Microsoft last week bought just over 600,000 IP addresses (a /10 block and a /11 block if you are counting) for $7.5 million from bankrupt Nortel. For a moment there it was everywhere on the web, a mild reminder of what happens during a famine when gluttons hoard food. But what is really going on here, and what does it mean in the near and longer terms? Well, first let’s settle something: it is immaterial to Microsoft. Had the price been $7.5 billion, or better yet $75 billion, I’d say Redmond viewed having that block of addresses as central to its survival. But $7.5 million is pocket change and probably represents to Microsoft nothing more than a cheaper way than the alternatives of doing the same thing. What it means in the long haul to the rest of us is yet more chipping away at our facade of IT empire as we find increasingly complex ways to preserve IPV4 while China, for example, mandates IPV6.
If you aren’t up on this broader story it is simple — there are only around 4.3 billion IPV4 addresses, yet there are already a lot more than 4.3 billion people and digital Internet nodes in the world. There are two ways to deal with this population problem: 1) move on to a new system with more addresses (IPV6, which has more than we think we’ll ever need, but didn’t we think that the last time, too?), or 2) hold the system together with a mixture of internal and external, static and dynamic IP addresses through that happy kludge called Network Address Translation (NAT). IPV6 puts your light switch or, for that matter, every individual light on your Christmas tree on the Internet. NAT can do that, too, but with a lot more effort and a lot less fun.
It’s not that we’re actually out of IPV4 addresses, either. The simple analogy here is to money. The economy is crap right now and yet all the economists talk about trillions of dollars being “on the sidelines” and “waiting” — though it’s never quite clear to me waiting for what. Same, too, with IPV4 addresses, which are all assigned, we’re told, but not all being used, like those 600-odd thousand snapped up by Microsoft.
I have no doubt those addresses are for Redmond’s cloud strategy, by the way. If they want to virtualize hundreds of thousands of customer servers they’ll need hundreds of thousands of IP addresses, simple as that. Microsoft actually thinks about stuff like this unlike, say, me.
There are plenty of IPV4 addresses either not in use or improperly in use today. I’m told that Verizon, for example, has two /16 blocks (128K addresses in all) that are external addresses assigned to internal nodes like printers. Those could all be recovered since they are being misused, or Verizon could sell them for close to $2 million, following Microsoft’s act of price discovery.
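The two ideas in play here, how many addresses a prefix holds and how to spot public addresses sitting on internal-only devices, are easy to check mechanically. The following Python is an added illustration, not code from this column or from Verizon: the device inventory is constructed, the 203.0.113.0/24 addresses are the RFC 5737 documentation range standing in for a company’s public allocation, and the audit simply flags internal-role hosts whose addresses are outside RFC 1918 space.

```python
"""Prefix arithmetic and an audit for public addresses on internal-only
devices. Added illustration, not code from the original column. The
inventory is constructed; 203.0.113.0/24 is the RFC 5737 documentation
range, standing in for a company's public allocation.
"""
import ipaddress
from collections import Counter

# RFC 1918 space: what an internal printer or file server can use behind
# NAT without consuming a public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: (hostname, address, role). "internal" devices are
# never meant to be reached from the Internet.
INVENTORY = [
    ("print-01", "203.0.113.10", "internal"),
    ("print-02", "203.0.113.11", "internal"),
    ("badge-reader", "203.0.113.12", "internal"),
    ("www", "203.0.113.5", "public"),
    ("print-03", "192.168.4.7", "internal"),
    ("file-01", "10.20.0.9", "internal"),
]


def block_size(prefix):
    """Addresses in a CIDR block: a /8 holds 16,777,216, a /16 holds 65,536."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def address_space(version):
    """Total address space: 2**32 for IPv4, 2**128 (about 3.4e38) for IPv6."""
    return 2 ** {4: 32, 6: 128}[version]


def is_rfc1918(addr):
    """True if an IPv4 address falls in one of the three RFC 1918 blocks.

    Checked explicitly rather than via ipaddress.is_global, because the
    stdlib treats the documentation range used in this sample as non-global.
    """
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def misused_public_addresses(inventory):
    """Internal-role hosts holding non-private IPv4 addresses: recovery candidates."""
    return [(host, addr) for host, addr, role in inventory
            if role == "internal"
            and ipaddress.ip_address(addr).version == 4
            and not is_rfc1918(addr)]


def recoverable_by_prefix(inventory, prefixlen=24):
    """Count recoverable addresses per prefix so renumbering can be planned per block."""
    counts = Counter()
    for _host, addr in misused_public_addresses(inventory):
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("a /8 holds", block_size("9.0.0.0/8"), "addresses; IPv6 has", address_space(6))
    for host, addr in misused_public_addresses(INVENTORY):
        print(f"{host}: {addr} is public but the device is internal-only")
    print(recoverable_by_prefix(INVENTORY))
```

Renumbering the flagged hosts onto RFC 1918 space behind the existing NAT is what makes their public addresses available again; the per-prefix count tells you whether a whole block can be freed or only scattered addresses.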
I’m sure there are millions and millions of IPV4 addresses to be regained just as I am sure that most of them won’t be because the rich don’t see themselves remaining that way by giving their stuff away for free.
Routers from Cisco and Juniper have been ready for IPV6 for a decade or more. In one sense it’s just a matter of turning it on, and doing so would bring us advantages in network performance and security, too. But that isn’t going to happen anytime soon in the USA, partly because of the complexity of all those NAT layers presently in operation, but even more so because of the threat it poses to entrenched network administrators and IT directors.
IPV6, you see, doesn’t differentiate between the workgroup and the galaxy, so workgroup sysadmins and net admins might disappear in droves. This won’t go down well in an industry based on keeping CEOs ignorant and in fear of the network and continually adding IT labor whether it is needed or not. Entrenched IT will fight tooth and nail against IPV6, telling all the appropriate lies to keep us from moving forward until we’re a decade or more behind.
They — maybe you — don’t really care.
This won’t happen — can’t happen — of course in China or India, both of which will shortly need at least a billion addresses each for smart phones alone. IPV6 is their only answer. So thanks to their late entry in this Internet thing and our gleeful willingness to self-destruct, they’ll shortly be ahead and we’ll shortly be behind.
But Microsoft, thinking ahead, will have IP addresses to spare.
BTW Bob!
How big is the block “owned” by IBM?
Interesting point. IBM owns the class A range 9.x.x.x in IPv4, which means there are 16 million IPv4 addresses locked up in a private network. How many other corporations are doing the same?
Here’s a list of the /8 address block holders including IBM: http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks. These used to be called A Blocks and, as you say, they are the biggest. Most are owned by telcos and ISPs but IBM is in there as is GE and, for some reason I can’t figure, DuPont. I guess you had to be there…
Too bad routers from Cisco AREN’T ipv6 compatible under the Linksys brand, much less for the last decade. Actually, if you go back to the original Linksys WRT54G you can run opensource software that is compliant.
Your best bet is to go with D-Link, or some cheap no-brand Fry’s weekend special. They’ve been IPv6 compliant for years.
I thought this was common knowledge?
https://www.linuxtoday.com/infrastructure/2011021001635NWBZNT
I was referring to Cisco’s enterprise-grade routers that pretty much run the Internet, not Linksys products like the WRT54 line that predate Linksys being acquired by Cisco.
It’s true that there are no seat belts in a 1957 Chevy Nomad wagon, but that does not mean General Motors builds no cars with seat belts.
I have a Nomad; I put seat belts in it.
The Cisco DPC3825 residential gateway is IPv6 capable. The key point being DOCSIS 3.0 support.
Link to Comcast “approved cable modems and EMTA devices”:
http://mydeviceinfo.comcast.net/
Prior link to Cringe piece mentioning the DPC3825:
https://www.cringely.com/2011/01/2011-predictions-one-word-bufferbloat-or-is-that-two-words/comment-page-1/#comment-48536
Waiting for moderator approval on my follow up reply outlining use of the DPC3825 and HTPC configuration using Ceton InfiniTV quad tuner.
Comcast IPv6 Information Center:
https://www.comcast6.net/
Of course the modern CISCO routers support IPv6.
We just published some notes on configuring NAT-PT (Network Address Translation – Protocol Translation), on CISCO routers – http://su.pr/3ZjTaR
Wow, they should talk to their ISP about converting to IPv6… oh, wait 😛
Then again, good luck with those printers – it’s a good story when we can’t be angry about Microsoft Windows or Apple OS X (or Linux in my case)… it seems to be all the little ethernet based gadgets stuck on IPv4 that are going to be a pain.
All those old printers, SNA gateways, and the like can’t use IPv6 addressing.
And a lot of the consumer spectrum is moderately (or barely) IPv6 compliant. They can recognize the address, but they can’t do much of anything with it. Cringe’s old buddies at IDG took a look at v6 a month or so back, and basically it was the old “we are compliant with the standard, which has so many loopholes in it that we are compatible with nothing that we don’t make” trick.
Sure, but the point about those Verizon IP addresses is that they are being wasted in this role. They could easily be put behind a NAT and the numbers recycled.
There is no reason that IPv4 and IPv6 cannot co-exist (in fact they do right now since some ISPs push their backbone traffic over IPv6).
Thanks for showing that Wiki article on assigned ranges. Amusing that HP actually have two ranges and Halliburton have one as well. Equally amusing that so many have Defence Dept owners… I bet none of them are truly on the net either.
HP has two because they acquired Compaq, which had acquired DEC, which had an original /8 network assignment.
Your conclusion may be right, but your reasoning is way off. IT (as in network tech) have been pushing for IPv6 for a decade, but have been unable to show sufficient short-term ROI to convince management.
Power in IT is based on head count and head count is based on perceived threats and busywork. A CIO who goes to IPV6 at the cost of 20 percent of his head count could easily show ROI, but he never tells that head count part to the CEO or management committee.
What!!!!!!!!! You *mean* Bureaucracy isn’t just in dat damn Gummint???????? You mean the Private Sector does it too!!!!!!!!! Such a damn lie. Capitalists are perfection. Just ask Ayn Rand.
I have to disagree with you there Bob.
CEOs love sacking technical staff. HP, IBM anyone ?
Adding corporate fat like ITIL practitioners, managers and process droids gives them the yesmen and headcount for the insane egos while removing those who still have a connection to reality.
Yes, modern CEOs succeed by eliminating jobs, which is exactly why any government policy based on expecting General Motors to revive Detroit is ludicrous. BUT, modern CEOs also tend to be both stupid AND insulated from reality. Do you think a CIO is going to SUGGEST firing 20 percent of his or her staff? Of course they won’t. They protect their domain by keeping the CEO as ignorant and fearful as possible.
Please, please, please explain how IPv6 reduces head count? What is the magic that makes anything simpler? Longer addresses? Maybe I’m dense, but I see more work and more complexity.
The more addresses, the more routable nodes; the more routable nodes, the more work necessary to manage them. As it is now, NAT is a labor-saving technique. NAT is easy. Every reader of this column manages NAT in their home.
Think of the implications of making every Easy-Bake-Oven(TM) publicly addressable over the Internet, for example. Believe me, they will be networked so that Mattel can push Pillsbury advertisements at little girls while their cupcakes burn.
Bob’s stated theory is that the complexity of NAT increases IT headcount.
This might or might not be true in the long run. In the short run, the IPv6 transition (if it happens) is going to grow headcount.
“(IPV6 which has more than we think we’ll ever need but didn’t we think that the last time, too?)”
IPV6 has enough available addresses to assign a unique IP address to every sub-atomic particle in the solar system (plus several others). I’ll go on record as saying that I’m pretty sure that’s enough to last at least for *my* lifetime.
Which is why I spoke of galaxies. But I’ve been around long enough to remember the introduction of IPV4 and wrote about it at the time. There was discussion then about possibly going to some larger number but it was deemed necessary “in our lifetimes,” as I recall one of the original fathers of the Internet telling me at the time.
Something like that is worth remembering and mentioning, don’t you think?
As Dr. McElhone says: “the world is not linear”. Neither are such progressions.
> in our lifetimes
There’s always the terrifying, but non-zero, probability of eternal life being handed out to everybody in short order.
(as opposed to the absolutely-guaranteed-to-dissolve-civilization small chance of eternal life being bought, as an exclusive, by the owners of the U.S. and a few other equally nasty bastards.)
Bob, you’re not getting more than 640K of memory, you don’t need it. 🙂
Doesn’t IPv6 provide 256^6, or about 10^14 addresses? That’s an enormous amount of addresses (about 40,000 per person on the earth) but I wouldn’t say it’s enough to start identifying atoms (ballparked at about 10^80), much less subatomic particles.
IPv6 is not simply six octets to IPv4’s four.
From Wikipedia: While IPv4 allows 32 bits for an Internet Protocol address, and can therefore support 2^32 (4,294,967,296) addresses, IPv6 uses 128-bit addresses, so the new address space supports 2^128 (approximately 340 undecillion or 3.4×10^38) addresses.
… or about 1 mole of addresses per square yard of the earth’s surface
The math for the number of possible addresses is correct at 3.4e+38.
Even if the world population was at 1 trillion (more than 100 times higher than reality) the 3.4e+26 addresses still available per person is MUCH higher than the 4e+4 estimate posted elsewhere. I also came up with 5e+11 addresses per gram of earth or about 3e+11 atoms of earth per possible address in IPv6.
(http://education.jlab.org/qa/mathatom_05.html says 1.33e+50 atoms in earth.)
On the other hand, there are about 1.5 people per IPv4 address in the world. At this time, my wife and I could easily have 3 devices each, all concurrently using the 1 IPv4 address we have available at our home now. (I must say I like having the 1.0-1.5MB/sec download times I have now when I am the main user of the internet. We’re also basically luddites, we use two laptops, total, on the internet.)
The fact that Microsoft can buy any IP addresses anywhere shows how unused the current addressing scheme really is. The author of this article makes some really good points about how slow the conversion to IPv6 is still going to be in some areas of the world. Not enough people are feeling the pain in the industrial nations now. Most businessmen see that the transfer has to happen sooner or later. They’ll choose later.
10^11 cells in a brain. 10^10 brains on Earth. 10^11 stars in each galaxy (let’s assume one Earth-like civilisation per star).
Okay, we’re only up to 10^32 braincells in our galactic empire.
So we’ll need to colonise a million galaxies and allocate every braincell its own static address before we run out of IPv6 addresses.
Does your estimate include the Higgs boson?
Cringely,
I think there are two points that I’d like to make here.
Mis-used IPv4 addresses: Many corporations are using the private IP range for devices located behind the firewall that are not internet routable. Changing to public internet routable IP addresses seems like a waste or, as you say, mis-used IP addresses. Here’s the motivation: corporate acquisitions, mergers, consolidation, etc. Company A buys company B; they are both using the same private IP range. The CIO of company A says to the IT staff “move company B’s equipment into our datacenter this weekend.” After several of these buyouts that result in the IT staff working 40 of the 48 hours over the weekend, someone decides that it would be easier if we just had unique IP addresses to begin with.
Migrating to IPv6: You say that current IT staff are motivated to stay on IPv4 because “IT staff might disappear in droves.” You don’t really explain your rationale for this. I would argue that not going to IPv6 is the result of upper management’s decisions. A typical IT staff in the USA is about 50% of what is needed to do the job. Maintaining the current infrastructure and building out new projects that are high on management’s priority list consume > 100% of the staff’s time. IPv6 has been at the bottom of the ToDo list and will forever stay there until one of two things happens: management makes it a priority (which they won’t) or we are forced into changing.
We worked like crazy for a US Gov. mandate to only buy IPv6 devices by 2008. It was sort of stupid on our part. Engineers take things like this seriously. Everyone else who sells to the Gov. said, “Sure it will, just needs a software update.” Wasted energy.
Things behind the NAT wall can use DHCP. There is no reason for them to have internet IPs. It is a management issue really. The IT people would have to change things over, find devices that cannot do IPv6, or do it wrong, reconfigure, update, and get it all working. In the end, after lots of work and disruption, things are right back where they were before you started.
Consumers do not care how many bits are in their IP address. If they can’t get to the Facebook they get angry. If the reason is because the IT guys are geeking out over IPv6, they get really angry. Firing people angry.
The big companies have these big blocks because they were there as the internet developed. It is more an accident of history than a big corporate land grab.
The big push here is mobile. In three years there won’t be any mobile phones anywhere that aren’t smart phones. That’s three billion of those 4.3 billion IPV4 addresses accounted for. Yes, they could be behind a NAT but this is an instance where not being behind a NAT is better for the network, for the operator, AND for the operator’s app strategy.
Here is something else that I don’t think has been widely appreciated, which is the equipment replacement schedule for the mobile Internet. Desktop PCs last an average of three years in service before being recycled or handed-down, while phones last 18 months. As smart phones and smart phone-like devices become more popular they’ll push the adoption cycle shorter and shorter with an equivalent effect on the mobile software business. That’s good because unit prices are lower but customer expectations aren’t. The result will be for awhile an effective turbocharging of Moore’s Law that will have huge across-the-board impact as long as it lasts.
I also would be interested to hear Bob’s rationale for IT resistance to IPv6.
My guess goes something like this:
I know of a well-established small business of about 60 employees, 2 of which are full-time IT people, both of them very well paid and not overworked.
These 2 represent what I call the IT priesthood. They purport to do magick, and management understandeth not. They hide the keys to the digital temple in darkness, and ransom them dearly.
But I suspect if all the 100 or so devices on their network used IPv6 addressing, then the increasing simplicity of remotely administering the workstations, the servers, the VPNs, etc. might soon become apparent; the outsourcing process would accelerate; and the annual savings would be substantial.
The IT budget could easily be cut by half.
I have no reason to think the situation is very different at thousands of other businesses right here in my hometown. And so on.
I disagree. IPv6 is fundamentally just an addressing scheme with more numbers. I don’t see anything in it that would make it any easier to administer. I’d really appreciate it if people could point out what I’m missing here?
On the other hand, there is a lot of stuff that would make for a bumpy ride during transition – new software, bugs, potential lack of – or untested – support in management systems, application issues, old hardware that doesn’t support IPv6 etc. This is the real problem – it’s an upgrade/migration cycle that has no immediate benefit, but instead seeks to avoid a future risk that has yet to materialise.
I work in a large finance institution, we really have almost zero drivers to implement IPv6 internally (potentially Internet facing ALGs might need IPv6). It would be a great waste of time, effort and man power. If the theories here were true then we ought to be pushing for it!
Going to IPV6 eliminates the need for NAT. Eliminating the need for NAT eliminates the need for a local router. There is one less device needed to purchase and administer. One less device TIMES EVERY HOME AND WORKGROUP, which means 100+ million devices in the USA alone. Now think of this in terms of the cloud transition that is very clearly happening. Moving services to the cloud pushes them upstream past your ISP’s router, which in turn becomes unnecessary. Not today, but eventually. That’s easily 20,000 devices in the USA alone, many of which have a dedicated professional administrator. Eliminate the router and eliminate the admin and the network just becomes faster and more powerful. Is this starting to make sense? It won’t happen soon because of the political reasons I have mentioned, but it WILL happen eventually.
I’ve had only routable addresses from my ISP for the past decade. I still need a router to assign those addresses to devices as they are added to the network, to create the LAN, and to share the internet connection; plus yet another device for switching and/or wi-fi. So eliminating NAT per se won’t reduce the number of boxes.
You won’t necessarily need a local router (although it’s not clear you won’t, either), but you will still need a local firewall.
How, how, how does IPv6 make anything simpler? Somebody explain it to me. I know a bit about the topic, and I really don’t see where the simplicity is supposed to come from. NAT is not complicated; there’s no mystery there. Every reader of this blog uses NAT at home. VLANs/routing/firewalls are all still necessary no matter how many bits are in your IP address.
In some cases, NAT complicates things plenty. Try configuring a p2p application (e.g., voice or video) to go point-to-point. It wants two IP addresses that are routeable. But neither node behind NAT knows its IP address. Without this, your traffic has to go between some well-connected box in the middle.
There is some ability for systems to ask their local router to open up an incoming port for them, and tell them what the routable IP address is. Some NATs implement it, some don’t. But what happens when you’re behind two NATs? That’s what is being suggested for dealing with address depletion (“carrier-grade NAT”).
Meanwhile, all the effort spent traversing NAT may screw up the way your application wants to work. Lots of video apps use TCP, when UDP would be a much better choice. Why? NAT & firewall traversal. You can get out on tcp port 80.
NAT sucks. I won’t miss it if it goes.
Well, what drives the price of anything? Supply and demand. Want to make something pricey? Simply reduce supply in the face of demand. You alluded to this when during the Carter energy crisis you noticed barges parked on the Mississippi (I’ve always wanted to type Mississippi in a blog post – now I’ve done it).
There is no reason we can’t go to IPv6, like China. But there’s no money to be had in infinite supply is there? (Note I’m actually being sarcastic). So instead we have shortage and some people profit. For the same reason why we are falling behind in broadband speeds. Someone wants to make a profit.
There was an xkcd episode on this. What if we’ll assign ip’s to all 100 billion nanobots we’ll each have at our disposal? Would be nice to have a web panel to control them.
Or what if we suddenly discover 10 billion inhabited planets nearby and start a galactic empire?
So the going rate for an IPV4 address (bulk) is about $12 according to this Microsoft purchase. That is presumably cheaper than investing in the transition. If so, there is no gold rush here. The residual value of addresses that can be harvested behind NATs will have to be at least an order of magnitude larger for companies to bother putting bodies onto this. As availability of IPV4 addresses decreases, the cost to transition to V6 will fall too as more tools are implemented. Pretty soon, the value of IPV4 addresses will drop. This isn’t the case of a limited commodity like oil. It’s more akin to switching from horses to internal combustion, or propellors to jets. Someone at Microsoft just calculated that this premium makes sense right now. Presumably, the company is not bullish on IPV6 migration tools.
Yes, things can be easier to manage when using IPv6. No NAT!!
But it does take some extra effort to get over the hump to IPv6.
Some extra effort in enabling IPv6, and in the short term simultaneously supporting IPv4 and IPv6.
So, you can’t save headcount immediately.
The easy way to upgrade is to enable IPv6 in one small corner, and then declare that all new/upgraded things will _use_ IPv6. Avoids massive forklift upgrades.
This takes time (2..4 years of natural replacement cycles). Start ASAP. The longer you delay, the more work will be required to do in a rush later.
IPv6 lends itself quite handily to DHCP; in fact, it’s nearly impossible to deploy without using it. One problem Enterprise IT still faces is that devices from laser printers to blade chassis are not set up by default to use IPv6; you still have to either use a 192.x.x.x address or manually enter an IPv4 address.
It should however be relatively painless to begin converting externally facing devices to IPv6 by running in tandem. We just need the ISP’s to offer it freely.
After a few of these high-priced sales go through, you can bet that GE and Ford will start to look at their huge address blocks and think “hey, we can sell or lease these puppies and make a nice bonus on this quarter’s balance sheet”. They need, what, a few thousand of those 16.7M addresses? If Microsoft’s price of $12.50 an address is what they’re worth, that’s over $200M in assets they don’t really need.
Ah Robert Young, the difference is that companies with too much bureaucracy can and often do die, unless sometimes bailed out by govt (see GM). Government usually tries to “solve” the bureaucracy problem by hiring more government employees. 🙂
Well, no. I’ve worked Federal Gummint, State Gummints, Fortune 100, dotBomb startups, small private, medium private; just about the gamut. Fact is, head count (not a better mouse trap) is what managers care about. When failure happens, as it inevitably does, then the most adept at shifting blame gets to keep (or even expand, yes, I’ve seen that) head count; rinse, repeat. The game is head count, not moving the chariot forward. Doesn’t matter whether it’s private or Gummint. Making good stuff isn’t the goal. If it were, coders wouldn’t still be writing the same damn way their grandpappies did in the days of COBOL and tape drives (VSAM came later and they devolved DASD into a tape drive that didn’t need a rewind).
Have a look at this tale:
https://www.yafla.com/dforbes/The_Impact_of_SSDs_on_Database_Performance_and_the_Performance_Paradox_of_Data_Explodification/
If managers weren’t intent on preserving The Olde Ways, 30 gig wouldn’t be transformed into 1.5 tera so commonly. But it is. I’ve seen the same thing, especially in the Fortune X00 world, where milking the last dime out of grossly bad software is the rule, not the exception. Whole industries do it, so no one company is found to fail; they all waste gobs of resources in about the same measure. That’s what bureaucracy does.
Actually, the problem with IPv6 is twofold.
(a) The conversion would need to be done over time. The last big change for the internet was supposed to take a day and ended up taking about a week when implemented. With the network at this size now… if we took the whole thing down it would probably take about 1 year to get it back up, and that is being very optimistic. So, IPv4 and IPv6 have to co-exist for some time after and during the change to keep the network up.
(b) The conversion will need lots of $$$$$$$$. There is a lot of hardware that would need to be changed and/or software for OLD equipment that would need to be written to support IPv6. This is probably the biggest problem facing management right now. The current state of the economy isn’t helping this reality either.
Just my 2-cents.
So are we talking the Internet version of the conversion from analog to digital TV transmissions? I can’t see the difference between having all ISPs do the same thing that broadcast TV stations had to do… which was support both modes for a couple of years, have all of them provide IPV6 modems/routers and then cut over with a ‘hard date’ in June, and a soft date in November of 201x.
Since the gov’t can’t ‘reuse’ the IPV4 address space (it resold the frequency ranges for wireless), what incentives can we use to get this done?
If Facebook offered a super-duper feature that was only enabled by turning on IPV6… the network would convert itself in hours ;-) (my only thought… Facebook TV… broadcast to your friends (and only your friends) using IPV6 multicasting capabilities ;-)
More like Y2K than DTV
I find it odd that nobody has mentioned the efforts to get the IPv6 stack actually functioning for the world at large, and efforts to educate and prepare, like https://www.test-ipv6.com/ and http://isoc.org/wp/worldipv6day/
We can test our situation, then start applying pressure on our ISPs (or network admins) to at least start engaging in meaningful discussions about the IPv4/IPv6 situation. With vision, good planning and some luck, the IPv6 switchover may become a non-event, like Y2K.
I am not a network admin, but have done some of that, including setting up firewalls and NAT routing for a combination Linux/FreeBSD/Windows network and subnetworks. It didn’t take that much. In fact, NAT made sense, since the world is organized hierarchically, and I wouldn’t want to make all of my internal addresses reachable by the outside world, for security reasons. Even without NAT, IPV4 address spaces are organized in blocks, so, although some big organizations may have thousands of unused IPV4 addresses, they can’t simply sell them, because they are parts of blocks that they do use. Anyway, I am not fighting IPV6, but it has to start at the top with the ISPs, and work in parallel with IPV4 for a long long time. A lot of software has to be rewritten, and a lot of that never will be, because it has been abandoned by the companies who wrote it. And as far as saving time goes, it takes a lot longer to copy down an IPV6 address (something that I need to do a lot when setting up new computers and devices), than to copy down IPV4 addresses. We will still need firewalls and routers for security and organization, and they will take as much to administer as IPV4, if not more.
Exactly. IPv6 is badly designed. I can remember all the 30 or 40 IPs on our network, and type ’em in easily. Try holding a bunch of IPv6 addresses in your head!
And all those ip aware devices *have* to be behind a fat firewall, compared to which NAT is dead easy.
Also – there are 65000 ports per IP. We have 1000s of net aware devices – using a port each – all on one static IP.
Lastly – if you want a static IP from your ISP you have to pay a few $ per month. That’s been the case for years. So $12 to outright own one is a bargain…
Yes, we should free up mis-used ext IPs assigned to int devices that should never see the internet. That would be more secure as well.
And yes, we should transition to IPv6 as soon as we can.
But do we really want the utopia of every thumb drive and every device having its own IP?
Can the average small to medium-sized business afford to pay for the heavy admin infrastructure costs, authentication costs and managed firewall that will be necessary because of the security headache that arises when some bad actor tells the office vending machine to direct your BlackBerry to wipe the Exchange server, because every device is internet enabled but they have unmanaged vulnerabilities, non-compliant chipsets, and use non-standard protocols?
Not to mention the purchasing of newer technology.
Better hire some IT people.
No, it’s probably best to do the first 2 points while continuing to use NAT, which is a wonderful tool for segregating your local network from the internet and having your existing devices work in the security environment they were designed for.
And of course to hope something as simple as NAT is retained in the final IPv6 implementation.
Just my 3¢ worth, adjusted for inflation.
See: http://apenwarr.ca/log/?m=201103#28
No one seems to address network security? Yes I should read more on the IPv6 networking, but a couple of things have to happen for me to seriously embark on an IPv6 deployment to internal *corporate* PCs that are directly addressed into this directly-internet-routed IPv6 protocol that will save much time with NAT which isn’t a problem (for me at least).
Firstly, someone has to go a looong way to convince me of a robust security model. I’m sure someone has one out there, but hey, I have a low budget, some IPv4 firewalls that are working fine and a NATted internet corporate network of users that generally don’t give a stuff about a few extra bits in a packet they don’t even get to see. You see, two things scare me most about IT and security: 1) People who don’t understand, and 2) People who think they do – and this is in the ‘stable’ and ‘understood’ world of IPv4. Right now when discussing IPv6 security I put myself into both of those categories. Why would I put my corporate PCs with sensitive data ‘directly’ onto the (v6) internet when right now I proxy them, filter them, categorise traffic, inspect, virus check etc., having some comfort that I (think) I am successfully controlling the ingress points for IPv4-borne menaces?
Secondly, IPv6 proposes a massive paradigm shift in security beyond traditional defence-in-depth corporate security structures. Doesn’t it? Oh wait, that isn’t being discussed…anywhere. Where is IPv6 security *going* is my question really. What is the fundamental security model that everybody will be expecting to deploy in the v6-only internet? Are we moving towards a per-node security platform? Centralised control but decentralised deployment? Each corporate PC is its own firewall but controlled centrally by something akin to group policy? Everything relies on the concept of ‘identity’ and ‘trust’. This sounds somewhat feasible in going a long way to realising the benefits of IPv6 in the corporate environment: so long as your PC is on the ‘internet’ and you can establish your identity and trust, then maybe you can reduce those ‘complicated’ IPv4 things such as NAT.
What I’m expecting to see is the big boys (China / India) being the leaders in the IPv6 deployment because, well, they have to. Next is the big carriers and ISPs. However, for my relatively small secure corporate environments, I’m going to wait as long as possible until the magic killer app comes along with some massive ROI. But then, I’m going to secure the heck out of it, at the very least stop unsolicited internet traffic getting to my nice new IPv6 internal PCs (i.e. firewall), and because I can’t trust the content out there I’m probably going to force everyone inside to go through some sort of outbound proxy (i.e. NAT)….so why did I go to v6???
Don’t get me wrong, the idea of deploying an IPv6 network sounds like a great challenge to undertake – nerdy and rewarding, however I can’t stand in front of, well, anybody, from CIO to the janitor, and convince them that the security concepts presented in the current ‘Getting started with IPv6’ and ‘Why you MUST move to IPv6’ type books have any credibility to be deployed into a commercially sensitive network environment. This is aside from the general ROI problems discussed here anyway.
Anyway, just clearing my head 🙂
As a side note: What should IT managers be scared of? A customer’s IT guy said to me quite proudly “I have deployed IPv6 onto all my servers!” Well good for him. I know he has an old IPv4 firewall which probably wouldn’t know what to do with a tunnelled v6 packet – just pass it through as configured probably. He would fit into the ‘knows just enough to hurt himself’ category and now has a direct connection from the (v6) internet to all his internal servers. Hum.
Yep, wherever I plug my laptop in, 48+ bits of its IPv6 IP address will always be the same. That makes me super easy to trace using only public information (its IP address). No need for cookies! “THEY” can even tell what kind of hardware I’m using based on the static part of my address.
In my humble opinion, IPv6 is a privacy nightmare. NAT will be even more important than ever, so will random MAC address generation software.
This is a recognized problem, and has been addressed reasonably.
https://www.ietf.org/rfc/rfc4941.txt
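The exchange above concerns the modified EUI-64 interface identifier that SLAAC builds from the interface's MAC address (RFC 4291), and the temporary addresses of RFC 4941 that replace it with a random identifier. The following is an added Python example, not code from the post or from any commenter: it derives the EUI-64 address a host would autoconfigure for a given prefix, and then does the reverse, recovering the MAC address (and therefore the OUI that identifies the hardware vendor) from any address whose identifier carries the `ff:fe` marker. Auditing a host's addresses with the reverse check is a quick way to confirm whether privacy extensions are actually in effect. The MAC and prefix values are constructed for illustration.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface identifier from a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in two, insert 0xfffe in the middle,
    and invert the universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable address SLAAC would form for `mac` in a /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers require a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 derived address, or None.

    Only the ff:fe marker is checked, so a random RFC 4941 identifier could
    in principle collide with it (probability 2**-16); for an audit that is
    acceptable, and the recovered MAC's OUI can be cross-checked if needed.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Classify each address as 'eui64' (stable, MAC-revealing) or 'other'.

    'other' covers RFC 4941 temporary addresses, manually assigned ones and
    stable-but-opaque identifiers; only 'eui64' leaks hardware identity.
    """
    return {a: ("eui64" if mac_from_address(a) else "other") for a in addresses}


if __name__ == "__main__":
    # Constructed sample: one documentation prefix, one laptop MAC.
    stable = slaac_address("2001:db8::/64", "00:11:22:33:44:55")
    print("SLAAC address:", stable)                 # 2001:db8::211:22ff:fe33:4455
    print("MAC recovered:", mac_from_address(str(stable)))
    # A temporary (RFC 4941 style) identifier reveals nothing.
    print(audit([str(stable), "2001:db8::1a2b:3c4d:5e6f:7a8b"]))
```

The same derivation applies to the link-local `fe80::/64` address, which is why a host with privacy extensions enabled for global addresses may still announce its MAC on the local link.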
This is a decent read:
http://www.ipv6forum.com/dl/books/the_second_internet.pdf
Regarding security, one interesting thing to note is that it is impossible to scan such a large IP range looking for active nodes. There just isn’t enough time. I’m not saying that provides complete security but it certainly helps a lot. In IPv4, it’s easy to scan IPs looking for unsecured nodes.
Any idea how long it would take to scan the IPv6 range? I have no idea but I would guess hundreds of thousands or millions of years.
Which /10 and /11 address ranges were involved in the sale?
Nortel also have a /8 class A (47.x.x.x) which I doubt they are using much of these days.
[…] 3. IPV6 is coming […]
Bob, your assertion that moving to IPv6 will be resisted by IT people or that lots of them will lose their jobs is complete hogwash. Your job is to speculate about tech trends and you usually do a pretty good job, but this one is way off.
Your argument is like saying that a building is renumbering their rooms from letters to numbers so they can number all the closets. As soon as that’s done, will they be able to fire half the maintenance staff? Of course not!
Do you really think IT staff spend a large amount of time dealing with IPv4 addressing? Come on, seriously?! Network admins setup a DHCP server, connect PCs and that’s about it. Occasionally they spend a few minutes troubleshooting IP conflicts between static devices (printers) and workstations. Sometimes a rogue DHCP server appears and makes the day more exciting. But the vast, vast, majority of IT time is spent on desktop support, server support, database administration, etc. How does IPv6 change any of that?
IPv6 is just an addressing scheme. IT departments will switch over to IPv6 when they’re forced to do so by external forces — e.g. their ISP only offers IPv6 addresses or charges a lot more money for “legacy” IPv4 addresses. After switching over, most companies will still use IPv4 internally because too many devices/softwares will have to be replaced for full IPv6 compliance — VoIP phones, print servers, printers, etc. There will be some pain in the switchover as edge routers and software will need upgrade or replacement, but afterwards life will go on.
With IPv6, DHCP will still exist. NAT will still exist. Routers, firewalls, and all the rest will still exist. If n IT staffers are needed now, n IT staffers will be needed afterwards.
I have a JOB?
You answer to a higher being, Mrs Cringely 😉
oh, please… the people who argue in favour of NAT obviously don’t get TCP/IP – and do not understand all of the additional security threats created by having to have interposing servers (third-party controlled) everywhere to get anything done.
Firewalls work (or not) exactly as they do now.
Configuration gets _easier_ not harder.
Link level encryption is built-in, not bolt-on.
Multi/many-cast has opportunities to reduce bandwidth consumption and create whole new classes of applications.
Unfortunately….
firewalls potentially work just as now, but in practice the firewalls don’t work worth a crap for ipv6 (today).
Encryption isn’t really built-in. One of the selling points was that “IPSec is mandatory for ipv6 support” but many, many systems do not support it and there is no easy key exchange built in.
Multicast doesn’t really work significantly differently in IPv6 than it does in IPv4. And pretty much nobody uses it outside their own network.
I’d personally argue that they didn’t work worth a crap yesterday either. Show me a significant port based exploit that hasn’t had a patch for ten years and I’ll grant you this argument. Firewalls and NAT-for-security arguments go in the same bucket for me.
I was under the impression that all the IKE style protocols for IPv4 IPSEC worked just as well for IPv6, on Windows, Linux, Cisco etc.
That would be for pretty much the same political and business reasons that no one passes IPv4 multicast traffic now, even after many of the technical arguments were knocked down with IPv6.
If the whole argument for not going ahead with IPv6 consists of “well, we’ve always done it this way” kinds of arguments or “well, they’re not using it” kinds of arguments then really, what’s the point?
People ask the technologists to come up with solutions to problems. The solutions are ignored until absolutely the last minute… at which point the problems and costs for deployment are way beyond those of a reasonably paced and considered deployment. No one benefits.
How hard would it be if you went to each of your vendors, one a week, for the next year and said “your key exchange stuff is borked. Fix it or next capex round we go with your competitor”.
Ditto for IPv6 addressing in your software, or IPv6 support in your printers.
I mean, it’s not like it’s not a free market or anything with totally transparent, open intellectual property like RFCs for all the protocols involved…
Seeing the general tenor of the arguments here makes me think of the US attitude to SI. While the rest of the world moved on YEARS ago, the US remains stuck in this ghetto of stupid and obsolete units. And the reasoning is exactly the same — “I don’t want to do anything that will take effort now, regardless of what the future benefit might be”. Likewise for energy policy.
Ultimately this is a co-ordination issue, and in the rest of the world co-ordination is possible because the attitude towards government is still functional, and it is accepted that co-ordination is a legitimate government role. Given that the US has always disputed this, and that the disputes have become more angry in our time, I don’t see this ending well. Like the US cell phone system, eventually reality will kick in — all this dicking around with moving addresses and playing with NAT simply means more time to delay the inevitable. But when that reality is finally accepted, the end result of all these ” let’s just put it off for one more week” will be twenty years of wasted time and effort.
Blaming management here is silly. The underlying problem is certain pathological attitudes throughout US society.
Bob mentioned China.
I attended an interesting talk last fall by some engineers from CERNET, (the? a?) Chinese research & education network (roughly analogous to Internet2 in the US, which is my employer).
The CERNET2 network was built from the ground up as an IPv6 only network. It is a very nice, very high capacity network, with almost no usage. Everyone still uses creaky old congested IPv4 CERNET network.
cernet presentation slides at: http://events.internet2.edu/2010/fall-mm/agenda.cfm?go=session&id=10001342&event=1159
I chuckle every time I read about IPV6. Supposedly it was urgent at least 10 years ago and its roll-out is going to happen Real Soon Now.
From this perspective, it’s actually quite apparent why their economy has gone through 4 recessions in the last 20 years, and will continue to slide after the reconstruction blip. The aging population is the cause, not for the reason of an “aging-workforce” but “stubborn idealism” that is threatened like a guillotine on the younger workforce.
Bob, you’re not getting more than 640K of memory, you don’t need it