What’s Good About IPv6? More Addresses.
Anything else? Umm…. *cricket noises*
In Breakroom, WeBreakTech staffers chat about the last couple of weeks in tech. What’s new? What’s broken? What are we working on? What makes us want to hurl things into traffic? Sarcasm, salty language, and strong opinions abound.
Trevor.Pott: So we could discuss the transition to IPv6, which is apparently what I need to do for a client this weekend.
Josh.Folland: F*ck IPv6.
Josh.Folland: I get that it’s a necessary evil and it’s got all kinds of great things, but I like remembering *.*.*.40
Katherine.Gorham: What great things? I thought the foot dragging about the move to IPv6 was because there WEREN’T great things. Just vulnerabilities and administrative headache.
Trevor.Pott: There aren’t. But we have now reached the point where ISPs aren’t handing out IPv4 addresses to people in the North, and other not-major-urban-centers. If you aren’t on IPv6, you’re not going to be able to serve all customers anymore. And that is a big switch that I have only started to see in the past few months.
Katherine.Gorham: Wait… IPv4 doesn’t talk to IPv6?
Trevor.Pott: It does not. IPv4 is 32-bit addressing. It CAN’T talk to IPv6, which is 128-bit addressing. It simply has no way to do so. In order to “transition” to IPv6, you need to get IPv6 from your ISP (or ask SixXS nicely for a tunnel and a subnet), then implement BOTH stacks.
Katherine.Gorham: But most of the world is still IPv4. Surely someone thought up a workaround?
Josh.Folland: …There is not an algorithm to translate it? I never thought they were entirely mutually exclusive.
Trevor.Pott: No, there is no direct, supported workaround. There are totally unsupported ways to do it, but in general it was decreed by the ivory tower gods 20 years ago when IPv6 was created that we wouldn’t NEED a workaround. Dual stack would be the transition mechanism and transition would occur rapidly. *ahem*
Katherine.Gorham: It’s only the internet. It’s not like interconnectivity is the whole basis of it or anything. /sarcasm.
Trevor.Pott: That arrogant lack of foresight on behalf of the IPv6 engineers is the reason it hasn’t been adopted. That, and their blind obsession with the “end to end model”, which means no IPv6 NAT is officially supported in the spec, which has prevented decent and easy-to-use consumer routers, etc. etc.
Josh.Folland: That much I remember, yeah. NAT = good. I don’t want my individual device’s address totally exposed to the harsh waves of the interbutts.
Trevor.Pott: With IPv4, the publicly addressable address space ended at the router. You had to do ALL your defense there, at the router, and this FORCED router manufacturers to create (reasonably) easy-to-use routers for managing IPv4 NAT issues.
This never happened with IPv6. Router manufacturers _at best_ simply set up IPv6 so that clients could grab an IP from the router, but made handling firewall issues nearly impossible, made static IPv6 IP addresses nearly impossible and thus made controlling what can and can’t pass through to client systems behind the router nearly impossible.
This moves the defense layer from the edge (the router) to the individual device, making using IPv6 far more complicated.
Katherine.Gorham: So this IPv6 transition is going to be an enormous headache.
Trevor.Pott: It’s a HUGE headache. On the one side, you have the ivory tower engineers who refuse to accept that protocol design should take ease of use into account. On the other you have vendors who don’t want the burden of trying to make that steaming turd simple.
So the end users suffer, as everyone is trying to place the burden of understanding the intricacies of the new protocol and its entirely new defense model on them, without giving them tools to make defense remotely easy.
Josh.Folland: Do you think it’s just going to be transitioned as-is or are router manufacturers going to have to come up with something similar to NAT for security reasons?
Trevor.Pott: NAT isn’t security. NAT is ease of use. And there already ARE IPv6 NAT implementations, much to the bellyaching of the end-to-end model purists. The thing is, none of them are in consumer routers.
Josh.Folland: I mean NAT is useful for security in so far as you have a central device to put your security shields on to, instead of souping up your laptop, phone and soon-to-be IoT toaster oven. I’m not saying security on the inner devices isn’t necessary.
