
World IPv6 Launch Day Underway

A number of readers have written in with stories related to today's permanent rollout of IPv6 by several major organizations. From the looks of it, for the 1% or so of end users with IPv6 support, everything is going smoothly. For those not so lucky to have IPv6 already, an anonymous reader writes with (mostly) good news: 60% of ISPs intend to enable IPv6 by the end of 2012. For business users, darthcamaro provides some words of caution: "...the Chief Security Officer of VeriSign doesn't think IPv6 should be turned on by a whole lot of people. The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed. 'If you don't have that visibility into IPv6, you should probably consider explicitly disabling IPv6 on your systems until you can take a very concerted approach to enabling IPv6 in a secure manner,' McPherson said."
  • Verisign != Verisign (Score:5, Informative)

    by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Wednesday June 06, 2012 @11:59AM (#40233479) Homepage Journal
    This is Verisign the operator of the .com and .net registry, not the other Verisign the certificate racket. The CA business was sold to Symantec in August of 2010. So don't mix this up with the recent news about the $99 fee to get your signed with the UEFI key that will be preloaded on every Windows 8-certified PC motherboard; that's all VeriNorton.
  • slashdot? (Score:5, Insightful)

    by pe1rxq ( 141710 ) on Wednesday June 06, 2012 @12:00PM (#40233497) Homepage Journal

    So when is slashdot going to leave the dark ages?

  • I am the 1% (Score:5, Funny)

    by Galestar ( 1473827 ) on Wednesday June 06, 2012 @12:01PM (#40233527) Homepage
    With IPv6 support
    • Re: (Score:2, Informative)

      by pe1rxq ( 141710 )

      No you are not... at most you are the 0.5% with IPv6, I have it too!

    • by Creepy ( 93888 )

      My internal network supports IPv6 (at least the machines routed through the switch, since the 4 ethernets in the router is 8 too few for my network), but I have to wait for CenturyLink to replace the old Qwest PPPoE infrastructure to support it on my web server outside the router. I'm not holding my breath. Yeah, I could switch providers, but I live in one of the unmotivated Comcast-CenturyLink areas that is formerly Qwest where lack of competition results in no motivation to upgrade services. This is commo

  • by alen ( 225700 )

    other than having every single device have a unique public IP that is a wet dream for google and other marketers?

    • by pe1rxq ( 141710 ) on Wednesday June 06, 2012 @12:11PM (#40233673) Homepage Journal

      Peer to peer (the way connections were intended) actually works without strange workarounds.

      • Comment removed based on user account deletion
        • Ignoring implementation details like whether their existing switches can handle IPv6 traffic as efficiently as IPv4, the change should be a net positive in terms of ISP infrastructure. ISPs which already hand out public IPv4 addresses will just do the same with IPv6. Their routing tables may get a bit simpler due to IPv6's mostly-hierarchical address structure. ISPs which currently use NAT will be able to skip it for IPv6 traffic, reducing CPU load and the management overhead of mapping private IPs onto a l

    • by gman003 ( 1693318 ) on Wednesday June 06, 2012 @12:13PM (#40233715)

      Well, no more fiddling with port forwarding to make game servers, video chat or anything else work. No more dealing with public/private IPs, or the whole NAT shitpile.

      Oh, and it also makes mandatory certain things like IPsec, and should speed up packet processing by eliminating fragment reassembly (which was also, historically, a common source for security exploits).

      Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*. So anyone trying to track visitors based off IPv6 address will be easily fooled by anyone who tries.

      • by gstoddart ( 321705 ) on Wednesday June 06, 2012 @12:24PM (#40233855) Homepage

        No more dealing with public/private IPs, or the whole NAT shitpile.

        And yet I predict internally companies will still use public/private IPs (10.x.x.x anyone?) and use NAT. My internal private network will continue to use a NAT'ed firewall.

        I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

        Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*.

        Which just sounds like more admin work that people won't want to do.

        I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate. And I can also see a huge amount of consumer type stuff taking years before it has transitioned. IPv4 isn't going to go away overnight.

        • by DarkOx ( 621550 ) on Wednesday June 06, 2012 @12:33PM (#40233977) Journal

          I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

          Addressable and reachable are two different things. I'd love to lose all the NATs around here.

          One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

          Honestly it will make the firewalling and routing much more straightforward, easier to quickly understand the impact of changes on and therefore far more secure.

          • One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

            To me it seems more like you'd be leaking information out by letting that address be visible to the outside world.

            If they don't have any information about your internal stuff, they can't try to figure out how to exploit it.

            I can definitely see a lot of organizations deciding to see how this works out for

            • Look up IPv6 privacy extensions.

              Also, realize that corporate environments are probably going to push you through an HTTP proxy server...which will then appear to be the origination point for traffic. Your workstations don't need to be exposed.

            • by DarkOx ( 621550 ) on Wednesday June 06, 2012 @01:03PM (#40234371) Journal

              You are not leaking much information of any real use.

              Your routing tables beneath your gateways won't be visible to anyone outside. So they won't learn anything about your network topology.

              If as I suggested you proxy everything, something you should do in a secure environment because you need to know everything that is going in and out, they won't see the address anyway! So they won't know you are using public IPs or not.

              Even if you do leak that your internal addressing scheme is to use the public IPs without knowing the topology, and your company having at least a /48 it tells them exactly nothing about how to locate hosts. Think about it a /48 is still many orders of magnitude larger than the entire RFC1918 space today. It's too big to SYN scan if they have pwnd your gateway, and they can assume you are using RFC1918 address currently not too big to SYN scan.

              So even if you don't NAT they still know LESS about your network than they do on ipv4.

          • Look up ULA addresses. You're going to love them.

          • by tlhIngan ( 30335 ) <slashdot.worf@net> on Wednesday June 06, 2012 @01:23PM (#40234657)

            Addressable and reachable are two different things. I'd love to lose all the NATs around here.

            One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

            In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

            It's still something to admin, and something that'll be a PITA to configure for gaming and what not, at which point people will just say "what does it get me?"

            Hell, assuming most people will have their IPv6 machines firewalled off (they'd go to Best Buy and pick off a Linksys "firewall router" for IPv6 to prevent their PCs from getting hacked) and they'd still be poking holes in it to run some game or other, the normal user would definitely start wondering why they bothered spending another $50 on a new router when their old one worked just fine.

            And marketers would love the trackability down to the PC level - sure there's the privacy IP thing, but it's defeated if there's a long-running IP connection still established (unless IPv6 has the ability to inform remote hosts that your IP was changing... which has some very interesting implications). Even so, it's usually a day's worth of tracking and a cookie can be used to bridge between days.

            Sure malware has a more difficult time scanning a larger range, but that just means scanning won't be an option. Not that it ever will be purely because firewalls or other things will prevent it from being useful in the first place. Instead they'll just adapt and figure out how to detect new IPs on a local LAN segment and proceed that way (or given the Windows majority, they'll use standard Windows browser techniques to discover).

            Between UPnP, ZeroConf (Bonjour) and other methods of discovery, malware will cope just fine.

            • by Bengie ( 1121981 )
              Once your local network is compromised, it all goes to hell in a hurry.

              Everything you point out as "bad" about IPv6 is the same or worse for NAT.
            • by DarkOx ( 621550 )

              In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

              No not really in a corporate environment you NEED to be doing application level gateway with or without NATing. Egress is just as dangerous as ingress. So you are going from FW NAT ALG ALG And marketers would love the trackability down to the PC level

              As I have explained before I don't see this giving marketers more or less capability than they had before. They are going to pretty much just assume that each /64 subnet is one person or family just like they assume that each address is today. Might

        • The first part - there will still be a need for private addresses, not for NAT, but for people who need to communicate within LANs, not the entire Internet. They'll do fine w/ link-local addresses, or as you say, be dual-stacked - be IPv4 in the inside, and IPv6 on the outside.

          The multiple IP thing doesn't have to imply admin work. While people can set up DHCP6 configurations to assign certain addresses to certain computers, vary them and so on, what it means is that when a device is on a foreign networ

          • It's not that straightforward when it's going from behind one NAT network to another, b'cos there exists the possibility of it running into an address collision w/ say, another 192.168.0.23

            I definitely agree with that.

            Years ago at another job someone needed more network drops in his office than were physically available. So, he bought himself a little firewall/router to use, and it defaulted to the 192.168 block.

            Apparently he caused a collision with one of the really important servers and caused an outage

            • by hjf ( 703092 )

              policies. LOL. 802.1x is what you need.

              • policies. LOL. 802.1x is what you need.

                Which is fine and lovely if your IT department is willing to implement it.

                At the time when the guy was asking for this the response from IT was "we don't care, you have two network drops, that's all you get". So he said the hell with them and got himself the router. They eventually had to resolve his issue because he had about 6 computers in his office.

                In many places, IT is still operating like they did in the 90's -- with users needing to beg for scraps because the

            • by Ichijo ( 607641 )

              Why did he use a router? A hub should have sufficed.

          • ULA addresses are good for having 'private' address ranges. Don't rely on link-local. As sexy as it sounds, a lot of tools (especially browsers) don't handle them well; they get hung up on the concept that an IP address may be valid only when combined with an interface.

        • People won't necessarily switch over to IPv6 for their internal networks right away, since it can be a pain to reconfigure your network. However, there's not really much reason to continue using NAT if there's enough IP addresses to go around.
          • People whose computers are Windows 7, rather than XP, will find that IPv6 is the default for internal networks, unless they choose to disable it for IPv4. And if they have a bunch of toys, all of which recognize IPv6, then some link local addresses will do just fine.

            NAT just segments a network, and forces a handover of packets before a destination has been reached. It's true that all devices don't need to be on the internet, just being in their LANs will do. In which case, giving them a link local addr

        • by asdf7890 ( 1518587 ) on Wednesday June 06, 2012 @01:30PM (#40234771)

          Most companies will probably keep their internal network on IPv4.

          Which is fine. My IPv6 hosts don't need to care. Of course they'll eventually need to ensure that they have a reliable v4-to-v6 bridge setup either locally or at their ISP, but that will most likely be easier to setup than changing their whole network to IPv6 would be.

          There's no way they're going to want all of their machines with an internet addressable location.

          They won't any more than they do now. Public facing routers/firewalls will simply be set not to pass through any incoming connections unless otherwise instructed, just like IPv4 routers do. NAT is a red herring here - before NAT was common things worked fine much the same way as they will work under IPv6 (just with a much smaller address space) in that regard. Most big corporate networks control outgoing connections too (which an IPv4+NAT-only setup generally won't by default) so the one incoming default "block" rule is not going to be a significant amount of extra admin.

          I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate.

          Certainly some will, though not all that many in the near future. I suspect it will quickly become normal for new networks to be IPv6, and IPv4 will vanish that way rather than due to mass conversions.

          It may not be the case here or where you are but it is already getting to the point in some parts of the world that people will have to be IPv6 all the way as their ISPs have too few IPv4 addresses to hand out to the connecting modems. Said ISPs use some form of v6-to-v4 bridging so that IPv4-only servers will be contactable, but while your website will be fine not all protocols will work well through this arrangement. I don't know how common it is, but I know people who have been in hotels out east where the provided network connections are IPv6 only (presumably with some 6-to-4 system in place so v4 only hosts can be contacted). IPv4 may not die any time soon, but that doesn't mean IPv6 use won't grow rapidly.

          The big win I see is for mobile devices like phones - it will make the job of large network providers for those devices easier.

          And I can also see a huge amount of consumer type stuff taking years before it has transitioned.

          Which is rather unfortunate as these devices are where one of the key IPv4 problems exist (Including phones as mentioned above).

          IPv4 isn't going to go away overnight.

          No, but IPv6 might grow very rapidly so you can't avoid interacting with it for long even if you stick with IPv4 internally.

      • by DarkOx ( 621550 ) on Wednesday June 06, 2012 @12:27PM (#40233889) Journal

        Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP.

        You and the grand parent are missing the obvious outcome.

        For the most part home users are going to end up with /64s. Some ISPs might be generous and hand out something bigger but I suspect most will decide not to do so in the end.

        Does that mean you can put 1, 50, 100, 1000, 10000 addresses on a device? Sure, but the network portion of the addresses will be the same. That network address is going to uniquely identify your household just like your full ipv4 address does today. Marketers will just assume that each /64 subnet is unique to a user or household. Just like they assume one ipv4 address is an entire household behind NAT.

        It changes little to nothing with regard to trackability.

        • Except that when one has to track, one would have to either target the complete 8 word IPv6 address, or take the 4 word address and do a scan. If they tried doing a multicast to every node on the network (since broadcasts are no longer there on IPv6), their own system would grind to a standstill. And if they tried scanning the entire subnet of 2^64, it'd take them forever.

          Also, that would be quite an assumption on their part. While households that have multiple devices may want an IPv6 link, those that

          • by DarkOx ( 621550 )

            They don't need to 'scan' anything to track you for marketing purposes; they just log where the requests are coming from. When they process their logs they simply only look at the first 64 bits of any ipv6 address, and then enhance reliability of the correlation that it's the person/device using the same tricks they use now, also including the user agent string, cookies, referrers, date times, etc.

            • You are assuming that the source addresses are permanent. However, privacy extensions to autoconfigured addresses make them temporary addresses, so even if they log them, it's of no use. And if they just take the first 8 words of the address, either they have to know what the new address is, or they have to do a 'broadcast' (actually a multicast to all nodes in that network) or do a scan.

              If they do a multicast to all nodes in an IPv6 subnet, they'll just be drowned in unreachability error messages whi

              • by DarkOx ( 621550 ) on Wednesday June 06, 2012 @02:41PM (#40235677) Journal

                I think we are talking about different things. I am trying to get at marketing droids attempting to answer questions like,

                How many unique visits to our website did we get?
                How many people who visited our flagship site ultrap0rn.com also visited our FaceSpace page?
                How many days a week did Jon Doe surf ultrap0rn.com?
                Did John Zoogle ultraDildos after visiting ultrap0rn.com

                I don't think in practice ipv6 is going to make this significantly easier or harder for them to do, or have much impact on the quality of their data; for the reasons I have mentioned.

              • You have to have multicast routing set up between you and the networks you want multicast to go to...and the clients have to 'subscribe' to your multicast group. They won't hear anything from you until they tell their local multicast router they want to talk to you.

                So, yeah, multicast doesn't generally work unless you're on the same subnet. That said, here's a fun one to run under Linux:
                ping6 -c2 ff02::1%eth0

                Any hosts configured to respond to ICMP6 echo requests will send a reply. I once counted several hun

              • by Bengie ( 1121981 )
                He's saying that companies will just track the first 64bits. Privacy extensions and autoconfig only change the last 64bits. Since the destination network doesn't change, one can safely assume it's the same end-user. No different than tracking an IPv4 address with a NAT. You may not know which exact computer/person, but you can tell it's the same network.
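
What "track the first 64 bits" looks like against a web log, as an added example that is not part of the thread: the log entries are constructed, use documentation prefixes, and the helper names are hypothetical. It also shows why privacy extensions exist at all: a classic autoconfigured (EUI-64) interface ID embeds the MAC address, while a temporary address does not.

```python
import ipaddress

# Constructed access-log sample: (client address, user agent).
# Addresses come from the documentation ranges 2001:db8::/32 and 198.51.100.0/24.
LOG = [
    ("2001:db8:aa:1:3d5c:9142:2b07:e410", "UA-A"),  # temporary address
    ("2001:db8:aa:1:8c41:7e0a:55d2:09b3", "UA-A"),  # same host after the address rotated
    ("2001:db8:aa:1:21f:5bff:fe3c:9a10", "UA-B"),   # EUI-64 autoconfigured address
    ("2001:db8:bb:7:b0e2:4419:aa01:7c5e", "UA-A"),  # a different household
    ("198.51.100.23", "UA-A"),                      # IPv4 clients behind one NAT
    ("198.51.100.23", "UA-B"),
]


def network_key(addr):
    """Key a log analyst would group on: the /64 for IPv6, the full address for IPv4."""
    ip = ipaddress.ip_address(addr)
    prefix = 64 if ip.version == 6 else 32
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def embedded_mac(addr):
    """Return the MAC address hidden in an EUI-64 interface ID, or None.

    EUI-64 interface IDs are the MAC with ff:fe inserted in the middle and
    the universal/local bit (0x02 of the first byte) inverted.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                      # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":
        return None                          # opaque ID, e.g. a temporary address
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def group_by_network(log):
    """Collapse log entries onto their network key."""
    groups = {}
    for addr, agent in log:
        entry = groups.setdefault(
            network_key(addr), {"addresses": set(), "agents": set()}
        )
        entry["addresses"].add(ipaddress.ip_address(addr))
        entry["agents"].add(agent)
    return groups


def visitor_counts(log):
    """(distinct full addresses, distinct networks) seen in the log."""
    addresses = {ipaddress.ip_address(addr) for addr, _ in log}
    return len(addresses), len(group_by_network(log))


if __name__ == "__main__":
    full, nets = visitor_counts(LOG)
    print(f"distinct addresses: {full}, distinct networks: {nets}")
    for net, entry in group_by_network(LOG).items():
        macs = sorted(filter(None, (embedded_mac(str(a)) for a in entry["addresses"])))
        print(f"{net}: {len(entry['addresses'])} address(es), "
              f"agents={sorted(entry['agents'])}, embedded MACs={macs}")
```

Rotating the interface ID changes the first count but not the second, so the /64 identifies the household about as well as a NATed IPv4 address does; user agent and cookies do the rest.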
        • Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

          I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

          • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
          • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerabi
          • Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

            I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

            • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
            • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerability my wireless network gives me. I'll be able to do even better once I split off to two SSIDs, one for guests and one for trusted users; guests wouldn't get access to any of the rest of the network.

            This I agree w/, and I think that ISPs could probably have a 3 tiered choice to offer customers:

            • /128 service, where a home has only one computer, or only a need for a single computer to be publicly connected
            • /64 service, where the connection goes into a single router, and all the devices in that household are connected to that network
            • /60 service, where a customer gets 16 subnets, and can use different ones for things like wired vs wireless, multiple SSIDs, or low bandwidth vs high bandwidth connections

            On

          • You do realize you can cut up the /64 into several smaller subnets, right?

      • by Chemisor ( 97276 )

        > no more fiddling with port forwarding

        Uh, no. By default all your internal addresses will be blocked by the firewall on your router, so you will still have to enable them manually. Even though NAT will no longer be necessary, nobody should be leaving access opened by default. Security is done in layers. Blocking all external access to hosts that do not need to be accessed is one such obvious layer.
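
The gap the summary's McPherson quote warns about, and the default-block layer described in the comment above, can be checked on a dual-stack Linux router by comparing its IPv4 and IPv6 filter tables. Added example, not code from the thread: the rule dumps are constructed samples in `iptables-save`/`ip6tables-save` format, and the interface and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed rule dumps (not from the thread). lan0/wan0 are hypothetical names.
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT
"""

# IPv6 enabled but never filtered: every chain is empty with policy ACCEPT.
V6_UNFILTERED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# IPv6 with the same default-deny stance; ICMPv6 stays open for neighbour discovery.
V6_FILTERED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain name -> policy
    rules: dict = field(default_factory=dict)     # chain name -> rule bodies


def parse_save(text, table="filter"):
    """Extract one table from iptables-save / ip6tables-save output."""
    result, current = Table(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table:
            match = CHAIN_RE.match(line)
            if match:
                result.policies[match.group(1)] = match.group(2)
                result.rules.setdefault(match.group(1), [])
            elif line.startswith("-A "):
                parts = line.split(None, 2)
                body = parts[2] if len(parts) > 2 else ""
                result.rules.setdefault(parts[1], []).append(body)
    return result


def default_deny(table, chain):
    """True if unmatched packets are dropped: policy DROP or a trailing catch-all."""
    if table.policies.get(chain) == "DROP":
        return True
    rules = table.rules.get(chain, [])
    if not rules:
        return False
    tokens = rules[-1].split()
    return len(tokens) >= 2 and tokens[0] == "-j" and tokens[1] in ("DROP", "REJECT")


def ipv6_gaps(v4_text, v6_text, chains=("INPUT", "FORWARD")):
    """Chains that default-deny on IPv4 but not on IPv6.

    Returns (chain, IPv6 policy, number of IPv6 rules) for each gap.
    """
    v4, v6 = parse_save(v4_text), parse_save(v6_text)
    return [
        (chain, v6.policies.get(chain, "missing"), len(v6.rules.get(chain, [])))
        for chain in chains
        if default_deny(v4, chain) and not default_deny(v6, chain)
    ]


if __name__ == "__main__":
    for name, dump in (("unfiltered", V6_UNFILTERED), ("filtered", V6_FILTERED)):
        print(name, ipv6_gaps(V4_RULES, dump) or "no gaps")
```

On a real router the two inputs would be the output of `iptables-save` and `ip6tables-save`; an empty result means the IPv6 side keeps the same default-block stance as IPv4.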

    • Privacy addresses?

      I mentioned them to you when you last posted that [slashdot.org]. Do you not read the replies to your own posts?

    • Well, you won't need to pay ridiculous fees in order to get a static IP address.

      Just to give one example, right now, if I want to be able to SSH directly into the computers on my network from the Internet, it's a pain. I have to pay $100/month extra to upgrade to my ISP's business account to get even 1 static IP address, and getting multiple can be expensive/difficult. I can use a dynamic DNS service instead, which depending on the service might be expensive or unreliable-- just another thing that can go

      • The beauty of this whole thing is that if you have a /64 and DHCP6, you can configure it to give yourself a whole bunch of static IPs for each of your servers. Furthermore, you could define a pool range that would be dynamic addresses used by all the computers in your network - including visiting family members. If you have multiple virtual web hosts, each one can have its own IP address - no need to share anymore. Same for if you have a mail server, an ftp server or any other server.

        Also, since NAT is

    • I'll point out the major reason, we have kinda run out of IPv4 addresses. Not fun when you sign up for new link from your ISP and the response is "Here's your link but we have no ips for you to use it with".

      Reason enough? All the other stuff are (useful) side-effects.

      As to the security implications, that's the job of a firewall, of which NAT is just a dumb (although stateful) version of.

  • by Bookwyrm ( 3535 ) on Wednesday June 06, 2012 @12:07PM (#40233621)

    Did folks ever get IPv6 multi-homed routing straightened out?

    It always felt like conflicting goals at work -- on one hand, people wanted to simplify and shrink the size of the backbone routing tables, but on the other, a purely hierarchical routing space removes redundancy. That is, a tree graph has the property that there is only *one* path between any two nodes, which means a purely hierarchical routing arrangement would mean that the idea of 'routing around censorship' would go into the waste bin because there are no alternative routes possible. (Note that I am differentiating this from redundant *physical* links -- this is a matter of administrative links. If there is no multi-homing and the upstream provider is blocking/filtering/limiting traffic, there is no network route around it, physical redundancy notwithstanding.)

    So any current best practices for IPv6 multihoming for small ISPs/businesses?

    • by Fez ( 468752 ) *

      The purists hate NAT, but for SOHO, NPt can help with that.

      http://doc.pfsense.org/index.php/Multi-WAN_for_IPv6 [pfsense.org]

    • Set up an application-layer proxy on a host with both addresses, same as you would with IPv4.

      So, set up a machine running Squid, where that machine has IPs from both your upstream ISPs. All your internal clients can use that Squid proxy to get out. SIP? No problem; use a SIP proxy.

      Since you're pushing the 'logical, not physical' link angle, you can go one step further and set up a tunnel to another endpoint on the Internet, and use that as another possible route. (i.e. I have IPv6 access because I use a pro

    • by bbn ( 172659 )

      There are three options:

      1) Order internet from two different ISPs. Get a router from each. Connect both routers to your internal network. Done.

      Yes for most people and small business nothing more is required. What will happen is that every computer will get two IP-addresses, one from each ISP. As part of IPv6 every computer monitors the routers and automatically chooses one that is responsive. If you unplug a router every computer will start using the other with a failover time of maximum 30 seconds.

      This opt

      • by Fez ( 468752 ) *

        1) Is out for people who want automated failover
        2) Is prohibitively expensive for most
        3) Is interesting, but still early
        4) Works fine, now, and provides functional multi-homing. Why discard it? NPt isn't pure evil. It's not ideal, but it gets the job done without requiring all of that extra setup or dynamic routing protocols on top.

  • REally.... (Score:4, Informative)

    by Lumpy ( 12016 ) on Wednesday June 06, 2012 @12:10PM (#40233659) Homepage

    "The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed."

    Funny, The ones here do. In fact the last firebox update said it covered ipV6.

    What out of date garbage are people running out there that will not scan ipV6?

  • by Shoten ( 260439 ) on Wednesday June 06, 2012 @12:17PM (#40233769)

    For example, when I look at Comcast's site [comcast6.net], I see "When Comcast decided to participate in World IPv6 Launch, we committed to enabling at least 1% of our customers with IPv6 by June 6, 2012." So, how does that figure into the 60%? If there are 50 ISPs in the world, but Comcast has 5% of the subscriber base, is that 2% out of the 60%? Or is it 5%? Or is it .002%? I'm curious how this 60% number was calculated.

    • by nxtw ( 866177 )

      I think ipv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with ipv6 DHCP support (and specifically DHCP6-PD for routers.) Most consumer routers that are currently deployed don't support IPv6 and some older ones that do might not work properly with prefix delegation. They may only enable it for modems that they have certified for IPv6.

      • by slamb ( 119285 ) *

        I think ipv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with ipv6 DHCP support (and specifically DHCP6-PD for routers.)

        More or less. The Comcast blog [comcast.com] says "To meet this goal, we launched and enabled IPv6 in over one-third of our broadband network ... we observe roughly 5% of users can take advantage of this. That percentage can increase dramatically if vendors act to enable IPv6 by default in software updates for existing devices an

  • ...that are going to enable IPv6 for all customers by the end of 2012? Does it include CenturyTel?

  • I've been using IPv6 via he.net tunnels on pfSense 2.1 for over a year now, and it's working great.

    Really happy to see my Netflix streaming going over IPv6 this morning, too.

    • I'm glad to see you mention that. While under the FreeBSDs, Monowall has supported BSDs for a while, the same hadn't been true about pFSense. I wanted to know whether pFSense 2.1 supports IPv6 or not. Checking out their site [pfsense.org], it stated

      Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

      We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

      IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.

      Incidentally, which version of FreeBSD does pFSense 2.1 correspond to?

      • by Fez ( 468752 ) *

        [Disclaimer, I am a pfSense developer, employee, and book author so I'm a bit biased] :-)

        pfSense is based on FreeBSD 8.3 with quite a few things patched in the kernel and base system. We've been doing quite a lot of work lately on getting the last few bits of IPv6 going along with some other features we have in the chamber for 2.1. IPv6 support is the main focus of pfSense 2.1 so changes in other areas have happened but they have been minimal in comparison.

        Here is a spreadsheet covering the current status o [google.com]

    • Had to look into my tunnelbroker.net account: it's already 4 years of running it. About once a year there is some hiccup at their Frankfurt node, I'll write a mail to their support staff then and about 20 mins later some friendly supportnic asks me to check if I can still repro the problem...
      And free dns server (ipv6-ready, with glue records), and free ipv6 training & certification - HE has been really helpful for me,

  • Run OpenWRT [openwrt.org] on your router, then.

    • I'm trying to decide if i'm being overly paranoid running some kind of scripted firewall or if I should just use client firewalls which I hate, for some reason.
    • Yeah, maybe things have improved, but I played with IP6 tunneling for a short time. It was kind of cool, but on IPv4, my typical ping times are 20-80ms to reach most hosts. On IPv6 with tunneling, the latencies were typically >100-300ms. Which, is mostly fine for web browsing, but sucks for other applications.

  • $> dig facebook.com aaaa
  • ..or other hostnames with AAAA records:

    Add -4 to ping_check command, restart nagios and carry on.
    Dan