The Internet is running out of addresses. To get around this problem and a host of others not addressed in the existing Internet Protocol (IPv4), a new revision has been in development for years, called IPv6. Uptake has been slow; it requires upgrading all the routers and devices that make up the Internet. Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it. Here's why, and what it means for users on every platform.
The primary problem with today's IPv4 is that its 32-bit addressing scheme (those IP numbers that look like 192.168.0.1) can only accommodate four billion (4,294,967,296) uniquely addressed devices, minus all the specially reserved numbers. IP addresses aren't handed out per device as needed; they're allocated in sequential blocks to companies.
For example, Apple owns the entire 17.x.x.x "Class A" subnet, which gives the company 16 million addresses to use. HP owns two: 15.x.x.x and 16.x.x.x., while Xerox owns 13.x.x.x; AT and IBM 9.x.x.x; Many blocks are reserved for special purposes, including 10.x.x.x. By the time Microsoft got in line for IP addresses, it only got a class B subnet of 65,536 addresses from 207.46.0.0 - 207.46.255.255.
The world's IPv4 numbers run out at 255.255.255.255. The only two options: create a new addressing scheme with more numbers (which IPv6 does, using ten billion billion billion times as many possible numbers as IPv4), or simply hide most devices from public addressing on the Internet, which is what today's NAT (Network Address Translation) does.
The problem with NAT
NAT allows a router to set up a dummy network of addresses, usually using the reserved 10.x.x.x or 192.168.x.x subnets. These reserved numbers aren't valid on the wide open Internet. In consumer settings, the router typically uses one public outside address and then does address translation for all outside traffic between that public IP number and all of the devices inside. The 192.168.x.x subnet allows for over 65,000 devices to be hidden in your home behind a single address assigned to you by your ISP.
NAT dramatically limits the number of public addresses each site needs, but it creates its own problems. The point of an addressing system is to allow devices to find each other. With NAT, and particularly with multiple layers of NAT, it becomes difficult for one device to find another and start a conversation, say to initiate a web conference, trade files, or stream music. The inside address is no good for outside hosts, and the public IP address is often subject to change.
Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can't also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.
NAT as a refuge for the insecure
NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.
Neither NAT nor an external firewall is really required when a computing system is property secured. The security crisis resulting from putting Microsoft's software, which was only ever originally designed to operate within an "assumed to be secure" LAN environment, on the open Internet has resulted in people thinking that PCs shouldn't be publicly addressable for their own good.
This is unfortunate, because there are a lot of good reasons for wanting to be able to talk to your own devices over the Internet. Finding and setting up connections with other devices hiding behind the existing layers of NAT can require some tricky technology. That's the task of Apple's Back To My Mac: allowing mobile systems anywhere on the Internet to talk to home systems to handle file sharing, screen sharing, or other tasks.
The promise of IPv6
IPv6's 128-bit addressing not only brings a virtually unlimited number of available IP addresses for everyone to use (billions of numbers for each person on Earth), but also introduces solutions that solve many of the other problems in today's Internet Protocol, including the barriers erected by layers of NAT.
One big feature is security: all IPv6 traffic can be encrypted via a built-in component of the protocol. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything can be encrypted at the network layer in IPv6 using IPSec. This can be automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."
Rather than relying on Windows' NAT diapers for "security through obscurity," IPv6 makes every device on the Internet routable and securely contactable. If IPv6 is beginning to sound a lot like Back to My Mac, Bonjour, and related technologies Apple is already using, then it might be interesting to note that Apple is already using IPv6.
While most vendors have released IPv6 support for their operating systems, having that support doesn't make it useful without a killer application that demonstrates its usefulness. Microsoft delivered a technology preview of IPv6 support in Windows 2000. In 2002 Windows XP SP1 got official, optional support for it. Apple enabled IPv6 by default in Mac OS X 10.3 Panther in 2003, and it is now enabled by default in Windows Vista, too.
However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don't support it at all.
A killer app for IPv6
The advantages of IPv6 are both obvious and largely invisible. Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background. The paradox is that while the Internet desperately needs IPv6, few see any reason to rush toward it. There's no obvious killer application of IPv6 to offset the considerable expense of upgrading all of the critical routers and other equipment that makes up the Internet.
Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers. However, Apple's AirPort Extreme and Time Capsule devices are in widespread use among consumers. Earlier this year, NPD reported that Apple now has greater than ten percent market share among retail sales of WiFi N routers.
Apple's WiFi N routers support acting as an IPv6 node or tunneling through the IPv4 Internet to access IPv6 services (below). They also include an IPv6 firewall supporting incoming IPSec authentication and Teredo tunnels (used to get through NAT on the other end). Apple's nearly silent support for IPv6 is interesting in itself, but what's more interesting is that Apple also has two killer apps in hand for promoting IPv6, the market power to engage uptake, and a strong business model for benefitting from IPv6 adoption.
On
No comments:
Post a Comment