Welcome to the annual DEF CON convention. This meeting was held in exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is tape number 33, IPv6: what, when, where, how, why?

We're running out of space. It comes down to the Goldilocks problem: class C is too small, class A is too big, and class B is just right. They tried to aggregate, sticking blocks of class C together and routing them together as one, which is classless inter-domain routing (CIDR). But that's only a temporary fix, because our routing tables are getting smaller. Yeah? IPv5? IPv5, yes, actually I think that's on the next page. Yeah, that's on the next page. Yes, there was one. IPv5 is actually in use as a stream transport protocol made by the IETF, the Internet Engineering Task Force, which makes most of the protocols. But IPv5 is out there, so they called this one IPv6. Actually, the competing proposals were IPv7, 8 and 9, so I don't know what the next one will be. The routing tables were getting too big and too complex to route all these things, because everybody wanted a class B address: we have more than 256 machines, so we want a class B address.

The other reason we need a new version of the protocol is address renumbering. The IETF and some other people figured that we needed address renumbering. Whenever we moved from one provider to another, we'd have to renumber all of our addresses, and nobody wanted to do that manually anymore. In the original days, the routing tables were just entered by hand into the UNIX boxes. But now computers are mobile, switching from one network to another. I mean, my Palm Pilot has an IPv4 stack. Everything is getting more and more connected to the Internet: your dishwasher, your microwave.
But they decided that they needed more and more stuff, and to renumber the addresses. We needed real-time traffic. Say I wanted video on demand: I could just start watching Terminator 2 over the Internet, and I want it not to lag every time. I mean, RealAudio and RealVideo are bad enough. We needed auto-configuration, meaning that we wanted to be able to take a computer out of the box, plug it into the wall and have it automatically figure out where it is, who its neighbors are, where its routers are, the nearest router, etc. And of course, why we're all here: they needed more security. IPsec, or IP security, which is about the last half of this talk, is IP security in general. They needed to add that in, so they put it in as a mandatory feature.

So what is it? As I said, it's a complete overhaul. They didn't just extend it; they completely redid the headers. They're working on TCPv6. It started in 1992 through the IETF process: proposals were sent out, the standard protocol development process of ietf.org. They wanted a larger address space, obviously, because they wanted to be able to waste some space in order to make our routing tables easier. Right now you've got to have everything just right with the classes. They wanted to make sure of mobility; they've got mobile IP for v6. Different traffic classes: FTP and email, the bulk stuff, versus, for example, real-time video. They wanted to make sure that security, or at least authentication, was available as part of everything. But you also have to deal with IPv4: there isn't going to be a day on which, all at once, we all convert over to IPv6. You can't have that. So we've got to have some way to transition, and I'll talk about transitioning.

Okay, addresses. No longer 128.173.1.5. Instead of 32-bit addresses, we're now going to 128-bit addresses.
Eight 16-bit groups separated by colons. So that is a fully qualified Internet address, obviously made up, but that's how long these addresses are going to be. What's that? In binary? 111111110. Okay, so they needed shortcuts: if you have a bunch of zeros you can squish them, drop some of the leading zeros and use double colons and other stuff like that. But for the most part, people don't need to know what the addresses are. I mean, unless you're in promiscuous mode and want to find out who's doing what. They wanted to put more emphasis on the domain name servers, which are also going to be changed, and that'll be discussed later. You can't just have an A record, an address resource record.

Okay, so some hosts can have more than one interface. Before, it was: I have an IP address, there's my box; I have another IP address, here's my other box. Now, with mobility, we can have a box connected to multiple providers. We can have a site that's connected to MCI and Sprint, and if Sprint goes down, MCI can take over without having to renumber stuff. We can add mobility. So if I move from Virginia out to here, it's automatically renumbered and I don't have to retype the thing. In fact, even on campus, moving from one building to another, from one subnet to another, requires renumbering manually, even rebuilding the machine if it's Windows, sometimes.

The boundaries are no longer fixed. We have what we call prefixes. So you see right there, 3FFE:0900 and then a bunch of zeros, slash 24. That means the first 24 bits, 3FFE:09, are the prefix, kind of like your subnet address. I'll show a picture of how the routing will actually work. Since the addresses can be renumbered, every address has a lifetime.
There's how long an address is valid for and how long it's preferred for, so that addresses can be renumbered for whatever reason. So about 136 years maximum, or infinity, and you can renumber; the preferred time runs out before a new address is sought. There are different lifetimes so that you'll know when to renumber. You'll also need to know that addresses have been divided up into a couple of categories.

So why did they choose 128 bits and not, say, 64 bits? Right now it's 32, and 2 to the 64 is an astronomical number. In fact, 2 to the 128 is, I think, about 6.7 times 10 to the 23rd addresses per square meter of the Earth's surface. If you heard Bruce's talk yesterday, 2 to the 128 is almost uncountable. So why would we need 6.7 times 10 to the 23rd addresses per square meter? Because of routing inefficiencies: it's more effective to have the routers wasting blocks of addresses in order to make our routing tables easier and faster.

So let me show you how they calculated 128 bits. This is the only formula in the talk. Dr. Christian Huitema, who is a highly respected member of the IETF and the IESG, the Internet Engineering Steering Group, developed this H number. He said the log of the number of addresses over the number of bits is your percent efficiency. So if we have 10 bits and 1,024 hosts, that's about .30: if you take the log of 1,024 and divide it by 10, it should be right about there. They've estimated, looking at large networks in IPv4 right now, that H is between .22 and .26. Well, if H is .22 to .26, and there are only 32 bits in IPv4, that's somewhere between 11 and 208 million hosts if we had the perfect efficiency. Now what they want to do is connect everybody around the world to IP.
They want a computer for every person on the planet, say 10 billion people, and each of those with up to 100,000 computers if they wanted, with everything else on there, and who knows for those objects that aren't with people. So they calculated that at somewhere between 57 and 68 bits. So instead of limiting themselves to 64 bits, they went to 128 bits.

So let me explain some new concepts. Unicast we've seen; that's one to one, meaning one interface to another. It's the standard address we use right now. Multicast we've seen; that's one to multiple interfaces, a class D address in IPv4. There is no broadcast anymore in IPv6. But they developed anycast. So if I'm sitting at my site in Kansas, I want to find the nearest machine in a group of similar machines. If I want to find CNN, CNN may have a site in Atlanta and London and Moscow, and my computer needs to know which is the nearest one. So what it does is search out through the routing tables, a ring at a time, until it finds the nearest server. It's a new feature in IPv6 called anycast: basically any machine within a certain group of machines will be found.

Let's talk about link-local, site-local and global addresses, and then in the next couple of slides I'll show you how an address will be broken up. Link-local: if I just had an Ethernet segment and all the machines on it, those would be link-local machines. They're not connected to the Internet. They're kind of like your 10.0.0.0 machines for class A, and the other private ranges. You just set it up out of the box and away it goes. There's obviously global, and then there's site-local, where you'd have different addresses for a group of machines that's just called a site. Now what's a site?
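The H-ratio calculation above is worth carrying through, because the three numbers the talk quotes (0.30 for 1,024 hosts in 10 bits, 11 to 208 million hosts for IPv4, and 57 to 68 bits for the design target) all fall out of one formula. The following is an added example written for this page, not code from the talk or from Huitema; the 10 billion people times 100,000 devices figure is the talk's own assumption, used here as the default input.

```python
import math


def h_ratio(hosts: int, bits: int) -> float:
    """Huitema's H ratio: log10(addresses actually in use) / address bits.
    1.0 would be perfect packing; real networks sit far below that."""
    return math.log10(hosts) / bits


def max_hosts(bits: int, h: float) -> int:
    """Invert the ratio: how many hosts a `bits`-wide address space supports at efficiency h."""
    return int(10 ** (h * bits))


def bits_needed(hosts: int, h: float) -> float:
    """Address bits required to number `hosts` hosts at efficiency h."""
    return math.log10(hosts) / h


def ipv4_ceiling(h_low: float = 0.22, h_high: float = 0.26):
    """The talk's '11 to 208 million hosts' for 32-bit IPv4 at observed H of 0.22..0.26."""
    return max_hosts(32, h_low), max_hosts(32, h_high)


def ipv6_design_range(people: int = 10_000_000_000, devices_per_person: int = 100_000,
                      h_low: float = 0.22, h_high: float = 0.26):
    """The talk's '57 to 68 bits': bits needed for 10^15 hosts at the same two efficiencies.
    Inputs are the talk's assumptions, not a measurement."""
    hosts = people * devices_per_person
    return bits_needed(hosts, h_high), bits_needed(hosts, h_low)


if __name__ == "__main__":
    print("H for 1024 hosts in 10 bits:", round(h_ratio(1024, 10), 3))
    print("IPv4 host ceiling at H=0.22..0.26:", ipv4_ceiling())
    print("Bits needed for 10^15 hosts:", ipv6_design_range())
```

The point of the inversion is that the ceiling is set by how addresses get allocated, not by 2^32; raising H is as much a policy problem as a protocol one.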
Is it a single campus, or is a company that's spread out over the world called a site? So there are different addresses laid out, and on the next slide let me show you the percentages of the address space, where you can see the inefficiency and the room for future expansion. Because right now, the way they've allocated it, global unicast, which is one-to-one through the global Internet, is one eighth of the address space. That's it, and that's one of the biggest chunks. The other biggest chunk is geographic-based unicast, which is based off of GPS or any other kind of address that's based on where the machine is. They've got things in here for IPX, multicast addresses, link-local, which is what I said, on this particular link, site-local, and others. That accounts for about 30% of the address space, and that includes every single global unicast address. The other 70% of the addresses is not assigned. So theoretically, you could branch this off into space at some point and maybe have IP on other planets or the moon, and it'll still work, IPv6 out there.

So let me show you what a global unicast address looks like; that's the common one, which is what most people use. The 128 bits are divided up. There's the three-bit format prefix; well, I didn't divide it, the IETF did. Those three bits on the left tell whether it's a global-based machine or IPX, something like that. Then you've got TLAs, NLAs, SLAs, and the interface ID. The TLA is kind of like the overall global providers, while the NLA is for particular sites. So a TLA would be something like Sprint. That's top-level aggregator, next-level aggregator and site-level aggregator. The next-level aggregator could be a university.
Then, instead of giving out little subnets of 256 or 1,024 addresses each, each university is given a fixed format prefix, a fixed TLA and a fixed NLA, so that each university can give out SLAs any way it wants. That's 16 bits right there that they can give out per network, so up to 65,000 networks for every site. Now, the interface ID: you take the Ethernet card and run it through some IEEE shifting around. You basically take a MAC address, split it apart, put a couple of bytes in the middle, FFFE, flip a couple of bits, and you'll come up with your interface address. So that's how your addresses are calculated, basically off your MAC address, since most people now have Ethernet. If not, there are other ways of getting the 64 bits. So the 64-bit part is just for a machine, much less than the site and all that.

Let me show you now the header. Our old IP header is gone. They still have the version number where it's supposed to be, but now they've got some different things in there. We have flows and priorities and class; priority used to be called class, and there's a flow label. That's like saying every frame of Terminator 2 will have a unique flow label. So you know what frame is coming through, and you'll know that this is the Terminator 2 film going to this address that needs real-time video, so the routers can see the header, figure out that there's real-time traffic, and not even have to look at the whole packet before sending it on. So it's just a few bits, and everything is fixed-size. You'll notice that there are no IP options anymore. I'll cover how those are handled, but there are no IP options; it's a way that they just stick it all in there. Payload length: you can have up to 64K in a packet. However, there are ways of getting more in there. Next header is kind of like the protocol field in IP.
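The MAC-to-interface-ID step described above is mechanical enough to show exactly. This is an added example for this page (not the talk's code): it builds the IEEE EUI-64 identifier by splitting the 48-bit MAC, inserting FF FE, and flipping the universal/local bit, then combines it with a /64 prefix. The MAC 00:11:22:33:44:55 and the 3ffe:900:1111:269::/64 site prefix are made-up inputs; the reverse function is included because it is the security point a practitioner should notice: an EUI-64 address hands your hardware identifier to every network and every server you talk to.

```python
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """IEEE EUI-64 from a 48-bit MAC: split 3+3 octets, insert FF FE in the middle,
    then flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def address_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 for link-local, or the site's FP+TLA+NLA+SLA)
    with the EUI-64 interface identifier in the low 64 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(address: str) -> Optional[str]:
    """The privacy cost of EUI-64: anyone who sees the address recovers the MAC.
    Returns None when the identifier is not EUI-64 shaped (manual or random IID)."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed sample MAC
    print("EUI-64:", mac_to_eui64(mac).hex())
    print("link-local:", address_from_mac("fe80::/64", mac))
    site = address_from_mac("3ffe:900:1111:269::/64", mac)
    print("site address:", site, "-> MAC", mac_from_address(str(site)))
```

Because the interface ID stays constant as the prefix changes, a host that renumbers across networks is still trackable by its low 64 bits; that is why later work on IPv6 added randomized, temporary interface identifiers instead.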
The next header is TCP. Hop limit, not time to live: hop limit is decremented by one every time you go through a router. It used to be time to live, the number of seconds the packet spent at a router, but no router takes three seconds anymore; every router takes less than a second. And there are your source and destination bits. Let me show you... there you go. Payload length is 16 bits, but if you set the length to zero, you can have something called a jumbogram: four-gigabyte packets. Oh, yeah. Because over fiber it's more efficient to send larger packets, so they allow for jumbograms. The minimum MTU is 1,280 bytes. They haven't really addressed this, but I'm not really sure what a ping of death would be with a four-gig jumbogram. That would be something. I don't know whether it's just like, well, it's coming anyway. That's the kind of vision they see, but from a security point of view I'm kind of wondering: it's legal to send a four-gig packet, but that's a serious mail bomb, or a packet bomb. Don't drop those packets.

Types of header: instead of using options, they've got headers for authentication and ESP and stuff like that, fragment and destination, so that every packet doesn't have to be looked at until the end. If they wanted a hop-by-hop header they could have one, but for instance, you use a fixed-size header without the options and no fragmentation; if you need fragmentation, you stick in a fragment header. There's no fragmentation in the base header. They allow it, but for the most part packets won't have it, so you don't have to look at fragmentation. So the routers will be at least 40% faster with just a fixed-size header, in experiments that have been done. Header chaining, you've seen this: you stick an IPv4 header and then TCP and away you go. IPv6 will say the next header is routing.
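Header chaining is where a lot of later IPv6 filtering bugs lived, so here is what "walk the chain until you reach the transport header" actually involves. This is an added example written for this page, not code from the talk: it parses the fixed 40-byte base header, then follows Next Header through Hop-by-Hop, Routing, Destination Options, Fragment and AH (each with its own length rule) until it finds TCP/UDP/ICMPv6, stops at ESP (opaque without the SA key), and refuses to report a transport header for a non-initial fragment, since the bytes there are payload, not a header. The packet is constructed inline with made-up 6bone-style addresses and a zeroed 96-bit AH ICV; no integrity check is computed here.

```python
import struct

# Next-header values (IANA protocol numbers)
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 6, 17, 43, 44, 50, 51, 58, 59, 60
NAMES = {HOP_BY_HOP: "Hop-by-Hop", TCP: "TCP", UDP: "UDP", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", ICMPV6: "ICMPv6", NO_NEXT: "No Next Header", DEST_OPTS: "Destination Options"}
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}   # length field counts 8-octet units, not including the first 8


def walk_headers(pkt: bytes) -> dict:
    """Follow the IPv6 header chain. Raises ValueError on truncation rather than guessing."""
    if len(pkt) < 40:
        raise ValueError("truncated base header")
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh, _hop_limit = struct.unpack("!HBB", pkt[4:8])
    # payload_len == 0 means a jumbogram whose length lives in a Hop-by-Hop option; fall back to the buffer.
    end = 40 + payload_len if payload_len else len(pkt)
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    chain, off, fragment = [], 40, None
    while True:
        if nh in GENERIC_EXT:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            nxt, size = pkt[off], (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated fragment header")
            nxt = pkt[off]
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            fragment, size = (frag_field >> 3, frag_field & 1), 8   # (offset in 8-octet units, M flag)
        elif nh == AH:
            if off + 2 > end:
                raise ValueError("truncated AH")
            nxt, size = pkt[off], (pkt[off + 1] + 2) * 4   # AH length is in 32-bit words, minus 2
        elif nh == ESP:
            chain.append(NAMES[ESP])   # everything past here is encrypted; a middlebox cannot see the ports
            return {"chain": chain, "upper": None, "upper_offset": None, "fragment": fragment}
        else:
            # Upper-layer protocol reached, unless this is a non-initial fragment: then the bytes at
            # `off` are a slice of the original payload and must not be parsed as a TCP/UDP header.
            if fragment and fragment[0] != 0:
                return {"chain": chain, "upper": None, "upper_offset": None, "fragment": fragment}
            return {"chain": chain, "upper": NAMES.get(nh, str(nh)), "upper_offset": off, "fragment": fragment}
        if off + size > end:
            raise ValueError("extension header runs past end of packet")
        chain.append(NAMES[nh])
        off, nh = off + size, nxt


def tcp_ports(pkt: bytes) -> tuple:
    """What a port-based filter needs; refuses to guess when the TCP header is not actually visible."""
    info = walk_headers(pkt)
    if info["upper"] != "TCP":
        raise ValueError("no TCP header visible in this packet (fragment or ESP)")
    return struct.unpack("!HH", pkt[info["upper_offset"]:info["upper_offset"] + 4])


def build_sample_packet(first_fragment: bool = True) -> bytes:
    """Constructed packet: base + Hop-by-Hop + Fragment + AH + TCP (1234 -> 80). Addresses are made up."""
    src = bytes.fromhex("3ffe090011110269021122fffe334455")
    dst = bytes.fromhex("3ffe0900" + "0" * 23 + "1")
    hop_by_hop = bytes([FRAGMENT, 0]) + bytes([1, 4, 0, 0, 0, 0])            # PadN option to fill 8 octets
    frag_field = (0 << 3) | 1 if first_fragment else (20 << 3) | 0          # offset 0 + more, or offset 20
    fragment = struct.pack("!BBHI", AH, 0, frag_field, 0xDEADBEEF)
    ah = struct.pack("!BBHII", TCP, 4, 0, 0x100, 1) + b"\x00" * 12           # SPI 0x100, seq 1, 96-bit ICV placeholder
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    payload = hop_by_hop + fragment + ah + tcp
    base = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return base + payload


if __name__ == "__main__":
    print(walk_headers(build_sample_packet()), tcp_ports(build_sample_packet()))
    print(walk_headers(build_sample_packet(first_fragment=False)))
```

The two results side by side are the lesson: the same chain of headers yields ports for the first fragment and nothing for a later one, so any filter that matches on ports without reassembling is the "fragmentation attack" the talk warns about later, just with the fragment moved out of the base header.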
The routing header will say it's TCP, or the next header is routing, which will then say it's a fragment. The fragment header will say authentication, the next thing is ESP, and it just chains the headers straight on down. This is ripped out of RFC 1883.

Let me show you about routing. In routing, if I'm at router X, we have variable-length subnet masks. So now your classes are A, B and C, and everything is kind of laid out; your routers find the longest prefix. Remember that slash 24? What that means is that the first 24 bits of the 128 bits is your prefix. So it's going to say prefix 1 and router 1, router 2, router 3 and router 4. Here are two examples on the bottom. If I have an IPv6 address 3FFE:0900:1111:0269, whatever else, what happens, as you can see in bold, is the router will take the first... let me show you over here. It'll match 24 bits, because it matches as many bits as it can, and send it to router 1, whereas this one will be matched with router 4 because 64 bits are matched. For those who didn't hear that: router 1 will be taken because it matches only up to 24 bits. And the longer the way down the chain, the easier it'll be to get to the router, so the longer addresses will go there. That's what's called variable-length subnet masks. So any network can have any number of bits: you could have a slash 24, slash 25, any number of bits. So you can see how your networks are completely aggregated, or stuck together.

Mobility, one of my favorite topics: the ability to move from one place to another. We've got mobile IPv6, which is IP for mobility. They've actually got mobile IPv4; they've done experiments on it. They've got mobile ad hoc networks, where a bunch of us get together with our laptops and turn them on with infrared or wireless links.
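The longest-prefix-match behaviour just described, and the /24 prefix notation introduced earlier in the talk, are short enough to implement directly. This is an added example for this page, not code from the talk: a small forwarding table that matches on bits after normalising the address (so "3FFE:09FF::1" and "3ffe:9ff::1" both land in the 3ffe:900::/24 aggregate even though a text comparison of the prefixes would say otherwise). Router names and the /48 entry are invented to round out the talk's /24 versus /64 case.

```python
import ipaddress
from typing import List, Optional, Tuple


class PrefixTable:
    """Longest-prefix-match forwarding table over variable-length IPv6 prefixes."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv6Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.IPv6Network(prefix, strict=False)   # strict=False zeroes host bits in the prefix
        self._routes.append((net, next_hop))
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)   # longest prefixes first

    @staticmethod
    def _matches(net: ipaddress.IPv6Network, addr: int) -> bool:
        n = net.prefixlen
        mask = ((1 << n) - 1) << (128 - n) if n else 0   # a /24 mask ends mid-hextet; bits, not text
        return (addr & mask) == int(net.network_address)

    def lookup(self, address: str) -> Optional[Tuple[str, int]]:
        """Return (next_hop, matched_prefix_length) for the longest matching prefix, or None."""
        addr = int(ipaddress.IPv6Address(address))   # canonicalises '::' shorthand and leading zeros
        for net, hop in self._routes:
            if self._matches(net, addr):
                return hop, net.prefixlen
        return None


def sample_table() -> PrefixTable:
    """The talk's picture: a 3FFE:09../24 aggregate, a more specific /64, and a default route."""
    t = PrefixTable()
    t.add("3ffe:900::/24", "router1")
    t.add("3ffe:900:1111::/48", "router3")
    t.add("3ffe:900:1111:269::/64", "router4")
    t.add("::/0", "default")
    return t


if __name__ == "__main__":
    t = sample_table()
    for a in ("3ffe:900:1111:269:211:22ff:fe33:4455", "3FFE:09FF::1", "3ffe:a00::1"):
        print(a, "->", t.lookup(a))
```

Sorting by prefix length makes the first hit the longest match; a production router would use a trie, but the correctness condition is the same: compare masked bits, never compare the printed strings.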
We now have a system set up to play whatever game we're playing just by turning it on. That's what they want to do: you should be able to turn it on, see everybody who's out there and go from there. Not just in a room, but anywhere. So if there is a router port or a network access point in the corner, I should be able to turn on my machine, and it should be able to say: wait, there's a wireless link in the corner, my IP address is this, my nearest router is this, and automatically configure the computer to go with that. My concern is that when I went to an IETF meeting in Washington, D.C. once, they were kind of like, well, we'll put off security until later. That's what really concerns me: these same attacks keep coming over and over, and you know that this is going to be a problem. But for mobility, they've got address space now to move around. You don't have to keep just one IP address; you could have any number of IP addresses, and anything can be on the Internet now. Co-located means that it's going to another place through agents, and neighbor discovery is what I talked about: being able to just turn it on and figure out what the prefix is, what the MTU, the maximum transfer unit, is, figure out the hop length, duplicate address detection: is my box already out there? Does somebody already have my IP number or not? And stuff like that.

So I've kind of answered the question of what it is. Now, who's using it? You know, I like my IPv4, I don't care. But right now it is in universities, in research institutions; people are starting to come around to testing this out. I'll go through later what the mechanism is, how we are going to transfer over, what the plan is. There are IPv6 stacks out there for Unix. And Windows 2000: they had said at one point... does anybody know whether it's in there or not? Looks like it's in there. Nah, yeah. I don't know.
But they're trying to establish it in there. In fact, one of the ways to get a transition is to use dual stacks, dual IP stacks, but that's on the next slide. So there are a couple of ways. How would we transfer this over? How would it work? Well, there's the 6bone, which is similar to the MBone, the multicast backbone: if you hop on and you want to see NASA's space shuttle downlink, you can get an address on the MBone and go through that. They've got different islands of IPv6: University A has an IPv6 network, University B has an IPv6 network, and they want to talk to each other over the global IPv4 Internet. So they connect over IPv4 through gateways, which translate IPv6 to IPv4, unwrap the packets, pack them back up and send them across. You can either have dual stacks, which is one machine with two different stacks to handle the packets: if an IPv4 packet comes in, it knows that; if it's an IPv6 packet, it goes with that. Or you can have tunneling, where they place one packet inside of another. Just like you encapsulate TCP inside of IP, you encapsulate an IPv4 packet inside of an IPv6 packet. This can be done, but it's inefficient, because now the only way I can reach the other IPv6 site is through these sets of tunnels, where it may just be the machine right next door and I may have to go all the way around the Internet to find my next-door machine. It's inefficient, but they're trying to put it together.

Okay, that's a general overview of IPv6, and I'll come into more detail later. Let's switch gears here and talk about security; DEF CON is about security. Security for IP. Now, IP security, some haven't heard of it. For IPsec, they've got different headers: you have an authentication header and an encapsulating security payload. Actually this will work for IPv4 as well.
But for IPv6, authentication is required for every transaction, except when you put in something like a null authentication, which I haven't figured out. But they put in security associations, which tell you, you know, this machine is using DES to talk to this connection; we're using IDEA to talk to this machine. Bellovin wrote a paper a couple of years ago on problem areas for the IP security protocols, and they've fixed a lot of the problems he mentions; the reference is in the back. The IETF had the IPsec working group on it: RFCs 1825, 1826 and 1827, with various crypto techniques to put in there. You may ask why they didn't just have a crypto header. The reason is that when they developed this, some countries would allow authentication (you know, I am really Dr. Byte coming from Las Vegas) but wouldn't allow encryption through the country. So you could have it so that people could use just authentication, or authentication and encryption, or just encryption. That's why the selective use of it.

A little bit about the authentication header, but go read Atkinson's RFC. Basically, the base level is MD5, but you can add other stuff in there. With those security associations, you could say, well, I'm using this type of authentication protocol, or even a new protocol that's been developed, and you just stick it right in there. I'll show you the header format in a later slide. DES-CBC is the ESP base, and we can stick any other kind of encryption on there. So this is the header format, ripped out of the RFC, where everything is based off of header chaining: the next header is this, that and the other. There's a listing through IANA, the Internet Assigned Numbers Authority. But now Postel has passed away, so they shifted it over to somebody else.
But there are different things: the length of the header, the different types of authentication. Your index is basically a 32-bit number, so this machine can have up to, I guess, four billion connections. It says connection number one has got this type of authentication header, so it knows which connection is going to which machines. That's one thing: host-based authentication versus user-based authentication. With host-based authentication, my machines are talking to each other, and there are lots of attacks you can do; Bellovin describes those in his paper. Dr. Bellovin describes how, if you're using the same key for everybody on the same host, there are attacks that can be done. But for the most part, that's AH, the authentication header, which is used in anything. It's coming along. ESP, or encapsulating security payload, is done with just another security association and various sets of data in here that may have keys and other such stuff. I have a feeling I forgot to put in the next header chain, but for the most part, that's that.

So what is this security association that I keep talking about? The security association is what kind of security we are going to have for this connection. Make a record, or a structure, or whatever else you want to call it, an aggregate of different data that says what security we're going to use: what authentication method, what authentication keys, which encryption method, which encryption keys, initialization vectors on various crypto, how long the key should last, et cetera. And there's an index into the database of different security associations that determines which things are in there through a table lookup. You can use different ones for different connections and different machines and different sessions and other stuff like that.
Bellovin: here are two slides where I summarized Bellovin's paper, which was a great paper. He listed that ESP provides confidentiality and the authentication header provides authentication, integrity and non-repudiation (you know, like: I didn't send that stock certificate). He pointed out that there were failures we need to deal with: you could have encryption broken, you could have spoofing attacks, you could read encrypted data, because a telnet session is one character at a time, so you encapsulate one character in a packet. So if it's the same host key, with everybody using the same keys with different initialization vectors... You could have fragmentation attacks; if you ever read Ptacek's paper on evasion and insertion attacks, I think it's from NAI, firewalls can be gotten around through fragmentation attacks. We can use fragmentation attacks and ruin about everything, session hijacking. All these problems: IPsec is supposed to solve all of these, but there are still plenty of things out there.

For defense, let's see how we're going to help solve some of this. You don't want to have just encryption without integrity, because you can change anything in there and read it. You want to have per-user keys, different keys per user. And there's a general overall attack that people use sometimes: they'll send plaintext and get something encrypted back, like an error message, or you'll send something in ciphertext and they'll send the error message back in plaintext. That helps you with the cryptanalysis, which is not my expertise, but plaintext to plaintext and ciphertext to ciphertext, that's what you want. DNS: I'll talk about DNS later, because that's going to have to be changed with all this.
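"Encryption without integrity lets you change anything in there" is the one Bellovin point that is easiest to show rather than state. The following is an added example for this page, not code from the talk or from any IPsec implementation: it uses a toy XOR keystream (derived from HMAC-SHA256 in counter mode, standing in for the SA's cipher; the standard library has no DES) to encrypt a message, then shows an attacker who knows the message layout rewriting the amount without the key. An AH-style integrity check value (HMAC-MD5 truncated to 96 bits, the talk's baseline; pick SHA-2 today) over the header and ciphertext catches the change. Keys, nonce, SPI and the message are constructed values.

```python
import hmac
import struct

# Constructed keys for the demo only
ENC_KEY = bytes(range(32))
AUTH_KEY = b"\xa5" * 16
NONCE = b"\x00" * 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for the SA's cipher in this demo."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), "sha256").digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt   # XOR with the same keystream is its own inverse


def flip_bytes(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker move: with no integrity check, XOR-ing (known ^ wanted) into the ciphertext
    rewrites the plaintext at that offset. Needs the layout, not the key."""
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def auth_tag(auth_key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """AH-style ICV: keyed MD5 was the 1999 baseline; AH truncates to 96 bits.
    (Use HMAC-SHA256 or better in anything new.)"""
    return hmac.new(auth_key, header + ciphertext, "md5").digest()[:12]


def verify(auth_key: bytes, header: bytes, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(auth_tag(auth_key, header, ciphertext), tag)


def demo() -> dict:
    header = b"SPI=0x100 seq=1 "        # stands in for the immutable fields AH covers
    msg = b"PAY 0010 TO ALICE"
    ct = encrypt(ENC_KEY, NONCE, msg)
    tag = auth_tag(AUTH_KEY, header, ct)
    forged = flip_bytes(ct, 4, b"0010", b"9999")   # attacker knows the amount sits at offset 4
    return {
        "roundtrip": decrypt(ENC_KEY, NONCE, ct),
        "forged_plaintext": decrypt(ENC_KEY, NONCE, forged),   # encryption alone did not stop this
        "tag_ok_on_original": verify(AUTH_KEY, header, ct, tag),
        "tag_ok_on_forged": verify(AUTH_KEY, header, forged, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

With a CBC cipher such as DES-CBC the same flip garbles one block and changes the next rather than editing cleanly, but the conclusion is the same: confidentiality does not imply integrity, and the receiver has to check the tag before it looks at the plaintext at all.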
It'll have to be added on: no longer will you just send a lookup and get back a 32-bit number. DNS security is a separate working group, DNSSEC, where your DNS stuff will be... and that's some neat stuff, to be able to try to poison your DNS servers.

Okay, so in summary, for IPsec: the IETF has standards coming out, IPsec has been around, you can do that, and you can split the headers for restricted countries, like I was saying, if you just want authentication. Now, my main point: when I went to the IETF, it's a catch-all for all of that: we'll just stick IPsec on there, or we'll figure out security later; let me just design a protocol, or a mobile protocol, and that would work. But we're sticking security on as an afterthought, and you can't do that. You cannot stick security on as an afterthought; you've got to build it in. When the Internet was developed, security was an afterthought, and look where that's led us. So they're trying, say, an authentication header for everything, go with that. Then there are the key distribution protocols: how do we do key exchanges? If everybody's doing authentication, now there are keys flying everywhere. If there are keys flying everywhere, how do you distribute them? 128 bits, and many places out there. Some of these problems have been fixed, but every new protocol is going to have problems, and they'll come out at some point.

IPv6 DNS: where's the beef here? We're now getting a new resource record in DNS. If you're not familiar with DNS, there are A records for addresses, HINFO and other sorts of stuff; go read the RFC. But they're going to return AAAA records for 128 bits, because the addresses are now four times as long. And for the reverse lookup, which is how you get the name from the number, there's the ip6.int domain; there are different domain classes to go backwards. It's kind of the same thing we did with the old reverse domain.
DNS: I said something about renumbering, where if I go from the east coast to the west coast, I get a new IP number. DNS now needs to know where my new number is, so that if anybody wants to send me anything, if I have a mail server set up, it needs to know where to send it. So DNS needs to know about the renumbering, and DNS needs to be renumbered. So they're working on DNS. There's the IPng working group in the IETF, and they've put out all these RFCs. If you go to ietf.org and look through them, that's actually where the Internet protocols are developed, if anybody doesn't realize. People from all over get together in working groups as a volunteer organization, and if you're interested in a certain protocol, you follow their mailing list. They have discussions, and they have meetings about three times a year, and they discuss these protocols. Rough consensus and running code: they try to get the code into different implementations, and that's how protocols are developed. That's how IPv6 is being developed. So if you have any problems with protocols or want to get involved, just go to ietf.org and check it out.

But people are putting it into place. Site operators are putting it into place at different universities; they've got IPv6 networks within the university, so you're able to tack in and have islands, and it's starting to come around. It's a very flexible protocol, but things still need to come around. There are still problems out there. What happens if we have a socket open and all of a sudden the machine changes addresses? Well, that's a problem. The address renumbering, hopefully it will be able to... That's what you have... It's kind of like when they first created stoplights: they had red and green, and that was it. So you're going along, and all of a sudden it turns red, and people would have tons of accidents.
So they said, well, we should have a yellow light so we could have that kind of tri-level buffer. It's the same kind of thing here with the preferred lifetime, how long it's going to be around, versus the valid lifetime. So you know: I'm past the time, this thing is going to be renumbered soon, I need to renumber soon.

Here's another problem. When there are colons, if you ever put addresses in an HTTP URL, then you go, well, here's my cnn.com, colon, port 1026 for a new protocol in there, a new page or whatever. How does it know where to parse it? So they're still working on stuff like that. Right there, I intended the address to be 3FFE:2800:0000 all the way down to A, and port 8080. But yeah, you could probably pick the last colon, but then if the address is supposed to be 3FFE:2800:0000::A:8080, it wouldn't be able to tell which it is. Huh? A differentiating character. I don't know how they're solving that; that's just a general problem, and they're still working on stuff. Do you just keep it down? I have no idea. People decided that they wanted colons, I guess in the IETF, and they went with that. I don't know. Yeah, it could be... just different ways of addressing, and I don't know why they did that, but that's the way it's done with different addresses. The MAC address also has colons. Well, the MAC address, you actually just take it, and they split it apart and stick it in there. The MAC has colons, but it's six different sections of eight bits each, six different bytes, and they split that apart. I don't know whether they're going to keep colons, or change to a different separator, semicolons or backslashes or whatever. Why did MS-DOS put backslashes instead of slashes?
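The ambiguity the questioner raises is real, and the answer the IETF settled on later that year (RFC 2732, now part of RFC 3986) is the "differentiating character" suggested from the floor: an IPv6 literal in a URL authority is wrapped in square brackets, `[3ffe:2800::a]:8080`. This is an added example for this page, not code from the talk: a parser that accepts bracketed literals and plain hostnames, plus a check that flags exactly the case discussed, where a string parses as a whole address and also as address-plus-port. The inputs are the talk's own examples.

```python
import ipaddress
from typing import Optional, Tuple


def split_host_port(authority: str, default_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Split a URL authority into (host, port). IPv6 literals must be bracketed (RFC 2732 rule)."""
    if authority.startswith("["):
        close = authority.find("]")
        if close == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[1:close], authority[close + 1:]
        ipaddress.IPv6Address(host)   # reject anything that is not really an IPv6 address inside the brackets
        if rest == "":
            return host, default_port
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("expected ':port' after the bracketed address")
        return host, int(rest[1:])
    if authority.count(":") > 1:
        # Unbracketed with several colons: the only safe reading is "the whole thing is one address".
        ipaddress.IPv6Address(authority)   # raises on junk such as 'cnn.com:80:80'
        return authority, default_port
    host, sep, port = authority.partition(":")
    if sep and not port.isdigit():
        raise ValueError("port must be numeric")
    return host, (int(port) if sep else default_port)


def is_ambiguous(authority: str) -> bool:
    """True when an unbracketed string is a valid IPv6 address AND also valid as <IPv6>:<port>.
    This is the talk's 3FFE:2800::A:8080 case; such input should be rejected or bracketed, never guessed."""
    try:
        ipaddress.IPv6Address(authority)
    except ValueError:
        return False
    head, _, tail = authority.rpartition(":")
    if not tail.isdigit():
        return False
    try:
        ipaddress.IPv6Address(head)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("cnn.com:1026", "[3ffe:2800::a]:8080", "3ffe:2800::a:8080"):
        print(s, "->", split_host_port(s, 80), "ambiguous:", is_ambiguous(s))
```

Treating the ambiguous form as a single address (as the parser does) is the conservative choice; silently splitting on the last colon would route the request to the wrong host or port depending on what the sender meant.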
I mean, we'll come around to figure out a way to get around these things. But there's still problems that are still out there. But where is it coming? I mean, people will ask me, it's like, well, IPv6 will never make it because there's IPv4, and none of the NOCs will want to switch, and none of the IPs, ISPs will want to switch. But when the web, or the new IANA, says, sorry, you can't get any more IP addresses, deal with it, and people want more servers, and they start putting everything on the internet from the palm pilots to your microwaves, to the dishwashers, you're going to run out of addresses, and something is going to break soon.

Yeah. Network address translation, for those, is the ability to stick a box on your site and say, okay, coming in here, this looks like one big machine. When you come in, it switches the addresses and figures out, well, actually it's going to the mail server here, or it's going to this one right here, and when you call out, the NAT knows that box A in this site is talking to somewhere over here, so when it comes back in, it knows the same session of the packet and knows to go back to A versus B versus C. Yes, that's doable, and that's one of the midterm solutions. But first of all, if you have a site, you're now creating a bottleneck unless you stick in multiple NATs. If you stick in multiple NATs, then there's a problem of which side it comes in and how do you route it back, so you start getting bottlenecks into the NATs, and so that becomes a problem. I've read a few papers and a report on NATs last year. They're neat, and they're, because if you're only given one IP address, you can try to make that work, but it's a temporary solution, yeah. Sometimes it does. Yeah, I mean, it's just, it's a temporary hack, but it's not going to be a long-term solution, yeah.

Okay, the question was, should I download IPv6 now and play with it, and the second question was, is it going to be compatible with anonymous services like Freedom?
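The NAT session table the speaker sketches (box A goes out, the reply has to find its way back to A rather than B or C), as an added example that is not part of the talk. The addresses are constructed documentation values; the second function reproduces the multiple-NAT problem he raises: a reply that lands on a NAT which never saw the outbound flow has no table entry and is dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """A minimal port-translating NAT: one public address in front of a private site.
    Each outbound flow is given a public port; replies are matched against that table."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private src, private port, remote ip, remote port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private src, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outbound packet to the public address and a fresh port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host, or None (drop) if this NAT never saw the flow."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def reply_to(pkt: Packet) -> Packet:
    """The remote server's answer: swap the addresses and ports."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def single_nat_round_trip() -> Optional[Packet]:
    """Box A sends out through one NAT; the reply comes back through the same NAT."""
    nat = Nat("203.0.113.1")   # constructed documentation address for the site
    out = nat.translate_out(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    return nat.translate_in(reply_to(out))


def two_nat_round_trip() -> Optional[Packet]:
    """Same flow, but the reply arrives at a second NAT that shares the public address
    and has no entry for it: the packet is dropped. This is the routing problem
    the talk raises with multiple NATs."""
    nat_a = Nat("203.0.113.1")
    nat_b = Nat("203.0.113.1")
    out = nat_a.translate_out(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    return nat_b.translate_in(reply_to(out))


if __name__ == "__main__":
    print("one NAT:", single_nat_round_trip())
    print("two NATs:", two_nat_round_trip())
```

The state lives in one box, which is also why that box becomes the bottleneck: every reply for the site must pass through the NAT that holds the mapping.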
You could probably play with it now through dual stacks. There's, I think Linux has got one, and they've started to play with different types of stacks. Yeah, play with it. You might want to do that. I'm not sure whether, and I'm not familiar with them playing around with the Freedom sites, but they may be, they may not. I'm not sure. But they've got it here now, but people are like, well, you know, I'm not going to change, you know, I'm not going to write an IPv6 stack for my VAX, which is sitting on the internet right now. And so IPv4 will eventually, IPv4 will always be around. There will always be legacy systems. That's why Microsoft Windows is so lousy, because they have to keep taking in everything from the past. That's why Intel architectures have to carry baggage from 1978 when they created the first stuff, and they just kind of keep adding it on. Backwards compatibility, that's the mantra for the computing world. There's backwards compatibility. So I don't think IPv4 is going to go away, but they want to try to shift it over to IPv6 as a primary, so then IPv4 will be using these gateways and tunnels, and it will be slower, but it will still be useful. And there's different addresses. I didn't go in here, but there's ways of putting addresses like FFFF, colon, in the address and putting IPv4 in, in order to make it an IPv6 address, and other stuff like that, which you're using to kind of transform it over. So then eventually you can get an IPv6 address. I mean, I've had IPv6 addresses for boxes and IPv4. So, yeah.

Sorry, yeah, you're next. Go ahead. The same thing. The question is whether IP masquerading on Linux or a NAT box is able to convert one address to another. I played a little bit around with it, but I don't know the answer to that question. Technically, there should be no problem. Technically, there should be no problem. Yeah, I mean, you could go... Well, you can convert it over. Or you can write the stuff to convert it.
As long as you know, because you've got to have the right headers and the right addresses, you probably could, but I don't know. Honestly, yeah. Oh, okay. With Linux and BSD, OpenBSD, you can do it. So it's probably... It's coming. It's out there.

And because, you know, people wonder when IPv4 is going to run out of addresses. I mean, about 4.2 billion addresses. Now, obviously, you can't have perfect, because if you have a Class A network, if you don't have 16.7 computers, but only even 8 million computers on a Class A network, then another 8 million addresses is wasted. And you keep doing that, and the internet is going to be broken up into different chunks. So they, you know, you can... It's going to... They estimate somewhere between 2005 and 2015. This was like a year or two ago, by plotting out the curves and figuring out about when it'll cross over. So there's some time. I mean, I... You know, you're not going to go out. You're not going to lose IPv4 tomorrow. Yeah, this is kind of like the future. What is it coming? Talk of whatever. But, you know, like CIDR, Classless Inter-Domain Routing, you've got to manually renumber your addresses, you know, but now more and more are coming on to this thing.

Yeah. Well, I have a question on this point. It's about the CIDR. I have a little bit of a check on the CIDR. What's going on? What organization is doing that? Do we have a message for the thousands of people who are doing that? It's very rare. Well, our first one is a local company. These things. And its resolution protocol? Yeah. Okay, the question was, his company's done like 3,000 machine boxes on the net. It works fairly well. Okay, it works better than fairly well. And what point does ARP play in this, address resolution protocol? Obviously, with an IP and ARP, you give it an IP, and you say, here's this IP address. What's the MAC address? That's how ARP works. And with RARP, the reverse address resolution protocol, here's a MAC address and try to find an IP.
That's how you find, that's how diskless workstations boot up and stuff like that. Yeah, it probably has to be changed with IPv4. There's probably an ARP v6. I just haven't messed around with it. Yeah, well, yes it will. And you probably could find, yeah, that's probably why they did it, but you take the, yeah, the MAC address is theoretically in there. But some people don't have ethernet. I mean, Token Ring is still out there. And other such new, you know, types. Token Ring is what? Okay, Token Ring has a MAC address, but is it the same block? It's reverse order. I don't know. Different types of physical layers and data link layers, they may have to be converted. They may not. I mean, we could develop a new one tomorrow.

Yeah. The question is, where will I get an IPv6 address from? Is there a NIC that I can go to and get an IPv6 address? The university, Virginia Tech, had a section. They were on the 6bone. I don't think I have an address. Maybe sixbone.net is what was out there. And they would allocate you a set of test addresses even now that you could hook up and try to play with. And basically the 6bone right now is like ping, or it was like last year or two. Can I ping this guy over here? Can I get through the routers? Can we run router tests? Can we do real-time video over this? Do we need to change this and stuff like that? So I would go to sixbone.net or try to find ietf.org and try to see where that goes to.

Yeah. So the question is, if you have a toaster and your dishwasher and everything else on the internet, how do you think the ISPs will give you a block of addresses at the course of a network? Probably what they'll do is they may actually give you a... you could probably request, you know, with a different number of networks. I mean, an ISP, if you just give them a site level. And that thing that I put up there is just one particular format.
They could say you're within this southeast region ISP, so we're going to go through and use geographic-based addresses, and here's your chunk: your house is on this GPS location, so everything is going to be on this. I mean, they could do... who knows what they could do, but they could aggregate it out. The whole point of using larger and larger addresses is so they could have router efficiency. So yeah, they could probably give you a thousand addresses and not really, you know, care.

Yeah. First of all, there's something that just came out. The intent is to have the ISP set up the first 64 bits so that they can do it by going to the internet. Right. And then you can switch to C4, and your lower 64 bits are essentially guaranteed unique on the entire internet. The question is, is... so yeah, is that the... That's what I understood when I was reading the guy who did that, and I thought, well then I can do 64 bits. Who, Huitema? Yeah. Yeah. I guess if the NLA... the question was, if I have a TLA and an NLA in a format prefix, or each ISP is given 64 bits, do I have 64 bits that I can play around with, or if they give me an address, would that be unique? Yes, it would probably be unique if they use global-based addressing, but it depends on whether they... like a university who's given a TLA and an NLA may say, okay, the computer science department has this site-level aggregator, and they only need, you know, a million machines, so we'll only give them this many bits, but the biology department may need half of that, so we'll give them a bigger SLA. It depends on how they put the SLA in there. The EUI, the interface ID on the end, the 64 bits... Yeah, the 64 bits on the end will be unique because it's based off of your MAC address, but it depends on how they... Yeah, that's right, because the SLA is in the first 64 bits, so it depends on how the ISP gives it out. Yeah, I got... Let me just finish one more slide here, and then I'll take questions for the rest of the time. So, you know...
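The address layout under discussion (TLA, NLA, SLA and the MAC-derived 64-bit interface ID), together with the FFFF-colon IPv4 form mentioned a little earlier, as an added example that is not from the talk or its slides. The field widths are those of the aggregatable global unicast format in RFC 2374 and the interface ID is the modified EUI-64 construction; the MAC, NLA and SLA values are constructed, and TLA 0x1FFE is the 6bone's 3ffe::/16 block. The `eui64_to_mac` direction shows the point a defender cares about: a host's hardware address can be read straight out of its IPv6 address on every network it visits.

```python
import ipaddress
from typing import Dict

# Field widths of the aggregatable global unicast format (RFC 2374), most significant first:
# FP (3 bits, value 001) | TLA (13) | RES (8) | NLA (24) | SLA (16) | interface ID (64)
FIELDS = [("fp", 3), ("tla", 13), ("res", 8), ("nla", 24), ("sla", 16), ("iid", 64)]


def mac_to_eui64(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC:
    insert FF:FE in the middle and flip the universal/local bit (0x02 of the first byte)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be six bytes")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def eui64_to_mac(iid: int) -> str:
    """Recover the MAC from a modified EUI-64 interface ID: the hardware address
    travels with the host wherever it connects, which is the privacy concern."""
    eui = iid.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not derived from a MAC")
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def build_global_unicast(tla: int, nla: int, sla: int, iid: int, res: int = 0) -> ipaddress.IPv6Address:
    """Pack the aggregation fields into a 128-bit address. FP is fixed at 001."""
    parts = {"fp": 0b001, "tla": tla, "res": res, "nla": nla, "sla": sla, "iid": iid}
    value = 0
    for name, width in FIELDS:
        if parts[name] >= 1 << width:
            raise ValueError(f"{name} does not fit in {width} bits")
        value = (value << width) | parts[name]
    return ipaddress.IPv6Address(value)


def split_global_unicast(addr: ipaddress.IPv6Address) -> Dict[str, int]:
    """Unpack an address into its RFC 2374 fields (least significant field first)."""
    value, out = int(addr), {}
    for name, width in reversed(FIELDS):
        out[name] = value & ((1 << width) - 1)
        value >>= width
    return out


def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """The ::FFFF:a.b.c.d transition form: an IPv4 address carried inside an IPv6 address."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


if __name__ == "__main__":
    # Constructed sample values: the MAC is made up; 0x1FFE is the 6bone TLA.
    iid = mac_to_eui64("00:0c:29:ab:cd:ef")
    addr = build_global_unicast(tla=0x1FFE, nla=0x123456, sla=1, iid=iid)
    print(addr)                          # 3ffe:12:3456:1:20c:29ff:feab:cdef
    print(split_global_unicast(addr))
    print(eui64_to_mac(iid))             # 00:0c:29:ab:cd:ef, read back out of the address
    print(ipv4_mapped("192.0.2.1").ipv4_mapped)
```

The first 64 bits are entirely the provider's and site's to carve (the TLA/NLA/SLA split the speaker describes); only the low 64 bits come from the host, and a site can hand out as many /64 SLAs as its allocation allows.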
Tools need to be ported, and there's a great... Stevens came out with the next Unix Network Programming book, and he covers IPv6. How do we program IPv6? Right now it's so... In such an infancy stage, there's plenty of opportunity out there to play. And there are probably still... There's tons of security flaws out there, I'm sure. They're just getting, you know, they're just kind of getting rolling. And I just kind of rambled for a few guesses here. And I put some question marks. Renumbering: how you make sure your renumbers are going to... come from a correct source. If I go from there to here, how do you prevent routers from doing this? How do you prevent machines? Because now I can renumber and say, if I'm in a new network, oh, well, yeah, you know, I am the router right now. You can send everything through me and have a big black hole. People have set Windows boxes up wrong in the labs that I've been at. And then all of a sudden, you know, where it just kind of comes to them and everything gets routed to them, and it doesn't know what to do with it, and it just drops everything. You know, mobility, the ability to say, or in a mobile ad hoc network, here I'm the new router for this room. I can route everything out because I have a connection out the wall. So just send everything to me. You know, you've got to have security for some of these things, and they'll come around. But things need to be ported. Tools need to be out there. Anything that's for IPv4 will be for IPv6. And so there's plenty of stuff out there to do. Yeah, go ahead. So this is where I'll take questions right now.

Before I take questions, here's the RFCs for IPv6, the Bellovin paper I referenced, Bradner's book was developed in '96, kind of told like the theory, like why we did this. He took the IETF minutes and said, well, why did we decide on 128 bits?
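A defender's check for the black-hole scenario the speaker describes (a misconfigured or mobile box announcing itself as the router and renumbering the link), as an added example that is not part of the talk. It audits ICMPv6 Router Advertisements already captured on a link against a list of routers the operator authorised and the prefixes expected there; the advertisement records, MACs and prefixes are constructed sample data, and the RA fields are reduced to the three a monitor needs.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class RouterAdvertisement:
    """The fields of an ICMPv6 Router Advertisement a link monitor cares about."""
    src_mac: str          # link-layer source of the frame
    prefix: str           # prefix being advertised for autoconfiguration
    router_lifetime: int  # seconds the sender claims to be a default router; 0 withdraws it


def audit_router_advertisements(ras: List[RouterAdvertisement],
                                authorised_macs: Set[str],
                                expected_prefixes: Set[str]) -> List[str]:
    """Flag advertisements that would let an unexpected host become the default router
    or renumber the link. Returns findings; an empty list means every RA was expected."""
    findings = []
    for ra in ras:
        if ra.src_mac not in authorised_macs:
            findings.append(f"unauthorised router advertisement from {ra.src_mac} "
                            f"(lifetime {ra.router_lifetime}s, prefix {ra.prefix})")
        elif ra.prefix not in expected_prefixes:
            findings.append(f"authorised router {ra.src_mac} advertised unexpected prefix {ra.prefix}")
    return findings


# Constructed sample capture: the real router, then a misconfigured box that
# announces itself as a router and offers the link a new prefix.
SAMPLE_RAS = [
    RouterAdvertisement("00:0c:29:aa:bb:01", "3ffe:12:3456:1::/64", 1800),
    RouterAdvertisement("00:0c:29:aa:bb:01", "3ffe:12:3456:1::/64", 1800),
    RouterAdvertisement("00:0c:29:de:ad:02", "3ffe:12:3456:1::/64", 9000),
    RouterAdvertisement("00:0c:29:de:ad:02", "3ffe:12:9999:1::/64", 9000),
]
AUTHORISED_ROUTERS = {"00:0c:29:aa:bb:01"}
EXPECTED_PREFIXES = {"3ffe:12:3456:1::/64"}


def audit_sample() -> List[str]:
    """Run the audit over the constructed capture."""
    return audit_router_advertisements(SAMPLE_RAS, AUTHORISED_ROUTERS, EXPECTED_PREFIXES)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

The allowlist is the whole trick: hosts on the link accept any RA they hear, so the only place to catch a rogue router is a monitor (or a switch feature) that knows which ports and addresses are allowed to send them.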
And why didn't we do this? That's a good book. It's different essays. That's the base IPv6 protocol. That's the Huitema book we were talking about, IPv6. The paper I ripped a lot of the slides off of, and Richard Stevens' network programming books, a few. The notes, I guess I'll give them to DT or something like that, but we'll see how it goes. So I guess from now, I've been talking for 50 minutes, until they kick me out. Yeah. Sites with references. IETF.org will have those refs off of there. The books and the papers, I guess look them up in the library. 6bone. Some of the sites are listed in some of those papers and books. So I'd go to the Lee paper, and Huitema probably has some sites in there that you could go play around with and probably download it and install it and get a test address and put yourself on IPv6 and get a million addresses to yourself.

Yeah. Let's go with that in the back over there. The question is how do we deal with multi-homing? Because if we put more than... the question was, if I have multi-homed hosts which are different, basically gateways, anything that has more than one, I still got to advertise all of these. How does it deal with this? That's the question. Probably based off, I guess it would be based off those prefixes like it was down there. You still have to do that, but in order for it to go to three or four, that slide back yonder. All right, so I'm from the south, aren't I? Yeah. I guess right here, if you had different, this would be some of the ways that things were set up, and if I had, if my machine both had prefix three and prefix four, I guess it would go to the nearest one. I'm not really sure how that would, I guess it would be done off of the variable-length subnet masks. I'm not really sure. Anycast? Well, anycast actually does an expanding ring search, and they talk about that in the Lee paper, where you just sit there and try to find where it goes, and eventually you'll find something.
Now, that's not like the nearest, that's nearest isn't hops. So it may not be nearest in geographic terms, but as far as broken links going down, yeah, there's stuff that can be done with that. With IPv4, because we've been playing with it so long, we can exploit it. Let's say we reach there. It's not a lot of approach. We're starting all over again, the life will be saved. The way life is often used in this, it's probably the stuff. There will be a lot of activity in the beginning of the month, so I'll leave you to think of that. Yeah. There's a new attack there. I think I can follow this. I said a second. Okay, if anybody wants a question, I'll be outside. They just said we only have this room till one, and then set up for something else. So I'll meet you outside. Thank you.