
World IPv6 Launch Day Underway

Unknown Lamer posted about 2 years ago | from the it's-finally-1999 dept.

The Internet 236

A number of readers have written in with stories related to today's permanent rollout of IPv6 by several major organizations. From the looks of it, for the 1% or so of end users with IPv6 support, everything is going smoothly. For those not so lucky to have IPv6 already, an anonymous reader writes with (mostly) good news: 60% of ISPs intend to enable IPv6 by the end of 2012. For business users, darthcamaro provides some words of caution: "...the Chief Security Officer of VeriSign doesn't think IPv6 should be turned on by a whole lot of people. The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed. 'If you don't have that visibility into IPv6, you should probably consider explicitly disabling IPv6 on your systems until you can take a very concerted approach to enabling IPv6 in a secure manner,' McPherson said."


236 comments

Verisign != Verisign (5, Informative)

tepples (727027) | about 2 years ago | (#40233479)

This is Verisign the operator of the .com and .net registry, not the other Verisign the certificate racket. The CA business was sold to Symantec in August of 2010. So don't mix this up with the recent news about the $99 fee to get your signed with the UEFI key that will be preloaded on every Windows 8-certified PC motherboard; that's all VeriNorton.

Re:Verisign != Verisign (0)

Anonymous Coward | about 2 years ago | (#40234409)

Aren't both of them evil anyway?

It will be a pain in the ass to remember... (-1)

Anonymous Coward | about 2 years ago | (#40233491)

Those long IPv6 addresses are a pain in the ass to remember. So, I'm not looking forward to this.

Re:It will be a pain in the ass to remember... (5, Informative)

pe1rxq (141710) | about 2 years ago | (#40233555)

Google for this thing called 'DNS' it has been around for a while....

Re:It will be a pain in the ass to remember... (5, Funny)

zill (1690130) | about 2 years ago | (#40233785)

"Google" won't help him. He needs to go to 74.125.226.64 [74.125.226.64].

Re:It will be a pain in the ass to remember... (5, Informative)

daniel23 (605413) | about 2 years ago | (#40234261)

This is IPv6 Launch day. He needs to go to 2a00:1450:4016:801::1000

Re:It will be a pain in the ass to remember... (2)

KiloByte (825081) | about 2 years ago | (#40234939)

He needs to go to 2a00:1450:4016:801::1000

That's not a correct URL. You need to enclose it in brackets for any uses that don't expect a bare IP address. Oh, and Slashcode destroys IPv6 literals in <a>.

Re:It will be a pain in the ass to remember... (2, Insightful)

Anonymous Coward | about 2 years ago | (#40233839)

Thanks smartass, but some of us who run large scale networks and use computers for more than porn and Facebook need to access things by IP, need to be able to look at a routing table and have it mean something, need to look at traffic capture and know what we're looking at, and about a million other ways in which I use IPs on a daily basis. Doing a reverse lookup for every goddamn IP I ever see would be completely impractical. I do recognize the need for it, and realize it's going to happen eventually, but for a lot of us, the non humanreadability of IPv6 is a massive massive headache. Hopefully I'll be out of this shit industry before it becomes prevalent.

Re:It will be a pain in the ass to remember... (1)

Creepy (93888) | about 2 years ago | (#40233995)

you don't even need large scale networks - I need to remote desktop to VMs on a LabManager server - currently every single one of those is an IPv4 IP and I don't think we'll switch to IPv6 anytime soon, but I dread the day we do, since currently all I really need to do is remember the last number and have the first three memorized (the IPv6 auto generation by MAC address will likely make me have to memorize more or all of the IP). All of these are accessed by IP and all of these require hand editing files and injecting the IP into them (so they correctly serve client machines outside of the VM, and these have to be outside the VM because they need hardware graphics acceleration on the head).

Re:It will be a pain in the ass to remember... (5, Informative)

DarkOx (621550) | about 2 years ago | (#40234129)

You have many options, DHCP6, you don't have to use autoconfigure you can still assign all nice consecutive addresses to each machine if you like. Set up DNS that actually works and use the host names. Best yet and actually probably the easiest to do and still be secure both (dhcp6 server can do the DNS updates so the hosts don't need to).

This is not that difficult, and if you think it is you are in the wrong industry.

Re:It will be a pain in the ass to remember... (1)

bobcat7677 (561727) | about 2 years ago | (#40234753)

What you meant to say is that "there are workarounds for the difficulties". Any way you slice it, it is still a PITA...either to deal with it directly or implement the workarounds. I wish they could have come up with a more sane implementation.

Re:It will be a pain in the ass to remember... (1)

petermgreen (876956) | about 2 years ago | (#40234725)

I think the simple answer is if you need to address a machine by IP you shouldn't be using stateless autoconfiguration for it. IMO stateless autoconfiguration should be used only for client machines where it doesn't matter much that the address is hard to remember or that the address changes when the network card is replaced.

Re:It will be a pain in the ass to remember... (1)

bn-7bc (909819) | about 2 years ago | (#40234815)

Or you are free to actually configure ipv6 addresses manually, so people would only need to memorise a prefix and the last 2-4 characters.

Prefix : 2001:0DB8:D:1::/64
VM1 2001:0DB8:D:1::100
VM2 2001:0DB8:D:1::101
etc.

OK, a bit more to remember, but the users you referred to only have to learn the prefix and the part after the last ":".

Will your users grumble a bit? Yes, people don't really like change. Will they cope? My guess is yes, a few will have problems the first week or so but after that .....

Re:It will be a pain in the ass to remember... (0)

christianT (604736) | about 2 years ago | (#40234015)

You are welcome to leave at any time. We won't be sad to see you go. I heard McDonalds is hiring burger flippers. You may be qualified for that.

Re:It will be a pain in the ass to remember... (1)

Anonymous Coward | about 2 years ago | (#40234231)

You're doing it wrong if you're flipping burgers at McDonalds. They switched to timed hot presses a while ago.

Re:It will be a pain in the ass to remember... (0)

Anonymous Coward | about 2 years ago | (#40234607)

You really know how to do this - you're an ex-employee of the month at McDonald's?

Re:It will be a pain in the ass to remember... (1)

pe1rxq (141710) | about 2 years ago | (#40234057)

Wait.... you are running a 'large scale network' and looking at packet captures... yet are unable to have your tooling do the reverse lookup automatically?

Re:It will be a pain in the ass to remember... (1)

unixisc (2429386) | about 2 years ago | (#40234075)

For such things, it would only be a 64-bit address you'd be looking at, since half the address falls within subnets. So if one wants to check up routing tables, then only the top half of it is what would matter.

Re:It will be a pain in the ass to remember... (1)

DigiShaman (671371) | about 2 years ago | (#40234343)

but for a lot of us, the non humanreadability of IPv6 is a massive massive headache.

There's an app for that [subnetonline.com].

Google Fu KICK!!! Ha haaa

Re:It will be a pain in the ass to remember... (2)

bbn (172659) | about 2 years ago | (#40234483)

That thing is broken. Even the default values are transformed wrong. It transforms 127.0.0.1 to 0::7f00:1 but the correct answer is ::1. Then it transforms ::1 to 0.0.0.1. And 0.0.0.1 becomes 2002::1 (WTF?).

What good is it if it does not know about the special cases?
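Added example, not part of the thread: the address forms behind the special cases named in the comment above, using Python's standard `ipaddress` module. The function names are illustrative, and `effective_ipv4` is one assumed policy for matching IPv6-reported peers against IPv4 rules.

```python
import ipaddress
from ipaddress import IPv4Address, IPv6Address, IPv6Network

LOOPBACK6 = IPv6Address("::1")
UNSPECIFIED6 = IPv6Address("::")


def to_ipv4_mapped(v4: str) -> IPv6Address:
    """::ffff:a.b.c.d, the form a dual-stack socket uses for an IPv4 peer (RFC 4291)."""
    return IPv6Address((0xFFFF << 32) | int(IPv4Address(v4)))


def to_6to4_prefix(v4: str) -> IPv6Network:
    """2002:AABB:CCDD::/48, the 6to4 prefix derived from an IPv4 address (RFC 3056)."""
    return IPv6Network(((0x2002 << 112) | (int(IPv4Address(v4)) << 80), 48))


def classify(text: str):
    """Return (kind, embedded IPv4 address or None) for an address literal."""
    ip = ipaddress.ip_address(text)
    if ip.version == 4:
        return ("ipv4", ip)
    # Loopback and unspecified are IPv6 addresses in their own right,
    # not encodings of 0.0.0.1 or 0.0.0.0, so test them first.
    if ip == LOOPBACK6:
        return ("ipv6-loopback", None)
    if ip == UNSPECIFIED6:
        return ("ipv6-unspecified", None)
    if ip.ipv4_mapped is not None:
        return ("ipv4-mapped", ip.ipv4_mapped)
    if ip.sixtofour is not None:
        return ("6to4", ip.sixtofour)
    if int(ip) >> 32 == 0:
        # ::a.b.c.d, the "IPv4-compatible" form deprecated by RFC 4291
        return ("ipv4-compatible (deprecated)", IPv4Address(int(ip)))
    return ("native-ipv6", None)


def effective_ipv4(text: str):
    """Assumed policy: only plain IPv4 and IPv4-mapped peers match IPv4 rules."""
    kind, embedded = classify(text)
    return embedded if kind in ("ipv4", "ipv4-mapped") else None


if __name__ == "__main__":
    for literal in ("::1", "0::7f00:1", "2002::1", "::ffff:192.0.2.1", "2001:db8::1"):
        print(f"{literal:20} {classify(literal)}")
    print(to_ipv4_mapped("127.0.0.1"), to_6to4_prefix("192.0.2.1"))
```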

Re:It will be a pain in the ass to remember... (0)

Anonymous Coward | about 2 years ago | (#40234589)

You do realize that inside of a subnet, just like with ipv4, only the very last part of the number actually changes, so if you're able to make sense of the numbers for one, the other isn't that big of a difference?

Seriously, all it takes is a bit of practice, and a willingness to try, rather than "I fear change, and I shall keep my bush."

Re:It will be a pain in the ass to remember... (5, Funny)

i kan reed (749298) | about 2 years ago | (#40233587)

Humans have different needs than computers. It's almost like we need a table of easy to remember names that can be used to look up IP addresses automatically by a computer. Then that table needs to be distributed automatically to all the ISPs in the world. That'll never happen. Sounds impossible.

Re:It will be a pain in the ass to remember... (2)

bersl2 (689221) | about 2 years ago | (#40233601)

DNS, or even a hosts file if you must

Also, the hex makes it easier to make words in statically-assigned addresses.

Re:It will be a pain in the ass to remember... (1)

saveferrousoxide (2566033) | about 2 years ago | (#40234157)

You could define your subnets to be 120 bits so you only have to remember the 8 bit number at the end (like now) or you could use the IPv4 in IPv6 notation (x:x:x:x:x:x:d.d.d.d) which is not so different really from using 120 bits as your subnet prefix.

Re:It will be a pain in the ass to remember... (2)

WaffleMonster (969671) | about 2 years ago | (#40234835)

Those long IPv6 addresses are a pain in the ass to remember. So, I'm not looking forward to this.

Use the for..err dns... or manually select your 64-bits of id and things ain't soo bad.

It's auto-configured SLAAC addresses which are impossible to remember but it need not be that way if you don't want it to.

Use manual configuration or DHCPv6 to assign reasonable addresses.

Some lucky stiffs have IPv6 addresses shorter than anything possible with IPv4.

Sprint for instance...
http://2600/ [2600]

Re:It will be a pain in the ass to remember... (1)

WaffleMonster (969671) | about 2 years ago | (#40234895)

Some lucky stiffs have IPv6 addresses shorter than anything possible with IPv4.

Sprint for instance...
http://2600/ [2600]

Ok you know what if slashdot insists on living in the past and sitting on its thumb when it comes to IPv6 deployment so be it...but for godsake munging valid IPv6 URLs into invalid IPv4 addresses is crossing the line.

I entered 2600:: and slashdot posted 0.0.10.40...
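Added example, not from any poster and not Slashcode's own code: the bracket rule KiloByte describes for IPv6 literals in URLs, next to one way an IPv4-era parser can arrive at the 0.0.10.40 reported above. `naive_host` and `legacy_numeric_ipv4` are hypothetical helpers; that Slashcode behaves this way is an assumption.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def url_authority(host: str, port: Optional[int] = None) -> str:
    """Format host[:port] for a URL; IPv6 literals must be wrapped in [] (RFC 3986)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        formatted = host  # not an IP literal: treat as a DNS name
    else:
        formatted = f"[{ip.compressed}]" if ip.version == 6 else str(ip)
    return formatted if port is None else f"{formatted}:{port}"


def parse_host(url: str):
    """Standards-aware parsing: brackets keep the address colons apart from the port."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def naive_host(authority: str) -> str:
    """Hypothetical IPv4-era rule: everything before the first ':' is the host."""
    return authority.split(":", 1)[0]


def legacy_numeric_ipv4(host: str) -> Optional[str]:
    """inet_aton-style reading of an all-digit host as a single 32-bit number."""
    if not (host.isascii() and host.isdigit()) or int(host) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(host)))


def munge(authority: str) -> Optional[str]:
    """What the two legacy rules together make of an unbracketed IPv6 literal."""
    return legacy_numeric_ipv4(naive_host(authority))


if __name__ == "__main__":
    print(url_authority("2a00:1450:4016:801::1000"))   # bracketed, usable in a URL
    print(parse_host("http://[2600::]:8080/"))          # host and port recovered intact
    print(munge("2600::"))                              # 2600 = 10*256 + 40
```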

slashdot? (5, Insightful)

pe1rxq (141710) | about 2 years ago | (#40233497)

So when is slashdot going to leave the dark ages?

I am the 1% (4, Funny)

Galestar (1473827) | about 2 years ago | (#40233527)

With IPv6 support

Re:I am the 1% (0)

Anonymous Coward | about 2 years ago | (#40233597)

Anonymous Coward likes this.

Re:I am the 1% (1)

Creepy (93888) | about 2 years ago | (#40234563)

My internal network supports IPv6 (at least the machines routed through the switch, since the 4 ethernets in the router is 8 too few for my network), but I have to wait for CenturyLink to replace the old Qwest PPPoE infrastructure to support it on my web server outside the router. I'm not holding my breath. Yeah, I could switch providers, but I live in one of the unmotivated Comcast-CenturyLink areas that is formerly Qwest where lack of competition results in no motivation to upgrade services. This is common in nearly all Comcast-Qwest space - Seattle was even building a wifi network to work around it (note: it was shut down today for budgetary reasons) and several cities I live near also have built wifi networks to work around it, but I am not in one of these (about 2 miles outside one). I could get the recently offered WiMax from Clear, but their reputation is worse than Comcast. Comcast has built some increased network, but their surcharge for not bundling pay TV keeps me away (my personal belief is that bundling services all owned by the same company for a reduced price should be illegal).

so what is ipv6 good for? (2, Interesting)

alen (225700) | about 2 years ago | (#40233619)

other than having every single device have a unique public IP that is a wet dream for google and other marketers?

Re:so what is ipv6 good for? (5, Interesting)

pe1rxq (141710) | about 2 years ago | (#40233673)

Peer to peer (the way connections were intended) actually works without strange workarounds.

Re:so what is ipv6 good for? (1)

DigiShaman (671371) | about 2 years ago | (#40234383)

Won't this cause more traffic for ISPs, or will it make transfer more efficient for their network? The answer will have huge implications for adoption.

As someone that knows very little of IPv6 (I don't work with) other than the basic concept, someone please enlighten me.

Re:so what is ipv6 good for? (1)

Anonymous Coward | about 2 years ago | (#40233681)

It allows every single device to have a unique public IP that is a wet dream for anyone wanting to do P2P communication. Plus, ever try to set up a web or SSH server behind a carrier-grade NAT?

Re:so what is ipv6 good for? (4, Insightful)

gman003 (1693318) | about 2 years ago | (#40233715)

Well, no more fiddling with port forwarding to make game servers, video chat or anything else work. No more dealing with public/private IPs, or the whole NAT shitpile.

Oh, and it also makes mandatory certain things like IPsec, and should speed up packet processing by eliminating fragment reassembly (which was also, historically, a common source for security exploits).

Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*. So anyone trying to track visitors based off IPv6 address will be easily fooled by anyone who tries.

Re:so what is ipv6 good for? (5, Insightful)

gstoddart (321705) | about 2 years ago | (#40233855)

No more dealing with public/private IPs, or the whole NAT shitpile.

And yet I predict internally companies will still use public/private IPs (10.x.x.x anyone?) and use NAT. My internal private network will continue to use a NAT'ed firewall.

I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP. You could easily assign more addresses to a single IPv6 host than the entire IPv4 internet *has*.

Which just sounds like more admin work that people won't want to do.

I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate. And I can also see a huge amount of consumer type stuff taking years before it has transitioned. IPv4 isn't going to go away overnight.

Re:so what is ipv6 good for? (4, Interesting)

DarkOx (621550) | about 2 years ago | (#40233977)

I predict this will mostly affect stuff outside of the firewall, not inside. Most companies will probably keep their internal network on IPv4. There's no way they're going to want all of their machines with an internet addressable location.

Addressable and reachable are two different things. I'd love to lose all the NATs around here.

One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

Honestly it will make the firewalling and routing much more straightforward, easier to quickly understand the impact of changes on and therefore far more secure.

Re:so what is ipv6 good for? (1)

gstoddart (321705) | about 2 years ago | (#40234205)

One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

To me it seems more like you'd be leaking information out by letting that address be visible to the outside world.

If they don't have any information about your internal stuff, they can't try to figure out how to exploit it.

I can definitely see a lot of organizations deciding to see how this works out for everybody else. Changing to new technology always seems to expose some gaps people haven't really thought through.

And, on the consumer end, the overwhelming majority of home networks using a router/firewall will do nothing at all.

Re:so what is ipv6 good for? (1)

Short Circuit (52384) | about 2 years ago | (#40234225)

Look up IPv6 privacy extensions.

Also, realize that corporate environments are probably going to push you through an HTTP proxy server...which will then appear to be the origination point for traffic. Your workstations don't need to be exposed.

Re:so what is ipv6 good for? (3, Interesting)

DarkOx (621550) | about 2 years ago | (#40234371)

You are not leaking much information of any real use.

Your routing tables beneath your gateways won't be visible to anyone outside. So they won't learn anything about your network topology.

If as I suggested you proxy everything, something you should do in a secure environment because you need to know everything that is going in and out, they won't see the address anyway! So they won't know you are using public IPs or not.

Even if you do leak that your internal addressing scheme is to use the public IPs without knowing the topology, and your company having at least a /48 it tells them exactly nothing about how to locate hosts. Think about it a /48 is still many orders of magnitude larger than the entire RFC1918 space today. It's too big to SYN scan if they have pwnd your gateway, and they can assume you are using RFC1918 address currently not too big to SYN scan.

So even if you don't NAT they still know LESS about your network than they do on ipv4.

Re:so what is ipv6 good for? (4, Interesting)

tlhIngan (30335) | about 2 years ago | (#40234657)

Addressable and reachable are two different things. I'd love to lose all the NATs around here.

One globally unique identifier will be handy even though I would never dream of letting most machines ingress or egress traffic to the internet without passing through some hardened application layer proxy.

In other words, you're swapping out one box (the NAT) for another (the ALG - application layer gateway, which existed far longer than NAT).

It's still something to admin, and something that'll be a PITA to configure for gaming and what not, at which point people will just say "what does it get me?"

Hell, assuming most people will have their IPv6 machines firewalled off (they'd go to Best Buy and pick off a Linksys "firewall router" for IPv6 to prevent their PCs from getting hacked) and they'd still be poking holes in it to run some game or other, the normal user would definitely start wondering why they bothered spending another $50 on a new router when their old one worked just fine.

And marketers would love the trackability down to the PC level - sure there's the privacy IP thing, but it's defeated if there's a long-running IP connection still established (unless IPv6 has the ability to inform remote hosts that your IP was changing... which has some very interesting implications). Even so, it's usually a day's worth of tracking and a cookie can be used to bridge between days.

Sure malware has a more difficult time scanning a larger range, but that just means scanning won't be an option. Not that it ever will be purely because firewalls or other things will prevent it from being useful in the first place. Instead they'll just adapt and figure out how to detect new IPs on a local LAN segment and proceed that way (or given the Windows majority, they'll use standard Windows browser techniques to discover).

Between UPnP, ZeroConf (Bonjour) and other methods of discovery, malware will cope just fine.

Re:so what is ipv6 good for? (2)

unixisc (2429386) | about 2 years ago | (#40234183)

The first part - there will still be a need for private addresses, not for NAT, but for people who need to communicate within LANs, not the entire Internet. They'll do fine w/ link-local addresses, or as you say, be dual-stacked - be IPv4 in the inside, and IPv6 on the outside.

The multiple IP thing doesn't have to imply admin work. While people can set up DHCP6 configurations to assign certain addresses to certain computers, vary them and so on, what it means is that when a device is on a foreign network, it can easily get assigned, using autoconfiguration, a temporary but public IP address that will enable it to be as well connected as it was at home. It's not that straightforward when it's going from behind one NAT network to another, b'cos there exists the possibility of it running into an address collision w/ say, another 192.168.0.23

Re:so what is ipv6 good for? (1)

gstoddart (321705) | about 2 years ago | (#40234279)

It's not that straightforward when it's going from behind one NAT network to another, b'cos there exists the possibility of it running into an address collision w/ say, another 192.168.0.23

I definitely agree with that.

Years ago at another job someone needed more network drops in his office than were physically available. So, he bought himself a little firewall/router to use, and it defaulted to the 192.168 block.

Apparently he caused a collision with one of the really important servers and caused an outage (and an outrage).

Needless to say, that caused the need for a new policy that said "under no circumstances may you plug one of those into our network". :-P

Re:so what is ipv6 good for? (1)

Short Circuit (52384) | about 2 years ago | (#40234401)

ULA addresses are good for having 'private' address ranges. Don't rely on link-local. As sexy as it sounds, a lot of tools (especially browsers) don't handle them well; they get hung up on the concept that an IP address may be valid only when combined with an interface.

Re:so what is ipv6 good for? (1)

nine-times (778537) | about 2 years ago | (#40234521)

People won't necessarily switch over to IPv6 for their internal networks right away, since it can be a pain to reconfigure your network. However, there's not really much reason to continue using NAT if there's enough IP addresses to go around.

Re:so what is ipv6 good for? (5, Interesting)

asdf7890 (1518587) | about 2 years ago | (#40234771)

Most companies will probably keep their internal network on IPv4.

Which is fine. My IPv6 hosts don't need to care. Of course they'll eventually need to ensure that they have a reliable v4-to-v6 bridge setup either locally or at their ISP, but that will most likely be easier to set up than changing their whole network to IPv6 would be.

There's no way they're going to want all of their machines with an internet addressable location.

They won't any more than they do now. Public facing routers/firewalls will simply be set not to pass through any incoming connections unless otherwise instructed, just like IPv4 routers do. NAT is a red herring here - before NAT was common things worked fine much the same way as they will work under IPv6 (just with a much smaller address space) in that regard. Most big corporate networks control outgoing connections too (which an IPv4+NAT-only setup generally won't by default) so the one incoming default "block" rule is not going to be a significant amount of extra admin.

I think IPv6 does bring some usefulness, but I just don't foresee everybody changing how their internal networks operate.

Certainly some will, though not all that many in the near future. I suspect it will quickly become normal for new networks to be IPv6, and IPv4 will vanish that way rather than due to mass conversions.

It may not be the case here or where you are but it is already getting to the point in some parts of the world that people will have to be IPv6 all the way as their ISPs have too few IPv4 addresses to hand out to the connecting modems. Said ISPs use some form of v6-to-v4 bridging so that IPv4-only servers will be contactable, but while your website will be fine not all protocols will work well through this arrangement. I don't know how common it is, but I know people who have been in Hotels out east where the provided network connections are IPv6 only (presumably with some 6-to-4 system in place so v4 only hosts can be contacted). IPv4 may not die any time soon, but that doesn't mean IPv6 use won't grow rapidly.

The big win I see is for mobile devices like phones - it will make the job of large network providers for those devices easier.

And I can also see a huge amount of consumer type stuff taking years before it has transitioned.

Which is rather unfortunate as these devices are where one of the key IPv4 problems exist (Including phones as mentioned above).

IPv4 isn't going to go away overnight.

No, but IPv6 might grow very rapidly so you can't avoid interacting with it for long even if you stick with IPv4 internally.

Re:so what is ipv6 good for? (5, Interesting)

DarkOx (621550) | about 2 years ago | (#40233889)

Oh, and while every IP belongs to only one device, there's nothing saying every device should have only one IP.

You and the grand parent are missing the obvious outcome.

For the most part home users are going to end up with /64s some ISPs might be generous and hand out something bigger but I suspect most will decide not to do so in the end.

Does that mean you can put 1,50,100,1000,10000 addresses on a device? Sure, but the network portion of the addresses will be the same. That network address is going to uniquely identify your household just like your full ipv4 address does today. Marketers will just assume that each /64 subnet is unique to a user or household. Just like they assume one ipv4 address is an entire household behind NAT.

It changes little to nothing with regard to trackability.

Re:so what is ipv6 good for? (1)

unixisc (2429386) | about 2 years ago | (#40234281)

Except that when one has to track, one would have to either target the complete 8 word IPv6 address, or take the 4 word address and do a scan. If they tried doing a multicast to every node on the network (since broadcasts are no longer there on IPv6), their own system would grind to a standstill. And if they tried scanning the entire subnet of 2^64, it'd take them forever.

Also, that would be quite an assumption on their part. While households that have multiple devices may want an IPv6 link, those that have just one computer that they're interested in connecting would be fine w/ any ISP that just connects a group of its customers to a single link. And if they use autoconfiguration w/ privacy extensions, or if the ISP uses DHCP6 to assign the addresses, good luck finding out which addresses are in use. They'd be getting a 99.999999999% chance of destination not reachable.

Re:so what is ipv6 good for? (2)

DarkOx (621550) | about 2 years ago | (#40234497)

They don't need to 'scan' anything to track you for marketing purposes they just log where the requests are coming from. When they process their logs they simply only look at the first 64 bits of any ipv6 address, and then enhance the reliability of the correlation that it's the person/device using the same tricks they use now, also including the user agent string, cookies, referrers, date times, etc.
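Added example, not part of the thread: the /64 grouping described in the comment above, run over a constructed access log. It shows that changing the interface identifier (the lower 64 bits, which is all that privacy extensions rotate) leaves the grouping key unchanged. The log lines use documentation prefixes and are made up; the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (documentation prefixes 2001:db8::/32 and 203.0.113.0/24).
SAMPLE_LOG = """\
2001:db8:1234:5678:a1b2:c3d4:e5f6:1 - - [06/Jun/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:1234:5678:9d3e:77aa:10c4:beef - - [06/Jun/2012:18:30:12 +0000] "GET /a HTTP/1.1" 200 734
2001:db8:1234:5678:21f:5bff:fe12:3456 - - [07/Jun/2012:09:12:44 +0000] "GET /b HTTP/1.1" 200 120
2001:db8:1234:9999:4c1a:2b3c:4d5e:6f70 - - [07/Jun/2012:09:13:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2012:09:14:19 +0000] "GET / HTTP/1.1" 200 512
- - - [07/Jun/2012:09:15:00 +0000] "malformed" 400 0
"""


def subscriber_key(addr: str) -> str:
    """Key a client by its /64 network (IPv6) or its full address (IPv4)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # strict=False masks off the 64 interface-identifier bits
        return str(ipaddress.IPv6Network((int(ip), 64), strict=False))
    return f"{ip}/32"


def group_by_subscriber(log_text: str) -> dict:
    """Map each key to the sorted list of distinct client addresses seen under it."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split(maxsplit=1)
        if not fields:
            continue
        try:
            key = subscriber_key(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        groups[key].add(fields[0])
    return {key: sorted(addrs) for key, addrs in groups.items()}


if __name__ == "__main__":
    for key, addrs in group_by_subscriber(SAMPLE_LOG).items():
        print(f"{key:28} {len(addrs)} distinct address(es)")
```

The same key is what an operator would use to apply one rate limit or one block per subscriber rather than per address.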

Re:so what is ipv6 good for? (1)

Short Circuit (52384) | about 2 years ago | (#40234531)

Tracking ability is going to be driven more by browser request headers than by IP address, anyway.

I expect ISPs will get beyond /64s within a year or two. Being stuck with only a single /64 is BS; I have my home wired and wireless networks on different subnets for pretty simple (but entirely valid) reasons:

  • Broadcast and multicast traffic on a gigabit link doesn't risk flooding the far-slower wireless link
  • It makes it trivially easy to partition off wireless clients from wired clients, reducing the vulnerability my wireless network gives me. I'll be able to do even better once I split off to two SSIDs, one for guests and one for trusted users; guests wouldn't get access to any of the rest of the network.

Heck, multi-SSID behaviors with varying trust levels are finding their way into consumer routers already (while I'm wardriving, I see a lot of -guest networks coming from residences...even a very non-technical friend of mine has a -guest network that came up by default with their consumer router.), but that can't work if the routers don't have enough address space to work with.

Re:so what is ipv6 good for? (0)

Anonymous Coward | about 2 years ago | (#40234523)

Having multiple IP addresses on 1 interface is part of the standard.

Heck every IPv6 device, at a minimum is supposed to support a local-link and an internet address at the same time.

Re:so what is ipv6 good for? (0)

Anonymous Coward | about 2 years ago | (#40234615)

And everyone that wants to track someone downloading something that's not allowed.
They can no longer hide behind "someone else used my IP address", because they now can track down to the device used for downloading itself..
Great huh?

Re:so what is ipv6 good for? (1)

nine-times (778537) | about 2 years ago | (#40234639)

Well, you won't need to pay ridiculous fees in order to get a static IP address.

Just to give one example, right now, if I want to be able to SSH directly into the computers on my network from the Internet, it's a pain. I have to pay $100/month extra to upgrade to my ISP's business account to get even 1 static IP address, and getting multiple can be expensive/difficult. I can use a dynamic DNS service instead, which depending on the service might be expensive or unreliable-- just another thing that can go wrong.

But even if I have a single static IP or a dynamic DNS service, I then have to set up port forwarding on my firewall to redirect different ports to different machines, and keep track of which port goes where, or else SSH into one internal server and then SSH from that server to others.

Give everything a unique IP, and I just have to open the ports on my firewall.

Besides, I'm under the impression that IPv6 has more features than just "unique IP addresses for everything" (and preventing us from running out of available IPs). I'm not a super-technical expert, but I thought there were also technical improvements in security and routing.

Re:so what is ipv6 good for? (2)

HappyPsycho (1724746) | about 2 years ago | (#40234651)

I'll point out the major reason, we have kinda run out of IPv4 addresses. Not fun when you sign up for a new link from your ISP and the response is "Here's your link but we have no ips for you to use it with".

Reason enough? All the other stuff are (useful) side-effects.

As to the security implications, that's the job of a firewall, of which NAT is just a dumb (although stateful) version of.

IPv6 multi-homing status (2)

Bookwyrm (3535) | about 2 years ago | (#40233621)

Did folks ever get IPv6 multi-homed routing straightened out?

It always felt like conflicting goals at work -- on one hand, people wanted to simplify and shrink the size of the backbone routing tables, but on the other, a purely hierarchical routing space removes redundancy. That is, a tree graph has the property that there is only *one* path between any two nodes, which means a purely hierarchical routing arrangement would mean that the idea of 'routing around censorship' would go into the waste bin because there are no alternative routes possible. (Note that I am differentiating this from redundant *physical* links -- this is a matter of administrative links. If there is no multi-homing and the upstream provider is blocking/filtering/limiting traffic, there is no network route around it, physical redundancy notwithstanding.)

So any current best practices for IPv6 multihoming for small ISPs/businesses?

Re:IPv6 multi-homing status (0)

Anonymous Coward | about 2 years ago | (#40234419)

It's called BGP. Get a block direct from ARIN (or whomever) and have your ISPs put it in their table with whatever weight you want. Or, peer with them.

It sucks though. A lot of SOHO IT folk who want to multi-home are going to have to learn actual routing and not rely so much on some shiny, often overpriced, firewall "security" device.

Re:IPv6 multi-homing status (1)

Fez (468752) | about 2 years ago | (#40234571)

The cost for PI space and peering is still rather high, even at the "discounted" time-limited rates that are supposed to encourage adoption. I doubt many SOHO operations are going to want to shell out several thousand per year extra for that.

Sure that is the "right" way, but there are other ways (see my other post under this parent).

Re:IPv6 multi-homing status (1)

Short Circuit (52384) | about 2 years ago | (#40234633)

Set up an application-layer proxy on a host with both addresses, same as you would with IPv4.

So, set up a machine running Squid, where that machine has IPs from both your upstream ISPs. All your internal clients can use that Squid proxy to get out. SIP? No problem; use a SIP proxy.

Since you're pushing the 'logical, not physical' link angle, you can go one step further and set up a tunnel to another endpoint on the Internet, and use that as another possible route. (i.e. I have IPv6 access because I use a proto41 tunnel from Hurricane Electric)

If you don't want to go that route, have radvd announce both prefixes on your internal network, and allow clients to select which source address they use. Use short 'preferred' lifetimes, and you can have some daemon tweak your radvd configuration whenever you decide you want to favor one prefix over the other.

But, really, an application-layer proxy is your best option.

Re:IPv6 multi-homing status (0)

WaffleMonster (969671) | about 2 years ago | (#40234695)

Did folks ever get IPv6 multi-homed routing straightened out?

No change of any kind except more bits of TCAM wasted per route on fools who do not need to be multi-homed in the first place.

So any current best practices for IPv6 multihoming for small ISPs/businesses?

Small businesses, mapa ISPs and rich dudes with more money than sense don't need to be multi-homed PERIOD. All you're doing is bloating the routing table at the expense of the network in exchange for zero benefit to yourself and others.

If there is no multi-homing and the upstream provider is blocking/filtering/limiting traffic, there is no network route around it

When they say the network routes around censorship this is a myth. The network itself is capable of no such thing. It takes human intervention and brain power to make it happen.

Re:IPv6 multi-homing status (1)

bbn (172659) | about 2 years ago | (#40234783)

There are three options:

1) Order internet from two different ISPs. Get a router from each. Connect both routers to your internal network. Done.

Yes, for most people and small businesses nothing more is required. What will happen is that every computer will get two IP addresses, one from each ISP. As part of IPv6 every computer monitors the routers and automatically chooses one that is responsive. If you unplug a router every computer will start using the other with a failover time of maximum 30 seconds.

This option does not provide backup if you want to host a web server. But it will work with a mail server because SMTP allows you to simply publish both IP addresses. Many private persons and small businesses have no need for a local server so this could be a good and easy solution.

2) Get your own /48 address range from your RIR and get service from two different ISPs. Use BGP to advertise your range. This is exactly the same way as you do dual homing with IPv4.

3) Use LISP. This is not quite ready for primetime yet, but I think it will be there in about a year. It is backed by Cisco et al. http://www.lisp4.net/

LISP is the most interesting option. You get your own /48 just like the BGP option, but LISP allows you to split that up into as many units as you want. You can use some of it at the office and give each employee a /64 for their home office. There are no scalability problems.

4*) Other home-made solutions. Some people will try to sell you a NAT66-based solution. Just say no. You could also build a primitive LISP-like solution yourself by using a tunnel to a server somewhere.

REally.... (3, Informative)

Lumpy (12016) | about 2 years ago | (#40233659)

"The problem is network security devices in many cases don't scan IPv6. So if you turn IPv6 on, you're screwed."

Funny, the ones here do. In fact the last Firebox update said it covered IPv6.

What out-of-date garbage are people running out there that will not scan IPv6?

Re:REally.... (0)

Anonymous Coward | about 2 years ago | (#40233685)

symantec

Re:REally.... (0)

Anonymous Coward | about 2 years ago | (#40233745)

That's not network security... That's a toy from Hasbro that silly people think actually does something.

Re:REally.... (0)

Anonymous Coward | about 2 years ago | (#40233807)

Hardware routers, firewalls, and the like. The big boys like SonicWALL released updates to support and/or manage IPv6 traffic, but the older things... good luck.

Re:REally.... (0)

Anonymous Coward | about 2 years ago | (#40234459)

Truth be told, SonicWall doesn't actually support IPv6 (at least when I looked 6 months ago). It will function as a stateful IPv6 firewall but all those other "fancy" features people rave about... nope, no luck there...

why we need IPv6 (1)

Anonymous Coward | about 2 years ago | (#40233675)

A great article about why we need IPv6: http://www.forbes.com/sites/firewall/2012/06/05/why-we-need-ipv6-now-and-what-it-means-for-network-security/

The issue isn't just addresses. IPv4 was never meant to be a global business network. It is an experiment that was never turned off.

I've had IPv6 for years (0)

Anonymous Coward | about 2 years ago | (#40233721)

I don't know why everyone is freaking out about remembering addresses... really really easy

12-16 hex digits, That is it... assign static address after that.

Mine: 2001:470:8xxx
that is my /48
then for my /64 networks, I use my VLAN ID

2001:470:8xxx:vlan::1 == router
2001:470:8xxx:vlan100::1 == router

etc...

easy
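The numbering plan from the comment above, as an added example that is not part of the original post. It assumes the "vlan100" hextet means the VLAN ID written in decimal digits (VLAN 100 becomes `:100:`), uses the documentation prefix `2001:db8:1234::/48` in place of the commenter's elided /48, and the function names are hypothetical. The reverse lookup is what makes such a plan useful when reading firewall or flow logs.

```python
import ipaddress

# Constructed sample: 2001:db8::/32 is the documentation range, standing in
# for the commenter's elided /48.
SITE = ipaddress.IPv6Network("2001:db8:1234::/48")


def vlan_subnet(vlan_id, site=SITE):
    """Return the /64 whose fourth hextet *reads* as the decimal VLAN ID."""
    if site.prefixlen != 48:
        raise ValueError("plan assumes a /48 site prefix")
    if not 1 <= vlan_id <= 4094:          # usable 802.1Q VLAN IDs
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    hextet = int(str(vlan_id), 16)        # 100 -> 0x0100, so it prints as ':100:'
    base = int(site.network_address) | (hextet << 64)
    return ipaddress.IPv6Network((base, 64))


def router_address(vlan_id, site=SITE):
    """The ::1 address in the VLAN's /64, as in the comment's scheme."""
    return vlan_subnet(vlan_id, site).network_address + 1


def vlan_of(address, site=SITE):
    """Map an address (e.g. from a firewall log) back to its VLAN ID.

    Returns None when the address is outside the site prefix or its subnet
    hextet is not a decimal-coded VLAN ID.
    """
    addr = ipaddress.IPv6Address(address)
    if addr not in site:
        return None
    hextet = (int(addr) >> 64) & 0xFFFF
    digits = format(hextet, "x")
    if not digits.isdigit():              # contains a-f: not produced by this plan
        return None
    vlan_id = int(digits)
    return vlan_id if 1 <= vlan_id <= 4094 else None


if __name__ == "__main__":
    for vid in (1, 100, 4094):
        print(vid, vlan_subnet(vid), router_address(vid))
    # Constructed SLAAC-style host address inside VLAN 100
    print(vlan_of("2001:db8:1234:100:21a:2bff:fe3c:4d5e"))
```

An address inside the site prefix for which `vlan_of` returns None sits in a subnet the plan never assigned, which is worth a look when it shows up in logs.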

Do not want (-1)

Anonymous Coward | about 2 years ago | (#40233739)

I will not use it at my home. I have an IPv4 address, and always will. NATing firewall. IPv6 can be used on my LAN, and I'll participate in BitTorrent with an IPv6 address, but this all happens without any thought from me. I can always disable IPv6 in my Windows networking stack if I want, but I won't bother.

I'll be damned if all of my devices get a fucking public IPv6 address. Fuck that. I doubt that I'll ever enable IPv6 on my router.

Regarding my ability to use the internet... I'll let the ISPs and transitional technologies sort that out.

Re:Do not want (1)

Chrisq (894406) | about 2 years ago | (#40233831)

I will not use it at my home. I have an IPv4 address, and always will.

I'm still hanging on to NCP [wikipedia.org] you insensitive clod!

Define "enable?" (2)

Shoten (260439) | about 2 years ago | (#40233769)

For example, when I look at Comcast's site [comcast6.net], I see "When Comcast decided to participate in World IPv6 Launch, we committed to enabling at least 1% of our customers with IPv6 by June 6, 2012." So, how does that figure into the 60%? If there are 50 ISPs in the world, but Comcast has 5% of the subscriber base, is that 2% out of the 60%? Or is it 5%? Or is it .002%? I'm curious how this 60% number was calculated.

Re:Define "enable?" (0)

Anonymous Coward | about 2 years ago | (#40233931)

60% of ISPs intend to enable IPv6

The summary does not specify anything about how much of the customer base needs to be IP6ed to qualify the ISP. The link in the summary does not clarify either, although it does give a more detailed breakdown of where the IP6ing is happening.

As for your % subquestion, count all ISPs, divide IP6ing ISPs by total count, find percentage. Ignore actual population details.

Re:Define "enable?" (1)

nxtw (866177) | about 2 years ago | (#40233959)

I think IPv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with IPv6 DHCP support (and specifically DHCP6-PD for routers). Most consumer routers that are currently deployed don't support IPv6 and some older ones that do might not work properly with prefix delegation. They may only enable it for modems that they have certified for IPv6.

Re:Define "enable?" (2)

slamb (119285) | about 2 years ago | (#40234583)

I think IPv6 is available across much (maybe most or all) of the Comcast network, but will only be usable with compatible clients with IPv6 DHCP support (and specifically DHCP6-PD for routers).

More or less. The Comcast blog [comcast.com] says "To meet this goal, we launched and enabled IPv6 in over one-third of our broadband network ... we observe roughly 5% of users can take advantage of this. That percentage can increase dramatically if vendors act to enable IPv6 by default in software updates for existing devices and in newly shipping devices."

From what I saw on some Comcast page recently (which I can't find again, sorry), there's no prefix delegation yet, although they claim it's coming.

FWIW, I seem to be in the 1/3rd. Today I switched my Netgear WNDR3800's Advanced/IPv6 setting to "Auto Config" (as opposed to "Auto Detect", which uses 6to4...ugh) and it (somewhat oddly) doesn't show a WAN IP but does show a LAN IP of 2601:9:yadda:yadda:yadda/64. Seems to actually work, and once I disconnected my Mac from the wireless network and reconnected, it had an IPv6 address as well in the same subnet. "ping6 www.google.com" works with round trip times around 20 ms, and Chrome actually uses IPv6 - www.comcast6.net says my IPv6 address at the top of the page where it used to say my IPv4 address.

Re:Define "enable?" (0)

Andy Dodd (701) | about 2 years ago | (#40234287)

It seems like the threshold for an ISP to be part of the "launch" is for only 1% of their customers to have IPv6 service.

Yes, you read that right - only 1%.

Making this "World IPv6 Launch Day" nothing but a bunch of marketing hype so slacking internet service providers can make themselves look a lot better than they really are.

1% of your customers isn't a launch - it's severely limited test marketing.

Is there a list of ISPs... (1)

John Hasler (414242) | about 2 years ago | (#40233827)

...that are going to enable IPv6 for all customers by the end of 2012? Does it include CenturyTel?

Re:Is there a list of ISPs... (0)

Anonymous Coward | about 2 years ago | (#40234357)

centurytel? those pathetic inbred swamp dwellers? not a fucking chance.

Working great here for 1yr (1)

Fez (468752) | about 2 years ago | (#40233847)

I've been using IPv6 via he.net tunnels on pfSense 2.1 for over a year now, and it's working great.

Really happy to see my Netflix streaming going over IPv6 this morning, too.

pFSense support for IPv6? (1)

unixisc (2429386) | about 2 years ago | (#40234427)

I'm glad to see you mention that. While under the FreeBSDs, Monowall has supported BSDs for a while, the same hadn't been true about pFSense. I wanted to know whether pFSense 2.1 supports IPv6 or not. Checking out their site [pfsense.org], it stated

Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.

Incidentally, which version of FreeBSD does pFSense 2.1 correspond to?

Re:pFSense support for IPv6? (1)

Fez (468752) | about 2 years ago | (#40234675)

[Disclaimer, I am a pfSense developer, employee, and book author so I'm a bit biased] :-)

pfSense is based on FreeBSD 8.3 with quite a few things patched in the kernel and base system. We've been doing quite a lot of work lately on getting the last few bits of IPv6 going along with some other features we have in the chamber for 2.1. IPv6 support is the main focus of pfSense 2.1 so changes in other areas have happened but they have been minimal in comparison.

Here is a spreadsheet covering the current status of IPv6 in various areas of pfSense [google.com]. Some of those will have to wait for pfSense 2.2.

We just got one key feature holding back 2.1 from being released solved, and there are a few more bugs left [pfsense.org] but progressing rapidly.

Re:Working great here for 1yr (1)

daniel23 (605413) | about 2 years ago | (#40234477)

Had to look into my tunnelbroker.net account: it's already 4 years of running it. About once a year there is some hiccup at their Frankfurt node, I'll write a mail to their support staff then and about 20 mins later some friendly supportnic asks me to check if I can still repro the problem...
And free DNS server (IPv6-ready, with glue records), and free IPv6 training & certification - HE has been really helpful for me.

bbiznatch (-1)

Anonymous Coward | about 2 years ago | (#40234369)

Ink splashes across ar8ogance was

If Nagios fails to ping google.. (2)

RaBiDFLY (38196) | about 2 years ago | (#40234379)

..or other hostnames with AAAA records:

Add -4 to ping_check command, restart nagios and carry on.
Dan

IPv6 Gateways look forward (1)

Anonymous Coward | about 2 years ago | (#40234393)

To the dozens of new hosts worldwide.

IPv6 home router? (0)

Anonymous Coward | about 2 years ago | (#40234851)

OK, which home routers support IPv6? Do they support IPv6 WiFi?

I go to Fry's, and mention which router supports IPv6 for both internet and WiFi - all I get is a blank stare.
