[LINK] There is no Plan B: why the IPv4-to-IPv6 transition will be ugly
Kim Holburn
kim at holburn.net
Fri Oct 1 22:25:58 AEST 2010
http://arstechnica.com/business/news/2010/09/there-is-no-plan-b-why-the-ipv4-to-ipv6-transition-will-be-ugly.ars
> Twenty years ago, the fastest Internet backbone links were 1.5Mbps.
> Today we argue whether that's a fast enough minimum to connect home
> users. In 1993, 1.3 million machines were connected to the Internet.
> By this past summer, that number had risen to 769 million and this
> only counts systems that have DNS names. The notion of a computer
> that is not connected to the Internet is patently absurd these days.
>
> But all of this rapid progress is going to slow in the next few
> years. The Internet will soon be sailing in very rough seas, as it's
> about to run out of addresses, needing to be gutted and reconfigured
> for continued growth in the second half of the 2010s and beyond.
> Originally, the idea was that this upgrade would happen quietly in
> the background, but over the past few years, it has become clear
> that the change from the current Internet Protocol version 4, which
> is quickly running out of addresses, to the new version 6 will be
> quite a messy affair.
>
.....
> The end result is a bit of a mess: all IPv6 systems support
> stateless autoconfig; Windows Vista and 7 support DHCPv6, but
> Windows XP and Mac OS X don't; on open source OSes a DHCPv6 client
> can usually be installed if one doesn't come with the distribution;
> and Vista and 7 also use the temporary, random number-derived
> addresses by default, whereas other OSes don't.
>
.......
> Firewalling
> In the early 2000s, Windows shipped with lots of insecure protocols
> enabled by default, and an unintended side effect of NAT—the
> service prevents all the machines behind a shared IP from receiving
> incoming connections—actually became a marketable feature in home
> routers. But since IPv6 has no NAT (nor does it have any need for
> NAT), NAT routers had to create the same firewall effect using a
> stateless firewall.
>
> However, NATs only break incoming connections by accident, so
> applications can work around that pretty easily (see the port
> mapping method described above). Firewalls, on the other hand, break
> connectivity on purpose, so it's generally not possible to easily
> work around them. And there are no port mapping mechanisms for IPv6
> (there's no NAT, remember?). All of this means that peer-to-peer
> protocols such as VoIP solutions and BitTorrent work worse over IPv6
> than over IPv4. This situation probably won't be resolved any time
> soon, as people with "security" in their job title refuse to
> consider passing through unsolicited, incoming packets in any way,
> shape, or form.
>
......
> IPv6 NAT
> In the meantime, there are heated discussions inside the IETF about
> whether to specify the dreaded IPv6 NAT after all. The argument
> against it is architectural disgust. (The IETF also passed on
> creating an IPv4 NAT specification, at first.) But the argument in
> favor is that a well-behaved IPv6 NAT wouldn't break as much
> software as an IPv4 NAT recompiled for 128-bit addresses. The thing
> that creates most of the problems with NAT is the address sharing.
> With IPv6 NAT, it would be possible to create 1-to-1 address
> mappings rather than the 1-to-many used with IPv4 NAT. So it would
> still be possible to obfuscate an internal network that uses private
> addresses, but peer-to-peer applications, if allowed through a
> firewall, could work with a little extra logic.
>
.....
> Plan B
> There is no plan B.
>
.......
> But no matter how the IPv4 address space is sliced and diced, it's
> not going to sustain a global network in a future where countries
> like China and Brazil are rapidly catching up to the many countries
> in the developing world which don't even have anything close to
> their fair share of addresses, yet. So, even though we're still
> trying to figure out the question, the answer will have to be "IPv6."
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request