What's claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption. Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Saturday 3rd March 2018 10:02 GMT Tom Samplonius

"With a few notable exceptions – like Facebook and LinkedIn – most companies that have started introducing IPv6 networks do so by running IPv4 and IPv6 in parallel, often with two different teams."

What is this supposed to even mean? There are only two types of IPv6 deployments that I've seen, dual-stack IPv4+IPv6 and IPv6 only (usually because of the lack of IPv4 addresses). Most of the top 100 sites are dual stack. What does "in parallel" mean?

Different teams? I've setup IPv4 and IPv6 peering with a number of different networks, and I've never encountered IPv6 run by a different team than IPv4. Do you have even a single example of an organization using different teams for IPv4 and IPv6?

26 2 Reply
1. Saturday 3rd March 2018 10:27 GMT Anonymous Coward
  
  I don't have any practical evidence but I could easily imagine a scenario where an IPv6 project team is brought in or created specifically to do an IPv6 project while the core IT team still deal with the everyday IPv4 system. Therefore the normal network team are still managing the IPv4 DHCP and setting up devices on using IPv4 while the project to look at implementing IPv6 takes place in a test environment and gradually into a live environment.
  
  3 2 Reply
  1. Saturday 3rd March 2018 10:42 GMT diodesign
    
    "an IPv6 project team is brought in or created specifically to do an IPv6 project"
    
    Yup. IPv6 is hacked on as an afterthought. Not at all orgs, but quite a few, it seems.
    
    C.
    
    9 1 Reply
2. Saturday 3rd March 2018 11:08 GMT Len
  
  I think it refers to the practice that companies like Facebook are using of not running IPv4 at all. All their systems are IPv6-only with the exception of their edge servers. They simply removed IPv4 networking from all their internal servers, desktops, engineers dev stations etc. That way developers and architects don't have to worry at IPv4, test everything twice, worry about attack vectors using the other protocol etc. They just have to make it work on IPv6 and let the webservers translate it to IPv4 for those users who still have IPv4-only connections.
  
  9 2 Reply
  1. Saturday 3rd March 2018 15:49 GMT Anonymous Coward
    
    "translate it to IPv4 for those users who still have IPv4-only connections"
    
    "Those users" being the vast majority of people online at the moment.
    
    12 0 Reply
  2. Sunday 4th March 2018 02:34 GMT Anonymous Coward
    
    @Len - That's pretty easy
    
    when you don't have three or four decades old critical mission 24/7 systems crucial for your business.
    
    3 0 Reply
    1. Sunday 4th March 2018 08:43 GMT Anonymous Coward
      
      Re: @Len - That's pretty easy
      
      That's pretty easy....when you don't have three or four decades old critical mission 24/7 systems crucial for your business.
      
      True. But since the IPv6 draft standard was published in 1998, after almost two decades of work, anybody claiming legacy business critical systems as an excuse should be tied to a gate and have their arse kicked for a week.
      
      The IT world have been on notice over IPv6 for two whole decades, and arguably a few years more going back to 1994 and the IETF's IPng. If a quarter of a century isn't long enough, how long would the recidivists have needed?
      
      4 6 Reply
      1. Sunday 4th March 2018 09:35 GMT Anonymous Coward
        
        Re: @Len - That's pretty easy
        
        "The IT world have been on notice over IPv6 for two whole decades, and arguably a few years more going back to 1994 and the IETF's IPng. If a quarter of a century isn't long enough, how long would the recidivists have needed?"
        
        The fact that its been around for that long yet there's still resistance to using it should perhaps be a teensy clue to its designers that it brings little to the table over IP4 other than extra network addresses (which NAT mainly solves since most firms don't want all their machines with a publicly accessable address anyway) and is more complex to set up and manage. I'm wondering just how many more decades it'll take for it to sink in that IP6 is an overcomplex dog.
        
