IPv6 Must Be Enabled On All US Government Sites By Sunday

darthcamaro writes "Agencies of the U.S. Federal Government are racing to comply with a September 30th deadline to offer web, email and DNS for all public facing websites over IPv6. While not all government websites will hit the deadline, according to Akamai at least 2,000 of them will. According to at least one expert, the IPv6 mandate is proof that top-down cheerleading for tech innovation works. 'The 2012 IPv6 mandate is not the first (or the last) IPv6 transition mandate from the U.S. government. Four years ago, in 2008, the U.S. government also had an IPv6 mandate in place. That particular mandate, required U.S. Government agencies to have IPv6-ready equipment enabled in their infrastructure.'"

I blame the ISPs

[GeneralTurgidson]

A lot of the government offices will face challenges with IPv6 connectivity to the internet because a very large number of US ISPs are not IPv6 ready. Especially up here in midwest, you mention "are you IPv6 ready?" and your ISP sales rep gives you a blank look and asks what you're talking about. Maybe if the governments push for this at the ISP level we might see it filter down.

Re:

[geddo]

As a consumer you do not need IPv6 unless your provider does not have IPv4 addresses to assign to you, as a service provider or Internet based company (or in this case a government agency) you do need IPv6 so that customers who only have IPv6 connections can reach you. Most business class ISP's I have dealt with are IPv6 dual-stack capable, so this is not an ISP issue. The government is doing what other companies are doing and trying to get this working now before it becomes an issue for the future. Ther

Re:

[kasperd]

As a consumer you do not need IPv6 unless your provider does not have IPv4 addresses to assign to you

You do if you need to communicate with somebody else who does not have an IPv4 address. And since ISPs have been handing out fever IPv4 addresses than the number of devices to be connected for the last 15 years or so, there is actually already a lot of devices, which do not have IPv4 addresses. Unfortunately, most of those don't have IPv6 addresses either.

Re:

[jhoegl]

Routers convert the protocols... like they have been doing since inception.
How do you think IPX/SPX talked with TCP/IP?

Re:

[jhoegl]

My bad... it just encapsulates it.
But then, it has been 15 years.

hybrid dual-stack

[Chirs]

Since all IPv4 addresses have a unique IPv6 representation, an IPv6-only subscriber using a device with a hybrid dual-stack can access an IPv4 address by specifying the applicable IPv6 address. See rfc3493, "Compatibility with IPv4 Nodes".

Re:

[gmack]

That is for application level compatibility and only works if both hosts have valid ipv4 addresses. If only one side has ipv4 the ipv4 only machine will be unable to reply to the ipv6 only machine thanks to it's much larger address format.

Re:

[unixisc]

That feature requires IPv4-mapped addresses, which is something whose support varies based on implementation. It's been more or less abandoned, while organizations have instead been exploring other transition technologies, be it dual stack, dual stack lite, tunnelling, or even LSNAT translations. Other problem here is that IPv4 mapped addresses wouldn't work in cases where that IPv4 address is a local address behind a NAT, which will often be the case,.

Re:

[kasperd]

an IPv6-only subscriber using a device with a hybrid dual-stack can access an IPv4 address by specifying the applicable IPv6 address.

That will not work. The IPv4 only node will need to communicate with some IPv4 address, and there is none to be used for that purpose. If you read the other replies to your post, you will see that they seem to disagree with each other. That is because there are actually two different formats. There is the deprecated ::/96 prefix, and there is the currently used ::ffff:0:0/96 p

Re:

[unixisc]

Also, if one is using a private IPv4 address behind a NAT, how would either an IPv4 compatible address or an IPv4 mapped address represent it? It can't! I mean, if you have ::ffff:192.168.0.5, IPv6 can't suddently make that IPv4 address routable.

