IPv6: Everyone’s an expert

One of the great things about the Internet, it might be argued, is that it gives everyone who wants one a voice. One example of this in action might be this blog. But equally, there are ways of expressing your opinion all over the Internet, most popularly on social media web sites and in the comment sections of ‘normal’ web sites.

One of my slightly weird pastimes is reading the comments on IPv6 articles. Inevitably, every time an article about IPv6 is published on a major news web site, it attracts people who have something to say on the subject but have absolutely no idea what they are talking about. I doubt very many of them have even read an RFC on the subject, let alone understand how it works under the bonnet, so it’s mostly conjecture on their part, and it shows.

For example, a popular comment is that IPv6 should have been developed to be backwards-compatible with IPv4; in other words, an IPv6 packet should be like an IPv4 packet but with optional extensions that only newer equipment can understand. If you think about it, there are some problems with this:

  • IPv4 is binary, and although humans might find “just add an extra digit to the address” easy to understand, computers simply don’t. Converting an address such as 10.5.3.27 to 10.5.3.27.14 is not trivial, because routers and switches need the address to be a fixed length; otherwise the processing of each packet would be unacceptably slow.
  • Although IPv6 is much the same as IPv4, it’s not exactly the same.  Improvements were made in the protocol to make certain things work better, such as different rules on fragmentation and routing.
  • I don’t really buy the argument that IPv6 needs to be directly backwards-compatible with IPv4, because first of all you’d still need to update operating systems, switches, phones, and everything else to handle what might best be described as IPv4.5, and if you’ve done that you might as well just do it properly without having to worry about all the legacy mistakes you made last time.  (Although, you might argue IPv6 as it stands now has made some new mistakes.)

Another popular comment you see is that no-one needs IPv6 because NAT is already the answer to all our problems.  These comments are usually based on one of two fallacies:

  • “NAT is a firewall”.

NAT is in fact not a firewall, although it is easy to see how people might add 2 and 2 to make 5 on this point. It seems to me that a lot of the general public who think they are in some way “technical” perceive NAT as a way of preserving their privacy: their entire network topology is hidden behind usually one (but possibly more than one) IPv4 address, and because their network is nominally hidden, security by obscurity will save them. In fact, this tends to cause more problems than it solves, especially as these same people fail to understand that NAT on its own is not enough for security. Another misconception is that IPv6 does not support firewalls; even if this is not explicitly stated, it’s quite often implied in the comments made. And of course many of these commenters fail to realise that what they are calling “NAT” is more often than not NAT (which does the address translation only) combined with a stateful firewall. This seems to lead to the erroneous conclusion that IPv4 is secure and IPv6 is not, whereas the opposite is usually true.
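To make the NAT-versus-stateful-firewall distinction concrete, here is an added example (not code from the original post) that models the two as separate devices. The NAT has endpoint-independent mapping and filtering (a "full cone" NAT in RFC 4787 terms): once an internal host has opened a mapping, anything arriving at the external port is forwarded inward, whoever sent it. The stateful filter admits an inbound packet only when it answers a flow it saw going out, and it needs no address translation to do that, which is what an IPv6 firewall does. Every address is from a documentation range and every flow is constructed for the demonstration.

```python
# Added example, not from the original post: a toy model of why NAT on its own
# is not a firewall, and why a stateful filter gives the same "only replies
# get in" behaviour without translating any addresses.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class FullConeNAPT:
    """Port-translating NAT that keeps no memory of the remote peer."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        self._out: Dict[Tuple[str, int], int] = {}  # (internal ip, port) -> external port
        self._in: Dict[int, Tuple[str, int]] = {}   # external port -> (internal ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        return Packet(self.external_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self._in.get(pkt.dst_port)
        if target is None:
            return None  # no mapping, so there is nowhere to deliver it
        # A mapping exists: forwarded regardless of who the sender is.
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


class StatefulFilter:
    """Connection-tracking filter: inbound must match a seen outbound 4-tuple."""

    def __init__(self) -> None:
        self._flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> Packet:
        self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt if reverse in self._flows else None


class NATPlusFirewall:
    """What a typical home router actually is: NAT plus a stateful filter."""

    def __init__(self, nat: FullConeNAPT, fw: StatefulFilter) -> None:
        self.nat, self.fw = nat, fw

    def outbound(self, pkt: Packet) -> Packet:
        return self.nat.outbound(self.fw.outbound(pkt))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        translated = self.nat.inbound(pkt)
        return self.fw.inbound(translated) if translated is not None else None


def probe(device, internal_ip: str, server_ip: str, stranger_ip: str) -> Tuple[bool, bool]:
    """Open one flow from internal_ip to server_ip, then report whether
    (a) the genuine reply and (b) an unsolicited packet from stranger_ip aimed
    at the same port reach the internal host."""
    out = device.outbound(Packet(internal_ip, 5000, server_ip, 443))
    reply = device.inbound(Packet(server_ip, 443, out.src_ip, out.src_port))
    stranger = device.inbound(Packet(stranger_ip, 12345, out.src_ip, out.src_port))
    return reply is not None, stranger is not None


if __name__ == "__main__":
    v4 = ("192.168.1.10", "203.0.113.7", "192.0.2.99")
    v6 = ("2001:db8::10", "2001:db8:1::7", "2001:db8:bad::99")
    print("NAT only (reply, stranger):      ", probe(FullConeNAPT("198.51.100.1"), *v4))
    print("IPv6 stateful filter:            ", probe(StatefulFilter(), *v6))
    print("NAT + stateful filter:           ",
          probe(NATPlusFirewall(FullConeNAPT("198.51.100.1"), StatefulFilter()), *v4))
```

The NAT-only device lets the stranger's packet through to the internal host, the stateful filter does not, and the combined device behaves like the filter. The security people attribute to "NAT" comes from the second half of that pairing, which IPv6 keeps.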

  • “Every device having a unique IPv6 address is a gross invasion of my privacy”

This was never a problem for people in the early days of IPv4, pre-1995, before NAT was invented.  Just like everyone has a postal address, which is (usually) unique to the property, it was assumed that each computer on the Internet had a unique address, and the system works well.

NAT of course broke this unique link, and anyone who has a NATed connection to the Internet effectively has to go through the digital equivalent of a shared mailbox or a PO Box. We are now living in a world where at least one or two generations of IT workers cannot remember what life was like before NAT was invented. I’m one of the fortunate ones who does remember what the Internet was like before NAT (just), and therefore I think I’m more keen to move to IPv6 than many of the people who don’t remember a world without NAT, because I remember the “good old days” (which weren’t all good, but having a unique IPv4 address was good).

The two main objections to unique IP addresses appear to be:

  1. IPv6 addresses contain your MAC address or EUI-64 hardware address, so not only can they track you by your address, they can even tell what specific piece of hardware you are using
  2. I don’t like being tracked by <insert organisation here>

Again, although the first point is absolutely true in certain cases, this isn’t necessarily the case now. IPv6 Privacy Extensions were invented for just this case, where people in “extreme paranoia” mode wanted random addresses. Windows desktop operating systems and Android at least have this turned on out of the box, and probably others too now: effectively you are given a random 64-bit interface identifier (which changes every so often) which has no meaning whatsoever to anyone. This doesn’t make a lot of sense for servers, but it can be turned on and off at will. Also, there’s no compulsion to use autoconfigured addresses at all in IPv6 if you don’t want to; you are still free to allocate them statically just like you did in IPv4 if you really want.
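The following is an added example (not code from the original post) showing what the two kinds of interface identifier actually look like: how a modified EUI-64 identifier is built from a 48-bit MAC, how to recognise one in an address so you can audit which hosts are still advertising their hardware (the check a defender wants), and what an RFC 4941-style random identifier is instead. The MAC address, prefix and address list are constructed for the demonstration.

```python
# Added example, not from the original post: EUI-64 derived versus random
# (privacy extension) interface identifiers, plus an audit check for the
# former. Sample MAC, prefix and addresses are made up.
import ipaddress
import secrets
from typing import Dict, Iterable, Optional

UL_BIT = 1 << 57  # universal/local bit: 0x02 of the first octet of the 64-bit IID


def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): split the MAC, insert 0xFFFE
    in the middle and complement the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ UL_BIT


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host without privacy extensions autoconfigures."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid_from_mac(mac))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 derived address, or None when the
    identifier lacks the 0xFFFE marker. None does not prove the address is
    random, only that it is not a plain EUI-64 one (it could be static)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def random_iid() -> int:
    """RFC 4941-style temporary identifier: 64 random bits with the
    universal/local bit cleared so it cannot be mistaken for a global EUI-64."""
    return secrets.randbits(64) & ~UL_BIT


def audit_hardware_exposure(addresses: Iterable[str]) -> Dict[str, str]:
    """Map each address that reveals a MAC to that MAC; addresses using random
    or static identifiers are left out."""
    found = {}
    for addr in addresses:
        mac = mac_from_eui64_address(addr)
        if mac is not None:
            found[addr] = mac
    return found


if __name__ == "__main__":
    mac = "00:1b:21:aa:bb:cc"  # constructed sample MAC
    eui = slaac_address("2001:db8:1::/64", mac)
    rnd = ipaddress.IPv6Address(int(ipaddress.IPv6Address("2001:db8:1::")) | random_iid())
    print("EUI-64 address :", eui, "-> reveals", mac_from_eui64_address(str(eui)))
    print("random address :", rnd, "-> reveals", mac_from_eui64_address(str(rnd)))
    print("audit          :", audit_hardware_exposure([str(eui), str(rnd)]))
```

Running the audit over addresses seen in your own logs or neighbour tables is a quick way to spot hosts that still have privacy extensions turned off; for servers with static addresses the absence of the ff:fe marker is expected and harmless.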

The second point is also a bit fallacious. Even with NAT, it’s still possible in theory to track you down, just as in the IPv4 world: if you want to track down a customer of an ISP who is using a dynamic IPv4 address, the ISP can still tell you who is paying the bill for that address. It may not be able to tell the exact device you’re using, but if you’re up to no good then IPv4 doesn’t really give you much more protection than IPv6 does. Plus, there’s better ways of tracking you than IP addresses – just ask companies like Facebook or the advertising networks.

  • IPv6 is not backwards compatible with IPv4, which means it’s bad.

Again, this isn’t much of an argument, because what people forget is that both protocols can run side-by-side on the same Internet connection. This means it doesn’t need to be backwards compatible! I mean, people might have a point if your ISP required you to buy a special second Internet connection on a second phone line to make use of it, but that’s not how it works. (And I suspect a lot of people don’t understand this point because they’ve never seen IPv6 dual stack in action for themselves.) The reason they can run side by side is that both protocols have a different Ethertype value (IPv6 is 0x86DD, and IPv4 is 0x8000), so any equipment that can’t understand IPv6 will just ignore the packets. On the vast majority of operating systems, you’ll know if you have IPv6 because you’ll get an IPv6 address as well as an IPv4 address, and the two run side by side. I’m pretty sure that (at the time of writing), now that Sky have almost completed their rollout of IPv6, most of their customers not only don’t know what IPv6 is, they probably don’t realise that their connections to Facebook, Google, YouTube, Netflix etc. are even using it!
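Here is an added example (not code from the original post) of the Ethertype dispatch that makes dual stack possible. A minimal frame parser reads the 16-bit Ethertype that follows the two MAC addresses, using the IANA-registered values 0x0800 for IPv4 and 0x86DD for IPv6, hands each protocol's header to the right decoder, and returns None for anything it does not implement, which is all an IPv4-only device does with an IPv6 frame. It also checks that the IP version nibble agrees with the Ethertype, a cheap sanity check worth keeping in any packet-handling code. The MAC addresses and frames are built by hand for the demonstration, with zero checksums.

```python
# Added example, not from the original post: Ethertype-based demultiplexing of
# IPv4 and IPv6 frames sharing one link. Frames below are constructed.
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800  # IANA-registered value
ETHERTYPE_IPV6 = 0x86DD  # IANA-registered value
ETHERTYPE_ARP = 0x0806   # used here only as "something else on the wire"

MAC_DST = bytes.fromhex("00005e0053aa")  # constructed sample MACs
MAC_SRC = bytes.fromhex("00005e0053bb")


def parse_frame(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (protocol, destination address) for a protocol this node
    implements, or None for an Ethertype it does not (the frame is ignored)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20 or payload[0] >> 4 != 4:
            raise ValueError("Ethertype says IPv4 but the header does not")
        return "IPv4", str(ipaddress.IPv4Address(payload[16:20]))
    if ethertype == ETHERTYPE_IPV6:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            raise ValueError("Ethertype says IPv6 but the header does not")
        return "IPv6", str(ipaddress.IPv6Address(payload[24:40]))
    return None


def build_ipv4_frame(dst_ip: str) -> bytes:
    """Ethernet + bare 20-byte IPv4 header (TTL 64, protocol 6, checksum 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address("192.0.2.1").packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    return MAC_DST + MAC_SRC + struct.pack("!H", ETHERTYPE_IPV4) + hdr


def build_ipv6_frame(dst_ip: str) -> bytes:
    """Ethernet + bare 40-byte IPv6 header (next header 59 = none, hop limit 64)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                      ipaddress.IPv6Address("2001:db8::1").packed,
                      ipaddress.IPv6Address(dst_ip).packed)
    return MAC_DST + MAC_SRC + struct.pack("!H", ETHERTYPE_IPV6) + hdr


def build_arp_frame() -> bytes:
    """Placeholder ARP-sized frame: only its Ethertype matters here."""
    return MAC_DST + MAC_SRC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def demux(frames: List[bytes]) -> Dict[str, object]:
    """Sort a capture by protocol; a node counts what it cannot parse as ignored."""
    seen: Dict[str, object] = {"IPv4": [], "IPv6": [], "ignored": 0}
    for frame in frames:
        result = parse_frame(frame)
        if result is None:
            seen["ignored"] += 1  # type: ignore[operator]
        else:
            seen[result[0]].append(result[1])  # type: ignore[union-attr]
    return seen


if __name__ == "__main__":
    capture = [build_ipv4_frame("198.51.100.5"), build_ipv6_frame("2001:db8::5"),
               build_arp_frame()]
    print(demux(capture))
```

Both address families arrive on the same interface, distinguished only by that one field; nothing about the IPv4 packets changes when IPv6 is switched on, and an IPv6-ignorant node drops the 0x86DD frames without harm.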

Having a separate protocol is good for many reasons, because it gave them the chance to fix bugs in a way that didn’t need to be compatible with the bodges of yesteryear.  Granted, I don’t think everything was got right in IPv6, but it certainly solved a few problems in IPv4 that needed to be solved.

Oh well, everyone’s an expert – the problem is if you don’t know what you’re talking about, you might think that someone who posts a comment that sounds a little bit ‘authoritative’ must know what they’re talking about – but they are likely to be equally wrong.

Social media web sites such as Twitter and Facebook have a lot to answer for, is all I can say…

And why should you believe me any more than anyone else on this subject?  Well, at least I can say I’ve read the RFCs!  (And had IPv6 running on the public Internet for over 10 years).

PS: Feel free to post clueless IPv6 comments to this article, cos it will make me laugh.