Suggested discussion topic: IPv4 address exhaustion and IPv6 adoption
16 views
Skip to first unread message
Barton Chittenden
Sep 16, 2012, 3:25:37 PM9/16/12
to kyoss-discuss, lv...@googlegroups.com
On September 14, RIPE NCC, the European regional internet registry, started allocating IP addresses from its last /8 address block. This is the beginning of the end of the allocation of the IPv4 address space (i.e. addresses of the form xxx.xxx.xxx.xxx) as we know it. Allocation of IPv4 addresses in Europe is now strictly rationed.
ARIN (American Registry of Internet Numbers) will be down to its last /8 by this time next year.
The long term solution to this problem is to start using IPv6 addresses, which are essentially unlimited (The address space is so large that you could assign about a thousand times the current internet address space to each cell of every one of the 7 billion people on earth).
The problem of switching to IPv6 is a chicken-and-egg problem: internet users won't switch to IPv6 addresses because there are very few sites that they can connect to which use IPv6, and no content providers use IPv6 addresses because no-one visits via IPv6. Most ISPs don't provide IPv6 addresses (or if they do, no-one realizes that they do).
There are some short-term solutions, but they destroy the point-to-point nature of the internet which can cause problems.
I have a decent handle on what's happening and why, but I have zero experience with setting up a network using IPv6... in many ways, it should be transparent (as IPv4 is... you connect your computer to a router via cat5 cable or wireless, and you're connected). Obviously, it's not quite that easy, if it was, we would all be using IPv6 and we wouldn't be worrying about running out of address space.
I was wondering if some of the local network gurus could give a talk about this:
- A primer on IP addresses in general
- What physical steps do I need to take to set up an IPv6 network? (e.g. a LAN).
- Are there any issues involved with running both IPv4 and IPv6 on the same network?
- How do I connect to the internet via IPv6?
- Will my ISP provide IPv6 addresses?
- Are there security issues involved with using IPv6, and if so, how do I fix these?
- ...
Any takers? I would be willing to do the presentation, but, as I said, I have zero practical experience, and I think that the topic deserves more than hand-waving.
--Barton
Mike Andrews
Sep 16, 2012, 4:33:54 PM9/16/12
to lv...@googlegroups.com
Yup.
I first got interested in v6 when I discovered it running on my home network without my having set it up ever... so you might be running at least some v6 without knowing it. (Especially if you have an Apple Time Capsule on your network.) That was both scary and interesting at the same time, so that's why I decided to dive into it.
So yeah, you don't switch from v4 to v6, you run both concurrently. For the most part, it just works, once your router and ISP support it, and router support is the big stumbling block these days -- ISPs are starting to get on board at last. Most operating systems have supported it for aaaaages. Bluegrass.net has v6 on their network, so LVL1 could probably get a /48 or /56 block. Over here in Lexington, QX.net does too. Collexion doesn't yet have a v6 block, partly because we haven't asked, and partly because our good router died (grumbleasusgrumble). :p
The security side of it is a bit more complicated, mostly because NAT goes away and you have to be sure you've still got a stateful firewall in its place... and that you're blocking/allowing the same ports on v6 that you are on v4... Spoofing attacks are a bit different because address assignment and layer 2 stuff is a bit different (ARP vs ND, DHCP vs SLAAC)... But a lot of stuff is the same... TCP and UDP are identical so everything you know about those still applies...
A lot of major websites (Google, Facebook, etc) added the DNS records for v6 back on June 6. We (Fark) did the same about a year earlier. Not much broke. :)
I did a talk on this at Notacon earlier this year -- though I could have done a better job with it, it was my first talk about anything ever and I was nervous as hell. There are people that'll be at Derbycon in 2 weeks that know the security side of it way better than me. But we've been running it for about 2-3 years so I've got a pretty good handle on it.
ARIN is already tightening the screws on allocations, btw. I know a company in Lexington that already can't get the v4 space they want from ARIN.
Will trade v6 knowledge for DNSSEC help (it works about 95%) and help w/ why both Shruthi-1 synth CPU boards I built blew up, whether I either shorted something out or blew something up with the wrong power supply, or if my soldering is just consistently that bad...
I first got interested in v6 when I discovered it running on my home network without my having set it up ever... so you might be running at least some v6 without knowing it. (Especially if you have an Apple Time Capsule on your network.) That was both scary and interesting at the same time, so that's why I decided to dive into it.
So yeah, you don't switch from v4 to v6, you run both concurrently. For the most part, it just works, once your router and ISP support it, and router support is the big stumbling block these days -- ISPs are starting to get on board at last. Most operating systems have supported it for aaaaages. Bluegrass.net has v6 on their network, so LVL1 could probably get a /48 or /56 block. Over here in Lexington, QX.net does too. Collexion doesn't yet have a v6 block, partly because we haven't asked, and partly because our good router died (grumbleasusgrumble). :p
The security side of it is a bit more complicated, mostly because NAT goes away and you have to be sure you've still got a stateful firewall in its place... and that you're blocking/allowing the same ports on v6 that you are on v4... Spoofing attacks are a bit different because address assignment and layer 2 stuff is a bit different (ARP vs ND, DHCP vs SLAAC)... But a lot of stuff is the same... TCP and UDP are identical so everything you know about those still applies...
A lot of major websites (Google, Facebook, etc) added the DNS records for v6 back on June 6. We (Fark) did the same about a year earlier. Not much broke. :)
I did a talk on this at Notacon earlier this year -- though I could have done a better job with it, it was my first talk about anything ever and I was nervous as hell. There are people that'll be at Derbycon in 2 weeks that know the security side of it way better than me. But we've been running it for about 2-3 years so I've got a pretty good handle on it.
ARIN is already tightening the screws on allocations, btw. I know a company in Lexington that already can't get the v4 space they want from ARIN.
Will trade v6 knowledge for DNSSEC help (it works about 95%) and help w/ why both Shruthi-1 synth CPU boards I built blew up, whether I either shorted something out or blew something up with the wrong power supply, or if my soldering is just consistently that bad...
Christopher Cprek
Sep 16, 2012, 8:24:22 PM9/16/12
to lv...@googlegroups.com
I can help with the Shruthi Mike. :-)
Chris
Chris
Mike Andrews
Sep 17, 2012, 3:58:10 PM9/17/12
to lv...@googlegroups.com
I dunno that I can retool any slides by tomorrow, but I can try to drop
by and at least yak about it some.
It's the digital control boards on the Shruthis that are dead. The
analog stuff is ok. They both worked for a while, then both quit.
Swapping the AVR didn't help. Maybe I shorted something out on both of
'em...
by and at least yak about it some.
It's the digital control boards on the Shruthis that are dead. The
analog stuff is ok. They both worked for a while, then both quit.
Swapping the AVR didn't help. Maybe I shorted something out on both of
'em...
Reply all
Reply to author
Forward
0 new messages