
The state of IPv6 has to be seen to be believed

Defcon 2006 Short story: a bit of a mess
Sun Aug 06 2006, 22:49
THERE WAS AN update on the state of IPv6 at Defcon today, not really picking it apart, more where things are at. There is good and bad, but as always, much of it depends on the users and their motives.

Let's start out with the good: IPv6 ends the whole idea that IP addresses are a scarce commodity once and for all. IPv4 has 32 bit addresses, v6 has 128, or 2^96 addresses for each v4 address, which is well more than enough. Better yet, Vista Beta 2 supports it natively, none of the mucking around that you needed to do with XP to get it running. Yay progress.

On the bad side, the plethora of addresses removes the need for NAT, or at least that is the prevailing theory. This is fine if you are using NAT for more IPs, but if you are using it for light duty security or anonymity, that is more problematic. Privacy has a good chance of going bye-bye with v6, but again, there are mechanisms to pseudo-randomize that info for a little safety.
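The privacy point above is about how the low 64 bits of a v6 address get chosen. The following is an added example, not code from the article: it builds the modified EUI-64 interface identifier (RFC 4291 Appendix A) from a MAC address, shows that the MAC can be read straight back out of any address built that way, and generates the kind of randomized identifier that RFC 4941 privacy extensions use instead (simplified here to a fresh random 64-bit value rather than the RFC's hash chain). The prefix `2001:db8:1:2::/64` and the MAC `00:1b:21:3c:4d:5e` are constructed sample values.

```python
"""Added example: MAC-derived vs. randomized IPv6 interface identifiers."""
import ipaddress
import secrets
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291 Appendix A): insert FF:FE in the middle, flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # The universal/local bit is 0x02 of the first octet; it is inverted
    # so that a globally unique MAC yields a "universal" identifier.
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def address_from_iid(prefix: str, iid: int) -> str:
    """Combine a /64 prefix (e.g. a constructed 2001:db8:1:2::/64) with a
    64-bit interface identifier into a full address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers assume a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 style address, or None when the
    identifier does not carry the FF:FE marker (e.g. a privacy address).
    This is the leak the article alludes to: the hardware address travels
    in every packet and stays the same across networks."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = iid.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in octets)


def random_interface_id() -> int:
    """A fresh 64-bit identifier in the spirit of RFC 4941: random bits with
    the u/l bit (bit 0x02 of the first octet, bit 57 of the integer) cleared
    so it is marked as locally assigned and carries nothing about the host."""
    return secrets.randbits(64) & ~(1 << 57)


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"          # constructed documentation prefix
    mac = "00:1b:21:3c:4d:5e"             # constructed sample MAC
    stable = address_from_iid(prefix, eui64_interface_id(mac))
    private = address_from_iid(prefix, random_interface_id())
    print("EUI-64 address :", stable, "-> MAC", mac_from_eui64_address(stable))
    print("privacy address:", private, "-> MAC", mac_from_eui64_address(private))
```

Running it prints the same MAC back out of the EUI-64 address, while the randomized address yields `None`; the defender's takeaway is that hosts using stable EUI-64 identifiers can be tracked across prefixes by the interface identifier alone, which is exactly what the privacy extension is meant to prevent.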

The rest of the stuff falls into the messy middle, some upsides, some downsides. The whole idea of traceroute is now gone, so you lose one of the more useful tools out there, because Record Route is history. Ditto for broadcasting, but multicast is much better supported. Upsides and downsides abound.

The idea of ludicrous numbers of IPs has good and bad things that go along with it. Try scanning a network for computers: if you have 256 IPs, you can do it in a minute; with 2^64, well, problems, unless you want to wait a few millennia. There need to be new mechanisms for discovery, and more importantly tools that use these things.

On the up side, with a new ground up networking protocol, you can arrange it geographically and in a more hierarchical fashion. On the down side, it depends on people actually doing it with foresight and your best interests rather than their pocketbooks in mind.

Then come some of the more interesting things with the packets themselves: crypto, tunneling, and other header related games. A lot of what was in headers is now in the packets themselves, allowing them to be more arbitrary and extensible. You can now tunnel things within tunnels and extend that in ways not at all possible with v4.

To make crypto more ubiquitous, IPSec is mandatory in v6 stacks. Before you jump up and down with joy at the secure future this brings, IPSec means PKI infrastructure, something that to date has proven remarkably resistant to large scale implementations. Toss in the fact that tunneling things over IPSec is a great way to avoid firewalls and security that are not part of the loop, and you have a bunch of new headaches that are potentially worse than the old.

If you are waiting for v6, don't hold your breath. The US government pretty well mandated June 30, 2008 as an implementation date, or at least the OMB did. The Department of Commerce more or less laughed at them on technical grounds. So you have a deadline, reality and politics; any guess which will win out?

What will happen is a gradual transition, starting with tunneling v6 over v4, basically what we have today. Soon enough, there will be a move to hardware that can natively understand both protocols, and that will lead to v4 being tunneled over v6. Eventually, v4 support will go away, but again, don't hold your breath.

Last up, if you see v6 addresses, you will often see them as long strings of hex digits like 1180:0:0:8:700:200A:0:4B7A, a sheer joy to type. To make things easier to input, it is now acceptable practice to shorten 0 fields to ::, nicknamed 'box'. The above address can now be conveniently typed in as 1180:::8:700:200A::4B7A, piece of cake. Thank anything you worship for DNS. µ
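The shorthand rule is worth seeing as code, since it is easy to get wrong by hand. The following is an added example, not code from the article: it expands and compresses textual IPv6 addresses according to RFC 4291 section 2.2 and the canonical form of RFC 5952 (drop leading zeros in each 16-bit group; replace only the longest run of two or more all-zero groups with `::`, and the leftmost one on a tie). Under those rules `::` may appear at most once in an address, so the parser rejects a second `::` or a `:::`. Output is cross-checked against Python's standard `ipaddress` module, and the article's own address `1180:0:0:8:700:200A:0:4B7A` is used as the sample input.

```python
"""Added example: RFC 4291 / RFC 5952 style IPv6 address expansion and
compression, checked against the standard library."""
import ipaddress
from typing import List

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit groups of a textual IPv6 address as integers,
    accepting compressed input.  '::' stands for one or more zero groups and
    may be used only once; ':::' is never valid."""
    if ":::" in addr or addr.count("::") > 1:
        raise ValueError(f"'::' may appear at most once: {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group: {addr!r}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups: {addr!r}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r} in {addr!r}")
        values.append(int(g, 16))
    return values


def compress(addr: str) -> str:
    """Render an address in RFC 5952 canonical form: lowercase hex, no
    leading zeros, and the single longest zero run (length >= 2) as '::'."""
    values = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if values[i] == 0:
            j = i
            while j < 8 and values[j] == 0:
                j += 1
            if j - i > best_len:          # strictly longer: leftmost wins ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    groups = [f"{v:x}" for v in values]
    if best_len < 2:                      # RFC 5952 forbids '::' for one group
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def matches_stdlib(addr: str) -> bool:
    """True when our canonical form agrees with ipaddress.IPv6Address."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    sample = "1180:0:0:8:700:200A:0:4B7A"    # the address quoted in the article
    print(sample, "->", compress(sample))
    for bad in ("1180:::8:700:200A::4B7A", "1::2::3"):
        try:
            expand(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

For the article's address the canonical short form is `1180::8:700:200a:0:4b7a`: one `::` for the pair of zero groups, and the lone zero later in the address stays written out, because a second `::` would make it impossible to tell how many groups each one stands for.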

