On 7 May 2020, at 12:00, Tim Chown wrote:
I doubt there's a correlation between owning legacy IPv4 space and not
implementing IPv6. The organisations I've dealt with who have no
interest in IPv6 also have very little IPv4 address space and use
RFC1918 extensively internally. The problem seems to be that
networking is rarely their core function - they are in some other
industry and the amount of expertise they have for networking is
spread thin, which limits their ability to embrace change. Their
engineers don't attend UKNOF, they aren't in our sphere of influence,
they barely realise IPv6 is a thing - to them it's some research
project that someone mentioned once. Until their customers demand it,
they won't react. They might as well engrave "If it ain't broke, don't
fix it" on their computer room door.
Most corporate networks are like this.
Even where there is some clue and interest in IPv6, it tends to be
prevented by a number of factors:
* perceived to be a nonessential activity/cost
* reliance on IPv4 bodges & abuses not available in IPv6
* reliance on software/services/hardware which doesn’t speak v6
There are a lot of horrible things done to intercept, inspect, mangle,
and otherwise interfere with network traffic.
There’s also a lot of reliance on v4-isms for network and address
management and access control and so on..
Even the humble VPN for remote employees is a “sorry, can’t do
IPv6” in many cases.
Very much of this is outsourced by most organisations because running IT
infrastructure isn’t what they exist to do.
The outsource providers don’t see any need to do anything different
because there’s no competitive or monetary incentive to do so.
My employer probably ought to be able to run IPv6 everywhere (if the
network equipment can’t do it then it’s no-one’s fault but our own) -
but it’s all RFC1918 behind little islands of v4 PI in each region.
Yes, we’ve ASNs and PI, and don’t do v6..
Because I need to simultaneously access my own employer’s network, and
my customer’s network, which overlap addressing, I have to run a
virtual machine on my workstation to connect to one of them and provide
port-forwarding/NAT for some applications and a proxy for a second web
browser.
This also results in the perverse situation of running one VPN over
another (more so when the UK endpoint one is running over an overseas
endpoint one & I’m in the UK..) because the security policy on one of
them won’t let me carve out a non-vpn route.
It’s annoying, and hacky, but it works well enough.
It also makes security folk a little less nervous than the
more-technically-correct-and-elegant solution which would be so easy
with IPv6 :)
IPv6 adoption /should/ be much better amongst web hosts and similar,
with real benefits for eyeballs on v6-providing ISPs. It’s really
quite easy to add v6 to the web, mail, and dns servers..
d.
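The overlapping-RFC1918 problem behind the VPN-in-a-VM workaround above can be checked mechanically before anyone reaches for NAT or a second browser. The following is an added example, not code from the thread or from any UKNOF participant; the employer and customer prefixes are constructed for illustration, and it uses only the Python standard library.

```python
"""Find address-space overlaps between two networks that must be reachable
at the same time (the situation described in the post), and say which
overlaps plain routing can still resolve.

The EMPLOYER and CUSTOMER prefix lists are constructed sample data, not
real networks.
"""
from ipaddress import ip_network, IPv4Network
from itertools import product

RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(net):
    """True for any IPv4 prefix inside the RFC 1918 private ranges."""
    return isinstance(net, IPv4Network) and any(net.subnet_of(p) for p in RFC1918)


def overlapping_pairs(side_a, side_b):
    """Return (x, y) pairs where a prefix on side_a overlaps one on side_b.
    Prefixes of different IP versions can never overlap, so they are skipped."""
    return [(x, y) for x, y in product(side_a, side_b)
            if x.version == y.version and x.overlaps(y)]


def ambiguous_routes(side_a, side_b):
    """Classify each overlap: with unequal prefix lengths the host's
    longest-match lookup picks the more specific one (the other network's
    hosts in that range become unreachable); identical prefixes cannot be
    told apart by routing at all and need NAT, a separate VM, or a proxy."""
    report = []
    for x, y in overlapping_pairs(side_a, side_b):
        if x.prefixlen == y.prefixlen:
            report.append((str(x), str(y), "identical prefix; unresolvable by routing"))
        else:
            more_specific = x if x.prefixlen > y.prefixlen else y
            report.append((str(x), str(y), f"longest match prefers {more_specific}"))
    return report


# Constructed sample data: two RFC1918 collisions on v4, none on v6 ULA.
EMPLOYER = [ip_network(p) for p in ("10.0.0.0/8", "192.168.10.0/24", "fd12:3456:789a::/48")]
CUSTOMER = [ip_network(p) for p in ("10.20.0.0/16", "192.168.10.0/24", "fd9a:8765:4321::/48")]


def main():
    for x, y, why in ambiguous_routes(EMPLOYER, CUSTOMER):
        print(f"{x} vs {y}: {why}")
    v6 = [p for p in overlapping_pairs(EMPLOYER, CUSTOMER) if p[0].version == 6]
    print("IPv6 overlaps:", v6)


if __name__ == "__main__":
    main()
```

Run as-is it reports the two v4 collisions (one resolvable by longest match, one not) and an empty IPv6 list, which is the point made in the post: distinct /48s do not collide, so the NAT-and-proxy contraption is only needed on the v4 side.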