Monday, February 7, 2011

Negative aspects of IPv6?

I was reading the comments on LinuxToday.com about an article on the costs of transitioning the world to IPv6 from the present ubiquity of IPv4.

http://www.linuxtoday.com/it_management/2011020701435NWNT

As a network engineer I've often considered this, and have come up with various combinations of tunneling, smart routers, transitional gateways and such to "solve" possible problems. The fact is that no one entity is ever going to fund the re-engineering of every IP-capable device in the world all at once. And a Linux-powered router can easily act as a gateway between legacy IPv4 hardware on the user side and an IPv6-only "world". So the transition need be neither overwhelming nor even extraordinarily expensive, and it can be accomplished as quickly as people choose to do it.

But for a moment, I would like to explore the problems that Rainer Weikusat, GaAsP, Golodh, Bernard Swiss and Ken Jennings, as of my writing this, have brought up. And of course, any of my own considerations that might arise.


IP Addresses as Tracking Devices


Yes indeed, IPv6, by being able to directly address "every grain of sand in the oceans", recovers one of the lost attributes of the early Internet: direct connectivity of every device to every other device.

But when every device has its own address, the dreams of those who would track what people do and when are greatly enabled as well. "You downloaded that movie to your toaster!" And with the possibility of being able to take your address blocks with you when changing ISPs, that problem only gets worse.

This is not an IPv6 problem; the problem of Internet tracking exists right now. Every packet can be traced, every connection monitored. Anyone who thinks that IPv6 makes the problem worse may be correct to a degree, but IPv4 does nothing to prevent the problem in the first place. This must be addressed as a problem of networking itself, and the laws and law enforcement terms under which humanity operates.

Yes, You Can Get There From Here

Imagine no more Network Address Translation required for ISPs to eke that many more customers from their allocated block of addresses. I remember, for example, when PGPfone was abandoned due to the rising use of NAT, because it was becoming less and less possible for Joe User to reach Jane User's system with a direct IP-to-IP link. IPv6 promises a renaissance of such applications, and I'm looking forward to it.

There is also the accidental "security" aspect of NAT, which hides a multitude of older and un-patched home systems behind simple unreachability. Those IPv6 routers had better come with stateful packet filtering turned on by default, gosh darn it, or the Code Red and Nimda viruses of 2001 are going to look like a neighbor's polite light tapping on the door compared to a hurricane.
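One way to get that default on a Linux-based router, as an added example rather than anything from the original post: an nftables ruleset that drops unsolicited inbound IPv6 while still passing the ICMPv6 that IPv6 cannot work without. The interface names `eth0`/`eth1` and the table name `edge` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. Interface names are assumptions.
define WAN = "eth0"   # toward the ISP
define LAN = "eth1"   # home network with globally routable IPv6 addresses

# Idempotent reload of this table only; IPv4 tables are left untouched.
table ip6 edge
delete table ip6 edge

table ip6 edge {
    # Traffic routed through the box: this is where NAT's accidental
    # "unreachability" is replaced by an explicit default-drop policy.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened, plus related errors.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outward.
        iifname $LAN oifname $WAN accept

        # ICMPv6 errors must pass: IPv6 routers never fragment, so
        # dropping packet-too-big breaks path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Neighbor discovery and router advertisements replace ARP in
        # IPv6; blocking them takes the link down.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        ct state established,related accept
        ct state invalid drop

        # DHCPv6 client replies from the ISP's link-local address.
        iifname $WAN ip6 saddr fe80::/10 udp dport 546 accept

        # Management from the LAN side only (SSH here, as an assumption).
        iifname $LAN tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list table ip6 edge`.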

IPv6 as Government Job Security


It's only been a few days now since the IPv4 address space was officially exhausted. So does this mean that the IANA has worked themselves out of a job? Oh no! By assigning themselves the exclusive power to allocate IPv6 addresses, they have effectively given themselves job security until the heat death of the universe.


IPv6 and Second System Syndrome

Time for a pet peeve of mine. IPv6 suffers from Second System Effect. Looked at lightly, IPv6 has every advantage: tremendous address space, simplified packet address headers, standardized packet size. If this had been the only change IPv6 had encompassed, I would greet it with unalloyed joy.

But no, the committees could not possibly leave it at that, could they? They had to build that damned camel. DHCP is built in, IPSec is built in, QoS is built in, specification after specification of what people were already implementing with simple and explicit "first systems", now superseded by some committee's idea of what people really ought to be doing.

Oh well, I find myself an exceptionally small minority on this particular aspect of IPv6, and it's being implemented as designed anyway. Some day I'll just shrug and give up, since I'm deploying it as well.


IPv4 Isn't Actually "Gone", It's Just "Allocated"

But what of IPv4? Looking at the address space allocation table, it's obvious that there are a lot of unused addresses still floating around, as well as very effective re-allocation methods such as NAT that can put entire universities or businesses behind a small block of unique addresses, freeing up the 16.5 million addresses that each "/8" address block carries with it. Do you hear that, MIT? IBM? Apple?

It's not like such companies want or need each internal server and corporate PC to be world-addressable. And with Windows desktops, I wouldn't even want them online, much less reachable by any well-written virus that happens along.

But I digress.

The allocation of scarce resources is best accomplished by market forces and a price system. How about letting those who have been granted IPv4 address space "own" those addresses exactly the same way they "own" registered domain names? Sell them, so they are used as efficiently as it is possible to imagine them being used. A company like IBM could sell 9.0.0.0/8 for lots and lots of money, then use local ISPs for its offices and commercial web hosting, which I fully expect they are already doing since routing all of such a distributed company's world-wide desktop web browsing would be an incredible waste of money.

So how about you? What problems do you see with the world of network addressing? Or would that be, "addressing the network world"?

7 comments:

  1. Anonymous 7/2/11 23:17

    Only thing I disagree with is the level of second-system syndrome going on. With new addressing standards for IPv6, you will need an updated version of UDCP and IPSec at least to work with addresses in IPv6 format. The pieces need to work together, and UDCPv4 just won't cut it with an IPv6 network.

  2. As the first poster, Anon, I think you deserve a reply.

    There's no need to worry about the pieces working together, because it's been built into the spec directly. My reason for bemoaning it is not because it won't work, but that now anything like a simple change to DHCPv4 that would have enabled it TO work cannot happen.

    Maybe a better answer to what is in the IPv6 spec would not have been found, but we will never know. In times past, a "reference implementation" would have been created, and then refined. That is the path I would have preferred.

  3. What I'm curious about is how this will actually trickle to the average user. Right now most of us in the USA are using a broadband provider's modem as a NAT box as well. So, for the most part, we don't care if things stay the same or not from inside the house. As long as IPv6 addresses are resolved when I request them.

  4. Anonymous 10/2/11 08:55

    > "A company like IBM could sell 9.0.0.0/8 for lots and lots of money..."

    Another way would be to tax the owners of Class A (and B?) blocks -- priced correctly, unused blocks would be released back to IANA.

  5. Anonymous 10/2/11 11:12

    @Anonymous - Great, now all our prices will go up and dedicated IP's will become completely unavailable to smaller companies or individuals. Also once the Government decides to implement a tax it only seems to go up... Gotta subsidise the less fortunate who can't get a public IP ya know. No thanks.

    I think a better solution is the one already purposed. Let's just simply move to IPV6... There's nothing stopping us and it's backwards compatible. We just need to make sure all new products are IPV6 compliant from here on out (and most are) and get our ISP's on board (That might be the hard part).

  6. Anonymous 10/2/11 12:39

    "I think a better solution is the one already purposed. Let's just simply move to IPV6... There's nothing stopping us and it's backwards compatible."

    No, it is not backwards compatible. That is one of the issues that has been preventing its deployment. To use IPv4 and IPv6 together you need a dual stack implementation, and not all dual stack solutions play well with other dual stack solutions. Second, to go from an IPv4 to 6 or back you have to have some kind of translator in the middle.

    If you look at the kinds of issue that still get encountered with NAT on IPv4 to 4 networks, how much worse will it be going between v4 and v6 then back again.

  7. Anon,

    "how much worse will it be going between v4 and v6 then back again."

    Let's be serious and admit that that is simply not going to work for anything more than a simple data stream. No IPSec, for example.

    But just like double static NAT, it could be done and work, but its application is going to be very narrow.
