Will Vista Overload the DNS?

Jamie Northern writes, "Thanks to new directory software, Windows Vista could put a greater load on Internet DNS servers. But experts disagree over whether we're headed for a prime-time traffic jam or an insignificant slowdown. Paul Mockapetris,inventor of DNS, believes Vista's introduction will cause a surge in DNS traffic because the operating system supports two versions of the Internet Protocol (IPv4 and IPv6). David Ulevitch, chief executive at OpenDNS, a provider of free DNS services, said Vista's use of IPv6 will not disrupt the Internet at large. 'DNS can be improved, but predicting its collapse is just spreading FUD.'"

But without FUD...

[arthurpaliden]

There would be no news....

Re:

[diersing]

OK Mr. Smarty Pants, take all the FUD out of the news and then what? Huh? There'd be nothing for us to post on, and then what? Huh? Work? Are you freaking serious?

Although I must concede your point and would have modded it up if it wasn't already a +5.

Re:

[interval1066]

Less news than the Y2K issue, if anyone remembers that. With probably about the same amount of impact. I'm not Mockapetris, but I do a lot of DNS configuring and client programming, and my hunch is that; as hideous as any M$ product is to me, the impact of Vista's DNS/Bind client impl will not even be noticable.

Re:

[Mister Whirly]

Yep, time to buy portable generators, bottled water, and 50,000 rounds of ammunition in sealed drums. Oh wait, I guess all that stuff is still in my Y2K bomb shelter, I'm set!

Re:But without FUD...

[bcattwoo]

It is considered insightful to remark that you consider someone else's comment insightful? Without even expounding the slightest on how it was so?

If that is the case, I must say that your pointing out the insightfulness of the GP was in itself quite insightful.

Please mod me up.

Re:

[tolkienfan]

Maybe he was refering to his own post.
Plus I disagree. This is the most insightful comment.

one solution comes to mind

[Tjebbe]

just friggin deploy ipv6

Re:

[hpavc]

So what if Vista supports ipv4 and ipv6, that doesn't mean its going to have ipv6 flipped on. Didn't win98 support ipv6 with some sort of install from MS to network control panel?

Windows IPv6 support

[shani]

If memory serves, Microsoft had an IPv6 stack for Windows 2000 that you could download from Microsoft's research site. In XP, IPv6 is included, but is disabled by default. A single command enables it. My understanding is that in Vista, IPv6 will be enabled by default.

Honestly, we're going to run out of new IPv4 addresses to hand out in a few years. We need IPv6, and I think Microsoft would be foolish not to enable it by default in Vista.

Re:

[A5un]

Yes, you can install IPv6 stack for WinXP with a single command. However, the stack does not support DNS query in IPv6 (not AAAA query via IPv4), which kind of destroy the hope of deploying pure IPv6 network.

Re:

[shani]

However, the stack does not support DNS query in IPv6 (not AAAA query via IPv4), which kind of destroy the hope of deploying pure IPv6 network.

You don't need a "pure IPv6 network".

You can give private IP addresses [faqs.org] (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to users' computers for talking with your recursive DNS servers.

They can use IPv4 to talk to your DNS server, and IPv6 to talk to the Internet (or anyplace else they need a globally unique IP address).

Of course, you'd need to use non-Microsoft software o

Re:Windows IPv6 support

[TubeSteak]

we're going to run out of new IPv4 addresses to hand out in a few years.

I agree with you that it'll happen in the long term.

BUT, in the short term, (w/c)ouldn't the shortage be helped by redistributing some of the address floating around unused on Class A & B networks?

It's funny, because some of the arguments made by Class A holders against giving back their block, is that they don't want to spend the time & money and/or go through the hassle of renumbering their networks if the arrival of IPv6 is going to moot the issue.

And of course, nobody wants to spend the money to implement IPv6 unless they have to.

Re:Windows IPv6 support

[TDRighteo]

What you're missing is that the cost of that static address is administration (and pure profit), not rarity. Dynamic IPs on ADSL don't save ISPs all that much IP space. Most people have always-on routers these days, not USB modems, so 80%+ users are always connected. Your dynamic IP isn't NATed, so you might be using up as much as a 1/5th of an IP by buying a static one. Big deal, when that same IP could have been used up by somebody on a cheap entry-level plan that costs only slightly more than your $20/month.

The problem comes with ADSL is that you have to have the IPs to be in the game. You need static IPs for everybody (not because you couldn't NAT, but because users expect a REAL IP) which means a /16 only buys you about 65024 customers. (Some networks don't like you handing out IPs that look like broadcast or network addresses in a /24, so you'd be lucky to use the full 65536 IPs.)

So, even with migration from dialup, usage is going up, and if current trends continue then IP space is going to get rather tight from all the ADSL users.

IPv4 space exhaustion

[shani]

Why yes, Geoff Huston has analyzed the problem pretty thoroughly:

http://www.potaroo.net/tools/ipv4/ [potaroo.net]

So, we're looking at just under 6 years.

BTW, Geoff Huston is a guru.

Re:

[gkhan1]

XP does ipv6 perfectly, you just have to turn it on (WinKey+R -> "cmd" -> "ipv6 install"). If Vista just "had it", there would be no difference, would there? No, Vista will support ipv6 natively and it will by default be turned on.

Re:one solution comes to mind

[Martin Blank]

IPv6 is going to be forced along by the US Dept of Defense, which is pushing to get its networks on IPv6 within the next couple of years. This will cause much of the rest of the federal government to do the same starting with those agencies that work most closely with the military (such as DHS), which in turn have close working relationships with other agencies and will drag them along. States will be pulled into it as a result of their ties with the federal government, and then local governments will be forced to come along for the ride eventually. With all of these ties in place, more ISPs will start directly supporting IPv6.

Incidentally, IPv6 support has only just been added to the DOCSIS standards with the release of 3.0. However, even by 2011, barely more than half of the nationwide cablemodem infrastructure will be DOCSIS 3.0-compliant under current estimates, and that doesn't mean that the cablemodems themselves will be compliant, as DOCSIS 3.0 is backwards-compatible. I'd go for it now if I could, but somehow I suspect that Time-Warner isn't going to have things ready next month.

Why any different than Linux or MacOS X?

[Midnight Thunder]

Linux and MacOS X are both capable of having both IPv6 and IPv4 stacks, and in many cases this is active by default. Why would Vista cause any more problems?

If you have a good setup then you will have a lookup cache on your local machine storing both IPv6 and IPv4 addresses for each site. Therefore only one lookup should need to be done.

Re:

[rob1980]

Why would Vista cause any more problems?

Because Vista is going to be used by about a couple hundred million more people than Linux/OSX. Even if there is no real threat, it's worth it just to investigate and make sure.

Re:

[Midnight Thunder]

Because Vista is going to be used by about a couple hundred million more people than Linux/OSX. Even if there is no real threat, it's worth it just to investigate and make sure.

Maybe I should ask the question differently: why would there be any more requests than there are now with Windows? After all a single DNS lookup should easily get the AAAA and A address in one shot, unless I am misunderstanding the protocol.

Re:Why any different than Linux or MacOS X?

[kickdown]

> why would there be any more requests than there are now with Windows? After all a single DNS lookup should easily get the AAAA and A address in one shot, unless I am misunderstanding the protocol.

I think you are: you can only request one record type at a time. So you ask either A or AAAA; and given that the rule of thumb is to prefer IPv6 if present, first goes your AAAA and then your A question.
What you _could_ do is ask for the type ANY, which will make the server return everything it happens to know. But then you have no guarantee the info is exhaustive: the server will only give back those records that it already has in its cache; it will not ask the authoritative name server. So then you might miss something.

What generates a lot more DNS traffic than AAAA records is the fact that the world has forgotten that URLs terminate with a trailing dot. If you leave it out, it's a _relative_ URL and the resolver on your machine has to trial-and-error if you perhaps meant it with a dot.

Example: you type www.foo.com in your browser. Your resolver is configured to append bar.org. to relative URLs. Then you'll generate a completely useless request for www.foo.com.bar.org. just to find out it doesn't exist, and then guess the domain www.foo.com. is meant. That depends on your search order and cleverness of your resolver of course, you might as well be lucky and it works out.

Re:

[EnderGT]

First of all, you can request more than one record at a time - the specification explicitly allows for more than one Question in the message. Second, the server will frequently return other records that it thinks will be helpful or will be requested shortly. For example, if the original request maps to a CNAME, the mapping could be followed and the correct A record returned (this is called additional section processing). In fact, the AAAA spec requires that queries that trigger additional section processing

Re:

[Tweekster]

A couple hundred million more? You act as if suddenly everyone with XP will instantly have Vista. It will take years to replace even half the machines running XP.

Re:

[Danga]

You act as if suddenly everyone with XP will instantly have Vista. It will take years to replace even half the machines running XP.

