Apple Under Fire For Backing Off IPv6 Support 460
alphadogg writes "Apple Computer came under fire for back-pedaling on its support for IPv6, the next-generation Internet Protocol, at a gathering of experts held in Denver this week. Presenters at the North American IPv6 Summit expressed annoyance that the latest version of Apple's AirPort Utility, Version 6.0, is no longer compatible with IPv6. The previous Version, 5.6, offered IPv6 service by default. While home networking vendors like Cisco and D-Link are adding IPv6 across their product lines, Apple appears to be the only vendor that is removing this feature."
Re:Because 32bits of addressing... (Score:2, Informative)
I was really puzzled about this, so I went to 'investigate' the issue a bit. Turns out Airport is not a router, but a sort of wireless switch (no modem). So this is probably another speed optimization as packets are 96bit smaller and your home network probably isn't filled with more than 4294967296 devices.
The first thing that comes to my mind is how in the hell this is going to work when you want to access the internet in such a configuration. The utility or physical Airport station probably converts this. I don't think Apple is that retarded...
This is non-sense (Score:5, Informative)
They did not remove IPV6 at all. They new confit utility (v.6) doesn't let you configure it, but they say so right in the docs that it is one of th feature the new version does not yet support. They also give you a download link the previous 5.6 version if you want to configure those rarely used features. IPV6 is even enabled by default.
Re:Airport Utility 6.0 is awful (Score:2, Informative)
Indeed, they still offer the download for previous version (5.6) which happily coexists with version 6.0. I can only imagine they wanted to get the new version out fast, and extend it with non-essential features over time.
PS: The download link for those interested: http://support.apple.com/kb/DL1482
Re:Features (Score:5, Informative)
You know, I've been waiting for it to become "mainstream" for over a decade now. Constantly, people have said "It's coming! It's coming!". Support has been added to just about everything. The problem is still that all those pesky web sites that people want to reach haven't converted. I went cruising through the IPv6 migration sites, they show the dozens of sites that are available.
Here's a quick look.
So, if you just switch over, you can't use google.com, unless you remember to use ipv6.google.com. You can't reach Slashdot. Try all the sites you frequent. Of my daily reading list, the only one that works by its normal name is xkcd.com. Most of them are big sites.
I'd expect to see ISP wide NAT deployed before IPv6. IPv6 is a novelty that may get adopted sometime in the future, but I wouldn't hold my breath on it.
Re:Because 32bits of addressing... (Score:4, Informative)
Source on this? It seems to do the important parts of routing, at least for a home network configuration--assigns IP addresses, allows port forwarding, etc. And it certainly can do IPv6--the option was removed, for some reason, from the newest configuration utility. Also, it obviously works when connecting to the Internet, unless it has a really sophisticated Slashdot emulator :)
You can still download the old Utility: http://support.apple.com/kb/DL1482?viewlocale=en_US&locale=en_US [apple.com]
Re:ipv4 is dead, long live ipv4! (Score:5, Informative)
IPv6 is actually very easy to remember when done right. Further, we have DNS for address resolution - how many of the websites you visited today do you know the IPv4 address for?
For an enterprise, once they get their allocation, it's really not that bad. I will make up an allocation as an example:
2600:123:b000::/48
With 5 more octets left (octets isn't the right term, but divisions seperated by colons), you can do a large amount of intelligent numbering, and even just reuse all of your VLAN and IPv4 numbering right inside your IPv6 addressing.
For instance, if you have a server network at 172.16.2.0/24 and it is vlan 203, you can assign 2600:123:b000:203::/64 (with the nodes getting ::172:16:2:yyy), so a given server node with 172.16.2.105 would be 2600:123:b000:203:172:16:2:105 . It's wasteful, but with IPv6, who cares?
If you have more than one site, then each site should get you your own /48. When applying for addreses, you should do so for all sites at once. We have a /44 (x:x:b000 - x:x:b00f) as we have 9 sites. We can then assign each site based on their site numbers (2600:123:b001 - 2600:123:b009). We use 2600:123:b000 for infrastructure, and still have 2600:123:b00a - 2600:123:b00f left over.