Re:

[account_deleted]

Comment removed based on user account deletion

Firewall support for IPv6

[unixisc]

Where exactly do these extra addresses come from? The reason it's becoming critical now is that even w/ NAT, they're running out. And once one introduces 2 or more levels of NAT, a major overhaul would be required of NATing software, since your mapping - currently based on mapping a single layer 3 address to a layer 2 address - will have changed, since one would now have to map a combination of a layer 3 routable address and a layer 3 non-routable address to a layer 2 address. Once that level of work wil

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[unixisc]

It's not a 'bazillion' - it's a mere 4 billion. As a reference, the world's population is 7 billion. But even putting that aside, in terms of just real numbers, the public IP addresses multiplied by private IP addresses - assuming that every single one is NATed, has hit its limits. As for the ones being sat on by companies like HP or IBM, recovering them by ARIN or IANA would be a pain, and only add some 16 million or so addresses, even if HP gave up DEC's entire 16.x.x.x. Also note that those 16 millio

Re:I blame the ISPs

[DarwinSurvivor]

Good point, lets wait for the ISP's to run out of IPv4 addresses and suddenly start mandating that people's homes be IPv6 ready out of the blue. We basically have 3 choices.

1) Wait until residents do need it and suddenly give them IPv6 only because there are no IPv4 addresses left. Phone support will have hour-long waiting periods, computer shops will be overloaded with "I need this upgrade tonight so I can submit my college thesus" support requests and a large percentage of Internet users will be SOL until they get their turn in the support line. There's also a VERY good chance we will simply run out of routers, as an alarminly large percentage of consumer (and some professional) routers STILL don't support it and all those people will need upgrades.

2) Wait until we need it and start NAT'ing everyone's internet connection. This may not affect facebook users, but will be a royal PITA for anyone using remote connections, peer2peer networking, etc. If this happens we may not see IPv6 for another 15 years at LEAST.

3) Roll it out NOW in dual-stack configuration world-wide so everyone can get their computers, routers and other devices working with IPv6. ISP's can send out regular (every 2-4 months) letters to consumers still using IPv4 only to warn them about the upcoming switch and give them enough warning to switch over (like they did with digital tv broadcasting). When we finally do run out of IPv4 addresses at the ISP level (and this is ALREADY happening in some areas such as mobile, etc), the ISP's can just disable IPv4 for new customers and/or those already fully using IPv4 and experience a truly smooth transition.

If the analog-2-digial transition for TV broadcasting has taught us anything, it's that consumers need a LONG time to transition between technologies. Considering the TV transition required nothing more than plugging in 1 box with 3 wires on it and IPv6 is going to require computer/OS and router replacement in many cases, we need to start the IPv6 transition on all ISP's about 2 years ago.

Re:

[QuantumRiff]

My rural ISP has always done this.. Its a royal pain in the ass. My CPE device is 192.168.100.62, on the WAN side. Makes VOIP, hosting your own video game server on a console, bittorrent, and a dozen other things very, very much a pain in the butt. I gave up with an IPSec VPN, and use an SSL one now, but its not the same.. its client based, instead of a hardware one I wanted for my home office.

Ubiquity (a major maker of wireless ISP equipment and backhaul) still doesn't support IPv6 very well at all on t

Re:

[geddo]

Good point, lets wait for the ISP's to run out of IPv4 addresses and suddenly start mandating that people's homes be IPv6 ready out of the blue.

Not my point, just not trying to write a dissertation here. My point is the provider's of web based services need to get on IPv6 dual stack, until a large number of these providers offer their services natively through IPv6 we will have a huge scalability problem with translation. Until that happens consumers do not *need* IPv6. It's a pretty massive investment to replace the consumer footprint especially with consumers not exactly happy to pay a premium, businesses will do it because they are willing to

Dual Stack?

[unixisc]

The other thing ISPs can do is go dual-stack lite, where they set up everything in IPv6, and only provide local IPv4 behind IPv6 addresses to those who simply have to have IPv4 to communicate w/ other IPv4 nodes in the internet. After all, complete dual stack is not a solution if they are running out of IPv4 addresses.

Also, businesses and even consumers who consume a high quantity of IP addresses - which in case of IPv4 may be as low as above 16 - ought to implement IPv6 for such applications. That woul

Most consumers are ready

[unixisc]

From what I understand, let's look @ the OSs that natively include IPv6 support, as opposed to those who don't:

• Windows 7 - check
• OS-X - check
• BSD - check
• Linux - check
• Android - check
• iOS - ???

So all new devices that come out w/ an OS already have iPv6 support. Older devices already have all the IPv4 addresses they need, and more likely than not, they are behind NAT and can just keep issueing local IPv4 addresses. So the analogy w/ analog to digital TV fails somewhat as far as domestic customers go - h

Re:

[Lennie]

"If this happens we may not see IPv6 for another 15 years at LEAST"

I think you don't know how well carrier grade NAT* would scale. Which is: not so much.