The OP never said it wouldn't take years either, he said "Because Vista is going to be used by about a couple hundred million more people than Linux/OSX."

I don't know if his figure of 100's of millions will ever surface, but definitely 10's of millions is feasable.

Re:

[Tweekster]

Well there are already 10's of millions of Linux and MacOSX machines 10's of millions of each.

Re:

[Danga]

There are also already 100's of millions of Windows users, so what is your point?

Re:

[azuretek]

I'm pretty sure that was his point, there are 100s of millions of users with ipv6 already and it's not causing issues.

Re:

[Danga]

No, that was not his point. He responded to me after I responded to his comment: You act as if suddenly everyone with XP will instantly have Vista. It will take years to replace even half the machines running XP."

So the issue we were talking about was not about the current amount of ipv6 users, it was how many and how fast people will switch over to Vista.

Re:

[Ryan Amos]

It will take corporate customers 3 to 5 years to make the transition. Many companies have just recently phased out all their Windows 2000 boxes.

Re:

[rabbit994]

Most Corporate networks will run their own DNS servers and cache results so the increase in traffic will happen but it won't be the disaster the article is predicting. DNS packets are pretty small.

Re:

[DingerX]

Maybe because nobody believes that a major portion of the PCs connected to the internet next year will suddenly start running MacOS X or Linux?

Nor does anyone believe, for that matter, that many PCs currently running Linux or MacOS will be "upgraded" to Vista.

Re:Why any different than Linux or MacOS X?

[Antique Geekmeister]

Linux and MacOS tend to be a lot saner about caching behavior, and are often properly configured with a local caching DNS server in more sane setups than the millions of Vista machines expected to be built when Vista is finally released. And as corporate environments switch hundreds or thousands of updated or new machines to Vista, the load on upstream DNS servers, especially the root servers, can be expected to climb quite drastically at some very odd times.

The DNS for Microsoft itself is one of the most vulnerable possibilities: if that goes down for an hour or so, as all the Internet Explorer servers and mis-programmed default Internet Explorer search settings hit microsoft.com for their default web page, those servers are going to take very large loads. And spreading out the load for such hits on the root servers for .com is not a small task: they may have to get services from Akamai to survive the hits.

I'm sure that Microsoft also *hates* having to use Akamai servers for anything, due to Akamai's understandable reliance on Linux for core services.

Re:

[Tim C]

are often properly configured with a local caching DNS server

I don't know about Vista, but one of the services that runs by default in XP is the "DNS Client" service. This is actually rather poorly named, as it is in fact a DNS caching service.

So, while I can't speak for Vista, XP definitely ships with a DNS caching service enabled by default in both Home and Pro; I can't imagine that Vista would be any different.

Re:

[MrWa]

Linux and MacOS X are both capable of having both IPv6 and IPv4 stacks, and in many cases this is active by default. Why would Vista cause any more problems?

How many Linux and MacOS X installations are currently active? What is market share of Windows? How many Windows Vista installations will there be 1, 2, 5 years from release? If having both stacks could cause a problem, doing that in Windows could have a much greater impact, right?

Re:

[Breakfast Pants]

"Why any different than Linux or MacOS X?"

I can think of several hundred million reasons (hmm, for some reason this number is right up there with MS's userbase...).

This is ridiculous

[eln]

For a guy who "invented DNS," he sure doesn't seem to have much of a grasp of how the current DNS infrastructure works.

First off, most DNS servers are very lightly loaded. DNS in general doesn't take a whole lot of traffic (relative to other protocols), and most DNS servers are way overpowered for what they need to do.

Secondly, as the article states, Vista is not going to just blindly do two queries, one IPv4 and the other IPv6, for every request. It is a little more intelligent than that (shocking, I know). For systems that don't have an IPv6 address (which will be virtually all of them given the current adoption rate of IPv6), no IPv6 DNS queries will be done at all.

Linux and other Unix-like OSes have supported IPv6 for years, and they haven't managed to kill DNS yet. Most Vista installations, like most Linux installations these days, are going to have IPv6 disabled anyway, so this is not going to have any real impact at all.

Re:This is ridiculous

[LnxAddct]

He works for a company that sells DNS solutions, so obviously he's just trying to scare up some more business.
Regards,
Steve

Re:This is ridiculous

[Randolpho]

I think you are exactly right. Note how the original article points to an article where Mockapetris claims that DNS servers are going to slow down broadband because they're operating near capacity. Oh, and happily, Nominum (the company he chairs) will provide new, bigger, faster, more scalable DNS solutions for a nominal fee. I wonder if Nominum has had better than nominal business lately. Maybe we can nominate somebody to check into it?

