2013 IPv6 Summit

>running IPv6 on an individual box with the default apps the distro provices is trivial.

Yes

>Getting good (reliable, fast) IPv6 connectivity to the Internet is not.

Why not? I live in a rural county called Somerset in the UK, My town has a population of ~40,000. We do not have the best of anything internet related. Yet despite that _for my home connection_ I have my own two DNS servers and IPv6. Yes, I have had to pick my ISP and I am a nerd. Do this:

$dig pf1.roseandjon.gerdes.co.uk AAAA

(I reserve the right to remind you that my locality is pretty rural)

>Making sure that IPv6 is as secured as IPv4 is not. It's IP! Doh! You have to add rules to your router that look at IPv6 - yes it's a pain having two rule sets.

>Reviewing old application code to make sure that all connections are done with IPv6 safe routines is not. For a business, where is the ROI?

OK - I'm a crap programmer but I am an MD of an IT consultancy and the ROI for me is rather different than what your question supposes ...

>now, in the case of LWN, geek cred and testing new stuff is part of what they do, so yes, they have far more reason than most to implement IPv6. But those same drivers that push them to do IPv6 are pushing them to release the source that drives the site, and that is a project they have not been able to get done for a lot longer than IPv6 has been a possible issue.

I can't directly influence the phenomenal resource that LWN is or how they govern themselves but I can be a loud pest!

I regularly read articles in LWN that are (to me) mind bendingly complicated. I love it. The last application I developed used VB6 and ActiveX to query a 300,000 object Novell eDirectory thingie to manage groups - not exactly kool kid stuff.

I am a 42 year old nerd and I personally perceive a fair few tech websites who trot out the same old IPv6 news items and yet they don't themselves provide access over IPv6. It really isn't rocket science, you just have to care.

I only whinge about a lack of IPv6 on tech sites - we are nerds for goodness sake - start acting like one.

Cheers
Jon

>> Without public IP, you can no longer do remote desktop, you can no longer play many games as port forwarding doesn't work any more, you can not ssh into your home server, you can not access data on your home computers, you can not host servers, you can't do peer to peer communication and many other things stop working without public IPs as well.

> I'll point out that with most ISPs (at least in the US), these things are almost all prohibited by the terms of service of the ISP (and people do have their connections terminated if the ISP catches them doing them) and actively blocked by their firewalls.

> So for a very larger percentage of users, the predicted dire consequences of not moving to IPv6 don't look noticeably different than their current connection.

> Yes, for some people, these sorts of issues are important, but those people already have to carefully pick their ISP (and/or pay substantially more to get a 'business' connection)

Obligatory zealot comment- here is a link to my 53 page manifesto on the issue that I've had bounce between the FCC (initial <1000 character 2000F complaint) and the Kansas Attorney General. It is currently under some 'Enforcement review' procedural step at the FCC. I've yet to get the FCC or Google to offer a single sentence or two of explanation as to why my interpretation of Network Neutrality here is wrong. Namely I believe that such aforementioned terms of service blocking home servers are an instance of violation of the 'blocking' network neutrality rule. Likewise, I loathe this concept of 'business class' users as much as I loathe differentiated pricing based on geographic region for DVDs, or, no doubt throughout human history, things like sex, skin color, and religious affiliation. Digressing- how is a residential home user using a VPN to work for their employer, and the Google Ads network to exchange their visual attention for the utility of access to advanced computing services delivered over the internet, not engaging in 'business'. I think the real bottom line is that the terms of service barring home servers are really just a convenient way for the establishment to thwart competing services based on home servers. I.e. that 'pure' vision of the internet with everyone with their own effectively free dns domain, non-scarce IP addresses, and email servers secured and simplified through natural FOSS evolution. Instead of the masses glomming onto things like gmail, that use the content of their messages to psychologically manipulate them into buying more of the products sold by google's advertising clients. Bah... get off my lawn- (FCC complaint ref#12-C000422224 http://cloudsession.com/dawg/downloads/misc/kag-draft-2k1...)

> If everyone has IPv6, then I expect carrier grade NAT to die off, it's expensive, creates network bottlenecks, and increases troubleshooting compared to a native IPv6 everywhere network.

I don't see this happening in the foreseeable future (10-20 years), what I see is dual-stack lite where everyone has an RFC1918 private IPv4 address and a real routable IPv6 address with providers maintaining CGNs indefinitely to deal with a long-tail of services which never convert over. There will be a short time where most of the traffic will go through the CGNs which will taper off as more devicess get native IPv6 to offload the traffic, but never quite reach zero. At this point though it's too late to have a network without permanent CGNs, IPv4 was allowed to get too big to allow it to fade quietly into the night, maybe in our lifetime IPv4 will be disabled, we can hope at least.

I don't see the point of NAT64 though, it dosen't seem to have any advantages over dual-stack and CGN and seems to require more infrastructure and introduce more flakiness (proxying DNS). Having IPv6-only edge infrastructure seems to be more of a geek-cred thing than a practical benefit.

It's much easier to allow incoming connections for services you want to run when each internal host has its own globally unique address and/or to stop enforcing policy on the router/switch at all. The world which spawned network packet filters was one where the hosts had no effective network security controls, now full feature packet filters are ubiquitous on edge hosts, edge host packet filters also have more knowledge about the application using the network than network packet filters. The main advantage of the central firewall service is centralized policy control but any kind of automated configuration management system like puppet or Active Directory Group Policies can accomplish this. There are certainly some outliers, systems which for whatever reason choose not to implement effective policy controls even though they are available on any host which can do IPv6, but those can be handled as the exceptions that they are.

I think you are mistaken. Consumer IPv6 routers should and probably will come with a restrictive firewall by default, I agree. But all current routers provide a way to configure port forwards, many also support a "wildcard" forward where all unused public ports are forwarded to a local IP address (with an appropriate security warning). They stop there because they're limited to 1 IP address, not because they're mean.

I'm pretty sure that once IPv6 becomes prevalent, consumer routers will have means to unblock certain ports on hosts or all connectivity for certain hosts -- equivalent to port and wildcard forwards, but potentially with improved user experience and less tampering.

And even if restrictive firewalls are enforced upon customers, we still will have killed NAT, which is the stumbling stone for many current TCP extension proposals such as ECN. It also has benefits because IP routing is stateless -- BitTorrent won't fill the router's NAT table and your TCP sessions can survive router reboots.