RE: why IPv6 is bad, No, SMTP is IPv4, Was: SMTP and IPv6


 



>>The way IPv6 is being allocated? Having "more addresses than IPv4" doesn't prevent the same misallocation problem. It just extends the time before we exhaust IPv6.
>IPv6 was designed to be big enough that it doesn't matter. IANA has been allocating space from 2000::/4 for the past 25 years, so far given out maybe 2/3 to the RIRs. And 2000::/4 is only 1/16 of the address space.

99% of people do not understand that IPv6 is a 64+bit architecture ("+" is because a few bits after 64 are still useful for numbering on the local subnet).
The second half of the address was initially used for the L2 address (inserted inside the L3 address -> strong level of duplication).
Now, the second half of the address is mostly for "privacy" (some OTTs are laughing reading about such mechanisms of "privacy").
Sometimes it is already standardized to be used for service encoding (in SRv6) or other non-addressing matters.
The more time passes -> the more it would be abused for non-addressing, and the more difficult it would be to return it to address space.
The consensus in 6man (after huge debates) is to do everything possible to block a prefix on /64, longer prefix is not possible.

Actually, it is not even /64. It is smaller because it is recommended to give /56 to every smartphone, and a draft is at WGLC to give /64 per every virtual or physical host (the "+" in 64+bits would be canceled - it would be strictly 64bit Architecture).

Hence, it is not 400 years as somebody calculated (for 128bits) because the address space is about 2^56 (not 2^128) and shrinking. IETF has so many ideas on how to abuse so many bits.
It is an IETF "consensus", hence, you should enjoy it.
Ed/
-----Original Message-----
From: John Levine <johnl@xxxxxxxxx> 
Sent: Tuesday, July 2, 2024 18:13
To: ietf@xxxxxxxx
Subject: Re: why IPv6 is bad, No, SMTP is IPv4, Was: SMTP and IPv6

According to Dr. Neal Krawetz  <ietf@xxxxxxxxxxxxxxxx>:
>Every big corporation I've seen uses the same choke-point configuration:
>  - All outbound traffic goes through a very small number of IPv4 addresses for egress filter and incoming firewall protection.
>  - Every internal-only computer uses globally routable IPv4 addresses.
>
>They *should* be using NAT!

An interesting argument, not totally ridiculous.

>The way IPv6 is being allocated? Having "more addresses than IPv4" doesn't prevent the same misallocation problem. It just extends the time before we exhaust IPv6.

IPv6 was designed to be big enough that it doesn't matter. IANA has been allocating space from 2000::/4 for the past 25 years, so far given out maybe 2/3 to the RIRs. And 2000::/4 is only 1/16 of the address space.


>The biggest problems I've seen that prevent IPv6 adoption:
>
>  - Complexity: IPv6 is more complicated than IPv4. If you go in with 
>the "IPv6 is like IPv4" mentality, then the complexity will overwhelm you. I've seen way too many admins stick with IPv4 because IPv6 was too complicated.
>
>  - Startup time: With IPv4, you get your address, router, and subnet, 
>and you're online. With IPv6, you still have to wait for neighbor 
>discovery to complete. You might think everything is configured correctly but see that it isn't working for the first few seconds (or minutes). When IPv6 isn't ready when you're ready, you assume it isn't working and fall back to IPv4 which is immediately on.

Those are reasonable.  I suppose you could speed things up with DHCPv6 but it seems to be fast enough as is for most purposes.

>  - Firewalls: That whole configuration issue, where corporations have 
>everything route through a single egress filter/firewall service? IPv6 
>wants direct access and doesn't support NAT. (Is there such a thing as NATv6? Does anyone use it?) This means that IPv6 has the potential of creating a security nightmare by giving internal-only systems bidirectional access to the internet.  Even for a residential service, my home IoT devices should never have their own direct connection to the internet. Without the correct configuration, IPv6 is much worse than UPnP.

There is NATv6 but it's not widely used. It is not hard to set up an
IPv6 firewall with the same kind of protection you normally get from NAT. I've done it. But it's not the same as NAT so I suppose it seems harder.

To me the main issues are that it's different, so it has a learning curve, and for the vast majority of users IPv6 still offers no practical benefit.

R's,
John
--
Regards,
John Levine, johnl@xxxxxxxxx, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
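
The point made in the quoted reply, that an IPv6 firewall can give the same kind of protection normally credited to NAT, shown as an added example that is not part of either message: the protection comes from the state table (only replies to flows opened from inside are forwarded), not from address rewriting. The class and helper names, the documentation-range addresses and the simplifications (no flow expiry, no echo tracking, ICMPv6 errors not matched to a flow) are assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed sample prefix from the documentation range 2001:db8::/32.
LAN = IPv6Network("2001:db8:1::/64")
# ICMPv6 error types (RFC 4443); type 2, Packet Too Big, is needed for path MTU discovery.
ICMPV6_ERRORS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


def pkt(src, dst, proto, sport=0, dport=0, icmp_type=0):
    """Build a Packet from address strings (hypothetical helper)."""
    return Packet(IPv6Address(src), IPv6Address(dst), proto, sport, dport, icmp_type)


class StatefulV6Firewall:
    """Forwarding filter: the LAN may open flows, the internet may only answer them."""

    def __init__(self, lan):
        self.lan = lan
        self.flows = set()  # (proto, inside addr, inside port, outside addr, outside port)

    def forward(self, p):
        """Return True if the packet is forwarded, False if it is dropped."""
        inside_src, inside_dst = p.src in self.lan, p.dst in self.lan
        if inside_src and not inside_dst:            # outbound: allow, remember TCP/UDP flow
            if p.proto in ("tcp", "udp"):
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if inside_dst and not inside_src:            # inbound: default deny
            if p.proto == "icmpv6":
                return p.icmp_type in ICMPV6_ERRORS
            return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows
        return False                                 # spoofed LAN source or transit traffic
```

Internal hosts keep their global addresses, yet an unsolicited inbound connection is dropped exactly as it would be behind NAT, because no matching flow entry exists.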