Re:

[weeble]

I expect that Windows will have the IPv6 link local address enabled.

Thus just as Linux currently has an IPv6 interface enabled by default - even if it is not connected to any other machines over IPv6 it will still do AAAA lookups just as Linux does.

The host that it might be looking for may be itself on the IPv6 loopback interface.

Re:

[porkThreeWays]

Very true. But even if it did two blind queries, DNS uses almost no bandwidth. I'm fairly certain a DNS query and response each only use a single UDP packet. That's NOTHING. Our DNS bandwidth accounts for less than 1% total usage. Even if it were to double, we'd still be at less than 1% bandwidth usage.

Re:

[Vaakku]

True. But what was REALLY intresting is that other article told that he's working for comppany which sells DNS solutions. =)

Of course it won't cause an overload

[A beautiful mind]

When Vista comes out, it will be introduced gradually compared to the millions of installed Win98/NT/XP systems.

It will take years until/if it reaches considerable marketshare. ISPs have plenty of time to upgrade in the meantime.

Useless to blame this on Vista

[casualsax3]

This has to do with the necessary gradual migration from IPV4 to IPV6, and has nothing to do with Vista. Besides, only routers that support IPv6 will even route the DNS requests to DNS servers. If we want to switch to IPV6, every OS out there is going to have support both in tandem like this. You can't bitch about the slow adoption of IPV6, and then turn around and bitch again when there are insignificant consequences related to the transition.

Re:

[Midnight Thunder]

Besides, only routers that support IPv6 will even route the DNS requests to DNS servers.

Exactly, and:
- people behind corporate routers usually use an internal DNS server
- people with home routers, using NAT, can't actually get to a DNS server unless they are using IPv4. The only effective transition technology that supports NAT is Teredo ( implementation here: http://www.simphalempin.com/dev/miredo/ [simphalempin.com] )
- if home users aren't using NAT or are using a router that does support IPv6 (few t

Re:

[TCM]

Besides, only routers that support IPv6 will even route the DNS requests to DNS servers.

This has nothing to do with IPv6 transport but rather IPv6 records (AAAA).

Moo

[Chacham]

I'm sure Microsoft will have a tool in the Network Setting applet, to upgrade DNS servers to be Vista compatable. If MS has a hand in the DNS servers, it will greatly improve interoperability.

Re:

[jacksonj04]

It was damn easy to update my network's servers (Active Directory, Gateway, DHCP, local and cached DNS etc.) to IPv6, and that was with the tech preview tool. I see no reason for Vista to cause any headaches, and updating an entire corporate network along with every server on it is a simple sweep of a group policy from what I can remember.

Re:

[ScrewMaster]

If MS has a hand in the DNS servers, it will greatly improve interoperability ...

... with Windows, which is precisely why nobody wants Microsoft's hand in anything to do with Internet/Web standards.

Ahh...

[prothid]

... so that's what FUD stands for! ;)

Re:

[fm6]

Yeah, I always thought it was a reference to Elmer [intergalacticjester.com].

Complicated mumbo jumbo

[Asrynachs]

That's just a bunch of meaningless technical jargain. They seem to forget that DNS overhead was down by 34% since last year and it's projected to drop by another 20% midway through 2007. So any 'slow downs' as they call them would be soaked up by the rent left from the overhead surplus. yingers

Re:

[geekoid]

why is it declining?

Re:

[Asrynachs]

Strangely enough it's largely due to the number of viruses today. So many people are filtering everything they view through firewalls and virus scanners it's decreasing the load on the DNS.

Huh?

[RAMMS+EIN]

Why would Vista overload the DNS system? slashdot.org is already in my local DNS cache anyway...

Re:

[griffjon]

Good point. Really, if /. cared about the net community, it would balance this increased load on the DNS servers by pointing the article links directly to their IP addresses. As the geeks who surf slashdot hopefully outnumber the dweebs who'll be "upgrading" to Vista, it should more than balance out the problems.

Quite right...

[GillBates0]

Microsoft needs to understand that the Internets are not something you just dump something on. They're not luck big trucks.

They're like series of tubes. And if they don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.

Re:

[Anonymous Coward]

Guess you didn't get it [wikipedia.org].

Mistake in assumption.

