I'm at No. 20 Main Street, where are you?
January 29, 2011 2:51 AM   Subscribe

The final tranches of the net addresses used by most people are about to be allocated, raising the prospect of a web that isn't world wide. In the next few days the last big blocks of the net's dwindling stock of addresses are about to be handed out. These are the days when IPv4 dies and is replaced by IPv6. The deadline arrived a little earlier than expected (previously).
posted by twoleftfeet (68 comments total) 5 users marked this as a favorite
 
Well Fox news had an article that was so bad it was funny. Unfortunately they have corrected it and now it's just bad. Though they still believe web developers write internet protocols.

As for running out of ip addresses, there are tunnelling protocols that can tide us over until IPv6 is up and running.
posted by antiwiggle at 3:26 AM on January 29, 2011


I've been wondering why my ISP(s) don't have any option for choosing an IPv6 address. Maybe you have to ask a high-level tech or something.
posted by DU at 3:30 AM on January 29, 2011


Fox news had an article that was so bad it was funny. Unfortunately they have corrected it and now it's just bad.

It's still funny...

Editors' Note: An earlier version of this story erroneously described an IP address as consisting of four digits, rather than four sets of digits

Address exhaustion will happen once we hit 9999 sites or devices.
posted by twoleftfeet at 3:35 AM on January 29, 2011 [9 favorites]


Oh please. We've been running out of IP addresses for ever.

I'm not saying this can't happen, but there's a while to go before it gets bad.

And, I hope it does get bad. Because if you're a technical person, and you contribute to fixing this problem before people notice it is a problem, you're going to get a heap load of post Y2K nonsense.

Remember that. When you spent the whole of 1998 fixing the Y2K bug so people wouldn't be adversely affected, and then 10 years later everyone remembers that actually, it wasn't a problem and the techies just pretended it was so they could get paid more.

So. Stop working on your IPv6 implementations and your complex NAT solutions. Fuck 'em. I want a land grab on IP addresses so inflationary it makes the housing bubble look like the tiniest gap in the quantum foam. I want iPhones to stop working the world over. I want internet access to be doled out to racist grandmothers one byte at a time. When NYC trading companies move closer to the stock exchange so they can shave milliseconds off trading times, I want the majority of the money they spend to go to greasy bearded network administrators. I want Action Comics #1 to be more expensive than the Mona Lisa.

And when everyone is hurting... When countries are failing and children have forgotten what wikipedia is... When the western world is begging for facebook back. Then, we maybe should give them IPv6.
posted by seanyboy at 3:44 AM on January 29, 2011 [56 favorites]


Editors' Note: An earlier version of this story erroneously described an IP address as consisting of four digits, rather than four sets of digits

In the original version the difference between IPv4 and IPv6 was that the former uses 4 digits and the latter uses 6.
posted by antiwiggle at 3:46 AM on January 29, 2011


"In the original version the difference between IPv4 and IPv6 was that the former uses 4 digits and the latter uses 6."

Oh, how I wish that article was saved somewhere. Did anyone get a copy?
posted by jaduncan at 3:50 AM on January 29, 2011


IPv1 had one digit because the CEO of IBM, Dr James Watson, saw a worldwide need for maybe 9 computers.
posted by DU at 4:03 AM on January 29, 2011 [16 favorites]


I hate computers. That's why I'm sticking with IPv0.
posted by twoleftfeet at 4:09 AM on January 29, 2011


Oh, how I wish that article was saved somewhere. Did anyone get a copy?
posted by jaduncan at 11:50 AM


Here you go
http://img710.imageshack.us/i/foxnewss.jpg/
http://img710.imageshack.us/f/foxnewss.jpg/
posted by Lanark at 4:11 AM on January 29, 2011 [1 favorite]


From what I've seen, IPv6 is messy and unappealing. I'm not speaking from real authority here, not having studied it extensively, but I've looked into it a little. From the standpoint of someone who knows a lot about IPv4, these are (some of) the problems I see so far:

1) The addresses are too long to remember. An example loopback address from a Linux box: fe80::5652:00ff:fe83:4348. And that's leaving a whole bunch of 0s out. (that's what two colons mean in an IPv6 address... some number of zeroes.) And they're using hex coding to keep them shorter. If they were encoded in decimal like IPv4 addresses, they'd be 16 numbers long.... something like 10.18.23.7.85.32.95.88.36.253.98.76.12.73.85.100. I'm not sure which is more intimidating; they both seem pretty dismal to me.

2) DHCP does not, apparently, work properly on an IPv6 network... from the sound of it, it's kind of a mess. From what I can see in the briefest of overviews, it looks like devices are supposed to get a network number from the router, and then use their own MAC address as the bottom bits in the address. This means you can't easily put machines where you want them... your internal address space is always supposed to be mapped to MACs, and it looks like pushing out network changes automatically might not be possible anymore. In IPv4, if you want to change DNS or gateway or something, you can just update your DHCP and wait for all the clients to renew. It sure looks like that will be harder in IPv6.

3) They hand out such gargantuan net sizes to end users that it boggles the mind; they typically give out /64s to end users, which means that you can make, in your HOUSE, 4 billion existing Internets. It's not just that you could run the entire existing Internet in your home, all four billion addresses. No, you could run four billion full existing Internets, each containing 4 billion addresses, out of your cupboard or something.

3) It appears the IPv6 engineers really didn't like NAT, thinking it was just a hacky workaround for address exhaustion, rather than an insulation layer from your ISP. In IPv6, you will get your network from your provider. If you then use those numbers internally, you are getting deeply married to them, and the more complex your network, the more complete the marriage, and the more painful the divorce. In IPv4, you can set up everything on private addresses, and then get competitive bids for bandwidth. If a new provider is lower, you change your firewall and DNS, without really having to touch your internal machines. In IPv6, there doesn't seem to be any such mechanism, so switching providers would be hideously expensive. Providers will know this, and will use that fact to jack up rates.

There's at least a few more major issues that I can't think of right now. It suffers from 'second system syndrome', where everything is massively overengineered and painful to work with. It's gonna have one hell of a time getting traction, no matter how tight IPv4 addresses get.
posted by Malor at 4:25 AM on January 29, 2011 [22 favorites]


In response to 3) in Malor's comment, I think you will move from provider to provider by updating routing tables (like big networks do now when they switch transit providers) so this point may be moot.
posted by bystander at 4:58 AM on January 29, 2011


1. Yup, you can't depend on memorizing IPs any more. Fortunately we have DNS and /etc/hosts.

2. You've described IPv6's stateless autoconfiguration (which I don't know much about). There is also DHCPv6, which isn't any harder than DHCPv4.

3. Not really a problem, is it?

4. IPv6 doesn't prevent you from using NAT, it just means that you're not forced to.

We need this. The amount of effort that goes into making NAT traversal work is really dumb.
posted by cdward at 5:03 AM on January 29, 2011 [8 favorites]


Yeah, evidently by default your MAC address is part of your IPv6 address (meaning that any web site you'd visit would get a hardware serial number off of your computer or phone.) There are "Privacy Extensions" that compensate for this but right now if you have an iPhone it has to be jailbroken to enable the privacy extensions.
posted by XMLicious at 5:13 AM on January 29, 2011 [1 favorite]


The necessity for NAT in cases where NAT isn't necessary makes a lot of applications like VOIP far more complex than they need to be. IPv6 will be a vast, vast improvement.
posted by empath at 5:27 AM on January 29, 2011 [4 favorites]


That sentence didn't really make sense, but you know what I mean.
posted by empath at 5:28 AM on January 29, 2011


The Internet isn't running out of IP addresses; it's just that half of them are being sat upon by cybersquatters and the fucking spammers.
posted by bwg at 5:42 AM on January 29, 2011 [1 favorite]


seanyboy: "Remember that. When you spent the whole of 1998 fixing the Y2K bug so people wouldn't be adversely affected, and then 10 years later everyone remembers that actually, it wasn't a problem and the techies just pretended it was so they could get paid more. "

Shhhhhh! If you keep cool man, we could make a load of money off of this one too.
posted by KevinSkomsvold at 5:51 AM on January 29, 2011 [3 favorites]


Having the MAC address be part of each IPv6 address seems like it should raise some serious privacy concerns. Everything you do on your laptop or other mobile device could then be traced to your machine no matter what network you happen to be connected to. That seems like a pretty big deal when the government is angling for the ability to monitor all internet traffic and/or shut off access in emergencies. But watch for this to show up in TV cop shows to track a criminal to a cafe's Wi-fi network in the very near future.
posted by stopgap at 5:54 AM on January 29, 2011 [1 favorite]


1) The addresses are too long to remember. An example loopback address from a Linux box: fe80::5652:00ff:fe83:4348.

Couldn't you use something like 127::1 as a loopback address if you wanted to?

2) DHCP does not, apparently, work properly on an IPv6 network... from the sound of it, it's kind of a mess. From what I can see in the briefest of overviews, it looks like devices are supposed to get a network number from the router, and then use their own MAC address as the bottom bits in the address. This means you can't easily put machines where you want them... your internal address space is always supposed to be mapped to MACs

Does it really matter if people don't use MAC addresses? Seems kind of like a dumb idea, especially with regards to privacy issues

3) They hand out such gargantuan net sizes to end users that it boggles the mind; they typically give out /64s to end users, which means that you can make, in your HOUSE, 4 billion existing Internets. It's not just that you could run the entire existing Internet in your home, all four billion addresses. No, you could run four billion full existing Internets, each containing 4 billion addresses, out of your cupboard or something.

Which means you only need to remember the first 64 bits, and use some sensible numbering system for your devices if you want. Anyway it's not really a problem
posted by delmoi at 6:07 AM on January 29, 2011


Eli Lilly owns the entire 40.x.x.x block. IIRC, HP has two such blocks. Apparently, someone thought that there would be < 256 entities that would need addresses.

I think that I'm going to knit a pair of gloves that have three fingers each.
posted by double block and bleed at 6:12 AM on January 29, 2011 [1 favorite]


What? No one has posted The Day Routers Died yet?
posted by Slithy_Tove at 6:23 AM on January 29, 2011


There are definitely some quirks with IPv6 but they all seem to fall into one of three categories:
  1. It's New. The tools are still in flux. The idea of router advertisements is that your router broadcasts "hey I'm here" and those are independent from the other configuration done through DHCP. There are several rather complicated ways of controlling routes centrally but nobody is really sure what the 80% case is yet. Once there is, there will be HOWTOs and just enough documentation to get it working goddamit just like there is with v4. It doesn't help that lots of software out there has buggy as heck v6 implementations which induces people to turn them off.
  2. It's really, really complicated. There are lots and lots of ways to do simple things that are allowed by the v6 spec. There's provider-independent space that does what it says on the tin. Right now it's expensive to play with but it's likely the registrars will reduce the charges as usage grows. There's an address space similar to RFC 1918 space but with a random number component to reduce collisions (and if you've ever dealt with a big company that has 192.168.1.0/8 allocated six different ways internally you'll appreciate it). There are privacy extensions and encryption standards and and and... Just like #1 (and C++) most people will figure out what half or third of the protocol they actually need and ignore the rest.
  3. You're Doing It Wrong. Really a good chunk of the 'problems' with v6 are due to v4 assumptions. People are used to having to conserve addresses so giving a /64 to end users seems like madness. People are used to having one canonical IP address, v6 is designed to multihome from day one, one interface can have an arbitrary number of addresses and routes, no silliness with virtual interfaces. There are address families for forwarding to a new address when your device roams and with a /64 you could use a new address for each website you visit and still never run out.
That said we've been at this for 15 years now and the state of deployment is still laughable. None of the clever ideas to increase uptake have worked yet but there is some reason for optimism. Google and Facebook are pushing a World IPv6 Day this summer to enable dual-stacking by default and see who breaks. Some ISPs are starting to plan on deploying it to end users and if you're further up the geek scale than most you can start playing with it today or just see if you have it and don't know yet. Most people will end up using v4 for a good long time though via things like NAT64 even though backends may already use v6 in organizations whose subscriber base exceeds what's available in say 10/8.
posted by Skorgu at 6:26 AM on January 29, 2011 [12 favorites]


Remember that. When you spent the whole of 1998 fixing the Y2K bug so people wouldn't be adversely affected, and then 10 years later everyone remembers that actually, it wasn't a problem and the techies just pretended it was so they could get paid more.

I also remember how in 1998 the phone companies had to start rolling out more and more area codes because companies were buying up phone numbers by the thousands for all the desktop modems everyone needed. Good times, good times.
posted by briank at 6:28 AM on January 29, 2011 [1 favorite]


There are address families for forwarding to a new address when your device roams and with a /64 you could use a new address for each website you visit and still never run out.

I've just been googling IPv6 privacy issues and people keep saying this all over the net, with others reacting the same way I am - if it's your /64 block then simply changing the address within that block does nothing at all for privacy. Am I missing something?
posted by XMLicious at 6:41 AM on January 29, 2011 [1 favorite]


It brings privacy just about back to the current state of v4 NAT, the other end can't trivially tell which of n devices is making any given connection. Importantly it doesn't break end-to-end connectivity the way NAT does.
posted by Skorgu at 6:48 AM on January 29, 2011 [1 favorite]


seanyboy! Fantastic rant. Made my morning.
posted by dno at 6:55 AM on January 29, 2011


seanyboy: "I want internet access to be doled out to racist grandmothers one byte at a time."

I want this too. But not the other stuff, if that's OK.
posted by athenian at 7:05 AM on January 29, 2011


No, you could run four billion full existing Internets, each containing 4 billion addresses, out of your cupboard or something.

You obviously haven't seen my cupboard recently...
posted by DreamerFi at 7:15 AM on January 29, 2011


Ok, most of this i don't actually understand, but this:

Malor: devices are supposed to get a network number from the router, and then use their own MAC address as the bottom bits in the address.

really creeps me out, as far as privacy is concerned.
posted by paisley henosis at 7:20 AM on January 29, 2011


From the Wikipedia link:

IPv6 does not implement interoperability features with IPv4, and creates essentially a parallel, independent network. Exchanging traffic between the two networks requires special translator gateways, but modern computer operating systems implement dual-protocol software for transparent access to both networks.

So what are the implications for me, a typical non-tech-savvy user of the Internet?

Is it up to my ISP to install the dual-protocol software of which Wikipedia speaks? Would that be an expensive and complicated process for them? If I, as an IPv4 user, tried to access an IPv6-based website through this dual-protocol software, would it load more slowly and less efficiently than a website based on the older, more established protocol?
posted by jason's_planet at 7:42 AM on January 29, 2011


I'd like to try IPv6 at home. My ISP even has some IPv6 support. Is there a consumer router that will make this easier? I currently use a WRT54GL with Tomato firmware; I'm a fan of the hacker firmwares like Tomato and DD-WRT. What hardware + software would enable me to do IPv6 at home?

(I've been reading about IPv6 for 10 years, that the answer to this question is not obvious makes me sad.)
posted by Nelson at 7:45 AM on January 29, 2011


Skorgu: It brings privacy just about back to the current state of v4 NAT, the other end can't trivially tell which of n devices is making any given connection.

...obviously the part that's significant to privacy is that it's going from one of n devices associated with your ISP to one of n devices associated with you and you alone.

odinsdream: The ease of enabling IPSEC and other encryption should outweigh any privacy concerns along the MAC address lines, in any case.

But IPSEC isn't going to get you anything better than https/SSL does now, privacy-wise. The issue isn't protecting the pipe between you and the services you use to prevent snooping - though that's always nice - the issue is every service you use down to a company that has a 1×1 pixel image included in someone else's web page you viewed being able to uniquely identify you and accumulate and share data about you based upon that identifier, possibly to be integrated with info from IRL facilities that your phone pings as you walk around during the day.

I agree that any privacy under IPv4 is accidental and far from effective - and that IPv6 has to come and has a number of up sides - but this isn't an insignificant change even though it's just an intensification of existing online privacy problems. It's stupid to whitewash it or dismiss it for the sake of being all rah-rah-telecommunications-standards.
posted by XMLicious at 7:47 AM on January 29, 2011 [1 favorite]


Oh please. We've been running out of IP addresses for ever.
It is like running 30 miles toward a brick wall. It seems like getting to the wall takes forever. But when you actually, finally get to that wall....Wham!

The transition problem is that because there are so many pitfalls in switching over, most ISPs haven't done it. Everyone's trying to pretend that it really is many years off. For example, the Comcast website talks about starting trials. Verizon has just begun testing.

They shouldn't be starting trials, they should be finishing trials. It won't be a Y2K disaster, but the transition will definitely be very messy and frustrating. It seems clear to me that we really have to run out of addresses to get people to even start treating the issue seriously.

It reminds me of the documentary I once saw of thousands of zebras migrating across the land. They got to this river and halted, because there were alligators in the river. None of the zebras wanted to go first, but the zebras behind were piling up and starting to push the ones in the front. Finally a couple got brave and jumped in. They, of course, got eaten, while the rest of the zebras crossed the river.

No ISP wants to be that first zebra.
posted by eye of newt at 9:43 AM on January 29, 2011 [12 favorites]


This sounds like just the crisis to tide us over until 2038.
posted by TedW at 10:04 AM on January 29, 2011


...obviously the part that's significant to privacy is that it's going from one of n devices associated with your ISP to one of n devices associated with you and you alone.

That's one significant part, yes but there are others. Imagine your laptop stays at home most of the time and grabs a 'normal' v6 address with its MAC embedded. You do some surfing. You take that laptop to a coffee shop and do some more surfing. The sites you visit can correlate the two source addresses to a single device even if you have no cookies, don't log in, etc.

Even worse, imagine a smartphone. It associates with access points all over the place, now any site that you visit can tell not only where you're browsing from but that it's the same device as previous visits.

MAC addresses are even creepier in some areas, see the (kind of risque) talk at Defcon How I Met Your Girlfriend in which a MAC address combined with online databases of wifi access points and some router insecurities let an attacker locate your current physical location with reasonable accuracy just by getting you to execute some javascript.

jason's_planet: that's a surprisingly hard question to answer. Check out test-ipv6.com to see what you currently have set up. In brief you almost certainly don't have native ipv6 but you may have a Teredo or 6to4 tunnel that gives you a real IPv6 address but sends traffic over the v4 internet. The issue with v6 is that protocol stacks (rightly) prefer v6 over v4 connectivity but in some cases they're not bright enough to tell if your v6 connectivity is actually real. When that happens it will effectively try the nonexistent v6 link and wait to time out before trying the "legacy" v4 connectivity. Every time. This makes people think "v6 is slow" and turn it off.
posted by Skorgu at 10:04 AM on January 29, 2011
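The mechanics behind Malor's point 2, XMLicious's and stopgap's privacy worry, and Skorgu's home/coffee-shop scenario are easy to see in code. The following is an added example (not code from any commenter or from any IPv6 implementation) of how SLAAC builds an interface identifier from a MAC, how the MAC is recovered from the resulting address, how two addresses under different /64s are tied to one device, and what the RFC 4941 privacy extensions change. The MAC 00:1b:63:aa:bb:cc and the 2001:db8::/64 and 2001:db8:cafe::/64 prefixes are constructed (2001:db8::/32 is the documentation range); the last lookup uses the link-local address from Malor's own comment.

```python
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1   # low 64 bits of an address: the interface identifier
UL_BIT = 1 << 57           # the "universal/local" bit (0x02 in the IID's first octet)


def mac_to_modified_eui64(mac: str) -> int:
    """Interface identifier SLAAC derives from a 48-bit MAC (RFC 4291, appendix A):
    split the MAC in half, insert ff:fe between the halves, flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures on the /64 it learned from a router advertisement."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 identifiers needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_modified_eui64(mac)))


def interface_id(addr: str) -> int:
    """The low 64 bits of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 interface identifier; None if the ff:fe marker is absent."""
    b = interface_id(addr).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{o:02x}" for o in octets)


def same_device(addr_a: str, addr_b: str) -> bool:
    """Stable-IID correlation: two addresses under different /64 prefixes that carry the
    same interface identifier almost certainly come from the same network interface."""
    a = int(ipaddress.IPv6Address(addr_a))
    b = int(ipaddress.IPv6Address(addr_b))
    return (a >> 64) != (b >> 64) and (a & IID_MASK) == (b & IID_MASK)


def temporary_address(prefix: str) -> str:
    """RFC 4941-style temporary address: a random interface identifier with the
    universal/local bit cleared so it cannot be mistaken for a globally unique EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    iid = secrets.randbits(64) & ~UL_BIT
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    mac = "00:1b:63:aa:bb:cc"                       # constructed MAC
    home = slaac_address("2001:db8::/64", mac)      # laptop at home
    cafe = slaac_address("2001:db8:cafe::/64", mac) # same laptop at the coffee shop
    print(home, cafe, "same device:", same_device(home, cafe), "MAC:", embedded_mac(cafe))
    print("MAC in Malor's example:", embedded_mac("fe80::5652:00ff:fe83:4348"))
    t1 = temporary_address("2001:db8::/64")
    t2 = temporary_address("2001:db8:cafe::/64")
    print(t1, t2, "same device:", same_device(t1, t2))
```

With a stable EUI-64 identifier the home and coffee-shop addresses differ only in the top 64 bits, so any server that logs both can link them and read the MAC straight out of either one. A temporary address gives the other end nothing more than the /64, which is the "back to roughly NAT-level privacy" that Skorgu describes: the prefix still identifies the household or the hotspot, only the device inside it is hidden.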


But IPSEC isn't going to get you anything better than https/SSL does now, privacy-wise. The issue isn't protecting the pipe between you and the services you use to prevent snooping - though that's always nice - the issue is every service you use down to a company that has a 1×1 pixel image included in someone else's web page you viewed being able to uniquely identify you and accumulate and share data about you based upon that identifier, possibly to be integrated with info from IRL facilities that your phone pings as you walk around during the day.
That's no different than using a regular IP address today. If you're using your MAC address as the lower 64 bits, then they can trace when the top half changes. But if the bottom half changes, you won't be any more traceable than you are now.

Besides, not all network interfaces even have MAC addresses. Modems don't, do cell phones? I don't think so. They may have some ID number, but it's not specifically a MAC.
posted by delmoi at 10:14 AM on January 29, 2011


Check out test-ipv6.com to see what you currently have set up.

checks...

The most likely cause is NoScript or AdBlock+. NoScript can be told to permit all scripts on this page (you may need to do this more than once). At minimum, permit the urls listed below. [more info]

Heh. Let me try it in chrome (which doesn't have adblock)

Your IPv6 address on the public internet appears to be ...
Your IPv6 service appears to be: Teredo

Your IPv6 connection appears to be using Teredo, a type of IPv4/IPv6 gateway; currently it connects only to direct IP's. Your browser will not be able to go to IPv6 sites by name. This means the current configuration is not useful for browsing IPv6 web sites. [more info]

Your DNS server (possibly run by your ISP) appears to have no access to the IPv6 internet, or is not configured to use it. This may in the future restrict your ability to reach IPv6-only sites. [more info]

Huh.
posted by delmoi at 10:19 AM on January 29, 2011


Oh I forgot to include this:
Your browser is blocking the test urls. We will try alternate methods, but they may fail to show your IP address; and may affect the quality of the advice given. [more info]
That was what was 'most likely caused' by adblock.
posted by delmoi at 10:20 AM on January 29, 2011
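The Teredo result delmoi got from test-ipv6.com is worth decoding, because a Teredo or 6to4 address is not an opaque 128-bit number: it embeds the client's public IPv4 address, and for Teredo also the NAT-mapped UDP port and the NAT type. The following is an added example (not from the thread or from test-ipv6.com) that classifies an IPv6 address and extracts whatever IPv4 information it carries, following the layouts in RFC 4380 (Teredo), RFC 3056 (6to4) and RFC 4291 (IPv4-mapped). The sample addresses are constructed from documentation ranges; the Teredo one is the RFC's own layout with 192.0.2.45 as the client.

```python
import ipaddress


def _v4(n: int) -> str:
    """Dotted-quad form of the low 32 bits of n."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def decode_transition_address(addr: str) -> dict:
    """Classify an IPv6 address and pull out any IPv4 identity it embeds."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a.ipv4_mapped is not None:
        # ::ffff:a.b.c.d: what a dual-stack listening socket reports for an IPv4 client
        return {"kind": "ipv4-mapped", "ipv4": str(a.ipv4_mapped)}
    if (n >> 96) == 0x20010000:
        # Teredo (2001:0000::/32): server IPv4 | flags | ~port | ~client IPv4
        flags = (n >> 48) & 0xFFFF
        return {
            "kind": "teredo",
            "server": _v4(n >> 64),
            "cone_nat": bool(flags & 0x8000),
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,   # port is stored inverted
            "client_ipv4": _v4(n ^ 0xFFFFFFFF),            # so is the client address
        }
    if (n >> 112) == 0x2002:
        # 6to4 (2002:WWXX:YYZZ::/48): the public IPv4 sits in bits 16..47
        return {"kind": "6to4", "ipv4": _v4(n >> 80)}
    if a.is_loopback:
        return {"kind": "loopback"}
    if a.is_link_local:
        return {"kind": "link-local"}
    if (n >> 121) == 0x7E:
        # fc00::/7, the RFC 4193 unique-local space Skorgu compared to RFC 1918
        return {"kind": "unique-local"}
    return {"kind": "global" if (n >> 125) == 1 else "other"}


if __name__ == "__main__":
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2",   # constructed Teredo address
                   "2002:c000:204::1",                        # constructed 6to4 address
                   "::ffff:203.0.113.7",                      # IPv4 client on a dual-stack socket
                   "fe80::5652:00ff:fe83:4348", "::1", "fd12:3456:789a::1", "2001:db8::1"):
        print(sample, "->", decode_transition_address(sample))
```

The practical point for the privacy discussion: a host behind a home NAT that talks to a v6 site over Teredo hands the site its public IPv4 address and external port in every packet, which is more than a NATed v4 connection reveals. Python's own `ipaddress.IPv6Address` exposes `.teredo` and `.sixtofour` properties that can be used to cross-check the server and client fields above.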


I don't see a reason to freak out about this particular aspect of the protocol, honestly.

More importantly, it's not a choice between staying with 4 or moving to 6. 6 is coming, no questions asked. 4 is going away, regardless of opinion.


Yeah, as I said right above "IPv6 has to come". No one is suggesting a "freak out" over IPv6, just awareness of its significance: that any accidental anonymity you might have lucked out and had under IPv4 will be gone and that unless you take intentional anonymizing measures like using Tor, everywhere you go on the internet you'll be leaving tracks that are like a combination between your fingerprints and your social security number.

It's a transition from there being more people on Earth than IP addresses to there being something like 10^30 - 1,000,000,000,0... oh God I'm not going to bother free addresses per person. That's so sparse that whereas right now you could have an IPv4 address and not have any clue where it's coming from, with an IPv6 address you could probably literally lose half the digits and still have a good chance of tracking down exactly which person or device it came from.

Talking about IPSEC balancing out privacy concerns or hiding of the MAC address component making privacy issues "easily solved" is extremely misleading, I think, because this isn't a problem that some tech guy somewhere is going to solve for you: unless you're able to take steps to anonymize yourself, people need to anticipate that their real identity can be associated with every little thing they do on the web. They should already be thinking that way, of course, but the transition to IPv6 is effectively the end of getting privacy or anonymity on the internet accidentally or through good luck.
posted by XMLicious at 10:23 AM on January 29, 2011


Besides, not all network interfaces even have MAC addresses.

The thing is that MAC addresses won't be needed to uniquely identify you if you and your devices are the only things that are ever behind your IP addresses.
posted by XMLicious at 10:26 AM on January 29, 2011


See this comment.
posted by XMLicious at 10:57 AM on January 29, 2011


For end users one of the most notable things will be errors from websites. Many websites assume ipv4 addresses and won't properly handle ipv6. Now, I don't mean the routers and stuff, but more like application code that uses IPs to geolocate or puts IP addresses in a database, etc. Or call an internal API that only expects IPv4 addresses with an IPv6 address, fail to properly handle the error, and return a stack trace to the user (what? I would never make that kind of mistake. Don't know where you heard that....)
posted by wildcrdj at 10:58 AM on January 29, 2011
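wildcrdj's failure mode, an IPv4-only helper fed an IPv6 client, shows up first on dual-stack servers, where an IPv4 client arrives as ::ffff:a.b.c.d and an IPv6 client arrives with one of the 2^64 addresses in its /64. The following is an added example (not wildcrdj's code or any real application's) with the brittle dotted-quad helper beside a family-aware replacement that unwraps IPv4-mapped addresses and keys IPv6 clients by /64, the unit a subscriber actually holds; it then shows why the per-address key is the wrong one for rate limiting. The addresses are constructed from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def legacy_ip_to_int(ip: str) -> int:
    """The IPv4-only helper: packs the address into 32 bits for a geolocation table or an
    INT column.  Any IPv6 client, including ::ffff:203.0.113.7 from a dual-stack socket,
    raises here; left unhandled, that exception is the stack trace the user sees."""
    m = DOTTED_QUAD.match(ip)
    if not m or any(int(o) > 255 for o in m.groups()):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return int.from_bytes(bytes(int(o) for o in m.groups()), "big")


def client_bucket(ip: str) -> str:
    """Family-aware key for logging, geolocation and rate limiting.  IPv4-mapped forms are
    unwrapped so v4 clients keep their old key; IPv6 clients are keyed by /64, because one
    subscriber holds the whole /64 and can use a fresh address inside it per request."""
    addr = ipaddress.ip_address(ip.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if isinstance(addr, ipaddress.IPv4Address):
        return str(addr)
    return str(ipaddress.IPv6Network(f"{addr}/64", strict=False))


def busiest_client(ips, key=client_bucket) -> int:
    """Largest number of requests attributed to a single client key."""
    return max(Counter(key(ip) for ip in ips).values())


# constructed sample: five requests from one customer's /64, each from a different address,
# as a client using temporary addresses (or an attacker) would send them
HOPPING = [f"2001:db8:cafe::{i}" for i in range(1, 6)]

if __name__ == "__main__":
    print(client_bucket("::ffff:203.0.113.7"), client_bucket("2001:db8:cafe:0:21b:63ff:feaa:bbcc"))
    print("per-address key sees at most", busiest_client(HOPPING, key=str), "request(s) per client")
    print("per-/64 key sees", busiest_client(HOPPING), "requests from the same client")
    try:
        legacy_ip_to_int("2001:db8:cafe::1")
    except ValueError as e:
        print("legacy helper:", e)
```

Keying a limiter or a ban list by full 128-bit address under IPv6 lets anyone evade it by hopping within their own /64; keying by /64 restores the per-subscriber granularity that a single IPv4 address gave you, at the cost of being coarse for providers that hand several customers one /64. For the storage side of wildcrdj's point, a column sized for a 15-character dotted quad needs 45 characters to hold the longest IPv6 text form, or 16 bytes in binary.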


Metafilter: "a land grab on IP addresses so inflationary it makes the housing bubble look like the tiniest gap in the quantum foam"

stopgap writes "Having the MAC address be part of each IPv6 address seems like it should raise some serious privacy concerns. Everything you do on your laptop or other mobile device could then be traced to your machine no matter what network you happen to be connected to."

Just change your MAC periodically, randomly or on every connection. In the unlikely event of a collision, change it again.
posted by Mitheral at 11:02 AM on January 29, 2011


The thing is that MAC addresses won't be needed to uniquely identify you if you and your devices are the only things that are ever behind your IP addresses.
Who is talking about having a single address for every person? The top 64 bits should change as often as your IP address.
posted by delmoi at 11:52 AM on January 29, 2011


Malor: 1) The addresses are too long to remember. An example loopback address from a Linux box: fe80::5652:00ff:fe83:4348.

fe80:: is the link-local subnet. Only devices on your local network can see these addresses. Nothing is stopping you from manually assigning something like fe80::5652:0000:0000:0001.


delmoi: Couldn't you use something like 127::1 as a loopback address if you wanted too?

::1 is the loopback address for IPv6.


Addressing in IPv6 is very clever. It can't come soon enough.
posted by narwhal bacon at 11:54 AM on January 29, 2011 [2 favorites]


2) DHCP does not, apparently, work properly on an IPv6 network... from the sound of it, it's kind of a mess. From what I can see in the briefest of overviews, it looks like devices are supposed to get a network number from the router, and then use their own MAC address as the bottom bits in the address.

This isn't required. You can assign addresses to mac addresses if you like.


3) It appears the IPv6 engineers really didn't like NAT, thinking it was just a hacky workaround for address exhaustion, rather than an insulation layer from your ISP. In IPv6, you will get your network from your provider. If you then use those numbers internally, you are getting deeply married to them, and the more complex your network, the more complete the marriage, and the more painful the divorce.


With the size of the address space, this doesn't matter. You just use a lower subnet and the upper parts can change with the provider. The local address space is 4 billion+ addresses for this reason.


IPv6 is pretty amazing in a lot of ways, but it is going to require relearning a good deal of network theory. NAT cannot die fast enough.

And Apple's IPv6 implementation sucks naked donkey balls.
posted by Pogo_Fuzzybutt at 12:18 PM on January 29, 2011 [1 favorite]


Actually, given the results of test-ipv6.com I think if I used google public DNS I would be fully compliant. But they already know everything I search for, all my emails, etc. Would I really want to give google access to every DNS query my system requests?

I looked and they don't even have a privacy policy, or tell you whether or not they record data in their FAQ!
posted by delmoi at 12:29 PM on January 29, 2011


I've been running a v6-routable network at home for the past five years or so (not sure exactly how long) via a tunnel to Hurricane Electric. There were some problems at first, mostly the timeout problem Skorgu mentions, but I haven't had any problems in years. I assume the client stacks are smarter about that situation now; I haven't really looked into it. Most of my traffic still goes over v4, of course, but from time to time I talk to some website that has a v6 address and that works too. There's no user-visible difference unless I check the logs (or am using wget, which prints the other end's ip address).

Touching on Malor's points:

1) Yeah, v6 addresses are harder to remember, I agree. But if you want to increase the number of publicly visible machines there's no way around this.

2) That's how address autoconfiguration works, yes. It's possible to have a functioning v6 network with automatically-assigned addresses with no DHCP. (There's an equivalent technology for v4, which I hate.) Personally I run DHCP.

3) I don't see why this is a problem.

4) NAT is just a hacky workaround for address exhaustion. You can still run your internal network with scoped addresses if you really want to, just like you do with your NATted RFC1918 addresses today. And there's no reason NAT won't work on v6, for that matter. But you don't have to do these things anymore. v6 is also supposed to make it easier to renumber your network when your allocation changes, though I'm sure there are pitfalls and annoyances there. (Of course, if you've published any addresses in DNS or the like, you'll have to update those separately, just as if they were NATted v4 addresses.)

second system syndrome) I get what you're talking about, but I don't think the core of IPv6 really has that problem. What I think is happening is that a lot of people are angling to tie their favorite underdeployed technologies (multicast, IPSEC, address autoconfiguration) to the v6 rollout, hoping that since everyone's redoing their routers anyway, they'll add these extra technologies as well. None of those things are inherently v6-y, and all of them work (or not) with ipv4, but they suffer from a lack of adoption. Why not use the enforced v6 rollout to do some additional technology deployment? I think this is a misguided approach; it makes IPv6 look more complicated than it really is, and mostly doesn't address the underlying reasons those technologies aren't deployed.

MAC addresses embedded in your v6 address) Yeah, this bothers me too, but it's not a big problem because it's easily worked around. My publicly visible IPv6 addresses embed the machine's RFC1918 IPv4 address where the MAC would be.

Interestingly, what's really holding up v6 adoption is the consumer ISPs. The core of the internet is pretty much v6-capable, as I understand it, and end-user OSs all support it (Windows, MacOS, Linux, the BSDs, iOS). In fact you may well be using IPv6 already for local communication; Macs and Linux boxes will happily advertise their link-local v6 addresses in their MDNS/Bonjour advertisements and if you ssh to hostname.local you're often going over ipv6.

tl;dr: IPv6: It's not so bad.
posted by hattifattener at 12:50 PM on January 29, 2011 [2 favorites]


NAT cannot die fast enough.

NAT is indeed horrible; among other things it breaks a core design principle of the internet. But in the real world, it breaks it in an almost necessary way. I don't know how many hundreds of millions of corrupt XP installations there are out there seething with malware, but the lack of true end-to-end connectivity -- the fact that they cannot easily become servers without hijacking the gateway in some very crafty way* -- may be the only thing that allows the internet to function at all.

I suspect that for a transitional period of at least some years, retail ISPs are going to want to implement NAT by default to their customers even with IPv6, simply because most people don't have a firewall that's worth shit, and if they did they wouldn't know how to manage it. The alternative is for ISPs to block all inbound (from the customer point of view) connections, kind of like Comcast with rabies, and that's going to cause a lot of administrative problems at least.

*Of course the introduction of uPnP in home routers makes this a whole lot easier.
posted by George_Spiggott at 12:54 PM on January 29, 2011 [2 favorites]


"IPv6 has 10^38 addresses, so for all practical purposes, we can never run out of them." - Thomas Watson, chairman of IBM, 1943
posted by crapmatic at 1:59 PM on January 29, 2011 [1 favorite]


Crapmatic, I assume you jest, but just to put things into perspective:

With IPv6, every single cell in every person on Earth could have its own IPv4 address space. With lots more to spare.

We don't have to worry about IPv6 running out until we have colonized most of the galaxy.
posted by ymgve at 3:05 PM on January 29, 2011


so google has public IPv4 DNS servers, but doesn't have IPv6 DNS servers? what should I use so I don't use Comcast's IPv6 for DNS?
posted by garlic at 4:59 PM on January 29, 2011


Delmoi: google's privacy policy for their public DNS servers.
posted by garlic at 5:01 PM on January 29, 2011


Do we need some kind of IP survivor contest where really dumb websites get voted off the internet?
posted by jefbla at 8:11 PM on January 29, 2011


George_Spiggott: what you're referring to is the need for firewalls, which is unchanged either way. The fact that firewall boxes often also perform NAT doesn't mean they're required to do so.
posted by adamsc at 7:24 PM on January 30, 2011


Do we need some kind of IP survivor contest where really dumb websites get voted off the internet?

Websites can share IP addresses pretty easily.
posted by delmoi at 12:09 AM on January 31, 2011


So change your MAC address.

My servers come with four NICs, all set to the same MAC address -- but I can and do change them via software. *shrug* Have a script use a random string to change your MAC every time you boot up or something.
posted by wenestvedt at 6:47 AM on January 31, 2011


Change your MAC address?
I was astounded when I read this, but Google searching shows that there are lots of sites suggesting how to do this.

I always thought that this was one of the fundamental facts of Ethernet--every MAC has a unique address, hard coded into the hardware, that comes from one single universal list of numbers. That way there is never any clash of addresses throughout the world. Switches and routers and protocols all rely on this assumption.

Telling me that you can't even rely on this assumption is like telling me that gravity is going to stop working or that Fox news is going to start honestly reporting the news. I just don't know what to think anymore.
posted by eye of newt at 8:23 AM on January 31, 2011


Part of the concern with the MAC address is also the fact that in IPv4 it's a unique identifier which, if it were included in every packet end-to-end, would be a way of distinctly identifying your traffic from other IPv4 traffic across the entire internet.

But the fact that the MAC address fits inside an IPv6 address means of course that an IPv6 IP address is more uniquely identifying than a MAC address - so much more so that just the first half of the IPv6 address, what we've been assuming as the location of your personal subnet granted to you by your ISP in this thread, is as uniquely identifying or more uniquely identifying than a 48-bit or 64-bit MAC address.
posted by XMLicious at 1:10 PM on January 31, 2011


Part of the concern with the MAC address is also the fact that in IPv4 it's a unique identifier which

Nooo MAC addresses don't show up in IPv4 packets at all. IPv4 is used to route over the internet; when it gets to the final segment the router creates an Ethernet frame with your MAC address and the IP packet stuffed inside and sends it to you. But that's only on your local network. The IP packet doesn't contain the MAC.

Remember, IP can be sent over any kind of link, such as a modem.
posted by delmoi at 6:30 PM on January 31, 2011


delmoi, note the "if" that is the first word in the part of that sentence you left out of your quote. I did not say that the MAC address is part of an IPv4 packet.

You're missing some kind of key things in this thread. Up about when you quoted a statement I made about someone's "IP addresses" - explicitly plural right in the quote, i.e. their IPv6 /64 block or whatever their subnet is - you responded by saying, Who is talking about having a single address for every person?
posted by XMLicious at 7:22 PM on January 31, 2011


Meant Up about above..., of course
posted by XMLicious at 7:31 PM on January 31, 2011


Up about when you quoted a statement I made about someone's "IP addresses" - explicitly plural right in the quote, i.e. their IPv6 /64 block or whatever their subnet is - you responded by saying, "Who is talking about having a single address for every person?"
I meant single 64 bit address space, rather than a single 128 bit address, so that was a little sloppy on my part. The whole comment was:
Who is talking about having a single address for every person? The top 64 bits should change as often as your IP address.
As in, you seemed to imply that the top 64 bits would uniquely identify you, when in fact it wouldn't do any better at identifying you than IP addresses do now. The concern was whether or not the lower 64 bits would identify you even if you changed networks, since they are supposed to be your MAC address. But in actuality, the MAC address isn't really used as the lower 64 bits.

Also with regard to the MAC address in IPv4 you said: "in IPv4 it's a unique identifier" which could lead some people to think you thought MAC address was in IPv4 at all.
posted by delmoi at 9:35 PM on January 31, 2011


Well, possibly some crossed wires here. Whenever I have said "IP address" in the context of IPv6 I have been referring to the full 128 bit address. So,

The concern was whether or not the lower 64 bits would identify you even if you changed networks,

- I have never been meaning to discuss that at any point. What I've been talking about basically is the way that people who have gotten a bit of accidental anonymity via the top 8 or 16 bits of their IPv4 address changing when their cable modem or other device releases its DHCP address (as well as some people I know who do this intentionally instead of using a proxy or Tor or other anonymizing approach) aren't going to get that any more because your identity will essentially be an entire subnet under IPv6 rather than an individual IP address and your subnet / lower 64 bits won't be changing with any frequency under normal conditions.

(Except insofar as you change networks / ISPs, you're correct to point out.)

Just to get it out of the way, as I said way up above and you've quoted, MAC addresses won't be needed to uniquely identify you - so no concerns on my part about MAC addresses being indelibly or unchangeably embedded in your IP address or packets or anything, I don't know if anyone else is proposing that but I am not.

Certainly, in this comment when speaking about MAC addresses I should have said "in the context of IPv4 it's a unique identifier which..." lest anyone think that I was saying that MAC addresses are themselves part of the IP protocol.

So... all that out of the way hopefully, I do think that I have to disagree with you on one new (to me) point, where you say

you seemed to imply that the top 64 bits would uniquely identify you, when in fact it wouldn't do any better at identifying you as IP address do now

This may be a sort of picky technical disagreement on my part, since neither of us apparently was talking about the same thing at the point when it was first said, but here goes: with 2^64 possible addresses in each person's subnet (or 2^56 in odinsdream's case, which perhaps means that our common assumption in this thread of /64 personal subnets is incorrect - but in any case, a staggeringly large number many orders of binary magnitude higher than the total number of IPv4 addresses in today's entire internet) - with that many possible addresses in your own subnet, it will be quite possible that you'd have a device whose top 64 bits is actually unique in the entire world - i.e. no one else's subnet contains any nodes with the same top 64 bits to its IP address.

And in that case, technically, this part of your top-64-bit subnet could be uniquely identifying in a fashion such that even if you switched networks / ISPs and the lower 64 bits of all your addresses changed, if you didn't change the top bits at the same time that device with the distinctive top 64 bits would be salient so that traffic from it on your new network could be matched up with traffic that had come from it on your old network. So in that particular way of possibly being identifying across multiple subnets (which, depending upon how autoconfiguration and DHCPv6 work, for all I know might be a very unusual situation) it seems to me that the top 64 bits alone out of an IPv6 address could potentially be uniquely identifying in a way that an IPv4 address would not be. (But in any case easily taken care of by someone who knows what they're doing even if it's not an unusual situation.)

Whew, that was long. It's past my bedtime where I am so I'm bowing out for now but I'll be back tomorrow.
posted by XMLicious at 11:57 PM on January 31, 2011


Malor, you're normally great with computer questions, but I'd thought I'd tackle some of these concerns - I'm no expert, but I have done some work with ipv6, including my previous ISP allocating IPv6 blocks, and I've currently got an IPv6 sixxs tunnel going.

1) The addresses are too long to remember. An example loopback address from a Linux box: fe80::5652:00ff:fe83:4348. And that's leaving a whole bunch of 0s out. (that's what two colons mean in an IPv6 address... some number of zeroes.) And they're using hex coding to keep them shorter. If they were encoded in decimal like IPv4 addresses, they'd be 16 numbers long.... something like 10.18.23.7.85.32.95.88.36.253.98.76.12.73.85.100. I'm not sure which is more intimidating; they both seem pretty dismal to me.

3) They hand out such gargantuan net sizes to end users that it boggles the mind; they typically give out /64s to end users, which means that you can make, in your HOUSE, 4 billion existing Internets. It's not just that you could run the entire existing Internet in your home, all four billion addresses. No, you could run four billion full existing Internets, each containing 4 billion addresses, out of your cupboard or something.

IPv6 is huge. It's utterly, mind-bogglingly, ungraspably large. There are 5×10^28 addresses for every person on earth. A /64 is only 18x10^18 or so. The one thing they didn't do is think small. Assuming you use the 2nd half of the space for host addresses, i.e. MAC length, the routable part of your space gives you 65,000 'blocks' - ideal for assigning to VLANs! Admittedly, they're being a little generous in the early days - I've actually been given a /48 - but compared to IPv4, it's a way, way smaller percentage than the equivalent of a single IP address under the old system.

Still, it is big - which means remembering the addresses is harder. Which is where dynamic dns comes in. Your machine gets an IP, registers it with your DNS service on your router or DNS server, and you only need to know the machine name and domain, as currently.

Still, it's not that bad - 2a01:348:xxx::1/48 is my router address (x for privacy). The numbers after the double colon change for my hosts; DNS takes care of that, they're dynamic anyway. I only need to know the first bit, as that's my routable address space, and only when I'm fiddling with my routing setup - something a home user won't have to bother with. How many home users can quote their current IPv4 external 'real' address?

If you look at a linklocal address, fe80::5652:00ff:fe83:4348, fe80 is the non-routable section (all local non-routable ipv6 addresses are fe80, it's like the old 192.168.x.x range) but machines on local can talk to each other - the part after the double colon is the random host address. You don't need to remember that bit. Hell, if you want to just use local ipv6 and know the addresses by heart, manually set your addresses to fe80::1, fe80::2, fe80::3 etc. Local loop, i.e. 127.0.0.1 is ::1.

2) DHCP does not, apparently, work properly on an IPv6 network... from the sound of it, it's kind of a mess. From what I can see in the briefest of overviews, it looks like devices are supposed to get a network number from the router, and then use their own MAC address as the bottom bits in the address. This means you can't easily put machines where you want them... your internal address space is always supposed to be mapped to MACs, and it looks like pushing out network changes automatically might not be possible anymore. In IPv4, if you want to change DNS or gateway or something, you can just update your DHCP and wait for all the clients to renew. It sure looks like that will be harder in IPv6.

DHCP works fine on IPv6. It's just not needed most of the time. Your router broadcasts the routable part (the part before the double colon), the host makes up and adds the 2nd half (the host address), and bingo, it has an IPv6 address. You just change the routable part for each VLAN segment, if you're running multiple internal address spaces; the hosts don't need to know about that. By default, current IPv6 stacks use the MAC address as the host part, simply because it's fairly unique. However, Windows 7 by default uses the privacy extensions, which randomly generate a new host address that it actually uses. If there's a conflict (unlikely, given there's 18 quintillion or so) it picks a new one. It's easy enough to turn that option on in other OSes. DNS and gateway are given this way too, better than DHCPv4, to boot. The machine gives its address to the DDNS server, and you're done. If you really want you can use DHCPv6 instead, or even manually assigned instead.

Remember - the whole point of the IP address space is that every device has its own, utterly unique address. Any machine can talk to any machine anywhere, directly, when they know each others address.

3) It appears the IPv6 engineers really didn't like NAT, thinking it was just a hacky workaround for address exhaustion, rather than an insulation layer from your ISP.

Masquerade NAT (which is what we're talking about usually) is an utter, utter hack. It's nasty. You'll see what I mean once ISPs start deploying carrier-grade NAT to end users - i.e. you don't get a real IP address, just one internal non-routable address. Anything which requires P2P connectivity to work - like say, VOIP, or video conferencing, will get badly, badly broken by the double NAT.

Again - the whole point of an IPv6 address - and what IPv4 was about, before they realised they'd made a major underestimation of how big the network needed to be, and had to resort to NAT - is that every machine is uniquely routable.

Your 'internal' host scheme doesn't need to change. Only the routable address block, which comes from your ISP, just like your current external address. Change ISP, change the routable block on your routers to the new one, and you're done - the hosts pick up the new routable block, use their host address as before, and off you go.

And given you don't have to screw about with NAT, updating your routers is *easier* than it is under IPv4. Trust me, I've done it - it took me all of 2 minutes to change my IPv6 routing entries for home - and that included the googling to refresh my memory. I didn't alter my PCs at all, they just picked up the new range and ran with it.

Now, the other major concern I've seen is that now every machine has a globally reachable address, it might get hacked - on NAT, it was nice and private, now it's all visible! Which is the job of the firewall. Relying on NAT for security was always a bad idea, as it's breachable. Every consumer router has a built in firewall. Hell, windows has a built in firewall these days. Deciding what comes in and out at the edge of your network is properly the job of the stateful firewall, and always has been.

Addressing the privacy concerns expressed over machines having 'visible' addresses - well, that's rather the point. Your current IPv4 is visible, and your routable address part will be static and trackable, that's necessary. The network wouldn't work if it wasn't!

The MAC address used to generate IPv6? That's useful if you want a static service available on your network, for either internal file sharing, or external web sharing, or whatever. Anything where you're not a passive consumer of a stream of data from someone else (and even then, you need to send them data, and they need to know where to send it back, i.e. your address), you'll probably want a static address, and of course a public DNS entry for your published, and firewall allowing, IPv6 address.

The great thing is, everything is reachable, uniquely. No more munging with non standard port numbers for multiple web servers behind one IP. No more fixed port forwarding for anything, no uPnP. Hosting a game on your xbox 720 will 'just work' with no munging of ports required! Several people at once can play steam games behind the same network! You won't have to send your video calls through someone else (a supernode) to talk to each other, making it faster, and far more reliable. Remote desktop into any machine you want, have them all visible from the outside if you want to open up the firewall for that. So you can do all that, with a static address; but with IPv6, it's way easier to have multiple IPv6 addresses if you want to hide your machine's identity. Windows does this by default, so your MAC address is safe when you visit a random site, and it's a simple option on linux. Hell, there's no reason you couldn't generate a new host address for every http outbound request - and I bet we see some form of browser plugin that does exactly that.

It's gonna have one hell of a time getting traction, no matter how tight IPv4 addresses get.

New is always scary. And expensive. And complicated. ISPs and routers don't support IPv6, most haven't even started trials. Right now, we should be deep into rollout. This is going to be hard, and messy. Not because IPv6 sucks, but because we've left the transition far, far too late.
posted by ArkhanJG at 12:59 AM on February 1, 2011 [1 favorite]
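The sizes traded above (a /64 holding four billion IPv4-sized internets, 65,000 /64 blocks in a /48, 5×10^28 addresses per person, the sixteen-octet decimal form Malor imagines, and the `::` shorthand in the quoted fe80 address) can all be checked with Python's standard `ipaddress` module. This is an added example, not code from the thread or from any poster; the /48 prefix is a constructed value in the 2001:db8::/32 documentation range standing in for the masked 2a01:348:xxx::/48, and the scope classifier only covers the address classes the thread mentions.

```python
"""Arithmetic on IPv6 address sizes (added example, standard library only).

The /48 below is a constructed value in the 2001:db8::/32 documentation
range; it stands in for the masked 2a01:348:xxx::/48 quoted in the thread.
"""
import ipaddress

EXAMPLE_ROUTER_PREFIX = "2001:db8:1::/48"       # constructed
EXAMPLE_LINK_LOCAL = "fe80::5652:ff:fe83:4348"  # link-local address quoted in the thread
IPV4_SPACE = 1 << 32


def exploded(addr: str) -> str:
    """All eight groups with leading zeros restored (undoes the '::' shorthand)."""
    return ipaddress.IPv6Address(addr).exploded


def as_dotted_decimal(addr: str) -> str:
    """The form Malor imagines: sixteen decimal octets separated by dots."""
    return ".".join(str(b) for b in ipaddress.IPv6Address(addr).packed)


def subnets_in(prefix: str, new_prefixlen: int) -> int:
    """Number of /new_prefixlen networks inside `prefix`, e.g. /64s in a /48."""
    net = ipaddress.IPv6Network(prefix)
    if not net.prefixlen <= new_prefixlen <= 128:
        raise ValueError("new prefix length must lie between the parent's and 128")
    return 1 << (new_prefixlen - net.prefixlen)


def hosts_in(prefix: str) -> int:
    """Addresses in the network (IPv6 has no broadcast address to subtract)."""
    return ipaddress.IPv6Network(prefix).num_addresses


def ipv4_internets_in(prefix: str) -> int:
    """How many complete 2^32 IPv4 address spaces fit inside the network."""
    return hosts_in(prefix) // IPV4_SPACE


def addresses_per_person(population: int) -> int:
    """Whole IPv6 addresses per person if the 2^128 space were shared evenly."""
    if population <= 0:
        raise ValueError("population must be positive")
    return (1 << 128) // population


def scope(addr: str) -> str:
    """Classify an address into the classes the thread talks about."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:                                   # ::1, the IPv6 127.0.0.1
        return "loopback"
    if a in ipaddress.IPv6Network("fe80::/10"):         # link-local, never routed
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):          # unique-local, the RFC1918 analogue
        return "unique-local"
    if a in ipaddress.IPv6Network("2001:db8::/32"):     # reserved for examples
        return "documentation"
    return "global" if a.is_global else "other"


if __name__ == "__main__":
    print(exploded(EXAMPLE_LINK_LOCAL))
    print(as_dotted_decimal(EXAMPLE_LINK_LOCAL))
    print(subnets_in(EXAMPLE_ROUTER_PREFIX, 64), "/64 blocks in the /48")
    print(ipv4_internets_in("2001:db8:1:2::/64"), "IPv4-sized internets per /64")
    print(addresses_per_person(7_000_000_000), "addresses per person")
    print(scope("::1"), scope(EXAMPLE_LINK_LOCAL), scope("2001:db8::1"))
```

Note that `hosts_in` returns the full 2^64 for a /64: unlike IPv4 there is no broadcast address to reserve, which is why the "four billion internets" figure is exact rather than approximate.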


And in that case, technically, this part of your top-64-bit subnet could be uniquely identifying in a fashion such that even if you switched networks / ISPs and the lower 64 bits of all your addresses changed, if you didn't change the top bits at the same time that device with the distinctive top 64 bits would be salient so that traffic from it on your new network could be matched up with traffic that had come from it on your old network.
Ah, I see. Even if you're not using your actual MAC address, picking a random number for your IP could still uniquely identify you. I guess it depends on how often those lower 64 bits are rotated. I would guess the way to handle that would be for the OS to change those bits randomly whenever it gets put on a new subnet.

I think it would be better to try to separate privacy from IP routing. Using a proxy would still be safer for people.

Here's an interesting thought: With so many IP addresses available, why not use a new IP for every process rather than for every physical machine? Obviously if you use virtual machines now you can have lots of separate logical machines with their own IPs. Why not extend that to processes themselves? In that case, each time you restart your browser it would have a new IP, and different browsers would have different IPs. Or even browser windows.

(heh, I just noticed ArkhanJG said the same thing :P)
posted by delmoi at 12:40 PM on February 1, 2011


I totally agree that it's best to separate privacy from IP routing. I don't think that there's anything wrong with IPv6, it's a vastly superior architecture that will provide new options for privacy and anonymity once everything is rolled out and well-understood.

What I've been saying is just that the significance of the IPv4-to-IPv6 transition, from a privacy perspective, is that any accidental anonymity you'd garner through the various IPv4 NAT mechanisms is gone, so now every single internet user really and actually has to think about anonymity and take their own anonymity measures, otherwise they must expect that the internet is a *public place where everyone can see you* by default now.

As far as the OS changing the top 64 bits regularly, I checked out the Privacy Extensions RFC and it says
Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier.
Emphasis mine - so at least on OSes like Windows that have the Privacy Extensions enabled and are running with autoconfigured IP addresses, you won't have that problem. Hopefully DHCPv6 has some similar measure or DHCP vendors are thinking along these lines too.

So Privacy Extensions and measures like it, such as every individual process getting its own IP out of your subnet as you suggest or a browser plugin that gets you a new IP address with every HTTP connection as ArkhanJG suggests, are going to be great but they'll only be defeating old-fashioned tracking mechanisms, the ones left over from the IPv4 internet that track individual IP addresses; because like I said above, in IPv6 your identity is going to be your entire subnet / lower 64 bits and you're still going to need a Tor-like anonymity mechanism to get out of your subnet.

I'm imagining some mechanism so that you can "donate" a batch of a million IP addresses to a Tor-like project, if we can figure out a way so that you're moving the addresses around rather than moving the data around to different addresses the way Tor does now.

But anyways, so yeah it looks like every security mechanism everywhere that is based on tracking individual IP addresses is going to break. This and a bunch of other security issues I've come across seems like it's worth a new post, so here goes.
posted by XMLicious at 5:01 PM on February 1, 2011
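hattifattener's remark about what goes in the lower 64 bits, ArkhanJG's description of stacks using the MAC as the host part, and the Privacy Extensions RFC (RFC 4941) quoted above all concern the same interface identifier. The following is an added example, not code from the thread or from any operating system's stack: it derives the modified EUI-64 identifier (RFC 4291) that stateless autoconfiguration builds from a MAC, recovers the MAC from an address that embeds one (the check you would run over your own hosts' addresses to see whether they expose hardware identifiers), and builds a random identifier of the kind privacy extensions use instead. The MAC and prefix are constructed sample values; the MAC was chosen so that its EUI-64 form matches the fe80 address quoted earlier in the thread, and the retry in `privacy_iid` is this example's own choice, not something the RFC requires.

```python
"""Interface-identifier (lower 64 bits) checks for IPv6 addresses.

Added example, not from the thread or any operating system's stack.
The MAC and prefix are constructed sample values; the MAC was chosen
so that its modified EUI-64 form equals the fe80 address quoted earlier.
"""
import ipaddress
import secrets

SAMPLE_MAC = "54:52:00:83:43:48"       # constructed
SAMPLE_PREFIX = "2001:db8:1:2::/64"    # constructed documentation prefix
IID_MASK = (1 << 64) - 1


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC in half,
    insert ff:fe between the halves, flip the universal/local bit (0x02 of
    the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def iid_of(addr: str) -> int:
    """The host part: the low 64 bits of the address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def embedded_mac(addr: str):
    """Recover the MAC if the host part is EUI-64 shaped, else None.
    The ff:fe marker in the middle is the tell; the U/L bit is flipped back."""
    iid = iid_of(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def leaks_mac(addr: str) -> bool:
    """True when a remote peer could read the hardware address out of the IP."""
    return embedded_mac(addr) is not None


def privacy_iid() -> int:
    """Random identifier of the kind RFC 4941 temporary addresses use: 64 random
    bits with the universal/local bit cleared. The retry when the random bytes
    happen to carry the ff:fe marker (a 1-in-65536 case) is this example's own
    choice so that leaks_mac() is always false for its output."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD                      # clear the U/L bit: "locally administered"
        if iid[3:5] != b"\xff\xfe":
            return int.from_bytes(iid, "big")


def build_address(prefix: str, iid: int) -> str:
    """Combine a /64 routing prefix with a 64-bit host part, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses /64 prefixes")
    if not 0 <= iid <= IID_MASK:
        raise ValueError("interface identifier must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    stable = build_address(SAMPLE_PREFIX, mac_to_eui64_iid(SAMPLE_MAC))
    temp = build_address(SAMPLE_PREFIX, privacy_iid())
    print(stable, "->", embedded_mac(stable))   # the MAC is readable from the address
    print(temp, "->", embedded_mac(temp))       # None: nothing hardware-specific exposed
```

Running `embedded_mac` over the addresses your hosts actually use on the wire is the quick way to see whether privacy extensions are in effect; an address with `ff:fe` in the fifth and sixth octets of its host part names the network card, and that part stays the same whichever prefix the host moves to.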


At the risk of saying something nice about Comcast, I thought I'd forward this relevant note (snipped from a message to Dave Farber's list): [Y]esterday we at Comcast announced that we've started native dual stack production trials on our DOCSIS network … The trial will soon expand beyond Colorado and each user receives a /64 allocation …
posted by hattifattener at 10:38 PM on February 3, 2011

