IPv4 Declared Historic – Draft

datatracker.ietf.org

67 points by nyan4 10 years ago · 39 comments

azdle 10 years ago

Everyone take note that this is an individual v0 draft, it says "Type: Active Internet-Draft (individual)" and "Intended status: Standards Track". Before this becomes an RFC (if it ever does at all) it has to go through discussions as an individual draft, then it has to be voted to become standards track, at which point it will become a working group draft where it goes through more comments, editing, and waiting, and only then does it become an official RFC. To give you an idea of the time scale this is talking about, see that this version of this draft expires in September.

This is in no way some proclamation that IPv4 is no more, it's more like the obituaries that newspapers have sitting around for public figures just in case they die. The IETF isn't quick at getting RFCs published, and it definitely won't be with something as big as this.

forgottenpass 10 years ago

Good. The longer we build as if v4 isn't legacy support, the more drawn-out and uglier the already uncomfortable transition will be.

betaby 10 years ago

IPv4 reminds me of non-Unicode applications from the 90s, or ATM, or frame relay, or IPX, or SNA, or 16-bit DOS apps. All of the above were gone eventually. The same is going to happen with IPv4, but I guess at a slower rate.

  • Aloha 10 years ago

    Frame Relay and ATM are still very much living, so are non-Unicode applications, SNA and 16-bit DOS applications a little less so, IPX I think is all but dead however.

__david__ 10 years ago

It's interesting to see this looks like it was drafted by a Time Warner Cable employee, and yet my twc internet still doesn't support IPv6. Though it gives me hope that maybe it's coming soon?

  • nandhp 10 years ago

    If your equipment is all IPv6-capable, you may just need to swap out your modem. Time Warner Cable has achieved 100% IPv6 availability (possibly excluding certain phone customers):

    http://www.timewarnercable.com/en/support/faqs/faqs-internet...

    • jepler 10 years ago

      .. except no static ipv6 even for commercial / business class users? wt---

      • wtallis 10 years ago

        What's the point? The addresses TWC assigns are extremely stable in my experience. Are you trying to run a public-facing DNS server or do you have some other need to hard-code IP addresses?

        • abstractbeliefs 10 years ago

          Well, DNS needs you to "hard"code the IP addresses you are available at against your domains.

          Before you suggest DDNS, for some companies, the length of unavailability between a changed IP and the DDNS client noticing and updating can be fatal.

          • pyvpx 10 years ago

            why are they hosting services on their dynamically addressed business line? everyone offers static addressing on business lines. it's a complete rip-off; and conveniently makes the proper route -- colocation, a dedicated server, "the cloud" -- more financially sound.

  • danyork 10 years ago

    The draft is written by a Time Warner Cable employee, Lee Howard. Lee has been an outspoken advocate for IPv6 for many years and has been very involved with TWC's rollout of IPv6. (I am a TWC customer and did get IPv6 in Keene, NH, about 2 years ago.)

sparky_ 10 years ago

This feels optimistically premature.

Sure, it's been superseded, and it's great to move the ball forward. But somehow I think this legacy technology will be in use for a long, long time.

  • ra1n85 10 years ago

    Agreed.

    The few use cases I see that have a hard requirement for IPv6 typically involve arbitrary drivers like government regulations for unique addressing. I have yet to see much demand for IPv6 driven by functionality.

  • rmetzler 10 years ago

    I think the same, IPv4 isn't going anywhere soon.

    • lisivka 10 years ago

      Sorry, but containerization and SDN need addresses. I can spawn a dozen networks on my computer using docker/flannel/kubernetes, but I have only 1 white IPv4 address for all of them, so I need to use NAT and a stepping-stone server. I have no such limitation with IPv6: each host has its own white IPv6 address and addressing becomes flat. Sorry, but I have no choice, so I use IPv6 today.

sergioocon 10 years ago

Wow, I released an RFI 12 years ago on IPv6 when I was working in a Telco, and every vendor talked about it as a reality... I am still waiting for that reality to be an actual one. I am still waiting for my ISP to activate IPv6 in my WLAN at home... after all those years

kazinator 10 years ago

> Current and future work builds on IPv6, making it better for every purpose than the old protocol.

Not for purposes like:

* I want the IP header I'm transmitting between these two nodes to be as small as possible

* I want a CPU and memory efficient TCP/IP stack for an embedded system.

Pretty much no successor of anything is better than its predecessor for "every purpose", just every purpose that the speaker happens to care about.

chatmasta 10 years ago

I know it pains neckbeards to hear this, but IPv4 is not going anywhere, as long as it remains in the business interests of major cloud providers, and as long as people continue to deploy NAT based firewalls as a security feature.

Re: business interests: Cloud businesses can acquire IP addresses at price points far higher than the average developer can. Now that the ARIN address space is exhausted, cloud providers will begin to buy more and more IPv4 space until they have a complete monopoly and large portions of IPv4 are controlled by just a few companies. This will price other companies out of offering cloud services that are IPv4 compatible.

Re: security: Sure, the original intended purpose of NAT was not security, but people use it for that, and will continue to do so. If you want to put multiple boxes behind a single IP address, IPv4 is the easiest way to do it. In fact, IPv6 seems to be a step backward in terms of security. Every device does not need to be openly addressable from anywhere on the Internet, and developers will always choose the path of least resistance, especially when it's more secure.

  • solidangle 10 years ago

    NAT is not a security feature, it never was and it will never be. Stateful connection tracking however is a security feature. NAT uses it to route the right packets to the right computers, but firewalls can also use the same feature to drop unsolicited packets. It's nearly trivial to do this with iptables, OpenWRT does it by default, and I'm sure most other IPv6-capable routers do it too. I'm just as secure on IPv6 as I'm on IPv4.

    IPv6 also allows you to do weird stuff like using a single IP address per connection, which makes it even harder to address a single computer from the internet.

    IPv6 is just as safe if not safer than IPv4, if you use it correctly.

    • lisivka 10 years ago

      I use IPv4 (NAT) and IPv6 at home. I can access my desktop behind NAT using IPv6, which is good, but I see attempts to bruteforce root password via SSH, which is bad.

      • simoncion 10 years ago

        Definitely don't permit root to log in with a password. It's strongly recommended that you don't allow anyone to log in with a password, only with (password protected) keys stored on their machines.
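
A small audit of the two sshd settings simoncion's reply is about, added here as an example rather than anything posted in the thread. It reads an sshd_config the way sshd does (first value for a keyword wins, comments stripped, per-user Match exceptions left for a separate review) and reports what still lets a password guesser in. The sample configs are constructed for illustration, and the defaults assumed are those of OpenSSH 7.0 and later (before 7.0 PermitRootLogin defaulted to "yes").

```python
import re

# Defaults assumed for OpenSSH >= 7.0; older releases default PermitRootLogin to "yes".
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # named ChallengeResponseAuthentication before 8.7
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Global settings as sshd sees them: the first value read for a keyword wins,
    '#' comments are dropped, and parsing stops at the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # keyword and argument are separated by whitespace or by a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                       # Match exceptions need their own review
        key = ALIASES.get(key, key)
        seen.setdefault(key, value)     # first occurrence wins
    return {**DEFAULTS, **seen}


def audit(text):
    """Return a list of weak settings; an empty list means password login is closed."""
    cfg = effective_settings(text)
    findings = []
    if cfg["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits root to log in with a password")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: passwords can be brute-forced")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive auth is on: PAM can still prompt for a password")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: keys cannot replace passwords")
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
# an exposed desktop with the settings lisivka's brute-forcers are hoping for
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# this later duplicate is ignored: sshd keeps the first value it reads
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

The keyboard-interactive check matters in practice: with UsePAM enabled, setting only PasswordAuthentication to no still leaves a PAM password prompt reachable through keyboard-interactive authentication.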

      • solidangle 10 years ago

        So why don't you just run a firewall on your router?

  • api 10 years ago

    NAT is not a security feature. Please stop repeating this toxic drivel.

    NAT is not the same as firewalls, and firewalls do not require NAT. NAT is just an ugly hack to stretch IPV4's inadequate address space, and it's one that breaks quite a few protocols and generally makes a lot of things painful and complex.

    Remember back when there were two dozen different networking layers vying for the ability to link Docker containers? (There still are, but Docker's hype wave has crested so you don't see them every 5 minutes on here.) With IPv6 and no NAT, none of that is necessary. Just give every container a real address, set your firewall rules accordingly, and every container anywhere can talk directly to every other container without any added complexity. Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host. Since IPv6 specifies that an ISP should hand out /64's to customers, each customer can have 4 billion container hosts.

    Getting rid of NAT makes everything orders of magnitude simpler.

    I do wonder about monopoly resistance. I wonder if IPv6 has been shunned by Amazon, Google, and Microsoft clouds because they see a long term advantage in preventing adoption. IPv6 makes peer to peer systems a lot easier to build, and peer to peer is direct competition to the 'run absolutely everything through the cloud' model. IPv6 could actually reduce the cloud's importance (especially for data transit) if it were widely deployed.

    • chatmasta 10 years ago

      I didn't say NAT is a security feature. I said developers use NAT to benefit security. The security benefit of NAT is that it forces developers to assign a predictable, private IP address to each device/container/vm/box behind its "firewall," which the gateway can then use for enforcing QoS policies or port whitelisting. Sure, you can do this on IPv6. But IPv6 is more complicated to implement, because all tools support IPv4, and only some support IPv6.

      • api 10 years ago

        How does that help security?

        IPv6 has usability problems (I've written on this), but these are unrelated to security in any direct way.

        The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption. It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.

        There's a ton of superstition and cargo cultism in network security, since most people -- even developers -- don't understand much about how networks work.

        • yusyusyus 10 years ago

          NAT is so painful. Even the specs are written with grossly overloaded terminology.

          >The reason I call it toxic is that the idea that NAT helps security is a harmful superstition that spooks people about IPv6 adoption.

          In all fairness, the common NAT implementation involves L4 params and the requisite state for ingress traffic. It acts like a filter that is "drop any" with respect to the NAT IP address (with the exception of in-state traffic). Further, it also limits the IP protocols available. Example, you will not likely be doing SCTP across your NAT and certainly it would be difficult to send directed OSPF packets during this[0] fun thing. It still leaves things to be done (like dropping internal IP space traffic on the external IFs), but the requisite components supply a lot.

          I think I've seen the problem though. In general, network engineers have failed to break down the components of NAT: 1) State, 2) Rewrite, 3) A filter dropping traffic not matched by state. Fundamentally, the only thing we need to do in IPv6 is 1) state and 2) a filter. Their failure, combined with the packaging of components that NAT provides, feeds the valid points of the superstition while neglecting the details (what happens when we look at too big of a picture, or philosophical thing).

          >It's also driven some to actually implement IPv6 NAT, which is kind of like strapping a horse feed bag on the front of your car.

          The ignorance of management and "netwerk sekurity esperts" aside, NAT does have use cases in IPv6. Example, if we're performing renumbering frequently, does it make operational sense to roll over prefixes with RAs/DHCP? Maybe the expectation is for multiple prefix advertisement, but then which IP should be used for internal vs. external? Should all applications always rely on DNS? What are the implications for routing networks that may be designed with separate number spaces? The reasons for why these things may be done are not absolutely "wrong" or "bad design" and should not necessarily adopt a purist model.

          [0]https://tools.cisco.com/security/center/content/CiscoSecurit...
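
A worked model of the decomposition yusyusyus makes above (state, rewrite, filter) and of solidangle's point earlier in the thread that a stateful firewall gives IPv6 the same unsolicited-inbound drop that NAT gives IPv4. This is an added example, not code from the thread: a toy packet filter over constructed 5-tuples, with class and address names chosen for illustration. The IPv6 filter keeps state and the default-drop filter and leaves out the rewrite; the NAT subclass adds the rewrite and makes the same drop decision.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: only the 5-tuple a firewall keys state on."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """State + filter, no rewrite: what IPv6 needs.

    Packets leaving the inside prefix create flow state. Packets from outside
    are delivered only if they reverse a known flow, hit an explicit allow
    rule, or are ICMPv6. ICMPv6 must not be blanket-dropped the way an IPv4
    NAT box incidentally drops everything: neighbor discovery and path MTU
    discovery depend on it (RFC 4890 has the per-type recommendations).
    """

    def __init__(self, inside_prefix, allow_inbound=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.allow_inbound = set(allow_inbound)   # {(proto, dport), ...}
        self.flows = set()                         # (proto, src, sport, dst, dport)

    def is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def outbound(self, pkt):
        """Inside -> outside: record state, return the packet as sent."""
        if not self.is_inside(pkt.src):
            raise ValueError("outbound packet must originate inside")
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        """Outside -> inside: the delivered packet, or None if dropped."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return pkt                             # reply to something we started
        if pkt.proto == "icmpv6":
            return pkt                             # see class docstring
        if (pkt.proto, pkt.dport) in self.allow_inbound and self.is_inside(pkt.dst):
            return pkt                             # deliberately exposed service
        return None                                # unsolicited: drop


class NatFilter(StatefulFilter):
    """State + rewrite + filter: the IPv4 NAT box. Same drop decision for
    unsolicited traffic (no mapping exists), plus the source rewrite that
    the v4 address shortage forces."""

    def __init__(self, inside_prefix, public_addr):
        super().__init__(inside_prefix)
        self.public = public_addr
        self.next_port = 40000
        self.mapping = {}   # (proto, public port) -> (inside src, inside sport)

    def outbound(self, pkt):
        super().outbound(pkt)                              # state
        port, self.next_port = self.next_port, self.next_port + 1
        self.mapping[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public, sport=port)   # rewrite

    def inbound(self, pkt):
        inside = self.mapping.get((pkt.proto, pkt.dport))
        if inside is None:
            return None                                    # filter: nothing mapped
        untranslated = replace(pkt, dst=inside[0], dport=inside[1])
        return super().inbound(untranslated)               # undo rewrite, check state


def ipv6_demo():
    """Constructed traffic through the IPv6 filter. Returns (reply delivered,
    unsolicited scan dropped, explicitly allowed SSH reachable)."""
    fw = StatefulFilter("2001:db8:1::/64", allow_inbound={("tcp", 22)})
    fw.outbound(Packet("tcp", "2001:db8:1::10", 51000, "2001:db8:ffff::1", 443))
    reply = Packet("tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 51000)
    scan = Packet("tcp", "2001:db8:bad::1", 4444, "2001:db8:1::10", 3389)
    ssh = Packet("tcp", "2001:db8:bad::1", 4444, "2001:db8:1::10", 22)
    return (fw.inbound(reply) is not None, fw.inbound(scan) is None, fw.inbound(ssh) is not None)


def ipv4_nat_demo():
    """Same pattern through NAT. Returns (reply reaches the original inside
    host and port, unsolicited scan dropped)."""
    nat = NatFilter("10.0.0.0/24", "203.0.113.7")
    on_wire = nat.outbound(Packet("tcp", "10.0.0.10", 51000, "198.51.100.1", 443))
    reply = Packet("tcp", "198.51.100.1", 443, on_wire.src, on_wire.sport)
    scan = Packet("tcp", "192.0.2.99", 4444, "203.0.113.7", 3389)
    delivered = nat.inbound(reply)
    return (delivered is not None and (delivered.dst, delivered.dport) == ("10.0.0.10", 51000),
            nat.inbound(scan) is None)
```

On a real router the IPv6 half of this is the familiar forward-chain pair of `ct state established,related accept` followed by a default drop (nftables) or the equivalent `conntrack --ctstate` rules in ip6tables, plus the ICMPv6 exceptions. The one explicit allow for port 22 is exactly what exposes a host to the brute-force attempts lisivka mentions; leave it out, or restrict its source, unless the service is meant to be public.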

    • TimWolla 10 years ago

      > Give each container host a /96 address and let it assign container IPs from the remaining /32, for up to four billion containers per host.

      A /80 for Docker is preferred because it can map 1 to 1 onto the mac address for SLAAC.

      see also: https://docs.docker.com/v1.5/articles/networking/#ipv6
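
The addressing arithmetic behind api's and TimWolla's comments, carried out with Python's standard `ipaddress` module as an added example (not code from the thread, Docker, or the Docker docs linked above). It carves a customer's /64 into one /80 per container host and derives each container's address by placing its 48-bit MAC in the low 48 bits of the host's /80, which is the 1:1 MAC mapping TimWolla refers to; the prefixes and MACs used are documentation and locally administered values constructed for illustration.

```python
import ipaddress
from itertools import islice


def carve_host_prefixes(site_prefix, host_prefixlen=80, limit=4):
    """First `limit` subnets of host_prefixlen bits inside a customer/site prefix."""
    net = ipaddress.IPv6Network(site_prefix)
    return list(islice(net.subnets(new_prefix=host_prefixlen), limit))


def capacity(site_prefixlen, host_prefixlen):
    """(container hosts per site prefix, container addresses per host)."""
    return 2 ** (host_prefixlen - site_prefixlen), 2 ** (128 - host_prefixlen)


def container_address(host_prefix, mac):
    """Place a 48-bit MAC in the low 48 bits of a /80, so address and MAC map 1:1."""
    net = ipaddress.IPv6Network(host_prefix)
    if net.prefixlen != 80:
        raise ValueError("a 48-bit MAC fills exactly the interface part of a /80")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("not a 48-bit MAC")
    return ipaddress.IPv6Address(int(net.network_address) | mac_int)


def mac_for_address(addr, host_prefix):
    """Inverse mapping: the MAC encoded in a container address, or None if
    the address is not inside the given /80."""
    net = ipaddress.IPv6Network(host_prefix)
    a = ipaddress.IPv6Address(addr)
    if net.prefixlen != 80 or a not in net:
        return None
    low = int(a) & ((1 << 48) - 1)
    return ":".join(f"{(low >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def plan(site_prefix="2001:db8:1:2::/64",
         macs=("02:42:ac:11:00:02", "02:42:ac:11:00:03")):
    """Address plan for one customer /64: host prefixes and the containers on
    the first host. Inputs are constructed documentation values."""
    hosts = carve_host_prefixes(site_prefix, 80, limit=2)
    return {
        "capacity": capacity(64, 80),
        "host_prefixes": [str(h) for h in hosts],
        "containers_on_first_host": [str(container_address(hosts[0], m)) for m in macs],
    }


if __name__ == "__main__":
    print(plan())
```

With a /64 per customer this gives 65,536 container hosts, each with 2^48 addresses and no NAT anywhere in the path; the firewall rules then apply to the container's own address, as api describes. If the hosts should not be reachable from the Internet at all, the same carving works on a ULA prefix (fd00::/8, RFC 4193) instead of a global one.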

  • dang 10 years ago

    > I know it pains neckbeards to hear this

    Please edit acerbic swipes out of your comments to HN. It's distracting, provoking and detracts from your otherwise substantive comment.

  • simoncion 10 years ago

    > In fact, IPv6 seems to be a step backward in terms of security. Every device does not need to be openly addressable from anywhere on the Internet...

    Today I blow your mind: https://en.wikipedia.org/wiki/Unique_local_address https://www.sixxs.net/tools/grh/ula/

  • mindcrime 10 years ago

    Now that the ARIN address space is exhausted, cloud providers will begin to buy more and more IPv4 space until they have a complete monopoly and large portions of IPv4 are controlled by just a few companies. This will price other companies out of offering cloud services that are IPv4 compatible.

    I don't see that being effective. IPv6 is here, and you can't put the genie back in the bottle. See above where somebody linked to the TWC page where they point out that they have reached 100% IPv6 coverage. And they are one of the largest ISPs around. (And from my subjective perception, one of the laggards on implementing IPv6). Common home routers have been shipping with IPv6 support for years, and probably a huge swathe of the 'net population (in America anyway) have dual-stack and just don't know it.

    And IPv6 adoption is only going to keep growing. Pretty soon there won't be any consumers who are stuck on v4, so there will be no reason to try and establish a monopoly on v4 addresses.

  • drvdevd 10 years ago

    Regarding the path of least resistance for developers eventually, hopefully, perhaps traversing NAT will prove to be a bigger pain for the average developer than just using IPv6.