[jellomizer]

Fact not everyone is going to upgrade to Vista overnight. Heck there are still people with 3.1 out there. Or 95 on Brand New Computers. Even if it does put a load on the DNS Server it would rise gradually over time, As people get Vista one at a time. By the time it would be considered a problem the DNS Server will probably just need an upgrade, and it will probably happen when the DNS upgrade is due. Vista is due after the Back To School and Holoday season so all the people who would rush to get the new O

huh?

[MyDixieWrecked]

Now, I'm all for M$ bashing, and I realize that they've made some dumb mistakes in the past, but I mean, seriously... Vista isn't the first OS to support both IPv4 and IPv6... OSX does. Linux does.

I can't imagine microsoft making such a horrible design mistake such as this. Shouldn't it be as easy as checking which protocol is being used before sending a request?

talk about FUD.

Re:

[Feyr]

Shouldn't it be as easy as checking which protocol is being used before sending a request?

in short, no. unless your system supports ipv6 but has no ipv6 address allocated (like most of the vista installs i'd say)

dns is what will tell you what you should speak to the remote system. but as others pointed out, this FUD is just that, FUD. dns requests are small enough to not impact the servers much

Re:

[Octorian]

Heck, even Windows XP supports IPv6. (it just isn't enabled by default)

Stupid

[infolib]

So, many Internet providers have handled 1000% growths over the last few years, but they can't handle a doubling of DNS load over the time it will take everyone to upgrade to Vista?

Yeah right.

The knee in the curve, mentioned by Paul

[davecb]

When working with response time instead of %CPU, the curve is quite different from what one normally sees.

It starts off level, at some number of milliseconds (mostly the round-trip time) and stays that way until the load hits 100%, then increases rapidly and without bound.

For example, if a lookup takes 1/10 second, it will continue to take 1/10 second until there are 10 requests per cpu per second.

After that a queue builds up, and the requests are delayed. Brutally. At a mere 100 requests/second, the delay is 10 seconds, instead of one tenth.

Now imagine that at the huge loads the DNS servers typically handle.

When someone says "they've hit the knee of the curve", he really means "they're about to fall in the toilet" (;-))

--dave

Overload

[Kamineko]

Toaster: "Well lets just hope you don't get an overload..."
Holly: "What if I do get an overload..."
Toaster: "You'll explode!"

A few more comments...

[davidu]

It's also worth pointing out that while Vista might come out on a single day it won't be rolled out in a single day -- it'll take months to years to rollout.

So even if there is an increase in DNS load because of the AAAA before A DNS requests it won't cause rolling blackouts or major network failures.

FWIW, we see about 20% of our requests as AAAA requests. I don't have the number of those that are retried as A requests but I'd guess it's pretty high since we aren't (yet) listening on IPv6 interfaces. We do support AAAA dns requests, of course.

-david

I have a solution

[Quiet_Desperation]

Take the average and use IPv5. :-) IPv5 don't get no love.

Non-news?

[CCFreak2K]

And there was one guy who said the introduction of Windows XP and its raw sockets API would allow programs to "generate the most damaging forms of Internet attacks." [grc.com] And we all know that the Internet fell apart because of that, right?

FUD.

How IPv6 DNS works.

[mikeal]

Nobody seems to understand how IPv6 DNS works.

First off, when your box asks for any address from your dns server, the dns server hits the public internet root name servers and gets the Start of Authority (SOA). This tells your dns server (or you if you wanna set up one locally) where to get DNS information for that domain. None of that changes with IPv6.... NOTHING. It can still make all of those requests over IPv4 and it doesnt' matter and it will never duplicate the requests.

Now that your dns server knows

Re:

[TCM]

if the dns server is configured to get the entire zone file and not just query for a single entry (this is the proper way to configure a dns server that intends on supporting IPv6 because if you don't get the entire zone file then you don't know which protocol to prefer

That's just plain wrong. Getting the whole zone file is done via AXFR requests and should only be allowed for slaves of the server. No client will ever do an AXFR to query a record.

The preference of IPv6 vs. IPv4 is done by the client only.

Re:

[thegameiam]

minor nitpick - the XP IPv6 stack bug isn't that it always uses IPv4, it's that it NEVER uses IPv6 for DNS queries. I verified this through lots of testing recently, and it totally cheesed me off... :(

And here I was so happy that they included the auto-config fec0:0:0:ffff::1 - 3 DNS server addresses, but XP won't send a request either to them or to a manually configured V6 server.