        24 1 Reply
        
        Sunday 4th March 2018 11:31 GMT Anonymous Coward
        
        Re: @Len - That's pretty easy
        
        The fact that its been around for that long yet there's still resistance to using it should perhaps be a teensy clue to its designers that it brings little to the table over IP4 other than extra network addresses
        
        Most address systems get used far beyond their designer's original intentions (eg UK postcodes), so the shortcomings of IPv4 were inevitable. The single most important thing about IPv6 was making available extra network addresses, and if that meant a certain amount of difficulty, so be it. If the Post Office mess about with the postcode format you'd see a similar difficulty, with everybody whining that geographic coordinates were user unfriendly, too long, too complex etc.
        
        Even with corporate solutions to avoid IPv6, that only defers the problem because consumers have growing numbers of internet connected devices (I've got no IoT devices, there's still 14 devices in this household with IP addresses). IPv6 may be complicated, but it is the only address system designed for the volume of addresses that will be needed.
        
        2 9 Reply
        
        Monday 5th March 2018 09:29 GMT Anonymous Coward
        
        Re: @Len - That's pretty easy
        
        "Pv6 may be complicated, but it is the only address system designed for the volume of addresses that will be needed."
        
        Bollocks. 128 bits was way overkill. 2^64 is twice as many grains of sand as there are on earth so 64 bits would have been more than enough even divided into subnets with the resultant network addresses being far more manageable and the address itself being able to fit into a 64 bit integer with the resultant faster processing in the CPU and NIC.
        
        2 2 Reply
        
        Sunday 4th March 2018 14:06 GMT Mage
        
        Re: @Len - That's pretty easy
        
        Also security was an add-on fudge. The original idea of direct use of MAC address to automagically create an IP6 was a total privacy fail. At least they fixed that.
        
        Setting up a firewall so none of your LAN resources or addresses are exposed seems complicated. Maybe it isn't, but the goal of EVERYTHING having a public IP address, just because you can was plain wrong. A dream for big exploitive companies, governments and criminals.
        
        8 2 Reply
      2. Monday 5th March 2018 10:37 GMT Hans 1
        
        Re: @Len - That's pretty easy
        
        @Ledswinger
        
        True. But since the IPv6 draft standard was published in 1998, after almost two decades of work, anybody claiming legacy business critical systems as an excuse should be tied to a gate and have their arse kicked for a week.
        
        So spot on!
        
        I am sure people will call "Ahhh, easy, hindsight et al" to which I have the right answer ... NO, it is called foresight which is hard to come by these days ... I regularly get downvoted because I push for TLS 1.3 adoption by all and sundry asap, with preparations starting everywhere NOW ... and that is not even foresight, it should be common sense!
        
        Don't come with corporate ^dwpolicy fallacy, enterprise IT, mission critical flying pink unicorns, or other lame excuses, if you don't seriously take care of security, insecurity will seriously take care of you.
        
        2 3 Reply
  3. Sunday 4th March 2018 13:58 GMT Mage
    
    Facebook not running IPv4 at all?
    
    Nonsense. They have to run it somewhere or most of the victims wouldn't be able to connect!
    
    How many phones & tablets actually connect via IP6?
    
    How many broadband ISPs fully support IP6?
    
    ping www.facebook.com
    
    PING star-mini.c10r.facebook.com (31.13.73.35) 56(84) bytes of data.
    
    64 bytes from edge-star-mini-shv-01-dub4.facebook.com (31.13.73.35): icmp_seq=1 ttl=55 time=11.6 ms
    
    2 4 Reply
    1. Sunday 4th March 2018 22:57 GMT dkerago
      
      Re: Facebook not running IPv4 at all?
      
      "All their systems are IPv6-only with the exception of their edge servers."
      
      1 0 Reply
    2. Sunday 4th March 2018 23:41 GMT Nanashi
      
      Re: Facebook not running IPv4 at all?
      
      Their edge servers have v6 too, it's just that those are the only machines with v4 that Facebook run (with the exception of some HVAC control units in some of their datacenters). Some versions of ping are v4-only so I'm not sure that's the best tool to demonstrate anything with.
      
