IPv6 Adoption Grows by 1,900%, Says Internet Census

[exfileme]

We may not reach the Dead End on the Internet after all if Go Daddy continues to push IPv6 like a mad salesman.

IPv6 Adoption Grows by 1,900%, Says Internet Census : Read more

 

[memadmax]

I just wish that IPv6 was more user-friendly.
IPv4 was pretty good in terms of human understanding, if you knew what the groupings stood for.

 

[Stardude82]

Go Daddy is the biggest internet registrar by far. I think it's like half the market. It should be able single candidly force IPv6 adoption.

 

[LuckyDucky7]

One question: Why are we promoting such a flawed system?

There's a couple reasons why people haven't adopted IPv6 and why we should really just be pushing for a better standard.
The people who made IPv6 have refused time and time again to change the protocol- which is flawed for the following reasons:

-No NAT and different networking
Consider every computer having a unique IP address. With the advent of IPv6, this is now possible.

Now, let's think about the implications for security here. Sure, there aren't any NAT concerns to worry about, but the computers in any area are at the mercy not of a company's numbering system but of a system outside of their control.

You can't "wall off" a section of IP addresses like you could in IPv4- for private use this was great, as you could guarantee that any computer inside your network would get a uniform address. But IPv6 changes that.

And what if you want to bring a device into the network with a different hardware set? Its IP address will be completely different than the ones your network uses itself.

Now that that's gone, it's impossible to communicate easily with specific machines on your own network and your neatly organized network becomes one big cluster****. IT nightmare.

-Too-complex numbering system
IPv4 has human-memorizable addresses. IPv6, stupidly, does not. 12 numbers were enough to memorize (especially since the first few were usually common). But 128 numbers and letters is just too much. Even if the first 78 are zeros, that's still a large address to chew on.

64 bits is enough. Even 48 will be fine for the forseeable future (just look at MAC addresses). Just double the size of the address (or make it so that the current IPv4 naming convention is followed but double the size of the registrar- so the highest you'd get is 511.511.511.511. Or something like that).

-Privacy
Know why China's been a forefront adopter of IPv6? Because here's the secret: all IPv6 addresses are tied to the computer's MAC address. Which, as you know, is unique.

So now, a malefactor would be easily able to pick out what machines do which things. So if you want to track down someone questioning human rights in your country, you can "van" people with greater efficiency than before.

SOPA/E-Parasite would just be the beginning if this were to gain widespread adoption. Why? Because you can't tie an IP address to a person but you CAN tie a device to a person.


With these concerns in mind, can't we just build a better protocol? One that guarantees the ease of use and openness that the Internet today currently enjoys?

 

[amk-aka-Phantom]

I'm totally NOT looking forward to this... the addresses are SUCH a pain in the a$$ to remember as compared to IPv4!

 

[Ragnar-Kon]

I've had my IP address, as well as other IP addresses memorized for years now. Sadly, I'm pretty sure I know more IP addresses than phone numbers.

I need a new challenge. Bring on the IPv6!

 

[Ragnar-Kon]

[citation][nom]Ragnar-Kon[/nom]I've had my IP address, as well as other IP addresses memorized for years now. Sadly, I'm pretty sure I know more IP addresses than phone numbers.I need a new challenge. Bring on the IPv6![/citation]
Having said that, the systems admin side of me sees many future problems that I am not looking forward to solving. Might as well set up a bed in my server room when the switch-over happens.

 

[Thunderfox]

Someone will develop a way to hide an IPv6 LAN behind a single address, both for security and privacy reasons. Whether such things become commercial products depends on whether the average person ever understands enough about the problems the new protocol presents.

Also, Go-Daddy is a stupid as hell name for a registrar. I cannot take them seriously as a technology company with that name and their dumb logo, and Danica Patrick slutting it up for no good reason in all their lame as hell ads.

 

[tanjo]

@LuckyDucky7: The 255 limit on is based on a byte or "FF" in hexadecimal.
1 hex = 1 byte = 8 bits so 64 bits(IPv4) = 8 bytes = 4 pairs of hex. 128 bits(IPv6) = 16 bytes = 8 pairs of hex.
Just double the length if an IPv4 address and you'll get IPv6 which is composed of 8 pairs of hexadecimals separated by colons instead of a dot. It's really just like MAC address only for IPs.
The possible number of combinations said above is just the equivalent of hexadecimal FFFFFFFF (+1 for all zeros address).

 

[chad1011]

@LuckyDucky7: Most of what you stated is incorrect.

Can't assign address - A company or individual can still assign addresses statically or by DHCPv6. This how you can have cute addresses like Facebook: 2620:0:1cfe:face:b00c::3. You can even use autoconfiguration to get a random address in your network block automatically by enabling privacy extension to your device. As for your network turning into a jumbled mess of address, you can still subdivide your address block anyway you see fit. This way you can have your servers on one network, clients on another, monitoring on another, etc...

