Tales from the Crypto : IPv6, Miscellany - not security

In June: Happy Birthday to me–World IPv6 Launch Day

Alun Jones — Sun, 19 Feb 2012 20:57:51 GMT

I’d like to thank ISOC (the Internet Society) for making my birthday later this year into World IPv6 Launch Day.

This year is a special one for anniversaries – my 45th birthday, 20 years since I arrived in the USA, 10 years since beating cancer – seems like the perfect time for ISOC to honour me by switching everyone to IPv6.

Now, if only I could persuade Comcast to deliver IPv6 to my house, where we are still using Hurricane Electric’s Tunnel Broker.

World IPv6 Day–some likely effects

Alun Jones — Wed, 30 Mar 2011 01:03:03 GMT

Are you ignoring IPv6 for the moment, knowing it’s not going to affect you any time soon? I have news for you – you will be significantly affected in the next two months.

It seems that a large fraction of the world is really rather dismissive about the coming of IPv6, which is, after all, the best IPv.

But there are people who are intent on providing a move to the new world, and they’ve geared up to provide a “World IPv6 Day” on which they will be enabling IPv6 on their main sites. (There is an ever-increasing list of participants)

So what is going to happen when some web sites – some big web sites – turn on IPv6 for a day this June? And what will happen when IPv6 is turned on permanently at those sites?

For individuals – “Consumers”

Individual users are probably thinking “someone will make it all work for me” – and some of that is likely true, if you have someone managing your network for you. Your Internet Service Provider will eventually do what they can to provide IPv6 service to your home, and your employer’s IT department is probably thinking in some terms about what to do when they feel like it’s time to deploy IPv6 to the company. But most home routers are not currently able to provide native IPv6 service.

If your cable modem, DSL router, or other entry device is rented to you by the ISP, then you probably have nothing to worry about, they will eventually get replaced to support IPv6, when the ISP is ready to accept IPv6.

If you have bought your own entry device, or other routers (such as a wireless router), you will have to replace it to support IPv6. Don’t run out and get a new router yet – there are no home routers on the market that currently support IPv6 fully – or even enough to consider upgrading for that functionality. Those of us using IPv6 at home are generally using custom software that we have installed, not something the average consumer wants to do.

This means you are stuck on IPv4 for the foreseeable future, although your computer is most likely capable of using IPv6 when connected to a network that supports it. But you will still be affected – see the section below, “For Everyone” for more.

For businesses – management

If you’re not already engaged in some form of IPv6 project, you really should be.

If your IT department are telling you that IPv4 addresses have not run out, ask them “then why are we flailing around behind a NAT, and having to write or purchase software that specifically knows how to make its way out and back through a NAT?”

The fact is, IPv4 addresses ran out years ago, and we’re really only in this last couple of years in a situation where we can deploy IPv6 to fix the problem. Operating Systems for desktops and laptops now support IPv6, and usually have it enabled by default; business-class routers and switches are available with IPv6 support built in, and firmware for some not-so-new devices in that class is available to provide IPv6 support.

More than that, though, you have to make sure that you have staff on-hand who are trained to understand IPv6, because training your staff may be the investment that takes the longest to get right. When you read the section “For Everyone” below, consider what the impact will be to your support centres and to your customers when something breaks. Will you have to explain away broken links, images or even broken pages? [Any site that has previously seen broken pages because of inability to download ads should know how this comes about]

For businesses – IT

If you’re an IT department, you probably have some people on staff who are into new technology – the more they can get, the better. Quite frankly, everyone in an IT department should have something of that feel, or they’re in the wrong team. So, when you get management approval to start down the IPv6 road, it should be a simple matter of asking “who wants it?” and letting people sign up to work on learning the new technology and finding the solutions. Ideally, when your management asks “who’s the IPv6 guy”, you’ll be able to point him out right away.

You should obviously consider a staged roll-out of IPv6 technology, starting with internal networking, to make sure you have an infrastructure that supports it, and only later considering allowing incoming IPv6 to connect to your web site, or to other externally-facing systems.

As a part of enabling routing, make sure that you match, in your IPv6 environment, the protections you already have for IPv4. Do not try to match feature-for-feature, because of features like NAPT, where there is some accidental / incidental security protection from a feature that is essentially unavailable in IPv6. Match protection-for-protection – an IPv4 NAT’s security protection is that it is a firewall with no holes punched in it. So, its IPv6 equivalent protection is a default-deny firewall.

Consider grouping servers into subnets or address ranges based on their use, so that you can configure your firewall using contiguous ranges, rather than individual address assignments. This will make your IPv6 firewall fast – perhaps faster than when operating on its IPv4 rules – and simple.

For everyone

When external sites turn on IPv6, and start resolving their site names to IPv6 addresses as well as IPv4, there will be some users who have poorly-configured IPv6 installations. Their DNS name servers will say “here’s an IPv6 address”, their operating system and web browser will say “I understand IPv6, so let’s connect to that address!”, and some portion of their network will say “huh? What is this, the future or something? I’m still wearing shoulder-pads and leg-warmers and watching Dynasty, because it’s been the 1980s for the last several decades!”

What that user will see is that the IPv6-capable web site just dropped off the Internet. At best, it may simply cause a long delay (several seconds) in reaching the site, as the browser tries – and fails – to connect to IPv6, and then switches to IPv4. At worst, it will cause the big red X to appear, and sites to fail to load completely, as the browser (or other client software) gives up.

You can’t quit the game, either

Fine, so maybe all this means is that those sites who take part in World IPv6 Day will drop off the Internet for a day, to some of their users, and then the next day all will be just perfect.

Not quite.

You see, with “Web 2.0”, everything’s mashed up and interconnected. Google’s everywhere. So are some of the other participants in World IPv6 Day. Each one of those sites being unreachable could affect your favourite mashups, whether you are consumer or service provider. And what is an advertising-laden website if not a mashup of its advertising and its content?

Businesses – what if your adverts fail to load? What about that mapping site you use? Is your technical support ready for an estimated 0.1% of your customers calling in with failures on your site?

Consumers – are you ready to take these errors as a sign that you need to fix your network, or to bug your ISP, or are you going to insist, wrongly, that the problem is with the web sites participating in World IPv6 Day? At least, will you accept that these errors are a necessary part of learning how to move to IPv6?

ISPs – even if you have no plans for IPv6, are you ready for the technical support requests from people who have errors connecting to an IPv6-supporting site?

Quitting, or refusing to take part in the move to IPv6, is not an option. IPv6 will roll out. World IPv6 Day is only the FIRST of many shake-outs that will happen, as sites increasingly add support for IPv6 to their existing IPv4 lineup.

For a preview of what will happen to your machine, try connecting to a system that supports IPv6 and IPv4. The usual example is http://www.kame.net – it displays a picture of a turtle. The turtle dances for IPv6 users, and sits there doing nothing for IPv4 users (although your browser may choose to display the IPv4 version as its default even if you support IPv6).

If you are one of those rare individuals in an IPv6-capable network island that is unreachable by the IPv6 Internet, you will see an error.

Sadly, with new organisations joining World IPv6 Day every day, you can’t really predict what exactly will break – but you can predict how some of it will break, and train your staff to handle this, whether it is by deploying changes, or simply handling support calls.

I’d love to know what effects you’ve anticipated will come on World IPv6 Day, and what work you’ve done to mitigate these issues.

Belkin Play N600 HD – just a toy router.

Alun Jones — Tue, 23 Nov 2010 20:24:38 GMT

I saw the Belkin Play N600 HD router (F7D8301) at Costco a couple of days ago, for a very good price.

I’d been looking for a good price on an 802.11n router for some time – partly to increase coverage through my house, but also to ensure that I had a new router that would cope with improving technology as I buy it over the next few years.

Unsupported protocols

Sadly, this router isn’t it – there are several existing protocols that it just doesn’t support, which is rather odd for a new router.

Specifically, I note that the router does not state support in its interface for PPTP or IPsec passthrough – protocols 47, 50, 51. When I asked the Belkin tech support about this, they directed me to “try forwarding ports on the router”, apparently not aware that there is a difference between port and protocol forwarding. That’s an astonishing lapse in ability and knowledge for technical support on a router, and doesn’t give me much comfort that the router itself is developed with skill or knowledge.

Another protocol not supported by this router, which seems just crazy when we’re one hundred days away from X-day, is IPv6. That’s right, IPv6, the next-generation Internet Protocol, required for numerous features of modern Windows systems such as HomeGroups, DirectAccess, etc (I’m sure there are IPv6-only features for Mac and Linux, but those aren’t my specialisation), and it isn’t supported. You can connect to the router as a wireless client, but the IPv6 protocol, access to local DHCP servers, etc, isn’t supplied to your host computer. My Linksys WRT54GL has supported that for several years, and this new router from Belkin can’t handle it.

Also unsupported is “6in4” (aka v6tunnel), as used in IPv6 tunnel schemes such as http://tunnelbroker.net, which is how I make my network a part of the global IPv6 Internet until Comcast gets around to supporting native IPv6 service. Again, this wouldn’t require the router to understand anything about IPv6, just to forward IPv4 protocol 41 correctly.

Unreliable

In addition to missing such basic functionality, the Belkin Play N 600 HD also fails in the reliability stakes. Two days it’s been in our house, and both mornings, we’ve woken up to a complete lack of Internet service and wireless connectivity, although the light on the front of the router is solid green, indicating that it thinks everything is fine.

Pinging the router does nothing, restarting computers (in the vain hope that it might be a wireless card issue, or some network driver failure, though our network has been fine for many years) does nothing. The only action that has an effect is that of restarting the Belkin router. Clearly, the Belkin can’t make it through the night without locking up.

Not any better range

As if to pour salt onto the wound, this router isn’t even able to increase range in our house – the boy still can’t get a connection from his room on his iPod. Perhaps that’s not such a bad thing, but since we were hoping to increase range with the router’s ability to pick signals out with MIMO technology, it seems like there really isn’t much point to us keeping the router.

