Military Pressuring Vendors On IPv6

netbuzz writes "US military officials are threatening IT suppliers with the loss of military business if they don't use their own wares to start deploying IPv6 on their corporate networks and public-facing Web services immediately. 'We are pressing our vendors in any way we can,' says Ron Broersma, DREN Chief Engineer and a Network Security Manager for the Navy's Space and Naval Warfare Systems Command. 'We are competing one off against another. If they want to sell to us, we're asking them: Are you using IPv6 features in your own products on your corporate networks? Is your public Web site IPv6 enabled? We've been doing this to all of the vendors.'"

Say it!

[Anonymous Coward]

Say you love IPV6, damn you! Say it!

Re:Say it!

[c0lo]

I never thought I'll be agreeing with the idea of "army applying pressure" would bring anything good... until now.
(note to myself: seems like I'm growing old faster than I thought).

Re:

[c6gunner]

Easy. The rear admirals are well known for applying pressure on the poop deck. They heard that the internet is a series of tubes, and, well, there ya have it ...

Re:

[gtall]

Comedy aside, the Navy is the most technologically adept of all the U.S. military services. They do a lot of their own research as opposed to the Air Force which contracts out most of its which leaves the Air Force pretty much clueless. The AF are the guys who attempted to take over "cyber" work in military until Gates stepped on them. Their idea of cyber security is "standardizing on Microsoft products"....and actual edict from their most senior people.

Well

[zero.kalvin]

I'll be pretty suspicious if Steve jobs tried to pitch me a mac while he is running fedora on his personal laptop. Point taken, good job I suppose.

Re:Well

[ushering05401]

Yeah, good job and more please.

Whoever writes the speeches @ 1600 Penn ought to make sure this one at least gets some lip service. While not a big deal for the general public, it is something that shows some common sense due diligence and proactive thinking from a widely vilified branch of our Federal machinery.

Re:

[arth1]

More likely the military loves IPv6 because it's by nature a lot more traceable -- it defaults to unique addresses for each host, and even contains routing information.

Granted, you can set up a fc::/7 network, and fake-NAT outgoing traffic, but even then your internal address is likely unique. When intelligence find a HD or USB key with an internal IP 192.168.0.15 in a log, it doesn't help when there are millions of networks out there with 192.168.0.0/255 networks, but if the address is fd17:192b:3fa7:0031

Re:Well

[SuricouRaven]

One better, actually: Auto-allocated addresses include the host's MAC address. Get someone's IPv6 address, and you can figure out roughly what motherboard or network card they have - and if you can sieze their computer, confirm if that computer actually has that MAC. Some OEMs might even keep MAC-to-Customer-Address databases.

All this assuming that the user doesn't just fake their MAC address of course, which is trivial.

Re:

[Cyberax]

"Auto-allocated addresses include the host's MAC address."

Unless privacy extensions are used.

Re:Well

[caerwyn]

Actually, it really depends on the company you're looking at. One of the biggest problems isn't so much the $2000 hammer, but the "not invented here" syndrome that causes it.

The government, and DoD especially, does procurement and research based on contracts. The problem is that the results of contract A are not well shared with the contractor for follow-on contract B- which means that they end up reinventing the wheel, and doing all the same work that A did, just to work on the problem that B was supposed to handle.

Hence, many of the companies that do the work are, in isolation, especially the smaller ones, reasonably efficient. But the system as a *whole* is horribly inefficient, and the *big* companies that are involved in this whole thing can rake in huge profits and support huge bureaucracies in the process, so they have a vested interested in lobbying for the status quo.

Re:

[adavidw]

Well, Steve Jobs spent at least a few years pitching macs while running NextStep on his personal ThinkPad (1998 to around the time of OS X release in 2001). Not quite the same, since NextStep in a way represented the future of the product. But still, there's no better to way to reinforce the perception that the current direction of the company is a dead end than for the CEO to not use the company's products.

How long will IPv6 last?

[Anonymous Coward]

Based on current rates of growth and industry trends, how long will it be before the IPv6 space is exhausted? Given how hard this transition is, would it be better to go directly to IPv8 or some kind of variable-length scheme?

Re:

[TheDarAve]

640k of address space should be enough for anyone.

Re:How long will IPv6 last?

[owendelong]

There is a difference here. IPv6 would be the equivalent of IBM saying something more like:

640 exabytes ought to be enough for anyone.

(note by exabyte I mean 1000 terabytes, not Exabyte the brand name of many 8mm digital video tape drives).

340*10^36 (the IPv6 address space) is more than 10^26 times the current demand for addresses.
Compare to 640k which was roughly 10^1 times the standard memory size for machines of the day.

