Y Safle

IPv6 is an important topic, and Steve Gibson pretty much botches it in his Security Now! episode 25.

Now I should add a copule of quick disclaimers: for all the controversy around Steve Gibson (and this is not the Steve Gibson of Truth Driven Thinking incidentally), we should really cut him some slack on this podcast. What he is trying to do on this show is huge, and the breadth of reading he must undertake to understand the issues must not be underestimated. He is bound to make mistakes.

But maybe the problem is that he is trying to do too much himself. He is setting himself up as an expert in all things, but we know the Jack of all trades is the master of none. Certainly there are often large gaps in his knowledge that would be better filled by bringing in some other expert to discuss the issues of, say, NAT or CSMA/CD.

But on IPv6 Gibson’s gap of knowledge is so large that he fails to direct listeners adequately at all. He writes:

If it weren’t for NAT router technology that basically allows many machines to share a single public IP, we really would be in trouble already with IP space depletion. But NAT routers happened, and they’re just a good thing for everybody. Corporations are using them. There are even some ISPs that are using NAT routers and putting all their customers behind a big NAT router because it really works very well, not perfectly, but very well, as most home users know. And so the prevalence and birth of NAT routing technology has hugely reduced the pressure on the move to IPv6.

Steve Gibson is wrong as follows:

• NAT is not a good security solution. The part of NAT that is adding security is the same part that adds security in a non NAT perimeter firewall.
• The gains from NAT have largely been achieved with respect to address depletion. NAT extended IPv4 to give us time to migrate to IPv6, but the gains are not limitless. See the Internet Protocol Journal Volume 8, number 3 for more on this.
• NAT actually doesn’t work that well. We are just getting good at working around its limitations. This is why Gibson endlessly pushes the proprietry non-standard Hamachi solution for encrypted tunnels, and other mechanisms to make some kind of peer to peer work
• IP address depletion is more imminent than the Steve Gibsons of this world think. We are certainly in the last decade of IPv4, and we may see address depletion in as little as four or five years. Again see the Internet Protocol Journal at http://www.exio.com/web/about/ac123/ac147/archived_issues/ipj_8-3/from_the_editor.html

IPv6 has so much more to offer than Steve Gibson realises. Zero configuration, IP mobility, multiple addresses per interface, router discovery, link level encryption (he mentioned that one in passing), authentication… the list goes on.

He also says:

The problem is that it’s not easily compatible with IPv4. The problem that IPv6 is having is, you know, the manufacturers who are making the routers, I mean even, for example, the PC manufacturers are supporting Version 6, though no one’s using it yet. You know, Windows Server 2003 and XP can do IPv6. But you can’t get it anywhere. I mean, there’s nowhere to plug it in to get Version 6

Actually IPv6 does play very nicely with IPv4, and you can get it now. See for instance the BT Exact tunnel broker service.

The real worry here is that Gibson clearly does not understand the mechanism by which we must transition from IPv4 to IPv6. There is not going to be a single big switch over. We must create islands of IPv6 (falling back on IPv4 automatically when we must). We connect these islands by one of the many tunnelling protocols, and as the islands grow, the sea of IPv4 is slowly pushed back. Before you know it we are all using IPv6 - just in time to stave off address depletion.

But whilst the Gibsons of this world stick their head in the sand and pretend this is just not an issue, because we have NAT, we continue to drown in the IPv4 sea.

You want security now? Implement IPv6. Learn how to rewrite your firewalls for IPv6 (yes you need to do that). Learn about its encryption and authentication mechanisms. That is the way to secure networking (well more secure at least).

So in closing - Steve Gibson should keep up his podcast, but until he starts consulting with IT security and networking experts, the podcast will always dissapoint. A pity, as the idea is good.

But I wouldn’t want to do it on my own!