
Military Pressuring Vendors On IPv6

netbuzz writes "US military officials are threatening IT suppliers with the loss of military business if they don't use their own wares to start deploying IPv6 on their corporate networks and public-facing Web services immediately. 'We are pressing our vendors in any way we can,' says Ron Broersma, DREN Chief Engineer and a Network Security Manager for the Navy's Space and Naval Warfare Systems Command. 'We are competing one off against another. If they want to sell to us, we're asking them: Are you using IPv6 features in your own products on your corporate networks? Is your public Web site IPv6 enabled? We've been doing this to all of the vendors.'"
  • Well (Score:5, Insightful)

    by zero.kalvin ( 1231372 ) on Monday December 20, 2010 @08:24PM (#34623212)
    I'll be pretty suspicious if Steve Jobs tried to pitch me a Mac while he is running Fedora on his personal laptop. Point taken, good job I suppose.
  • by Nethead ( 1563 ) <joe@nethead.com> on Monday December 20, 2010 @08:26PM (#34623240) Homepage Journal

    You try to design a router ASIC with variable length addresses!

  • I'm okay with this (Score:5, Insightful)

    by Byzantine ( 85549 ) <carsonNO@SPAMsdf.lonestar.org> on Monday December 20, 2010 @08:34PM (#34623324) Homepage Journal

    As long as they're applying this across the board and not playing favorites (at least not without a damn good in-writing reason), I'm okay with this. In fact, I don't really see IPv6 being adopted soonish absent measures like this.

  • by Nethead ( 1563 ) <joe@nethead.com> on Monday December 20, 2010 @08:38PM (#34623358) Homepage Journal

    We're down to the last 5 IPv4 /8 netblocks. A little late for that.

  • Re:Well (Score:5, Insightful)

    by ushering05401 ( 1086795 ) on Monday December 20, 2010 @08:38PM (#34623372) Journal

    Yeah, good job and more please.

    Whoever writes the speeches @ 1600 Penn ought to make sure this one at least gets some lip service. While not a big deal for the general public, it is something that shows some common sense due diligence and proactive thinking from a widely vilified branch of our Federal machinery.

  • by j-beda ( 85386 ) on Monday December 20, 2010 @09:46PM (#34623938) Homepage

    But, man, is it going to be a pain to switch to IPv8 at that point!

  • Re:Say it! (Score:5, Insightful)

    by c0lo ( 1497653 ) on Monday December 20, 2010 @09:52PM (#34623988)
    I never thought I'd be agreeing that the idea of "army applying pressure" would bring anything good... until now.
    (note to myself: seems like I'm growing old faster than I thought).
  • by Xugumad ( 39311 ) on Monday December 20, 2010 @10:18PM (#34624130)

    IPv6 has been around since 1998 (http://tools.ietf.org/html/rfc2460). That's Windows '98/NT territory. If Windows Server can't handle it, it's not because it hasn't had long enough to be tested in that configuration.

    To address your ideas in turn:

    1. Auditing by who? The first crisis with IPv4 allocation is the inability to allocate new chunks. Organisations with enough IPv4 addresses already aren't going to be bothered by this for a long time.

    2. So... you're avoiding the cost of configuring networks to be dual protocol, by re-configuring servers... why is that necessarily cheaper?

    3. Reclaiming IP addresses is akin to solving a lack of phone numbers for the NY area by claiming back some from a less populated state. It would rapidly lead to routing tables that are infeasibly complicated.

    4. Again, you're suggesting an alternative way of investing time to solve a problem instead of solving it properly, and I'm not sure why this is inherently faster.

    5. Possibly some variation on the SRV records, but... again, why is replacing every OS world-wide (absolutely nothing supports that, so everything will need upgrading) cheaper than enabling IPv6 on systems that are already out there?

    Sticking with IPv4 means constructing an ever more elaborate set of workarounds on top of each other. For a while it will work, but I can't see the result remaining workable, or being cheaper in the long term.

  • by bertok ( 226922 ) on Monday December 20, 2010 @10:24PM (#34624148)

    There might be some pressure in the States to push IPv6 adoption, but there's none here in Australia.

    Every consulting project I've been on in the last two years, I've asked this standard question: "Do you have a business requirement or mandate to deploy IPv6 now or in the future?"

    Inevitably, the answer is "No."

    Here in Australia, at both private enterprise and government, nobody has even begun to think about IPv6 at any level. Nobody requires IPv6 capability when purchasing software or equipment, and even when the capability is available, nobody turns it on. The more "IPv6 aware" clients turn it off to avoid compatibility issues. Even when I offer to implement IPv6 for some new system ("no extra cost, I'll just turn it on"), nobody wants it.

    Pure IPv6 networking will be particularly hard to implement. I've tried experimental setups with products from various vendors. The usual result is that with IPv6 only most things work, but some things break. Stop and think about this for a moment: imagine if that sentence was: "the usual result is that with IPv4 addresses most things work, but some things break." That would be totally unacceptable for any enterprise software, yet it's "perfectly acceptable" for every major vendor to ship software where that's the situation with IPv6, because... nobody cares. The failures are often quite pathetic too, like dialog boxes that require an IPv4 address to be entered, even if it's never used or needed, or only accept IPv4 addresses for things like DNS servers. Clearly vendors have never tested their products in pure IPv6 environments, or did test them and decided it's too much effort to fix for something nobody cares about.

    Let me whip out my crystal ball and predict that when IPv4 addresses run out and organisations scramble to implement IPv6, it's going to be a rush job, and we'll start hearing horror stories of incompetent admins that inadvertently bypass or break firewall rules by enabling IPv6 and cause major issues. These reports in turn are going to scare off management, who'll assume "IPv6 is bad", because they "read about some horror story of how Incompetent-r-Us Pty Ltd was hacked when they turned IPv6 on, hence, IPv6 must be insecure". Combined with stories of broken software and issues like IPv6-connected browsers waiting 30-60 seconds for IPv6 requests to time out, I'm certain that nobody is going to start using it until absolutely forced to.

    It's a bad, bad sign that all the major websites like Google and Facebook have "ipv6.normalurl.com". That's because practical IPv6 implementations are often broken, and if enabled on the main website, it breaks it for a huge fraction of users. If Google and their like can't implement IPv6 transparently without issues, and are forced to create "experimental" websites, then what hope does the typical admin have?
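
Added example, not part of bertok's comment or the original thread: a defender's check for the failure mode predicted above, where enabling IPv6 leaves ports reachable that the IPv4 firewall blocks. The rulesets are constructed samples in iptables-save / ip6tables-save format, the function names are hypothetical, and the evaluator models only the INPUT chain with a small subset of options.

```python
import shlex
# Constructed rulesets in iptables-save / ip6tables-save format (not from the thread).
V4_RULES = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:8100 -j REJECT
COMMIT
"""
V6_RULES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
"""
KNOWN = {"-i", "-p", "-m", "--dport", "--ctstate", "--state", "-j"}

def input_verdict(ruleset, port):
    """Verdict for a NEW inbound TCP connection to `port` on a non-loopback
    interface; rules with negation or options outside KNOWN are skipped."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]          # chain default, e.g. DROP
        if not line.startswith("-A INPUT "):
            continue
        tok = shlex.split(line)[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))  # every modelled option takes one argument
        if "!" in tok or set(opts) - KNOWN:
            continue
        state = opts.get("--ctstate") or opts.get("--state")
        if opts.get("-i") == "lo" or (state and "NEW" not in state.split(",")):
            continue                          # loopback-only or established-only rule
        if opts.get("-p", "tcp") not in ("tcp", "all"):
            continue
        lo, _, hi = opts.get("--dport", "0:65535").partition(":")
        if not int(lo) <= port <= int(hi or lo):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]                 # first terminal match wins
    return policy

def v6_only_exposure(v4, v6, ports):
    """Ports reachable over IPv6 that the IPv4 ruleset does not accept."""
    return [p for p in ports
            if input_verdict(v6, p) == "ACCEPT" and input_verdict(v4, p) != "ACCEPT"]

if __name__ == "__main__":
    print(v6_only_exposure(V4_RULES, V6_RULES, [22, 443, 3306, 8080]))
```

On a live host the two strings would come from `iptables-save` and `ip6tables-save`; hosts managed with nftables need a different parser.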

  • by CyprusBlue113 ( 1294000 ) on Monday December 20, 2010 @10:51PM (#34624286)

    You should refrain from lumping the rest of the world into your little delusions. The rest of the internet that actually works in networking does not, in fact, share your paranoid view of "OMG PEOPLE SEE MY IPS! THEY CAN HACK ME!" and is actually quite comfortable with the significant distinction between stateful firewalling and IP masquerading / Network Address Translation.

    You may have actually had a smidgen of an argument if you had brought up PI space as opposed to using assigned space in your uninformed rant due to portability issues when switching carriers or multihoming, but unfortunately, you avoided even the one tiny hope of an argument you could have made in your favor.

    As to your DNS vs IP comment, (although this applies to your previous ranting as well) To quote a favorite movie of many:
    What you just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

    Thank you for warning the rest of the internet of your ignorance. I have, as such, marked you as -1 in my list, and appreciate the gracious warning so that I may avoid your drivel in the future. Have a nice day =)

  • by Anonymous Coward on Monday December 20, 2010 @11:31PM (#34624492)

    Maybe Australia has that problem, but I know for certain that Verizon is switching their cell network to IPv6 to deal with the number of smartphones on the network. They're a client and have insisted that we have everything ready for IPv6 to connect with them by early next year. They'll do 6to4 on the edges and IPv6 internally. It's that or stop selling smartphones, since they're already NATing and have found that that solution doesn't scale well enough to handle the volume they need.

  • by owendelong ( 614177 ) on Monday December 20, 2010 @11:36PM (#34624520) Homepage

    There is a difference here. IPv6 would be the equivalent of IBM saying something more like:

    640 exabytes ought to be enough for anyone.

    (note by exabyte I mean 1000 terabytes, not Exabyte the brand name of many 8mm digital video tape drives).

    340*10^36 (the IPv6 address space) is more than 10^26 times the current demand for addresses.
    Compare to 640k which was roughly 10^1 times the standard memory size for machines of the day.

    In fact, today, I doubt you can identify many (any?) machines with more than a terabyte of RAM.
    In fact, it's rare to find more than 128GB of RAM capacity in most machines. (64GB is roughly
    100,000 times the original 640KB number, so 128GB would be 2*10^5 times 640KB).

    To put the comparison in some perspectives you might be able to wrap your head around...

    If you were to allocate an almond M&M for every 256 IPv4 addresses, the resulting amount
    of almond M&Ms laid out in a 1-M&M thick layer would cover only 70 yards of an American
    regulation football field (NFL, not FIFA). (16.7 million M&Ms, 1 for each IPv4 /24 prefix)

    Contrast that with the number of IPv6 /64 prefixes (a bit more than 18 quintillion) which
    would provide enough M&Ms to fill all of the great lakes.

    Where each /24 can accommodate a single router and up to 253 other hosts, each
    IPv6 /64 can accommodate more hosts than you could ever physically put on any
    conceivable scale of network gear (18 quintillion+ hosts).

    There will not be a likely shortage of IPv6 addresses in any of our lifetimes.

  • by Cinder6 ( 894572 ) on Tuesday December 21, 2010 @01:16AM (#34625058)

    I'll try...

    I have no idea of any meaningful measurement of Library of Congress for comparison, sorry.

    Got one for you. The Library of Congress has (according to Wikipedia) 21814555 catalogued books. There are 2^128 IPv6 addresses. Thus, each book can have roughly 1.56 * 10^31 addresses assigned to it.

  • by TheRaven64 ( 641858 ) on Tuesday December 21, 2010 @06:29AM (#34626470) Journal

    At a minimum, each home user is going to be assigned 2^48 IPv6 addresses. That's enough for your private network to be 2^16 times bigger than the current Internet - wasting addresses is not really a problem. Will this leave enough for routing? It means that the netmask will be 2^80 bits. To put that in perspective:

    Imagine a network arranged like a tree. At the top level, you have as many routers as there are IPv4 addresses - roughly as many as there are Internet-connected devices now. Each of these routers controls a subnet the same size as the IPv4 address allocation, so you have a network the size of the Internet, where every node is a network the size of the Internet. Each of these leaf nodes is actually a network, connecting 65336 computers. The total number of computers on this network is the number of networks that IPv6 allows with this allocation scheme.

    Or, to put it in human terms, there are currently around 6x10^9 people on the Earth. If every person had as many networks as there are people alive today (each one, 2^16 times bigger than the current Internet), then we would be using just over 0.002% of IPv6 addresses.

    In fact, you want to waste addresses with IPv6, because it makes routing simpler. Every time you split an allocation into two subnets, just steal another bit for the subnet mask. An ISP would not allocate you a single IPv6 address, because it would make their routing tables horribly complicated.

    As to NAT - you can do it, but there's really no point. If a node should not be globally reachable, tell your firewall to drop packets to and from it. You may want your IP addresses to remain constant when you switch ISPs, but I'm not sure why. Using DNS (or mDNS) to identify machines is more sensible. You seem to be trying to solve a problem that doesn't exist.
