IPV6
IPv6 has a plug-and-play feature that makes network auto-configuration possible by simply connecting a device to the network. Is it possible to configure server hardware using plug-and-play?
Answered by: Tomohiro Fujisaki (NTT Information Sharing Platform Laboratories)
When you consider both clients and servers to be IPv6 nodes, IPv6’s plug-and-play features are essentially the same for both. No matter how you look at it, it is a feature to automatically configure the necessary parameters for IP addresses and such used for IPv6 communications. In other words, IPv6’s plug-and-play feature (auto-configuration feature) provides the initial configuration parameters for a node. It does not provide a method for automating configuration for applications that exist at a higher layer (i.e. services running on the server). By using DHCP, which plays a part in IPv6’s plug-and-play feature, it is possible to provide the initial configuration parameters for applications at higher layers; this is the same for IPv4, not just for IPv6.
I heard that the policy on IPv6 address distribution is moving towards becoming more restricted. Is that true?
Answered by: Toshiyuki Hosaka (JPNIC)
In Spring 2005, Geoff Houston (APNIC) announced research findings that showed that up to half of the entire IPv6 address space will be consumed within 60 years if the current pace of allocation is maintained. This led to a proposal at each Regional Internet Registry (RIR) to revise the IPv6 address policy.
Currently, our company is connecting the headquarters and branches with Internet VPN (IPv4 IPsec). Can we move to either of the following two types of IPv6 communications? Are there any products supporting such communications?
1. IPv6 over Internet VPN (IPv4 IPsec)
2. dual stack of IPv4 IPsec and IPv6 IPsec (over IPv4/IPv6 dual protocol services)
Answered by: Koji Yamazaki (System Engineering, NTT Communications)
Let me answer on the two types of communications one by one.
Is it possible to get data encrypted with Windows XP IPv6 networking?
Answered by: Izumi Miki (Impress Corp.)
Windows Server 2003 and Windows XP have IPsec feature. Use of IPsec is supported in IPv6 environment. But this IPv6 IPsec implementation does not support encryption of payload data. Windows family IPv6 IPsec feature at present can be used to authenticate the sender and to prevent data repudiation.
It is also true that IPv6 IPsec in Windows family at present does not support Internet Key Exchange (IKE), an automatic key exchange mechanism.
How can I obtain address space for IPv6 multicast video distribution service?
Answered by: Tomohiro Fujisaki (NTT Information Sharing Platform Laboratories)
In IPv4 world, if you want to offer video distribution and other services using IP multicast, you most likely use the address with AS number embedded, as defined in RFC2770. But this means you have to have AS number already. In this method the number of addresses an organization can use is limited to 8 bits.
With IPv6 multicast, you generally use the multicast addresses based on the IPv6 address space your organizations have, as defined in RFC3306 and RFC3956.
In other words, IPv6 multicast is easier to use than IPv4 because your own unique multicast address is secured.
With IPv4 multicast, there is another method for you to dynamically find unused addresses from among the multicast address block for shared use. But this block is so small that there is a high probability of collision, so that it is indispensable to conduct negotiation using special protocols for this purpose when you want to multicast on global Internet.
What is “multi-prefix”?
Answered by: Izumi Miki (Impress Corp.)
IPv6 allows a single network interface of a device to have multiple addresses. This can be utilized by multiple service providers to home and other end-user networks, to assign different routing prefix to help service separation and differentiation. The word “multi-prefix” should only mean plural prefixes, but some IPv6 researchers are beginning to use this phrase with the above scenario. With multi-prefix, a single PC can use different source address for each application used, and application service providers can apply different security and/or QoS policy for the source address. It is considered a promising method for IPv6 site multihoming as shown in RFC 3582: Goals for IPv6 Site-Multihoming Architectures.
However, actual implementation of services using multi-prefixes is in an initial stage of research by some service providers. There is also a possibility of using other means of service differenciations based on packet destinations. It is unknown how widely multi-prefix will be used in the future.
What will be the relationship between IPv6 and IPsec?
Answered by: Izumi Miki (Impress Corp.)
There are different opinions as to how IPsec will be used in the coming IPv6 world.
IPv6 standard mandates all nodes to implement IPv6. Therefore, we can expect more use of IPsec between nodes. But this issue needs to be considered with specific scenarios in mind. Consumer/non-PC services and corporate networking have different security requirements.
For consumer/non-PC services, IPsec can be actively used for sensitive communication over low-cost Internet connectivity. However, some Non-PC devices are hard to implement IPsec. Some sort of security gateway might be used to perform IPsec functions.
Adoption of IPsec in corporate networking may be slow, because it makes it difficult for companies to maintain their corporate security policy. It is very difficult for administrators to allow users to use IPsec for end-to-end communications, in a way administrator cannot know what these communications are. It is possible that companies will ultimately adopt solutions that automatically allow IPsec communications that meets company security policy only.
If IPsec may only be used for creating secure pipes between different sites, still IPv6 has a significant advantage over IPv4, in that there is no possibility of private address collisions, while it enables more ad hoc secure connections with flexible use of IPsec.
What do you mean by “IPv6 address field is 128bit”?
Answered by: Izumi Miki (Impress Corp.)
Bit is the unit of information handled by computers. It is expressed in binary number. “128bit” is 128 in binary expression, which is 2 to the 128th power, or:
340,282,366,920,938,463,463,374,607,431,768,211,456
128bit can create this many unique numbers. IPv6 address is expressed in 128bit. Therefore, there can be so many unique IPv6 addresses theoretically.
Incidentally, currently-used IPv4 address is expressed in 32bit, so theoretically, there can be:
4,294,967,296 addresses
See how different the number of address is!
Would IPv6 give addresses to anything on earth?
Answered by: Izumi Miki (Impress)
It is true that IPv6 offers a huge address space, and facilitates connectivity of those things that we have never dreamed of connecting. In fact, some consumer electronics vendors appear to feel that I would be convenient for them to give IPv6 addresses to all of their products, irrespective of network connectivity capability. But it is debatable if it is appropriate to allocate IPv6 addresses to things that don't require direct network connection.
Some people think that IPv6 address can be used to identify each object. But emerging RFID technology can do the job. Current barcode usually includes the vender ID and item number, but RFID further includes ID information, for identification of objects. In other words, a milk pack or a melon only needs to have a small and non-powered RFID tag, and ID information is recognized by the RFID reader with IP connectivity, for retrieval of relevant information about this object from databases on the network.
Still, some others are exploring the possibility of mapping RFID and IPv6 address, to enable proxy communications by RFID readers, in order to bring about new applications.
On direct allocation of IPv6 addresses from Regional Internet Registries (RIRs), would a company satisfy the requirement that it shouldn't be an endsite if this company is offering communication services only for its parent company and group companies?
Answered by: Toshiyuki Hosaka (JPNIC)
The company can satisfy the requirement of not being an endsite in this scenario, provided that this company assigns IPv6 addresses to its group companies, not to itself, and (this is important) offer IPv6 connectivity services to these organizations. In such case, this company can be considered an LIR and be conducting assignment of IPv6 addresses and IPv6 connectivity services to other organizations.
Have TLA and NLA been obsoleted?
Answered by: Izumi Miki (Impress)
IPv6 has a rule to allocate address blocks in a hierarchical manner. Organizations meeting certain requirements were able to get IPv6 address blocks directly allocated from RIRs, such as ARIN, APNIC, LACNIC, which were called TLA (Top Level Aggregation) IDs. Organizations with TLA, in turn could allocate address blocks to other organizations (including user organizations), which were called NLA (Next Level Aggregation) IDs. But these terms were obsoleted, to be replaced by a single term, "Global Routing Prefix". Another term, sTLA (sub-Top Level Aggregation) ID, was used for temporary allocation of TLA IDs. But sTLA was also obsoleted. Reasons can be found in RFC3587.
Addresses used for subnetting an organizational network was called "Site-Level Aggregation ID", but this was also replaced by "subnet ID".
With IPv6, can we offer P2P game service that users can easily join without firewall and other configurations?
Koji Ogawa
Sony Broadband Solution
I take the question to read "is IPv6 effective as a P2P gaming solution which allows participation without technical knowledge?" I will answer the current problems with IPv4 in building a game site hosting P2P network gaming and if IPv6 can solve these problems.
Problem 2 occurs also because IPv4 global address space is limited. IP masquerade and port forwarding is necessary for this reason. The cause of the problem is the same as Problem 1, so it can be solved with IPv6.
Problem 3 occurs because home router vendor closes all ports usually unused by default as a security measure. This is a port issue, and it occurs with IPv6, too. If home router vendors decide that unused ports should be closed with IPv6, they will close them by default. So IPv6 won't solve it. IPv6 is only one of several solutions. IPv6 is currently in the initial diffusion process, and still to be used at home.
For your information, I listed the example of solutions utilizing a widely-used IPv4 infrastructure. You have restrictions, but there are possibilities in IPv4, too.
If you want to use P2P,
-Try using UPnP to automate router port control
You may decide not to use P2P. You can
-Change the game from P2P to client/server
-Implement you game with Flash/java applet
Still, port control is necessary with these solutions.
You may use a platform other than PCs.
-Implement your game on cellular phones
When can we say a router supports IPv6?
Yoichi Tsukioka
Hitachi, Ltd.
In general, a router is a network device which conducts forwarding of IP packets on network layer (Layer 3). Therefore, we can say a router is IPv6-enabled if it can look at IPv6 packet information and forward them to appropriate routes. An IPv6-enabled router usually supports IPv4, too. It is sometimes called "IPv4/IPv6 dual stack" router.
There are various routers built for different purposes. Naturally, they are required to offer different features. You need to check with each router which routing protocols (RIP, OSPF, BGP, PIM-SM for multicast, etc) are IPv6-enabled. As for other features such as filtering, QoS, and network management, there are routers without IPv6 support for some of them, or without sufficient IPv6 support. Same thing can be said about various tunneling technology used in mixed IPv4/IPv6 environment.
Many routers have come up with commercial IPv6 support, beginning with large routers for mission-critical networking. But you should examine exactly if required features are IPv6-enabled, from datasheets, manuals and other information made public by the vendors.
Some people say that firewalls will not be necessary for IPv6-enabled organizations, because IPv6 terminals can use IPsec for security. I donyr think so.
Answered by: Izumi Miki (Impress)
I can find almost no expert who considers that firewalls will be unnecessary. End-to-end connectivity is one of the greatest advantages of IPv6. I would be great if security can be managed at terminal level. Theoretically, it is possible for an organization to require use of personal firewalls with organizational security policy installed. But it is very difficult to do in reality.
Firewall administrators cannot allow IPsec encrypted communication without questioning. They cannot assure organizational security when they might be allowing an unauthorized terminal inside is conducting encrypted communications to an unknown terminal outside.
Therefore, terminal-level IPsec will be initially limited to specific terminal for specific purpose. For example, a terminal which needs to use IPsec to communicate with a terminal outside, it would specify the opponent and purpose of IPsec communication. Firewalls would automatically decide if this communication should be allowed, based on organizational security policy. Firewalls have to be able to automatically close the hole when the communication is terminated.
Is there any IPv6-enabled wireless LAN access points with 802.1x?
Does 802.1x have to do with IPv4/IPv6 anyway?
Answered by: Hiromi Komiya (Aruba Networks)
802.1x authentication and data encryption protocols are not just for wireless LAN. It was originally designed for wired LAN. But let me take wireless LAN as an example, as that's what you are asking.
In wirelss LAN, 801x authentication process involves client (normally PCs), a wirelss LAN access point, and an authentication server (RADIUS server).
Let's examine communications between client and access point. 802.1x is designed to authenticate clients before association with the access point, as wireless signals can be received by any terminals. Clients attempt to connect with the following procedure.
802.1x is used before client gets IP address. In other words, 802.1x does not run on IPv4 nor IPv6.
On the other hand, access point and RADIUS server communicates with RADIUS protocol which runs on IP. Therefore, if you want to use 802.1x on IPv6-only network, you need to have both access point and RADIUS server IPv6-enabled. But on a network running both IPv4 and IPv6, access point and RADIUS server can talk with IPv4.
In summary, you don't need IPv6 support in any of the 802.1x components unless you have to use RADIUS on IPv6.
I heard IPv6 address blocks have to be returned. Is that true?
Answered by: Izumi Miki (Impress Corporation)
End-user sites or individuals don't get direct allocation of IPv6 address blocks by the Internet Registries, just as they won't get IPv4 addresses allocated directly at present. Your ISP allocates network portion of IPv6 address (network prefix) to your homes or organizations. Therefore, it could be said that end users are only borrowing network prefixes from ISPs. You have to return IPv6 address range you have used when you stop using the ISP.
As for service providers getting direct assignment of IPv6 address blocks from ARIN, APNIC, RIPE NCC, etc., IPv4 address policy says the providers have to return the assigned addresses when they no longer use them. There are cases that organizations are requested to return addresses to the Internet Registries. In IPv6, there is no equivalent rule at present. That's because IPv6 assignment has not reached the stage where people need to discuss address returns. But it's possible that IPv6 address policy defines a similar rule in the future.
IPv6 is not really popular yet. Why is the adoption not accelerated despite governmental push?
Answered by: Izumi Miki (Impress Corporation)
Current Internet, or IPv4 networkinghas shown an explosive growth because a lot of people felt Web and e-mail irresistible. However governments want to promote a specific move, people need to feel the need to go with it. Nothing can become popular without support by the people.
We can say that ultimately, we will use up IPv4 addresses, which makes use of IPv6 inevitable. But IPv4 networking won't disppear overnight. There will be a long transitional phase.
Then, how will IPv6 be adopted before such crucial need arises? To put it simply, IPv6 will be gradually used as a means to make it easier to connect various things to the Internet.Some hard disk video recorder products have Ethernet port for network connection. But few of them allow users to connect directly from outside home for remote control or for viewing recorded video.
As interactive use of the Internet by home computers and consumer appliances common, people will begin to feel the current NAT functionality by home routers obstructive. NAT often requires users to reconfigure home routers for new applications and devices. That may be OK for power users, but unbearable for general users. IPv4 environment prevents net-enabled appliances to be used as appliances. In other words, current net-enabled appliances are limited in functionality and market because we use IPv4 now.
Therefore, IPv6 will be used at home as "real" net-enabled home appliances get popular.
Outside home, we will soon begin to see various devices which could not use the Internet (or IP networking) to get connected on the Net. For devices that have used proprietary protocols for data exchanges, IP networking is irresistible because it enables inexpenside realtime networking to and from anywhere in the world. As various social services get net-enabled, implementers will prefer IPv6 for its ease in configuring and administering connected devices, and for limitation-free networking.
In summary, IP networking will develop further as social infrastructure, in a giant leap from being computer communication technology as it currently is. How fast such move occurs will be directly reflected in the speed of IPv6 adoption.
I have installed IPv6 in Windows XP, and checked interface information at command prompt. But I was overwhelmed by the number of IPv6-related addresses that appeared on the screen. Which ones are used for what?
Answered by: Izumi Miki (Impress Corporation)
Use either of the following two commands to see the network interface information of your PC.
ipv6 if
netsh interface ipv6 show interface level=verbose
Microsoft is phasing out ipv6 commands in favor of netsh interface ipv6 ipv6 commands. But you can still use ipv6 commands with your Windows XP.
The screen image shows ipv6 if 4 commands to show Interface 4, that is ethernet interface in this PC.
As far as address-related information is concerned, you can see link-layer address first. This is MAC address embedded in each of the network adapters on PCs. The latter half of IPv6 global address is generated from this MAC address.
Next thing you see are two "preferred global". The first preferred global is specified as (anonymous), and the scond one carries (public) notation. These are both alobal addresses, but the second one is the fixed global address generated automatically. In this case, global address is
2001:2a0:4ff:0:a00:46ff:fe45:700
of which 2001:2a0:4ff:0 is network address obtained from a router in the same network domain, while a00:46ff:fe45:700 is the host address generated from MAC address.
Anonymous global address carries the same network address as the normal global address, again obtained from a router. But the latter half is generated randomly, and automatically changes periodically. This is a scheme devised to cope with privacy issues, and to be used when fixed address is inapropriate as the host is identified.
"preferred link-local fe80::a00:46ff:fe45:700" is link local address, which is first created when the host gets connected to IPv6 network. It just attaches fe80:: to the host address generated from MAC address. Thus, an address with limited scope is created first in a topology-independent way, to be used for further network configuration.
Although not shown on this screen, you will see valid IPv6 address under "6to4 Tunneling Pseudo-Interface", when you connect to IPv6 Internet using 6to4, a dynamic tunneling technology.
Wouldn't MAC addresses get scarce?
IPv6 stateless address autoconfiguration uses MAC addresses based on EUI-64. Wouldnxr it mean that uniqueness of IPv6 address relies on 48 bit of the MAC address, instead of 128 bit? What do you think about the depletion of MAC addresses? 48 bit can produce 281 trillion of numbers. That may still be enormous compared with 32 bit, but it doesnxr appear to me to be an astronomical number, either. (Question from "yamasan")
Akinori Maemura
Director, JPNIC
Chair, Executive Council, APNIC
Even if there can be duplication of MAC addresses while all IPv6 hosts gets lower 64 bit of its IPv6 address assigned in conformance to EUI-64, there can be no address conflict unless devices with the same MAC addresses get connected on the same network segment. Uniqueness of MAC address needs only to be assured on a segment. One LAN can only have several to about 200 hosts at the most. One can say that using 48 bit ID is quite an overkill.
Let’s consider the possibility of MAC address depletion. MAC address has 48 bits. Upper 24 bits is called Company ID, and are administered by RAC (Registration Authority Committee), assigning them to NIC manufacturers. Lower 24 bits are left for each manufacturer to administer.
Incidentally, 24 bit means 16.8 million, which is not a lot if one company can only get one company ID assigned. But a company can get multiple company IDs. So, when we consider the possibility of MAC address depletion, allocation efficiency is not much of an issue. We just have to think about the lifetime of 48 bit space.
Let’s consider the case when all electric appliances need to have MAC addresses. I recently asked an electric appliances manufacturer how many products one manufacturer would produce worldwide. The answer I got was 1 billion a year for all appliances, including household appliances, A/V devices and information appliances.
For the sake of simple argument, let’s say one appliance is durable for 50 years (meaning uniqueness of the MAC address needs only to be assured for 50 years). Let’s multiply this number by 20 for number management, and we need 1 trillion address for one company. If we can use the 48 bit fully, we can contain 280 of these manufacturers of the same scale.
Above is a very simplified calculation based on pure assumptions. But you’ll get the idea of how large MAC address space is.
If MAC address gets depleted, that’s not the issue for IPv6 only. The issue will impact all networking technology using MAC address, such as Ethernet and FDDI. But we can maintain absolute uniqueness for 50 years. The problem should be small even if the uniqueness could not be maintained completely.
They say IPv6 offers infinite address space. Is it really possible?
Answered by: Kazuhiko Nakahara (BIGLOBE Operation Division, NEC)
The address space is not really infinite. The number of addresses for IPv6 is limited as well, with 3.4 x1038 possible addresses. But due to the vastness of IPv6 addresses is hard to describe. Compared to IPv4, IPv6 has 2^96(7.92x10^28) times larger address space, which is almost an indefinite expansion.
This brings a great benefit for corporate IT managers. The allocation policy of IPv6 addresses has been considerably relaxed. While the IPv4 address application requires a detailed address allocation and assignment policy and even an explanation of topology details, IPv6 offers uniformly /48 addresses per connection point almost unconditionally, which is equivalent to 2^80 addresses on a simple calculation. That means almost an unlimited number of addresses is allocated per person because it only takes 2^64 addresses when 1 billion addresses are allocated to the total world population of 10 billion. In a nutshell, IPv6 has infinitude of possibilities to assign addresses to devices and things to which it has been considered impossible to allocate addresses.
Can we say IPv6 is superior to IPv4 in terms of security? On the contrary, I feel like it can be more vulnerable.
Answered by: Hiroki Ishibashi (Business Network Division, NEC)
IPsec is mandatory in IPv6, but that alone cannot enhance security compared to IPv4. Let us clarify the difference from the security features of current IPv4.
For most of IPv4 environments at home today, NAPT (network address port translation) is considered to be the key element of security. In reality, however, NAPT does not necessarily offer robust security although it can theoretically hinder the penetration of communication initiated outside.
On the other hand, IPv6 does not need NAPT because it basically uses a global IP address. So we cannot expect it to prevent access to IPv6 nodes from outside, as NAPT is not used any more. In such cases, I’d recommend a dynamic filter with stateful packet inspection filtering, which is equipped even in some of the small IPv6 routers today. This will ensure the security level as high as, or higher than, with NAPT. High-performance and high-end firewalls are moving toward IPv6 support as well.
Peer-to-peer (P2P) is the communication architecture that has attracted a lot of attention these days. And IPv6 forms the basis of this. In order for effective P2P communication, it is considered not adequate to use firewalls in the same way as it has been done with IPv4. Therefore, a new security model suitable for IPv6 P2P communication is needed. Currently, various methods are being studied including a mechanism for dynamic IPsec communication.
Would IPv6 make the Internet faster?
Answered by: Izumi Miki (Impress Corporation)
IPv6 in itself is not faster than IPv4, but there are several characteristics that helps efficient communications.
In IP communications, every data packet has a part called “header”. IPv4 header comes in various length, but IPv6 basic header has a fixed length. It helps routers in processing packets, because hardware-assisted packet processing is easier to implement by knowing that packet always comes in fixed length.
IPv6 also has this concept of route aggregation. In IPv4, there is no relationship between address block and connection topology used by a connected organization. But in IPv6, address blocks are assigned by service providers of higher hierarchy. Such alignment between address block allocation and connection topology helps reduce burden on the Internet backbone.
Why is IPv6 indispensable for ubiquitous networking?
Answered by: Izumi Miki (Impress Corporation)
Ubiquitous networking is enabled by connecting various devices other than PCs.
For example, by connecting a home VCR to IP network, we can directly manipulate the VCR by PCs and mobile phones, or watch the recorded TV programs while on the go.
Ubiquitous networking also helps realize efficient device control in various fields, by enabling remote and central management. It also leads to a more intelligent control through use of feedback information from the managed devices.
A company in office building security business might monitor door and human movement in several buildings used by a client organization through IP network. The security management company can make a proactive move in the event that irregularity is found in any of the buildings.
Thus, more and more devices in the offices and homes will be connected to IP network, conducting two-way communications. But current use of IP network in offices and at home is analogous to phones with extension number only. It is easy to phone outside, but it is difficult to determine which phone terminal should receive a particular call from outside, without help from humans or use of some sort of identification number.
In order for independent interactive communications from terminals outside, every device inside need global addresses.
In the present IPv4 world, ISP will charge you for using just one fixed global IP address. The reason is that IPv4 address is becoming a scarce commodity. But with IPv6, you don’t have to worry about it at all.
Another related advantage of IPv6 is plug-and-play. In IPv6, devices can configure IP addresses themselves to join the network, without relying on DHCP or other servers. Much like most home appliances can be used just by getting power supply, IP networking will be enabled by plugging to network. This feature is very effective in connecting hundreds, thousands or tens of thousands of devices.
IPv6 addresses are expressed in various length. Why?
Kazuhiko Nakahara (NEC Solutions)
IPv6 address is expressed differently from IPv4 address. IPv6 address is 128bit. It is separated by ":" as separator to 16bit chunks, and each chunk is expressed in hexadecimal form.
For example, IPv6 addressed can be expressed as follows:
But we don't come across IPv6 addresses with a series of "0"s contained. That's because the following rules are applied:
- A series of "0"s in a 16bit block can by represented by "0".
- A series of blocks containing only "0"s can be suppressed and represented by "::" (this can be done only once)
With the first rule applied, above addresses are expressed as follows:
When IPv6 addresses contain IPv4 addresses, IPv4 address representation can be kept. In this case,IPv6 address representation rules are applied to the uppermost 96bit, while remaining 32bit is expressed using IPv4 address representation rules.
I don't understand what is meant by /48 or /64.
Hiroki Ishibashi (NEC Networks)
This is prefix length. IPv6 address can be expressed as IPv6 address/(prefix length), like fec0:0:0:1000::1/64. In IPv6, one LAN segment usually gets /64 as ubnet prefix, meaning 64bit is used to represent network portion, while remaining 64bit is used as interface ID. Therefore, fec0:0:1000::1/64Åisubnet prefix fec0:0:1000:: and interface ID 1Åjand fec0:0:1000::2/64Åisubnet prefix fec0:0:1000:: and interface ID 2) are in the same subnet.
Figure 1 - IPv6 address format
When an organization gets IPv6 addresses allocated from ISP, the prefix length is 48bit in many cases, as in 2001:260:20::/48. In this case, 16bit is allocated freely as subnet ID to build different subnets. For example, 2001:260:20:1000::/64 (subnet ID 1000) and 2001:260:20:2000::/64 (subnet ID 2000) are subnets in a same network, because uppermost 48bit are the same(2001:260:20::).
Figure 2 - Address format with prefix length of 48
Do we need to give up using IPv4 to start using IPv6?
Kazuhiko Nakahara (NEC Solutions)
No, you don't. IPv6 can coexist with IPv4, although in rare cases, restriction may apply due to computer functionality or the way network is constructed.
Your IPv6-enabled computer can usually speak IPv4 and IPv6 simultaneously. For example, Windows XP can conduct IPv4 and IPv6 communications at the same time. But you can have IPv4-only computers to talk with IPv6-only computers, without introducing some tricks like protocol translation (such as NAT-PT). You can only speak with only IPv4 computers by using IPv4 address. You can speak with only IPv6 computers by using IPv6 address.
Let's think about network. Physical media devices (Ethernet switches, ATM switches, etc) are at different layer from Layer 3 (IP Layer). So, they don't need to support IPv6. Your LAN (unless you use Layer 3 switches)can be used as it is for both IPv4 and IPv6 communications.
But routers have to be replaced with products that support IPv6. When one router does both IPv4 routing and IPv6 routing, the two processes are conducted independently. One easy way to build a network supporting IPv4 and IPv6 is to have IPv4-only router and IPv6-only router separately and connect the two to one Ethernet network.
How would an application choose between IPv6 and IPv4 in an environment supporting both protocols?
Hiroki Ishibashi (NEC Networks)
In IPv6/IPv4 dual environment, each application decides which protocol to use. If an application supports only IPv4, this application communicates with IPv4, of course.
Applications supporting both IPv4 and IPv6 are usually written so that they attempt to use IPv6 first, and it that fails, they try IPv4.
For example, when you input an URL to a Web browser supporting two protocols, the browser sends DNS query to DNS, in order to find the IP address of the specified host. DNS returns either IPv4 address only, IPv6 address only, or both. Web browser tries to find IPv6 address from the DNS reply. If the browser finds IPv6 address, it accesses the destination host with IPv6 address. If not, IPv4 address is used.
In this way, application usually makes the choice between two protocols transparent to user. But in some cases, users need be able to specify which protocol to use. Some applications are designed so that users can configure IP version.
の記事のトラックバック
IPv6 has a plug-and-play feature that makes network auto-configuration possible by simply connecting a device to the network. Is it possible to configure server hardware using plug-and-play?
Answered by: Tomohiro Fujisaki (NTT Information Sharing Platform Laboratories)
When you consider both clients and servers to be IPv6 nodes, IPv6’s plug-and-play features are essentially the same for both. No matter how you look at it, it is a feature to automatically configure the necessary parameters for IP addresses and such used for IPv6 communications. In other words, IPv6’s plug-and-play feature (auto-configuration feature) provides the initial configuration parameters for a node. It does not provide a method for automating configuration for applications that exist at a higher layer (i.e. services running on the server). By using DHCP, which plays a part in IPv6’s plug-and-play feature, it is possible to provide the initial configuration parameters for applications at higher layers; this is the same for IPv4, not just for IPv6.
Regarding methods for dynamically discovering services on the network, the only way the server can let clients know about its existence is to announce it periodically. That is inefficient, and so a general-purpose method of making this work is still missing. Regarding methods for clients discovering a server, you can give a fixed name (FQDN) to the server and use Dynamic DNS with it, or you can use the general-purpose protocol for discovering services, SLP (Service Location Protocol). However, though these methods have IPv6-ready features and protocols, it doesn’t mean that a special method specific to IPv6 exists.
However, regarding methods that can be implemented more easily by using IPv6, there is one for searching services using multicasting with a scope. On a core network, such as NTP (Network Time Protocol), multicast addresses for services are defined. (see endnote 1) Especially, if you limit services to the same link, with IPv6, link local multicasting is always possible. So, if you use this, discovering the server will become simpler compared to IPv4. Also, although the number of services that currently can use this is very limited, you can use unicast technology, which is used for DNS these days.
In summary, IPv6’s plug-and-play feature is something that supports auto-configuration basically up to the point where the node connects to the network. For autodiscovery and configuration of application servers, you need some other method. Features for implementing this functionality are available for IPv4 as well, but depending on the case, you can do it more easily if you use IPv6 instead.
Endnote
1. Listing of permanently assigned IPv6 multicast addresses
http://www.iana.org/assignments/ipv6-multicast-addresses
 |
I heard that the policy on IPv6 address distribution is moving towards becoming more restricted. Is that true?
Answered by: Toshiyuki Hosaka (JPNIC)
In Spring 2005, Geoff Houston (APNIC) announced research findings that showed that up to half of the entire IPv6 address space will be consumed within 60 years if the current pace of allocation is maintained. This led to a proposal at each Regional Internet Registry (RIR) to revise the IPv6 address policy.
The content of the proposal can be divided into the following two elements:
(1) Change the HD-ratio from the current 0.8 to 0.94.
(2) As a recommended allocation size for end sites, define a new size, /56.
The HD-ratio mentioned in (1) is a standard value that allows a Local Internet Registry (LIR), such as an ISP, to receive an additional allocation. At the same time, this value also decides the size when making the first IPv6 allocation based on the IPv4 infrastructure.
When this value is changed from 0.8 to 0.94, the LIR will require a higher usage rate in order to meet the criteria for an additional allocation. When the allocation is done to the IPv4 infrastructure, its size becomes smaller.
Here is an example. The LIR, which has already been given a /32 allocation, can receive an additional allocation if it currently provides 7,132 /48 allocations. However, if the HD-ratio becomes 0.94, it must provide 33,689 /48 allocations to receive an additional allocation.
Also, if, for example, an LIR which already has four million customers on IPv4 applies for an initial IPv6 allocation based on that, the LIR can receive up to /20 allocations right now; however, if the HD-ratio becomes 0.94, /24 is the biggest allocation size.
As for (2), if the end site needs multiple sub-nets, it can allocate /48 under the current policy. However, if the expected number of sub-nets is less than 256, it makes /56 the recommended allocation size.
At the APNIC meeting held in September 2005, a proposal that combined (1) and (2) above was made. (1) was able to gain consensus, however, (2) didn’t reach a consensus, because there were concerns that it will greatly affect users, etc.
This proposal is a policy that needs to be applied worldwide. So, it will take at least one year or so, even if the consensus at this APNIC meeting were to be applied, because it can be done only after being gradually proposed, discussed and reaching a consensus at each future RIR meeting. At any rate, I think, as stated above, proposals and discussions on constraining allocations will move forward in the immediate future.
| |
Currently, our company is connecting the headquarters and branches with Internet VPN (IPv4 IPsec). Can we move to either of the following two types of IPv6 communications? Are there any products supporting such communications?
1. IPv6 over Internet VPN (IPv4 IPsec)
2. dual stack of IPv4 IPsec and IPv6 IPsec (over IPv4/IPv6 dual protocol services)
Answered by: Koji Yamazaki (System Engineering, NTT Communications)
Let me answer on the two types of communications one by one.
1. IPv6 over Internet VPN (IPv4 IPSec)
There are two ways to do this, depending on whether you want to capsule IPv4 or IPv6 packets.
IPv6 over IPv4 IPsec
You can communicate on IPv6 by capsuling IPv6 packets with IPv4 IPsec using IPv4 IPsec tunnel mode.
IPv4 IPsec and IPv6 over IPv4 tunneling
You can conduct VPN communications by applying IPv4 IPsec, after capsuling IPv6 packets in IPv4 packets with IPv6 over IPv4 tunneling. There is yet another way: you can capsule IPv6 packets in IPv4 packets by IPv6 over IPv4 tunneling after encrypting IPv6 packets with IPv6 IPsec.
Incidentally, you can conduct IPv4 VPN (IPsec) over IPv6 Internet, by applying the above idea.
The former function is implemented in routers such as NEC IX1000/2000/3000 series, and the latter function can be seen in such routers as YAMAHA RT series.
2. Dual stack of IPv4 IPsec and IPv6 IPsec (over IPv4/IPv6 dual protocol services)
This can be made possible by the following:
Running both IPv4 IPsec and IPv6 IPsec on one router
Terminate dual protocol ISP service by one IPv4/IPv6 dual stack router, and conduct IPv4/IPv6 VPN (IPsec) communications by running IPv4 IPsec and IPv6 IPsec on the same interface.
Running both IPv4 IPsec and IPv6 IPsec on separate routers
Terminate dual protocol ISP service by a LAN switch connected to a IPv4 IPsec router and a IPv6 IPsec router, for IPv4/IPv6 IPsec communications.
The former has cost advantage, but we recommend the latter at larger sites for performance issues.
Running IPv4 IPsec and IPv6 IPsec on the same interface may not be supported by the devide when your IPv4 network uses NAT or uses dynamic IP address. You need to check the detailed requirements with your system integrator or vendor before you deploy it.
| |
Is it possible to get data encrypted with Windows XP IPv6 networking?
Answered by: Izumi Miki (Impress Corp.)
Windows Server 2003 and Windows XP have IPsec feature. Use of IPsec is supported in IPv6 environment. But this IPv6 IPsec implementation does not support encryption of payload data. Windows family IPv6 IPsec feature at present can be used to authenticate the sender and to prevent data repudiation.
It is also true that IPv6 IPsec in Windows family at present does not support Internet Key Exchange (IKE), an automatic key exchange mechanism.
| |
How can I obtain address space for IPv6 multicast video distribution service?
Answered by: Tomohiro Fujisaki (NTT Information Sharing Platform Laboratories)
In IPv4 world, if you want to offer video distribution and other services using IP multicast, you most likely use the address with AS number embedded, as defined in RFC2770. But this means you have to have AS number already. In this method the number of addresses an organization can use is limited to 8 bits.
With IPv6 multicast, you generally use the multicast addresses based on the IPv6 address space your organizations have, as defined in RFC3306 and RFC3956.
In other words, IPv6 multicast is easier to use than IPv4 because your own unique multicast address is secured.
With IPv4 multicast, there is another method for you to dynamically find unused addresses from among the multicast address block for shared use. But this block is so small that there is a high probability of collision, so that it is indispensable to conduct negotiation using special protocols for this purpose when you want to multicast on global Internet.
| |
What is “multi-prefix”?
Answered by: Izumi Miki (Impress Corp.)
IPv6 allows a single network interface of a device to have multiple addresses. This can be utilized by multiple service providers to home and other end-user networks, to assign different routing prefix to help service separation and differentiation. The word “multi-prefix” should only mean plural prefixes, but some IPv6 researchers are beginning to use this phrase with the above scenario. With multi-prefix, a single PC can use different source address for each application used, and application service providers can apply different security and/or QoS policy for the source address. It is considered a promising method for IPv6 site multihoming as shown in RFC 3582: Goals for IPv6 Site-Multihoming Architectures.
However, actual implementation of services using multi-prefixes is in an initial stage of research by some service providers. There is also a possibility of using other means of service differenciations based on packet destinations. It is unknown how widely multi-prefix will be used in the future.
| |
What will be the relationship between IPv6 and IPsec?
Answered by: Izumi Miki (Impress Corp.)
There are different opinions as to how IPsec will be used in the coming IPv6 world.
IPv6 standard mandates all nodes to implement IPv6. Therefore, we can expect more use of IPsec between nodes. But this issue needs to be considered with specific scenarios in mind. Consumer/non-PC services and corporate networking have different security requirements.
For consumer/non-PC services, IPsec can be actively used for sensitive communication over low-cost Internet connectivity. However, some Non-PC devices are hard to implement IPsec. Some sort of security gateway might be used to perform IPsec functions.
Adoption of IPsec in corporate networking may be slow, because it makes it difficult for companies to maintain their corporate security policy. It is very difficult for administrators to allow users to use IPsec for end-to-end communications, in a way administrator cannot know what these communications are. It is possible that companies will ultimately adopt solutions that automatically allow IPsec communications that meets company security policy only.
If IPsec may only be used for creating secure pipes between different sites, still IPv6 has a significant advantage over IPv4, in that there is no possibility of private address collisions, while it enables more ad hoc secure connections with flexible use of IPsec.
| |
What do you mean by “IPv6 address field is 128bit”?
Answered by: Izumi Miki (Impress Corp.)
Bit is the unit of information handled by computers. It is expressed in binary number. “128bit” is 128 in binary expression, which is 2 to the 128th power, or:
340,282,366,920,938,463,463,374,607,431,768,211,456
128bit can create this many unique numbers. IPv6 address is expressed in 128bit. Therefore, there can be so many unique IPv6 addresses theoretically.
Incidentally, currently-used IPv4 address is expressed in 32bit, so theoretically, there can be:
4,294,967,296 addresses
See how different the number of address is!
| |
Would IPv6 give addresses to anything on earth?
Answered by: Izumi Miki (Impress)
It is true that IPv6 offers a huge address space, and facilitates connectivity of those things that we have never dreamed of connecting. In fact, some consumer electronics vendors appear to feel that I would be convenient for them to give IPv6 addresses to all of their products, irrespective of network connectivity capability. But it is debatable if it is appropriate to allocate IPv6 addresses to things that don't require direct network connection.
Some people think that IPv6 address can be used to identify each object. But emerging RFID technology can do the job. Current barcode usually includes the vender ID and item number, but RFID further includes ID information, for identification of objects. In other words, a milk pack or a melon only needs to have a small and non-powered RFID tag, and ID information is recognized by the RFID reader with IP connectivity, for retrieval of relevant information about this object from databases on the network.
