Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re: Fricking finally. (Score 1) 294 294

Ok, you can think all you want.

You're wrong. I get to handle messed up issues where folks can't reach ipv4 sites on a fairly regular basis.

Our customers do not call the company of the website they're having a problem reaching. They call us. And when we find out that the problem isn't on our end, our folks have to get in touch with their provider, who will then either fix it (if it's their fault) or talk to their customer and get them to fix it.

If the big ISP's decided to take a 'you will use ipv6 only stance', then grandma would be mad at us if she couldn't read and post on her basketweaving forum.

Now, don't get me wrong, I'd love it if we'd be ballsy enough to make such a move. But the average end user is not understanding or reasonable. They expect their stuff to just work, and when it doesn't just work, they get mad at the people they're paying money to in order to make it work.

In a market that's saturated and the only growth comes from taking your competitors customers, we'd be handing our competitors a golden opportunity to stick it to us. I can see the ad campaigns now 'Comcast won't let you get to your basketweaving website? Come to AT&T! We have full internet connectivity!'

Comment: Re:Security and IPv6 (Score 1) 294 294

Are you saying that IPv6 address can not be placed behind a firewall? Just because it's a publicly addressable block doesn't mean it can't be firewalled off. There are entire companies running on 'real' ipv4 addresses right now that can't just be nmaped because they are secured with a firewall. NAT is not required to create that curtain, proper network security (firewall, acls, gateways, routing, etc) is.

The rest of it, well i'm not expert so I can't comment.

But why can't we just get major ISPs to start handing out ipv6 addresses for external communication and just use ipv6 to ipv4 nat technology internally?

I suspect that is where a large part of it is going to go. I think alot of ISP's are going to start employing v6 to v4 gateways.

The problem with that, however, is going to be DNS.

Let's say my host is native v6 only, no ipv4 address. And I'm trying to reach a site that has ipv4 connectivity only, no v6 DNS records.

About the only way that's going to work is if the DNS server I'm using returns a result that points me to a v6 to v4 gateway for sites that don't have AAAA DNS records. I seem to remember folks getting up in arms when someone tried that for non-existent ipv4 domains.

Fortunately, that problem has already been solved. NAT64/DNS64 are viable migration alternatives, and one I'll be implementing on the home network as soon as my ISP decides they want to actually roll out native IPv6 connectivity (though I am a Comcast employee, I do not live in a Comcast area. Sometimes, there is a downside to being a telecommuter)

Comment: Re:Security and IPv6 (Score 1) 294 294

Good luck trying to scan an ipv6 range...
The smallest subnet is a /64, even scanning every host there for a single port would take a LONG time.

That's not even close to true. You need big subnets if you're going to use autoconfigs based off of MAC Address sure, but with DHCPv6, there's no 64-bit boundary, you can break your subnets into whatever chunks you want and allocate IP's out of that.

Now, the subnets are still going to be big. I mean, if you break your allocations down into /96 blocks, for example, and hand those to the end users, you'd still be needing to port scan the equivalent of the entire ipv4 address space.

Comment: Re: Fricking finally. (Score 1) 294 294

They don't call the businesses that they're trying to reach and can't though.

They call the ISP.

Since Comcast now has more Internet customers than cable subscribers, taking an ipv6 only stance would be committing suicide. The subscriber loss (and therefore, revenue loss) that would incur would piss off the shareholders, who would murder the company for failing in their fiduciary responsibility.

Instead, Comcast is fully dual-stacked. As companies transition over to ipv6, the Comcast network is ready and fully capable of supporting them.

Comment: Re:I've got some I can sell ya (Score 1) 294 294

Never going to happen. IPv4 network stacks are hard coded to not recognize anything 224 and above as valid host addresses. In order to actually use the multicast space, you would quite literally need to update every single network and host device in existence to support that. And not just the v4 stacks, it'd also be lower level things like the dynamic routing protocols that use link local multicast for neighbor discovery.

The amount of cost and pain it would cost in order to reclaim the Multicast and experimental ranges far outstrip the costs and pain to simply migrate to ipv6, especially since the amount of space gained is paltry compared to the growth needs.

Comment: Re:Cell phone uses IPv6 (Score 3, Informative) 294 294

My cell phone has been on IPv6 for years. Everything I have is ready for the conversion. What is holding it up?

Suckage.

I recently disabled IPv6 on my router because too many sites were slow loading. It was particularly bad with Wikipedia, which usually just timed out after a few minutes. OTOH, IPv4 works fine for the same sites.

I don't know where the trouble is, Wikipedia or my ISP (U-Verse) or somewhere in between or some problem with my computer... but in its current state, I can't endorse switching.

