Withdrawl of IPv6 Technical Trial

MJN
Pro
Posts: 1,318
Thanks: 160
Fixes: 5
Registered: ‎26-08-2010

Re: Withdrawl of IPv6 Technical Trial

Quote from: nanotm
halo packets  are a special type of ipv6 "hello please authenticate me" packet and have been around for a lot longer than the game

I'm curious. Have you got a link where I can learn more?
I honestly have never heard of them despite being knee deep in IPv6 for a long time now. I am of course learning new things all the time but I'm surprised it's not a term I've even heard in passing.
paulmh5
Plusnet Alumni (retired)
Posts: 170
Registered: ‎11-04-2011

Re: Withdrawl of IPv6 Technical Trial

Quote from: nanotm
the major problems with router firewalls are that not a single one in the consumer price bracket (below £500) and not many below the enterprise level (over £3500) are actually capable of providing any form of security once any forwarding rules are applied, they revert to open NAT routing (allows everything through, which is a major failing of NAT based security)

Far be it from me to continue this conversation, I do agree that you would be better to split this off into a more appropriately named topic (I'll let you pick that as I've no idea) however I still think we are missing the point around firewalling here.
I've been using IPv4 static port translations for years without opening a whole device to the internet.  I have a few ports open and that's all.  This functionality works exactly the same on IPv6 (tested and working).  I think there could be some confusion over the use of large subnets where you have covered the idea of all devices needing to be in DNS for example (just guessing).  ISPs would not list all your home devices, just the /64 or /56 you get allocated.
Quote from: nanotm
as far as creating a connection to a content provider as a consumer, it's actually not currently possible without IPsec implementation and compliance on both consumer and provider locales without using an ipv4 server, as IPsec isn't supported on most consumer connections any content or service provider currently defaults to utilising an ipv4 front end (login/gateway) and 6over4 for the content itself

I'm currently able to access YouTube (for example) over IPv6 and there is no IPsec in use for that.
Quote from: nanotm
the problems then come round to the IPV6 naming convention and the requirement of every part (routers/switches servers etc) of the network (wan or lan) to be listed in the dns table as a full name not truncated as ;;fbxdfg which is where the real implementation problems spring up on an isp level because most of the old (but perfectly serviceable) backbone equipment isn't able to take the full name assignment or answer it when a dns query packet is sent

DNS works the same in IPv6 as in IPv4, it's just a name associated with a number, except now it's a hex number.
 
7    72 ms    30 ms    22 ms  2001:4860:1:1:0:1ad7::
8    22 ms    26 ms    22 ms  2001:4860::1:0:15f
9    22 ms    21 ms    22 ms  2001:4860:0:1::d3
10    22 ms    21 ms    22 ms  lhr08s01-in-x18.1e100.net [2a00:1450:4009:806::1018]

Only one hop here has a DNS reply but it's all working fine.  You can see it's truncated with the double :
Again guessing, but are you talking about routing table size rather than DNS lookups?  That does have the potential to cause problems for older equipment however the current global v6 table is only about 14,000 prefixes so providing peers aggregate routes to large blocks there shouldn't be an issue in the short term.

The rest of your post seems to refer to the Openreach rollout of fibre which I'm not sure is really connected to this thread or forum.  If you have real concerns about this in your area it may be better served in a different place.
Plusnet Staff - Lead Network Design/Delivery Engineer
nanotm
Pro
Posts: 5,756
Thanks: 156
Fixes: 2
Registered: ‎11-02-2013

Re: Withdrawl of IPv6 Technical Trial

to start with the last,
the rollout of fibre is a large part of the problem with readiness for ipv6 adoption, BTOR stopped the upgrade to ipv6 compatible equipment when focus shifted onto getting fibre pushed out (and whilst it might be a bit of a vent it is therefore relevant)
the current size of the global ipv6 table isn't really relevant when you consider there's over a million bits of network equipment in the uk alone and they would all need to be addressable over ipv6 for a rollout to work so that would greatly enhance the size of the table which would of course force the size issues to the fore rather than being a minor background concern, it's not so much that ipv4 and 6 work in a similar way but the relatively minor ways in which they differ, if you attempt to establish a connection to an endpoint in say Australia you're going to take a few moments for the "least congested route" to be returned, on ipv4 where each network cascade is governed by peering points, under ipv6 though this changes to every switch router hub pipe multiplexer etc to be listed and cached sure the peer points will still govern the discovery of the least congested route to the target, but now instead of say 45 peers returning info you can have anything up to a few thousand bits having their address listed along that route.
youtube isn't a good example of an ipv6 content provider as its totally insecure (open access for any viewing) if it was possible to connect directly to a secure content server without over a native ipv6 connection that would disprove the problem.
I could post so many different examples of the instructions on setting up a port forward rule in a router requires SPI to be disabled it's untrue, I could also post various examples where it is detailed just how creating a port forwarding rule in a router sets nat to relaxed
both of which are rather clear indications that using a forwarding rule is not in any way shape or form a secure option
@mjn
in short no, it was from a document sometime between 94 and 98 (because that's when I was "learning things") and was probably earlier rather than later in that time frame remembering back to exactly what I was doing during that time period (which I won't elaborate on)
just because you're paranoid doesn't mean they aren't out to get you
paulmh5
Plusnet Alumni (retired)
Posts: 170
Registered: ‎11-04-2011

Re: Withdrawl of IPv6 Technical Trial

Quote from: nanotm
the rollout of fibre is a large part of the problem with readiness for ipv6 adoption, BTOR stopped the upgrade to ipv6 compatible equipment when focus shifted onto getting fibre pushed out (and whilst it might be a bit of a vent it is therefore relevant)

The OR rollout of fibre isn't as tied to IPv6 as you think.  The traffic that transits the OR fibre equipment in your street cab doesn't really care if its v4 or v6.  I know people running native IPv6 over fibre products and those over ADSL, no problems there.
Quote from: nanotm
the current size of the global ipv6 table isn't really relevant when you consider there's over a million bits of network equipment in the uk alone and they would all need to be addressable over ipv6 for a rollout to work so that would greatly enhance the size of the table which would of course force the size issues to the fore rather than being a minor background concern.....

I'm not sure you are fully up to speed on how routing protocols work here.  Not every device on IPv6 will exist in the global table.  The IPv4 table is around 520,000 prefixes and there are a lot more devices than that on IPv4.  Your 'explanation' of how traffic is routed via IPv6 is incorrect, it works the same as v4 on the whole.  The internet routing protocol BGP does not take path congestion into consideration for v4 or v6.
Quote from: nanotm
youtube isn't a good example of an ipv6 content provider as its totally insecure (open access for any viewing) if it was possible to connect directly to a secure content server without over a native ipv6 connection that would disprove the problem.

I think you really need to explain this 'secure' website/content that you are talking about.  YouTube is available over https which is a form of security, beyond that you have usernames/passwords or 1 time tokens (that I can think of) and they will all work just fine over IPv6.
If you are concerned about accessing content that's filtered by IP on one end, then the access lists will just move from using /32s to using /128s if you have a static assignment on the client device.  If you can provide an explanation of a 'secure' content server it may help, however I feel this may need breaking off into a new topic.
Quote from: nanotm
I could post so many different examples of the instructions on setting up a port forward rule in a router requires SPI to be disabled it's untrue, I could also post various examples where it is detailed just how creating a port forwarding rule in a router sets nat to relaxed
both of which are rather clear indications that using a forwarding rule is not in any way shape or form a secure option

All that is fine, however the only reason you would open a hole in a firewall is if you wanted something to have access inbound.  Trying to keep this on an IPv6 topic, firewall configuration regarding inbound access is going to be broadly the same on IPv6 as v4.  Yes every device has a public address on it, however that doesn't mean they are all accessible when sat behind a firewall.

If you have multiple topics of discussion (which you seem to) I suggest you create new threads relevant to them either in the IPv6 forum or elsewhere if not tied to IPv6.
Plusnet Staff - Lead Network Design/Delivery Engineer
MJN
Pro
Posts: 1,318
Thanks: 160
Fixes: 5
Registered: ‎26-08-2010

Re: Withdrawl of IPv6 Technical Trial

I'd like to echo Paul's comment on this.
Nanotm, given that I am bound by forum rules I will hesitate to write what I really want to as I fear my frustration will make me overstep the line. Suffice to say though; you really do not understand the topic yet believe you do. That is a dangerous combination.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 965
Fixes: 10
Registered: ‎10-04-2007

Re: Withdrawl of IPv6 Technical Trial

It seems to me that the biggest problem with IPv6 implementation is going to be scaremongering and duff information from people who think they know how IPv6 works. The trick for the ordinary user will be identifying those who really know what they are talking about when they have questions/issues.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
MJN
Pro
Posts: 1,318
Thanks: 160
Fixes: 5
Registered: ‎26-08-2010

Re: Withdrawl of IPv6 Technical Trial

You make a very good point.
I think it goes beyond the scaremongering i.e. the inflated 'negative' aspects, but also the inflated 'positive' aspects too. The benefits of IPv6 have been oversold in many respects and so when the realities are discovered there is inevitably an anti-climax which leads to disappointment.
Using the Gartner Hype Cycle we are very much in the 'Trough of Disillusionment' with IPv6 which can be a very difficult place to get out of however we are definitely on the upward slope. Of course, the real problem is that the IPv4 clock is ticking yet there's no scale on the x-axis... (and they are always keen to point out that it is not necessarily linear) so it is difficult to predict how long it is going to take to make progress.
benoh
Grafter
Posts: 272
Thanks: 1
Registered: ‎24-08-2007

Re: Withdrawl of IPv6 Technical Trial

Wow, this thread's got some real FUD in here!
First off, NAT provides no security, it's trivial to bypass a NAT device in the existing v4 world!  Stateful firewalling in IPv6 is A LOT more secure than doing NAT, yes every device has a globally routable address (if you want it to) but the firewall blocks inbound access at the network perimeter.  It's also totally possible to use ULA scoped addresses which aren't globally routable for anything that never needs to hit 'the internet'
BGP for v4 and v6 is exactly the same as far as the global internet is concerned.  As someone else posted, currently around 14k v6 prefixes vs 520k ipv4, there will be less v6 prefixes in the table even when v4 has been turned off, the whole deployment of v6 is based on aggregation and not conservation, it's only possible to announce >/48 into BGP for v6, no home prefix is ever going to end up in the global table, just 1 aggregate /32 or larger from the ISP.  If you're an end site running BGP, then yes, you'll announce a /48, but you'll also be getting this from an RIR as a 'portable address space', any space from your ISP is advertised as just their aggregate.
As for the 'secure' function of IPv6, I'm guessing someone's confused with the inbuilt IPSEC side of things with ipv6, yes, it has ipsec 'mandated' (As per the RFC) which means the whole tcp transport can be secured with ipsec (without using other 'vpn' software) but there has to be key management and distribution and none of this is currently being used.  It's the same as v4 at the moment, if you want to secure traffic then you either tunnel over ipsec or encrypt it with TLS/SSL.
The main advantages of ipv6 isn't just the vastly increased address pool, although it's quite high up there...existing ipv4 address pool isn't even large enough to number the current global population, let alone when everyone has 3-4 devices and the population's increased.
Getting back to the original design spec of the internet, end to end host communications will enable loads of new features in the future, want to check what's in your fridge, turn the heating on from your phone before getting home....this is all simple with v6, poking holes through NATs is not, keeping state anywhere in the network is a bad bad bad idea!
IPv6 is the future, it's here to stay, all the large global providers are using it, all the main content providers deliver traffic over v6, if you've got v6 connectivity, you'll probably find A LOT more traffic goes over v6 than you'd think, our office network is around 70% IPv6 traffic to 'the internet'
Bring on the day we can turn off v4 and finally stop duplicating all the work for dual stacking things, it will be so much nicer!
If you're happy for prices to go up so your ISP can go out and buy a load of CGN boxes (and not deploy v6 - yes, they'll be needed even with v6 but in a much smaller scale) then go ahead, it's your money after all, but personally I'd rather an ISP did what they do best and shift packets, not keep billions and billions of state entries and god only knows how much logging to be able to track anything back to the end user!
Lots and lots of info on IPv6 and BGP configuration for ISPs, how it all works here http://thyme.apnic.net/ftp/isp-workshops/ - currently presenting this in a workshop in Cambodia, feel free to sign up for one of our training courses if you want to know how it all works
Ben
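
The perimeter behaviour described in the replies above (every host has a global address, the stateful firewall still drops unsolicited inbound traffic, and a published port is a pinhole to one /128 rather than "allow everything"), as a small Python model. This is an added example, not code from any poster or router vendor; the class and function names are hypothetical and all addresses are constructed from the documentation and ULA ranges.

```python
import ipaddress
from dataclasses import dataclass, field

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, never globally routed

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class PerimeterFirewall:
    inside: list                                  # prefixes in use on the home LAN
    pinholes: set = field(default_factory=set)    # explicit inbound allows
    flows: set = field(default_factory=set)       # connections opened from inside

    def _is_inside(self, addr):
        return any(addr in net for net in self.inside)

    def allow_inbound(self, host, proto, port):
        # The IPv6 counterpart of a v4 port forward: one /128, one port, no NAT.
        self.pinholes.add((ipaddress.ip_address(host), proto, port))

    def verdict(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self._is_inside(src) and not self._is_inside(dst):      # outbound
            if src in ULA:
                return "drop"                     # modelled: ULA sources stay on site
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return "accept"
        if self._is_inside(dst) and not self._is_inside(src):      # inbound
            if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.flows:
                return "accept"                   # reply to a flow opened from inside
            if (dst, pkt.proto, pkt.dport) in self.pinholes:
                return "accept"                   # explicitly published service
            return "drop"                         # default deny, pinholes or not
        return "drop"                             # not transit traffic for this box

def demo():
    # Constructed addresses: 2001:db8::/32 is the documentation range.
    fw = PerimeterFirewall(inside=[ipaddress.ip_network("2001:db8:1234::/64"),
                                   ipaddress.ip_network("fd12:3456:789a::/64")])
    fw.allow_inbound("2001:db8:1234::20", "tcp", 443)
    laptop, server, remote = "2001:db8:1234::10", "2001:db8:1234::20", "2001:db8:ffff::1"
    return {
        "outbound": fw.verdict(Packet(laptop, 40000, remote, 443)),
        "reply": fw.verdict(Packet(remote, 443, laptop, 40000)),
        "unsolicited_to_laptop": fw.verdict(Packet(remote, 443, laptop, 22)),
        "pinhole_port": fw.verdict(Packet(remote, 51000, server, 443)),
        "pinhole_host_other_port": fw.verdict(Packet(remote, 51000, server, 22)),
        "ula_outbound": fw.verdict(Packet("fd12:3456:789a::5", 40001, remote, 443)),
        "inbound_to_ula": fw.verdict(Packet(remote, 443, "fd12:3456:789a::5", 40001)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

Adding the pinhole for the server's port 443 changes nothing for the laptop or for the server's other ports, which is the property to check on a real router after publishing a service.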
Anonymous
Not applicable

Re: Withdrawl of IPv6 Technical Trial

Thanks 'benoh' for a great reply, and the useful link!

Quote from: jelv
The trick for the ordinary user will be identifying those who really know what they are talking about when they have questions/issues.

I think we just found someone who really knows what they are talking about!

Hopefully sanity will return to this thread now
nanotm
Pro
Posts: 5,756
Thanks: 156
Fixes: 2
Registered: ‎11-02-2013

Re: Withdrawl of IPv6 Technical Trial

good to see teaching policy of teaching what's easy rather than what's correct is still going strong .....makes me wonder why people think it's easier to understand something that's completely wrong and then wonder why it's even harder to dislodge the incorrect concept .....
ipv6 without IPsec relies wholly on running 6 over 4, there isn't any true native ipv6 service, it's all 6 over 4, even when utilising sixes you're still running through an ipv4 tunnel.
the routing system that it uses has always been a problem, making ipv6 into ipv4 (making them work exactly the same) is the reason why IPsec isn't possible, and it will mean ipv6 will actually end up being slower than ipv4 traffic, none of that is scaremongering or incorrect.
seeing as it's not necessary to understand how the ipv6 system of routing and communication is being bastardized to work on legacy equipment or that to create a routing table you will need to add in manual route assignment values for the passive kit (completely ignored on ipv4) on ipv6 routing tables to cover the gaps between peer node ipv6 equipment (we're talking thousands of hours worth of work) where path discovery won't work, if as you suggest routing assignments for new connections don't take into account congestion on the route then monetization trials by a certain French company would have had no effect on internet data, unfortunately however their bgp router was falsely advertising itself as empty (when it was in fact over capacity) and for 24 hours it was impossible to ignore that "bad node" until various carriers and isps adjusted their systems to change it into an ignored (*do not use*) flag,

normally routing tables are created on the fly and change on the fly, to take advantage of the congestion advertising to ensure faster throughput of data, (ipv4) with ipv6 this is still possible but it takes significantly longer to establish a path (far more bits on the network to get returns from) because instead of a single bgp router at each end of a transit network it requires answers from all the interconnected routers (specifically set up as ignored on ipv4 over the years as more junk got added and set to ignore in the routeing tables) when someone incorrectly configures a new piece of kit (doesn't put it in the table with an ignore flag) it can cause huge problems in connectivity, just a few years ago someone in a certain eastern European country caused the internet to freeze with an incorrectly configured router as an example (it took a few days to cause trouble and another few days for the cascade updates to clear it)
ipv6 has the potential to be a lot better than it will end up being (a bigger address pool and nothing much else), without serious investment there won't be any native ipv6 rollout, there will be a lot of 6over4 solutions (which games companies have been using for years anyway)
@benoh
I doubt you would make anyone believe that creating a port forward rule disables all router security, and puts you in the fall back position of user device security software by default, certainly it seems even the company rep doesn't understand this (despite that info being available in the product manual for the router they give out)  most people refuse to believe it any way because the box says it contains a firewall .....

just because you're paranoid doesn't mean they aren't out to get you
MJN
Pro
Posts: 1,318
Thanks: 160
Fixes: 5
Registered: ‎26-08-2010

Re: Withdrawl of IPv6 Technical Trial

Quote from: nanotm
ipv6 without IPsec relies wholly on running 6 over 4, there isn't any true native ipv6 service, it's all 6 over 4, even when utilising sixes you're still running through an ipv4 tunnel.

Complete nonsense. Native IPv6 is, well, native IPv6. There's no IPv4 involved.
Just as per the Plusnet trial - native IPv6 was what we were given with not a hint of IPSec in sight. Native IPv4 was of course provided alongside it but there was no interaction or reliance between the two.
paulmh5
Plusnet Alumni (retired)
Posts: 170
Registered: ‎11-04-2011

Re: Withdrawl of IPv6 Technical Trial

@nanotm
Unfortunately you don't seem to be taking on board what community members or staff are saying when trying to help with the understanding on IPv6.  It's possible there is just a breakdown of communication so in this situation I think the best option would be for you to self-learn some more details around IP and routing as I can't really give you any new information.
Plusnet Staff - Lead Network Design/Delivery Engineer
MJN
Pro
Posts: 1,318
Thanks: 160
Fixes: 5
Registered: ‎26-08-2010

Re: Withdrawl of IPv6 Technical Trial

Do you think there is merit in locking this thread? I don't wish to inhibit the free exchange of thoughts on the subject but it feels like we've driven down a cul-de-sac in an articulated lorry and between us can't seem to reverse back out.
Perhaps if we just abandon it this may force the creation of some new threads that can be specific and focussed rather than this 'catch all' that doesn't seem to be getting anywhere...
I might be being optimistic, if not outright naive, to think we won't get sucked into the same rabbit hole elsewhere but at least we'll have given it a chance.
Maybe I should lead by example and start another thread... just not sure on what subject so if anyone's got any ideas..?
Kelly
Hero
Posts: 5,497
Thanks: 373
Fixes: 9
Registered: ‎04-04-2007

Re: Withdrawl of IPv6 Technical Trial

I've asked the Mods to lock the thread.  Feel free to open new specific threads for learning/questions etc and we'll start a new thread with news once we've got some for you.
Kelly Dorset
Ex-Broadband Service Manager
MJN
Pro
Posts: 1,318
Thanks: 160
Fixes: 5
Registered: ‎26-08-2010

Re: Withdrawl of IPv6 Technical Trial

Thanks Kelly.
(and we'll hold you to the update promise!  ;))