[trout]

Not a flame - your perspective is very typical for people that don't have a lot of experience with networking past the host or server level. (Very little experience with networking in the core, provider, or putting together network services architecture).

1. In theory the routing table with IPv6 can be smaller. The address design should be hierarchical, which means you should be able to have much fewer routes. It's too early to tell if this is actually true or not, but the addresses themselves are 4x larger - which isn't going to be the determining factor in routing table size.

2. Not everything needs to be publically routable, true. IPv6 has the idea of link local and autonomous system local addressing which IPv4 doesn't have. The RFC 1918 block was used instead. But think for a second - there's only 4 billion addresses (less when you count bogons and multicast ranges), and it's only a matter of time until those are taken up. So we can choose to do it now, 2 years from now, or 5 years from now, but devices are growing faster than ever and it's only a function of time.

3. NAT is not a security feature, is not good for the internet, and the sunk costs spent building an ALG for every protocol to work around it is a significant development sinkhole. It's a workaround often masqueraded as security, and does cause many application problems. It's just not normally the application developers that have to fix those problems - it's the network and security teams.

4. IPv6 was created in the late 90's. People have been waiting for brilliance to supercede IPv6 for a while. I'll admit it's not the easiest, but there are a certain set of problems you have when you expand the address space.

5. I'm familiar with all the IPv4 headers, and nearly all of them are used. ID is used for packet identification, particularly through network services, DSCP is used heavily, DF and other flags are used - they're just obscure. If you look at IPv6 those same headers are basically recreated, though with slightly different names. The ones that aren't included are addressable through the extension headers.

So, yeah. That's another perspective that may help you understand why IPv6 is a bit of a quagmire. The faster people understand this, the sooner we get to a place where the chicken-egg problem fades away.

[btilly]

I only care about one point. That NAT is not a security feature.

The original reason that I began using NAT was so that my ISP couldn't charge me per device. You just plugged in a NAT enabled router, and ran everything behind it. That became so ubiquitous that ISPs gave up on trying.

My concern about IPv6 is that ISPs will want to go back to charging per device. I didn't like that then, and I don't want it now.

[mSparks]

From a host perspective it's a great security feature. you have a local address means your host cannot be contacted from the outside world. You want your host to have an IPv6 address, VPN into an IPv6 provider.

The fact that demand for this is so low, just goes to show it's not needed at the moment.

In fact, I can't think of a single reason "why" IPv6 would be needed.

I definately don't want all my devices to have a web reachable address, far from it, total security nightmare.

one entry point - a VPN on IPv4 is just great thanks, secure and easy to manage. want to access my other devices, jump on the VPN.

I that sense, you can describe IPv6 security, as configuring your VPN with no password and letting anyone connect to it.

The other way to look at it, is the successsor to IPv4 is called tor.

[amaranth]

> one entry point - a VPN on IPv4 is just great thanks, secure and easy to manage. want to access my other devices, jump on the VPN.

There are 4 billion IPv4 addresses and 7 billion people on the planet. Before we even get into business use of IPv4 for servers and such we don't have enough addresses to do what you want.

[mikeash]

It's not like NAT stops working with IPv6, it just becomes much less necessary. If your ISP starts being stupid like that, just keep NATting.

[MichaelGG]

> 1. In theory.. IPv6...hierarchical.

Is that even remotely close to being true in practise? Would we expect to see it be smaller than IPv4? Given the quadrupling of address sizes, wouldn't that mean there'd need to be 1/4th the number of routes? And peering destroys the hierarchy, does it not?

I was under the impression that the hierarchical routing had an assumption that networks could renumber at will. So multiple subnets might map to the same host or something to that effect. Is that incorrect?

>3. NAT is not a security feature

Except it turns out that proper NAT is equivalent to a firewall with inbound deny, outbound allow. Which is a pretty good start for security.

>ALG for every protocol

Applications that break with NAT usually do so due to poor design (hey SIP and FTP). With a firewall with default inbound deny, programs can't just accept inbound connections without doing work anyways (UPnP or whatnot). Although sure, it makes known-two-way datagram applications easier since you start transmitting and get a flow opened. Wouldn't help TCP based applications, for instance.

[welterde]

> Is that even remotely close to being true in practise? Would we expect to see it be smaller than IPv4? Given the quadrupling of address sizes, wouldn't that mean there'd need to be 1/4th the number of routes? And peering destroys the hierarchy, does it not?

No.. the point is that each ISP will get only one very large prefix (/32 or bigger) instead of many small ones, which can't be aggregated like it is the case for IPv4.

Right now there are about 46k ASN's in the legacy internet announcing about 490k IPv4 routes. Best case with IPv6 you would end up with 46k routes.

In practise it looks like there are 8k ASNs in the internet announcing about 16k IPv6 routes. So while not perfect, it's still quite a lot better than for the legacy internet.

> Applications that break with NAT usually do so due to poor design

So how would you design a P2P application that has no poor design?

[MichaelGG]

Might the current IPv6 numbers just reflect that a lot of people aren't peering or anything? I was under the impression that a lot of announcements were driven by the need for not relying on a single provider.

>So how would you design a P2P application that has no poor design?

SIP and FTP break even in non-P2P scenarios, so my comment was mainly directed at them. For P2P apps, NAT doesn't pose a whole lot more of a problem than a firewall with the same configuration. So you'd use UPnP or whatever protocol to get around it. At that point, it doesn't really matter, does it? The app talks to local gateway and ask for the IP and port forwarding either way.

[welterde]

> Might the current IPv6 numbers just reflect that a lot of people aren't peering or anything?

Peering doesn't require you to announce more routes per se, although some networks do it for traffic engineering purposes. From an BGP [1] perspective there is not that much difference between peering and transit.

> I was under the impression that a lot of announcements were driven by the need for not relying on a single provider.

Multihoming is another issue. And you can explain the difference in the number of AS [2] as networks not having deployed IPv6 yet. But the number of announced routes per network will be lower for IPv6 than it is for IPv4 (which hasn't even reached the worst case yet).

> For P2P apps, NAT doesn't pose a whole lot more of a problem than a firewall with the same configuration. So you'd use UPnP or whatever protocol to get around it. At that point, it doesn't really matter, does it? The app talks to local gateway and ask for the IP and port forwarding either way.

But that way you are still pushing more logic into the applications (namely that they have to implement UPnP). Which actually might end up requiring more code than your actual application (SAFT [3] for instance..). Now in the firewall you could just allow known-good inbound ports and be done with it.

[1] http://en.wikipedia.org/wiki/Border_Gateway_Protocol [2] http://en.wikipedia.org/wiki/Autonomous_System_%28Internet%2... [3] http://fex.rus.uni-stuttgart.de/saft/sendfile.html