So, site 3, vlan 405, network 172.24.5.0/24 would be assigned 2600:123:b003:405::/64 with nodes having 2600:123:b003:405:172:24:5:yyy. For workstations that use SLAAC and/or DHCPv6, you don't care about the last 64 bits and you rely on DNS. But you still know the site and VLAN if you use the same numbering. 2600:123:b002:464::/64, which is site 2, vlan 464.
All the IT staff has to do is learn that 2600:123:b000 - b00f is our assignment and explain the rest of our addressing plan. It's actually rather natural to do it this way and makes a ton of sense.
Oh, and personally I would skip doing any decimal to hex conversion where it can be avoided. For instance, I would not make vlan 165 be A5 (the hex value), but rather just 165. This does mean you'll "waste" something like 37.5% of your address space - but again, who cares? I'll take readability over maximum use any day.
Re:Good for them! PRIVACY gone in 128bits (Score:4, Informative)
That's bunk. NAT doesn't provide real security, and in fact a false sense of security. Your firewall should always deny/drop traffic by default, except where permitted otherwise, either explicitly or by a stateful connection originating from the inside.
If you want pseudo anonymity on the level of what you have with IPv4, then leave the global randomize identifiers on. It's on by default in Windows. You actually have to disable it with netsh interface ipv6 set global randomizeidentifiers=disabled.
Re:Features (Score:3, Informative)
Every device gets an address, but that address is not a GUID. The address is different if you go to a different network. The address changes every day. It's not useful for tracking you, at least no more so than your v4 address was.
Not much to discuss here.
Re:Good for them! PRIVACY gone in 128bits (Score:4, Informative)
Time to learn some networking, bro.
Re:Because 32bits of addressing... (Score:5, Informative)
I don't believe, for a second, that all addresses in companies or homes need to be public addresses!
Not every IPv6 address is a "public" address - private addresses can be assigned to a local subnet, very much like RFC1918 addresses, except now called Unique Local Addresses.
and, of course, there is some security to NOT being directly touchable on the net.
I don't WANT my address to be easily and directly reachable
Second of all, I can only assume by "directly reachable" you remain the loss of NAT/PAT. Again, Unique Local Addresses invalidate your statement. Furthermore, NAT/PAT can still be implemented. Not that it gives you any security whatsoever today.
running ipv6 is about as useful, to home users, as running BGP.
You do know that BGP is a routing protocol and IPv6 is a routed protocol, right? Please take a moment and read through the Wikipedia page on IPv6. Maybe even try running it for a week or two in a virtual environment?
Re:Because 32bits of addressing... (Score:5, Informative)
So this is probably another speed optimization as packets are 96bit smaller...
Actually, an IPv6 packet can be smaller than an IPv4 packet. The IPv4 header contains a lot of garbage not required by IPv6. See for yourself. [cisconet.com]
Secondly, IPv6 addresses can be concatenated. Only if you're using an extremely complex IPv6 address will your router need to process a large source or destination header.
Re:Because 32bits of addressing... (Score:5, Informative)
You'd think IPV6 people would be smarter... (Score:5, Informative)
Apple didn't back off on anything. The version of Airport Utility discussed is the pretty, dumbed-down version of the application intended for folks who just barely understand what a router is about. It matches the similar version deployed on iOS.
The "previous version" isn't. The feature-complete 5.6 was released at the same time as the simple version, and has the same support for IPv6 as it ever did.
A.
Re:Because 32bits of addressing... (Score:5, Informative)
"can be smaller", but won't.
IPv4 header: "Variable length of 20-60 bytes, depending on IP options present." (if you don't use any options, 20 bytes).
IPv6 header: "Fixed length of 40 bytes. There are no IP header options." (if you don't use any options either, 40 bytes)
IPv6 is terrible if those "20 bytes more" are relevant for your application.
Src: http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=%2Frzai2%2Frzai2compipv4ipv6.htm [ibm.com]
5.6 *is* the latest version (Score:4, Informative)
5.6 is not the previous version! 6.0 and 5.6 were released simultaneously! The problem lies with their product naming, not versioning. That is, 6.0 really should have been called Airport Utility Lite or something like that. 5.6 could have been Airport Utility Pro or something like that. 5.6 is very much the latest version. Want all the features? Use 5.6. Want a simplified interface? Use 6.0.