-David

IPv6 + XP = Broken

[thegameiam]

I disagree that it's not a huge issue: it means that you can't actually deploy an IPv6-native (i.e. no IPv4) service where there are ANY Windows XP hosts, unless you want to distribute host files (brrrrr....) or have some god-awful tunnelling enabled.

-David

Oh noes...

[araemo]

So lets see if I'm understanding this right. Dude who sells DNS server software, is saying that an extra DNS query now and then is going to cause 'massive slowdowns'.

Maybe in user interaction. Perhaps, once IPv6 is used now and then, that second dns query will cause an extra 100 ms delay on top of the first 100 ms delay for the first dns query.. causing a human-noticeable slowdown after clicking a link.

This is a slowdown due to round trip times, not because of bandwidth or processing limits. More sequential round trips = more latency. Nothing new. And the second time you visit a given site? It's cached, no round trip at all. So yes, people might, maybe, kinda notice a difference.. on the first visit to a given website on a given reboot of their computer.

But I don't think an extra lookup will be a huge inconvenience even given the sorry state of ISP dns servers(Which, in my experience, aren't that bad unless they can't look up an address. Timeouts are are bad, mmkay? The correct response is nxdomain, not 'server did not respond' 'lets try the next!' 'server did not respond'.....

Never happy...

[4D6963]

Come on, it's about time Windows adopts IPv6. We would criticize Vista if it didn't, and as it does we criticize it for it anyways. I'm as pro-M$ as the next /.er but sometimes part of the geek crowd won't even let M$ a chance.

Experts Agree: This is BS

[Effugas]

This is Dan Kaminsky, from the article.

Here's what I threw on my blog on this matter. Note, the fact that this got presented as even a debate annoyed me enough to start posting on my site again.

--

Paul Mockapetris says Vista is going to take down the Internet's DNS infrastructure. Paul is the inventor of DNS; I met him at Black Hat last year and was half starstruck, half relieved he didn't hate me for the things I'd done to his creation :) Paul knows DNS. It's his creation. But you'll note in this story that Joris Evers can't actually find anyone who agrees with Paul.

There's a reason.

First, while there are indeed a couple underprovisioned name servers, there's far more that have lots and lots of slack capacity. You need slack capacity to deal with shock load. The networks that would fail because of Vista's release, would fail because of a three day weekend.

Second, Vista's not getting deployed all at once. This is no service pack that's deployed to a hundred million desktops via Windows Update! Mockapetris is correct in that there will be a noticable increase in DNS traffic, but that increase will be spread out over the course of a couple years. Slow increases like this tend not to cause the sort of catastrophic failure that Mockapetris refers to.

Finally, and most importantly (in the sense that Mockapetris should know better): Most of the work done to service the IPv6 request, is cached and available to service the IPv4. To complete a DNS lookup, you have to locate a particular server, known as the authoritative server for a domain. The same authoritative server that hosts the IPv6 (AAAA) record also hosts the IPv4 (A) record. So even if Vista sends twice the traffic, the upstream nameserver is certainly not experiencing twice the load.

Full disclosure: Microsoft has had me looking at Vista for much of this year, as part of their "Blue Hat Hacker" external pen-testing squad. But then, Mockapetris has written a really impressive name server for his company, Nominum, that can handle about 4x the load of BIND. But this isn't about who we are; it's about what is or isn't going to collapse. There are things to worry about. This isn't one of them.

As rarely as I can say it...

[Belial6]

As rarely as I can say it, MS seems to be doing EXACTLY what should be done. In fact this could be the tipping point that moves us from IPv4 to IPv6. With 95% of the worlds desktops using IPv4 exclusivly, it made no sense worrying about IPv6 in the routers, and it would have been suicide to go to a pure IPv6 implementation. With Vista, most people will, in a few years, upgrade to Vista, switch to Linux or OSX, or be ready to accept being cut off from direct access to the internet. That means that 95% of the worlds desktops with be IPv6 first and formost, and ISPs can confidently move to an IPv6 backbone without fear of cutting off their customers.

Either way, I don't think that NAT is dead. It might change form a bit, but those in control of the numbers are not likely to just start giving them away, just because they have an over abundence of them any more than the Media Barons just give out music just because they have an over abundance of copies of that.

Remeber 2002

[SlOrbA]

Didn't we get this thing tested in 2002. Haven't we learned anything? or has it all been forgotten?

http://www.internetnews.com/dev-news/article.php/1 486981 [internetnews.com]

Even when Vista comes out it won't have instant effect on the over all system, but the load will grow in time and the system will have to be customed for that.