      I have no idea where people get the idea that v6 is complex. It's no harder to use than v4, and in fact it's easier than v4 in practice because NAT is de-facto required on v4 but can be avoided on v6.
      
      (I guess multicast NDP is a bit more complicated than broadcast ARP, but how many people reading this are writing NDP implementations? At a user level, with v4's NAT involved, v6 is less complicated than v4.)
      
      6 3 Reply
      1. Monday 5th March 2018 10:04 GMT Degenerate Scumbag
        
        Re: Facebook not running IPv4 at all?
        
        V6 is so complicated that my entire home network automatically configured when they activated it on my connection. It was so seamless it took me a while to notice.
        
        The extra address space may be the driving force behind deployment, but it's not the only advantage. Built in multicast has the potential to reduce streaming bandwidth considerably. Imagine being able to stream video directly to a million people from a home internet connection. With ipv6 this is possible.
        
        5 6 Reply
        
        Monday 5th March 2018 12:17 GMT Anonymous Coward
        
        Re: Facebook not running IPv4 at all?
        
        "V6 is so complicated that my entire home network automatically configured when they activated it on my connection. It was so seamless it took me a while to notice."
        
        Well thats ok then, so long as your mickey mouse home network can auto configure it must mean IP6 is a cinch for all the corporate and ISP admins out there too.
        
        "Imagine being able to stream video directly to a million people from a home internet connection."
        
        What could possibly go wrong with a global IP broadcast system.
        
        4 1 Reply
        
        Monday 5th March 2018 20:32 GMT Degenerate Scumbag
        
        Re: Facebook not running IPv4 at all?
        
        It is indeed a cinch for those worth their salt. It does tend to rile up the low-iq dead wood who have trouble picking up new skills.
        
        For example, the types of people that don't understand the difference between the concepts of network broadcast (a scatter-gun that sometimes goes wrong) and multicast (peers subscribe, routers relay packets only to subscribed peers, perfect bandwidth efficiency and no potential to cause a storm).
        
        1 3 Reply
        
        Tuesday 6th March 2018 08:54 GMT Anonymous Coward
        
        Re: Facebook not running IPv4 at all?
        
        "perfect bandwidth efficiency and no potential to cause a storm"
        
        Ah bless, so naive, so naive :)
        
        1 0 Reply
      2. Wednesday 7th March 2018 10:53 GMT tip pc
        
        Re: Facebook not running IPv4 at all?
        
        @Nanshi
        
        I have no idea where people get the idea that v6 is complex. It's no harder to use than v4, and in fact it's easier than v4 in practice because NAT is de-facto required on v4 but can be avoided on v6.
        
        When people write nonsense like ^^ you know they have no clue what they are talking about.
        
        because NAT is de-facto required on v4 but can be avoided on v6.
        
        you do realise that NAT can easily be avoided on IPv4. Do you even know what NAT is?
        
        0 1 Reply
        
        Saturday 10th March 2018 11:14 GMT Charles 9
        
        Re: Facebook not running IPv4 at all?
        
        Yes, it's that thing that seems to be required in Asia to get everyone connected, given there are more users than IPv4 addresses there. Which raises a problem of unassisted peer-to-peer connections when BOTH ends are behind a NAT or two.
        
        0 1 Reply
    3. Monday 5th March 2018 01:38 GMT Yes Me
      
      Re: Facebook not running IPv4 at all?
      
      > 64 bytes from edge-star-mini-shv-01-dub4.facebook.com
      
      See that? "edge-star..." Yes, their CDN offers IPv4. You have no idea from that what they operate internally.
      
      2 1 Reply
3. Saturday 3rd March 2018 11:09 GMT Jason Bloomberg
  
  What does "in parallel" mean?
  
  I assumed it meant side-by-side; one stack for handling IPv4 and another for IPv6, incoming packets handed off to the appropriate stack as they arrive. Dealt with by one team proficient in IPv4 another trying to be in IPv6.
  