Re:Because 32bits of addressing... (Score:5, Informative)
You're breaking the internet because you don't understand it. There's not really a nicer way to say it. Every host is *SUPPOSED* to be addressable. It's called the end-to-end principle. The fact that NAT prevented unsolicited connections was a consequence of its design, not a feature. Firewalls do it better, and with more control. They even do it by default! The reason the iptables authors are religiously opposed to it is because the internet isn't meant to be like that, and there are perfectly good solutions (in iptables!) to do what you want without a broken end-to-end principle.
For what it's worth, I've been running IPv6 at home for a few years without the slightest trouble. My clients get NATted IPv4 addresses, and a public IPv6 address. They have the same security, since the firewall prevents unsolicited connections. But since it's a firewall and not shitty NAT, I have three SSH servers on port 22 and two webservers on port 80 that are publicly routable. Try doing that with NAT
Re:Because 32bits of addressing... (Score:5, Informative)
:) As one of the original authors of some of the software that makes this Internet run (you probably are using it too, at least indirectly) I have a vague idea :)
Not every host is supposed to be addressable. There is a very specific reason private non-publicly-addressable subnet ranges were created, for example. So, your claims are false - you simply don't know what the Internet is "supposed" to be like.
Re:Because 32bits of addressing... (Score:5, Informative)
And IPv6 can do better, without all the ugly side-effects of NAT: https://www.rfc-editor.org/rfc/rfc4941.txt [rfc-editor.org]
Re:Because 32bits of addressing... (Score:5, Informative)
Re:Because 32bits of addressing... (Score:5, Informative)
Turns out Airport is not a router, but a sort of wireless switch (no modem).
Your terminology is not quite standard.
So this is probably another speed optimization as packets are 96bit smaller and your home network probably isn't filled with more than 4294967296 devices.
My comparatively ancient and underpowered WRT54G manages IPv6 just fine.
But more to the point, the Airport Extreme itself is perfectly capable of routing IPv6, so your point is moot. It's just that IPv6 support is no longer included in the configuration utility.
Re:Because 32bits of addressing... (Score:3, Informative)
Re:Because 32bits of addressing... (Score:4, Informative)
The impression I get (since I'm part of the group that runs the network for a major southeastern university) is that everyone should be running dual-stack for a while. Any infrastructure equipment you get that runs v6 should also be able to run v4 fairly easily. Any time we upgrade all the equipment in a building, or put in a new building, the addressing for the switches gets done via IPv6. For a majority of desktops, dual stack is available. For servers
But we have the money available to us to have IPv6 capable equipment. At home, FiOS has yet to provide me anything that provides IPv6 connectivity natively (ignoring tunneling). From what I've ready recently, say what you will about Comcast, at least they're deploying it.
The impression I get from your post is that you have equipment (both infrastructure and otherwise) that's more than 10 years old. I feel for you; we do, too. To a large extent, I'm not so sure you want an OS that old to have any kind of Internet access anyway. From a "It makes me feel good" stand-point, it would be nice if there were an easily implemented v4-v6 translation method available, but there just isn't.
So, what am I trying to say? Well, I've never talked to the "IPv6 crowd," but I don't doubt that they can be obsessive. But need to maintain an internal IPv4 network? Oh my, that can't be that hard. IPv4 isn't going away any time soon, and I seriously doubt there's anything out there on the services side (IE, a website) that you couldn't easily get to via IPv4 (unless it's an IPv6 proof of concept site).
It's going to be outside-in. Until all the major providers of home internet are providing at least a majority of their customer base IPv6 access, it's not going to be that big a deal. And even after they're doing that, you've got to assume that they'll be dual-stacking it, too. At least for a while.
Re:In other news.... (Score:2, Informative)
Apple on the other hand, is not allowing users to configure IPv6 - even if it is present and enabled, what good does it do if it can't be configured?
Wrong. Fundamentally wrong. As I explained in my first post, the first release of this new version of the utility doesn't allow you to configure it, but the old version does, and it still works. It's a non-issue for 99% of users because most people can't yet get IPv6 support from their ISP. The device still fully supports IPv6, but if you need it right now, you have to use the older version of the configuration utility, that's all.