MIT Technology Review Slams IPv6

PCM2 writes "In the MIT Technology Review, Simson Garfinkel, noted author of Internet security books, writes that "the next version of the Internet Protocol, IPv6, will supply the world with addresses by the trillions. Too bad it will also make the Net slower and less secure." His article goes on to explain that all IPv6 code is untested and therefore insecure; that IPv6 encourages 'peer-to-peer based copyright violation systems'; and of course, that the switch is never going to happen anyway (and yet, somehow, the United States is 'falling behind')."
  • IPv6 Support (Score:1, Interesting)

    by man_ls ( 248470 ) on Sunday January 11, 2004 @08:15PM (#7947926)
    IPv6 is native in Windows XP as a module.

    It's just not active in... anything else. No routers have it. No providers have it.

    I dunno what the problem is, but if MS can beat it to market, there's something wrong.
  • by thogard ( 43403 ) on Sunday January 11, 2004 @08:20PM (#7947959) Homepage
    I thought we were running out of /20 assignment blocks, not addresses.

    Of course if you increase the number of assignment blocks, routers will need more memory and we're back to the same reason no one will route a /28 anymore except the IPv6 approach ends up using 4x the memory for each address.
  • NAT is bad? (Score:4, Interesting)

    by TwistedSquare ( 650445 ) on Sunday January 11, 2004 @08:24PM (#7947984) Homepage
    Interesting... The author slates NAT for being an easy security option, causing firewalling problems and not letting each device have its own IP. Then he seems to fail to mention that letting each device have its own IP opens up a whole host of possible attacks. Who would honestly let an out of the box Windows machine be open to the rest of the internet with no NAT?
  • by retrosteve ( 77918 ) on Sunday January 11, 2004 @08:26PM (#7948003) Homepage Journal
    Interesting to compare Garfinkel's view on IPv6 vs NAT (IPv6 'encourages Peer-to-peer copyright violations') with John Walker's announcement today [fourmilab.ch] that he's Withdrawing Speak Freely [slashdot.org] due to the takeover of NAT.


    Walker sees NAT as encroaching oppression by the "powers that be", whereas Garfinkel seems to take the "powers that be" point of view! Simson, how you've changed!


    In fact, Walker is skeptical that even IPv6 could promote "consumers" back to "peers":


    First of all, any bets on when IPv6 will actually be implemented end-to-end for a substantial percentage of individual Internet users? And even if it were, don't bet on NAT going away. Certainly it will change, but once the powers that be have demoted Internet users from peers to consumers, I don't think they're likely to turn around and re-empower them just because the address space is now big enough.


  • by Anonymous Coward on Sunday January 11, 2004 @08:29PM (#7948029)
    Oh whatever. That's getting off on a tangent. The DVD recordable is going to have more of an impact on file sharing in the broader definition than anything on the Net. I know someone --not me of course-- who gave out several terabytes of nicely formatted, high quality data for Christmas to people still on modems. Now that kind of thing makes measly DSL connections practically insignificant.
  • Hurmph (Score:5, Interesting)

    by fazil ( 62946 ) on Sunday January 11, 2004 @08:30PM (#7948030) Homepage
    "It will be the biggest, the most drastic, and the most comprehensive change to the underlying structure of the Internet in more than 20 years. "

    I'd love that thought applied to space.. It's so confusing, and hard to do, we should tuck our tail between our legs and run! This change will happen one router at a time.. correct me if I'm wrong.. but I do believe IPv4 addresses will coexist with IPv6. And let's face it.. for the most part, this will be done by highly experienced techs at the ISPs, and filter down to very experienced end users at business. Dialup and High Speed users could use IPv4 for ages sitting behind their ISP's big gateways.

    "The deployment of IPv6--the sixth version of the Internet Protocol--will be a massive undertaking that will require the reconfiguration of more than 100 million computers."

    It's not like this will happen overnight.. and one day all the end users (hi mom) will have to become IPv6 Gurus. Once again, we're back to.. It's hard.. let's run away.

    "But when the IPv6 rollout is finally done, not all the effects will be positive"

    Argh.. this guy bugs me.. He seems to totally forget about the evolution of software.. Of course it'll be slow at the beginning.. then some company like Nortel will put it all into a high-tech ASIC chip.. and we'll leave IPv4 in the dust. For each of his arguments.. there's a swell counter argument, that's never far from reach.

    Faz
  • Re:NAT is bad? (Score:3, Interesting)

    by PCM2 ( 4486 ) on Sunday January 11, 2004 @08:30PM (#7948034) Homepage
    > Then he seems to fail to mention that letting each device have its own IP opens up a whole host of possible attacks.
    No, that actually seems to be one of the main thrusts of his article...that IPv6 gives every machine its own address, opening up all sorts of security problems.
    > Who would honestly let an out of the box Windows machine be open to the rest of the internet with no NAT?
    Here, however, you seem to be confusing the function of a NAT with the function of a firewall.

    In all honesty, though, most of my hardcore IP networking friends -- the kind of people who always use FreeBSD over Linux because of FreeBSD's superior, time-tested, proven TCP/IP stack -- pretty much agree with Garfinkel's assertion that NAT is the Devil. I've never really understood that viewpoint, though. Or at least, it seems to me that NAT is here to stay until something radical happens (like switching to IPv6).

    OK, granted the Internet was designed such that every machine would have a unique IP address. It's evolved away from that early model, however. Wouldn't it be better to deal with it, rather than complain? (I, obviously, am nobody's idea of a network engineer.)

  • by Quirk ( 36086 ) on Sunday January 11, 2004 @08:30PM (#7948037) Homepage Journal
    "Japan, China and South Korea will jointly develop the next-generation Internet technology IPv6 [taipeitimes.com], aiming to have the global standard for the technology set in Asia, the Nihon Keizai Shimbun reported yesterday.

    US firms now dominate the market for equipment like routers that serve as the infrastructure for the current IPv4-based Internet.

    By working together, the three countries aim to take the lead in developing technologies for a world in which all equipment is connected to the Internet"
  • Re:Oops (Score:2, Interesting)

    by Anonymous Coward on Sunday January 11, 2004 @08:35PM (#7948068)
    Actually the comment is perfectly reasonable - it just doesn't go far enough.

    2^32 does indeed set an upper bound for the number of possible IPv4 Internet addresses (at least, the number that are addressable from any particular node at any point in time). However since many of them are preallocated for special purposes, the actual number of possible useable addresses is much smaller.

    Finding one upper bound doesn't mean that there isn't a tighter (and in some sense, better) upper bound that you could find.

  • by Junta ( 36770 ) on Sunday January 11, 2004 @08:56PM (#7948207)
    But still a bit harsh on IPv6....

    As to the notion of never running out of address space 'never, never' as he puts it, I wouldn't be so sure. The 32-bit address space provides 4.2 billion addresses. With that in mind, we are much nearer to exhaustion than current usage would dictate. It is all about the allocation, and if sloppy allocation occurs, the 128-bit address space of IPv6 could be exhausted too. For example, the architecture of current implementations makes it so that the smallest subnets anyone will likely allocate are 64-bit networks, and use MAC addresses (or something else, but still 64-bit, because it's easy), so immediately you take the address space down tremendously. Still should be well more than enough for everyone on earth to have a /64 network, but it has yet to be seen whether certain organizations might, for the hell of it, get allocated /8 networks because they can. As near as I can tell, the high 16 bits seem to be somewhat protected, but you never know what will happen. If there is a grab for /8 networks among big players, you have the same problems that IPv4 has today.

    As to security implications, it is true that implementations will be for the short term future less tested and therefore likely to contain critical flaws, but still IPv6 code is receiving a fair amount of testing, and critical flaws will not be quite so devastating as you may think, no more than an Apache, Linux Kernel, or MS security exposure, which we have seen all of in fairly recent history without the sky falling.... Of course the wrinkle in this is a lot of the 'home router' concepts that happen to protect common home systems will cease to provide that protection. They provide NAT features, therefore masking to an extent the system behind the device. Despite what the author says about NAT being bad because it doesn't protect against things like browser exploits and physical intruders, NAT is on the level of firewalling in terms of protection. Any reasonable network security person will realize that browser exploits, email worms, and physical intrusion must always be kept in mind, and it has nothing to do with NAT or firewalling. NAT remains effective at, for example, fending off web server and rpc attacks from unsuspecting or experimenting workstations. If NAT goes away (hopefully), people need to be mindful of good old firewalling strategies. Implementations are maturing (experimental ip6tables implementation, for example, is approaching closely the ipv4 iptables featureset). If cable/dsl 'routers' revert to hubs in a wealth of addressing, I expect either cable/dsl 'firewall' devices or increased ISP vigilance to deal with the more widespread system exposure.

    All that said, I like IPv6 (my desktop, gateway, and laptops are using IPv6 and each have public IPv6 addresses, keep NAT on IPv4 on some systems), but I (and everyone else) have been waiting and watching a long long time and no encouraging migrations are yet to be seen, and I doubt the near future will bring any incentive to push such a change.
  • by Hanji ( 626246 ) on Sunday January 11, 2004 @08:57PM (#7948213)
    Although addressing issues like that will delay the time at which we will have to deal with the shortage, it doesn't solve the problem.

    IPv6 isn't just about having enough IPs for all the computers in the world. It's about having enough IPs for all the *anything* in the world - your toaster, your house-cleaning robot, whatever. Even things like RFID tags could potentially be given their own subset of the IPv6 address space - it's that huge.

    Using the IPv4 space more efficiently might deal with the problem for a while, but it will not allow the expansion IPv6 would.
  • Broadband ISPs (Score:4, Interesting)

    by chiph ( 523845 ) on Sunday January 11, 2004 @09:18PM (#7948349)
    Anyone know what the adoption rate of IPv6 is for the major broadband ISPs? TimeWarner/Comcast, etc?

    What with Win95 being EOL'd, a fair number of them will be upgrading to Windows XP (or Linux, OK?) with its built-in support. Maybe the best approach would be from the bottom up?

    Chip H.
  • Do we need IPv6 ? (Score:4, Interesting)

    by zeux ( 129034 ) * on Sunday January 11, 2004 @09:22PM (#7948377)
    I'm not sure at all.

    The IPv4 addresses are inefficiently distributed. MIT for instance has 16.7 million of them. IBM too.

    Entire classes of addresses are reserved for things we don't REALLY use like multicast and so on.

    Plus we now have NAT and CIDR that help save some addresses.

    I bet we could use IPv4 for 20 more years. IPv6 is too complex, bulky and inefficient.

    I studied it and the fact that MAC addresses are in it blows me away.

    Aren't the IP addresses a logical layer that prevents problems when you change a NIC ? If each time you change your NIC you have to change your address I foresee lots of trouble here.

    And 128 bits addresses, okay, but entire classes are already wasted (multicast, network IDs, etc) and in the long term we could run into the same problems !

    Anyway it's too expensive and slow for the moment. Nobody wants to pay 1 million dollars for the last Cisco router with IPv6 where the one we bought last year for another million is working just fine.

    Why not just add an extension to IPv4 if we really need these addresses ? I know it has a lot of flaws but hey, why change EVERYTHING ?
  • Re:2nd (Score:5, Interesting)

    by SEE ( 7681 ) on Sunday January 11, 2004 @09:23PM (#7948388) Homepage
    Yes, even then.

    Let's assume every single one of the 100 billion stars in the galaxy is inhabited, and each star has a population of 10 trillion humans in orbit around it, and each human has 1 billion devices that need IP addresses. In that case, only 1/340,282nd of the possible 128-bit IPv6 addresses would need to be assigned.
  • by femto ( 459605 ) on Sunday January 11, 2004 @09:26PM (#7948406) Homepage
    >There are so many IPv6 addresses that humanity will never run out of them--never, ever.

    Is this like: "I think there is a world market for maybe five computers."?

    What *if* molecular nanotechnology takes off? Humanity then decides to build a large space based object, which will be built by a massive number of 'replicators', each working within a 100nm per side cube. (Raw material will come from a passing asteroid.) It is decided that each replicator is to be individually addressable. The number of IP addresses required is then (<linear size>^3)/((100nm)^3). 2^128 addresses will be required to build a 700km cube.

    Sure, this is far fetched, and there are lots of other technologies which need to be invented before something like this can happen, but lots of today's things were far fetched in recent history.

  • Re:*NEED* (Score:2, Interesting)

    by Bob The Cowboy ( 308954 ) on Sunday January 11, 2004 @09:35PM (#7948459)

    Typical American Ethno-Centric viewpoint.

    We'll *HAVE* to move to IPv6 when the third world finally gets connected! China 1+ billion people.. India 1+ billion people.. it starts to add up!

    Americans.. a whole world exists outside of your borders you know.


    [sarcasm] Typical Non-American viewpoint. [/sarcasm]

    Not all Americans are the same. Some of us don't eat cheeseburgers, or watch football (that's !soccer to you non-americans), or drive gas guzzling SUV's.

    And how exactly is China or India less ethno-centric?

    I couldn't agree more about the usefulness of IPv6, but calling an entire country ignorant is neither here nor there.
  • by Bob_Robertson ( 454888 ) on Sunday January 11, 2004 @09:44PM (#7948539) Homepage
    IPv6 sucks. Not because it doesn't work, but because it is designed to do too much.

    The substantial increase in overhead in every packet increases traffic without increasing data being transferred.

    The substantial increase in overhead at the router level to deal with all the added "functionality".

    But let us discuss the rationale for doing it at all: The increase in available space is nice all by itself, and could be accomplished, again, all by itself, by simply increasing the number of octets in the address.

    Rather than a "dotted quad", how about a "dotted sextet"? 65.188.192.168.4.4

    That is in fact what I thought "v6" meant when I first heard about it. A simple and direct improvement in the one place where it could serve to be improved. ...but too bad. Now we have a Godzilla of a protocol being speced by people in the marketing department.

    Bob-
  • by shaitand ( 626655 ) on Sunday January 11, 2004 @10:02PM (#7948642) Journal
    firewall and nat are not mutually inclusive. You can firewall a network of public addresses, you can assign those addresses via dhcp. You don't NEED nat.

    Nat is a horrible and evil thing. Ever tried to run 4 ftp servers behind nat? Doesn't work very well does it? Right now there are barely enough ip's for every person to have one... but wait, what about work? oops now everybody needs two, but *gasp* your cell phone! Now everybody needs 3... we are already at 3 times what IPv4 can provide with what is already out there and popular and is pretty much guaranteed to be as essential tomorrow as having a hammer or screwdriver.

    What's more, people get new cellphones, they throw old ones away, sometimes have multiple phones, sometimes multiple computers. IPv6 would provide 5000 addresses for every micrometer of the surface of the earth. Giving every household on the internet a full 255 address block would be a fairly conservative approach in relation to the address space.

    Don't you want to see that world? Especially knowing it doesn't mean you can't have a router to share a net connection, and knowing that you can still be firewalled? Having public addresses means that you can configure your router not to block port x on ANY computer in your network, instead of being able to forward port x to ONE computer in your network.

    Let's just hope when IPv6 becomes mainstream one can register for addresses without a fee right up on a website instead of the political review that is required now.
  • by operagost ( 62405 ) on Sunday January 11, 2004 @10:08PM (#7948681) Homepage Journal
    Charging more for multiple IPs right now is probably legal due to scarcity. However, they can't charge you more for extra PCs. I'd say that, in the USA, the court decision made back in the 1980s that prohibited cable companies from charging extra to customers who hooked up multiple cable ready TVs (which don't need a "box") would apply here. It shouldn't matter whether the data is digital or analog - service is service, and having multiple TVs or multiple PCs isn't more of a drain on their resources. You still can't get more bandwidth than the cable modem allows you. Now, the smart way is for them to simply OFFER to hook up your multiple PCs for you at the signup.
  • by anticypher ( 48312 ) <anticypher.gmail@com> on Sunday January 11, 2004 @10:10PM (#7948686) Homepage
    I have IPv6 from my ISP. It's enabled by default for every one of their clients, and has been for more than 2 years. Most of the other small providers in Europe are now offering it standard, and I have talked with one large telco who will be trialing it this year, for a rollout before a big marketing push in September.

    But as the whingey Garfinkel points out, the U.S. is very much behind the curve in IPv6 rollouts. Typical corporate american incompetence.

    As for routers, all real routers have it. It takes more effort today to get a cisco router without IPv6, because all the machines being delivered recently come with a version of IOS which has IPv6 installed. Just waiting for a Cisco Certified Button Pusher to configure it correctly, and bob's your uncle.

    I have my own /48 block of IPv6 at home. All my machines speak it, Solaris, Mac, Windoze, BSD, cisco, Nokia, Ericsson. My firewall filters both IPv4 and IPv6 with no problem, the rulesets are quite similar. With autodiscovery, router advertisements, and all the other cool protocols built into the IPv6 specs, adding a new machine means it just works.

    While typing this response, I ran some statistics on web servers I manage. Approximately 5% of the traffic was IPv6 during the month of December, up from about 2% last June. That means that 5% of the PCs out there have IPv6 enabled, connected to an ISP offering IPv6, and are using an IPv6 capable browser like mozilla or IE6.

    the AC
  • by Scott Robinson ( 108176 ) on Sunday January 11, 2004 @10:14PM (#7948712) Homepage

    I went through the entire current posted responses, and I'm surprised people missed mistakes that - in the words of my girlfriend - must mean that the author was simply having a bad day and couldn't be writing this as a serious article.

    The most important thing that IPv6 does is quadruple the size of the Internet address field from 32 bits to 128 bits.

    Quadruple? 2^32 * 2 != 2^128. In fact, there is a very distinct difference. I would hope a writer for the M.I.T. Tech Review would know the difference.

    One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there's never a good time to have people start deploying systems that are only V6--that's because somewhere, somebody is going to have a machine that's V4 only, and they won't be able to communicate with you.

    This is so horribly backwards, he must be joking. One of the points of IPv6 is that IPv4 can be routed within and through it. (vice versa too, but let's assume we're talking about an all v6 net) The real worry would be when someone created a v6 only site that some v4 person wouldn't be able to address.

    Ugh. I think IPv6 upgrade path will be similar to analog and digital cell phones. They're still able to route to each other, and the improved features and quality of connections have caused people to leave older analog phones. The older phones still have better coverage; but, the newer phones are still able to switch to analog mode if necessary.

    Problems with a v6 peer not being accessible to a v4 peer aren't too worrying to me. The same technologies enabling Akamai and NAT will almost certainly solve that.

    One obvious solution is an automated DNS -> TCP/IP forwarding service:

    1. Your v4 peer performs a lookup for a v6 address it cannot access.
    2. The DNS server notes your IP and responds with a forwarding v4->v6 peer.
    3. The DNS server instructs the forwarding peer of the v6 address you're attempting to access.
    4. When you contact the v4->v6 peer, it performs NAT to the v6 peer.

    Amy is cute.

  • Re:NAT is bad? (Score:5, Interesting)

    by tftp ( 111690 ) on Sunday January 11, 2004 @10:21PM (#7948744) Homepage
    Though I'm still curious why my appliances need to surf the web.

    Your appliances can surf the Web even through NAT, it is perfect for that. The difference begins when your service center can ssh into your fridge and troubleshoot it remotely. That you can not have with a standard, untweaked NAT.

    This is not a contrived example, BTW. I have a fridge in my rental apartment which sometimes vibrates a lot, but often it does not. Since I don't own the fridge, I don't care as long as it's minor. But a properly designed modern fridge would be able to monitor itself, signal the service center when something bad happens, and upload the diagnostics data for the mechanic to see.

    As another example, I have a bread maker. It has a timer, but how would I know when I am going home a whole working day ahead? So I don't use it. If I have an internet connection to the bread maker, I could begin the baking cycle 3 hours before going home, and get a nice loaf exactly when I need it.

    It is also hard to argue that you'd like to ssh into your VCR or Tivo and program them to record something that you just remembered. More than once people called me and asked to tape Buffy or something because they forgot :-)

    Some of my friends are seriously involved with home automation. They have tons of gadgets, sensors, motors and everything else. Currently, a Web server is used to control all that. But that is extra complexity. With IPv6 you add devices as you need them, and they are instantly online, accessible to you as long as you have the IPSec key or whatever you choose to secure them.

  • by Zeinfeld ( 263942 ) on Sunday January 11, 2004 @10:50PM (#7948907) Homepage
    "the entire internet was shut down for a day or so to switch over to IPV4"

    Slashdot vs MIT Tech Review, well Simson Garfinkel...

    If people actually read the article... so it is Slashdot blathering as usual.

    Simson is only saying out loud what everyone who has anything to do with the real Internet has known for years. There is a crushing need for IPv6 and the IETF plan for transition is about as practical as a manned space trip to Mars - not impossible but likely to cost a couple of trillion dollars and take until 2030.

    The IETF have been blowing smoke on this one for ten years now. The IPv4 transition took place when the users of the Internet could all meet together in the same room.

    Rather than daemonizing NAT, the IETF should have worked out a way to co-opt NAT technology as a means of gatewaying between the IPv4 and IPv6 worlds. Instead a bunch of people got all bent out of shape because the real world did not fit their architecture the way they thought it should.

    Simson does not get the security issue quite right, NAT is not a perfect security solution, but it does have definite advantages. I don't have to worry about any of the machines behind my NAT box being probed on an unexpected port - important if you run alpha releases of stuff. Basically you need some form of perimeter security, you also need protocols designed to play nice with perimeter security. Unfortunately a lot of videoconference protocols are completely unworkable firewall wise - they use hundreds of ports for no real reason.

  • by Cramer ( 69040 ) on Sunday January 11, 2004 @11:13PM (#7949037) Homepage
    > The IPv4 transition took place when the users of the Internet could all meet together in the same room.
    And it wasn't "The Internet" back then. It was ARPANET. Plus, the researchers using the network didn't really care if it was broken for a few days; they had other means of communicating.

    People have been crying wolf over the address space for decades. Year after year, it's the same prediction. We will eventually run out of IPv4 addresses, but I doubt I'll be alive then.

    Simson also fails to realize the greed of ISPs. If you think you're going to get more than one static, public IP(v4/v6) address, you're an idiot. Very few ISPs explicitly allow more than one computer per account. And almost none provide static addresses -- even if your DSL/cablemodem has held the same address for months, it's still dynamic and subject to change.
  • Re:Typical (Score:2, Interesting)

    by isdnip ( 49656 ) on Sunday January 11, 2004 @11:15PM (#7949044)
    The point is: IPv4 is not the problem; IPv6 is not a good solution to the alleged problems.

    Not all of the IPv4 address space has been parceled out. ICANN has a lot of the original "Class A" space available. The space from 65-126 was never allocated as Class A; it has been parceled out to the three worldwide number assignment bodies on a demand basis. Quite a bit is left. There are also some Class As that can probably still be reclaimed, in whole or in part. NAT has also helped a lot in holding down demand for numbers.

    Even if numbers were in desperately short supply and IPv4 couldn't handle the job, IPv6 wouldn't be the answer. It's plug-ugly, the bastard child of two amateurish hacks by IETF insiders (Steve Deering's SIP -- the current SIP is at least the second holder of the name -- and Paul Francis/Tsuchiya's PIP), melded together sloppily in order to get "consensus". IAB had already accepted TUBA, a far cleaner solution, but Vint changed his vote. What a friggin' disaster. TUBA (TCP and UDP over a CLNP profile) had already been implemented on all of the major routers of the day. It just hit a wall of "NIH", since its creation was tainted by its OSI connection.

    But that was all before the Internet was big or open. If a replacement for v4 were really needed, it should not be yet another old hack. It should be something built with today's requirements in mind, not 1990's. Real network research, alas, seems to have shut down at about the time that the Internet became commercially important. Too valuable to question, I suppose, and all the newcomers from Microsoft to SCO must imagine that it must have been well thought out in the first place (hah! it was government research, still alpha or maybe early beta work in progress) but that is a terrible way to maintain it.

    And back to our Asian friends: Software has never been their strong point. Nor has questioning authority; too many, I suspect, assume that the TCP/IP suite has too much authority behind it. Asia's marvelous at mass-producing hardware, an art which involves being able to reproduce things perfectly in media that make it difficult to do so. So if they accept IPv6, it is not necessarily proof that it's, say, Toyota-grade technology. Even Japan has its clunkers. (Remember Pink Lady and Jeff?)
  • Re:Do we need IPv6 ? (Score:3, Interesting)

    by Detritus ( 11846 ) on Monday January 12, 2004 @12:58AM (#7949737) Homepage
    > Entire classes of addresses are reserved for things we don't REALLY use like multicast and so on.

    You don't use multicast. There are large organizations that use it for transferring huge quantities of data across the globe.

  • The solution is for routers sold with IPv6 support to come configured by default to have rules that prevent any incoming connections from the 'outside', wherever that may be for the router in question. That's just as secure as NAT, and doesn't have the stupidity of non-addressable nodes that somehow still get IP traffic from the outside.

    Have you ever thought that IPv6 might actually increase security? It makes address scanning completely impractical. The method by which Code Red, and several other worms have spread would no longer work at all.
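
Added example, not part of any comment in this thread: a minimal Python model of the default-deny inbound rule suggested in the comment above, applied to hosts that keep their own public IPv6 addresses. The class names, the documentation prefix 2001:db8:1::/48 and the sample packets are constructed for illustration; ICMPv6 handling and anti-spoofing checks are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class StatefulFilter:
    """Default-deny inbound filter for a routed (non-NAT) IPv6 site."""
    inside: ipaddress.IPv6Network
    # (proto, dport) pairs deliberately opened for every inside host
    open_ports: set = field(default_factory=set)
    # reply tuples we expect from outside, learned from outbound traffic
    flows: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        src = ipaddress.IPv6Address(pkt.src)
        dst = ipaddress.IPv6Address(pkt.dst)
        src_in, dst_in = src in self.inside, dst in self.inside

        if src_in and not dst_in:
            # Outbound: allow, and remember the tuple the reply will carry.
            self.flows.add((pkt.proto, dst, pkt.dport, src, pkt.sport))
            return "accept"

        if dst_in and not src_in:
            # Inbound: only replies to known flows or explicitly opened ports.
            if (pkt.proto, src, pkt.sport, dst, pkt.dport) in self.flows:
                return "accept"
            if (pkt.proto, pkt.dport) in self.open_ports:
                return "accept"
            return "drop"

        # Inside-to-inside traffic passes; transit traffic is not ours to carry.
        return "accept" if src_in else "drop"


def demo():
    """Run constructed sample packets through the filter, return verdicts."""
    fw = StatefulFilter(ipaddress.ip_network("2001:db8:1::/48"),
                        open_ports={("tcp", 22)})
    host_a = "2001:db8:1:1::10"     # constructed inside hosts
    host_b = "2001:db8:1:2::20"
    outside = "2001:db8:ffff::1"    # constructed outside host
    return [
        fw.handle(Packet(outside, 50000, host_a, 135)),  # unsolicited probe
        fw.handle(Packet(host_a, 40000, outside, 443)),  # outbound connection
        fw.handle(Packet(outside, 443, host_a, 40000)),  # its reply
        fw.handle(Packet(outside, 443, host_b, 40000)),  # same ports, wrong host
        fw.handle(Packet(outside, 50001, host_a, 22)),   # opened port, host A
        fw.handle(Packet(outside, 50002, host_b, 22)),   # opened port, host B
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two packets show the property raised elsewhere in the thread: with public addresses, one opened port applies to every inside host instead of being forwarded to a single one.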

  • by fuzzel ( 18438 ) on Monday January 12, 2004 @04:31AM (#7950583) Homepage
    IPv4 = 192.0.2.2 (IANA TEST-NET ;)
    Thus:
    2002::::/48 or in hex:
    2002:c000:0202::/48 compress that a bit:

    2002:c000:202::/48

    Now, IPv6 has 128 bits, minus the 48, leaves you with 80 bits for yourself which is the default site delegation, we use a /64 on each link, thus you can have 65535 networks you meant ? :)

    a /48 is also 80bits - 32bits (IPv4) -> 48 = 2^48 = 281474976710656 bigger than the IPv4 space in terms of single IP addresses ;)

    But.... 6to4 looks good, it won't be as long as there are no relays close to you and there are only few of those. See The 6to4 list [kfu.com] or check your traceroutes to the anycast address...
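
Added example, not part of any comment in this thread: the 6to4 mapping worked through in the comment above (192.0.2.2 to 2002:c000:202::/48), done with Python's standard `ipaddress` module, plus the reverse step a defender uses when reading logs, recovering the IPv4 address embedded in a 6to4 source. The function names and the `NON_GLOBAL_V4` list are illustrative choices, and the sample addresses are constructed.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")

# Illustrative (not exhaustive) IPv4 ranges that can never be a valid
# 6to4 site address, because 6to4 needs a globally unique IPv4 address.
NON_GLOBAL_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:V4ADDR::/48 site prefix for an IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    # 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    value = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((value, 48))


def link_subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Return /64 number subnet_id (0..65535) inside a /48 site prefix."""
    if site.prefixlen != 48 or not 0 <= subnet_id < 2 ** 16:
        raise ValueError("need a /48 site and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 address inside a 6to4 address, or None if not 6to4."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def suspicious_6to4(ipv6: str) -> bool:
    """True if a 6to4 source embeds an IPv4 address that cannot be global."""
    v4 = embedded_ipv4(ipv6)
    return v4 is not None and any(v4 in net for net in NON_GLOBAL_V4)


if __name__ == "__main__":
    site = sixtofour_prefix("192.0.2.2")
    print(site, "->", site.num_addresses, "addresses")
    print("first two links:", link_subnet(site, 0), link_subnet(site, 1))
    # Constructed log sources: one ordinary 6to4, one embedding 10.0.0.1.
    for src in ("2002:c000:202:1::10", "2002:0a00:0001::1", "2001:db8::1"):
        print(src, embedded_ipv4(src), suspicious_6to4(src))
```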
  • What a Load of Hokum (Score:3, Interesting)

    by fuzzybunny ( 112938 ) on Monday January 12, 2004 @05:12AM (#7950695) Homepage Journal

    I haven't read such a pack of bunk in a long time--it's not worthy of the MITTR.

    Garfinkel claims that IPv6 won't be viable to roll out because routers need to be upgraded. Dude, that is an ongoing process. Does he think that today's IPv4 routing hardware can handle tomorrow's IPv4 traffic? Let's see, how many protocols did the early Internet support? I guess they never merged to IP, because it was too expensive.

    Also, he's a bit of a pollyanna about NAT--NAT is not a reason for why IPv4 is going to survive. It's a fiendishly shit kludge. Ask anyone that received a 10.0.0.1 answer from Verisign DNS last week. NAT sucks. It's a fix, but it sucks.

    Lastly, IPv6 shouldn't be deployed because it relies on _software_ being changed? Oh gee, I'm sorry Mr. Garfinkel, but I'd completely forgotten that every single networked application, nameserver, mail server, and web server has evolved code-wise to a layer of abstraction and perfection that we never have to worry about another security hole again! Aren't we happy that we've all reached BIND25, which never ever has to be touched again for as long as we live?

    What an idiot.
  • by stgray98 ( 515111 ) on Monday January 12, 2004 @11:16AM (#7952218)
    Ok, I apologize for the stream of consciousness style of my posting but there were a couple of issues that I just didn't get.

    First, OK, NAT IS THE DEVIL. But the author's security argument about NAT was that people were using wireless LANs and getting in through the backdoor to attack the PCs. IPv6 doesn't do anything to mitigate that.

    Second, the idea that having every object in your house have a two way freeway to the internet has to be a ddos attackers dream come true. Sure I can see my 67 year old dad setting up a firewall to keep his web enabled toaster from sending out bad and evil packets onto the internet. Right after he wins the XPRIZE for that orbital Refrigerator he has been working on. Get real, most users can't figure out what an icon really is, and now they will be the key to securing this brave new world.

    Third, does this not let ISPs charge more now that we will be using 100's of IP addresses?

    4th, think of all the applications that haven't even been thought of yet. Come on. At least with the new ipv6 we will be able to watch his daughter go to college, and probably follow her on dates and to the bathroom. PROGRESS? Not meant to be an insult, but the prurient aspects of all this technology just floor me sometimes. I guess I am a Luddite.

    So in closing, I think it will happen and I for one don't care if we (the US) lag behind. In the long run that will make it cheaper for us and the pioneers can take those arrows for us. And as for using up most of the ipv4 address space, what can be said but "WE RULE"!!!

  • by john_uy ( 187459 ) on Monday January 12, 2004 @11:25AM (#7952311)
    there are lots of other advantages of ipv6 compared to ipv4:

    routing - different rirs have now created policies that will make routing much more efficient. it will be hierarchical so routing tables will be much smaller (thus faster routing.)
    headers - the ipv6 headers have been optimized compared to ipv4, data transmitted includes qos (standard)
    multicast - no more broadcast. we don't have to worry about too much data storms in our network (better bandwidth utilization.)
    autoconfig - ipv6 provides for automatic configuration of ip addresses. this will make transition much easier since most devices can be made ipv6 ready and activated and it will automatically configure itself and run on ipv6.
    tunneling - you can do endless tunneling to seamlessly support ipv4 and ipv6 networks together. you can easily put an ipv6 backbone with ipv4 clients running (with all translation under the fe80 range.)
    addressing - clear policies have been made with regards to addressing (and routing as well) to prevent problems that have plagued existing ipv4 networks. the division of the /128 into multiple subbits (like /4) helps in the logical arrangement in the address.

    maybe since mit has 16.7 million ip addresses, they are afraid of ipv6. based on existing policies agreed upon by rirs (arin, apnic, ripe), you will be allocated a /48 (65535 subnets) if you are able to utilize 200 subnets within 2 years. by default (i don't know how they run their network - if it is efficient or they just subnet their network and waste all the ip addresses) they may have a hard time getting allocation from arin. they might need to get the suballocation from a provider (since it is hierarchical) so that's why they are opposed to the idea.

    even if they do not switch to ipv6 (i hope they will be the last one.) the entire world will be running in ipv6. here in asia, it is much harder to get ipv4 addresses. so we are already experimenting with ipv6 (and readying for production grade native ipv6 networks with full peering and routing - we have purchased ipv6 routers in preparation for a full ipv6 backbone with ipv4 tunneled instead.)

    software is increasing its support with ipv6. windows xp already has support (not so savvy end users can now start benefiting from ipv6.) linux and apps already have support. most network equipment now supports ipv6. heck my mobile phone can access an ipv6 network natively!

    final words. go ipv6! it's about time. (and note to all admins, experiment with ipv6 and you'll see.)

    p.s. slashdot was inaccessible for a few minutes before i posted this content
  • by Anonymous Coward on Monday January 12, 2004 @01:26PM (#7953671)
    >There are so many IPv6 addresses that humanity will never run out of them--never, ever.

    I have heard statements like this before... networked nanotechnology and RFID tags anyone?
  • Re:Excuse me but... (Score:2, Interesting)

    by McMuffin Man ( 21896 ) on Monday January 12, 2004 @03:12PM (#7954763)
    In fact, as a supplier of firewalls to the DoD, I can verify that they are insisting that all suppliers demonstrate IPv6 capabilities by the end of 2004. We may only be completing our IPv6 code because the DoD demands it, but once it's in the product we'll happily sell it to all comers.
  • by briancnorton ( 586947 ) on Monday January 12, 2004 @11:14PM (#7959206) Homepage
    As for home and 3G: huge volumes of IP-enabled kit will be shipped in the next 5 years (think TV, DVD recorder, hi-fi, personal MP3 players, fridge, alarm clock with weather forecast built in, etc.)

    This is kind of silly in more than one way. I have a dozen or so net-connected devices in my house on a broadband connection. Each and every one is on a NAT router/firewall. (there really isn't another way to do it) Would YOU have it any other way? Would you really want your alarm clock to have a global IP address? Until they release an alarm clock with a firewall, mine will be NATed. I really need to get to work on time.
