
LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 13:23 UTC (Wed) by kleptog (subscriber, #1183)
Parent article: LCA: IP address exhaustion and the end of the open net

The port number issue is interesting. I've seen situations where the same (src ip, src port, dest ip, dest port) are reused within 3 seconds of the FIN from the first connection coming past. A large corporation NATted behind a single IP. Luckily the sequence numbers are far enough apart to avoid problems, but I'm sure it's violating some RFC.

My experience with IPv6 has been pretty good, but it's a biased view since I haven't managed to get Firefox to open an IPv6 connection yet. Everything else works pretty well (except there are so few IPv6 sites around).

I'm disappointed the ISPs are so reluctant to do anything to help, and surprised that consumer equipment hasn't just worked around the problem using automatic 6to4 tunnelling.
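The tuple reuse kleptog describes is governed by TCP's TIME_WAIT state: RFC 793 says a closed connection's (src ip, src port, dst ip, dst port) must not be reused for 2*MSL (MSL is assumed to be two minutes, so four minutes), and a NAT that hands the same external port back after three seconds relies on sequence numbers alone to keep old segments from being accepted by the new connection. The following is an added example, not part of the comment or of LWN, that scans a constructed flow log (as seen on the outside of the NAT, documentation addresses only) for 4-tuples reused inside the TIME_WAIT window and works out what that window means for the port budget of a single NAT address.

```python
"""Flag TCP 4-tuple reuse faster than TIME_WAIT allows (added example, constructed data)."""
from datetime import datetime, timezone

# RFC 793: TIME_WAIT lasts 2*MSL; the RFC's assumed MSL is 2 minutes.
MSL_SECONDS = 120
TIME_WAIT_SECONDS = 2 * MSL_SECONDS

# Constructed log of SYN/FIN events observed outside a NAT (203.0.113.10 is the NAT's
# single public address; these are RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2011-01-26T13:20:00Z SYN 203.0.113.10:40000 -> 198.51.100.7:80
2011-01-26T13:20:05Z FIN 203.0.113.10:40000 -> 198.51.100.7:80
2011-01-26T13:20:08Z SYN 203.0.113.10:40000 -> 198.51.100.7:80
2011-01-26T13:20:09Z SYN 203.0.113.10:40001 -> 198.51.100.7:80
2011-01-26T13:20:20Z FIN 203.0.113.10:40001 -> 198.51.100.7:80
2011-01-26T13:25:30Z SYN 203.0.113.10:40001 -> 198.51.100.7:80
"""


def parse_line(line):
    """'<iso-time> <SYN|FIN> <src:port> -> <dst:port>' -> (datetime, event, (src, dst))."""
    ts, event, src, _arrow, dst = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, (src, dst)


def find_fast_reuse(log_text, window=TIME_WAIT_SECONDS):
    """Return [(4-tuple, seconds since its last FIN)] for every SYN that reuses a
    tuple sooner than `window` seconds after the previous connection closed."""
    last_fin = {}   # 4-tuple -> time of the FIN that closed it
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, tup = parse_line(line)
        if event == "FIN":
            last_fin[tup] = when
        elif event == "SYN" and tup in last_fin:
            gap = (when - last_fin[tup]).total_seconds()
            if gap < window:
                hits.append((tup, gap))
            del last_fin[tup]   # a new connection is now open on this tuple
    return hits


def max_new_connections_per_second(ephemeral_ports=64512, wait=TIME_WAIT_SECONDS):
    """Sustainable rate of new connections to ONE (dst ip, dst port) through a single
    NAT address if every closed port really sat out TIME_WAIT.  64512 = ports 1024..65535."""
    return ephemeral_ports / wait


if __name__ == "__main__":
    for tup, gap in find_fast_reuse(SAMPLE_LOG):
        print(f"tuple {tup[0]} -> {tup[1]} reused after {gap:.0f}s (< {TIME_WAIT_SECONDS}s)")
    print(f"honouring TIME_WAIT caps a single NAT address at "
          f"{max_new_connections_per_second():.0f} new connections/s per destination")
```

The second function is the reason large sites behind one address cut the wait short: at a strict four-minute TIME_WAIT, one public address can open fewer than 270 connections per second to any single server port, so NATs (and many host stacks) trade the RFC's margin for port capacity.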



LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 13:37 UTC (Wed) by foom (subscriber, #14868) [Link]

> I'm disappointed the ISPs are so reluctant to do anything to help, and surprised that consumer equipment hasn't just worked around the problem using automatic 6to4 tunnelling.

...Remember when Apple did *just that* by default with the Airport wireless router and got flamed to a crisp for it?

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 13:48 UTC (Wed) by kleptog (subscriber, #1183) [Link]

From what I can find they got flamed because they provided no firewall in the default config. But were there problems besides that?

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 14:43 UTC (Wed) by foom (subscriber, #14868) [Link]

Yes, they allowed incoming TCP (and every other kind of) connections in IPv6 -- restoring End-to-End connectivity, just what everyone wanted, right? Oops.

Then they asked IETF what they should've done instead. IETF said "duh you need a stateful firewall"; Apple said "but wait? you mean we still need all that crappy NAT-code, just without translating the network address? And didn't you decline to standardize on what exactly such a thing needs?". Argument ensues over how mean Apple is for daring to say that stateful firewalls have the same impacts on end-to-end connectivity as NAT...or something like that.

In order to build an in-network firewall, you need to have an application-level understanding of a bunch of different protocols (FTP, IRC, SIP, H323, PPTP, RTSP, at least). And you need a protocol for endpoints to ask the firewall to pretty please actually allow incoming connections on some port (so that BitTorrent and similar protocols requiring incoming connections work).

Both of these have existed for IPv4 for a long time, but the IETF had declined to standardize them. And neither NAT-PMP nor UPnP (at that time -- I don't know if they do now) supported IPv6 addresses.

And at least NAT-PMP *intentionally* only supported IPv4, because at the time they figured it was just a bad hack before residential gateways could let endpoints handle their own traffic again with IPv6, and restore the End-to-End principle like in the good old days.

I dunno what the current status is...I think there's still no such protocol support.

Some more history:
http://blog.karppinen.fi/2007/04/turning-a-feature-into-a...

The Apple guy in question has since taken it upon himself to write down in RFC form what such a home router should be expected to do...apparently said RFC was just approved two days ago, after over 3 years of discussions. And I'll note also that it's somehow turned from a "BCP" into "Informational", too.
http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-se...
http://www.rfc-editor.org/rfc/rfc6092.txt
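foom's point is that a stateful filter with no address translation still breaks inbound connectivity exactly the way NAT44 does, unless there is a way for an inside host to ask for a pinhole. The model below is an added example (not Apple's, the IETF's or LWN's code) of such a gateway: unsolicited inbound packets are dropped by default, which is what RFC 6092 recommends; replies to inside-initiated flows pass; and a `request_pinhole` call stands in for the endpoint-to-gateway request that UPnP/NAT-PMP could not make for IPv6 at the time (PCP, RFC 6887, later standardized one with IPv6 support). The class, method names and addresses are all constructed for the example.

```python
"""Toy model of an RFC 6092 style IPv6 residential firewall (added example, not real gateway code)."""


class StatefulFilter:
    """Default-deny for unsolicited inbound traffic.  Nothing is translated, yet
    inbound connections fail unless the inside host talked out first or asked
    for a pinhole, which is the same end-to-end loss NAT44 imposes."""

    def __init__(self):
        # Flow state: (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()
        # Pinholes: (proto, inside_addr, inside_port) opened at an inside host's request
        # (the role UPnP/NAT-PMP/PCP play; this API is hypothetical)
        self.pinholes = set()

    def request_pinhole(self, proto, inside_addr, inside_port):
        self.pinholes.add((proto, inside_addr, inside_port))

    def outbound(self, proto, src, sport, dst, dport):
        """Packet from the inside: always allowed, and it creates flow state."""
        self.flows.add((proto, src, sport, dst, dport))
        return "ALLOW"

    def inbound(self, proto, src, sport, dst, dport):
        """Packet from the Internet: allowed only for known flows or open pinholes."""
        if (proto, dst, dport, src, sport) in self.flows:
            return "ALLOW"                                  # reply to an inside-initiated flow
        if (proto, dst, dport) in self.pinholes:
            self.flows.add((proto, dst, dport, src, sport))  # remember the accepted flow
            return "ALLOW"
        return "DROP"                                       # unsolicited inbound


def scenario():
    """Checks a practitioner would run against such a gateway (constructed addresses)."""
    fw = StatefulFilter()
    host = "2001:db8:1::10"   # inside host with a global address
    peer = "2001:db8:9::77"   # a host on the Internet
    results = {}
    # 1. A peer tries to reach a BitTorrent listener directly: dropped despite the global address.
    results["unsolicited"] = fw.inbound("tcp", peer, 51000, host, 6881)
    # 2. The inside host connects out; the reply is allowed by flow state.
    fw.outbound("tcp", host, 40000, peer, 443)
    results["reply"] = fw.inbound("tcp", peer, 443, host, 40000)
    # 3. The host asks the gateway to open its listener; now the peer gets through.
    fw.request_pinhole("tcp", host, 6881)
    results["after_pinhole"] = fw.inbound("tcp", peer, 51000, host, 6881)
    # 4. Later packets of that accepted flow also pass, via the state it created.
    results["pinhole_flow"] = fw.inbound("tcp", peer, 51000, host, 6881)
    # 5. An unrelated port stays closed.
    results["other_port"] = fw.inbound("udp", peer, 5060, host, 5060)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:>14}: {verdict}")
```

Step 1 is the whole argument in one line: the host has a public IPv6 address, no NAT is involved, and the peer still cannot reach it. What the filter does not model is the other half of foom's list, the application-level gateways (FTP, SIP, H323 and so on) that such a box needs for protocols that announce ports in their payload.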

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 16:14 UTC (Wed) by spaetz (subscriber, #32870) [Link]

> http://www.rfc-editor.org/rfc/rfc6092.txt

Ironically this resolves to an ipv6 address here which does not respond to a ping (other ipv6 sites work just fine). So loading that page took 5 minutes until it fell back to ipv4. :-)

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 17:55 UTC (Wed) by the2masters (subscriber, #27656) [Link]

works here

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 18:38 UTC (Wed) by foom (subscriber, #14868) [Link]

Oh, and in case it wasn't clear: the lack of UPnP/NAT-PMP for IPv6 makes using IPv6 through such a stateful filter a *WORSE* experience than using IPv4 through NAT currently is.

Applications on home endpoints still can't directly accept incoming connections (wasn't that, like, the whole point of IPv6?), and unlike with IPv4 there was (is?) no widely accepted/implemented protocol to allow random endpoints to request such access.

IPv6 for the home, if we're to have a stateful firewall between all users and the internet, seems basically useless -- it doesn't enable applications like video chat or p2p filesharing to work any easier or more reliably than on IPv4...

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 23:37 UTC (Wed) by drag (subscriber, #31333) [Link]

> IPv6 for the home, if we're to have a stateful firewall between all users and the internet, seems basically useless -- it doesn't enable applications like video chat or p2p filesharing to work any easier or more reliably than on IPv4...

If you have more than one person using the same protocol it can make all the difference in the world.

LCA: IP address exhaustion and the end of the open net

Posted Jan 28, 2011 11:27 UTC (Fri) by i3839 (guest, #31386) [Link]

That is total rubbish.

The way for an application to open an incoming port is, well, to open a socket on that port and listen to it. That's it. It magically works with no stupidity going on.

People have forgotten this because NAT madness and overzealous firewalls have entrenched themselves deeply enough.

You only need a firewall if you, as a user, want to restrict who and what may access what or who else. If applications can change that policy then you can as well have no firewall at all.

Firewalls are overrated. In this case Apple did the right thing and should have ignored all the whiners.

LCA: IP address exhaustion and the end of the open net

Posted Jan 26, 2011 19:01 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

A large part of the reason why consumer equipment doesn't support NAT64 is that for many, many years every time someone suggested NAT in relation to IPv6 the response from the IPv6 people was 'NAT is evil, NAT is not needed, NAT is not allowed on an IPv6 network, go away until you agree with us'.

It's only in the last year or two that I have seen people admitting that there will need to be NAT between IPv4 and IPv6.

LCA: IP address exhaustion and the end of the open net

Posted Jan 27, 2011 14:25 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

Well, NAT is evil, and should be abolished, yes... However, as long as there are still IPv4 hosts that need to be interacted with, there will need to be some kind of NAT for dealing with them... But, pure IPv6 hosts don't need to be behind NAT (from other IPv6 hosts); that's the point people tried to make... And, the argument was always with people who wanted NAT as a firewall replacement, instead of being bothered to just use a real firewall... NAT is a kluge to solve a specific problem; one which no longer exists if the world is all on IPv6... In that world, indeed no one should ever have any kind of NAT anywhere... Of course, I'm not sure I'll ever live to see that world... ;-/

role of NAT in the v4 -> v6 transition

Posted Jan 29, 2011 17:22 UTC (Sat) by jeleinweber (subscriber, #8326) [Link]

The IETF and IAB still hate the idea of NAT66, they want to return to the end-to-end transparency of the 1980's, once again allowing protocol innovation to flourish. See e.g. RFC-5902 from last July.

NAT46 such as NAT-PT has been given up on; e.g. RFC-4966. In addition to all the usual NAT issues you have the killer problem of being unable to reliably fake DNS A records for servers which have AAAA only at ISP scales. The implication is that v4-only clients will be cut off from v6-only services. Once v6-only services become interesting, consumers will demand v6 from their ISPs.

It's easy to dual-stack clients, except that we are out of v4 addresses. So new clients with public v6 trying to access the legacy v4 network have two basic options, both involving NAT translation. You could ditch v4 and do some kind of NAT64 gateway. That is probably going to lose out to dual-stack-lite, where instead you give the client private v4, tunnel it over v6 to a carrier NAT44, and only have to eat the usual NAT issues, not NAT plus the protocol translation issues. Expect a lot of dual-stack-lite on cell phone networks and in Asia.

While we are waiting for ISPs to finish eradicating the v4-only DSLAMs and CMTSes from their networks in the US and Europe, expect a lot of 6rd, where clients with upgraded dual-stack modems and upgraded wifi routers use protocol 41 tunnels over v4 between their modem and a gateway at the ISP. This looks almost like native v6 at the client, incrementally and easily migrates to full native v6 as the ISP fixes its pipes, and is cheap and quick to deploy.

Recap: ISPs need to offer v6 to their business customers yesterday, and 6rd or native v6 to their consumers soon. Businesses need to dual stack their services ASAP, or the new v6 customers will have a terrible experience, the legacy v4 customers won't be able to reach them, and the v4 refugees from a degrading v4 multiple-NAT morass won't have any refuge to run to. Consumers can wait until the v6 availability improves, say 2013, and then go dual-stack in whatever fashion, lite or heavy, their ISP allows.

Teredo is only for masochists.
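Two of the mechanisms in jeleinweber's survey are pure address arithmetic, and seeing the bits is the quickest way to understand what each one can and cannot do. NAT64 works by embedding the IPv4 destination in an IPv6 prefix (RFC 6052; the well-known prefix is 64:ff9b::/96) and having DNS64 hand out synthesized AAAA records, so a v6-only client can reach a v4-only server, which is the direction that survives; the reverse, v4-only clients reaching AAAA-only servers, is the one the comment says cannot be faked at scale. 6rd (RFC 5969) builds each customer's delegated IPv6 prefix by appending their IPv4 address (minus any bits common to the whole ISP) to the ISP's 6rd prefix, which is why the border relay can route a protocol 41 tunnel back to a customer without any per-customer state. The code below is an added example (not from the comment, the RFCs or LWN); all prefixes and addresses are documentation ranges, and the function names are the example's own. It also covers the forensic direction a practitioner usually needs, recovering the IPv4 address from a NAT64-mapped or 6rd address in a log.

```python
"""NAT64 (RFC 6052) and 6rd (RFC 5969) address arithmetic (added example, constructed addresses)."""
import ipaddress

NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix


def nat64_synthesize(ipv4, prefix=NAT64_WKP):
    """Embed an IPv4 address in a /96 NAT64 prefix: the AAAA a DNS64 resolver returns
    for a name that only has an A record."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def nat64_extract(ipv6, prefix=NAT64_WKP):
    """Recover the real IPv4 destination from a NAT64-mapped address (None if not mapped);
    this is what the NAT64 box itself does, and what you do when reading its logs."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def sixrd_delegated_prefix(sixrd_prefix, customer_ipv4, ipv4_mask_len=0):
    """RFC 5969: delegated prefix = 6rdPrefix || (customer IPv4 minus its first
    ipv4_mask_len bits, which are the same for every customer of the ISP)."""
    p = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    v4_suffix = int(ipaddress.IPv4Address(customer_ipv4)) & ((1 << v4_bits) - 1)
    delegated_len = p.prefixlen + v4_bits
    addr = int(p.network_address) | (v4_suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((addr, delegated_len))


def sixrd_customer_ipv4(ipv6_addr, sixrd_prefix, ipv4_mask_len=0, ipv4_common="0.0.0.0"):
    """Inverse of the above: given any address in a customer's 6rd prefix and the ISP's
    6rd parameters, find the IPv4 address the tunnel endpoint must be sent to.
    ipv4_common supplies the high bits stripped by ipv4_mask_len (None if not a 6rd address)."""
    p = ipaddress.IPv6Network(sixrd_prefix)
    a = ipaddress.IPv6Address(ipv6_addr)
    if a not in p:
        return None
    v4_bits = 32 - ipv4_mask_len
    shift = 128 - p.prefixlen - v4_bits
    suffix = (int(a) >> shift) & ((1 << v4_bits) - 1)
    high = int(ipaddress.IPv4Address(ipv4_common)) & ~((1 << v4_bits) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | suffix)


if __name__ == "__main__":
    print("DNS64 AAAA for 192.0.2.1:        ", nat64_synthesize("192.0.2.1"))
    print("v4 behind 64:ff9b::c000:201:     ", nat64_extract("64:ff9b::c000:201"))
    print("6rd prefix for 192.0.2.1 (/32, mask 0):", sixrd_delegated_prefix("2001:db8::/32", "192.0.2.1"))
    print("6rd prefix for 10.1.2.3 (/32, mask 8): ",
          sixrd_delegated_prefix("2001:db8::/32", "10.1.2.3", ipv4_mask_len=8))
    print("customer behind 2001:db8:c000:201:1::5:",
          sixrd_customer_ipv4("2001:db8:c000:201:1::5", "2001:db8::/32"))
```

Note the asymmetry the comment relies on: a 32-bit IPv4 address always fits in the low bits of a NAT64 prefix, so synthesizing AAAA records is mechanical, whereas a NAT46 box would have to hand every AAAA-only server a distinct IPv4 address out of a pool, which does not scale. The 6rd prefix length is also worth noticing: with a /32 6rd prefix and no shared IPv4 bits each customer gets exactly a /64, one subnet; ISPs that want to delegate more must either use a shorter 6rd prefix or set ipv4_mask_len to the bits all their customer addresses share.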

role of NAT in the v4 -> v6 transition

Posted Jan 29, 2011 22:01 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]

What company is going to be willing to set up an IPv6-only service that 99.7% of the end-users will not be able to reach?

Give it a couple of years with a lot of publicity and that number may drop down to 90% (a 30x increase in the number of people with usable IPv6) and the question remains.

One of the problems with killing off IE6 is that there are still 20-30% (approximately, I've not looked it up recently) of users who have that browser, and companies are not willing to refuse to serve those customers. Until the number of IPv4-only users drops to a number significantly lower than the current number of IE6 users, businesses won't be willing to cut them off.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds