Internet 6.0
By Simson Garfinkel
The Net Effect
January 7, 2004
The next version of
the Internet Protocol, IPv6, will supply the world with addresses
by the trillions. Too bad it will also make the Net slower and
less secure.
It will be the biggest, the most
drastic, and the most comprehensive change to the underlying
structure of the Internet in more than 20 years. The deployment of
IPv6—the sixth version of the Internet Protocol—will be a
massive undertaking that will require the reconfiguration of more
than 100 million computers. Not since the adoption of the Internet
Protocol itself in January 1983 has there been such a fundamental
shift. But when the IPv6 rollout is finally done, not all the
effects will be positive: the new Version 6 Internet will be
slower, more friendly to peer-to-peer-based copyright violation
systems, and the computers on it will almost certainly be less
secure.
You might therefore be tempted to
dismiss IPv6 as a technological road to nowhere. But if you did
that, you would be making a mistake. IPv6 is happening. The code
that lets computers talk on an IPv6-enabled network is now built
into the current versions of Windows XP, MacOS, Linux, and many
forms of Unix. Every router made by Cisco comes ready to run IPv6.
So does every Nokia mobile phone. The whole world is getting
dressed up for the IPv6 party.
Will we have anywhere to go? Perhaps Japan or China. IPv6 has
been very big in Asia. While the networking protocol was being
largely ignored by American academia, the Japanese government funded
the KAME Project “to create a single solid software set” of
IPv6 and related technologies. KAME involves researchers from
Fujitsu, Hitachi, Internet Initiative Japan, NEC, Toshiba, and
Yokogawa Electric. KAME software has taken hold in Japan, and
large parts of the Japanese Internet backbone are running IPv6. In
many ways it looks like the United States is falling behind.
So what is IPv6 anyway, and why does it matter?
To answer that will require a bit of a refresher course on the
nature of the Net. The Internet is a huge machine that exists for
the purpose of transporting little packages of information called
packets. You can think about these packets as tiny digital
postcards, each about 500 bytes in length and stamped with the
address of its sender and the intended destination. To understand
these packets, every computer on the Internet needs to communicate
with the same fundamental language. Computer designers call these
languages “protocols.” Today’s Internet uses IPv4, the 4th
version of the Internet Protocol. (Versions 1 through 3 never made
it out of the lab. Neither, for that matter, did Version 5.)
IPv4 is pretty good as protocols go, especially for one that
was designed back in the 1970s. But it does have problems—all of
them tolerable except for one. Every computer on the Internet
needs to have its own Internet address, and IPv4 addresses are
just 32 bits in length. The result of this decision made nearly 30
years ago is that the Internet simply cannot handle more than 2^32
or 4,294,967,296 devices. For a variety of technical reasons, the
actual number of devices is a lot smaller than that—far closer
to 2 billion, in fact.
With hundreds of millions of people using the Internet, with
Internet addresses being dropped into cell phones to support tiny
Web browsers, and with household appliances like refrigerators and
washing machines scheduled to get their own Internet addresses
within the next few years, it’s easy to see why we could soon
run out of those 32-bit addresses.
The most important thing that IPv6 does is quadruple the size
of the Internet address field from 32 bits to 128 bits. Because in
principle, any combination of these 128 bits is a valid address,
this quadrupling results in a massive increase in space. For
example, whereas IPv4 could never supply enough addresses for
every human being on the planet, IPv6 can do that and then some:
in fact, IPv6 could provide each of us roughly 60 thousand
trillion trillion addresses.
Put another way, the switchover will result in roughly
5,000 addresses for every square micrometer of the Earth’s
surface. There are so many IPv6 addresses that humanity will never
run out of them—never, ever.
Those extra bits help explain why
the Asian nations are so interested in IPv6. According to the
trade publication DSL Reports, slightly more than 3 billion of the
4 billion 32-bit IPv4 addresses are now allocated to U.S.-operated
Internet service providers, while China and South
Korea—with a combined population of more than 1.3 billion—have
been allocated 38.5 million and 23.6 million respectively. Is it
any wonder that these countries aren’t happy with IPv4? But
alas, those extra bits don’t come for free. Deploying IPv6 means
that every application that uses Internet addresses needs to be
changed. Every Web browser on every computer, every copy of
Outlook Express, every e-mail server, and every Web server needs
to be upgraded to handle the 128-bit addresses. One transition
strategy calls for most computers to simultaneously have both IPv4
and IPv6 addresses. The problem with this approach is that
there’s never a good time to have people start deploying systems
that are only V6—that’s because somewhere, somebody is going
to have a machine that’s V4 only, and they won’t be able to
communicate with you.
Another obstacle to IPv6 is that the routers that run the
Internet’s backbone circuits aren't set up to handle the longer
addresses. Today, most routers come equipped with special-purpose
integrated circuits that can route IPv4 packets very quickly. But
because there is no demand for it, those routers don’t have
similar hardware that can route V6 in hardware: those packets have
to be routed in software, which is a slower process. As a result,
most experts think that the V4 routers simply couldn’t keep up
if the Internet’s backbone were suddenly switched over to
IPv6—the router hardware would have to be upgraded, which
would be very expensive. Most corporations would face
similar upgrades. At a medium-sized business with perhaps 16
high-speed routers, the cost would easily exceed $1 million.
Yet another problem with IPv6 has to do with all of the
impending security problems it will cause. Network aficionados
will be quick to point out that IPv6 implementations offer
cryptographic security, since the Internet’s IP security (IPsec)
standard is “mandatory,” according to the IPv6 spec. But what
IPv6 boosters won’t tell you, unless you press them, is that
every new IPv6 nameserver, Web server, Web browser, and so on has
new code—code in which security problems may lurk. Indeed,
security problems with new protocol implementations are to be
expected. And while some issues have been found with these new
IPv6 servers, more are sure to be discovered.
But what could be the final nail in the coffin of IPv6 is a
black magic technology that’s made those extra gazillions of IP
addresses far less important than they once were. This
technology—called Network Address Translation, or NAT—lets
dozens or even thousands of computers hide behind a single IP
address. NAT is the key technology that’s built into most
corporate firewalls and practically every home router on the
market.
NAT violates one of the fundamental rules of the original
Internet. With NAT it is no longer true that every computer on the
Internet has its own unique IP address. On today’s Internet,
most computers use so-called “private addresses” that are
hidden behind firewalls. The firewall then rewrites or translates
the packets as they move from inside your home network to the
great beyond; the packets from the Internet get similarly
translated upon their return.
Because of NAT, most technologists have stopped worrying that
the Internet is about to run out of address space. If you have a
home network with a home firewall—and in the future, practically
everybody will—then your toaster, your air conditioner, your
furnace, and your refrigerator can all be plugged into it and
communicate with their manufacturers, with each device sharing
your firewall’s IP address.
But for all of its apparent utility, NAT is really the devil.
It’s a Faustian bargain, a technology that appears to answer all
of a network engineer’s problems, but ultimately causes
long-term troubles that are far more profound than the ones
that it purports to solve. In fact, one of the big reasons that
the Internet’s early technologists wanted to get IPv6 deployed
in the 1990s was to prevent the widespread adoption of NAT.
In its simplest incarnation, NAT creates a kind of one-way
fence: computers behind the NAT firewall can open up connections
to Web servers and mail servers on the Internet, but random
attackers on the Net can’t reach back through the NAT and break
into your unprotected desktops and laptops. It has worked so well,
in fact, that many organizations use NAT as their primary defense
against hackers and worms. NAT has let organizations take the
lemon of limited IP addresses and make a lemonade of improved
security.
But the apparent security that NAT
provides is a mirage. The proliferation of laptops, e-mail
attachments, and open wireless networks means that there are many
opportunities for hackers and worms to get behind a NAT and launch
attacks from the inside. Many organizations have learned the hard
way that you cannot achieve secure computing by relying upon
perimeter defenses (a topic I discussed in a previous
column). At the same time, NAT’s one-way fence makes it
harder for peer-to-peer applications to operate. That’s a
problem for file trading programs such as Kazaa, but it’s also a
problem for Internet telephony and the next generation of
multimedia groupware applications. For example, the two-way
videoconferencing system that’s built into Apple’s iChat
software works behind some kinds of firewalls but not behind
others. The program comes with an elaborate “connection
doctor” program to help users diagnose problems that their
firewall might be causing.
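The two sides of the NAT described above, the one-way fence against unsolicited inbound traffic and the resulting trouble for peer-to-peer callers, in a toy model written for this column's readers rather than taken from it. It models only the "simplest incarnation" the text mentions, a translator keyed on the inside host's address and port, and every address in it is constructed.

```python
# Added illustration, not code from the column: a toy NAT keyed on the inside
# host's (address, port), the "simplest incarnation" the text describes.
# All addresses are constructed (private 192.168.x.x, documentation ranges
# 203.0.113.x and 198.51.100.x).
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"  # the single address the whole home network shares

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (private_ip, private_port) -> public port
        self.in_map = {}   # public port -> (private_ip, private_port)

    def outbound(self, pkt):
        """Packet leaving the private network: rewrite its source to the shared
        public address plus a freshly allocated port, and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet arriving from the Internet: translate it back to the inside host
        that opened the connection, or drop it (None) when no host did. That drop
        is the one-way fence: it stops worms, but also peers trying to call in."""
        inside = self.in_map.get(pkt.dst_port)
        return None if inside is None else Packet(pkt.src_ip, pkt.src_port, *inside)

def demo():
    nat = Nat(PUBLIC_IP)
    # two inside hosts, both using local port 51000, open outbound connections
    web = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    mail = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.25", 25))
    # the web server's reply arrives at the public address and is mapped inside
    reply = nat.inbound(Packet("198.51.100.20", 80, PUBLIC_IP, web.src_port))
    # an unsolicited connection attempt (a worm, or a P2P peer) finds no mapping
    unsolicited = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return {"web": web, "mail": mail, "reply": reply, "unsolicited": unsolicited}
```

Both inside hosts come out on the same public address with different ports, the server's reply finds its way back, and the unsolicited packet is dropped whether it came from a worm or from a friend's videoconferencing client.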
These problems go away when every computer on the Internet
really does have its own IP address—something that’s
impossible today with IPv4, but which is the raison d’être
for IPv6. In a world with IPv6 and without NAT, every computer in
my house has its own unique IP address on the public Internet.
That means my desktop can open up a peer-to-peer connection with
my desktop at work, but it also means that my daughter can network
her machine directly with some teenybopper P2P network in San
Jose. Getting everybody’s home machine out from being a NAT box
should make possible a lot of interesting applications that are
either very difficult or downright impossible today. And in all
likelihood, some of those applications will not be popular with
the Recording Industry Association of America or the Motion
Picture Association of America, both of which have taken the lead
against peer-to-peer networks. As soon as they understand what a
threat IPv6 is to their police actions, they are likely to start
fighting against it.
Given that the full-blown transition to IPv6 hardly seems
imminent, technologists are struggling to at least chart some kind
of workable path between where we are and the wondrous world of
128-bit addresses. One approach that’s been proposed is called
Realm Specific Internet Protocol, or RSIP. Designed as a
replacement for NAT, RSIP allows organizations to keep using
32-bit IP addresses, keep their private address space, and
eliminate the problem of packets being rewritten or translated.
The good thing about RSIP is that it doesn’t require changing
application programs like browsers and e-mail clients; the bad
thing is that it still requires making fundamental changes to
operating systems.
A more likely path is that some small-but-influential
organizations will start to adopt IPv6 internally as a kind of
example, and these organizations will then link up and slowly
build a new IPv6 landscape. Still, it’s hard to see major U.S.
Internet service providers spending the money to upgrade their
backbones from IPv4 to IPv6 unless the transition is mandated by
some big customers or the federal government. The latter is
less far-fetched than you might think: the U.S. Department
of Commerce recently set up a task force to look at the issue,
since it’s widely believed that IPv6 will be more secure than
IPv4 thanks to its use of IP-level encryption. Of course, that
same encryption is available in IPv4 through the IPsec standard.
Asia, Africa, and India will all probably adopt IPv6, but IPv4
will not die in the United States—or even in the federal
government. It’s simply too easy for U.S. homes, businesses, and
government offices to keep using what they have, and let the ISP
set up gateways between the IPv4 Internet and the IPv6 Internet.
Eventually, these gateways will grow into firewalls, passing some
kinds of traffic between the United States and the rest of the
world, but blocking other data—for example, unauthenticated
e-mail that might be spam. The IPv4/IPv6 divide could be similar
to the English/metric divide that we face today, and plans to move
the U.S. Internet to IPv6 could end up being as successful as
plans in the 1970s to change all the speed limit signs to
kilometers per hour.
IPv6? Perhaps my seven-year-old daughter will use it when she
goes to college, but probably only if she goes to Oxford.