
How Feds are Dropping the Ball on IPv6

Posted by CmdrTaco
from the go-long-go-long dept.
BobB-NW writes "U.S. federal agencies have six months to meet a deadline to support IPv6, an upgrade to the Internet's main communications protocol known as IPv4. But most agencies are not grabbing hold of the new technology and running with it, industry observers say. Instead, most federal CIOs are doing the bare minimum required by law to meet the IPv6 mandate, and they aren't planning to use the new network protocol for the foreseeable future."
  • by anticypher (48312) <anticypher&gmail,com> on Monday December 17, 2007 @12:55PM (#21726356) Homepage
    Every major OS has IPv6 installed and enabled. Vista and XP, MacOS-X, all the BSDs, all the major Linux distros, Solaris. Older OSes like XP-SP1 or Win2k can get IPv6 installed or enabled with little trouble. It's a package install on Linux if it isn't there already.

    Every major networking equipment supplier has IPv6 support on their product lines, although some still charge for turning it on. All the high-end Cisco routers and switches support it natively, but charge extra for the IOS image that can use it. Foundry's current product line supports it everywhere. Juniper has pretty much always had IPv6. Working down the list of less popular suppliers shows most of them have some level of IPv6 support. Sure, most of the older networking equipment can't deal with v6 traffic, and the useful life for old kit is long enough that it's still probably 70% of the installed base.

    Most internet enabled mobile phones have IPv6 built in, but it tends to be invisible to the user because the phone companies are only using it for local communications, if at all. All the Nokias support IPv6 in their network stack, but I haven't seen one system that takes advantage, yet. iPhones and iPod Touches have v6 enabled by default, and if they connect to a WiFi system that has v6 router announcements, they'll autoconfigure and Safari will use it transparently.

    Where IPv6 support falls down is in super-cheap consumer networking products. All those little $40 DSL modem+firewall+4 port switch boxes just don't support v6 at all. The only good news is from when I was in discussions with the Chinese company behind many of these boxes. The versions released in China are all IPv6, it's only the versions sold outside China where they just don't include it because there is no market demand.

    The only real problem right now is with ISPs. Until the engineering staff inside ISPs and hosting companies take the responsibility to start turning it on, sales and marketing will remain blissfully unaware that it can be sold.

    One of the largest ISPs in Europe turned on IPv6 to all 8 million users this week. They've done the right thing and made it opt-in for now, their customers have to go to their control panel web page and turn it on, but almost 50,000 people did in the first 24 hours. They turned it on, and their Macs and Win machines started using IPv6 with no need to do anything other than tell Firefox and Tbird to start using IPv6 for DNS lookups. Because this one major ISP did this, their main competitor has been forced to make plans to enable IPv6 in January. After that, any ISP that doesn't have IPv6 turned on will be branded as "obsolete" or "incompetent".

    the AC
  • Re:why not an IPv4.1 (Score:5, Informative)

    by jandrese (485) <kensama@vt.edu> on Monday December 17, 2007 @01:01PM (#21726454) Homepage Journal
    Because there is no space in the IP header for that, and no router support. This means you'd have to extend the IP packet header by creating a new protocol number and once you get all of that stuff done and implemented, you have done just as much work as you would have done to switch over to IPv6 (which is after all just another protocol number). One of the primary design goals of IPv6 was to avoid ever having to make this transition again (look how painful it has been already), so halfassed solutions that will require us to make yet another transition down the road are less than appealing.
  • by Sycraft-fu (314770) on Monday December 17, 2007 @01:10PM (#21726564)
    That is the reason why we don't do IPv6 where I work (university). A lot of people think it is easier, and more importantly cheaper, than it really is because they've worked on small networks, or have been at a place that did IPv6 wrong.

    What happens on a large, high speed, network is that your routers rely on hardware acceleration to be able to pass traffic as quickly as you want, while still implementing all the rules you want. What that means is there are ASICs of various kinds that can handle various kinds of traffic. On older hardware (and some newer too), these are for IPv4. So anything else has to be handled by the router's CPU, which really isn't very powerful.

    So, what that means is that you can technically support IPv6 by just turning it on, but only if you are willing to do it poorly. If we enabled it on all the routers, we would effectively support IPv6 internally. Great, and initially everything would work fine. However if any significant number of people actually decided to use it, network performance issues would come up in a hurry.

    To really support it we have to buy new routers that support IPv6 in hardware. This could be done, but it would be expensive. Last time it was looked at the price tag was over $5 million. As you can probably guess, the university wasn't that interested in spending money like that for what was perceived to be no gain at all.

    So while in a smaller network, where there's only an edge router and it isn't very high speed, yes IPv6 can be as simple as some software updates and turning it on for all devices. However when you have a larger, higher performance, network, you often need new hardware. That's a lot of money, and it is hard to justify that being spent for no real gain.
  • by coolGuyZak (844482) on Monday December 17, 2007 @01:16PM (#21726658)

    the onerous idea of tracking every conceivable device right down to bullets fired (look it up) is staggeringly senseless overkill.

    I tried to look up the result on Google [google.com] multiple [google.com] times [google.com] and wikipedia [wikipedia.org], finding nothing. Interestingly enough, your post is the first quote in the first google search.

    If you're going to ask us to research something ourselves, please have the courtesy to provide enough information for the search.

  • by postbigbang (761081) on Monday December 17, 2007 @02:40PM (#21727992)
    For further info, look at the bottom of this page in PCWelt: http://www.pcwelt.de/index.cfm?pid=839&pk=51740&p=5 [pcwelt.de]; it describes it nicely.
  • by anticypher (48312) <anticypher&gmail,com> on Monday December 17, 2007 @02:51PM (#21728140) Homepage
    has anyone here on /. actually upgraded a network to be IPv6 compliant and what can you tell us about real world experience.

    I've done it. And now that I have a couple of posts in this thread banging the drum FOR IPv6 and correcting serious misconceptions, I'll use this thread to trash IPv6 :-)

    On most networking equipment, turning on IPv6 is no more complex than a global "ipv6 routing" and setting the address on interfaces just like you do for IPv4. I'll use a pseudo-cisco example:
    interface Gig0/0
    ip address 223.123.40.1 255.255.224.0
    ipv6 address 2001:1a1:98b5:1::1/64

    After that, most modern OSes on that segment will recognize the router announcements, autoconfigure, and start using IPv6. That's the easy part.

    All routers and switches introduced to the market in the last two or so years seem to support v6 traffic, in VLSI hardware for the higher end kit. In fact, I haven't seen one new product announcement in at least two years that didn't have wire speed IPv6, no more passing unknown packets to CPU. But new kit is only put in slowly, and old kit has a useful lifespan of around a decade. Try passing IPv6 traffic on an older layer2 switch over a dedicated vlan, and many older switches can't deal with production traffic levels.

    Once you start climbing the protocol stack you run into more problems.

    With the sole exception of OpenBSD's pf firewall, there isn't a firewall out there that does IPv6 fully. Many firewall manufacturers will announce IPv6 support, but all that means is they have a rule for detecting IPv6 packets and either dropping them or passing them. They can't filter on address ranges or higher level protocols. One big manufacturer of firewalls now claims they support IPv6 because although their equipment doesn't yet support it, their tech support will take feature requests. Network security software (types like nmap) has little to no support, mostly because the authors have no real world examples to code around.

    Services vary in their v6 support. Bind is fantastic. Apache kind of supports it, but many modules in Apache2 choke when it's turned on. The web programming languages are all a mess in their support; perl, PHP, java, python and the rest are a complete gamble, and even when support is mostly there, bugs crop up all over the place. The databases used behind many websites, such as MySQL and Postgres have spotty support, and if you don't go back and clean up your database code, they'll return all kinds of shit if the webserver starts passing in IPv6 addresses where someone hardcoded 4 bytes. Some of the freeware/GPLed/opensource projects like ircd and jabberd seem to have full support, and there are very few service daemons that don't at least acknowledge IPv6 existence.

    Up at the application level, all modern browsers will use IPv6 correctly. Many apps written for Apple OSX make use of IPv6 if it's present, the only exception I know of is skype. All my networks, and most of my clients' networks are dual stacked, so I never even notice that all my SSH sessions are over IPv6, as are all my web connections to nagios or cacti machines, our instant messenger traffic and most everything else. At least at the user application level, there have been years of preparation and it shows. On Vista, what little playing around I've done shows almost no application level support except IE7 which works as well as IE7 possibly can.

    Small networking appliance support is almost non-existent. Except for Apple's wireless networking box, there isn't a DSL or cable modem on sale in the west that has support. In China, Korea, Japan and a few other south-east Asian countries, most CPE boxes have IPv6 support, because most ISPs are forced to use it as they can't get enough IPv4 addresses for their end users. Much of the IPv6 web traffic I see outside my own little European island is to sites in the far east, where support is widespread.

    Mandatory IPSec security is a joke, many v6 n
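
The "hardcoded 4 bytes" failure and the address-range filtering gap described in the comment above, shown as an added example that is not part of the original thread. Function names are illustrative, and the ACL reuses the two interface addresses from the comment's pseudo-cisco snippet; the sample inputs are constructed.

```python
import ipaddress
import struct

# ACL built from the two interface addresses in the comment's pseudo-cisco snippet.
ACL = [
    ipaddress.ip_network("223.123.40.1/255.255.224.0", strict=False),  # 223.123.32.0/19
    ipaddress.ip_network("2001:1a1:98b5:1::1/64", strict=False),
]

def legacy_pack(addr: str) -> bytes:
    """The hardcoded-4-bytes pattern: only dotted-quad IPv4 survives this."""
    return struct.pack("!4B", *(int(part) for part in addr.split(".")))

def pack_addr(addr: str) -> bytes:
    """Store any address in 16 bytes; IPv4 is kept as IPv4-mapped ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return b"\x00" * 10 + b"\xff\xff" + ip.packed
    return ip.packed

def unpack_addr(raw: bytes):
    """Return an IPv4Address for mapped values, otherwise an IPv6Address."""
    ip = ipaddress.IPv6Address(raw)
    mapped = ip.ipv4_mapped
    return mapped if mapped is not None else ip

def allowed(addr: str, acl=ACL) -> bool:
    """Range check after normalisation, so ::ffff:a.b.c.d hits the IPv4 rule."""
    ip = unpack_addr(pack_addr(addr))
    return any(ip.version == net.version and ip in net for net in acl)

if __name__ == "__main__":
    for sample in ("223.123.40.9", "::ffff:223.123.40.9", "2001:1a1:98b5:1::beef",
                   "223.123.64.1", "2001:1a1:98b5:2::1"):   # constructed samples
        print(sample, pack_addr(sample).hex(), allowed(sample))
    try:
        legacy_pack("2001:1a1:98b5:1::1")
    except ValueError as exc:
        print("legacy 4-byte packer rejects IPv6:", exc)
```

Normalising before the range check matters on dual-stacked hosts: the same client can appear as `a.b.c.d` or as `::ffff:a.b.c.d` depending on which socket accepted it, and a filter that compares the raw string or only the 4-byte form treats those as different sources.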
  • Re:As things go ... (Score:2, Informative)

    by mrbcs (737902) * on Monday December 17, 2007 @04:43PM (#21730454)

    World production of crude oil maxed out at 85 million barrels per day this year. (yes they have a slight hiccup for October at 86 million, probably due to rounding)

    http://www.worldoil.com/INFOCENTER/STATISTICS_DETAIL.asp?Statfile=_worldoilproduction

    We will only know when the peak is AFTER the peak. If we cannot reach 85 or 86 mbpd next year, then we've gone past peak. This information is so obvious and yet there are lots of people in denial. Oil hit $100 a barrel this year. Next year look for $200 a barrel. The entire world economy is about to self destruct and we have millions of people taking the blue pill.

    Why in hell would we be trying to get oil out of the tar sands if there was lots of sweet crude in the 1000 meter holes typically found in Alberta? We've used most of it up and nobody wants to say so because of the panic that would ensue.

    If you want to take the red pill and find out how bad it really is, read kunstler. http://jameshowardkunstler.typepad.com/clusterfuck_nation/ [typepad.com]
