just not big enough.

      (Also I shouldn't really need to say this again and again, but using v6 doesn't magically mean that all of your devices are accessible from the internet. Rejecting v6 because you think it means that is mistaken.)

      1. Doctor Syntax Silver badge

        Re: Address allocated but not live

        "No, I'm pretty sure that most people do want their stuff on the internet."

        More likely people want the internet on their stuff but not necessarily the other way around. They want to connect their laptop, desktop, tablet, phone etc to the net. What they don't want is Joe Random on the net connecting to the above. It's a one way thing.

        A smaller set of stuff doesn't get connected either way - my printer and NAS don't need to see the net, nor do they need to be visible from outside.

        Then there's another class of stuff that some folk do want on the net: their Nest, their webcam etc. And just look at the problems that's causing for everyone else; most of us would be happier if none of that had got on the net. It's been a big illustration of the problems that happen when Joe Random can connect to their stuff.

        The first case has been handled well by IPv4 & domestic routers for a long time and a part of that is that NAT ensures that the individual device can't be directly addressed from the wider net. At the same time the services behind the router/firewall/whatever can talk to each other; I can print from my laptop or exchange files with my NAS. Somebody in another comment mentioned NAT breaking end-to-end routing. That's just what these use cases need.

        It's these first use cases that need to be addressed simply by IPv6. Being told that address randomisation answers users' concerns by preventing being tracked is a failure to understand the issue. My printer isn't going to be tracked anyway but what I don't want is someone coming across my printer on its current randomised address and either dropping a load of stuff to be printed just because they can or taking advantage of a zero-day to enrol it into a botnet.

        1. TheNSA

          Re: Address allocated but not live

          "I don't want is someone coming across my printer on its current randomised address"

          A correctly configured firewall is the solution but just so you have some idea how unlikely that would be --

          Assuming a scanning rate of 1,000,000 IP6 addresses per second it would still take nearly 600,000 years to fully scan a /64 bit prefix (2 ^ 64).

          Adoption of IP6 only would have the additional benefit of eliminating those pesky scanning botnets (Mirai comes to mind) as locating IOT devices even on non-firewalled randomised IP6 addresses would be a virtually impossible task.

          1. Roland6 Silver badge

            Re: Address allocated but not live

            "Assuming a scanning rate of 1,000,000 IP6 addresses per second it would still take nearly 600,000 years to fully scan a /64 bit prefix (2 ^ 64)."

            Sounds like security by obscurity... but then isn't that at the heart of many security approaches...

            1. Charles 9

              Re: Address allocated but not live

              Security by EXTREME obscurity. If you're looking for a few bone needles in a planet-sized haystack, eventually the return on effort gets too small. If you had a week to search a million lead lockboxes, even if you could check them once a second, you'd only get about two thirds of the way before time ran out (it would take nearly 12 days).

          2. Kiwi

            Re: Address allocated but not live

            "Assuming a scanning rate of 1,000,000 IP6 addresses per second it would still take nearly 600,000 years to fully scan a /64 bit prefix (2 ^ 64)."

            So 1,000,000 machines scanning one address per sec would take 6 years. 10,000,000 would take a matter of weeks.

            Tell me... How many devices are we now seeing on botnets? What will the numbers look like when those botnets start getting hold of other IoT stuff that is on IP6 scanned by a home user who thinks "It'll take them 60,000 years to find my poorly configured firewall" or worse, a home user who has no idea what a firewall is? We have people in this thread talking about making sure every device has a decent firewall and not needing the same strength perimeter security - how well will that happen with IoT?

            Your SBO model will quickly break, and I do mean quickly. A year or two and we'll have botnets that can scan your " /64 bit prefix" in a matter of days, or hours.

            "locating IOT devices even on non-firewalled randomised IP6 addresses would be a virtually impossible task."

            I addressed this in another post a few months back, but suffice to say.. Not that long ago it was considered impossible for man to travel beyond 30mph (IIRC, number may be wrong). I've done that several times today. Not long ago man could not fly. Not long ago you could not possibly build ships out of iron. Go back 20 years and say you'll be able to stream HD videos to your home, to more than one device. And a device the size of packet of matches could play said movie on your TV. Hell, in my life time it was considered impossible that gays would ever be allowed to legally have relationships, let alone marry!

            What you consider impossible today will be done tomorrow and will be taken for granted next week. Or in security-by-obscurity, what is considered impossible to break today was considered a joke by hackers last week, and trivially broken some months back.

            1. Charles 9

              Re: Address allocated but not live

              No, that's a million machines scanning a million IPv6's per second. How many machines out there can scan that fast? How many can the inbound gateway handle?

              Put it this way. If you had THAT much computing power at your disposal, you'd probably have bigger fish to fry, like trying to solve for encryption or factoring algorithms.

    2. Dwarf

      Re: Address allocated but not live

      @sean.fr. It's not that simple. IPv4 has had its day, it's lasted well, but change has to happen as we have just outgrown its capabilities.

      Just because something does not respond to ping doesn't mean it's not there, it just means that it refuses to talk to you or perhaps it can't be used. Remember that some addresses are not usable (for example the all 0's and all 1's on each subnet), so the more you break things down, the higher the level of wastage becomes.

      Secondly the more fragmented the ranges become, the larger the routing tables become on all the backbone routers. This makes routing slower - as it takes time to parse the tables for each frame.

      The bigger issue is that on backbone routers (ie not the home grade stuff), the routing decisions are done in hardware to speed things up, you can't expand the tables without new hardware and that's very expensive in terms of hardware and projects to swap them. IPv6 fixes this by streamlining the routing to reduce the overhead and improve performance.

      For an "ordinary home network", everything you know today about your home LAN with its different VLANs, local routing, etc still works the same, you just end up with a different prefix. Where you probably use 192.168.xxx.yyy with the 3rd octet for the subnet, in IPv6 it just becomes the 4th block in the address, so 2001:db8:abcd:xxxx:: and the yyy bit becomes yyyy:yyyy:yyyy:yyyy. If you don't care what the yyyy bit is, then let dnsmasq take care of this and use proper device names. If you do care about addresses (ie your DNS is not working), then you can DHCP allocate and end up with addresses like 2001:db8:abcd:xxxx::yyyy. You still end up with an xxxx and yyyy portion so it's virtually identical to what you are used to today.

      The idea of 6to4 and 4to6 connectivity, whilst simple on paper, generally doesn't work well as v4 clients can't put a 128 bit address in the 32 bits of storage compiled into the older apps. This is the whole reason why there has been a deliberate long period of parallel running.

      As to firewall separation, you can still configure your home router/firewall to allow the bits you want to access externally whilst protecting your garage door just like you do today. IPv6 firewalls work just like IPv4 firewalls do.

      1. Charles 9

        Re: Address allocated but not live

        "As to firewall separation, you can still configure your home router/firewall to allow the bits you want to access externally whilst protecting your garage door just like you do today. IPv6 firewalls work just like IPv4 firewalls do."

        And in fact, one-to-one NATs in IPv6 can do some pretty neat tricks (and yes, they're in the spec). For example, ephemeral addresses for outgoing connections (meaning they're used just for that session and then disconnected). Lot harder to hack by reversing outgoing connections this way. Another example, you can have the router randomize the subnet addresses of exposed machines, making all of them look like a jumbled mess to an outside network mapper. Makes it harder to guess the topology and use that knowledge in an intrusion.

    3. Charlie Clark Silver badge

      Re: Address allocated but not live

      In other words don't move my cheese.

      IPv6 isn't perfect but the lack of addresses is only one problem that it attempts to solve for which there is no solution in IPv4. IPv4 was designed for a couple of million devices (address contention is not a problem you ever want to have on a network) and it's a testimony to how well it was designed that it copes with billions of devices on it and the huge volumes of streaming traffic it handles.

      A comparison with HTTP is imperfect but still perhaps useful. For many years it was acknowledged that HTTP 1.1 had limitations (no TLS, no multiplexing) but there was a lot of inertia to overcome so no work was done on HTTP 2. A few years ago, Google and others started working on an imperfect replacement SPDY to help mitigate some of the problems they had due directly to HTTP 1. The ideas formed the basis of HTTP 2, which while still not perfect is being rolled out around the world and will soon be given privileged access. This, in my opinion, is how the IETF is supposed to work and I wouldn't be surprised if Google and others start privileging IPv6 traffic once the numbers are right.

    4. Neil Alexander

      Re: Address allocated but not live

      "We want none of it inside our companies and homes. We are happy with our 10 and 172 addresses."

      This is a really naive attitude and it is exactly this attitude (and ignorance) that makes the IPv6 transition so difficult.

      Ignoring the really obvious problem of being expected to unnecessarily translate between IPv6 and IPv4 on your network boundaries, why are IPv4 private address ranges preferable? The answer is they aren't.

      Even if you are hell-bent on your outdated thinking, you could use ULA address ranges in IPv6 for places that you do not want to be globally routable.

      The correct tool for the job of controlling network traffic in and out of your network is a firewall. A device with a globally routable IPv6 address behind a correctly configured firewall is just as safe as a device with an internal IPv4 address behind a NAT configuration on a firewall.

      Repeat after me: NAT is not a firewall. NAT does not provide security. NAT makes absolutely no guarantees.

      "We are comfortable with NAT"

      No, globally, we're not comfortable with NAT.

      NAT creates massive headaches and fundamentally pushes us towards service centralisation, as we are forever having to create applications that have to "call outbound" instead of being able to work in true peer-to-peer fashion. It makes even simple applications complicated as we have to constantly be concerned with NAT traversal, or UPnP, or NAT-PMP.

      NAT is a hack. It was a hack when it was first implemented, and it's still a hack now. Unfortunately it's a hack that people are sadly attached to.

      "OSPF, Vlans and tags."

      None of this changes with IPv6 apart from an uplift to the OSPFv3 protocol. VLANs and tagging do not change - those are part of Layer 2, not Layer 3. Please see the OSI model.

      "We DO NOT WANT an internet for every device."

      This is not a problem with IPv6, but instead with your network topology. Put them on a VLAN that doesn't route to the Internet, or use a firewall to prevent traffic to/from them. There are correct tools for this job. Avoiding IPv6 forever is not.

      "I do NOT want my LED light bulbs or my garage door on the internet, because I can not protect them."

      See above statement.

      1. Anonymous Coward

        Re: Address allocated but not live

        If the answer is a "_correctly configured_ firewall," then the question is probably too hard for most home users.

        1. Neil Alexander

          Re: Address allocated but not live

          "too hard for most home users."

          On the contrary, it is very typical for ISP-provided (and even off-the-shelf) routers to be configured with default-deny for incoming connections. In that case, most home users would never need to change a thing.

          For those that do go in and make uneducated changes to the firewall settings, well, you can't protect users from themselves even in IPv4 land.
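The default-deny arrangement discussed in the comments above, written out as an nftables ruleset for a router that forwards globally routable IPv6. This is an added example, not any commenter's or router vendor's configuration; the interface names `wan0` and `lan0` and the table name are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names: wan0 = upstream link, lan0 = home network.

table ip6 home_fw {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened themselves.
        ct state established,related accept
        ct state invalid drop

        # ULA space (fc00::/7) is for internal use; never let it cross the WAN.
        oifname "wan0" ip6 saddr fc00::/7 drop
        oifname "wan0" ip6 daddr fc00::/7 drop

        # LAN hosts may open new connections outbound.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors that IPv6 needs to work (path MTU discovery etc.).
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "wan0" icmpv6 type echo-request limit rate 5/second accept

        # No rule accepts new inbound connections from wan0, so a LAN
        # device with a global address is unreachable unless one is added.
    }

    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router advertisements (link-local scope).
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept
        icmpv6 type { packet-too-big, echo-request } accept

        # DHCPv6 client replies from the ISP, sent from link-local addresses.
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # Management access from the LAN side only.
        iifname "lan0" accept
    }
}
```

The filtering here comes from the `policy drop` line plus connection tracking; no address translation is involved, and the same forward chain shape works whether the LAN uses global or ULA addresses.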

      2. Charles 9

        Re: Address allocated but not live

        "Ignoring the really obvious problem of being expected to unnecessarily translate between IPv6 and IPv4 on your network boundaries, why are IPv4 private address ranges preferable?"

        Because you have devices on your network that cannot be replaced or upgraded and can ONLY grok IPv4. Now what do you do?

      3. Down not across

        Re: Address allocated but not live

        "Ignoring the really obvious problem of being expected to unnecessarily translate between IPv6 and IPv4 on your network boundaries, why are IPv4 private address ranges preferable? The answer is they aren't."

        I don't think you can speak for everyone on what is preferable to them.

        I certainly would take issue if anyone felt they could decide what is preferable to me.

      4. Doctor Syntax

        Re: Address allocated but not live

        "This is a really naive attitude and it is exactly this attitude (and ignorance) that makes the IPv6 transition so difficult."

        What makes the transition so difficult is an almost wilful refusal to look at the problems it causes on the ground.

        "This is not a problem with IPv6, but instead with your network topology. Put them on a VLAN that doesn't route to the Internet, or use a firewall to prevent traffic to/from them."

        Right. Tell me how Joe Soap, who can't put his webcam on the net without getting it bounced into a botnet within minutes is going to accomplish all that. Because that's the core problem.

  9. Anonymous Coward

    Meanwhile...

    I just wanted to upgrade my soho wifi router... and ran into the invoices for all the previous models I ever owned in a shoebox, long after their power supplies had fried from being plugged on 24/7.

    They all had IPv6 ever since it was invented.

    My ISP, however, enabled it just 3 months ago.

  10. Anonymous Coward

    Really

    That's odd because hosts are still handing out ipv4 addresses like confetti, softlayer for instance give you 16 addresses each time you set up a cloud server in a new location. Great for future expansion but a bit wasteful if there is a drought.

    KCOM don't even support ipv6 in their data centre never mind for residential users.

    1. Lee D

      Re: Really

      Because they already have an allocation and can just shufty them around.

      But new allocations are dead in the water.

      Tagadab (part of ClaraNet) are basically into the charge-per-IP now, whether you buy a dedicated server or a VPS. Other companies are following suit.

      But if you're not growing your userbase and you have "enough" IPv4's, you have a little insurance. Meanwhile, everyone else is ALREADY giving out IPv6 for free like it's going out of fashion but charging for each individual IPv4.

  11. jonfr

    NAT is a problem

    Just having NAT on IPv4 connections is a problem, especially when dealing with all the problems that come with it.

    As I plan on moving to Germany in a few years' time, I was searching for a way to get a static IP address since I need that for a few things I run on my home network. No private IPv4 address to be had; a few days ago I discovered that the ISP I'll be using once I move supplies an IPv6 to all new connections. That is going to allow me to connect my own WAN router to the cable modem router and get a proper connection to the internet and allow me to run the services I want (I hope) without problems. My WAN router has an IPv6 firewall, so that security aspect is good.

    Currently my Danish ISP doesn't offer IPv6 at the moment. It has static IPv4 addresses, but I don't know how long that is going to last.

    NAT breaks your internet: https://blog.webernetz.net/2013/05/21/why-nat-has-nothing-to-do-with-security/

    There is no IPv6 NAT: http://www.internetsociety.org/deploy360/blog/2015/01/ipv6-security-myth-3-no-ipv6-nat-means-less-security/

    1. Charles 9

      Re: NAT is a problem

      Actually, IPv6 DOES have NAT. It's just that it's one-to-one NAT, not the one-to-many NAT we're seeing with IPv4 (and if you think IPv4's NAT is bad, wait until you're behind a CGN or two).
