
implementing IPv6 on the internet


Dirk Munk

Sep 20, 2016, 5:47:13 AM
This contribution is not about VMS, it is about IPv6 and the way it is
introduced.

Stephen Hoffman tells us we have to concentrate on the introduction and
use of IPv6, and let me be very clear about this, he is absolutely right.
I have been advocating IPv6 for over 10 years now, so we have no
difference of opinion there.

IPv6 has been under development for over 20 years now, so you might
think there is a clear concept how it all has to work, but alas this is
not the case. By far the most global IPv6 addresses will be found in the
home LANs of consumers, so how to deal with those addresses is something
that should have been high on the agenda of the IETF. Should have been,
but it wasn’t, it was completely forgotten.

To explain what I mean, let’s start with IPv4. The only global IPv4
address that you have at home will be the WAN address of your router (if
you’re lucky), all the IPv4 addresses on your LAN are private addresses.
If you’re not lucky, your ISP uses carrier grade NAT, and you will also
have a private address on the WAN port of your router. I will not go
into that.

That IPv4 address usually will also have some cryptic DNS name attached
to it, but since the address will be dynamic, the DNS name will also be
dynamic. To overcome this problem, you may register your router with a
DNS name of your liking at a dynamic DNS organisation like Dyndns. Your
router will take care that its WAN address is kept up to date at that
organization. However that DNS name is always an alias. Reversed name
lookup (address > DNS name) will never show the DNS name you choose, it
will always show the cryptic DNS name of your ISP. After all the DNS
server of your ISP is the authoritative name server for that address
space, not the name server of your dynamic DNS organization.

If you want to reach a device on your LAN from the internet, you address
a certain port number on the WAN address of your router, and by means of
port forwarding it will be translated to an IP address and port number
on your LAN. You will all be familiar with this concept.

With IPv6 things are very different. First of all there are three kinds
of IPv6 addresses (actually there are more). The first is the Link Local
address, it is present on every IPv6 enabled interface, whether or not
there is an actual IPv6 network present. It starts with fe80:: , and
these are non-routable addresses. Then we have the global IPv6 address,
it often starts with something like 2001:: . And then we have the
Unique Local Addresses (ULA), they can be seen as the IPv6 equivalent of
IPv4 private addresses. They start with something like fd00:: .

Every device on your LAN will get at least one global IPv6 address. That
address will be used on the internet. If you want to reach that device
from the internet, you will have to use that IPv6 address, not the IPv6
address of the WAN port of your router. It should also have a DNS name.
In fact it is good practice that every IP address on the internet has a
DNS name. That means every global IPv6 address (all IPv6 capable devices
on your LAN) should be registered with a DNS name at some DNS server.

Which DNS server should that be? Very simple, the DNS server of your
ISP. It is the authoritative name server for that address space. Every
consumer should get his own (sub)domain there, and your router will be
responsible for adding the addresses and DNS names, that is the general
idea. You don’t want address spoofing etc, so it has to be done in a
very secure way.

The ideas are there, but nothing has been defined in RFC’s yet. You can
not buy any router that can do this, no ISP is prepared for this massive
task. And yet we are implementing IPv6 with consumers right now,
wonderful isn’t it?

The ULA addresses are also very important. On your home LAN you should
use those addresses for communicating between devices. Your router
should be a DNS server for a local domain. That way if the connection
with the internet is lost, you still have a fully functioning network.

My personal idea is that if you use global IPv6 addresses for
communicating between devices on your LAN, it should be handled as
traffic from the internet. This way you can check accessibility of
devices from the internet. Since there is no ARP with IPv6, I have the
idea that it should be possible to set this up.

After you’ve read all of this, I hope you can understand why I’m so
cynical about IP. It’s not that I don’t want IPv6, on the contrary we
need it badly. In fact we are at least 5 years late with the
implementation. But how stupid must you be if you start implementing a
completely new network architecture (which IPv6 is!) , and leave such an
enormous gaping hole in the concept? After all, most of the IPv6 addresses
will be at people’s homes, certainly when the Internet Of Things starts
picking up.

Conceptual thinking is lacking, also with security. If telnet is not
secure, let’s build something completely new with its own security
(SSH). If FTP isn’t secure, well then let’s use SFTP, or FTPS, or SCP
or …….. Not to mention the different versions of FTP itself of course
(active, passive..).

What we need are clear, well defined concepts, and proper standards that
reflect these. What we also need are proper test suites to check if
everything works as it should, if everything is secure, and so on.

Any comments are welcome.
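
The three address types and the reverse-lookup point in the post above, worked through in Python as an added example (not part of the original post). The /56 prefix from the 2001:db8::/32 documentation range, the host names and the domain `cust1234.isp.example` are constructed assumptions.

```python
import ipaddress

# Ranges behind the prefixes the post mentions (fe80::, fd00::, 2001::).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")    # fd00::/8 is the half in use
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # also contains 2001:db8::/32

# Constructed sample data: what a home router might see on its LAN.
PREFIX = "2001:db8:1234:5600::/56"   # assumed prefix delegated by the ISP
DOMAIN = "cust1234.isp.example"      # assumed per-customer subdomain
HOSTS = {
    "nas": ["fe80::1a2b:3cff:fe4d:5e6f%eth0", "fd12:3456:789a:1::10",
            "2001:db8:1234:5601::10"],
    "camera": ["fe80::a1:b2ff:fec3:d4e5", "2001:db8:1234:5601::20"],
    "thermostat": ["fe80::77:88ff:fe99:aabb", "fd12:3456:789a:1::30"],
    "stray": ["2001:db8:ffff::1"],   # global, but not inside PREFIX
}


def scope(address):
    """Return 'link-local', 'ula', 'global' or 'other' for one address string."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop a zone id like %eth0
    if ip.version != 6:
        return "other"
    for name, net in (("link-local", LINK_LOCAL), ("ula", UNIQUE_LOCAL),
                      ("global", GLOBAL_UNICAST)):
        if ip in net:
            return name
    return "other"


def reverse_zone(prefix):
    """Name of the ip6.arpa zone that holds the PTR records for a prefix.

    Reverse zones are cut on 4-bit (nibble) boundaries, so other prefix
    lengths are rejected instead of being rounded silently.
    """
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("need an IPv6 prefix with a length divisible by 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def audit(hosts, delegated_prefix, domain):
    """List every address with its scope and the DNS records it would need."""
    prefix = ipaddress.ip_network(delegated_prefix)
    zone = reverse_zone(delegated_prefix)
    rows = []
    for host, addresses in sorted(hosts.items()):
        for text in addresses:
            kind = scope(text)
            row = {"host": host, "address": text, "scope": kind, "records": []}
            if kind == "global":
                ip = ipaddress.ip_address(text)
                if ip in prefix:
                    fqdn = f"{host}.{domain}."
                    # Forward and reverse record must agree with each other.
                    row["records"] = [f"{fqdn} AAAA {ip.compressed}",
                                      f"{ip.reverse_pointer}. PTR {fqdn}"]
                    row["note"] = "reachable from outside unless the router filters inbound"
                else:
                    row["note"] = f"outside {delegated_prefix}: no PTR possible in {zone}"
            elif kind == "ula":
                row["note"] = "LAN only: belongs in the router's local DNS"
            else:
                row["note"] = "not published in DNS"
            rows.append(row)
    return rows


def exposed(rows):
    """(host, address) pairs that would get public DNS records."""
    return [(r["host"], r["address"]) for r in rows if r["records"]]


if __name__ == "__main__":
    print("reverse zone:", reverse_zone(PREFIX))
    for r in audit(HOSTS, PREFIX, DOMAIN):
        print(f'{r["host"]:<11}{r["scope"]:<11}{r["address"]:<32}{r["note"]}')
        for rec in r["records"]:
            print("           ", rec)
```

The `exposed()` list doubles as the set of hosts whose inbound firewall rules are worth reviewing, since those are the addresses a published name would point at.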










John E. Malmberg

Sep 20, 2016, 8:44:33 AM
On 9/20/2016 4:47 AM, Dirk Munk wrote:
> This contribution is not about VMS, it is about IPv6 and the way it is
> introduced.

<snip>

> That IPv4 address usually will also have some cryptic DNS name attached
> to it, but since the address will be dynamic, the DNS name will also be
> dynamic. To overcome this problem, you may register your router with a
> DNS name of your liking at a dynamic DNS organisation like Dyndns. Your
> router will take care that its WAN address is kept up to date at that
> organization. However that DNS name is always an alias. Reversed name
> lookup (address > DNS name) will never show the DNS name you choose, it
> will always show the cryptic DNS name of your ISP. After all the DNS
> server of your ISP is the authoritative name server for that address
> space, not the name server of your dynamic DNS organization.
>
> If you want to reach a device on your LAN from the internet, you address
> a certain port number on the WAN address of your router, and by means of
> port forwarding it will be translated to an IP address and port number
> on your LAN. You will all be familiar with this concept.

And every residential ISP I have had in the last 20 years in the U.S.
has a Terms Of Service (TOS) absolutely prohibiting this type of access.

And of those residential ISPs that also offer commercial service, the
main difference in the TOS is that they allocate more e-mail addresses
for a higher fee. All public servers must either be rented from the ISP
or another external service.

Maybe it is different in your part of the world.

A lot of people in the U.S. ignore the TOS and use the dyndns servers,
which risks their ISP disconnecting them. And in many parts of the U.S.
there is only one broadband ISP available.

That is pretty much the case for anyone that is not in a major city.

> With IPv6 things are very different. First of all there are three kinds
> of IPv6 addresses (actually there are more). The first is the Link Local
> address, it is present on every IPv6 enabled interface, whether or not
> there is an actual IPv6 network present. It starts with fe80:: , and
> these are non-routable addresses. Then we have the global IPv6 address,
> it often starts with something like 2001:: . And then we have the
> Unique Local Addresses (ULA), they can be seen as the IPv6 equivalent of
> IPv4 private addresses. They start with something like fd00:: .
>
> Every device on your LAN will get at least one global IPv6 address. That
> address will be used on the internet. If you want to reach that device
> from the internet, you will have to use that IPv6 address, not the IPv6
> address of the WAN port of your router. It should also have a DNS name.
> In fact it is good practice that every IP address on the internet has a
> DNS name. That means every global IPv6 address (all IPv6 capable devices
> on your LAN) should be registered with a DNS name at some DNS server.
>
> Which DNS server should that be? Very simple, the DNS server of your
> ISP. It is the authoritative name server for that address space. Every
> consumer should get his own (sub)domain there, and your router will be
> responsible for adding the addresses and DNS names, that is the general
> idea. You don’t want address spoofing etc, so it has to be done in a
> very secure way.

<snip>

Again, since most of the U.S. residential ISPs do not want to allow
such access, it is unlikely that they are going to allow DNS
registration of my local IP addresses.

> The ideas are there, but nothing has been defined in RFC’s yet. You
> can not buy any router that can do this, no ISP is prepared for this
> massive task. And yet we are implementing IPv6 with consumers right
> now, wonderful isn’t it?

So for me and probably the majority of residential / small business
users in the U.S., this feature of IP V6 will never be able to be used
regardless of what ends up in the RFCs.

The U.S. ISPs are not only not preparing for this, they are opposed to
allowing that type of access, and they have put this in writing of the
ToS document that most people do not read.

These are the same ISPs that used to have a TOS that prohibited home
routers for a long time unless you rented it from them.

To change this would probably require either federal regulation or a
strong threat of federal regulation. And based on the past history of
that, it looks like the residential ISPs currently have the upper hand
in the lobbying, so even that is unlikely.

Current practice of the IofT is for the device to contact a server in
the cloud at a known name.

Regards,
-John
wb8...@qsl.net_work

Chris

Sep 20, 2016, 9:08:36 AM
Interesting post. You seem to be suggesting that IPV6 has been under
development for a decade or more, yet the required standards have
still not been established?

If true, any sane risk assessment would suggest that it's avoided like
the plague until it's seen to be fully sorted. Experiment with it,
sure, but ready for production?

IPV4 may be running out of addresses, but not a problem if you increase
the use of subnetting. Not to mention the fact that some organisations
are sitting on huge blocks of addresses that are not being used.
Perhaps we need a rule that says "if you don't use it within a defined
period, you lose it"...

Regards,

Chris




Chris

Sep 20, 2016, 9:20:59 AM
On 09/20/16 12:45, John E. Malmberg wrote:

>
> And every residential ISP I have had in the last 20 years in the U.S.
> has a Terms Of Service (TOS) absolutely prohibiting this type of access.
>
> And of those residential ISPs that also offer commercial service, the
> main difference in the TOS is that they allocate more e-mail addresses
> for a higher fee. All public servers must either be rented from the ISP
> or another external service.
>
> Maybe it is different in your part of the world.
>

I don't know of any UK ISPs that dictate to the customer in that way
and many people run home servers for their interests and hobbies. Unless
there is network disruption or other problems as a result, they
really don't care.

It's weird, what is possibly the most high tech country on the planet
also has the slowest and worst quality internet service. Obviously need
more competition and regulation of restrictive and monopoly practices.

Tried a test from two speed test sites a few days ago, and consistently
get over 76 Mbits/second from Virgin Media, from a claimed 50 Mbits /
second line. The BT business line only managed 38 Mbits / second or so,
but Virgin really are pushing the boundaries now, offering up to
200 Mbits / second in some areas...

Regards,

Chris


> Regards,
> -John
> wb8...@qsl.net_work
>

Dirk Munk

Sep 20, 2016, 10:08:56 AM
It has been under development for over 20 years now, and indeed the
required standards have not been established yet. In fact IPv6 itself
isn't even an internet standard yet.

> If true, any sane risk assessment would suggest that it's avoided like
> the plague until it's seen to be fully sorted. Experiment with it,
> sure, but ready for production?

Well, you would be amazed to find out how many IPv4 'standards' are not
real standards.

>
> IPV4 may be running out of addresses, but not a problem if you increase
> the use of subnetting. Not to mention the fact that some organisations
> are sitting on huge blocks of addresses that are not being used.
> Perhaps we need a rule that says "if you don't use it within a defined
> period, you lose it"...
>
> Regards,
>
> Chris

Well, we need IPv6, there is no way around it. But somehow the IETF must
get its act together and start producing reliable concepts and standards.

Dirk Munk

Sep 20, 2016, 10:10:40 AM
Chris wrote:
> On 09/20/16 12:45, John E. Malmberg wrote:
>
>>
>> And every residential ISP I have had in the last 20 years in the U.S.
>> has a Terms Of Service (TOS) absolutely prohibiting this type of access.
>>
>> And of those residential ISPs that also offer commercial service, the
>> main difference in the TOS is that they allocate more e-mail addresses
>> for a higher fee. All public servers must either be rented from the ISP
>> or another external service.
>>
>> Maybe it is different in your part of the world.
>>
>
> I don't know of any UK ISPs that dictate to the customer in that way
> and many people run home servers for their interests and hobbies. Unless
> there is network disruption or other problems as a result, they
> really don't care.

The same over here in the Netherlands. ISPs may even publish small
manuals how to set up a server on your LAN.

Kerry Main

Sep 20, 2016, 10:50:04 AM
to comp.os.vms to email gateway
Fwiw, speed of deployment of hi speed links to home is
accelerating. It will change a lot of what we consider "normal"
today.

Earlier this year my son moved into a new Apt complex in Irvine,
CA and he has 750Mbs/down AND up. He has given up on paying cable
TV and now watches exclusively shows and movies streamed from
Inet via various providers like Hulu. He no longer has a home
phone - just the cell.

Reference:
http://www.adrenalineonline.com/?p=367
Japan's So-NET ISP Launches 2Gb Internet Service

"Crazy fast. Japan remains light years ahead of the United States
in ISP offerings. For about the same price in USD as a standard
Comcast account, how does a connection that is 1000 times faster
sound? The connection speed likely exceeds most home PC network
cards. What an excuse to upgrade."

http://www.techcentral.ie/sony-isp-launches-2gbs-home-broadband-in-japan/

https://www.wired.com/2015/04/comcast-says-itll-bring-ultra-fast-internet-us-2016/

The only constant is change ..

:-)

Regards,

Kerry Main
Kerry dot main at starkgaming dot com





Phillip Helbig (undress to reply)

Sep 20, 2016, 4:12:53 PM
In article <nrrav8$724$1...@dont-email.me>, "John E. Malmberg"
<wb8...@qsl.net_work> writes:

> And every residential ISP I have had in the last 20 years in the U.S.
> has a Terms Of Service (TOS) absolutely prohibiting this type of access.
>
> And of those residential ISPs that also offer commercial service, the
> main difference in the TOS is that they allocate more e-mail addresses
> for a higher fee. All public servers must either be rented from the ISP
> or another external service.
>
> Maybe it is different in your part of the world.

Thankfully, yes, very different.

Scott Dorsey

Sep 20, 2016, 4:23:21 PM
Most of the world is very different in that regard.

In addition, there are large parts of the world where IPv6 is commonplace. In
the US, it seemed like addresses were running out, but NAT arrived on the
scene before IPv6 for the most part. But much of the rest of the world
didn't really adopt NAT so enthusiastically, and there were places in Asia
that got very little IPv4 space and so jumped into the IPv6 train as soon
as they possibly could.

In general, home internet service in the US is dreadful, and well behind
what was available in places like rural Poland five or six years ago.
And what is most sad is that Americans just don't seem to realize how bad
it is.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

David Froble

Sep 20, 2016, 4:51:32 PM
I know what to do. Have a congressional committee to research how our internet
compares to the rest of the world. I'm sure the lobbyists for Verizon and
Comcast will volunteer for the committee.

Dirk Munk

Sep 20, 2016, 5:58:48 PM
Seems to me that is a general problem with Americans, they don't know
very much about the rest of the world.

Dirk Munk

Sep 21, 2016, 4:01:55 AM
Yes, it is very, very different over here. Any consumer can set up a
server, no problem. If you are self employed, and you have your own
little company, you can get a slightly different contract with better
speeds and better service. It's not very expensive. Larger companies,
schools, student homes etc. can get even faster fibre connections.

The ISP doesn't provide servers, if you want something like that, then
there are enough other companies where you can rent server capacity. My
ISP will only give you up to 5 email addresses and an internet connection.

We had the router problem too. However there is a EU directive that
tells governments to set up legislation that will allow consumers to use
their own equipment. The interface in your home is the passive
cable/fibre connection of your ISP's network. It also applies to TV
settop boxes etc. The ISP has to publish all details of their network
connections, so that manufacturers can build proper consumer equipment.

Now keep in mind that access from the internet to your LAN is not
limited to web servers etc. There can be TV cameras on your LAN allowing
you to check what is going on at home. You may want to switch on the
heating system or the air conditioning half an hour before you arrive
home. You may have a NAS on your LAN, and you may want to save or
retrieve documents from it over the internet. And so on.

All these things require a proper network setup, and alas with IPv6 the
IETF completely forgot to draft the proper RFC's.

Richard Levitte

Sep 21, 2016, 4:15:15 AM
On Wednesday, 21 September 2016 at 10:01:55 UTC+2, Dirk Munk wrote:
> Now keep in mind that access from the internet to your LAN is not
> limited to web servers etc. There can be TV cameras on your LAN allowing
> you to check what is going on at home. You may want to switch on the
> heating system or the air conditioning half an hour before you arrive
> home. You may have a NAS on your LAN, and you may want to save or
> retrieve documents from it over the internet. And so on.
>
> All these things require a proper network setup, and alas with IPv6 the
> IETF completely forgot to draft the proper RFC's.

I'm curious, exactly what is it that you require? Is it something that must exist at the IP level?

Cheers,
Richard

Jan-Erik Soderholm

Sep 21, 2016, 4:27:26 AM
It is an expansion of the DNS infrastructure to also include all those
"things" that today have a "private" IP address (192.168.n.n or similar)
that today are behind NAT'ed routers, so that they will be reachable
using their domain name from anywhere.

It is, as I understand it, a 10-50 *times* expansion of the DNS world
as we see it today.

Richard Levitte

Sep 21, 2016, 4:38:46 AM
On Wednesday, 21 September 2016 at 10:27:26 UTC+2, Jan-Erik Soderholm wrote:
> On 2016-09-21 at 10:15, Richard Levitte wrote:
> > On Wednesday, 21 September 2016 at 10:01:55 UTC+2, Dirk Munk wrote:
> >> Now keep in mind that access from the internet to your LAN is not
> >> limited to web servers etc. There can be TV cameras on your LAN
> >> allowing you to check what is going on at home. You may want to switch
> >> on the heating system or the air conditioning half an hour before you
> >> arrive home. You may have a NAS on your LAN, and you may want to save
> >> or retrieve documents from it over the internet. And so on.
> >>
> >> All these things require a proper network setup, and alas with IPv6
> >> the IETF completely forgot to draft the proper RFC's.
> >
> > I'm curious, exactly what is it that you require? Is it something that
> > must exist at the IP level?
>
> It is an expansion of the DNS infrastructure to also include all those
> "things" that today have a "private" IP address (192.168.n.n or similar)
> that today are behind NAT'ed routers, so that they will be reachable
> using their domain name from anywhere.
>
> It is, as I understand it, a 10-50 *times* expansion of the DNS world
> as we see it today.

That's not an IP level issue, as far as I can tell, but an application level one (DNS is on the application layer), and has nothing to do specifically with IPv6 (you're mentioning IPv4), so that didn't quite answer my curiosity.

That being said, what you seem to be asking is for those "private" addresses to become essentially public... or is this more about mobile networking (which comes with its own set of shenanigans)?

Cheers,
Richard

Dirk Munk

Sep 21, 2016, 4:46:52 AM
I explained that in the first posting of this thread.

In short, you will have global IPv6 addresses on your home LAN.

These addresses with accompanying DNS names have to be registered on a
public DNS server, i.e. the DNS server of your ISP.

There has to be a secure and automatic mechanism on your router that
will take care of this.

Your ISP has to provide you with a (sub)domain where you can store your
entries.

That is the only way you can access devices on your home LAN by a DNS
name, like nas.levitte.org .

I notice that you have your own domain, but I assume you don't have your
own public DNS server. You will use the DNS server of some ISP or so. I
also have a domain, but it is registered at Hurricane Electric.

So levitte.org should be registered at the nameserver of your ISP,
otherwise reversed name lookup is impossible.


Jan-Erik Soderholm

Sep 21, 2016, 4:50:03 AM
I mentioned IPv4 as a reference. The need Dirk is talking about
is for IPv6. IPv6 will replace IPv4 NAT'ing with individual/unique
world-wide IP addresses for "everything". And they need DNS.

>
> That being said, what you seem to be asking...

I am not Dirk Munk...


> is for those "private" addresses to become essentially public...

That is how *I* understand Dirk, yes. Doesn't have to be correct... :-)

Dirk Munk

Sep 21, 2016, 4:58:54 AM
Richard Levitte wrote:
> On Wednesday, 21 September 2016 at 10:27:26 UTC+2, Jan-Erik Soderholm wrote:
>> On 2016-09-21 at 10:15, Richard Levitte wrote:
>>> On Wednesday, 21 September 2016 at 10:01:55 UTC+2, Dirk Munk wrote:
>>>> Now keep in mind that access from the internet to your LAN is not
>>>> limited to web servers etc. There can be TV cameras on your LAN
>>>> allowing you to check what is going on at home. You may want to switch
>>>> on the heating system or the air conditioning half an hour before you
>>>> arrive home. You may have a NAS on your LAN, and you may want to save
>>>> or retrieve documents from it over the internet. And so on.
>>>>
>>>> All these things require a proper network setup, and alas with IPv6
>>>> the IETF completely forgot to draft the proper RFC's.
>>>
>>> I'm curious, exactly what is it that you require? Is it something that
>>> must exist at the IP level?
>>
>> It is an expansion of the DNS infrastructure to also include all those
>> "things" that today have a "private" IP address (192.168.n.n or similar)
>> that today are behind NAT'ed routers, so that they will be reachable
>> using their domain name from anywhere.
>>
>> It is, as I understand it, a 10-50 *times* expansion of the DNS world
>> as we see it today.
>
> That's not an IP level issue, as far as I can tell, but an
> application level one (DNS is on the application layer), and has
> nothing to do specifically with IPv6 (you're mentioning IPv4), so
> that didn't quite answer my curiosity.

I get your point, but that is a bit too easy. Humans do not use IP
addresses to access IP devices, they use DNS names. DNS names are
essential, you can't do without. In fact there is an IETF requirement
that every IP address on the internet has a DNS name.

You're right that DNS names are not IPv6 specific, however since every
device on your LAN gets a global IPv6 address, it's a whole new ball game.

David Froble

Sep 21, 2016, 5:34:26 AM
Dirk Munk wrote:
> Richard Levitte wrote:
>> On Wednesday, 21 September 2016 at 10:01:55 UTC+2, Dirk Munk wrote:
>>> Now keep in mind that access from the internet to your LAN is not
>>> limited to web servers etc. There can be TV cameras on your LAN allowing
>>> you to check what is going on at home. You may want to switch on the
>>> heating system or the air conditioning half an hour before you arrive
>>> home. You may have a NAS on your LAN, and you may want to save or
>>> retrieve documents from it over the internet. And so on.
>>>
>>> All these things require a proper network setup, and alas with IPv6 the
>>> IETF completely forgot to draft the proper RFC's.
>>
>> I'm curious, exactly what is it that you require? Is it something
>> that must exist at the IP level?
>>
>> Cheers,
>> Richard
>>
>
> I explained that in the first posting of this thread.
>
> In short, you will have global IPv6 addresses on your home LAN.

This concept is a bit like ethernet, where every ethernet device manufactured
had a unique 12 character address. However, I don't know if this was
administered by some RFC, or by the group of cooperating companies that
originally set up the concept.

> These addresses with accompanying DNS names have to be registered on a
> public DNS server, i.e. the DNS server of your ISP.

Perhaps not all ISPs have a DNS service.

> There has to be a secure and automatic mechanism on your router that
> will take care of this.

Nor do I understand why a router has anything to do with this? I guess it could.

> Your ISP has to provide you with a (sub)domain where you can store your
> entries.

Again, you seem to be saying this is the job of the ISP. I'm not sure that is
correct.

> That is the only way you can access devices on your home LAN by a DNS
> name, like nas.levitte.org .
>
> I notice that you have your own domain, but I assume you don't have your
> own public DNS server. You will use the DNS server of some ISP or so. I
> also have a domain, but it is registered at Hurricane Electric.

That's a bit different than what you've been writing. Yes, some DNS service
could translate a name into an IP address. But, perhaps it's not the job of
your ISP.

> So levitte.org should be registered at the nameserver of your ISP,
> otherwise reversed name lookup is impossible.

So, I'm not sure that some official RFP is required. Perhaps all that is
required is that your local IP addresses are not masked by ISPs and such. I
think you, or someone, has referred to this as carrier grade NAT, or some such.

Jan-Erik Soderholm

Sep 21, 2016, 5:44:22 AM
On 2016-09-21 at 11:34, David Froble wrote:
> Dirk Munk wrote:
>> Richard Levitte wrote:
>>> On Wednesday, 21 September 2016 at 10:01:55 UTC+2, Dirk Munk wrote:
>>>> Now keep in mind that access from the internet to your LAN is not
>>>> limited to web servers etc. There can be TV cameras on your LAN
>>>> allowing you to check what is going on at home. You may want to
>>>> switch on the heating system or the air conditioning half an hour
>>>> before you arrive home. You may have a NAS on your LAN, and you
>>>> may want to save or retrieve documents from it over the internet.
>>>> And so on.
>>>>
>>>> All these things require a proper network setup, and alas with
>>>> IPv6 the IETF completely forgot to draft the proper RFC's.
>>>
>>> I'm curious, exactly what is it that you require? Is it something
>>> that must exist at the IP level?
>>>
>>> Cheers, Richard
>>>
>>
>> I explained that in the first posting of this thread.
>>
>> In short, you will have global IPv6 addresses on your home LAN.
>
> This concept is a bit like ethernet, where every ethernet device
> manufactured had a unique 12 character address.

Has, not had. That is the MAC address, isn't it?

And it is not "12 characters", it is 12 hexadecimal numbers,
representing a 6 byte binary value.

> However, I don't know
> if this was administered by some RFC, or by the group of cooperating
> companies that originally set up the concept.
>
>> These addresses with accompanying DNS names have to be registered on
>> a public DNS server, i.e. the DNS server of your ISP.
>
> Perhaps not all ISPs have a DNS service.
>

Perhaps they have. I'm quite sure they have. If not, they would have
a hard time being an ISP at all, I guess.

>> There has to be a secure and automatic mechanism on your router that
>> will take care of this.
>
> Nor do I understand why a router has anything to do with this? I guess
> it could.

The router knows about the local hosts behind the router and could
handle the registration of these hosts in the up-link DNS environment.
Of course using some automatically generated domain names.

>
>> Your ISP has to provide you with a (sub)domain where you can store
>> your entries.
>
> Again, you seem to be saying this is the job of the ISP. I'm not sure
> that is correct.

They have to be registered somewhere.

>
>> That is the only way you can access devices on your home LAN by a DNS
>> name, like nas.levitte.org .
>>
>> I notice that you have your own domain, but I assume you don't have
>> your own public DNS server. You will use the DNS server of some ISP or
>> so. I also have a domain, but it is registered at Hurricane Electric.
>
> That's a bit different than what you've been writing. Yes, some DNS
> service could translate a name into an IP address. But, perhaps it's
> not the job of your ISP.

It is the job of the DNS servers. Due to load balancing and having
the translation as close to the requestor as possible, the (all)
ISPs will have their own DNS servers.

>
>> So levitte.org should be registered at the nameserver of your ISP,
>> otherwise reversed name lookup is impossible.
>
> So, I'm not sure that some official RFP is required. Perhaps all that
> is required is that your local IP addresses are not masked by ISPs and
> such.

That is not enough, they have to have a domain name also. And that
domain name has to be registered somewhere.



Chris

Sep 21, 2016, 7:06:30 AM
On 09/21/16 08:49, Jan-Erik Soderholm wrote:

>
> I mentioned IPv4 as a reference. The need Dirk is talking about
> is for IPv6. IPv6 will replace IPv4 NAT'ing with individual/unique
> world-wide IP addresses for "everything". And they need DNS.
>
>>
>> That being said, what you seem to be asking...
>
> I am not Dirk Munk...
>
>
>> is for those "private" addresses to become essentially public...
>
> That is how *I* understand Dirk, yes. Doesn't have to be correct... :-)
>

If true, that's a great security risk in its own right.
I'm quite happy for the ISP to use whatever standard they like to
talk to the wan side, but none of that reaches the internal network
unless it's needed and defined in the rules. I don't trust the
ISP's router either and have hardware firewalling following that
for isolation.

NAT is a fundamental and cost effective part of network security
and I don't see it going away any time soon...

Regards,

Chris



Dirk Munk

unread,
Sep 21, 2016, 7:07:48 AM9/21/16
to
David Froble wrote:
> Dirk Munk wrote:
>> Richard Levitte wrote:
>>> Den onsdag 21 september 2016 kl. 10:01:55 UTC+2 skrev Dirk Munk:
>>>> Now keep in mind that access from the internet to your LAN is not
>>>> limited to web servers etc. There can be TV cameras on your LAN
>>>> allowing
>>>> you to check what is going on at home. You may want to switch on the
>>>> heating system or the air conditioning half an hour before you arrive
>>>> home. You may have a NAS on your LAN, and you may want to save or
>>>> retrieve documents from it over the internet. And so on.
>>>>
>>>> All these things require a proper network setup, and alas with IPv6 the
>>>> IETF completely forgot to draft the proper RFC's.
>>>
>>> I'm curious, exactly what is it that you require? Is it something
>>> that must exist at the IP level?
>>>
>>> Cheers,
>>> Richard
>>>
>>
>> I explained that in the first posting of this thread.
>>
>> In short, you will have global IPv6 addresses on your home LAN.
>
> This concept is a bit like ethernet, where every ethernet device
> manufactured had a unique 12 character address. However, I don't know
> if this was administered by some RFC, or by the group of cooperating
> companies that originally set up the concept.

In principle it is no different from IPv4. However the 32 bit IPv4
address range is far too small to give every IP device its own global
IPv4 address. That is why we use private IPv4 addresses on our home
LANs, and use NAT to access the internet. With the 128 bit IPv6
addresses we don't need NAT any more, every device has its own global
IPv6 address.

>
>> These addresses with accompanying DNS names have to be registered on a
>> public DNS server, i.e. the DNS server of your ISP.
>
> Perhaps not all ISPs have a DNS service.

Yes, they *must* have a DNS server. The ISP is distributing public IP
addresses, and then it must have a public DNS server to register the IP
addresses and DNS names.

>
>> There has to be a secure and automatic mechanism on your router that
>> will take care of this.
>
> Nor do I understand why a router has anything to do with this? I guess
> it could.

A CE router is not 'just' a router. It has far more functionality, it is
the device that connects your home network with the internet, and it
must also provide DNS services.

>
>> Your ISP has to provide you with a (sub)domain where you can store
>> your entries.
>
> Again, you seem to be saying this is the job of the ISP. I'm not sure
> that is correct.

Yes it is. The IPv6 addresses are registered to the ISP, the ISP has the
authoritative DNS name server for that address range. Their name server
is the only one that can do reversed name lookup.

>
>> That is the only way you can access devices on your home LAN by a DNS
>> name, like nas.levitte.org .
>>
>> I notice that you have your own domain, but I assume you don't have
>> your own public DNS server. You will use the DNS server of some ISP or
>> so. I also have a domain, but it is registered at Hurricane Electric.
>
> That's a bit different than what you've been writing.

No, it isn't. The IPv4 address of my router belongs to the address range
of my ISP. I have an *alias* for that address registered at Hurricane,
so a reversed name lookup will never point to that name.

I also have an IPv6 tunnel from Hurricane, so my IPv6 addresses are
owned by Hurricane. A reversed name lookup will result in the DNS name I
have registered at Hurricane.

> Yes, some DNS
> service could translate a name into an IP address. But, perhaps it's
> not the job of your ISP.
>
>> So levitte.org should be registered at the nameserver of your ISP,
>> otherwise reversed name lookup is impossible.
>
> So, I'm not sure that some official RFP is required. Perhaps all that
> is required is that your local IP addresses are not masked by ISPs and
> such. I think you, or someone, has referred to this as carrier grade
> NAT, or some such.

Carrier grade NAT is for IPv4. The whole idea behind IPv6 is that we
don't use NAT any more, and that every device has its own unique global
IPv6 address.

Chris

unread,
Sep 21, 2016, 7:14:58 AM9/21/16
to
On 09/21/16 08:46, Dirk Munk wrote:

>
> I explained that in the first posting of this thread.
>
> In short, you will have global IPv6 addresses on your home LAN.
>
> These addresses with accompanying DNS names have to be registered on a
> public DNS server, i.e. the DNS server of your ISP.
>
> There has to be a secure and automatic mechanism on your router that
> will take care of this.
>
> Your ISP has to provide you with a (sub)domain where you can store your
> entries.
>
> That is the only way you can access devices on your home LAN by a DNS
> name, like nas.levitte.org .
>
> I notice that you have your own domain, but I assume you don't have your
> own public DNS server. You will use the DNS server of some ISP or so. I
> also have a domain, but it is registered at Hurricane Electric.
>
> So levitte.org should be registered at the nameserver of your ISP,
> otherwise reversed name lookup is impossible.
>
>

I don't see it in such draconian terms and there will be other solutions
no doubt. For example, my isp holds domain names, which when accessed
forward the request to any ip address that you choose.

There is no way that organisations will want all the machines on
their internal subnets out there in public view, so NAT and routing
will have an important role for the foreseeable future...

Regards,

Chris


Dirk Munk

unread,
Sep 21, 2016, 7:22:08 AM9/21/16
to
That is the traditional mistake people make about IPv6. The fact that a
device has a global IPv6 address and a DNS name doesn't mean that it is
reachable, or reachable without any constraints.

An IPv6 capable CE router will have all IPv6 access from the internet
blocked by default. If you want a device to be accessible from the
internet, you have to make an entry in the router for the address of
that device, and the ports you want to be open. Essentially no different
from IPv4.

And by the way, NAT was never designed to be a safety feature, blocking
access from the internet is merely a consequence of the way it works.

Dirk Munk

unread,
Sep 21, 2016, 7:30:31 AM9/21/16
to
Chris wrote:
> On 09/21/16 08:46, Dirk Munk wrote:
>
>>
>> I explained that in the first posting of this thread.
>>
>> In short, you will have global IPv6 addresses on your home LAN.
>>
>> These addresses with accompanying DNS names have to be registered on a
>> public DNS server, i.e. the DNS server of your ISP.
>>
>> There has to be a secure and automatic mechanism on your router that
>> will take care of this.
>>
>> Your ISP has to provide you with a (sub)domain where you can store your
>> entries.
>>
>> That is the only way you can access devices on your home LAN by a DNS
>> name, like nas.levitte.org .
>>
>> I notice that you have your own domain, but I assume you don't have your
>> own public DNS server. You will use the DNS server of some ISP or so. I
>> also have a domain, but it is registered at Hurricane Electric.
>>
>> So levitte.org should be registered at the nameserver of your ISP,
>> otherwise reversed name lookup is impossible.
>>
>>
>
> I don't see it in such draconian terms and there will be other solutions
> no doubt. For example, my isp holds domain names, which when accessed
> forward the request to any ip address that you choose.

Yes, alias names, nothing new.

>
> There is no way that organisations will want all the machines on
> their internal subnets out there in public view,

If organizations have machines they don't want to be reachable from the
internet, or to be able to *access* the internet, then they should give
those systems ULA addresses only.

> so NAT and routing
> will have an important role for the foreseeable future...
>
> Regards,
>
> Chris

No, NAT is gone with IPv6. Of course there are a few brain-dead guys who
designed IPv6 NAT, but as always with IP you can design any idiotic
protocol you like.

Chris

unread,
Sep 21, 2016, 7:48:15 AM9/21/16
to
On 09/21/16 11:30, Dirk Munk wrote:

>
> No, NAT is gone with IPv6. Of course there are a few brain-dead guys who
> designed IPv6 NAT, but as always with IP you can design any idiotic
> protocol you like.
>

"Brain Dead" ?, Shurley just an opinion :-)...

Perhaps gone in the future, but IPV4 and subnetting will be around
probably for decades yet. Where there is a demand, vendors will produce
kit to translate whatever IPV6 uses to access an address and port, to
IPV4 addresses and ports. Probably quite a healthy demand for such kit
until IPV6 settles down, proper standards are established and is as
consistently reliable and easy to configure as is IPV4.

The idea of one global address to access anything on the net may sound
like a good idea, but goes against all best practice design in terms
of layering of functionality and isolation of sub domains.

While I'm not against change, change for its own sake is to be avoided
imho. If it ain't broke etc...


Regards,

Chris





Richard Levitte

unread,
Sep 21, 2016, 8:00:23 AM9/21/16
to
Den onsdag 21 september 2016 kl. 13:06:30 UTC+2 skrev Chris:
> NAT is a fundamental and cost effective part of network security
> and I don't see it going away any time soon...

No. NAT was never designed for network security, but can be used as a cheap'n'dirty piece of shit firewall.

With IPv6, you'll have to do firewalling for real.

Cheers,
Richard

Chris

unread,
Sep 21, 2016, 8:09:44 AM9/21/16
to
On 09/21/16 12:00, Richard Levitte wrote:

>
> No. NAT was never designed for network security, but
> can be used as a cheap'n'dirty piece of shit firewall.
>
> With IPv6, you'll have to do firewalling for real.
>
> Cheers,
> Richard

Just another opinion and whatever it was originally designed for,
it's turned out to be quite a sound and cost effective solution
to the problem.

With IPV6, just what is meant by "firewalling for real" ?...

Regards,

Chris


Dirk Munk

unread,
Sep 21, 2016, 8:16:36 AM9/21/16
to
Chris wrote:
> On 09/21/16 11:30, Dirk Munk wrote:
>
>>
>> No, NAT is gone with IPv6. Of course there are a few brain-dead guys who
>> designed IPv6 NAT, but as always with IP you can design any idiotic
>> protocol you like.
>>
>
> "Brain Dead" ?, Shurley just an opinion :-)...

No, not with IPv6. You really don't want IPv6 <> IPv6 NAT, that is
totally against the principles of IPv6.

>
> Perhaps gone in the future, but IPV4 and subnetting will be around
> probably for decades yet.

IPv6 has subnetting too! A normal IPv6 subnet is a /64 subnet. So you
have 64 bit address space in one subnet. The total IPv4 internet has a
32 bit address space.

A consumer will get a /56 bit address space, so he can build 256 /64 bit
subnets at home.

> Where there is a demand, vendors will produce
> kit to translate whatever IPV6 uses to access an address and port, to
> IPV4 addresses and ports.

Why? Every OS has IPv6, any new device has IPv6, IPv4 is on life support.

> Probably quite a healthy demand for such kit
> until IPV6 settles down, proper standards are established and is as
> consistently reliable and easy to configure as is IPV4.

IPv6 is more or less self configuring by default.

>
> The idea of one global address to access anything on the net may sound
> like a good idea, but goes against all best practice design in terms
> of layering of functionality and isolation of sub domains.

I don't understand what you mean. My PC has a global IPV6 address, so
does my printer, my phone, and so on.

>
> While I'm not against change, change for its own sake is to be
> avoided
> imho. If it ain't broke etc...

That IPv4 is broken has been known for over 25 years by now. Its 32 bit
address space is ridiculously small for what we want to do with it.

>
>
> Regards,
>
> Chris
>
>
>
>
>
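The address arithmetic behind two points made in the posts above (a /56 yields 256 /64 subnets, and only the name servers for the address range can answer a reverse lookup), worked in Python as an added example that is not part of any post. The 2001:db8::/32 documentation prefix, the host address and the operator labels are constructed, and delegating the /56 reverse zone to the customer is an assumption the thread does not describe.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")            # unique local addresses
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed sample values (documentation prefix, not real allocations).
ISP_BLOCK = "2001:db8::/32"
HOME_PREFIX = "2001:db8:1234:ab00::/56"
NAS = "2001:db8:1234:ab01::22"


def lan_subnets(delegated_prefix):
    """Every /64 LAN subnet available inside a delegated prefix such as a /56."""
    net = ipaddress.IPv6Network(delegated_prefix)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    return list(net.subnets(new_prefix=64))


def reverse_zone(prefix):
    """ip6.arpa zone covering a prefix; reverse zones are cut on 4-bit nibbles."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(list(reversed(nibbles)) + ["ip6", "arpa"])


def ptr_name(address):
    """Owner name of the PTR record for one IPv6 address."""
    return ipaddress.IPv6Address(address).reverse_pointer


def reverse_authority(address, zones):
    """Most specific zone in `zones` (zone name -> operator) holding the PTR."""
    name = ptr_name(address)
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    if not matches:
        return None
    best = max(matches, key=len)
    return best, zones[best]


def scope(address):
    """Rough address class: ULA addresses are not routed on the internet."""
    addr = ipaddress.IPv6Address(address)
    if addr in ULA:
        return "unique-local"
    if addr.is_link_local:
        return "link-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


if __name__ == "__main__":
    subnets = lan_subnets(HOME_PREFIX)
    print(len(subnets), "subnets:", subnets[0], "...", subnets[-1])
    print("PTR name:", ptr_name(NAS))

    # Only the ISP serves the reverse tree: a forward alias registered
    # elsewhere has no influence on what a reverse lookup returns.
    isp_only = {reverse_zone(ISP_BLOCK): "ISP name servers"}
    print(reverse_authority(NAS, isp_only))

    # Assumed variant: the ISP delegates the customer's /56 reverse zone.
    delegated = dict(isp_only)
    delegated[reverse_zone(HOME_PREFIX)] = "customer name server"
    print(reverse_authority(NAS, delegated))

    for a in (NAS, "fd12:3456:789a:1::10", "fe80::1"):
        print(a, "->", scope(a))
```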

Dirk Munk

unread,
Sep 21, 2016, 8:28:20 AM9/21/16
to
I've explained that already. By default IPv6 access from the internet is
blocked on a CE router.

If you want to allow access to an IPv6 device on your LAN, you have to
configure on your router access to that IPv6 address *and* to the
appropriate ports.

With IPv4 you have to route a port number on the WAN port of your router
to an IPv4 address and port on the LAN. (port forwarding)

No real difference.

Jan-Erik Soderholm

unread,
Sep 21, 2016, 8:39:20 AM9/21/16
to
Den 2016-09-21 kl. 14:28, skrev Dirk Munk:
> Chris wrote:
>> On 09/21/16 12:00, Richard Levitte wrote:
>>
>>>
>>> No. NAT was never designed for network security, but
>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>
>>> With IPv6, you'll have to do firewalling for real.
>>>
>>> Cheers,
>>> Richard
>>
>> Just another opinion and whatever it was originally designed for,
>> it's turned out to be quite a sound and cost effective solution
>> to the problem.
>>
>> With IPV6, just what is meant by "firewalling for real" ?...
>>
>> Regards,
>>
>> Chris
>>
>>
>
> I've explained that already. By default IPv6 access from the internet is
> blocked on a CE router.
>
> If you want to allow access to an IPv6 device on your LAN, you have to
> configure on your router access to that IPv6 address *and* to the
> appropriate ports.

Do you have any reference to such a router? I'd just like
to read up some on what it looks like in the router GUI
then doing the config work.

And what about some non-technical customer that just would
like to have access to some IPv6 home security device?
Is it easy enough for non-technical people to use?

Today, that is solved by having the device announcing itself
to some publicly available server where the user from the
"outside" can get the IP and port to access the device.
Like TeamViewer does today.

I guess there will be similar solutions using IPv6 also,
since that is much easier to use for non-tech people.
You never see or have to know any IP addresses at all.

Dirk Munk

unread,
Sep 21, 2016, 9:07:29 AM9/21/16
to
Jan-Erik Soderholm wrote:
> Den 2016-09-21 kl. 14:28, skrev Dirk Munk:
>> Chris wrote:
>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>
>>>>
>>>> No. NAT was never designed for network security, but
>>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>>
>>>> With IPv6, you'll have to do firewalling for real.
>>>>
>>>> Cheers,
>>>> Richard
>>>
>>> Just another opinion and whatever it was originally designed for,
>>> it's turned out to be quite a sound and cost effective solution
>>> to the problem.
>>>
>>> With IPV6, just what is meant by "firewalling for real" ?...
>>>
>>> Regards,
>>>
>>> Chris
>>>
>>>
>>
>> I've explained that already. By default IPv6 access from the internet is
>> blocked on a CE router.
>>
>> If you want to allow access to an IPv6 device on your LAN, you have to
>> configure on your router access to that IPv6 address *and* to the
>> appropriate ports.
>
> Do you have any reference to such a router? I'd just like
> to read up some on what it looks like in the router GUI
> then doing the config work.

Yes, by far the best routers in this respect are Fritz!box routers made
by AVM in Berlin.
This is the address of the Swedish distributor:

http://www.datanat.se/egensida/avm-ac-n-1300mbps-routers/529

I don't think there is a Swedish manual, but you can find an English
manual on their web site.

>
> And what about some non-technical customer that just would
> like to have access to some IPv6 home security device?
> Is it easy enough for non-technical people to use?

Well, if they can setup port forwarding with IPv4, then I see no reason
why you can't do it with IPv6.

>
> Today, that is solved by having the device announcing itself
> to some publicly available server where the user from the
> "outside" can get the IP and port to access the device.
> Like TeamViewer does today.
>
> I guess there will be similar solutions using IPv6 also,
> since that is much easier to use for non-tech people.
> You never see or have to know any IP addresses at all.

You will not use IP addresses, more likely DNS names.

Scott Dorsey

unread,
Sep 21, 2016, 9:53:22 AM9/21/16
to
David Froble <da...@tsoft-inc.com> wrote:
>
>I know what to do. Have a congressional committee to research how our internet
>compares to the rest of the world. I'm sure the lobbyists for Verizon and
>Comcast will volunteer for the committee.

It's happening. Take a look at NYC mayor de Blasio's comments on the FiOS
implementation in the city and the city auditing of the process. But there
is only so much anyone can do; Verizon is a lot more powerful than the City
of New York.

Scott Dorsey

unread,
Sep 21, 2016, 10:04:58 AM9/21/16
to
In article <nrtta6$rm4$1...@gioia.aioe.org>, Chris <sys...@gfsys.co.uk> wrote:
>
>Just another opinion and whatever it was originally designed for,
>it's turned out to be quite a sound and cost effective solution
>to the problem.

But, it's really not. It just hides the problem, and it opens up a whole other
set of troubles.

>With IPV6, just what is meant by "firewalling for real" ?...

Your firewall has a list of internal devices that can talk to the outside and
a list of internal devices that cannot. It denies traffic from the ones that
cannot. This is what large IPv4 sites have done for decades, and allows ready
reconfiguration. It allows multiple devices inside the firewall to be seen
outside, if that's what you want, which you can't do when you're hiding behind
a single NAT address.

It's all clean and straight and there is a 1:1 mapping between systems, and
everybody is effectively equal in terms of how their system appears to others
(even if not in performance). It's just like the internet used to be, before
it got crowded.

Scott Dorsey

unread,
Sep 21, 2016, 10:09:19 AM9/21/16
to
Jan-Erik Soderholm <jan-erik....@telia.com> wrote:
>
>Do you have any reference to such a router? I'd just like
>to read up some on what it looks like in the router GUI
>then doing the config work.

Check the manual that came with your home router, it likely has the
features.

>And what about some non-technical customer that just would
>like to have access to some IPv6 home security device?
>Is it easy enough for non-technical people to use?

It is WAY easier than using some dyndns horror to make a dynamic
internal address have a fixed fqdn. WAY easier. You can't believe
how much easier.

>Today, that is solved by having the device announcing itself
>to some publicly available server where the user from the
>"outside" can get the IP and port to access the device.
>Like TeamViewer does today.

Which means NOW your system becomes dependent on some external server
and on connectivity to that server. Yucch.

>I guess there will be similar solutions using IPv6 also,
>since that is much easier to use for non-tech people.
>You never see or have to know any IP addresses at all.

Back in the late eighties we got dns so that you wouldn't ever need to
know any IP addresses. And that worked pretty well until the congestion
got bad and people started having to use cheesy workarounds like dynamic
addressing and NAT. Once those workarounds go away, we'll be back in a
world of straight DNS.

Jan-Erik Soderholm

unread,
Sep 21, 2016, 10:16:36 AM9/21/16
to
Yes, but my point is that most users can't no matter the IP version. :-)
Even IPv4 port forwarding is way above the majority of users.
That is why new "home" devices in many cases use help from
an internet server that handles the IP addresses and ports.
Like TeamViewer works, it works client-to-client without any
port forwarding at any end (both can be behind NAT routers).

>
>>
>> Today, that is solved by having the device announcing itself
>> to some publicly available server where the user from the
>> "outside" can get the IP and port to access the device.
>> Like TeamViewer does today.
>>
>> I guess there will be similar solutions using IPv6 also,
>> since that is much easier to use for non-tech people.
>> You never see or have to know any IP addresses at all.
>
> You will not use IP addresses, more likely DNS names.

Doesn't make any difference, if you haven't "opened" your
router for the traffic a domain name will not get you
anywhere.

Jan-Erik Soderholm

unread,
Sep 21, 2016, 10:21:03 AM9/21/16
to
Den 2016-09-21 kl. 16:09, skrev Scott Dorsey:
> Jan-Erik Soderholm <jan-erik....@telia.com> wrote:
>>
>> Do you have any reference to such a router? I'd just like
>> to read up some on what it looks like in the router GUI
>> then doing the config work.
>
> Check the manual that came with your home router, it likely has the
> features.

I'll check. I just noted that IPv6 is "disabled" b.t.w.

>
>> And what about some non-technical customer that just would
>> like to have access to some IPv6 home security device?
>> Is it easy enough for non-technical people to use?
>
> It is WAY easier than using some dyndns horror to make a dynamic
> internal address have a fixed fqdn. WAY easier. You can't believe
> how much easier.
>
>> Today, that is solved by having the device announcing itself
>> to some publicly available server where the user from the
>> "outside" can get the IP and port to access the device.
>> Like TeamViewer does today.
>
> Which means NOW your system becomes dependent on some external server
> and on connectivity to that server. Yucch.
>

It still works "out of the box" by any non-tech people.
Nothing to configure in your local router at all.

>> I guess there will be similar solutions using IPv6 also,
>> since that is much easier to use for non-tech people.
>> You never see or have to know any IP addresses at all.
>
> Back in the late eighties we got dns so that you wouldn't ever need to
> know any IP addresses. And that worked pretty well until...

In that time, *all* users of/on the internet were technically
knowledgeable people. One cannot compare that time with "today"
or "tomorrow".

Chris

unread,
Sep 21, 2016, 10:31:50 AM9/21/16
to
On 09/21/16 12:16, Dirk Munk wrote:

>
> No, not with IPv6. You really don't want IPv6 <> IPv6 NAT, that is
> totally against the principles of IPv6.
>

That's great from an idealistic tech point of view, but in the real
world, do you really think organisations will toss out all their
IPV4 routers, switches etc and rebuild the whole system just to use
IPV6 ?.

No, they will use IPV6 where there is a good business case and the
rest of the infrastructure will stay at V4 until it's time to upgrade
the whole network, or for very good reasons. It's cost, cost and cost
every time vs real benefit. Network kit vendors will produce edge
routers with V6 at the wan and both V4 and 6 for the internal networks.

>
> That IPv4 is broken has been known for over 25 years by now. Its 32 bit
> address space is ridiculously small for what we want to do with it.
>

Yes, we know all this, but IPV6 is not necessarily the best solution for
all such network problems.

Being a passionate evangelist doesn't make a belief system true :-)...

Regards,

Chris

Kerry Main

unread,
Sep 21, 2016, 10:45:04 AM9/21/16
to comp.os.vms to email gateway
> -----Original Message-----
> From: Info-vax [mailto:info-vax...@rbnsn.com] On Behalf
> Of Jan-Erik Soderholm via Info-vax
> Sent: 21-Sep-16 10:17 AM
> To: info...@rbnsn.com
> Cc: Jan-Erik Soderholm <jan-erik....@telia.com>
> Subject: Re: [Info-vax] implementing IPv6 on the internet
>

[snip..]

> Doesn't make any difference, if you haven't "opened" your
> router for the traffic a domain name will not get you anywhere.
>

As I recall, many (most?) routers and appliances today ship with
IPV6 enabled out of the box.

That is also true of all Windows Laptops and desktops shipped
since WIN8 (might even have been enabled on Win7).

There were actually a few articles written in the past about
hackers using IPV6 to tunnel into systems/desktops/sites that
were not aware their FW's/routers had IPV6 open.
https://www.wired.com/2008/07/the-ghost-in-yo/

[snip]


Regards,

Kerry Main
Kerry dot main at starkgaming dot com





Dirk Munk

unread,
Sep 21, 2016, 11:04:14 AM9/21/16
to
Kerry Main wrote:
>> -----Original Message-----
>> From: Info-vax [mailto:info-vax...@rbnsn.com] On Behalf
>> Of Jan-Erik Soderholm via Info-vax
>> Sent: 21-Sep-16 10:17 AM
>> To: info...@rbnsn.com
>> Cc: Jan-Erik Soderholm <jan-erik....@telia.com>
>> Subject: Re: [Info-vax] implementing IPv6 on the internet
>>
>
> [snip..]
>
>> Doesn't make any difference, if you haven't "opened" your
>> router for the traffic a domain name will not get you anywhere.
>>
>
> As I recall, many (most?) routers and appliances today ship with
> IPV6 enabled out of the box.
>
> That is also true of all Windows Laptops and desktops shipped
> since WIN8 (might even have been enabled on Win7).

Actually since Vista, since Vista was the first Windows version with the
new IP stack.

By default IPv6 always is the preferred stack, so if an IPv4 and an IPv6
connection are possible, the IPv6 connection will be chosen, and I'm
sure you know this.

Dirk Munk

unread,
Sep 21, 2016, 11:40:28 AM9/21/16
to
Chris wrote:
> On 09/21/16 12:16, Dirk Munk wrote:
>
>>
>> No, not with IPv6. You really don't want IPv6 <> IPv6 NAT, that is
>> totally against the principles of IPv6.
>>
>
> That's great from an idealistic tech point of view, but in the real
> world, do you really think organisations will toss out all their
> IPV4 routers, switches etc and rebuild the whole system just to use
> IPV6 ?.

No, because if these are recent routers and switches, they will also
have IPv6. So it is just a matter of enabling IPv6.

>
> No, they will use IPV6 where there is a good business case and the
> rest of the infrastructure will stay at V4 until it's time to upgrade
> the whole network, or for very good reasons. It's cost, cost and cost
> every time vs real benefit. Network kit vendors will produce edge
> routers with V6 at the wan and both V4 and 6 for the internal
> networks.

No, they will produce dual stack routers. These routers will also be
able to tunnel IPv4 over IPv6 for carrier grade IPv4 NAT.

What they will not do is producing routers that 'translate' IPv6 traffic
to IPv4 etc.

>
>>
>> That IPv4 is broken has been known for over 25 years by now. Its 32 bit
>> address space is ridiculously small for what we want to do with it.
>>
>
> Yes, we know all this, but IPV6 is not necessarily the best solution for
> all such network problems.

IPv4 is dying, and no one wants to use dual stack for applications if
it can be avoided. So the future is IPv6.

Richard Levitte

unread,
Sep 21, 2016, 11:56:08 AM9/21/16
to
Except you're into a world of complication if you want to open up port 22 to every device at home... Ah-yup, let the fun begin.

Cheers,
Richard

Richard Levitte

unread,
Sep 21, 2016, 12:06:27 PM9/21/16
to
It doesn't have to be "the best solution", it just has to be better. Plus, IPv6 is already deployed even though not everywhere, that's a plus as well. If you'd want to replace IPv4 with something today, what would you choose, pragmatically speaking?

Cheers,
Richard

Richard Levitte

unread,
Sep 21, 2016, 12:10:07 PM9/21/16
to
Den onsdag 21 september 2016 kl. 16:45:04 UTC+2 skrev Kerry Main:
> As I recall, many (most?) routers and appliances today ship with
> IPV6 enabled out of the box.

Errrrr, really? I've been looking at off the shelf home routers for a while here in Sweden, and finding one that even mentions IPv6 in the specs is still hard work! Maybe I'm looking in the wrong places... "pro" graded hardware is a different story, of course.

Cheers,
Richard

Dirk Munk

unread,
Sep 21, 2016, 12:13:38 PM9/21/16
to
I had a look at TeamViewer, and I'm sure it will be useful for certain
purposes.

However why it should be simpler than opening a port escapes me, it is
quite a big software package.

Furthermore I doubt if it even knows about IPv6, most likely it is just
IPv4 aware.

And I very much doubt if consumers will want to pay €360 per year for
TeamViewer.

Dirk Munk

unread,
Sep 21, 2016, 12:17:58 PM9/21/16
to
Get a Fritz!box, they are by far the best consumer routers. Their market
share in Germany is > 50%.

Chris

unread,
Sep 21, 2016, 12:19:53 PM9/21/16
to
On 09/21/16 15:40, Dirk Munk wrote:

>
> No, because if these are recent routers and switches, they will also
> have IPv6. So it is just a matter of enabling IPv6.
>

Recent, yes, but not otherwise. I just logged in the Virgin Superhub
here to check and it's IPV4 all the way through, even the WAN address.
It was a free upgrade only a few months ago, so should be fairly up to
date.

Ok, devil's advocate, but I'm always suspicious when people make
statements that are clearly not true. Telling others what they should
be doing is never the best way to gain acceptance for any plan, no
matter how good. IPV6 may be the way forward
and looks like a far better solution long term. That is, when it's fully
sorted, proven and there is a good business case.

Judging by the multinet announcement elsewhere, you will have IPV6 on
VMS, so problem solved then...

Regards,

Chris

Dirk Munk

unread,
Sep 21, 2016, 12:21:08 PM9/21/16
to
No, it is very simple, far more simple than with IPv4.

IPV6-address-1 open port 22
IPV6-address-2 open port 22
IPV6-address-3 open port 22
IPV6-address-4 open port 22
IPV6-address-5 open port 22

Ready.



> Cheers,
> Richard
>
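The default-deny behaviour and the per-address port 22 entries described in the posts above, modelled in Python as an added example that is not part of any post or any router's firmware. Addresses use the 2001:db8::/32 and 192.0.2.0/24 documentation ranges and are constructed; the model covers TCP/UDP tuples only, and the IPv4 table assumes external ports numbered from 2201.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges).
LAN = "2001:db8:1234:ab00::/64"
SSH_HOSTS = [f"2001:db8:1234:ab00::{n}" for n in (11, 12, 13, 14, 15)]
PRINTER = "2001:db8:1234:ab00::50"
OUTSIDE = "2001:db8:ffff::99"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    from_wan: bool  # True when the packet arrives on the router's WAN side


class Ipv6ForwardFilter:
    """Stateful forwarding filter: a global address alone grants no reachability."""

    def __init__(self, lan_prefix, allow_rules):
        self.lan = ipaddress.IPv6Network(lan_prefix)
        # Each allow rule opens one port on one LAN address.
        self.allow = {(ipaddress.IPv6Address(a), port) for a, port in allow_rules}
        self.flows = set()  # flows opened from the LAN (never expired in this model)

    def decide(self, pkt):
        src = ipaddress.IPv6Address(pkt.src)
        dst = ipaddress.IPv6Address(pkt.dst)
        if not pkt.from_wan:
            if src not in self.lan:
                return "drop: source outside LAN prefix"
            self.flows.add((src, pkt.sport, dst, pkt.dport))
            return "accept: outbound"
        if dst not in self.lan:
            return "drop: destination outside LAN prefix"
        if (dst, pkt.dport, src, pkt.sport) in self.flows:
            return "accept: reply to outbound flow"
        if (dst, pkt.dport) in self.allow:
            return "accept: allow rule"
        return "drop: default deny"


def napt_forward_table(wan_addr, targets, first_external_port=2201):
    """IPv4 port forwarding behind one WAN address: hosts offering the same
    service port cannot share it, so each gets its own external port."""
    table = {}
    for offset, (host, port) in enumerate(targets):
        table[(wan_addr, first_external_port + offset)] = (host, port)
    return table


if __name__ == "__main__":
    fw = Ipv6ForwardFilter(LAN, [(h, 22) for h in SSH_HOSTS])
    samples = [
        Packet(OUTSIDE, 50000, SSH_HOSTS[0], 22, True),   # allowed host and port
        Packet(OUTSIDE, 50000, SSH_HOSTS[0], 80, True),   # same host, closed port
        Packet(OUTSIDE, 50000, PRINTER, 22, True),        # global address, no rule
        Packet(PRINTER, 40000, OUTSIDE, 443, False),      # printer connects out
        Packet(OUTSIDE, 443, PRINTER, 40000, True),       # matching reply
    ]
    for pkt in samples:
        print(pkt.dst, pkt.dport, "->", fw.decide(pkt))

    v4 = napt_forward_table("192.0.2.10",
                            [(f"192.168.1.{n}", 22) for n in (11, 12, 13, 14, 15)])
    for (wan, ext_port), (host, port) in v4.items():
        print(f"{wan}:{ext_port} -> {host}:{port}")
```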

Richard Levitte

unread,
Sep 21, 2016, 12:27:06 PM9/21/16
to
Yes, that's what I was talking about. Sorry for being unclear.

> IPV6-address-1 open port 22
> IPV6-address-2 open port 22
> IPV6-address-3 open port 22
> IPV6-address-4 open port 22
> IPV6-address-5 open port 22
>
> Ready.

Yup.

Cheers,
Richard

David Froble

unread,
Sep 21, 2016, 12:31:13 PM9/21/16
to
I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
perspective, I have to ask, how many people, organizations, etc; behind an IPv4
NAT router really need the extended address space. Right now, as you state, you
can forward any ports to any device on today's NAT routers. So, what's the
rush, for this issue anyway, for IPv6?

Now, where I do see a problem, and IPv6 will not address it if I understand it
correctly, is that if some device can be accessed from outside, and it's not so
secure, it's inside your router and can get at the rest of the devices on the
internal network.

Dirk Munk

unread,
Sep 21, 2016, 12:34:30 PM9/21/16
to
Chris wrote:
> On 09/21/16 15:40, Dirk Munk wrote:
>
>>
>> No, because if these are recent routers and switches, they will also
>> have IPv6. So it is just a matter of enabling IPv6.
>>
>
> Recent, yes, but not otherwise. I just logged in the Virgin Superhub
> here to check and it's IPV4 all the way through, even the WAN address.
> It was a free upgrade only a few months ago, so should be fairly up to
> date.
>

Oh, I'm sure. Liberty Global really isn't very fast with implementing
IPv6. As soon as they are ready you will get new firmware with IPv6.

> Ok, devil's advocate, but I'm always suspicious when people make
> statements that are clearly not true. Telling others what they should
> be doing is never the best way to gain acceptance for any plan, no
> matter how good. IPV6 may be the way forward
> and looks like a far better solution long term. That is, when it's fully
> sorted, proven and there is a good business case.
>
> Judging by the multinet announcement elsewhere, you will have IPV6 on
> VMS, so problem solved then...
>

Well, it already was on OpenVMS, but very half-baked.

> Regards,
>
> Chris
>

David Froble

unread,
Sep 21, 2016, 12:35:10 PM9/21/16
to
Dirk Munk wrote:

> Well, if they can setup port forwarding with IPv4, then I see no reason
> why you can't do it with IPv6.

And just how many non-technical users do you know who can set up port
forwarding? It's more like "what's a port?" Unless the user interface is
drastically improved, not just fool-proof and idiot-proof, I know technical
users who cannot do so.

>> Today, that is solved by having the device announcing itself
>> to some publicly available server where the user from the
>> "outside" can get the IP and port to access the device.
>> Like TeamViewer does today.
>>
>> I guess there will be similar solutions using IPv6 also,
>> since that is much easier to use for non-tech people.
>> You never see or have to know any IP addresses at all.
>
> You will not use IP addresses, more likely DNS names.

Doesn't address the set-up issues ....

Chris

Sep 21, 2016, 12:42:53 PM
On 09/21/16 16:06, Richard Levitte wrote:

>
> It doesn't have to be "the best solution", it just has to be better.
> Plus, IPv6 is already deployed even though not everywhere, that's a
> plus as well. If you'd want to replace IPv4 with something today, what
> would you choose, pragmatically speaking?
>
> Cheers,
> Richard

Unfortunately, business doesn't buy new kit because it's "better".
The first question must be "how is it better" and if that solves a
problem, the next question is: How much will it cost in time and
materials to change, vs the benefits. V6 has been around on Linux
and others for years now, so if there is such a valid USP, why
hasn't the whole world converted?

At this stage V6 still has no definite specs, which is a recipe
for compatibility chaos, unproven software and security
loopholes for the bad guys to exploit. In comparison, V4 has had
decades of development, debugging, is pretty solid and is a known
quantity.

If I'm arguing at this, it's partly because I don't like people
coming along dictating solutions while rejecting all others.
It's neither rational, nor likely to produce the best engineered
result. The devil is in the detail and one size fits all rarely
works in practice...

Regards,

Chris

Kerry Main

Sep 21, 2016, 12:45:04 PM
to comp.os.vms to email gateway
> -----Original Message-----
> From: Info-vax [mailto:info-vax...@rbnsn.com] On Behalf
> Of Richard Levitte via Info-vax
> Sent: 21-Sep-16 12:10 PM
> To: info...@rbnsn.com
> Cc: Richard Levitte <ric...@levitte.org>
> Subject: Re: [Info-vax] implementing IPv6 on the internet
>
I suspect the cheaper home router / fw appliances ship with IPV6
enabled to simplify user setup.

One of the more popular home routers is Dlink:
http://ca.dlink.com/technology/dlink-ipv6-solutions/

Extract - "More importantly, D-Link IPv6 supports home gateway
will enable IPv6 by default, which means D-Link IPv6 support CPE
will not require any IPv6-specific configuration by users."

David Froble

Sep 21, 2016, 12:50:06 PM
Jan-Erik Soderholm wrote:
> Den 2016-09-21 kl. 11:34, skrev David Froble:
>> Dirk Munk wrote:
>>> Richard Levitte wrote:
>>>> Den onsdag 21 september 2016 kl. 10:01:55 UTC+2 skrev Dirk Munk:
>>>>> Now keep in mind that access from the internet to your LAN is not
>>>>> limited to web servers etc. There can be TV cameras on your LAN
>>>>> allowing you to check what is going on at home. You may want to
>>>>> switch on the heating system or the air conditioning half an hour
>>>>> before you arrive home, You may have a NAS on your LAN, and you
>>>>> may want to safe or retrieve documents from it over the internet.
>>>>> And so on.
>>>>>
>>>>> All these things require a proper network setup, and alas with
>>>>> IPv6 the IETF completely forgot to draft the proper RFC's.
>>>>
>>>> I'm curious, exactly what is it that you require? Is it something
>>>> that must exist at the IP level?
>>>>
>>>> Cheers, Richard
>>>>
>>>
>>> I explained that in in the first posting of this thread.
>>>
>>> In short, you will have global IPv6 addresses on you home LAN.
>>
>> This concept is a bit like ethernet, where every ethernet device
>> manufactured had a unique 12 character address.
>
> Has, not had. That is the MAC address, isn't it?
>
> And it is not "12 characters", it is 12 hexadecimal numbers,
> representing a 6 byte binary value.
>
>> However, I don't know
>> if this was administered by some RFC, or by the group of cooperating
>> companies that originally set up the concept.
>>
>>> These addresses with accompanying DNS names have to be registered on
>>> a public DNS server, i.e. the DNS server of your ISP.
>>
>> Perhaps not all ISPs have a DNS service.
>>
>
> Perhaps they have. I'm quite sure they have. If not, they would have
> a hard time being an ISP at all, I guess.
>
>>> There has to be a secure and automatic mechanism on your router that
>>> will take care of this.
>>
>> Nor do I understand why a router has anything to do with this? I guess
>> it could.
>
> The router knows about the local hosts behind the router and could
> handle the registration of these hosts in the up-link DNS environment.
> Of course using some automatically generated domain names.
>
>>
>>> Your ISP has to provide you with a (sub)domain where you can store
>>> your entries.
>>
>> Again, you seem to be saying this is the job of the ISP. I'm not sure
>> that is correct.
>
> They have to be registered somewhere.
>
>>
>>> That is the only way you can access devices on you home LAN by a DNS
>>> name, like nas.levitte.org .
>>>
>>> I notice that you have your own domain, but I assume you don't have
>>> your own public DNS server. You will use the DNS server of some ISP or
>>> so. I also have a domain, but it is registered at Hurricane Electric.
>>
>> That's a bit different than what you've been writing. Yes, some DNS
>> service could translate a name into an IP address. But, perhaps it's
>> not the job of your ISP.
>
> It is the job of the DNS servers. Due to load balancing and having
> the translation as close to the requestor as possible, the (all)
> ISPs will have their own DNS servers.
>
>>
>>> So levitte.org should be registered at the nameserver of your ISP,
>>> otherwise reversed name lookup is impossible.
>>
>> So, I'm not sure that some official RFP is required. Perhaps all that
>> is required is that your local IP addresses are not masked by ISPs and
>> such.
>
> That is not enough, they have to have a domain name also. And that
> domain name has to be registered somewhere.
>
>
>

Yes, it does. I'm aware of that.

I'm also aware that in the US, (you non-US people don't have all these features,
or actually, lack of), some ISPs have been cutting back on what early ISPs
delivered, such as news, DNS, and such. It's already been mentioned that the US
has some of the worst internet services.

Now, I'm not sure, but perhaps Verizon Wireless doesn't provide DNS services.
I'm also pretty sure they do not provide news.

Capitalism has all too often been converted to gouging ....

:-(

Dirk Munk

Sep 21, 2016, 12:50:18 PM
There are no more IPv4 addresses available on the internet. The internet
can only expand with IPv6. If you want to connect to such a server, you
will need IPv6.

You don't want to use dual stack for a long time, so the sooner we can
say goodbye to IPv4, the better.

>
> Now, where I do see a problem, and IPv6 will not address it if I
> understand it correctly, is that if some device can be accessed from
> outside, and it's not so secure, it's inside your router and can get at
> the rest of the devices on the internal network.

No, you can't get to the rest of the devices. You can only get to the
devices that you have enabled on your router. Besides that, there are
more than 4 billion x 4 billion possible addresses on one subnet.

Richard Levitte

Sep 21, 2016, 12:50:21 PM
Den onsdag 21 september 2016 kl. 18:17:58 UTC+2 skrev Dirk Munk:
> Get a Fritz!box, they are by far the best consumer routers. Their market
> share in Germany is > 50%.

I just looked through the manual for one of the models, and while it does mention IPv6 a lot and the capability to tunnel over IPv4 (which I'm forced to do because more or less all ISPs in Sweden are pieces of shit who won't even look at IPv6), I'm tunneling via tunnelbroker.net (HE), and it seems not all appliances know how to handle that one. Sure, I could go for one that supports TSP, but the only one that's acceptable (because it has an end point in Europe) that I know of is gogo6, which seems to be unavailable for the moment...

I'm actually currently looking at getting a small box with two network ports, install Linux, doing a quick network and iptables setup and stop searching further. That, at least, is something I know will work (I've had this setup on my laptop for quite a while).

Cheers,
Richard

Dirk Munk

Sep 21, 2016, 12:53:52 PM
It is really very simple, and many devices can also use UPnP to open ports.

Jan-Erik Soderholm

Sep 21, 2016, 12:55:46 PM
It is way easier to use than managing a router. And what the
heck does the size of the package/download have to do with that?


>
> Furthermore I doubt if it even knows about IPv6, most likely it just IPv4
> aware.
>
> And I very much doubt if consumers will want to pay €360 per year for
> TeamViewer.
>

You are totally missing the point. I'm not sure that it is worth
trying, but anyway...

1'st, Teamviewer is free for the basic functionality, but irrelevant.

2'nd, TW was only mentioned as an example of how communication
between clients behind NAT'ed routers is solved without forcing
the user to learn about "port forwarding".

There are also other equipments (home security, home automation)
that work in very much the same way. The equipment announces itself
to some service on the net, and your client (like phone app) asks
this server for the actual IP/port to use. (That the domain has
been resolved to an IP is totally irrelevant).

David Froble

Sep 21, 2016, 12:57:45 PM
Chris wrote:

> Being a passionate evangelist doesn't make a belief system true :-)...

That's sort of a "bullseye"

:-)

David Froble

Sep 21, 2016, 12:59:47 PM
That assumes he wants to replace IPv4 today ....

And I think that's the point ....

Dirk Munk

Sep 21, 2016, 1:00:48 PM
Richard Levitte wrote:
> Den onsdag 21 september 2016 kl. 18:17:58 UTC+2 skrev Dirk Munk:
>> Get a Fritz!box, they are by far the best consumer routers. Their market
>> share in Germany is > 50%.
>
> I just looked through the manual for one of the models, and while it does mention IPv6 a lot and the capability to tunnel over IPv4 (which I'm forced to do because more or less all ISPs in Sweden are pieces of shit who won't even look at IPv6), I'm tunneling via tunnelbroker.net (HE),

So am I, the Fritz!box handles that brilliantly. It even automatically
updates the tunnel settings at Hurricane if the IPv4 WAN address on your
router changes.

Johnny Billquist

Sep 21, 2016, 1:01:30 PM
I bought an Asus wireless router last year at Teknikmagasinet, and it
does IPv6 out of the box. You must be looking in the wrong places. :-)

(Yes, wireless, but it still has four wired ports as well.)

Johnny

Chris

Sep 21, 2016, 1:02:12 PM
On 09/21/16 16:50, Richard Levitte wrote:

> I'm actually currently looking at getting a small box with two
> network ports, install Linux, doing a quick network and iptables
> setup and stop searching further. That, at least, is something
> I know will work (I've had this setup on my laptop for quite a
> while).
>
> Cheers,
> Richard

Perhaps I could suggest pfsense, opnsense or ipcop. First two
are FreeBSD based, while the latter is Linux based. All very
capable router / firewall solutions. Have used pfsense and
ipcop here for years and they are more or less fit and forget.
opnsense is a fairly new variation on pfsense, but seems to
work well.

Run one of the above with an embedded / or any x86 pc with
two or more network interfaces and you are good to go...

Regards,

Chris

Richard Levitte

Sep 21, 2016, 1:19:40 PM
Den onsdag 21 september 2016 kl. 19:01:30 UTC+2 skrev Johnny Billquist:
> I bought an Asus wireless router last year at Teknikmagasinet, and it
> does IPv6 out of the box. You must be looking in the wrong places. :-)

That, or finding it very hard to find out whether a router has IPv6 support. Dunno about you, but I don't see that being advertised much. Following the dlink URL from another post, I had to go all the way to the manual of a DIR-868L to find any mention of IPv6, while it is sold at easily accessible places such as Webhallen and Kjell&Co! Asking around in those places mostly has the personnel shrug and go "I dunno" or "I'm not sure"...

So, speaking of why the home users don't care, I'm thinking the sheer lack of promotion, even basic information might be as much a problem as anything else.

Anyway, there are some useful leads to follow, thank y'all.

Cheers,
Richard

Stephen Hoffman

Sep 21, 2016, 1:23:21 PM
On 2016-09-21 14:31:47 +0000, Chris said:

> On 09/21/16 12:16, Dirk Munk wrote:
>
>> No, not with IPv6. You really don't want IPv6 <> IPv6 NAT, that is
>> totally against the principles of IPv6.
>
> That's great from an idealistic tech point of view, but in the real
> world, do you really think organisations will toss out all their IPV4
> routers, switches etc and rebuild the whole system just to use IPV6 ?.

Yes, we do. Not immediately. But it's happening. In the real
world, I expect folks to replace their older gear as warranty and
support ends, or as the gear itself fails, or as the gear no longer
meets their needs. So, yes, I expect to see newer devices. It'll
take — it's already taken — a very long time for this to happen, and
some users and some vendors will try to avoid this.

> No, they will use IPV6 where there is a good business case and the rest
> of the infrastructure will stay at V4 until it's time to upgrade the
> whole network, or for very good reasons. It's cost, cost and cost
> every time vs real benefit. Network kit vendors will produce edge
> routers with V6 at the wan and both V4 and 6 for the internal networks.

We're already running IPv4 and IPv6 dual-stack all over the place.
Systems with macOS and Windows clients and more than a few Linux
systems are already running both. This is already the case on most
networks, whether the users realize it. Transparently. If sites can
get away with running just IPv4, great for them. In the US, more
than a few are kept with IPv4 uplinks by their ISPs, due to no small
investment in gear. But for not the first time I've had to state this
around comp.os.vms or other discussions, OpenVMS itself needs to move
forward. Or it dies. The market for folks depending on older
software and older hardware and on IPv4-only configurations will only
shrink over time, and newer software and newer systems and newer
network widgets have to deal with our current and upcoming needs.
End-user customers can ignore this. At their discretion, or at their
own peril. ISPs can try to defer this. Software and hardware
vendors and software developers cannot, however. Not without risking
getting caught out.


--
Pure Personal Opinion | HoffmanLabs LLC

Dirk Munk

Sep 21, 2016, 1:27:27 PM
Lots of configuration possibilities? Lots of things to read?

>
>>
>> Furthermore I doubt if it even knows about IPv6, most likely it just IPv4
>> aware.
>>
>> And I very much doubt if consumers will want to pay €360 per year for
>> TeamViewer.
>>
>
> You are totally missing the point. I'm not sure that it is worth
> trying, but anyway...
>
> 1'st, Teamviewer is free for the basic functionality, but irrelevant.

Nice, but I had a short look and saw "buy" with €360 per year as
cheapest option.

>
> 2'nd, TW was only mentioned as an example of how communication
> between clients behind NAT'ed routers is solved without forcing
> the user to learn about "port forwarding".

Fine, but it still assumes both end-points have TeamViewer.

>
> There are also other equipments (home security, home automation)
> that work in very much the same way. The equipment announces itself
> to some service on the net, and your client (like phone app) asks
> this server for the actual IP/port to use. (That the domain has
> been resolved to an IP is totally irrelevant).
>
>

I know, but then you're always dependent on some other service.

Jan-Erik Soderholm

Sep 21, 2016, 1:32:18 PM
Nop. Close to nothing. Just run, and pass the "user" and "pw"
to your partner that then can connect to your system.
I use TW to support my mother with her laptop.

It sounds as if you haven't used TW at all...

>
>>
>>>
>>> Furthermore I doubt if it even knows about IPv6, most likely it just IPv4
>>> aware.
>>>
>>> And I very much doubt if consumers will want to pay €360 per year for
>>> TeamViewer.
>>>
>>
>> You are totally missing the point. I'm not sure that it is worth
>> trying, but anyway...
>>
>> 1'st, Teamviewer is free for the basic functionality, but irrelevant.
>
> Nice, but I had a short look and saw "buy" with €360 per year as cheapest
> option.

Look for "download" instead. :-)

>
>>
>> 2'nd, TW was only mentioned as an example of how communication
>> between clients behind NAT'ed routers is solved without forcing
>> the user to learn about "port forwarding".
>
> Fine, but it still assumes both end-points have TeamViewer.

Of course! That is the whole point with TeamViewer.
I think you are still misunderstanding.

>
>>
>> There are also other equipments (home security, home automation)
>> that work in very much the same way. The equipment announces itself
>> to some service on the net, and your client (like phone app) asks
>> this server for the actual IP/port to use. (That the domain has
>> been resolved to an IP is totally irrelevant).
>>
>>
>
> I know, but then you're always dependent on some other service.
>

Doesn't matter. Still far easier than configuring a router.


Stephen Hoffman

Sep 21, 2016, 1:32:40 PM
On 2016-09-21 15:56:06 +0000, Richard Levitte said:

> Den onsdag 21 september 2016 kl. 14:28:20 UTC+2 skrev Dirk Munk:
>>
>> No real difference.
>
> Except you're into a world of complication if you want to open up port
> 22 to every device at home... Ah-yup, let the fun begin.

There's little difference. If you port-forward TCP port 22 with IPv4,
you get poked at. If you open TCP port 22 with IPv6, you get poked
once your IP address is known. The port forwarding and NAT mess
becomes a simpler set of manual and automatic rules configurable in
your firewall for source and destinations, for the folks that want or
need that control. As for finding the target IP addresses, the
sparseness of the address space makes it far more difficult to masscan
all of IPv6 than IPv4. (The masscan tool can run through all of the
active IPv4 address space in a few minutes, or use Shodan, etc.) But
open ports on known IP addresses will get probed, whether on IPv4 or on
IPv6.

Scott Dorsey

Sep 21, 2016, 1:36:34 PM
David Froble <da...@tsoft-inc.com> wrote:
>
>I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
>perspective, I have to ask, how many people, organizations, etc; behind a IPv4
>NAT router really need the extended address space. Right now, as you state, you
>can forward any ports to any device on today's NAT routers. So, what's the
>rush, for this issue anyway, for IPv6?

If you have a dozen computers in a NATted subnet that want to connect out,
everything is great. They can all share one address.

The problem is when you have more than one computer that wants to accept
connections in. Then it all falls apart.

Since NAT has become almost universal for home systems in the US, a lot of
systems now rely on horrible cheesy workarounds to deal with this. It would
be very good to get out of that situation.

>Now, where I do see a problem, and IPv6 will not address it if I understand it
>correctly, is that if some device can be accessed from outside, and it's not so
>secure, it's inside your router and can get at the rest of the devices on the
>internal network.

Yes, but this is the case whether you are running IPv6 or IPv4. If it's not
so secure, don't allow incoming access to it.
--scott

--
"C'est un Nagra. C'est suisse, et tres, tres precis."

Scott Dorsey

Sep 21, 2016, 1:38:43 PM
In article <nrudaa$1nmf$1...@gioia.aioe.org>, Chris <sys...@gfsys.co.uk> wrote:
>
>Unfortunately, business doesn't buy new kit because it's "better".
>The first question must be "how is it better" and if that solves a
>problem, the next question is: How much will it cost in time and
>materials to change, vs the benefits. V6 has been around on Linux
>and others for years now, so if there is such a valid USP, why
>hasn't the whole world converted?

Much of the world HAS converted. It's really in the US where you see the
insistence on sticking with v4.

>At this stage V6 still has no definite specs, which is a recipe
>for compatibility chaos, unproven software and security
>loopholes for the bad guys to exploit. In comparison, V4 has had
>decades of development, debugging, is pretty solid and is a known
>quantity.

I think you're a decade behind here. IPv6 is in place and running in most
of Asia and has been for some time now.

Stephen Hoffman

Sep 21, 2016, 1:42:56 PM
On 2016-09-21 16:31:11 +0000, David Froble said:

> I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
> perspective, I have to ask, how many people, organizations, etc; behind
> a IPv4 NAT router really need the extended address space. Right now,
> as you state, you can forward any ports to any device on today's NAT
> routers. So, what's the rush, for this issue anyway, for IPv6?

There's no rush at all, right up until you really need that connectivity.

For VSI or for software developers, this means that most folks won't
use IPv6 right up until they really need to light it up and use it.

Same as usual, in terms of the pattern of adoption of newness.

> Now, where I do see a problem, and IPv6 will not address it if I
> understand it correctly, is that if some device can be accessed from
> outside, and it's not so secure, it's inside your router and can get at
> the rest of the devices on the internal network.

Sure, but you can make the same mistake with IPv4.

As for IPv6, consider that VPNs and such connections want or need to
know the addresses of the end-points of the connection, and NAT is
specifically intended to make those end-points not visible. This...
tension... makes the whole IPv4 connection and management process much
more complex. Port forwarding with NAT around means playing games
with which ports go where, if you're fanning out incoming connections.
With IPv6, you don't need to use different ports to fan out
connections. It's simpler. Now if you do open up all inbound TCP
port 22 — or TCP port 23, for folks still running telnet — to
everything at your gateway-firewall, then — once the remote users find
the target addresses — those internal hosts are going to see login
attempts throughout. But nothing mandates opening up all inbound
access, and that open access almost certainly won't be the default on
any gateway-firewall device.
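
The contrast drawn in the post above, per-address IPv6 firewall rules versus NAT port forwarding, and the over-broad "port 22 to everything" rule it warns about, as a small model. This is an added example, not code from the thread or from any router firmware; the addresses (documentation prefix 2001:db8::/32 and RFC 1918 space), the rule format and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (documentation prefix, not real hosts).
LAN6 = ipaddress.ip_network("2001:db8:1:1::/64")
NAS = ipaddress.ip_address("2001:db8:1:1::10")
CAM = ipaddress.ip_address("2001:db8:1:1::20")
TV = ipaddress.ip_address("2001:db8:1:1::30")
OUTSIDE = ipaddress.ip_address("2001:db8:ffff::99")


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: destination prefix, protocol, port."""
    dst: ipaddress.IPv6Network
    proto: str
    port: int


@dataclass(frozen=True)
class Packet:
    """A packet arriving on the WAN side of the gateway."""
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    proto: str
    port: int
    established: bool = False  # reply to a flow opened from inside the LAN


def host_rule(addr, proto, port):
    """Allow rule scoped to exactly one host (a /128)."""
    return Rule(ipaddress.ip_network(f"{addr}/128"), proto, port)


def inbound_verdict(rules, pkt):
    """Default-deny inbound filter: replies pass, new flows need a rule."""
    if pkt.established:
        return "accept"
    for rule in rules:
        if pkt.dst in rule.dst and pkt.proto == rule.proto and pkt.port == rule.port:
            return "accept"
    return "drop"


def audit(rules):
    """Flag rules that expose more than the one host/service intended."""
    findings = []
    for rule in rules:
        if rule.dst.prefixlen < 128:
            findings.append(
                f"{rule.proto}/{rule.port} open to every host in {rule.dst}")
        if rule.proto == "tcp" and rule.port == 23:
            findings.append(f"telnet exposed on {rule.dst}")
    return findings


def build_nat_forwards(forwards):
    """IPv4 port forwarding: one WAN address, so each external port
    can point at only one inside host."""
    table = {}
    for ext_port, inside in forwards:
        if ext_port in table:
            raise ValueError(
                f"external port {ext_port} already forwarded to {table[ext_port]}")
        table[ext_port] = inside
    return table


if __name__ == "__main__":
    # IPv6: two hosts both reachable on tcp/22, no port juggling.
    scoped = [host_rule(NAS, "tcp", 22), host_rule(CAM, "tcp", 22)]
    for target in (NAS, CAM, TV):
        print(target, inbound_verdict(scoped, Packet(OUTSIDE, target, "tcp", 22)))
    print("audit scoped:", audit(scoped))

    # The over-broad rule: tcp/22 to the whole /64.
    broad = [Rule(LAN6, "tcp", 22)]
    print("audit broad:", audit(broad))

    # IPv4 NAT: the second host needs a different external port.
    print(build_nat_forwards([(22, ("192.168.1.10", 22)),
                              (2222, ("192.168.1.20", 22))]))
```

The filter only sees traffic crossing the gateway; what an accepted connection lets the exposed host do toward its LAN neighbours is outside this model, on IPv4 and IPv6 alike.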

Johnny Billquist

Sep 21, 2016, 1:49:23 PM
Oh, I totally agree that most of the time information can be hard to
find, and most people selling things are clueless. But honestly, I doubt
you will find any router today that does not do IPv6. And I think most
ISPs also deal with it nowadays.

It was different 10-15 years ago when I first started trying to do IPv6
in Sweden (well, it was tricky anywhere in the world back then). But I
have been handling a host that has been IPv6 enabled for more than 10
years now. In Sweden. At a University, though... So not exactly dealing
with ISPs.

Johnny (with that VAX 8650 by the name 130.238.19.20 or
2001:6b0:b:fff0::14).


Stephen Hoffman

Sep 21, 2016, 1:59:21 PM
On 2016-09-21 17:38:42 +0000, Scott Dorsey said:

> Much of the world HAS converted. It's really in the US where you see
> the insistence on sticking with v4.

Ayup. Similar to the use of US ASCII in existing computing. Or of
DEC MCS, for those a little further from the trailing edge.

> I think you're a decade behind here. IPv6 is in place and running in
> most of Asia and has been for some time now.

OpenVMS is a decade or so behind the times here too, so that works out
about the same, right?

Chris

Sep 21, 2016, 2:29:26 PM
On 09/21/16 17:38, Scott Dorsey wrote:

>
> Much of the world HAS converted. It's really in the US where you see the
> insistence on sticking with v4.
>

From what I can see, looks like the majority of uk domestic isp
subscribers on V4 at present as well, so it looks like we may
have a two tier internet at present isp's and top level, V6,
with the end point subscribers are on V4.

>> At this stage V6 still has no definite specs, which is a recipe
>> for compatibility chaos, unproven software and security
>> loopholes for the bad guys to exploit. In comparison, V4 has had
>> decades of development, debugging, is pretty solid and is a known
>> quantity.
>
> I think you're a decade behind here. IPv6 is in place and running in most
> of Asia and has been for some time now.
> --scott

Asia is not the whole world and while V6 may be in general use,
it's 5-10 years away or more for more general adoption
worldwide, afaics.

It took decades to shake out all the bugs from V4 and all the
unknown corner cases not thought of in the design, not to mention
all the security issues which still surface from time to time
even now. Expect the adoption of V6 to be the same.

Look, I'm not arguing against V6 for its own sake and it
is obviously needed. But please, enough of the proselytisation,
assumptions and arm waving about how good it is and what the
rest of the world is using and their reasons for doing so :-).

Regards,

Chris



Craig A. Berry

Sep 21, 2016, 3:25:17 PM
On 9/20/16 7:45 AM, John E. Malmberg wrote:
> On 9/20/2016 4:47 AM, Dirk Munk wrote:

>> If you want to reach a device on your LAN from the internet, you address
>> a certain port number on the WAN address of your router, and by means of
>> port forwarding it will be translated to an IP address and port number
>> on your LAN. You will all be familiar with this concept.
>
> And every residential ISP I have had in the last 20 years in the U.S.
> has a Terms Of Service (TOS) absolutely prohibiting this type of access.

You've had very bad luck as I've never seen that. However, I have been
in the big city (Chicago), where there are multiple ISPs competing for
business, including SOHO business, which they often explicitly mention
in their advertising for residential services.

Comcast's residential agreement is here:

<http://www.xfinity.com/Corporate/Customers/Policies/SubscriberAgreement.html>

As far as I can tell that applies U.S.-wide and is not specific to my
location. It's very long and I'm not about to spend the whole day
reading it, but I did note in 17.2.c that they exclude themselves from
liability for anything that happens to you as a result of someone on the
Internet accessing your equipment via "certain applications" with FTP
and HTTP given as examples of those applications. Which essentially
assumes that you are running a server.

While the entrenched players win many of the battles over decent
Internet access in the U.S., they don't win all of them. Google Fiber
just won the second round of its fight that would allow it to deploy in
Nashville without having to fight AT&T one telephone pole at a time:

<http://arstechnica.com/tech-policy/2016/09/att-comcast-fail-in-latest-effort-to-stall-google-fiber-in-nashville/>

Kerry Main

Sep 21, 2016, 3:30:04 PM
to comp.os.vms to email gateway
> -----Original Message-----
> From: Info-vax [mailto:info-vax...@rbnsn.com] On Behalf
> Of Stephen Hoffman via Info-vax
> Sent: 21-Sep-16 1:59 PM
> To: info...@rbnsn.com
> Cc: Stephen Hoffman <seao...@hoffmanlabs.invalid>
> Subject: Re: [Info-vax] implementing IPv6 on the internet
>
Well, not if you have been running Multinet.

And now with today's new TCPIP stack announcement, VSI OpenVMS
just made a major jump forward into the current world.

extract from announcement link:
"Some of the major updates include: OpenSSL 1.0.2, SSH (V1 & V2),
DHCP v3, IPv6 (complete application protocols supported), IPSEC
(full support), Bind 9.9, Kerberos 5, and advanced features such
as IPS, paired network interface support, and improved
performance monitoring capabilities."

Stephen Hoffman

Sep 21, 2016, 4:09:34 PM
On 2016-09-21 18:29:24 +0000, Chris said:
>
> Asia is not the whole world...

Whole? No. Though at ~60% of the planet, Asia is most of the population.
North America and Europe combined don't even reach the population of
Africa, either.
Some parts of the world are going to get dragged forward, kicking and
screaming.
IPv6 and UTF-8 and other computing-related changes are part of this
forward-dragging.
End-users can ignore this. Particularly if they have "enough" IPv4
addresses for now.
Vendors — vendors that want to be or to continue to be successful — cannot.

Stephen Hoffman

Sep 21, 2016, 4:16:18 PM
On 2016-09-21 19:24:29 +0000, Kerry Main said:

> Well, not if you have been running Multinet.
>
> And now with today's new TCPIP stack announcement, VSI OpenVMS just
> made a major jump forward into the current world.

Ayup. Migrating from the vendor-licensed and supported IP stack to an
extra-cost third-party IP stack is forward progress, oddly enough.

There are miles more to go, though I'm sure VSI is aware of that.

Hopefully the integrated IP management user interface gets overhauled
and massively simplified from the interface complexity that both TCP/IP
Services and Multinet offered.

johnwa...@yahoo.co.uk

Sep 21, 2016, 4:27:25 PM
> Furthermore I doubt if it even knows about IPv6, most likely it just
> IPv4 aware.
>
> And I very much doubt if consumers will want to pay €360 per year for
> TeamViewer.
>
> >>
> >>>
> >>> Today, that is solved by having the device announcing itself
> >>> to some publicly available server where the user from the
> >>> "outside" can get the IP and port to access the device.
> >>> Like TeamViewer does today.
> >>>
> >>> I guess there will be similar solutions using IPv6 also,
> >>> since that is much easier to use for non-tech people.
> >>> You never see or have to know any IP addresses at all.
> >>
> >> You will not use IP addresses, more likely DNS names.
> >
> > Doesn't make any difference, if you haven't "opened" your
> > router for the traffic a domain name will not get you
> > anywhere.
> >
> >
> >>
> >>>
> >>>
> >>>
> >>>>
> >>>> With IPv4 you have to route a port number on the WAN port of your
> >>>> router to
> >>>> an IPv4 address and port on the LAN. (port forwarding)
> >>>>
> >>>> No real difference.
> >>>
> >>
> >

Consumers (personal/home use) don't currently have to pay
for TeamViewer at all. Except in the sense of having their
accounts and/or machine details leaked when TeamViewer's
servers have a bad security day:
http://www.bbc.co.uk/news/technology-36459015

The bit about home users not paying money may change. The
bit about not really trusting a third party with account
details etc seems likely for the foreseeable future.

David Froble

Sep 21, 2016, 4:38:08 PM
Anything is "simple" if one knows what one is doing ....

Anything can be impossible if one doesn't know what one is doing ....

David Froble

Sep 21, 2016, 4:44:34 PM
Dirk Munk wrote:
> David Froble wrote:
>> Dirk Munk wrote:
>>> Chris wrote:
>>>> On 09/21/16 12:00, Richard Levitte wrote:
>>>>
>>>>>
>>>>> No. NAT was never designed for network security, but
>>>>> can be used as a cheap'n'dirty piece of shit firewall.
>>>>>
>>>>> With IPv6, you'll have to do firewalling for real.
>>>>>
>>>>> Cheers,
>>>>> Richard
>>>>
>>>> Just another opinion and whatever it was originally designed for,
>>>> it's turned out to be quite a sound and cost effective solution
>>>> to the problem.
>>>>
>>>> With IPV6, just what is meant by "firewalling for real" ?...
>>>>
>>>> Regards,
>>>>
>>>> Chris
>>>>
>>>>
>>>
>>> I've explained that already. By default IPv6 access from the internet
>>> is blocked on a CE router.
>>>
>>> If you want to allow access to an IPv6 device on your LAN, you have to
>>> configure on your router access to that IPv6 address *and* to the
>>> appropriate ports.
>>>
>>> With IPv4 you have to route a port number on the WAN port of your
>>> router to an IPv4 address and port on the LAN. (port forwarding)
>>>
>>> No real difference.
>>
>> I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
>> perspective, I have to ask, how many people, organizations, etc; behind
>> an IPv4 NAT router really need the extended address space. Right now, as
>> you state, you can forward any ports to any device on today's NAT
>> routers. So, what's the rush, for this issue anyway, for IPv6?
>
> There are no more IPv4 addresses available on the internet. The internet
> can only expand with IPv6. If you want to connect to such a server, you
> will need IPv6.

You avoid the question. Yes, maybe IPv6 to get to my NAT router. But inside, I
cannot imagine using all the address space available to me. How many cannot say
that?

> You don't want to use dual stack for a long time, so the sooner we can
> say goodbye to IPv4, the better.

Sounds like we're into the chores ....

>> Now, where I do see a problem, and IPv6 will not address it if I
>> understand it correctly, is that if some device can be accessed from
>> outside, and it's not so secure, it's inside your router and can get at
>> the rest of the devices on the internal network.
>
> No, you can't get to the rest of the devices. You can only get to the
> devices that you have enabled on your router. Besides that, there are
> more than 4 billion x 4 billion possible addresses on one subnet.

Bullshit! If someone can get to one device, and somehow from that device get to
other nodes on the in-house network, that is a problem.

You seem to do a good job at avoiding topics that don't fit what you're trying
to push ....

David Froble

unread,
Sep 21, 2016, 4:47:29 PM9/21/16
to
Scott Dorsey wrote:
> David Froble <da...@tsoft-inc.com> wrote:
>> I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
>> perspective, I have to ask, how many people, organizations, etc; behind an IPv4
>> NAT router really need the extended address space. Right now, as you state, you
>> can forward any ports to any device on today's NAT routers. So, what's the
>> rush, for this issue anyway, for IPv6?
>
> If you have a dozen computers in a NATted subnet that want to connect out,
> everything is great. They can all share one address.
>
> The problem is when you have more than one computer that wants to accept
> connections in. Then it all falls apart.

That's if you want to accept connections on the same port with multiple systems.
While I haven't used it, the NAT routers I've got seem to be able to select
the in-house system based upon incoming port number, and even re-direct that to
a specific system and alternate port number.

> Since NAT has become almost universal for home systems in the US, a lot of
> systems now rely on horrible cheesy workarounds to deal with this. It would
> be very good to get out of that situation.

I can agree.

>> Now, where I do see a problem, and IPv6 will not address it if I understand it
>> correctly, is that if some device can be accessed from outside, and it's not so
>> secure, it's inside your router and can get at the rest of the devices on the
>> internal network.
>
> Yes, but this is the case whether you are running IPv6 or IPv4. If it's not
> so secure, don't allow incoming access to it.
> --scott
>

Agree

steve...@verizon.net

unread,
Sep 21, 2016, 4:50:57 PM9/21/16
to
On Tuesday, September 20, 2016 at 5:58:48 PM UTC-4, Dirk Munk wrote:
> Seems to me that is a general problem with Americans, they don't know
> very much about the rest of the world.

That’s not how I see it at all. I see the Americans triggering the third industrial revolution (and the second although we can credit the Brits, if we have to), and quickly advancing it beyond the ability of policy engines to keep up.

Scott Dorsey

unread,
Sep 21, 2016, 4:56:07 PM9/21/16
to
In article <nruji2$366$1...@gioia.aioe.org>, Chris <sys...@gfsys.co.uk> wrote:
>
>Look, I'm not arguing against V6 for its own sake and it
>is obviously needed. But please, enough of the proselytisation,
>assumptions and arm waving about how good it is and what the
>rest of the world is using and their reasons for doing so :-).

Well, it's there, and we have been running dual stack here on most systems
for much of a decade and it's been just fine.

It's not a matter of how good it is, it's a matter of the fact that there are
a lot of people out there who use it, and if you want to connect to
their machines you may well need to use it too.

This isn't 2005 any longer.

Jan-Erik Soderholm

unread,
Sep 21, 2016, 5:06:29 PM9/21/16
to
I guess that you with "get to" imply "log in to and get a command shell".

I guess that Dirk meant more like "reach a web server" or similar.

You are simply talking around each other.

Jan-Erik Soderholm

unread,
Sep 21, 2016, 5:14:24 PM9/21/16
to
On 2016-09-21 at 22:47, David Froble wrote:
> Scott Dorsey wrote:
>> David Froble <da...@tsoft-inc.com> wrote:
>>> I'm not anti-IPv6, just as I'm not anti-quadword. But from a practical
>>> perspective, I have to ask, how many people, organizations, etc; behind
>>> an IPv4 NAT router really need the extended address space. Right now, as
>>> you state, you can forward any ports to any device on today's NAT
>>> routers. So, what's the rush, for this issue anyway, for IPv6?
>>
>> If you have a dozen computers in a NATted subnet that want to connect out,
>> everything is great. They can all share one address.
>>
>> The problem is when you have more than one computer that wants to accept
>> connections in. Then it all falls apart.
>
> That's if you want to accept connections on the same port with multiple
> systems. While I haven't used it, the NAT routers I've got seem to be able
> to select the in-house system based upon incoming port number, and even
> re-direct that to a specific system and alternate port number.
>
>> Since NAT has become almost universal for home systems in the US, a lot of
>> systems now rely on horrible cheesy workarounds to deal with this. It would
>> be very good to get out of that situation.

Some routers can port forward to another port, some always
port forward using the same port number. In the latter case
you have to have alternate ports on some servers if they
have the same service. Like alternates to 80 for web servers.

But all this discussion about servers behind NAT'ed networks
probably is about 1 NAT'ed network out of 10.000. Most users
simply "surf the net" and read their mail and are happy. :-)
And they could not care less about IPv6... :-)
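
The port forwarding and IPv6 filtering behaviour argued over in the posts above, as an added example that is not part of the original thread: a small Python model of a NAT44 forward table beside a default-deny IPv6 filter. The class names, the 192.168.1.x and 2001:db8::/32 documentation addresses and the rule set are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Nat44Router:
    """Hypothetical IPv4 CE router: one WAN address, inbound only via port forwards."""
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)

    def add_forward(self, wan_port, lan_ip, lan_port):
        if wan_port in self.forwards:  # a WAN port can point at only one LAN host
            raise ValueError(f"WAN port {wan_port} is already forwarded")
        self.forwards[wan_port] = (ipaddress.IPv4Address(lan_ip), lan_port)

    def inbound(self, wan_port):
        return self.forwards.get(wan_port)  # None means the packet is dropped

@dataclass
class V6Firewall:
    """Hypothetical IPv6 CE router: global addresses on the LAN, default-deny inbound."""
    prefix: ipaddress.IPv6Network
    allow: set = field(default_factory=set)        # (dst_addr, dst_port)
    established: set = field(default_factory=set)  # (lan, lan_port, remote, remote_port)

    def add_allow(self, dst, port):
        addr = ipaddress.IPv6Address(dst)
        if addr not in self.prefix:
            raise ValueError(f"{addr} is outside {self.prefix}")
        self.allow.add((addr, port))

    def outbound(self, src, sport, dst, dport):
        # Remember the flow so that only its replies are let back in.
        self.established.add((ipaddress.IPv6Address(src), sport,
                              ipaddress.IPv6Address(dst), dport))

    def inbound(self, src, sport, dst, dport):
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if (d, dport, s, sport) in self.established:
            return "accept-reply"
        return "accept-rule" if (d, dport) in self.allow else "drop"

def build_example():
    """Two LAN web servers plus one unexposed camera (all addresses constructed)."""
    nat = Nat44Router()
    nat.add_forward(80, "192.168.1.10", 80)
    try:
        nat.add_forward(80, "192.168.1.11", 80)    # second server, same service
    except ValueError:
        nat.add_forward(8080, "192.168.1.11", 80)  # needs an alternate WAN port
    fw = V6Firewall(ipaddress.IPv6Network("2001:db8:1::/64"))
    fw.add_allow("2001:db8:1::10", 80)
    fw.add_allow("2001:db8:1::11", 80)             # both servers keep port 80
    fw.outbound("2001:db8:1::c", 40000, "2001:db8:ffff::1", 443)  # camera calls out
    return nat, fw

if __name__ == "__main__":
    nat, fw = build_example()
    print(nat.inbound(8080), nat.inbound(554))
    print(fw.inbound("2001:db8:ffff::9", 5000, "2001:db8:1::c", 554))
```

Neither model sees LAN-to-LAN traffic, so a compromised host that was deliberately exposed can still reach its neighbours in both cases, which is the concern raised earlier in the thread.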

Dirk Munk

unread,
Sep 21, 2016, 5:22:21 PM9/21/16
to
Well, that's great, but what has it got to do with knowing about the
rest of the world?

Unfortunately average Americans don't seem to be very well informed
about the rest of the world, at least that is their reputation.

Dirk Munk

unread,
Sep 21, 2016, 5:31:16 PM9/21/16
to
Yes, I know. Unfortunately if you want to be a bit more than just
browsing the internet, you have to understand what you're doing. A nice
example is the scandal with IP cameras. People bought one or more of
these cameras, and had no idea that the cameras were accessible from the
internet. You can guess what happened.

Jan-Erik Soderholm

unread,
Sep 21, 2016, 5:34:40 PM9/21/16
to
On 2016-09-21 at 22:56, Scott Dorsey wrote:
> In article <nruji2$366$1...@gioia.aioe.org>, Chris <sys...@gfsys.co.uk> wrote:
>>
>> Look, I'm not arguing against V6 for its own sake and it
>> is obviously needed. But please, enough of the proselytisation,
>> assumptions and arm waving about how good it is and what the
>> rest of the world is using and their reasons for doing so :-).
>
> Well, it's there, and we have been running dual stack here on most systems
> for much of a decade and it's been just fine.
>
> It's not a matter of how good it is, it's a matter of the fact that there are
> a lot of people out there who use it, and if you want to connect to
> their machines you may well need to use it too.

If *they* want *me* to connect, they'd better use something that
lets me connect to them.

The fact is that Sweden's largest ISP has IPv6 disabled by default
in the routers they send to their customers. And very few of
these customers even have the admin password to the router.

I read about one site that published statistics about the IPv4
and IPv6 traffic to their site. The IPv6 traffic showed a small
increase but close to none of that traffic originated from Sweden.

Users in general just don't have any issues with the current IPv4.
They can access Facebook and are happy with that...

Richard Levitte

unread,
Sep 21, 2016, 5:42:34 PM9/21/16
to
On Wednesday, 21 September 2016 at 23:34:40 UTC+2, Jan-Erik Soderholm wrote:
> On 2016-09-21 at 22:56, Scott Dorsey wrote:
> > In article <nruji2$366$1...@gioia.aioe.org>, Chris <sys...@gfsys.co.uk> wrote:
> >>
> >> Look, I'm not arguing against V6 for its own sake and it
> >> is obviously needed. But please, enough of the proselytisation,
> >> assumptions and arm waving about how good it is and what the
> >> rest of the world is using and their reasons for doing so :-).
> >
> > Well, it's there, and we have been running dual stack here on most systems
> > for much of a decade and it's been just fine.
> >
> > It's not a matter of how good it is, it's a matter of the fact that there are
> > a lot of people out there who use it, and if you want to connect to
> > their machines you may well need to use it too.
>
> If *they* want *me* to connect, they'd better use something that
> lets me connect to them.

That's kind of an arrogant attitude towards those that simply can't get a decent IPv4 address, rather than won't. 'cause that's the argument, right, that there are areas in Asia where IPv4 just isn't?

With regard to IPv4, we are quite privileged here in "the west".

> Users in general just don't have any issues with the current IPv4.
> They can access Facebook and are happy with that...

They'll be just as happy with IPv6, so that's a rather nonsensical argument.

Cheers,
Richard

Dirk Munk

unread,
Sep 21, 2016, 5:43:44 PM9/21/16
to
Everybody, if you use the 10.0.0.0 private address range. But that's not
the point. You seem to assume that you can easily route messages from
IPv6 (WAN) to IPv4 (LAN). That is not the case.

>
>> You don't want to use dual stack for a long time, so the sooner we can
>> say goodbye to IPv4, the better.
>
> Sounds like we're into the chores ....
>
>>> Now, where I do see a problem, and IPv6 will not address it if I
>>> understand it correctly, is that if some device can be accessed from
>>> outside, and it's not so secure, it's inside your router and can get at
>>> the rest of the devices on the internal network.
>>
>> No, you can't get to the rest of the devices. You can only get to the
>> devices that you have enabled on your router. Besides that, there are
>> more than 4 billion x 4 billion possible addresses on one subnet.
>
> Bullshit! If someone can get to one device, and somehow from that
> device get to other nodes on the in-house network, that is a problem.

Like Jan-Erik wrote, I don't mean a system with interactive login. I
mean systems like web servers, a NAS etc. Furthermore, it is no
different with IPv4.

Dirk Munk

unread,
Sep 21, 2016, 5:47:44 PM9/21/16
to
True, and from my own experience I know that people don't even know that
they have IPv6 and are using it.

Dirk Munk

unread,
Sep 21, 2016, 5:56:18 PM9/21/16
to
Jan-Erik Soderholm wrote:
> On 2016-09-21 at 22:56, Scott Dorsey wrote:
>> In article <nruji2$366$1...@gioia.aioe.org>, Chris <sys...@gfsys.co.uk>
>> wrote:
>>>
>>> Look, I'm not arguing against V6 for its own sake and it
>>> is obviously needed. But please, enough of the proselytisation,
>>> assumptions and arm waving about how good it is and what the
>>> rest of the world is using and their reasons for doing so :-).
>>
>> Well, it's there, and we have been running dual stack here on most
>> systems
>> for much of a decade and it's been just fine.
>>
>> It's not a matter of how good it is, it's a matter of the fact that
>> there are
>> a lot of people out there who use it, and if you want to connect to
>> their machines you may well need to use it too.
>
> If *they* want *me* to connect, they'd better use something that
> lets me connect to them.
>
> The fact is that Sweden's largest ISP has IPv6 disabled by default
> in the routers they send to their customers. And very few of
> these customers even have the admin password to the router.

Of course it is disabled, Telia still doesn't have IPv6 enabled on their
network, so there's no need to enable it on their routers. But don't
despair, you will get it.

>
> I read about one site that published statistics about the IPv4
> and IPv6 traffic to their site. The IPv6 traffic showed a small
> increase but close to none of that traffic originated from Sweden.

Of course not, your ISPs were sleeping. But it is improving! Look at
Belgium, 45% of all internet connections have IPv6 enabled.

Chris

unread,
Sep 21, 2016, 6:06:14 PM9/21/16
to
On 09/21/16 21:43, Dirk Munk wrote:

>
> Everybody, if you use the 10.0.0.0 private address range. But that's not
> the point. You seem to assume that you can easily route messages from
> IPv6 (WAN) to IPv4 (LAN). That is not the case.
>

That's just a software engineering problem. If there is the need, the
code will be written to provide a solution. For an incomplete but
adequate for the task solution, the design may not be that complex.

I see the spread of IPV6 as a downward spread from the top, with one
of the last stages being home and sm business routers that do in fact
translate the V6 on the Wan to V4 on the private local net. Any other
way would cause far too much disruption for all concerned. Example:
those who use fixed ip addresses on the local net, not those provided
by the router dhcp. That's just the start of the problems. The whole
idea of any rollout like this is for it to be seamless and disruption
free. Sure, it will come, but not overnight and it will take years to
complete...

Regards,

Chris

Dirk Munk

unread,
Sep 21, 2016, 6:40:09 PM9/21/16
to
Keep on dreaming :-)

It's quite simple. Since Windows Vista IPv6 is the preferred IP stack
for Windows. Mac OS and Linux have IPv6. Every CE router you can buy
today has IPv6, or can get it by means of a firmware upgrade. Dual
stacks or tunnels are standard for these routers. In Belgium 45% of the
internet connections have IPv6.

There is no IPv6 <> IPv4 translating CE router on the market.

Not only that, but it can't work like that. Your PC will do an
nslookup, and will get an IPv4 and IPv6 address in return. If there is
no IPv6 network present on your LAN, the PC will make an IPv4
connection. Your router can only send that traffic to its IPv4
destination. It will never know it can also translate it and send it to
an IPv6 address.

I have been using IPv6 for 7 or 8 years now without a glitch.

So I'm sorry to say this, but your ideas are completely besides the reality.

Robert A. Brooks

unread,
Sep 21, 2016, 7:01:54 PM9/21/16
to
On 9/21/2016 4:16 PM, Stephen Hoffman wrote:
> On 2016-09-21 19:24:29 +0000, Kerry Main said:
>
>> Well, not if you have been running Multinet.
>>
>> And now with today's new TCPIP stack announcement, VSI OpenVMS just
>> made a major jump forward into the current world.
>
> Ayup. Migrating from the vendor-licensed and supported IP stack to
> an extra-cost third-party IP stack is forward progress, oddly
> enough.

I'm not sure how "extra-cost" is relevant here, since it isn't an extra cost
to the customer.

--

-- Rob

Scott Dorsey

unread,
Sep 21, 2016, 7:37:53 PM9/21/16
to
Jan-Erik Soderholm <jan-erik....@telia.com> wrote:
>
>Some routers can port forward to another port, some always
>port forward using the same port number. In the latter case
>you have to have alternate ports on some servers if they
>have the same service. Like alternates to 80 for web servers.

Yes, this is the sort of horrible crap that I was referring to when
I mentioned "cheez-whiz workarounds."

>But all this discussion about servers behind NAT'ed networks
>probably is about 1 NAT'ed network out of 10.000. Most users
>simply "surf the net" and read their mail and are happy. :-)
>And they could not care less about IPv6... :-)

There was a time when a lot of major protocols required external
connections. As NAT has become popular and one-way "internet"
service has become popular, those protocols have generally been
replaced with central-server based systems. (The transformation
of Skype over the years is worth looking at.)

So in fact as this has taken place, fewer users have needed to
provide services from their desktop, but that's bad. For one
thing, it makes for a two-tier internet which kind of defeats
the original idea intended by the founders....

David Froble

unread,
Sep 21, 2016, 8:27:32 PM9/21/16
to
Ok, quiz time. Ask me 10 questions about things you think I should know.

David Froble

unread,
Sep 21, 2016, 8:30:48 PM9/21/16
to
Well, maybe you should not be giving your mistress the high hard one in front of
the camera? Your wife just might see it ....

:-)

It's sort of like, don't pull the pin on a grenade and then just stand there
holding it ....