As the familiar ‘dotted-quad’ IPv4 addresses are running out, increasing use of IPv6 is probably inevitable. But before IPv6-enabling my services in the datacentres, I thought it would be a good idea to use it on the office network first. I’d like to find out all the problems before deploying it to my clients, for obvious reasons.
So when I decided to change our ADSL provider last year, I chose one which offered native IPv6 access as well as the normal IPv4. Having actually used it for a few months, I’ve got concerns about the reliability of real-world IPv6 deployments and the privacy implications.
Native or tunnelled?
With broadband internet connections, you can access IPv6 servers in two ways: native or tunnelled. Tunnelling makes a link over IPv4 to a tunnel broker, and all your IPv6 traffic goes over that link. Native, on the other hand, just sends IPv6 packets over the same pipe as the normal IPv4 packets without encapsulating them, but your ISP needs to know what to do with them.
Tunnelling adds one more element to the configuration, and is only a stopgap solution, so I decided to do it ‘properly’ and use a provider which offers native IPv6 support. There are only a small number of ADSL providers offering native IPv6 in the UK, and I settled on Goscomb.
Cheap ADSL routers don’t support IPv6. No major ISP supports it, so there’s no demand. For either tunnelled or native IPv6, you can get a high-end consumer ADSL router and re-flash it with something like DD-WRT. Or you could add another box and run something like an OpenBSD router behind a simple ADSL modem. This, however, sounds like hard work, and I always prefer to use out-of-the-box equipment which is supported by a vendor.
In the end I chose a Cisco 887M, on the advice of Goscomb. Of course, being an “Enterprise” product, it wasn’t quite as simple as it might have been. There’s a mass of licensing and ROM size issues to navigate, and getting the higher-end 887M rather than the slightly cheaper 877M seemed to make sense.
A rant about Cisco licensing
While I can totally understand the necessity to extract as much money as possible from customers by disabling software features by default, it’s simply unacceptable to fail silently in unexpected ways when these features aren’t enabled.
If you’re getting one of these routers, bear in mind that IPv6 will sort of work, but not quite, until you turn on the “advipservices” license. It’ll appear to work and get an IPv6 address from the remote end, and it’ll even tell other devices on the network which IPv6 address to use, but it won’t route anything.
This wasted a lot of time. I was a bit annoyed when I discovered the cause. Half of IPv6 support is effectively no IPv6 support. You can waste a lot of time trying to debug a configuration when there’s no indication that licensing is the issue.
IPv6 works, and it’s boring
Once you’ve got IPv6 enabled, absolutely nothing changes. This is by design, because IPv6 is just another way of addressing the same services. And it’s also by necessity, because no one is going to deploy an IPv6 only service if 99% of their audience can’t use it.
This list of IPv6 ‘cool stuff’ is not particularly exciting. I have, however, found a simple IPv6-only game, Loops of Zen, which appears to have been set up solely to allow people to complain to their ISP that they can’t get access to the entire internet.
No one notices IPv6 failures
There are only downsides to enabling IPv6, mainly because so few people use it that failures tend to go unnoticed.
For example, the bit.ly URL-shortening service accidentally published a bad AAAA record for their service for 24 hours. This meant that our computers, which prefer to use IPv6 by default, tried to connect to a non-existent server, making most links from Twitter inaccessible. This gave a brief illustration of the dangers of URL-shortening services, but what was interesting was that I could only find four complaints on Twitter about it.
More annoyingly, there was a failure at the BT exchange which broke all the ADSL connections in the local area. When the dodgy equipment was replaced a few days later, my IPv6 started to fail in mysterious ways. I traced this to MTU issues. Because IPv6 requires that hosts only send packets of the right size, rather than routers fragmenting large packets like IPv4, Path MTU Discovery (PMTUD) really must work. This can be thwarted by misguided firewalls blocking ICMP, or just dropped packets. The battle to get PMTUD to work is entertaining, and oddly only necessary after the BT outage.
IPv6 really hasn’t been tested in the real world, and there’s little incentive for anyone to put themselves through the pain of implementing it.
Amusing side effects
Again, because it’s not widely used, people take shortcuts in implementing IPv6 which can lead to interesting side effects. Facebook is an example. You can access it via IPv6 with a different address, http://www.v6.facebook.com/ (which probably won’t work for you as you’re unlikely to have IPv6), but this merely proxies the request to the normal Facebook servers on IPv4.
This has two side effects. Firstly, most of your requests won’t be going over IPv6. To enable efficient delivery of images, scripts and photos, the pages refer to lots of other URLs accessible only over IPv4. Secondly, to Facebook’s security systems, you appear to be connecting from inside Facebook itself. If you enable the right options, you’ll get messages alerting you to the fact you’ve logged in from Palo Alto.
UPDATE — The discussion at Hacker News and the comments below have alerted me to the privacy extensions described in RFC 3041, and pointed out that Windows already supports them by default, and the next Mac OS X will probably be supporting it by default. Current Mac OS X and other operating systems need to be configured to use temporary addresses. The text below has been updated.
IPv6 has lots of interesting features, one of which is Stateless address auto-configuration, which avoids the need to manually assign IPv6 addresses.
Unfortunately, the way it works is to use the MAC address of the hardware as part of the address. The MAC address uniquely identifies the hardware you’re using, and generally can’t be changed. And IPv6 is likely to broadcast it to the internet — one of the big selling points of IPv6 is that you don’t have to use hacks like NAT to get a network of machines onto the internet, so you will get a globally addressable address which reveals your MAC address.
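To make the MAC leak concrete, here is an added example (my own code, not anything from the post or from any vendor) that derives the modified EUI-64 interface identifier SLAAC builds from a MAC address, and checks whether a given IPv6 address carries an embedded MAC or looks like a temporary (privacy-extension) address. The prefix 2001:db8:1234:5678::/64 and the MAC 00:1b:63:aa:bb:cc are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC in half, insert 0xFFFE in the middle, and flip
    the universal/local bit (0x02) of the first octet."""
    octets = bytes(int(x, 16) for x in mac.replace('-', ':').split(':'))
    if len(octets) != 6:
        raise ValueError('expected a 48-bit MAC address')
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b'\xff\xfe' + octets[3:]
    return int.from_bytes(iid, 'big')

def slaac_address(prefix: str, mac: str) -> str:
    """The address a host autoconfigures from a /64 prefix plus its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError('SLAAC needs a /64 prefix')
    addr = int(net.network_address) | eui64_interface_id(mac)
    return str(ipaddress.IPv6Address(addr))

def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 derived address, or return None when
    the interface identifier is not in EUI-64 form (e.g. a temporary
    address).  A random identifier can collide with the ff:fe marker by
    chance, so treat a match as a strong hint rather than proof."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, 'big')
    if b[3:5] != b'\xff\xfe':
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ':'.join(f'{x:02x}' for x in mac)

def audit(addresses):
    """Flag which of a host's global addresses expose the hardware address."""
    return {a: embedded_mac(a) for a in addresses}

if __name__ == '__main__':
    # Constructed sample: documentation prefix plus a sample MAC.
    auto = slaac_address('2001:db8:1234:5678::/64', '00:1b:63:aa:bb:cc')
    temp = '2001:db8:1234:5678:a1b2:c3d4:e5f6:718'   # constructed temporary address
    for addr, mac in audit([auto, temp]).items():
        print(addr, '->', mac or 'no MAC embedded')
```

Running the audit over the output of `ip -6 addr` or `ifconfig` on your own machines shows at a glance which hosts still need temporary addresses turned on.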
Tell the world who you are!
A few years ago, there was a big fuss about Microsoft Office embedding the MAC address of the computer used to create a document in each file. This caused so many privacy concerns, for example being able to track who created a leaked document, that Microsoft was forced to develop a tool for removing hidden data from Office files.
But with IPv6, your MAC address is revealed to anyone you communicate with over IPv6, unless you take steps to set your own manually configured IPv6 address. This only works if you have a fixed computer — mobile devices need to use auto-configuration when they move between networks, making it hard to hide your MAC address.
Let advertisers track you!
IPv6 will allow them to track your computer, regardless of which network it’s on, and there’s very little you can do about it if you use your computer on more than one network. Since e-commerce companies will know your MAC address and your identity when you complete a purchase, I can see them selling this information to consumer information database providers.
Fixing this isn’t hard
These concerns will be fixed when operating system vendors change the default to use the IPv6 privacy extensions. This is gradually happening, but older versions will probably be left as they are. Vendors tend to be reluctant to ship patches which change networking behaviour on existing installations.
In the meantime, enabling temporary addresses is the best solution, although it’s not easy for the average user, and it may not be possible on all devices.
Should you get IPv6?
(Perhaps you have it already… find out with Test IPv6.)
I’ve had this post in draft for a couple of months, making notes on the ‘entertainment’ I’ve been having with IPv6. My first draft was almost a propaganda piece urging everyone to pester their ISPs into supporting IPv6 for the good of the internet.
This version is less positive. It’s expensive and annoying to get equipment which supports IPv6, and the result of this effort is a less reliable internet connection which makes it easier for advertisers to track you.
So no, you probably shouldn’t use IPv6. Not until these issues have been fixed, and ISPs and service providers start to notice when their IPv6 services break.
Or maybe there’s ways of making large scale NAT work so we can all stick with IPv4?