In fact, today, I doubt you can identify many (any?) machines with more than a terabyte of RAM.
In fact, it's rare to find more than 128GB of RAM capacity in most machines. (64GB is roughly
100,000 times the original 640KB number, so 128GB would be 2*10^5 times 640KB).

To put the comparison in some perspectives you might be able to wrap your head around...

If you were to allocate an almond M&M for every 256 IPv4 addresses, the resulting amount
of almond M&Ms laid out in a 1-M&M thick layer would cover only 70 yards of an american
regulation football field (NFL, not FIFA). (16.7 million M&Ms, 1 for each IPv4 /24 prefix)

Contrast that with the number of IPv6 /64 prefixes (a bit more than 18 quintillion) which
would provide enough M&Ms to fill all of the great lakes.

Where each /24 can accommodate a single router and up to 253 other hosts, each
IPv6 /64 can accommodate more hosts than you could ever physically put on any
conceivable scale of network gear (18 quintillion+ hosts).

There will not be a likely shortage of IPv6 addresses in any of our lifetimes.

Re:

[smash]

Sorry can you please post the size of the ipv6 pool in something people can relate to, such as libraries of congress?

Re:How long will IPv6 last?

[owendelong]

I'll try...

I have no idea of any meaningful measurement of Library of Congress for comparison, sorry.

It takes 39 digits to define the number of addresses in IPv6. Only 10 digits to define the number of addresses in IPv4.

If you treat each address as a unit of mass and consider IPv4 to have mass equivalent of 7 liters of water, then, IPv6 would have mass equivalent roughly to Earth. (The whole earth, including all the oceans, lakes, land masses, people, buildings, etc.)

In IPv4, there are more than 1.5 people alive today for every address.

In IPv6, there are 50,041,524,547,196,832,862,260,971,681 addresses for each person alive today.

Or, perhaps consider the following:

The US public debt is 13,848,000.000,000. If IP addresses were pennies, we would need 3,462 IPv4 internets to pay it off. The IPv6 address space, converted to pennies, OTOH, would pay the public debt more than 24,572,672,365,752,344,270,896,491 times.
(If anyone wants to send me even a single IPv6 /64 network worth of pennies, please
email me for contact information.) ;-)

Hope that helps.

Re:How long will IPv6 last?

[Cinder6]

I'll try...

I have no idea of any meaningful measurement of Library of Congress for comparison, sorry.

Got one for you. The Library of Congress has (according to Wikipedia) 21814555 catalogued books. There are 2^128 IPv6 addresses. Thus, each book can have roughly 1.56 * 10^31 addresses assigned to it.

Re:

[arth1]

Actually, there's a myria between mega and giga, but it isn't used much, because we tend to only think in terms of 1000^N or 1024^N. Oh, and because while it's part of the metric system, it's not an SI unit (but then again, neither is mega when used for 1024*1024).

But the next time you want to screw with someone's head, you could say 100 myriabytes instead of a gigabyte.

Re:How long will IPv6 last?

[Nethead]

You try to design a router ASIC with variable length addresses!

Re:How long will IPv6 last?

[Drishmung]

You try to design a router ASIC with variable length addresses!

You and I might struggle, but Tony Li [lightreading.com] didn't seem to have a problem with it. Really. Go and look at Google Groups for info.big-internet around 1993-1994 and see Tony provide pseudo-code that demonstrated that variable length was not a problem for ASICs, nor was it any slower.

Yes, it is obvious that fixed length must be better than variable length. Yes, that is incorrect. What everyone 'knows' may be far from the truth.

Now, continue surfing using the more efficient, cheaper ATM (fixed size cells) NIC rather than that inefficient , expensive Ethernet (variable size frames) NIC.

Re:

[Anonymous Coward]

Until the surface of Earth resembles Coruscant.

Re:

[Byzantine]

Trantor is prettier.

Re:

[Professr3]

+1

Re:How long will IPv6 last?

[zero.kalvin]

2^128 unique address. I don't think we'll be exhausting them any time soon. That's like each person on earth have access to roughly 10^38 unique address.

Until nanotech networks need addresses.

[Ungrounded Lightning]

2^128 unique address. I don't think we'll be exhausting them any time soon. That's like each person on earth have access to roughly 10^38 unique address.

Huh?

That's not enough to address the cells of one human body.

(Of course putting your medical nanobots on the internet would be a pretty dumb move. DoS attacks would sink to a new level - about six feet under, while BSoD would become quite literal.)

Oops. Off by a few orders of magnitude. B-(

[Ungrounded Lightning]

Oops. Need to check my math BEFORE posting. B-(

About 47 bits to address the cells of one body (if you only have one device with one port each and nothing for other stuff). Another 33 for the current population. That's only about 2/3 of the bits.