Trevor.Pott: The transition this weekend will be relatively painless if someone can get me a subnet. Only because I’ve taken the time to study IPv6 by implementing it here. I will be building a Linux router and using ip6tables as my firewall, and basically copying out my firewall rules from here. Those rules took a LONG time to develop.
Katherine.Gorham: Does “End-to-end” mean that the whole internet supposedly goes entirely IPv6 at the same time? Because that was always a fairy tale.
Trevor.Pott: End-to-end means that the IoT toaster has a publicly addressable IP address that the cloud service that controls it can talk to. So, in IPv4 you might have 1 IP address for a whole house. That address belongs to the router. Everything inside the house then has an INTERNAL IPv4 address (the internet cannot address it). By default, nothing from the internet can talk to anything behind that router. You have to forward specific ports to specific IPs in the firewall. That’s NAT.
With IPv6, every device has an external address. So every device on the internet can talk to every other.
Katherine.Gorham: (except the IPv4 ones)
Josh.Folland: For better or worse.
Katherine.Gorham: Exactly. Did you guys see the picture of the hacked IoT fridge? (Warning: if you zoom in on the image it becomes decidedly NSFW.)
Trevor.Pott: You can have your router block all inbound traffic to IPv6 devices behind it, and in this sense it behaves like the IPv4 routers we have come to know and thus you get your security.
Where this all goes sideways is when you want to allow some ports on some devices to be accessible. Let’s say you have a computer with the IPv6 address 2604:8800:100:8333::2. You can tell your router “let 2604:8800:100:8333::2 port 80 through”. That’s simple enough. The problem is that the IPv6 ivory tower types have created the whole system to make giving a computer the static address 2604:8800:100:8333::2 as hard as possible. Everything is supposed to be dynamically configured addresses, etc. Which means everything is supposed to rely on DNS.
You can give a static address, but that then is the address you actually have to publish. With IPv4, I could publish one address (the external facing one) and either have dynamic addresses behind the scenes, or scripts that failed over between nodes with a simple router tweak…all sorts of neat stuff. Do this with IPv6 and you’re breaking the sacred end-to-end model, and religious types will appear out of a portal and shank you. Or, you can do it, but rely on ultra-low-TTL DNS (which not everything honours) to pick up the changes in the external address. Or you can run multiple IPv6 addresses and fade over, with all the additional firewall jiggery-pokery that requires…
Long story short, it’s just more miserable to properly defend IPv6 devices hosting services, while taking maintenance and so forth into account.
Katherine.Gorham: Yeah. Wasn’t there a DNS problem on one of the client sites after a power outage?
Trevor.Pott: A) DNS never works properly and B) routers and firewalls LIKE using layer 2 addresses, not using layer 3 addresses. So consumer or SMB gear that would talk to webserver.youripv6cluster.onprem.com instead of 2604:8800:100:8333::2 is not exactly cheap to obtain or easy to use.
So you have to get really creative with how addresses are handed out, etc. And it usually means choosing which of the ivory tower rules you want to break or bend, because a fully “proper” implementation never works right at a budget mortals can afford.
Oh, and to make matters even more fun, IPv6 is designed so that individual systems grab _more than one IPv6 address_ on a regular basis.
Trevor.Pott: Even if you DO static your server, expect it to grab at least one of the dynamic addresses too.
Katherine.Gorham: …providing more leeway for DNS to screw up?
Trevor.Pott: Bingo! Especially with a Windows infrastructure. You get into all sorts of weirdness around which IPs the clients automatically register with DNS.
So you end up needing a whole separate (usually quasi-manual) DNS infrastructure for the critical servers to use, because suddenly you can’t trust the auto-registration of DNS, but all this stuff is supposed to be automatic, or it isn’t “proper”…oh, and try managing this at scale.
Katherine.Gorham: …manual…DNS…. Get me to the time machine. I have to get back to 2016.
