Re: why IPv6 is bad, No, SMTP is IPv4, Was: SMTP and IPv6


 



According to Dr. Neal Krawetz  <ietf@xxxxxxxxxxxxxxxx>:
>Every big corporation I've seen uses the same choke-point configuration:
>  - All outbound traffic goes through a very small number of IPv4 addresses for egress filter and incoming firewall protection.
>  - Every internal-only computer uses globally routable IPv4 addresses.
>
>They *should* be using NAT!

An interesting argument, not totally ridiculous.

>The way IPv6 is being allocated? Having "more addresses than IPv4" doesn't prevent the same misallocation problem. It just extends the time before we exhaust IPv6.

IPv6 was designed to be big enough that it doesn't matter. IANA has
been allocating space from 2000::/4 for the past 25 years, so far
given out maybe 2/3 to the RIRs. And 2000::/4 is only 1/16 of the
address space.


>The biggest problems I've seen that prevent IPv6 adoption:
>
>  - Complexity: IPv6 is more complicated than IPv4. If you go in with the "IPv6 is like IPv4" mentality, then the complexity will overwhelm you. I've seen way too many admins stick with IPv4
>because IPv6 was too complicated.
>
>  - Startup time: With IPv4, you get your address, router, and subnet, and you're online. With IPv6, you still have to wait for neighbor discovery to complete. You might think everything is
>configured correctly but see that it isn't working for the first few seconds (or minutes). When IPv6 isn't ready when you're ready, you assume it isn't working and fall back to IPv4 which is
>immediately on.

Those are reasonable.  I suppose you could speed things up with DHCPv6 but it seems to be fast enough as is for most purposes.

>  - Firewalls: That whole configuration issue, where corporations have everything route through a single egress filter/firewall service? IPv6 wants direct access and doesn't support NAT. (Is there
>such a thing as NATv6? Does anyone use it?) This means that IPv6 has the potential of creating a security nightmare by giving internal-only systems bidirectional access to the internet.  Even for
>a residential service, my home IoT devices should never have their own direct connection to the internet. Without the correct configuration, IPv6 is much worse than UPnP.

There is NATv6 but it's not widely used. It is not hard to set up an
IPv6 firewall with the same kind of protection you normally get from
NAT. I've done it. But it's not the same as NAT so I suppose it seems
harder.

To me the main issues are that it's different, so it has a learning
curve, and for the vast majority of users IPv6 still offers no
practical benefit.

R's,
John
-- 
Regards,
John Levine, johnl@xxxxxxxxx, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
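
An added example, not part of the original message: one way to give inside hosts on IPv6 the same inbound protection they get as a side effect of IPv4 NAT, using a stateful default-deny forward policy. It assumes a Linux router running nftables; the interface names `wan0` and `lan0` and the table name `v6gate` are hypothetical.

```nftables
#!/usr/sbin/nft -f
# Constructed example. "wan0" (upstream) and "lan0" (inside) are assumed names.

table ip6 v6gate {
    # Traffic routed THROUGH the box: this is the NAT-equivalent part.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that inside hosts opened, plus ICMPv6 errors
        # (packet-too-big etc.) that conntrack ties to those flows.
        ct state established,related accept

        # Anything conntrack cannot place in a valid flow is discarded
        # before the outbound rule can accept it.
        ct state invalid drop

        # Inside hosts may open new connections outward.
        iifname "lan0" oifname "wan0" accept

        # No rule admits new flows from wan0 to lan0, so unsolicited
        # inbound traffic to globally addressed inside hosts hits the
        # drop policy, as it would behind NAT.
    }

    # Traffic addressed TO the router itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # Neighbor discovery and router advertisements are required for
        # IPv6 to work at all; ICMPv6 errors are needed for path MTU discovery.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request } accept

        # Only if the upstream hands out addresses or prefixes by DHCPv6:
        # server replies arrive from a link-local source on the client port.
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept
    }
}
```

Inside hosts keep their global addresses and end-to-end outbound reachability; exposing a service deliberately takes one explicit accept rule in the forward chain, placed before the policy drop applies.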



