[LINK] There is no Plan B: why the IPv4-to-IPv6 transition will be ugly

Kim Holburn kim at holburn.net
Fri Oct 1 22:25:58 AEST 2010


http://arstechnica.com/business/news/2010/09/there-is-no-plan-b-why-the-ipv4-to-ipv6-transition-will-be-ugly.ars

>  Twenty years ago, the fastest Internet backbone links were 1.5Mbps.  
> Today we argue whether that's a fast enough minimum to connect home  
> users. In 1993, 1.3 million machines were connected to the Internet.  
> By this past summer, that number had risen to 769 million—and this  
> only counts systems that have DNS names. The notion of a computer  
> that is not connected to the Internet is patently absurd these days.
>
> But all of this rapid progress is going to slow in the next few  
> years. The Internet will soon be sailing in very rough seas, as it's  
> about to run out of addresses, needing to be gutted and reconfigured  
> for continued growth in the second half of the 2010s and beyond.  
> Originally, the idea was that this upgrade would happen quietly in  
> the background, but over the past few years, it has become clear  
> that the change from the current Internet Protocol version 4, which  
> is quickly running out of addresses, to the new version 6 will be  
> quite a messy affair.
>

.....
>  The end result is a bit of a mess: all IPv6 systems support  
> stateless autoconfig; Windows Vista and 7 support DHCPv6, but  
> Windows XP and Mac OS X don't; on open source OSes a DHCPv6 client  
> can usually be installed if one doesn't come with the distribution;  
> and Vista and 7 also use the temporary, random number-derived  
> addresses by default, whereas other OSes don't.
>

.......

> Firewalling
> In the early 2000s, Windows shipped with lots of insecure protocols  
> enabled by default, and an unintended side effect of NAT—the  
> service prevents all the machines behind a shared IP from receiving  
> incoming connections—actually became a marketable feature in home  
> routers. But since IPv6 has no NAT (nor does it have any need for  
> NAT), NAT routers had to create the same firewall effect using a  
> stateless firewall.
>
> However, NATs only break incoming connections by accident, so  
> applications can work around that pretty easily (see the port  
> mapping method described above). Firewalls, on the other hand, break  
> connectivity on purpose, so it's generally not possible to easily  
> work around them. And there are no port mapping mechanisms for IPv6  
> (there's no NAT, remember?). All of this means that peer-to-peer  
> protocols such as VoIP solutions and BitTorrent work worse over IPv6  
> than over IPv4. This situation probably won't be resolved any time  
> soon, as people with "security" in their job title refuse to  
> consider passing through unsolicited, incoming packets in any way,  
> shape, or form.
>

......

> IPv6 NAT
> In the meantime, there are heated discussions inside the IETF about  
> whether to specify the dreaded IPv6 NAT after all. The argument  
> against it is architectural disgust. (The IETF also passed on  
> creating an IPv4 NAT specification, at first.) But the argument in  
> favor is that a well-behaved IPv6 NAT wouldn't break as much  
> software as an IPv4 NAT recompiled for 128-bit addresses. The thing  
> that creates most of the problems with NAT is the address sharing.  
> With IPv6 NAT, it would be possible to create 1-to-1 address  
> mappings rather than the 1-to-many used with IPv4 NAT. So it would  
> still be possible to obfuscate an internal network that uses private  
> addresses, but peer-to-peer applications, if allowed through a  
> firewall, could work with a little extra logic.
>
.....

> Plan B
> There is no plan B.
>

.......

> But no matter how the IPv4 address space is sliced and diced, it's  
> not going to sustain a global network in a future where countries  
> like China and Brazil are rapidly catching up to the many countries  
> in the developing world which don't even have anything close to  
> their fair share of addresses, yet. So, even though we're still  
> trying to figure out the question, the answer will have to be "IPv6."



-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
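
Added example (not part of the original post or the quoted article): a sketch of the 1-to-1 IPv6 prefix mapping and the firewall effect that the quoted "IPv6 NAT" and "Firewalling" sections describe. The prefixes, the Gateway class and the function names are assumptions made for illustration, and the mapping is a plain prefix swap rather than any standardised translation algorithm.

```python
import ipaddress

# Constructed sample prefixes: a private (ULA) /48 inside, a documentation /48 outside.
INSIDE = ipaddress.ip_network("fd00:1234:5678::/48")
OUTSIDE = ipaddress.ip_network("2001:db8:abcd::/48")


def translate(addr, src_net, dst_net):
    """Swap the prefix of addr from src_net to dst_net, keeping the low bits.

    Every inside address gets exactly one outside address (1-to-1), so no
    port rewriting or address sharing is involved.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1-to-1 mapping needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    low_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.IPv6Address(int(dst_net.network_address) | low_bits)


class Gateway:
    """Hypothetical edge device: 1-to-1 prefix mapping plus inbound filtering."""

    def __init__(self):
        # Flows opened from the inside: (mapped_src, sport, remote, rport)
        self.flows = set()

    def outbound(self, src, sport, dst, dport):
        """Map the inside source address and remember the flow."""
        mapped = translate(src, INSIDE, OUTSIDE)
        self.flows.add((mapped, sport, ipaddress.ip_address(dst), dport))
        return mapped

    def inbound(self, src, sport, dst, dport):
        """Return the inside destination for a reply, or None if unsolicited."""
        dst = ipaddress.ip_address(dst)
        if (dst, dport, ipaddress.ip_address(src), sport) not in self.flows:
            return None  # no matching outbound flow: packet is dropped
        return translate(dst, OUTSIDE, INSIDE)


if __name__ == "__main__":
    gw = Gateway()
    print(gw.outbound("fd00:1234:5678:1::10", 40000, "2001:db8:ffff::1", 443))
    print(gw.inbound("2001:db8:ffff::1", 443, "2001:db8:abcd:1::10", 40000))
    print(gw.inbound("2001:db8:ffff::2", 443, "2001:db8:abcd:1::10", 40000))
```

The mapping alone is reversible by anyone who knows both prefixes; the inbound drop comes only from the flow table, which is the filtering step and not the address translation.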