Thank goodness we bought it at Costco

Costco’s return policy is pretty reliable in cases like these – we take the failed device back, say that it wasn’t capable of reliable, basic use, and they refund us our purchase price. I’ll be giving it just a couple more days, in case Belkin has any hope to offer in terms of support of basic network router functionality, but I suspect I’ll just have to suck up the extra cost of using plain old reliable Linksys.

US Government Mandates IPv6–are you ready?

Alun Jones — Wed, 13 Oct 2010 04:29:45 GMT

White House CIO Vivek Kundra released a memo last month to US Federal CIOs on transitioning to IPv6, at a workshop on the importance of adopting IPv6.

Put simply, the memo gives a timetable for moving the US Federal government to using native IPv6 for all public-facing web and Internet sites. The end of Financial Year 2012 is the deadline for that. There’s also a deadline of end of FY 2014 for all internal client apps to support IPv6.

Here at Texas Imperial Software, we’ve provided basic support for IPv6 in WFTPD and WFTPD Pro for some time.

Because of a lack of significant expressed customer interest, we’ve basically kept the IPv6 support out of the interface, despite a personal interest on my part in supporting IPv6. Now it’s time to change that and bring IPv6 in as an equal platform, rather than hiding it in the background.

Are you interested?

We’re looking for beta testers for this IPv6 support. Drop me a line at betatest@wftpd.com if you are able to test out an IPv6-capable FTP server. Priority is given to registered users, but if you can test out WFTPD or WFTPD Pro, on a native IPv6 network, we’d love to hear from you.

You don’t have to be associated with a government, or even enterprise, just interested, capable, and ready to give your feedback.

X-Day–less than a year away!

Alun Jones — Sat, 17 Jul 2010 03:12:26 GMT

As you can see from the IPv4 Exhaustion Counter to the left (snapshot taken 7/16/2010, 7:30 pm PDT), IPv4 addresses are dwindling.

OK, so that’s perhaps a rather simplistic description of what’s going on – these are a count of the IANA blocks that have not yet been handed out to other providers. Usually what happens is that the IANA hands blocks out to regional network block managers, and they hand them out, piece by piece, to the local providers, who hand them out one (or more for larger organisations) at a time to consumers.

So, even when all these blocks have been handed out (known as “X-Day”), there will still be addresses to be handed out to consumers – but it is a key indicator to follow in realising that IPv4 is a dead-end strategy, and something else needs to be investigated.

What, again?

Yes, we’ve had these calls to move to a new addressing format for years – back in 1993, when I first got on the Internet, there was a lot of discussion about “IPng – Internet Protocol, the Next Generation” (STNG was current then, you must understand).

Later, as IPv6 came along, NATs (Network Address Translators) were brought out as the saviour to IPv4. The idea was that we’d all use the same internal addresses as one another (so each company has their own local 10.* netblock behind the NAT), and a single external IP address for each NAT. To put it mildly, this is not a solution to the problem, it merely postponed it a little – if anything the fact that we have to use NATs is indicative that we have already run out of IPv4 addresses. Until you look into it, you really have no idea how much work we have already put into changing our applications to work with NATs in an effort to prop up IPv4, when we could have spent that time in adopting IPv6.

So we are closer to having to go to IPv6?

Sure – but hey, what's not to like about IPv6? Unless you're the developer of a piece of network software, it all just plain works.

Applications accessing file shares by name - can still access file shares over IPv6, without a line of change. Only if you're dealing specifically with the IP layer and IP addresses will you see a problem. It doesn't take a lot to turn an app from IPv4-only to IPv6-capable, and users will hardly notice a difference, if you expose names, rather than IP addresses. [It took me two hours to convert the underlying engine of WFTPD and WFTPD Pro to use IPv6. The user interface took/is taking me longer, because I'm not so good at UI, and haven't had the focused time I need. But it’s coming.]

You have to reconfigure your routers a little - they at least need to either act as DHCPv6 sources, or handle DHCPv6 traffic to/through a redirector. Ask your router manufacturer what they recommend. And, since you won’t be using a NAT as an accidental firewall, you’ll want to make sure your routers have real firewall functionality.

Technology leaders should be asking to beta test our ISPs' IPv6 support, and if your ISP isn't at least beta testing IPv6 support, get them to catch up, or move to one that does. Good gracious, even laggard Comcast is testing IPv6 for its customers!

Some things to look forward to with IPv6:

Multicast supported natively - maybe Internet radio stations will pick up on this and make their live feeds take up less global bandwidth.
IPsec supported natively - no excuse any more.
Because IP addresses are longer and impossible to remember, names will become more prevalent. That’s a good thing, because it discourages you thinking of numeric IP addresses as secure, static or necessary to know.
Every machine now becomes a "first class citizen" on the Internet. This means FTP works, H.264 and other protocols that require transmission of IP address in the protocol. [That makes IPsec easier and more efficient, too]
No more NATs. [Except for the pesky IPv4 <-> IPv6 translation layers] No more kludges to deal with NATs.
There are currently a number of services that are either only available on IPv6, or are available for free on IPv6. That will only grow as time goes on.