IPv6 networking: Bad news for small biz
You may not get fired for buying Cisco, but you can go bust
Sysadmin blog IPv6 is traditionally a networking topic. Yet IPv6 is as much a business consideration as it is a technical one. As world IPv6 day rolls around again, we're going to see an ever-increasing amount of technical IPv6 coverage. Before we do, I think a business interjection is warranted.
IPv6 was neither designed for small biz nor consumers. IPv6 was designed by big-ticket network engineers bearing global infrastructure and enormous enterprise networks in mind. Learned gentlemen who live in a world where buying IBM and connecting it with Cisco never got anyone fired.
High atop this lofty tower of big data and even bigger budgets, RFC after RFC was submitted, debated, refined, revised and eventually implemented in the code we see in our operating systems today. Problems faced by enterprise networks needed solving, and IPv6 evolved into an excellent solution.
But nobody worried about the little guy. There are a lot more of us small and medium enterprises than big heavies. With IPv4 allocations gone we're facing having to adopt a protocol with some significant flaws. Well, flaws for normal people; they're pretty much irrelevant if you have a big enough budget.
The elephant in the room is renumbering. In the IPv4 world, you have one internet addressable IP address and the rest of your network lives in a non-routable space. Your internal network is on the other end of a NAT firewall, subnetted and organized into something that makes sense for the local sysadmins. If you need to change your internet service provider for any reason, that's perfectly okay. Your external address changes, a few firewall rules are changed and life moves on. If you need to reorganize your address space internally, no problem! You execute the change, and the outside world is none the wiser. Simple, easy and convenient.
In an IPv6 world, this is a no-no. There is no NAT; it was deemed heretical by the priestly caste of network engineers running the holy church of the IETF. Blasphemers are chastened and belittled. So what are our options?
The official answer is a combo deal. You must accept that renumbering is the new order. If you change ISPs and your assigned block changes then you must have every single computer, switch, router, printer, and network-attached doodad change with it.
No more static addresses*, not even for servers. Everything should be configured by DHCP or stateless autoconfiguration. Whereas in an IPv4 world you created firewall rules for servers (and the applications they ran) by IP, in an IPv6 world your firewall will still work because all your systems should have proper fully qualified domain names.
The domain name assignation will "just work" because it will be tied into the DHCP and into a proper, full-blown asset management system. You will record all your MAC addresses for all your servers correctly, and assign them to the right profile. All of this will work together flawlessly, human error somehow won't happen, and the market will create solutions that are easy to use.
Sure it will. It's been 13 years since the original RFC for IPv6 was published, and there is a marked dearth of usable SME or consumer gear that pulls off all of this majesty and wonder.
Right about now, an interjection typically begins "but the Cisco…" and I have to stop everyone right there. If your argument includes the words Cisco or Juniper, we're not talking about the same market.
The budgets available for the IT space I am talking about differ by an order of magnitude. Despite this, we somehow manage to provide uptimes no worse than the big guys and still manage redundancy. At least we do in an IPv4 world.
This leads into the other major issue with IPv6: the inability to do multihoming. In an IPv4 world this is simple and cheap. The IPv6 solution is "get a carrier-independent address assignment and do proper routing".
And I'd like to be the King of all Londinium and wear a shiny hat.
Meanwhile on planet Earth
These folks obviously know nothing about life on the frugal edge. Consumer-grade ISP connections simply don't allow for that sort of thing. Even if you have the cash for your ISP's so-called business-class package, they'll still give you the stink eye the instant you start talking about such tomfoolery.
From a purely technical perspective, is the suggestion on the table really that three-person companies seeking ISP redundancy start doing BGP? That is the single craziest thing I have ever heard.
There are other issues, and the necessary solution is finally getting some attention. Even the IETF has (with great protest) recognized the need for NAT in IPv6. It's called Network Prefix Translation (NPT) now; more traditional NAT implementations have already been introduced and shot down.
Right about here, a network priest is bound to butt in with many and varied horror stories, invariably coming back to "it breaks the holy end-to-end-model whose restoration is of paramount importance".
This is where the business side of the equation is important. IPv6 NAT is here, today. Implementations exist in the real world. It is cheap, simple, and makes nearly all of the IPv6 problems that SMEs and consumers have simply go away. The few remaining bugs with it are being worked out.
In 13 years, the alternatives put on the table have boiled down to "spend more than you have available". Worse, the rationale typically presented simply doesn't matter to the people buying and implementing IT equipment in the SME and consumer space.
The chance for the priestly caste of network engineers to reshape the world has passed. A laser focus on the technical came at the cost of any focus whatsoever on the practical. In the end, the high priests of the internet simply didn't give the fuzzy wuzzies reason enough to believe.
 NPT is a 1:1 form of NAT. You can assign computers behind the firewall addresses according to whatever schema makes the most sense to you. You can use the firewall to map them 1:1 to an external block. So your server on the internal IP fd05:936e:4ab8::0024 can map directly to an external IP such as 2001:cdba:3257:9652::0024.
When you change ISPs you simply change the prefix configuration in the firewall without having to redo all of the rules, and without having to readdress a single network device. fd05:936e:4ab8::0024 now maps to 2001:556e:3311:abfc::0024, and Bob's your uncle.
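The 1:1 prefix mapping the footnote describes, written out as an added Python example (this is not code from the article or from any product it mentions). It assumes both the internal ULA block and the provider-assigned blocks are /64s, since the article gives only the addresses, and the inbound allow-list is a constructed sample. It shows the two properties the footnote claims: the host bits survive translation unchanged, and switching ISPs touches exactly one configuration value while the firewall rules, written against internal addresses, stay as they are. Production NPTv6 (RFC 6296) additionally adjusts one 16-bit word so the rewrite is checksum-neutral; that refinement is left out here.

```python
import ipaddress

# Constructed values taken from the article's footnote. The /64 lengths
# are an assumption; the footnote only shows the addresses.
INTERNAL_PREFIX = ipaddress.IPv6Network("fd05:936e:4ab8::/64")
EXTERNAL_PREFIX_ISP_A = ipaddress.IPv6Network("2001:cdba:3257:9652::/64")
EXTERNAL_PREFIX_ISP_B = ipaddress.IPv6Network("2001:556e:3311:abfc::/64")


def translate(addr, from_prefix, to_prefix):
    """Replace the prefix bits of addr, keeping the host bits untouched.

    Returns None when addr is not inside from_prefix, so a caller can
    forward such packets untranslated or drop them rather than mangle them.
    """
    if from_prefix.prefixlen != to_prefix.prefixlen:
        raise ValueError("NPT needs internal and external prefixes of equal length")
    addr = ipaddress.IPv6Address(addr)
    if addr not in from_prefix:
        return None
    host_bits = 128 - from_prefix.prefixlen
    host_part = int(addr) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(to_prefix.network_address) | host_part)


class PrefixTranslator:
    """The firewall's view: one internal prefix, one external prefix."""

    def __init__(self, internal, external):
        self.internal = internal
        self.external = external

    def outbound(self, src):
        # Packet leaving the site: internal source -> external source.
        return translate(src, self.internal, self.external)

    def inbound(self, dst):
        # Packet arriving from the internet: external destination -> internal.
        return translate(dst, self.external, self.internal)

    def renumber(self, new_external):
        # Changing ISP: this is the only state that has to change.
        self.external = new_external


# Constructed inbound allow-list. Rules name internal addresses, so a new
# external prefix never requires rewriting them.
ALLOWED_INBOUND = {
    (ipaddress.IPv6Address("fd05:936e:4ab8::24"), 443),
}


def inbound_permitted(translator, external_dst, port):
    """Translate the destination first, then evaluate the rule on the internal address."""
    internal_dst = translator.inbound(external_dst)
    if internal_dst is None:
        return False  # not addressed to our external block at all
    return (internal_dst, port) in ALLOWED_INBOUND


def renumbering_demo():
    """Walk the footnote's scenario; returns the addresses seen before and after the ISP change."""
    fw = PrefixTranslator(INTERNAL_PREFIX, EXTERNAL_PREFIX_ISP_A)
    server = "fd05:936e:4ab8::24"
    before = str(fw.outbound(server))
    fw.renumber(EXTERNAL_PREFIX_ISP_B)
    after = str(fw.outbound(server))
    return before, after


if __name__ == "__main__":
    print("before/after ISP change:", renumbering_demo())
```

Packets aimed at the old provider's block simply stop matching the external prefix after `renumber`, so they are refused rather than silently routed to a stale mapping.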
Updated to add
* This does not mean that static addressing under IPv6 is not possible; certainly it is, and nearly every IPv6 implementation supports it. It is, however, a terrible idea if there is even a remote possibility that renumbering will need to occur, as it would require manually readdressing each statically addressed interface on each system. This contrasts with the configurability that a 1:1 NAT offers, wherein static addressing is made feasible even in the face of renumbering.
They can have my IPv4 static IP...
...when they prise it from my cold, dead router.
Note to those folks who feel I am "recommending NPT66" here.
I'm not. In fact, I only have the one network with it at the moment; one I set up specifically so that I could figure out how it worked for the article. At the moment I have 16 IPv6 networks up, 4 of which are isolated testbeds. (8 new networks planned for this year alone!)
The article exists for one reason: to let the high priests of the internet know “oh, BTW, that NPT66 thing? It’s in products and in use in SME shops all over the damned place already.” In other words: the utter failure of the priesthood to engage with or care about the issues faced by SME outfits resulted in them (shockingly!) going out and choosing the cheap and simple alternative that actually already existed! Note the two key words: “cheap” and “simple.”
“Right” and “wrong” aren’t in there. Surprisingly, SMEs and consumers don’t give a damn about IP morality.
I see a lot of talk about “use link local or ULA for internal addressing, and that solves everything.” No. It doesn’t. You would still have to re-address all your external-facing servers. I don’t think you quite grasp what that entails. Let me spell it out for you:
For ages upon ages, the big thing holding any SME back from spewing an unlimited number of servers all over the internet has been that they just can’t get enough external IPs. They had to be conservative. They had to put time and effort into using as few servers as possible to use as few IPs as possible.
In an IPv6 world, we have functionally unlimited addresses at a time where we also have the ability to spin up hundreds of VMs on a single physical box. So what do these people do when you give them this ability? They spin up an instance of $server for every conceivable need, attach it to $external_ip and virtual sprawl sits on the internet to a magnitude you cannot possibly comprehend.
Renumbering these servers is an absolute bitch. It’s lunacy. Madness of the sort that makes SME admins pale, and then spontaneously vomit. “Flag days” are simply not allowed in 2012.
In a NPT66 environment, you don’t have to renumber. Ever. Because none of those servers have an external IP address. The only thing holding an external anything is the firewall. It holds the external subnet. It then 1:1 maps addresses back to the servers. The address issues NPT66 solves are not for internal use, but the addresses they will use to serve content to the outside world. Cheaply and simply.
Could you sit there and berate these admins for being “wrong?” Tell them they “aren’t doing it right” and that they need “education” to understand your point of view? Well…you could try. They don’t – and won’t – ever care to hear what you have to say. They are generally overstretched, working against impossible budget constraints, and usually have IT as a secondary or tertiary job.
The article is an exercise in pointing this out. That 13 years of belittling and berating instead of addressing cheap and simple are now biting everyone in the ass. Do I want the high priests angry? Yes. I want to slap each and every one across the face with their own hubris. That is 100% the intent.
Mocking and belittling me will earn you nothing. I am one individual. There are millions of SME admins out there, and I seriously doubt that the priesthood has the time to chasten and belittle each and every one of them thoroughly enough to cause them to change.
No; quite the opposite. The solution to this problem must come from the priesthood itself. You need to get your nerdrage on. You need to get out there and solve cheap and simple with extreme prejudice. You need to advocate and educate that your cheap and simple solution works, works well and works as easy as the alternatives.
Because cheap and simple IPv6 has shown up on our doorstep. And it is NPT66. 13 years of abject failure to address the practical issues have resulted in NAT being the easy choice for millions.
So hey, insult me if it makes you feel better. Question my manhood, technical ability, parentage, DNA sequencing and whatever else gets your happy on. I’m from the internet, I can handle it.
But when you’re done venting your spleen…please go make those cheap and simple products that the SME space needs, okay? Otherwise NAT will quite simply never die.
This topic always depresses me
I admin a number of small networks. IPv4 addressing allows workstations to have a meaningful, memorable and deducible address based off the workstation ID, so VPNing to a site and remoting onto a workstation is easy.
If time is wasted, it's finding machines on DHCP, or sorting problems associated with broken leases or DNS. My clients don't have the budget for kit that works flawlessly, hence the bulletproof static addressing, with DHCP left for mobile equipment.
It's not just that IPv6 isn't going to solve any problems for my clients, it's going to create them, it's going to increase their IT costs, it's going to make finding machines on DHCP harder, lengthening support calls and it's going to smother their networks with additional complexity that none of them are ever going to understand, or even want to understand. This last point may seem counterintuitive given that their lack of knowledge is what keeps my rent paid, but the value of having someone on site that has basic IT skills cannot be overstated.
IPv6 addresses seem to have been designed to infuriate; we're clearly not supposed to remember them or try and make them relevant to the equipment they're assigned to. Instead we're apparently supposed to trust a service to track where everything is. I suppose that makes perfect sense when there are thousands, millions of things to track and the equipment doing the tracking is appropriately priced, but when you've got less than 30 workstations to a site it's not just overkill, it's insane.