* The NAT at the ISP which would a second NAT for most access customers.

Re:

[kasperd]

If this happens we may not see IPv6 for another 15 years at LEAST.

All 221 /8 networks had been handed out by February of last year. If you extrapolate the growth curve, you'll find the usage would have reached 442 in less than 10 years from now. What it is going to happen to the users who would have been in those other 221 blocks? I think a significant portion will get some sort of IPv6 access. Additionally take into account that the first /8 networks which were handed out are less efficiently utilized than

Re:

[kasperd]

Its being deployed as dual stack, and where folks have IPv6 only I understand that the providers have 6to4 translation devices.

You are mixing up terminology. 6to4 is a tunnelling method. It requires both ends of the connection to talk IPv6, but the network between them can be IPv4 only. It works great as long as both ends are using 6to4. Unfortunately we don't have enough IPv4 addresses to deploy IPv6 that way, and 6to4 and native IPv6 don't play well together. The problem is that in order for 6to4 and nati

Re:

[Mathieu Lu]

What kind of challenges will they face? It's not like they're turning off IPv4. Sites will be dual-stack, and many of them have been for quite some time already.

Google/Youtube, Facebook and many other mainstream sites have already enabled IPv6 on June 6th 2012.

PS: Comcast has been enabling IPv6 by default to some of their customers (5% ?). I was in a small US country-side hotel in March 2012, they had really broken NAT, but their IPv6 was working fine. I also have dual-stack native IPv6 at home (Canada, Tek

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[kasperd]

I actually prefer 6to4. It's less efficient, but reverse DNS is guaranteed to work

What good is reverse DNS if you cannot communicate. 6to4 works great when communicating with another 6to4 address. But as soon as you communicate with a native IPv6 address you are relying on two third party relays to handle traffic in both directions. You won't even know whose third party relay you were using at the point where it stops working.

Comcast

[unixisc]

Is Comcast still handing out single /128s to each customer? Or are they now at least giving out links of /64?

Also, anyone knows whether Comcast does full dual stack, or did they go w/ dual stack lite instead? The former wouldn't solve the issue they had w/ an IPv4 address shortage, but the latter would.

Re:

[RazzleDazzle]

The public facing resources of the government agencies need to be IPv6 enabled, not the internal and external workings of the networks within the various organizations. This simply means in most cases, inbound email servers and web servers need to be hosted on machines somewhere in the world that have full IPv6 access, then the respective DNS records need to be in place for said services, which translates to add "AAAA" records. I bet Akamai is loving this mandate because they are a popular choice for govern

Re:

[Lennie]

T-mobile in the US has it enable for their smartphone users.

Re:

[kermidge]

In talking with a tier-2 tech yesterday on unrelated matter, he said so far as he knew TW had IPv6 (and DOCSIS 3) enabled or ready "pretty much everywhere" end-to-end, but it requires new equipment and higher service level at ~$30 more per month. I can't afford it so don't know if it's true or not (although he offered to switch me to customer service to place the order.)

Re:

[spauldo]

AT&T's new DSL requires you to change your router, and the new routers are IPv6 capable (in name, at least. I haven't actually tested it, but I did get an IPv6 address from one when I tried it).

Mobile devices don't last long enough to be a problem, and AT&T offers free phones when you renew your contract.

No idea about Verizon (my Mifi device I use in the truck doesn't get an IPv6 address, but that's the only Verizon service I use) or Comcast.

Also note that just because an ISP offers IPv6 doesn't me

Legacy support

[unixisc]

Most of the home routers can take a firmware update - the ones that can't are probably already behind NAT. As for mobile devices, the more recent ones all support IPv6 - it's the older ones that don't. But given how often people upgrade their phones, chances are likely that they'll have one that supports IPv6. In fact, mobile IPv6 being adapted is likely to sink a huge portion of the demand on IPv4.

Re:

[norpy]

Most consumer embedded devices that were built with ipv4 in mind don't have the memory to handle ipv6 adressing.

In fact last time i checked my router is actually within 10 bytes of using 100% of the eeprom

Re:

[spauldo]

I wouldn't mind one, if it was written right.

All ISPs with more than, say, 1000 customers are required to offer IPv6 services starting in 2016, for instance.

