IPv6 networking: Bad news for small biz

You may not get fired for buying Cisco, but you can go bust


Sysadmin blog IPv6 is traditionally a networking topic. Yet IPv6 is as much a business consideration as it is a technical one. As world IPv6 day rolls around again, we're going to see an ever-increasing amount of technical IPv6 coverage. Before we do, I think a business interjection is warranted.

IPv6 was neither designed for small biz nor consumers. IPv6 was designed by big-ticket network engineers bearing global infrastructure and enormous enterprise networks in mind. Learned gentlemen who live in a world where buying IBM and connecting it with Cisco never got anyone fired.

High atop this lofty tower of big data and even bigger budgets, RFC after RFC was submitted, debated, refined, revised and eventually implemented in the code we see in our operating systems today. Problems faced by enterprise networks needed solving, and IPv6 evolved into an excellent solution.

But nobody worried about the little guy. There are a lot more of us small and medium enterprises than big heavies. With IPv4 allocations gone we're facing having to adopt a protocol with some significant flaws [PDF]. Well, flaws for normal people; they're pretty much irrelevant if you have a big enough budget.

The elephant in the room is renumbering. In the IPv4 world, you have one internet-addressable IP address (or a small handful) and the rest of your network lives in non-routable private space. Your internal network sits on the other end of a NAT firewall, subnetted and organized into something that makes sense for the local sysadmins. If you need to change your internet service provider for any reason, that's perfectly okay. Your external address changes, a few firewall rules are changed and life moves on. If you need to reorganize your address space internally, no problem! You execute the change, and the outside world is none the wiser. Simple, easy and convenient.

In an IPv6 world, this is a no-no. There is no NAT; it was deemed heretical by the priestly caste of network engineers running the holy church of the IETF. Blasphemers are chastened and belittled. So what are our options?

The official answer is a combo deal. You must accept that renumbering is the new order. If you change ISPs and your assigned block changes then you must have every single computer, switch, router, printer, and network-attached doodad change with it.

No more static addresses*, not even for servers. Everything should be configured by DHCP or stateless autoconfiguration. Whereas in an IPv4 world you created firewall rules for servers (and the applications they ran) by IP, in an IPv6 world your firewall will still work because all your systems should have proper fully qualified domain names.

The domain name assignation will "just work" because it will be tied into the DHCP and into a proper, full-blown asset management system. You will record all your MAC addresses for all your servers correctly, and assign them to the right profile. All of this will work together flawlessly, human error somehow won't happen, and the market will create solutions that are easy to use.

Sure it will. It's been 13 years since the original RFC for IPv6 was published, and there is a marked dearth of usable SME or consumer gear that pulls off all of this majesty and wonder.

Right about now, an interjection typically begins "but the Cisco…" and I have to stop everyone right there. If your argument includes the words Cisco or Juniper, we're not talking about the same market.

The budgets available for the IT space I am talking about differ by an order of magnitude. Despite this, we somehow manage to provide uptimes no worse than the big guys and still manage redundancy. At least we do in an IPv4 world.

This leads into the other major issue with IPv6: the inability of a small shop to multihome. In an IPv4 world this is simple and cheap: NAT onto two ordinary uplinks and fail over from one to the other. The IPv6 solution is "get a provider-independent address assignment and do proper routing".

And I'd like to be the King of all Londinium and wear a shiny hat.

Meanwhile on planet Earth

These folks obviously know nothing about life on the frugal edge. Consumer-grade ISP connections simply don't allow for that sort of thing. Even if you have the cash for your ISP's so-called business-class package, they'll still give you the stink eye the instant you start talking about such tomfoolery.

From a purely technical perspective, is the suggestion on the table really that three-person companies seeking ISP redundancy start doing BGP? That is the single craziest thing I have ever heard.

There are other issues, and the necessary solution is finally getting some attention. Even the IETF has (with great protest) recognized the need for NAT in IPv6. It's called IPv6-to-IPv6 Network Prefix Translation (NPTv6, RFC 6296)[1] now; more traditional NAT implementations have been introduced and shot down already.

Right about here, a network priest is bound to butt in with many and varied horror stories, invariably coming back to "it breaks the holy end-to-end-model whose restoration is of paramount importance".

This is where the business side of the equation is important. IPv6 NAT is here, today. Implementations exist in the real world. It is cheap, simple, and makes nearly all of the IPv6 problems that SMEs and consumers have simply go away. The few remaining bugs with it are being worked out.

In 13 years, the alternatives put on the table have boiled down to "spend more than you have available". Worse, the rationale typically presented simply doesn't matter to the people buying and implementing IT equipment in the SME and consumer space.

The chance for the priestly caste of network engineers to reshape the world has passed. A laser focus on the technical came at the cost of any focus whatsoever on the practical. In the end, the high priests of the internet simply didn't give the fuzzy wuzzies reason enough to believe. ®

Bootnote

[1] NPT is a 1:1 form of NAT. You can assign computers behind the firewall addresses according to whatever schema makes the most sense to you. You can use the firewall to map them 1:1 to an external block. So your server on the internal IP fd05:936e:4ab8::0024 can map directly to an external IP such as 2001:cdba:3257:9652::0024. (Strictly, NPTv6 as specified in RFC 6296 also adds a fixed 16-bit correction to one word of the address, the subnet field for a /48 mapping or a word of the interface identifier for longer prefixes, so that TCP and UDP checksums survive the translation without being rewritten. The mapping is still 1:1 and reversible, but the low words of the external address will not always be byte-for-byte identical to the internal ones as shown here.)

When you change ISPs you simply change the prefix configuration in the firewall without having to redo all of the rules, and without having to readdress a single network device. fd05:936e:4ab8::0024 now maps to 2001:556e:3311:abfc::0024, and Bob's your uncle.

Updated to add

* This does not mean that static addressing under IPv6 is impossible; it certainly is possible, and nearly every IPv6 implementation supports it. It is, however, a terrible idea if there is even a remote possibility that renumbering will need to occur, as it would require manually readdressing each statically addressed interface on each system. This contrasts with the configurability that a 1:1 NAT offers, wherein static addressing is made feasible even in the face of renumbering.
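The prefix-translation step the bootnote describes, as an added example written for this page and not code from the article, from the IETF, or from any firewall vendor: a small Python model of the RFC 6296 (NPTv6) scheme, including the checksum-neutral correction word. It assumes internal and external prefixes of equal length no longer than /64, reads the bootnote's addresses as /64 prefixes (an assumption; the article does not state prefix lengths), and all class and function names are this example's own.

```python
# Added example: a model of RFC 6296-style checksum-neutral prefix translation
# (NPTv6). Not the article's code nor any firewall's; names are this example's own.
# Assumes internal and external prefixes of equal length, between /1 and /64.
import ipaddress
from typing import List


def ones_complement_add(a: int, b: int) -> int:
    """Add two 16-bit words with end-around carry (one's-complement arithmetic)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_complement_sum(words: List[int]) -> int:
    total = 0
    for w in words:
        total = ones_complement_add(total, w)
    return total


def to_words(addr: ipaddress.IPv6Address) -> List[int]:
    """Eight 16-bit words of the address, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(words: List[int]) -> ipaddress.IPv6Address:
    n = 0
    for w in words:
        n = (n << 16) | (w & 0xFFFF)
    return ipaddress.IPv6Address(n)


def address_ones_sum(addr: str) -> int:
    """One's-complement sum of an address as a TCP/UDP checksum sees it.
    0xFFFF and 0x0000 are the same one's-complement value, so fold 0xFFFF to 0."""
    return ones_complement_sum(to_words(ipaddress.IPv6Address(addr))) % 0xFFFF


class NPTv6:
    """1:1, reversible prefix translation that leaves transport checksums intact."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        self.plen = self.internal.prefixlen
        if self.plen != self.external.prefixlen or not 1 <= self.plen <= 64:
            raise ValueError("this example needs equal prefix lengths of /64 or shorter")
        # RFC 6296: adjustment = (one's-complement sum of internal prefix words)
        # minus (that of the external prefix words). The top four words of each
        # network address cover any prefix up to /64, since non-prefix bits are 0.
        p_int = ones_complement_sum(to_words(self.internal.network_address)[:4])
        p_ext = ones_complement_sum(to_words(self.external.network_address)[:4])
        self.adjust_out = ones_complement_add(p_int, ~p_ext & 0xFFFF)  # p_int - p_ext
        self.adjust_in = ones_complement_add(p_ext, ~p_int & 0xFFFF)   # p_ext - p_int

    def _translate(self, addr: str, src, dst, adjustment: int) -> str:
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        host_bits = (1 << (128 - self.plen)) - 1
        w = to_words(ipaddress.IPv6Address(int(dst.network_address) | (int(a) & host_bits)))
        if self.plen <= 48:
            idx = 3  # /48 or shorter: the subnet word (bits 48..63) absorbs the adjustment
            if w[idx] == 0xFFFF:
                raise ValueError("subnet 0xFFFF would collide with 0x0000; refusing")
        else:
            # /49../64: the first interface-identifier word that is not 0xFFFF absorbs it
            idx = next((i for i in range(4, 8) if w[i] != 0xFFFF), None)
            if idx is None:
                raise ValueError("an all-ones interface identifier cannot be translated")
        w[idx] = ones_complement_add(w[idx], adjustment)
        if w[idx] == 0xFFFF:
            w[idx] = 0x0000  # same one's-complement value; keep the canonical form
        return str(from_words(w))

    def outbound(self, addr: str) -> str:
        return self._translate(addr, self.internal, self.external, self.adjust_out)

    def inbound(self, addr: str) -> str:
        return self._translate(addr, self.external, self.internal, self.adjust_in)


def demo() -> dict:
    """Constructed scenario: the bootnote's addresses read as /64 prefixes. The host
    keeps fd05:936e:4ab8::24 while the translator is pointed at each ISP in turn."""
    host = "fd05:936e:4ab8::24"
    isp_a = NPTv6("fd05:936e:4ab8::/64", "2001:cdba:3257:9652::/64")
    isp_b = NPTv6("fd05:936e:4ab8::/64", "2001:556e:3311:abfc::/64")
    out_a, out_b = isp_a.outbound(host), isp_b.outbound(host)
    return {
        "isp_a": out_a,
        "isp_b": out_b,
        "round_trip_a": isp_a.inbound(out_a),
        "neutral_a": address_ones_sum(host) == address_ones_sum(out_a),
        "neutral_b": address_ones_sum(host) == address_ones_sum(out_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two points the bootnote makes plus the one it glosses over: the host's own address never changes and switching ISPs is one line of translator configuration, but the external addresses come out as 2001:cdba:3257:9652:24c7::24 and 2001:556e:3311:abfc:86af::24 rather than ending in a bare ::24, because the fifth word carries the checksum-neutral correction. Firewall rules on the outside therefore have to be written against the translated form, and an internal subnet or interface identifier of all ones is the one input the scheme cannot map unambiguously.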

Biting the hand that feeds IT © 1998–2022