Author Topic: IoTv6?  (Read 14311 times)


Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
IoTv6?
« on: May 23, 2017, 06:16:27 am »
For new IoT designs, should I put IPv6 capabilities in consideration, at least shared-stack capabilities? The IP stack can be written in IPv6 and IPv4 features and addresses can be mapped to IPv6 equivalents using a shim.

I am probably one of those unicorns that have IPv6 Internet access in my home. And my home network can support IPv6-exclusive hosts thanks to DNSv6/NATv6.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4078
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: IoTv6?
« Reply #1 on: May 23, 2017, 06:32:14 am »
Only if you also fix the year 2038 bug.
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11238
  • Country: us
    • Personal site
Re: IoTv6?
« Reply #2 on: May 23, 2017, 06:35:58 am »
I would say, no. Don't waste your time. There is plenty of IPv4 address space to go around, and it is not going away. If anything, you will be opening up one more attack surface.
Alex
 

Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: IoTv6?
« Reply #3 on: May 23, 2017, 06:48:26 am »
I would say, no. Don't waste your time. There is plenty of IPv4 address space to go around, and it is not going away. If anything, you will be opening up one more attack surface.
I am interested in what additional attack surface a shared-stack implementation would face.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4078
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: IoTv6?
« Reply #4 on: May 23, 2017, 06:49:23 am »
More code that doesn't get monthly updates.
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11238
  • Country: us
    • Personal site
Re: IoTv6?
« Reply #5 on: May 23, 2017, 06:49:43 am »
I am interested in what additional attack surface a shared-stack implementation would face.
It is more code => more stuff to exploit. I'm not saying there are specific vulnerabilities, but I don't even know what code you are using.
Alex
 

Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: IoTv6?
« Reply #6 on: May 23, 2017, 06:58:54 am »
I am interested in what additional attack surface a shared-stack implementation would face.
It is more code => more stuff to exploit. I'm not saying there are specific vulnerabilities, but I don't even know what code you are using.
The code is a straight IPv6-only network stack, and a small IPv4-to-IPv6 shim that translates IPv4 packets to IPv6 and vice versa if the addresses fall within the ::ffff:0:0/96 range.
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11238
  • Country: us
    • Personal site
Re: IoTv6?
« Reply #7 on: May 23, 2017, 07:01:27 am »
The code is a straight IPv6-only network stack, and a small IPv4-to-IPv6 shim that translates IPv4 packets to IPv6 and vice versa if the addresses fall within the ::ffff:0:0/96 range.
That kind of attitude leaves wide open holes. I bet Intel thought their ME crap was solid, but it turned out not so much. There is no way you can prove there are no holes.

If you want to include that, please do, chances are I'm not going to use your thing anyway.
Alex
 

Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: IoTv6?
« Reply #8 on: May 23, 2017, 07:58:16 am »
The code is a straight IPv6-only network stack, and a small IPv4-to-IPv6 shim that translates IPv4 packets to IPv6 and vice versa if the addresses fall within the ::ffff:0:0/96 range.
That kind of attitude leaves wide open holes. I bet Intel thought their ME crap was solid, but it turned out not so much. There is no way you can prove there are no holes.

If you want to include that, please do, chances are I'm not going to use your thing anyway.
I'd rather see someone at least review some IoTv6 code. IPv6 was created to accommodate IoT in the first place.
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11238
  • Country: us
    • Personal site
Re: IoTv6?
« Reply #9 on: May 23, 2017, 08:01:30 am »
IPv6 was created to accommodate IoT in the first place.
IPv6 was created when IoT fad was not even in the plans.

There is no practical need for IPv6 anywhere. Your device will be behind NAT with any IPv4 address it likes. You need to be incredibly dumb to put it directly on the Internet.
Alex
 

Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: IoTv6?
« Reply #10 on: May 23, 2017, 08:10:31 am »
IPv6 was created to accommodate IoT in the first place.
IPv6 was created when IoT fad was not even in the plans.

There is no practical need for IPv6 anywhere. Your device will be behind NAT with any IPv4 address it likes. You need to be incredibly dumb to put it directly on the Internet.
When did I say I don't firewall IPv6 traffic?

On IPv4 I often have to resort to protocols like DNS-SD to discover the nodes' addresses, and renumbering mobile nodes is a nightmare.

On IPv6 I can just use fixed 64-bit node addresses and observe NDP router advertisements to establish the network prefix. Yes there is DHCPv4 and DNS-SD but all those protocols require the node to send something before it can be addressed. IPv6 is much easier to set up.
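
The address set-up described in the post above (a fixed 64-bit node identifier plus the prefix learned from a router advertisement), as an added example that is not code from this thread: it validates the RA and its Prefix Information option before trusting the prefix. The function names and the sample packet are constructed for illustration, and the caller is assumed to have verified the ICMPv6 checksum and the link-local source address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Is this a Prefix Information option (RFC 4861, 4.6.2) that offers a usable /64? */
static int usable_pio(const uint8_t *o) {
    if (o[0] != 3 || o[1] != 4) return 0;                   /* type 3, 4*8 bytes */
    if (o[2] != 64 || !(o[3] & 0x40)) return 0;             /* /64, A flag set */
    if (o[16] == 0xfe && (o[17] & 0xc0) == 0x80) return 0;  /* link-local prefix */
    if (!(o[4] | o[5] | o[6] | o[7])) return 0;             /* valid lifetime 0 */
    return memcmp(o + 8, o + 4, 4) <= 0;   /* preferred <= valid (big-endian) */
}

/* Returns 0 and writes addr = prefix || iid, or -1 if the RA is rejected.
 * Assumes the caller has verified the ICMPv6 checksum and that the packet's
 * source address is link-local. */
int addr_from_ra(const uint8_t *ra, size_t len, uint8_t hop_limit,
                 const uint8_t iid[8], uint8_t addr[16]) {
    const uint8_t *pio = NULL;
    if (hop_limit != 255 || len < 16) return -1;   /* forwarded or truncated */
    if (ra[0] != 134 || ra[1] != 0) return -1;     /* ICMPv6 type RA, code 0 */
    for (size_t off = 16; off < len; ) {
        if (len - off < 2) return -1;
        size_t olen = (size_t)ra[off + 1] * 8;
        if (olen == 0 || olen > len - off) return -1;  /* malformed: drop RA */
        if (!pio && usable_pio(ra + off)) pio = ra + off;
        off += olen;
    }
    if (!pio) return -1;
    memcpy(addr, pio + 16, 8);   /* 64-bit prefix from the router */
    memcpy(addr + 8, iid, 8);    /* fixed 64-bit node identifier */
    return 0;
}

/* Constructed sample: RA carrying a source link-layer option and the
 * prefix 2001:db8:1:2::/64 (documentation range). Checksum left as zero. */
static const uint8_t SAMPLE_RA[56] = {
    134, 0, 0, 0, 64, 0, 0x07, 0x08, 0, 0, 0, 0, 0, 0, 0, 0,
    1, 1, 0x02, 0, 0, 0, 0, 0x01,
    3, 4, 64, 0xc0, 0x00, 0x27, 0x8d, 0x00, 0x00, 0x09, 0x3a, 0x80, 0, 0, 0, 0,
    0x20, 0x01, 0x0d, 0xb8, 0x00, 0x01, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_IID[8] = { 0x02, 0, 0, 0xff, 0xfe, 0, 0, 0x01 };

int main(void) {
    uint8_t a[16];
    if (addr_from_ra(SAMPLE_RA, sizeof SAMPLE_RA, 255, SAMPLE_IID, a)) return 1;
    for (int i = 0; i < 16; i += 2) printf("%02x%02x%s", a[i], a[i + 1], i < 14 ? ":" : "\n");
    return 0;
}
```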
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 6460
  • Country: nl
Re: IoTv6?
« Reply #11 on: May 23, 2017, 08:17:16 am »
I would say any new IoT device should be able to support IPv6.
It does not have to support both IPv4 and IPv6 simultaneously; you can let the user choose.
But for some applications like sensors where you want to place a couple of hundred in one building IPv6 might be more convenient than IPv4.
For home use and small numbers of devices I would still choose IPv4 since not many consumers have IPv6 knowledge and might have problems in their home setup with older routers.
 

Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: IoTv6?
« Reply #12 on: May 23, 2017, 08:34:42 am »
I would say any new IoT device should be able to support IPv6.
It does not have to support both IPv4 and IPv6 simultaneously; you can let the user choose.
But for some applications like sensors where you want to place a couple of hundred in one building IPv6 might be more convenient than IPv4.
For home use and small numbers of devices I would still choose IPv4 since not many consumers have IPv6 knowledge and might have problems in their home setup with older routers.
That is the point of a shimmed IPv6 stack. The main IP stack is IPv6-only so it works under IPv6 environment. The shim performs what is essentially NAT64 for minimized attack surface and IPv4 compatibility.
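
The inbound direction of the shim discussed in this thread (IPv4 header in, IPv6 header with ::ffff:0:0/96 addresses out), added here as an example and not the poster's code. It shows the checks that bear on the attack-surface question: length fields, fragments, and mapped addresses turning up in native IPv6 frames. The function names, the TCP/UDP-only restriction and the drop policy are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ::ffff:0:0/96 = 80 zero bits, then 16 one bits (RFC 4291, 2.5.5.2). */
static const uint8_t V4MAPPED[12] = { 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff };

int is_v4mapped(const uint8_t a6[16]) { return memcmp(a6, V4MAPPED, 12) == 0; }

/* Inbound IPv4 -> 40-byte IPv6 header for the IPv6-only stack. Returns the
 * payload offset inside p, or -1 to drop. Assumes the caller has already
 * verified the IPv4 header checksum. */
int shim_v4_to_v6(const uint8_t *p, size_t len, uint8_t h6[40]) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total < ihl || total > len) return -1; /* lying lengths */
    if ((p[6] & 0x3f) || p[7]) return -1;   /* fragment: not reassembled here */
    if (p[9] != 6 && p[9] != 17) return -1; /* example carries TCP/UDP only */
    memset(h6, 0, 40);
    h6[0] = 0x60 | (p[1] >> 4);             /* version 6 + traffic class */
    h6[1] = (uint8_t)(p[1] << 4);           /* flow label stays 0 */
    h6[4] = (uint8_t)((total - ihl) >> 8);  /* payload length */
    h6[5] = (uint8_t)(total - ihl);
    h6[6] = p[9];                           /* next header */
    h6[7] = p[8];                           /* TTL -> hop limit */
    memcpy(h6 + 8, V4MAPPED, 12);  memcpy(h6 + 20, p + 12, 4);  /* source */
    memcpy(h6 + 24, V4MAPPED, 12); memcpy(h6 + 36, p + 16, 4);  /* destination */
    return (int)ihl;
}

/* Policy assumed by this example for frames that arrived as native IPv6:
 * refuse mapped addresses, since inside the stack they would be
 * indistinguishable from ones the shim produced. */
int native_v6_acceptable(const uint8_t h6[40]) {
    return !is_v4mapped(h6 + 8) && !is_v4mapped(h6 + 24);
}

/* Constructed sample: UDP, 192.0.2.10 -> 198.51.100.7, 8 zeroed payload bytes. */
static const uint8_t SAMPLE_V4[28] = {
    0x45, 0, 0, 28, 0, 0, 0x40, 0, 64, 17, 0, 0,
    192, 0, 2, 10, 198, 51, 100, 7, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    uint8_t h6[40];
    int off = shim_v4_to_v6(SAMPLE_V4, sizeof SAMPLE_V4, h6);
    printf("payload offset %d, same header accepted as native IPv6: %d\n", off, native_v6_acceptable(h6));
    return off == 20 ? 0 : 1;
}
```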
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: IoTv6?
« Reply #13 on: May 23, 2017, 09:01:33 am »

Quote
IPv6 was created when IoT fad was not even in the plans.
There is no practical need for IPv6 anywhere. Your device will be behind NAT with any IPv4 address it likes. You need to be incredibly dumb to put it directly on the Internet.

Absolute bollocks. It's why 30% of the mobile networks in the world are now IPv6 only.. oh and most users don't even know. And you'll see the transition of the rest completed in the next 3-5 years.
On a quest to find increasingly complicated ways to blink things
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26896
  • Country: nl
    • NCT Developments
Re: IoTv6?
« Reply #14 on: May 23, 2017, 09:10:59 am »
IPv6 was created to accommodate IoT in the first place.
IPv6 was created when IoT fad was not even in the plans.
There is no practical need for IPv6 anywhere. Your device will be behind NAT with any IPv4 address it likes. You need to be incredibly dumb to put it directly on the Internet.
I agree. An IoT device doesn't belong on internet.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline westfw

  • Super Contributor
  • ***
  • Posts: 4199
  • Country: us
Re: IoTv6?
« Reply #15 on: May 23, 2017, 10:12:11 am »
Quote
An IoT device doesn't belong on internet.
that would be "irony", right?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26896
  • Country: nl
    • NCT Developments
Re: IoTv6?
« Reply #16 on: May 23, 2017, 10:35:35 am »
Quote
An IoT device doesn't belong on internet.
that would be "irony", right?
IntranetOfThings  :box:
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline dimkasta

  • Regular Contributor
  • *
  • Posts: 185
  • Country: gr
Re: IoTv6?
« Reply #17 on: May 23, 2017, 11:05:28 am »
IPv6 would be very interesting in a big IoT architecture with MANY nodes.
With its enhanced auto configuration, enhanced network administration abilities, improved QoS control etc, it can fit very well with simplifying and fine-tuning the management and operation of a big fleet of connected devices.
However, as we have discussed before, most IoT applications today are limited in numbers and basically just glorified networked devices.

If you are just interested in covering the most basic functionality (address assignment and/or basic routing), then I would not bother. I do not see IPv6 becoming a requirement for mainstream connectivity any time soon.
« Last Edit: May 23, 2017, 11:07:53 am by dimkasta »
 

Offline mrpackethead

  • Super Contributor
  • ***
  • Posts: 2845
  • Country: nz
  • D Size Cell
Re: IoTv6?
« Reply #18 on: May 23, 2017, 12:01:17 pm »
IPv6 was created to accommodate IoT in the first place.
IPv6 was created when IoT fad was not even in the plans.
There is no practical need for IPv6 anywhere. Your device will be behind NAT with any IPv4 address it likes. You need to be incredibly dumb to put it directly on the Internet.
I agree. An IoT device doesn't belong on internet.


It can, and it may well be quite safe to do so. It's no dumber than putting a web server on the internet.. and there's a lot of those....

On a quest to find increasingly complicated ways to blink things
 

Offline dimkasta

  • Regular Contributor
  • *
  • Posts: 185
  • Country: gr
Re: IoTv6?
« Reply #19 on: May 23, 2017, 12:29:59 pm »
It can, and it may well be quite safe to do so. It's no dumber than putting a web server on the internet.. and there's a lot of those....

The amount of how dumb it is to put something on the internet, is a matter of doing your due diligence both on how fit it is for the internet, and on how to implement it. Oh and on how legal it is to put it on the internet.
It is the same with web servers. It is pretty dumb to put all of them on the internet. Some of them belong in an intranet, or in a DMZ.
And not all of them are fit for applications that require extra security. Think bank server vs blog server.

That is the real challenge of IoT today.
Creating safety standards, implementations and/or regulations for an architecture that is not well defined yet, to cover applications that do not yet exist.

Anyway, for now, for all intents and purposes, IoT is pretty much a marketing hype thing.
Treat your devices as any other networked device and you should be fine if you do your homework and you do not do stupid stuff.
« Last Edit: May 23, 2017, 12:38:58 pm by dimkasta »
 

Offline technix (Topic starter)

  • Super Contributor
  • ***
  • Posts: 3507
  • Country: cn
  • From Shanghai With Love
    • My Untitled Blog
Re: IoTv6?
« Reply #20 on: May 23, 2017, 01:35:48 pm »
IPv6 was created when IoT fad was not even in the plans.
When IETF created IPv6 they were anticipating a quick increase of Internet-connected devices and decided to assign each grain of sand on Earth its address block. Increase of Internet-connected devices eh?
 

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: IoTv6?
« Reply #21 on: May 23, 2017, 03:23:34 pm »
FYI,

Verizon have announced that there'll be no static public IPv4 addresses issued after June 30 2017, here.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26896
  • Country: nl
    • NCT Developments
Re: IoTv6?
« Reply #22 on: May 23, 2017, 05:23:31 pm »
IPv6 was created when IoT fad was not even in the plans.
When IETF created IPv6 they were anticipating a quick increase of Internet-connected devices and decided to assign each grain of sand on Earth its address block. Increase of Internet-connected devices eh?
But at that time worms, ransomware, hacked internet routers, etc. were unheard of. Making something possible from a technical point of view doesn't mean it is a wise thing to do.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: IoTv6?
« Reply #23 on: May 23, 2017, 10:48:50 pm »
But at that time worms, ransomware, hacked internet routers, etc. were unheard of. Making something possible from a technical point of view doesn't mean it is a wise thing to do.

There you are quite mistaken, actually. IPv6 was formalized in 1998, at that time we had stuff like the Morris worm, CIH, OneHalf, Happy99 worm. Melissa worm appeared in 1999, ILOVEYOU worm in 2000, 2001 brought Nimda, Sircam and plenty of other such self-propagating plague. Spam and hacking attacks were also completely routine.

That we didn't have hacked home routers and ransomware doesn't mean that internet security wasn't a major problem already, especially with the millions of Windows PCs that have just gained Internet connectivity back in that era and had more holes than Swiss cheese.

Also, why do you think IPv6 originally included IPsec as mandatory if not for security reasons?

I personally wouldn't be worried by IPv6 stack being a security hole - by itself it cannot do that much. If the rest of the system is decent, it wouldn't be any more a security hole than an IPv4 stack. A more relevant question is whether that IoT device will have useful life long enough to actually see the rollout of IPv6 in its intended application. If not, then it is a pointless exercise and waste of resources. Right now it is still really rare to see consumer electronics to support IPv6 meaningfully, including things like domestic routers and such - many don't support it at all (!) or at best can handle packet routing and DHCPv6. So if OP is planning to rely on some of the more advanced features of IPv6, they will likely be very disappointed and face nightmarish support issues due to all kinds of broken hardware out there.

Autodiscovery is still best handled using things like Zeroconf or DNS-SD, regardless of whether the device uses IPv4 or v6 - you will likely want to configure/advertise more things than only an IP address and DNS. That is where Zeroconf or DNS-SD shine, literally allowing to advertise and discover every coffee machine in the building.
« Last Edit: May 23, 2017, 10:51:19 pm by janoc »
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 6460
  • Country: nl
Re: IoTv6?
« Reply #24 on: May 24, 2017, 07:38:26 am »
IPv6 had a huge boom thanks to the mobile phone industry. If you look at the charts, it is going slow in absolute numbers but the growth is exponential.
The wait is for big countries like China to switch; most IP providers are already ready for it, and it is for the customer to set the switch on their home router to support it or not.
 