Still, IMHO that's starting to get a little tight. You'll probably want more than one bot per cell, one port per bot, and that's not even counting things like the intestinal bacteria (which out-count the body cells by enough to reduce the body cells to a footnon

Re:How long will IPv6 last?

[Junta]

Though things aren't likely to exhaust any time soon, that's a fairly naive perspective on it.

2^121 addresses are knocked out by ULAs, 2^118 knocked out by link-local addressing, 2^120 are only available for multicast. In aggregate, a small chunk, but sizable.

Then, there is the inefficiency of distribution. Nothing smaller than /64 is ever supposed to be given to any single network segment. Currently, nothing smaller than a /48 is supposed to be given to an entity allowed to do routing (e.g. houses), though some have proposed allowing /56. Just like some places have 16.7 million IP addresses that don't need them, similar inefficient allocations will be made in IPv6 world.

In order to do a competent assessment, a more complex projection is required.

Re:

[Gerald]

There are 2^125 *global* addresses, you resource-hogging Earthist pig.

Re:

[Nethead]

Er, which globe are you talking about then?

Let me know when you get that fiber drop in the Jupiter system. I'll need to add Europa to my bogon list so I don't accidentally send traffic there.

Re:

[Gerald]

Apparently you haven't heard of the Interplanetary Internet [wikipedia.org].

Re:

[Charliemopps]

I remember someone saying the same general thing to me when I bought my first 80Mb hard drive. You could practically install every piece of software ever written for a PC on that one drive! Why would you ever need anything bigger.

Re:

[Arancaytar]

Yeah, but if nano-scale computers are ever mass-produced...

(...it would still take longer than the age of the universe to run out of addresses.)

Re:How long will IPv6 last?

[Nethead]

We're down to the last 5 IPv4 /8 netblocks. A little late for that.

Re:

[Aqualung812]

Doesn't matter. I want IPv6-NAT...

You want to learn about security. There is nothing good about IPv6-NAT, and security through obscurity isn't security.

And anyway, IPv6 addresses are ugg-ly.

Learn DNS. You should only be looking at a IPv6 address if you are a network engineer.

Re:

[mark-t]

You presume that people might want NAT for security... when they may simply want it for its notion of compartmentalization. Many devices in your home may be able to benefit from internet connectivity, for example, but not all of them would benefit from being visible on the global Internet, and neither would it be desirable for them to be... again, not from an issue of security, but simply from an issue of what would make any sort of sense (of course, the same reasoning could apply to why some devices shoul

Re:

[asdfghjklqwertyuiop]

So "compartmentalize" them all you want with public addresses. It really doesn't matter if your air conditioner is at 192.168.74.91 or 206.221.38.55. You're just losing NAT and non-unique addresses and gaining more work when you renumber (which IPv6 makes easier).

Re:

[asdfghjklqwertyuiop]

What kind of firewall? If it is something with a textual sort of configuration you can just set your prefix once in a variable and use the variable throughout the configuration.

Re:

[RapmasterT]

Doesn't matter. I want IPv6-NAT...

You want to learn about security. There is nothing good about IPv6-NAT, and security through obscurity isn't security.

There's a lot more to NAT than security. You might want to read up on it.

And anyway, IPv6 addresses are ugg-ly.

Learn DNS. You should only be looking at a IPv6 address if you are a network engineer.

You do know where you are right? "only if you are a network engineer" is going to be a significant part of the Slashdot population. Also, "learning DNS" without learning the underlying protocol (IPv6) is not learning anything, you're just using an app.

Re:

[Yvanhoe]

Actually DNS appearing to be the pressure point that censors will use to switch down website, I say it is interesting to be able to memorize a few or to write them down quickly.

Re:

[Nursie]

Not having machines publicly addressable is most definitely a security advantage.

I hear this all the time, that it's insecure, but I have yet to hear an actual good reason, do you have one?

Because NAT is perfect for plug-n-play devices with questionable per-device security. Why on earth should consoles and internet-aware appliances at my folks house need a public address? They don't know much about security and getting rid of in-home NAT just exposes them to far more risk.

NAT == BAD seems to be a religious

Re:

[walshy007]

Why on earth should consoles and internet-aware appliances at my folks house need a public address?

VOIP is one application, being the game host in a multiplayer game is another. Nat essentially makes the internet one-way and to get around it involves serious hacks.

NAT == BAD seems to be a religious expression more than anything actually practical.

Suuure, because being against seriously breaking networks is a religion...

As for DNS... are we going to have a DNS server in every home now too?

router does this job, most modern ones already do. get a domain for your network and allocate subdomains from your router.

Re:

[Yaztromo]

Because NAT is perfect for plug-n-play devices with questionable per-device security. Why on earth should consoles and internet-aware appliances at my folks house need a public address? They don't know much about security and getting rid of in-home NAT just exposes them to far more risk.

