
IPv6 on UPC

  • 13-10-2010 11:57pm
    #1
    Closed Accounts Posts: 688 ✭✭✭


    got UPC installed the other week, whilst checking everything was connecting ok i noticed that the router they supplied was issuing IPv6 addresses.

    Had no way to test until this evening when was working with a friend setting up an irc network, one of the servers has IPv6 connectivity so decided to try and use IPv6 to connect and to my shock it worked.

    Looks like UPC are getting ready for the big IPv4 dry up, glad to see it



Comments

  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    Google IPv6 Security.

    If you don't want Pwnd, turn off all IP6 for now.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,196 Mod ✭✭✭✭Jonathan


    innovated wrote: »
    got UPC installed the other week, whilst checking everything was connecting ok i noticed that the router they supplied was issuing IPv6 addresses.

    Had no way to test until this evening when was working with a friend setting up an irc network, one of the servers has IPv6 connectivity so decided to try and use IPv6 to connect and to my shock it worked.

    Looks like UPC are getting ready for the big IPv4 dry up, glad to see it

    Out of interest what pool have they been allocated?


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    I'd also be interested to know if it's still the same Cisco EPC2425 (I'd be surprised if it isn't) and if so what firmware version it is running.

    It's nice to see companies finally start to roll it out, it's going to really suck when ISPs have to use NAT because the software support for IPv6 isn't really there yet.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    There are 10s of Millions of IP4 addresses held still by companies and universities and Military in states.

    IPv6 was designed quite long ago and creates lots of problems. The only one it actually solves is address space.

    In reality there may be enough IPs for 50 years without ISPs using NAT, if the USAians shared them equitably.


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    seeing as IT Tallaght has over 2000 IPv4 addresses alone, shows where the real waste is

    not sure what range have been allocated for IPv6, didn't look into it too much, just saw that had an IPv6 address and decided to test it by connecting to another IPv6 host, based in Germany


  • Registered Users, Registered Users 2 Posts: 642 ✭✭✭macrubicon


    innovated wrote: »
    seeing as IT Tallaght has over 2000 IPv4 addresses alone, shows where the real waste is

    You presume they are being wasted because ?? CIT and Carlow have Class B's - is that a waste ?

    It's good to see ISP's taking things in charge and moving over - will be interesting to see if they have an IPv6-v4 gateway anywhere for non IPv6 services if they wanted to go v6 only....


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    macrubicon wrote: »
    You presume they are being wasted because ?? CIT and Carlow have Class B's - is that a waste ?

    It's good to see ISP's taking things in charge and moving over - will be interesting to see if they have an IPv6-v4 gateway anywhere for non IPv6 services if they wanted to go v6 only....

    do they REALLY need that many publicly available IP addresses, going on the number of IP's i would ASSUME that they are issuing public IP's to all hosts which IS a waste as they can nat the internal network


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    If US institutions had single class B that would be one thing. Many have Class A 16,777,216 or multiple 20 bit (1,048,576) addresses.

    Most Irish Colleges do NAT internal networks so as to block ports, throttle traffic and protect vulnerable PCs/Servers.

    Only specifically "hardened" and up to date patched PCs/Servers are safe to connect to Internet direct without a separate Firewall.

    List of SOME of the indecent hoarders of 16 Million IPs blocks or more each
    http://en.wikipedia.org/wiki/List_of_assigned_/8_IP_address_blocks

    Some of the above are valid users of 16M addresses. Many are not.

    There could be half a billion unused/Misused IPs just in North America.
    The British Dept. Of Defence certainly doesn't need 16Million.

    No organisation needs more than 65K unless they are a public ISP.

    You can't switch off IP4 on your PC/Server till last IP4 destination has IP6
    They still have not figured out security & privacy issues fully.

    Basically they need to scrap IPv6 and invent a new scheme that includes solutions to the major issues and compatibility, not the way IP6 works.


  • Registered Users, Registered Users 2 Posts: 2,000 ✭✭✭lynchie


    watty wrote: »
    No organisation needs more than 65K unless they are a public ISP.

    True.. Most of the colleges, DIT / TCD / UCD / HEANET / Maynooth, Galway, Cork all have their own class B. That's 65K for each of em. Doubt they use 65K public IPs between them!


  • Registered Users, Registered Users 2 Posts: 642 ✭✭✭macrubicon


    innovated wrote: »
    do they REALLY need that many publicly available IP addresses, going on the number of IP's i would ASSUME that they are issuing public IP's to all hosts which IS a waste as they can nat the internal network

    As an admin in an IoT - yes. There are a lot of things you cannot do with NAT'd addresses and where possible NAT is used but sometimes and for some applications you need direct out which will involve a large number of addresses when you start talking about labs with dozens of PC's in each.

    We have had an IPv6 assignment since very early on in the days of IPv6 but to be frank there are simply not enough endpoints to warrant moving to it quickly. We would end up with a monster IPv6-4 gateway that would quickly get unmanageable from a traffic point of view.

    That's why things like UPC moving are good news days - there is a huge base of users ( I'm presuming it's a global UPC move ) who now can access our limited IPv6 services. There is a whole chicken and egg thing with IPv6 and this type of thing helps create momentum.


  • Registered Users, Registered Users 2 Posts: 443 ✭✭bricks


    And the previous company I worked for had 1 class A.
    They could defo hand one of them class A's back.
    I'm surprised there isn't some sort of market value put on a Class 'A' range where it would be sold to a large ISP.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    There is a market value

    Class As are now even sold piecemeal.

    This is why I don't believe we will run out of IP4.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,196 Mod ✭✭✭✭Jonathan


    IPv6 full cone NAT + IPtables solves some of the privacy issues.

    This would still allow internal hosts to be accessed from the internet but protect against people tracking a person's location when using autoconfigured IPv6 addresses (lower 60 bits of IP address = [upper MAC address]:FFFF:[lower MAC address])


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    Admittedly there is a lot of under utilization of IPv4 for certain ranges, fact of the matter is that reclaiming those ranges is unfeasible. Stanford relinquished their /8 back in 2000 and it's estimated that that only pushed back the exhaustion by a month. Making full use of the IPv4 range may push back exhaustion but that would be at the expense of vastly completely routing tables as well as a huge amount of effort on the part of the relinquishers both in switching over their networks as well as tightening their firewalls.

    Anything short of IPv6 will be just postponing the inevitable, esp considering that the rate of IP usage has been increasing, and companies won't take IPv6 seriously until their customers are using it.

    I'm not saying that I'd be comfortable with switching over to IPv6 just yet, but I do think that people need to have the option.


  • Registered Users, Registered Users 2 Posts: 1,056 ✭✭✭maggy_thatcher


    watty wrote: »
    There is a market value

    Class As are now even sold piecemeal.

    This is why I don't believe we will run out of IP4.

    To increase the number of available IPv4's that way would be to cause the routing tables to jump in size as they fragment the address space more and more. This means that those responsible for the internet backbone are left with two choices:
    1. Upgrade the routing hardware to support longer and longer routing tables in IPv4. In addition, get all the ISPs to introduce NAT to reduce the number of IP addresses they actively use.
    2. Upgrade the routing hardware to support IPv6

    Given the two choices, I would hope they'd focus primarily on the latter.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    There needs to be a plan.

    I'm just not convinced by the current one.


  • Registered Users, Registered Users 2 Posts: 1,056 ✭✭✭maggy_thatcher


    If you don't mind my asking - watty, why don't you like IPv6?

    Security - it has IPSec built in as a mandatory part of it, unlike an optional extension with IPv4.
    Privacy - Do you mean something in particular? If you mean the idea of the MAC address being part of the address, that's optional (some routers can swap it for a different number on exit, and there's no actual requirement that it must be the MAC address -- it can be any random number, as long as it's unique within a particular subnet).
    Compatibility - IPv4 can run in parallel with IPv6 until IPv4 runs out of space. If we give everybody that has an IPv4 address an IPv6 address, then everyone currently on the internet can access the material on IPv6 space, and everyone can access the material on IPv4. As more and more content becomes IPv6 only, only those that haven't migrated will be affected. There are also IPv6-IPv4 converters, which, while cumbersome, can provide connectivity to IPv4 services to those without IPv4 addresses. Whatever option is taken, those who stick with the old network will not be able to access those on the newer ones, but even if we found some other new IP to replace IPv4, there's nothing that's going to replace that.

    IPv4 has a limit of 3,706,452,735 globally accessible addresses (once we exclude reserved addresses). Assuming there are more than 3 billion unique client/servers around, and assuming we don't want to introduce hacks such as NAT to try and "hide" parts of the network, a new protocol is necessary. If IPv6 isn't the right answer, why isn't it?

    As an example, in this house, I've 4 computers, 3 DLNA clients, 1 games console, 1 smartphone and 1 printer all sharing the same public IP address (but with different internal addresses). I then have a bunch of IP forwarding rules set up in the router to allow me to access (some of) them remotely. It's rather frustrating having to remember "machine X is running ssh on port Y not 22" rather than just letting them have their own AAA records and use the standard port the odd time I have to go and get something. The sooner we all get IPv6 addresses (properly firewalled, of course), the better.

    From an ISP point of view, I would imagine they'd probably like to introduce IPv6 too so that they could see that I have 10 devices attached to their "single IP" product and bill me accordingly, but hopefully that won't happen :p

    I'm not saying there isn't work to be done, in particular end-users who have hardware firewalls will need to make sure that they don't just blindly pass IPv6 traffic straight into their network, but it's work that should be done sooner, rather than later imho.


  • Posts: 0 [Deleted User]


    I've done a lot of work in schools around north Kerry and west Limerick and noticed that their Cisco and MSI UDgateway routers give out public IP addresses in the 87.34.xxx.xxx range. I'd assume it's done for security reasons (easier to isolate a PC which might be infected) but I find it quite wasteful.


  • Moderators, Education Moderators, Home & Garden Moderators Posts: 8,196 Mod ✭✭✭✭Jonathan


    Karsini wrote: »
    I've done a lot of work in schools around north Kerry and west Limerick and noticed that their Cisco and MSI UDgateway routers give out public IP addresses in the 87.34.xxx.xxx range. I'd assume it's done for security reasons (easier to isolate a PC which might be infected) but I find it quite wasteful.

    Might not be the full 87.34.0.0/16 (old Class B network) though. It could actually be 87.34.0.0/20 for example which only contains 4096 hosts.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    Most UPC modems are indeed just modems. No NAT or Router. So you get a public IP.


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    watty wrote: »
    Most UPC modems are indeed just modems. No NAT or Router. So you get a public IP.

    i am using the cisco ones that have router and nat built in (actually hate the cisco router, which is strange cause i love cisco stuff)


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    Cisco bought Scientific Atlanta (cable Modems) a few years ago, more recently they bought Linksys (Other Consumer Internet products). I suspect there is little in common between an Enterprise Edge Router and a Cable Modem/Router or Home Ethernet Router other than the Branding.


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    watty wrote: »
    Cisco bought Scientific Atlanta a few years ago, more recently they bought Linksys. I suspect there is little in common between an Enterprise Edge Router and a Cable Modem/Router or Home Ethernet Router other than the Branding.

    yeah, wondering if there is a way i can get it changed out as really starting to annoy me.

    Seeing as we are speaking on the subject of ip4 drought etc etc, anyone know if UPC give out dedicated IPv4 addresses on their net connections? would be handy for server admin


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    They can.

    but a UPC IP changes so infrequently that dyndns will work. Some Routers have dyndns auto-update client, or you can run one on your LAN. But the IP changes so infrequently you can update manually.

    Anyway, there will be a Drought of IP4s but not as soon as people wanting to sell IP6 gear claim. Currently only Network/Computer Gurus know how to make a box on IP6 secure. Conficker will be nothing compared to mayhem if home users are on IP6


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    Some light reading. The IETF are not gods.

    http://www.theregister.co.uk/2010/10/15/sysadmin_dns_heretic/

    Graph *HUGELY* understates free IP4
    http://arstechnica.com/business/news/2010/09/there-is-no-plan-b-why-the-ipv4-to-ipv6-transition-will-be-ugly.ars

    They need a plan B now. I've talked to Cisco experts and they say IPV6 as it is today is a disaster for home users and smaller Businesses without security and network gurus.

    Splitting old Class As into 65K IP blocks happens already. No big deal for routers or root DNS.

    http://arstechnica.com/apple/news/2007/02/7063.ars

    We have been getting the "Sky is falling in" we need to move to IPv6 now warning for over 6 years. Yet only in 2008 did IETF set up a IPV6 Firewall taskforce.

    Today a Tiny fraction of Internet Traffic is using IPV6, a fraction of the hosts (a tiny fraction) that could run IPV6.

    The fact is that for
    Security
    Privacy
    DNS
    DHCP
    IPv4 interworking
    Packet overhead, esp on Mobile
    the IPv6 is almost a failure. That's why uptake is so low.
    The amount of free IPv4 Addresses has been consistently understated which doesn't help the case for IPv6, which almost only helps address space.

    Real ISPs can't use full NAT. It's only appropriate for LANs. Though Mobile ISPs frequently do use it because basically Mobile isn't much use for other than casual browsing and email fetching. You'd be mad to host anything or run serious p2p (not just Torrents, but Skype, Konteki video players, SIP, some games etc) on Mobile. LTE won't cure Mobile http://www.techtir.ie/blog/watty/mobile-never-broadband. So Mobile can continue to mostly use NAT.

    It's Real Broadband that can't use ISP NAT

    Hosting of any kind or any kind of p2p (plenty of legitimate, it's not just for filesharing) won't work over ISP NAT. It works on your own LAN nat as there is a 1:1 correspondence between port usage on public IP and LAN, as long as there is only one of each kind of server that uses a fixed port.

    So LANs don't ever need public IPs. Though SIP was pretty problematic. (SIP proxies, ICE, TURN etc are solutions). NAT on a LAN inherently blocks most unwanted "attacks" and hides what you have. There is no easy IPv6 equivalent. You are supposed to make each machine secure. Even the Intranet Web & email servers that are never accessed from Public Internet.

    We are going to run out of IP4, eventually. We do have maybe 5 to 10 years, not the 2 years claimed by IPv6 vendors.

    IETF needs to rethink and come up with IPv7. IPv6 isn't a solution. There needs to be Plan B, because IPv6 isn't flying.


  • Registered Users, Registered Users 2 Posts: 1,056 ✭✭✭maggy_thatcher


    If I recall correctly, in the earlier days of IPv4, it was also a security nightmare for anybody other than network gurus. The difference between then and now of course is that network is substantially bigger (so most people didn't care). Remember the days when Windows9x and Windows3.11 were plugged directly into the internet?

    Security/Privacy/DNS issues are all solvable at the ISP level, leaving end-user safely protected (if desired). That post regarding Apple's routers providing IPv6 addresses is more that Apple really should have the IPv6 firewall set to the same settings as the IPv4 firewall by default. It's a configuration issue more than anything else.

    IPv6 is sometimes actually better than IPv4 in terms of packet overhead -- an optionless IPv4 header may be half the size of an (optionless) IPv6 header, but an IPv4 header is quicker/easier to parse for routing hardware (the way the options are handled). For mobile, it has the distinct advantage of there being explicit support for keeping services/connections alive while a mobile node moves around. While right now, mobile networks are unsuitable for running long-term services, give it a couple of years and that won't necessarily be the case. An IPv4 header is also more likely to have options, making the header bigger again.

    The only big issue remaining is IPv4 internetworking -- and that's what dual-stacks are for.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    In Win3.x & Win9x days I installed Firewalls and Proxies. I've been configuring Network security since 1993. But I'm not confident about securing an IPv6 based system.

    You can't solve security at ISP level unless all you have is the sort of service offered by Mobile for casual browsing and email. Security is the user's issue, not the ISPs. The ISP is a pipe.

    There is no simple concept as an IPv6 firewall in sense that there is on IPv4.


  • Closed Accounts Posts: 688 ✭✭✭Captain Commie


    watty wrote: »
    They can.

    but a UPC IP changes so infrequently that dyndns will work. Some Routers have dyndns auto-update client, or you can run one on your LAN. But the IP changes so infrequently you can update manually.

    I use several servers and try to restrict my ssh access to specific IP's and to have to change that is a PITA, talking about 10 servers at present, hence why i would like a static ip


  • Registered Users, Registered Users 2 Posts: 1,056 ✭✭✭maggy_thatcher


    watty wrote: »
    In Win3.x & Win9x days I installed Firewalls and Proxies. I've been configuring Network security since 1993. But I'm not confident about securing an IPv6 based system.

    You can't solve security at ISP level unless all you have is the sort of service offered by Mobile for casual browsing and email. Security is the user's issue, not the ISPs. The ISP is a pipe.

    I know that - it could be an optional service - so that people who know what they're doing can turn it off and set up their own environments, whereas the "general" public can have basic protection if they need it.

    watty wrote: »
    There is no simple concept as an IPv6 firewall in sense that there is on IPv4.

    What's wrong with ip6tables? (and the equivalent for other OSes)? If the default settings on any environment was accept link-local addressing only, with explicit access enabled to particular port/addresses I don't see what the difference is?
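
One way to write down the default described in the post above (drop inbound by default, accept link-local, then open specific ports to specific addresses) is to generate an `ip6tables-restore` ruleset. This is an added example, not code from the thread; the function name, the sample 2001:db8:1::/64 prefix, and the extra loopback, connection-tracking and neighbour-discovery rules are assumptions made so the host stays usable.

```python
import ipaddress

LINK_LOCAL = "fe80::/10"
# ICMPv6 neighbour discovery: router solicit/advert, neighbour solicit/advert.
ND_TYPES = (133, 134, 135, 136)


def build_ruleset(allow):
    """Return ip6tables-restore text for a default-deny host firewall.

    `allow` is an iterable of (source_prefix, protocol, port) tuples, the
    explicit openings; everything else unsolicited is dropped.
    """
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",      # default: drop unsolicited inbound
        ":FORWARD DROP [0:0]",    # this host is not a router
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # Replies to connections this host opened (assumption, see lead-in).
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -s {LINK_LOCAL} -j ACCEPT",
    ]
    for icmp_type in ND_TYPES:
        # Hop limit 255 proves the packet was not forwarded by a router.
        rules.append(
            f"-A INPUT -p ipv6-icmp --icmpv6-type {icmp_type} "
            "-m hl --hl-eq 255 -j ACCEPT"
        )
    for source, proto, port in allow:
        # IPv6Network rejects IPv4 prefixes and prefixes with host bits set.
        net = ipaddress.IPv6Network(source)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port!r}")
        rules.append(f"-A INPUT -s {net} -p {proto} --dport {int(port)} -j ACCEPT")
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


# Constructed sample: SSH reachable only from one documentation prefix.
SAMPLE_ALLOW = [("2001:db8:1::/64", "tcp", 22)]

if __name__ == "__main__":
    # Review the output, then load it with: ip6tables-restore < ruleset.v6
    print(build_ruleset(SAMPLE_ALLOW), end="")
```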


  • Registered Users, Registered Users 2 Posts: 18,637 ✭✭✭✭kippy


    macrubicon wrote: »
    As an admin in an IoT - yes. There are a lot of things you cannot do with NAT'd addresses and where possible NAT is used but sometimes and for some applications you need direct out which will involve a large number of addresses when you start talking about labs with dozens of PC's in each.

    We have had an IPv6 assignment since very early on in the days of IPv6 but to be frank there are simply not enough endpoints to warrant moving to it quickly. We would end up with a monster IPv6-4 gateway that would quickly get unmanageable from a traffic point of view.

    That's why things like UPC moving are good news days - there is a huge base of users ( I'm presuming it's a global UPC move ) who now can access our limited IPv6 services. There is a whole chicken and egg thing with IPv6 and this type of thing helps create momentum.

    Can you give me an idea of these applications?
    I can think of one or two but NONE that would be on labs of PC's.......
    IPv6 seems like a dead squib to be honest.
    This is an interesting topic though.

