A Swiss VM hosting provider has a technical blog post about how to kill IPv4 completely on FreeBSD. That is to say, turning it completely off, not just preferring IPv6. They then solicit concrete solutions describing, along with a proof of concept, how to turn IPv4 completely off in other operating systems and allow them to communicate over IPv6 only.
Earlier on SN:
Vint Cerf's Dream Do-Over: 2 Ways He'd Make the Internet Different (2016)
You have IPv6. Turn it on. (2016)
We've Killed IPv4! (2014)
Related Stories
APNIC reminds us that "there are now a large number of ISPs, data centres, cloud services, and software that now support IPv6" and "enabling IPv6 can be as simple as clicking a button on your WiFi router."
I turned it on, with Comcast I received an IPv6 route but no DNS server. Fortunately, Google Public DNS has unmemorable addresses, which I was able to configure manually.
2001:4860:4860::8888
2001:4860:4860::8844
It works. "There's only one thing left for you to do: Turn it on!"
[ ed: What are the alternatives to Google's Public DNS? ]
Vint Cerf is considered a father of the internet, but that doesn't mean there aren't things he would do differently if given a fresh chance to create it all over again.
"If I could have justified it, putting in a 128-bit address space would have been nice so we wouldn't have to go through this painful, 20-year process of going from IPv4 to IPv6," Cerf told an audience of journalists Thursday during a press conference at the Heidelberg Laureate Forum in Germany.
IPv4, the first publicly used version of the Internet Protocol, included an addressing system that used 32-bit numerical identifiers. It soon became apparent that it would lead to an exhaustion of addresses, however, spurring the creation of IPv6 as a replacement. Roughly a year ago, North America officially ran out of new addresses based on IPv4.
For security, public key cryptography is another thing Cerf would like to have added, had it been feasible.
Trouble is, neither idea is likely to have made it into the final result at the time. "I doubt I could have gotten away with either one," said Cerf, who won a Turing Award in 2004 and is now vice president and chief internet evangelist at Google. "So today we have to retrofit."
(Score: 0, Funny) by Anonymous Coward on Saturday January 19 2019, @01:36AM (9 children)
Current OS devs are neglecting their duty to prevent their systems being used to do evil, how long will we let them get away with not moderating the use of their service? An OS dev community which permits indiscriminate use of their OS is no different to bluecoat selling equipment indiscriminately.
IPv6 is only a minor improvement in this direction, but stills fails to recognize the need for protocols to permit moderation and filtering as a core design goal.
(Score: 0, Troll) by Ethanol-fueled on Saturday January 19 2019, @01:40AM (3 children)
This is what happens when you allow Jews to infiltrate your repository. Some Jews, like Kissinger, are good. Others, no so much.
(Score: -1, Flamebait) by Anonymous Coward on Saturday January 19 2019, @01:50AM (2 children)
There. FTFY.
(Score: -1, Offtopic) by Ethanol-fueled on Saturday January 19 2019, @02:19AM (1 child)
Modded minus one. I will ensure that the rest of the world knows about unit 8200.
(Score: -1, Offtopic) by Anonymous Coward on Saturday January 19 2019, @08:57PM
Knock yourself out, but the world already knows about the ISNU. [wikipedia.org]
(Score: 2) by NotSanguine on Saturday January 19 2019, @01:41AM
Geez, Louise! We already have the evil bit [ietf.org]. What more do you want?*
*Your in[s]anity doesn't deserve a serious response. So this is what you get.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @03:06AM
Can we substitute "governments" for "Current OS devs"? How about "gun manufacturers"? Or "facebook and twitter"?
(Score: 2) by Arik on Saturday January 19 2019, @03:20AM
Not 'do nothing that could conceivably help someone else who might do harm later.'
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Azuma Hazuki on Saturday January 19 2019, @05:29AM (1 child)
If troll: this is a poor attempt. A little too transparent. If not troll: you're crazier than a bat-shit milkshake with onions on top and about as enticing.
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Sunday January 20 2019, @07:42AM
I dunno, put enough habanero sauce on there, it might not be so bad.
(Score: 4, Funny) by Anonymous Coward on Saturday January 19 2019, @01:53AM (13 children)
Nobody talks/needs ipv6, the security profile of ipv4 is known to me - why would I want ipv6? I'll wait for them to improve things in ipv8.
(Score: 2) by PartTimeZombie on Saturday January 19 2019, @02:09AM (3 children)
I feel like I don't know enough about any of this to really have opinion, but I do know how to secure an IPv4 network, (within reason) and subnet it if needed, and I can wrap my head around vlans and routing and whatnot.
IPv6 makes my head hurt. I might be missing something I suppose.
(Score: 0, Troll) by Ethanol-fueled on Saturday January 19 2019, @02:16AM (2 children)
The Jews are behind it. Trust me on this, brother.
(Score: 1) by Ethanol-fueled on Saturday January 19 2019, @02:37AM (1 child)
I didn't say that! They're fucking with you
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @02:43AM
I like to be in front of it. But still I kill ipv6 on all my systems. Useless UUID like garbage that forces using DNS.
(Score: 2) by EETech1 on Saturday January 19 2019, @08:37AM (8 children)
I've noticed that my ipv6 addresses often contain my MAC address.
Especially when using wireless.
Discuss...
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @10:22AM (6 children)
There are (privacy) extensions to IPv6 that allow randomizing the last part of the address instead of using your MAC address.
(Score: 2) by EETech1 on Saturday January 19 2019, @10:32AM (5 children)
Are you saying this is "standard practice"?
(Score: 4, Informative) by VLM on Saturday January 19 2019, @02:32PM (3 children)
Yes as with many things, that which was intended to be "helpful" sometimes gets perverted into a privacy PITA.
The term you don't know, that google will return a useful explanation of, is EUI-64 address. It's a lame way to turn a 48 bit MAC which is guaranteed unique into a guaranteed unique 64 bit LAN address. Combine that with a link local 64 bit subnet address and you can have IOT type appliances access each other on a non-routable LAN. Your link local EUI-64 address is, plus or minus not much caffeine this morning, your MAC addrs split in half with FFEE inserted in the middle.
Now then combine that with weird stacks and weird apps that don't properly ignore the EUI-64 addrs and report "my ip address is linklocal:mac1:ffee:mac2" to higher level "ISO layer 8+" applications and suddenly you got a privacy leak.
It's "unusual" although perfectly acceptable for ipv4 interfaces to have multiple ipv4 addrs, and "usual" for ipv6 to have multiple and if weird or old or crappy software asks for "the" ip address it's quite possible you'll get the ipv6 link local which is essentially your MAC.
The problem isn't located at any specific individual level, although it's mostly an application layer problem.
There are even higher level problems in that... knowing your MAC isn't necessarily very useful as a practical attack vector; not exactly mom's maiden name (from FB) plus your SSN (from an infinite number of historical leaks).
As with many standards issues, the classic XKCD about creating more standards infinitely is a problem; ipv6 is VERY old. I remember CGA address generation was proposed as the final solution to this EUI-64 privacy leak about fifteen years ago, or maybe one of a bazillion other standards.
Conceptually EUI-64 is merely a larger version of ipv4 autoconfig (those 169.254/16 addrs you see when your DHCP server is down on a DHCP configured device). It's a typical dumb (or smart????) software dev mistake to "upgrade" from random /16 host addrs to a privacy leaking MAC in the EUI-64 scheme. The problem isn't so much the concept of an EUI-64 as it is the implementation.
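To make the EUI-64 leak concrete, here is an added example (not from any poster above, and not vendor code) that builds a modified EUI-64 interface identifier from a MAC the way RFC 4291 Appendix A specifies (split the MAC, insert the 0xfffe filler, flip the universal/local bit), and then does the audit a defender cares about: given an IPv6 address, decide whether it embeds a MAC and recover it. The sample MAC and prefixes are constructed; `eui64_address`, `embedded_mac` and `audit` are names chosen here.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 App. A): the 48-bit MAC is split
    in half, 0xfffe is inserted between the halves, and the universal/local bit
    (bit 1 of the first octet) is inverted."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:1b:63:84:45:e6")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC-style address: a /64 prefix (e.g. the link-local fe80::/64) plus the
    EUI-64 identifier derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers fill exactly the low 64 bits of a /64")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(mac_to_eui64_iid(mac), "big")
    )


def embedded_mac(addr: str):
    """Privacy audit: return the MAC embedded in an EUI-64 identifier, or None when the
    low 64 bits do not carry the 0xfffe filler (e.g. a privacy-extension or static
    address). Reverses the construction above, including the U/L bit flip."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addrs):
    """For a list of addresses (say, the output of `ip -6 addr`), report which ones
    leak a MAC; addresses that do not are reported with None."""
    return [(a, embedded_mac(a)) for a in addrs]


if __name__ == "__main__":
    # Constructed sample: one EUI-64 link-local and one privacy-extension style global.
    mac = "00:1b:63:84:45:e6"
    ll = eui64_address("fe80::/64", mac)
    print(ll)  # fe80::21b:63ff:fe84:45e6
    for addr, leaked in audit([str(ll), "2001:db8::1c4a:9f0b:77d2:3e61"]):
        print(addr, "->", "leaks MAC " + leaked if leaked else "no MAC embedded")
```

The reverse check is the useful part: run `audit` over the addresses an application reports upstream and you find exactly the "my ip address is linklocal:mac1:fffe:mac2" leak VLM describes, whether or not the address is link-local.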
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @04:34PM (2 children)
MAC addresses have not been guaranteed unique since Linux let you set them.
(Score: 3, Informative) by RS3 on Saturday January 19 2019, @04:53PM
I remember Ethernet cards in the early '90s that let you set MAC address in the driver. Even if it was set in hardware there are people who can spoof it.
(Score: 2) by VLM on Sunday January 20 2019, @04:10PM
ARP protocol will be unhappy if you set every ethernet card on your lan to 1:2:3:4:5:6, so in the sense that they're unique on a link-local lan that actually works remains correct.
(Score: 2) by rleigh on Saturday January 19 2019, @05:26PM
It is the default behaviour of all modern operating systems, and has been for years. You can disable it if you want the address to be static.
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @01:20PM
So? Request a specific address instead of using autoconf.
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @02:37AM
you know, if you need a device to be universally find-able on the internet and you don't want to spend money for a fixed IP4 address and/or a domain name then by all means give your device a IPv6 address (*)...
some of use don't have the time to help you collapse the wave function that is IPv6, so go learn how to use a stick on monkey island without bothering us leechers ...
(*)good and bad can find it?
(Score: 1, Insightful) by Anonymous Coward on Saturday January 19 2019, @03:10AM (22 children)
The quicker IPv4 dies, the better. NAT can DIAF.
(Score: 4, Funny) by Azuma Hazuki on Saturday January 19 2019, @03:25AM (4 children)
You can NAT in IPv6 you know...
I am "that girl" your mother warned you about...
(Score: 5, Interesting) by VLM on Saturday January 19 2019, @02:49PM (3 children)
When old timers talk about NAT in ipv6 they usually don't mean NAT, they mean a stateless FW instead.
You can stateless firewall in ipv6 pretty easily:
ip6tables -A OUTPUT -o your_isp_interface -j ACCEPT
ip6tables -A INPUT -i your_isp_interface -m state --state ESTABLISHED,RELATED -j ACCEPT
NAT on ipv4 in the olden days was merely the above, for ipv4 obviously, plus an extra line:
iptables -t nat -A POSTROUTING -o your_isp_interface -j MASQUERADE
You don't need to "fake" and remap the addrs for ipv4 like you do for ipv6, so you'd not include the ipv6tables equivalent of the line above.
As with most linux type things, a lot of effort has been put into making it impossible to use "simpler" systems so on systemd-redhat non-unix-like OSes, god only knows what layers of hell you'd have to go thru to avoid one or two straightforward lines of clear and obvious ip6tables from the old days.
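The two ip6tables lines above hinge on the `-m state --state ESTABLISHED,RELATED` match, i.e. on connection tracking. The added example below (mine, not VLM's and not anything from netfilter) models that behaviour in a few dozen lines of Python next to a genuinely stateless rule, so the difference is visible on constructed traffic: the stateful model accepts only replies to flows that were opened from inside and drops everything else (the DROP policy the two lines rely on), while the stateless rule, which can only look at TCP flags, lets an unsolicited ACK-only segment through. Addresses are RFC 3849 documentation addresses; `Packet`, `StatefulFilter` and `run_scenario` are names chosen here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen on the ISP-facing interface.
    direction is "out" (leaving via that interface) or "in" (arriving on it)."""
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN flag set
    ack: bool = False  # ACK flag set


class StatefulFilter:
    """Model of the conntrack behaviour behind
    'ip6tables -A INPUT -i <isp_if> -m state --state ESTABLISHED,RELATED -j ACCEPT'
    with a DROP policy on INPUT: outbound traffic records a flow, inbound traffic is
    accepted only when it mirrors a flow that was opened from inside."""

    def __init__(self):
        self.flows = set()  # (local_addr, local_port, remote_addr, remote_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.src, p.sport, p.dst, p.dport))  # OUTPUT -j ACCEPT
            return "ACCEPT"
        if (p.dst, p.dport, p.src, p.sport) in self.flows:   # reply to our own flow
            return "ACCEPT"
        return "DROP"                                        # INPUT policy DROP


def stateless_decide(p: Packet) -> str:
    """A truly stateless approximation from before conntrack: let replies in by
    accepting any inbound segment that is not a bare SYN. Nothing is remembered,
    so an inbound ACK-only segment that nobody solicited is accepted too."""
    if p.direction == "out":
        return "ACCEPT"
    return "DROP" if (p.syn and not p.ack) else "ACCEPT"


def run_scenario():
    """Constructed traffic: one web request from inside, then two unsolicited inbound
    segments toward sshd on the same host. Returns (stateful, stateless) decisions."""
    me, web, rnd = "2001:db8:100::5", "2001:db8:1::80", "2001:db8:beef::1"
    traffic = [
        Packet("out", me, 40000, web, 80, syn=True),           # our SYN
        Packet("in", web, 80, me, 40000, syn=True, ack=True),  # server's SYN-ACK
        Packet("in", rnd, 5555, me, 22, syn=True),             # unsolicited SYN
        Packet("in", rnd, 5556, me, 22, ack=True),             # unsolicited bare ACK
    ]
    sf = StatefulFilter()
    return [(sf.decide(p), stateless_decide(p)) for p in traffic]


if __name__ == "__main__":
    for stateful, stateless in run_scenario():
        print(f"stateful={stateful:6}  stateless={stateless}")
```

The fourth row is the whole argument: the stateful model drops the bare ACK because no flow matches, the stateless rule accepts it. Whether you call the original two lines "NAT" or not, they are a stateful firewall, and that is what makes them safe to pair with a default DROP.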
(Score: 2) by VLM on Saturday January 19 2019, @02:50PM
Disclaimer: entire post above was from memory and might work and might be secure for some values of "work" and "secure"; you'd best hit up the mighty Google search bar if you're doing this for realzies, but for discussion purposes it's mostly accurate enough in the sense of hand grenades being close enough and so forth.
(Score: 2) by Deeo Kain on Sunday January 20 2019, @04:18PM (1 child)
Of course you know that the rules you wrote define a state*ful* FW, do you?
(Score: 2) by VLM on Monday January 21 2019, @10:09PM
Yeah I know... caffeine levels too low etc. Heart was in the right place at least.
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @03:42AM (7 children)
Cause you just need your office printer to have a direct line to China.
(Score: 3, Informative) by janrinok on Saturday January 19 2019, @09:26AM
Firewalls still work with IPv6 you know? If you have identified an IP address that you don't want your boxes to access, it is simple to block it. What do you do now?
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2, Disagree) by VLM on Saturday January 19 2019, @02:35PM (5 children)
A lot of ipv4 old timers seem to confuse the concept of a stateless firewall with the concept of NAT, because cheap ipv4 appliances have always marketed them as a package deal for a quarter century now.
Believe me, a stateless ipv6 fw has not been much of a hassle for most of that quarter century.
(Score: 4, Informative) by TheGratefulNet on Saturday January 19 2019, @03:18PM (4 children)
you DO mean stateful and not stateless, right?
a firewall has to keep track of the state of the tcp connection so that it can allow incoming pkts that are 'part of' previously outgoing-init'd comms.
yeah?
"It is now safe to switch off your computer."
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @06:46PM (1 child)
thank you. that was making me think i had fallen into some opposite world.
(Score: 2) by VLM on Sunday January 20 2019, @04:07PM
Yeah the blood percentage in my caffeine system was too high when I wrote that. TheGratefulNet is correct.
(Score: 0, Disagree) by fakefuck39 on Saturday January 19 2019, @09:24PM (1 child)
no, he means stateless. no one is talking about TCP here. we are talking about IP.
(Score: 2) by Deeo Kain on Sunday January 20 2019, @04:23PM
No, he means stateful. The rules he wrote are TCP, not IP:
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @08:49AM (8 children)
And you expect thousands of net providers will just give their customers public IPs for free? They will pay more for something not much useful for everyone except geeks.
(Score: 5, Insightful) by janrinok on Saturday January 19 2019, @09:29AM (5 children)
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 3, Interesting) by TheGratefulNet on Saturday January 19 2019, @03:22PM (1 child)
in the US (perhaps it's wider than that) there is an expression "leaving money on the table". meaning, if you negotiate a deal, did you get the very best deal you could have gotten, or did you get less than you could have, if you were a more skilled bargainer.
that says a whole lot about our (US) culture. if you don't charge your customers for every little thing, you are not 'doing it right'.
I completely disagree with that, but then again, I'm an engineer and not a businessman. those are the guys who are ruining things, not us. we don't care if we leave a few microfarads on the table, here and there ;)
"It is now safe to switch off your computer."
(Score: 2) by captain normal on Saturday January 19 2019, @06:30PM
There is no "bargaining" with a monopoly, near monopoly nor dictator for that matter.
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 1, Interesting) by Anonymous Coward on Saturday January 19 2019, @08:08PM
Not France, but also EU. NATted networks with hundreds of customers are ultra-popular here as the opinion about Internet is that it's Google and FB. Yes, the Internet :(.
There is a nice question for a network test: How many NAT routers are between you and the world? I traced my network and there are 5. One is mine, so I can configure it as I want. One is from my provider. Third one is from provider of my provider, fourth and fifth are in computational center being the proper "provider" of Internet. Summing up: 5 NATs to pinch a hole in.
When I wanted to get a single-port pass-through (my computation machine returned its state... by periodically throwing strings through netcat, I'm lazy) I had to go to 3 people and the hole disappeared a few months later when computational center upgraded their routers.
The problem is that you may get a really poor telecommunication-grade Internet (fortunately not a famous 9600/8/n/1, but it started this way), with world IP but expensive and really slow, or faster and cheaper one without IP.
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @09:19PM (1 child)
IPV4 is 'filled up'.
I have a /60 for IPV6 from my provider. My router asks for a /64 from that.
That is the state of the 'US'.
(Score: 2) by hendrikboom on Wednesday January 23 2019, @11:06PM
I can never remember if /60 indicates the number of bits you get to play with, or the number of bits that are fixed for the entire subnet.
(Score: 1, Interesting) by Anonymous Coward on Saturday January 19 2019, @01:10PM
I live in Germany. I have a free /62 assigned to me. But I don't have an IPv4 at all. I only connect to these legacy networks via an ISP tunnel
There is as much reason for using IPv4 on an internal network as there is for having a yeast infection.
(Score: 2) by rleigh on Saturday January 19 2019, @05:28PM
Yes. It's common practice for IPv6 to give every customer a /64 allocation. This is used for SLAAC on your internal network, and you can use any address within that range as you see fit.
(Score: 3, Insightful) by fyngyrz on Saturday January 19 2019, @03:36AM (20 children)
...the first thing that struck me was how much stuff this would outright break.
There's a bunch of stand-alone and stand-between stuff that can't be updated. There are a bunch of OSs, even the computers themselves with fixed network hardware, that can't be updated. There are a bunch more of all of those things where there is zero chance that the users would be able to manage to update whatever it is even were it nominally possible and something available for the fix.
Seems like...
IPv6 is already in place. New devices and OSs and so forth already support it. Leave IPv4 alone. You want to use IPv6? Even only IPv6? By all means. Enjoy. Leave the rest of the world out of your nefarious plans.
--
Neque porro quisquam est qui dolorem ipsum quia dolor sit
amet, consectetur, adipisci velit...
Well, Cicero clearly didn't know some of the women I've known.
(Score: 2, Informative) by janrinok on Saturday January 19 2019, @09:23AM (5 children)
Well I could easily counter your argument by saying that I use IP6 and have not found anything that doesn't work. My internal network, websites, internet access, and NAT all function perfectly well, but without the security implications and fudges that are associated with IP4. So I suggest that your statement should be amended thus:
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by fyngyrz on Saturday January 19 2019, @03:26PM (4 children)
And that's just fine. But what you can't do is claim that this is true in general. Which was my actual, you know, point. So as it turns out, you can't counter my argument that way. Sorry. 😊
--
Money can't buy love, but it can sure buy a yacht to pull up next to it on.
(Score: 3, Insightful) by janrinok on Saturday January 19 2019, @06:34PM (2 children)
The longer one clings to older systems and refuse to update them for fear that they will not work, the more likely you are to reach the stage where you will encounter a problem that it is too late to resolve.
I don't support stopping IPv4 completely, but I do believe that we should not cling to old technology when there is something better and more secure available to replace it.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2) by Apparition on Saturday January 19 2019, @08:30PM (1 child)
It reminds me of the few people that still use Microsoft Windows XP on the Internet to this day and insist that it still works just fine.
(Score: 2) by hendrikboom on Wednesday January 23 2019, @11:09PM
For the once a year or so I needed it, it worked just fine. Now I use Wine,
(Score: -1, Troll) by fakefuck39 on Saturday January 19 2019, @09:56PM
Actually, your actual, you know, point, is you underline your text with a comment of some type. Your posts - I've never seen an actual point, hence no point needs to be countered. You replied that we shouldn't take IPv4 out of general operating systems. You're the only one talking about that in your straw man. You're arguing with yourself, not the rest of us.
The directions were posted on how to remove v4 from operating systems, so now people like the OP can easily do so and not have stuff sitting around they don't need, worry about what it does or its security. Then comes underline idiot yelling "things will break" - well guess what - they won't, for use cases where they won't.
Hey, you ever go on a sports car forum and complain a supra can't transport pianos? They'll love your underlines there. Here, we'll just shit in your mouth as you open wide for us.
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @12:13PM (3 children)
What's preventing owners of these devices from NATing the 4 to 6 addresses?
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @01:12PM
..... that's not a NAT my friend. That's called a proxy.
(Score: 2) by fyngyrz on Saturday January 19 2019, @03:29PM
Not everyone has money to spare for new devices, you know.
It's all too easy to say "just buy..."
--
Yes sir, two copies of "Math For Dummies" at $16.95.
That'll be $50.00
(Score: 2) by hendrikboom on Wednesday January 23 2019, @11:11PM
The IPv6 protocols are not identical to the IPv4 protocols. More has changed than the number of bits in the address.
(Score: 2) by VLM on Saturday January 19 2019, @02:39PM (6 children)
You permanently have a cognitive load of ipv4 firewalls, MITM type attacks, ipv4 DDOS, stuff like that.
Aside from obvious kernel level security attacks (buffer overflows or whatevs)
Can't have a security issue with something not installed.
For something like an IOT device, a link local ipv6 subnet, and an EUI-64 unroutable host addrs, is a nicely secure situation for LAN-local IOT "stuff". You literally can't be hacked from China if you don't have a network protocol and network address that's accessible from China (Well, not hacked directly, given that Big Brother and every nation state on the planet probably has zero-days and pownership of your router unless you have an *bsd box or whatevs as a router, LOL)
(Score: 2) by fyngyrz on Saturday January 19 2019, @03:33PM (5 children)
Except that you certainly can, since retransmission through point B (and C, and D, and... ZZZZZZZZZZ) is a thing. Other than that, of course not!
--
I'd agree with you, but then
we would both be wrong.
(Score: -1, Flamebait) by fakefuck39 on Saturday January 19 2019, @10:03PM (4 children)
retransmission of IPv4 traffic is not a thing if your system doesn't have a 4 octet IP address. what is it you're not getting here sherlock? You're claiming the failure points existing in v6 leave in place the extra failure points of v4? I gotta ask - are you wearing velcro shoes (stupid people have a hard time w/ laces)? Does you not having laces on your short bus shoes mean you still have trouble with shoe laces, on your dummy shoes? I bet you do. I bet you do.
Seriously, it's rare to find someone who keeps purposely drawing attention to their own idiocy. When you were a kid, did you ever shit your pants in the middle of a grocery store and start yelling it smells bad? I bet you did. I bet you did.
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @10:41PM (1 child)
You seem to have an unhealthy obsession with feces. I guess with a prick that tiny, you gotta get your jollies somehow.
(Score: -1) by fakefuck39 on Saturday January 19 2019, @11:38PM
I'd say the person swallowing my shit with a ready and wide open mouth is the one with a feces obsession - you. I guess according to your logic we all have a shit obsession, since we shit daily. The person who keeps eating it though and coming back for more - an idiot who does not know the difference between NAT and a firewall, or between TCP and IP, and keeps talking about other people's genitals, just so those people can keep pointing out how dumb you are.
You can talk about my dick and keep eating my shit all you want buddy. I get my jollies by pointing out you're on a tech site, know nothing about basic networking protocols, and keep coming back for people to point that out. Kid who has shit his pants yelling it smells. Now open up that mouth a little more for me, human toilet.
(Score: 2) by hendrikboom on Wednesday January 23 2019, @11:13PM (1 child)
Some of us are smart enough to ignore societal conventions and use velcro shoes because they save us time.
(Score: 0) by fakefuck39 on Saturday January 26 2019, @01:57PM
undoing the velcro then putting it back takes less time than doing nothing? lemme axe you: do you think you're smart enough for shoelaces, or do other people think that also (if you know other people)?
(Score: 3, Insightful) by Anonymous Coward on Saturday January 19 2019, @05:00PM
There are a large number of people who want to control what you do with your computer, and one key way to enforce that is by destroying backwards compatibility and forcing you to choke down whatever shit they cram into updates. This is just a part of that philosophy, because according to them, peons can't be allowed to own computers or commit WrongThink.
(Score: 2) by rleigh on Saturday January 19 2019, @05:35PM (1 child)
Actually, it's far less bad than you say.
Look into NAT64 and DNS64. You (or your ISP) sets up a proxy which maps a range of IPv4 addresses into the IPv6 address space. All DNS requests for an IPv4 host will return the mapped IPv6 address. All connections to IPv4 hosts use IPv6 to talk to the proxy, which then talks using IPv4 to the host in question. All your hosts internally are IPv6 only, but still transparently access the IPv4 network. You can even have it proxy for internal IPv4-only hosts as well on a private subnet, so you can keep legacy devices around. The reverse also applies; you can have external IPv4 connections proxy to an internal IPv6 host.
This is a typical way you would set up a new network. It pushes IPv4 to the edge of your network, leaving the internal network with just IPv6 to support. It keeps things both simple and future proof. I definitely appreciate this for running virtual machines, which can bridge directly to the internal network with a global IPv6 address. No different than a regular host. Just maintain the appropriate firewall rules to control access, as you would for IPv4 with or without NAT.
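The address mapping rleigh describes is what NAT64 and DNS64 actually do on the wire, and the added example below (mine, not from any poster, not from Jool, Tayga or any other NAT64 implementation) walks through both halves on constructed data: the DNS64 side embeds an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 section 2.2) and only synthesizes AAAA records for names that have no native ones (RFC 6147 section 5.1), and the gateway side recovers the IPv4 destination from an IPv6 address inside that prefix. It also carries the caveat that matters for the "internal IPv4-only hosts on a private subnet" case: RFC 6052 section 3.1 forbids embedding RFC 1918 addresses under the well-known prefix 64:ff9b::/96, so that case needs a network-specific prefix (the 2001:db8:64::/96 one here is a documentation-range placeholder). `synthesize`, `extract`, `wkp_usable` and `dns64_answer` are names chosen for this example.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, as a string so callers can pass their own prefix the same way.
WKP = "64:ff9b::/96"
# RFC 1918 ranges, which RFC 6052 section 3.1 forbids embedding under the well-known prefix.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wkp_usable(ipv4: str) -> bool:
    """True if the IPv4 address may be represented under the well-known prefix."""
    a = ipaddress.IPv4Address(ipv4)
    return not any(a in n for n in RFC1918)


def synthesize(ipv4: str, prefix: str = WKP) -> ipaddress.IPv6Address:
    """DNS64 step: embed the IPv4 address in the low 32 bits of a /96 NAT64 prefix
    (RFC 6052 section 2.2; this example handles the /96 layout only)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    if net == ipaddress.IPv6Network(WKP) and not wkp_usable(ipv4):
        raise ValueError("RFC 1918 addresses must not be embedded under the well-known prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6: str, prefix: str = WKP):
    """NAT64 gateway step: if the IPv6 destination lies inside the NAT64 prefix, recover
    the IPv4 address the gateway must talk to; otherwise None (plain IPv6, not for us)."""
    net = ipaddress.IPv6Network(prefix)
    a = ipaddress.IPv6Address(ipv6)
    if a not in net:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, prefix: str = WKP):
    """DNS64 resolver logic (RFC 6147 section 5.1): return native AAAA records when the
    name has any; synthesize from A records only when it has none, so dual-stack
    destinations are reached natively and only IPv4-only ones go via the gateway."""
    if aaaa_records:
        return [str(ipaddress.IPv6Address(x)) for x in aaaa_records]
    return [str(synthesize(x, prefix)) for x in a_records]


if __name__ == "__main__":
    # Constructed lookups: an IPv4-only name and a dual-stack name (RFC 5737 / RFC 3849 ranges).
    print(dns64_answer(["192.0.2.33"], []))               # ['64:ff9b::c000:221']
    print(dns64_answer(["192.0.2.33"], ["2001:db8::10"]))  # ['2001:db8::10']
    print(extract("64:ff9b::c000:221"))                   # 192.0.2.33
    print(extract("2001:db8::1"))                         # None
    # Internal IPv4-only host on a private subnet: needs a network-specific prefix.
    print(wkp_usable("10.0.0.5"), synthesize("10.0.0.5", "2001:db8:64::/96"))
```

The firewall point in the comment carries over unchanged: the gateway's prefix is just another IPv6 destination range, so the same rules that control access to internal hosts also control who may reach the IPv4 world through it.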
(Score: 0) by Anonymous Coward on Saturday January 19 2019, @09:22PM
Comcast and TW/Spectrum have native IPV6 stacks. AT&T not so much (as you have seen). Not sure on the VZ/Fronter setup currently as I have not seen it.