No, a stateful firewall is what is protecting them, not NAT. Nobody is suggesting that homes will no longer need a "router" device for their computing devices, consoles, media players, and other net-enabled devices to sit behind, which by default block all incoming port requests. That will remain the same. Having a private internal address doesn't fix those less-secure devices -- it's the device at the gateway to your home that permits or denies access. This won't change with IPv6, but you'll be able to h

Re:

[geniusj]

ASNs+BGP for every home!!!

Re:

[Cwix]

*shudder*

Re:

[DarkOx]

First of all I really hope not, and second I suspect most homes will remain edge networks so the ISP can handle all the routing to and from the Internet.

Re:

[segedunum]

Oh God, please don't let sensible practicality get in the way of this. You should know by now that private addressing and NAT is completely evil and there are absolutely no reasons at all why you should be doing this.

Re:

[asdfghjklqwertyuiop]

Do what without private addresses? Assigning static addresses or setting up A or AAAA records works about the same with public or private addresses.

Re:

[Rising Ape]

You can have private addresses with IPv6. You can also have multiple addresses per interface, so you could advertise/withdraw the appropriate route advertisements for public addresses as needed, in addition to the static, private one, with the public ones being used for external communications. So all your internal communications work with fixed addresses.

Whether the tools have been implemented to make the administration of that practical is another matter entirely, but is rather the key issue.

Re:How long will IPv6 last?

[TheRaven64]

At a minimum, each home user is going to be assigned 2^48 IPv6 addresses. That's enough for your private network to be 2^16 times bigger than the current Internet - wasting addresses is not really a problem. Will this leave enough for routing? It means that the netmask will be 2^80 bits. To put that in perspective:

Imagine a network arranged like a tree. At the top level, you have as many routers as there are IPv4 addresses - roughly as many as there are Internet-connected devices now. Each of these routers controls a subnet the same size as the IPv4 address allocation, so you have a network the size of the Internet, where every node is a network the size of the Internet. Each of these leaf nodes is actually a network, connecting 65336 computers. The total number of computers on this network is the number of networks that IPv6 allows with this allocation scheme.

Or, to put it in human terms, there are currently around 6x10^9 people on the Earth. If every person had as many networks as there are people alive today (each one, 2^16 times bigger than the current Internet), then we would be using just over 0.002% of IPv6 addresses.

In fact, you want to waste addresses with IPv6, because it makes routing simpler. Every time you split an allocation into two subnets, just steal another bit for the subnet mask. An ISP would not allocate you a single IPv6 address, because it would make their routing tables horribly complicated.

As to NAT - you can do it, but there's really no point. If a node should not be globally reachable, tell your firewall to drop packets to and from it. You may want your IP addresses to remain constant when you switch ISPs, but I'm not sure why. Using DNS (or mDNS) to identify machines is more sensible. You seem to be trying to solve a problem that doesn't exist.

Re:

[TheRaven64]

Nonsense. An IPv6 firewall could be configured to, out of the box, allow all outbound and block all inbound connections. This would be exactly the same, in the default case, as NAT, only slightly more secure (some rebinding attacks that work on NAT would not work). You'd need to explicitly open ports, but you need to do that with NAT anyway and there are already simple interfaces in all consumer routers for doing it (and it would be easier with a simple firewall, because you'd just be opening ports, not

Re:

[Nethead]

I want to see you try that rant on the NANOG list.

Re:

[vijayiyer]

There are large corporations with whole class A blocks that expose all their internal addresses because it has nothing to do with security. So much for your "no organisation" argument.

Re:

[asdfghjklqwertyuiop]

Nobody wants to expose all their internal addresses. Period. Which part of that can you dumb fucks not understand? No organisation is going to want to implement that.

Exposing your internal addresses should be irrelevant to security unless you're doing something else wrong. Those of us that understand that are OK with our internal addresses being exposed and want them to be. A lot of organizations already do implement that even with IPv4. Which part of that do you dumb fucks not understand?

Re:How long will IPv6 last?

[CyprusBlue113]

You should refrain from lumping the rest of the world in to your little delusions, the rest of the internet that actually works in networking, do not in fact, share your paranoid view of "OMG PEOPLE SEE MY IPS! THEY CAN HACK ME!" and are actually quite comfortable in the significant distinction between stateful fire-walling and IP masquerading / Network Address Translation.

You may have actually had a smidgen of an argument if you had brought up PI space as opposed to using assigned space in your uninformed rant due to portability issues when switching carriers or multihoming, but unfortunately, you avoided even the one tiny hope of an argument you could have made in your favor.