128bits is too much - They went with 128 so as not to repeat what they did with IPv4. As you said, the network part of the address stays the same so all you have to remember is the host part. Make it easy xxxx:xxxx:xxxx::1, ::2, ::3, ::4. If your network is too large to remember all those addresses, use a local DNS server. Just doubling the size of the address space will not fix the problem. You still break the current IPv4 implantation and address use is growing exponentially. That mean that twice as many addresses will last half as long and we have to revisit this problem again in the near future.

Privacy - do you realize how big a normal address block (a /64) that is assigned to a user is? Please try and find my HTPC and laptops in my /64: 2001:470:36:34c::/64. Have fun portscanning 18,446,744,073,709,551,616 addresses. It would take you 5.84554531 × 10^6 centuries if you scanned 1,000 addresses a second. I am pretty sure my router would ban your ip after the first second or two. Use more computers and it just becomes a DDOS attack. It is not like hiding a needle in a haystack but hiding a needle in the middle of the ocean.

No NAT - To me this is a good thing. The Internet was designed to allow any node to directly connect to any other node on the Internet. The lack of IPv4 address necessitated a kludge know as NAT in order to allow for expansion till a new system could be found.

Security - EVERY computer should have a firewall. Even on an IPv4 network. Nothing changes except that the target is a little harder to find in an IPv6 address space.

Wikipedia has a great piece on IPv6 at http://en.wikipedia.org/wiki/IPv6. Think many of your concerns would be put to rest if you read it.

 

[chad1011]

@tanjo: IPv4 is 32 bit not 64 bit. 255.255.255.255 is equal to FFFF:FFFF (FF FF : FF FF). An IPv6 address is FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF or 255.255.255.255.255.255.255.255.255.255.255.255.255.255.255.255 if written in decimal like IPv4. Think of it this way. IPv4 is 32 1s and 0s and IPv6 is 128 1s and 0s per address.

 

[tanjo]

^^ Oh right, sorry I'm wrong 😛. I got my hex numbers wrong. 1byte = two hexes * 16 = 32 hexes (8 * 2 pair groups) and 32 bits = 4 bytes = 8 hexes (4 pairs).

On a side note, there'll be no shortage in IPs. We can all have static IPs and assign them to hostnames so no need to remember long numbers.

On the privacy part, maybe use NAT64 and use IPv4 locally 😀

 

[palladin9479]

Chad,

It's reasoning like yours that caused IPv6 to be extremely slow to be adopted.

Privacy - do you realize how big a normal address block (a /64) that is assigned to a user is? Please try and find my HTPC and laptops in my /64: 2001:470:36:34c::/64. Have fun portscanning 18,446,744,073,709,551,616 addresses. It would take you 5.84554531 × 10^6 centuries if you scanned 1,000 addresses a second. I am pretty sure my router would ban your ip after the first second or two. Use more computers and it just becomes a DDOS attack. It is not like hiding a needle in a haystack but hiding a needle in the middle of the ocean.


No NAT - To me this is a good thing. The Internet was designed to allow any node to directly connect to any other node on the Internet. The lack of IPv4 address necessitated a kludge know as NAT in order to allow for expansion till a new system could be found.


Security - EVERY computer should have a firewall. Even on an IPv4 network. Nothing changes except that the target is a little harder to find in an IPv6 address space.

Absolutely no need to scan your IP range, just wait for your client to send a packet and I already have your IPv6 address. You do enough communication that obtaining this address is trivial if I was a nefarious bad guy and setup a honeypot. Plus it's not the bad guys who will be counting your hosts, its your ISP hoping to tap a new "revenue source". Current IPv4 NAT mechanism makes it impossible for your ISP to know how many PCs, consoles and phones your using.

No NAT - VERY VERY BAD IDEA. NAT wasn't created by an industry task force or engineering group, it was originally created as a layer 3 network proxy by a guy in a basement. He wanted to connect multiple systems to the internet through a single phone line. The technique passed on from person to person until it morphed into the Network Address Port Translation that we use now. It become a standard not because it was desired, not because some industrial group wanted it to. The very purpose of NAT is to hide a private network from a non-private network, the extra IP address's was a bonus. There still is a requirement as is obvious by the sheer number of people asking for it.

FW, every computer does have a FW, but home users are not security experts. Not only that, but IPv6 devices are in a exclusive deny mode "allow all unless exclusively denied" by default. This provides nearly no protection at all, every user is at the mercy of whatever internet bad guy happens to know their IP address. IPv4 NAT provided a security layer through two methods, first being obscuring the local infrastructure, second being restricting the target silhouette. The attack has to penetrate a hardened linux / unix FW device with minimal services running that isn't accepting any unknown packets (client must initiate connection). This is vs the attacker penetrating a Windows OS from an OEM, who ships it with services turned on that shouldn't be, that is accepting connections from anywhere in the world.

