[BBLISA] Last night's IPv6 talk

Edward Ned Harvey bblisa3 at nedharvey.com
Thu May 13 23:23:21 EDT 2010


Oh, for what it's worth, I see things like this:

If there's sufficient consumer demand for IPv6, then ISPs will roll it
out and charge extra for the premium service.  That's the definition of
"sufficient consumer demand" in this case:  the ISPs see sufficient demand,
that they feel it's in their own best interests to do something about it.

But evidently, that's not what's happening.

Instead, if there's insufficient consumer demand, then ISPs will still
want to make money on it somehow.  They wait around.  They enable IPv6
everywhere, and when there is an opportunity for public perception of IPv4
starting to cost more, then they charge extra to use IPv4.  It's in their
best interest to make IPv6 wait till the last minute, so all the Hulus and
Facebooks (and your employer's VPN) out there might still only offer service
via IPv4.  The quieter things stay for now, the more profit they're able to
extract from it.

But they don't want to be caught with their pants down, so they'll perform
some regional test rollouts.  (Sound familiar?)  Surely, the results of the
present Comcast / Verizon test regions are:  "It works, but there's no DNS
and that's a showstopper."

Also, they know approximately how long their routers last at people's homes.
So they're planning the slow and systematic upgrade strategy.  I have good
reason to believe, for my house on FiOS, they only need to push out a
firmware upgrade when they want to.  But a lot of people are still living on
"the shark fin" or similar devices.  Old, archaic cable and DSL modems that
haven't been replaced in a decade.  The ISPs want people to get as much
life out of these things as physically possible, to avoid the upgrade
expense.

You will see the IPv6 DNS problem solved before there's any serious effort
by ISPs.  It may be DHCPv6, or RFC a,b,c,d.  But there's positively no way
ISPs can charge extra for IPv4, as long as IPv6 is insufficient by itself.
So for now, they wait.

You will see the Hurricane Electric countdown reach zero.  And then IPv4
will start to become more expensive.  And finally, things start moving.

Those are my predictions.  Booweeeewwwooooo..  In the year 2000.  Magic.

From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On Behalf
Of Edward Ned Harvey
Sent: Thursday, May 13, 2010 8:25 AM
To: bblisa at bblisa.org
Subject: [BBLISA] Last night's IPv6 talk

Even though I wasn't the organizer last night, I want to thank everyone who
showed up and participated.  I found it very informative and interesting,
and apparently so did many other people, reluctantly getting up to go home
after 9, for the sake of needing to go home *some* time.  ;-)

There were several points of interest I thought were valuable to stab a
little deeper into:

Even as ISPs roll out IPv6, they will not kill IPv4 anytime soon (not in
the next 5 yrs.)  So for now, that's the solution to the DNS problem.
Apple, MS, etc. have plenty of time to work out the details of DNS
deployment, DHCPv6 and so on.  Someday, you might have to pay extra to have
IPv4 enabled on your network connection.

The references that I cited were:  Running IPv6, Iljitsch van Beijnum.  It's
good for an understanding of IPv6, but since it's like 5 yrs old, it's
out-of-date in terms of configuring IPv6 on your system.  Fortunately, that
doesn't matter at all, because nowadays, enabling IPv6 is trivial.

I could share it with anyone if they want, up to 2 weeks, if you happen to
have a Kindle (or are willing to use the Mac or Windows Amazon Kindle reader).
That should be enough to read the whole thing for all the interesting parts.
Also, I said it was $10.  Sorry, my mistake, it's $35 to buy.

I mentioned NAT-PMP.
http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

And I couldn't remember the name of IGD.
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

These are protocols that allow a NAT IPv4 device to communicate with the
perimeter firewall, to auto-configure a hole through the firewall, to enable
inbound traffic, to support peer-to-peer traffic.  Today, these protocols
are not widely built into firewalls.  But some do support it.  Generally
speaking, professional level security appliances don't support it, but
hopefully that will become optional in the near future (and controllable via
system policy), because I feel it's a very valuable thing, to enable
peer-to-peer video conferences for example.

The thing that's nice about NAT-PMP and IGD is that the client must
explicitly request the hole opened at the perimeter firewall before it's
allowed in.  So this is an additional layer of security, above just your
software firewall.  Obviously, nobody feels very comfortable simply exposing
all their internal IPs to the Internet.  So this helps facilitate
communications without sacrificing security.

Today, if you want to do p2p, the recommendation would be IPv4, with one of
these.  Most p2p apps support it (Skype, BitTorrent, and many H.323 or SIP
clients, etc.).  The question that remains is whether or not your perimeter
firewall supports it.

Moving forward, if you have world routable IPv6 addresses, there's no need
for NAT and hence no need for NAT-PMP or IGD.  However, as mentioned
before, the only security that NAT offers you is implicitly blocking inbound
unknown traffic.  Moving forward, the recommendation would be to still
enable the firewall to block inbound unknown traffic.  In which case, the
recommendation would be to use IPv6, *and* NAT-PMP or IGD, or the
alternative du jour.

Not previously mentioned, the other security that NAT offers is internal
network roadmap masking.  That is, somebody outside has no way of knowing
your internal network topology or subnet ranges and possible router hops.

Believe it or not, IPv6 can be NAT'd if you want to.  (Though implementation
may be sparse or nonexistent right now.)  Many of the IETF idealists would
scoff at that as being sacrilegious and defeating the purpose, but you can
see how slowly things move when you're trying to be ideal.  If striving for
perfection, then critical components (DNS, DHCP) get left out by the time
you need to use them.  So, just as you can expect people to use DHCPv6
despite extremist objections, so you can expect some organizations to do
IPv6 NAT sometimes despite the extremist views of individuals in the IETF.
Specifically because they don't want to expose the internal network roadmap.

One thing that's cool is:  If you do NAT your IPv6, you have a very large
number of external IPs.  So you could do a one-to-one mapping of internal
IPs to external IPs, instead of the many-to-one mapping that's generally
used in IPv4.  Thus, you eliminate the p2p problems that IPv4 NAT has, and
you're still able to do NAT.
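
As an added example (my own code, not from the original post or anything on the BBLISA list), here is a Python codec for the NAT-PMP port-mapping exchange the post describes, with a gateway-side policy hook that refuses any mapping not on an administrator's allow-list, i.e. the "controllable via system policy" behaviour the post asks for. The packet layouts follow RFC 6886; the policy table and port numbers are constructed for the demonstration.

```python
"""NAT-PMP (RFC 6886) port-mapping request/response codec with a policy hook."""
import struct

NATPMP_PORT = 5351                      # the gateway listens on UDP 5351 (RFC 6886)
OP_UDP, OP_TCP = 1, 2                   # port-mapping opcodes; a response is opcode + 128
RESULT_SUCCESS, RESULT_REFUSED = 0, 2   # result codes: 0 = success, 2 = not authorized/refused


def build_mapping_request(proto, internal_port, external_port=0, lifetime=7200):
    """Client side: version 0, opcode, 2 reserved bytes, internal port,
    suggested external port (0 = let the gateway choose), lifetime in seconds."""
    return struct.pack("!BBHHHI", 0, proto, 0, internal_port, external_port, lifetime)


def parse_mapping_request(data):
    version, opcode, _reserved, int_port, ext_port, lifetime = struct.unpack("!BBHHHI", data)
    if version != 0 or opcode not in (OP_UDP, OP_TCP):
        raise ValueError("not a NAT-PMP v0 port-mapping request")
    return opcode, int_port, ext_port, lifetime


def build_mapping_response(opcode, result, epoch, int_port, ext_port, lifetime):
    """Gateway side: version 0, opcode + 128, result code, seconds since the
    gateway's epoch, internal port, mapped external port, granted lifetime."""
    return struct.pack("!BBHIHHI", 0, opcode + 128, result, epoch, int_port, ext_port, lifetime)


def parse_mapping_response(data, expected_opcode):
    """Client side: refuse to act on a reply whose opcode does not match the request."""
    version, opcode, result, _epoch, int_port, ext_port, lifetime = struct.unpack("!BBHIHHI", data)
    if version != 0 or opcode != expected_opcode + 128:
        raise ValueError("response does not match the request opcode")
    return result, int_port, ext_port, lifetime


def gateway_handle(data, policy, epoch):
    """Gateway side with a policy hook (constructed for this example): `policy` maps
    (opcode, internal_port) to the longest lifetime an administrator allows; any
    request not on that allow-list is refused instead of opening a hole."""
    opcode, int_port, ext_port, lifetime = parse_mapping_request(data)
    max_lifetime = policy.get((opcode, int_port))
    if max_lifetime is None:
        # A refusal carries no mapping: external port and lifetime are reported as 0.
        return build_mapping_response(opcode, RESULT_REFUSED, epoch, int_port, 0, 0)
    mapped = ext_port or int_port           # honour the suggestion, else mirror the port
    return build_mapping_response(opcode, RESULT_SUCCESS, epoch, int_port, mapped,
                                  min(lifetime, max_lifetime))
```

The gateway clamps the granted lifetime to the policy maximum, so a client asking for a long-lived hole still gets only what the administrator allowed.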