As to your DNS vs IP comment, (although this applies to your previous ranting as well) To quote a favorite movie of many:
What you just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

Thank you for warning the rest of the internet of your ignorance, I have as such, marked you as -1 in my list, and appreciate the gracious warning so that I may avoid your drivel in the future. Have a nice day =)

Re:

[wolrahnaes]

Nobody wants to expose all their internal addresses. Period. Which part of that can you dumb fucks not understand? No organisation is going to want to implement that.

1. Deny all default inbound rule on the firewall. Done. Same level of security as NAT.

2. There are still link-local addresses if you want to configure machines or services to be local-only.

NAT is a bad thing. It's a hack to resolve a problem (limited IPs) that IPv6 eliminates, so get rid of it.

Re:

[onionman]

I'm afraid that IP addresses are a very real part of working on networks today, and making them relatively easy to remember is pretty important. Mixing numbers and letters together in hexadecimal (a numbering system humans don't use) was something cobbled together by some tit who had no idea about the practicalities of maintaining a network.

The base in which you choose to represent the number is not really relevant. The computer is storing it all in binary anyway. You can write your applications to accept them in decimal if you wish, and let the computer convert them to binary. The reason that the standard is hexadecimal is because it is much quicker to convert from hex to binary in your head than from decimal to binary.

The binary representation allows you to see the network topology (and hence the routing rules) much more quickly. There's

Re:

[techno-vampire]

Mixing numbers and letters together in hexadecimal (a numbering system humans don't use) was something cobbled together by some tit who had no idea about the practicalities of maintaining a network.

As a matter of fact, the term "hexadecimal" [wikipedia.org] goes back to 1954, decades before the first computer network and the use of letters (although not always, at first, A through F) goes back to at least the 1940s. Using them in IPV6 addresses is simply using the system in the standard fashion; anything else would be c

Re:

[Nethead]

Why IPv8? Why not IPv9?

http://www.rfc-archive.org/getrfc.php?rfc=1606 [rfc-archive.org]

Re:

[sjames]

Screw it, 11 is one louder!

Re:

[Relic of the Future]

Think of it this way: each current IP address could have its own private entire IPv4 address space... and then each of THOSE private addresses could have its own private entire IPv4 address space... and then each of THOSE addresses could have its own private entire IPv4 address space.

It'll last a while.

Re:

[mattventura]

Not quite. The nat network would only have a (relatively) small private address space, not the whole IPv4 address space. GP is correct, since the raw IPv4 space is 2^32 and the raw IPv6 space is 2^128.

Re:

[icebraining]

No, parent is not saying IPv6 works that way, but that IPv6 will give you the equivalent number of addresses.

But if you use the entire address space for your local network, you won't be able to access the internet at all; you can only use reserved IPs, which aren't used on the Internet, or else you might not be able to access some services.

Re:

[Bookwyrm]

Going to a variable-length scheme is one possible (if tricky) solution.

The major problem is that 'end-to-end' has become blind ideology rather than useful design methodology. As a result, people keep fighting tooth and nail against the very idea of NAT and encouraging development of applications that are tightly coupled to the underlying network.

Instead of pushing for IPv6, there should be an effort towards developing against a more abstract network model such that applications do not care if they are usin

Re:

[Nethead]

Instead of pushing for IPv6, there should be an effort towards developing against a more abstract network model such that applications do not care if they are using IPv4 or IPv6 or IPv42, such that protocol translation between different network families can be implemented where necessary.

You mean something like the OSI model?

http://en.wikipedia.org/wiki/OSI_model [wikipedia.org]

Re:

[sjames]

Take every single network interface ever created from the very beginning. They will all fit into just 1 /64 with room to spare. Now, have every machine currently on the Internet replaced with every network interface ever created. Repeat that 4 billion more times and we'll have to start changing standards around a bit to conserve space.

We could give each human cell it's own IPv6 address and still not run out. Not even if we expand to a million other planets.

We have a few to spare...

Re:How long will IPv6 last?

[bcmm]

Based on current rates of growth and industry trends, how long will it be before the IPv6 space is exhausted?

(Deep breath)
When we have colonised the entire observable Universe (at a (hugely over)estimated one habitable planet per star), our descendants* will be able to own about three-quarters of a million cellphones each.** [wolframalpha.com]

Given how hard this transition is, would it be better to go directly to IPv8

If you mean we should skip a step while we're at it, we are: we're going straight from 32-bit to 128-bit, rather than 64-bit.

* In before "this is Slashdot".
** 715,925 cellphones should be enough for anyone!

Re:

[j-beda]

But, man, is it going to be a pain to switch to IPv8 at that point!

Re:

[smash]

We can simply start using NAT... :D

Re:

[marcosdumay]

Based on current rates of growth, it won't last until the heat death of the universe. But, for the required number of clients to come into reality, we'd have to be displaced through the biggest part of our galaxy, and IPv6 copes very badly with interestelar communication, so we'll need another protocol anyway.

