Breaking Protocol

The times they are a-changin’.


From the December ’99 Wired:

60000000
05A0591A
10800000
00000000
00080800
200C417A
00000000
00000000
00000000
12800001
As the last days of 1999 tick off and the mother of all bug fixes is in its final hours, the Internet Engineering Task Force (IETF), networking managers, and backbone operators are beginning another heroic netware upgrade: the switch to IPv6.

The Internet Protocol was born in the 1970s, as the Net began spreading beyond Darpa into academia and private-sector R&D labs, and has become standard for routing data. According to Vint Cerf, the Internet – or actually its predecessor, Arpanet – burned through the first three versions of IP back in the early days. Today, most packet headers start with a 4, signifying IPv4, our current standard. The 6 in the header pictured here will replace the 4 as IPv6 is established. (IPv5, now retired, was an experimental protocol.)

In 1996 the IETF began testing an IPv6 prototype, called 6BONE, now running on roughly 450 sites in 42 countries. Apple, DEC, IBM, Novell, Sun, and others are already churning out IPv6-ready machines and servers (not surprisingly, Microsoft is cagey about whether it plans to integrate IPv6 with Windows 2000). And in July, the Internet Assigned Numbers Authority officially agreed to let network admins start allocating IPv6 addresses.

Yet some, such as Steve Deering, a lead IPv6 designer, believe that old standards die hard, and binary buttresses to IPv4 could keep the current protocol limping along for decades. In the meantime, the IETF has announced a contingency plan – an interim standard called Realm Specific Internet Protocol, which smooths out some of IPv4’s kinks. But RSIP is just a stopgap and has yet to be implemented. The most likely scenario will be a gradual move to IPv6 over the next 5 to 10 years, with both IPv4 and IPv6 (and possibly RSIP) functioning at the same time until machines running the earlier standard fizzle out.

Twenty years ago, the Internet’s forebears surely never imagined today’s fat streaming-media files, which is probably why the current protocol peppers real-time multimedia audio and video downloads with snaps, crackles, and pops. IPv6 not only enhances streaming but provides for crystal-clear voice-over-IP.

The traffic class, designated in the first two 0s, is where IPv6 ensures that when the network clogs, routers won’t chop up crucial bits of real-time streams into multiple packets. Instead of receiving the first half of the stream and losing the second half – something you’ve surely experienced when a RealAudio broadcast drops out midsentence – IPv6 gives you the whole stream at one-half quality. That sounds like a drawback, but if you’re using voice-over-IP, it means you can depend on the network to not cut off your phone call during heavy traffic.

The remaining five digits represent the flow label, which tags all the packets that belong to a single stream of audio. As streaming data arrives at your PC, IPv6’s flow label and traffic class combine forces: The flow label links all the packets in a stream, and the traffic class tells routers to let the whole bunch pass through at the same time.

This is the payload length, which is the size of the packet. Theoretically, in both IPv4 and IPv6, this field allows packets to be as big as 64K. But in practice, most servers are configured to divide data into 1,500-byte chunks so that they can pass through the narrow pipes of Ethernets. There’s no difference between the way IPv4 and IPv6 use this data.
These numbers indicate the type of the next header. In IPv6, additional headers may appear between the header dissected here and the payload. These headers allow IPv6 to perform authentication and encryption at the packet level. Security can become ubiquitous – a property of the network, not merely a special mode. IPv6’s authentication will put an end to spoofing, in which hackers dupe secure servers into believing the intruder is someone with authorized access. To authenticate a message, the sending node computes a sum using a secret key. This sum then goes into IPv6’s authentication header. When the packet arrives, IPv6 calculates the sum, then compares the result to make sure it hasn’t been hacked en route.

Currently, encryption – when it’s done at all – happens at the application level: Two techies exchange PGP-encrypted email, for instance. But IPv6’s Encapsulating Security Payload protects personal email against packet sniffing, even for those who don’t use PGP. ESP leaves the header as plaintext and encrypts everything else, including all the actual data. In a corporate intranet with nodes around the world, ESP can construct an additional outer wall of security by wrapping the original packet in a second layer of encryption. As the packet travels across the Net, the final destination and source addresses remain invisible. To get where it’s going, the packet simply reveals the address of a machine on the outskirts of a company’s network. Only when the packet gets handed off to the corporate intranet is it decrypted and routed to the recipient.

This superstrong security involves a lot of overhead in terms of number crunching. But it creates an almost impenetrable barrier, known as a steel pipe, securely linking corporate firewalls for a lot less money than a virtual private network.

Routing errors can bounce packets aimlessly around the Net. To prevent such situations from clogging the backbone, each router subtracts 1 from this number, called the hop limit, every time it handles a packet. If the hop limit reaches 0, the packet expires, and the user may get an error message. The highest hop limit for IPv6 is 255 – the same as for IPv4. Why 255? Each character is equivalent to 4 bits, and 255 is the largest number that, in binary, fits into 8 bits.

Sometimes a packet makes a hop along a particularly narrow path. If a packet is too big, the data can still get through, but the whole thing can’t go at once. Just as an oversize supertanker approaching the Panama Canal must disgorge its load into several smaller ships to get everything through, a packet encountering a narrow path has to fragment its data into a number of smaller bundles. In IPv4, this fragmentation occurs whenever a packet reaches a bottleneck. The packet may get broken up several times as it encounters progressively narrower network paths. In IPv6, the sending node finds the narrowest point on the entire path at the start by sending test transmissions, so fragmentation and reassembly (which take time and processing power) occur only once.

This is the source address, which identifies the sending computer and underlies those familiar domain names, such as wired.com. It’s also where IPv6 has some of its greatest (and most hyped) advantages over the current protocol.

Every networked device has a four-part numerical code, or IP address – the Internet equivalent of a snail-mail address. Whenever you upload a GIF to a Web page or download an email, the binary road map stored in the header carefully guides the bits through cyberspace to their destination.

The 32-bit addresses in IPv4 allow for more than 4 billion addresses. This may seem like a lot, but when the Network Information Center doled out addresses in the early 1980s and ’90s, organizations like AT&T and MIT received more than 16 million apiece. Now, as more and more devices hit the market online-ready, IP addresses are becoming scarce. Half the total available addresses have already been assigned; some say we could run dry in five years.

Since the IETF confronted the problem in 1990, several band-aids (allocating addresses temporarily to computers that only dial into networks via modem, for instance) have fended off crisis. But as we slowly run out of available addresses, smaller networks could be cut off from the backbone abruptly. Home workers who dial in may not be able to get an IP address when they want to log on.

The 128-bit header in IPv6 makes for a tremendously expanded range of addresses. If you could fit all the IPv4 addresses in a space the size of a BB, a sphere encompassing all the new IPv6 addresses would easily eclipse the moon.

Another benefit is IPv6’s autoconfiguration, which lets computers assign themselves a permanent IP address. IPv4 forces IT managers to assign new IP addresses to every node on the network whenever a company switches ISPs. Dynamic Host Configuration Protocol (DHCP) partially automates this task, and Network Address Translators (NAT) can redirect packets to nodes behind corporate firewalls using a generic front-door IP address. But DHCP requires lengthy setup time and continual maintenance, and NATs gum up the Net by adding an extra processing step.

To use a telephone analogy, IPv6 eliminates extensions and gives every user their own direct line. However, this also potentially eliminates online anonymity by including in the address space the manufacturer of your PC’s network card and your 48-bit Ethernet address. Privacy groups, of course, are pressing the IETF to revamp the autoconfiguration architecture, as well as to refuse to support wiretapping or related law enforcement activities.

The destination address starts with a lot of 0s. That’s because an IPv6 machine is sending this packet to an older computer that still uses the shorter IPv4 addresses.

IPv4 computers will stick around long after most of the world upgrades to the newer protocol, but machines on these networks will need Network Address Translators to talk to the rest of the Net. Otherwise, the older networks – dubbed IPv4 "clouds" – won’t be able to handle the long IPv6 addresses. Even with the help of NATs, IPv4 clouds won’t benefit from IPv6’s remarkable enhancements, such as packet-level encryption – unless users add more NATs for each ad hoc upgrade.

The new protocol also lets backbone designers create more expandable hierarchical addressing. Much like the US telephone system, in which three-digit area codes forward long distance calls to local exchanges, IPv6 backbone routers relay packets using a prefix embedded in the destination address, instead of having to revise and store information continually for every network in the world.
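The header pictured at the top of the article, decoded field by field the way the text walks through it, plus a model of the hop-limit decrement and of why the authentication header's keyed sum must skip the fields routers rewrite in flight. This is an added example in Python, not code from Wired or the post; re-typing the figure's ten hex words as bytes, the HMAC-SHA256 sum, the demo key and the field names are my assumptions (real AH covers the whole packet with its negotiated algorithm).

```python
import hashlib, hmac, ipaddress, struct

# The ten 32-bit words of the header pictured in the article, re-typed from the
# figure (constructed sample input; this whole block is an added example).
PICTURED_HEADER = bytes.fromhex(
    "60000000" "05A0591A"                        # version/class/flow, length/next/hop
    "10800000" "00000000" "00080800" "200C417A"  # source address
    "00000000" "00000000" "00000000" "12800001"  # destination address
)

def parse_ipv6_header(data: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header into the fields the article walks through."""
    if len(data) < 40:
        raise ValueError("IPv6 fixed header is 40 bytes")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", data[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 header")
    dst = ipaddress.IPv6Address(data[24:40])
    # ::a.b.c.d (top 96 bits zero) is the IPv4-compatible form the pictured
    # destination uses to reach a host that only has an IPv4 address.
    v4 = int(dst) >> 32 == 0 and int(dst) > 1
    return {
        "traffic_class": (word0 >> 20) & 0xFF,  # the two hex digits after the 6
        "flow_label": word0 & 0xFFFFF,          # the remaining five hex digits
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(data[8:24])),
        "dst": str(dst),
        "dst_embedded_ipv4": str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)) if v4 else None,
    }

def router_forward(data: bytes):
    """One router hop: decrement the hop limit; the packet is dropped once it would hit 0."""
    if data[7] <= 1:
        return None
    return data[:7] + bytes([data[7] - 1]) + data[8:]

def ah_covered_bytes(data: bytes) -> bytes:
    """Header with the fields routers may rewrite in flight (traffic class, flow
    label, hop limit) zeroed, so a keyed sum over it stays valid across hops."""
    version_only = struct.pack("!I", struct.unpack("!I", data[:4])[0] & 0xF0000000)
    return version_only + data[4:7] + b"\x00" + data[8:40]

def ah_icv(data: bytes, key: bytes) -> bytes:
    """Simplified model of the authentication header's keyed sum: HMAC-SHA256 over
    the immutable bytes (assumed algorithm; real AH uses its negotiated MAC)."""
    return hmac.new(key, ah_covered_bytes(data), hashlib.sha256).digest()
```

Decoding the figure gives payload length 1440, next header 89, hop limit 26, source 1080::8:800:200c:417a and destination ::1280:1, whose low 32 bits are the IPv4 address 18.128.0.1; the sum computed before a hop still matches after the router decrements the hop limit, but not after any address is altered.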
