
World IPv6 Launch: this time it's for real (ars technica)

A successor to last year's World IPv6 Day is the subject of an article over at ars technica. World IPv6 Launch will take place on June 6 and this time the plan is to leave things up and running on IPv6 after the day has ended. "Also new this year is that several Internet service providers will be participating by enabling IPv6 for at least one percent of their customers—with more to follow. These ISPs include not only those that have already put a toe in the IPv6 waters before, such as Comcast, Free Telecom in France, and XS4ALL in the Netherlands; but also Time Warner Cable and AT&T. Last but not least, Cisco/Linksys and D-Link will be enabling IPv6 support in the default configurations of their home routers."

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 0:38 UTC (Fri) by JoeF (subscriber, #4486) [Link]

Well, I'll see if AT&T will give me native IPv6 support for my U-Verse DSL account...
I doubt it. And if they do, they're probably going to charge more.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 0:51 UTC (Fri) by Kit (guest, #55925) [Link]

I would imagine that the "1%" will likely be in areas where they have done any necessary equipment upgrades / auditing to make sure everything is ready for a test deployment, not simply a random assortment of individuals from geographically dispersed areas.

Hopefully it won't be too long before IPv6 access for residential users will be fairly commonplace... although, in the areas where DSL is still king, or there's only one form of broadband (or none!), IPv6 might not be even considered for many, many years. I don't see dialup providers rushing to upgrade their networks to IPv6.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 1:42 UTC (Fri) by JoeBuck (guest, #2330) [Link]

We're out of IPv4 addresses, so IPv6 can no longer wait for "many, many years".

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 2:33 UTC (Fri) by ebiederm (subscriber, #35028) [Link]

Note also that this 1% target is not 1% of the users will have access to ipv6 but 1% of the users will actually be visiting sites over ipv6 on world ipv6 launch day.

So this really looks like an effort to break the back of the problem and have a usable ipv6 Internet in the US with 1-3million+ users.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 7:36 UTC (Fri) by niner (subscriber, #26151) [Link]

We're not really out yet. IANA distributed the last remaining blocks to the regional registries about a year ago. Asia's APNIC went out of addresses shortly after (they are keeping a /8 for easing transition to v6). Europe's RIPE will probably go out in about half a year. North America's ARIN a year later. http://ipv4.potaroo.net for details.

But even the regional registries going out does not mean that we are really out of addresses. There's still the local registries, and then the ISPs and hosting companies will just have to make do with what they've already got.

So even though I've been an IPv6 fan since I first read the RFCs more than ten years ago, I have to admit that it might still take a couple of years till it becomes a reality for me.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 12:36 UTC (Fri) by copsewood (subscriber, #199) [Link]

Factors likely to slow the transition are going to include:

  • How long it takes for web applications to recognise addresses in the new format,
  • How long it takes to train up people who develop and maintain networks and hosts,
  • How long it takes to upgrade routing hardware etc. etc.

We don't want to have to start doing all of this at a time when the IPV4 Internet is getting worse each year due to address conservation measures, e.g. carrier grade NAT making it impossible to run servers on most network connections. For me this kind of knowledge is what I sell, so I completed the Hurricane Electric free IPV6 certification program last summer - and now a couple of my students are taking this course too as part of their IPV6 related degree projects. I can't recommend this programme too highly.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 18:42 UTC (Fri) by jeleinweber (subscriber, #8326) [Link]

niner is correct that IPv4 exhaustion happens in stages, first IANA, then the five RIRs, then the ISPs, last the subscribers. However, I think he's underestimating the conversion pressure. Running out of v4 changes the economics. Dual stack native in v4-rich areas like the US and NAT64/DNS64 (native v6, partial v4) in the v4-tight areas like India or China are going to offer a better, faster, cheaper experience than lingering on v4 and using carrier NAT44. In the US, the amount of ISP logging needed to satisfy CALEA on a carrier-grade NAT44 device is completely insane, not to mention the tech support costs of troubleshooting folks behind double NAT44 (once at home, again at the carrier). The tipping point on consumer preference may only be 2 years out; v6 traffic could be over 50% of the backbone total by 2016; and both AT&T and Cisco are predicting that backbone routing of v4 will stop by 2020. v4 will linger on in the machine rooms for another decade or so, but "the Internet" really is going to transition to v6.

But next year is likely to be ugly: perhaps 15% of worldwide clients (particularly mobile) with v6-only, and ISPs and web-sites not fully converted. If you are worried about an IPocalypse, 2013 will be the year.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 15:32 UTC (Fri) by nhippi (subscriber, #34640) [Link]

Yes we can wait. Say hello to ISP-wide NAT (in the NAPT variant), common already in many developing countries... Fortunately MPAA/RIAA are technically too incompetent to see that they could lobby ISP-wide NAT as an anti-piracy tool.

Now please stop throwing the rotten tomatoes, I'm just a messenger!

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 25, 2012 14:20 UTC (Wed) by gvy (guest, #11981) [Link]

> We're out of IPv4 addresses
To me that's rather Cisco's scam: "DEAR SIR AND/OR MADAM, we've got new router business proposal etc etc etc". There's still *plenty* of IPv4 for *server* side.

Disclaimer: I'm not a network engineer but that's my understanding of the words told by a *very* competent person.

PS: launching v6 on 06/06 looks somewhat kabbalistic, any jeh*dons over there? :)

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 21, 2012 6:26 UTC (Sat) by csamuel (✭ supporter ✭, #2624) [Link]

Internode here in Australia have been running an IPv6 pilot (dual stack) for customers for many months now and recently went into production with it - as an opt-in system (no cost). A couple of days ago they announced that they would turn this dual stack option on by default for all new users.

http://ipv6.internode.on.net/access/

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 0:54 UTC (Fri) by ebiederm (subscriber, #35028) [Link]

AT&T plans to upgrade people's firmware on their DSL routers to support IPv6. http://www.att.com/esupport/ipv6.jsp

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 2:00 UTC (Fri) by paravoid (subscriber, #32869) [Link]

Maybe LWN should join and offer the site over IPv6 then? :)

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 8:53 UTC (Fri) by rvfh (subscriber, #31018) [Link]

Does not IPv6 mean that all my machines currently hidden behind my IPv4 router suddenly become visible on the whole internet? That's how I understood it, which would mean party-time for hackers.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 9:30 UTC (Fri) by niner (subscriber, #26151) [Link]

You need two iptables rules to let your machines access the internet with IPv4.
You need two iptables rules to prevent unauthorized access to your machines from the internet with IPv6.

Since you probably did not write the IPv4 rules, it's pretty safe to assume that you will not have to write the IPv6 rules. Those come with your router's firmware. So in fact nothing will change for you. Except that it will be much, much easier to make a machine accessible completely from the internet.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 9:49 UTC (Fri) by paravoid (subscriber, #32869) [Link]

The difference is what happens in the absence of those rules: in the first case, you have no Internet connectivity and throw your router out of the window immediately; in the second case, everything works and you may not realize you've exposed e.g. your printer to the rest of the world.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 9:57 UTC (Fri) by jengelh (subscriber, #33263) [Link]

Just use this patch and push it with all your might to the maintainers, and you get the secure-by-default variant.

diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index c9e37c8..7915be9 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -43,8 +43,7 @@ ip6table_filter_hook(unsigned int hook, struct sk_buff *skb,
 
 static struct nf_hook_ops *filter_ops __read_mostly;
 
-/* Default to forward because I got too much mail already. */
-static int forward = NF_ACCEPT;
+static int forward = NF_DROP;
 module_param(forward, bool, 0000);
 
 static int __net_init ip6table_filter_net_init(struct net *net)
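Review bot: the comment line removed at `-/* Default to forward because I got too much mail already. */` should be replaced, not just deleted; `static int forward = NF_DROP;` now flips the default forwarding verdict for everyone who loads ip6table_filter with no note explaining that, or that the `forward` module parameter is how the old behaviour is restored. Related nit in the unchanged context: `forward` is declared `int` and assigned a netfilter verdict, but `module_param(forward, bool, 0000);` registers it as a bool, so this only works because NF_DROP and NF_ACCEPT happen to be 0 and 1, and the 0000 permissions mean the effective default cannot even be read back under /sys/module. A short comment stating the new default and its rationale would make the change reviewable.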

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 11:52 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Please no.

Trying to secure things by ineptly closing off local networks should immediately cause one to be barred from using any computers for at least 20 years. This model is fundamentally flawed in the modern world. 10 years ago it was fine, since most organizations had just a few connections to the outside world that could be easily monitored.

Not anymore.

Now most people have wireless (hey, do you know that your guest's laptop has a virus?), 3G phones that can connect both to local WiFi and 3G network, drive-by browser/PDF/whatever exploits and so on. Attempting to secure a network by forbidding incoming packet forwarding is worse than useless because it gives a false sense of security.

What should be done instead?

I have no idea. We need to make _each_ device reasonably secure when exposed to the Internet (because they already are, really). And that in itself is a complex task.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 20:39 UTC (Fri) by raven667 (subscriber, #5198) [Link]

That's pretty much already done for desktop systems, although less so for appliances and other network devices. Every major desktop OS has a built-in packet filter firewall enabled by default and should be pretty safe to plug into the wild IPv6 Internet without any additional firewalling IMHO. In addition, IPv6 networks are much harder to scan remotely because the subnets are essentially infinitely large; of course a local device can easily inventory other local devices using the Neighbor Discovery Protocol. A better way to scan would probably be to break into web servers and pull addresses out of the log files rather than going blind, and even then the use of Privacy Addresses makes that info much less useful.

The big security vulnerabilities of modern desktop OSs are the client applications, the web browser, image and video viewers, etc. Packet filters have no effect on those kinds of security threats.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 21, 2012 7:51 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

>That's pretty much already done for desktop systems although less-so for appliances and other network devices. Every major desktop OS has a built-in packet filter firewall enabled by default and should be pretty safe to plug into the wild IPv6 Internet without any additional firewalling IMHO.

That's a very small piece of the required functionality. For example, a lot of home routers have easy passwords like "admin" by default. It should be fine since the management interface is not exposed on WAN ports, right?

Well, wrong. There's at least one worm that tries to log in to D-Link routers and hijack DNS server settings. And as home routers get more powerful it's quite easy to conceive of them making man-in-the-middle attacks on SSL or spying on network printing protocols.

Then there's an issue of updates. There's no infrastructure for centralized updates of things like network printers and routers.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 22, 2012 17:03 UTC (Sun) by raven667 (subscriber, #5198) [Link]

In all honesty there will probably be a lot of bad equipment out there that does stupid stuff, esp. with a whole new Internet Protocol to make mistakes with but these problems aren't unsolvable. For example IPv6 has link-local networking support, which is already used in home gear because it's more robust than trying to do IPv4 link-local networking. Only binding the admin interface or service on the link-local network address unless specifically configured otherwise could take a lot of the pain out of home devices like routers and printers. In any event, worms trying to take over home routers, whether they do that via internet-exposed admin interfaces or by bouncing through a local machine through browser exploits is somewhat unrelated to the actual protocol used. Actually a lot of the precautions necessary on the IPv4 internet might have a lower benefit to cost ratio in IPv6 just because the address space is so large, making scanning unfeasible and making security-by-obscurity a more viable strategy.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 15:10 UTC (Mon) by drag (subscriber, #31333) [Link]

You need IPv6 link local for Windows 7 to do home networking.

It's a hard requirement. If you disable the IPv6 protocol in modern Windows systems it fundamentally breaks stuff.

You do NOT need IPv6 support in your ISP or your network equipment to have IPv6 access to the internet, also.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 16:01 UTC (Thu) by dwmw2 (subscriber, #2063) [Link]

I agree with all that you say, but you should have called attention to the fact that there is a *particularly* hot spot in Hell reserved for those who DROP instead of REJECT. That's *undiagnosable* gratuitous network breakage, rather than just gratuitous network breakage.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 20:48 UTC (Thu) by dlang (subscriber, #313) [Link]

REJECT has its own problems, namely that forged source packets sent to you will cause your rejection to go to the forged IP. So by doing a REJECT instead of a DROP, you allow yourself to be used as part of a DDOS attack (never mind the extra bandwidth and processing power it eats up to do the REJECT instead of a DROP).

Security best practice is to do DROP instead of REJECT, both for this reason and also BECAUSE it gives no feedback to the attacker, so they can't easily tell what's going on.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 21:09 UTC (Thu) by raven667 (subscriber, #5198) [Link]

How much of an amplification is a REJECT compared to the incoming traffic anyway? ICMP dest-unreach is pretty small... In any event, for many security admins, the usability failure of DROP over REJECT is worse than any security risk of using REJECT instead of DROP. I've certainly made that conclusion myself.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 21:40 UTC (Thu) by dlang (subscriber, #313) [Link]

It's not an amplification of the attacker, but it does spread the inbound traffic so that the target has a harder time blocking it.

I tend to agree with you on the visibility issue, but I think it's a close call, with different answers for different people, and nowhere close to "there's a special place in hell reserved" for people who do this.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 27, 2012 9:39 UTC (Fri) by ekj (guest, #1524) [Link]

Well, when you REJECT, you risk becoming a DDOS mirror: someone will bounce their attack off you, which makes it hard for the victim to block.

My firewall will REJECT the first 100 disallowed packets coming from a given IP, but do it 101+ times, and all your packets that'd otherwise cause REJECT will cause DROP instead. (It's a leaky bucket of size 100 that leaks 1/minute.)
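ekj's policy above, written out as an added example (not ekj's own firewall configuration or any project's code): a per-source leaky bucket that answers the first `capacity` disallowed packets with REJECT and silently drops the rest, draining one unit a minute. The class name, the injectable clock and the sample events are assumptions made here, and the verdict strings stand in for the iptables targets.

```python
import time
from collections import defaultdict

REJECT, DROP = "REJECT", "DROP"


class RejectPolicy:
    """Per-source leaky bucket (hypothetical helper, not a real firewall API).

    Every disallowed packet adds one unit to the source's bucket; the bucket leaks
    `leak_per_minute` units per minute. While the bucket has room the packet gets an
    ICMP error back (REJECT); once it is full the packet is dropped without a reply,
    so a spoofed source can only make us reflect a bounded number of errors.
    """

    def __init__(self, capacity=100, leak_per_minute=1.0, clock=time.monotonic):
        self.capacity = capacity
        self.leak_per_second = leak_per_minute / 60.0
        self.clock = clock
        self._buckets = {}  # source address -> (fill level, timestamp of last packet)

    def verdict(self, source, now=None):
        """Return REJECT or DROP for one disallowed packet from `source`."""
        now = self.clock() if now is None else now
        level, last = self._buckets.get(source, (0.0, now))
        # Drain whatever leaked out since the previous packet from this source.
        level = max(0.0, level - (now - last) * self.leak_per_second)
        if level >= self.capacity:
            self._buckets[source] = (level, now)  # still full: keep dropping silently
            return DROP
        self._buckets[source] = (min(self.capacity, level + 1.0), now)
        return REJECT


def summarize(policy, events):
    """Feed (timestamp, source) events through `policy` in time order and count
    verdicts per source; useful for replaying a log of blocked packets."""
    counts = defaultdict(lambda: {REJECT: 0, DROP: 0})
    for ts, src in sorted(events):
        counts[src][policy.verdict(src, now=ts)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample: one noisy source sends 150 packets in a burst, another sends one.
    burst = [(0.0, "2001:db8::bad")] * 150 + [(0.0, "2001:db8::quiet")]
    print(summarize(RejectPolicy(), burst))
```

Replaying a real day of blocked packets through `summarize` shows how quickly a noisy source stops receiving ICMP errors; `leak_per_minute` is the knob that trades dwmw2's diagnosability against dlang's reflection concern.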

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 16:41 UTC (Fri) by iabervon (subscriber, #722) [Link]

If your printer supports IPv6 at all, it would presumably use its link-local address, meaning that the router simply won't route for it (and even if your home router did, your ISP's router wouldn't know how to get packets to it). IPv6 lets manufacturers assign permanent link-local IP addresses to devices, which makes it meaningfully easier to be a LAN-only device than an internet-visible device. Of course, the danger shifts to buggy console games getting hacked and attacking your printer within your LAN.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 16:53 UTC (Fri) by dlang (subscriber, #313) [Link]

And that means that you can't access your wired printer from your wireless network (as the link-local addresses won't route).

Somehow I don't think that link-local only is going to be the default.

Moscow common configuration will work

Posted Jan 20, 2012 17:06 UTC (Fri) by khim (subscriber, #9252) [Link]

Most WiFi routers bridge wired and wireless network thus local network addresses will work just fine.

Moscow common configuration will work

Posted Jan 21, 2012 16:49 UTC (Sat) by jch (guest, #51929) [Link]

> Most WiFi routers bridge wired and wireless network

Which has horrible consequences for performance -- just run a multicast session on your wired network and watch as the wireless gets congested.

Using link-local addresses is a horrible idea, since it will prevent routed home LANs in the future. Please don't do that.

--jch

Funny for you to say that...

Posted Jan 22, 2012 1:06 UTC (Sun) by khim (subscriber, #9252) [Link]

> Which has horrible consequences for performance -- just run a multicast session on your wired network and watch as the wireless gets congested.

Funny for you to say that: this is exactly how my home network is configured. Are you sure you are using Linux 2.6.34+ kernel on your router? IGMP snooping was added in this version and works very well indeed.

IGMP... how about MLD?

Posted Jan 22, 2012 3:03 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

Since this discussion is about IPv6, did they also implement snooping MLD packets (in IPv6 this feature was included into ICMP as MLD rather than getting a separate protocol ala IGMP in IPv4) ?

IPv6 is a much more comfortable place to be doing multicast, not least because the larger address range means you won't constantly trip over other people's address + port choices. Ethernet turns out to be able to handle billions of distinct multicast addresses, and the IPv6 Ethernet transport makes better use of this. So collisions (where two unrelated multicast streams both have to be sent across a link towards recipients who want only one of them, because the switch can't distinguish them without implementing most of a higher level protocol) are infrequent.

MLD was added later...

Posted Jan 22, 2012 15:02 UTC (Sun) by khim (subscriber, #9252) [Link]

Yes, both IGMP and MLD are supported. Kernel 2.6.34 supported only IGMP in IPv4; for MLD you need kernel 2.6.35+: here is the appropriate commit.

Funny for you to say that...

Posted Jan 23, 2012 12:49 UTC (Mon) by jch (guest, #51929) [Link]

> IGMP snooping was added in [Linux 2.6.34]

Interesting, thanks for the info.

Still, IGMP snooping really is a hack -- switches have no business looking at layer 3 packets --, and it prevents us from evolving the layer 3 protocols. I'd much rather people implemented the naturally efficient architecture (routing) rather than working around the inefficiencies of switching using this kind of hacks.

--jch

Thoughts from ivory tower?

Posted Jan 23, 2012 16:12 UTC (Mon) by khim (subscriber, #9252) [Link]

> I'd much rather people implemented the naturally efficient architecture (routing) rather than working around the inefficiencies of switching using this kind of hacks.

Sorry, but no. With IGMP snooping you can actually use multicast sessions over wireless (because only my notebook is involved but my phone and tablet are not overwhelmed by useless packets); without it it's hopeless. And if you need IGMP snooping anyway then a routing solution is not needed.

Besides logically it's one network (I sometimes connect my laptop using 1Gbit Ethernet and sometimes using much slower, but more convenient WiFi): either you use bridge and then you need to use hacks like IGMP snooping or you use routed networks and then you need hacks to translate some kinds of packets from one segment to another (to make sure your clients can find each other). In both cases you need hacks but bridge works faster (as was noted before).

Moscow common configuration will work

Posted Jan 22, 2012 10:26 UTC (Sun) by pkern (subscriber, #32883) [Link]

>> Most WiFi routers bridge wired and wireless network
> Which has horrible consequences for performance -- just run a multicast session on your wired network and watch as the wireless gets congested.

True enough for multicast. As for normal traffic I found that my OpenWRT consumer router with a fairly fast-ish CPU (680 MHz MIPS) only manages about half of the bandwidth (50-60 Mbit/s) when routing between wired and wireless compared to bridging the traffic (100 Mbit/s, the wifi being 11a/n). The bridging is done by the Linux kernel in software and deactivating ip(6)tables in the routing case doesn't really make a difference, as it basically just hits the state rule in the beginning of the rule set.

It's enough for me, as connecting by cable gives me gigabit, but given this bottleneck I understand why vendors configure it that way.

Moscow common configuration will work

Posted Jan 22, 2012 23:13 UTC (Sun) by dlang (subscriber, #313) [Link]

The overhead of doing connection tracking is very large. However this is not something that you can disable after the fact; you need to compile the kernel without the conntrack module to avoid this overhead.

Moscow common configuration will work

Posted Jan 23, 2012 12:51 UTC (Mon) by jch (guest, #51929) [Link]

> deactivating ip(6)tables in the routing case doesn't really make a difference, as it basically just hits the state rule in the beginning of the rule set.

That's your problem, you shouldn't be doing connection tracking for traffic between your LAN and your WLAN.

--jch

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 17:20 UTC (Fri) by paravoid (subscriber, #32869) [Link]

My printer is a 2-year-old HP Laserjet that does SLAAC out-of-the-box if there are router advertisements in the LAN.

Granted, it's not very easy to guess the printer's address, but of the 128 bits, you have 64 bits for the prefix (known from your computer's address, via e.g. HTTP logs), 16 bits known (ff:fe) for the EUI-48->64 conversion and 24 bits for HP's OUI, leaving 24 bits or ~16.7 million addresses (a bit hard with today's speeds but not impossible).
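paravoid's arithmetic, carried through in code as an added example (not code from the comment or from any vendor): build the modified EUI-64 interface identifier from a MAC, form the SLAAC address, recover the MAC from such an address, and count the bits an outsider still has to guess. The prefix and MAC below are constructed values, and only the standard-library `ipaddress` module is used. The `ff:fe` marker it looks for is also what an auditor can grep a host's addresses for: its presence means the host is advertising its MAC (and vendor OUI) instead of using privacy addresses.

```python
import ipaddress

# Constructed example values (not from the thread): a documentation /64 and a made-up
# MAC whose first three octets stand in for the vendor OUI.
EXAMPLE_PREFIX = "2001:db8:1234:5678::/64"
EXAMPLE_MAC = "00:1e:0b:12:34:56"


def eui64_interface_id(mac):
    """Modified EUI-64 identifier (RFC 4291 Appendix A) from a 48-bit MAC: split the
    MAC in the middle, insert ff:fe, and flip the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """The address a SLAAC host derives from a /64 router advertisement and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def is_eui64_derived(addr):
    """True when bytes 11-12 of the address are ff:fe, the fingerprint of a MAC-derived
    identifier; privacy (RFC 4941) addresses will not match."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def embedded_mac(addr):
    """Undo eui64_interface_id: strip ff:fe and flip the U/L bit back."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[11:13] != b"\xff\xfe":
        raise ValueError("address does not carry an EUI-64 identifier")
    first = packed[8] ^ 0x02
    octets = bytes([first]) + packed[9:11] + packed[13:16]
    return ":".join(f"{b:02x}" for b in octets)


def unknown_bits(prefix_known=True, oui_known=True):
    """Bits left to guess for an EUI-64 SLAAC address: 128 minus the 16 fixed ff:fe bits,
    minus the 64-bit prefix and 24-bit OUI when those are known."""
    bits = 128 - 16
    if prefix_known:
        bits -= 64
    if oui_known:
        bits -= 24
    return bits


if __name__ == "__main__":
    addr = slaac_address(EXAMPLE_PREFIX, EXAMPLE_MAC)
    print(addr, embedded_mac(addr), f"{2 ** unknown_bits():,} candidates")
```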

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 17:53 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Not really. I was surprised that my network printer actually supported IPv6 with SLAAC and DHCPv6.

The current recommendation for printers and other similar 'local' devices is to use ULA prefixes (or older site-local prefixes). They are not routed on the wide Internet, but can be routed inside a single organization.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 20:40 UTC (Fri) by raven667 (subscriber, #5198) [Link]

Even then, for example the new network printer I just set up did allow for an IP/mask access list of 8-10 IP ranges so has its own built-in firewalling apparently.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 11:53 UTC (Fri) by pkern (subscriber, #32883) [Link]

So you'd be replacing NAT (which is not a firewall, cf. the various types of NAT that allow traffic in from the outside) with a stateful firewall. And then we're back to square one in that you need application inspection to open up ports on the firewall, like you did for NAT. No easy end-to-end that IPv6 was meant to facilitate, and probably no real benefit from IPv6 either.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 12:36 UTC (Fri) by ebiederm (subscriber, #35028) [Link]

RFC6092 and RFC6204 specify the expected behaviors of ipv6 home routers.

A stateful firewall is recommended but it is a firewall with less onerous requirements than exist for IPv4 NAT.

In particular without NAT it should be possible for a UDP flow to continue even if the home router reboots. TCP flows still look for SYN packets to open the outgoing hole.

IPsec is specced not to be filtered at all.

TCP simultaneous open for peer to peer connections is required to be supported.

Hopefully we can find compliant equipment soon. Certainly it should make filing bug reports easier.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 15:05 UTC (Mon) by drag (subscriber, #31333) [Link]

> IPsec is specced not to be filtered at all.

That is how I have my firewall configured.

IPv6 is 'stateful' in the same manner as IPv4 NAT, but IPsec is transparent. To accomplish this you allow IP protocol 50 (ESP) and 51 (AH) across your firewall as well as UDP port 500 (needed for the IKE protocol). This allows me to take advantage of IPSEC in 'transport' mode (as opposed to IPSEC tunnels). With ESP, that automatically means that all IP traffic is not only authenticated, but fully encrypted between hosts on the internet.

Totally transparent and completely encrypted host-to-host communication is freaking awesome. No tunnels, no weird routing setups... it is just like it doesn't even exist once it gets setup. All TCP/UDP/ICMP/etc is completely authenticated (and optionally integrity is protected and privacy is protected). Totally transparent and completely automatic.

IPSEC transport is very luxurious, provided you can get past the messy IKE stuff.
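niner's "two ip6tables rules" and paravoid's warning that a missing rule fails silently (nothing stops working, the printer just becomes reachable) argue for checking a router's ruleset rather than trusting it; drag's IPsec pass-through (ESP, AH and UDP/500 for IKE) is the other thing ebiederm's RFC 6092-style router is expected to leave open. The following is an added example, not code from any commenter or project: it audits an `ip6tables-save` dump for both. The two dumps are constructed, and the parser understands only the small subset of syntax they use.

```python
import shlex

# Constructed ip6tables-save dumps for a hypothetical home router (not from the thread).
OPEN_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -p esp -j ACCEPT
-A FORWARD -p ah -j ACCEPT
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

MATCH_FLAGS = {"-p", "--protocol", "-s", "--source", "-d", "--destination", "-i", "-o", "-m", "--match"}
PROTO_NUMBERS = {"esp": 50, "ah": 51, "ipv6-icmp": 58, "icmpv6": 58, "udp": 17, "tcp": 6}


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table: chain -> default policy, and one
    dict per -A line with the fields the audit needs."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1], "proto": None, "dport": None, "state": None,
                    "target": None, "matches": set()}
            for i in range(2, len(toks)):
                tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
                if tok in MATCH_FLAGS:
                    rule["matches"].add(tok)  # any match flag means the rule is conditional
                if tok in ("-p", "--protocol"):
                    rule["proto"] = nxt
                elif tok in ("-j", "--jump"):
                    rule["target"] = nxt
                elif tok in ("--dport", "--destination-port"):
                    rule["dport"] = nxt
                elif tok in ("--state", "--ctstate"):
                    rule["state"] = nxt.upper()
            rules.append(rule)
    return policies, rules


def _proto_number(name):
    if name is None:
        return None
    return PROTO_NUMBERS.get(name.lower(), int(name) if name.isdigit() else name)


def _forward_accepts(rules, proto, dport=None):
    want = _proto_number(proto)
    return any(r["chain"] == "FORWARD" and r["target"] == "ACCEPT"
               and _proto_number(r["proto"]) == want
               and (dport is None or r["dport"] == dport) for r in rules)


def audit_forward_chain(dump):
    """List the problems a home-router FORWARD chain has against the thread's expectations."""
    policies, rules = parse_filter_table(dump)
    fwd = [r for r in rules if r["chain"] == "FORWARD"]
    findings = []
    last_is_catch_all = bool(fwd) and not fwd[-1]["matches"] and fwd[-1]["target"] in ("DROP", "REJECT")
    if policies.get("FORWARD", "ACCEPT") == "ACCEPT" and not last_is_catch_all:
        findings.append("FORWARD is wide open: policy ACCEPT and no final DROP/REJECT rule, "
                        "so every LAN host with a global address is reachable from the Internet")
    if not any(r["target"] == "ACCEPT" and r["state"] and "ESTABLISHED" in r["state"] for r in fwd):
        findings.append("no RELATED,ESTABLISHED accept in FORWARD: replies to outbound "
                        "connections will be blocked once forwarding is closed")
    if not _forward_accepts(fwd, "ipv6-icmp"):
        findings.append("ICMPv6 is not accepted in FORWARD: Path MTU discovery and other ICMPv6 signalling will break")
    for name, label in (("esp", "ESP (IP protocol 50)"), ("ah", "AH (IP protocol 51)")):
        if not _forward_accepts(fwd, name):
            findings.append(f"{label} is not passed through: IPsec transport mode across the router will fail")
    if not _forward_accepts(fwd, "udp", dport="500"):
        findings.append("UDP/500 (IKE) is not passed through: IPsec key exchange across the router will fail")
    return findings


if __name__ == "__main__":
    for name, dump in (("open", OPEN_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit_forward_chain(dump) or "OK")
```

On a real router, feed it `ip6tables-save` output; the hardened dump ends with an explicit REJECT so blocked connections fail fast (dwmw2's point) while the DROP policy remains as a backstop.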

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 15:13 UTC (Mon) by pkern (subscriber, #32883) [Link]

Indeed it's very transparent. Is there a way for the application to know that the traffic was actually encrypted by IPsec? Of course you can just configure the IPsec stack to only allow encrypted transmissions between two hosts, but if the stack doesn't load properly some safeguard in applications would be nice.

In related notes: Is key exchange with foreign parties (i.e. not hosts controlled by myself) spec'ed in any way?

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 15:07 UTC (Mon) by drag (subscriber, #31333) [Link]

> Hopefully we can find compliant equipment soon. Certainly it should make filing bug reports easier.

You can have IPv6 today if you feel like it. Just buy a router that is supported by OpenWRT and set up IPv6 with a tunnel broker service.

There are a few ways to get IPv6 besides that. If you can have UDP (even if it's over a NAT and not transparent) then you can have IPv6 today with trivial effort.

VERY TRIVIAL.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 21, 2012 13:17 UTC (Sat) by rvfh (subscriber, #31018) [Link]

Unfortunately, Free Telecom's latest box with latest firmware does not seem to block anything, as reported by an on-line port scanner.

Will disable for now :-(

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 9:53 UTC (Fri) by saloxin (guest, #2377) [Link]

Your machines will have world-routable IPv6 addresses, but your IPv6 firewall should filter unwanted traffic.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 10:38 UTC (Fri) by robert_s (subscriber, #42402) [Link]

"Does not IPv6 mean that all my machines currently hidden behind my IPv4 router suddenly become visible on the whole internet?"

That's the idea, but we're yet to see whether ISPs "get it" or whether they just give us one IPv6 address and continue to expect us to use some sort of NAT. Or start charging us per address.

And as others point out there shouldn't be any security worries as long as your router's firewall is doing its job.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 17:34 UTC (Fri) by lordsutch (guest, #53) [Link]

Comcast's initial dual stack deployment is giving only one IPv6 address, but they're explicitly not supporting anything other than one PC connected directly to a DOCSIS 3.0 cable modem at this stage.

If you use 6to4 with Comcast (which sorta-kinda works now but probably will go away as the pilot rolls out, since Comcast's long-term strategy is dual-stack) you get a big chunk of addresses - either a /64 or /48, can't remember which; I ended up disabling it because things were too flaky on my DIR-825 (I'd have IPv6 for a while, and then it'd just stop working until I kicked the router), and haven't really tried again with the WNDR3700 I replaced it with.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 21:05 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

6to4 always gives you a /48. The 48 bits are constructed from a well-known 16-bit prefix, hexadecimal 2002 followed by the 32 bits of your IPv4 address. This allows any other node with working IPv4 connectivity to know how to forward the 6to4 packets to you over the IPv4 internet.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 18:49 UTC (Fri) by jeleinweber (subscriber, #8326) [Link]

IPv6 regains the end-to-end transparency that we lost with the introduction of NAT in 1994, but that doesn't mean you have to expose everything. Most high value stuff now is hiding behind:

non-routable addresses <-> application proxy <-> stateful firewall

and you can use that architecture with v6 just as well as with v4, only minus the NAT.

However, it's currently a bad idea to mix private v6 ("unique local addresses", fc00::/7 prefix) and global public v6 (2000::/3 prefix) on the same host. Stick to just one or the other.

The bonus side of end-to-end transparency is that you don't have 500 million NAT devices standing in the way of protocol innovation and multicast. We might stave off the next congestion collapse yet ...
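tialaramex's 6to4 construction (2002: followed by the 32 IPv4 bits, giving a /48) and jeleinweber's advice about keeping ULA (fc00::/7) and global (2000::/3) addresses apart, worked through in code as an added example that is not from either comment. It goes a little beyond the two posts by classifying the other well-known ranges mentioned in the thread (link-local, 6to4). The IPv4 address is a constructed documentation value; only the standard-library `ipaddress` module is used.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample value (not from the thread).
EXAMPLE_PUBLIC_V4 = "192.0.2.1"


def six_to_four_prefix(ipv4):
    """The /48 that 6to4 (RFC 3056) hands a public IPv4 address: the well-known 16-bit
    prefix 0x2002 followed by the 32 bits of the IPv4 address, then 80 zero bits."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in RFC1918):
        raise ValueError("6to4 needs a public IPv4 address, not an RFC 1918 one")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6):
    """Reverse direction: pull the IPv4 endpoint back out of a 6to4 address. This is
    what lets any IPv4-connected node know where to tunnel the packet."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTOFOUR:
        raise ValueError("not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def scope(ipv6):
    """Classify an address by the well-known ranges discussed in the thread."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 in SIXTOFOUR:  # 2002::/16 lies inside 2000::/3, so test it first
        return "6to4"
    if v6 in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if v6 in ipaddress.IPv6Network("fc00::/7"):  # unique local: not routed on the Internet
        return "ula"
    if v6 in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"


def mixes_ula_and_global(addresses):
    """jeleinweber's caveat as a check: does one host carry both a ULA and a
    globally routable (native or 6to4) address?"""
    scopes = {scope(a) for a in addresses}
    return "ula" in scopes and bool(scopes & {"global", "6to4"})


if __name__ == "__main__":
    prefix = six_to_four_prefix(EXAMPLE_PUBLIC_V4)
    print(prefix, embedded_ipv4(prefix.network_address))
    print(mixes_ula_and_global(["fd12:3456::1", "2001:db8::1"]))
```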

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 19:05 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Mixing ULA and global addresses actually works pretty OK. Just make sure that your Internet gateway announces only the global prefix.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 21, 2012 3:33 UTC (Sat) by foom (subscriber, #14868) [Link]

Well, there's not actually end-to-end transparency while you have that stateful firewall box sitting in the middle there...and since every home network is likely to have a stateful firewall that blocks everything by default, there's really no improvement in terms of what application protocol developers can expect to see in the real world.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 3:40 UTC (Mon) by Lukehasnoname (guest, #65152) [Link]

Could one not use stateful bridging firewalls?

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 14:51 UTC (Mon) by drag (subscriber, #31333) [Link]

> Does not IPv6 mean that all my machines currently hidden behind my IPv4 router suddenly become visible on the whole internet? That's how I understood it, which would mean party-time for hackers.

That is assuming that your IPv4 hosts are actually 'hidden' because they are on a privately addressed network segment. Which they are not. Not any more than they would be behind a perfectly fine and simple IPv6 firewall.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 13:37 UTC (Fri) by arekm (subscriber, #4846) [Link]

kernel.org should join, too! ;)

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 17:18 UTC (Thu) by justincormack (subscriber, #70439) [Link]

The Ubuntu mirrors mostly seem to have IPv6 support, but I don't think I use a lot of other IPv6 traffic generally. Hoping this will change in June or before.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 22:36 UTC (Mon) by PaulWay (subscriber, #45600) [Link]

The Linux Conference Australia has been running dual-stack conferences for years - since 2009 at least in my direct experience. There might be a few problems here and there but for the most part *everything just works*. It self-configures, sites load correctly, traffic routes correctly, and nothing fails for the vast majority of people. As a proof that we're ready for full IPv6 deployment, I think that's one of the better ones.

Have fun,

Paul


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds