Re: No, SMTP is IPv4, Was: SMTP and IPv6

I agree with Ed.

IMNSHO, the "not enough addresses" problem with IPv4 was not due to having too few addresses. Rather, it was due to misallocation. When Hewlett-Packard's 100,000 employees had more IPv4 addresses than all of Brazil (HP owned Net15 and Net16), you know there was an allocation problem. (Today, HP gave up their two /8 ranges for a bunch of /18 - /24  subnets that might be still more than Brazil.)

Every big corporation I've seen uses the same choke-point configuration:
  - All outbound traffic goes through a very small number of IPv4 addresses for egress filtering and incoming firewall protection.
  - Every internal-only computer uses globally routable IPv4 addresses.

They *should* be using NAT!
A single /22 should be enough for any big company that isn't a cloud provider. They should use Net10 or other private network ranges (RFC1819) for all internal-only addresses and use NAT for the outbound conversion.
  - The outbound traffic still goes through a very small number of IPv4 addresses for firewall/filtering.
  - Now a misconfigured system can't accidentally be routed over the internet.
  - And they free up a ton of IPv4 addresses.

The way IPv6 is being allocated? Having "more addresses than IPv4" doesn't prevent the same misallocation problem. It just extends the time before we exhaust IPv6.


The biggest problems I've seen that prevent IPv6 adoption:

  - Complexity: IPv6 is more complicated than IPv4. If you go in with the "IPv6 is like IPv4" mentality, then the complexity will overwhelm you. I've seen way too many admins stick with IPv4 because IPv6 was too complicated.

  - Startup time: With IPv4, you get your address, router, and subnet, and you're online. With IPv6, you still have to wait for neighbor discovery to complete. You might think everything is configured correctly but see that it isn't working for the first few seconds (or minutes). When IPv6 isn't ready when you're ready, you assume it isn't working and fall back to IPv4 which is immediately on.

  - Firewalls: That whole configuration issue, where corporations have everything route through a single egress filter/firewall service? IPv6 wants direct access and doesn't support NAT. (Is there such a thing as NATv6? Does anyone use it?) This means that IPv6 has the potential of creating a security nightmare by giving internal-only systems bidirectional access to the internet.  Even for a residential service, my home IoT devices should never have their own direct connection to the internet. Without the correct configuration, IPv6 is much worse than UPnP.

  - Speed: (This is the easiest problem to solve since it's just a perception issue.) People think "IPv6 is bigger than IPv4 so it must be slower." Nope, IPv6 is faster because the packets are saner to parse. The next hard part is convincing them to increase the MTU for better throughput. ("But everyone uses 1500!" Nope, try 9000 for jumbo packets.)

  - Hardware: "Our hardware doesn't support IPv6." Sadly, some new hardware today STILL doesn't support IPv6. It should. Dual-stack (IPv4 and IPv6) should be the norm, not the exception. If the hardware doesn't support IPv6, then it needs to be replaced. (The easiest counter-argument: look up all of the vulnerabilities in their old hardware and convince them that replacing it fixes these issues.)

There are likely other reasons that IPv6 still isn't more widely adopted. But in my experience, these are the big excuses I keep running into.

					-Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
https://hackerfactor.com/


On Tue, Jul 02, 2024 at 06:28:26AM +0000, Vasilenko Eduard wrote:
> Just 1 problem: some ISPs are giving a /56 to users. And an even bigger problem: 37% of ISPs replace the /56 on every subscriber reconnect.
> One ends up filtering IPv6 /32s very fast.
> Ed/
> -----Original Message-----
> From: Lyndon Nerenberg (VE7TFX/VE6BBM) <lyndon@xxxxxxxxxx> 
> Sent: Monday, July 1, 2024 21:11
> To: Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx>
> Cc: Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx>; ietf@xxxxxxxx
> Subject: Re: No, SMTP is IPv4, Was: SMTP and IPv6
> 
> Phillip Hallam-Baker writes:
> 
> > I don't see that happening for SMTP because the big cost of managing 
> > SMTP services is the anti-abuse system, in fact that is pretty much 
> > the only cost. And going from 32 bits to 128 bits (or 64 if you want 
> > to look at it that way) is simply too much leverage to hand over to the attackers.
> 
> I'm not sure that's entirely true. ip6 means a near infinite number of addresses per host, but almost always those come out of a local /64 LAN.  So instead of doing reputation on ip4 /32s, you do it on ip6 /64s.  The addresses get longer, but the number of entries you track is going to be similar.
> 
> It would be interesting to examine the "worst 10%" of a few ESPs' ip6 bad reputation lists to see if this sort of clustering happens in reality.
> 
> --lyndon
>
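Neal's point above about internal-only machines carrying globally routable addresses (and IPv6 handing them bidirectional reachability) turns into a simple inventory audit. The following is an added example and is not code from the original thread or from either poster: it classifies each address of a constructed host inventory as internal-only (RFC 1918, RFC 6598 shared space, RFC 4193 ULA, link-local, loopback) or routable, and flags routable addresses on hosts whose role is internal. The hostnames, roles and addresses are made up; the TEST-NET and 2001:db8:: documentation prefixes stand in for real public addresses, and because the classifier only knows the internal-only ranges it treats them as routable.

```python
"""Audit a host inventory for internal-only hosts that carry routable addresses.

Added example; the inventory below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Address space that should never appear on the public Internet. Anything
# outside these ranges is treated as globally routable for this audit.
INTERNAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 shared (CGNAT)
    "169.254.0.0/16", "127.0.0.0/8",                   # IPv4 link-local, loopback
    "fc00::/7",                                        # RFC 4193 ULA
    "fe80::/10", "::1/128",                            # IPv6 link-local, loopback
)]

# Constructed inventory: hostname -> (role, [addresses]). Roles are "internal"
# (must only be reachable via the egress NAT/firewall) or "public".
INVENTORY: Dict[str, Tuple[str, List[str]]] = {
    "fileserver01": ("internal", ["10.20.30.40", "fe80::1ff:fe23:4567:890a"]),
    "printer-3f":   ("internal", ["198.51.100.7"]),            # routable v4 on a printer
    "dev-laptop":   ("internal", ["192.168.1.50", "2001:db8:1234::abcd"]),  # routable v6
    "ula-host":     ("internal", ["fd12:3456:789a::1"]),
    "web-edge":     ("public",   ["198.51.100.10", "2001:db8::10"]),
}


def is_internal_only(addr_str: str) -> bool:
    """True if the address falls in a range that is not routable on the Internet."""
    addr = ipaddress.ip_address(addr_str)
    return any(addr in net for net in INTERNAL_ONLY if net.version == addr.version)


def audit(inventory: Dict[str, Tuple[str, List[str]]]) -> List[Tuple[str, str, int]]:
    """Return (host, address, ip_version) for every routable address on an
    internal-role host. Public-role hosts are expected to be routable and are skipped."""
    findings = []
    for host, (role, addrs) in inventory.items():
        if role != "internal":
            continue
        for a in addrs:
            if not is_internal_only(a):
                findings.append((host, a, ipaddress.ip_address(a).version))
    return findings


if __name__ == "__main__":
    for host, addr, ver in audit(INVENTORY):
        fix = "renumber into RFC 1918 space and NAT outbound" if ver == 4 \
            else "move to ULA or put a default-deny inbound v6 filter in front of it"
        print(f"{host}: routable IPv{ver} address {addr}; {fix}")
```

Run it against a real inventory export and every line of output is a machine that is one routing mistake away from being reachable from the Internet. The IPv6 findings are the ones Neal's firewall bullet is about: a global v6 address on an internal host is only safe if an inbound default-deny filter exists on the path, which the inventory alone cannot tell you.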


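Lyndon's suggestion of keying IPv6 sender reputation on the /64 rather than the /128, and Ed's caveat that subscribers often get a /56 that is reassigned on reconnect, can be tried out on a small constructed abuse log. This is an added example, not code from the thread: it aggregates source addresses to a chosen prefix length and returns the prefixes over a threshold. The address list is made up (documentation prefix 2001:db8::/32), as are the threshold and the per-subscriber /56 assumption.

```python
"""Aggregate IPv6 abuse sources by prefix for reputation tracking.

Added example; the abuse log below is constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Iterable, List


def aggregate_by_prefix(addresses: Iterable[str], prefixlen: int) -> Counter:
    """Count events per IPv6 prefix of the given length (64 = one LAN, 56 = a
    typical per-subscriber delegation). IPv4 entries are ignored here; they
    would keep being tracked on the /32 as usual."""
    counts: Counter = Counter()
    for a in addresses:
        if ipaddress.ip_address(a).version != 6:
            continue
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def blocklist(addresses: Iterable[str], prefixlen: int, threshold: int) -> List[str]:
    """Prefixes with at least `threshold` abusive events, most active first."""
    counts = aggregate_by_prefix(addresses, prefixlen)
    return [net for net, n in counts.most_common() if n >= threshold]


def constructed_abuse_log() -> List[str]:
    """Constructed sample: one botnet-style LAN rotating through 40 interface IDs,
    a neighbouring /64 in the same /56, and two hosts in an unrelated /48."""
    log = [f"2001:db8:a:1::{i:x}" for i in range(1, 41)]   # 40 distinct /128s, one /64
    log += [f"2001:db8:a:2::{i:x}" for i in range(1, 6)]   # 5 hosts, next /64, same /56
    log += ["2001:db8:b::1", "2001:db8:b::2"]              # different /48 entirely
    return log


if __name__ == "__main__":
    log = constructed_abuse_log()
    print(f"{len(log)} events, {len(set(log))} distinct /128s")
    for plen in (64, 56):
        counts = aggregate_by_prefix(log, plen)
        print(f"/{plen}: {len(counts)} entries -> {dict(counts)}")
        print(f"  block at >=10 events: {blocklist(log, plen, 10)}")
```

Forty-seven distinct /128s collapse to three /64 entries, which is Lyndon's point about table size. Widening the key to /56 merges the two neighbouring LANs into one subscriber entry, but on an ISP that hands out a fresh /56 at every reconnect that entry outlives the offender and lands on whoever gets the prefix next, so entries keyed wider than /64 should carry a short expiry.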

