It's not too surprising to see SPAWAR [0] up so high; the US Department of Defense has required IPv6 compatibility for devices being added to their networks for a while now (I think around 2003)[1]. If you scroll a bit further down the list, Defense Research and Engineering Network (DREN) is at 8.32% as well.
At first read I thought the headline meant that 25% of consumer traffic was going to IPv6 sites, which seems impossibly high. But the article says "This reflects the fact that IPv6 is part of Verizon’s rollout of LTE". Does that mean IPv6 is all just internal in Verizon's network and invisible to consumers? If I have an LTE iPhone on Verizon, is it even capable of talking to an IPv6 site?
> If I have an LTE iPhone on Verizon, is it even capable of talking to an IPv6 site?
Yes. All LTE devices on Verizon are given real, globally routable IPv6 addresses. You can test this here:
http://test-ipv6.com.
This presentation [1] is pretty interesting, showing how aggressive Verizon was with IPv6 on their LTE network.
> At first read I thought the headline meant that 25% of consumer traffic was going to IPv6 sites, which seems impossibly high.
Keep in mind that many popular websites--Yahoo, Facebook and Google among them--now publish AAAA records in DNS. With that in mind, this statistic isn't that unreasonable. If you have a Verizon iPhone, you're probably reaching Google via IPv6 without realizing it.
Unfortunately, if IPv6 is invisible it doesn't provide any feedback against the "IPv6 is not happening and will never happen" narrative (example: https://news.ycombinator.com/item?id=5586519 ).
> Yes. All LTE devices on Verizon are given real, globally routable IPv6 addresses.
With globally routable addresses, where is the protection for attached devices from global attacks? Does VZW firewall their network, or are they relying on their supported devices not having open, vulnerable ports?
Verizon runs an IPv6 firewall on their LTE network. This means that even with a public IPv6 address you still can't make a connection to your phone from the outside. I understand why they did it, but it is sad to not be able to SSH into my LTE device over the WAN. Maybe that will be an optional feature in the future?
I was a little surprised by your comment. Maybe I'm reading it wrong but it seems that you expect your service provider to filter traffic for you. I have the exact opposite expectation. Do you expect the same thing from your ISP at home?
I do expect my service provider to filter packets for me. Not for any freedom-loving perspective, but for very practical ones:
My phone is battery powered. My cell phone link uses a lot of power when active compared to when inactive. I don't want some random ass killing my battery life by packet spamming me.
My cell phone provider charges me for data. Would that include random UDP packets spammed at my device?
The abuse potential is high enough that it concerns me. Having some sort of firewalling on the provider side seems straight up useful.
Of course not, but most consumers rely on default home router NAT configurations to at least protect them from drive-by attacks on insecure devices. That's not an option in a mobile context, so I was curious at what level VZW expected their customers to be protected.
The parent doesn't seem to be arguing for NAT, just asking what sort of protections are in place. Verizon has done the correct thing here. No NAT, global addresses, firewall in place. That said, their firewall rules are very conservative, to the point where they provide NAT-like default deny of all unsolicited incoming traffic.
How ISP level firewalls should be configured is an interesting and open question for consumer level connections. For mobile connections default deny seems like an OK place to start, given that mobile connections tend to be shared and metered. I hope that this doesn't stifle the innovation that could come from true peer to peer mobile connectivity though.
If your device is open by default, it's open on WiFi or to other VZW customers. In every case, the wrong answer is trusting the network to protect you.
The typical WiFi network is NAT'd with a default no-forward policy (or even more locked down), so even an insecure device is vulnerable only to other devices on the same network. That's much smaller than the universe of folks running portscans against globally routable addresses.
Presumably VZW's IPv6 configuration is similar, though I'd be interested to hear exactly what connections are allowed between devices at different locations within their own network. Wouldn't be surprised if they're completely forbidden.
Of course the network should not be trusted to protect you. But in the real world, everyday consumers are connecting insecure devices, and I'm curious how VZW is going about saving them from themselves.
> That's much smaller than the universe of folks running portscans against globally routable addresses.
You do realize just how many IPv6 addresses there are? The good old days of randomly scanning the interwebs in the hopes of finding an IP are gone, at least, for IPv6.
The minimum assignment from RIPE/ARIN etc. to an ISP is a /32. Meaning Verizon on its own has at least the same number of /64's as the entire IPv4 internet has IPs.
That's 4,294,967,296 /64's.
A single /64 is 4 billion times the entire IPv4 address space.
It's true that NAT reduces the risk of portscans but that's not much of a benefit any more. For at least a decade the accepted best practice has been host rather than perimeter level security and that's only become more important over time. It took a while but the average device sold today doesn't have anything listening by default; at this point you're just subsidizing a few market-trailing manufacturers.
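A host-level check of the kind the comment above argues for, as an added example that is not part of the original thread: it decodes the Linux `/proc/net/tcp6` table and reports which IPv6 sockets are listening and on what scope. The sample table is constructed and trimmed to the four columns the parser reads, and the address decoding assumes a little-endian host.

```python
import ipaddress
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp6

# Constructed sample in /proc/net/tcp6 layout (not captured from a real device).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
   2: B80D0120000000000000000001000000:01BB 00000000000000000000000000000000:0000 0A
   3: B80D0120000000000000000001000000:C350 B80D0120000000000000000002000000:01BB 01
"""


def decode_addr(hex_addr):
    """Turn the kernel's 32-hex-digit form into an IPv6Address.

    The kernel prints four 32-bit words in host byte order, so on a
    little-endian machine each 4-byte group has to be byte-swapped back.
    """
    words = struct.unpack(">4I", bytes.fromhex(hex_addr))
    return ipaddress.IPv6Address(struct.pack("<4I", *words))


def scope_of(addr):
    """Classify how far a listener bound to this address can be reached."""
    if addr.is_unspecified:
        return "all-interfaces"   # bound to ::, reachable on every address
    if addr.is_loopback:
        return "loopback"         # local processes only
    if addr.is_link_local:
        return "link-local"       # same link only
    return "specific-address"     # reachable wherever that address routes


def listeners(table_text):
    """Return (address, port, scope) for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue              # header, short line, or non-listening socket
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        found.append((str(addr), int(hex_port, 16), scope_of(addr)))
    return found


if __name__ == "__main__":
    for addr, port, scope in listeners(SAMPLE_TCP6):
        print(f"[{addr}]:{port}  {scope}")
```

On a real Linux host, pass the contents of `/proc/net/tcp6` instead of the sample; any `all-interfaces` or `specific-address` entry is a port that only a firewall keeps unreachable from outside.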
From what I can gather the traffic figures reported by the ipv6 launch site (25% for Verizon Wireless) are traffic in/out of the various ASNs listed. So in fact 25% of Verizon Wireless's customer traffic is over IPv6 to IPv6 enabled content.
This is actually not as strange as it might seem. Google/Bing/Facebook/Youtube/Netflix/Wikipedia and the iTunes store are all available over IPv6. These properties represent a significant portion of typical mobile device traffic. That 11% of the remaining Alexa top 1000 properties are IPv6 enabled doesn't hurt either. Lastly, practically 100% of VZW's LTE customers are using handsets and operating systems that support IPv6 so they don't have the issues Comcast has with ancient home routers and modems stopping people from using the v6 service that is provided.
Thanks for clarifying this! So this 25% really is consumer traffic, and Verizon is so high because they default to preferring IPv6 servers when available? That's great news for IPv6 adoption. It's also consistent with what's reported later in the article, about IPv6 prevalence at various other installations.
As zaphoyd said, Verizon doesn't default to IPv6. Dual-stack devices should be using the Happy Eyeballs [1,2] algorithm to choose whether to use IPv4 or IPv6.
"defaulting" to IPv6 is something that is done on the DNS/client end. Verizon is so high because they have a brand new network that was built from the ground up with mandatory IPv6 support for all devices required. See the presentation notes that ejdyksen posted above for more information.
For mobile networks IPv6 has a better business case than most networks. Mobile networks are new enough that they don't typically have large blocks of addresses ready to use so every IPv6 packet is one that doesn't take resources on your expensive CGN gear. T-Mobile's wireless network is also fully IPv6 enabled.
I just checked whatismyipv6.com from my LTE Verizon phone and it returned an IPv6 address. The site itself can be accessed from IPv4 as well but it will inform you if this happens.
Dreamhost was one of the first major shared hosting providers to make adding IPv6 addresses to your sites dead simple. I wouldn't be surprised if this has attracted a number of early adopting IPv6 customers.
They also account for an infinitesimally small amount of global net traffic. Their rapid adoption of IPv6 is more symbolic than anything else. And it got them mentioned here, so presumably it was a success.
[0]: http://en.wikipedia.org/wiki/Space_and_Naval_Warfare_Systems...
[1]: http://www.usipv6.com/ppt/IPv6SummitPresentationFinalCaptDix...