
IETF Mulls Working Group For IPv6 Home Networking

timothy posted more than 3 years ago | from the router-vendors-salivate-copiously dept.


alphadogg writes "The Internet Engineering Task Force is considering establishing a working group to smooth some of the impending issues around setting up and maintaining IPv6-based Internet connections in homes. 'A collection of protocols needs to be agreed upon, so vendors of equipment used in home networks will have an interoperable suite of protocols available,' said Ralph Droms, a distinguished engineer for Cisco and among those who want to form the IETF working group. Home networking is a fairly new area for the IETF. Many of its standards were designed for large-scale organizational networks, rather than home use."


Huh? (2)

XanC (644172) | more than 3 years ago | (#36685820)

Having read the article, I remain uninformed about exactly what it is they're talking about standardizing. Also, why does a publication called "Network World" assume that I know zero about networking?

Re:Huh? (5, Informative)

mellon (7048) | more than 3 years ago | (#36685890)

The idea is to come up with a standard for what home routers for IPv6 ought to look like. We'd like to preserve end-to-end transparency, which current home routers break, but at the same time we'd like to avoid creating serious security risks for people who are accustomed to the current home router security model. Support for things like DNSSEC and multihoming are also on the proposed charter.

Home Networking working group description is here. [ietf.org]

Re:Huh? (2, Funny)

GofG (1288820) | more than 3 years ago | (#36685928)

Readers be aware, please, that the parent has a 4-digit UID and if Appeal to Authority were not fallacious, this user's word would be fact.

Re:Huh? (1)

sonamchauhan (587356) | more than 3 years ago | (#36693176)

Hah, that's so old school. I started with a modern, 6-digit UID myself. I understand some really cutting-edge folks use 7-digit ones.

Back in the 90's, it had become obvious that the 4-digit range was going to run out one day... it was just a matter of time.

Unlike ipv6, the geniuses at slashdot designed their ID system such that a 6-digit and 4-digit ID can communicate directly!

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#36685958)

It is especially amusing that this is coming from Cisco, seeing as how their home products STILL lack IPv6 support beyond stealth 6to4 in some cases.

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#36686086)

The E4200 now fully supports IPv6: native dual-stack and 6rd with DHCPv6 prefix delegation, assignment of a /64 to the LAN side interface, etc.

http://blogs.cisco.com/consumer/linksys-e4200-wireless-router-supports-ipv6/

- Ralph

Re:Huh? (1)

mellon (7048) | more than 3 years ago | (#36686820)

Actually, this builds on a bunch of work done by Apple, who have been shipping IPv6 support for quite a long time. All of your bonjour are belong to IPv6, for example, and if you have a Time Capsule or Airport Extreme, that supports IPv6 as well. Apple got a bit burned a while back because they enabled 6to4 by default, so at this point I'd say they have a fair amount of street cred in the IPv6 home gateway space.

Re:Huh? (1)

XanC (644172) | more than 3 years ago | (#36687870)

I wouldn't say they got burned because they enabled 6to4 by default; I'd say they got burned because their desktop systems then preferred to use 6to4 over native IPv4, which they're not supposed to.

Re:Huh? (2, Insightful)

hairyfeet (841228) | more than 3 years ago | (#36688854)

That brings up something I've been wondering for a while... how long should a government allow "designed for the dump" products to be brought in before saying no? Because IIRC they had rules with regards to digital tuners in TVs for a decent amount of time before the switch, yet here we are officially out of IPv4 addresses and still the vast majority of routers on NewEgg have NO IPv6 and most likely never will. In fact, short of the expensive Apple offerings, I don't think there is a single consumer router on NewEgg that supports IPv6.

Now since we know that when the switch does finally happen these routers are landfill fodder, shouldn't the government step in and "just say no" to bringing in this crap? Because from the looks of it, until the government does step in, the sub-$60 routers are gonna be strictly IPv4.

Re:Huh? (3, Informative)

TheReaperD (937405) | more than 3 years ago | (#36685986)

Yes, all of that, and one major point you are missing: doing all of this with little to no interaction from the user. The current standards assume a network tech to configure the router. With the home user, that is almost never going to happen. They want to create a set of "defaults" that everyone can rely upon for the auto-configuration.

Re:Huh? (1)

mellon (7048) | more than 3 years ago | (#36686658)

Yup, that's correct.

Re:Huh? (1)

davester666 (731373) | more than 3 years ago | (#36691152)

Don't forget, they also need a way to definitively link an IPv6 address with a name, address, home phone number and current drivers license photo.

Re:Huh? (1)

TheReaperD (937405) | more than 3 years ago | (#36693272)

Though being paranoid about such things, especially in the MAFIAA-controlled US, never seems to be as tinfoil hat as it should these days, it won't matter. Faking an IPv6 address will be a trivial task for even a script kiddie and won't be too hard for anyone willing to read an article they Google. The stupid will still get caught, but the cops have always enjoyed the low-hanging fruit of the criminal world to make it look like they do actual work.

Before anyone gets offended, I know and have met honest, dedicated and smart cops. Sadly they're usually the exception, not the rule. Criminal enterprise has always paid better so they tend to get the better talent as morals don't pay the bills.

Re:Huh? (1)

jrumney (197329) | more than 3 years ago | (#36690808)

UPNP IGD works over IPv6. Even if you are not NATed, it seems it would be a good idea to block all incoming ports at the router unless a client inside the local subnet specifically asks for it to be forwarded. Apple messed up badly on this one by making their equivalent Bonjour based protocol specific to NAT.

Re:Huh? (1)

shtrom (1251560) | more than 3 years ago | (#36692596)

Stuart Cheshire, the Apple guy behind the mDNS and DNS-SD (a.k.a. Bonjour) Internet-Drafts, is currently involved in the Port Control Protocol (PCP) Internet Draft: http://tools.ietf.org/html/draft-ietf-pcp-base-13 [ietf.org] .

> "The Port Control Protocol allows an IPv6 or IPv4 host to control how incoming IPv6 or IPv4 packets are translated and forwarded by a network address translator (NAT) or simple firewall, and also allows a host to optimize its outgoing NAT keepalive messages."

Re:Huh? (1)

perlchild (582235) | more than 3 years ago | (#36686050)

It also might mean they don't fancy going against a router model made up of BSD- and Linux-based software routers on appliance hardware in the home market. (Some of those risks can be lessened by default configurations, proper web-based configurators and the like.) And the last Slashdot discussion of IPv6 left me with the certitude that LTE, at least, was IPv6 based.

On the other hand, it could just mean that IPv6 has failed, as it's the first time the IPv6 model has been presented as "not good enough for the home". Whereas the addressing always implied "one IPv6 for each of your devices" (almost like RFID for Bluetooth devices, on the internet, all the time), they didn't figure out the firewalling?

Not necessarily "failed". (2, Interesting)

khasim (1285) | more than 3 years ago | (#36686194)

> Whereas the addressing always implied "one ipv6 for each of your devices"(almost like rfid for bluetooth devices, on the internet, all the time), they didn't figure out the firewalling ?

IPv6 has a section for private use.

FD00::/8

So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

Beyond that, it's just a matter of phrasing. The techs designing the home routers/firewalls know what the technology can do. The issue is phrasing that in a way that the home user can make an informed choice on what options they want to enable for which of their machines (connecting to which machines on the Internet).

Re:Not necessarily "failed". (1)

tlhIngan (30335) | more than 3 years ago | (#36687706)

> IPv6 has a section for private use.
>
> FD00::/8
>
> So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.

Bingo, you've just hit the major problem with IPv6. Despite NATv6 being proposed, no one really wants to implement it even though it would basically mean a plug-and-play installation - remove your IPv4 only router, put in your new NATv4/v6 router, and be done with it. Bonus points for implementing NAT-PT as well.

After all, one of the nice things with NAT is it means my internal network addresses don't change on the whim of my ISP. They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

Sure the nice thing is having end-to-end connectivity (only to have firewalls break it), but why can't there be a choice? Those who want full end to end connectivity can have it, those who want to put up with the issues with NAT but have their internal network addressing remain stable, can have it too. We have that choice with IPv4 these days - if we want NAT, we get a router, else we get a switch and get issued a new IP for the other device.

Besides, the same NAT traversal tricks already exist, so even existing software doesn't have to care. Then there's always port forwarding which is well understood.

Re:Not necessarily "failed". (0)

Anonymous Coward | more than 3 years ago | (#36687984)

Please note that part of the IPv6 standard implementation is the requirement of supporting multiple IP addresses on a physical link. So you can happily assign a private IPv6 AND your provider-prefixed global IP to a single network interface.

As a matter of fact, modern OSes can already do this with IPv4. I think even Windows, but that might involve using the CLI and the net commands.

Re:Not necessarily "failed". (0)

Anonymous Coward | more than 3 years ago | (#36688232)

> They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

Actually it should be pretty transparent. For internet stuff it'll use the public IP, but on your LAN you'll have a fe80:: local address, the last bits of which are your MAC.

There's also the possibility that some ISPs might end up giving static IP address blocks to all customers. Given the HUGE address space they're being assigned, they have plenty of addresses available to do that. There's no longer a justification for dynamic addresses (reusing oversubscribed addresses).
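The "last bits are your MAC" remark above refers to the modified EUI-64 interface identifier that SLAAC derives from the MAC address. The following is an added example, not code from the thread, showing the derivation, its inverse, and why the same identifier reappears under every prefix the ISP hands out (helper names are hypothetical):

```python
# Added example (not from the thread): modified EUI-64 interface identifiers
# as used by SLAAC, per RFC 4291 Appendix A.  Helper names are hypothetical.
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 from a 48-bit MAC: insert 0xff 0xfe
    between the OUI and the device part, then invert the universal/local
    bit (value 0x02 in the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the modified EUI-64 of the MAC.  The same
    function yields the link-local address (prefix fe80::/64) and the global
    address (the ISP-delegated /64): only the first 64 bits differ."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The fe80:: case discussed in the comment above."""
    return slaac_address("fe80::/64", mac)


def embedded_mac(addr: str):
    """Inverse: if the interface identifier carries the ff:fe marker, recover
    the MAC it was derived from.  Returns None for identifiers that do not
    look EUI-64-derived (RFC 4941 privacy addresses, manual ones like fe80::1)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def same_interface(addr_a: str, addr_b: str) -> bool:
    """Two addresses under different prefixes that share an EUI-64 identifier
    belong to the same NIC, so an ISP renumbering does not change which
    device is which; this is why privacy extensions randomise the identifier."""
    mac_a, mac_b = embedded_mac(addr_a), embedded_mac(addr_b)
    return mac_a is not None and mac_a == mac_b
```

The MAC 00:1c:42:2b:60:5a used in the checks is a constructed sample value.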

Re:Not necessarily "failed". (1)

knorthern knight (513660) | more than 3 years ago | (#36690876)

> There's also the possibility that some ISPs might end up giving static IP address blocks
> to all customers. Given the HUGE address space they're being assigned, they have
> plenty of addresses available to do that. There's no longer a justification for dynamic
> addresses (reusing oversubscribed addresses).

That was the thinking when the original internet had /8 addresses handed out. Some people never learn. Fercryinoutloud, a /64 is 2^64 addresses. China's current population is approx 1.4 billion. Assume it grows to 4 billion later this century; a /64 would still supply every man/woman/child in China with 4 billion addresses each.

PA and PI addresses (0)

Anonymous Coward | more than 3 years ago | (#36691942)

No, since one can have multiple IP addresses, there are the concepts of provider assigned and provider independent addresses - particularly handy for an organization that will need an ISP independent network.

Let's say you get a /64 block from your ISP, and they need to redo their prefixes, or whatever. However, you can also yourself directly get a host of addresses, say /48, from ARIN (or your local RIR). The way you do it is set up your network, w/ your addressing schemes, using the addresses that you bought, and let it remain constant regardless of who your ISP is, or what they're doing. You can do this using a combination of SLAAC and DHCPv6.

However, w/ the ISP's addresses, just do a stateless autoconfiguration for every device you want on that network, which also has its corresponding equivalents in the network you just defined. In other words, don't spend much time on them, except getting them 'live'. That way, they are only used for connecting to the internet via the ISP, but other than that, for everything going through your network, you use the network that you picked.

Dynamic addresses do have their advantages however - changing the addresses and not having static ones reduces one's threats, and that can be arranged by DHCP. IPv6 includes DAD - Duplicate Address Detection - which also assigns addresses one of 5 states - Tentative, Preferred, Duplicated, Deprecated and Invalid. Unlike in IPv4, one can't just assign an IP address w/o ND performing a DAD and determining its validity.

Re:Not necessarily "failed". (1)

mikkelm (1000451) | more than 3 years ago | (#36688972)

> After all, one of the nice things with NAT is it means my internal network addresses don't change on the whim of my ISP. They give me a 24.x.x.x today and a 70.x.x.x tomorrow? Nothing changes. But if full IPv6 is used, then when my ISP decides they need to do their prefixes, everything in my house gets a new IP as they inherit the new prefix. That's a huge PITA.

If "full" IPv6 is used, then surely your local addressing will be handled using FD00::/8 addresses, and no local issues will arise when you're issued new global unicast addresses by your ISP. It's only a PITA if you do it wrong.

Re:Not necessarily "failed". (0)

Anonymous Coward | more than 3 years ago | (#36689100)

For local addressing, you would typically use the link local address anyway (FE80::). So even if your ISP changes your global prefix, only the global addresses would change on your systems, not the link local addresses.

Re:Not necessarily "failed". (1)

suutar (1860506) | more than 3 years ago | (#36697598)

or even just the link-local addresses (fe80::/10). They're based on MAC addresses so they should be pretty stable, no?

Re:Not necessarily "failed". (1)

mikkelm (1000451) | more than 3 years ago | (#36698156)

If your network will only ever span a single segment, and if you don't plan on connecting via VPN, sure. Link-local addresses don't route, so if you'd need layer 3 forwarding, you'd need FD00::/8 addresses.

Re:Not necessarily "failed". (1)

suutar (1860506) | more than 3 years ago | (#36700472)

Good point. I only have one segment now, and I don't see that changing, but if it did, link local would no longer suffice. (I'm not sure VPN would be helped by FD00::/8, though. Since I'm presumably VPN'ing from outside, wouldn't I need to use a non-private address anyway?)

Re:Not necessarily "failed". (0)

Anonymous Coward | more than 3 years ago | (#36698200)

Just a heads up, NAT-PT has been moved to historical status. It is no longer used/supported because of the bugs it involves, mostly due to application gateways.

IPv6 scope addresses (0)

Anonymous Coward | more than 3 years ago | (#36691892)

> Whereas the addressing always implied "one ipv6 for each of your devices"(almost like rfid for bluetooth devices, on the internet, all the time), they didn't figure out the firewalling ?
>
> IPv6 has a section for private use.
>
> FD00::/8
>
> So the home router manufacturers could have the exact same configs as today (with IPv4) with IPv6. With all the same benefits and problems that we have today. And that people are familiar with. And familiarity is the important thing here.
>
> Beyond that, it's just a matter of phrasing. The techs designing the home routers/firewalls know what the technology can do. The issue is phrasing that in a way that the home user can make an informed choice on what options they want to enable for which of their machines (connecting to which machines on the Internet).

Make that FC00::/7, as per the IETF definition for unique local unicast [iana.org]

But in IPv6, a device can have multiple IPv6 addresses from different networks (unlike in IPv4). One from the ISP, but then if the consumer happens to have his own /64, he has IPs for say his own website, cellphone, IPAD, and so on. Let's say he's trying to connect to his work VPN - he'd get an address from there as well. So he'll have a bunch of addresses, and anyone from within any of those networks should be able to access him, so long as he's online.

So if he's doing home networking, getting private addresses here may be redundant. As for the routers, I can see them being more like site-local addresses (think of a gateway address in IPv4). So the address of a wireless router would be something like ff05::2, as a router on the site. NATting wouldn't be done here, since that would disrupt the peer-to-peer paradigm which is why one would want it in the first place. But these addresses are automatically assigned - you have

0 reserved
1 interface-local scope
2 link-local scope
3 reserved
4 admin-local scope
5 site-local scope
8 organization-local scope
E global scope
F reserved

and multicast groups

1 node
2 router
5 OSPF IGP router
6 OSPF IGP Designated router
9 RIP router
a EIGRP router
b mobile agent
109
d PIM router
16 MLDv2 capable router
fb DNS server
101 NTP server
108 NIS+ server
1:2 DHCPv6 relay agent or server
1:3 DHCPv6 server (but not relay agent)

As a result, one would have multicast addresses like

ff02::1 All nodes on the local link
ff05::1 All nodes in the organization
ff02::2 All routers on the local link
ff05::2 All routers in the site
ff02::fb All DNS servers on the local link
ff08::fb All DNS servers in the organization

Note that all these addresses are automatically created when an IPv6 address is created - the node doesn't have just one IP. All this alone would allow the devices to work within that local network.
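As an added example (not code from the thread) covering both the FE80::/10 versus FC00::/7 exchange above and the scope and group tables in this comment, the following classifies an IPv6 address by its well-known prefix, decodes the scope nibble and group ID of a multicast address per RFC 4291, and reports how far each kind of address can be routed. Helper names are hypothetical; the sample addresses in the checks are constructed.

```python
# Added example (not from the thread): IPv6 address classification and
# multicast scope/group decoding following RFC 4291.  Helper names hypothetical.
import ipaddress

# Multicast scope values (low nibble of the second octet).  Scope 3 was
# reserved in RFC 4291 and later assigned as realm-local by RFC 7346.
SCOPE_NAMES = {
    0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
    0x3: "realm-local", 0x4: "admin-local", 0x5: "site-local",
    0x8: "organization-local", 0xE: "global", 0xF: "reserved",
}

# A few well-known group IDs (the low 112 bits); anything else is "unknown".
GROUP_NAMES = {
    0x1: "all nodes", 0x2: "all routers", 0x16: "MLDv2-capable routers",
    0xFB: "mDNSv6", 0x10002: "all DHCP agents", 0x10003: "all DHCP servers",
}


def decode_multicast(addr: str):
    """Return flags, scope name and group name for an ff00::/8 address,
    or None if the address is not multicast."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return None
    packed = a.packed
    flags, scope = packed[1] >> 4, packed[1] & 0xF
    group = int.from_bytes(packed[2:], "big")
    name = GROUP_NAMES.get(group)
    if name is None:
        # ff02::1:ffXX:XXXX is the solicited-node group used by Neighbor Discovery.
        name = "solicited-node" if group >> 24 == 0x1FF else "unknown"
    return {"flags": flags, "scope": SCOPE_NAMES.get(scope, "unassigned"), "group": name}


def classify(addr: str) -> str:
    """Name the address family by well-known prefix."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return "multicast"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):   # RFC 4193 unique local; includes fd00::/8
        return "unique-local"
    if a in ipaddress.IPv6Network("fec0::/10"):  # deprecated by RFC 3879
        return "site-local (deprecated)"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "other"


def reach(addr: str) -> str:
    """How far the address is meant to be routed: 'link', 'site' or 'internet'.
    Link-local never crosses a router; ULA stays inside the site; only global
    unicast (the ISP-delegated prefix) and global-scope multicast leave it.
    Multicast scopes between link and global are all treated as site-bounded."""
    kind = classify(addr)
    if kind == "multicast":
        scope = ipaddress.IPv6Address(addr).packed[1] & 0xF
        return "link" if scope <= 0x2 else ("internet" if scope == 0xE else "site")
    return {"link-local": "link", "loopback": "link", "unique-local": "site",
            "site-local (deprecated)": "site", "global unicast": "internet"}.get(kind, "other")
```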

Re:Huh? (2)

Old time hacker (302793) | more than 3 years ago | (#36686548)

> It also might mean they don't fancy going against a router model made up of bsd and linux software-based routers on appliance hardware in the home market.

As far as I know, most of the home routers today are based on open source platforms. [Yes, I know that some models use proprietary operating systems as it allows less RAM to be provided on the box]

I'm just about to install networked thermostats into my house. The current model is that it connects to a central server somewhere, and, in order to control my thermostat, I also have to connect to that site. This is crazy. I should be able to talk directly to my thermostat (over v6) from my smartphone (without needing to type in a v6 address!) Somehow my home firewall (without configuration) has to know that it can let my traffic in, but not other people who want to change the setting on my thermostat.

The trick is finding a way to make this happen securely and without configuration. On the face of it, this seems like a challenging task.

Philip

Re:Huh? (1)

0123456 (636235) | more than 3 years ago | (#36686720)

> The trick is finding a way to make this happen securely and without configuration. On the face of it, this seems like a challenging task.
>
> Philip

I believe you mis-spelt 'impossible'.

Somehow you need to configure your thermostat to tell it which devices to accept connections from, or you have to open it up to everyone. Otherwise you're expecting magic.

And the last thing I want is random IPV6 devices opening holes in my firewall by themselves; UPnP is a security disaster zone.

Re:Huh? (2)

isj (453011) | more than 3 years ago | (#36687912)

http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01 [ietf.org] has some interesting ideas. At least it is a starting point - we don't want to end up with the same situation as for IPv4 where everything has to be piggybacked on inside-initiated HTTP connections.

Re:Huh? (1)

sjames (1099) | more than 3 years ago | (#36690644)

It won't happen without a change of firmware on the thermostat. Even starting fresh, there would have to be some configuration, especially since your prefix is subject to change over time.

As for security, a pairing would be needed. For example, the app on your phone could generate a random key. To pair them, you contact the thermostat with the phone and then approve the connection on the thermostat itself to prove you have physical access.

Re:Huh? (1)

knorthern knight (513660) | more than 3 years ago | (#36690930)

Howsabout a home server that accepts ssh connections (key-only, no passwords to brute-force). Connect the thermostats to your home box as "the central server", and ssh to your server when you want to do stuff.

Re:Huh? (1)

sjames (1099) | more than 3 years ago | (#36692060)

That's probably still going to be a firmware update to make the central server configurable.

Re:Huh? (1)

Darinbob (1142669) | more than 3 years ago | (#36686654)

Anywhere that IPv6 is not good enough for the home, IPv4 will also not be good enough.

Re:Huh? (1)

mellon (7048) | more than 3 years ago | (#36686734)

Eh? The IPv6 model hasn't been presented anywhere as "not good enough for the home." The problem is that IPv4 home gateways evolved kind of in the same way that layers of barnacles evolve, and we'd like it if IPv6 home gateways had a standard they could check off on their feature list that actually meant something. You know, "Supports RFC8192," where RFC8192 specifies behavior that will work well in the home environment, and won't invalidate all the work that's been done to date to make IPv6 an actual improvement over IPv4.

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#36686212)

You may want to preserve end-to-end transparency; I'm still not convinced that LocID Split will solve the routing problems, and would rather see a recursive networking architecture.

Re:Huh? (1)

slashmydots (2189826) | more than 3 years ago | (#36686530)

Really? That sounds logical and all but it sounds to me more like they just want people to have to get a new phone, laptop, and Xbox when they buy a new router. I don't need IPv6 inside my house. That's pointless and some of my devices don't support it. I'm concerned that my ISP needs to get me a modem that can take an IPv6 address and start issuing them to it but that gets forwarded to the department of not my problem. They're the ones running out of addresses, not me. My home network is doing fine lol.

Re:Huh? (1)

mellon (7048) | more than 3 years ago | (#36686712)

Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity. Anyway, based on your use of idiom, I suspect you live in the U.S., or possibly Canada, so you will be able to continue using IPv4 at least until your current set of networked devices wears out and stops working. The world on the whole is quite a bit different than it might seem from where you are sitting—there are places where an IPv6 address is going to be a *lot* more useful than an IPv4 address, in the very near future. Not your problem, but still work worth doing.

Re:Huh? (1)

Obfuscant (592200) | more than 3 years ago | (#36688042)

> Sure, except for all the things you can't do with it, because you don't have end-to-end connectivity. But you don't know about those things, because nobody is selling those products, because they don't work, because everybody's home gateway boxes break end-to-end connectivity.

Which, for most users, is a Good Thing, not A Problem. It allows most users to simply install iTunes on their peecee and turn on sharing so they can access their music library from other peecees without having to worry about someone outside scamming their music. Their "gateway" is keeping the bad guys out by "breaking end to end connectivity", at least when the initiating end is outside the home.

It is that last item that makes "breaking" a Good Thing.

Can you give some clues (or even be more explicit) on what mechanisms are being considered to allow "no configuration" end-to-end connectivity to occur? How does the gateway at your house know the address of your phone unless you tell it? Yes, it can know the address your phone is using, but how does it know that it is YOUR phone and should be allowed in?

Re:Huh? (1)

mellon (7048) | more than 3 years ago | (#36688798)

There are a number of proposals to solve that problem on the table. Perhaps you should consider participating.

Re:Huh? (2)

Stupendoussteve (891822) | more than 3 years ago | (#36688986)

Get rid of NAT and the gateway has to work as a real firewall, that is all. That is not some security nightmare, unless companies do not actually put a worthwhile default firewall policy into the gateway. Things like port forwarding would not be needed, but only allowing connections on specific ports could still be controlled pretty well and locked down by default, the gateway just doesn't forward the traffic through to the internal interface. The upside is you could allow multiple devices to be accessed on the same port, rather than being forced to use different ports as it is today.

If your gateway is working correctly as a router, it should not be broadcasting things like iTunes outside the network anyway.

For your phone bit... a gateway can tell what interface traffic is coming from. If traffic with the correct address is coming from the correct interface, it's a good chance it is an authorized device. If not, then you've probably got bigger problems than someone outside on the internet. If you are speaking of a phone on the external network, it would have to do what any device should have to do with port forwarding today, the phone would have to authenticate to whatever machine it wanted to connect to. It's not like you're giving unfettered access to the entire network just because you remove NAT, if you wanted the phone to have that access then you should use a VPN.

Re:Huh? (1)

tomherbst (888500) | more than 3 years ago | (#36687134)

I expect your house may be either doing or capable of doing a lot of IPv6 if the devices, software, etc are fairly current. Apple and Microsoft both use IPv6 for many functions, transparent to what the user sees. Apple has used IPv6 (linklocal) for configuring their Airport routers, for example. Many of the cloud based services like back to my mac are tunneling IPv6 in IPv4. Microsoft tunnels IPv6 for their cloud services, also.

Re:Huh? (2)

petermgreen (876956) | more than 3 years ago | (#36687276)

I'm sure some form of v4 service will be maintained for a long time to come. However, due to IP shortages some users will not get public v4 IPs; instead their v4 service will go through a NAT controlled by the ISP. Since the user doesn't control this NAT they will not be able to accept incoming v4 connections. Depending on how the ISP implements that NAT they may or may not be able to use NAT traversal techniques (or they may be able to use them but not reliably). These NATs may well be overloaded in terms of either public IP space or in terms of processing hardware, making v4 service in general unreliable.

So while we don't need to immediately replace everything that doesn't support IPv6, it is prudent to make sure it is supported in new kit going forwards. The problem is that most critical work as to how IPv6 is to be deployed in the home environment has yet to be done or is still in its infancy. In theory we could deploy it in the same way we do v4, with NAT in the home router, but there are many who would like to see NAT die alongside IPv4 (whether it actually will or not remains to be seen).

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#36686910)

Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a masters degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf)

Re:Huh? (1)

WaffleMonster (969671) | more than 3 years ago | (#36688740)

> Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a masters degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf [minisip.org] )

What are the "security reasons" for NAT vs SPI? What is the difference?

Re:Huh? (1)

mellon (7048) | more than 3 years ago | (#36688808)

That's because NATs exist to share (not save) addresses. You can get the exact same security characteristics with a firewall, if that's what you want.

Re:Huh? (1)

Stupendoussteve (891822) | more than 3 years ago | (#36689006)

The security reasons for using NAT are easily overcome with a real firewall, which at this point is not outside of the processing limits of home routers.

Re:Huh? (1)

asdfghjklqwertyuiop (649296) | more than 3 years ago | (#36690358)

> The IETF has consistently and adamantly refused to accept that NATs exist for security reasons

And that's because it doesn't.

Re:Huh? (1)

baerm (163918) | more than 3 years ago | (#36696414)

> Perhaps you should include engineers from the real world in your deliberations. The IETF has consistently and adamantly refused to accept that NATs exist for security reasons (NOT JUST TO SAVE ADDRESSES!!) and are not going to go away with IPv6. In that regard, please stop inventing protocols that require a masters degree thesis to pass through NATs. (Thesis here: http://www.minisip.org/publications/Thesis_LaTorreYurkov_feb2006.pdf [minisip.org] )

Perhaps, many within the IETF understand that NATs exist to generate more address space and they also provide some firewall-like security features. Perhaps some of them might even think that when the additional address space needs are unnecessary, the use of NATs as a firewall is also unnecessary. You might even just use, I don't know, something that is explicitly a firewall and not bother NATing.

If you really want security, having a device which functions explicitly for security might be better than, "Hey, I'm doing this NAT thing because I want more address space at home instead of that stinking single static (most people dynamic, sigh) IP my ISP is giving me. But now that I have 18 quintillion IP addresses at home I can't possibly get rid of NAT and use a firewall that blocks incoming connections because, ..., Bueller?"

Re:Huh? (0)

Anonymous Coward | more than 3 years ago | (#36686060)

networkworld and itworld use slashdot as a marketing affiliate to drive pageviews. You can find links to their stories approximately every day on slashdot, when often it's a retread of a story from elsewhere.

Because it's written for CIOs? (1)

Marrow (195242) | more than 3 years ago | (#36686930)

Just a guess. :)

IPv4 all gone? (0)

Anonymous Coward | more than 3 years ago | (#36685844)

I thought the end of IPv4 rapture was meant to have happened already but there have been no end of the world style articles recently....

Re:IPv4 all gone? (1)

SuricouRaven (1897204) | more than 3 years ago | (#36686112)

IPv4 should have run out by now, but its dominance is being prolonged by many organisations doing whatever they can to postpone the very difficult and very expensive upgrade process. Eventually there will come a point where the difficulty of continuing to keep IPv4 running through scarce addressing and multi-level NAT will grow so great that switching to IPv6 will seem easier, but that point is many years away. For now, it's always easier to buy time with a little more improvisation.

hardware needs updates for IPv6 and software as we (1)

Joe_Dragon (2206452) | more than 3 years ago | (#36686502)

hardware needs updates for IPv6 and software as well.

lots of routers can't do IPv6 and others say we are working on IPv6 updates.

Re:hardware needs updates for IPv6 and software as (1)

SuricouRaven (1897204) | more than 3 years ago | (#36687120)

That would be the 'very expensive' part of the upgrade process.

How much of IPv4 is really gone (1)

billstewart (78916) | more than 3 years ago | (#36688442)

  • IANA has given out all of its IPv4 space to the Regional Internet Registries (RIRs.)
  • Some of the RIRs still have one or two /8s they haven't given out to ISPs and End-Users yet, and APNIC will probably run out this fall; they're all giving it out more slowly now.
  • Existing ISPs mostly have some space left to give out to End Users, and maybe they can get a bit more from their RIR, but not much, and small ISPs may be able to get a bit more from their upstream ISPs.
  • End Users will have a much harder time getting Provider Independent space from their RIRs, and may have to get Provider Assigned space from their ISPs instead. But many end users do have enough space for their existing sites, as long as they're not trying to open new sites.

Re:How much of IPv4 is really gone (1)

SuricouRaven (1897204) | more than 3 years ago | (#36691166)

They can NAT, then double-NAT. If they really need addresses, they can buy from someone else who has some left over. Now that IPv4 addresses are in shortage, they become a commodity.

Re:IPv4 all gone? (0)

Anonymous Coward | more than 3 years ago | (#36686748)

It was supposed to happen in 1994.

Hmmm... (-1)

Anonymous Coward | more than 3 years ago | (#36685994)

mulled working group, I prefer mine with cinnamon and not too much sugar.

This does not inspire confidence (1)

Marrow (195242) | more than 3 years ago | (#36686378)

"Home networking is a fairly new area for the IETF." -- this statement does not inspire confidence. The majority of the networks in the world are small NAT based networks. Small businesses based abound a NAT firewall are indistinguishable from these home networks. And now they say they are just getting around to thinking about the vast majority of networks?

Re:This does not inspire confidence (1)

Zombie (8332) | more than 3 years ago | (#36687026)

Residential networking has been booming lately, and we're only scratching the surface compared to what's about to come. We want to make sure that the home has all the goodness of properly configured, secure, scalable networking without any of the administration overhead. I may be my family's IT department, but I shouldn't have to be. Stuff should just work. That's what this is about.

Re:This does not inspire confidence (0)

Anonymous Coward | more than 3 years ago | (#36687028)

Absolutely right. The IETF has been in denial about NATs and why they exist for many, many years. "LA LA LA. NATs don't exist, NATs don't exist. The vast majority of businesses surely do not use NATs! LA LA LA. I can't hear you..."

Re:This does not inspire confidence (1)

petermgreen (876956) | more than 3 years ago | (#36687674)

The thing is with NAT they don't need much thinking about because a NAT box looks like a router with a fixed configuration to its clients and looks like an end device to the ISP. Therefore no special protocols are needed to make everything work automagically (beyond configuring login details etc. if the WAN side is PPP).

However the powers that be have decided (rightly or wrongly) that NAT is evil and not an option for v6 deployment. In the absence of NAT the task of a home router gets quite a lot more complex since it must receive a somewhat dynamic* block of IPs from the ISP and supply those IPs to its clients. A more complex firewall administration system is also needed (the default policy of the firewall will presumably be outgoing connections allowed, incoming connections denied to match the behaviour of existing NAT boxes).

* exactly how dynamic is likely to vary from weeks to years.

Re:This does not inspire confidence (1)

upuv (1201447) | more than 3 years ago | (#36690340)

I honestly can't believe that NAT will not be implemented by vendors of home equipment.

Of course it will.

All it will take is an ISP to issue a ridiculously small range to home users and Boom NAT comes into existence as a means of getting around the issue. ISPs are going to try and make money as they do today from issuing static IP ranges to users. You can make more money if you make the ranges small. It's obvious that a money grab will cause home NATing.

Secondly small devices in the home will be connected as well. I mean everything from alarm clocks to dishwashers. It strikes me as insanity to expose these devices' addresses to the network at large without going through some sort of internal filter mechanism. The filter being a combination of firewall / NAT / data aggregation. These small devices are a rich target space for hackers, as they are going to be basically little Trojan horses in every household inside the protected home network. I most definitely will want them masked behind NAT and a lot of other obfuscating technology.

So will there be a need for home networking protocols? Absolutely. Stuff that doesn't exist today? Yep. The reason is that more and more minor devices are going to be networked. Stuff that we do not think of as needing it today will be. Most likely all of it wirelessly too. If I can bring home a clock radio that I only ever have to plug into the wall and it magically connects to the home network to get time sync, my favourite music stations, my work calendar and the weather, I'm fairly positive that I don't want hackers into this now smart device that now has access to important personal data. At the same time I want this to magically work when I bring it home.

There is no standard for this sort of thing today. ( This is where someone brings up some esoteric reference to a standard no one really uses. ) Remember the standards are not just around communication protocols. It will also have a direct influence on the simple user interface conventions. Why? Well simply put we need a method of adding a device to the home network in a very easy and intuitive way. This method must provide a level of trust and security. It must also somehow be able to proxy the users authority. Since many home devices will belong to different individuals in the home each device will most likely have to be branded to a user or set of users. So in the end if there is no standard around these interfaces and protocols there will be a reduction in the quality, usability and security of home networks.

Back around to the parent post. So I absolutely see a need for home networks to NAT. NAT as just one of many tools used to secure and personalise the home network.

Necessity of it all (0)

Dragon_Eater (829389) | more than 3 years ago | (#36686406)

Why not maintain the IPv4 for the home scale devices (5 port routers) with a IPv6 WAN side connection?

It seems very overkill to push IPv6 to the home level; even with "network light bulbs", how many can one house have? 20 - 30 would be a lot of lights and even if everything in your house came with built in WiFi I don't think you could fill up 255 addresses in 99% of homes out there.

Also from a tech perspective can you imagine the support calls with customers rattling off IPv6 addresses all the time?

  my $0.02 anyways.

Re:Necessity of it all (0)

Anonymous Coward | more than 3 years ago | (#36686558)

I think the point is to do away with NAT entirely.

Re:Necessity of it all (1)

0123456 (636235) | more than 3 years ago | (#36686742)

I think the point is to do away with NAT entirely.

The question is why that's considered to be a good thing. I like the fact that random web site can't tell which device in my house is connecting to it because they all have the router's IP address.

Re:Necessity of it all (1)

WaffleMonster (969671) | more than 3 years ago | (#36686856)

The question is why that's considered to be a good thing. I like the fact that random web site can't tell which device in my house is connecting to it because they all have the router's IP address.

Like web sites have any trouble doing that today with fingerprinting and (flash) cookies.

Re:Necessity of it all (1)

0123456 (636235) | more than 3 years ago | (#36688028)

Like web sites have any trouble doing that today with fingerprinting and (flash) cookies.

Yeah, because that's so much easier than just looking at the IP address.

Nor will they have a great deal of luck when all the computers in the house run the same OS and clear flash crap every time they reboot.

Re:Necessity of it all (1)

WaffleMonster (969671) | more than 3 years ago | (#36688832)

Yeah, because that's so much easier than just looking at the IP address.

Site owners use tools written by others who have done all the difficult work for them. They have no reason to care about a distinction between easy and easier.

Nor will they have a great deal of luck when all the computers in the house run the same OS and clear flash crap every time they reboot

Do you really clear cookies every time you reboot? Why not just turn on IPv6 privacy extensions?

Re:Necessity of it all (1)

not-my-real-name (193518) | more than 3 years ago | (#36688052)

With IPv6, you could have the router come up with a new IP address for each connection. So instead of everything looking like it comes from the same IP address (as with NAT), you could have every connection look like it comes from a different address.

Re:Necessity of it all (1)

cjb658 (1235986) | more than 3 years ago | (#36688142)

I wonder if we'll start seeing ISPs billing you extra for every additional device you connect to your home network.

Re:Necessity of it all (1)

arglebargle_xiv (2212710) | more than 3 years ago | (#36691502)

I think the point is to do away with NAT entirely.

The question is why that's considered to be a good thing.

It's not a good thing or a bad thing, it's an IETF article of faith. To the IETF, NAT has been an abomination upon the earth for as long as it's existed, to the extent that they've designed some protocols to deliberately break NAT (why do you think IPsec via IKEv1 and AH was so hard to get through a NAT?) in the hope that it would discourage its use (of course the exact opposite happened and NAT discouraged the other protocol's use). To the IETF, NAT doesn't exist, and where they're forced to acknowledge its existence, it's only to the extent that it has to die. The histrionics over NAT in some IETF RFCs would be almost comical if they weren't so sad.

Re:Necessity of it all (0)

Anonymous Coward | more than 3 years ago | (#36700648)

It could be that almost all other internet protocols were designed to break NAT. Or perhaps the IETF is correct and NAT pretty much breaks how the internet is designed and breaks the other protocols.

"If you think your protocol is sane, but all the other protocols think yours is crazy, you may just be a NAT."

Re:Necessity of it all (0)

Anonymous Coward | more than 3 years ago | (#36692028)

But NAT didn't exist even in IPv4 for a long time - it was just introduced as a stop-gap arrangement until IPv6 was ready. And it was recognized that it would break end-end connectivity, and that it's just a temporary way of getting around addressing limitations.

Bottom line - there needs to be a firewall for all devices, instead of tossing it all into the gateway where the NAT addresses are resolved

Re:Necessity of it all (2)

WaffleMonster (969671) | more than 3 years ago | (#36686770)

Why not maintain the IPv4 for the home scale devices (5 port routers) with a IPv6 WAN side connection?

What would the point of that be? Some of us care about using P2P services like Skype and don't particularly want random people on the Internet to be intermediaries for our traffic just because you are averse to change. The cold hard fact is there is zero security difference between SPI and NAT. If you count the crap folks are able to pull off in the state machines of 1:many ALGs, SPI is MORE secure.

It seems very overkill to push IPv6 to the home level even with "network light bulbs" how many can one house have?

As many as we fricking want!

Also for a tech perspective can you imagine the support calls with customers rattling of IPv6 addresses all the time?

I can't imagine end users ever needing to. LLMNR, DNS, ND, DHCP autoconfig... I don't ever have to manually configure an IP Address to get to or do anything in the IPv4 world today. Why would that change for IPv6?

why? (0)

slashmydots (2189826) | more than 3 years ago | (#36686482)

I'm no networking expert, which is probably why I don't know this, but why do I need to support IPv6 in my home? As long as my modem gets an IPv6 address, if it can assign IPv4 addresses on the internal side of the network after that point, who cares if my router still assigns IPv4 addresses to my laptops, phones, and PCs? I'm not going to go over however many billion addresses in my own home. Since nobody else can directly access my internal network devices via the internet without going through that one final IPv6 address at the modem, why would anyone bother to convert all their home equipment?

Re:why? (0)

Anonymous Coward | more than 3 years ago | (#36686652)

If you want to stay with IPv4 for your existing home network ... all the power to you.

One of the issues driving IETF consideration of this specific working group relates to the IPv6 based devices and technologies that are on the very near horizon. Zigbee IP based HANs, Android@Home, etc. The arrival of the Internet of Things ...

http://www.webofthings.com/2011/06/08/ipv6-day/

Re:why? How can you send to IPv6 from within LAN? (1)

yoghurt (2090) | more than 3 years ago | (#36687042)

Assume that you get an IPv6 address assigned to your router. Assume that a computer on your LAN wants to talk to an internet host with IPv6. The NAT box can translate replies from the internet host to IPv4. But how are you going to talk to the IPv6 host? How can you send a packet to an IPv6 address if all you've got is IPv4 on your LAN?

I suppose the NAT box could run DNS and make a look-up table mapping IPv6 internet addresses to IPv4 for your home computer to use. This seems a bit of a kludge and it doesn't help you with raw IPv6 addresses.

Clearly, we are stuck with IPv4 for legacy devices for at least 10 years (estimate based on time for floppy to die after it became somewhat useless). Assuming IPv6 does come (I am not certain we won't be living with some awful kludge instead), you will want to also do IPv6 within your LAN.

Re:why? How can you send to IPv6 from within LAN? (0)

Anonymous Coward | more than 3 years ago | (#36692132)

Yeah. The issue ain't the number of private addresses one can have on one's home network - it's also having all the networks follow the same protocol. As it is, it's impossible to come up w/ an IPv4 compatible protocol that solves the address issue, which is why we're w/ IPv6. But then, the LAN, and the home networks all have to work w/ IPv6: you don't want to do any NAT46 or NAT64.

As it is, one gets site-local, organizational and other IPv6 addresses, which one can use in the home/local network.

Cisco has its own interoperability issues (1)

linuxwebadmin (694411) | more than 3 years ago | (#36686514)

I've run Cisco SOHO devices such as RV042, RV082, RV016, RVS400, RVL200, and WRV210. In my experience setting up VPNs and firewalls on these devices, they often have interoperability issues between themselves. Also, I've worked with a SRW208 whose web management interface requires you to use IE to manage the device. Based upon these experiences, I'd suggest that Cisco needs to work on interoperability between their own devices before they can provide guidance to others on how to make interoperable devices for home users.

Re:Cisco has its own interoperability issues (1)

Relayman (1068986) | more than 3 years ago | (#36688528)

Isn't it time to look for an alternative to Cisco? I left them after a customer paid $2,500 for a 16-port switch.

Issue #1 (1)

Megane (129182) | more than 3 years ago | (#36686878)

Get the ISPs to provide IPv6 to their customers.

Re:Issue #1 (1)

tftp (111690) | more than 3 years ago | (#36689882)

Get the ISPs to provide IPv6 to their customers.

That's the chicken's side of the problem, and IETF just suddenly realized that the egg is also somehow involved. ISPs can't deploy IPv6 because:

  1. There are too few managed (or otherwise) routers that they can use to provide dual stack services.
  2. There is no understanding who does what. For example, who provides DNS for my toaster? I'm not going to enter the IPv6 address each time I want to ping it.
  3. Who is doing the IPv6 autoconfiguration?
  4. Finally, how is the customer going to transition?

In my dreams I envisioned a box that could have been sold years ago; the box is IPv4 and IPv6 capable, can do IPv6 NAT, can do IPv6 firewall, can do tunnelling if there is no WAN IPv6. Such a transitional box could be deployed right now, and it would work in all networks, and if one day the ISP enables IPv6 the box would simply switch from a tunnel to a proper link.

I believe such a box is required, and I posted here several times stating that. IETF just now started thinking about it; that is fairly late, don't you think? I can live with a VMware appliance, just give me that image and I will embrace IPv6. My LAN is already IPv6, since my last XP boxes are ready for the landfill. My server is already IPv6, and that's how I like it. But I have no Internet connection via IPv6. I was looking at pfSense and other things, they look good, but honestly I don't have time to mess with them - I have my own work to do.

Re:Issue #1 (1)

upuv (1201447) | more than 3 years ago | (#36690380)

How about my ISP providing IPv6 DNS at all. You would be stunned to find out how few actually do.

Without DNS providing IPv6 addressing, IPv6 is a dead end.

Note DNS for your toaster would most likely have to come from your own personal router, as the toaster would be using your home IPv6 prefix. It only makes sense that within the address block the sub domain names would be supplied internal to your home. So the name would be like "4slicetoaster.419rigwaystreet.Chicago.us", where your home domain is "419rigwaystreet.Chicago.us".

Box #6 (0)

Anonymous Coward | more than 3 years ago | (#36692346)

Given that DHCPv6 is a totally different animal from DHCPv4, the idea of a box did occur to me as well, but w/ the following functionality:

Given a particular network prefix - /32, /48, /40, etc, the box should be able to generate subnets and addresses, depending on definitions like max #subnets, #devices, etc.

The box should configure the network by assigning the gateway address, the various host addresses and ranges, and assign the initial static and dynamic addresses

The box should then optionally record stateless addresses obtained by various devices if asked.

The box should also have something like an alias listing, maybe of things like virtual hosts, DNS entries and so on

The box should then enable some of the devices on the network to obtain stateless IP addresses, but using random interface IDs, not EUI-64 addresses. Such addresses should also be noted in the DHCP server, so that they can be used, say, as website addresses

The box can act as a dual stack router, which I can use w/ an ISP's native v4 or v6 service. Whenever the service becomes v6, what I'll have will be dual-stack lite. Prefer not to do tunneling if I can avoid it. Translation a definite no-no.

If needed, the box can be a NAT64/46 b/w an IPv4 LAN and an IPv6 WAN, if someone likes the 'security' provided by NAT.

The box can also inventory each of the IP addresses on every device on the network - PA, PI, link-local, site, organization, etc

The box can also include a list of gateways of each of the networks that the devices on this network belong to. In other words, be a central repository for all that info
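
The post above asks for stateless addresses built from random interface IDs rather than EUI-64 ones, and the earlier exchange in this thread about whether a web site can tell which device in the house is connecting (and the suggestion to turn on IPv6 privacy extensions) turns on the same point. The following is an added example, not code from the thread or from any router vendor: it derives a modified EUI-64 interface ID from a MAC address the way SLAAC does, shows that the MAC can be read straight back out of the resulting address (so the same device is recognisable under any prefix it roams to), and contrasts it with a random interface ID of the kind the privacy extensions use. The MAC and the prefix are constructed sample values; the `rng` parameter exists only so the random path can be exercised deterministically.

```python
import ipaddress
import secrets
from typing import Callable, Optional

# Constructed sample inputs (documentation prefix from RFC 3849); not from the thread.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_PREFIX = "2001:db8:1:2::/64"

# The universal/local bit is the 0x02 bit of the first octet of a 64-bit
# interface ID, i.e. bit 57 when the ID is held as a big-endian integer.
UL_BIT = 1 << 57


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID as SLAAC derives it from a 48-bit MAC:
    split the MAC in the middle, insert ff:fe, and flip the u/l bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def mac_from_interface_id(iid: int) -> Optional[str]:
    """Recover the MAC if the interface ID looks EUI-64 derived; None otherwise.
    This is exactly the inference a remote site can make from a client address."""
    eui = iid.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    mac = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in mac)


def random_interface_id(rng: Callable[[int], int] = secrets.randbits) -> int:
    """Random interface ID in the style of the IPv6 privacy extensions:
    64 random bits with the u/l bit cleared, so it is marked as locally
    administered and carries no hardware identifier."""
    return rng(64) & ~UL_BIT


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID into a full address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def address_reveals_mac(addr: ipaddress.IPv6Address) -> Optional[str]:
    """What an observer learns about the hardware from an address alone."""
    return mac_from_interface_id(int(addr) & ((1 << 64) - 1))


def demo(rng: Callable[[int], int] = secrets.randbits) -> dict:
    """Build both kinds of address for the sample MAC/prefix and report
    what each leaks. Returned as a dict so the result can be checked."""
    eui_addr = make_address(SAMPLE_PREFIX, eui64_interface_id(SAMPLE_MAC))
    rnd_addr = make_address(SAMPLE_PREFIX, random_interface_id(rng))
    return {
        "eui64_address": str(eui_addr),
        "eui64_leaks_mac": address_reveals_mac(eui_addr),   # the MAC comes straight back
        "random_address": str(rnd_addr),
        "random_leaks_mac": address_reveals_mac(rnd_addr),  # None: nothing to recover
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the EUI-64 interface ID is constant across prefixes, an observer correlating visits from the same device behind different prefixes needs only the low 64 bits of the source address; the random ID gives them nothing, which is why the post wants the router to allow (and record) such addresses rather than insisting on EUI-64.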

Or just let IPv6 die (0)

Anonymous Coward | more than 3 years ago | (#36687898)

Since only about 1/2 of one percent of the world's network traffic is using IPv6 yet, why not just admit that after 18 years IPv6 is a dismal failure, and go on to IPv8?

This time, you can ensure success by 1) Making it interoperable with IPv4, 2) Including an authentication layer instead of an encryption layer, 3) Adding capability for isochronous delivery so voice and video will finally work well, and 4) Adding the capability for deterministic bandwidth allocation so telcos can assign channels with fixed bandwidth to virtual circuits.

And that is how you build a protocol that will actually get more widely used than the Esperanto language.

Re:Or just let IPv6 die (0)

Anonymous Coward | more than 3 years ago | (#36688558)

Since only about 1/2 of one percent of the world's network traffic is using IPv6 yet, Why not just admit that after 18 years IPv6 is a dismal failure, and go on to IPv8?

IPv6 is being lit up left and right all over the world. In the US all major ISPs are running trials with plans to go production in the next 1-3 years. Every usage graph I see shows exponential growth of IPv6.

This time, you can insure success by 1) Making it interoperable with IPv4

By definition this is impossible. The issue has nothing to do with the format of a packet header. The core issue is ADDRESSING. You can only fit so many marbles in a tin can. A can the size of the sun can hold a lot more marbles. It is not possible to have every unique marble in the sun sized can uniquely map to the tin can. This is REQUIRED for direct communication between peers.

When all IPv4 addresses are gone IPv8 hosts still need some kind of NAT device to talk to the IPv4 network and IPv4 network to communicate with the IPv8 network. At that point we are left with EXACTLY the same problem we have today.

2) Including an authentication layer instead of an encryption layer

It is called IPSec. There is no encryption without authentication/trust.

3) Add capability for isochronous delivery so voice and video will finally work well

Cross domain TE at Internet scales is even more foolish and nonsensical than global scale trust anchors for PKI and DNSSEC. All you really need is minimal queue management to fix buffer bloat and enough capacity to meet demand. Large popular read only content need to be cached in the network closer to the user to reduce aggregate utilization in the core of the network.

4) Add the capability for deterministic bandwidth allocation so telco's can assign channels with fixed bandwidth to virtual circuits.

Be careful what you wish for.

Re:Or just let IPv6 die (2)

Gerald (9696) | more than 3 years ago | (#36688852)

How old is your data? It's about 3.2% on my servers and growing. I'm going to pop open a bottle of champagne when the percentage of IPv6 users exceeds the percentage of IE6 users.

Re:Or just let IPv6 die (1)

ahtnos (1636401) | more than 3 years ago | (#36696440)

What about the IE6 users coming in over IPv6?

Internet hippies at IETF (1)

knorthern knight (513660) | more than 3 years ago | (#36691184)

Some people seem to live in la-la-land. I don't care about the difference between SPI and NAT, but some people do, all in the interest of "end-to-end connectivity". Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09 [ietf.org]
> In managed, enterprise networks, virtual private networking tunnels
> are typically regarded as an additional attack surface. and they are
> often restricted or prohibited from traversing firewalls for that
> reason. However, it would be inappropriate to restrict virtual
> private networking tunnels by default in unmanaged, residential
> network usage scenarios.

Hello?!?! WTF should my home network be any less secure than a network at an office???

> Therefore, this document recommends the DEFAULT operating
> mode for residential IPv6 simple security is to permit all virtual
> private networking tunnel protocols to pass through the stateful
> filtering function. These include IPsec transport and tunnel modes
> as well as other IP-in-IP protocols.

WTF?!?! So when some manufacturer makes a bunch of fridges or toasters or washer/dryers that respond to default UserIDs and passwords over a VPN, they'll be accessible to the outside world *BY DEFAULT*.

It gets worse. http://tools.ietf.org/html/draft-vyncke-advanced-ipv6-security-01 [ietf.org] says...

>The intention is to provide an example of a security model which allows most traffic,
> including incoming unsolicited packets and connections, to traverse the CPE...

Ex-bleeping-scuse me. This SPI "security" is a joke. You'll pry NAT out of my cold dead fingers.

> ...unless the CPE identifies the traffic as potentially harmful based on
> a set of signatures (and other correlation data and heuristics)

IDIOTS!!! One of the basic rules of internet security is to enumerate good, *NOT* to enumerate evil. There are new exploits being created all the time. You simply can't keep up with a list of exploits. You're a lot better off deciding what minimal stuff to allow through.

> that are kept up to date on a regular basis.

Oh boy. My ISP's router/modem will come with a 90-day trial subscription to McAfee/Norton/whatever. And when I'm watching a movie on Netflix, or whatever, I'll get a popup warning me that the free anti-virus subscription expires tomorrow and that I *MUST SIGN UP NOW*. And the router/modem will have a quad-core processor, but still be dog slow, because it'll be continuously scanning packets, and looking through a list of a gazillion exploits. And just like craplets on new PCs, it'll be almost impossible to uninstall. Like I said, you'll pry NAT out of my cold dead fingers.

I haven't been a NAT fanboi, but if the internet hippies at IETF get their way, NAT will indeed be the safest way to go.

Re:Internet hippies at IETF (1)

arglebargle_xiv (2212710) | more than 3 years ago | (#36691556)

Some people seem to live in la-la-land.

That's certainly been true of the IETF for NAT (specifically, they're in "la-la-la-I'm-not-listening-la-la-la land"), but also for IPv6.

Some of their suggestions are totally brain-dead. E.g. http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-09 [ietf.org]

This is now RFC 6092 [ietf.org], but your comments are still valid. It's a pretty scary read, things like:

By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound SYN packet

because, you know, port-scanners have to be given a chance too. There's a bunch of other longing-for-the-good-old-days 1980s hippie-isms in there as well, the only thing missing is a requirement that we all hold hands and sing kumbaya:

Someone's SYN-flooding lord, kum-ba-ya, ...

Re:Internet hippies at IETF (0)

Anonymous Coward | more than 3 years ago | (#36691978)

You're tearing sentences out of context.

> Therefore, this document recommends the DEFAULT operating
> mode for residential IPv6 simple security is to permit all virtual
> private networking tunnel protocols to pass through the stateful
> filtering function. These include IPsec transport and tunnel modes
> as well as other IP-in-IP protocols.

You omitted the reason for this:

      If the security
      functions of an IPv6 residential gateway can be bypassed through
      Teredo [RFC4380], then application developers will be encouraged to
      use it even at nodes where native IPv6 service is available. This
      will have the effect of impeding the completion of the transition to
      native IPv6.

Section 2.3 says:

      The general operating principle is that transport layer traffic is
      not forwarded into the interior network of a residential IPv6 gateway
      unless it has been solicited explicitly by interior nodes, e.g. by
      matching the reverse path for previously forwarded outbound traffic,
      or by matching manually configured exceptions set by the network
      administrator. All other traffic is expected to be discarded or
      rejected with an ICMPv6 error message to indicate the traffic is
      administratively prohibited.

So the RFC says that the default mode of operation for inbound traffic is to drop it, just like what NAT would do if there is no entry in the NAT table for an existing outbound flow or an administratively configured static NAT.
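
The NAT-versus-stateful-filter argument runs through this whole thread (mellon's and Stupendoussteve's replies near the top, WaffleMonster's "zero security difference between SPI and NAT", and the RFC 6092 quotes just above). What follows is an added example, not code from the thread, from RFC 6092, or from any gateway vendor: a small simulation of the RFC 6092 operating principle quoted above, in which a residential gateway forwards inbound transport-layer traffic only when it matches the reverse path of a flow an interior node already opened or a manually configured exception, answers other unsolicited TCP SYNs with ICMPv6 Destination Unreachable code 1 (administratively prohibited, as quoted from the RFC earlier in the thread), and silently drops the rest. The addresses, the `Packet` model and the `demo` scenario are constructed; real implementations also age flow state out and handle ICMPv6 and fragments, which this omits.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample addresses (RFC 3849 documentation prefix); not from the thread.
INTERIOR_NET = "2001:db8:1234::/48"      # hypothetical prefix delegated by the ISP
LAN_HOST = "2001:db8:1234:1::10"         # interior node
WEB_SERVER = "2001:db8:ffff::80"         # exterior peer the LAN host talks to
PROBE = "2001:db8:5555::1"               # exterior node sending unsolicited packets


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP initial SYN, i.e. a new connection attempt


# (proto, interior address, interior port, exterior address, exterior port)
FlowKey = Tuple[str, str, int, str, int]
# (proto, interior address, port) opened by the administrator
Pinhole = Tuple[str, str, int]
# ICMPv6 Destination Unreachable, code 1: communication administratively prohibited
ICMPV6_ADMIN_PROHIBITED = ("icmpv6-destination-unreachable", 1)


class SimpleSecurityGateway:
    """Stateful filter following the RFC 6092 operating principle: traffic is not
    forwarded into the interior unless an interior node solicited it, or the
    administrator configured an exception. No address rewriting takes place."""

    def __init__(self, interior_net: str, pinholes: Set[Pinhole] = frozenset()):
        self.interior = ipaddress.IPv6Network(interior_net)
        self.flows: Set[FlowKey] = set()      # the same role a NAT table plays
        self.pinholes = set(pinholes)

    def is_interior(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in self.interior

    def process(self, pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Return ('forward', None), ('drop', None) or ('reject', icmpv6_error)."""
        outbound = self.is_interior(pkt.src) and not self.is_interior(pkt.dst)
        inbound = self.is_interior(pkt.dst) and not self.is_interior(pkt.src)
        if outbound:
            # Record the flow so the peer's replies match the reverse path later.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return ("forward", None)
        if inbound:
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.flows or (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
                return ("forward", None)
            if pkt.proto == "tcp" and pkt.syn:
                return ("reject", ICMPV6_ADMIN_PROHIBITED)
            return ("drop", None)
        # Interior-to-interior or exterior-to-exterior packets are not routed here.
        return ("drop", None)


def demo() -> Dict[str, str]:
    """Run the constructed scenario and return the gateway's decision per step."""
    gw = SimpleSecurityGateway(INTERIOR_NET, pinholes={("tcp", LAN_HOST, 22)})
    results: Dict[str, str] = {}
    # 1. LAN host opens a connection to the web server: flow recorded, forwarded.
    results["outbound_syn"] = gw.process(Packet("tcp", LAN_HOST, 51000, WEB_SERVER, 443, syn=True))[0]
    # 2. The server's reply matches the reverse path: forwarded, addresses untouched.
    results["reply"] = gw.process(Packet("tcp", WEB_SERVER, 443, LAN_HOST, 51000))[0]
    # 3. Unsolicited SYN to a port nobody opened: rejected with ICMPv6 type 1 code 1.
    action, err = gw.process(Packet("tcp", PROBE, 4444, LAN_HOST, 3389, syn=True))
    results["unsolicited_syn"] = f"{action}:{err[1]}"
    # 4. Unsolicited UDP datagram: silently dropped.
    results["unsolicited_udp"] = gw.process(Packet("udp", PROBE, 4444, LAN_HOST, 5353))[0]
    # 5. Unsolicited SYN to the port the administrator opened: forwarded.
    results["pinhole_syn"] = gw.process(Packet("tcp", PROBE, 4445, LAN_HOST, 22, syn=True))[0]
    return results


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step}: {decision}")
```

The admission decision in `process` is the same lookup a NAT box performs against its translation table; what a NAT adds is the address and port rewrite, which is what breaks the end-to-end addressing the thread argues about, and what it does not add is any filtering the stateful entry alone did not already provide.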

IPv6 support is easy if you do it right (1)

arglebargle_xiv (2212710) | more than 3 years ago | (#36691404)

I work for a sizeable (> 50K people) distributed organisation. On World IPv6 Day we disabled IPv6 on everything where it could be disabled (which in some cases required re-imaging machines where there was no way to turn it off completely), and disconnected/shut down anything where IPv6 couldn't be disabled. We had absolutely zero problems or incidents during the entire IPv6 day.

It's so simple when you think about it. I really don't understand what all the fuss is about.

Re:IPv6 support is easy if you do it right (0)

Anonymous Coward | more than 3 years ago | (#36692576)

When most of the world has gone over to IPv6, you can solve your connectivity problems by disabling IP period and disconnecting/shutting down everything else networked where IP cannot be disabled. Nobody will be more secure than you - zero data transmitted implies most secure!!!

WiFi made a big mistake (0)

Anonymous Coward | more than 3 years ago | (#36692800)

WiFi should have been IPv6 from the get-go; there's no excuse for not having written that into the standard back in '99 to use at least locally routable IPv6, and to have tunneled IPv4 over it.

It would have been a very natural fit, but the fact that they didn't do this has totally messed up IPv6 migration, as well as caused difficulties for WiFi itself (IPv6 has built-in encryption, so they probably wouldn't have required all the WPA nonsense.)

Oh by all means (1)

ThatsNotPudding (1045640) | more than 3 years ago | (#36692808)

let's have Cisco at the table, even if only to act as a moral compass.