Technology Review - Published By MIT

January 7, 2004

Internet 6.0

Continued from page 1

By Simson Garfinkel


Those extra bits help explain why the Asian nations are so interested in IPv6. According to the trade publication DSL Reports, slightly more than 3 billion of the 4 billion 32-bit IPv4 addresses are now allocated to U.S.-operated Internet service providers, while China and South Korea, with a combined population of more than 1.3 billion, have been allocated 38.5 million and 23.6 million respectively. Is it any wonder that these countries aren't happy with IPv4?

But alas, those extra bits don't come for free. Deploying IPv6 means that every application that uses Internet addresses needs to be changed. Every Web browser on every computer, every copy of Outlook Express, every e-mail server, and every Web server needs to be upgraded to handle the 128-bit addresses. One transition strategy calls for most computers to simultaneously have both IPv4 and IPv6 addresses. The problem with this approach is that there's never a good time to have people start deploying systems that are only V6. That's because somewhere, somebody is going to have a machine that's V4 only, and they won't be able to communicate with you.

Another obstacle to IPv6 is that the routers that run the Internet's backbone circuits aren't set up to handle the longer addresses. Today, most routers come equipped with special-purpose integrated circuits that can route IPv4 packets very quickly. But because there is no demand for it, those routers don't have similar hardware that can route V6 in hardware: those packets have to be routed in software, which is a slower process. As a result, most experts think that the V4 routers simply couldn't keep up if the Internet's backbone were suddenly switched over to IPv6; the router hardware would have to be upgraded, which would be very expensive. Most corporations would face similar upgrades. At a medium-sized business with perhaps 16 high-speed routers, the cost would easily exceed $1 million.

Yet another problem with IPv6 has to do with all of the impending security problems it will cause. Network aficionados will be quick to point out that IPv6 implementations offer cryptographic security, since the Internet's IP security (IPsec) standard is "mandatory," according to the IPv6 spec. But what IPv6 boosters won't tell you, unless you press them, is that every new IPv6 nameserver, Web server, Web browser, and so on has new code, code in which security problems may lurk. Indeed, security problems with new protocol implementations are to be expected. And while some issues have been found with these new IPv6 servers, more are sure to be discovered.

But what could be the final nail in the coffin of IPv6 is a black magic technology that's made those extra gazillions of IP addresses far less important than they once were. This technology, called Network Address Translation or NAT, lets dozens or even thousands of computers hide behind a single IP address. NAT is the key technology that's built into most corporate firewalls and practically every home router on the market.

NAT violates one of the fundamental rules of the original Internet. With NAT it is no longer true that every computer on the Internet has its own unique IP address. On today's Internet, most computers use so-called "private addresses" that are hidden behind firewalls. The firewall then rewrites or translates the packets as they move from inside your home network to the great beyond; the packets from the Internet get similarly translated upon their return.

Because of NAT, most technologists have stopped worrying that the Internet is about to run out of address space. If you have a home network with a home firewall (and in the future, practically everybody will), then your toaster, your air conditioner, your furnace, and your refrigerator can all be plugged into it and communicate with their manufacturers, with each device sharing your firewall's IP address.

But for all of its apparent utility, NAT is really the devil. It's a Faustian bargain, a technology that appears to answer all of a network engineer's problems, but ultimately causes long-term troubles that are far more profound than the ones that it purports to solve. In fact, one of the big reasons that the Internet's early technologists wanted to get IPv6 deployed in the 1990s was to prevent the widespread adoption of NAT.

In its simplest incarnation, NAT creates a kind of one-way fence: computers behind the NAT firewall can open up connections to Web servers and mail servers on the Internet, but random attackers on the Net can't reach back through the NAT and break into your unprotected desktops and laptops. It has worked so well, in fact, that many organizations use NAT as their primary defense against hackers and worms. NAT has let organizations take the lemon of limited IP addresses and make a lemonade of improved security.
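
The address rewriting and one-way fence described above, as an added sketch that is not part of the original article: a port-translating NAT table in Python. All addresses and ports are constructed sample values, and accepting replies only from the exact remote endpoint that was contacted is an assumption of this sketch; real devices vary.

```python
# Added illustration: a minimal port-translating NAT (NAPT) state table.
# Every address and port below is a constructed sample value.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)
Packet = Tuple[Endpoint, Endpoint]  # (source, destination)


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Packet, int] = {}                      # (inside, remote) -> public port
        self.back: Dict[Tuple[int, Endpoint], Endpoint] = {}  # (public port, remote) -> inside

    def outbound(self, src: Endpoint, dst: Endpoint) -> Packet:
        """Rewrite a packet leaving the private network, creating state if needed."""
        key = (src, dst)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, dst)] = src
        return (self.public_ip, self.out[key]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if dst[0] != self.public_ip:
            return None
        inside = self.back.get((dst[1], src))
        if inside is None:
            return None  # no mapping: no inside host opened this conversation
        return src, inside


def demo():
    nat = Nat("203.0.113.7")
    laptop, fridge = ("192.168.1.10", 51000), ("192.168.1.20", 51000)
    web, stranger = ("198.51.100.80", 80), ("198.51.100.99", 4444)
    sent_a = nat.outbound(laptop, web)        # both hosts share one public address
    sent_b = nat.outbound(fridge, web)
    reply = nat.inbound(web, sent_a[0])       # translated back to the laptop
    probe = nat.inbound(stranger, sent_a[0])  # unsolicited: dropped
    return sent_a, sent_b, reply, probe


if __name__ == "__main__":
    print(demo())
```

The fence here is a by-product of the translation table: an unsolicited packet is dropped only because no mapping exists for it, not because any rule inspected it.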

Comments

  • The answer to the NAT issue
    netzach on 11/04/2006 at 10:34 AM
    There's a feature in the IPv6 specification which allows any host to be configured as a "link local" device. All of the benefits of NAT without any of the inherent problems.

    Worried that some overzealous grocery clerk will be able to hack into your fridge and remind you that you need a quart of milk before you leave the store? Make sure the fridge has a link local address.
  • So...IPv6 it is!
    UncleChevitz on 03/24/2008 at 11:35 PM
    Great article, as an IT student I think this article speaks well to both technologists and lay-people. However, the title seems to imply that it is an argument against the adoption of IPv6 technology, but, other than the title, the strongest arguments (explicit or not) seem to be in favor of IPv6 adoption. FUD always exists with new technologies, but the argument that "the old way is easier because that's how we do it" is almost never a good one. Do we as a society want to resist change because we fear it? Or just think it's easier? Things will have to change if we want to reap the benefits of technological innovation, problematic or not. Of course big companies don't want us to adopt technologies that might interfere with their ability to profit without additional effort, but in a general, logical sense, what is "better." I don't want to offend anyone with the upcoming analogy, least of all Mr. Garfinkel (who is undoubtedly far more knowledgeable than me, and kind enough to share his expertise and insight into the subject) but, haven't these arguments been used frequently to defend horrible things like slavery and laissez-faire economic policies? What's changed?