[LAC-TF] IPv6 vs. IPv4: Which is Really Better?

Fernando Gont fernando at gont.com.ar
Fri Nov 16 20:36:41 BRST 2012


Dear all,

The article in question, with comments: ;-)


On 11/16/2012 05:03 PM, Alejandro Acosta wrote:
> IPv6 vs. IPv4: Which is Really Better? by Jennyrichards    November
> 06, 2012
> 
> 
> A lot of people are wondering if IPv4 is better than IPv6. Some
> people still hold this to be true. In fact however, IPv6 has many
> more impressive features than the previous Internet protocol version.

Many people share that point of view. Some references:

* <http://i.chzbgr.com/completestore/2011/3/20/d45812a2-5c1a-49c2-9cb9-c40f4204b5d7.jpg>
* <http://www.truecrimereport.com/smoking-pot.jpg>



> The following are some of the reasons why.
> 
> More Address Space
> 
> Version 4 has 32 bits which permits around 4 billion different IP
> addresses. It seems like a lot. But the exponential growth of the
> Internet has made this inadequate. Version 6 has 128 bits. This
> translates to 340 billion billion billion billion (3.4x10^38)
> different addresses. To get an idea of the size difference, imagine
> that the whole v4 is stored in one iPod. In contrast, the whole v6
> space would be the size of the Earth.

In *theory*. Easily, around 40% of the space is lost by using /64s for
LANs. Then, if we discount the blocks used for link-local, multicast,
etc., we keep "losing" addresses.

Put another way, anyone who believes that the number of addresses
available in practice is 2**128 is smoking strange things.




> Better Networks
> 

"Better networks" depends on a countless number of factors. See, for
example, slide 14 of
<http://www.si6networks.com/presentations/firsttc2012/fgont-firsttc2012-ba-seguridad-ipv6.pdf>.
In the short and medium term, we are certainly not going to have "better networks".



> This ensures there will be more space for future Internet addresses.
> The additional space also means there is no more NAT. Networks are

Not at all. Datapoint:

* <http://lwn.net/Articles/468671/>
* <http://serverfault.com/questions/184524/switch-to-ipv6-and-get-rid-of-nat-are-you-kidding>



> easier to set up, Hardware and software become less complicated.

False. Compare the complexity of:

1) IPv6 + ND + MLD + ICMPv6 + SLAAC + DHCPv6

with that of:

2) IPv4 + ARP + ICMPv4 + DHCPv4



> Another advantage is that you can create a network where various
> appliances and gadgets are on one network. Because there are a lot of
> IP addresses, no conflicts in that area will be occurring.

False.

* Datapoint: <http://tools.ietf.org/id/draft-gont-v6ops-slaac-issues-with-duplicate-macs-00.txt>



> Superior Connectivity End to End
> 
> The extra address space means better end-to-end connectivity is
> assured. For home users it means streaming media, VoIP and similar
> services will work much better.

False. See slides 20-22 of
<http://www.si6networks.com/presentations/firsttc2012/fgont-firsttc2012-ba-seguridad-ipv6.pdf>



> Auto-Configuration
> 
> Anyone who sets up networks will be happy to know that v6
> configuration is automatic. The system itself has been greatly
> simplified. Compared to the laborious setup of v4, the new Internet
> protocol offers plug-and-play. It has DHCPv6, which streamlines the
> system.

False. In practice, you usually end up needing both SLAAC and DHCPv6,
which turns out to be doubly complicated.



> Header Structures are Simpler
> 
> Internet protocol version 6 has a simplified packet header structure.
> The reduced complexity means less effort and time goes into
> processing. It became possible because fields that are not essential
> are set only after the protocol header. Because of this, the headers
> are more effectively processed. There is no need for fragment and
> reassemble packets, network-layer checksums computation and headers
> parsing.

False (http://www.kcconfidential.com/userfiles/national-pot-smoking-day.jpg)

The header structure turns out to be a pain. Datapoints:

* http://tools.ietf.org/id/draft-ietf-6man-nd-extension-headers-01.txt
* http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-02.txt

And the truth is that, because of this complexity, it is likely that we
will not be able to use options
(http://tools.ietf.org/id/draft-carpenter-6man-ext-transmit-01.txt), and
that the fragmentation mechanism will not even work
(http://tools.ietf.org/id/draft-taylor-v6ops-fragdrop-00.txt).



> Routers overhead processing is reduced. The end result is that more

Only if we assume that the router does not have to look at anything
beyond the "fixed-length IPv6 header" -- which is not the case (even
less so if the one sending packets is an attacker).



> packets can be processed. The extension header makes protocol
> inclusions more flexible. Version 4 has size restrictions; version 6
> does not. 

Too bad. It turns out that it *should* have had them:
http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-02.txt

(And for other considerations, the headers should all be within, approx.,
the first 128 bytes, or something like that.)



> It is possible to expand them for data accommodation.
> Standard version 6 protocols do not have an extension header. They
> will only be added if required. This is in cases of special handling.
> The design makes version 6 more than capable of handling any given
> situation.

More capable of handling the theoretical situation in which packets do
not employ extension headers, and middle-boxes do not need to follow the
entire IPv6 header chain.... (sigh)



> Security Improvements
> 
> Version 6 has also improved in the security aspect. 

False (https://www.youtube.com/watch?v=U0X-SzmvY_0).

References:

* <http://www.si6networks.com/presentations/firsttc2012/fgont-firsttc2012-ba-seguridad-ipv6.pdf>
* <http://www.si6networks.com/presentations/h2hc2012/fgont-h2hc2012-recent-advances-in-ipv6-security.pdf>



> Data
> communications are secured by cryptographic protocols. Three security
> protocols are used: Internet Key Exchange (IKE), Encapsulating
> Security Payload (ESP) and Authentication Header (AH). These measures
> assure end to end mechanisms are in place to secure information. It
> means programs no longer need to have these features integrated.

(Total overdose :-) )

Not only is it false, but, as was mentioned, e.g., at the opsec WG
meeting during the last IETF meeting, there are, for instance, only a
handful of VPN clients/servers available for v6:
<http://recordings.conf.meetecho.com/Recordings/watch.jsp?recording=IETF85_OPSEC&chapter=part_10>

(see Paul Hoffman's comment, when the discussion starts (after the
presentation by the guy in the green T-shirt with rudimentary English :-) ).



> There are many computer users who are not familiar with either type.
> However, it is still important for people to know if iPv4 is better
> than iPv6.

Bullshit. Who cares? (at the end of the day, it's as my friend used to say:
<https://www.youtube.com/watch?v=RsK2AuMbUyo>)

The important thing is to identify possible/potential problems, and fix them.



> Knowing these facts is essential for anyone who is running
> a network or uses the Web a lot.

Actually, most people who "use the Web a lot" use explorer (or similar)
with the root account (or similar). This situation
(http://votebits.com/wp-content/uploads/2011/09/Suicide-Gun-Point-Man.jpg)
means that those users have considerably more important things to
worry about. :-)



> Charlie is a free lancer of www.tech-faq.com/ and he is explaining
> everything about 127.0.0.1.

(no comments) :-)


In any case, this is not about upsetting anyone
(http://www.serenejourney.com/wp-content/uploads/2009/09/unhappy.jpg)...
but simply about dismantling those myths that have been around for years.

(http://images2.fanpop.com/image/photos/11900000/Peace-be-with-you-peace-on-fanpop-11975528-363-470.jpg)

Best regards,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
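
The message's point that a router or middle-box cannot stop at the fixed-length IPv6 header, shown as an added Python example that is not part of the original message or of any project it cites. The names `walk_chain` and `build`, the verdict strings, and the sample packets are constructed for illustration; the default `budget` of 128 reuses the message's rough "first 128 bytes" figure as a policy assumption.

```python
import ipaddress
import struct

# Extension headers sharing the (Next Header, Hdr Ext Len) layout.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}
FRAGMENT, TCP, FIXED_LEN = 44, 6, 40

def walk_chain(pkt: bytes, budget: int = 128) -> dict:
    """Follow the header chain as a filtering device must before it can
    see the upper-layer protocol. AH/ESP are not followed (walk stops).
    budget: the message's rough "first 128 bytes", a policy assumption."""
    if len(pkt) < FIXED_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], FIXED_LEN, []
    while nh in GENERIC_EXT or nh == FRAGMENT:
        if off + 8 > len(pkt):              # header announced, bytes absent
            return result(chain, None, off, "chain-exceeds-packet")
        if nh == FRAGMENT:
            chain.append("fragment")
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                # Non-first fragment: what follows is data, not headers.
                return result(chain, None, off + 8, "non-first-fragment")
            hlen = 8
        else:
            chain.append(GENERIC_EXT[nh])
            hlen = (pkt[off + 1] + 1) * 8   # length in 8-octet units
        nh, off = pkt[off], off + hlen
    if off > len(pkt):
        return result(chain, None, off, "chain-exceeds-packet")
    return result(chain, nh, off, "chain-over-budget" if off > budget else "ok")

def result(chain, upper, offset, verdict) -> dict:
    return {"chain": chain, "upper": upper, "offset": offset, "verdict": verdict}

def build(exts, upper=TCP, payload=bytes(20)) -> bytes:
    """Constructed sample packet. exts: list of (header type, length in
    bytes); only options headers (0, 60) and Fragment (44) are supported."""
    body, nxt = payload, upper
    for typ, length in reversed(exts):
        if typ == FRAGMENT:                 # offset 0, M=1, id 1
            hdr = bytes([nxt, 0]) + struct.pack("!HI", 1, 1)
        else:                               # one PadN option fills the header
            hdr = bytes([nxt, length // 8 - 1, 1, length - 4]) + bytes(length - 4)
        body, nxt = hdr + body, typ
    addrs = b"".join(ipaddress.IPv6Address(a).packed
                     for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB", 0x60000000, len(body), nxt, 64) + addrs + body
```

For instance, `walk_chain(build([(60, 48)] * 3))` reaches TCP only at offset 184, and a first fragment cut off before the end of its chain yields `chain-exceeds-packet`, the case the oversized-header-chain draft addresses.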