Re:

[c0lo]

IPoAC [wikipedia.org]?

Re:

[Antity-H]

For just one second and because this is /. I thought you were proposing IP over Anonymous Coward , and started wondering how it would work ...

Re:

[Yvanhoe]

I remember someone actually calculating the density of nanobots you would need per cubic meter in the whole atmosphere to fill the IPv6 address space. You can do it, but that day we will have some more serious concerns...

I'm okay with this

[Byzantine]

As long as they're applying this across the board and not playing favorites (at least not without a damn good in-writing reason), I'm okay with this. I fact, I don't really see IPv6 being adopted soonish absent measures like this.

Re:

[dasdrewid]

It is kind of funny. I rail and rail against the power and might of the military-industrial complex. Then things like this happen and I am thankful for the DoD for advancing the state-of-the-art in ways that the general market is incapable/unwilling too. It's...frustrating. Why do they have to make things so complex!

Adding IPv6 is not difficult

[The_Dougster]

I upgraded my systems to ipv6 even though I just have IPv4 by signing up for a free tunnel broker service. I recommend SixXS [sixxs.net] if you are serious, or one of the others if you just want to flirt around with IPv6. Basically, you open a tunnel on one of the machines, it starts radvd which activates ipv6 on every machine on your LAN automagically, and thats all you do. Perhaps edit a config file here or there to turn on ipv6 if its lacking for some reason. The radvd machine broadcasts on your net and provides som

Re:

[Abcd1234]

Hurricane is far better than SiXXs, IMHO. They seem to have better peering arrangements (the additional latency for me over v6 is negligable), and you don't have to go justify to HE why you want a tunnel. You ask for one, you get it. Plus, then you don't have to deal with SiXXs killing your tunnel without warning [sixxs.info].

What's the big deal?

[DeathSquid]

Anyone with IPv4 addresses can use 6to4 right now to provide IPv6 connectivity. Software support for IPv6 is common, e.g. apache, postfix, etc. Operating system support is widespread, e.g. linux, *bsd, etc.

There are no real barriers to having IPv6 public facing services for vendors except rank incompetence.

Re:

[DeathSquid]

You missed the bit where anyone with v4 connectivity can use 6to4 right now. No need for massive router upgrades or ISP cooperation, etc. Just turn it on. If you plan for a 10 minute upgrade, you'll have time to make a coffee as well. Assuming basic sysadmin competence.

I'm mystified as to why you think switches (which are layer 2) would need upgrading to support IPv6,

Of course, in the longer run, native v6 support from your ISP is highly desirable for optimal routing. But end users don't need to wait for th

Re:

[segedunum]

You missed the bit where anyone with v4 connectivity can use 6to4 right now. No need for massive router upgrades or ISP cooperation, etc. Just turn it on. If you plan for a 10 minute upgrade, you'll have time to make a coffee as well. Assuming basic sysadmin competence.

You know, I despair at people who say utterly brainless shit like this because they obviously have not a clue about how large some organisations are and how long it's taken to get their existing network infrastructure sorted and working. You cannot do this in ten fucking minutes.

I'm mystified as to why you think switches (which are layer 2) would need upgrading to support IPv6,

A lot of switching equipment can be protocol aware.

Re:

[Cwix]

Go to google and type in layer three switch.

I found this though if it helps you. Emphasis mine.

"Some MLS's are also able to route between VLANs and/or ports like a common router. The routing is normally as quick as switching (at wirespeed). According to Cisco, Level 3 switches are basically routers that switch based on Layer 3 information , the basic difference being processing speed and/or the way they do the switching; Level 3 switches use ASICs/hardware instead of the CPU/software that a router would."

Re:

[Nethead]

That must have been why I had OSPF questions on my Juniper "Enterprise Switching" cert test.

Re:

[Nethead]

You're right, for a switch it wouldn't matter.

Management stack.

Also, most "switches" these days also do layer three. Hell, the Juniper EX-4200 does BGP and it's sold as an enterprise top-of-rack switch.

Re:

[beanpoppa]

Not to mention, even my lowly access switches have multicast snooping functionality, which would require IP6 capability to continue function. And non-access distribution and core switches tend to be layer 3 'switches'.

Re:

[Bengie]

you missed that most backbones have been supporting IPv6 for years. It's ISPs that are dragging their feet.

Only half the fight

[bwindle2]

IPv6-enabled content is the first half... now to get a big ISP to enable it across all their systems (someone like Comcast, but more competent)

Re:

[gnapster]

Actually, Comcast is currently conducting trials of IPv6 [comcast6.net] with their subscribers. I am not participating right now because I had to cancel my service, but I was very close to participating six months ago.