That gives organizations enough time to plan ahead without forcing the customer to do anything. The mom and pop shops who have less than 1000 customers won't be forced into it (by law at least - they'll have to change eventually).

Normally I wouldn't go for such a thing, but many ISPs seem willing to put it off until the crunch, and some hardware provid

Re:

[kasperd]

All ISPs with more than, say, 1000 customers are required to offer IPv6 services starting in 2016, for instance.

2016 is way too late. Should have said 2008.

Ding IPv4, not IPv6

[unixisc]

You got it the other way around. Make it painful for people to haev IPv4 sites, and easy for them to have IPv6. You always tax something that you want to discourage - in this case, IPv4, and incentivize something you want to encourage - IPv6.

Nice to see

[jbolden]

I've been following the federal government on this. It is wonderful to see the government taking the lead and helping to drive a technology. We often talk about complaints with government but they deserve kudos for doing some hard and doing it right.

Re:

[Medievalist]

Given a choice, I'd rather see them stop forcing private citizens to use proprietary formats (like Microsoft Word) instead of organizing large payouts of taxpayer dollars to favored tech companies.

Re:

[jbolden]

Given that Microsoft is an American company I'd say it is doubtful there is going to be a huge USA led shift away from Microsoft. Probably better looking at Europe to lead the way for desktop, there and things didn't go so well with the European initiatives. OTOH Apple and Google are both American companies so you might see iOS/Android being the ticket.

Re:

[DarwinSurvivor]

It's kind of pointless though if they aren't mandating ISP's to at least provide dual-stack support for both protocols. What's the point of government websites being IPv6 if the country is still stuck on IPv4?

Re:

[Anonymous Coward]

It's kind of pointless though if they aren't mandating ISP's to at least provide dual-stack support for both protocols. What's the point of government websites being IPv6 if the country is still stuck on IPv4?

To enable a smooth transition. By making sure that all government websites are IPv6 compatible it will be safe for consumers to make the transition without having to worry that they will be locked out from vital services.
The problem is that unless there are IPv6 only hosts there is no point for consumers to make the transition and without a lot of IPv6 only consumers it makes no sense for hosts to invest in IPv6 servers.
This is pretty much the government taking a step to move society out of a hen-egg deadlo

Re:

[jbolden]

ARIN which is quasi governmental is handling that part of switching over ISPs. But there is a chicken and egg problem some people have to go first.

Public facing only...

[Bugler412]

Recently worked in a govt facility on a project, they are just as far as most everyone else from being ipv6 ready internally, perhaps a lot farther away than many. Additionally, as you might expect, no one is budgeting for the replacement of infrastructure (like 20 year old printers for instance) that need to go to make it happen. Even though they have a mandate to be ready internally in two years. That mandate ain't gonna fly.

Re:

[Dagger2]

There's a difference between IPv6-ready and IPv6-only. Those 20-year-old printers that only work on v4 will continue to work on the v4 part of the dual-stacked internal network; replacing them isn't a requirement for deploying v6. (It is a requirement for removing v4, but that's the long-term goal, not the immediate one.)

This time it really is happenning

[kevmeister]

I work for the NSP for a large number of government research facilities. Our network has had full IPv6 support for several years, but no IPv6 customers (other than ourselves). The prior IPv6 mandate was primarily satisfied by bring up an IPv6 connection with the customer and their pinging our router, then deconfiguring the IPv6. That was really all the mandate required.

This time we are bringing up full IPv6 connectivity with them. It really is happening this time and it mostly seems to be working.

The mandate is also pressing other providers to get IPv6 up and running. Under the mandate, if you have a provider that can't support IPv6 on Oct. 1, you need to change providers. In simple terms, the general public must be able to access your web services and all publicly linked pages as well as DNS via IPv6 if they have IPv6 connectivity to the Internet. (Admittedly, this is a fairly small subset of Internet users.) The federal governments is a rather large customer of several major providers, so this has probably been the biggest cause of several of them getting IPv6 running, though some still don't offer IPv6 to non-governmental customers.

Between the U.S. Government and Comcast, IPv6 seems to really be happening. Traffic is clearly increasing rapidly, though still very tiny compared to IPv4.

Re:

[Lennie]

He meant in comparison to his IPv4 traffic.