Still, some others are exploring the possibility of mapping RFID and IPv6 address, to enable proxy communications by RFID readers, in order to bring about new applications.
| |
On direct allocation of IPv6 addresses from Regional Internet Registries (RIRs), would a company satisfy the requirement that it shouldn't be an endsite if this company is offering communication services only for its parent company and group companies?
Answered by: Toshiyuki Hosaka (JPNIC)
The company can satisfy the requirement of not being an endsite in this scenario, provided that this company assigns IPv6 addresses to its group companies, not to itself, and (this is important) offer IPv6 connectivity services to these organizations. In such case, this company can be considered an LIR and be conducting assignment of IPv6 addresses and IPv6 connectivity services to other organizations.
| |
Have TLA and NLA been obsoleted?
Answered by: Izumi Miki (Impress)
IPv6 has a rule to allocate address blocks in a hierarchical manner. Organizations meeting certain requirements were able to get IPv6 address blocks directly allocated from RIRs, such as ARIN, APNIC, LACNIC, which were called TLA (Top Level Aggregation) IDs. Organizations with TLA, in turn could allocate address blocks to other organizations (including user organizations), which were called NLA (Next Level Aggregation) IDs. But these terms were obsoleted, to be replaced by a single term, "Global Routing Prefix". Another term, sTLA (sub-Top Level Aggregation) ID, was used for temporary allocation of TLA IDs. But sTLA was also obsoleted. Reasons can be found in RFC3587.
Addresses used for subnetting an organizational network was called "Site-Level Aggregation ID", but this was also replaced by "subnet ID".
| |
With IPv6, can we offer P2P game service that users can easily join without firewall and other configurations?
Koji Ogawa
Sony Broadband Solution
I take the question to read "is IPv6 effective as a P2P gaming solution which allows participation without technical knowledge?" I will answer the current problems with IPv4 in building a game site hosting P2P network gaming and if IPv6 can solve these problems.
[Problem 1]Problem 1 occurs because IPv4 global address space is limited. On the other hand, IPv6 address space is huge, so IPv6 can solve Problem 1.
With IPv4, not enough global address is available for P2P games. So it is physically difficult to make everyone enjoy the game.
[Problem 2]
All hosts participating in P2P games need to have global addresses allocated. For this purpose, home routers need to do IP masquerade or port forwarding, in IPv4 environment. Such configuration is difficult and requires expert knowledge. Not everyone can do this to play games.
[Problem 3]
Home routers need to open the port used for the P2P games. Such configuration is difficult and requires expert knowledge. Not everyone can do this to play games.
Problem 2 occurs also because IPv4 global address space is limited. IP masquerade and port forwarding is necessary for this reason. The cause of the problem is the same as Problem 1, so it can be solved with IPv6.
Problem 3 occurs because home router vendor closes all ports usually unused by default as a security measure. This is a port issue, and it occurs with IPv6, too. If home router vendors decide that unused ports should be closed with IPv6, they will close them by default. So IPv6 won't solve it. IPv6 is only one of several solutions. IPv6 is currently in the initial diffusion process, and still to be used at home.
For your information, I listed the example of solutions utilizing a widely-used IPv4 infrastructure. You have restrictions, but there are possibilities in IPv4, too.
If you want to use P2P,
-Try using UPnP to automate router port control
You may decide not to use P2P. You can
-Change the game from P2P to client/server
-Implement you game with Flash/java applet
Still, port control is necessary with these solutions.
You may use a platform other than PCs.
-Implement your game on cellular phones
| |
When can we say a router supports IPv6?
Yoichi Tsukioka
Hitachi, Ltd.
In general, a router is a network device which conducts forwarding of IP packets on network layer (Layer 3). Therefore, we can say a router is IPv6-enabled if it can look at IPv6 packet information and forward them to appropriate routes. An IPv6-enabled router usually supports IPv4, too. It is sometimes called "IPv4/IPv6 dual stack" router.
There are various routers built for different purposes. Naturally, they are required to offer different features. You need to check with each router which routing protocols (RIP, OSPF, BGP, PIM-SM for multicast, etc) are IPv6-enabled. As for other features such as filtering, QoS, and network management, there are routers without IPv6 support for some of them, or without sufficient IPv6 support. Same thing can be said about various tunneling technology used in mixed IPv4/IPv6 environment.
Many routers have come up with commercial IPv6 support, beginning with large routers for mission-critical networking. But you should examine exactly if required features are IPv6-enabled, from datasheets, manuals and other information made public by the vendors.
| |
Some people say that firewalls will not be necessary for IPv6-enabled organizations, because IPv6 terminals can use IPsec for security. I donyr think so.
Answered by: Izumi Miki (Impress)
I can find almost no expert who considers that firewalls will be unnecessary. End-to-end connectivity is one of the greatest advantages of IPv6. I would be great if security can be managed at terminal level. Theoretically, it is possible for an organization to require use of personal firewalls with organizational security policy installed. But it is very difficult to do in reality.
Firewall administrators cannot allow IPsec encrypted communication without questioning. They cannot assure organizational security when they might be allowing an unauthorized terminal inside is conducting encrypted communications to an unknown terminal outside.
Therefore, terminal-level IPsec will be initially limited to specific terminal for specific purpose. For example, a terminal which needs to use IPsec to communicate with a terminal outside, it would specify the opponent and purpose of IPsec communication. Firewalls would automatically decide if this communication should be allowed, based on organizational security policy. Firewalls have to be able to automatically close the hole when the communication is terminated.
| |
Is there any IPv6-enabled wireless LAN access points with 802.1x?
Does 802.1x have to do with IPv4/IPv6 anyway?
Answered by: Hiromi Komiya (Aruba Networks)
802.1x authentication and data encryption protocols are not just for wireless LAN. It was originally designed for wired LAN. But let me take wireless LAN as an example, as that's what you are asking.
In wirelss LAN, 801x authentication process involves client (normally PCs), a wirelss LAN access point, and an authentication server (RADIUS server).
Let's examine communications between client and access point. 802.1x is designed to authenticate clients before association with the access point, as wireless signals can be received by any terminals. Clients attempt to connect with the following procedure.
| 1) | Client requests connection with 802.11 |
| 2) | Client gets authenticated with 802.1x |
| 3) | Client gets associated with the access point with 802.11 |
| 4) | Client makes DHCP request (unnecessary for sdtatic address, but IPv4 wireless users usually use DHCP for obtaining address) |
| 5) | Client gets IP address and other information |
| 6) | Client starts IP communication |
802.1x is used before client gets IP address. In other words, 802.1x does not run on IPv4 nor IPv6.
On the other hand, access point and RADIUS server communicates with RADIUS protocol which runs on IP. Therefore, if you want to use 802.1x on IPv6-only network, you need to have both access point and RADIUS server IPv6-enabled. But on a network running both IPv4 and IPv6, access point and RADIUS server can talk with IPv4.
In summary, you don't need IPv6 support in any of the 802.1x components unless you have to use RADIUS on IPv6.
| |
I heard IPv6 address blocks have to be returned. Is that true?
Answered by: Izumi Miki (Impress Corporation)
End-user sites or individuals don't get direct allocation of IPv6 address blocks by the Internet Registries, just as they won't get IPv4 addresses allocated directly at present. Your ISP allocates network portion of IPv6 address (network prefix) to your homes or organizations. Therefore, it could be said that end users are only borrowing network prefixes from ISPs. You have to return IPv6 address range you have used when you stop using the ISP.