  5 1 Reply
  1. Saturday 3rd March 2018 11:14 GMT Tom 7
    
    RE What does "in parallel" mean?
    
    That may explain the lags I'm seeing .I'm sure a router of some form would be quicker than a team.
    
    11 0 Reply
  2. Monday 5th March 2018 01:32 GMT Yes Me
    
    side by side, not
    
    "one stack for handling IPv4 and another for IPv6"
    
    That's an abstraction; in real life the stacks are well integrated with common code and a largely common configuration interface.
    
    "Dealt with by one team proficient in IPv4 another trying to be in IPv6."
    
    That would be really short-sighted. Yes, your lead engineers might be the first to get IPv6 expertise, but the goal is to have your whole ops team just as familiar with v6 as v4. Apart from being the cheapest solution, it also prevents you ending up in a few years having to fire a whole team of legacy staff who are incompetent in IPv6.
    
    2 2 Reply
    1. Monday 5th March 2018 20:14 GMT Degenerate Scumbag
      
      Re: side by side, not
      
      Indeed. If a company has an "ipv6 team", then it's function should only be ensuring the regular network team are fully up to speed and assisting them with deploying the upgrade. Any model of seperate teams is pure idiocy.
      
      2 0 Reply
4. Sunday 4th March 2018 13:54 GMT Mage
  
  IP6 & IP4 in "Parallel"
  
  It would be pointless to have a Website be IP6 only, since the vast majority of potential visitors only have IP4.
  
  So anyone deploying IP6 also has IP4. The exact technical mechanism isn't relevant to the word "parallel", which here means as well as.
  
  Why do I feel like Lemony Snicket?
  
  8 2 Reply
  1. Monday 5th March 2018 01:35 GMT Yes Me
    
    Re: IP6 & IP4 in "Parallel"
    
    Yes, the front end facing the Internet needs to provide both services. But the rest of the data centre, CDN or whatever it is can be 100% IPv6 - some operators have already found this to be significantly simpler and cheaper to operate for a whole lot of reasons.
    
    2 2 Reply
Saturday 3rd March 2018 11:34 GMT Chris Hills

Downside???

"But on the downside, pretty much every modern mobile device and PC has IPv6 support included and turned on as a default"

This is a very GOOD thing!

6 8 Reply
1. Saturday 3rd March 2018 11:40 GMT Anonymous Coward
  
  Re: Downside???
  
  Until they pwn your IPv6 stack...
  
  11 2 Reply
2. Saturday 3rd March 2018 15:54 GMT Anonymous Coward
  
  Re: Downside???
  
  "This is a very GOOD thing!"
  
  Why? What exactly does IPv6 bring to the table for your average user that IPv4 doesn't? Answer: absolutely bugger all. Well, unless you're a fan of hexadecimal , then you're rocking with the incomprehensible and impossible to remember ip6 addresses.
  
  28 8 Reply
  1. Sunday 4th March 2018 23:45 GMT Nanashi
    
    Re: Downside???
    
    Um. The internet? Or specifically, it allows us to continue to bring the internet as it grows without losing performance and functionality. Surely that's something people want?
    
    Also, v6 addresses aren't necessarily hard to remember. For example, here's a URL for accessing a site over v4: https://www.sprint.net/, and here's the v6 equivalent: https://www.sprint.net/. It's hardly more difficult to remember the second than it is to remember the first.
    
    2 8 Reply
    1. Monday 5th March 2018 03:03 GMT eldakka
      
      Re: Downside???
      
      Also, v6 addresses aren't necessarily hard to remember. For example, here's a URL for accessing a site over v4: https://www.sprint.net/, and here's the v6 equivalent: https://www.sprint.net/. It's hardly more difficult to remember the second than it is to remember the first.
      
      The first thing you do when diagnosing/troubleshooting IP-based issues is totally ignore DNS (since it's not acually part of IP) and start throwing around IP addresses.
      