If I don't convert, what will you do?

[Compaqt]

That's the question which a lot of overworked federal agency heads might be asking.

I.e., "What's in it for me?"

And, "If we miss the deadline, what will happen." It would be nice if every federal agency just did whatever they were told to do, as if they were merely the organs of one single body. But actually, they are multiple bodies. And if the answer to the question is "nothing", then some wily agency heads will choose to simply ignore the directive.

Re:If I don't convert, what will you do?

[kevmeister]

This is an Office of Management and Budget (OMB) mandate. They can reduce or completely halt funding. It has been made very clear that, while there will be failures and missed dates, they better not be because you were not trying. Oddly, management tends to take the possibility of losing funding very, very seriously.

Re:

[Azghoul]

Yeah right. As if any program in this Federal government was seriously in danger of being defunded. They'd just go whine to a Congressional staffer who will get that nonsense squashed.

cheerleading?

[nurb432]

I don't know if id call forced deadlines as 'cheerleading'.

Most Agencies Have Made "No Progress"

[PineHall]

NIST statistics [nist.gov] show that over half the agencies have made "no progress" in their IPv6 deployment. It is good that the government is doing this, but too many agencies are asleep at the wheel [gcn.com]. It does no good when the agencies will not do what they are required to do.

Re:

[phil_aychio]

If Romney gets elected, he'll just repeal it back to IPv4

Pols & IPv6

[unixisc]

Flamebait indeed! This initiative started long before Obama, during the Bush administration. Not to mention that neither Clinton, Bush, Obama nor Romney have the slightest idea what IPv4 is. And speaking of the GOP, if they knew that IPv6 has 3.4028236692093846346337460743177x10^38 addresses, as opposed to a mere 4,294,967,296 addresses, they'd all be champions of IPv6.

Re:

[kelemvor4]

If Romney gets elected, he'll just repeal it back to IPv4

More likely, he'll switch the internet over to lantastic.

Re:wha?

[Anonymous Coward]

Romney or IPv4?

Re:

[kasperd]

Romney or IPv4?

Both.

Re:

[spauldo]

I agree. It's funny, I didn't have any real issue with McCain (although his idea to shut the government down was a bit out there), and I don't have much problem with Romney based on his time in Massachusetts, but I didn't support either of them primarily because I want a Democrat with the veto stamp. (That, and the Republicans need to be punished for Bush. WMDs my ass.)

I never really cared that much for Obama - I wanted Clinton.

Not that it matters. I'm in Oklahoma, where a non-Republican vote doesn't co

Re:And on Monday, the headline will be

[heypete]

Why would a publicly-facing web server be behind NAT? That doesn't make any sense. NAT offers no security benefits.

Please note that "NAT" != "stateful firewall", though the two functions are often combined in a single piece of hardware.

My home network has been dual-stack for years (with NATed IPv4 and IPv6). All the systems on the network are behind a stateful firewall and even though my internal devices have globally-unique IPv6 addresses none of them are accessible from the outside world.

Re:

[bill_mcgonigle]

Why would a publicly-facing web server be behind NAT? That doesn't make any sense.

When you have more services than public IP's. I have 5 IP's at the office, and run over a dozen services from them. These days, you spin up a VM for each service, for isolation, and NAT the ports where they need to go.

Re:

[unixisc]

If you need the services to run on routable IPs, you have the routable addresses. If you need them to run on non routable IPs, you can use either the link-local or the unique local addresses. Either way, you won't be short.

Re:

[Lennie]

These are websites, you don't use NAT for websites.

The websites are port 80 (http) or port 443 (https). If you have 5 public IP-addresses, then you have 5 ports 80.

What you can do use a HTTP/1.1 virtual hosts or a reverse proxy/loadbalancer so you can choose to redirect requests based on URL or domainname.

To bad some older systems don't support the same for HTTPS (called SNI) so you can have is 5 websites with HTTPS.

Re:And on Monday, the headline will be

[cbhacking]

I can't tell if you're a troll or just spouting off about things you don't understand in the least, but...

It's a hell of a lot easier to find a vulnerable machine behind NAT than it is to find one across a search space 40 bits wide (which is wider than the entire IPv4 search space, and less than a cube root of the search space of IPv6 as a protocol).

