Thursday, 21 October 2010

Kick starting IPv6

One way to kick start IPv6 is to try and convince the likes of Google to rank IPv6 accessible web sites higher than IPv4 sites.

They don't have to say how much higher or anything, just make it a published factor in the ranking.

I suggest they give the world a couple of months notice so people do not whinge, though there is no special reason they have to.

As soon as they do this we will have a mad scrabble to get web sites enabled on IPv6 to increase people's rankings. There will suddenly be commercial pressure on hosting companies to provide IPv6 access (hence it would be nice to give a bit of notice).

Obviously these hosts would be dual stack for now, but it would make a big chunk of the internet IPv6 accessible, and would push deployment of IPv6 routers and firewalls and servers.

It is not the whole battle - you have to get consumers moved over too, but it is a big step forward. One side will have to move first.

So, Google, please rank IPv6 hosted sites higher - simples.

Of course, if Google won't do this we just need to start an urban myth / rumour that they already do it or are about to do it and are keeping it secret. The myths and rumours about search engine ranking are mad enough already that this would be quite believable.

As someone else said, this close to Y2K we had massive take up and everything was "Y2K compliant" even toasters. We have almost no take up with domestic router manufacturers and are now only a few months away from trouble...


  1. You should offer a 2% usage discount on ipv6 data or something. It would encourage ipv6 usage, and hopefully get you some free publicity to offset the cost.

  2. I don't like IPv6 and I will not switch over until the day I am forced to. The reason: No NAT. I do not want my laptop, my PC, my home server, my iPad, my Blackberry, my PVR, my wireless bridge, etc. etc. all exposed to world and dog with their own IPv6 address.

    I just like the way it is with IPv4: my NAT router is exposed, I secure it, and the rest of my network is private.

    No NAT on IPv6 is being stuffed down our throats by a dogmatic minority. The consequences will be devastating. If you thought spam and malware was out of control now, you wait until every device down to your Internet enabled fridge is exposed to the big bad Internet.

  3. There are plenty of protocols that work the way you seem to want, but IP is not one of them and never has been. A fundamental aspect of IP has always been globally unique endpoint addresses. NAT is a bodge on IP and causes no end of issues because it breaks those fundamental principles.

  4. Any decent IPv6 router will do exactly the same filtering that your IPv4 filter does now, except it will not do NAT. So, while every device will have a globally unique address (and this is good!), inbound connections will still be mostly blocked.

  5. Indeed! Also, the IPv6 addresses do not have to expose your network. IPv6 can even provide additional means to obfuscate your network - e.g. you could use a different IPv6 address for each outgoing connection if you wanted to (and I bet some apps on some machines will provide that option).

  6. Yes, IPv6 has all these features.....BUT: 99% of Internet users are clueless, technically ignorant noobs and have no idea how to protect a private network, and this will never change. Inevitably, mass market IPv6 routers will be sold with a default configuration that lets all traffic through, otherwise they won't be "plug and play". The net result will be malware, virus and hacking mayhem on a scale two orders of magnitude higher than today. Hackers will scan the ports of and plant their nasty payload in everything from iPods to internet enabled toasters.

  7. What on earth makes you think :-

    "mass market IPv6 routers will be sold with a default configuration that lets all traffic through"

    I personally find that highly unlikely. I expect they will have just the same annoying session tracking and filtering they have now.

    As for "Hackers will scan the ports " you can't scan IP addresses on an IPv6 subnet!!! Yes, if you had an IP address you could scan ports on that (as now).

    But, at the end of the day your argument is not for maintaining IPv4 or NAT, but for having rudimentary inbound fire-walling on domestic routers - something they manage now as a side effect of IPv4 NAT. I agree with that entirely. It's not a reason to not have IPv6 though.

  8. Oi, that was my idea! Can't remember if I mentioned it in front of you though... I probably should have patented it :).

  9. Anyone got an ipv6 enabled sample config for Cisco IOS 15.1?

  10. Thought it was my idea, but that is often the ways with ideas so sorry if I did pick it up from you. Still a good idea though :-)

  11. Just another couple of points for Rschu:

    i) (Well, this isn't another one - Adrian's already alluded to it) Any additional security that IPv4 NAT offers is by happenchance, not by design.

    ii) Malware that gets in via connection from an external address to an internal service is ancient news - drive-by web attacks and other ways of getting straight in at the application layer are the methods of choice these days. Makes no odds how you're connected if that sort of vector is used.

    Whatever is claimed, NAT was a hack. A grievous hack that breaks the principles of IP.

  12. Yes, rschu seems to be under a misunderstanding that having a public IP address somehow opens up your network.

    rschu: I have a consumer grade router (an old Netgear) running IPv4 without NAT - so every device on my network has a publicly addressable IP address. Yet the default rule is to BLOCK incoming - NAT or no NAT. My network is just as private as if it was NAT and no more or less open to the "big bad Internet"

    Is there any reason to suspect that this would be different with IPv6? Will router manufacturers suddenly decide to go a bit bonkers and ship all routers with ALLOW on all incoming?

    (Oh and very good point RevK, incremental scanning IP ranges for open ports will suddenly become a herculean task)

  13. I think we can put it down to parallel evolution :).

    I particularly like the fact that it would take advantage of the lunacy of the SEO 'industry' to get something useful done for a change.

  14. Can our FireBrick 105 do IPv6? If not, then sorry but there is no chance of us going IPv6 until the FB2700 is out (assuming that has support).

  15. FB2500 and FB2700 have IPv6 and expected to be out some time before IANA run out of IPs :-)

    Yes, that has taken way too long.

  16. I like the thinking - get the SEO people raving about IPv6 enabled sites, and suddenly hosting companies have a reason to offer IPv6.

    The only downside is that Google could only rank IPv6 sites higher to clients accessing Google through IPv6. And then there's the issue of IPv6-only sites...

  17. I understand all the points:

    - Having a public IP address and allowing access/firewalling are two different issues
    - NAT provides basic firewalling for the uninitiated masses by accident.
    - Malware payload is nowadays delivered via social engineering.


    - IPv6 throws the baby out with the bathwater, throwing away the existing Internet and introducing a new one, just to solve the problem of limited IP resources
    - 99% of all users are complete idiots, who will not even know what a firewall is, let alone understand how to protect their network
    - Manufacturers of consumer grade products will always err on the side of convenience rather than security. They will not make their products secure by default with the user having to open up the firewall as needed. This is because 99% of their customers would be too stupid to do that and the manufacturers and their distribution chain would be flooded with product returns and support calls because "it does not work"
    - The end result will inevitably be millions of wide open home networks with devices publicly reachable that would previously have been hidden behind a NAT. There is nothing to stop Malware going back to the old days of delivery if the environment is there again.


    IPv4 addresses have been predicted to run out "next year" for about 10 years now. Somehow they never do. If we put all consumers with dynamic IPs behind ISP NATS the problem would be solved, Internet security would be improved and illegal filesharing would be killed off as a little side effect too.

  18. If Google would offer its Google Apps to enterprises for no-cost if they access it exclusively over IPv6 until x% of the Internet was IPv6, I think that would generate some movement. Businesses follow the money.
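
The point argued in the comments above, that a router can block unsolicited inbound traffic for globally addressed IPv6 hosts without doing any NAT, looks like this as an nftables forwarding policy. This is an added example, not a configuration from the post or from any commenter; the interface names `lan0` and `wan0` and the table name are assumptions.

```nftables
# Added example: stateful IPv6 forwarding filter with no NAT.
# Assumed interface names: lan0 = home network, wan0 = ISP uplink.
#
# The "wide open" default feared in the thread would be a forward
# chain that accepts everything, i.e.:
#
#     type filter hook forward priority 0; policy accept;
#
# The policy below keeps every LAN device on a global address
# but only lets in traffic that belongs to a flow started from inside.

table ip6 home_router {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened, plus related
        # traffic such as ICMPv6 errors tied to those flows.
        ct state established,related accept

        # Packets that match no known flow and are not valid
        # connection openers.
        ct state invalid drop

        # LAN hosts may open new connections to the internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 error messages must pass in both directions or
        # path MTU discovery breaks (see RFC 4890).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Optional: allow inbound ping, rate limited.
        icmpv6 type echo-request limit rate 10/second accept

        # Unsolicited inbound connections from wan0 to lan0 match
        # none of the rules above and fall through to policy drop.
    }
}
```

The resulting exposure is the same as behind an IPv4 NAT router: outbound flows work and unsolicited inbound connections are dropped, but no address translation takes place.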