I actually see alot of this. Customers complaining about slow surf, and these days, that's one of two things - A. Capacity B. Bad IPv6 routing. Since v6 is preferred, if the v6 path is bad, it'll take awhile to time out before it falls back to ipv4, and looks alot like network latency.

A large part of the problem is that companies are defining AAAA DNS records without making sure that their upstream provider has actually gotten their v6 routing in shape, but even the ones that have done that doesn't help when the end user is connected to a network that isn't directly connected to their destination, and the end users provider doesn't have their v6 routing in shape.

The real holdup, however, are the end user networks. Most of them simply aren't built to be accessible over ipv6. It's possible for the ISP's to provide entirely transparent v6 connectivity to it's end users, but if the places they're trying to go isn't v6 capable, that engineering has gone to waste. It's still wise to do it, as a migration to v6 is inevitable, but it's hard to justify the money making it right.

Unfortunately, I suspect that most folks will simply try and use stopgap measures. Carrier grade NAT, transparent gateway proxying, etc.

Eventually there will come a point where someone smart will say 'you know, we're spending alot of time and effort and adding more points of failure to the network to try and keep this legacy connectivity alive. It will actually simplify operations if we just go ipv6 native'.

If you're smart, and you have the opportunity to build out a network in this time and place, you do it dual stacked, and treat ipv6 connectivity as seriously as you treat ipv4 connectivity.

Comment: Re:It's the end of the world as we know it! (Score 1) 294 294

Alot of that growth is actually due to Comcast.

Cable Modem IP's were changed over to use IPv6 for their management addresses a couple years ago. Most Comcast CMTS's have very little space allocated for IPv4 management (usually a single /23) for those who are still running older modems that can't do IPv6 at all.

Likewise, DHCPv6 has been deployed for a couple years as well. So if you're using a consumer grade router that has IPv6 capability, it will pull a v6 allocation.

Since virtually every single modern OS has v6 capability, it's turned on by default, and it's preferred over v4, there are quite a few people out there who are going to popular v6 enabled websites (google, facebook, etc) without even realizing it.

I'm a network ops monkey for Comcast, so have direct experience in all this (one of my primary job functions was to get all the routing kinks worked out for a large part of the network before IPv6 day back in 2012), and while we're not on the verge of running out of v4 space, it's alot tighter than it used to be, and we're pretty careful about how we allocate them, we have a team dedicated to managing the v4 space, and they're pretty good at making sure we don't have large gobs of v4 space sitting around allocated but unused. We do alot of work to drive as much to v6 as we can without making it hard on the customer.

It wouldn't surprise me if there are other major ISP's who are doing the same. You can expect growth in this area as more and more networks realize the same thing, and as folks upgrade their old gear.

Comment: Re:Corruption is it's own reward (Score 1) 161 161

Every toll road has a toll for X years. Then after X years... it keeps the toll. Every time, no one can turn the tap off.

That's actually not entirely true. Georgia State Road 400 was a toll road. It was supposed to keep it's toll for 20 years, expiring in 2011. However, Governor Purdue and the State Road and Tollway Authority voted to extend tolls until 2020.

However, despite the above extension, Governor Deal and the SRTA decided to end tolls. In December, 2013 the toll plaza's on GA 400 collected their last tolls.

So while they did get a couple extra years of toll collection out of it, they did actually turn it off like planned.

Now, I don't think that they were entirely altruistic about it. It happened after they put in the toll express lanes on I-85, and alot of Georgians used GA 400, but alot also avoided it because of the tolls. I-85 is a little more difficult to avoid, and when you're stuck on the I-85 parking lot, that 2 bucks to use the express lane becomes alot more appealing.

Comment: Re:GTT/Nlayer (Score 1) 181 181

You do realize, that in the example provided, Comcast to Nlayer was a steady 21Mbs, while AT&T was the sub Mbs carrier, right? The problem wasn't Comcast to Nlayer.

The funny thing is, if you read the article, that is the only time in the entire thing Comcast's name is mentioned, and it's not in a negative way.

But I guarantee you that everyone is going to assume Comcast is one of the five mentioned in the summary just because of the general bias.

Comment: Re:Why use ISP email? (Score 1) 265 265

And actually, I should say this -

By switching over to Google Apps, I actually saved money. I was paying Linode 10 bucks a month for a VPS. I pay Google 8.33 a month for 2 users (me and my wife), so I ended up saving money and time with the change over. It was a no brainer

Comment: Re: Google (Score 1) 265 265

I'm pretty sure the only thing they drop is mail with infected attachments. Everything else they think is junk gets sent to the spam folder.