      When doing tcpdumps, network/router tracing, no-one gives a toss about DNS.
      
      To use DNS requires registering something somewhere i.e. additional paperwork and/or configuration. Which is pointess when running up a quick service to do/check something.
      
      Most of the organisations I've worked at don't use DNS inside device/appliance configurations, e.g. all the firewall devices use IP addresses, not DNS. Load balancers likewise (i.e. when configuring new end services, the networking team who look after the firewalls, load balancers, and other devices want IP addresses, not DNS names).
      
      When you are diagnosing a problem from an end user out in la-la land, the only DNS address you are interested in is the one they are hitting initially. From that point in through the rest of the infrastructure, it's all IP addresses that are looked at.
      
      Original DNS -> IP -> firewall1 -> Load balancer (IP) -> multiple endpoint IPs -> security service IP -> Load balancer (IP) -> multiple IPs -> firewall2 -> end points -> more load balancers ...
      
      And there may very well be multiple NATs in there as well for security purposes (and ease of configuration in some cases, especially in B2B VPN situations).
      
      7 0 Reply
      1. Tuesday 6th March 2018 02:09 GMT Nanashi
        
        Re: Downside???
        
        I thought we were talking about the average user? The average user does none of those things.
        
        But sure. Use the IPs if you want: https://208.24.22.50/ and https://[2600::]/. I don't know about you, but I can only remember one of those off-hand, and it ain't the v4 one.
        
        0 1 Reply
3. Monday 5th March 2018 14:13 GMT Anonymous Coward
  
  Re: Downside???
  
  > "But on the downside, pretty much every modern mobile device and PC has IPv6 support included and turned on as a default"
  
  > This is a very GOOD thing!
  
  Nuke icon noted. Have an upvote :)
  
  1 0 Reply
Saturday 3rd March 2018 13:18 GMT Anonymous Coward

stating the obvious

This doesn't appear to be an ipv6 attack per se but simply most modern operating systems will use ipv6 if it is available by default and indeed perform dns lookups using it by preference.

If you are a network engineer or security specialist surely as part of your 'normal' working practices you would apply the same diligence to ipv6 as ipv4.

Appears to be more 'fear' advertising.

14 0 Reply
1. Saturday 3rd March 2018 16:20 GMT Anonymous Coward
  
  Re: stating the obvious
  
  "Appears to be more 'fear' advertising."
  
  Surely they'd all have been OK if they'd implemented DevoPS properly? Click here for the whitepaper.
  
  12 0 Reply
Saturday 3rd March 2018 18:55 GMT J. R. Hartley

IPv6 is a mess

Such an unbelievably stupid design. IPv4 with carrier grade NAT should be sufficient.

5 14 Reply
1. Saturday 3rd March 2018 20:00 GMT Kevin McMurtrie
  
  Re: IPv6 is a mess
  
  NAT means we're all slaves to commercial portals for serving data. No f'ing thanks.
  
  9 5 Reply
Saturday 3rd March 2018 19:52 GMT Kevin McMurtrie

IPv6 consumer devices are a dumpster fire

ISPs and IoT makers have set the stage for huge IPv6 DDoS attacks that could take years to fix once they've started. Half of IPv6 devices have zero security and half of them are WAN hardened for peer-to-peer connectivity. Routers from ISPs make that difficult or impossible to manage. At best, they require you to create custom firewall rules for inbound IPv6. No doubt the most popular solution is going to be the wildcard-to-wildcard ALLOW rule that non-technical people can copy & paste. At worst they have one big "on/off" switch and it needs to be "on" anyways because the firewall is buggy. This mess has been building up for years and it won't get fixed anytime soon.

12 3 Reply
1. Tuesday 6th March 2018 01:58 GMT Nanashi
  
  Re: IPv6 consumer devices are a dumpster fire
  
  Or not so much. I know it's popular to rag on IoT stuff, but let's actually think about it for a moment. Let's imagine someone who buys a network camera, and who then configures their network so the camera is accessible from the internet so that they can look at it from work (because why else buy a network camera?).
  
