
Re: 6to4 security questions



On Wednesday, November 20, 2002, at 03:10 PM, Jeroen Massar wrote:

Microsoft will be releasing many tools, which currently use IPv4, with
IPv6 support.
At least that's what their program manager said :)

Application vs Network is of course a very big chicken and egg problem
and one has to push it from both sides. Many free software programmers
fortunately realise this and are doing the right thing(tm).

One 'killer' program will certainly be a videoconferencing tool.
Say Netmeeting but then IPv6 capable. Another one will of course be
a Peer to Peer application where people can transfer their files.

I am currently seeing a move to IPv6 support on news servers which is
a good thing as it is a huge amount of data every day. Xs4all even have
their big (2Tb or something) news server open for the public.
(news://newszilla6.xs4all.nl).
So if something works over IPv4 and IPv6, and I've already got IPv4, why would I worry about getting IPv6 connectivity?

A game developer certainly has a compelling reason to use IPv6. Instead of supporting a massive server with a huge pipe, the developer could use a small server that allows gamers to find each other. All of the traffic could be sent directly between the peers with IPv6. A game developer cannot deploy an application that relies on IPv6 because it isn't widely deployed. They could develop a protocol for communicating over IPv4 if IPv6 isn't present, but then IPv4 nodes couldn't play with IPv6 nodes. As a game developer, I would write only the IPv4 code. There is no incentive to develop an IPv6 only application.

This is a chicken and egg problem. That is why transition tools are important. Apple could develop and ship a system that implemented 6to4 and shipworm/teredo to fall back on when IPv6 wasn't immediately available. Apple could also ship an application that made use of IPv6. Microsoft is in a similar position. Once that's done, third party developers can take advantage of that, assuming all of the transition mechanisms work. Shooting down 6to4 eliminates one transition mechanism. Not even acknowledging Teredo is another shot at transition.

Pointing us at configured tunnels as a solution to deploying IPv6 to our customers is not a reasonable solution. If Apple and Microsoft ship their next releases configured to automatically use one of the free tunnel brokers, overnight that service will be barraged with millions of requests and probably become unusable. The only reason those services are available for free and work is because the vast majority of people don't know about them or don't care.

If the transition to IPv6 relies on ISPs making a multi-billion dollar
gamble that deploying IPv6 without any customer demand will pay off,
IPv6 will never be widely deployed. Tunnel brokers don't scale, unless
they charge. If they charge, only corporations and the few individuals
that care enough will have IPv6 connectivity.

IMHO Tunnel brokers _will_ and can scale well if correctly built
of course.
Both freenet6 (www.freenet6.net) and XS26 (www.xs26.net) have many
(10K+) users who apparently are quite content with it.
Will it scale to millions? Who's going to pay for all that bandwidth? These solutions are only used by enthusiasts. As long as that's the case, they will continue to work. These solutions will not work for a wide deployment of IPv6. Without a wide deployment, no applications, and no demand for IPv6. No solution to the chicken and egg problem.

-josh

P.S. I'd like to apologize to SBC, I know there are some smart people there that are interested in IPv6, I just don't think the company's management is likely to approve spending money on deploying IPv6.