How Feds are Dropping the Ball on IPv6
BobB-NW writes "U.S. federal agencies have six months to meet a deadline to support IPv6, an upgrade to the Internet's main communications protocol known as IPv4. But most agencies are not grabbing hold of the new technology and running with it, industry observers say. Instead, most federal CIOs are doing the bare minimum required by law to meet the IPv6 mandate, and they aren't planning to use the new network protocol for the foreseeable future."
As things go ... (Score:5, Interesting)
So there is plenty of time for someone to wake up, wanting it yesterday.
CC.
Re: (Score:2, Insightful)
Re: (Score:2)
It's bloody useful. No need to skimp on IPs with it.
Re: (Score:3, Interesting)
The last of the freely available
If all the unused/unannounced/reserved
Re: (Score:3, Insightful)
Re:As things go ... (Score:4, Interesting)
When I said ALL big blocks being reclaimed into the available pool, that included all the remaining
The block allocated for Amateur radio operations was reclaimed a couple years ago, as well as the ones for Interop and other early networking groups. Those allocations are either already gone or back in the free pool.
HP has already announced plans to rent their addresses to customers who buy their big servers with a maintenance/service plan, and put the servers in partner data centres. So, in a few years, all those companies who want to get on the internet and can't wait a year or more for their allocation request to be fulfilled, they can throw a lot of money at HP and be up and running much faster. At least, that's what HP is counting on. If you think HP is going to willingly return any of their allocations when they can make US$10/month per IP address, you must be smoking some strong belly lint.
the AC
Re: (Score:2)
Re:As things go ... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
When an "environmentalist" screams about oil shortages, the oil industry gets to raise prices, irrelevant how much oil is or is not in the ground.
End of the internet... (Score:4, Funny)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
ipv6 has been needed 'real soon now' for 20 years. Yes we'll need it eventually, but it's so far from commercial deployment that it's just not an option - most infrastructure simply doesn't support it (in fact trying to run ipv6 over active directory will utterly screw it up because of the conflict between xp supporting ipv6 ad clients and 2003 n
Re: (Score:2)
I guess that depends on your definition of "most." It's been in Solaris since Solaris 8. It's been in Linux since 2.2. Cisco supports it as does Juniper. Right there you capture most of the Internet server market and underlying infrastructure. As for Microsoft, if they can't get their act together, you can run IPv4 pools translated to IPv6 without an issue. So really, it is an option and it
Re: (Score:2)
Looking around me I see a VOIP phone (ipv4 only), printer (ipv4 only), wireless router (ipv4 only), server (HP, ipv4 only, support contract does not allow OS reconfiguration), the cisco router which actually does ipv6 and this laptop.
So I could enable ipv6 between two devices. Except the leased line doesn't su
Re: (Score:3, Insightful)
* v6 address isn't there until ~10 mins after boot or until you disable+enable the interface
* SMB/CIFS over v6? no way
* you can't use DNS over v6
On a completely unrelated note: your name sounds Polish. No major ISPs support v6 here, but the tunnel brokers are awesome. On SixXS I get connections to most overseas places *BETTER* by at least 10ms ping than routed directly through tpsa/Neostrada, tpsa/IDSL, tpsa/PolPak or Netia.
Re: (Score:3, Insightful)
Re: (Score:2)
The IPv4 address space will always be exhausted four years from the present time.
I don't blame anyone for avoiding IPv6, (Score:5, Insightful)
I don't blame anyone, even government in this case, for avoiding the hassle of getting everything converted to IPv6. Maybe eventually we all will have to be there, but there always seem to be workarounds that work for everyone, minimal hassle, minimal pain.
If you wanted a Starbucks coffee, and it was one street down, and someone told you you had to go through the in-between building, climb up and down its twenty flights of stairs just to get to the next street for your coffee, and you knew you could just walk around the building on the sidewalk, what would you do? Now, if the building were only two stories high, and the block to walk around were 600 ft each side, it might be a different choice.
An interesting aside, meeting the mandate only requires they are IPv6 capable, not running it. This is the same height bar the government set for Microsoft in the early nineties when Microsoft delivered the DOA POSIX-compliant (never to be really used) NT. NT, with its barely implemented POSIX subsystem (only implemented the library portion, btw, not the user interface) got to put a check in the POSIX checkbox for government contracts.
Lesson to be learned? If you want to make an effective mandate, make it a mandate for implementation, not capability.
The government:
What is IPv6 compliance? (Score:5, Interesting)
- Upgrading routers, firewalls et al to support IPv6.
- Some application software still not being fully IPv6 ready.
- A large number of sites still don't have IPv6 DNS addresses
I think the problem, like many government proposals, is not the recommendation, but the lack of research guidelines or instructions on how to make the infrastructure IPv6 compliant or what it means to be IPv6 compliant. For example, is simply having a 6to4 gateway considered IPv6 compliance?
All this said and done, has anyone here on
Re: (Score:2)
Apple uses IPv6 for Bonjour...printer sharing, etc. Been that way for some time. China & Europe have large networks in action as well.
Re: (Score:2, Insightful)
You're assuming that
1: They are using "recent desktops"
2: The image that they are loading onto the desktop will support IPv6
Neither of those assumptions are anything resembling a "sure bet".
I'd bet on the Dolphins beating the Patriots next weekend before I'd bet on the above.
Re: (Score:2)
The Mandate probably didn't come with any funding attached to it and it gives the Agencies a cheap way out... what do you think they're going to do?
Re: (Score:2)
(By comparison, it took about 1.5 years for the US Navy to switch from one e-mail system to a more secure alternative, due to reliability issues, security problems and brain-dead contracting.)
Re: (Score:2)
- Upgrading an IPv4 CISCO network device, such as a router, gateway or firewall: is this 100% software or a hardware upgrade, and does CISCO charge you for the pleasure?
- Other than Apple Airport Extreme, are there any IPv6 ready ADSL/Cable routers?
Re: (Score:2)
Well it depends on the device.. you'd need a recent IOS if your image doesn't support it.
Presumably you have a support contract on the device so you can download it directly.. of course there's the whole QA, Testing thing you have to do before deployment. It's not a 5 minute job.
Cisco's ipv6 firewall is actually quite passable, but you can
Re: (Score:3, Interesting)
That's the biggest complaint I've had recently with Cisco for IPv6 rollouts. They refuse to put IPv6 into their base image, on the assumption that if your networking needs include more advanced protocols, then you are a carrier and should be paying for IPservices or IPkitchensink images. It's one of the biggest roadblocks on IPv6 rollout in the world. They've been shamed at technical conferences, their customers are abandoning them in droves for
Re: (Score:3, Interesting)
Routers can be a big issue (Score:5, Informative)
What happens on a large, high speed, network is that your routers rely on hardware acceleration to be able to pass traffic as quickly as you want, while still implementing all the rules you want. What that means is there are ASICs of various kinds that can handle various kinds of traffic. On older hardware (and some newer too), these are for IPv4. So anything else has to be handled by the router's CPU, which really isn't very powerful.
So, what that means is that you can technically support IPv6 by just turning it on, but only if you are willing to do it poorly. If we enabled it on all the routers, we would effectively support IPv6 internally. Great, and initially everything would work fine. However if any significant number of people actually decided to use it, network performance issues would come up in a hurry.
To really support it we have to buy new routers that support IPv6 in hardware. This could be done, but it would be expensive. Last time it was looked at the price tag was over $5 million. As you can probably guess, the university wasn't that interested in spending money like that for what was perceived to be no gain at all.
So while in a smaller network, where there's only an edge router and it isn't very high speed, yes IPv6 can be as simple as some software updates and turning it on for all devices. However when you have a larger, higher performance, network, you often need new hardware. That's a lot of money, and it is hard to justify that being spent for no real gain.
Re:What is IPv6 compliance? (Score:5, Interesting)
Yes it is.
Desktops are only the start.
Your servers need it (no ipv6 AD support).
No ipv6 network printer support.
No ipv6 VOIP support.
Poor to nonexistent ipv6 router support, and of those that do most of them don't support firewalling it.
Poor to nonexistent connectivity. Try asking the average ISP for an ipv6 address and they'll just look at you funny. It's not just consumer ISPs either - this business park I'm in at the moment has *no idea* what ipv6 is and has no timescale to look at it either.
Then there's the bits and pieces.. Does Blackberry support ipv6? I know iphone doesn't, and Symbian's implementation is broken (relies on a dhcpv6 server and even then seems to need some kind of proprietary extension to that).
Re:What is IPv6 compliance? (Score:5, Insightful)
That's the biggest problem. Until I can reach every server with IPv6, I'll still need IPv4. Since I need IPv4, why should I bother with IPv6?
Re:What is IPv6 compliance? (Score:5, Informative)
I've done it. And now that I have a couple of posts in this thread banging the drum FOR IPv6 and correcting serious misconceptions, I'll use this thread to trash IPv6
On most networking equipment, turning on IPv6 is no more complex than a global "ipv6 routing" and setting the address on interfaces just like you do for IPv4. I'll use a pseudo-cisco example:
    interface Gig0/0
      ip address 223.123.40.1 255.255.224.0
      ipv6 address 2001:1a1:98b5:1::1/64
After that, most modern OSes on that segment will recognize the router announcements, autoconfigure, and start using IPv6. That's the easy part.
All routers and switches introduced to the market in the last two or so years seem to support v6 traffic, in VLSI hardware for the higher end kit. In fact, I haven't seen one new product announcement in at least two years that didn't have wire speed IPv6, no more passing unknown packets to CPU. But new kit is only put in slowly, and old kit has a useful lifespan of around a decade. Try passing IPv6 traffic on an older layer2 switch over a dedicated vlan, and many older switches can't deal with production traffic levels.
Once you start climbing the protocol stack you run into more problems.
With the sole exception of OpenBSD's pf firewall, there isn't a firewall out there that does IPv6 fully. Many firewall manufacturers will announce IPv6 support, but all that means is they have a rule for detecting IPv6 packets and either dropping them or passing them. They can't filter on address ranges or higher level protocols. One big manufacturer of firewalls now claims they support IPv6 because although their equipment doesn't yet support it, their tech support will take feature requests. Network security software (types like nmap) have little to no support, mostly because the authors have no real world examples to code around.
Services vary in their v6 support. Bind is fantastic. Apache kind of supports it, but many modules in Apache2 choke when it's turned on. The web programming languages are all a mess in their support; perl, PHP, java, python and the rest are a complete gamble, and even when support is mostly there, bugs crop up all over the place. The databases used behind many websites, such as MySQL and Postgres have spotty support, and if you don't go back and clean up your database code, they'll return all kinds of shit if the webserver starts passing in IPv6 addresses where someone hardcoded 4 bytes. Some of the freeware/GPLed/opensource projects like ircd and jabberd seem to have full support, and there are very few service daemons that don't at least acknowledge IPv6 existence.
Up at the application level, all modern browsers will use IPv6 correctly. Many apps written for Apple OSX make use of IPv6 if it's present, the only exception I know of is skype. All my networks, and most of my clients' networks are dual stacked, so I never even notice that all my SSH sessions are over IPv6, as are all my web connections to nagios or cacti machines, our instant messenger traffic and most everything else. At least at the user application level, there have been years of preparation and it shows. On Vista, what little playing around I've done shows almost no application level support except IE7 which works as well as IE7 possibly can.
Small networking appliance support is almost non-existent. Except for Apple's wireless networking box, there isn't a DSL or cable modem on sale in the west that has support. In China, Korea, Japan and a few other south-east asian countries, most CPE boxes have IPv6 support, because most ISPs are forced to use it as they can't get enough IPv4 addresses for their end users. Much of the IPv6 web traffic I see outside my own little European island is to sites in the far east, where support is widespread.
Mandatory IPSec security is a joke, many v6 n
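Added example, not part of the comment above and not code from any project it names: the comment describes firewalls that cannot filter IPv6 by address range and database code that breaks when a web server passes IPv6 addresses where 4 bytes were hardcoded. This Python block shows the 4-byte pattern failing and a dual-stack replacement that stores every address as 16 bytes and matches range rules for both families, including IPv4-mapped forms such as `::ffff:192.0.2.10`. All function names, rules and sample addresses are constructed for illustration (documentation ranges only).

```python
import ipaddress
import struct

# Constructed block rules using documentation ranges (RFC 5737, RFC 3849).
BLOCK_RULES = ["192.0.2.0/24", "2001:db8:98b5::/48"]


def legacy_pack(addr: str) -> bytes:
    """The 'hardcoded 4 bytes' pattern: only dotted-quad input survives."""
    return struct.pack("4B", *(int(part) for part in addr.split(".")))


def legacy_accepts(addr: str) -> bool:
    """True if the legacy 4-byte packer can store this address at all."""
    try:
        legacy_pack(addr)
        return True
    except (ValueError, struct.error):
        return False


def canonical(addr: str):
    """Parse IPv4 or IPv6 text and unwrap IPv4-mapped IPv6 addresses.

    A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d;
    without unwrapping, an IPv4 rule would silently miss that client.
    """
    ip = ipaddress.ip_address(addr.strip().split("%")[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def storage_key(addr: str) -> bytes:
    """Fixed 16-byte key (e.g. for a BINARY(16) column), same for both families."""
    ip = canonical(addr)
    if ip.version == 4:
        # Store IPv4 in its IPv4-mapped IPv6 form so one column fits all.
        return b"\x00" * 10 + b"\xff\xff" + ip.packed
    return ip.packed


def is_blocked(addr: str, rules=BLOCK_RULES) -> bool:
    """Range filter that works on IPv4 and IPv6 rules alike."""
    ip = canonical(addr)
    for rule in rules:
        net = ipaddress.ip_network(rule)
        if net.version == ip.version and ip in net:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, as a web server might pass them in.
    for sample in ("192.0.2.10", "::ffff:192.0.2.10",
                   "2001:db8:98b5:1::1", "2001:db8:1::1"):
        print(sample,
              "legacy_ok=%s" % legacy_accepts(sample),
              "key=%s" % storage_key(sample).hex(),
              "blocked=%s" % is_blocked(sample))
```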
Re: (Score:2)
Re: (Score:2)
I don't know, what is the weather like? What's the crime r
Blame Yourself (Score:2)
Well, what if somebody told you that if you didn't start doing th
Re: (Score:2)
I'd tell them that firstly a few rich people had hoarded all the coffee and they needed to give it back, and everyone else can just share cups until that happens. Oh and in the worst case the coffee isn't going to run out for 10 years plus anyway.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Anyway I digress... jumbo frames have been supported on ipv4 for years.
Re: (Score:2)
That's why they roast them too long. One burned coffee bean tastes just like another.
A classic demonstration of how good marketing and branding can move a worthless product.
Well, look where Starbucks got started (Seattle). They learned from the masters (a certain software company located in a Seattle suburb).
Re: (Score:2)
I don't understand. Could you rephrase that as a car analogy?
The Military's fuck up in Iraq is a warning. (Score:2)
Oh well...that's government for you.
Re: (Score:2)
Well, every other industrialized nation makes national healthcare of some sort work; covers everyone; and pays less per capita to do it. Maybe, just maybe it isn't that hard a problem.
It is worth noting that most health care experts think that Medicare -- federalized healthcare with a lot of holes -- is probably the least screwed up segment of the US medical care system. It probably isn't that the government does things all that well.
Re: (Score:2)
Re: (Score:2)
What is the abortion rate in those countries? Amnio-test abortions would improve the "average life expectancy" for cultures that have no stigma against it, cultures that most certainly w
Re: (Score:2)
Re: (Score:2)
Why are they obese? (Score:3, Interesting)
Try to cut fructose out of your diet. It is almost impossible. Soda has fructose (in the US) but everyone knows that... Bread has fructose in it. (Huh?) Not only does ketchup have it but mustard has fructose in it. (Why?!!!) Look
No real drive (Score:5, Interesting)
I think AOL will be the first (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
I can't see any reason it wouldn't work.
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Existing $29 NAT boxes aren't upgradeable (Score:2)
IPv6's designers didn't expect users to need NAT - they're providing a /64 or bigger, so
Re:I think AOL will be the first - nope (Score:2)
In France, the ISP Free telecom offers the possibility [journaldunet.com] [fr] to migrate to IP V6 already.
Re: (Score:2)
The ISP I use offers native IPv6 over any connection you can get from them (dsl, dialup, leased line, colo, iptransit etc)... But getting a DSL router that actually supports v6 was a pain, I had to buy a pricey cisco in the end.
Re: (Score:2)
Businesses don't want ipv6 (Score:2)
A rough guide as to why... (Score:4, Interesting)
Re: (Score:2)
Just look at Efnet or IRCnet, lots of kiddies using ipv6 there.
From their perspective, larger number of IPs freely available means easier vanity hosts for ircing from, and it makes it a little harder for other kiddies to dos them offline.
Re:A rough guide as to why... (Score:5, Interesting)
Re: (Score:2)
Grades: I'm almost certain that none of IPv6's security enhancements will help the Agency's grades in the slightest. They're not graded on whether they're hacked or not...they're graded on how well or how badly they're keeping up and managing security. It is entirely possible (and quite probable) that the Feds will still manage security badly, even if they're on IPv6.
Automatic configuration: no one is going to run stateless au
Debunking the claims (Score:2)
No, it doesn't. The IPSec header field in IPv6 works in the exact same way that it does in IPv4. The possible benefit of including it in the spec is that it'd theoretically be easier to have interoperable implementations of IP6Sec. The reason .gov gets a D- or F doesn't have to do with the level of or quality of the encrypti
This presumes that IPV6 is a good idea (Score:2, Insightful)
Those that do only the minimum to achieve IPV6 addressing are in my perso
Re: (Score:2)
Re: (Score:3, Insightful)
Yup, and the rest is second-system syndrome [wikipedia.org] too.
Re:This presumes that IPV6 is a good idea (Score:5, Informative)
I tried to look up the result on Google [google.com] multiple [google.com] times [google.com] and wikipedia [wikipedia.org], finding nothing. Interestingly enough, your post is the first quote in the first google search.
If you're going to ask us to research something ourselves, please have the courtesy to provide enough information for the search.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
In any case, there is no incentive for government, business or anyone else to adopt IPv6 unless and until it costs them to get IPv4 addresses. ARIN and the other RIRs need to announce *now* that by, say, 2009, they will start charging for IPv4 address allocations.
That's a lot of trolls for one article! (Score:5, Interesting)
There isn't a lot of hoarded Class B space out there - if anything, most of the hoarding is at the
IPv6 had a lot of optimistic goals, some of which (like security and autoconfiguration) have been achieved in other ways (like IPSEC and DHCP), and others (like hierarchical simplification of routing structures) don't look like they'll really happen. But the IPv4 space is going to run out, and we're not going to be able to squeeze much past 2012 - especially if a billion people want data on their cellphones, or if the Chinese economy adds a couple hundred million broadband users, which won't take long, or a couple million businesses, which won't take long either.
The IPv6 address space is very rationally designed, and yes, managing it does take work - but it's big enough that there's room to experiment, unlike IPv4 which ran out of slack well over a decade ago.
Where is the carrot? (Score:4, Insightful)
Obviously not, because if the benefits outweighed the costs, no mandate would be necessary. Agencies would have long ago switched on their own.
And since costs outweigh the benefits, who can blame agencies for doing the bare minimum to achieve compliance? The writeup makes it sound like agency obstinance, but I view it as good budget stewardship. Agencies don't seem to want to flush good budget down the IPv6 toilet.
Re: (Score:2)
It's a chicken and egg situation, organisations don't switch because other organisations/individuals they deal with haven't either.
On the other hand, if you enable v6 now you get a step ahead. Eventually the v4 addresses will run out, and people will have no alternative but to start using v6. Those of us who already use v6 will be good to go by then, and already have the kinks ironed out of our setups.
Re: (Score:2)
But my point still remains. If agencies felt they could benefit from the adoption of IPv6 more than said adoption would cost, no mandate would be necessary. So who can blame agencies for doing the bare minimum to comply with this mandate?
Re: (Score:2)
These agencies don't care about long term, since their budgets are done on a yearly basis. That's where the problem lies.
Re: (Score:2)
In which case why bother? You don't need two protocols to connect.. only one.
You *do* need ipv4 because a lot of applications, services, even websites are strictly ipv4 only - and for bespoke applications probably always will be.
There are no ipv6 only applications, services or websites. So you're just spending money for zero benefit.
Show a sound business case for adoption of ipv6 and you'll get adoption. Until that happens yo
Re: (Score:2)
Why bother? (Score:2, Insightful)
Besides, how long did it take government computer networks to switch from proprietary systems like IBM's SNA, Microsoft's NetBIOS, Banyan's VINES, Digital's DECNET, Apple's Appletalk, and others to IPv4? IPv4 came out in the early '80s. I'd venture to say more than one government office was still using a completely-non-IPv4 network well into the '90s.
No, unless there is
Re:Why bother? (Score:4, Insightful)
Switching to IPv6 often involves hardware switchovers and the elimination of old services that simply cannot interoperate with it because they weren't designed to, and should have been discarded years ago but haven't been, and the original author has very much moved on.
NAT introduced *lots* of problems (Score:2)
why not an IPv4.1 (Score:2)
Re:why not an IPv4.1 (Score:5, Informative)
Academic Attitude (Score:5, Insightful)
Re: (Score:2)
Secondly, there are some excellent online guides to IPv6, describing the packet structure, the additional capabilities, history, and so on. There are also several mailing lists, the 6Bone archives, and pretty much all of the information circu
Cisco's new CCNA does IPv6 (Score:2)
What doesn't support IPv6 these days? (Score:3, Informative)
Every major networking equipment supplier has IPv6 support on their product lines, although some still charge for turning it on. All the high-end Cisco routers and switches support it natively, but charge extra for the IOS image that can use it. Foundry's current product line supports it everywhere. Juniper has pretty much always had IPv6. Working down the list of less popular suppliers shows most of them have some level of IPv6 support. Sure, most of the older networking equipment can't deal with v6 traffic, and the useful life for old kit is long enough that it's still probably 70% of the installed base.
Most internet enabled mobile phones have IPv6 built in, but it tends to be invisible to the user because the phone companies are only using it for local communications, if at all. All the Nokias support IPv6 in their network stack, but I haven't seen one system that takes advantage, yet. iPhones and iPod Touches have v6 enabled by default, and if they connect to a WiFi system that has v6 router announcements, they'll autoconfigure and Safari will use it transparently.
Where IPv6 support falls down is in super-cheap consumer networking products. All those little $40 DSL modem+firewall+4 port switch boxes just don't support v6 at all. The only good news is from when I was in discussions with the Chinese company behind many of these boxes. The versions released in China are all IPv6, it's only the versions sold outside China where they just don't include it because there is no market demand.
The only real problem right now is with ISPs. Until the engineering staff inside ISPs and hosting companies take the responsibility to start turning it on, sales and marketing will remain blissfully unaware that it can be sold.
One of the largest ISPs in Europe turned on IPv6 to all 8 million users this week. They've done the right thing and made it opt-in for now, their customers have to go to their control panel web page and turn it on, but almost 50,000 people did in the first 24 hours. They turned it on, and their Macs and Win machines started using IPv6 with no need to do anything other than tell Firefox and Tbird to start using IPv6 for DNS lookups. Because this one major ISP did this, their main competitor has been forced to make plans to enable IPv6 in January. After that, any ISP that doesn't have IPv6 turned on will be branded as "obsolete" or "incompetent".
the AC
Re: (Score:2)
No they don't - apple ripped the ipv6 support out when they ported osx to them.
Re: (Score:2)
Re: (Score:2)
No mention outside slashdot of *any* ISP doing this though that I can find.. google let me down.
Of course explaining how to get all the linksys/dlink/etc. routers that their customers have to act as RA servers.. that's hard. I don't envy the ISP that needs to do it.
IPv6 still does nothing (Score:3, Insightful)
Until that happens, NOBODY can adopt IPv6. That's the law, and no legislation can change that.
Miredo (Score:2)
Re: (Score:2)
Try it behind a corporate firewall and you're hosed... never seen it work here for example.
Re: (Score:2)
For the ISP to be able to distribute ipv6 to multiple machines in the way you imply you'd need something forwarding the RA requests to them.. normally you don't do that - you get a
If they're using their own routers I guess they could do it.
Security isn't the iss