  On v4, the camera is found by scanners within a few hours, because the v4 space is tiny and easy to exhaustively scan. On v6? Not so much. You could spend a million times the effort scanning v6 and not even scratch a single /64, let alone all of the rest of the /64s. The camera is relatively unlikely to be found, and thus relatively unlikely to be exploited. This is still the case even if someone completely shuts down their firewall (which I suspect isn't really going to be the most common configuration).
  
  Now, it's true that security by obscurity isn't security and there are various ways to narrow down the search space, but nevertheless if you make it much harder to find your IoT devices it's going to make it correspondingly hard to do anything to them. If anything, v6 seems like it should make the situation better rather than worse.
  
  0 1 Reply
Sunday 4th March 2018 02:44 GMT aqk

What about my IoT devices?

Does this mean I'll have problems querying my refrigerator from the supermarket when I forgot what I was supposed to buy?

2 0 Reply
1. Sunday 4th March 2018 09:43 GMT Pascal Monett
  
  Re: What about my IoT devices?
  
  No need to ask that : if you have IoT devices, you will have problems.
  
  10 1 Reply
2. Monday 5th March 2018 03:08 GMT eldakka
  
  Re: What about my IoT devices?
  
  > Does this mean I'll have problems querying my refrigerator from the supermarket when I forgot what I was supposed to buy?
  
  Nah, just ask the supermarket, as the fridge manufacturer has already sold that information to the supermarket.
  
  10 0 Reply
Sunday 4th March 2018 03:35 GMT The Average Joe

One ISP I know...

one of the tech guys there said he can't wait for IPv6 so that firewalls will be obsolete and we can throw them out... I kid you not. "There's a sucker born every minute"

13 0 Reply
1. Sunday 4th March 2018 14:12 GMT Mage
  
  Re: firewalls will be obsolete
  
  No, just only deployed by the clued. An IP4 LAN with one public IP needs a NAT router. Technically a firewall is a separate thing and still needed between your LAN and ISP on IP6 only. Admittedly people might not have one as modem + switch will "work".
  
  1 2 Reply
2. Monday 5th March 2018 10:56 GMT Hans 1
  
  Re: One ISP I know...
  
  one of the tech guys there said he can't wait for IPv6 so that firewalls will be obsolete and we can throw them out... I kid you not. "There's a sucker born every minute"
  
  Well, don't we all hope for miracles ? IT is such a broad subject that you cannot master everything, agreed, TCP/IP is pretty basic stuff, but still ... he probably heard that with IPv6 you no longer needed NAT and this guy confused NAT and firewall, certainly not his area of expertise. I have heard worse and have probably made equally lame remarks ... we all make mistakes ... as long as the guy admits he's wrong he can learn from his mistake, and that is EXACTLY how we learn best ... shame is an incredibly efficient learning-aid ;-)
  
  1 1 Reply
Sunday 4th March 2018 11:37 GMT Anonymous Coward

"Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks"

.... so its the same story as "I une a Max/Linux so I don't have the security problems all those windoze lusers have"

6 1 Reply
Sunday 4th March 2018 13:43 GMT Blotto

FUD

These issues only really apply to servers who’s IPv6 addresses have been published, for example by DNS. the traffic will likely be traversing the same dual stack ipv4/6 infrastructure meaning routers, firewalls, load balancers etc which all need configuring to pass traffic which means someone’s taken the time to do it so why would they not apply the same security as they would for ipv4?

Most IPv6 stacks for home users will change their addresses frequently meaning the whole allocated subnet will need scanning for vulnerable machines who’s ip’s will change. The attacker could get lucky but it requires a lot more compute and sophistication to perform the attack.

So this article is all about spreading fear uncertainty and doubt.

The funny thing is that securing IPv6 means breaking the end to end philosophy many state as one of its positives.