As for service providers getting direct assignment of IPv6 address blocks from ARIN, APNIC, RIPE NCC, etc., IPv4 address policy says the providers have to return the assigned addresses when they no longer use them. There are cases that organizations are requested to return addresses to the Internet Registries. In IPv6, there is no equivalent rule at present. That's because IPv6 assignment has not reached the stage where people need to discuss address returns. But it's possible that IPv6 address policy defines a similar rule in the future.
| |
IPv6 is not really popular yet. Why is the adoption not accelerated despite governmental push?
Answered by: Izumi Miki (Impress Corporation)
Current Internet, or IPv4 networkinghas shown an explosive growth because a lot of people felt Web and e-mail irresistible. However governments want to promote a specific move, people need to feel the need to go with it. Nothing can become popular without support by the people.
We can say that ultimately, we will use up IPv4 addresses, which makes use of IPv6 inevitable. But IPv4 networking won't disppear overnight. There will be a long transitional phase.
Then, how will IPv6 be adopted before such crucial need arises? To put it simply, IPv6 will be gradually used as a means to make it easier to connect various things to the Internet.Some hard disk video recorder products have Ethernet port for network connection. But few of them allow users to connect directly from outside home for remote control or for viewing recorded video.
As interactive use of the Internet by home computers and consumer appliances common, people will begin to feel the current NAT functionality by home routers obstructive. NAT often requires users to reconfigure home routers for new applications and devices. That may be OK for power users, but unbearable for general users. IPv4 environment prevents net-enabled appliances to be used as appliances. In other words, current net-enabled appliances are limited in functionality and market because we use IPv4 now.
Therefore, IPv6 will be used at home as "real" net-enabled home appliances get popular.
Outside home, we will soon begin to see various devices which could not use the Internet (or IP networking) to get connected on the Net. For devices that have used proprietary protocols for data exchanges, IP networking is irresistible because it enables inexpenside realtime networking to and from anywhere in the world. As various social services get net-enabled, implementers will prefer IPv6 for its ease in configuring and administering connected devices, and for limitation-free networking.
In summary, IP networking will develop further as social infrastructure, in a giant leap from being computer communication technology as it currently is. How fast such move occurs will be directly reflected in the speed of IPv6 adoption.
| |
I have installed IPv6 in Windows XP, and checked interface information at command prompt. But I was overwhelmed by the number of IPv6-related addresses that appeared on the screen. Which ones are used for what?
Answered by: Izumi Miki (Impress Corporation)
Use either of the following two commands to see the network interface information of your PC.
ipv6 if
netsh interface ipv6 show interface level=verbose
Microsoft is phasing out ipv6 commands in favor of netsh interface ipv6 ipv6 commands. But you can still use ipv6 commands with your Windows XP.
The screen image shows ipv6 if 4 commands to show Interface 4, that is ethernet interface in this PC.
As far as address-related information is concerned, you can see link-layer address first. This is MAC address embedded in each of the network adapters on PCs. The latter half of IPv6 global address is generated from this MAC address.
Next thing you see are two "preferred global". The first preferred global is specified as (anonymous), and the scond one carries (public) notation. These are both alobal addresses, but the second one is the fixed global address generated automatically. In this case, global address is
2001:2a0:4ff:0:a00:46ff:fe45:700
of which 2001:2a0:4ff:0 is network address obtained from a router in the same network domain, while a00:46ff:fe45:700 is the host address generated from MAC address.
Anonymous global address carries the same network address as the normal global address, again obtained from a router. But the latter half is generated randomly, and automatically changes periodically. This is a scheme devised to cope with privacy issues, and to be used when fixed address is inapropriate as the host is identified.
"preferred link-local fe80::a00:46ff:fe45:700" is link local address, which is first created when the host gets connected to IPv6 network. It just attaches fe80:: to the host address generated from MAC address. Thus, an address with limited scope is created first in a topology-independent way, to be used for further network configuration.
Although not shown on this screen, you will see valid IPv6 address under "6to4 Tunneling Pseudo-Interface", when you connect to IPv6 Internet using 6to4, a dynamic tunneling technology.
| |
Wouldn't MAC addresses get scarce?
IPv6 stateless address autoconfiguration uses MAC addresses based on EUI-64. Wouldnxr it mean that uniqueness of IPv6 address relies on 48 bit of the MAC address, instead of 128 bit? What do you think about the depletion of MAC addresses? 48 bit can produce 281 trillion of numbers. That may still be enormous compared with 32 bit, but it doesnxr appear to me to be an astronomical number, either. (Question from "yamasan")
Akinori Maemura
Director, JPNIC
Chair, Executive Council, APNIC
Even if there can be duplication of MAC addresses while all IPv6 hosts gets lower 64 bit of its IPv6 address assigned in conformance to EUI-64, there can be no address conflict unless devices with the same MAC addresses get connected on the same network segment. Uniqueness of MAC address needs only to be assured on a segment. One LAN can only have several to about 200 hosts at the most. One can say that using 48 bit ID is quite an overkill.
Let’s consider the possibility of MAC address depletion. MAC address has 48 bits. Upper 24 bits is called Company ID, and are administered by RAC (Registration Authority Committee), assigning them to NIC manufacturers. Lower 24 bits are left for each manufacturer to administer.
Incidentally, 24 bit means 16.8 million, which is not a lot if one company can only get one company ID assigned. But a company can get multiple company IDs. So, when we consider the possibility of MAC address depletion, allocation efficiency is not much of an issue. We just have to think about the lifetime of 48 bit space.
Let’s consider the case when all electric appliances need to have MAC addresses. I recently asked an electric appliances manufacturer how many products one manufacturer would produce worldwide. The answer I got was 1 billion a year for all appliances, including household appliances, A/V devices and information appliances.
For the sake of simple argument, let’s say one appliance is durable for 50 years (meaning uniqueness of the MAC address needs only to be assured for 50 years). Let’s multiply this number by 20 for number management, and we need 1 trillion address for one company. If we can use the 48 bit fully, we can contain 280 of these manufacturers of the same scale.
Above is a very simplified calculation based on pure assumptions. But you’ll get the idea of how large MAC address space is.
If MAC address gets depleted, that’s not the issue for IPv6 only. The issue will impact all networking technology using MAC address, such as Ethernet and FDDI. But we can maintain absolute uniqueness for 50 years. The problem should be small even if the uniqueness could not be maintained completely.
| |
They say IPv6 offers infinite address space. Is it really possible?
Answered by: Kazuhiko Nakahara (BIGLOBE Operation Division, NEC)
The address space is not really infinite. The number of addresses for IPv6 is limited as well, with 3.4 x1038 possible addresses. But due to the vastness of IPv6 addresses is hard to describe. Compared to IPv4, IPv6 has 2^96(7.92x10^28) times larger address space, which is almost an indefinite expansion.
This brings a great benefit for corporate IT managers. The allocation policy of IPv6 addresses has been considerably relaxed. While the IPv4 address application requires a detailed address allocation and assignment policy and even an explanation of topology details, IPv6 offers uniformly /48 addresses per connection point almost unconditionally, which is equivalent to 2^80 addresses on a simple calculation. That means almost an unlimited number of addresses is allocated per person because it only takes 2^64 addresses when 1 billion addresses are allocated to the total world population of 10 billion. In a nutshell, IPv6 has infinitude of possibilities to assign addresses to devices and things to which it has been considered impossible to allocate addresses.
| |
Can we say IPv6 is superior to IPv4 in terms of security? On the contrary, I feel like it can be more vulnerable.
Answered by: Hiroki Ishibashi (Business Network Division, NEC)
IPsec is mandatory in IPv6, but that alone cannot enhance security compared to IPv4. Let us clarify the difference from the security features of current IPv4.
For most of IPv4 environments at home today, NAPT (network address port translation) is considered to be the key element of security. In reality, however, NAPT does not necessarily offer robust security although it can theoretically hinder the penetration of communication initiated outside.