Wishful thinking does not solve what is a very real security threat to consumers. Enterprise entities can easily afford a SPI firewall and the security personal to configure and maintain it, home users not so much.

 

[palladin9479]

Ok forums are broke, posting in the forums area does not have the post appear here. It ate three of mine that way.

To my above post, China use's IPv6 to track their citizens and register every device in a government registry. They then profile their citizens internet usages and use that to discern people who are likely to be problems.

And amazingly enough .... someone already has created NAPT66.

http://code.google.com/p/napt66/

Linux kernel module with source code. Use's the netfilter framework and works like a charm.

You can't engineer away a valid customer need.

 

[palladin9479]

Ohh and your MAC is used for the random IP configuration. It's how it prevents two hosts from obtaining the same IP, your MAC will always be part of your world wide unique address.

 

[aaron88_7]

^^Almost all modern home routers have stateful packet inspection (SPI) incorporated. Check the documentation for your home router, it almost certainly does have this feature. Enterprise firewalls usually have additional features home users don't need and are made of far better quality, which is why they are expensive. As far as the firewall side of things they basically work the same, one just can handle a lot more traffic than the other.

 

[palladin9479]

@aaron88_7 ,

Not really, they have a very cheap / dirty method. All they do is compare it to a known list of attack patterns, if something hits positive they dump the packet. This list is rather small and only protects you from yesterday's attack.

I know this, I've built my own home FW device and the attack database off snort is much larger then the available FW space in a typical home router. Most home routers aren't even running snort, just a very simple packet inspector.

Enterprise grade FW's also do pattern and trend analysis to determine if an attack is underway that might not be in the heuristics database. Consumer FW's can't do this.

 

[hetneo]

[citation][nom]LuckyDucky7[/nom]One question: Why are we promoting such a flawed system?There's a couple reasons why people haven't adopted IPv6 and why we should really just be pushing for a better standard. The people who made IPv6 have refused time and time again to change the protocol- which is flawed for the following reasons: -No NAT and different networkingConsider every computer having a unique IP address. With the advent of IPv6, this is now possible.Now, let's think about the implications for security here. Sure, there aren't any NAT concerns to worry about, but the computers in any area are at the mercy not of a company's numbering system but of a system outside of their control. You can't "wall off" a section of IP addresses like you could in IPv4- for private use this was great, as you could guarantee that any computer inside your network would get a uniform address. But IPv6 changes that.And what if you want to bring a device into the network with a different hardware set? Its IP address will be completely different than the ones your network uses itself.Now that that's gone, it's impossible to communicate easily with specific machines on your own network and your neatly organized network becomes one big cluster****. IT nightmare.-Too-complex numbering systemIPv4 has human-memorizable addresses. IPv6, stupidly, does not. 12 numbers were enough to memorize (especially since the first few were usually common). But 128 numbers and letters is just too much. Even if the first 78 are zeros, that's still a large address to chew on.64 bits is enough. Even 48 will be fine for the forseeable future (just look at MAC addresses). Just double the size of the address (or make it so that the current IPv4 naming convention is followed but double the size of the registrar- so the highest you'd get is 511.511.511.511. Or something like that).-PrivacyKnow why China's been a forefront adopter of IPv6? Because here's the secret: all IPv6 addresses are tied to the computer's MAC address. Which, as you know, is unique.So now, a malefactor would be easily able to pick out what machines do which things. So if you want to track down someone questioning human rights in your country, you can "van" people with greater efficiency than before.SOPA/E-Parasite would just be the beginning if this were to gain widespread adoption. Why? Because you can't tie an IP address to a person but you CAN tie a device to a person.With these concerns in mind, can't we just build a better protocol? One that guarantees the ease of use and openness that the Internet today currently enjoys?[/citation]
Private IP segments are not really private, but virtual. And you can't tie device ti person, not legally anyway.

 

[ojas]

Getting hard to know who knows what in the comments section, guess i'll have to read up on it myself...

However i do know from a book (Computer Networks, Andrew S. Tanenbaum) that NAT was against the openness of the internet and made it easier for ISPs to control and organize their networks. It also lowered the redundancy of the Internet, since now there were these few main nodes, which, if taken out, would cut of lower hierarchical branches.

Having said that, i agree that it makes sense on the security front.

 

[Guest]

I don't think IPv6 was ever intended to solve China's civil rights problems, improve home user's security holes or facilitate covert use of home internet connections. I think you're putting too much expectation on IPv6 to solve problems that are not within it's mission statement.