I'll move to IPv6

[AVryhof]

....as soon as Consumer/SOHO routers that support it are in the right price range.

Right now, the lowest priced item on Newegg that comes up for IPv6 is a cable modem, which I don't need, and that's $77.

Then there is the Cisco router starting at ~$133 on sale.

OpenWRT does it, and it looks nice, but I don't have the time to fiddle with flashing a router right now.

When are we going to see a company hack something together with inexpensive chips, and flash that is dedicated to just running OpenWRT, then sell it

Re:

[blueg3]

...but I don't have the time to fiddle with flashing a router right now

Ten minutes of your time is that expensive?

Re:I'll move to IPv6

[Drakino]

Newegg doesn't sell them, but the Apple Airport Express (and any 802.11n based Apple router) supports IPv6. $99 and up. Buffalo had one out in 2007, before their WiFi lawsuit, and has a few more out now. DLink does too.

http://www.sixxs.net/wiki/Routers [sixxs.net] has a good list.

It will be interesting to see what router manufacturers decide to be nice and offer IPv6 formware upgrades, and which ones push people towards new equipment.

Too little, too late...

[bertok]

There might be some pressure in the States to push IPv6 adoption, but there's none here in Australia.

Every consulting project I've been on in the last two years, I've asked this standard question: "Do you have a business requirement or mandate to deploy IPv6 now or in the future?"

Inevitably, the answer is "No."

Here in Australia, at both private enterprise and government, nobody has even begun to think about IPv6 at any level. Nobody requires IPv6 capability when purchasing software or equipment, and even when the capability is available, nobody turns it on. The more "IPv6 aware" clients turn it off to avoid compatibility issues. Even when I offer to implement IPv6 for some new system ("no extra cost, I'll just turn it on"), nobody wants it.

Pure IPv6 networking will be particularly hard to implement. I've tried experimental setups with products from various vendors. The usual result is that with IPv6 only most things work, but some things break. Stop and think about this for a moment: imagine if that sentence was: "the usual result is that with IPv4 addresses most things work, but some things break." That would be totally unacceptable for any enterprise software, yet it's "perfectly acceptable" for every major vendor to ship software where that's the situation with IPv6, because... nobody cares. The failures are often quite pathetic too, like dialog boxes that require an IPv4 address to be entered, even if it's never used or needed, or only accept IPv4 address for things like DNS servers. Clearly vendors have never tested their products in pure IPv6 environments, or did test them and decided it's too much effort to fix for something nobody cares about.

Let me whip out my crystal ball and predict that when IPv4 addresses run out and organisations scramble to implement IPv6, it's going to be a rush job, and we'll start hearing horror stories of incompetent admins that inadvertently bypass or break firewall rules by enabling IPv6 and cause major issues. These reports in turn are going to scare off management, who'll assume "IPv6 is bad", because they "read about some horror story of how Incompetent-r-Us Pty Ltd was hacked when they turned IPv6 on, hence, IPv6 must be insecure". Combined with stories of broken software and issues like IPv6-connected browsers waiting 30-60 seconds for IPv6 requests to time out, I'm certain that nobody is going to start using it until absolutely forced to.

It's a bad, bad sign that all the major websites like Google and Facebook have "ipv6.normalurl.com". That's because practical IPv6 implementations are often broken, and if enabled it on the main website, it breaks it for a huge fraction of users. If Google and their like can't implement IPv6 transparently without issues, and are forced to create "experimental" websites, then what hope does the typical admin have?

Re:

[dakameleon]

Let me whip out my crystal ball and predict...

Come back in 6 months and you'll be able to start testing your predictions. We're down to 4 or 5 free blocks to allocate to the RIRs, and then they'll allocate onwards. Not that IPv6 is on any publically visible agenda, at least until this article came along.

That said, the internet we have today is largely a set of conventions based on patch jobs that were later formalised in the RFC process - IPv6 at least has been around for a while. Someone's going to make a lot of money out of this stuff - if you're hal

Re:

[bkk_diesel]

The more "IPv6 aware" clients turn it off to avoid compatibility issues.

Interestingly, a google search for "how to turn on ipv6" [google.com] has the first three results instructing me how to turn OFF IPv6, which seems to bolster your argument.

Re:

[smash]

Not sure where you've been looking but Telstra have a public "Transition to IPV6" document available after a simple google search. The Aussie government has a time frame of 2008-2009 for preparation, 2010-2011 for transition and 2013-2015 for "implementation" whatever that means.

Plans are most certainly afoot, I'm currently awaiting a response from my account rep, but he's just left for the christmas break.

Re:Too little, too late...

[bertok]

check your facts: http://www.google.com/ipv6 [google.com] it is native on Google...