On the other hand, IPv6 does not need NAPT because it basically uses a global IP address. So we cannot expect it to prevent access to IPv6 nodes from outside, as NAPT is not used any more. In such cases, I’d recommend a dynamic filter with stateful packet inspection filtering, which is equipped even in some of the small IPv6 routers today. This will ensure the security level as high as, or higher than, with NAPT. High-performance and high-end firewalls are moving toward IPv6 support as well.
Peer-to-peer (P2P) is the communication architecture that has attracted a lot of attention these days. And IPv6 forms the basis of this. In order for effective P2P communication, it is considered not adequate to use firewalls in the same way as it has been done with IPv4. Therefore, a new security model suitable for IPv6 P2P communication is needed. Currently, various methods are being studied including a mechanism for dynamic IPsec communication.
| |
Would IPv6 make the Internet faster?
Answered by: Izumi Miki (Impress Corporation)
IPv6 in itself is not faster than IPv4, but there are several characteristics that helps efficient communications.
In IP communications, every data packet has a part called “header”. IPv4 header comes in various length, but IPv6 basic header has a fixed length. It helps routers in processing packets, because hardware-assisted packet processing is easier to implement by knowing that packet always comes in fixed length.
IPv6 also has this concept of route aggregation. In IPv4, there is no relationship between address block and connection topology used by a connected organization. But in IPv6, address blocks are assigned by service providers of higher hierarchy. Such alignment between address block allocation and connection topology helps reduce burden on the Internet backbone.
| |
Why is IPv6 indispensable for ubiquitous networking?
Answered by: Izumi Miki (Impress Corporation)
Ubiquitous networking is enabled by connecting various devices other than PCs.
For example, by connecting a home VCR to IP network, we can directly manipulate the VCR by PCs and mobile phones, or watch the recorded TV programs while on the go.
Ubiquitous networking also helps realize efficient device control in various fields, by enabling remote and central management. It also leads to a more intelligent control through use of feedback information from the managed devices.
A company in office building security business might monitor door and human movement in several buildings used by a client organization through IP network. The security management company can make a proactive move in the event that irregularity is found in any of the buildings.
Thus, more and more devices in the offices and homes will be connected to IP network, conducting two-way communications. But current use of IP network in offices and at home is analogous to phones with extension number only. It is easy to phone outside, but it is difficult to determine which phone terminal should receive a particular call from outside, without help from humans or use of some sort of identification number.
In order for independent interactive communications from terminals outside, every device inside need global addresses.
In the present IPv4 world, ISP will charge you for using just one fixed global IP address. The reason is that IPv4 address is becoming a scarce commodity. But with IPv6, you don’t have to worry about it at all.
Another related advantage of IPv6 is plug-and-play. In IPv6, devices can configure IP addresses themselves to join the network, without relying on DHCP or other servers. Much like most home appliances can be used just by getting power supply, IP networking will be enabled by plugging to network. This feature is very effective in connecting hundreds, thousands or tens of thousands of devices.
| |
IPv6 addresses are expressed in various length. Why?
Kazuhiko Nakahara (NEC Solutions)
IPv6 address is expressed differently from IPv4 address. IPv6 address is 128bit. It is separated by ":" as separator to 16bit chunks, and each chunk is expressed in hexadecimal form.
For example, IPv6 addressed can be expressed as follows:
2001:0260:0000:0010:0000:0000:0000:0001This way, all addresses are in the same length.
0000:0000:0000:0000:0000:0000:0000:0001
fe80:0000:0000:0000:0200:4cff:fe43:172f
But we don't come across IPv6 addresses with a series of "0"s contained. That's because the following rules are applied:
- A series of "0"s in a 16bit block can by represented by "0".
- A series of blocks containing only "0"s can be suppressed and represented by "::" (this can be done only once)
With the first rule applied, above addresses are expressed as follows:
2001:260:0:10:0:0:0:1With the second rule applied, these addresses are shortened further to:
0:0:0:0:0:0:0:1
fe80:0:0:0:200:4cff:fe43:172f
2001:260:0:10::1The reason that IPv6 addresses appear to be in various length is because the above two rules are applied.
::1
fe80::200:4cff:fe43:172f
When IPv6 addresses contain IPv4 addresses, IPv4 address representation can be kept. In this case,IPv6 address representation rules are applied to the uppermost 96bit, while remaining 32bit is expressed using IPv4 address representation rules.
0:0:0:0:0:0:192.168.1.1can be shortened to:
0:0:0:0:0:ffff:192.168.1.1
::192.168.1.1Note that 2001:260:0:0:10:0:0:1 can be expressed as 2001:260::10:0:0:1 or 2001:260:0:0:10::1. The "::" can be used only once in an address.
::ffff:192.168.1.1
| |
I don't understand what is meant by /48 or /64.
Hiroki Ishibashi (NEC Networks)
This is prefix length. IPv6 address can be expressed as IPv6 address/(prefix length), like fec0:0:0:1000::1/64. In IPv6, one LAN segment usually gets /64 as ubnet prefix, meaning 64bit is used to represent network portion, while remaining 64bit is used as interface ID. Therefore, fec0:0:1000::1/64Åisubnet prefix fec0:0:1000:: and interface ID 1Åjand fec0:0:1000::2/64Åisubnet prefix fec0:0:1000:: and interface ID 2) are in the same subnet.
Figure 1 - IPv6 address format
When an organization gets IPv6 addresses allocated from ISP, the prefix length is 48bit in many cases, as in 2001:260:20::/48. In this case, 16bit is allocated freely as subnet ID to build different subnets. For example, 2001:260:20:1000::/64 (subnet ID 1000) and 2001:260:20:2000::/64 (subnet ID 2000) are subnets in a same network, because uppermost 48bit are the same(2001:260:20::).
Figure 2 - Address format with prefix length of 48
| |
Do we need to give up using IPv4 to start using IPv6?
Kazuhiko Nakahara (NEC Solutions)
No, you don't. IPv6 can coexist with IPv4, although in rare cases, restriction may apply due to computer functionality or the way network is constructed.
Your IPv6-enabled computer can usually speak IPv4 and IPv6 simultaneously. For example, Windows XP can conduct IPv4 and IPv6 communications at the same time. But you can have IPv4-only computers to talk with IPv6-only computers, without introducing some tricks like protocol translation (such as NAT-PT). You can only speak with only IPv4 computers by using IPv4 address. You can speak with only IPv6 computers by using IPv6 address.
Let's think about network. Physical media devices (Ethernet switches, ATM switches, etc) are at different layer from Layer 3 (IP Layer). So, they don't need to support IPv6. Your LAN (unless you use Layer 3 switches)can be used as it is for both IPv4 and IPv6 communications.
But routers have to be replaced with products that support IPv6. When one router does both IPv4 routing and IPv6 routing, the two processes are conducted independently. One easy way to build a network supporting IPv4 and IPv6 is to have IPv4-only router and IPv6-only router separately and connect the two to one Ethernet network.
| |
How would an application choose between IPv6 and IPv4 in an environment supporting both protocols?
Hiroki Ishibashi (NEC Networks)
In IPv6/IPv4 dual environment, each application decides which protocol to use. If an application supports only IPv4, this application communicates with IPv4, of course.
Applications supporting both IPv4 and IPv6 are usually written so that they attempt to use IPv6 first, and it that fails, they try IPv4.
For example, when you input an URL to a Web browser supporting two protocols, the browser sends DNS query to DNS, in order to find the IP address of the specified host. DNS returns either IPv4 address only, IPv6 address only, or both. Web browser tries to find IPv6 address from the DNS reply. If the browser finds IPv6 address, it accesses the destination host with IPv6 address. If not, IPv4 address is used.
In this way, application usually makes the choice between two protocols transparent to user. But in some cases, users need be able to specify which protocol to use. Some applications are designed so that users can configure IP version.
の記事のトラックバック