NAT is not a security measure. You can (and should) still have a firewall with IPv6; your firewall box just won't also have to perform NAT. That's fine, though; a NAT has a maximum search space of 24 bits (10.0.0.0/8) while IPv6 has enough addresses to assign one to every atom in the solar system, and no, that's no an exaggeration, guess, or line of BS.

Re:

[bytesex]

Your argument is all about the lack of bits in an IPv4 address, not about NAT per se.

Re:

[bytesex]

Besides that, NAT *is* effectively a security measure - it masks your source address. It's like half-tunnel mode.

Re:

[unixisc]

Masking the source address is less of a solution than blocking an entire link from the attacker's nodes.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bytesex]

Yes it is. Because inverse NAT requires you to specify where to send the traffic *to*. I'm a great proponent of IPv6 myself, but this argument of the IETF is bogus. Besides, 'centrally administered firewall' on each machine ? I think I see a flaw in your method.

NAT implies a firewall

[Chirs]

but you can also just implement the firewall without NAT and get the same level of security.

Re:

[Compaqt]

Except that now you know the exact address a reply is coming from, and you can do all sorts of network mapping. Do that and keep that info aside.

Next, the moment you find a vulnerability in the firewall, pull out your premade network map, and go to town.

Re:

[Lennie]

Really ? IPv6 on Windows has privacy extensions enabled by default*, which means it will use a different randomly generated IPv6-address every day when it needs to setup a client-connection. Like for example connecting to a website.

What is there to map ?

* other operatings systems like Linux and Mac also support this, but not all versions have it enabled by default

Re:

[Compaqt]

How do you enable this on the latest Linux kernels? Ubuntu 12.04?

Re:

[kasperd]

but you can also just implement the firewall without NAT and get the same level of security.

I think the firewall without NAT is more secure. Getting rid of NAT means you reduce complexity a lot. Less complexity means less risk of security bugs in the implementation.

Re:

[Compaqt]

I'm as much a fan of IPv6 as the next guy (and disagree with the guy saying just keep on IPv4 forever).

But I hate the IPv6 fundamentalists who won't allow any deviation from the IPv6 dogma.

Come on, just let people have their NATs, why don't you?

Re:

[Lennie]

It isn't that people don't want others to run their networks as they see fit.

The argument you hear a lot is: NAT is more secure then just a firewall.

Which is something a lot of people disagree with, it only adds some obfuscation.

And obfuscation does not make it more secure.

Re:

[kasperd]

Come on, just let people have their NATs, why don't you?

NAT wasn't part of the IPv4 standard. It got implemented anyway. Some standards got written at some point. But vendors can still produce IPv4 NAT solutions however they please and ignore the standards. Nothing stops vendors from producing IPv6 NAT solutions. There aren't any written standards. But in reality IPv6 is better suited for NAT solutions than IPv4 was.

• IPID field was eliminated from the IP header. I am not aware of any IPv4 NAT even trying to

Re:

[Compaqt]

> I think the people who ask for NAT with IPv6 just wants an excuse to not have to work on upgrading their network.

I'm not one of them. And I wasn't saying that I wouldn't want IPv6 without NAT, just that the IPv6 fundamentalists won't allow people to say that NAT has been useful in some circumstances.

I.e., I just want people to advocate for IPv6 without feeling that they have to defend the anti-NAT ideology 100%.

I think I'm in the vast middle of Slashdotters who really want to move to this cool new thin

Re:

[kasperd]

And I wasn't saying that I wouldn't want IPv6 without NAT, just that the IPv6 fundamentalists won't allow people to say that NAT has been useful in some circumstances.

It has been useful. But I think with IPv6 I think there are better solutions in every situation, where you would use NAT66. If a customer came to me asking for NAT66, I would try to reason with them. I don't want customers to deploy an inferior solution due to being uninformed. But if a customer who understands what the options are still want

Re:

[Compaqt]

> I don't think the minor differences in command lines between different operating systems have any influence on the speed at which IPv6 is being deployed.

The clumsiness of IPv6 tools (ping, ssh, scp, and others) and basically the whole ecosystem working together acts as a stumbling block to those admins (and even devs and power users) who just want to get their feet wet. When they get their hands burned (ok, mixed metaphor), they back off because they perceive that you have to become an IPv6 guru (like

Re:

[kasperd]

For you, a DNS server is nothing. You've probably got 20 of them running in your labs.

