Internet 6.0
Posted on 01/14/2004 12:51:49 PM PST by rdb3
The next version of the Internet Protocol, IPv6, will supply the world with addresses by the trillions. Too bad it will also make the Net slower and less secure.
By Simson Garfinkel
The Net Effect
January 7, 2004
It will be the biggest, the most drastic, and the most comprehensive change to the underlying structure of the Internet in more than 20 years. The deployment of IPv6, the sixth version of the Internet Protocol, will be a massive undertaking that will require the reconfiguration of more than 100 million computers. Not since the adoption of the Internet Protocol itself in January 1983 has there been such a fundamental shift. But when the IPv6 rollout is finally done, not all the effects will be positive: the new Version 6 Internet will be slower, more friendly to peer-to-peer-based copyright violation systems, and the computers on it will almost certainly be less secure.
You might therefore be tempted to dismiss IPv6 as a technological road to nowhere. But if you did that, you would be making a mistake. IPv6 is happening. The code that lets computers talk on an IPv6-enabled network is now built into the current versions of Windows XP, MacOS, Linux, and many forms of Unix. Every router made by Cisco comes ready to run IPv6. So does every Nokia mobile phone. The whole world is getting dressed up for the IPv6 party.
Will we have anywhere to go? Perhaps Japan or China. IPv6 has been very big in Asia. While the networking protocol was being largely ignored by American academia, the Japanese government funded the KAME Project to create a single solid software set of IPv6 and related technologies. KAME involves researchers from Fujitsu, Hitachi, Internet Initiative Japan, NEC, Toshiba, and Yokogawa Electric. KAME software has taken hold in Japan, and large parts of the Japanese Internet backbone are running IPv6. In many ways it looks like the United States is falling behind.
So what is IPv6 anyway, and why does it matter?
To answer that will require a bit of a refresher course on the nature of the Net. The Internet is a huge machine that exists for the purpose of transporting little packages of information called packets. You can think about these packets as tiny digital postcards, each about 500 bytes in length and stamped with the address of its sender and the intended destination. To understand these packets, every computer on the Internet needs to communicate with the same fundamental language. Computer designers call these languages protocols. Today's Internet uses IPv4, the fourth version of the Internet Protocol. (Versions 1 through 3 never made it out of the lab. Neither, for that matter, did Version 5.)
IPv4 is pretty good as protocols go, especially for one that was designed back in the 1970s. But it does have problems, all of them tolerable except for one. Every computer on the Internet needs to have its own Internet address, and IPv4 addresses are just 32 bits in length. The result of this decision, made nearly 30 years ago, is that the Internet simply cannot handle more than 2^32, or 4,294,967,296, devices. The usable number is a lot smaller than that, far closer to 2 billion in fact: large ranges are reserved for multicast, private networks, and experimental use, and the blocks handed out to organizations are rarely filled.
With hundreds of millions of people using the Internet, with Internet addresses being dropped into cell phones to support tiny Web browsers, and with household appliances like refrigerators and washing machines scheduled to get their own Internet addresses within the next few years, it's easy to see why we could soon run out of those 32-bit addresses.
The most important thing that IPv6 does is quadruple the size of the Internet address field, from 32 bits to 128 bits. Because, in principle, any combination of those 128 bits is a valid address, quadrupling the field does not quadruple the number of addresses: it multiplies it by 2^96. For example, whereas IPv4 could never supply enough addresses for every human being on the planet, IPv6 can do that and then some: in fact, IPv6 could provide each of us roughly 60 thousand trillion trillion addresses.
Put another way, the switchover will result in roughly 670 billion addresses for every square micrometer of the Earth's surface. There are so many IPv6 addresses that humanity will never run out of them: never, ever.
Those extra bits help explain why the Asian nations are so interested in IPv6. According to the trade publication DSL Reports, slightly more than 3 billion of the 4 billion 32-bit IPv4 addresses are now allocated to U.S.-operated Internet service providers, while China and South Korea, with a combined population of more than 1.3 billion, have been allocated 38.5 million and 23.6 million respectively. Is it any wonder that these countries aren't happy with IPv4?
But alas, those extra bits don't come for free. Deploying IPv6 means that every application that stores, parses, compares, or displays Internet addresses needs to be changed. Every Web browser on every computer, every copy of Outlook Express, every e-mail server, and every Web server needs to be upgraded to handle the 128-bit addresses. One transition strategy, called dual stack, calls for most computers to have both IPv4 and IPv6 addresses at the same time. The problem with this approach is that there's never a good time to start deploying systems that are only V6: somewhere, somebody is going to have a machine that's V4 only, and it won't be able to communicate with you.
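What "changing every application" means in practice, as an added example that is not from the article: an access-control check written for 32-bit addresses, beside a version that handles both families. The allowlist entries and the peer strings are constructed sample data in the documentation ranges, and the function names are mine. Under dual stack an IPv4 client that arrives over an IPv6 socket is reported as the IPv4-mapped address ::ffff:192.0.2.10, and IPv6 has several spellings for one address, so comparing address strings stops being a correct check.

```python
import ipaddress
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample allowlist, kept the way an IPv4-era application might:
# as literal strings compared byte for byte.
ALLOWED_V4 = {"192.0.2.10", "198.51.100.7"}


def legacy_allowed(peer: str) -> bool:
    """IPv4-era check: exact string match against the allowlist.

    Under dual stack this silently breaks: the same host connecting over
    an IPv6 socket is reported as '::ffff:192.0.2.10', which matches
    nothing, and a genuine IPv6 peer can never be listed at all.
    """
    return peer in ALLOWED_V4


def canonical(peer: str) -> IPAddress:
    """Parse either address family into a comparable object.

    IPv6 has several textual forms for one address (case, zero
    compression, leading zeros), so comparison must be on the parsed
    value. An IPv4-mapped IPv6 address is how a dual-stack socket
    reports an IPv4 client; it is unwrapped so policy written for
    the IPv4 address still applies to that client.
    """
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


# The same allowlist after the upgrade: parsed once, and extended with a
# constructed IPv6 peer from the documentation range.
ALLOWED = {canonical(a) for a in ALLOWED_V4} | {canonical("2001:db8::42")}


def dualstack_allowed(peer: str) -> bool:
    """Family-agnostic check; anything that is not an IP literal is rejected."""
    try:
        return canonical(peer) in ALLOWED
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("192.0.2.10", "::ffff:192.0.2.10", "2001:DB8:0::42", "2001:db8::43"):
        print(f"{p:24} legacy={legacy_allowed(p)!s:5} dualstack={dualstack_allowed(p)}")
```

The unwrapping of IPv4-mapped addresses is a policy decision, not a free lunch: it keeps IPv4 rules working for IPv4 clients, but any check that must distinguish "came in over IPv6" from "came in over IPv4" has to look at the socket family instead of the address text.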
Another obstacle to IPv6 is that the routers that run the Internet's backbone circuits aren't set up to handle the longer addresses. Today, most routers come equipped with special-purpose integrated circuits that can route IPv4 packets very quickly. But because there is no demand for it, those routers don't have similar hardware that can route V6 in hardware: those packets have to be routed in software, which is a slower process. As a result, most experts think that the V4 routers simply couldn't keep up if the Internet's backbone were suddenly switched over to IPv6; the router hardware would have to be upgraded, which would be very expensive. Most corporations would face similar upgrades. At a medium-sized business with perhaps 16 high-speed routers, the cost would easily exceed $1 million.
Yet another problem with IPv6 has to do with all of the impending security problems it will cause. Network aficionados will be quick to point out that IPv6 implementations offer cryptographic security, since the IPv6 specification requires every implementation to support the Internet's IP security (IPsec) standard. Mandatory to implement is not mandatory to use, though: IPsec still has to be configured and keyed exactly as it does on IPv4, and most IPv6 traffic will travel in the clear. Worse, a machine that gets IPv6 turned on by default is reachable over a second path, and a firewall policy written only for IPv4 says nothing about that path. And what IPv6 boosters won't tell you, unless you press them, is that every new IPv6 name server, Web server, Web browser, and so on has new code, and new code is where security problems lurk. Indeed, security problems with new protocol implementations are to be expected. Some issues have already been found with these new IPv6 servers, and more are sure to be discovered.
But what could be the final nail in the coffin of IPv6 is a black magic technology that's made those extra gazillions of IP addresses far less important than they once were. This technology, called Network Address Translation, or NAT, lets dozens or even thousands of computers hide behind a single IP address. NAT is the key technology that's built into most corporate firewalls and practically every home router on the market.
NAT violates one of the fundamental rules of the original Internet. With NAT it is no longer true that every computer on the Internet has its own unique IP address. On today's Internet, most computers use so-called private addresses (the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 ranges that RFC 1918 sets aside for the purpose), hidden behind firewalls. The firewall then rewrites, or translates, the source address and usually the port of each packet as it moves from inside your home network to the great beyond, remembers the mapping, and uses it to translate the replies from the Internet on their way back in.
Because of NAT, most technologists have stopped worrying that the Internet is about to run out of address space. If you have a home network with a home firewall, and in the future practically everybody will, then your toaster, your air conditioner, your furnace, and your refrigerator can all be plugged into it and communicate with their manufacturers, with each device sharing your firewall's IP address.
But for all of its apparent utility, NAT is really the devil. It's a Faustian bargain, a technology that appears to answer all of a network engineer's problems, but ultimately causes long-term troubles that are far more profound than the ones that it purports to solve. In fact, one of the big reasons that the Internet's early technologists wanted to get IPv6 deployed in the 1990s was to prevent the widespread adoption of NAT.
In its simplest incarnation, NAT creates a kind of one-way fence: computers behind the NAT firewall can open up connections to Web servers and mail servers on the Internet, but random attackers on the Net can't reach back through the NAT and break into your unprotected desktops and laptops, because a packet from outside that matches no entry in the translation table has no inside address to go to and is dropped. It has worked so well, in fact, that many organizations use NAT as their primary defense against hackers and worms. NAT has let organizations take the lemon of limited IP addresses and make a lemonade of improved security.
But the apparent security that NAT provides is a mirage. The proliferation of laptops, e-mail attachments, and open wireless networks means that there are many opportunities for hackers and worms to get behind a NAT and launch attacks from the inside. Many organizations have learned the hard way that you cannot achieve secure computing by relying upon perimeter defenses (a topic I discussed in a previous column).
At the same time, NAT's one-way fence makes it harder for peer-to-peer applications to operate, for the same reason it keeps attackers out: a peer on the outside cannot open a connection inward, since it does not know the private address and the NAT has no mapping for it until the inside host sends something out first. That's a problem for file trading programs such as Kazaa, but it's also a problem for Internet telephony and the next generation of multimedia groupware applications. For example, the two-way videoconferencing system that's built into Apple's iChat software works behind some kinds of firewalls but not behind others. The program comes with an elaborate connection doctor program to help users diagnose problems that their firewall might be causing.
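How the translation described above produces the one-way fence, and why that same fence breaks peer-to-peer traffic, as an added example that is not from the article: a simulation of a port-translating home NAT. The addresses are constructed samples from the documentation ranges, and the `Packet` and `Napt` names are mine. The `endpoint_independent` switch stands in for the "some kinds of firewalls but not others" point: a mapping that accepts any outside peer lets a peer-to-peer call come in once the inside host has sent anything out, while a mapping bound to the one peer it was opened to drops it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port"
    dst: str            # "ip:port"
    payload: str = ""


class Napt:
    """Port-translating NAT of the home-router kind (simulation).

    Inside hosts use private addresses. Every outbound packet leaves with
    the router's single public address and a router-chosen port, and the
    router remembers the mapping. Inbound packets are translated only
    through an existing mapping; anything else has nowhere to go and is
    dropped. That table, filled only by outbound traffic, is the whole of
    the 'one-way fence'.
    """

    def __init__(self, public_ip: str, endpoint_independent: bool = False,
                 first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self.next_port = first_port
        # flow key -> public port, and public port -> (inside src, outside dst)
        self.by_flow: Dict[object, int] = {}
        self.table: Dict[int, Tuple[str, str]] = {}

    def _key(self, src: str, dst: str) -> object:
        # Endpoint-independent ("full cone") NAT keys on the inside socket
        # only; the stricter kind keys on the inside socket and the peer.
        return src if self.endpoint_independent else (src, dst)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the public address, creating a mapping."""
        key = self._key(pkt.src, pkt.dst)
        port = self.by_flow.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[key] = port
            self.table[port] = (pkt.src, pkt.dst)
        return Packet(f"{self.public_ip}:{port}", pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet from the Internet, or drop it (None)."""
        ip, port = pkt.dst.rsplit(":", 1)
        if ip != self.public_ip:
            return None
        entry = self.table.get(int(port))
        if entry is None:
            return None                      # unsolicited: no mapping
        inside, opened_to = entry
        if not self.endpoint_independent and pkt.src != opened_to:
            return None                      # mapped, but not to this peer
        return Packet(pkt.src, inside, pkt.payload)


def walkthrough() -> Dict[str, Optional[Packet]]:
    """Constructed traffic: a web fetch, a port scan, and a P2P call-in."""
    strict = Napt("203.0.113.5")
    out = strict.outbound(Packet("10.0.0.7:51000", "198.51.100.80:80", "GET /"))
    results: Dict[str, Optional[Packet]] = {
        "web_request": out,
        "web_reply": strict.inbound(Packet("198.51.100.80:80", out.src, "200 OK")),
        "scan_ssh": strict.inbound(Packet("192.0.2.66:4444", "203.0.113.5:22", "SYN")),
        # A different peer aiming at the mapped port: dropped by the strict NAT.
        "p2p_strict": strict.inbound(Packet("192.0.2.9:6881", out.src, "hello")),
    }
    cone = Napt("203.0.113.5", endpoint_independent=True)
    out2 = cone.outbound(Packet("10.0.0.7:6881", "192.0.2.1:6881", "announce"))
    # The same call-in against a full-cone NAT reaches the inside host.
    results["p2p_cone"] = cone.inbound(Packet("192.0.2.9:6881", out2.src, "hello"))
    return results


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:12} -> {'dropped' if pkt is None else pkt}")
```

Note what the scan result does and does not show: the SYN to port 22 is dropped only because nothing inside has created a mapping, not because any policy was evaluated. A mapping created by a laptop that caught a worm elsewhere, or by a port-forward someone added for a game, is indistinguishable from a legitimate one, which is the sense in which the protection is a side effect rather than a firewall rule.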
These problems go away when every computer on the Internet really does have its own IP address, something that's impossible today with IPv4, but which is the raison d'être for IPv6. In a world with IPv6 and without NAT, every computer in my house has its own unique IP address on the public Internet. That means my desktop can open up a peer-to-peer connection with my desktop at work, but it also means that my daughter can network her machine directly with some teenybopper P2P network in San Jose. Getting everybody's home machine out from behind a NAT box should make possible a lot of interesting applications that are either very difficult or downright impossible today. And in all likelihood, some of those applications will not be popular with the Recording Industry Association of America or the Motion Picture Association of America, both of which have taken the lead against peer-to-peer networks. As soon as they understand what a threat IPv6 is to their police actions, they are likely to start fighting against it.
Given that the full-blown transition to IPv6 hardly seems imminent, technologists are struggling to at least chart some kind of workable path between where we are and the wondrous world of 128-bit addresses. One approach that's been proposed is called Realm Specific Internet Protocol, or RSIP, published as an experimental protocol in RFC 3102 and RFC 3103. Designed as a replacement for NAT, RSIP allows organizations to keep using 32-bit IP addresses and keep their private address space, while eliminating the problem of packets being rewritten or translated: a host leases a public address and port from a gateway and tunnels its packets to it, so nothing on the path has to alter them. The good thing about RSIP is that it doesn't require changing application programs like browsers and e-mail clients; the bad thing is that it still requires making fundamental changes to operating systems.
A more likely path is that some small-but-influential organizations will start to adopt IPv6 internally as a kind of example, and these organizations will then link up and slowly build a new IPv6 landscape. Still, it's hard to see major U.S. Internet service providers spending the money to upgrade their backbones from IPv4 to IPv6 unless the transition is mandated by some big customers or the federal government. The latter is less far-fetched than you might think: the U.S. Department of Commerce recently set up a task force to look at the issue, since it's widely believed that IPv6 will be more secure than IPv4 thanks to its use of IP-level encryption. Of course, that same encryption is available in IPv4 through the IPsec standard.
Asia, Africa, and India will all probably adopt IPv6, but IPv4 will not die in the United States, or even in the federal government. It's simply too easy for U.S. homes, businesses, and government offices to keep using what they have, and let the ISP set up gateways between the IPv4 Internet and the IPv6 Internet. Eventually, these gateways will grow into firewalls, passing some kinds of traffic between the United States and the rest of the world, but blocking other data, for example unauthenticated e-mail that might be spam. The IPv4/IPv6 divide could be similar to the English/metric divide that we face today, and plans to move the U.S. Internet to IPv6 could end up being as successful as plans in the 1970s to change all the speed limit signs to kilometers per hour.
IPv6? Perhaps my seven-year-old daughter will use it when she goes to college, but probably only if she goes to Oxford.
Wanna be Penguified? Just holla!
God, root, what is difference?
Criminal Number 18F
Every computer on the Internet needs to have its own Internet address...
Not strictly true, since many computers connect to the internet through address translation. In fact, the reason we haven't run out of addresses and are still using v4 today is because so many computers live behind firewalls without real-world network addresses. Most computers on corporate intranets don't need real world addresses anyway.
NAT is a *good* thing, not the devil that is to be worked around with IPv6 as suggested by the tone of the article. Having a real-world address does have drawbacks. Does anyone who has a cable modem notice how many scans and attacks there are? I have a home/small office router at home that does address translation, and I have yet to be unable to do something on the internet that I want to do. Game-playing, file sharing, chatting, etc., I've had no problems with NAT. In fact, I recommend that people who want to get cable or DSL buy one of the consumer-grade routers. No cracking attempt has yet succeeded in getting through, and believe me, judging from the honey-pot I left out on my DMZ last year, there are plenty of kids on broadband out there looking for unprotected computers.
And this is a good thing. Aside from the legal uses (downloaded a Linux ISO on BitTorrent lately?), it is the P2P phenomenon that pushed the RIAA into now allowing what the consumer wants in the form of online download services, and in the future will probably push them to a more realistic business model.
but IPv4 will not die in the United States, or even in the federal government.
The federal government mandated IPv6 compatibility a long time ago, giving ample time for old equipment to be replaced with compatible equipment. They'll be ready when it hits.
My Linksys wireless router is sweet, and for a very low cost. I did the same thing and found I was being positively hammered at times, so now everything just sits behind it and I have no problems. It's also locked down tighter than Hillary's butt.
What has been left out is that due to NAT technologies the demand for IP addresses has actually been rather flat as of late. My office has hundreds of workers who all get on the net, send mail, ftp files, ... Because of VPN and NAT my company has less than 20 IPs we need for the outside world (could be shaved a bit lower than that). A more practical solution to any issues is breaking up the Class A ranges and not letting companies like Apple keep so many real addresses.
They just want my 98 second edition to be upgraded. I will hold out until all other avenues are exhausted.
I felt the same way -- until I bought a new computer that already had XP installed. Now that I've had a chance to use it for several months, I vastly prefer it over 98SE, and look forward to upgrading my other computers.
Hell yes I'm keeping NAT even with IPv6. The author can dangle his stuff out into the internet if he wants, I'm keeping mine nice and safe.
I want autonomy over my choice of internal addresses, too. The author is going to end up getting issued new ones from whatever bureaucracy every time he needs to make a change, or moves to a new building.
Once upon a time,
Spain ruled the world. Then Britain.
Looks like the New World
will be run out of Asia.