Not the real problem

[rs79]

A friend of mine sent this to me this morning when we were discussing this:

"I manage the operation of about 70% of the world's root DNS servers, and run authoritative TLD servers (mostly secondaries) for about 30% of the world's TLDs (mostly CCtlds). We measure carefully.

IPv6 isn't even 0.01% of the total, and doesn't matter.

The real load on name servers comes not from IPv6 but from Windows machines flooding the world with RFC1918 in-addr requests and with lookup requests in the .LOCAL TLD. The last time I looked, about 40% of the traffic to global name servers was this bogus windows shit. If Vista fixes that, then its release will be a net positive.

We started and sponsor the AS112 Project ( http://public.as112.net/ [as112.net] ) to try to mop up some of the Windows mess. No one believes that we'll need to extend it to IPv6, but we're paying attention."

He is of course right, the nonsense windows does has been a problem for years.

Re:

[cortana]

When you say NAT you really mean firewall. Dropping NAT will not improve security.

Re:

[IHawkMike]

When I say NAT, I don't mean firewall, I mean Network Address Translation. True, its function is usually performed by a firewall or gateway, but I'm not talking about stateful inspection or anything like that. NAT simply replaces the source and destination addresses in IP packet headers to allow multiple private IPs to use a single public IP (keeping track of conversations and such). More importantly for security, however, NAT prevents uninitiated outside connections from reaching devices inside the priv

Re:

[cortana]

When I say NAT, I don't mean firewall, I mean Network Address Translation. True, its function is usually performed by a firewall or gateway, but I'm not talking about stateful inspection or anything like that.

Neither do I!

NAT simply replaces the source and destination addresses in IP packet headers to allow multiple private IPs to use a single public IP (keeping track of conversations and such).

True enough so far...

More importantly for security, however, NAT prevents uninitiated outside connections from rea

Re:

[cortana]

Right, but my point is that they do have a firewall, they just don't know it. And with IPv6 and the death of NAT this won't change--your average home user will buy a small box that 'shares' their network connection (in reality acts as a router and a firewall) just as they do now. :)

Re:

[cortana]

You do seem to understand my point... but in your original post you implied that dropping NAT would decrease security, which is not the case.

We have to get rid of NAT as soon as possible. In some countries users are already behind as many as five levels of NAT [lwn.net]!

Re:Remove the need for NAT?

[TCM]

NAT. Has. Nothing. To. Do. With. Security. Period.

With plain NAT and no filter, someone on your outer segment (malicious ISP, hacked ISP, other customers of some cable ISPs, ...) can simply set a route to your LAN via your external gateway. The only thing that helps security is a packet filter - which will work just fine with or without NAT.

Get rid of NAT now, the sooner the better.

NAT no security?

[phooka.de]

Of course NAT has nothing to do with security. All those worms probing specific ports for known vulnerabilities are not stopped at all be the fact that NAT hides the unused but open ports to the outside world and redirects the others.

Bullshit.

NAT does help against a certain sort of attack. Maybe only against this sort of attack. Fortunately, against the propably most common sort of attack you can't do anything about. (You can to something about infected websites: use a different browser).

Security is not

Re:

[whoever57]

Dropping NAT will not improve security.

NAT is a two-edged sword regarding security. On the one hand it provides a means by which incoming packets will be dropped if they don't match an existing connection. On the other hand, NAT breaks some end-to-end security measures and has resulted in ugly hacks to get these some protocols to work (for example, IPSEC and NAT-T). Essentially, NAT makes man-in-the-middle attacks more likely.

Re:

[cortana]

Whoops. I meant, dropping NAT will not decrease security! :)

Re:

[Octorian]

And people who have become "comfortable with NAT" because they don't understand firewalls and routers (neither of which implies NAT) are probably going to be one of the more annoying hurdles to IPv6 adoption. Evil things like NAT totally break the end-to-end connectivity paradigm of the Internet, and make it only useful for client-server interactions.

Re:

[jafiwam]

Like what?

What the is it that you expect the average NAT user to be doing that matters with the "end to end paradigm of the internet"?

I am a geeky person, and know what? My NAT-ing Linksys router has never failed to meet my needs for my home internet/home network. In fact, it has a bunch of stuff that I am never likely to use. Ever.

Why are you putting any value on "end to end" when one of those legs is nothing but a threat to the average user (unsolicited inbound).