Only 19. But then again, this is a one man company, and I don't have a big lab. What I really like about working with IPv6 is that whenever I need to add a component to my system, I just assign another IPv6 address to it without even having to think twice, because I know there will be enough IPv6 addresses. 11 of the DNS servers I have running at this time are authoritative DNS servers, which I actually run IPv6 only. On e

Re:

[Compaqt]

Also, I think your's is a pretty moderate response: that you can have NAT on IPv6, but the vendors haven't supported it yet.

By contrast, on /. IPv6'ers usually take the line of "Don't do NAT." That would be like Windows users saying, "How can you do X on Linux", and the response being "Don't do X."

Also, doing SSH to IPv6 hosts named in /etc/hosts has been problematic for me to the extent that I've just forgone my initial attempts at local IPv6. scp even works differently than ssh in this regard. In one or t

Re:

[Azghoul]

The headline should be "there's well over 2,000 Federal government agencies and we can't find any worth closing".

Re:Too Complicated

[kasperd]

IPv6 is too complex, which is what has hampered its slow adoption from the beginning.

IPv6 is simpler than IPv4.

Instead of simple address space extension, the brains behind it decided to add all sorts of fun features to it that just aren't necessary, thus leading to people not wanting to put the effort in to figure it out.

That's just a lame excuse. There are some new features, but those are mainly important to the endpoints. For routers in between, the job they need to do became simpler. And it is the network, which has been lacking, not the endpoints. The excuse that it is too complicated has mainly been used by those who didn't need to deal with the complexity.

Since those features have died off, it's getting less terrible, but now it's a moving target.

Name one change that affected a network provider, who just has to move packets between two endpoints.

KISS would have gotten us to IPv6 5 years ago.

No. There were only two approaches that could have speeded it up. Top down regulation or customer demand. But both of those were in the hands of people who won't understand the problem until they can no longer get online. Actually, there is one other thing that could have speeded it up. If we had never gotten any sort of NAT for IPv4 in the first place, then the transition would have gone faster.

Re:

[j2.718ff]

IPv6 is too complex, which is what has hampered its slow adoption from the beginning.

IPv6 is simpler than IPv4.

True, but dual stack is more complex than either.
I don't see flipping a switch and transitioning from IPv4 to IPv6. Instead, I see living with a dual-stack environment for a while. It will not be pretty.

Re:

[unixisc]

Dual stack will only be around as long as IPv4 is. Once IPv4 runs out of addresses, the need for dual stack will be gone.

Re:

[kasperd]

Once IPv4 runs out of addresses, the need for dual stack will be gone.

In the ideal world, that would be true. In the real world, IPv4 addresses have run out in some parts of the world already. And yet more than 95% of the Internet is still IPv4 only.

Re:

[kasperd]

True, but dual stack is more complex than either.

True. But dual stack would have been the simplest way to transition from IPv4 to IPv6, as long as it was done before IPv4 addresses ran out, and all sorts of workarounds got in the way. The fact that dual stack is more complicated than running just one protocol by itself is of course a contributing factor to people hesitating with deploying IPv6. But you cannot blame that on the design of the IPv6 protocol. Nobody have provided a serious suggestion for a bett

Re:

[allo]

nope.
The address-space expansion is the only problematic part. if you want to support more addressspace, you need to go incompatible.
the other stuff would not break compatibility, and was added, so there is more reason to migrate than just "we need more addresses", because with only "we need more addresses", you cannot motivate the people who still have enough addresses to migrate as well.

Re:

[kasperd]

That joke was funny April 1st of last year. http://packetlife.net/blog/2011/apr/1/alternative-ipv6-works/ [packetlife.net]

Major transition was unavoidable

[unixisc]

Problem was that even if they had increased the address to 33 bits, it would still have expanded the address space to 8 billion, would not have gotten rid of NAT, and therefore, would not have solved the problem that the internet was having. Also, the amount of effort needed would have still been the same - all routers & gateways in the world would have had to support it, all applications using layer 3 APIs would have needed to get upgraded, and so on. Which is why expanding it all the way to 128 bits

Re:

[Lennie]

IPv6 isn't too complex, it's just different from IPv4 and that is what you are used to.

actually it's ::ffff:192168.0.1

[Chirs]

The one you quote is deprecated.

