
Comcast Begins Native IPv6 Deployment To End Users

First time accepted submitter Daaelarius writes "Comcast has begun deployment of Native IPv6 access to end users. The deployment is starting out small with a single market, but is expected to expand rapidly. They have provided ... more in depth technical details." Finally: native dual-stack IPv6 for home customers. Perhaps we can avoid a post-exhaustion future of NAT-upon-NAT and use restrictions.

  • until every light switch and toaster has its own /64
    • Re: (Score:2, Interesting)

      by nepka ( 2501324 )
      Personally I think not being directly connectable (i.e., behind NAT) is good security-wise. It acts as a nice and easy firewall.
      • Re: (Score:2, Interesting)

        Unless you want to be directly connectable.

      • Re:Yeah right (Score:5, Insightful)

        by vlm ( 69642 ) on Wednesday November 09, 2011 @01:50PM (#38001604)

        not being directly connectable (i.e., behind NAT)

        WRONG.

        on ipv4 NAT is generally implemented as a stateful firewall that also rewrites addresses.

        There is absolutely nothing preventing a firewall on ipv6 that is stateful, that leaves addresses alone.

        The security gain comes from the stateful firewall, not the rewriting addresses.
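
As an added illustration of the point made in the comment above (example code written for this edit, not from the thread, from Comcast or from any firewall product): a toy connection-tracking firewall in Python, run once in IPv4 NAT mode (source rewritten to a single public address) and once in IPv6 mode (addresses left alone). The verdicts come out identical in both modes: replies to flows opened from inside are delivered, unsolicited inbound packets are dropped, and the only thing NAT adds is the rewriting. The class, the port pool and the addresses (RFC 5737 and RFC 3849 documentation ranges) are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Connection-tracking key: (proto, src, sport, dst, dport) as seen on the outside wire.
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Default-deny inbound: an outside packet is accepted only if it is the reply to a
    flow an inside host opened first.  rewrite=True additionally performs IPv4-style
    source NAT to one public address; rewrite=False leaves addresses untouched, which is
    all an IPv6 stateful firewall has to do (constructed example, not a real product)."""

    def __init__(self, inside: str, rewrite: bool = False, public_addr: Optional[str] = None):
        self.inside = ipaddress.ip_network(inside)
        self.rewrite = rewrite
        self.public_addr = public_addr
        self.next_port = 40000                      # illustrative NAT port pool
        # expected reply key on the wire -> header to deliver to the inside host
        self.conntrack: Dict[FlowKey, Packet] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside.  Record state and return the packet as it leaves."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return None                             # anti-spoofing: only inside sources may exit
        if self.rewrite:
            port, self.next_port = self.next_port, self.next_port + 1
            on_wire = replace(pkt, src=self.public_addr, sport=port)
        else:
            on_wire = pkt
        reply_key = (pkt.proto, on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
        # The reply must reach the original inside host with its original port.
        self.conntrack[reply_key] = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return on_wire

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  Deliver only if conntrack knows the flow; None means dropped."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return self.conntrack.get(key)


def run_scenario(fw: StatefulFirewall, inside_host: str, server: str,
                 probe_src: str, probe_dst: str) -> dict:
    """Replay three events: an inside-initiated HTTPS flow, its reply, and an unsolicited
    inbound SSH probe aimed at whatever address is reachable from outside."""
    out = fw.outbound(Packet("tcp", inside_host, 51000, server, 443))
    reply = fw.inbound(Packet("tcp", server, 443, out.src, out.sport))
    unsolicited = fw.inbound(Packet("tcp", probe_src, 12345, probe_dst, 22))
    return {
        "outbound_src_on_wire": out.src,
        "reply_delivered_to": None if reply is None else reply.dst,
        "unsolicited_delivered": unsolicited is not None,
    }


def compare() -> dict:
    """Same policy, with and without address rewriting."""
    v4 = StatefulFirewall("192.168.77.0/24", rewrite=True, public_addr="203.0.113.10")
    v6 = StatefulFirewall("2001:db8:77::/64", rewrite=False)
    return {
        "v4_nat": run_scenario(v4, "192.168.77.20", "192.0.2.80",
                               "198.51.100.7", "203.0.113.10"),
        "v6_stateful": run_scenario(v6, "2001:db8:77::20", "2001:db8:2::80",
                                    "2001:db8:ff::7", "2001:db8:77::20"),
    }


if __name__ == "__main__":
    for mode, verdicts in compare().items():
        print(mode, verdicts)
```

The only field that differs between the two runs is `outbound_src_on_wire`; the accept/drop decisions are produced entirely by the `conntrack` lookup, which is the part a non-NAT IPv6 firewall keeps.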

        • Re:Yeah right (Score:4, Interesting)

          by dch24 ( 904899 ) on Wednesday November 09, 2011 @02:10PM (#38001932) Journal
          Mod parent up.

          Additionally, many other carriers are already seeing IPv4 exhaustion (due to their own wastefulness in the RFC1918 address space). They are co-opting DoD /8's within their network to try to overcome the problem. [source [ycombinator.com]]

          I'll skip the obvious stupidity of "stealing" IPv4's from the DoD. But instead of deploying Carrier-Grade NAT, they're divvying up the internet. In one place, 28.0.0.0/8 takes you to one machine, in another place it takes you somewhere else.

          It sounds like the IPv4 internet is going to fall apart simply due to negligence. How's that for an IPv6 killer app?
        • Well partially, but I'd argue the addresses have a lot to do with it, too. My home subnet is 192.168.77.0/24. My firewall blocks anything coming from the outside world bound for 192.168.77.0/24. That's nice, but doesn't really ever do anything because damn near every router between me and a potential attacker drops packets that are to or from the reserved networks, because it has no idea where to send them. About the only way it would be a viable attack is from somebody who had control at my upstream IS

      • That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong. Shut down or secure any unneeded port-bound services, and install a basic firewall on the router to only let the ports you need out (just port 80 may be enough).

        Plus, just finding a device on IPv6 can be hard. Given a 64-byte ICMP packet and a gigabit ethernet connection, it would take just under 300,000 years to ping every potential host in a /64. You want security through obscurity? Set your DHCP s
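
To check the sweep-time figure in the comment above, an added example (written for this edit, not from the thread): the time to send one probe to every address in a prefix at line rate, generalised to any prefix length, link speed and address family. The defaults are the comment's 64-byte packet on a gigabit link. The `framing_bytes` parameter is an assumption of this example for adding per-frame overhead such as preamble and inter-frame gap, which only makes the sweep longer.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def addresses_in_prefix(prefix_len: int, total_bits: int = 128) -> int:
    """Number of addresses in a prefix; total_bits is 128 for IPv6, 32 for IPv4."""
    if not 0 <= prefix_len <= total_bits:
        raise ValueError("prefix length out of range")
    return 1 << (total_bits - prefix_len)


def sweep_seconds(prefix_len: int, packet_bytes: int = 64, link_bps: float = 1e9,
                  framing_bytes: int = 0, total_bits: int = 128) -> float:
    """Seconds to put one probe per address on the wire at full line rate.
    framing_bytes (constructed parameter) adds per-frame overhead on top of the packet."""
    bits_per_probe = (packet_bytes + framing_bytes) * 8
    return addresses_in_prefix(prefix_len, total_bits) * bits_per_probe / link_bps


def sweep_years(prefix_len: int, **kwargs) -> float:
    return sweep_seconds(prefix_len, **kwargs) / SECONDS_PER_YEAR


def summary() -> dict:
    """The comment's /64 case next to the whole IPv4 space on the same link."""
    return {
        "ipv6_/64_years": sweep_years(64),
        "ipv4_entire_space_minutes": sweep_seconds(0, total_bits=32) / 60,
        "ipv6_total_addresses": addresses_in_prefix(0),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:,.0f}" if isinstance(value, float) else f"{name}: {value}")
```

On the same gigabit link the entire IPv4 space can be swept in well under an hour, while one IPv6 /64 takes on the order of 300,000 years, which is the comment's figure; that is why a random sweep is not a practical threat model on v6 even though a firewall is still the actual control.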

        • by 0123456 ( 636235 )

          That relies on security through obscurity. If you rely on not being publicly visible, you're doing it wrong.

          How are you going to hack into my webcam when it has no publicly visible IP address? In order to hack it you need to already be on my internal LAN, so my security is already toast.

          • How do you hack into a webcam through a firewall that does not allow incoming connections? I'll tell you how, and it's the same way you would do it if you were behind NAT (with no publicly visible IP). You compromise another computer on the network (or that computer) and have it make the connection to you so you get through the firewall, then use that computer to compromise other computers on the network. That is usually accomplished by getting the dumbass who owns the computer to run a program that you sen
        • Better yet, some OSes can generate temp IPs, so the IP you used to connect to a web site 2 seconds ago is already turned off and a new one used. OS-level firewalling can automatically firewall all inbound to these temp IPs. Meaning you do not ever have to use your real IP for outbound connections. When a computer advertises a local service through something like Bonjour or DNS it uses its main IP. Sure, people still know it's all coming from the same /64 and apps will track it like they track NAT IPs n

      • And anything that can do NAT can do stateful firewalling. I'm tunneled IPv6 at my home; it's just as secure as my Comcast connection since it's using the same firewall rules. Just because NAT requires a firewall to function does not make it a good idea. Let's also remember where NAT has one IP that's exposed to be attacked, an IPv6 user is given 1*10^24 IPs; finding IPs to attack at random is nigh impossible if the firewall has any intelligence. Sure you can attack IPv6 boxes by finding the IP via othe

      • Re:Yeah right (Score:5, Insightful)

        by GPLHost-Thomas ( 1330431 ) on Wednesday November 09, 2011 @02:27PM (#38002176)
        That's reverse thinking. If you need a firewall, set up a firewall; don't set up NAT instead.
      • by bakuun ( 976228 )
        It doesn't matter whether you're on ipv4 or ipv6 if you want to have a firewall (on a NAT or not). The only difference security-wise is that ipv6 gives better security through the higher number of ip addresses. Currently, bots performing port scans in the ipv4 space have a reasonable chance of hitting something if they choose a random ip address. That problem doesn't exist in ipv4: the sheer number of possible ip addresses means that servers connected at difficult-to-guess ipv6 addresses are very unlikely t
    • Re:Yeah right (Score:5, Informative)

      by BlueParrot ( 965239 ) on Wednesday November 09, 2011 @01:45PM (#38001526)

      People underestimate the address space in IPv6 when they make remarks like this.

      In principle IPv6 could hold more than 10^38 addresses. Now due to structuring and various reservations and so on there are considerably fewer. So for the sake of argument, let's say it is "only" 10^20. That's still enough that for every present IPv4 address you could add an entire internet and still have addresses left over.

      What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.

      • Don't worry, they'll find a way of fucking this up too. It may take a while, but you should never underestimate an idiot; idiots are too inventive.
        • What does that even mean?

          • by Piata ( 927858 )
            That even if you make something idiot proof, eventually we'll encounter a better idiot.
        • by jc42 ( 318812 )

          Don't worry, they'll find a way of fucking this up too. It may take a while, but you should never underestimate an idiot; idiots are too inventive.

          Nah; the ISPs already know just how to do it, and it doesn't require an idiot. All they need to do is use the same method they've used with IP4: They only accept one address at your site, and discard any packets that didn't come from that address or is sent to that address. If you want N addresses, you'll have to pay N x $X, where $X is their current price for a routable address.

          It really doesn't matter how many gazillions of addresses IPv6 makes available, you will only get one. Addresses are a comm

          • They can do the same with IPv6, with the code they already have. So if they like, they can also charge you extra for not blocking a port. They do this with IPv4 around here, where you have to pay double for a "home business" account if you want ports 21 or 25 or 80 or anything >1023 unblocked.

            Hmm...I only pay $70/mo for my 'business' account I have at home. I get a static IP, no ports blocked, no data caps, can run any servers I want...etc.

            I think it's a pretty good deal....with decent speeds. $70 is dou

            • Who is your provider? You're paying less than I pay for consumer grade internet...
              • Who is your provider? You're paying less than I pay for consumer grade internet...

                Cox Cable Business.

                $69/mo....static IP, no caps, all the servers I want to run, basic level SLA (and the few times I've had to call, even in middle of the night, they had a guy out on the pole to look things over in less than an hour)...good service. I'm happy. Speeds are roughly 13-14 Mbps down, and 4-6 Mbps up...the upload used to be faster before I moved and had the service moved with me...

          • Addresses are a commodity, to be leased for a profit.

            That's what many ISPs and hosts are trying to get you to believe. In reality, when you get your IPs from APNIC / ARIN / RIPE, that's not the way it works. You wouldn't pay more if you needed more IPs.

      • Well that's my concern in a nutshell. That this huge address space will be fragmented to the point where it will be unable to cope with demand for the next generation of networks, not a rehash of the internet that we know and love, but a new world with new and radically different requirements. It's all well and good having a new system that does a much better job of what we do today, but suppose I want a network for each item of clothing I wear, or each particle in my intelligent dust cloud.
        • by Bookwyrm ( 3535 )

          The bigger problem is because of the ideological dead-end-to-dead-end design, when everyone's toaster and light bulb have an IPv6 address, and the anti-NAT zealots have one, is that upgrading to the next generation of networks will be impossible. The inertia caused by having to have everyone upgrade every light bulb and toaster to a new standard will block any advancement in networking technology.

          • by Imrik ( 148191 )

            I can only think of a few ways we could run out of IP addresses with IPv6. First and most likely, if they are allocated in blocks far too big for any reasonable use. Second, if we develop an interstellar network. Third, if we develop nanotechnology to the point of making self replicating machines, each with their own IP.

      • I should add, that my "for the sake of argument" of 10^20 is an EXTREMELY conservative estimate. In practice the IPv6 address space has an amount of addresses that is greater than the number of stars in the universe.

      • What this means is that even if ISPs were incredibly wasteful and basically trashed 99.9% of the address space due to bad practices, you'd still have millions of addresses for every person in the world.

        And yet, according to the Comcast announcement, if you are paying for just one device, you get just one IPv6 address. They call it "directly connected CPE". Yes, on my home network, I have one directly connected device -- the NAT router.

        I'm also confused by their statement that the device must understand "stateful DHCP6". Why? The cable modem gets assigned one IPv6 address on the cable side, and it serves one IPvX address via DHCP to the CPE. What changes? Why not make the cable modem the IPv6 to IPv4 gat

  • ...what all do I have to do and change to use this?

    I'll not still use NAT for my home network for all my devices that I authorize to use the wireless router...etc?

    What does the regular user have to do to use this...and what exactly is going to push him to change his whole home network along with all the devices he currently has on there (tv's, ipads, laptops, desktops, toasters...etc)?

    • Re: (Score:3, Informative)

      by tuffy ( 10202 )

      The idea is that the end user is still going to keep all his devices behind a firewall so everybody on the internet can't probe them. But since your toaster has its own actual address, it can connect directly to the Online Toasting Database server without having to kludge all that traffic through a NAT.

    • Most modern OSes already have dual stack support (Windows Vista forward on the Windows side; I know Red Hat had it as far back as version 5) so there shouldn't be any change there. But because it is a dual stack deployment, your average home user won't have any issues or need to swap out any equipment - at least for the time being.
  • Kudos to Comcast for finally getting the ball rolling on IPv6. A /128 address gets their foot in the door, and as their post says, they can expand it later.

  • It's rare to see companies take such a long term view of their business, but Comcast sure is doing it now. I know from seeing it being done at work, huge IPv6 deployments are not trivial things!
    • Rolling out IPv6 could have been considered taking a long term view a decade ago. With IPv4 exhaustion looming, starting the roll-out now is just short of required. Sadly, looking out past the end of the current quarter is considered "long term" nowadays.

    • If cabletown was thinking long term, they wouldn't have bought that buggy whip manufacturer that calls itself NBC.

  • With IPv6 addresses being so plentiful, does that mean it should never have to change? I've been running a webserver and mailserver on my Comcast account since it was an @Home account (10+ years) and my IP rarely changes, but occasionally it still does.
    • IPv6 addresses change all the time. They're really good at it. You should learn how DNS works, because it's going to be your new best friend if you ever want to find your needle in the v6 haystack. Even better, you can have a pile of v6 addresses on a single interface, instead of the paltry one v4 address.

    • by laffer1 ( 701823 )

      You could always get a business class account like I did. Then you get 5 static IPs allocated to you that never change. I've even moved and they ported the IPs with my account. Not to mention it's faster and you get more upstream bandwidth.

  • IPv6 deployment - Yea! Wait, it is Comcast. Ok, what's the catch?
    • The catch is that they ran out of 10/8 space for their Internal network and weren't stupid enough to overload it. They deployed v6 to manage the cable modems, and then cable modems needed to be v6, and that was convenient since they're starting to run out of public space addresses, too. Those addresses can't be helped, and they're going to get sucked back into the ISP on the NAT level. Yes, all that malarkey about sharing public v4 addresses with your neighbors is a mathematical inevitability. Read thro

    • I've been using Comcast's IPv6 6rd since it launched over a year ago. In the first few months, there were several instances where parts of the IPv6 global network were down, but those problems were corrected within a couple of days.

      All said, Comcast has been out in front of this compared with the other US ISPs. They should be commended (on this issue, at least).

  • It's lock-in. Once you've gone IPV6, who's going to want to go back. You'll be a Comcast customer until FIOS, DSL or whatever other competition might actually exist catches up.

    • Once you've gone IPV6, who's going to want to go back.

      Do you think a significant proportion of their users actually would know or care what the difference is?

    • Charter was about a year behind with IPv6 6rd, but they are likely to catch up quickly.

    • Why is it lock-in? It's not like going with IPv6 makes it impossible to go back and connect to a network using IPv4. From a user perspective, it should be a relatively transparent change. What am I missing?
    • Not lock-in at all; you can have IPv6 even if you move to an ISP with only IPv4. I do it through a tunneling router to an IPv6 provider (several do it for free and give you a monstrous static IPv6 subnet), and I can saturate my ADSL line with IPv6 traffic, so no bottlenecks from the tunnel. It's nice having static addresses even though my IPv4 connection is dynamic!

  • The problem is that there is no benefit in using IPv6 as long as there are no IPv6-only services.

    Therefore, it is unlikely that IPv6 can be rolled out successfully [in-other-news.com].

    • The linked article echoes what I've been saying for years now: IPv6 is lab technology, cool, interesting but essentially pointless as anything other than a conversation piece in real life. Converting all of the internet would require 40,000 man-years of labor to complete... Conservatively. And that doesn't count even a second of work for changes to internal networks to get to an "All IPv6" network so we can actually have "end-to-end" connectivity. Honestly, who wants it? Who needs it? If I need end-to-end c

    • First of all, that's bullshit. There are some IPv6-only services (Google for it if you don't trust me). Then, having so many IPs at home for your own use *IS* convenient. I have my wife's laptop IPv6 in my /etc/hosts, so when she needs it, I can ssh from work to her laptop, and do apt-get dist-upgrade for example. Yes, I know, I could have also set up a port forwarding on my router, but why should I remember the port and all? It's just more convenient to ssh to the standard port, isn't it?
  • Did you hear that Verizon? Your "next generation optical network" is now behind the clunky old cable modem guys on this issue. Where is your update? Hmmmm?
