Why would IPv6 be necessary for the IoT?


I recently ran across this quote from Security Intelligence about the Internet of things and IPv6:

Analysts predict that there will be 30 billion connected “things” by 2020, yet the IPv4 address space only accommodates 4 billion and change. Even with network address translation (NAT) and private address space, the IoT’s appetite for addresses will overcome IPv4’s ability to sate it.

Enter IPv6, which expands the address space to 340 undecillion, or 3.4×10^38. Well, it’s technically a bit less than that, since some combinations are reserved; nonetheless, that’s still enough usable addresses to allocate about 4,000 to every person on the planet.

What puzzles me is why the Internet of Things would make any difference to the need to switch to IPv6. It seems to me that the vast majority of Things are connected to a router, hence a need only for one world-wide IP.

For instance, your smart oven's (or whatever) IP is 192.168.0.52, that doesn't prevent your neighbour's Echo from having the same IP, because in order to access that IP from outside your home, you have to go through your home's IP address, ex: 148.238.24.9.

Why would the advent of IoT necessitate the switch to IPv6?

anonymous2

Posted 2017-01-27T13:45:02.467

Reputation: 2 980

I wonder how 340 undecillion unique addresses (save a few reserved) boil down to only 4,000 to every person on the planet?

Ghanima 2017-01-27T14:44:15.213


See this video: "Nats are good. They provide security" and please try the IPv6 excuse bingo.

Martin Schröder 2017-01-27T21:07:34.053

It won't necessitate the switch in the same way that having electric cars doesn't necessitate having electric "petrol stations". But both sure do make it a lot more convenient.

immibis 2017-01-28T01:39:46.063

IPv4 addressing provides 2^32 addresses, while IPv6 provides 2^128 addresses (less overhead). There are < 2^33 people, plus companies, schools, et al. So call it 2^36 persons/locations. That leaves 2^92 addresses per person/location, way more than 4000 (2^12) per person/location. IPv6 would have been golden at 2^64, and adopted sooner.

ChuckCottrill 2017-01-28T01:56:06.113

See RFC 7368 for how IPv6 is expected to work in a home network.

Michael Hampton 2017-01-28T07:50:44.820

Of course this analysis assumes that every IoT device is an individually addressable IP entity, which will not be the case. Many devices (e.g. Zigbee) will be behind some kind of protocol-changing gateway (e.g. ZigBee to WiFi or Ethernet or broadband). Downstream devices may be using non-IP protocols, or private addressing (NAT etc). Some devices will have sporadic access to the internet, e.g. wake on change, and so can share addresses from a pool.

TheMagicCow 2017-02-01T11:26:32.027

Answers


There are two reasons.

(1) The first is simpler: end-to-end connectivity. If both source and destination have a public IPv4 (or IPv6, of course) address, they can connect to each other in any direction at any time.

Your IoT device with private IP 192.168.0.52, however, can use NAT ONLY to connect to any public IP on the Internet whenever it wants, but the rest of the Internet cannot connect to it. There were kludges like DNAT and UPnP that used to allow you to specify that some incoming connections are enabled, but they are breaking more and more nowadays due to the implementation of CGNAT because of IPv4 shortages.

A common (so-called) "solution" to this problem is that all your (NATed) devices connect to some central location with a public IP (usually hosted by the manufacturer of the device). This makes it work technically, but involves a privacy issue (you're giving them all the data from your IoT devices), a security issue (as you're wide open to them, a breach or a disgruntled employee can do anything your IoT device can do and access), and a reliability issue (when the manufacturer goes out of business or decides to stop supporting old devices or is suffering outages, all your (and everybody else's) perfectly functional devices will stop working).

(2) The second problem is that it will stop working anyway (even for outgoing connections) some time in the future (not in a year or two, but still; the more IoT and services catch on, the sooner it will start breaking).

That is because NAT allows private addresses like 192.168.0.52 to reach the Internet at large. It does that by changing the source address 192.168.0.52 to the public IP of your router, and replacing the source port with a free one from the pool.

For example, your first connection from 192.168.0.52:1000 might be (CG)NATed to (public IP) 198.51.100.1:1000, and your neighbour's 192.168.0.77:1000 might get NATed to 198.51.100.1:1001. Your second connection from 192.168.0.52:1001 would then be NATed to 198.51.100.1:1002, etc.

The problem is, even simple stuff like opening a web page will likely open dozens of connections and use a dozen ports (for DNS queries, HTTP(S) connections for different elements, JS analytics on different sites, etc.).

More expensive programs, like torrent clients, will easily use up thousands of ports. And there are only 65535 ports available for any IP.

Which means that when several of your neighbours sharing the same CGNAT IP use a bigger share of connections (and more IoT devices will mean more connections), suddenly all 65535 ports on that public IP 198.51.100.1 are used. Which means no new connections can be established for you and your neighbours. Which on a bigger scale means lots of people are cut off from their IoT devices, and civilisation as we know it collapses :-)

Since we would like to delay this civilisation collapse as long as possible, we're transitioning to IPv6 instead. Please support continued existence of this civilisation by using IPv6 if possible. Thanks!

Matija Nalis

Posted 2017-01-27T13:45:02.467

Reputation: 346

"And there is only 65535 ports available for any IP." but connections are identified by the four-tuple of source IP, source port, destination IP and destination port. So the NAT can use the same public source port for multiple destinations (whether it actually will or not depends on the implementation).

Peter Green 2017-01-27T20:02:52.770

@PeterGreen that is correct; as there are two IPs (src and dst) there are two pools of ports. I was already getting too technical, so I didn't go in depth there. And the implementation might reuse the same source port for different destinations (or not, as it would drive up the load on routers due to searching of lists). However, note that the destination would usually be fixed for some purpose - you'd for example always connect to 8.8.8.8:53 to get Google's DNS resolver, or to port 80 (or 443) to connect to the HTTP(S) of some web server. But NAT only has the luxury of changing source ports, not destination ones.

Matija Nalis 2017-01-27T20:44:02.577

I still think overall your answer is unduly pessimistic about how far IPv4 can be stretched. Torrent clients may make thousands of connections but they all go to different places. DNS is a potential issue but in the worst case connections to popular DNS servers can be intercepted and dealt with on the client-side of the NAT.

Peter Green 2017-01-27T21:05:50.680

Don't forget address autoconfiguration. IPv6 stateless autoconfig is much simpler to deal with than DHCP, especially if you start getting a bunch of devices on a network.

chrylis 2017-01-27T22:50:21.320

Technically the privacy and security issues can be avoided when IoT devices use end-to-end encryption and the central server serves only as an ISP.

Maciej Piechotka 2017-01-27T23:07:43.747


@PeterGreen There have already been reports of CGNAT hardware failing in the manner described here. This exhibits itself as strangely unreliable connections with no obvious cause. See for instance this Ofcom report. Anyway, CGNAT is just throwing good money after bad, keeping IPv4 going when IPv6 deployment is long overdue.

Michael Hampton 2017-01-28T07:47:32.587

I have seen plastic routers’ NAT die from simply trying to resolve a few DNS names from scratch, i.e. without using a recursive DNS nameserver in the public DNS, but doing the recursion locally.

Jonas Wielicki 2017-01-28T13:32:22.593

Note that having the devices connecting to some publicly known IP address isn't necessarily bad for privacy. It's the technique many Dark Web websites use to hide their servers.

v7d8dpo4 2017-01-28T14:30:21.660

@v7d8dpo4 not necessarily bad - true, but in the case of IoT devices in the vast majority of instances it is bad - the IoT device will usually send its data (sometimes even encrypted, but not all that often) to the manufacturer, who then in almost all cases decrypts the data to show you a nice HTML page (or whatever). Thus the manufacturer (or whoever runs that public IP) has all your data at their disposal and can command your IoT device at will. Now in a few cases you can instruct the device to connect to your own public IP and run open-source server-side software provided to you there, but that is very rare :(

Matija Nalis 2017-01-28T14:45:48.780

@v7d8dpo4 while for example with HTTPS over Tor and the similar dark webs you describe, all your communication would be end-to-end encrypted, and no Tor node (servers with public IPs) could access it. So, such a technique could be used to allow secure end-to-end communications (the ends being your IoT device and your web browser or app, for example), without the manufacturer being able to spy on you but just providing Tor-like routing. However (to my knowledge) that is not at all how it works today in the vast majority of cases.

Matija Nalis 2017-01-28T14:55:38.253
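The port-exhaustion mechanism described in the answer above, and the 5-tuple refinement raised in its comments, simulated as an added example (this is not code from the original post or its author). It models one public IPv4 address shared by several households behind a CGNAT; the inside addresses from the RFC 6598 shared space 100.64.0.0/10, the household count, the flow counts and the torrent-peer and DNS destinations are all constructed assumptions.

```python
"""Toy carrier-grade NAT (CGNAT) port allocator.

Added illustration, not code from the original answer. Assumptions: one public
IPv4 address (198.51.100.1) with usable source ports 1..65535; the inside
addresses are the ISP-side RFC 6598 shared space (100.64.0.0/10) that a CGNAT
sees after each home router's own NAT; a port is only freed when its flow ends.
"""

MAX_PORTS = 65535  # ports 1..65535; port 0 is not used as a source port


class PortPool:
    """Public source ports for one pool. Ports are handed out sequentially and
    recycled when released, so exhaustion happens at exactly MAX_PORTS live flows."""

    def __init__(self):
        self.next_port = 1
        self.recycled = set()

    def allocate(self):
        if self.recycled:
            return self.recycled.pop()
        if self.next_port > MAX_PORTS:
            return None                 # every port is tied up by a live flow
        port = self.next_port
        self.next_port += 1
        return port

    def release(self, port):
        self.recycled.add(port)


class CGNAT:
    """policy="per_ip":   one pool for the whole public IP; a port is busy for every
                          destination while its flow lives (what the answer describes).
       policy="per_dest": one pool per (dst_ip, dst_port); a public port may be reused
                          towards a different destination because a connection is
                          identified by the full 5-tuple (the comments' refinement)."""

    def __init__(self, public_ip, policy="per_ip"):
        if policy not in ("per_ip", "per_dest"):
            raise ValueError(policy)
        self.public_ip = public_ip
        self.policy = policy
        self.pools = {}   # pool key -> PortPool
        self.table = {}   # (subscriber, src, sport, dst, dport) -> public port

    def _pool(self, dst, dport):
        key = (dst, dport) if self.policy == "per_dest" else "all"
        return self.pools.setdefault(key, PortPool())

    def translate(self, sub, src, sport, dst, dport):
        """Public source port for this flow, or None if the NAT cannot set it up."""
        flow = (sub, src, sport, dst, dport)
        if flow in self.table:              # an existing flow keeps its mapping
            return self.table[flow]
        port = self._pool(dst, dport).allocate()
        if port is not None:
            self.table[flow] = port
        return port

    def release(self, sub, src, sport, dst, dport):
        """Flow ended: give its public port back to the pool it came from."""
        port = self.table.pop((sub, src, sport, dst, dport), None)
        if port is not None:
            self._pool(dst, dport).release(port)
        return port


def simulate(policy, subscribers, flows_each, destinations):
    """Each household opens flows_each long-lived flows, cycling through
    destinations. Returns (accepted, failed) connection counts."""
    nat = CGNAT("198.51.100.1", policy)
    accepted = failed = 0
    for sub in range(subscribers):
        src = f"100.64.0.{sub + 1}"         # constructed ISP-side address of this household
        for i in range(flows_each):
            dst, dport = destinations[i % len(destinations)]
            if nat.translate(sub, src, 1000 + i, dst, dport) is None:
                failed += 1
            else:
                accepted += 1
    return accepted, failed


# Constructed workloads: 10 households behind one public IP, 7000 flows each.
TORRENT_PEERS = [(f"203.0.113.{i % 250 + 1}", 6881 + i) for i in range(200)]  # many destinations
GOOGLE_DNS = [("8.8.8.8", 53)]                                                 # one fixed destination

if __name__ == "__main__":
    for policy in ("per_ip", "per_dest"):
        for name, dests in (("torrent", TORRENT_PEERS), ("dns", GOOGLE_DNS)):
            acc, fail = simulate(policy, 10, 7000, dests)
            print(f"{policy:8s} {name:7s} accepted={acc:6d} failed={fail:5d}")
```

With the per_ip policy 4465 of the 70000 flows fail whatever their destination. The per_dest policy copes with the torrent workload, because the same public port is reused towards each of the 200 peers, but fails identically when every household talks to the same 8.8.8.8:53: a NAT can only vary the source port, and a fixed destination collapses the 5-tuple back to one pool.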


IPv6 is a necessity now; we're nearly out of IPv4 addresses already. As more and more people come online, we're starting to reach the point where IPs have to be shared across multiple people, not just one household (carrier-grade NAT), which is unacceptable, and not just a problem for IoT.

IPv6 allows us to move to a more semantic representation where one IP = one device, which has several advantages. If you're directly able to address your smart device (be it a toaster, oven, light bulb, TV, or something else), you can just send your commands directly to the device, rather than needing to go through a hub. At the moment, NAT makes this difficult to set up, because it requires specifically port forwarding your IoT devices (and this may not work at all for carrier-grade NAT).

It might be worth reading 'Switching to IPv6 implies dropping NAT. Is that a good thing?' from Server Fault if you're worried about the security implications; having all your IoT devices given a public IPv6 address is not really a big security flaw; it's something that would still cause a problem on a NAT-enabled network.

This IEEE article has some good points:

The next logical step from networks of mobile devices to networks of communicating "Things" is IoT. That next step will mirror the sequence of events experienced by mobile networks. Proprietary protocols came first, because an individual company’s profits often come before consideration of the common good. But the use of IP and transparency (i.e., open source protocols) is fundamental to IoT development, just as the ease of use and the invisibility of the technology is important to end users. Our view, based on our research, is that the value of transparency and ease-of-use, and even more importantly the need for interoperability, will favor IPv6 adoption by the IoT market.

So, in short:

  • At the moment, 1 IPv4 address represents... who knows? Sometimes a device, sometimes a router, sometimes a whole network of different customers.

  • Using IPv6 lets you give each IoT device a 'name' on the Internet.

  • Being able to address your devices lets you control them, and simplifies setup and management.

Aurora0001

Posted 2017-01-27T13:45:02.467

Reputation: 11 277

It's better than that. One device may have numerous IPv6 addresses, and is expected to.

Michael Hampton 2017-01-28T07:50:01.943
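How a device ends up with the 'name' this answer describes, as an added example that is not part of the original answer or its comments: IPv6 stateless address autoconfiguration (the mechanism mentioned in the comments on the first answer), where the host itself combines an advertised /64 prefix with a 64-bit interface identifier. The MAC address, the 2001:db8::/64 documentation prefix, the interface name and the secret key are constructed sample inputs.

```python
"""How an IPv6 host forms its own addresses from a /64 prefix (SLAAC).

Added illustration, not code from the original answer. The MAC address, the
2001:db8::/64 documentation prefix, the interface name and the secret used
below are constructed sample inputs.
"""
import hashlib
import hmac
import ipaddress

IID_MASK = (1 << 64) - 1  # the low 64 bits of an address: the interface identifier


def modified_eui64(mac: str) -> int:
    """64-bit interface identifier derived from a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address = advertised /64 prefix | EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """Every interface also has a link-local address under fe80::/64."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64_address(addr: ipaddress.IPv6Address):
    """Recover the hardware address if the IID is EUI-64 derived. This is the
    tracking problem: the same low 64 bits follow the device into every network."""
    iid = (int(addr) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def stable_opaque_address(prefix: str, iface: str, secret: bytes,
                          dad_counter: int = 0) -> ipaddress.IPv6Address:
    """RFC 7217 style IID = F(prefix, interface, DAD counter, secret key): stable
    inside one network, unrelated across networks, and carrying no MAC. RFC 7217
    leaves F to the implementation; HMAC-SHA256 truncated to 64 bits is used here.
    The check against reserved IIDs (RFC 5453) is omitted for brevity."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    msg = net.network_address.packed[:8] + iface.encode() + dad_counter.to_bytes(2, "big")
    iid = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:8], "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    glob = slaac_address("2001:db8::/64", mac)
    print("link-local      ", link_local(mac))
    print("EUI-64 global   ", glob)
    print("MAC leaked      ", mac_from_eui64_address(glob))
    print("RFC 7217 global ", stable_opaque_address("2001:db8::/64", "eth0", b"placeholder-secret"))
```

One device therefore holds a link-local address plus one global address per advertised prefix, the "numerous addresses" of the last comment, with no DHCP server or port forwarding involved. The caveat a practitioner wants: an EUI-64 identifier embeds the MAC and is identical in every network the device joins, so it lets anyone correlate the device across networks. RFC 7217 stable opaque identifiers (or RFC 4941 temporary addresses) keep the reachability while removing that correlation, and modern host stacks default to one of them rather than to EUI-64.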