Once you’ve spent a few hours trying to understand the implications of IPv6, you quickly realize that the only significant change is the increase in the address length. All the other goals that some people had been talking about were either forgotten or failed due to huge mismatch between idealistic view of the Internet IPv6 developers had 15 years ago and today’s reality. However, you still find mythical properties of IPv6 propagated across the Internet. Here are a few I’ve found; add your favorites in the comments.
IPv6 provides service/location separation. Total nonsense. The only mechanism used to find services is still DNS and it’s still used from the wrong position in the protocol stack.
IPv6 will reduce IP routing tables. Not true. IETF had 15 years to solve multihoming issues, but failed to do so. SHIM, SCTP and friends are still in a very experimental stage. If anything, the situation will only get worse, as everyone will try to get PI address space.
IPv6 will reduce BGP problems. Just the opposite. Not only will the size of the IPv6 global routing table increase, IPv6 BGP tables use more space (and more bandwidth) than the corresponding IPv4 BGP tables.
IPv6 has better quality of service. Total nonsense; the only widespread QoS mechanism is DiffServ that uses DSCP.
IPv6 has better security. Not true. IPSec might be better integrated in IPv6 headers, but there’s nothing you can do with IPv6 IPSec that you cannot do with IPv4 IPSec.
Residential IPv6 is less secure because it does not require NAT. Anyone who thinks NAT is a security feature deserves to become part of a botnet.
* stateful FW (or at least a reasonable ACL) will have to become a default configuration of low-end ($2.99 ;) CPE routers.
* consumer NAT (not the Cisco IOS implementation) makes inside host vulnerable as soon as it opens an outbound session (at least on UDP).
Modern hosts have grown up in the jungle, and my laptop I take around with me anywhere. Certainly to unprotected networks. What value does that firewall give me anyway? Most of the 'security' issues in the home aren't things which are caught by a firewall anyway.
If you are concerned about simpler devices like printers and sensors; one could give them only a ULA address and virtually keep them off the big bad Internet.
2) vulnerable how exactly? what can the attacker inject from the outside besides packets from the UDP flow?
note that you add a condition "as soon as ...". With ipv6, no condition required, I can send all the bad packets I want to my target since its address is public.
I love it!
For those who aren't getting it: NAT by itself does not provide security. Dynamic NAT (aka PAT, aka overloaded NAT, aka multiplexing multiple conversations onto a single layer 3 address using layer 4 port translations) provides some degree of security because it has the side effect of creating state. You will need to run a simple stateful firewall in front of IPv6 clients to get the same effect. This is not a hard problem. Stateful firewalls have no place in front of servers in the first place; owners of IPv6 server farms will need to ensure that their vendor supports stateless ACLs in hardware for IPv6 just like they do for IPv4.
I think it's great on a site-local level, it's gonna be huge on a global level.
@Ivan: Agree with most of the explanations except:
IPv6 has better quality of service - that's standard in the header, not just recomandation as in v4.
IPv6 has better security - partially agree - in v4 ipsec is in userspace, in v6 in stack. Huge difference.
Overall I agree with Ivan. I specially like the last myth. The last myth to break remains ICMP role in networks - in general. That's hard to understand for some people, specially ones coming strictly from v4 world :)
I agree with all the myths except LISP and not able to understand what exactly the problem is? I think more discussion and debate on LISP will get some fruitful results. O:-)
Major bonus points for "Anyone who thinks NAT is a security feature deserves to become part of a botnet." :)
Many assumptions are made without thinking that the way the Internet works has changed and will change in future.