Re:

[camperdave]

The one you quote is deprecated.

... and that is why IPv6 isn't being rolled out. We haven't even gotten started, and already parts are deprecated. IPv6 is in too much of a state of flux. Is what I've learned and am learning about IPv6 even valid anymore? How can I roll out a solution if I can't know that it is the Right Way (TM) to do things? There needs to be a feature freeze so that the folks who build end user equipment can implement IPv6.

Re:

[spauldo]

It's the same with IPv4, really. Stuff gets updated all the time.

Maybe not IP and TCP anymore, but there have been lots of changed to the basic protocols in recent years.

That particular change doesn't affect you anyway unless you're a programmer. The IPv4 in IPv6 address space was only meant for applications to use internally (so you could use the same data type for IPv4 and IPv6 addresses). Those addresses aren't valid over the wire.

Re:

[unixisc]

Having a mixed notation - like 2001:456:789:2::192.168.0.1 makes it hell for software developers who'd have to support 2 notations for this, and in the end make such code bulky & unwieldy, thereby blowing up the costs of IPv6 gear. It's good that that notation was deprecated.

Note that IPv4 mapped addresses are not deprecated - IPv4 compatible addresses are (even though the local network address and the loopback address fall within the same range) However, support for IPv4 mapped addresses is not un

Re:

[Jeremi]

Having a mixed notation - like 2001:456:789:2::192.168.0.1 makes it hell for software developers who'd have to support 2 notations for this, and in the end make such code bulky & unwieldy, thereby blowing up the costs of IPv6 gear. It's good that that notation was deprecated.

Huh? No, it doesn't make any difference to developers how complex the string notation is, because any developer who isn't clueless or insane just calls the standard conversion functions (inet_ntop() and inet_pton()) anyway, rather than rolling his own string parsing and generation functions.

The guy who has to implement and maintain those two functions might have some extra work to do, but I have faith that he can handle it.

Re:

[unixisc]

It's not about the programmers - it's about the software becoming more complicated and eating up more memory. And that doesn't even factor in human errors. As it is, people are complaining about going hex, and if you have a mixed notation that is part IPv6, part IPv4, that only helps confound things even more.

In short, it's good that this stuff got deprecated, and a major mess got averted that way. inet_ntop() and inet_pton() notwithstanding. The guy who manages them can instead write IPAM software th

Re:

[camperdave]

Yes, America! Send a message to Washington and the big parties. Don't vote for either Obama or Romney. Vote for Virgil.

Re:

[unixisc]

I agree w/ this. Also, Going IPv6 only for a business could mean forcing employees to use only the essential intranet services they need, and only going to websites that have an IPv6 presense, and dealing only w/ those organizations that do. The US government is one of the few organizations big enough to do this.

Re:

[Lennie]

You are kidding right ? They are just dropping ping-requests.

It would be incredibly stupid if they added the AAAA-record and you couldn't connect to it. Older browsers would need to wait half a minute to try the address from the A-record.

It really does work:

$ telnet whitehouse.gov http
Trying 2001:218:2007:2:8800::fc4...
Connected to whitehouse.gov.
Escape character is '^]'.

Re:

[kasperd]

They are just dropping ping-requests.

Which will make the server inaccessible to anybody using Teredo. And that is not the only system doing something like that. I have a system which will ping the site through two different tunnels to use the most reliable path to the server.

It would be incredibly stupid if they added the AAAA-record and you couldn't connect to it.

I know of an ISP who did that for their homepage. When I questioned them about it, they said it was a deliberate choice.

But in this case of wh

Re:

[kasperd]

I am connecting from Europe. Some routing issues, perhaps?

A routing issue is a possibility. But I am connecting from Europe as well, and it works for me.

Through HE tunnel server in Frankfurt:

traceroute to 2600:1406:12:1:8700::fc4 (2600:1406:12:1:8700::fc4), 30 hops max, 80 byte packets
1 2a01:d0:839a:babe:d19e:266e:d66c:545c 4.919 ms 0.154 ms 0.172 ms
2 2001:470:1f0a:1e45::1 45.807 ms 49.123 ms 54.393 ms
3 2001:470:0:69::1 60.570 ms 39.561 ms 41.584 ms
4 2001:470:0:21b::2 48.480 ms 48.813 ms 48.700 ms
5