Oh, for what it's worth, I see things like this:
If there's sufficient consumer demand for IPv6, then ISPs will roll it out and charge extra for the premium service. That's the definition of "sufficient consumer demand" in this case: the ISPs see sufficient demand that they feel it's in their own best interests to do something about it. But evidently, that's not what's happening.

Instead, if there's insufficient consumer demand, then ISPs will still want to make money on it somehow. They wait around. They enable IPv6 everywhere, and when there is an opportunity for public perception of IPv4 starting to cost more, then they charge extra to use IPv4. It's in their best interest to make IPv6 wait till the last minute, so all the Hulus and Facebooks (and your employer's VPN) out there might still only offer service via IPv4. The quieter things stay for now, the more profit they're able to extract from it. But they don't want to be caught with their pants down, so they'll perform some regional test rollouts. (Sound familiar?) Surely, the results of the present Comcast / Verizon test regions are: "It works, but there's no DNS and that's a showstopper."

Also, they know approximately how long their routers last at people's homes. So they're planning the slow and systematic upgrade strategy. I have good reason to believe, for my house on FiOS, they only need to push out a firmware upgrade when they want to. But a lot of people are still living on "the shark fin" or similar devices. Old, archaic cable and DSL modems that haven't been replaced in a decade. The ISPs want people to get as much life out of these things as physically possible, to avoid the upgrade expense.

You will see the IPv6 DNS problem solved before there's any serious effort by ISPs. It may be DHCPv6, or RFC a,b,c,d. But there's positively no way ISPs can charge extra for IPv4, as long as IPv6 is insufficient by itself. So for now, they wait. You will see the Hurricane Electric countdown reach zero. And then IPv4 will start to become more expensive. And finally, things start moving.

Those are my predictions. Booweeeewwwooooo.. In the year 2000. Magic.

From: [email protected] [mailto:[email protected]] On Behalf Of Edward Ned Harvey
Sent: Thursday, May 13, 2010 8:25 AM
To: [email protected]
Subject: [BBLISA] Last night's IPv6 talk

Even though I wasn't the organizer last night, I want to thank everyone who showed up and participated. I found it very informative and interesting, and apparently so did many other people, reluctantly getting up to go home after 9, for the sake of needing to go home *some* time. ;-)

There were several points of interest I thought were valuable to stab a little deeper into:

Even as ISPs roll out IPv6, they will not kill IPv4 anytime soon (not in the next 5 yrs.) So for now, that's the solution to the DNS problem. Apple, MS, etc. have plenty of time to work out the details of DNS deployment, DHCPv6 and so on. Someday, you might have to pay extra to have IPv4 enabled on your network connection.

The references that I cited were: Running IPv6, Iljitsch van Beijnum. It's good for an understanding of IPv6, but since it's like 5 yrs old, it's out-of-date in terms of configuring IPv6 on your system. Fortunately, that doesn't matter at all, because nowadays, enabling IPv6 is trivial. I could share it with anyone if they want, up to 2 weeks, if you happen to have a Kindle (or are willing to use the Mac or Windows Amazon Kindle reader). That should be enough to read the whole thing for all the interesting parts. Also, I said it was $10. Sorry, my mistake, it's $35 to buy.

I mentioned NAT-PMP. http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
And I couldn't remember the name of IGD. http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

These are protocols that allow a NAT IPv4 device to communicate with the perimeter firewall, to auto-configure a hole through the firewall, to enable inbound traffic, to support peer-to-peer traffic. Today, these protocols are not widely built into firewalls. But some do support it. Generally speaking, professional level security appliances don't support it, but hopefully that will become optional in the near future (and controllable via system policy), because I feel it's a very valuable thing, to enable peer-to-peer video conferences for example.

The thing that's nice about NAT-PMP and IGD is that the client must explicitly request the hole opened at the perimeter firewall before it's allowed in. So this is an additional layer of security, above just your software firewall. Obviously, nobody feels very comfortable simply exposing all their internal IPs to the Internet. So this helps facilitate communications without sacrificing security. Today, if you want to do p2p, the recommendation would be IPv4, with one of these. Most p2p apps support it (Skype, BitTorrent, and many H323 or SIP clients, etc.). The question that remains is whether or not your perimeter firewall supports it.

Moving forward, if you have world routable IPv6 addresses, there's no need for NAT and hence no need for NAT-PMP or IGD. However, as mentioned before, the only security that NAT offers you is implicitly blocking inbound unknown traffic. Moving forward, the recommendation would be to still enable the firewall to block inbound unknown traffic. In which case, the recommendation would be to use IPv6, *and* NAT-PMP or IGD, or the alternative du jour.

Not previously mentioned, the other security that NAT offers is internal network roadmap masking. That is, somebody outside has no way of knowing your internal network topology or subnet ranges and possible router hops. Believe it or not, IPv6 can be NAT'd if you want to. (Though implementation may be sparse or nonexistent right now.) Many of the IETF idealists would scoff at that as being sacrilegious and defeating the purpose, but you can see how slowly things move when you're trying to be ideal. If striving for perfection, then critical components (DNS, DHCP) get left out by the time you need to use them. So, just as you can expect people to use DHCPv6 despite extremist objections, so you can expect some organizations to do IPv6 NAT sometimes despite the extremist views of individuals in the IETF. Specifically because they don't want to expose the internal network roadmap.

One thing that's cool is: If you do NAT your IPv6, you have a very large number of external IPs. So you could do a one-to-one mapping of internal IPs to external IPs, instead of the many-to-one mapping that's generally used in IPv4. Thus, you eliminate the p2p problems that IPv4 NAT has, and you're still able to do NAT.
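The "client must explicitly request the hole" exchange that the talk describes for NAT-PMP, shown as an added example (not part of the thread): the 12-byte mapping request a client sends and the 16-byte response the gateway returns, following the wire layout of RFC 6886; the sample response bytes are constructed here, and a result code of 2 ("not authorized") is what a policy-controlled gateway answers when it declines to open the pinhole.

```python
import struct

NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}

def build_mapping_request(proto, internal_port, external_port=0, lifetime=7200):
    """Client -> gateway mapping request (RFC 6886 sec. 3.3), 12 bytes:
    version, opcode, reserved(2), internal port, suggested external port, lifetime."""
    op = {"udp": OP_MAP_UDP, "tcp": OP_MAP_TCP}[proto]
    return struct.pack("!BBHHHI", NATPMP_VERSION, op, 0,
                       internal_port, external_port, lifetime)

def parse_mapping_response(data):
    """Gateway -> client mapping response, 16 bytes: version, opcode (128 + request
    opcode), result code, seconds since gateway epoch, internal port, mapped
    external port, granted lifetime. Raises ValueError on malformed input."""
    if len(data) < 16:
        raise ValueError("short NAT-PMP response (%d bytes)" % len(data))
    ver, op, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if ver != NATPMP_VERSION:
        raise ValueError("unexpected NAT-PMP version %d" % ver)
    if op not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError("not a mapping response (opcode %d)" % op)
    return {"proto": "udp" if op == 128 + OP_MAP_UDP else "tcp",
            "ok": result == 0,
            "result": RESULT_CODES.get(result, "unknown (%d)" % result),
            "epoch": epoch, "internal_port": iport,
            "external_port": eport, "lifetime": lifetime}

# Constructed sample traffic (not captured from a real gateway).
# A gateway granting a TCP mapping for port 5060 with a 3600 s lifetime:
GRANTED = bytes.fromhex("00820000 0001e240 13c4 13c4 00000e10")
# A policy-controlled gateway refusing a UDP mapping request (result code 2):
DENIED = bytes.fromhex("00810002 00000010 13c4 0000 00000000")

if __name__ == "__main__":
    print(build_mapping_request("tcp", 5060, 5060).hex())  # request on the wire
    print(parse_mapping_response(GRANTED))
    print(parse_mapping_response(DENIED))
```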
_______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
