January 7, 2004

Internet 6.0

Continued from page 2

By Simson Garfinkel

But the apparent security that NAT provides is a mirage. The proliferation of laptops, e-mail attachments, and open wireless networks means that there are many opportunities for hackers and worms to get behind a NAT and launch attacks from the inside. Many organizations have learned the hard way that you cannot achieve secure computing by relying upon perimeter defenses (a topic I discussed in a previous column).

At the same time, NAT's one-way fence makes it harder for peer-to-peer applications to operate. That's a problem for file trading programs such as Kazaa, but it's also a problem for Internet telephony and the next generation of multimedia groupware applications. For example, the two-way videoconferencing system that's built into Apple's iChat software works behind some kinds of firewalls but not behind others. The program comes with an elaborate "connection doctor" program to help users diagnose problems that their firewall might be causing.

These problems go away when every computer on the Internet really does have its own IP address-something that's impossible today with IPv4, but which is the raison d'tre for IPv6. In a world with IPv6 and without NAT, every computer in my house has its own unique IP address on the public Internet. That means my desktop can open up a peer-to-peer connection with my desktop at work, but it also means that my daughter can network her machine directly with some teenybopper P2P network in San Jose. Getting everybody's home machine out from being a NAT box should make possible a lot of interesting applications that are either very difficult or downright impossible today. And in all likelihood, some of those applications will not be popular with the Recording Industry Association of America or the Motion Picture Association of America, both of which have taken the lead against peer-to-peer networks. As soon as they understand what a threat IPv6 is to their police actions, they are likely to start fighting against.

Given that the full-blown transition to IPv6 hardly seems imminent, technologists are struggling to at least chart some kind of workable path between where we are and the wondrous world of 128-bit addresses. One approach that's been proposed is called Realm Specific Internet Protocol, or RSIP. Designed as a replacement for NAT, RSIP allows organizations to keep using 32-bit IP addresses, keep their private address space, and eliminate the problem of packets being rewritten or translated. The good thing about RSIP is that it doesn't require changing application programs like browsers and e-mail clients; the bad thing is that it still requires making fundamental changes to operating systems.

A more likely path is that some small-but-influential organizations will start to adopt IPv6 internally as a kind of example, and these organizations will then link up and slowly build a new IPv6 landscape. Still, it's hard to see major U.S. Internet service providers spending the money to upgrade their backbones from IPv4 to IPv6 unless the transition is mandated by the some big customers or the federal government. The latter is less far-fetched than you might think: the U.S. Department of Commerce recently set up a task force to look at the issue, since it's widely believe that IPv6 will be more secure than IPv4 thanks to its use of IP-level encryption. Of course, that same encryption is available in IPv4 through the IPsec standard.

Asia, Africa, and India will all probably adopt IPv6, but IPv4 will not die in the United States-or even in the federal government. It's simply too easy for U.S. homes, businesses, and government offices to keep using what they have, and let the ISP set up gateways between the IPv4 Internet and the IPv6 Internet. Eventually, these gateways will grow into firewalls, passing some kinds of traffic between the United States and the rest of the world, but blocking other data-for example, unauthenticated e-mail that might be spam. The IPv4/IPv6 divide could be similar to the English/metric divide that we face today, and plans to move the U.S. Internet to IPv6 could end up being as successful as plans in the 1970s to change all the speed limit signs to kilometers per hour.

IPv6? Perhaps my seven-year-old daughter will use it when she goes to college, but probably only if she goes to Oxford.