If it is NOT a threat and you want the i

Re:

[jbeaupre]

I've wondered if IPv6 can provide some accidental security, giving some equivalence to NAT. With IPv4, you could probe a bunch of systems by just incrementing through all the addresses you cared to try. You were almost guaranteed to find somebody at each address. IPv6 has so many possible addresses it's far less likely to stumble upon something connected at each one. Especially if addresses are handed out non-sequentially. Now you have to have a list of potential victims before you can start polling.

N

Re:Remove the need for NAT?

[TCM]

If you call it "accidental" yourself, it's not security in the first place. That's like "hiding" a flawed service on a non-standard port and calling it secure.

Re:Insignificant

[Intron]

It probes for ipv6 first, then falls back to ipv4. This is the default setting for many unix systems as well. You usually find your system running slowly, then find a setting for this and turn it off to eliminate the timeout delay.

As for how big a spike it can cause, see this [caida.org] for the effect of Windows' active directory update scheme on the root servers.

Re:

[TCM]

If your system "runs slowly" because of an enabled but not-connected IPv6 stack, it plain sucks. If you have no IPv6 connectivity, don't set a default route for it. The fallback is instant and nothing runs slowly on a proper system.

Likely set to both

[jd]

Hey, I'd love it if Microsoft's Vista was going to take out the Internet - it would discredit Microsoft on a near-permanent basis. However, even if that were to happen, it won't happen because of DNS or IPv6. IPv6 is not going to put any kind of significant load on anything. Now, it might put a teensy little bit of strain on ISC's BIND, because the reverse DNS record is written in a really crappy format, with a dot between each hex digit. That means that there's going to be a little more text processing inv

Re:

[Tweekster]

It is called "Scaling" you obviously are not familiar with it...
If it were your choice you probably would just say. "Just add another digit, that will take care of the problem" (for a couple of years)

Re:

[TCM]

Ah yes, the fear of the uninformed.

IPv6 makes routing much easier because most of those addresses won't be allocated to anything. They serve to keep the address space non-fragmented, so routers will have much smaller routing tables. Also, routing IPv6 is much easier because of a reduced set of options and a streamlined packet format, reducing the processing required by routers.

If anything, IPv6 makes things nicer and cleaner. If you wanna know about ugly, look at NAT and CIDR and the hack it brought to reve

There is no fear. Really. IPV6 is still insane.

[postbigbang]

Let's see. You say:

"IPv6 makes routing much easier because most of those addresses won't be allocated to anything"

How droll. Do you realize what you've said in justification? Have you done router tables, ever?

Then, you say:

"They serve to keep the address space non-fragmented, so routers will have much smaller routing tables"

Sure. A lot smaller. The number of devices needing unique addresses will shrink and that's why IPV4 is "....about ugly, look at NAT and CIDR and the hack.." In fact, using NAT and CIDR b

Re:

[TCM]

I realize there are always people afraid of change because they don't understand it. Luckily, they become obsolete while the rest moves on.

Have you done router tables, ever?

If you had and had understood what I wrote, you wouldn't be asking.

ARP works with both

There is no ARP with IPv6.

Why don't you go inform yourself before you go on crusades against things you don't understand?

Re:

[postbigbang]

And that time will happen in the year 19202 if expansion parallels population growth.

Really. DO THE MATH. IPV6 IS INSANE!!!!

Re:At the risk of further insult....

[vadim_t]

Ok, then you're way too attached to the old times. Nobody I know gives a damn about a couple percent extra overhead in network traffic (especially when the available bandwidth keeps growing, and my ISP upgrades it for free once in a while), however, everybody loves the idea of getting rid of NAT, having a /48 for themselves, automatic address configuration, and lots of other nice things that come with IPv6. Probably also lower ping times, due to improved routing. I wish they also upgraded the port numbers to 32 bits, but ah well.

IPv6 means your TCP packets will get 20 bytes larger. That means that your downloads will take about 1.5% longer. Oh the horror!

Re:

[geekoid]

As I understands it there are a couple more Wintel machines then Mactel* machines.

Personally I think it's a non-issue, but that's the only reason I can see for a difference.

*you heard me, Mactel.

Re:

[SEMW]

Ah, but you misunderstand the point. When Apple implemented it, they were making their software more compatible, more forward looking, and more future-standards compliant. Microsoft, despite doing exactly the same thing, are clearly doing so in order to maliciously slow the entire internet down to a crawl. Isn't it obvious?