
Federal Agencies Must Use IPv6 by 2008

Zonk posted more than 9 years ago | from the quick-turn-over dept.

Networking 295

MoiTominator writes "The White House Office of Management and Budget announced on Wednesday that all federal agencies must deploy IPv6 by June 2008. So far, Defense is the only agency which has made any progress toward implementing the new protocol." From the article: "While we know that IPv6 technologies are deployed throughout the government we do not know specifically which ones, how many there are, or precisely where they are located...For cost, the agencies must report on estimates for planning, infrastructure acquisition, training and risk mitigation."

295 comments

Not ready for Prime Time (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12968094)

While IPv6 fixes many problems in IPv4, the developed world will not
embrace IPv6 until many shortcomings in the protocol are addressed.

1. Cisco routers suck at IPv6. Many of cisco's routers use the
router's CPU to process IPv6 packets instead of the fast-path. The
reasons for this are explained in the next few points. While Juniper's
routers are substantially better at IPv6 than cisco's, IT managers are
often restrained by insane corporate policy that dictates the use of
cisco.

2. There are too many addresses. There are 16.7 million addresses per
square metre of the earth's surface, including the oceans. This is
overkill. The world does not need more than the 4 billion addresses
available with IPv4, and I challenge you to come up with an
application that requires that many. Assuming that you can actually
come up with one, it could easily be solved with Network Address
Translation, or NAT as it is commonly known.

3. IPv6 addresses are too large. An IPv6 address is 128 bits in size -
64 bits of which are reserved for addressing hosts, and 64 bits of
which are reserved for routing. One thing that is cool with IPv6 is
address autoconfiguration. Take your 56-bit MAC address on your
ethernet card, ask for 64-bits of network prefix, bang it together
with EUI-64 and you are set. The problem with a 64-bit network prefix
is that routing tables become massive. Just do the math and you'll see
that extreme amounts of memory are required to hold routing tables.

4. The IPv6 header is too large. An IPv4 header is compact at 20 bytes in
length, while the IPv6 header is bloated at 40 bytes. That's right people,
each one of your IP packets has twice as much overhead as before.
While this may not sound like much, IP networks have a requirement that the
minimum MTU supported must be 576 bytes. That means that where you
might have got 556 bytes of data in your IP packets, you now get 536
bytes. This means that downloading stuff will take 3.4% longer.

Sure, IPv6 allows for nice hacks like those described in this article,
but is it really ready for prime time?
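The autoconfiguration step the post above describes (MAC plus advertised /64 prefix, "banged together with EUI-64") is short enough to show end to end. This is an added example, not code from the thread or from any vendor mentioned in it; the function names, the sample MAC and the 2001:db8::/64 documentation prefix are the editor's own choices. One correction of fact: an Ethernet MAC is 48 bits, not 56, which is why modified EUI-64 (RFC 4291, Appendix A) has to pad it with ff:fe to reach the 64-bit interface identifier. The last function shows the security-relevant side effect: the hardware address is recoverable from the IPv6 address, so a host can be tracked across networks, which is what RFC 4941 privacy extensions (random interface identifiers) were introduced to fix.

```python
import ipaddress

# Constructed sample input for this example (not a real host or network).
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
DOC_PREFIX = "2001:db8::/64"   # RFC 3849 documentation prefix


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC-48."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC-48 expected (6 octets, 48 bits)")
    # Split the MAC in the middle and insert 0xFFFE between the two halves.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Invert the universal/local bit (0x02 in the first octet): a globally
    # unique, vendor-assigned MAC yields an IID with that bit set.
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as a router would advertise it) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host forms for itself before any router replies."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str):
    """Recover the MAC embedded in an EUI-64-derived address, or None if the
    address does not carry the ff:fe marker (e.g. a privacy-extension IID)."""
    raw = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    if raw[3:5] != b"\xff\xfe":
        return None
    first = raw[0] ^ 0x02          # undo the universal/local bit flip
    octets = bytes([first]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print("link-local:", link_local_address(SAMPLE_MAC))
    print("global:    ", slaac_address(DOC_PREFIX, SAMPLE_MAC))
    print("recovered: ", mac_from_address(str(slaac_address(DOC_PREFIX, SAMPLE_MAC))))
```

If an address has `ff:fe` in the middle of its interface identifier, assume an observer can read the NIC vendor and serial out of it; on hosts that matter, check that temporary addresses are enabled rather than relying on the size of the address space to hide anything.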

Re:Not ready for Prime Time (3, Interesting)

lw54 (73409) | more than 9 years ago | (#12968134)

Well, I'll bite.

IPv6 has such a large address pool to allow autoconfiguration of addresses for now and in the future. It basically redefines the whole issue of keeping up with who has which IPs. Just keep up with their network number and autoconfig the rest.

While the addresses may be 4 times the size and the header is twice the size, the header itself can be processed and delivered faster.

Re:Not ready for Prime Time (0)

Anonymous Coward | more than 9 years ago | (#12968473)

DNS request wait time is now only 30 Minutes !!

Re:Not ready for Prime Time (1)

OverlordQ (264228) | more than 9 years ago | (#12968136)

Yes because NAT sucks.

Re:Not ready for Prime Time (5, Insightful)

Uhlek (71945) | more than 9 years ago | (#12968142)

Obviously you only read trade mags and know nothing about networking:

1) You're thinking older Cisco equipment. But, the same argument could be made for any number of enterprise/carrier routing vendors. If you have a router/multilayer switch designed for IPv4, you're going to have to either upgrade it with IPv6 ASICs, or replace it completely. That's part of the price of transition, and there's no way around that.

2) No one with any level of education in the matter says "We're running out of addresses." We're running out of address SPACE. Big difference. The huge class A and B networks issued to large US corporations and the military means those countries who got online later on are losing out. Case in point...I was on the redesign team at a USAF base that had two class B networks -- for 30,000 customers.
And NAT is only a stopgap. You end up with a massive number of interoperability problems when you start NATing. With IPv6, there simply isn't the need for it, and you remove those problems.

3) Memory and CPU performance hasn't been a major issue with most routers in a long time, especially BGP routers. Massive OSPF networks, yeah, the Dijkstra algorithm hits hard, but there are other, less CPU-intensive options like IS-IS, or just design your network right from the ground up and summarize properly.

Again, the problem we're going to run into here is the specialized memory used for wire-speed packet switching. But, if you're doing wire-speed, you're going to have to replace the ASICs anyway, so the TCAM gets replaced too.

4) You're right, minimum MTU size in IPv4 networks is 576 bytes. But that's a difference of 3.5% versus 7%. Not a major issue -- especially since most MTUs are in the range of 1250-1500, or even higher in pure GigE networks.

The road to IPv6 will be bumpy, but the only issue you mentioned with any real weight is the first, and that's an easy one. You just throw money at it.

Where the problem is going to lie is in long-haul data transport, IPv4 interoperability, and legacy application support. The network's the easy part.

Re:Not ready for Prime Time (2, Informative)

Uhlek (71945) | more than 9 years ago | (#12968169)

Looked up something interesting. Minimum MTU in IPv6 is 1280 bytes. So, now you're talking a difference of 1.5% versus 3.1% (rounded). Even less of a big deal.

Re:Not ready for Prime Time (4, Interesting)

knipknap (769880) | more than 9 years ago | (#12968178)

1) You're thinking older Cisco equipment.

Wrong. Recent IOS releases still have the same problems, they are also quite catastrophic from a usability point of view in comparison with the IPv4 features.

3) Memory and CPU performance hasn't been a major issue with most routers in a long time, especially BGP routers.

This is always an issue, as memory costs money. The global routing table has just passed the RAM barrier a few months ago for many routers; most Cisco routers holding that table now require 512MB minimum route memory. (of course it also depends on what else the router has running, but as a general rule, the mark was hit.)

Either way, IPv6 means more memory and resource requirements, which in turn means a lot of investment with no return. That's why IPv6 will only come when it has become absolutely necessary. Which will take a few years still. So no, it is not "ready for prime time".

Re:Not ready for Prime Time (2, Interesting)

Uhlek (71945) | more than 9 years ago | (#12968233)

I was referring to what is available for purchase, not what's currently deployed. I still work with production Cisco 2501's on occasion, so believe me, I know that the IPv6 transition is not going to be cheap, or easy.

Thing is it'll never be absolutely necessary here in the US, at least not for a long time to come. Enough kludges have been developed for NAT that it's "good enough" for the time being, especially to IT managers facing the hard choice between sticking with NAT or dumping a metric ass-ton (roughly equivalent to an Imperial crapload) of money into an IPv6 infrastructure.

The "prime time" buzzword has been an excuse for the last few years, even though no one can really give a hard definition of what "prime time" is.

Re:Not ready for Prime Time (2, Funny)

fataugie (89032) | more than 9 years ago | (#12968289)

So what you're telling me is, that what is needed here is for some articles to be written and a few people to go on news shows and say how life as we know it will cease to exist, that the Y2K/\/\IPv4 bug will eat us alive. We'll be back in the stone age because our Computer/TV/Radio/can opener with embedded chips/\/\/I mean IPv4 addresses can't possibly function.

Re:Not ready for Prime Time (1)

vidarlo (134906) | more than 9 years ago | (#12968256)

This is always an issue, as memory costs money. The global routing table has just passed the RAM barrier a few months ago for many routers; most Cisco routers holding that table now require 512MB minimum route memory. (of course it also depends on what else the router has running, but as a general rule, the mark was hit.)

While the addresses themselves get longer, the routing tables will become easier. Because it can be consistent routing, i.e. all that has 3ffe: goes in that direction, d4ae:f9821: goes in that direction. So I guess you'll see less change in routing table size than you guess. Remember, one of the goals with IPv6 was to minimize routing tables.

Re:Not ready for Prime Time (1)

thogard (43403) | more than 9 years ago | (#12968418)

If the *NICs were dishing out only /24s then you could do the same thing with 16 megabits of memory per interface. For a typical largish dual-homed company that means they need nearly 4 megabytes of RAM to hold the current routing state. Now that assumes that routers use content-addressable RAM, which they don't.

Re:Not ready for Prime Time (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12968226)

"4) You're right, minimum MTU size in IPv4 networks is 576 bytes. But that's a difference of 3.5% versus 7%. Not a major issue -- especially since most MTUs are in the range of 1250-1500, or even higher in pure GigE networks."

In a world where an ever increasing percentage of IP traffic is streaming, the MTU is becoming irrelevant, and the header size a huge burden.

Re:Not ready for Prime Time (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12968270)

The grandparent was obviously a pre-rolled troll. I mean, come on, it's huge and it's like the first post.

Re:Not ready for Prime Time (1)

empaler (130732) | more than 9 years ago | (#12968334)

It's called subscription, noob.

Re:Not ready for Prime Time (1)

kernelpanicked (882802) | more than 9 years ago | (#12968393)

Subscription my ass, AC hit it dead on

Re:Not ready for Prime Time (2, Interesting)

empaler (130732) | more than 9 years ago | (#12968438)

Yeah, he probably IS right. It's not as much connected to the article as the IPv6 thing, or more precisely, only to the IPv6 part.
Still, someone typing fast, who knows what he wants to say and has the foresight to spot something he wants to comment on in the mysterious future might pull this off.

Re:Not ready for Prime Time (1)

WebCrapper (667046) | more than 9 years ago | (#12968470)

Actually, it's not... See previous post [slashdot.org] or you can look on Google and find many more where it's been used...

Re:Not ready for Prime Time (1)

superid (46543) | more than 9 years ago | (#12968314)

re point 2....my *.mil is a class B servicing around 4k hosts :(

Re:Not ready for Prime Time (0)

Anonymous Coward | more than 9 years ago | (#12968144)

1 is a valid point: switching to IPv6 is going to be a bitch as far as hardware is concerned.

In reference to 2 & 3, I can't see how you can have too many IP addresses, and network speed has increased by more than enough to deal with IPv6's mildly increased header size.

In reference to 4, the minimum MTU for IPv6 is much larger at 1280 bytes.

Re:Not ready for Prime Time (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12968176)

Smells like we got a troll [slashdot.org] in the house.

Re:Not ready for Prime Time (4, Insightful)

MathFox (686808) | more than 9 years ago | (#12968180)

1. Cisco routers suck at IPv6.
Cisco will have to fix that or go dodo...
2. The world does not need more than the 4 billion addresses available with IPv4.
Think VOIP: it would be nice if my "Mobile communicator", home PC and work PC could be directly accessed from all over the world. With 6 billion people on earth, I estimate a demand for 18 billion IP addresses.
3. IPv6 addresses are too large.
Moore's law: The capacity problems will be solved in a few years. And routers don't need to keep full routing tables (they never did!)
4. The IPv6 header is too large.
Network speeds have boomed... 8 Mbit ADSL is affordable and available nearly everywhere in the Netherlands. When you redo your computation with a MTU of 1500 (ethernet), overhead increases by a bit more than a %.

I see a lot of reasons to go IPv6, especially now China (1.3 billion people) and India (1 billion people) get connected.

Re:Not ready for Prime Time (2, Interesting)

TheRaven64 (641858) | more than 9 years ago | (#12968313)

Not to mention the fact that with IPv6 we are back to a situation where addresses can be assigned hierarchically, and so the routing tables can be quite compact, dealing with a small number of ranges rather than a large number of network addresses.

Re:Not ready for Prime Time (2)

Armadni General (869957) | more than 9 years ago | (#12968203)

Somebody really needs to mod this down. This exact comment has been posted multiple times before on Slashdot: Google results [google.com] .

Oh its on now! (1)

0xdeaddead (797696) | more than 9 years ago | (#12968281)

1 this is the whole point of software. I know people insist on compiling their stacks to ASICs, but check this out bub, I can route IPv6 on a 2500. I'm sorry but flexibility of IOS trumps any stupid ASIC. Oh and on the lameness of Cisco, yeah they do make some really lame products (*8500*) but have you actually compared CCO vs the others? Give me a break, if anything this tells me that you have never done any *REAL* networking on anything bigger than a 2500 or a 1900. Believe me the Cat 6500 with Sup3s kills any crappy 3Com (you would be totally fucking nuts to go back to 3Com after they dropped everyone) or Foundry.

If you don't believe me, just search the tech support online. Then call TAC.. notice how they have REAL 24x7 support all around the world???

2 Ok now you just said you know NOTHING about applications. Do you have any idea how much NAT has held back application development? Yeah, that's right, what about VOIP, video conferencing?? IM shouldn't need a central server, clients should be able to contact each other, my cellphone should have an IP, hell even my car. Mobile IPv6, and the 2^24 IP addresses will fix this hands down. Believe me stupid thinking like this has stagnated real app development in the last 10 years. Just ask any CORBA application to NAT.

3 What kind of routers are you using? Gee get on the clue train, it's 2005, and I can get 512MB DIMMs for $43 USD! With the advent of 64-bit CPUs (Cisco loves MIPS, which are 64-bit) a router with 512 or a couple of gigs isn't unheard of. Not to mention have you seen any papers on how IPv6 is laid out? It's not IPv4 with /17 split horizon nonsense. This isn't IPv4, and it's not 1970!

4 What the hell are you worried about 20bytes for? What are you using dialup?? If so please cancel your AOL account, and go back to watching American Idol. Please for the sake of the internet.

Ugh (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12968095)

NAT should take care of any lack of IP-space.

Re:Ugh (1)

bjoeg (629707) | more than 9 years ago | (#12968108)

How? NAT won't help; 1 IP address can only have one owner.

Re:Ugh (1)

MathFox (686808) | more than 9 years ago | (#12968122)

And I need at least 2 IP addresses: One at home and one for my co-loc server...

I beg to differ: NAT can do it, and well too (2, Insightful)

CdBee (742846) | more than 9 years ago | (#12968299)

Intelligent use of NAT can get a lot of users into one IP. 9 out of ten surfers only need outgoing-initiated connections (web surfing, email, instant messaging, IP-based broadcasting and legal music download software).

Most surfers are considerably safer behind NAT anyway, as shielding incoming TCP connections on ports 135-139, 445 and 593 kills 9 out of 10 Windows remote exploits stone cold dead. Deploying technologies like UPnP in the ISP routers can negate the inability to accept incoming packets in many low-grade server-style apps (Messenger, VoIP).

In an ideal world yes, every device could be addressed by its own IP address, but in this world I don't want some cracker port-scanning my fridge and getting a backdoor through a butter overflow exploit.

I don't trust any modern operating system enough to run it without a hardware firewall device, and I always keep that (it's a linux-based consumer router) well-patched up to date and with all remote admin functions disabled and locked down.

As a regular fixer of friends PCs, I would love to see ISPs provide the option of fully-NATted connections. I'd recommend them. It'd save me so much time trawling eBay for bargain routers for my friends.

Re:I beg to differ: NAT can do it, and well too (4, Informative)

TummyX (84871) | more than 9 years ago | (#12968360)


Intelligent use of NAT can get a lot of users into one IP. 9 out of ten surfers only need outgoing-initialed connections (web surfing, email, instant messaging, IP-based broadcasting and legal music download software).


But if you want to do video conferencing or VOIP then you're screwed unless you go via proxy servers and give up speed and security.


In an ideal world yes, every device could be addressed by its own IP address, but in this world I don't want some cracker port-scanning my fridge and getting a backdoor through a butter overflow exploit.


It doesn't matter whether you use NAT or IPv6. There's no reason why your fridge with an IPv6 address should not sit behind your home firewall. At least, when you need to be able to open certain ports (at which point you're vulnerable to buffer overflows regardless of the protocol), you'll be able to do so using router rules rather than port mapping (which can only go so far). In both situations you'll have to buy an additional device -- an IPv6 router/firewall or a NAT-based IPv4 router/firewall. There is no reason why an IPv6 router/firewall needs to be configured by default to permit all incoming connections.

Nice to see that... (4, Insightful)

cato kaze (770158) | more than 9 years ago | (#12968097)

It's nice to see that government is implementing IPv6, but I'm more curious as to when it will be implemented by the private sector and widely used. (Is there an FCC ruling or guidelines for transition time somewhere or are we just oozing towards it?)

Re:Nice to see that... (3, Interesting)

jacksonj04 (800021) | more than 9 years ago | (#12968333)

Oozing slowly.

Basically, install an IPv6 stack on everything you can and use IPv6-ready software/hardware over IPv4. Eventually upstream people will see IPv6 all over the place using Teredo, and implement an IPv6 network.

My school runs on IPv6, along with a few others in the area, and our upstream provider is already implementing an IPv6 network for us.

Re:Nice to see that... (1)

anthony_dipierro (543308) | more than 9 years ago | (#12968407)

It's nice to see that government is implementing IPv6, but I'm more curious as to when it will be implemented by the private sector and widely used.

My guess, probably never.

Re:Nice to see that... (1)

Mysticalfruit (533341) | more than 9 years ago | (#12968492)

I agree. NAT effectively killed IPv6. That and the balkanization of the internet.

Everybody has their own citadel with their data servers up in pearly white towers. The only clear access to the information desk is across a gantry high above a wall of fire. As you walk across this gantry your every step is watched by a 50 eyed beholder...

It will when major ISPs start supporting it (2, Insightful)

js3 (319268) | more than 9 years ago | (#12968435)

The #1 reason the private sector isn't picking it up is the vast majority of the big ISPs don't offer it; as long as they remain on IPv4, IPv6 isn't going anywhere fast.

Re:It will when major ISPs start supporting it (2, Insightful)

anthony_dipierro (543308) | more than 9 years ago | (#12968499)

And the major reason the vast majority of the big ISPs don't offer it is because there is no demand for it. Anyone offering a useful service on the web can afford a few bucks a month for a static IPv4 address, and I don't see that fact going away, ever. So what do you get by going with IPv6? AFAICT, nothing but incompatibility problems.


IPv6 would have been better than IPv4, if we were building the internet from scratch. But Beta is better than VHS too, and I don't know very many people with Beta cassette players.

Re:Nice to see that... (2, Insightful)

jav1231 (539129) | more than 9 years ago | (#12968490)

Why should they? What is gained by IPv6? Nothing currently. Oh you get to say, "Dude! I'm IPv6!" Big deal. NAT has stifled IPv6 for the masses and brought at least some level of security to Winblows users around the globe. The idea that the whole government should be on it is probably the compulsion of a bunch of advocates. In the case of the government, I can live with it. As for the rest of us it's really just a solution whose problem has largely already been solved.

Re:Nice to see that... (3, Interesting)

neal n bob (531011) | more than 9 years ago | (#12968520)

OMB gets off on making these grand IT pronouncements! I spent the last few years watching them blow millions of taxpayer dollars on their last bunch of IT crap they pushed down which was poorly planned and even more poorly managed. Hearing them mandate this by 08 is the funniest thing I have ever heard. All the agencies already have their budgets pretty well known through FY07, so where will they get the money? Some agencies like DOI don't even have a fully functional network - parts of it are not allowed to connect to the internet by court order because their security was so bad. So how the hell will that non-functioning entity move to IPv6?

What the hell? (-1, Troll)

Talez (468021) | more than 9 years ago | (#12968105)

Which nerd lobbied hard and sucked enough cock to get that announcement?

You'd think out of all the things that are important, IPv6 would not be one of them. Good on them though. It takes one hell of a push to get people out of the mediocre and onto something better because it offers no immediate benefit to them.

Re:What the hell? (3, Insightful)

Njovich (553857) | more than 9 years ago | (#12968116)

Oh, I don't know? Cisco? Microsoft? IBM? There are lots of people having interest in computer infrastructure investments.

Unless... (3, Funny)

Allrod (883869) | more than 9 years ago | (#12968110)

Another choice quote: Microsoft's next operating system, dubbed Longhorn, will be "fully IPv6-capable," Khaki said. That should really be: Microsoft's next operating system, dubbed Longhorn, will be "fully IPv6-capable, unless that gets dropped too..." Khaki said.

Re:Unless... (1)

Fred_A (10934) | more than 9 years ago | (#12968243)

Wasn't XP already supposed to be fully IPv6 capable ?

Re:Unless... (1)

value_added (719364) | more than 9 years ago | (#12968317)

Wasn't XP already supposed to be fully IPv6 capable ?

From the article:

Jawad Khaki, corporate vice president for Microsoft [said] Microsoft's next operating system, dubbed Longhorn, will be "fully IPv6-capable,"

Re:Unless... (1)

TheRaven64 (641858) | more than 9 years ago | (#12968321)

Windows XP includes a `Preview' (read: beta) IPv6 stack, and it is downloadable for NT4 and 2000. Trumpet (remember them?) ship a production-ready IPv6 stack for Windows 95 and later.

Source [ipv6.org]

Re:Unless... (1)

Zaknafein500 (303608) | more than 9 years ago | (#12968421)

Wow, Trumpet. That brings back very scary memories of trying to configure Trumpet Winsock on Win3.11 to connect to a PPP server at a local BBS. That was the single flakiest program I think I have ever used.

Re:Unless... (1)

Faynor (827219) | more than 9 years ago | (#12968382)

Isn't this off topic?

Re:Unless... (1)

marco13185 (888912) | more than 9 years ago | (#12968427)

Actually, I don't see this one getting cut. As the alphas of Longhorn already have it very well integrated and functional. Longhorn automatically configures an IPv6 address through DHCP with my router, it's also completely functional. But then again, so was the sidebar, WinFS, and every other core technology in Longhorn, until they removed them. But, yeah, they keep stripping Longhorn of features to the point that the only new features are the GUI. Which M$ is going to port back to XP!!! Also, when WinFS and the works come out, they will also be ported back to XP!!! They might as well name it "Windows XP with Avalon, Aero, and WinFS".

Re:Unless... (1)

learn fast (824724) | more than 9 years ago | (#12968482)

Microsoft's next operating system, dubbed Longhorn, will be "extremely close" to a release by 2008, Khaki said

Progress in DoD (4, Insightful)

dgb2n (85206) | more than 9 years ago | (#12968117)

Although there has been a lot of noise around it, actual progress hasn't been so convincing and the 2008 date appears highly unlikely. In many cases it's more a matter of "here's how we'd do it if you gave us X dollars" than a funded plan forward.

This has appeared all along like a deliberate attempt to force a "technology refresh" that would be more beneficial to major US networking companies than any real response to the technical superiority of the IPv6 protocols.

If the technical merit were really there (many of the supposed IPv6 improvements have been backported to v4), my guess is a specific mandate wouldn't be necessary. Business would take care of it.

Re:Progress in DoD (0)

teksno (838560) | more than 9 years ago | (#12968128)

The only tech companies it would be useful to are Microsoft and Cisco... I fully believe whatever n00b is out there controlling DOD networks doesn't realize that there are alternatives to technology products other than what he sees advertised on CNN.

Re:Progress in DoD (0)

Anonymous Coward | more than 9 years ago | (#12968481)

I've worked for the DoD and know that their system admins know what they're doing. They just don't have as much freedom as they would in the private sector. A lot of red tape to get through before they can get anything approved. It's rather rude to ASSume that the people who work for the DoD are all n00bs. They know what's out there, they just can't use whatever they want.

ATTENTION SLASHDOT READERS (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12968120)

You are all fucking retards. Lunix is a shit operating system, and BSD is dead. Apple is for closet homos. Get with the times, use Windows. Open Source is for losers. What other industry is so stupid as to work for free?

Re:ATTENTION SLASHDOT READERS (5, Funny)

debilo (612116) | more than 9 years ago | (#12968131)

What other industry is so stupid as to work for free?

Mothers and housewives?

Re:ATTENTION SLASHDOT READERS (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12968194)

Trust me, they ain't free at all. They live parasitically on their spouse, sometimes after ceasing to provide any service at all.

Re:ATTENTION SLASHDOT READERS (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12968220)

I'm paid well for my linux work. Software is a service, not a product. Once the artificial scarcity of copyright law is eliminated and we return to a free market, I'll still be doing fine. The windows weenies won't be.

Re:ATTENTION SLASHDOT READERS (0, Offtopic)

SlashdotMeNow (799901) | more than 9 years ago | (#12968419)

Dear sir. May I be the first to say: LOL! I wish you a good weekend.

NAT (4, Insightful)

debilo (612116) | more than 9 years ago | (#12968123)

Before people jump and say that we don't need IPv6 because NAT is good enough: No, NAT is not good enough. While I am grateful for NAT (and I am sure every other poor sod stuck with a single address only is grateful too), NAT has some serious shortcomings and limitations which increase the need for sometimes ugly, drastic or awkward workarounds for many things. It would be nice to be able to communicate with machines behind routers directly, though the security aspect that NAT provides really is useful.

Re:NAT (4, Informative)

FrostedWheat (172733) | more than 9 years ago | (#12968195)

though the security aspect that NAT provides really is useful

Nothing a simple firewall can't handle.

Re:NAT (0, Troll)

0xdeaddead (797696) | more than 9 years ago | (#12968294)

Yeah sure.. if you have, let's say, 3000 computers you want to RDP into, how do you do that??? Oh and the people connecting are end users, so no registry hacks, thanks... Sorry, NAT FUCKING SUCKS.

Not to mention things like voip.

Re:NAT (0, Flamebait)

richy freeway (623503) | more than 9 years ago | (#12968348)

You're ranting at the wrong person, numbnuts.

Re:NAT (1)

FrostedWheat (172733) | more than 9 years ago | (#12968372)

NAT != Firewall. Most NAT systems include some sort of firewall so it's an easy mistake to make. A firewall filters packets without changing them; NAT is a hack that rewrites the headers to get past ISPs only giving out single IP addresses per customer. It's a neat idea, but still a hack.

I'm lucky enough in that my ISP gives me a small subnet. I have a machine acting as a firewall to prevent all the usual nasties getting onto the network, limiting what ports external users can connect to. All without NAT - each machine has its own internet IP. VOIP works nicely.

Re:NAT (1)

Blkdeath (530393) | more than 9 years ago | (#12968465)

NAT != Firewall. Most NAT systems include some sort of firewall so it's an easy mistake to make.

NAT, as implemented by 95% of SOHO routing equipment, is an inherent protection system in that it prevents direct access to the machines connected behind them. In and of itself, NAT is a deny all, allow some mechanism which therefore offers a degree of protection that a simple 'this IP address belongs to this computer' routing setup can't offer. In that case the user must then also create a firewall ruleset based on their network topology. In most cases, I'd wager that ruleset would be a simple case of deny all, allow some anyways.

Re:NAT (1)

swillden (191260) | more than 9 years ago | (#12968501)

In that case the user must then also create a firewall ruleset based on their network topology.

The default ruleset would merely do precisely what the NAT box does: Deny all incoming connections. The network topology in question is simple: One NIC connected to the outside world, another connected to a switch to which all of the interior computers are connected.

With respect to security, NAT offers nothing that a simple stateful firewall does not.
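The "deny all incoming, allow established" default the posts above describe is small enough to write down, and doing so makes the point concrete: a NAT box has to consult exactly this kind of connection table before it can translate a reply, so the protection comes from the state table, not from the address rewriting. The following is an added example by the editor, not code from the thread or from any router product; `Packet`, `StatefulFilter` and `demo` are invented names, the addresses are constructed from the 2001:db8::/32 documentation range, and no real sockets are involved. It also carries the one IPv6-specific caveat a practitioner wants: ICMPv6 cannot be blanket-dropped the way people are used to doing with ICMP on IPv4, because Neighbor Discovery and Path MTU Discovery depend on it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                 # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str                     # "tcp", "udp" or "icmpv6"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: Optional[int] = None   # only meaningful for icmpv6


# ICMPv6 types a filter must not drop if IPv6 is to work at all (RFC 4890):
# error messages needed for Path MTU Discovery (1-4) and Neighbor Discovery
# on the local link (133-136). Echo request/reply is left to local policy
# and is dropped by this example.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 133, 134, 135, 136}


class StatefulFilter:
    """Drop all unsolicited inbound traffic, accept replies to LAN-initiated
    flows, and accept an explicit allow list. No addresses are rewritten."""

    def __init__(self, allowed_inbound=()):
        self.allowed_inbound = set(allowed_inbound)   # {(proto, dport), ...}
        self.state = set()                            # LAN-side flow keys

    @staticmethod
    def _flow_key(p: Packet):
        # Normalise both directions to (proto, lan_addr, lan_port, far_addr, far_port)
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        key = self._flow_key(p)
        if p.direction == "out":
            self.state.add(key)       # LAN-initiated: remember it, let it out
            return "accept"
        if p.proto == "icmpv6":
            return "accept" if p.icmp_type in ESSENTIAL_ICMPV6 else "drop"
        if key in self.state:
            return "accept"           # reply to a flow the LAN opened
        if (p.proto, p.dport) in self.allowed_inbound:
            self.state.add(key)       # explicitly exposed service
            return "accept"
        return "drop"                 # unsolicited inbound


def demo():
    """Constructed traffic (not a capture) against a filter that exposes only SSH."""
    fw = StatefulFilter(allowed_inbound={("tcp", 22)})
    lan, web, attacker = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:bad::1"
    flows = [
        Packet("out", "tcp", lan, 40000, web, 443),                    # browser opens HTTPS
        Packet("in", "tcp", web, 443, lan, 40000),                     # server replies
        Packet("in", "tcp", attacker, 12345, lan, 445),                # SMB probe
        Packet("in", "tcp", attacker, 12345, lan, 22),                 # SSH, explicitly allowed
        Packet("in", "icmpv6", attacker, 0, lan, 0, icmp_type=2),      # Packet Too Big
        Packet("in", "icmpv6", attacker, 0, lan, 0, icmp_type=128),    # echo request
        Packet("in", "udp", attacker, 53, lan, 40001),                 # unsolicited UDP
    ]
    return [fw.handle(p) for p in flows]


if __name__ == "__main__":
    for packet_verdict in demo():
        print(packet_verdict)
```

Two things this toy deliberately leaves out, and that a real conntrack implementation adds: entries expire (otherwise the table grows without bound, which is a denial-of-service vector in itself), and TCP flows are matched on flags and sequence windows, not only on the address/port tuple, so a spoofed packet claiming to be the web server's reply is not accepted just because the tuple matches. Neither of those has anything to do with whether addresses are translated, which is the point the preceding posts make.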

Re:NAT (0)

Anonymous Coward | more than 9 years ago | (#12968446)

You should be using VPN for that, Einstein.

Re:NAT (1)

asdfghjklqwertyuiop (649296) | more than 9 years ago | (#12968491)


You should be using VPN for that, Einstein.


And then you find out that company with 3000 machines to RDP into is using just about half of RFC1918 space and happens to be using the same portion of it that you are... doh!

Re:NAT (1)

hitmark (640295) | more than 9 years ago | (#12968238)

Bingo. While NAT is nice for home and small office use for basic sharing of a net connection for web and email, it runs into problems fast if you're planning to use it for, say, an ISP environment or similar, and to me that's what the grandparent post talks about.

The biggest single NAT problem is VPN tunneling. That a NAT setup has to rewrite the source or destination part of the header can mess up or make invalid the tunnel if it requires packet signing (i.e., using a private key to add a checksum for the header), from what I recall.

This means that you can't just deploy an ISP-wide NAT, as it may well make a mess for people that work from home, or maybe a traveling salesman that connects from time to time with a laptop.

Re:NAT (1)

gclef (96311) | more than 9 years ago | (#12968283)

The biggest problem I see with this attitude (not that I entirely disagree with it) is that it assumes NAT will go away in v6. I sincerely doubt that it will. I know it's unnecessary in v6...but people have gotten used to it, and it's been sold to them as a "security feature". Therefore, they're going to want to use it in v6, whether or not it really does anything for their security.

Re:NAT (2, Insightful)

Baricom (763970) | more than 9 years ago | (#12968376)

Actually, most people I've talked with use NAT not for the security but because they need it to get more than one computer online (the local broadband providers provide one IP address and rent extras for about $10 per month). I think whether NAT continues to be popular or not will probably be influenced by whether residential ISPs become less stingy with the address space.

If NAT goes out of style, the home router people will just focus more on delivering good firewalls, and a lot of people (probably including me) will still buy them.

Re:NAT (1)

anthony_dipierro (543308) | more than 9 years ago | (#12968422)

The biggest problem I see with this attitude (not that I entirely disagree with it) is that it assumes NAT will go away in v6.

What's more likely, if IPv6 does catch on, is that NAT will be replaced by IPv4 to IPv6 tunnels.

But I seriously doubt this is going to happen. Redesigning everything from scratch is a software engineer's wet dream, but in the real world for a system to work it needs to be much more backward compatible than IPv6. It's like DJB said [cr.yp.to]: "The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an alternative to the IPv4 address space, rather than an extension to the IPv4 address space."

Re:NAT (1)

clenhart (452716) | more than 9 years ago | (#12968349)

> though the security aspect that NAT provides really is useful.

All we need is a checkbox on an IPv6 firewall that says "NAT style security and limitations". Is that really that hard for firewall software?

Re:NAT (1)

thogard (43403) | more than 9 years ago | (#12968384)

That's why they invented SVC DNS records.

We already have about 2^48 IPv4 addresses for things using SVC records.

The real reason we ran out of IPv4 addresses is that cisco routers can't cope with a full routing table. Somehow quadrupling the amount of memory the same routing table needs isn't going to fix the problem.

Re:NAT (2, Informative)

Fished (574624) | more than 9 years ago | (#12968408)

Nawww... you're missing the point that IPV6 is designed to require significantly fewer entries in routing tables for the same number of networks. Yes, the addresses are 4 times as long, but that doesn't make the routing table take four times the memory.

Re:NAT (1)

thogard (43403) | more than 9 years ago | (#12968445)

I know the theory.
I know the real world isn't as nice. I've been dealing with routing issues since the days of the uumaps collapsing and I've seen where IPv6 is headed.

Re:NAT (1)

Zeinfeld (263942) | more than 9 years ago | (#12968436)

Before people jump and say that we don't need IPv6 because NAT is good enough: No, NAT is not good enough. While I am grateful for NAT (and I am sure every other poor sod stuck with a single address only is grateful too), NAT has some serious shortcomings and limitations which increase the need for sometimes ugly, drastic or awkward workarounds for many things. It would be nice to be able to communicate with machines behind routers directly, though the security aspect that NAT provides really is useful.

The problem I see with IPv6 is that nobody has ever managed to describe a transition strategy that looks remotely viable to me.

One of the big problems is that instead of looking to see what NAT technology could do for them to facilitate the transition what we get is really a flag day strategy under a different name.

What we need is IPv6 capable NAT boxes that are capable of doing 4/6 translation on the fly. The main barrier to adoption of that type of strategy is folk who really can't see beyond the end-to-end principle.

Re:NAT (1)

asdfghjklqwertyuiop (649296) | more than 9 years ago | (#12968502)


though the security aspect that NAT provides really is useful.

NAT doesn't have a security aspect. It just rewrites the addresses and ports on outbound packets and keeps track of them to rewrite the corresponding replies. If you don't have filter rules to back it up then any traffic can just flow right into your network. NAT doesn't cause packets to be dropped.

Well, IPv6 is nice (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12968130)

Especially "anycasting". But what about SCTP? Now that would be worth wide support.

Benefits of IPv6 (5, Informative)

lw54 (73409) | more than 9 years ago | (#12968148)

IPv6 is a powerful enhancement to IPv4. Its primary features are as follows:
  • The larger address space provides new global reachability, flexibility, aggregation, multihoming, autoconfiguration, plug and play, and renumbering. IPv6 increases the IP address size from 32 bits to 128 bits, allowing more support for addressing hierarchical levels, a much greater number of addressable nodes, and simpler autoconfiguration of addresses.
  • The simpler, fixed-size header enables better routing efficiency, performance, and forwarding rate scalability.
  • The numerous possibilities to transition from IPv4 to IPv6 allow existing capabilities to exist with the added features of IPv6. Various mechanisms are defined for transitioning to IPv6, including dual stack, tunneling, and translation.
  • Mobility and security ensures compliance with Mobile IP and IP Security (IPSec) standards.

Page 46, CCNP Self-Study, Paquet Teare

Re:Benefits of IPv6 (0)

tomstdenis (446163) | more than 9 years ago | (#12968171)

I really wish people would stop quoting more address space as a feature.

First off, have you ever tried to enter an IP over a noisy phone connection? Now try it with eight 4-digit groups!

Not all addresses are going to be ::192.168.0.1 ;-)

Second, do you have any idea how many dark /8s there are? Do you have any idea how many people have /8s that shouldn't? There is no IP shortage problem for now.

Tom

Re:Benefits of IPv6 (1)

SlamMan (221834) | more than 9 years ago | (#12968198)

No, but there's an IP distribution problem.

Look at it from an economic perspective: You have a limited resource imperfectly distributed. If some people who want/need the resource can't get it, because it's already been distributed, then you have an artificial shortage. While reclaiming and redistributing is a valid option, you should never ignore the option of increasing the amount of your limited resource.

Re:Benefits of IPv6 (1)

thogard (43403) | more than 9 years ago | (#12968404)

IPv6 won't fix the distribution problem. The problem is the limited resource is unique routes in key routers, and it comes down to the fact that a core exchange router can't cope with millions of networks that would like to be dual homed. The result is you can only truly dual home if you get your own /19, but most of the groups I know would be happy if they could dual home a /26.

Re:Benefits of IPv6 (1)

lingsb (192878) | more than 9 years ago | (#12968221)

I can also imagine that the sparseness of the number of IPv6 addresses that point to hosts will be a security benefit: it will make worm propagation a lot harder.

Re:Benefits of IPv6 (1)

nystire (871449) | more than 9 years ago | (#12968366)

Security through obscurity...

Re:Benefits of IPv6 (1)

squoozer (730327) | more than 9 years ago | (#12968431)

While security through obscurity shouldn't be your only defence, it is still a valid defence. Moving a service to an odd port will stop the majority of "passer by" attacks (the equivalent of someone trying your car door as they walk past). It won't stop anyone that is determined, but if you have removed the noise it is easier to see the determined little *%*£)".

I think it will probably slow down the current worm attacks, but I wouldn't be surprised if we also saw a new breed of worm that used a different method to find hosts.

Re:Benefits of IPv6 (4, Informative)

Florian Weimer (88405) | more than 9 years ago | (#12968417)

Reality is quite different and does not live up to the short-sighted analysis you quoted.

The larger address space is meaningless as long as it's harder to get independently routable IPv6 prefixes than it is for IPv4. IPv6 headers are not fixed-size; especially in enterprise environments, the extension headers make the IPv6 header variable-length, causing endless headaches with hardware-assisted forwarding. Quality of implementation of the transition mechanisms often sucks, and they introduce new security issues. IPsec for IPv6 is not widely available, in contrast to IPsec for IPv4 -- even though it is mandated by the RFCs.

Right now, IPv6 cannot deliver any of the new features it promises. It makes a lot of sense not to deploy it at this stage.

Likely future events... (2, Interesting)

Spoing (152917) | more than 9 years ago | (#12968158)

...all desktops in the US Federal Government will have unique IPs, making it even easier for the bad guys to exploit a machine many layers deep in a network. After all, why secure the routers when your department managers just keep complaining that they can't connect from home?

Re:Likely future events... (2, Informative)

Taladar (717494) | more than 9 years ago | (#12968324)

Repeat after me "NAT is not a firewall...NAT is not a firewall"

Re:Likely future events... (1)

nystire (871449) | more than 9 years ago | (#12968389)

And yet (at least in shops here) home users who ask about routers are being told that it makes them invulnerable to the "nasty people" on the internet :S

Re:Likely future events... (1)

Spoing (152917) | more than 9 years ago | (#12968420)

Repeat after me "NAT is not a firewall...NAT is not a firewall"

...and firewalls aren't the end all to security. (Thus, the sig.)

NAT is a capability of routers. It's not the only capability of routers, nor is it a necessary feature to enable when configuring them. (I'm talking about a full-featured router and other related devices, not a plug-and-go untweaked home model.)

Mac OSX has had great IPv6 for a while (10.2)! (5, Informative)

Anonymous Coward | more than 9 years ago | (#12968163)

Mac OSX has had great IPv6 for a while (10.2)

http://evanjones.ca/macosx-ipv6.html [evanjones.ca]

And the feds moved back their deadline so many times that even 2008 will be pushed back.

Apple even had a demo of ipv6 in OS9 once, and a long while back was big on it.

Most people I know who enjoy semi-anonymous IP addresses from de facto forced reissue are against IPv6 and see it for all its regretful faults, despite its wonderful goals and alleged benefits.

In an IPv6 world... there will be no more anonymity except at a WiFi cafe lacking video cameras.

Re:Mac OSX has had great IPv6 for a while (10.2)! (3, Insightful)

Armadni General (869957) | more than 9 years ago | (#12968219)

The feds are always pushing back deadlines. I'm sure regular readers have seen two or three articles here about the total conversion of all broadcast television from analog to digital signals? It's the same case. They need to get tough on these "deadlines," or else nothing'll get done at any pace faster than that of a snail.

And here shall commence the argument about whether or not anonymity on the Internet is a Good Thing or a Bad Thing.

Re:Mac OSX has had great IPv6 for a while (10.2)! (4, Interesting)

Detritus (11846) | more than 9 years ago | (#12968284)

Most people I know who enjoy semi-anonymous IP addresses from de facto forced reissue are against IPv6 and see it for all its regretful faults, despite its wonderful goals and alleged benefits.

The tin foil hat brigade is on the march, again.

If you want an "anonymous" IP address, there is nothing to prevent you from using a sooper-sekret random number instead of the interface's MAC. See RFC 3041 [ietf.org].
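As an added example (not from Detritus's post or anyone else in the thread), this Python shows the two address forms under discussion: a modified EUI-64 identifier carries the interface's MAC, which can be read straight back out of the address, while an RFC 3041 style random identifier carries nothing about the hardware. The prefix 2001:db8::/64 and the MAC 00:11:22:33:44:55 are constructed sample values.

```python
import ipaddress
import secrets
from typing import Optional

# Constructed sample values for the demonstration (not from the thread).
SAMPLE_PREFIX = "2001:db8::/64"          # documentation prefix
SAMPLE_MAC = "00:11:22:33:44:55"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The MAC is split in two, 0xfffe is inserted in the middle and the
    universal/local bit of the first octet is inverted.  The whole MAC survives
    inside the address, which is the traceability concern raised in the thread.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_iid() -> bytes:
    """RFC 3041-style temporary identifier: 64 random bits with the u/l bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD          # clear bit 0x02 -> "local" scope, as RFC 3041 requires
    return bytes(iid)


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Recover the MAC if the identifier looks like modified EUI-64, else None.

    This is the check an observer (or a privacy audit of your own hosts) would
    run: the 0xfffe marker in the middle of the identifier gives the
    MAC-derived form away.  It is a heuristic; a random identifier can contain
    0xfffe by chance (about 1 in 65536).
    """
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    stable = make_address(SAMPLE_PREFIX, eui64_iid(SAMPLE_MAC))
    temp = make_address(SAMPLE_PREFIX, random_iid())
    print("EUI-64 address:  ", stable, "-> MAC", mac_from_address(stable))
    print("RFC 3041 address:", temp, "-> MAC", mac_from_address(temp))
```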

Re:Mac OSX has had great IPv6 for a while (10.2)! (1)

anthony_dipierro (543308) | more than 9 years ago | (#12968450)

In an IPv6 world... there will be no more anononymity except at a WiFi cafe lacking video cameras.

Hmm, I think just the opposite would be true. Now that every person on the planet can have a billion IP addresses, it'll be feasible to use a different IP address every single minute for the rest of your life. Yes, IPv6 makes it possible for even a dialup server to give out static IP addresses to everyone, but it doesn't require it.

This could have a big impact on sites like Slashdot which rely at least in part on the relative scarcity of IP addresses to keep out the trolls. It'll hurt the spam filters which rely on spammers eventually running out of IP addresses. But these are situations in which the technical ability of anonymity is increased (though one could argue that social controls might tighten to compensate - no more anonymous posts on Slashdot for instance).

Re:Mac OSX has had great IPv6 for a while (10.2)! (1)

asdfghjklqwertyuiop (649296) | more than 9 years ago | (#12968509)


Most people I know who enjoy semi-anonymous IP addresses from de facto forced reissue are against IPv6 and see it for all its regretful faults, despite its wonderful goals and alleged benefits.

In an IPv6 world... there will be no more anonymity except at a WiFi cafe lacking video cameras.


What are these anonymous IP addresses you speak of? What about IPv6 makes the addresses less anonymous than IPv4?

Situation Normal (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12968222)

In a tough situation, send in the military to sort it out. They take some casualties, and the large contracting companies make a bundle. (They've been hurting since Y2K went away. Semper-Fiscus.)

To guarantee US adoption of IPv6... (5, Funny)

haakondahl (893488) | more than 9 years ago | (#12968298)

..Just declare it part of the metric system. Or is that the other way round?

If what I've heard is correct.... (1)

TwoTailedFox (894904) | more than 9 years ago | (#12968316)

.... you can kiss goodbye to the reliable IP address tracing that you can do with IPv4.

NAT-PT for linux (2, Interesting)

tolonuga (10369) | more than 9 years ago | (#12968402)

Is there any NAT-PT solution for Linux? I don't think anyone wants to go through the pain of double stacks. So to run an IPv6-only network, and connect it with both v4 and v6, you would need a v6-to-v4 NAT device (NAT-PT). I haven't seen anyone offering that, at least no Linux based solution (some *BSD might be able to do that, not sure).

Missing improvements (5, Interesting)

Peaker (72084) | more than 9 years ago | (#12968428)

IPv6, to me, was a bit of a disappointment because it lacks two features that I find important:

A) A protocol between the ordinary level 2 and IP (level 3) (could be named layer 2.5) that takes care of error correction via retransmissions. Not replacing TCP's error-correcting retransmissions, but in addition to those. The reason is that most lost packets are lost on a single link because of load issues and such, and not because a whole link falls and breaks a route. In those cases, it is very inefficient to retransmit over the whole route, and to add a huge latency overhead to the packet transmission.

B) Get rid of the silly "port" concept. Ports are just internal-computer addresses, and as such, should simply be part of the address itself. There should be no reason to distinguish between the network address and the host address (and thus subnets were created, and that separation no longer exists). Just the same, there should be no reason to distinguish between net/host addresses and application addresses. Removing the "port" concept and placing it as part of the IP address itself has the following benefits:
I) UDP becomes redundant to IP itself; the whole protocol is about adding the port address and can be discarded.
II) DNS entries can point to applications and not hosts. This would allow www.server.com and www2.server.com to point to different webservers on the same computer. This would allow the "virtual web hosts" feature to be discarded. It would also allow supporting multiple servers of any type (ftp, smtp, etc) on any host, all pointed to by DNS, without messing with the port supplied to the user.
III) An internal network can route the same application address to any host it chooses, easing the distribution of load. It would also not expose to the external world which applications are served on which hosts.

Anyhow, I look forward to seeing those features in IPv7.

Re:Missing improvements (0)

Anonymous Coward | more than 9 years ago | (#12968483)

That will be fully deployed around 2357. They can't even handle this switch.

Bring on the Vultures (4, Insightful)

Gothmolly (148874) | more than 9 years ago | (#12968452)

I've seen this sort of thing first-hand. Here's how it goes down:

Consultant: Hey, buddy o'mine in the White House Budget office, let's do lunch.
WhiteHouse: OK
Consultant: You know, if you don't use IPv6, you're obsolete.
WhiteHouse: Really?
Consultant: Yep. You wouldn't want the (Commies|Al-Qaeda|Chinese|French) to be ahead of us, would you?
WhiteHouse: Hell no!
Consultant: Nobody is going to deploy IPv6 w/o a reason. It's hard to do.
WhiteHouse: Hmm, we need to do this, it's a matter of Homeland Suck-your-ity. Can you help?
Consultant: Why sure, but you should make sure that only me and a few others are approved for this gig, you wouldn't want any incompatibilities, would you?
WhiteHouse: Damn straight, I think I'll have another Scotch.
Consultant: Go ahead, it's on me. *evil cackle*

For those of you who want to check (1, Informative)

Anonymous Coward | more than 9 years ago | (#12968477)

that their IPv6 installation is working

http://www.whatismyipv6.net/ [whatismyipv6.net]