1 3 Reply
1. Wednesday 7th March 2018 11:37 GMT Charles 9
  
  Re: FUD
  
  "The funny thing is that securing IPv6 means breaking the end to end philosophy many state as one of its positives."
  
  No, it's simply a matter of allowing the capability as and when you need it, without having to forward ports and stuff like that or resort to such kludges as (gasp) UPnP.
  
  1 1 Reply
Sunday 4th March 2018 14:01 GMT Mage

IP6 DDOS

Perhaps it's taken a while for there to be enough compromised PCs etc on the Internet actually able to connect anywhere with IP6.

Also what ordinary email or web server for the public ONLY runs IP6?

1 1 Reply
Sunday 4th March 2018 21:50 GMT Enno

IPv6 and CIDR

The biggest issue I see in the glorious IPv6 future is that one of the current (very poor) mitigation strategies used by some ISPs (cough, Telstra here in Oz) is to unroute targeted destination subnets to unload the attack traffic from their links. In the brave new IPv6 world with it's baked in CIDR routing that will of course no longer be possible...

It's all very well having your firewall correctly configured to keep the DDoS traffic out of your systems. But if the link to them is taken down by flooding they still accomplished their goal. Nor clear what it gets them apart from shits and giggles, the occasional bit of corporate blackmail notwithstanding.

3 0 Reply
1. Sunday 4th March 2018 23:48 GMT Nanashi
  
  Re: IPv6 and CIDR
  
  You say "of course" but I can't see how CIDR would make it impossible to null-route a subnet.
  
  1 0 Reply
Monday 5th March 2018 12:20 GMT Spudley

So the upshot of this article is that IPv6 has *finally* gotten enough adoption that it's worthwhile for the black-hats to take time to start attacking it.

After hearing endlessly for most of the last decade about how IPv6 is imminent, all I can say is, it's about time.

Let's be honest, there's no perfect security, so whatever we use, we will get attacked. If we all move to IPv6, we will get attacked via it. But we're currently getting attacked via IPv4, so nothing will change; it's not like IPv6 is more dangerous to use.

1 0 Reply
Monday 5th March 2018 17:02 GMT EnviableOne

I think we need a v7 with an address space that is less overkil, and a bit more privacy built in.

if we used a MAC address sized space (2^48) rather than the Ipv6 monster

headers get smaller, and there is plenty of address space for use, along with scope for nat and feasable dotted decimal repreentations ....

0 2 Reply
1. Tuesday 6th March 2018 05:05 GMT Anonymous Coward
  
  That was IPv5. The devices hiding behind NAT are already well past a 2^48 bit sized address space - EUI-64 had to be introduced years back to extend MAC to 2^64 bit address space. Then there is 2^64 for network route information. Combining those we find ourselves back at the same size *and* layout of an IPv6 address.
  
  3 0 Reply
  1. Friday 9th March 2018 13:09 GMT EnviableOne
    
    IPv5 = RFC1819 Internet Stream Protocol
    
    EUI-64 is just a way to extend a MAC-48 to give a unique IPv6 address (adding FF:FE between OUI and Device Identifier)
    
    The MAC address 0021.86b5.6e10 (48 bit) becomes
    
    the EUI-64 address 0221.86ff.feb5.6e10 (64 bit)
    
    if you employ the same space saving measures used in IPv6 with the smaller address space and extend the ASN field from IPv4 you end up with plenty addresses to use!
    
    2^48 is more than enough address space, and when your talking 4 addresses in an IPSEC packet, it makes a huge overhead difference.
    
    0 0 Reply
    1. Saturday 10th March 2018 11:09 GMT Charles 9
      
      Wasn't the same said about 640KB of RAM?
      
      0 1 Reply
Tuesday 6th March 2018 10:08 GMT j0hnd0e

Not first IPv6 DDOS/DOS/DRDOS

THC.org has demonstrated DoS/DDoS/DrDoS problems with IPv6 over a decade ago. RTFM. So many clueless people thinking they know something nobody can be bothered to even lightly research any claim. No wonder fake news rules.

0 0 Reply