There has been a lot of chatter on the CentOS list lately regarding the ups and downs of IPv6. It has not quite boiled down to a flame war yet, but now is a good time to start distilling down what everybody has had to say.
To start, what IS IPv6? Simply put, it is the newer version of the IP addressing scheme, with 128-bit addresses instead of IPv4's 32-bit ones. We have been running out of IPv4 addresses and will hit the end shortly; IPv6 has room for 2^128 (about 3.4x10^38) addresses, which works out to more than 2^95, or roughly 5x10^28, addresses per person alive on planet earth today. "Overkill!!!" you might exclaim. In the late 70s, when IPv4 was designed and fewer than 1000 hosts were internetworked, you would have said the same thing about the mere 4 billion addresses that system allows. In an age where an internet-accessible toaster is not unheard of, you'd be surprised how many you might use.
Ok, let's start with some major benefits (summarized from http://en.wikipedia.org/wiki/IPv6).
- Expanded IP space. We are running out of space, see above. This is a big one.
- Improvements to Multicast
- Auto-Conf: Hosts can configure themselves automatically from router discovery messages (stateless address autoconfiguration, SLAAC), with no DHCP server needed. The caveat is that any host on the link can send a Router Advertisement, so switch ports should filter them (RA Guard) unless you trust everything on the segment.
- Mandatory support for IPsec -- Previously this was optional. Note that "support" means the stack has to be able to do IPsec (and later node-requirement RFCs relaxed even that to a SHOULD); it does not mean your traffic is protected unless you configure it.
- Simplified routing -- The base header is a fixed 40 bytes, carries no checksum, and routers no longer fragment packets (the sending host does), so there is less work per packet.
- No NAT (Network Address Translation)
This is the loudest objection I've heard, and it rests on the widespread belief that NAT is a security measure: that a machine behind a NAT box is better protected than one sitting directly on the internet with its own address.
To begin this discussion, let us look at what NAT is and why it exists…
In the old days, there were enough IP addresses for everyone who needed one. Pretty much this consisted of a bunch of Universities and the government. And then… The Internet happened (or the WorldWideWeb, or the Information SuperHighway, call it what you like, I just remember it as High School). Compuserve and AOL came online and grew out their userbases. Flash forward to the mid-1990s and every company on the planet figures out that it needs a website, and many companies are founded just because they have one. This is about when we figured out that there would be a shortage of IP addresses in a hurry if we did not do something about it, and NAT was born. Continue on to today, and in my house alone there are 2 cell phones, 3 laptops, 2 desktops, 1 Tivo and 1 firewall. I can only imagine how many devices Google has.
NAT lets a number of machines in one location share a single public IP address rather than every device having its own address on the Internet. Rather than have 9 IP addresses for my house alone, I can get by on only 1. The NAT box keeps a table of which internal address and port made each outbound request, rewrites the source to its public address on the way out, and rewrites the replies back to the right internal machine on the way in. That breaks end-to-end addressing and puts per-connection state in every border device, but it bought a lot of time before we had to move to a different system such as IPv6.
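To make the mechanics concrete, here is a small simulation of a port-overloading NAT box next to a plain stateful firewall. It is an added example written for this post, not code from the original; every address and port in it is constructed from the documentation ranges. The thing to watch is where the "drop unsolicited inbound packets" decision is made: in the connection-tracking table, which the NAT box needs anyway to un-translate replies, and which works identically in front of a host that has a global IPv6 address and no address rewriting at all. That is the same point the "you can't get past my NAT device" claim below turns on.

```python
"""A port-overloading NAT box (NAPT) next to a plain stateful firewall.

Added example for this post, not code from it.  All addresses and ports are
constructed from the RFC 5737 / RFC 3849 documentation ranges."""
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFilter:
    """Connection tracking: an outbound packet creates state, and an inbound
    packet is accepted only if it matches that state or an explicit allow rule."""
    allow_inbound: set = field(default_factory=set)   # {(dst_ip, dst_port), ...}
    flows: set = field(default_factory=set)

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport) in self.allow_inbound:
            return True
        # The reply to (src:sport -> dst:dport) arrives as (dst:dport -> src:sport).
        # The remote address is part of the state, so a third party cannot reuse
        # an open flow just by guessing the local port.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


@dataclass
class Napt:
    """Rewrites private source addresses to one public address and remembers
    the mapping so replies can be put back.  Dropping unsolicited traffic is
    done by the embedded StatefulFilter, not by the address rewriting."""
    public_ip: str
    filt: StatefulFilter = field(default_factory=StatefulFilter)
    to_external: dict = field(default_factory=dict)   # (priv_ip, priv_port) -> ext_port
    to_internal: dict = field(default_factory=dict)   # ext_port -> (priv_ip, priv_port)
    ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.to_external:
            ext = next(self.ports)
            self.to_external[key] = ext
            self.to_internal[ext] = key
        rewritten = Packet(self.public_ip, self.to_external[key], pkt.dst, pkt.dport)
        self.filt.outbound(rewritten)
        return rewritten

    def inbound(self, pkt):
        """Return the un-translated packet for the inside host, or None if dropped."""
        if not self.filt.inbound(pkt):
            return None
        target = self.to_internal.get(pkt.dport)
        if target is None:          # allowed by policy but no mapping: a 'port forward'
            return None             # would need a static mapping added here
        priv_ip, priv_port = target
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)


def demo():
    """Run the same events through both boxes and collect what each decides."""
    result = {}
    # IPv4 home LAN behind NAPT on the public address 203.0.113.5
    nat = Napt("203.0.113.5")
    sent = nat.outbound(Packet("192.168.1.10", 51234, "198.51.100.80", 443))
    result["v4_translated"] = sent
    result["v4_reply"] = nat.inbound(Packet("198.51.100.80", 443, sent.src, sent.sport))
    result["v4_unsolicited"] = nat.inbound(Packet("192.0.2.66", 4444, "203.0.113.5", 22))
    # IPv6 host with a global address, no NAT, only a stateful filter in front
    fw = StatefulFilter(allow_inbound={("2001:db8:1::10", 22)})
    fw.outbound(Packet("2001:db8:1::10", 51234, "2001:db8:ffff::80", 443))
    result["v6_reply"] = fw.inbound(Packet("2001:db8:ffff::80", 443, "2001:db8:1::10", 51234))
    result["v6_unsolicited"] = fw.inbound(Packet("2001:db8:2::66", 4444, "2001:db8:1::10", 80))
    result["v6_allowed_ssh"] = fw.inbound(Packet("2001:db8:2::66", 4444, "2001:db8:1::10", 22))
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-16s %s" % (name, outcome))
```

Run it and compare v4_unsolicited (None, dropped) with v6_unsolicited (False, dropped): both decisions come from the same state lookup. The IPv6 host exposes SSH by adding one allow rule to the filter, where the NAT box would need a port forward, which is a static mapping plus that same allow rule.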
So a lot of people believe that NAT adds a layer of security or privacy to their networks. There is a grain of truth in these claims, but none of it is a reason to stick with NAT. Let's examine the claims:
- Computers are not directly on the Internet, therefore cannot be found by attackers (usually referred to as "Russian Mobsters") -- Yes, an outsider cannot address a particular machine behind the NAT directly, but getting in there can be done: anything the machine initiates (a browser session, a mail client, a download) opens a path back to it, and a single port forward puts it on the Internet outright.
- My internal address is a secret, so they wouldn't know where to route to anyway -- However, your address information leaks constantly. If you would like to see this effect, look at the headers of any email you send: the Received: lines record the address your client connected from, and for a NATed network that is your public address, often right next to the private address the client announced in its HELO.
- But you can't get past my NAT device to my inside network! -- Right. I can't. You are confusing a firewall with a NAT device. What blocks unsolicited inbound packets is the stateful filter (connection tracking) that every NAT box necessarily runs: it forwards an inbound packet only if it matches an existing outbound flow. The address rewriting contributes nothing to that decision. A stateful firewall with a default-deny inbound policy gives hosts with public IPv6 addresses exactly the same protection; it is the firewall that blocks inbound access, not NAT.
- IPs are going to be harder to remember:
Yeah, you remember the first time you looked at an IP and said "I could never remember that". Same thing. Sure, it's a different format, just like if you moved from the US to France and had to change everything you knew about telephone numbers. Furthermore, this is why DNS exists: so that humans don't need to remember IP addresses.
- What if DNS goes down? I'd be screwed.
True, and honestly, you would be screwed anyway. So many things rely on DNS that fixing DNS should be the first priority if for some reason it is horked. Yes, typing in and remembering an IPv6 address might be tedious for a network admin, but that one person is the only one who really has to do it. Furthermore, that person should be the one designing the network, and can make sure that the DNS server's address is easy to type and remember. IPv6 allows for some shortcuts in the text form of an address: leading zeros within a group can be dropped, and one run of consecutive all-zero groups can be replaced with a double colon (only once per address, or the result would be ambiguous). For instance, aaaa:aaaa:0000:0000:0000:0000:0000:0001 can be written as just aaaa:aaaa::1. Much easier, yes?
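The :: shortcut comes with some fine print (RFC 5952): hex digits are lowercase, leading zeros in a group are dropped, and only the longest run of two or more zero groups is collapsed, the first such run on a tie. That matters beyond readability: a firewall rule, log search or allow-list that compares addresses as text will miss 2001:db8:0:0:0:0:0:1 when it is looking for 2001:db8::1. The following is an added example, not code from the original post, that implements the canonical form and a comparison that canonicalises before comparing. It assumes plain hex notation (no embedded IPv4 dotted quad, no zone id) and exists to show what the rule does; in real code you would call the standard library's ipaddress module instead.

```python
"""RFC 5952 canonical text form for IPv6 addresses.

Added example for this post, not code from it.  Assumes plain hex notation
(no embedded IPv4 dotted quad, no zone id); real code should use the
stdlib ipaddress module, this shows what the '::' rule actually does."""
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(text):
    """Parse an address into its 8 16-bit groups; ValueError on malformed input."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed: %r" % text)
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %r" % text)
        groups = head + ["0"] * missing + tail
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(_GROUP.match(g) for g in groups):
        raise ValueError("not an IPv6 address: %r" % text)
    return [int(g, 16) for g in groups]


def compress(groups):
    """Canonical text: lowercase hex, no leading zeros, and the longest run of
    two or more zero groups (the first such run on a tie) written as '::'."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = ["%x" % g for g in groups]
    if best_len < 2:                      # a lone zero group is written as '0'
        return ":".join(hexes)
    head = ":".join(hexes[:best_start])
    tail = ":".join(hexes[best_start + best_len:])
    return head + "::" + tail


def canonical(text):
    return compress(expand(text))


def same_address(a, b):
    """Compare two textual addresses correctly: canonicalise, then compare."""
    return canonical(a) == canonical(b)


def demo():
    """Three spellings of one address: naive string comparison says they differ."""
    spellings = ["2001:DB8:0000:0000:0001:0000:0000:0001",
                 "2001:db8::1:0:0:1",
                 "2001:db8:0:0:1::1"]
    return {
        "canonical": [canonical(s) for s in spellings],
        "naive_equal": spellings[0] == spellings[1],
        "really_equal": all(same_address(spellings[0], s) for s in spellings[1:]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the longest-run rule is what keeps the canonical form unique: 2001:db8:0:0:1:0:0:1 has two equal runs of zeros, and the rule picks the first, so every tool that follows RFC 5952 prints 2001:db8::1:0:0:1 and nothing else.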
In the end, moving forward is the only way to go. The real question is how to make the transition easily. Unfortunately, most businesses and homes are not prepared, and the time is coming. Hopefully we learned something from the digital TV switch and will figure out how to flip the switch quickly, but most likely we will see another long drawn out endeavor.