Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

We can be forgiven for not having weaned ourselves onto IPv6 earlier. It's been around in draft form since late 1998, but was only released as a standard in July 2017 (that'll be RFC 8200). That this has finally happened, though, means we're being told more loudly than ever that we no longer have an excuse. So do we have one? …

  1. Lee D

    *COUGH*

    dig AAAA theregister.co.uk

    ....

    Still nothing. Coming on to 8 years of me saying this now. It only took 6 years to get SSL'd, though.

    And the bit about running dual-stack on everything is a nonsense. What you run internally makes absolutely no difference at all. Sort out your edge first, so you can talk modern protocols OUT. The inside bit literally doesn't matter as you'll never run out of addresses or see any IPv6 advantage on an internal network, unless you literally have 16,777,216 devices inside your network (the limit of the 10.0 ranges).

    To my knowledge, there's not a single piece of software that *demands* IPv6 internally all the way to the net. However, it won't be long before websites *demand* that you access them over IPv6. So all you need is your edge/gateway/router/proxy to support IPv6 and translate / proxy accordingly (gosh, if only there was a technology that could perform Network Address Translation.... oh, no, sorry, some fools condemned all that because "IPv6 would fix it all"... all that stuff that's not actually broke...)

    1. Marco Fontani

      Meanwhile, dig AAAA regmedia.co.uk will give you a result. We've had IPv6 on the domain used to serve most images from since donkeys ago, as it was easy enough. For the main domain, there's still a bit of work to do.

      As I stated the last time, IPv6 is an ongoing "icing on the cake" thing, with no "business priority" whatsoever. It'll get finished when feasible.

      As you also state, there's no requirement to demand IPv6 at this point in time.

      Even if you had an IPv6-only connection, you'd still be able to access an IPv4-only site via a tunnel, in the exact same way I'm currently accessing the IPv6 web, since my "business" ISP is utterly unable to give me a native IPv6 connection.

      It'll come, Soon® (but unlikely to come this month)

      1. Steve the Cynic

        since my "business" ISP is utterly unable to give me a native IPv6 connection.

        And yet my consumer ISP switched me to fibre from ADSL a couple of years ago, and fully native IPv6 came with it (and just worked).

        1. Marco Fontani

          Different countries' ISPs have different priorities regarding IPv6 roadmaps :/

          1. Steve the Cynic

            Different countries' ISPs have different priorities regarding IPv6 roadmaps :/

            You're not wrong. My ISP is the "incumbent" in France (although I'm guessing you knew the "in France" part), France Telecom (that bought Orange and then took Orange's name for itself). They had a reputation (among French ISPs) for dragging their heels on IPv6 (and I believe that on ADSL lines they still are, somewhat), but on their new fibre network (full FTTP, thanks), they hand out /56 prefixes.

      2. Lee D

        As always, it's not the technicality, it's the hypocrisy.

        You can't write articles that have the following quotes and keep a straight face while you're claiming that you don't need IPv6 as a priority:

        ---

        "That this has finally happened, though, means we're being told more loudly than ever that we no longer have an excuse."

        "As the world moves to IPv6, you need to support it for your internet-facing devices. Expect people using your extranet portal to insist on IPv6. Expect people with whom you establish IP tunnels over the internet to demand it too. So, you could take the unilateral decision to stick with just IPv4 on your internet-facing setup, but as the world changes it'll leave you behind."

        "You therefore need to start supporting IPv6, even if your heart still belongs to IPv4."

        "You still need to support IPv6 to some extent, even if you're not deliberately using it."

        "but externally you have to support both IPv4 and IPv6 if you're to ensure that everyone can get at, say, your website."

        "Let's imagine you have a web server, because you probably do. In our brave new world, you need to make it available to people via both IPv4 and IPv6 – because like it or not, there will soon be people out there who only do IPv6 and you increasingly need to support them."

        ---

        Why should I tolerate an article from a group of people who write telling me what I *should* / *must* / *ought to* do, every month, for years, without fail, when a) I've already done that, b) they haven't even done it themselves!

      3. ZeroSum

        > It'll come, Soon® (but unlikely to come this month)

        Actions speak louder than words.

    2. Steve the Cynic
      Pint

      *COUGH*

      dig AAAA theregister.co.uk

      ....

      Still nothing. Coming on to 8 years of me saying this now. It only took 6 years to get SSL'd, though.

      I came to the comments page expecting some snark about El Reg's lack of AAAA, and the very first post totally failed to disappoint. See icon as congratulations.

    3. Anonymous Coward

      > dig AAAA theregister.co.uk

      I think that would be a fair criticism if ElReg was a consultancy, but they're a news outlet. So it's legitimate to yell "FAKE ipv6 address!" but less legitimate to say "AAAA.news".

    4. Anonymous Coward

      @LeeD

      You can't translate between IPv4 and IPv6 on a router in the same way as something like NAT. Both sides need to support IPv6 and everything in between.

    5. Anonymous Coward

      "won't be long before websites *demand* that you access them over IPv6"

      Huh? Given that countless thousands of websites can be hosted from a single IP address, I don't see any pressing need for websites to try to push people towards IPv6 access, even in countries that are by necessity adopting IPv6 well ahead of us laggards in the US and UK.

      Why would websites demand IPv6 access? What's in it for them? How does reducing their potential audience benefit them in any way? How much more could their hosting provider really charge them for the use of a tiny fraction of one IPv4 address?

      I wouldn't be shocked if I could carry on ignoring IPv6 and using IPv4 alone for the next twenty years. Maybe it'll stop working then, because of unfixed Y2038 problems that were ignored because "no one will still be using IPv4 by then".

      1. Nanashi

        Re: "won't be long before websites *demand* that you access them over IPv6"

        Facebook have measured their site as loading 10-15% faster over v6. That seems like something that websites ought to be interested in, no?

        Having v6 on your website doesn't reduce your potential audience. I'm not entirely sure where you got that idea from.

        1. Anonymous Coward

          Re: "won't be long before websites *demand* that you access them over IPv6"

          I'm not aware of anything inherent in IPv6 that makes it more efficient at carrying TCP/IP. Maybe the routing is more efficient, but that's certainly not a reason for a website to demand people access them over IPv6.

          1. gnarlymarley

            Re: "won't be long before websites *demand* that you access them over IPv6"

            Ummm, I think we gave up with the IPv6 demands about five years ago. Instead we just went with NAT64 gateways back then. If folks really want to know the real IP of who is connecting instead of the gateway, they would already be using IPv6.

    6. Jamie Jones

      (gosh, if only there was a technology that could perform Network Address Translation.... oh, no, sorry, some fools condemned all that because "IPv6 would fix it all"... all that stuff that's not actually broke...)

      Wrong. IPv6 NAT exists, and is as easy as IPv4 NAT.

      Just because some "fools" say you no longer need to NAT, you can if you want. Heck, there is also DHCP6 and IPv6 private-lan address ranges if you really want to stay old school and stick with ip4 type restrictions.

      Please don't make stuff up to suit your argument, or call people fools because they understand the headaches NAT can cause. It makes you sound like Trump.

    7. David Crowe

      Why would any network demand that you use IPv6 to access it? Unless it wants to cut itself off from a lot of the world?

  2. Palladium

    NAT

    Damn you NAT, why are you still so good at your job?

    1. Anonymous Coward

      Re: NAT

      So good, in fact, that I can send this from a private IPv6 address through a router that is using a dynamically assigned IPv6 address in an IPv6 block which it was assigned yesterday when I turned it back on.

      IPv6 supports NAT and Dynamic IP 100%, people telling you differently are spreading fake news.

      1. FIA

        Re: NAT

        IPv6 supports NAT and Dynamic IP 100%, people telling you differently are spreading fake news.

        Isn't that the point? I must confess I've not read up on IPv6 for a while now, but the impression I got last time I did the reading is that I'd have all my internal devices on the private range (terminology??) and then use NAT to translate the first 64 bits (or whatever size subnet the ISP gives me) to the external range.

        Then I'd have fixed internal IPs and bidirectional NAT would still allow everything to be externally addressable if I so desired as there's a one to one mapping with the last 64 bits.

        Or has all this changed or I misunderstood?

        Seemed like an elegant way of having a dynamic IP and publicly addressable stuff.

        (Obvs there'd be a firewall in there too so you'd have to explicitly allow access, but still...)

        1. Nanashi

          Re: NAT

          Normally you would just use your global addresses on the LAN. If you have a dynamic prefix and you want a fixed LAN range, you can run ULA on the LAN at the same time as the global addresses. It's not necessary to invoke any form of NAT at all to do any of this.

        2. Steve the Cynic

          Re: NAT

          Or has all this changed or I misunderstood?

          It hasn't changed, and you have misunderstood. I think.

          At home, my router is given a fixed IPv6 prefix, 2a01:stuff::/56, by my ISP. That doesn't change, even though the public IPv4 of its WAN interface changes every time anything reboots or disconnects/reconnects the router. (The key point, I think, is that that prefix belongs to the LAN interfaces of the router, not the WAN interface.)

          The router then distributes this prefix to the machines in my local network that need it(1). Being a 2a01 prefix, it's globally valid, not ULA, and there is no IPv6 NAT needed.(2)

          And yes, there's a firewall in there. A UTM, more specifically, which does a substantial amount of intrusion prevention and stateful inspection (and is even configured to tolerate this and that and the other alarm-raising behaviour ONLY from that small list of external addresses; some wacky behaviour on the part of the Steam store CDN, mostly).

          (1) The Windows 2000 VM that I boot up occasionally does not have IPv6 configured, so it doesn't have any need of this stuff.

          (2) That's almost true, but the IPv6 NAT that's needed is done by the UTM/IPS firewall to redirect DNS requests that are supposedly going to the WAN routerbox to instead go to an RPi that's running an Active Directory DC on Samba 4+ and Samba's internal DNS support. Windows 10 seems to behave very oddly if you configure automatic addressing and a forced DNS server address. Internet access *works* just fine, but the "you have Internet connectivity" detector thinks you're not connected.

          1. Jamie Jones

            Re: NAT

            Steve and FIA, you're both right!

            Steve, what you are describing is the "typical" fixed network setup - much the same as if, in the IPv4 world, you had a block of IPv4 addresses allocated to you.

            What FIA is remembering is IPv6-to-IPv6 Network Prefix Translation (NPTv6), which is more or less as he/she remembers, but is designed not as a solution for home networks (obviously, there are enough IPv6 addresses around where this isn't necessary), but for portable networks, or networks which might change provider, and/or certain multihome situations. More reasons why this would be useful are in the first link:

            https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/nptv6-overview

            http://www.rfc-editor.org/rfc/rfc6296.txt

            But yeah, as Steve described, the general experience will be with a permanently static address range - NPTv6 would have more niche uses.

    2. naive

      Re: NAT

      And reverse web proxies like HAProxy, which by using SNI significantly reduce the need for external IP addresses.

      1. Lee D

        Re: NAT

        Reverse proxies also allow access to IPv6 websites when you have no internal IPv6 whatsoever. Kind of the point of a proxy, in fact.

  3. A Non e-mouse

    Birth of IPv6

    Whilst July 2017 may be the date of the (latest) RFC for IPv6, some of us have been running IPv6 for over a decade...

  4. AustinTX
    FAIL

    Never!

    IPv6 is all who-knows-how it works all-behind-the-scenes and I have no way of knowing if a hostile entity is punching straight through my firewalls or even re-routing my traffic because he knows the IPv6 secrets and my stupid SOHO router merely "supports" it.

    1. HighTension

      Re: Never!

      NAT is *not* a security feature! Firewall policies and rules are applicable to IPv6 in the same way as IPv4. Eg in shorewall, a policy for a simple two-interface firewall looks like:

      #SOURCE #DEST #POLICY #LOG LEVEL

      int net ACCEPT

      fw net ACCEPT

      all all DROP info

      works equally well for both - accept outbound connections from the internal network and the firewall, drop and log everything else. It's really not that complicated, and with no NAT it's way more flexible (no more port-forwarding!)

      1. Sam Liddicott

        Re: Never!

        > NAT is *not* a security feature!

        and yet it successfully prevents unwanted external access for so many users, while permitting desired external access through UPnP and NAT helpers.

        Have you tried pushing an unexpected connection through a NAT router?

        1. HighTension

          Re: Never!

          With /horrible/ things like UPnP on consumer routers (which more often than not implement it and other things badly or incorrectly), it's not NAT that really provides the real security, it's the firewall (which on every consumer router I've seen in the last decade is turned on by default).

          And just to reiterate, at no point did I claim that NAT is not possible with IPv6. It's just not necessary.

          1. defiler

            Re: Never!

            And just to reiterate, at no point did I claim that NAT is not possible with IPv6. It's just not necessary.

            I was under the impression that NAT was regarded as a "bad thing" on IPv6, and that since everyone had a publicly routable address you shouldn't ever be using it.

            I do get people's reticence to abandon the safety net of IPv4 NAT, but it's really as simple as dumping any packets that aren't on an "established" session on the firewall. Shit, Draytek do that straight out of the box (although they didn't initially - oops!)

            My bugbear with IPv6 is that it was invented by somebody (or 1000 somebodies) looking at IPX with all of its autoconfiguration, and they pinched bits. But not enough to just let the client figure itself out. In the meantime we got stuff like DHCP for IPv4 and we're happy with that, but we suddenly have to configure using two mechanisms for IPv6? The firewall is absolutely the least of my worries...

            1. Simon Hobson

              Re: Never!

              I was under the impression that NAT was regarded as a "bad thing" on IPv6

              It's a "bad thing" on IPv4 as well. The problem is that so many people have never seen the efforts that have gone into working around the breakage it causes, haven't seen the countless piles of cash that (for example) VoIP providers have had to invest in proxy machines to work around how NAT breaks SIP. Not even good old FTP works without help from an ALG in the NAT gateway.

              Besides, with "home" routers coming with UPnP turned on by default, your security from NAT is (while not completely useless) severely compromised since ANY device on your network can ask the router "please open wide these inbound ports for me" and get them.

              So in response to the printer comment, all it takes is for ANY internal device to fake a UPnP request from the printer to the router and the printer can be accessible from the outside.

              There may be things that make IPv6 "difficult" - not using NAT isn't one of them.

        2. Christian Berger

          Re: Never!

          "Have you tried pushing an unexpected connection through a NAT router?"

          Well that usually doesn't work when you want it to work... usually thanks to ALGs you can sometimes get it to work by spoofing some data on a seemingly unrelated connection. (i.e. downloading a file over HTTP which contains FTP commands)

        3. Nanashi

          Re: Never!

          Have you tried pushing an unexpected connection through a NAT router?

          I have -- it worked fine. The form of NAT that we're talking about here (`iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`, right?) only applies to outbound connections (that's the "-o wan0" part); it has no impact on inbound ones, which won't match the rule above.

          If you have a router that's NATing outbound connections, you can still do inbound connections just fine unless some other aspect of the router or network setup (such as... a firewall) prevents it.

          (I know that most networks have those aspects, but I set one up that NATed outbound connections yet still had working inbound connections just to prove that doing so does in fact work, and that it's not the NAT that's breaking the inbound connections.)

          1. Charles 9

            Re: Never!

            "If you have a router that's NATing outbound connections, you can still do inbound connections just fine unless some other aspect of the router or network setup (such as... a firewall) prevents it."

            How does one actually connect to an RFC1918 address behind a NAT without the inside connecting first? That's one reason a NAT is considered a safeguard: because it allows the LAN to use addresses that normally aren't routable on the outside, a defense in itself like an unpublished phone number.

            1. Anonymous Coward

              Re: Never!

              Exactly. Whoever wrote that obviously doesn't understand NAT, and that it doesn't need a firewall to provide security. How is anyone going to send packets to a PC at 192.168.1.100 from outside the NAT unless ports are being forwarded, or even send packets to the router unless there are open ports on the router on the WAN interface side. Typically management from e.g. HTTP is only enabled on the LAN by default, so the clueless home user doesn't have to worry about it.

              Security may not have been the reason for its existence, but it was a highly serendipitous benefit.

              1. Terafirma-NZ

                Re: Never!

                @DougS

                Wow, and if you dig a hole in your driveway that should stop thieves getting to your house, or at least by your description.

                NAT provides no security whatsoever; the printer mentioned above only needs to initiate a single outgoing packet to the router that will then open a port public side, and any (that is ANY!) internet traffic that hits that port public side will be sent to the printer. About time people stopped confusing the basic "established" firewall rules used in home router devices for NAT providing security!

                As for how someone can route to your 192.168.1.0/24 IP space at home behind your NAT device: quite easily, remember the box is just a router passing traffic from any connected subnet to another. This assumption just says I expect my ISP to not forward traffic using private addressing on the source or destination, and most don't do this. There are varying methods to get traffic destined to your private range at home to pass over the net.

                NAT simply states if traffic passing the router meets this rule then change the source/destination IP and/or port to something else, if it does not meet this rule then pass it unmodified. <- here see no security at all!

                Your firewall is what says if this traffic is from the WAN and is not for an established connection in the connection tracking table then drop it usually via the implicit deny any any rule at the bottom.

                Sure plenty of you will go on thinking NAT provides security until your IPv6 printer starts spitting out pages of unwanted messages - of course it won't as your ISP will have enabled the firewall by default.

                This doesn't even account for the open wireless access point installed on most home printers these days (a quick scan of my neighborhood shows plenty)

                1. Charles 9

                  Re: Never!

                  "Wow and if you dig a hole in your driveway that should stop thieves getting to your house, or least by your description."

                  Well-known technique. It's called a fosse. Now the thief has to cross the gap first, and most thieves don't come with ladders.

                  "As for how can someone route to your 192.168.1.0/24 IP space at home behind your NAT device. Quite easily remember the box is just a router passing traffic from any connected subnet to another. This assumption just says I expect my ISP to not forward traffic using private addressing on the source or destination and most don't do this. There are varying methods to get traffic destined to your private range at home to pass over the net."

                  But how does it work the other way, the way wardrivers are probing for devices behind the NAT? Since they're the ones initiating the connection, not the inside, how would they get through if the address is RFC1918 or some other range that's not supposed to be routable, or even routable to more than one destination?

                  1. HighTension

                    Re: Never!

                    Because, in the absence of a firewall, they can probe all ports on the public IP, and if they find any open, one or more of those could be the open external port of a NATed session. If they connect to said IP/port, they can reach the device behind the NAT.

                    1. Charles 9

                      Re: Never!

                      Exploiting an open connection is always an option, NAT or no. But if the internal device is purely internal (does not connect to the outside), then you basically have no way in if you're trying to connect from the outside, and you don't need the firewall for that; it's simply a matter of the basic rules causing incompatible routing. I originally said an unpublished number but it's more like a PBX: without a pre-existing route or help from the front desk, you can't just dial into any old extension in the system.

                      Put another way: why is Carrier-Grade NAT considered such a PITA if not for that catch?

                      1. HighTension

                        Re: Never!

                        @Charles9: One of the commentards was talking about a Home/SOHO router. You have to assume in this case that most devices behind it will be trying to talk to something on the outside (looking for updates, phoning home, checking for mail/tweets etc). And if nothing is connecting in or out you'd not really need any NAT anyway!

            2. Nanashi

              Re: Never!

              How does one actually connect to an RFC1918 address behind a NAT without the inside connecting first?

              Hey, I didn't say anything about RFC1918. We're talking about NAT here (the thing you get from doing `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE` with netfilter, yes?). You can use RFC1918 without NAT and you can use NAT without RFC1918; they're two separate things.

              It's true that running a network on RFC1918 will drastically limit the set of people that can connect to it, but a) some people (e.g. your ISP, your government) can still connect, so it's not secure, and b) RFC1918 isn't NAT, so even if you think using RFC1918 makes you secure, it's still not NAT that's doing it.

              If anybody doesn't believe me, feel free to set up a few VMs and test it for yourself.

              1. Charles 9

                Re: Never!

                Wouldn't really matter either way. It's just that using RFC1918 addresses makes it that much more likely the packet stays inside.

                And I've got a better one for you. Why don't you prove it actually happens in real life by describing the means to do it using a spare home router, meaning one can easily do it at home using actual physical devices and wires?

      2. HighTension

        Re: Never!

        Wow, two thumbs down for that! Some real IPv6 loathing on here!

        1. Anonymous Coward

          Re: Never!

          Two thumbs down for repeating the myth that supporting IPv6 requires you to ditch your NAT.

          1. Chronos

            Re: Never!

            I don't see where HT said you must ditch NAT. What was said was that creating the exact same stateful filtering that NAT serendipitously provides is piss easy if you want to use globals on your internal network.

            The real myth here is that NAT is some kind of firewall. If that were true, why do we keep seeing C&C channels tunnelling in and out of RFC1918 nets?

            There's also the little "incompatibility" myth, which is shorthand for "oh fuck, we're going to have to do it properly this time" because you don't have the crutch of NAT being required to make your link to the outside world useful, which is what this argument really boils down to: We've all got comfortable with assuming there's a NAT layer there to do all your state tracking for you. Now you're going to have to write the dreadfully complicated few lines of firewall rules yourself. Mercy!

            Cue the "I can't remember prefixes with hex words in them" wailing and gnashing of teeth.

            1. Anonymous Coward

              Re: Never!

              Now you're going to have to write the dreadfully complicated few lines of firewall rules yourself. Mercy!

              No you're not.

              IPv6 supports everything IPv4 does. There's no need to make adopting it unnecessarily difficult by demanding people study long sysadmin courses just to set up their home network.

              1. Nanashi

                Re: Never!

                It's not exactly horribly difficult though, is it? If you know how to run these four commands:

                iptables -P FORWARD DROP

                iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

                iptables -A FORWARD -i lan0 -j ACCEPT

                iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE

                then you already know how to run these three commands:

                ip6tables -P FORWARD DROP

                ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

                ip6tables -A FORWARD -i lan0 -j ACCEPT

                It doesn't take a long sysadmin course to learn how to not run one command! What's everybody so afraid of?

                For the other 99% of people who don't know to set up the necessary firewall rules for a NATed network in v4, it's even simpler: just plug in the ISP-provided dumb box and away you go, just like you've always done it.
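                Added example, not code from any post above or from any project: a small Python model of the router Nanashi describes, with the FORWARD chain (policy DROP, ESTABLISHED accept, accept from lan0) and the POSTROUTING MASQUERADE rule as separate pieces, to show that the NAT rule only rewrites outbound flows while the FORWARD rules are what drop an unsolicited inbound connection. Addresses, ports and the conntrack/NAT bookkeeping are constructed simplifications of netfilter, not its real implementation.

```python
"""Toy model of a Linux router's FORWARD chain, conntrack and MASQUERADE.

NAT (the POSTROUTING MASQUERADE rule) only rewrites outbound flows; the
FORWARD chain (policy DROP + ESTABLISHED accept) is what blocks unsolicited
inbound connections. All addresses are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP = "203.0.113.7"  # constructed: the router's public IPv4 address


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on: "lan0" or "wan0"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: optional conntrack-state and input-interface match."""
    target: str
    state: Optional[str] = None   # models "-m state --state ESTABLISHED"
    in_if: Optional[str] = None   # models "-i lan0"

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.state is not None and self.state != state:
            return False
        return self.in_if is None or self.in_if == pkt.in_if


class Router:
    def __init__(self, rules, policy: str, masquerade: bool):
        self.rules = list(rules)
        self.policy = policy          # "-P FORWARD <policy>"
        self.masquerade = masquerade  # "-t nat -A POSTROUTING -o wan0 -j MASQUERADE" present?
        self.conntrack = set()        # 4-tuples of accepted flows, both directions
        self.nat_map = {}             # reply tuple as seen on wan0 -> original (src, sport)
        self.next_port = 40000

    def forward(self, pkt: Packet):
        """Return (verdict, packet as it leaves the router, or None if dropped)."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        verdict = self.policy
        for rule in self.rules:            # first matching rule wins
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict != "ACCEPT":
            return "DROP", None
        out = pkt
        if state == "NEW":
            if self.masquerade and pkt.in_if == "lan0":
                # POSTROUTING: rewrite the source of an outbound flow only
                port, self.next_port = self.next_port, self.next_port + 1
                out = replace(pkt, src=WAN_IP, sport=port)
                self.nat_map[(pkt.dst, WAN_IP, pkt.dport, port)] = (pkt.src, pkt.sport)
            self.conntrack.add(key)
            self.conntrack.add((out.dst, out.src, out.dport, out.sport))
        elif key in self.nat_map:
            # reply to a masqueraded flow: undo the translation
            orig_src, orig_sport = self.nat_map[key]
            out = replace(pkt, dst=orig_src, dport=orig_sport)
        return "ACCEPT", out


def nat_only_router() -> Router:
    """Only the MASQUERADE rule; FORWARD left at the Linux default policy, ACCEPT."""
    return Router([], policy="ACCEPT", masquerade=True)


def firewall_router(masquerade: bool) -> Router:
    """The three FORWARD rules from the post, with or without the NAT rule."""
    rules = [Rule("ACCEPT", state="ESTABLISHED"), Rule("ACCEPT", in_if="lan0")]
    return Router(rules, policy="DROP", masquerade=masquerade)


def demo(router: Router) -> dict:
    """Push an outbound flow, its reply and an unsolicited inbound SYN through."""
    pc, printer, remote = "192.168.1.50", "192.168.1.100", "198.51.100.10"
    v_out, sent = router.forward(Packet("lan0", pc, remote, 51515, 443))
    reply = Packet("wan0", sent.dst, sent.src, sent.dport, sent.sport)
    v_reply, delivered = router.forward(reply)
    v_in, _ = router.forward(Packet("wan0", "198.51.100.99", printer, 40001, 9100))
    return {"outbound": v_out, "reply": v_reply, "reply_dst": delivered.dst,
            "unsolicited": v_in}


if __name__ == "__main__":
    print("NAT only:        ", demo(nat_only_router()))
    print("firewall + NAT:  ", demo(firewall_router(True)))
    print("firewall, no NAT:", demo(firewall_router(False)))
```

With the NAT rule alone the unsolicited packet to the printer is forwarded untranslated; the firewall variants drop it whether or not MASQUERADE is present, which is the ip6tables case with the nat line simply left out.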

              2. Chronos

                Re: Never!

                IPv6 supports everything IPv4 does. There's no need to make adopting it unnecessarily difficult by demanding people study long sysadmin courses just to set up their home network.

                There, you just did it again. Please stop putting words into people's mouths. Nowhere did I say that home users will have to do this; the router folks can and should do it by default. It's utterly trivial for a consumer router to know which interface is the LAN and which is the WAN and construct the firewall with or without NAT to a safe default. Of course, they probably won't, given the historical state of UPnP, WPS and so on being similar in quality and thought for the end user as a British Leyland car built in the 70s, but that's not my problem unless and until I get a job at Draytek et al.

                We, the El Reg commentards, are not consumers. If you want a discussion on consumer broadband, head on over to ThinkBroadband or Kitz where you will find untold thousands of like-minded users. The article addresses, therefore the comments are about, proper networking rather than consumer "hit generic chipset with a lump hammer until it sort of works, apply logo to /fs-overlay/var/www/images and ship" routers.

                For the avoidance of doubt, nobody was or is saying that v6 doesn't support NAT, that NAT should be ditched on consumer networks or that it'll require at least a CCNA to set up v6 in the home.

            2. HighTension

              Re: Never!

              Thanks for your support Chronos. Unfortunately it seems stating facts is not a way to popularity. Perhaps it was the wording "with no NAT", which I should have phrased as "no requirement for NAT".

              Having end-to-end addressing is also vastly more convenient for difficult protocols like SIP/RTP, IPSec, FTP and so on, without having to work around endless brain-dead ALGs and helpers that never work properly.

              1. Anonymous Coward

                Re: Never!

                Arguing over NAT isn't productive for encouraging people over to IPv6. Better to explain that they can still use a feature than to try to convince them that they don't want that feature.

                Characterising the downvotes on your post, which was about why not to use NAT, as people downvoting a post in favour of IPv6 will inevitably have escalated that issue.

              2. Chronos

                Re: Never!

                Thanks for your support Chronos. Unfortunately it seems stating facts is not a way to popularity. Perhaps it was the wording "with no NAT", which I should have phrased as "no requirement for NAT".

                Having end-to-end addressing is also vastly more convenient for difficult protocols like SIP/RTP, IPSec, FTP and so on, without having to work around endless brain-dead ALGs and helpers that never work properly.

                See my other reply to the accusation of wanting to turn Auntie Mabel into the BOfH when I said nothing of the sort. It seems we're going to have to become proficient in the sort of anal retentiveness QCs need to read and redraft proposed legislation if we want to comment on here in future - which sort of makes the transition to IPv6 seem like child's play by comparison.

            3. JohnFen

              Re: Never!

              "The real myth here is that NAT is some kind of firewall"

              I don't see anyone here claiming that it is.

              1. Chronos

                Re: Never!

                "The real myth here is that NAT is some kind of firewall"

                I don't see anyone here claiming that it is.

                Okay, you got me on that one. Hypocrisy from my side, for which I apologise.

          2. HighTension

            Re: Never!

            Can you point out exactly where I said that? All I was trying to point out is that you don't really /need/ NAT for IPv6, and it certainly doesn't automatically mean any real loss of security. I see I now have ten thumbs down for a technically correct post!

      3. katrinab Silver badge

        Re: Never!

        "NAT is *not* a security feature!"

        Except that it is. For example, I don't need to worry about the possibility that spammers might decide to print ads on my printer, because I haven't forwarded any ports from outside to it.

      4. Bob Camp

        Re: Never!

        NAT isn't technically a security feature. And collusion isn't technically a crime. However, collusion has over a dozen different crimes associated with it. And all of THOSE crimes ARE illegal. Quit playing the semantics game; as an American, I'm well aware of this game and am tired of it.

        IPv4 NAT forces you to use your router, which in turn forces you to use your router's firewall. And if something breaks, it fails safely and blocks all Internet traffic until you fix it. That is a security feature, and one that the industry has used as a crutch for a long time. Home users doubly so.

        1. Anonymous Coward
          Anonymous Coward

          The security comes from FORCING people to use NAT

          If IPv4 addresses were plentiful enough that NAT never existed in consumer-level products, most people would have had their PC and other home devices directly exposed to the internet. Wireless APs would not be routers, because they wouldn't need to route. They'd bridge your wireless and wired nets, and wireless devices would be directly exposed to the internet.

          The average person would be at the mercy of their ISP for security, hoping that their cable/DSL modem provided a firewall, and that the firewall defaulted to on. OK, in 2018 even crappy ISPs like Comcast would do that, but 10 years ago? Many people would have been unprotected, and even though things would be bad and ISPs would encourage people to enable the firewall, they would be loath to force the config on everyone because they'd know how many things that used to work would break and how many support calls they'd get. They'd wait until the user upgraded something and needed a new modem, and give them one with the firewall on by default.

          The hacks they could blame on the end user, or Microsoft, or anyone else but themselves. If they pushed a new config on people's equipment they'd have to take the blame from angry customers themselves.

    2. Anonymous Coward
      Anonymous Coward

      Re: Never!

      So set your stupid SOHO router to use one of your IPv6 addresses and NAT the rest of your network using the private IP range fd00:whateverthehellyoulike.

      Discard the remaining public IPv6 addresses, people are giving them out in bulk because they cannot envisage a day when we'll ever need that many. Learning from history is not a part of the IPv6 spec.

      1. springsmarty

        Re: Never!

        Learning from history is not a part of the IPv6 spec.

        That's the most insightful sentence in this discussion.

  5. Primus Secundus Tertius

    DNS is the answer

    I don't need IPv6. I browse www.theregister.co.uk, and I email news@theregister.co.uk.

    The funny numbers behind that are someone else's problem.

    1. hmv

      Re: DNS is the answer

      Well yes and no.

      The DNS names work fine as long as the funny numbers behind the scene continue to work. Those in charge of funny numbers have decided IPv4 is broken and the fix is IPv6; argue as much as you like but if you ignore IPv6 and refuse to implement it, sooner or later your Internet breaks. Probably later, but no guarantees.

    2. JohnFen

      Re: DNS is the answer

      "The funny numbers behind that are someone else's problem"

      I guess I must be that "somebody else", because I use raw IP addresses on a daily basis. (Before everyone dogpiles on me, I'm not saying that IPv6 addresses are so complex that they are a huge problem -- but they do increase the necessary cognitive load.)

      1. Anonymous Coward
        Anonymous Coward

        Re: DNS is the answer

        a) We're running out of numbers!

        b) We'll add more numbers.

        a) There are too many numbers!

        1. JohnFen

          Re: DNS is the answer

          "a) There are too many numbers!"

          That's not the issue. The format is the issue.

  6. Wellyboot Silver badge

    IPX - blast from the past

    >>You couldn't talk to an IPX-based NetWare server using IP<<

    At the time an IP stack was an expensive memory-eating add-on for most systems.

    We had enough trouble with IPX keeping all the monolithic drivers using the same 802.2 or 802.3 frame type. (VLANs before the term was invented!)

    1. A Non e-mouse Silver badge

      Re: IPX - blast from the past

      You couldn't talk to an IPX-based NetWare server using IP

      In NW3 & 4 you could use a package (Can't remember its name, memory fading) that allowed you to encapsulate IPX inside IP.

      NW5 had first class IP support (Although it took a long time for third party software/devices to catch up)

  7. monty75
    Joke

    Take the MacBook Pro I'm typing this on, whose Network control panel tells me that my IP address is 192.168.1.150

    Aha! Now I can hack The Reg and extort you with my l33t ransomware!

  8. Anonymous Coward
    Anonymous Coward

    Zero mention of firewall problems?

    There are a few more gotchas, which is why I applaud the comment about making sure you can spot IPv6 devices on your network.

    The challenge IPv6 brings is that it has more features that your firewall either doesn't know about, or that will force you into a decision to support it or not.

    The extensible headers in IPv6, for instance, were identified as a risk a good 10 years ago because you can easily build a covert communications channel with them. The problem with all those features is that, the Internet being the Internet, someone will come up with a way to use them that may be useful, and then you'll be facing the problem of traffic inspection et al.

    One of the nice features of NAT was that it made a device less addressable if it didn't originate the connection because there was no return map for the traffic (the router would not know which internal IP address to forward the traffic to). IPv6 can allow direct interaction with devices on your LAN if there's no similar approach in place, and that is a recipe for all sorts of problems.

    Yes, we have to do IPv6. No, it won't be easy. We will now have to learn what countries like Japan have already gone through a while back. Ironic: because the US limited the IPv4 pool Japan could have, they're now something like a decade ahead in IPv6 deployment and use.

    1. Anonymous Coward
      Anonymous Coward

      Re: Zero mention of firewall problems?

      They're ahead in IPv6 use, but what advantages does that give them over IPv6 laggards like the US? None that I can see. If anything, being a laggard is a good thing because all the bugs will have been worked out of IPv6 implementations by the time us foot draggers finally join in. And perhaps the powers that be will have decided on ways to fix the issues with IPv6, by for instance blocking the ill-conceived extensible headers in a firewall by default.

  9. Giovani Tapini
    Mushroom

    Well configured edge firewall

    How many shops now have lots of firewall rules for IPv4 and the equivalent of no rules for IPv6, by pretending it's not really there? That's also likely to lead to little monitoring of traffic etc. Hack via IPv6 for unlimited access and no alarms in the near future for the masses then...

    1. hmv

      Re: Well configured edge firewall

      Well with my firewall (effectively IPv4 only), I can turn on IPv6 and the rules automatically apply to that traffic too.

      A firewall that allows unknown traffic is fundamentally broken.

      1. Charles 9

        Re: Well configured edge firewall

        "A firewall that allows unknown traffic is fundamentally broken."

        It is also par for the course and expected behavior on today's Internet. Trust no one, not even yourself.
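The "lots of IPv4 rules, no IPv6 rules" situation in the two posts above is easy to catch mechanically. This added example (not code from the thread or from any poster) parses constructed iptables-save and ip6tables-save dumps and reports every chain whose IPv6 side is weaker than its IPv4 side; the sample rulesets are made up for illustration.

```python
# Added example (not from the thread): compare an iptables-save dump with the
# matching ip6tables-save dump and report where the IPv6 side is unfiltered.
import re
from dataclasses import dataclass, field

# ":CHAIN POLICY [packets:bytes]" lines declare a chain and its default policy;
# "-A CHAIN ..." lines append a rule to it. Both dumps share this format.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


@dataclass
class Chain:
    policy: str                                   # ACCEPT, DROP, REJECT or "-" for user chains
    rules: list = field(default_factory=list)     # raw rule bodies, in order


def parse_save(text):
    """Parse iptables-save / ip6tables-save output into {table: {chain: Chain}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # "*filter", "*nat", ...
            table = line[1:]
            tables[table] = {}
        elif line == "COMMIT":
            table = None
        elif table is None:
            continue                              # stray line outside a table block
        elif m := CHAIN_RE.match(line):
            tables[table][m.group(1)] = Chain(policy=m.group(2))
        elif m := RULE_RE.match(line):
            chain = tables[table].setdefault(m.group(1), Chain(policy="-"))
            chain.rules.append(m.group(2))
    return tables


def parity_findings(v4, v6):
    """List the ways the IPv6 policy is weaker than the IPv4 one, chain by chain."""
    findings = []
    for table, chains in v4.items():
        for name, c4 in chains.items():
            c6 = v6.get(table, {}).get(name)
            if c6 is None:
                findings.append(f"{table}/{name}: chain defined for IPv4 only")
                continue
            if c4.policy in ("DROP", "REJECT") and c6.policy == "ACCEPT":
                findings.append(f"{table}/{name}: IPv4 policy {c4.policy}, IPv6 policy ACCEPT")
            if c4.rules and not c6.rules:
                findings.append(f"{table}/{name}: {len(c4.rules)} IPv4 rules, 0 IPv6 rules")
    return findings


# Constructed sample dumps: a typical hardened IPv4 INPUT chain next to an IPv6
# ruleset that was never written, i.e. the default "allow everything" policies.
SAMPLE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

SAMPLE_V6 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


if __name__ == "__main__":
    # On a real host: parse_save(open("v4.dump").read()) with `iptables-save > v4.dump` etc.
    for finding in parity_findings(parse_save(SAMPLE_V4), parse_save(SAMPLE_V6)):
        print(finding)
```

For the constructed dumps this reports three findings: INPUT and FORWARD default to ACCEPT on IPv6 while dropping on IPv4, and INPUT has three IPv4 rules but none for IPv6.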

  10. ExampleOne

    ...you've not upgraded switch,...

    Surely the switch shouldn't care, as it's all just ethernet frames with some content to the switches?

    1. jima

      L3 switching (AKA routing), switch management...yes, some switches care about IPv6, just not the dumb ones.

  11. Anonymous Coward
    Anonymous Coward

    Maybe it's time

    Someone updated this:

    http://lorry.org/Docs/pixie.html

    IPV6 pixies: Unusually large pixies with massive heads that speak a strange language so arcane that even network managers don't understand them

    Only anon cos I'm posting from work

  12. Christian Berger

    IPv6 is probably best thought of as a separate network...

    ...which it technically is. It just shares some infrastructure (like DNS) with the legacy IP network. Don't even try to think of it as being the same network. This saves you from lots of headaches and suddenly things make sense. Like if you cannot call an IPv6 phone from a legacy IP phone, you know that that call needs to go over some sort of gateway between the different networks.

  13. defiler

    Plusnet

    Good luck with IPv6 if you're on Plusnet. Yeah, you can tunnel, but really? I mean it's not even as if they're a small ISP. They're part of BT, the biggest consumer ISP in the UK. They trialled IPv6 years ago, and then promptly pushed the genie back into the bottle and said "well that's that then".

    I'm at the point where I'm thinking about ditching them, because IPv6 would be bloody handy for me now.

  14. Stephen McLaughlin

    Overly Gloom and Doom 90's Predictions

    I remember being in a conference in the late 90's and the "experts" were predicting we were going to run out of IPs at some time in the near future if everyone didn't adopt IPv6 - and here we are some 20 years later and it's still not being adopted in many if not most networks.

    1. SImon Hobson Bronze badge

      Re: Overly Gloom and Doom 90's Predictions

      the "experts" were predicting we were going to run out of IPs at some time in the near future

      Which we did - except that some b***ard invented NAT and lots of people went "oooh shiney, that fixes things" while completely ignoring everything that it broke. If all the man-hours spent dealing with the fallout of that had been spent on going to IPv6 then we'd now be asking "what's an IPv4 address?" in the same way that some youngsters now ask "what's tape?".

      1. Nate Amsden

        Re: Overly Gloom and Doom 90's Predictions

        So a better solution to "breaking" a few things with NAT is to break *everything* with IPv6, right? (Because back then, what really supported IPv6?) Then they can be forced to update everything because everything is broken, and then everyone will be happy. Yeah, I can see why that didn't happen.

        I've been doing networking stuff since the late 90s (not really my primary role), these days load balancers, firewalls, VPN, layer 3 switching, though no dynamic routing protocols etc., and even I have zero interest in IPv6 (along with a lot of others I'm sure). In fact I don't recall ever even having a conversation/chat with anyone outside of toy (home tunnel) deployments who was excited about IPv6.

        I go out of my way where I can to disable IPv6 on systems because it can still cause issues (perhaps mainly when there is no IPv6 network). One example that came up again recently is BIND, which by default will query IPv6 name servers unless IPv6 is explicitly disabled on the service itself (having it disabled at the operating system is not sufficient), which results in many query timeouts.

        I do remember being "excited" I suppose that the big core switches I purchased in 2004 supported IPv6 in hardware, though other than a bullet point on a spec sheet my interest stopped there.

        IPv6, much like SDN still seems to me firmly only beneficial in the service provider/large enterprise space at this time. For most folks I think running out of IPs isn't a critical issue.

        It was much more of an issue back before SNI -- I was at one company about 13 years ago where we had a couple hundred SSL certs (many different domains too) that had to be exposed externally -- so of course each required its own IP. Getting those IPs wasn't difficult at the time, but these days such a setup could easily be consolidated even as far down as a single IP address with SNI.

        For the stuff I do (managing production e-commerce infrastructure), if the time comes where we NEED inbound IPv6 then my strategy would be as the article suggests - though I would just have our CDN do the conversion for us. If the time comes where we NEED outbound IPv6 for something then I imagine my strategy would be to do IPv4->v6 NAT (never looked into it before). Though if either of those situations appear in the next 5 years I'll be quite shocked.

        1. Christian Berger

          Re: Overly Gloom and Doom 90's Predictions

          IPv6 doesn't break anything, it's just a new network. If you want to stay with IPv4 that's fine, but don't complain about the people that move on, either because they just don't have IPv4 addresses, or because they want to have something that works.

          And unlike older networks like the Telex network, the X25 network or ISDN, IPv6 doesn't really have any serious disadvantages over IPv4. It's not like IPv4 was isochronous or provided you with identifiers a governmental organisation guaranteed you or anything like that.

          I mean people still operate "Mailbox"-style services you can access via your modem. That's still a thing. People also still exchange medium amounts of data (e.g. the print files for a newspaper) over bonded ISDN channels. There's no reason why IPv4 can't go on for decades in niche use cases.

          1. JohnFen

            Re: Overly Gloom and Doom 90's Predictions

            Let me start with a disclaimer -- I'm not against IPv6 even a little. But...

            "IPv6 doesn't really have any serious disadvantages over IPv4"

            I'm not sure what you consider "serious", but in my view the biggest pain point with IPv6 is the discoverability issue. Without taking active measures to mitigate the problem, IPv6 reveals far more about my devices and network than I'm comfortable with. I count this as a disadvantage.

            Also, IPv6 has a lot more moving parts than IPv4, and I'm nowhere near confident that I know enough to be able to secure such a network adequately. While that will be resolved once I reach the summit of that learning curve, the extra complexity of IPv6 certainly counts as a disadvantage in this sense.

            1. Nanashi

              Re: Overly Gloom and Doom 90's Predictions

              It doesn't really reveal that much about your network. v6 is so sparse that it's hard to even find your network, let alone devices on the network, and all it typically reveals is that you have internet-capable devices; it doesn't even reveal how many. And it only does that much to people in a position to sniff your traffic, and only if you actively allow your devices to talk to the internet, which you don't have to do.

              It does share a lot of issues with v4 (e.g. "you can download malware over v6"), but you can't really count those as a disadvantage for v6 when v4 shares the same issues.

              1. JohnFen

                Re: Overly Gloom and Doom 90's Predictions

                "It doesn't really reveal that much about your network"

                This is correct, if the network is properly configured. But it's not quite as true otherwise. The sparseness of IPv6 doesn't make my network hard to find. All it takes is for something in my network to talk to something over the internet, and the address space is seriously narrowed down.

                "And it only does that much to people in a position to sniff your traffic"

                You say that as if being in a position to sniff my (or anybody's) traffic is rare, but I contend that it's not rare at all.

                "only if you actively allow your devices to talk to the internet, which you don't have to do."

                True, whether IPv6 or IPv4, if nothing in my network talks to the internet, the security issue is much easier to handle.

                "you can't really count those as a disadvantage for v6 when v4 shares the same issues."

                I don't think that IPv4 shares the same issues that I brought up.

            2. SImon Hobson Bronze badge

              Re: Overly Gloom and Doom 90's Predictions

              and I'm nowhere near confident that I know enough to be able to secure such a network adequately

              Ah, that fallacy.

              When you were at the same level of knowledge with IPv4 as you are with IPv6 now - did you have the knowledge to secure it? No? Well, neither did I. Presumably if you reckon to have that knowledge now then you learned it - so go off and learn the differences (which actually aren't that great, the principles are much the same).
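The "discoverability" disadvantage raised in this sub-thread has a concrete form: a SLAAC address built with a modified EUI-64 interface identifier embeds the interface's MAC address, while privacy extensions (RFC 4941) or stable opaque identifiers (RFC 7217) do not. This added example (not code from the thread or any poster) audits a host's addresses for that exposure; the addresses and the MAC behind them are constructed for illustration.

```python
# Added example (not from the thread): check which of a host's routable IPv6
# addresses carry a modified EUI-64 interface identifier, i.e. embed the MAC.
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # unique local addresses, never routed on the internet


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier, or None.

    RFC 4291 Appendix A builds the 64-bit identifier by splitting the 48-bit MAC,
    inserting 0xFFFE in the middle and flipping the universal/local bit (0x02) of
    the first octet. Identifiers from privacy extensions (RFC 4941) or stable
    opaque identifiers (RFC 7217) lack the 0xFFFE marker and yield None.
    (A random identifier matches the marker by chance with probability 1/65536.)
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]      # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                              # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Classify each routable address as 'eui64' (MAC exposed) or 'opaque'."""
    report = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local or ip in ULA:
            continue                                   # not reachable from outside; not part of the exposure
        mac = eui64_mac(a)
        report.append((a, "eui64" if mac else "opaque", mac))
    return report


# Constructed sample: the addresses one host might hold. The first is derived
# from the made-up MAC 00:1a:2b:3c:4d:5e, the second is a privacy-extension
# style random identifier, the third is link-local and is skipped.
SAMPLE_ADDRESSES = [
    "2001:db8:1::21a:2bff:fe3c:4d5e",
    "2001:db8:1::a1b2:c3d4:e5f6:789a",
    "fe80::21a:2bff:fe3c:4d5e",
]

if __name__ == "__main__":
    # On a real host, feed in the output of `ip -6 addr` instead of the sample list.
    for addr, kind, mac in audit(SAMPLE_ADDRESSES):
        print(f"{addr:40} {kind:6} {mac or ''}")
```

Any address reported as "eui64" tells an observer of that host's traffic the vendor OUI and exact NIC behind it; enabling privacy extensions on the host is the usual mitigation.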

  15. Anonymous Coward
    Anonymous Coward

    SBS 2011: switch off IPv6 and the following happens

    • Microsoft Exchange services fail to start

    • Server hangs at "Applying Computer Settings…" (can eventually log on after 30 – 60 minutes)

    • Network icons show as offline

    SBS 2011 uses IPv6 for internal communications

    1. defiler

      You lost me at SBS

      I have wrestled that demented beast far too often in the past, with its 10.0.0.1/8 IP and its .local AD domain baked in. Bah.

    2. J. Cook Silver badge
      Boffin

      Some Anonymous Coward said:

      SBS 2011: switch off IPv6 and the following happens

      • Microsoft Exchange services fail to start

      • Server hangs at "Applying Computer Settings…" (can eventually log on after 30 – 60 minutes)

      • Network icons show as offline

      SBS 2011 uses IPv6 for internal communications

      I can attest that Exchange running on a full server 2012 R2 install breaks horribly if you shut the IPv6 stack off. (and I do mean horribly. Plus, MS Support won't touch it until you turn it back on.)

    3. Alistair
      Windows

      Java 1.6.48 through 1.6.128

      -Djava.net.preferIPv4Stack=true

      quite simply because there was no ipv6 in the environment, but WL decided to try anyway.

  16. martinusher Silver badge

    IPX???

    If you want to host IPX traffic over TCP/IP you just wrap it in a UDP packet.

    Compatibility is really just an expression of will and attitude. It's true that IPv4 and IPv6 don't communicate directly, but there is an IP version number field at the start of the IP header which identifies which one you're using. This enables the stack to route the traffic to the appropriate IP layer where it will get unwrapped and presented to the same -- note, the *same* -- upper layers.

    Life is complex enough without Marketing types spreading thick layers of FUD around. The move to IPv6 has been slow because it's clunky, especially if it incorporates source routing fields in the frames. For those of us working with smaller scale localized networks (that use -- Gasp! -- NAT) IPv4 works just fine and has the advantage that our local devices stay local; they can't be addressed by the greater Internet without the say-so of the edge router. (....I'm old school, I like my networks, like my protocols, layered.....) So let's just use IPv6 where it's appropriate.

  17. J. Cook Silver badge

    I'm surprised no one has made a peep about Teredo (and other 4to6 and 6to4 protocols).

    1. Joel Mansford

      NetFlix

      I was using a tunnelling provider then discovered NetFlix wouldn't work on my home network as a result. Not Happy. Am on Plusnet who carry a "won't do" attitude towards IPv6 so limited options here.

  18. Alistair
    Windows

    You couldn't talk to an IPX-based NetWare server using IP, and neither could you talk to an IP-based Unix box using IPX. We therefore have to deal with two different protocols

    I'll allow that on the point of having the word "based" in there - but whilst we were moving from Netware to MS Winders, we had *both* protocols active on the network for about 3 years.

    *shudder*

    And for the first 8 months I was one of two (2) people in the entire org that had identities on both sides of the wall. And was the only one who could reset passwords on both sides.

    *shudder*

  19. Anonymous Coward
    Anonymous Coward

    Enough of this "my home firewall works with IPv6"

    Can we have here someone speaking for some large, global, multi-site enterprise having a significant number of legacy and/or mission-critical systems to tell us a real success story of a migration from v4 to v6? A link pointing to an article somewhere on the net?

    Obviously, Netflix, Google, Amazon and other pure software service providers do not apply here.

  20. carlsonjma

    Treating the promotion of an RFC to "Standard" status as a starting point is a bit of a misunderstanding of the process. (See RFC 2026 for details.) (I sort of hope it was intended as an inside joke, but if not ...)

    Standards-track RFCs start off life as Internet Drafts. As drafts are written and published, most vendors are in the process of producing interoperable implementations. Actual products are sold based on the drafts. Once rough consensus exists, it goes to Proposed Standard and is published for the first time as an RFC. If you don't already have an implementation in the field by this point, you're really a bit late to the game.

    For many protocols, the story peters out there. Proposed Standard is awfully good. You don't have to have multiple interoperable implementations and active deployment underway to get there, but very often you do, and it's often used as an argument in favor of approval when the IESG is evaluating the request to publish. Most of the developers start drifting away to newer and better things at this point. If there are enough die-hards left to do the work of cataloging the implementation status, you might get promoted to Draft Standard.

    After a very long time, a few protocols end up being promoted one last time as full Internet Standard status. But many of the things we rely on every day don't make it that far, because it's mostly an effort of paperwork by then, and not a protocol development exercise. It's a lot like getting a "lifetime achievement award."

    So, yes, the July 2017 change is important for the protocol, but it really means nothing for the mature and robust implementations that have been in the field for 20+ years now.

  21. David Crowe

    It'll never work

    See my recent article in 2600 magazine: https://cnp-wireless.com/ArticleArchive/2600/IPv6.pdf

    1. Charles 9

      Re: It'll never work

      OK, riddle me this, Batman. Since IPv4 has a hard-coded 32-bit address limit, with NO room for expansion anywhere (and no, you can't trust the option field like EzIP proposes, it's not considered trustworthy), how do you expand the address space AND keep your IPv4 compatibility? It's like trying to cram 13 eggs in an egg carton only built for 12. OR having more people than your building's fire rating allows. At some point, you MUST start fresh. That's what IPv6 represents; at which point it's either go with the flow or get off the Internet.

    2. Nanashi

      Re: It'll never work

      I saw that article. It's, ah, how should I put this... wrong on almost all counts. Like, failing to realize that v6 has backwards compatibility, or that v4's lack of forward compatibility can't be worked around by replacing v6, or that Google's stats are fundamentally different and not comparable to IXP traffic stats, or that internet exchanges are a poor measure of v6 deployment, or that NAT causes real unsolvable problems, or just not knowing how DNS works... I could go into more detail, but I think that pretty much covers every single major point.

  22. AbeChen

    IPv4 Address Pool Has Been Expanded Significantly

    The main reason that IPv6 has not been rolling out smoothly is because it ignored the first rule of engineering in upgrading a working product / system, i.e., backward compatibility with IPv4. Had it done so, the transition would have been completed a long time ago without even being noticed. Marketing type of persuasion has its limits, especially after nearly ten years if we do not count that IPv6 work actually started two decades ago. At the current pace of electronic products, it has been nearly half a dozen or so life-cycles already!

    Our background in telephony enabled us to approach this Internet challenge from the knowledge of the PSTN (Public Switched Telephone Network) that developed practices to expand the assignable telephone numbers through the PABX (Private Automatic Branch eXchange) and the lesser-known CENTREX (CENTRal office EXchange) technologies.

    Instead of digging into the telephony details, we have submitted to IETF a proposal called EzIP (phonetic for Easy IPv4) about the solution from the networking perspectives:

    https://tools.ietf.org/html/draft-chen-ati-adaptive-ipv4-address-space-03

    Essentially, EzIP utilizes the very original IPv4 standard RFC791 and the long-reserved yet hardly-used 240/4 address block to expand each IPv4 public address by 255M (Million) fold. This is capable of serving an area with population up to about 39M which is larger than the largest city (Tokyo metro) and 75% of countries on earth. This capability not only enables governments, but also individuals to offer local sub-Internet services parallel to the current global version. There are other benefits such as mitigating largely the root cause to cyber security issues. These render IPv6 unnecessary.

    Thoughts and comments would be much appreciated.

    Abe (2018-08-28 20:15)
