
      NO, REALLY, WE MEAN IT
      June 1, 2012 11:58 AM

      THIS TIME IT IS FOR REAL

      The Internet Society wants to remind you that THE FUTURE IS FOREVER. On or by June 6th, some major Internet sites and services will have permanently enabled their services over IPv6, including Google, YouTube, Facebook, Yahoo, Microsoft Bing, Netflix, and many others, thus helping complete a changeover started as far back as 1998.
      posted by Blazecock Pileon (78 comments total) 9 users marked this as a favorite
       
      IPv6 + June (6th month of the year) + 6th day of the month --> 666

      Wake up sheeple!
      posted by ZenMasterThis at 12:05 PM on June 1, 2012 [38 favorites]


      thus helping complete a changeover started as far back as 1998.

      It isn't complete if they're serving IPv4.
      posted by eriko at 12:05 PM on June 1, 2012


      They're never going to stop supporting ipv4, I don't think.
      posted by empath at 12:07 PM on June 1, 2012


      Will there be any observable changes for internet users after the switchover?
      posted by iamkimiam at 12:08 PM on June 1, 2012


      Just in time for Linux on the desktop.
      posted by tommasz at 12:08 PM on June 1, 2012 [21 favorites]


      I like the Internet and I wish it well in its future endeavors but phrases like THE FUTURE IS FOREVER creep me out.
      posted by Trurl at 12:10 PM on June 1, 2012 [2 favorites]


      Will there be any observable changes for internet users after the switchover?

      The internet will be perpetually CAPS LOCKED, FOREVER.
      posted by Blazecock Pileon at 12:11 PM on June 1, 2012 [7 favorites]


      Good, because I finally broke down and bought a new router today. Hooray I am ready.

      Of course the POS Trendnet gigabit router I have at work doesn't include IPV6 at all. And it's only 2 years old.
      posted by caution live frogs at 12:13 PM on June 1, 2012 [1 favorite]


      Oh man I am SO PUMPED about this!!! I can't wait to see what Netscape looks like now!
      posted by Marisa Stole the Precious Thing at 12:13 PM on June 1, 2012 [3 favorites]


      Recent related MeTa.
      posted by Chrysostom at 12:15 PM on June 1, 2012


      Will there be any observable changes for internet users after the switchover?

      Depends on how often you deal with ip addresses directly.

      The biggest change, from my point of view as a network engineer, is that you'll no longer need to NAT or use private ips in your home network. There are good and bad aspects to that, since a lot of people rely on NAT for network security.
      posted by empath at 12:17 PM on June 1, 2012 [2 favorites]


      Will there be any observable changes for internet users after the switchover?

      Yes. There will be wide variety of unexpected problems that will cause all of those services to destabilize for a few weeks. One or more of them will go back to IPv4 until they sort those issues out.

      Weather report calls for random annoyances followed by a 50% chance of corporate embarrassment.
      posted by Tell Me No Lies at 12:20 PM on June 1, 2012 [4 favorites]


      The biggest change, from my point of view as a network engineer, is that you'll no longer need to NAT or use private ips in your home network. There are good and bad aspects to that, since a lot of people rely on NAT for network security.

      I expect a class action suit against the first ISP to unilaterally turn off NAT for home users.
      posted by Tell Me No Lies at 12:20 PM on June 1, 2012


      And yes, it is really, really going to happen, because we are out of ip addresses. The ISP I worked for stopped getting new ones months ago, and we didn't have a whole lot left to give out before that. We finished configuring ipv6 on all of our core routers and switches just two or three months ago.

      We hadn't started handing out ipv6 addresses yet, though.

      I think the real problem is going to be training a million tech support people who barely know how to do a trace route how to use ipv6. That is going to be an absolute fucking nightmare. (and will guarantee employment for CCNA's for the next few years)
      posted by empath at 12:24 PM on June 1, 2012 [2 favorites]


      I expect a class action suit against the first ISP to unilaterally turn off NAT for home users.

      How do you imagine that they would even do that, and why do you think ISPs are responsible for their home users' NATs?
      posted by empath at 12:26 PM on June 1, 2012 [8 favorites]


      OBEY IPV6
      posted by dirigibleman at 12:31 PM on June 1, 2012


      Should I pull my money out of the bank and stockpile TP just to be safe?
      posted by sourwookie at 12:33 PM on June 1, 2012 [1 favorite]


      Let's be reasonable. Buy gold with the money, and bury it in your basement.
      posted by Marisa Stole the Precious Thing at 12:43 PM on June 1, 2012 [3 favorites]


      Should I pull my money out of the bank and stockpile TP just to be safe?

      Did you mean:

      Should I pull my money out of the bank and stockpile IPs just to be safe?
      posted by pmcp at 12:45 PM on June 1, 2012


      Cos I'm not sure it works like that.
      posted by pmcp at 12:46 PM on June 1, 2012


      There should be serious work being done, and it's like... nothing.

      So you're saying we should be CAPITALIZING on this?
      posted by Blazecock Pileon at 12:51 PM on June 1, 2012 [4 favorites]


      So, toddler's terms, how does this work for those of us who run a home network with NAT? Right now, I suspect, I'd just buy an IPv6/IPv4 hybrid thing, and run IP6 on the ISP side with an IPv4 private network. A NAT with IP6 translation.

      In the future, when all my devices go IPv6, how much dickery will I need to do? How will it be costed out? I've got near a dozen devices (computers, cell phones, media streamers, NAS, printers, etc...) some with permanent local network addresses, some not hanging off of my router. Will I need to get addresses individually for each from my ISP? Is that going to be automagic? Will I have to pay for extra connections?
      posted by bonehead at 12:53 PM on June 1, 2012


      How do you imagine that they would even do that, and why do you think ISPs are responsible for their home users' NATs?

      As far as I know the vast majority of home users do not run their own NAT. It's either being done at the ISP or it's being done at the cable/dsl modem managed by the ISP at their home.

      I don't know about you, I pay extra each month to have a public IP address at home.
      posted by Tell Me No Lies at 12:53 PM on June 1, 2012


      Note to self: find out what the hell IPv6 might be and whether there is any conceivable chance it's something I should care about.

      At some point.

      Maybe right after I've finished this excellent Ardbeg.
      posted by Decani at 12:54 PM on June 1, 2012 [1 favorite]


      I DON'T UNDERSTAND WHAT'S HAPPENING AT ALL
      posted by Catchfire at 12:55 PM on June 1, 2012 [9 favorites]


      WILL THIS FIX EUROPE
      posted by TwelveTwo at 12:56 PM on June 1, 2012 [6 favorites]


      As far as I know the vast majority of home users do not run their own NAT. It's either being done at the ISP or it's being done at the cable/dsl modem managed by the ISP at their home.

      The vast majority of home users have a router which does NAT for them. In some cases those routers are built-in to the ISP's modem or might be provided by the ISP itself, but there's plenty of people with their own router. If you think home NAT can somehow be done "at the ISP" then I don't know what you think NAT is.

      I don't know about you, I pay extra each month to have a public IP address at home.

      What does this have to do with NAT?

      posted by kmz at 1:00 PM on June 1, 2012


      As far as I know the vast majority of home users do not run their own NAT. It's either being done at the ISP or it's being done at the cable/dsl modem managed by the ISP at their home.

      Some ISPs sometimes provide modems which also include router functionality, and have NAT on by default. The ISPs are in no way responsible for managing it, though. They give you a manual for it, and you are on your own. Try getting an ISP to set up some NAT forwarding rules for you some time.

      And as far as doing NAT at the ISP level? Never. Maybe cell providers do it for mobile phones, or metro wireless companies, but it never, ever happens for DSL or cable providers.
      posted by empath at 1:01 PM on June 1, 2012 [1 favorite]


      Lucky I've still got my bunker stocked with stun guns and beef jerky from Y2K.
      posted by roger ackroyd at 1:04 PM on June 1, 2012 [1 favorite]


      Now that Duke Nukem Forever and Chinese Democracy are out, this is the logical next step.
      posted by inigo2 at 1:04 PM on June 1, 2012 [10 favorites]


      I don't know about you, I pay extra each month to have a public IP address at home.


      You sure it's not just a static address that you're paying for? I'm always assigned publicly routable addresses at home, but they change on me occasionally.
      posted by Nonsteroidal Anti-Inflammatory Drug at 1:09 PM on June 1, 2012 [2 favorites]


      Is there an Aztechnology Zen Brain Feng Shui center that can help me remove these hundreds of ipv4 addresses from my memory and remodel my memory habits to make these new ipv6 addresses easier to remember?
      posted by chambers at 1:18 PM on June 1, 2012


      Now that Duke Nukem Forever and Chinese Democracy are out, this is the logical next step.

      Diablo III was the logical next step. This is the next one after that.
      posted by The Bellman at 1:23 PM on June 1, 2012


      So, is there some non-geek, plain-english site where a regular home-user can go to research what, if anything, he might need to do to not get trumped-up by IPv6?

      For instance, my home network consists of a fairly old Moto Surfboard cable modem, feeding into an Airport Extreme, which in-turn broadcasts a wireless network to three Macs of varying age and OS versions. It's also hard-wired to an iMac and a printer (which it shares on the network). Of course, the Airport is the firewall.
      posted by Thorzdad at 1:28 PM on June 1, 2012


      You aren't going to have to do anything at all if you have a modern operating system and a router with up-to-date firmware.
      posted by empath at 1:29 PM on June 1, 2012


      And as far as doing NAT at the ISP level? Never. Maybe cell providers do it for mobile phones, or metro wireless companies, but it never, ever happens for DSL or cable providers.

      I know cell providers can do it, but I could have sworn at one point I was running a DSL modem in bridge mode and receiving DHCP 10.0.0.0 addresses over the WAN link.

      I don't know about you, I pay extra each month to have a public IP address at home.
      What does this have to do with NAT?

      It informs my suspicion that the ISP is handing out private addresses by default.

      You sure it's not just a static address that you're paying for? I'm always assigned publicly routable addresses at home, but they change on me occasionally.

      That's a good point, I set it up long enough ago that I don't remember the details.
      posted by Tell Me No Lies at 1:32 PM on June 1, 2012


      I don't know about you, I pay extra each month to have a public IP address at home.

      I don't think you quite understand how a router works. And pretty much everybody with an internet account has a public IP. You pay to get a static one.
      posted by yerfatma at 1:33 PM on June 1, 2012


      What about all the code out there that only groks IPv4?
      posted by Jestocost at 2:04 PM on June 1, 2012


      So, toddler's terms, how does this work for those of us who run a home network with NAT? Right now, I suspect, I'd just buy an IPv6/IPv4 hybrid thing, and run IP6 on the ISP side with an IPv4 private network. A NAT with IP6 translation.

      While it is technically possible to do this, to get the grunt to do it in a home router is unlikely.

      What is much more likely:

      You get a new router that can do both IPv6 and IPv4. Your ISP gives you one IPv4 address (either static or dynamic from a range) as per now. You also get a block of IPv6 addresses*; your router hands these out to your internal network. Windows, Linux and OSX have all supported IPv6 for years, and all have it turned on by default.

      So as soon as an IPv6 router shows up on your home network, all your devices get their own personal IPv6 address which is the same one inside and out - a Real IP, so to speak. No NAT needed. In fact, you'll get so many, that your devices will generate new random ones periodically using the Privacy Extensions, so external websites don't see the same IPv6 address all the time.

      Your computers will look on the internet when they look up a website address - say, www.google.com via DNS. If they get back an IPv6 address record, they'll connect over IPv6. If IPv6 isn't available, or they don't get an IPv6 DNS record back, they'll connect over IPv4. You won't notice the difference, until one day you look at your bittorrent client and suddenly realise you've got a whole bunch of peers directly connecting to you over IPv6 as without NAT fuckery it's a lot easier to get a direct connection.

      And any router manufacturer will turn on automatic blocking of unrequested traffic inbound on IPv6 using the stateful firewall built in, *just like they do with IPv4*.

      It's not NAT protecting you on a bog-standard router, it's the standard 'allow all traffic out, but only allow replies to that traffic back in' firewall, and that won't change with IPv6.


      * Now, the above is in an ideal world, where ISPs were on top of this years ago as the IPv4 addresses ran out, their techies are all trained up, and the router makers are churning out dual IPv6/IPv4 routers like no tomorrow.

      Unfortunately, none of that is true, and the ISPs are barely waking up to IPv6 at all, even now.

      So here's what's more likely to happen.

      You buy a new router. It doesn't have IPv6. So you take it back, and get an expensive one that does. Your ISP doesn't do IPv6, but has run out of IPv4 addresses so now they do carrier-grade NAT. You don't get a real IPv4 address on your router, but a non-globally-routable one.

      What this means is you're behind another router at the ISP, that has the real IPv4 address, and it's shared amongst a bunch of customers. Which means you don't have the ability to port forward any more, because you don't have a real IP. So that breaks:

      peer-to-peer traffic i.e. bittorrent.
      Xbox peer-to-peer gaming, i.e. most of it.
      PS3 peer-to-peer gaming.
      PC peer-to-peer gaming.
      Skype, and other peer-to-peer video traffic.
      VOIP phones.
      Using your own IPv6-in-IPv4 tunnel.

      Anything else that uses UPNP to open up inbound ports as needed to get round the NAT.

      Oddly enough, most of those are competing with the ISP's own services, such as voice, video calls, free copies of tv shows... So don't expect them to fix it.

      They will however sell you a premium service for twice the price, where you get a real IPv4 address. And businesses can get IPv6 too, but will pay an eye-watering price for it.

      The cell phone carriers have already been deploying carrier-grade i.e. ISP level NAT for some time, including filtering proxies to help lessen the load. I expect that technique to get far more common in the next couple of years on domestic ISPs as there are basically no more IPs to allocate. The last blocks are filtering down through the ISPs, and when they're in the hands of end-users, that's it. There are no more.

      I expect the general end-user internet to get substantially more restrictive, rather than accept they have to deploy IPv6 at hefty cost now they've put it off so long. And as long as they can still visit facebook, most users won't care. I could be wrong. I hope I am. But I doubt it.
      posted by ArkhanJG at 2:12 PM on June 1, 2012 [10 favorites]


      A number of big providers, like Google, have tried turning IPv6 on for a day or two at a time for a few years now, to shake out the bugs and see what breaks. TTBOMK, fire has not rained from the sky.

      Will I need to get addresses individually for each from my ISP? Is that going to be automagic?

      The way it's supposed to work is, your ISP assigns each end user a fairly large subnet, 2^64 addresses, and your devices autoconfigure themselves with addresses in that subnet using any of a variety of methods. I'm looking forward to ISPs finding a way to screw that up, though.

      Google turning on IPv6 addresses won't affect people who aren't intentionally using IPv6, unless and until their ISPs start sending IPv6 router advertisements down the DSL/cable links. And IPv4-only people won't have trouble until services stop making themselves available over IPv4, which I doubt they will choose to do for a long time.
      posted by hattifattener at 2:13 PM on June 1, 2012


      FWIW, I've got my own home IPv6 address block assigned via sixxs, and have had for a couple of years now. I'm running the AICCU client on my dlink router flashed with openWRT (I think DDWRT also now supports it), so it connects the IPv6 tunnel at boot, routes it over my IPv4 connection, and hands out IPv6 addresses to my internal network. All my computers get IPv6 and IPv6 private addresses, and my home fileserver has both IPv4 and IPv6 static addresses. Everything else is dynamic.

      It would have been a lot simpler if I had a fixed IPv4 address, then I could have just plugged my sixxs settings into my dlink stock firmware and have it all work automagically, but as my IPv4 external address changes every few hours, I needed the AICCU client.

      If I'd not been bothered about all the computers inside my network, I could have just run AICCU on one windows/osx/linux computer, and have that one get an IPv6 for itself only.

      The only time I really notice I have IPv6 is when connecting into my network from work (where I've also got IPv6 running), as I can connect to each machine directly with its own DNS address, rather than screw about with VPN, port forwarding or any of that rubbish. My home firewall would block it of course, but I've whitelisted certain ports coming from a small subset of the IPv6 addresses at work, i.e. the ones I'm using.

      I expect my ISP to support native IPv6 addresses roughly 5 minutes after hell freezes over.
      posted by ArkhanJG at 2:24 PM on June 1, 2012


      I don't think businesses or customers are going to be charged extra for ipv6 addresses. I think they'll be begging people to take them instead of ipv4 addresses. T1 and fiber customers will get them first because the edge routers already support it. I have a feeling a lot of dsl customers will not even have the option for a while because there are a LOT of ten year old or more dslams out there that don't support ipv6, and I bet a lot of them are end of life and may not even have a firmware upgrade available to add support. DSL isn't really supposed to touch layer 3, but a lot of dslams do ip filtering and so on, so there are probably going to be some compatibility problems.

      I don't know what the infrastructure at cable providers is like, though.
      posted by empath at 2:29 PM on June 1, 2012


      NAT goes away. All devices would receive public-routable v6 addresses.

      please, please, please, oh god, please, can we have our peer-to-peer internet back already!
      posted by Mars Saxman at 2:35 PM on June 1, 2012 [2 favorites]


      odinsdream wrote...
      I worked for a wireless ISP and we did carrier-level NAT. Yes, it was bad.

      Thanks odinsdream, I was beginning to think that *I* was dreaming it :-)

      I don't think you quite understand how a router works.

      It's possible. I did write networking code at cisco for ten years, starting with the communications servers that terminate all those residential devices and eventually moving into the IP routing group. But that was a while ago; Deployment strategies for residential service have undoubtedly moved on from schemes I was helping to create.
      posted by Tell Me No Lies at 3:10 PM on June 1, 2012


      NAT goes away. All devices would receive public-routable v6 addresses.
      please, please, please, oh god, please, can we have our peer-to-peer internet back already!


      Okay, but you probably won't like it. On average it takes 20 minutes for an unpatched Windows box on the internet to be compromised. Shorter than the time it takes to download the patches in other words.
      posted by Tell Me No Lies at 3:18 PM on June 1, 2012


      Okay, but you probably won't like it. On average it takes 20 minutes for an unpatched Windows box on the internet to be compromised. Shorter than the time it takes to download the patches in other words.

      Don't most (at least) major ISPs block those ports already?
      posted by junco at 3:22 PM on June 1, 2012


      0:0:0:0:0:ffff:3216:b10e: The plastic it's ok to like.
      posted by blue_beetle at 3:29 PM on June 1, 2012 [1 favorite]


      Okay, but you probably won't like it. On average it takes 20 minutes for an unpatched Windows box on the internet to be compromised. Shorter than the time it takes to download the patches in other words.

      a) That was true back with Windows XP pre SP2. SP1 introduced an included firewall. SP2 beefed it up, and more importantly, turned it on by default. That was in 2004, i.e. 8 years ago.
      It doesn't apply to Windows vista or 7, which also has a built in firewall turned on by default; it also has substantially less remote root vulnerabilities.

      b) No NAT does not mean no router firewall. It is hard to do NAT without one, as you need something to track the packets, but it is very easy to do a firewall without NAT. All IPv6 routers I know of also have stateful firewalls included, and are turned on to block unexpected (i.e. non reply) packets by default.

      c) In fact, it'd be pretty tricky to give your 9 year old XP pre SP2 fresh install an IPv6 address in the first place, as it didn't have IPv6 included.

      d) And even with a modern OS, plugging it directly into your modem probably won't work anyway, as the ISP will be expecting you to take responsibility for a block of a few billion IPv6 addresses directly, and won't be handing them out on an individual basis using RADVD or the like, so without some significant manual configuration, you won't be getting an IPv6 address at all. So you'll use an IPv6 router, which will have a firewall.

      I wish the 'oh god, no NAT means we're all DOOMED' meme for IPv6 would just die. IPv6 has some drawbacks, but lack of NAT for most use-cases is definitely not one of them. It will also solve a ton of problems, and anyway - there is nothing else. IPv4 is almost out of address space, and our choices are significant deployment of carrier-grade NAT at the ISP level, or IPv6 in the next couple of years. Or we all just stop buying new smartphones, tablets and computers.

      Those are basically the choices. Hoping the problem will go away isn't an effective one.
      posted by ArkhanJG at 3:51 PM on June 1, 2012 [5 favorites]


      Oh, I forgot

      e) Your computer on IPv6 will have one of 18,446,744,073,709,551,616 IP addresses. That's a /64, the smallest unit recommended to be assigned to home users (and the smallest practical unit of addresses in IPv6).

      Good luck running a worm that attempts to connect to every single one of those to find that 9 year old XP machine that's just had the IPv6 patch manually added and is going on the internet for the first time without a router firewall but hasn't had a chance to connect to microsoft updates yet.

      And even if you're very very lucky, that gets you 1 computer. Now go scan the next house. Don't worry, they'll have one of 18,446,744,073,709,551,616 addresses too. And since privacy extensions are on by default, the computer will be on a new one every couple of hours.
      posted by ArkhanJG at 3:59 PM on June 1, 2012 [7 favorites]


      Arkhan has it. The chance that an attacker (a) even finds your machine in the infinite sea of addresses, (b) gets through the default firewall in any non-unearthed-from-ancient-caverns version of Windows, and (c) does all this before Windows Update runs automatically is basically 0.

      Windows & Macs are at much much greater risk of trojans/malware than external hacks these days (probably always been true, but protecting against external attack via firewall/etc is much easier than convincing users not to install stupid shit).
      posted by wildcrdj at 4:38 PM on June 1, 2012


      Okay, but you probably won't like it.

      I promise you that I will very much like it, because it means that running servers on my own machines and doing simple things like ssh'ing in to machines at home when I'm at work will once again be practical and not something that requires hours of tinkering with whatever arcane configuration tool the chain of routers lined up between home and the public Internet happens to use.

      The patchedness or compromisability of Windows machines bothers me very little, since I have no Windows boxes to begin with. I understand that Windows people all run software "firewalls" and "virus protectors" anyway, so they should be fine, I suppose.
      posted by Mars Saxman at 4:55 PM on June 1, 2012 [1 favorite]


      I understand that Windows people all run software "firewalls" and "virus protectors" anyway

      Firewalls are not just a Windows thing, they are something any computer/network should have (either in the OS or the router, but leaving everything open is a bad idea on Mac/Linux as well).

      Macs have had plenty of exploitable vulnerabilities, while the number may be less than Windows that's not much comfort if you get exploited.

      Most people have a router with a built in firewall anyway, so this is something you don't have to think about much.
      posted by wildcrdj at 5:16 PM on June 1, 2012


      wildcrdj, I know what a firewall is, I just don't consider a piece of software running on the same machine it is supposed to be protecting to be worth the name. The only firewall I would trust is one in a router. But I don't actually know anything about Windows software firewalls first-hand, so maybe there is some way to make them work - it just sounds goofy.
      posted by Mars Saxman at 6:52 PM on June 1, 2012


      Whatever happened to IPv5?
      posted by LastOfHisKind at 10:38 PM on June 1, 2012 [1 favorite]


      It doesn't apply to Windows vista or 7, which also has a built in firewall turned on by default; it also has substantially less remote root vulnerabilities.

      Here's the numbers from 2010. While it would be nice to believe that the situation has only gotten better as time has gone on and vulnerabilities have been patched, history has shown it doesn't always go that way.

      And since privacy extensions are on by default, the computer will be on a new one every couple of hours.

      Assuming that privacy extensions will be enabled on the home boxes -- and that they will be honored by hosts -- by default seems a bit of a leap. I believe we're going to see quite a few zero padded mac addresses as endpoints, and needless to say mac addresses are quite predictable.

      Watching my coworkers trying to get their drivers to play nice with the Windows 7 firewall has certainly increased my opinion of it, but I'm not sure I believe it's ready for prime time. Fortunately it sounds like Asia is going to have to go first anyway and we'll see what happens.

      IPv4 is almost out of address space, and our choices are significant deployment of carrier-grade NAT at the ISP level, or IPv6 in the next couple of years.

      Or we punt it for a few more years by reclaiming all of the Class A addresses now that CIDR is ubiquitous. Chop those puppies up responsibly and you can clear another 5 years easy. Brutal and ugly I know, but if large governments find their IPv6 conversions slipping there's all sorts of mischief they can get up to.
      posted by Tell Me No Lies at 10:42 PM on June 1, 2012


      This guy (PDF) (Fernando Gont, an Argentinian network expert, drafter of a few of the RFCs and one of the people hired by the UKCPNI to evaluate the UK's IPv6 preparedness) categorized as a "myth" the idea that larger address space will make finding other hosts much harder in a practical way.

      Delmoi and ArkhanJG made the nifty points in a thread last year that if everyone gets their own /64 block or thereabouts every single process on your system could have its own IP address or even every single HTTP request. It's the IPv4 equivalent of a solid gold toilet or using hundred dollar bills to light your cigar. Our cups runneth over with IP addresses.
      posted by XMLicious at 12:32 AM on June 2, 2012 [1 favorite]


      Arkhan has it. The chance that an attacker (a) even finds your machine in the infinite sea of addresses, (b) gets through the default firewall in any non-unearthed-from-ancient-caverns version of Windows, and (c) does all this before Windows Update runs automatically is basically 0.

      Filed away for future claim chowder, somewhere in 640K of RAM...
      posted by alex_skazat at 1:12 AM on June 2, 2012


      Our cups runneth over with IP addresses.

      Addresses yes, networks not so much. Whoever decided to blow 64 bits of the address on host numbers needs to be shot.
      posted by Tell Me No Lies at 1:13 AM on June 2, 2012


      But there's space for 18,446,744,073,709,551,616 /64 blocks, right? That's not enough networks?

      And that's just what's recommended. I read of an ISP that was just giving out /48 blocks to end users. So only 281,474,976,710,656 IP addresses. You would still need a pretty damn big cup for it to not overflow.
      posted by XMLicious at 1:31 AM on June 2, 2012


      Addresses yes, networks not so much. Whoever decided to blow 64 bits of the address on host numbers needs to be shot.

      Eh, not so much. With a 128 bit address space, using half for the routing and half for the client address makes it relatively simple to set up. And one thing they didn't do with IPv6 is think small.

      Let's say we give 7 billion people their own personal /64. Hell, let's give them 10 each. That's 70 billion /64s, and every person has 184 quintillion personal addresses. That should do for their personal nanobot cloud.

      So out of 18.446744073 quintillion possible /64s.... we have 18.446744003 quintillion left. We can afford it, I think.
      posted by ArkhanJG at 3:23 AM on June 2, 2012 [2 favorites]


      It depends where you're coming from. By its nature subnetting wastes a lot of space, and it adds up fast.

      For example, at the moment I'm considering the problem of 200 sites with 4 million subnets each. So eight bits worth of sites and twenty-two bits worth of subnets.

      At 30 bits worth of subnets this scheme is barely going to fit into a /32. Worse, as a responsible engineer I think it would be wise to allocate at least another 12 bits for future proofing. We're going to need a /20 to do this right, which requires special dispensation (literally) from the powers that be.

      Now I'm not saying that you're going to run into this problem. All told there are probably only a few thousand people who will ever find themselves frustrated at how quickly you run out of subnets when you try to do something interesting. Speaking for those people however, whoever decided to waste 64 bits on endpoint addresses needs to be shot.
      posted by Tell Me No Lies at 10:22 AM on June 2, 2012


      18,446,744,073,709,551,616 addresses

      And if you somehow have the bandwidth to scan a gig (billion) of those every second, it'll take you 584 years and 202.538487 days to hit them all.
      posted by Twang at 10:23 AM on June 2, 2012


      Speaking for those people however, whoever decided to waste 64 bits on endpoint addresses needs to be shot.

      I think you probably aren't clear on how big a number 64 bits is. If every single person on earth is given a /64, that still leaves enough addresses for 7 billion more earths full of people. You've barely even touched the range of possible addresses. You'd have enough /64s to give one to every single grain of sand on the planet.
      posted by empath at 10:34 AM on June 2, 2012 [1 favorite]


      And if you somehow have the bandwidth to scan a gig (billion) of those every second, it'll take you 584 years and 202.538487 days to hit them all.

      Assuming they are uniformly distributed. If most addresses are in a known subrange, you can target your scanning there. I think, but I am not positive, that this is the situation that is described in the lecture notes in XMLicious' comment, and why IPv6 is not automatically safer, even with the larger pool of addresses.
      posted by Blazecock Pileon at 11:10 AM on June 2, 2012 [1 favorite]


      Speaking for those people however, whoever decided to waste 64 bits on endpoint addresses needs to be shot.
      I think you probably aren't clear on how big a number 64 bits is.


      I think we look at the prefix on /64s and see two different things. You see 2^64 networks, and I see 64 bits that need to be chopped into useful subcontainers.

      The first useful subcontainer is "what I can get assigned to me", and the largest allocation that is easily available is a /32. So realistically you can only get 2^32 potential networks, or in my terms 32 bits encode all of your layers of subnets.

      Of course over in IPv4 land I have already addressed this issue with a 10.0.0.0/24, which gave me -- let's say -- 20 bits to encode all of my layers of subnets.

      So I've gained twelve bits to organize my networks. I had 20, now I have 32. Whoopee. And particularly irksome when you realize it could have trivially been 64 instead of 32.

      -------------------

      People are very fond of tossing around powers of 2 when it comes to internet addressing, but I often feel they miss the practical aspects of the system. Addresses are routes to get somewhere, not just numbers; Having a hydrogen atom in Bali listed next to a gold atom on the beaches of Regulus 3 isn't going to work -- and by the time you've encoded Universe/Galaxy/Sector/Subsector/Quadrant/Star/Planet/Latitude,Longitude you'll have long since run out of the 64 bits IPv6 gives you.
      posted by Tell Me No Lies at 1:16 PM on June 2, 2012


      For example, at the moment I'm considering the problem of 200 sites with 4 million subnets each. So eight bits worth of sites and twenty-two bits worth of subnets.

      At 30 bits worth of subnets this scheme is barely going to fit into a /32. Worse, as a responsible engineer I think it would be wise to allocate at least another 12 bits for future proofing. We're going to need a /20 to do this right, which requires special dispensation (literally) from the powers that be.


      OK, that's a big network. Considering there's only 32 bits in the entire IPv4 network, and you've only got 24 bits for the largest non-routable address block for private LANs, that's gotta be a lot of address duplication in private VLANs.

      That many subnets in a single site makes sense in an IPv4 world, where address space in /24 or even /16 subnets is so limited - but I'm pretty sure such a site design is sub-optimal in the IPv6 world. Massive consolidation of subnets - in the extreme example, to a single /64 per site for users plus a few /64s for intra-router subnets etc would still give you more than enough addresses for every device trillions of times over, and won't cause the routers to explode by trying to use a /20 for internal addressing - if you could even get it, which seems unlikely!

      Ah, but security? stopping traffic routing between segments of the network? That's not the job of NAT, or the subnet space. It worked in IPv4 doing it that way - and I can see how you'd end up with that design - but having 4 million subnets in one site is a poor way of doing something that's better done with internal firewalling in an IPv6 world. The point of subnetting is a way to tell devices what is and isn't local traffic, not to determine access or not. A physical site is going to be at most a handful of /64s per building depending upon the LAN setup and even that is likely overkill.

      I mean you could start using /126 subnets with say DHCPv6 but it's the wrong way to solve the problem. As is trying to force the current IPv4 design into an IPv6 /32 or worse, a /20!
      posted by ArkhanJG at 1:59 PM on June 2, 2012


      Tell Me No Lies, am I misunderstanding something then - even being in control of the network at the highest level, you are not at liberty to decide to give end-users /32 blocks so that you can have the /64 for organizing that you want?
      posted by XMLicious at 2:18 PM on June 2, 2012


      Tell Me No Lies, am I misunderstanding something then - even being in control of the network at the highest level, you are not at liberty to decide to give end-users /32 blocks so that you can have the /64 for organizing that you want?

      I'm not sure I'm following you... Here's an IPv6 address as I experience it:
      +-------------------------------------------------+
      |         32 bits assigned by registrar           |               
      +-------------------------------------------------+
      |            32 bits I use to subnet              |  
      +-------------------------------------------------+
      |          Upper 32 bits of node address          |  
      +-------------------------------------------------+
      |          Lower 32 bits of node address          |  
      +-------------------------------------------------+
      
      There's no way for me to chew into the node address space if that's what you're asking...
      posted by Tell Me No Lies at 10:10 PM on June 2, 2012


      Yeah, I guess I was misunderstanding in thinking that the subdivision of the address space into subnets could use what you've labeled "node address" there.
      posted by XMLicious at 10:29 PM on June 2, 2012


      Yeah, unfortunately those are off-limits unless you want to start in on some serious ugliness.

      (not that I'm proud. ArkhanJG's DHCPv6 approach would allow you to unofficially chop up the lower 64 bits; If it didn't add too much complexity to the wrong part of our system it's the direction I would have taken things)
      posted by Tell Me No Lies at 10:41 PM on June 2, 2012


      It worked in IPv4 doing it that way - and I can see how you'd end up with that design

      Just to be clear my gloom and doom about the IPv4 to IPv6 transition has nothing to do with the pure IPv6 network layout I'm working on. I've only had this network layout problem a few months now; I've been talking doom and gloom about NAT removal for at least twelve years :-)

      Ah, but security? stopping traffic routing between segments of the network? That's not the job of NAT

      Agreed. NAT got drafted into firewall duty.

      ... or the subnet space.

      That bit confuses me a bit. To me it seems that network layout and firewall are both integral to security.
      posted by Tell Me No Lies at 11:28 PM on June 2, 2012


      ... or the subnet space.

      OK, to be fair that does need expanding on, and I will. Look, I'll be honest here. I'm not an IPv6 expert. I play one on the internet, and I've been working on IPv6 for the last couple of years to decide how to migrate my own network so I've got a decent working knowledge of it, but I'm not a specialist by any means. Nor do I know your network. Please don't take this next bit personally, it's honestly not meant as a slight - but I don't think you're an IPv6 expert either. Given the scale of the network you're dealing with, you would probably benefit from talking to one as a consultant or whatever.

      Much of what we know, our best practices from decades of IPv4 network design basically gets thrown out of the window when it comes to IPv6. It's trite, but it's pretty much an entirely different way of thinking about things.

      Anyway, so back to subnetting and routing. Fundamentally, all a subnet says to a machine is 'can I send this myself, or do I need to give it to a router to do it for me?'. Nothing more. Forcing machines to talk to the router becomes a convenient place to stick the firewall rules to block or allow traffic between different segments of the network, but it's not a fundamental requirement.

      If I was to hazard a guess on the network layout, it'd go something like this:

      You're using the 10.0.0.0/8 internal address space. That's been divided into a lot of subnets where each individual VLAN gets a /24 or 2^8, so 253 hosts per vlan effectively. Maybe a few with a slightly bigger subnet such as a /20 , but I'll assume a /24 is the standard subdivision. Each subnet maps to a vlan, each subnet has a default router which is probably the layer 3 switch. The layer 3 switches enforce via firewall rules which other subnets each vlan can talk to, which isn't most of them - most subnets are only allowed to route to a subset of other subnets where you have shared servers etc, but not to 'parallel' subnet with other clients in. Individual departments have their own personal servers, again enforced by the layer 3 firewalls so they're not accessible. You then have default gateways for the routers so that non-intranet traffic goes out to beefy routers to handle WAN and internet traffic.

      Now, with 200 sites, you'd need 8 bits to give each site its own segment and to allow WAN traffic routing; which only leaves you 16 bits in the 10.0.0.0/8 space per site to play with; and 8 bits for client addresses means you only have 8 bits left for subnets, or 250 odd per site. So you end up with massive address duplication between sites; to give each site 4 million subnets, that's 22 bits out of 24 available leaving only 2 bits left for clients per subnet, which is what, 2 clients per subnet plus router plus broadcast, plus no place for intra-site routing (unless you use the 172.16/12 too?) so I'm struggling a bit on how that actually works.


      But let's retrench. Let's say you're allocated a single /48 IPv6 block. That's 256 /56s or 64k /64s. So each site gets a /56, each actual in use vlan/ipv4 subnet gets a /64, assuming you do have more than 2 machines in a given subnet and you've got less than 64k vlans actually in use across the whole network. Use stateless addressing or DHCPv6 per subnet, and then the routing map looks much like you're used to; each vlan gets a /64, and to get out of that subnet it has to talk to the switch router which then firewalls off each segment from each other. Shared devices (i.e. printers) specific to a subnet go inside the /64; shared devices outside a given subnet go in more /64s and so go via the layer 3 switch/firewall. Or you want to go bigger; each physical site gets a /48. That's 64k vlans per site; your whole network fits in a /40.

      But let's assume you're actually using 4 million active vlans per site. Those have got to be stupendous systems as the ones I use top out at 4k vlans!

      So what we do is separate vlans from subnets. We don't keep the 1-1 mapping. Use DHCPv6 and dhcp forwarding on the switches to assign a small subset of a /64 address space to each vlan, or even manual addressing - but each vlan still uses a /64 subnet because otherwise it's gonna go all Pete Tong.

      The devices think everything in that /64 is local and doesn't need to go to the router. But that's fine. We don't WANT the traffic shared between most vlans. That's why they're in separate vlans in the first place! So the devices will try to send it direct if it wants to, but it'll never get there as they're separated at the VLAN level. For simplicity, put the shared servers in separate /64s, and the clients will know to use the layer 3 switch gateway to get to those - put in firewall rules etc as per normal. Or put shared servers/printers for a given segment in the same vlan, and the clients will get to it on their own without needing to talk to the router at all.

      So we're not using subnetting to restrict traffic between segments; we're using physical separation of the vlans to do it for us. That's what I meant by network security - you only need to use subnets to tell clients when they need to talk to the router to get out of their own area. Physical separation, i.e. layer 2 vlans or physically separate switches, is what separates the network into segments, and always has. Adding layer 3 subnets that match the physical layout makes sense, but it is not necessary to do so.
      posted by ArkhanJG at 2:56 AM on June 3, 2012 [1 favorite]


      Please don't take this next bit personally, it's honestly not meant as a slight - but I don't think you're an IPv6 expert either.

      No slight taken. You've certainly hit that nail on the head :-)

      I read your analysis with interest, although I was dismayed to see DHCPv6 chopping up the /64 host address appear again. You would think 64 bits of network address would get us out of these problems!

      However, I think I may have misled you as to the nature of the problem I'm solving. I'm not doing a migration, it's a greenfield.

      I've been racking my brain for a way to talk about the issues involved without getting shot in the back by my CTO (startup executives are always so touchy) and here's what I've come up with. BTW, if you thought 4 million subnets was a lot, you may want to get out the oxygen mask :-)

      --------------------

      So, you and I are taking over AT&T operations and because we're nice people we're going to turn on tethering for all of our smartphones. Right now we only have 50 million out there but we should probably plan for 500 million total.

      Heady with the large numbers being thrown around about IPv6 we decide we're not doing dynamic anything. Every phone gets a /64 for a tethering network.

      However, given the terrible state of our backbone we are willing to compromise in one area: when the phones travel to different parts of the world we would like to give them addresses local to that area so we can route their IP traffic without having to tunnel it all the way back home. Since we're not feeling dynamic, the easiest way to do this would be to allocate every phone a locally routed /64 network at each of our main locations -- let's say there are 200 of them -- around the world.

      So it appears to me that if we want to pre-allocate everything (wasteful yes, but very desirable from a simplicity standpoint as moving parts are anathema when you've got hundreds of millions of users) we're going to need 200 * 500 million = 100 billion /64 networks.

      On one hand ... this is IPv6. What's 10^11 (also known as 2^37) networks between friends?

      On the other hand, how do we organize all of these networks in a meaningful way? Obviously starting them with 8 bits of location data makes our top level routing decisions a lot easier. But beyond there it all gets a bit fuzzy for me.

      As you say IPv6 requires a different way of thinking. Do you have any ideas for how to approach this in an IPv6-ish fashion? Fortunately my problem will top out around 2^22 networks, but I suspect a lot of the principles will be the same.
      posted by Tell Me No Lies at 1:55 PM on June 3, 2012 [1 favorite]
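      An added example (not from any poster in this thread) of the fixed-bit address plan both posts above sketch: ArkhanJG's /48 carved into per-site /56s and per-VLAN /64s, and Tell Me No Lies' pre-allocated location + phone /64s, with a check of how large a parent prefix each plan needs. The prefixes 2001:db8::/48 and 2001:da0::/27 are constructed placeholders, and the level names are my own.

```python
"""Fixed-bit IPv6 address plan: carve a parent prefix into /64 leaf networks
by concatenating fixed-width index fields, so every prefix is computable
from (site, vlan) or (location, phone) without any DHCP state."""
import ipaddress
from typing import Sequence, Tuple

LEAF_PREFIXLEN = 64  # one /64 per network, as the thread assumes throughout
Levels = Sequence[Tuple[str, int]]  # (field name, field width in bits)


def bits_needed(count: int) -> int:
    """Smallest field width that can number `count` distinct items."""
    if count < 1:
        raise ValueError("count must be positive")
    return max(1, (count - 1).bit_length())


def required_parent_prefixlen(levels: Levels,
                              leaf_prefixlen: int = LEAF_PREFIXLEN) -> int:
    """Longest parent prefix that still leaves room for every index field
    above the leaf boundary, e.g. 8 + 29 field bits above a /64 -> /27."""
    total = sum(bits for _, bits in levels)
    if total > leaf_prefixlen:
        raise ValueError(f"{total} index bits do not fit above a /{leaf_prefixlen}")
    return leaf_prefixlen - total


def fits(parent: ipaddress.IPv6Network, levels: Levels,
         leaf_prefixlen: int = LEAF_PREFIXLEN) -> bool:
    """True if `levels` can be carved out of `parent` down to the leaf size."""
    return parent.prefixlen <= required_parent_prefixlen(levels, leaf_prefixlen)


def leaf_count(levels: Levels) -> int:
    """Number of leaf networks the plan enumerates (2^(sum of field bits))."""
    return 1 << sum(bits for _, bits in levels)


def allocate(parent: ipaddress.IPv6Network, levels: Levels,
             indices: Sequence[int],
             leaf_prefixlen: int = LEAF_PREFIXLEN) -> ipaddress.IPv6Network:
    """Prefix for a path of indices through the levels.

    A full path (one index per level) yields the leaf /64.  A partial path
    yields the aggregate covering every network below it, which is what the
    top-level routers carry (e.g. one route per location)."""
    if not fits(parent, levels, leaf_prefixlen):
        raise ValueError(f"/{parent.prefixlen} is too small; need at most a "
                         f"/{required_parent_prefixlen(levels, leaf_prefixlen)}")
    if len(indices) > len(levels):
        raise ValueError("more indices than levels")
    value, used = 0, 0
    for (name, bits), idx in zip(levels, indices):
        if not 0 <= idx < (1 << bits):
            raise ValueError(f"{name} index {idx} does not fit in {bits} bits")
        value = (value << bits) | idx
        used += bits
    # Fields sit immediately after the parent prefix; any spare bits between
    # the last field and the leaf boundary stay zero.
    shift = 128 - parent.prefixlen - used
    network_int = int(parent.network_address) | (value << shift)
    full_path = len(indices) == len(levels)
    prefixlen = leaf_prefixlen if full_path else parent.prefixlen + used
    return ipaddress.IPv6Network((network_int, prefixlen))


# ArkhanJG's layout: one /48, 8 bits of site (256 x /56), 8 bits of VLAN (/64 each).
SITE_PLAN = [("site", 8), ("vlan", 8)]
SITE_PARENT = ipaddress.IPv6Network("2001:db8::/48")  # constructed (documentation prefix)

# Tell Me No Lies' tethering plan: 200 locations x 500 million phones, one /64 each.
TETHER_PLAN = [("location", bits_needed(200)), ("phone", bits_needed(500_000_000))]
TETHER_PARENT = ipaddress.IPv6Network("2001:da0::/27")  # constructed placeholder
REGISTRAR_32 = ipaddress.IPv6Network("2001:db8::/32")   # the "easily available" /32

if __name__ == "__main__":
    print("site plan needs a", f"/{required_parent_prefixlen(SITE_PLAN)}")
    print(allocate(SITE_PARENT, SITE_PLAN, [3, 17]))       # site 3, vlan 17 -> /64
    print("tether plan needs a", f"/{required_parent_prefixlen(TETHER_PLAN)}",
          "for", leaf_count(TETHER_PLAN), "networks")
    print(allocate(TETHER_PARENT, TETHER_PLAN, [5]))       # route for location 5
    print(allocate(TETHER_PARENT, TETHER_PLAN, [5, 1]))    # location 5, phone 1
    print("a registrar /32 fits the tether plan:", fits(REGISTRAR_32, TETHER_PLAN))
```

Running it shows that 8 location bits plus 29 phone bits push the tether plan up to a /27, so the /32 a registrar hands out cannot hold it, while the site/VLAN plan fits exactly in a /48.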


      Why on earth would you not do that with dhcp?
      posted by empath at 5:29 PM on June 3, 2012


      I like simplicity. I can autocalculate all of my addresses, my L3 traffic/event logs are trivial to trace because my endpoints never change addresses. My GGSN can handle 1000 connections per second without worrying about the DHCP server crapping out from the load.

      From a network stability and maintainability standpoint, it seems to me that adding dynamic allocation needs to offer some benefit to outweigh the extra complexity. I'm not sure I see the benefit in this particular situation?
      posted by Tell Me No Lies at 12:08 AM on June 4, 2012


      I am not a network engineer, but sometimes I need to translate their musings into English.
      The feedback I had from our large ISP IPv6 trial is two bugs were picked up in the router code (one Alcatel, one Cisco, one in a core, the other in a distribution edge). One was probably a memory leak as it only occurred after a reasonable time under load (several days) but the other was a straight up defect that caused network errors straight out of the box.
      Our customers running the trial are mainly ISPs in their own right, or government/large enterprise agencies with big IT staff. The message the engineer I was talking to gave was that IPv6 hasn't had enough testing in robust environments to be ready for prime time. He suggested the big (mainly academic/research) sites that are using 6 now aren't pushing the envelope in some of the areas commercial networks do.
      Quite apart from that, there is a whole heap of assurance work to do to make it all get along, for example upgrading reporting and rating platforms. So yeah, we will be able to offer IPv6 by the end of the year; it might have a bunch of rough edges compared to the nicely mature service offering in place for IPv4.
      posted by bystander at 3:56 AM on June 4, 2012


      To be fair I'm totally willing to take over the world of wired networks as well.
      posted by Tell Me No Lies at 6:33 PM on June 4, 2012


      Hmmm... Linode's Fremont servers are having horrendous network problems this morning. Given that they're hosted at Hurricane "Tunnel Broker" Electric I wonder if this is an indirect result of IPv6 day...
      posted by Tell Me No Lies at 12:42 PM on June 7, 2012




      This thread has been archived and is closed to new comments



