IPv4 Declared Historic – Draft(datatracker.ietf.org) |
IPv4 Declared Historic – Draft(datatracker.ietf.org) |
This is in no way some proclamation that IPv4 is no more, it's more like the obituaries that news papers have sitting around for public figures just in case they die. The IETF isn't quick at getting RFCs published, and it definitely won't be with something as big as this.
[1] “We reject kings, presidents, and voting. We believe in rough consensus and running code” - Dave Clark, quoted by http://arstechnica.com/tech-policy/2011/01/25-years-of-ietf-... for example
That's not entirely true. An RFC can get published very quickly. At this point there are almost 8000 of them.
Perhaps you are thinking of an Internet Standard document:
http://www.timewarnercable.com/en/support/faqs/faqs-internet...
Sure, it's been superseded, and it's great to move the ball forward. But somehow I think this legacy technology will be in use for a long, long time.
The few use cases I see that have a hard requirement for IPv6 typically involve arbitrary drivers like government regulations for unique addressing. I have yet to see much demand for IPv6 driven by functionality.
Not for purposes like:
* I want the IP header I'm transmitting between these two nodes to be as small as possible
* I want a CPU and memory efficient TCP/IP stack for an embedded system.
Pretty much no successor of anything is better than its predecessor for "every purpose", just every purpose that the speaker happens to care about.
Re: business interests: Cloud businesses can acquire IP addresses at price points far higher than the average developer can. Now that the ARIN address space is exhausted, cloud providers will begin to buy more and more IPv4 space until they have a complete monopoly and large portions of IPv4 are controlled by just a few companies. This will price other companies out of offering cloud services that are IPv4 compatible.
Re: security: Sure, the original intended purpose of NAT was not security, but people use it for that, and will continue to do so. If you want to put multiple boxes behind a single IP address, IPv4 is the easiest way to do it. In fact, IPv6 seems to be a step backward in terms of security. Every device does not need to be openly addressable from anywhere on the Internet, and developers will always choose the path of least resistance, especially when it's more secure.
IPv6 also allows you to do weird stuff like using a single IP address per connection, which makes it even harder to address a single computer from the internet.
IPv6 is just as safe if not safer than IPv4, if you use it correctly.
NAT is not the same as firewalls, and firewalls do not require NAT. NAT is just an ugly hack to stretch IPV4's inadequate address space, and it's one that breaks quite a few protocols and generally makes a lot of things painful and complex.
Remember back when there were two dozen different networking layers vying for the ability to link Docker containers? (There still are, but Docker's hype wave has crested so you don't see them every 5 minutes on here.) With IPv6 and no NAT, none of that is necessary. Just give every container a real address, set your firewall rules accordingly, and every container anywhere can talk directly to every other container without any added complexity. Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host. Since IPv6 specifies that an ISP should hand out /64's to customers, each customer can have 4 billion container hosts.
Getting rid of NAT makes everything orders of magnitude simpler.
I do wonder about monopoly resistance. I wonder if IPv6 has been shunned by Amazon, Google, and Microsoft clouds because they see a long term advantage in preventing adoption. IPv6 makes peer to peer systems a lot easier to build, and peer to peer is direct competition to the 'run absolutely everything through the cloud' model. IPv6 could actually reduce the cloud's importance (especially for data transit) if it were widely deployed.
A /80 for Docker is preferred because it can map 1 to 1 onto the mac address for SLAAC.
see also: https://docs.docker.com/v1.5/articles/networking/#ipv6
Please edit acerbic swipes out of your comments to HN. It's distracting, provoking and detracts from your otherwise substantive comment.
Today I blow your mind: https://en.wikipedia.org/wiki/Unique_local_address https://www.sixxs.net/tools/grh/ula/
I don't see that being effective. IPv6 is here, and you can't put the genie back in the bottle. See above where somebody linked to the TWC page where they point out that they have reach 100% IPv6 coverage. And they are one of the largest ISP's around. (And from my subjective perception, one of the laggards on implementing IPv6). Common home routers have been shipping with IPv6 support for years, and probably a huge swathe of the 'net population (in America anyway) have dual-stack and just don't know it.
And IPv6 adoption is only going to keep growing. Pretty soon there won't be any consumers who are stuck on v4, so there will be no reason to try and establish a monopoly on v4 addresses.
IPv6 has usability problems (I've written on this), but these are unrelated to security in any direct way.
The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption. It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.
There's a ton of superstition and cargo cultism in network security, since most people -- even developers -- don't understand much about how networks work.
>The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption.
In all fairness, the common NAT implementation involves L4 params and the requisite state for ingress traffic. It makes like a filter that is "drop any" with respect to the NAT IP address (with the exception of in-state traffic). Further, it also limits the IP protocols available. Example, you will not likely be doing SCTP across your NAT and certainly it would be difficult to send directed OSPF packets during this[0] fun thing. It still leaves things to be done (like dropping internal IP space traffic on the external IFs), but the requisite components supply a lot.
I think I've seen the problem though. In general, network engineers have failed to break down the components of NAT: 1) State, 2) Rewrite, 3) A filter dropping traffic not matched by state. Fundamentally, the only thing we need to do in IPv6 is 1) state and 2) a filter. Their failure, combined with the packaging of components that NAT provides, feeds the valid points of the superstition while neglecting the details (what happens when we look at too big of a picture, or philosophical thing).
>It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.
The ignorance of management and "netwerk sekurity esperts" aside, NAT does have use cases in IPv6. Example, if we're performing renumbering frequently, does it make operational sense to roll over prefixes with RAs/DHCP? Maybe the expectation is for multiple prefix advertisement, but then which IP should be used for internal vs. external? Should all applications always rely on DNS? What are the implications for routing networks that may be designed with separate number spaces? The reasons for why these things may be done are not absolutely "wrong" or "bad design" and should not necessarily adopt a purist model.
[0]https://tools.cisco.com/security/center/content/CiscoSecurit...
Before you suggest DDNS, for some companies, the length of unavailability between a changed IP and the DDNS client noticing and updating can be fatal.