I mean hell, I had more problems with false positives from Outlook marking crap as junk than I ever did from Google, until I decided to just turn off the Outlook junk filtering and trust Google instead

Comment: Re:Why use ISP email? (Score 2) 265 265

For the technically savvy, sure. For the average everday user, this option is right out.

This is what I used to. Unfortunately, keeping my spam filters up to date ended up being a pretty major chore. Even with blocking everything but english, I still spent more time than I wanted training the filters what was spam and wasn't.

So I started to think about how to fix this. Then I realized that my gmail account rarely, rarely gets spam.

So I setup Google Apps for Work and moved my domain email hosting over to that. It's worth the 5 bucks a month.

And I fully agree, anyone using their ISP's email service is a bad nerd. Not being able to take it with you, or having crap like the Comcast fiasco's where they give your email address to someone else accidentally is just shooting yourself in the foot.

Me? I want the control over my email addresses, but I'm perfectly happy to outsource the filtering chore to Google since they're really good at it

Comment: Re:I wonder... (Score 1) 277 277

Windows 8 was doomed simply because it was a radical shift from what people had been used to going back to Win95. Sure, In between Win95 and W2k there was some face lift stuff done to the UI to tweak and polish it, but basic functionality remained the same - Click Start, find your program, click on it, go to work. If you needed to fiddle with settings, you click on start and click on Control Panel

Trying to cram a touch screen style interface down the throats of point and click users..... of course that was going to end badly.

I personally don't upgrade my windows versions quickly and easily. I stuck with Win95 until Win98 SE, then upgraded to W2k after SP2, XP after SP2, skipped Vista entirely, and upgraded to Win7 when games I wanted to forced me to.

Looks like I'll be skipping Win8 entirely too. I will certainly take a look at Win10 when it becomes available, and I might consider upgrading to it if the UI isn't too much of a pain in the ass.

Hopefully Microsoft has learned that there's no money in the desktop OS market anymore, not with other vendors providing cheap or free installs and updates.

If Microsoft makes Win10 something that's not a pain in the ass to use, for a relatively cheap price, and capable of joining an AD domain, I'll probably use it on a more permanent basis, but probably not for the first couple years of it's life unless there's a *really* compelling reason to do so

Comment: Re:Absence?! (Score 1) 595 595

Incorrect. NAT does have a security benefit. Unless ports are opened, there is no direct inbound access into the backend subnet. Yes, firewalls exist and can protect IPv6, but having a NAT simplifies security for most home users.

Ok, that is not a security benefit. If a device doesn't have ports open for something outside to connect to, there's no connection possible period, NAT or no NAT.

If a device does have ports open, that usually implies that you want things to connect to it. In order to make that happen, you have to forward the port on the NAT device, which defeats any 'security' you think seems to exist.

Now, lets say you have a bunch of servers behind your border device that have SSH enabled, and you only want, say, one of them to be accessible from outside the border device, but you don't want the others to be connectable.

All that takes is a rule in the stateful firewall.

There's no security benefit there. I could leave a crapload of publicly addressed Windows boxes with the RDP port open behind a firewall, and no one outside is going to be able to connect to it, because my stateful firewall drops all inbound traffic that isn't part of a flow I initiated by default. I don't need NAT for that.

Comment: Re:Absence?! (Score 1) 595 595

Where I live routers come pre-configured by the ISP (free router with contract, pay shipping, they ask nicely to send it back at the end to recycle but you don't have to). It already has the firewall set up to keep me "safe". The normal user options might allow some games through (NAT, DMZ - the fuckery that IPv4 requires), and the same options, with no visible change to the user, could allow transit to their machines on IPv6.

What's so hard about setting the router to drop (state NEW) traffic by default while allowing (state RELATED,ESTABLISHED) traffic? That is default NAT behaviour. A home router could easily _not_ supply as "allow all the Internet h4x0rs into my LAN" option, so if you want to do that you have to do what you currently do: one machine at a time.

There's your problem, believing that NAT is what drops new traffic. That is not a function of NAT. That is a function of the stateful firewall that is enabled on the NAT device.

If my device is 192.168.1.1 sending on port 10000 (global address 1.1.1.1) to 2.2.2.2 port 80, that creates a NAT entry for that translation. If 2.2.2.2 responds from port 80 to 1.1.1.1 on port 10000, that is going through the NAT, as there's already a state for that translation.

Whether the connection is actually allowed is determined by the stateful firewall, ie is this flow new, related, or established

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (5) All right, who's the wiseguy who stuck this trigraph stuff in here?

Working...