Defcon speaker calls IPv6 a 'security nightmare'

The internet's next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, a researcher said last week. With reserves of older addresses almost exhausted, the roll-out of the new scheme — known as IPv6 or Internet …

COMMENTS

  1. Mage Silver badge

    Hmm. Broken

    Seems they need to skip IPV6 and design IPV7 properly.

    I'll stay with IP4 then thanks.

    1. Chris Miller

      Read the article again

      In many respects, IPv6 is significantly more secure than IPv4. The problem (as ever) will be with people implementing it before they're ready and when they don't fully understand the implications of what they're doing.

      1. Nathan Meyer

        Complexity Of Implementation Is A Problem

        Given the complexity of RFC mash-ups like IPv4 or v6, it's bloody difficult to "fully understand the implications" of turning it on. RFC 791 was issued nearly 30 years ago and most sysadmins still configure by rote, fingers crossed and praying powerfully. Much less Harry The Homeowner and his Open Zombie Wireless network. You can't fire-proof a paper house. If you want to have a secure network, you need a protocol that is secure by design, not by implementation. Produce a product for general use by the public, and it needs to default to safe settings and not require years of experience to configure safely. Especially when acquiring years of experience could be very painful and expensive. This is just more wanker-ware designed by people with too much time on their hands and no ability to take off those Unix/IP blinders. It would be insanely funny if it weren't so important.

      2. Anonymous Coward

        @Chris Miller

        Having setup and configured IPv6 test labs, I don't believe the hype around IPv6.

        Yes it gives a greater number of addresses, but I fail to see how it makes the network any more secure than IPv4. On a private network it may be harder to spoof a source address, but it's not going to be any harder to spoof a source address across the internet. And any network service that is vulnerable under IPv4 will still be vulnerable under IPv6.

        In addition, as these researchers say, given that nobody's IPv6 implementation has seen extensive vulnerability testing, there are likely to be scores of bugs that will make everyone less secure.

        As for running out of addresses.... that's what NAT is for... every network device doesn't need a globally accessible IP address, in fact it makes them harder to attack directly if they are not globally accessible (ok so there is still the problem of how to secure the application layer, but that's a different problem).

        1. Christopher E. Stith

          not just NAT.

          One of the big culprits of IP exhaustion is SSL. There's no real reason for SSL to require a unique IP address for every host name. You've been able to run thousands of small sites on a single server for years, whether they have the same IP address or multiple ones. Having the RIGHT address and the private key should be plenty, and requiring the IP to be unique adds nothing to security ever since virtual hosting became possible.

          1. Anonymous Coward

            But ...

            SSL doesn't require a unique IP address for each hostname.

    2. Chris Miller

      @Nathan

      It's true there are nearly 6,000 RFCs for IPv4 - that in itself might be a pretty good argument for moving to IPv6 - but 99% of them are either obsolete or relate to subprotocols that are so obscure that you're unlikely to have heard of them, let alone seen them in operation (I certainly haven't). It sounds like your beef is with the selection of defaults by manufacturers - which I agree is woeful, particularly in the domestic market where end users can't be expected to have much security awareness.

      I'd love to see a "secure by design" set of protocols, can I get a "secure by design" operating system on which to run them, as well? I am reminded of the wise words of St Bruce of Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

      1. Nathan Meyer

        @ Chris

        A secure OS would be nice. Certainly neither Unix nor Windows can qualify. Guardian and System 360 (latest version) would be ok; except everybody runs a Unix partition on them now for web services. It's pretty bleak out there. All that said, I would argue that the more immediate problem is the great open door of web services and IP. Close that aperture and it becomes less critical to fix the rest. It would be nice to return to the days when our biggest fear was a disgruntled Assembler programmer bypassing internal controls.

  2. Anonymous Coward

    They keep saying...

    They keep saying they are nearing the end of IPV4 addresses, which I believe, but I question whether they are taking into account all the NAT (private) addresses out there. Our entire company is based on private IP addresses. That's a lot of computers. And with IPV6 they will all need public IP addresses for every machine as it doesn't support NAT.

    1. Charles 9

      Relax. IPv6 has got plenty of room.

      IPv6 takes your concerns into consideration. Consider this. IPv4 has a total of 2^32 possible addresses (a little over 4 billion). IPv6 has an absolute total of 2^128 addresses. That is perhaps 4 whole orders of magnitude more addresses available (about 10^38), so many that every man, woman, and child on Earth could have a handful and it still wouldn't even be halfway. IPv6 thus applies the space in a structured manner. In your hypothetical case, an entire class B (IPv4) subnet only requires 2^16 unique addresses. An IPv6 address is usually addressed in hex for simplicity; your unique addresses would comprise the rightmost word of an eight-word IPv6 address. Let's just say there's plenty of room to go around.

      1. Trevor_Pott Gold badge

        @Charles 9

        Plenty of IPs to go around...

        ...but your ISP will still give you two (dynamic) and charge you $5 for each additional you use.

        I will believe in IPV6 when I see IPV6 NAPT/NAPT-PT in home routers or legislation /requiring/ handing out proper subnets to home users. Not before. (Spoken as someone with 27 IP-enabled devices in his home for 3 people. Phones, routers, computers, consoles, etc.)

        Also, it’ll be lovely when I’m forced to use auto-configuring addresses for my own internal network. I’LL LOVE THAT. None of this simple being able to remember your addresses easily; who ever wanted to do silly things like that? Great technology in theory. Complete failure on behalf of everyone involved to think for 0.00005 seconds about how it would be implemented in the real world.

        Yeah. IPV6. I remain distinctly unimpressed.

        1. Justin Thomas

          Autoconfigure

          I do use it and do appreciate it.

          But that doesn't mean you can't set your own addresses for servers and whatnot. While my clients are unmemorable numbers and letters, I've set my gateway to 2001:470:xxxx::1. Easy peasy.

          1. Trevor_Pott Gold badge

            @Justin Thomas

            Your statement assumes that your ISP will let you use anything except auto configure, or DHCP6 or some such. With no private IP space, you don't get to decide what your IPs look like, your ISP does. Perhaps you have a useful ISP who plays ball and gives you a real amount of address space. Bully for you. Many others aren't so lucky.

    2. Lou Gosselin

      Re: They keep saying...

      "I question whether they are taking into account all the NAT (private) addresses out there."

      We really do need more ip addresses.

      Though it's been adopted out of necessity, NAT really does cause numerous headaches, breaks protocols, causes inefficiency. It was a stop gap measure while waiting for a real fix. Also, NAT should not be a replacement for a genuine firewall.

      IP6 addresses the primary 32-bit addressing issue, however it also introduces numerous other features whether or not we want them.

      Article quotes:

      "It means that everything you send or receive is labeled with your real MAC address and therefore if you were to do something naughty, like download copyrighted material, they would know"

      I have wondered why the spec calls for such a personal identifier in every packet, especially as it's not necessary to make ip6 work. It lends a lot of weight behind the conspiracy theory that it was designed to track people. Given how easy it is to forge in practice, I would hope that it could never pass as "evidence".

    3. Gerhard Mack

      IPv6 doesn't support what?

      IPv6 supports NAT just fine and has for years.

  3. Anonymous Coward

    Don't worry...

    Really, IPv6 gives us a truly crazy number of IP addresses to play with, 2^95 for each person on the planet, 39614081257132168796771975168, each.

    I don't think your company has anything to worry about, unless you're the Director of IT...

    1. Anonymous Coward

      640k ought to be enough for anyone

      "IPv6 gives us a truly crazy number of IP addresses to play with"

      I bet someone said that about IPv4 too :)

      1. Roger Campbell

        640K

        I remember 16K, then 32K, then 64K being impressive. I still have 2 meg in my Apple ][e.

        Where's the Woz icon?

  4. ShoveUrMMA

    Sheesh kids

    Was always in the design... Host based firewalls and whitelisting... It's a dependency shift, move along.... All of a sudden, those AV companies look good again <buystock>

    thats all for now...

  5. Anonymous Coward

    The company where I'm working now uses

    a whole class B IP4 public network address internally and of course, they're NATing it into the ISP assigned public range in order to go to Internet. They say it would cost them too much to change, it's too complex and so on, so they'll never bother with it. I wonder how many others do the same.

    1. Lance 3

      IPv4 will be around

      A company has an Internet connection running IPv4. It will continue to run IPv4 and the ISPs will be turning on IPv6 on them. When the ISP is out of IPv4 addresses, new customers will be getting IPv6 only.

      IPv6 gets rid of DHCP servers as the computer asks the router for the IPv6 network and then the MAC is used to generate the host portion. The big issue though, DNS. How does the computer get DNS servers? It doesn't because there are no DNS servers. You also run into an issue if the entire path is not IPv6 capable and the computer gets an IPv6 address during a DNS query.

      1. Anonymous Coward

        Reply to post: IPv4 will be around

        IPv6 doesn't get rid of DHCP servers, though you do have the option not to use one. DHCPv6 works fine and actually allows you a way around using your MAC address as part of the IP address.

        If you do use the routing approach you can use a multicast DNS server, since the routing server doesn't broadcast that information.

        It is also possible to run IPv6 over IPv4, though it requires a tunnel be created between two points.

      2. Lou Gosselin

        @Lance 3

        "IPv6 gets rid of DHCP servers"

        "there are no DNS servers."

        Hmm, I suppose that neither of these are strictly necessary if you configure everything via static ip addresses. However these can both continue to play a role on ipv6 networks.

        "It will continue to run IPv4 and te ISP's will be turning on IPv6 on them. When the ISP is out of IPv4 addresses, new customers will be getting IPv6 only."

        The main problem (the reason we haven't upgraded sooner), is that ipv4 and ipv6 addresses cannot communicate directly with each other, period.

        An ipv4 client cannot address an ipv6 server, and an ipv4 server cannot reply to an ipv6 client. This necessitates rather undesirable ipv4/6 proxy servers.

        The loss of direct connectivity is a major stumbling block. Once major portions of the internet are version 6 only, then people will want ipv6 addresses, until then people will want/need ipv4 ones. Catch-22.

        1. Lance 3

          Stateless

          Most ISPs are going to use stateless. There is no reason for them to use DHCPv6 as they are going to give you an address block. By doing so, you have a DNS issue. No DHCP = no DNS servers assigned automatically. If companies do the same thing, how does one use the Internet at home using a company PC? The company would set the DNS servers and they wouldn't be reachable at home.

          That poses an issue.

          The ISP and carriers are starting to plan for IPv6. Once the address space is out, it is hard to attract new customers. So it is not a Catch-22. The major issue, the majority of the population is not technical enough to actually understand it and thus be able to make any changes necessary for IPv6 to work.

          The carriers are not going to do a proxy. They will be using CGN and issuing new customers a private IP.

          The major issue the ISPs have: how do you market IPv6? You can't charge extra for it; the majority won't pay for it. So it is a necessary expense item to continue to provide service to new customers. Internally many companies are trying to find what budget it should come out of.

          1. Lou Gosselin

            Re: Stateless

            Firstly, DHCP is still used on ipv6 networks.

            http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-dhcp.html

            Secondly, DNS is still needed to resolve names on ipv6 networks, regardless of how it gets configured in the first place (stateless or stateful dhcp mode).

            "The ISP and carriers are starting to plan for IPv6. Once the address space is out, it is hard to attract new customers. So it is not a Catch-22."

            Of course once the numbers are out, they'll have no choice but to stop issuing publicly addressable ipv4s, but I'm still right that an IPv4 endpoint cannot send a packet *directly* to an IPv6 one.

            Despite your remarks, I don't think we actually disagree on this point, since you acknowledge the need for NAT.

            "They will be using CGN and issuing new customers a private IP"

            This of course comes with all the shortcomings of not being able to connect directly to people/devices behind the NAT or Proxy. People get around these shortcomings today on their own routers with port forwarding and UPnP. It is likely that ISPs are going to be reluctant to do this on their NAT routers. Therefore clients behind NAT will inevitably lose connectivity, particularly P2P (such as games, voip, bittorrent, etc).

            Anyone solely on IPv6 will be at a loss until everyone else joins them. No reason to deny a catch 22 here.

  6. Anonymous Coward

    Wouldn't..

    ..a properly configured private network - such as a business or gov't - have only a handful of public addresses?

    And wouldn't a properly configured home network, have only one public address?

    Gaming consoles? Don't need a public address.

    Phones? Maybe, maybe not, depending on the service provider. But not everyone has or - gasp - wants a smartphone.

    I really think it doesn't have to be as dire as they're saying it is. And even so, the proper way to do it is not to force everyone onto an unfinished standard that LOWERS security. Finish the standard, finish the compliance, make it at least AS secure as IPv4 is with all its current add-ons, make it so that people without photographic memory can read the addresses. Then deploy it. Is it nice to make people wait? No... but it's evil to make internet security actively worse because of hysteria and projection trends.

    1. Pascal Monett Silver badge

      Internet connection requires an address

      Thus, if a gaming console has Internet connectivity, it must have an IP.

      IPv6 has squintillions of available addresses, and that is a good thing. Unfortunately, humanity has a track record of occupying available resources until their exhaustion. That trend is already well underway for IPv6 as well.

      Just think about it: smartphones, consoles, even some BluRay players have Internet connectivity already. There is talk about connecting fridges, televisions and freezers as well. Cars will end up connected one day.

      So, let us imagine a future where a 4-person household has the following elements connected to the Internet:

      - 2 cars

      - 3 televisions

      - 4 media players

      - 3 consoles

      - 7 smartphones

      - 2 fridges

      - 1 freezer

      - 1 dog

      Yes, the dog. Don't tell me that they won't end up with GPS-tracking collars you can follow on your PC, because they will. Add as many dogs as you want.

      So that makes a total of 23 IP addresses required for 1 house of 4 people.

      Today? We have 1 IP connection per household, with NAT inside the house.

      The ratio is then 1 to 23.

      Yep, that IPv6 is well on its way to becoming saturated as well.

      1. Ole Juul

        Re: Internet connection requires an address

        Indeed, is there any reason that a single device couldn't find a use for 10, or 100, or more ip addresses? I think you're right, once this gets going we'll be using them up in no time.

        1. Anomalous Cowherd Silver badge

          Good point

          If nothing else it means no more name-based virtual hosting for Apache. Got a couple of dozen domains? Assign each one an IP address, but continue to run them all off the same box. Will certainly make setting up HTTPS a lot easier.

      2. Charles 9

        That was taken into consideration.

        Even if every man, woman, and child on earth were given a ridiculous number of IPv6 addresses, it would hardly scratch the proverbial roll. The number given was mentioned previously in the comments, but basically, with 10^38 addresses to distribute among about 10^10 people, address exhaustion is not likely to be an issue in the foreseeable future.

        1. perlcat

          "...taken into consideration" taken as a challenge

          I appreciate the unwitting irony in that statement, which wholly ignores all past IT history.

          Just so you know, Charles "640K ought to be good enough for anybody" 9, I have my doubts that the millions of monkeys with typewriters generating content/crapplications on the internet will stop being what they are. Call it a hunch.

          1. Charles 9

            But there comes a point...

            ...when you have to step back and realize that, eventually, you encounter a number so high that you have to realize, "That's BIG." That's the thing with exponents: they get BIG and FAST. And given my above example (10^38 addresses among 10^10 people), that means each person can have 10^28 IPv6 addresses and you still wouldn't run out. Based on my chemistry knowledge, that's greater than the Avogadro constant (~6.02x10^26). When the numbers get THAT high, you're likely to run afoul of physical limitations (either the sum energy capacity of the planet or the capacity to install addressable units) before you threaten exhaustion. Now, I'll grant you that this will likely only apply in a terrestrial situation, but given current limitations on communication of an extraterrestrial nature, I seriously don't think address exhaustion will become a problem unless we find a way to get around c, first.

            1. perlcat

              right in current applications, wrong in future assumptions.

              Just because we don't have that many people doesn't mean that we can't cook up a way to use that many addresses. It is possible to write an application that uses 64,000 UDP ports. Why would anybody do that? I dunno -- I'd say that half the new application developers needed their heads examined, but that's not because they're crazy -- just that I don't understand what they're doing.

              Just because it doesn't seem like a good idea at the time to you doesn't mean that a future application (or host of them) won't. It just means that You Don't See A Way To Use Them. I'm just saying that type of phrase has been used before, and the pattern so far is 1. make utterance in public. 2. Be proven wrong. 3. repeat. I would hedge my bets on this, rather than go down in history with another silly quote to my name to the effect of "If man were supposed to fly, the Almighty would have given him wings".

              1. Charles 9

                Only 64,000?

                What happened to the other 1,536 (JOKE)?

                But, back to serious stuff, I still stand firm on the idea that IPv6 was designed so that physical limitations hit before logical ones (unless, like I said, someone finds a way around the speed of light--c--first).

                It's the same way of thinking that determined the logical limits of the ZFS filesystem. They were set so high that the entire physical capacity of the planet Earth would be insufficient to create a drive system bigger than ZFS can accommodate. Sure, the human mind has infinite imagination, but he only has finite resources to exploit.

  7. trejrco

    Close to accurate ...

    ... but not quite. At the very least, two of the attacks mentioned are already resolved.

    (Type 0 RHs have been deprecated, and appropriate guidance developed ... and P2P links now recommend /127s, and most vendors have removed this vuln anyway).

    Yes, IPv6 poses several different types of risks. However, you are much better off deploying IPv6 and managing it properly than trying to pretend it doesn't exist.

    @Mage - Not an option for several reasons, and FWIW IPv6 is "properly designed" - and largely ready to deploy. Also, "v7" wouldn't be the next version ... (Oh, and "staying with IPv4" - without also doing IPv6 - won't really be an option for most of us for much longer ... )

    @Anony - You can either take it on faith, or do the math, or ... ask? ... but yes, IPv6 has more than enough addresses for every company out there to get their public IPs and to not require NAT. (And there are some 'flavors' of NAT that do apply, in some scenarios, to IPv6 networks ...)

    /TJ

  8. Brian

    IPV6

    There is already an IPv6 to IPv6 NAT, but it is unnecessary.

    Currently, there is IPv4 address space available. By this time next year all of it will be allocated and there will be no new addresses available. Once this occurs, you will start seeing a market around IPv4 addresses. Those companies that have large ipv4 ranges assigned to them will find themselves restructuring because those addresses will be worth some $$.

    Companies not willing to pay for IP space, will go to ipv6. The next big 'thing' on the net, will likely be on ipv6 only. You heard it here first. :)

    1. Pascal Monett Silver badge

      Won't be enough

      It will never be worth enough to restructure to IPv6.

      And if it does become worth big bucks, then the buying company will, at one point, have to decide to go IPv6 anyway.

  9. Anonymous Coward

    Spec's Wrong

    Was looking at IPv6 back in the 90s, concluded that its main flaw is also its main strength; global routable addresses. In an idealistic world it sounds like a great idea to have all interconnected devices, but in reality why does a client device need to be accessed directly by another internet connected device? Surely this peels back the small, yet helpful layer of security that NAT provides us with.

    IPv6 SOCKS hell yeah!

    Sod routing that junk.

    1. Lance 3

      Firewall

      That is what a firewall is for. There is plenty of security.

      Want to remain anonymous and make it so someone can't see the MAC address (host portion of the IPv6 address)? Then use a USB dongle or change the MAC on the NIC.

      1. Gerhard Mack

        don't need to do the host portion

        The host portion is just one way to set the ipv6 address. You can still set static ips or use DHCP. I have done both on my test networks with no trouble.

  10. Daniel B.

    So, basically the same complaint I have with IPv6.

    I've always thought that having a /64 'host' block is a huge waste of space; hardwiring this host ID to a MAC address is infinitely stupid as well. Now it seems that the same giant block opens up a world of abuse? O RLY? It shows how that idea was so shortsighted. I'd add that wasting a full /64 block for a router-to-router link is also an enormous waste of space. In practice, we're really squaring the IP address space, as the other 64 bits are pretty useless.

    Fortunately, I've seen that not all IPv6 implementations add the MAC addy into the Host ID, but still, it is kinda lousy to set that kind of behavior as the default. Maybe they should make IPv7, but disregard the dedicated /64 Host ID block and just let us subnet all the way down to /127?

    1. Anonymous Coward

      Reply to post: So, basically the same complaint I have with IPv6.

      The /64 is just the default if you use routing advertisement to dole out IPs. If you use a DHCPv6 server, you can choose any size subnet(s) you want. And really, the security issues behind using your MAC address are no different than having a static IP address.

    2. Lou Gosselin

      @Daniel B.

      "I've always thought that having a /64 'host' block is a huge waste of space; hardwiring this host ID to a MAC address is infinitely stupid as well."

      I'm glad that people upvoted your post, since it gives me a slight bit more confidence that in practice we will disregard the publicly routable mac address.

  11. Henry Wertz 1 Gold badge

    startling

    "There is already an IPv6 to IPv6 NAT, but it is unnecessary."

    It is in the sense that some people do not want their machines to be fully publicly accessible, and a NAT allows this.

    Anyway, I was rather startled about some of the features included in IPV6, and I think there are a number of ...ahem.. interesting security vulnerabilities that "may" pop up with it. I say "may" because it takes a bit of a kitchen sink approach and it's entirely possible some of the ill-planned functionality will simply not be implemented in practice.

  12. This post has been deleted by its author

    1. Guido Brunetti

      No problem

      Let's have a hundred trillion planets with a trillion people each, then every person can still have a trillion IPv6 addresses. If we ever reach that point, changing to IPvx is going to get tricky, though...

  13. Ysean

    @Daniel B.

    HUH?!

    You do realize that in REAL WORLD environments you'll have subnets much smaller than a /64. Just like you have subnets as small as 2 usable IPs now.

    The whole /64 thing is actually the smallest amount that IANA/ARIN will hand out. That doesn't mean that we will all be getting our own /64. And, for right now most anyone can get a /64. But, that won't be a permanent thing either.

    1. Lance 3

      ISP's

      Some ISP's will be issuing a /61 to DSL/cable customers.

    2. Justin Thomas

      Try /48

      I have a /48 from Hurricane Electric (as do many of their customers). That allows for the deployment of many /64s to accommodate the automatic addressing based on MAC address.

      If you use that auto-addressing, then /64 really is as small as you want to go.

  14. Yes Me Silver badge

    Stop the myths!

    Well, we've heard the myth that IPv6 is super-secure, from the IPv6 Forum. And we've heard the myth that it's super-insecure, from this and other professional security scaremongers. The fact is: the design of IPv6 is so similar to IPv4, apart from bigger addresses and a few fancy auto-configuration features, that it has *exactly* the same security issues. The problem is that not all security products are fully IPv6-ready yet. Well, if your firewall vendor doesn't support IPv6 properly, get a new vendor.

    Oh, and there's a myth right there in the story:

    "Some operating systems, including Windows Vista and Windows 7, have privacy settings turned on by default that cause the string to be randomly generated. While this setting helps preserve anonymity, it also has the potential to break many end-to-end communications, so it may not always be available, Bowne warned." Er, BS. IPv6 privacy addresses in no way break e2e communications. Your computer might switch to a new IPv6 address for a *new* e2e communication (that's a TCP connection in plain English) but it won't switch in the middle of an existing one. Anyway, you only need to use those privacy addresses if you're paranoid about your MAC address. If you're that paranoid, there are much worse traceability problems to worry about.

    Oh, and for those who believe that IPv4 exhaustion is a myth, see http://www.potaroo.net/tools/ipv4/

    1. Anonymous Coward

      There is plenty of IPv4 space - don't believe the hype

      Some of the comments on here from the armchair experts are truly astonishing with most just plain wrong.

      IANA doesn't make end user assignments. Slash 32 is the normal allocation to ISPs. Slash 48 is the longest prefix you should expect to see in the global routing table though there are discussions going on for longer prefixes for traffic engineering purposes. LIRs (ISPs) assign to end users. Slash 48 or 56 is what everyone will get at home.

      I numbered my p2p links with slash 64s on the ISP backbone according to the RFCs.

      Anyone that says IPv4 is running out misunderstands the issue. It is only running out in terms of what IANA has available to allocate to RIRs such as RIPE. What Geoff Huston is monitoring is correct but the interpretation by lay people is wrong.

      Many ISPs have large IPv4 allocations which are still unused. Myself included. If the allocations were properly managed back in the Wild West days of the internets then we wouldn't have all this drama and hype now.

      I designed and deployed v6 in the main traffic areas on our ISP backbone in a month. Dual stack but only because some customers were asking for reachability to our v6 DNS servers. I haven't yet decided how to deploy to subscribers but if Hurricane Electric are doling out slash 48s I will probably go with that. Subnetting is essentially a thing of the past. And if I need more, RIPE already have a second slash 32 right next to the first pre-assigned ready for me if I ever need it.

      People need to get away from that mentality of address space wastage. It's designed that way. Simplicity is key. From our slash 32 RIPE allocation, I use 16 bits to get 65k slash 48s. I use one of those 48s to subnet again with 16 bits to give me 65k 64s which I use for backbone or Infrastructure data-links. Of which so far I have used around 20 to interconnect IXPs and data-centres. Servers get a slash 64 in a VLAN.

      Network Engineers that are dividing up slash 64s into slash 127s for p2p links are being too anal wasting their time and living in the past - though there are security implications for this.

      To the person who claims he cannot deploy v6 in dual stack because he has a slash 16 deployed, I would suggest that you shouldn't - among others - be working in IT.

      There is no such thing as class A, B or C addressing schemes.

  15. Anonymous Coward

    letters and/or digits

    "Chief among the threats is the issue of incompatible firewalls, intrusion-prevention devices, and other security appliances"

    When someone takes a wheel off your car you don't drive off before they put the new one on.

    In other words, surely you would just upgrade your firewall?

  16. jonfr
    Boffin

    Mac address and IPv4

    You can also get the MAC address from IPv4. The only difference is that it is not used to make an IP address, as in IPv6, where part of the address comes from your NIC's MAC address.

    But random strings in IPv6 already hide those anyway. So people should be pretty secure with IPv6.

  17. Volker Hett
    Thumb Down

    since I first encountered IPv6 mid 90s

    I'm under the impression most hardware and software vendors as well as ISPs hope that it vanishes in a puff of smoke when they just ignore it long enough.

    1. Anonymous Coward
      Anonymous Coward

      Rubbish

      Cisco and Juniper have supported v6 for 10 years. Microsoft and others also.

      Currently there is no demand for it. But any ISP worth its salt is or has deployed in readiness.

      1. Volker Hett

        not so rubbish

        Cisco and Juniper are fine for the Datacenter but we need it in households and at SMBs.

        Where is the Netgear DSL Router with IPv6 and where do I get IPv6 for my home?

  18. TonyHoyle

    Even sooner than that..

    I like to point people at http://www.ipv4depletion.com/?page_id=4

    It's a slightly more pessimistic date (there's apparently a good reason for the difference but I'm not a maths whiz).

    Saying ipv6 is broken because you have a useless firewall vendor is like saying the motorway is broken when your car breaks down. *All* business vendors should be supporting ipv6 by now - if they don't, get a new vendor.

    Consumer routers are the bigger problem. They're done on the cheap so basically all have clones of the same old images with a different web frontend. Even though a lot are linux based.. which supports ipv6 just fine.. they just don't turn it on. That's starting to change - DLink have a couple of ipv6 capable models now.

    Personally I don't give a stuff if someone knows my mac address.. what are they expecting to do with it? The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running. And if you're that paranoid.. either (a) alter the mac address manually, or (b) switch privacy on.

    As for "The big issue though, DNS. How does the computer get DNS servers? It doesn't because there are no DNS servers" I'm not even sure what that's trying to say. even the root nameservers are ipv6 capable now... the major DNS vendors have been ipv6 capable for years. DNS is *not* an issue (other than microsoft not implementing RDNSS yet but that's really a vendor problem).

    1. Anonymous Coward
      Anonymous Coward

      Which OS?

      > The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running.

      Linux version 2.6.24-19-lpia (root@sisko) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)

      1. Anonymous Coward
        Anonymous Coward

        Reveals hardware

        You should really give us the server's public IP as well as your MAC, cos that's what we'd get with IPv6. Anyway, from that MAC we can tell your machine is a virtual box running in VMware (00:50:56), for whatever that's worth. I would think it makes you more exposed to VMware guest vulns though and also puts other guests on the same host in a weaker position.

        For example:

        http://www.scmagazineus.com/vmware-patches-new-critical-security-vulnerability/article/130518/

      2. Lou Gosselin

        Re: Which OS?

        "Linux version 2.6.24-19-lpia (root@sisko) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)"

        Not bad at all. How about this for the ip?

        192.168.44.111

        1. Charles 9

          That's not a public IP.

          192.168/16 is a designated range of IPs meant for use in private networks. It encompasses a span of 256 Class C (/24) blocks. They're the address range of choice for the internal routing of home networks for that reason. Routers are not supposed to pass them along to the greater Internet.

          What this seems to indicate is that the VM received the address from a DHCP server in the 192.168.44/24 range (probably 192.168.44.1). This could be your current physical router or a virtual NAT running in the host machine (both setups are possible in VMWare and VirtualBox).

    2. Lou Gosselin

      @TonyHoyle

      "The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running."

      This is registered to VMware. Of course it was wise not to tempt fate, but had you provided an IP address, there are tools to profile the IP stack and reliably derive the operating system in use.

    3. Anonymous Coward
      Anonymous Coward

      Depending on your IPv6 config

      Depending on your IPv6 config, you've just given yourself away... if your switch/router vendor still stuffs the MAC into the IPv6 address. I hope you googled it before you posted it.
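For the MAC-in-the-address point that runs through this sub-thread (the EUI-64 interface identifier that SLAAC derives from the NIC's MAC, the 00:50:56 VMware OUI lookup, and the "switch privacy on" advice), here is an added example that is not code from any commenter. It builds the modified EUI-64 identifier from a MAC, forms the SLAAC address under an assumed /64, and does what a third party would do with an address seen on the wire: decide whether it is EUI-64 based, recover the MAC, and look up the vendor. The OUI table is constructed for the example and contains only the VMware prefix already named above; the prefix 2001:db8::/64 is the documentation prefix, not anyone's real network.

```python
import ipaddress

# Constructed for the example: only the OUI mentioned in the thread. A real tool would
# consult the IEEE OUI registry.
OUI_TABLE = {"00:50:56": "VMware, Inc."}


def parse_mac(mac: str) -> bytes:
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("a MAC address has six octets")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 per RFC 4291 Appendix A: split the MAC in the middle, insert
    ff:fe, and flip the universal/local bit (0x02) of the first octet."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host without privacy extensions would configure from an RA prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC forms addresses in a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def looks_eui64(addr: str) -> bool:
    """Heuristic: an EUI-64 IID carries ff:fe in octets 3-4. A random (RFC 4941
    privacy) IID matches this by chance only about once in 65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"


def mac_from_address(addr: str):
    """Reverse the EUI-64 construction; None when the IID does not look EUI-64 based."""
    if not looks_eui64(addr):
        return None
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return format_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def vendor_of(mac: str):
    return OUI_TABLE.get(mac[:8].lower())


def profile(addr: str) -> dict:
    """What an observer learns from a single address: EUI-64 or not, MAC, vendor."""
    mac = mac_from_address(addr)
    return {
        "address": addr,
        "eui64": mac is not None,
        "mac": mac,
        "vendor": vendor_of(mac) if mac else None,
    }


if __name__ == "__main__":
    a = slaac_address("2001:db8::/64", "00:50:56:3f:58:50")
    print("SLAAC address:", a)
    print(profile(str(a)))
    # A privacy-extension style address constructed for contrast: nothing recoverable.
    print(profile("2001:db8::1a2b:3c4d:5e6f:7081"))
```

Two points follow from running it: the address 2001:db8::250:56ff:fe3f:5850 hands an observer both the MAC and the VMware OUI, exactly the exposure discussed above, and the privacy-extension address gives back nothing, which is what "switch privacy on" buys.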

    4. Charles 9

      It boils down to this.

      If you use a stateless IPv6 ISP, which means it does not use DHCPv6 (and incidentally, among the things a DHCP connection tells you are the list of DNS servers to use), how does one know which IPv6 points to the local DNSv6 server? In real world terms, how do you find your way around town without a map, but at the same time, how do you get a map without knowing the location of the map store?

      1. Lou Gosselin

        @Charles 9

        "If you use a stateless IPv6 ISP, which means it does not use DHCPv6...how does one know which IPv6 points to the local DNSv6 server?"

        The answer is very simple, as I've already mentioned, use DHCP.

        IPv6 has an auto IP configuration option, but that doesn't eliminate the need to use "stateless DHCP" for other information.

        Stateless DHCP is called this because it doesn't need to track ip addresses. This is not to say that there is no DHCP at all, that's the same mistake made by the OP.

        Of course if you disable DHCP entirely, then you'll need to configure your network statically, but this will not be the norm.
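The exchange above (how a SLAAC-only host learns its DNS servers) comes down to two things carried in the ICMPv6 Router Advertisement: the M and O flags, which tell the host whether to run DHCPv6 (stateful when M is set, stateless information-request only when just O is set), and the RDNSS option from RFC 6106, which puts the resolver addresses straight into the RA. The following is an added example, not code from any commenter: it builds a sample RA from constructed values and parses it back, applying the RFC 4861 rule that an option with length zero means the whole packet is discarded. The prefix and resolver addresses are documentation-range assumptions.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3          # RFC 4861 section 4.6.2
OPT_RDNSS = 25               # RFC 6106 Recursive DNS Server option
FLAG_MANAGED, FLAG_OTHER = 0x80, 0x40


def build_ra(managed: bool, other: bool, prefix: str, dns_servers: list,
             router_lifetime: int = 1800, dns_lifetime: int = 3600) -> bytes:
    """Constructed RA (checksum left at 0; a real sender computes it over the pseudo-header)."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information: L (on-link) and A (autonomous) set, valid 30 days, preferred 7 days.
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       2592000, 604800, 0) + net.network_address.packed
    if dns_servers:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, dns_lifetime) + addrs
    return pkt


def parse_ra(pkt: bytes) -> dict:
    if len(pkt) < 16:
        raise ValueError("RA shorter than its fixed header")
    typ, code, _cksum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & FLAG_MANAGED), "other_config": bool(flags & FLAG_OTHER),
            "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option: RFC 4861 says discard the packet")
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        body = pkt[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            info["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            dns_lifetime = struct.unpack("!I", body[2:6])[0]
            for i in range(6, len(body), 16):
                info["rdnss"].append({"server": str(ipaddress.IPv6Address(body[i:i + 16])),
                                      "lifetime": dns_lifetime})
        # Unknown or malformed options are skipped, as RFC 4861 requires.
        off = end
    return info


def dns_resolution_source(info: dict) -> str:
    """Where a host configured by this RA gets its resolvers: RDNSS in the RA itself,
    DHCPv6 (stateful or stateless) when M or O is set, otherwise nothing at all."""
    if info["rdnss"]:
        return "rdnss"
    if info["managed"] or info["other_config"]:
        return "dhcpv6"
    return "none"


# Constructed sample: SLAAC prefix, O flag set (stateless DHCPv6 allowed), RDNSS present.
SAMPLE_RA = build_ra(False, True, "2001:db8:0:1::/64", ["2001:db8::53"])

if __name__ == "__main__":
    parsed = parse_ra(SAMPLE_RA)
    print(parsed)
    print("resolvers come from:", dns_resolution_source(parsed))
```

The "none" case is the one the original question is really about: an RA with A set, M and O clear and no RDNSS option leaves the host with an address but no resolver, which is a router configuration gap rather than a property of IPv6.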

  19. John Klos

    No real content...

    They're basically saying that because IPv6 addresses are public, all of the insecure machines which count on being behind NAT and so on will be insecure. This implies that NAT is normal and that the behavior of NAT is what should be expected, but this isn't the case - NAT is an exception, and public, accessible IPs are real life. Thanks, Microsoft!

    Telling people that IPv6 is insecure is assuming that we should all cater to the lowest common denominator - the insecurity of Windows - instead of having higher standards which would include assuming that any machine could be on a public IP at any time.

  20. Anonymous Coward
    Anonymous Coward

    Others' experience

    Feel free to correct my memory, but I understood that Asian countries had fairly extensive IPv6 networks, as their allocation of v4 was quite small to begin with. Has this researcher checked into their experience, or is this conjecture? I do think he's right to make people aware that the move to IPv6 isn't a drop-in replacement, and a lot of dogma is going to have to be re-learned, but I think there's plenty of real-world experience to go on, even if it's not from the Western world.

    1. Allan George Dyer
      Stop

      Not a comprehensive answer...

      I'm in Hong Kong and recently asked my ISPs about their IPv6 plans. After the initial, "Huh? What's that", I got past the sales team and got:

      ISP 1) None.

      ISP 2) That's part of our "Premium Business Plan", that will cost you $$$$

      No idea where these Asian countries with masses of IPv6 networks are.

  21. John Smith 19 Gold badge
    Joke

    2^48 was more than enough for Ethernet

    Wasn't it?

  22. Khoos

    The real nightmare

    The real nightmare is a network security vendor (like a firewall vendor) who can't deliver IPv6-capable firewalls when IPv6 has only been in the making for about 20 years, probably longer than some of those network security vendors have been wrestling with IPv4 insecurities. Why was "IPv6 support" not on the must-have list for any network device being bought for the last 3 years?

  23. kwah
    Black Helicopters

    just thinking out loud..

    ''It means that everything you send or receive is labelled with your real MAC address...''

    Have we just uncovered the *real* reason Google wanted all those MAC addresses tied to geographic locations?

    /me hunts around for my tinfoil hat

  24. Anonymous Coward
    FAIL

    running out?

    There are loads of IP addresses that aren't in use. Last time I checked IBM, Compaq and GE had literally millions (entire /8s).

    I think it's time that someone with a set of b*lls asked them to give some of them back. How many forward-facing web and FTP servers do they actually need?

    256? possibly, but unlikely. (This is 1/65000 of their IP addresses)

    65536? not likely in any way. (This is 1/256 of their IP addresses)

  25. Christopher E. Stith

    I'm scared of the amount of ignorance in this discussion.

    I hope only a few of you have anything to do with the industry.

    The very idea that more addresses and the option not to use DHCP means there will be no DNS just displays a total lack of understanding. Guess what -- there are options to use other than DHCP now. DNS is needed because people don't remember 32-bit addresses well, even as octets translated to decimal. There's no way it's going to be irrelevant with 2^128 addresses. DNS or some successor will be much more relevant.

    The idea that name-based virtual hosting is so much harder than IP-based virtual hosting is laughable.

    There certainly won't be a dramatic sudden IPv4 to IPv6 shift in large companies like many of you think. New blocks allocated will be IPv6. Eventually, the IPv4 blocks will be routed through a v4-v6 gateway router. After that, there will be v4 NATed networks behind a v4-v6 gateway that is behind v6 NAT even after v4 isn't publicly routable. The companies will still have v4 equipment internally. It will take years to phase out all the v4 in some organizations, even with v6 being the only newly allocated addresses on the public Internet.

  26. druck Silver badge
    Thumb Down

    IPv5

    Should have just gone with a small increment to IPv5 and 64 bit addresses, which is plenty until someone discovers more atoms in the universe.

  27. Anonymous Coward
    Anonymous Coward

    A solution in search of a problem?

    It looks like IPv6 is necessary due to some legacy protocols (like VoIP) which don't play nice with NAT. If the default assumption is that the customer is behind several NAT layers, it would be possible to construct networking protocols that work fine with that.

    So instead of the expensive IPv6 rollout, maybe networks and protocols should become more NAT-friendly.
