According to news reports, the US federal government is adopting IPv6 within the next three years.
However, the reactions are as expected. On the NANOG list, the 1990s efforts by the US federal government to get OSI networking off the ground (see GOSIP) were brought up to underscore the assumption that this effort would fail as well.
As always, the discussion on Slashdot quickly deteriorated to the level of "NAT is good enough" and "We don't need that many addresses anyway".
Makes you wonder what a modern Thomas Edison would do. Give up after the first try and stick with gas light, I expect. (Edison tried thousands of different materials as filaments in light bulbs before he found something that was reliable enough to be useful.)
To be fair, others on the NANOG list pointed out important differences between OSI/GOSIP and IPv6 that make this effort very different.
Permalink - posted 2005-07-04
EarthLink Research and Development has released experimental firmware for the Linksys WRT54G wireless residential gateway that supports IPv6. See the announcement.
This is good news because the residential gateway (forgive me for not saying "router", I know what a real router looks like and these things ain't it) is often the thing that makes it hard to get IPv6 connectivity. Obviously it's always possible to use a Cisco 82x SOHO ADSL router for this, but most home users find those too expensive. Because residential gateways invariably use network address translation (NAT), it's hard to set up an IPv6 tunnel through them. This is especially true for 6to4 automatic tunneling, which works completely automatically without NAT.
I'm not sure if Earthlink's firmware for the WRT54G supports tunnels, but it does support native IPv6 routing, and, apparently, DHCPv6 prefix delegation, and you can sign up for that as an experimental service on their network.
(Also see the WRT54G article on Wikipedia.)
Permalink - posted 2005-05-27
The first thing I did after installing Tiger was check out the new IPv6 features. That didn't take long... It doesn't look like there is more IPv6 functionality in Tiger than in Panther, except for one thing:
Unlike earlier versions (including the recent 1.3 release) Safari 2.0 now uses IPv6 by default (when available, of course).
This is very nice: no more mucking about with the debug menu. It also means that you get to use session keepalive with IPv6: rather than open a new TCP session for each HTTP request, Safari will try to keep sessions open and reuse them for subsequent requests. This can be very helpful if you don't have a high bandwidth, low delay link because you don't have to suffer the TCP setup and slow start delays for every single image on a page.
Looking at this stuff in tcpdump I can't help but notice that HTTP is a very wasteful protocol. A GET can easily be 700 bytes, and many web designers use images that are only 100 bytes...
I also noticed that Safari now says Accept-Language: en, while I have English, Dutch and German (ok, slight case of hybris for that last one) set up as my languages in the system preferences. This is a shame, because my carefully crafted language detection at http://www.muada.com/ now no longer knows I speak Dutch so it shows me the English version of the page.
However, the switch to Tiger wasn't entirely problem-free in the IPv6 department: the new Mail has a pretty serious bug: SMTP won't work over IPv6 anymore. To add insult to injury, Mail won't all back on IPv4 for SMTP, so if your SMTP server has an AAAA record in the DNS and you have IPv6 connectivity, you won't be able to send mail. The workaround is to configure a DNS name for the SMTP server that doesn't have an AAAA record, or the SMTP server's IPv4 address. See bug 4113850 in Apple's bug reporter (you must have a developer account to log in) for more details.
Permalink - posted 2005-05-16
The MIT Advanced Network Architecture Group runs a Spoofer project. You can view the results and/or download a client in order to participate.
The goal of this research project is to determine to what degree hosts connected to the internet can spoof source addresses in outgoing packets. The problem with spoofing is that it can be used to hide the true origin of malicious packets that are used in denial of service (DoS) or distributed denial of service (DDoS) attacks.
The current wisdom was/is that DDoSers have such an easy time launching their attacks from compromised hosts ("zombies") under their control, that spoofing isn't worth the trouble these days. (And NATs may rewrite the spoofed address into a non-spoofed address.) Unfortunately, there is little public information about the (D)DoS problem, but anecdotal evidence suggests that most DDoS attacks indeed use real addresses, but there is still a class of attacks that uses spoofed addresses.
Note that the trouble with spoofing is not just that the source remains hidden, but also that it's impossible to filter out the packets based on source address. Some people argue that the number of sources is so large that this doesn't matter, but I'm not convinced by this argument.
Anyway, it's interesting to see that many networks don't allow outgoing packets with spoofed sources, but there is also a large class of networks that allows them. And it's not entirely a binary thing: some networks filter, but not with 100% success.
It's interesting to note that as of Service Pack 2 Windows XP no longer allows programs to send spoofed packets. (But taking part in the Spoofer project is still encouraged for WinXPSP2 users because it shows important data points.)
Permalink - posted 2005-05-06
Paul Wilson, Director General of the Asia Pacific Network Information Centre (APNIC), and Geoff Huston, Senior Internet Research Scientist at APNIC, have written an article published on CircleID which was well- received on the NANOG list:
Could IP Addressing Benefit from the Introduction of Competitive Suppliers?
Today, IP addresses are distributed by five Regional Internet Registries that each serve part of the world:
In the article Paul and Geoff argue that competition between IP address suppliers would lead to a "race to the bottom": the only aspect on which these suppliers can compete is the (de facto) ease of getting addresses, so the current policies that are in place to conserve the 1.2 billion remaining IPv4 addresses (out of 3.7 billion usable ones) but at the same time allow legitimate use would cease to exist and the remaining IPv4 space would be used up a lot faster.
On the other hand, if the ITU gets its way, each country gets to do this on their own which can lead to both competition as some countries give out addresses to foreign businesses, or hoarding and buying/selling addresses, which leads to addresses not being used. (And the fragmentation of the address space leads to a larger routing table which mean more expensive routers for all ISPs, which is one of my main concerns here.)
Permalink - posted 2005-04-28
Because some IETF documents such as RFC 3489 and draft-ietf-sipping-nat-scenarios-00.txt talk about ISPs putting their customers behind a Network Address Translation device, Philip Matthews posed the question to the NANOG list about how wide spread this practice is.
Some people followed up with examples. Most of these are for things such as GPRS and 802.11, but there are also a few ISPs that do this for "regular" services such as DSL. According to Philip in a summarization of private replies:
"It seems that there are quite a few providers who do this. I was told of at least 24 providers in the U.S., as well as providers in Canada, in Central America, in Europe, and in Africa which which do this."
Unfortunately, there is little or no information why service providers do this except for examples where small ISPs are unable to get enough addresses or get their own address block routed from a large incumbent telco/ISP in non-deregulated markets.
In the IETF, NAT has a bad reputation because it breaks many protocols and because it's hard (if possible at all) to run services on NATed systems. Users who run their own NAT device (which is probably the majority of all "always-on" IP users) can configure their NAT to allow certain incoming traffic, but this won't work with service provider NAT because a single port number must be shared across several customers.
Permalink - posted 2005-04-23