Trevor.Pott: At large scale people just break the spec to make it more manageable. There are a few instances where everything is implemented to spec, but as a general rule critical infrastructure is assigned addresses and DNS using different approaches than they expect client systems to use, because otherwise the critical infrastructure would be unmanageable. Nobody seems to see a conflict with this, which brings me back to “why Trevor hates everyone involved with making IPv6 what it is today”.
I don’t know about anyone else, but I am emphatically not using a 20-year-old network design today. Not only was that network design created by people who never had to worry about money, but it’s just not practical today.
IPv6 was designed on the premise that everyone from ISPs to vendors would implement it exactly as they said it should be implemented, and that systems administrators would do things exactly as they were told, and that networks would be designed in exactly one way and it would stay like that _forever_.
And we haven’t even touched the renumbering issues for WAN handoff between ISPs that won’t give customers BGP control. You know, like the majority of SMB and midmarket connections in the world…
Josh.Folland: …Has there ever been a standard adhered to that perfectly?
Trevor.Pott: Well, it is adhered to in certain academic and large enterprise networks. But even there…”perfectly”? Not so much.
Josh.Folland: I mean, it’s human nature to bend the rules a little bit. Leave it to engineers to leave the human part out of it though.
Katherine.Gorham: Why are we even using a 20-year-old standard? Is that just reflective of how long it takes to agree on any standard? As the pace of technological change speeds up, this kind of thing could become even more of a problem.
Trevor.Pott: Short version: IPv6 was so badly designed it was difficult and expensive to implement so nobody did so. We ran out of IPv4 addresses like two years ago, and Canadian ISPs _still_ don’t hand out IPv6 addresses or subnets for general consumption. It is actually cheaper and easier to start using double NAT on IPv4 than it is to implement IPv6. And yes, that _is_ a lesson to be learned by standards committees…one which, in tech, they are determined _not_ to learn.
Katherine.Gorham: I guess I’m wondering why an IPv6 alternative didn’t develop.
Trevor.Pott: Because the people who designed IPv6 are the ivory tower leaders of tech and they have fought tooth and nail against the creation of an alternative. They believe they’re right. And they’re in charge. The rest of the world will adapt to suit them. That’s all there is to it.
Katherine.Gorham: You’re holding the internet wrong.
Trevor.Pott: I should probably add that for all my bellyaching, there are lots of good things about IPv6.
IPv6 is like Windows 10. Under the hood, it’s a significant improvement over its predecessor. But…
Josh.Folland: Yeah it’s pretty great in theory. But there’s just so many jackasses with their fingers in the cookie jar it can’t really get where I at least want it to be.
Katherine.Gorham: Forgive me for being dense, but where’s the great part?
Josh.Folland: We don’t run out of address space for one (at least not for a loooooong time). And in theory, if it could drive manufacturers to shore up security at EVERY LEVEL that’d be pretty neat.
Trevor.Pott: All of the issues are self-inflicted. They’re issues that occurred because one group of people thought they knew better. They’re issues because one group of people thought it was okay to remove choice from others, and force their viewpoint on others, rather than leave options open and let the market decide. IPv6’s issues aren’t technological, they’re _bureaucratic_.
Do not remove _control_ from businesses and end users. Do not _decrease_ ease of use. And make sure if you introduce something new, that those who build products upon it understand the importance of both things. Like everything in tech, that’s what this boils down to. Control and, above all, _ease of use_.
Ease of use for end customers, I might add. Not for developers. I have no sympathy for the poor, overworked developers having to go to such great lengths as to import a module into their code that gives them all the tools to cope with various flavours of NAT that they’ll ever need.
And that’s the lesson, I think, that should come from this. Make good tech. Just don’t spend all your time dictating how it can and should be used. Let the market decide what to do with it, and let the market use it in new, innovative and exciting ways. That’s how you succeed: make something great and let everyone else make it even better. You don’t succeed by trying to make something great, only to use it to whip the whole world until they comply with your personal vision of how things should run.