OMB: IPv6 by June 2008

I'm glad you brought that up. :slight_smile:

As a follow-up to the two posts that I made earlier about
Congressional hearings and the OMB mandate, let me applaud
Congressman Tom Davis (did I really just say that?!?) for
making a salient point during the hearings yesterday:

  "Asian countries have been aggressive in adopting
   IPv6 technology, because Asia controls only about
   9 percent of the allocated IPv4 addresses and yet
   has more than half of the world's population,"
   Congressman Thomas M. Davis III (R-Va.), chairman
   of the Committee on Government Reform, said at the
   hearings.

   Davis noted that Asian governments have invested
   hundreds of millions of dollars in IPv6 technology,
   which vastly opens up the number of Internet addresses
   over the current IPv4 technology. Among the additional
   advantages of IPv6 are improved security measures and
   additional links for wireless devices.

ref: http://www.techweb.com/wire/networking/164904243

In addition to Davis' point, I think that it bears
remembering that "newer" doesn't mean "better". The Internet
is about end-to-end connectivity, not whether one version of
a particular set of protocols is "newer" than another. It's
all about the connectivity, man. Bear in mind--and as
Congressman Tom Davis mentions in the article above--the
primary reason that Asia (and to a lesser extent Europe)
is primarily interested in IPv6 is that it has a larger
pool of available IP host addresses. Virtually all of
the "newer" functionality that IPv6 offers has been
retro-fitted into IPv4.

Now, back to your regularly scheduled programming.

- ferg

I'm glad you brought that up. :slight_smile:

As a follow-up to the two posts that I made earlier about
Congressional hearings and the OMB mandate, let me applaud
Congressman Tom Davis (did I really just say that?!?) for

please find some ivory soap and wash out your own mouth... :slight_smile:

making a salient point during the hearings yesterday:

...snip...

   over the current IPv4 technology. Among the additional
   advantages of IPv6 are improved security measures and
   additional links for wireless devices.

which 'security measures' are included in ipv6? which additional links for
wireless devices?

This keeps coming up in each discussion about v6, 'what security measures'
is never really defined in any real sense. As near as I can tell its
level of 'security' is no better (and probably worse at the outset, for
the implementations not the protocol itself) than v4. I could be wrong,
but I'm just not seeing any 'inherent security' in v6, and selling it that
way is just a bad plan.

-dazed and confused in ipv4-land.

>
> This keeps coming up in each discussion about v6, 'what security measures'
> is never really defined in any real sense. As near as I can tell its
> level of 'security' is no better (and probably worse at the outset, for
> the implementations not the protocol itself) than v4. I could be wrong,
> but I'm just not seeing any 'inherent security' in v6, and selling it that
> way is just a bad plan.
>

Just name a few:
- Possibility to end-to-end IPSec.

exists in v4

- Not feasible scanning of subnets remotely

eh... maybe, I'm not convinced this matters anyway.

- Privacy enhanced addresses - not tracking usage based on addresses

dhcp can do this for you (v4 has mechanisms for this)

- Better ingress filtering

right... because gear that filters so well in v4-land will filter so much
better in v6-land? you == crazy.

All those objections aside, I'd love to see v6 more fully deployed. I'm
not sure I see how it's going to get beyond 'research' or 'play' land,
except for some small cases, for quite some time. It's interesting that
the flood gates on ip space are opening at IANA though, that should
hasten the v6 takeup/deployment :slight_smile:

Perhaps paraphrasing what Chris just said: At the end of
  the day, it is very difficult to make the case that IPv6
  offers anything that IPv4 doesn't other than a larger
  address space.

  Dave

Christopher L. Morrow wrote:

This keeps coming up in each discussion about v6, 'what security measures'
is never really defined in any real sense. As near as I can tell its
level of 'security' is no better (and probably worse at the outset, for
the implementations not the protocol itself) than v4. I could be wrong,
but I'm just not seeing any 'inherent security' in v6, and selling it that
way is just a bad plan.

Just name a few:
- Possibility to end-to-end IPSec.

exists in v4

- Not feasible scanning of subnets remotely

eh... maybe, I'm not convinced this matters anyway.

If your argument is that it is "too hard" to scan that many addresses, do you really think that in an age of 100Gbps broadband and 100GHz home PCs that will really be the barrier you think it is? Or better put: over the possible lifetime of v6 will that barrier remain real? And the scanner merely has to get lucky once. Or they can have a zombie army of scanners that will be statistically guaranteed to get lucky at least once.

- Privacy enhanced addresses - not tracking usage based on addresses

As if they need to keep 128 bits for the tracking to be accurate.

If everybody gets /64 then I am certain trackers will be quite happy to limit their tracking to that, it will serve them the same purpose.

dhcp can do this for you (v4 has mechanisms for this)

- Better ingress filtering

right... because gear that filters so well in v4-land will filter so much
better in v6-land? you == crazy.

All those objections aside, I'd love to see v6 more fully deployed. I'm
not sure I see how it's going to get beyond 'research' or 'play' land,
except for some small cases, for quite some time. It's interesting that
the flood gates on ip space are opening at IANA though, that should
hasten the v6 takeup/deployment :slight_smile:

IPv6 is a classic "second system". And now we are stuck with it.

>
>>>
>>> This keeps coming up in each discussion about v6, 'what security measures'
>>> is never really defined in any real sense. As near as I can tell its
>>> level of 'security' is no better (and probably worse at the outset, for
>>> the implementations not the protocol itself) than v4. I could be wrong,
>>> but I'm just not seeing any 'inherent security' in v6, and selling it that
>>> way is just a bad plan.
>>>
>>
>> Just name a few:
>> - Possibility to end-to-end IPSec.
>
> exists in v4

Not exactly. Try to set up IPSec nodes behind NAT boxes. IPSec is speaking
about the possibility of e2e security.

this changes how in v6+nat?

>
>> - Not feasible scanning of subnets remotely
>
> eh... maybe, I'm not convinced this matters anyway.
>
>> - Privacy enhanced addresses - not tracking usage based on addresses
>
> dhcp can do this for you (v4 has mechanisms for this)

DHCP does not provide privacy, just address management. Can you
communicate on IPv4 the following way: a different service, a different
source IP address?

yes. look at bitchx, or ssh ... corner cases to be sure, but still
feasible. (or simple example: vhosted webserver) As to dhcp, it can
provide the address privacy you seek, just use very short leases. (yes,
it's messy, but it'd work mostly)

>
>> - Better ingress filtering
>>
>
> right... because gear that filters so well in v4-land will filter so much
> better in v6-land? you == crazy.

No, because your address space is not scattered in IPv6. Try to set up ingress
filtering in IPv4 if you have a network that was set up as several disjoint
/24s and /26s. This is not exceptional in some cases, after mergers, two
sites joined etc. With IPv6 you can re-engineer your network!

that'd be fine if filtering worked reliably... I'd bet that ingress
filtering (or egress filtering) will eventually be as 'easy' in v6 as it
is in v4. I'd say that for now, with the weird multi-homing setup in v6
it's even harder initially...

Anyway you have to wash your mouth.


Have you tried to find out in an IPv4 NAT environment where the virus/worm
flood is coming from? - In most situations it is coming from the NAT box -

actually that's kind of my daily job... it seems to work fine for me so
far.

not because the NAT box was infected, but because nodes behind the NAT were
infected. In most cases the admins of the networks behind NAT boxes are not
knowledgeable enough about where to look in these cases. So IPv6 can improve e2e
accountability, which is part of security.

because it removes the 'requirement' for NAT? or in some other magical
way? If you look/listen to the users of NAT, a large proportion of them
will continue to use NAT in v6 (or have stated they will)... I'm not sure
your above argument is as valid as you'd like it to be :frowning:

>
>
> All those objections aside, I'd love to see v6 more fully deployed. I'm
> not sure I see how it's going to get beyond 'research' or 'play' land,
> except for some small cases, for quite some time. It's interesting that
> the flood gates on ip space are opening at IANA though, that should
> hasten the v6 takeup/deployment :slight_smile:

This will be the fall of MCI....

this and the 11B fraud and the crooked execs and what else? I'm not sure
why v6 will be any more of a fall for mci than any of the previously
mentioned locusts-o-doom.... but predict away, it's fun and we add these
to our office pool :slight_smile:

Thus spake "Joe Maimon" <jmaimon@ttec.com>

Christopher L. Morrow wrote:
>>- Not feasible scanning of subnets remotely
>
> eh... maybe, I'm not convinced this matters anyway.
>
If your argument is that it is "too hard" to scan that many addresses,
do you really think that in an age of 100Gbps broadband and 100GHz
home PCs that will really be the barrier you think it is? Or better
put: over the possible lifetime of v6 will that barrier remain real? And
the scanner merely has to get lucky once.

At 100Gbps, you can send about 2^28 probes per second. To scan a /64 subnet
would take 2^36 seconds -- 2177 years. I'm pretty sure that's not within
IPv6's lifetime.

Or they can have a zombie army of scanners that will be statistically
guaranteed to get lucky at least once.

The bandwidth into that subnet will be the limiting factor, but let's
somehow assume you could get 100Gbps for _each_ attacker. You'd need to
commandeer 2^31 hosts (difficult, but not impossible) connected at 100Gbps
and coordinate them all probing the same subnet without duplication to scan
it within one minute. More than a few hosts per subnet would bring that
number down a bit, but not enough to make it feasible for worms to spread
via scanning.

What this really does is change the detection method. Instead of scanning
randomly, you sit and watch what other IP addresses the local host
communicates with (on- and off-subnet), and attack each of them. How many
degrees of separation are there really between any two unrelated computers
on the Internet? You could probably collect half of all addresses in use
just by infecting Google...

S

Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov
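Stephen's arithmetic above, carried through as an added Python example that is not part of the original thread. It takes the post's own figure of about 2^28 probes per second on a 100 Gbps link as an assumption (the packet size behind that figure is not stated and is not derived here), then computes the time for one prober to exhaust a /64, the number of cooperating probers needed to finish inside a minute, and the expected number of random probes before the first live host is hit when the subnet holds only a handful of addresses. The post rounds its results to powers of two; the block keeps exact quotients, which is why the prober count lands between 2^30 and 2^31. It also goes one step beyond the post by showing the IPv4 side of the same arithmetic (all 2^32 addresses) for contrast.

```python
from fractions import Fraction
import math

# Assumption taken from the post: a 100 Gbps link carries roughly 2**28 probes per second.
PROBES_PER_SECOND_AT_100G = 2 ** 28
SECONDS_PER_YEAR = 365.25 * 86400  # Julian year; close enough for "how many centuries"


def addresses_in_prefix(prefix_len: int, address_bits: int = 128) -> int:
    """Number of addresses covered by a prefix; address_bits=32 gives the IPv4 view."""
    return 2 ** (address_bits - prefix_len)


def seconds_to_exhaust(prefix_len: int = 64, address_bits: int = 128,
                       probes_per_second: int = PROBES_PER_SECOND_AT_100G) -> Fraction:
    """Seconds for one prober to send exactly one probe to every address in the prefix."""
    return Fraction(addresses_in_prefix(prefix_len, address_bits), probes_per_second)


def years(seconds) -> float:
    """Convert a second count (int or Fraction) to years."""
    return float(seconds) / SECONDS_PER_YEAR


def probers_needed(target_seconds: int = 60, prefix_len: int = 64,
                   probes_per_second: int = PROBES_PER_SECOND_AT_100G) -> int:
    """Cooperating probers, each at probes_per_second and with no duplicated work,
    needed to exhaust the prefix within target_seconds."""
    return math.ceil(Fraction(addresses_in_prefix(prefix_len),
                              probes_per_second * target_seconds))


def expected_probes_to_first_hit(live_hosts: int, prefix_len: int = 64) -> Fraction:
    """Expected number of distinct random probes before the first live host is hit.
    Drawing without replacement from N addresses of which k are live, the expected
    position of the first success is (N + 1) / (k + 1)."""
    n = addresses_in_prefix(prefix_len)
    return Fraction(n + 1, live_hosts + 1)


def expected_seconds_to_first_hit(live_hosts: int, prefix_len: int = 64,
                                  probes_per_second: int = PROBES_PER_SECOND_AT_100G) -> Fraction:
    """Expected wall-clock time for a single prober to hit the first live host."""
    return expected_probes_to_first_hit(live_hosts, prefix_len) / probes_per_second


if __name__ == "__main__":
    print(f"all of IPv4 at 2^28 pps: {float(seconds_to_exhaust(0, 32)):.0f} s")
    print(f"one IPv6 /64 at 2^28 pps: 2^{math.log2(seconds_to_exhaust()):.0f} s "
          f"= {years(seconds_to_exhaust()):.0f} years")
    print(f"probers needed to finish a /64 in a minute: {probers_needed(60):,} "
          f"(about 2^{math.log2(probers_needed(60)):.1f})")
    for k in (1, 16, 256):
        print(f"/64 with {k:>3} live hosts: first hit after about "
              f"{years(expected_seconds_to_first_hit(k)):.1f} years on average")
```

The contrast is the point: the whole of IPv4 falls to the same probe rate in 16 seconds, while a single /64 with a few hundred live hosts still takes years on average before the first hit. That is why the thread's later replies move from brute-force enumeration to other ways of learning which addresses are in use (observed traffic, DNS, address leakage), and why a defender should treat the sparse address space as a speed bump rather than a control.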

* jmaimon@ttec.com (Joe Maimon) [Fri 01 Jul 2005, 17:38 CEST]:

>
>>
>>
>>>>>
>>>>> This keeps coming up in each discussion about v6, 'what security measures'
>>>>> is never really defined in any real sense. As near as I can tell its
>>>>> level of 'security' is no better (and probably worse at the outset, for
>>>>> the implementations not the protocol itself) than v4. I could be wrong,
>>>>> but I'm just not seeing any 'inherent security' in v6, and selling it that
>>>>> way is just a bad plan.
>>>>>
>>>>
>>>> Just name a few:
>>>> - Possibility to end-to-end IPSec.
>>>
>>> exists in v4
>>
>> Not exactly. Try to set up IPSec nodes behind NAT boxes. IPSec is speaking
>> about the possibility of e2e security.
>
> this changes how in v6+nat?
>

There is no need for NAT in IPv6. Use NAP (i.e. Network
Architecture Protection) instead.

you are ignoring the reality... people WILL want v6 and nat :frowning: it might be
ugly and distasteful, but the fact remains that people will want and will
require nat.

>>>> - Privacy enhanced addresses - not tracking usage based on addresses
>>>
>>> dhcp can do this for you (v4 has mechanisms for this)
>>
>> DHCP does not provide privacy, just address management. Can you
>> communicate on IPv4 the following way: a different service, a different
>> source IP address?
>>
>
> yes. look at bitchx, or ssh ... corner cases to be sure, but still
> feasible. (or simple example: vhosted webserver) As to dhcp, it can
> provide the address privacy you seek, just use very short leases. (yes,
> it's messy, but it'd work mostly)

Are you speaking about the following?
When I am talking to service x my source address is a1. x sees me as a1.
At the same time, when I am talking to service y my source address is a2. y
sees me as a2.

I am speaking of that yes. with the 2 applications I named above (bitchx
and ssh) you can indeed appear to be 2 different ip address to 2 different
services/destinations...

Can I have more than 1 address with DHCP at the same time?

I believe you could do multiple dhcp addresses for multiple interfaces on
one box. at least with a modernish unix that seems quite feasible.

>>
>> Have you tried to find out in an IPv4 NAT environment where the virus/worm
>> flood is coming from? - In most situations it is coming from the NAT box -
>
> actually that's kind of my daily job... it seems to work fine for me so
> far.

Because you have all the tools and knowledge. But most of the
users/admins do not have these.

perhaps... but tcpdump/snort/<pc-sniffer-of-choice> will make that problem
easy for them as well.

>
>> not because the NAT box was infected, but because nodes behind the NAT were
>> infected. In most cases the admins of the networks behind NAT boxes are not
>> knowledgeable enough about where to look in these cases. So IPv6 can improve e2e
>> accountability, which is part of security.
>>
>
> because it removes the 'requirement' for NAT? or in some other magical
> way? If you look/listen to the users of NAT, a large proportion of them
> will continue to use NAT in v6 (or have stated they will)... I'm not sure
> your above argument is as valid as you'd like it to be :frowning:

Probably they will use NAT for IPv4, because they don't have any other option,
but they will use IPv6 with a proper stateful firewall. The argument that NAT is
providing security is not valid....

the argument is that NAT is required because people want it, regardless
of your engineering argument about how ugly nat and v6 is/will-be :frowning:

Stephen Sprunk wrote:

What this really does is change the detection method. Instead of scanning
randomly, you sit and watch what other IP addresses the local host
communicates with (on- and off-subnet), and attack each of them. How many
degrees of separation are there really between any two unrelated computers
on the Internet? You could probably collect half of all addresses in use
just by infecting Google...

Or just send email with IMG SRC tag pointing to a server you control and harvest the addresses from there?

Pete

Good luck finding an implementation. The v6 designers have recommended
against it due to the sheer *stupidity* of the concept, and as a result, I
know of no extant implementations of NAT on v6 out there.

The whole point of 128 bits of space is to allow, essentially, embedding of
routing metadata into the address with *still* enough address bits left over
for any possible size of subnetwork.

Christopher L. Morrow wrote:

This keeps coming up in each discussion about v6, 'what security measures'
is never really defined in any real sense. As near as I can tell its
level of 'security' is no better (and probably worse at the outset, for
the implementations not the protocol itself) than v4. I could be wrong,
but I'm just not seeing any 'inherent security' in v6, and selling it that
way is just a bad plan.

Just name a few:
- Possibility to end-to-end IPSec.

exists in v4

Is broken by NAT

Not exactly. Try to set up IPSec nodes behind NAT boxes. IPSec is speaking
about the possibility of e2e security.

this changes how in v6+nat?

That is why there is no NAT in IPv6 and God help there will never be NAT in v6.

There is no need for NAT in IPv6. Use NAP (i.e. Network
Architecture Protection) instead.

you are ignoring the reality... people WILL want v6 and nat :frowning: it might be
ugly and distasteful, but the fact remains that people will want and will
require nat.

People will want IPv9 with total government control. Especially in China
and the US.

P2P is broken with NAT. They are 90% of internet users.

With NAT there is no VoIP, no FTP, no DNS, no ...
Just try and put two servers behind NAT - that is, if your server and your
NAT-box support each other.

- Privacy enhanced addresses - not tracking usage based on addresses

dhcp can do this for you (v4 has mechanisms for this)

DHCP does not provide privacy, just address management. Can you
communicate on IPv4 the following way: a different service, a different
source IP address?

yes. look at bitchx, or ssh ... corner cases to be sure, but still
feasible. (or simple example: vhosted webserver) As to dhcp, it can
provide the address privacy you seek, just use very short leases. (yes,
it's messy, but it'd work mostly)

Are you speaking about the following?
When I am talking to service x my source address is a1. x sees me as a1.
At the same time, when I am talking to service y my source address is a2. y
sees me as a2.

I am speaking of that yes. with the 2 applications I named above (bitchx
and ssh) you can indeed appear to be 2 different ip address to 2 different
services/destinations...

Can I have more than 1 address with DHCP at the same time?

I believe you could do multiple dhcp addresses for multiple interfaces on
one box. at least with a modernish unix that seems quite feasible.

Have you tried to find out in an IPv4 NAT environment where the virus/worm
flood is coming from? - In most situations it is coming from the NAT box -

actually that's kind of my daily job... it seems to work fine for me so
far.

Because you have all the tools and knowledge. But most of the
users/admins do not have these.

perhaps... but tcpdump/snort/<pc-sniffer-of-choice> will make that problem
easy for them as well.

not because the NAT box was infected, but because nodes behind the NAT were
infected. In most cases the admins of the networks behind NAT boxes are not
knowledgeable enough about where to look in these cases. So IPv6 can improve e2e
accountability, which is part of security.

because it removes the 'requirement' for NAT? or in some other magical
way? If you look/listen to the users of NAT, a large proportion of them
will continue to use NAT in v6 (or have stated they will)... I'm not sure
your above argument is as valid as you'd like it to be :frowning:

There never was a need for flat tyres or NAT. The only reason for NAT is
a lot of people running out of IPv4 address space.

Whatever security nonsense was told of NAT was just hype to justify NAT
breaking almost every existing or newly invented protocol.

Probably they will use NAT for IPv4, because they don't have any other option,
but they will use IPv6 with a proper stateful firewall. The argument that NAT is
providing security is not valid....

the argument is that NAT is required because people want it, regardless
of your engineering argument about how ugly nat and v6 is/will-be :frowning:

NAT is only good for preventing people from communicating with each other.

The perfect NAT is IPv9 as deployed in china. You dont need IPv6. Stay
with IPv4 and we will map all addresses that are good for you into your
personal IPv4 address space. You dont need to send emails directly to
everybody. We will do that for you. You dont need to be afraid of SPAM.
We will take care of that for you.

What do you need of PC for? Free tv for erybody is good enuf for you!

Have a nice weekend,
Peter and Karin Dambier

The fact that something is neither available nor technically feasible has
never stopped people from wanting it...

this was made as an example and would mean we are stuck here, aren't we?

No, it means that we need to progress in directions that are available and
technically feasible.

I recently went to a car dealer *wanting* to spend $400 on a 2005 car that
got 4,000 miles to the gallon and guaranteed perfect safety in any conceivable
crash. Of course, said car is neither available nor technically feasible.
That didn't stop the salesman and myself from coming to acceptable terms
on a slightly older Toyota Camry for slightly more money, said Camry being
both available and technically feasible...

Good luck finding an implementation. The v6 designers have recommended
against it due to the sheer *stupidity* of the concept, and as a result, I
know of no extant implementations of NAT on v6 out there.

This is no market. Stunningly enough, IPv4 didn't have NAT back in the early 80's either. I'm guessing that as soon as someone trying to get real work done discovers that they have to renumber their network and all the places where IPv6 addresses have become embedded when they change providers that a market for NATv6 will magically appear.

The whole point of 128 bits of space is to allow, essentially, embedding of
routing metadata into the address with *still* enough address bits left over
for any possible size of subnetwork.

The whole point of 128 bits was that it wasn't NSAPs.

Rgds,
-drc

David Conrad wrote:

Good luck finding an implementation. The v6 designers have recommended
against it due to the sheer *stupidity* of the concept, and as a result, I
know of no extant implementations of NAT on v6 out there.

This is no market. Stunningly enough, IPv4 didn't have NAT back in the early 80's either. I'm guessing that as soon as someone trying to get real work done discovers that they have to renumber their network and all the places where IPv6 addresses have become embedded when they change providers that a market for NATv6 will magically appear.

The good thing with IPv6 is autoconfiguration. There is no need to renumber.
With the radvd daemon running your box builds its own ip as soon as you
plug it in.

Configure your radvd to assign only local addresses is like having DHCP
assign only 192.168.xxx.xxx

Your box will not pass a router to the outside. Nobody will see your
box from the outside.

If your box is allowed then give it a global address from the radvd.
Your box does not care about the changed address. It will happily use it.

The whole point of 128 bits of space is to allow, essentially, embedding of
routing metadata into the address with *still* enough address bits left over
for any possible size of subnetwork.

The whole point of 128 bits was that it wasn't NSAPs.

Rgds,
-drc

I have given up writing a new piece of software every now and then to
fix a new protocol broken on my NAT-router.

Things broken because of NAT-routers do run happily via tunnels to
IPv6 tunnel brokers. You can run 64K servers behind that single ip your
NAT-router has in use. Of course it does not make sense. But try to
run two DNS-servers behind a single NAT using IPv4 addresses. You
may as well try two ftp-servers or two whatever you like.

Today we have software that is able to cross NAT-routers. That software
is a security risk because it is breaking the NAT-router just as
are viruses that break firewalls. Not having to care about NAT we
would have lighter software that was able to take care of itself.

Have a nice weekend
Peter and Karin
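The two-prefix arrangement Peter describes (a local-only prefix by default, a global prefix only for boxes that are allowed out), written out as an added radvd.conf example. This is not configuration from the thread or from the radvd project; the interface name and both prefixes are placeholder values. fd00::/8 is the Unique Local Address range defined in RFC 4193, and 2001:db8::/32 is the IPv6 documentation prefix; both are stated as facts, the specific /64s under them are invented.

```conf
# Added example radvd.conf; "eth0" and both /64 prefixes are placeholders.
interface eth0
{
    AdvSendAdvert on;

    # Unique Local Address prefix (fd00::/8, RFC 4193). Hosts autoconfigure
    # an address that is not routed on the public Internet: the IPv6 analogue
    # of handing out only 192.168.x.x. Reachable on-link (and on whatever
    # internal routing you add), nothing more.
    prefix fd12:3456:789a:1::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };

    # Global prefix (2001:db8::/32 is the documentation range; a real
    # deployment uses the provider's allocation). Leave this block commented
    # out to keep the LAN local-only; enable it to give every host on the
    # link a globally reachable address in addition to its ULA.
    # prefix 2001:db8:1234:1::/64
    # {
    #     AdvOnLink on;
    #     AdvAutonomous on;
    # };
};
```

Two things to keep in mind when using this. A global prefix makes every host on the link addressable from the outside, so the stateful firewall that the thread itself calls for belongs in front of that link before the second block is enabled; "nobody will see your box" holds only for the ULA-only case. And swapping the global prefix later is exactly the renumbering event David lists below: hosts pick up the new address on their own, but DNS, filters and anything with the old address embedded in it do not.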

Peter Dambier wrote:

David Conrad wrote:

The good thing with IPv6 is autoconfiguration. There is no need to renumber.
With the radvd daemon running your box builds its own ip as soon as you
plug it in.

If your box is allowed then give it a global address from the radvd.
Your box does not care about the changed address. It will happily use it.

Unfortunately the autoconfiguration did not fix the combined identifier and network address issue both ipv4 and ipv6 have.
If it would have done that, multihoming would not be an issue with ipv6 today. (and probably neither with ipv4)

Pete

The good thing with IPv6 is autoconfiguration. There is no need to renumber.

I wasn't aware that IPv6 auto-configuration:
- updated AAAAs and PTRs for all possible entries DNS associated with the old address, including the glue records maintained by other folks.
- updated filters, firewalls, and security credentials bound to the old address.
- updated router configurations, network management, and monitoring systems.
- updated node locked software licenses (should they exist).
- updated configuration files that include IP addresses.
- provided a mechanism to transfer long running TCP sessions to the new address.
etc.

Of course, if you talk to many large enterprise IT folks about IPv6 stateless auto-configuration, they look at you in horror and ask "why in the world would I want to let simply anyone attach to my network and get a valid address?!?".

Auto-configuration (stateless or stateful) helps in renumbering. It doesn't remove the requirement however. And since there will be the requirement, someone will address it in the obvious (if arguably stupid) way: NATv6.

I have given up writing a new piece of software every now and then to
fix a new protocol broken on my NAT-router.

I'm well aware of the many problems NAT creates, particularly when folks come up with protocols that (perhaps even purposefully) don't recognize the simple fact that NAT exists. However, pretending that IPv6 is a panacea is silly. IPv6 dealt with the address space limitations found in IPv4 (although there are those who believe the way IPv6 is being allocated results in the IPv6 truck trying to drive into the IPv4 swamp yelling "me too! me too!" (paraphrasing and with apologies to Dave Clark)). IPv6 didn't deal with routing scalability or ensuring packets are coming from and/or going to where they should. However, I'm sure something will be hacked together if IPv6 takes off. Necessity is a mother and all that...

Rgds,
-drc