Did you read all the way to the end? Where it says: "If your network meets these requirements and you'd like to receive Google over IPv6, please see our FAQ for how to request access."

In other words, it would be broken if enabled, and it's not enabled for everyone, unless access is explicitly requested by an ISP network administrator. I even tested this, take a look:

nslookup
> set type=AAAA
> www.google.com
Server: ####.#####.###
Address: 151.178.210.155

Non-authoritative answer:
Name: www.google.com

> ipv6.google.com
Server: ####.#####.###
Address: 151.178.210.155

Non-authoritative answer:
Name: ipv6.l.google.com
Address: 2404:6800:8004::68
Aliases: ipv6.google.com

In other words, the organisation that is likely the world's most competent "Internet host" in terms of pure technical skill had to develop a procedure to enable ISPs to dip their toe in the water and enable IPv6 access only if they're very very certain it won't break anything.

If that's the state of IPv6 adoption in 2010, mere months from IPv4 address space exhaustion, we're in big trouble.

And there is a quite active IPv6 forum in Australia, and AARNET is IPv6 for a long time...

Talk is cheap. There's no action, particularly in management.

Imagine if in late 1999, there would have been "active forums" for some techos to talking about "testing" the possibility of rolling out 4-digit dates just as soon as management approves it. Not too quickly though, because it might "break things". Meanwhile, the world's biggest banks have "experimental" 4-digit date support, if you open a new "test" account.

They ask in the RFP/RFI time, but don't install it

[(H)elix1]

In practice when I've worked with these guys (as a vendor) and been game on, lets install this in your IPv6 environment - things get quiet real fast. This is only about them trying to squeeze more from their budget dollars. They *have* software today that works in that environment. Guess what? They won't install it in anything but IPv4 networks.

That $400 hammer looks like a bargain when you deal with these folks. Sure, the engineering for the actual hammer costs $40, but all the other crap they 'want' t

Military is the trendsetter

[Spy Handler]

back in 1946 the military got rid of racial segregation, and opened up any post to anyone of any color. It took the rest of the government 20+ years to catch up.

How about the entire federal gov't follow the army's lead and REQUIRE ALL COMPUTERS, ROUTERS AND NICS BE PRECONFIGURED FOR IPV6 OUT OF THE BOX from all vendors by end of 2012, or they don't get a gov't contract. How about it, Nancy Harry and Barry?

Re:

[Cwix]

What kind of military contractor? If you sell sights for guns, I doubt they care what version IP you use. If you sell software or computer hardware, then apparently they are interested. Either that of your just not important enough to know what the military says to your boss.

Re:

[PsykoDemun]

Following your argument: I live in Northern Virginia. They are constantly doing road construction here. Why? Why didn't they just plan out for today's traffic needs thirty years ago? That is the argument you are using. A technology that was designed in the 70's was supposed to miraculously anticipate the explosion of the internet and net enabled/connected devices that we are seeing today. That is a logical fallacy. That's like saying the roads that they built in the early 1900s should have been ready to ro

Re:IPv6 is a Failure

[Xugumad]

IPv6 has been around since 1998 ( http://tools.ietf.org/html/rfc2460 [ietf.org] ). That's Windows '98/NT territory. If Windows Server can't handle it, it's not because it hasn't had long enough to be tested in that configuration.

To address your ideas in turn:

1. Auditing by who? The first crisis with IPv4 allocation is the inability to allocate new chunks. Organisations with enough IPv4 addresses already aren't going to be bothered by this for a long time.

2. So... you're avoiding the cost of configuring networks to be dual protocol, by re-configuring servers... why is that necessarily cheaper?

3. Reclaiming IP addresses is akin to solving a lack of phone numbers for the NY area by claiming back some from a less populated state. It would rapidly lead to routing tables that are infeasibly complicated.

4. Again, you're suggesting an alternative way of investing time to solve a problem instead of solving it properly, and I'm not sure why this is inherently faster.

5. Possibly some variation on the SRV records, but... again, why is replacing every OS world-wide (absolutely nothing supports that, so everything will need upgrading) cheaper than enabling IPv6 on systems that are already out there?

Sticking with IPv4 means constructing an ever more elaborate set of workarounds on top of each other. For a while it will work, but I can't see the result remaining workable, or being cheaper in the long term.

Re:

[Bengie]

Nearly all infrastructure has supported IPv6 for A LONG TIME. All major OS's have supported IPv6 transparently for the past 1-2 years. The only thing left is ISPs to set aside some of their huge cash flow and upgrade. If a company hasn't been preparing for IPv6 over the past 6 years, that's their own fault. Seems to me that any competent network admin thinks IPv6 is cake. It's all the people who are scared of learning something new that spread FUD.

IPv6 is almost the same as IPv4, except with IPv6, you don't