340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) addresses ought to be enough for anybody
Today’s XKCD got me thinking:
The joke, of course, is about the Great IPv6 Debate. If you’re lucky, you’ve never heard of it. Basically, the debate is being fought by folks over at Slashdot and the other tech news sites. Whenever an IPv6 story comes up, you end up with dozens of comments along the lines of “why is this necessary?” or “this is just excessive” or “it’s too hard!” or “but NAT works” or my favorite – “NAT is my security”.
Well, those are all wrong. Let me try and address some common misconceptions.
- IPv6 has more addresses than anybody will use! Sure, but that’s the point. Aside from simply not running out of addresses any time soon, it’s more about routing. With so many more addresses, you can route much more intelligently than you can nowadays. Give a corporation a flabbergastingly large (but still relatively small) number of addresses and they can address every device in their network in a logical fashion. To avoid fracturing the IP space, they can allow for hundreds of thousands of offices with thousands of floors each with a thousand devices per cubicle. This makes the IP address properly hierarchical, which speeds up routing. At the moment, a single organization can have a wildly fractured address space, with several small blocks of IPs all mapping to the same router. Let each router handle progressively smaller blocks, and you’ll speed up routing.
- I use NAT for security! That works at the moment, but it’s still a bad idea. Outside attackers can’t address individual computers unsolicited, because they wouldn’t have an entry in the mapping table from one inside address/port to one outside address/port. In my younger and more vulnerable years, I relied on this as well – but now I run a proper firewall. Your IPv6-capable router (as well as pretty much any router sold in the last 5 years) should have a stateful firewall that’s on by default, that does the same thing. Computers basically all come with a stateful firewall on by default as well (Win/Linux, though Mac is off by default). Security shouldn’t be an artifact.
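The stateful filter described above, modelled in a few lines as an added example (not code from the post): unsolicited inbound packets are dropped, replies to flows an inside host opened are accepted, and no address translation is involved. The prefix and traffic are constructed from the 2001:db8::/32 documentation range.

```python
"""Minimal model of the stateful firewall the post says gives you the same
protection NAT happens to give, without rewriting addresses. Example code,
not the post's; the prefix and flow tuples are constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv6 address (globally routable, nothing is translated)
    sport: int
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"


class StatefulFilter:
    """Allow outbound from the inside prefix; allow inbound only when it is
    the exact reverse of a flow an inside host already started."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows: set = set()   # (proto, src, sport, dst, dport) of open flows

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.flows.add(key)          # inside host opened a flow: remember it
            return "ACCEPT"
        if reverse in self.flows:        # reply to a flow we remembered
            return "ACCEPT"
        return "DROP"                    # unsolicited inbound, same as with NAT


def demo() -> list:
    """Constructed traffic: an inside host talks out, the reply comes back,
    then two packets nobody inside asked for."""
    fw = StatefulFilter("2001:db8:1::/48")      # constructed home prefix
    inside = "2001:db8:1:10::5"
    server = "2001:db8:ffff::80"
    stranger = "2001:db8:ffff::bad"
    return [
        fw.process(Packet(inside, 50000, server, 443, "tcp")),    # ACCEPT: outbound
        fw.process(Packet(server, 443, inside, 50000, "tcp")),    # ACCEPT: reply
        fw.process(Packet(stranger, 40000, inside, 22, "tcp")),   # DROP: unsolicited
        fw.process(Packet(server, 443, inside, 50001, "tcp")),    # DROP: wrong flow
    ]
```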
- But MIT and Apple have 16 million addresses (a whole /8) each! HP has 2 /8s! Just take some back! Isn’t that excessive? HP has 32 million IPv4 addresses. Estimates are that the IPv4 space is about 14% utilized, even now that it’s basically exhausted. Why not just reclaim some of these? Well, basically it’s a time and effort thing. 26 million addresses were allocated in the last 30 days. Assuming a large enterprise with a /8 block could completely relinquish it and move somewhere else in a month (which is a ridiculous proposition), it still wouldn’t be fast enough. And how long do you keep that up? There are maybe 5 easy(-ier) targets, in the form of single organizations or corporations that both clearly don’t need that much and are under one authority. But once you run through those, you need to start breaking up the more general-purpose blocks – and that’s effectively impossible because thousands of organizations and individuals need to move. And you need to do this substantially faster than every 30 days to matter. Clearly a dead end.
- It’s too much at once! We should be doing (xyz) instead and scrap IPv6! There’s a bunch here. Most of the ones I’ve heard talk about carrier-grade NAT – which is an abomination. Imagine getting a private IP address that you NAT even further at home. NAT already sucks; why add a second layer? It’s just exponentially worse when you can’t do your own port-forwarding, which is already unpleasant. The ISPs might like this because it blocks peer-to-peer, but nobody else should. The entire point of the internet was that any two addresses could communicate, much like the phone system. With some exceptions (like an office PBX), you can call any phone in the world from any other. NAT breaks that, and pushes the Internet towards the TV distribution model – not a good thing for anybody but the “channels”.
- It’s too much at once! We should be doing (xyz) instead to ease into it! You can ease into IPv6. That’s what everybody should’ve been doing for the last several years, running dual-stack to make sure everything worked while there was still the possibility of using the tried-and-true v4, and producing devices like routers that defaulted to IPv6 if available. Then, new IPv6-only sites would work seamlessly for most people, and a v4 address would be less essential. There are already mechanisms for addressing v4 hosts from a v6 site, so it’s mostly seamless for those with only v6. The protocol itself is a clean break from v4, this is true, but there are a number of backwards-compatibility mechanisms. It’s time we used them.
I could appeal to how awesome it would be to never have to port-forward, or always have a public IP, but I think you get it. We’re coming into the crunch – the /8s are allocated to the regional registries, who will quickly allocate those, and even though Comcast will have plenty of time to continue issuing new addresses, it’s going to get steadily more painful. And for what? IPv6 works, and it works now. I’m not just saying that – for the last several years I’ve had a free tunnel through SixXS for my home network, and it’s worked just fine with literally no issues. They’ve allocated me a /48, which, if you’d like to do the math, is 1,208,925,819,614,629,174,706,176 addresses – 2^80, well more than is necessary to hold the entire IPv4 address space. In other words, I could address the entire IPv4 space through my prefix. Sure, I only use about a dozen addresses out of it, but there are just so many bits that it doesn’t matter! They’re all automatically configured because my router announces the prefix and allows the individual computers to pick their own address, which they randomize for security purposes. But the point is, on a network with a Mac, Linux boxes, a TiVo, and several Windows machines (XP+) it just works. Compared to setting up NAT, DHCP, and port-forwarding, it’s like a cool breeze. Nothing to forward, just enable routing and point the subnet at your router. Basically all automatic.
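The /48 arithmetic above and the hierarchical-routing argument from the first bullet, worked through with Python's standard `ipaddress` module as an added example (not the post's code): it checks the 2^80 count and the "IPv4 fits inside" claim, carves the /48 into office /56s and floor /64s, and counts how few routes each tier needs thanks to aggregation. The prefix 2001:db8::/48 is a constructed documentation prefix standing in for the author's real allocation.

```python
"""Subnetting the /48 from the post to show two claims at once: the raw
count (2^80, more than the whole IPv4 space) and the hierarchy that lets
routers announce one aggregate instead of many fragments.
Example code, not from the post; 2001:db8::/48 is a constructed prefix."""
import ipaddress

SITE = ipaddress.ip_network("2001:db8::/48")   # constructed stand-in for the /48


def address_count(net: ipaddress.IPv6Network) -> int:
    """Addresses in a prefix: 2^(128 - prefixlen); 2^80 for a /48."""
    return net.num_addresses


def ipv4_space_fits(net: ipaddress.IPv6Network) -> bool:
    """The post's claim: the prefix could hold every IPv4 address (2^32)."""
    return net.num_addresses >= 2 ** 32


def carve(site: ipaddress.IPv6Network, offices: int, floors: int) -> dict:
    """Hierarchical plan: site /48 -> office /56 -> floor /64.
    A /64 is one LAN, where SLAAC lets each host pick its own 64-bit
    interface id (the randomized addresses the post mentions).
    Returns {office_prefix: [floor_prefixes]}."""
    plan = {}
    for _, office in zip(range(offices), site.subnets(new_prefix=56)):
        plan[office] = [lan for _, lan in zip(range(floors), office.subnets(new_prefix=64))]
    return plan


def routes_needed(plan: dict) -> dict:
    """Longest-prefix matching: the core needs one /48 route for the whole
    site, each office router one /56, and only the office router ever sees
    its own /64s. Counts per tier show why aggregation keeps tables small."""
    return {
        "core": 1,
        "office_routers": len(plan),
        "floor_subnets": sum(len(floors) for floors in plan.values()),
    }


def lan_for_host(plan: dict, host: str):
    """Which floor /64 a host address falls in, or None if it is foreign."""
    addr = ipaddress.ip_address(host)
    for floors in plan.values():
        for lan in floors:
            if addr in lan:
                return lan
    return None
```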
Yes, if your hardware or corporation’s fancy Juniper or Cisco isn’t IPv6 compatible, you need a new one – or at least enable the software-routing mode, though that doesn’t make use of the ASICs. Yes, it sucks. But it sucks much less than running out of addresses, and it sucks much less than any of the other solutions.
Mark your calendar for June 8th – World IPv6 Day. All the cool kids (Facebook, Google, Cisco, Juniper, Akamai, Yahoo, Bing, Rackspace…) will be flipping the switch to flush out any issues. Will you be ready?