[Info-vax] implementing IPv6 on the internet

Chris xxx.syseng.yyy at gfsys.co.uk
Tue Sep 20 09:08:33 EDT 2016


On 09/20/16 09:47, Dirk Munk wrote:
> This contribution is not about VMS, it is about IPv6 and the way it is
> introduced.
>
> Stephen Hoffman tells us we have to concentrate on the introduction and
> use of IPv6, and let me be very clear about this, he is absolutely right.
> I have been advocating IPv6 for over 10 years now, so we have no
> difference of opinion there.
>
> IPv6 has been under development for over 20 years now, so you might
> think there is a clear concept how it all has to work, but alas this is
> not the case. By far the most global IPv6 addresses will be found in the
> home LANs of consumers, so how to deal with those addresses is something
> that should have been high on the agenda of the IETF. Should have been,
> but it wasn’t, it was completely forgotten.
>
> To explain what I mean, let’s start with IPv4. The only global IPv4
> address that you have at home will be the WAN address of your router (if
> you’re lucky), all the IPv4 addresses on your LAN are private addresses.
> If you’re not lucky, your ISP uses carrier grade NAT, and you will also
> have a private address on the WAN port of your router. I will not go
> into that.
>
> That IPv4 address usually will also have some cryptic DNS name attached
> to it, but since the address will be dynamic, the DNS name will also be
> dynamic. To overcome this problem, you may register your router with a
> DNS name of your liking at a dynamic DNS organisation like Dyndns. Your
> router will take care that its WAN address is kept up to date at that
> organization. However, that DNS name is always an alias. Reverse name
> lookup (address > DNS name) will never show the DNS name you chose, it
> will always show the cryptic DNS name of your ISP. After all, the DNS
> server of your ISP is the authoritative name server for that address
> space, not the name server of your dynamic DNS organization.
>
> If you want to reach a device on your LAN from the internet, you address
> a certain port number on the WAN address of your router, and by means of
> port forwarding it will be translated to an IP address and port number
> on your LAN. You will all be familiar with this concept.
>
> With IPv6 things are very different. First of all there are three kinds
> of IPv6 addresses (actually there are more). The first is the Link Local
> address, it is present on every IPv6-enabled interface, whether or not
> there is an actual IPv6 network present. It starts with fe80:: , and
> these are non-routable addresses. Then we have the global IPv6 address,
> it often starts with something like 2001:: . And then we have the Unique
> Local Addresses (ULA), they can be seen as the IPv6 equivalent of IPv4
> private addresses. They start with something like fd00:: .
>
> Every device on your LAN will get at least one global IPv6 address. That
> address will be used on the internet. If you want to reach that device
> from the internet, you will have to use that IPv6 address, not the IPv6
> address of the WAN port of your router. It should also have a DNS name.
> In fact it is good practice that every IP address on the internet has a
> DNS name. That means every global IPv6 address (all IPv6 capable devices
> on your LAN) should be registered with a DNS name at some DNS server.
>
> Which DNS server should that be? Very simple, the DNS server of your
> ISP. It is the authoritative name server for that address space. Every
> consumer should get his own (sub)domain there, and your router will be
> responsible for adding the addresses and DNS names, that is the general
> idea. You don’t want address spoofing etc., so it has to be done in a
> very secure way.
>
> The ideas are there, but nothing has been defined in RFCs yet. You can
> not buy any router that can do this, no ISP is prepared for this massive
> task. And yet we are implementing IPv6 with consumers right now,
> wonderful isn’t it?
> The ULA addresses are also very important. On your home LAN you should
> use those addresses for communicating between devices. Your router
> should be a DNS server for a local domain. That way if the connection
> with the internet is lost, you still have a fully functioning network.
>
> My personal idea is that if you use global IPv6 addresses for
> communicating between devices on your LAN, it should be handled as
> traffic from the internet. This way you can check accessibility of
> devices from the internet. Since there is no ARP with IPv6, I have the
> idea that it should be possible to set this up.
>
> After you’ve read all of this, I hope you can understand why I’m so
> cynical about IP. It’s not that I don’t want IPv6, on the contrary we
> need it badly. In fact we are at least 5 years late with the
> implementation. But how stupid must you be if you start implementing a
> completely new network architecture (which IPv6 is!), and leave such an
> enormous gaping hole in the concept? After all, most of the IPv6 addresses
> will be at people’s homes, certainly when the Internet Of Things starts
> picking up.
>
> Conceptual thinking is lacking, also with security. If telnet is not
> secure, let’s build something completely new with its own security
> (SSH). If FTP isn’t secure, well then let’s use SFTP, or FTPS, or SCP or
> … Not to mention the different versions of FTP itself of course
> (active, passive...).
>
> What we need are clear, well defined concepts, and proper standards that
> reflect these. What we also need are proper test suites to check if
> everything works as it should, if everything is secure, and so on.
>
> Any comments are welcome.
>

Interesting post. You seem to be suggesting that IPV6 has been under
development for a decade or more, yet the required standards have
still not been established?

If true, any sane risk assessment would suggest that it's avoided like
the plague until it's seen to be fully sorted. Experiment with it,
sure, but ready for production?

IPV4 may be running out of addresses, but not a problem if you increase
the use of subnetting. Not to mention the fact that some organisations
are sitting on huge blocks of addresses that are not being used.
Perhaps we need a rule that says "if you don't use it within a defined
period, you lose it"...

Regards,

Chris
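As an added example (not part of the thread, nor anyone's router code), the Python below classifies addresses into the three kinds Dirk lists (fe80::/10 link-local, fd00::-style ULA under fc00::/7, 2000::/3 global unicast), applies his suggestion that LAN-to-LAN traffic on global addresses be run through the same filter as traffic from the internet, and derives the ip6.arpa name the ISP's authoritative server would have to host. The prefix table, the policy labels and the sample addresses are constructed for this example.

```python
import ipaddress

# Prefixes named in the post. Classification is done by prefix rather than
# via the stdlib is_global flag, which also excludes ranges such as the
# documentation block 2001:db8::/32 used for the samples below.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")          # fd00::/8 is the half in use
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope(addr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'other' for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def lan_policy(src: str, dst: str) -> str:
    """How a home router should treat a packet between two LAN hosts.

    Constructed policy following the post: ULA-to-ULA stays local (and keeps
    working when the uplink is down), global-to-global is pushed through the
    WAN ingress rule set, and anything else is dropped in this example.
    """
    s, d = scope(src), scope(dst)
    if s == d == "link-local":
        return "local"            # neighbour discovery etc. never leaves the link
    if s == d == "ula":
        return "local"            # the local domain the router's DNS serves
    if s == d == "global":
        return "internet-filter"  # same checks as traffic from the internet
    return "drop"                 # mixed scopes or unknown ranges


def ptr_name(addr: str) -> str:
    """ip6.arpa name the ISP's DNS must hold for reverse lookup to match."""
    return ipaddress.IPv6Address(addr).reverse_pointer


if __name__ == "__main__":
    # Constructed sample LAN hosts.
    for a in ("fe80::1", "fd12:3456:789a::10", "2001:db8:1::10"):
        print(a, scope(a), ptr_name(a))
    print(lan_policy("2001:db8:1::10", "2001:db8:1::20"))
```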
