29 Jan

This post is going to be a bit more technical than most people are probably comfortable with, but I'll try to explain it as simply as possible. T-Mobile USA is running an open beta for enabling IPv6 address assignment to some devices on its network in place of the traditional IPv4 addresses.

If you have one of these devices, you can sign up for IPv6 support here right now, change a few settings on your device, and start testing your IPv6 address as soon as you're approved:

Additionally, if you're in the San Francisco Bay Area, you don't even need to fill out a form - IPv6 is already live here, and you just need to change some settings for it to take effect.

IPvWhat?

So, why is this IPv6 testing important and what benefits does it bring to the table?

Every device connected to the Internet needs to have an IP address assigned to it. IPv4, the current scheme, only allows 2^32 or 4.3 billion different addresses, which we have been running out of lately.

In order to alleviate the shortage, some ISPs (your mobile carrier is also an ISP) have been using NAT (Network Address Translation, also known as IP masquerading) to connect multiple devices to the web using only a subset of unique IPs. This lets them share a single IP among tens, and probably hundreds or even thousands, of individual devices, but it has all the downsides of NAT, the most important one being the inability to connect to your device directly from the Internet. If you ever wanted to SSH or VNC into your Android device, stream a video directly to it, etc., all from somewhere outside of your LAN, NAT is the reason you can't (since you can't set up port forwarding or control the NAT configuration of your carrier).


NAT visualized - image credit

Guess what - IPv6 has such a huge address space - 2^128, or 340 undecillion (also search that page for Googol and Googolplex, you may be surprised) - that we don't need NAT anymore. And never-ever will, even if we conquer the whole galaxy and set up billions of devices on every star (this is a highly scientific fact I just made up, but go ahead, do the math).

IPv6 deployment has been complex, with many obstacles along the way (you can read about them here), so we commend T-Mobile for being the second U.S. carrier (at least known to us) to run an open trial as well as one of its technical staff architects, Cameron Byrne, for leading the charge. In comparison, Verizon, for example, mandated that all of its LTE devices need to be IPv6-compatible, but hasn't run an open test like T-Mobile is doing. Update: Apparently, VZW has already rolled out dual IPv6/IPv4 support on such devices, but only when on LTE, and they are blocking all inbound traffic at the moment. Other carriers are likely to follow, but we don't know how soon just yet.

No More NAT, Are You Sure?

Yup, at least right now. We were able to sign up for the trial, get it enabled within 10 minutes (on a Saturday too!), and then configure the Nexus S with an IPv6 address. We then opened up port 22 by running sshd, and I was able to port scan the acquired IPv6 address, showing port 22 wide open. Brilliant.

# nmap -6sT -p1-100 2607:fb90:400:ef14:0:a:85ac:ce01

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-29 09:29 PST
Interesting ports on 2607:fb90:400:ef14:0:a:85ac:ce01:
Not shown: 99 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

Of course, having your device directly accessible to the outside world opens up an array of security issues, which a lot of devices may not currently be ready for (a proper firewall needs to be put in place for one), but the important bit is that IPv6 works, NAT is gone, and the future is just one little step closer.
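
The scan above looks at the device from the outside; the on-device counterpart is listing which sockets are listening and on what addresses. The following is an added example, not part of the original post: it decodes a constructed sample in the Linux /proc/net/tcp6 layout and reports how far each listener is reachable. The sample rows, ports and function names are assumptions, and little-endian word order is assumed.

```python
import ipaddress

# Constructed sample in /proc/net/tcp6 layout (columns after "st" trimmed).
SAMPLE = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:13AD 00000000000000000000000000000000:0000 0A
   2: 90FB072614EF00040A00000001CEAC85:1F90 00000000000000000000000000000000:0000 0A
   3: 90FB072614EF00040A00000001CEAC85:C350 B80D0120000000000000000001000000:01BB 01
"""
TCP_LISTEN = "0A"  # kernel state code for a listening socket

def decode_addr(hexaddr):
    """The kernel prints four 32-bit words in host byte order
    (little-endian assumed here, as on ARM and x86)."""
    raw = bytes.fromhex(hexaddr)
    return ipaddress.IPv6Address(b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4)))

def exposure(addr):
    """Describe from where a listener bound to addr can be reached."""
    if addr.is_loopback:
        return "loopback only"
    if addr.is_link_local:
        return "link-local only"
    if addr.is_unspecified:
        return "all addresses, including any global one"
    return "this routable address"

def listeners(text):
    """Return (port, address, exposure) for every socket in LISTEN state."""
    found = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                            # established etc. are not listeners
        hexaddr, hexport = fields[1].split(":")
        addr = decode_addr(hexaddr)
        found.append((int(hexport, 16), str(addr), exposure(addr)))
    return sorted(found)

if __name__ == "__main__":
    for port, addr, scope in listeners(SAMPLE):
        print(f"tcp6 port {port:<5} bound to {addr:<34} reachable via {scope}")
```

Without carrier NAT or a firewall in the path, every listener not marked loopback or link-local is what an outside scan like the one above would find.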


So, is anyone else excited about the progress we're seeing with IPv6 in the mobile space or is it just the uber-geek engineer in me?

Source: T-Mobile IPv6 Beta via tmoipv6beta forums

Big thanks to Justin Case for participating in the IPv6 test

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • TheEngineer

    Finally. Now bring it to the rest of the world please.

  • Nocturnhaboe

    now avast and all the other security companies are going to create firewalls for your phones :P

  • Spydie

    Avast already has a great Android firewall program.

    • http://www.AndroidPolice.com Artem Russakovskii

      Except it doesn't protect your device from outside services, but the other way around.

  • SlimDan22

    Those can't be the only IPv6 enabled T-Mobile phones?

    I thought most phones now had IPv6 capabilities out of the box, much like everything shipped with internet capabilities today does (i.e. computers, home routers, consoles, etc).

    • Daniel

      Yes, but only for wifi.

  • SlimDan22

    I wonder how android apps work that are not IPv6 accessible (Youtube, Pandora, etc) and if you are able to access Non IPv6 sites.
    I'm sure T-Mobile is doing some sort of tunneling or a dual IP stack on the phone or at the gateway, but it is a beta =) .

    • http://www.AndroidPolice.com Artem Russakovskii

      From the IPv6 beta page:

      T-Mobile's IPv6 service is an IPv6-only service that uses NAT64 and DNS64 in the network to connect IPv6 mobile users with IPv4 content. We believe that the majority of the bandwidth consumed by IPv6 subscribers will be native end-to-end IPv6 without any translation required by the end of 2012 as major content providers like Google, Yahoo, Facebook, Microsoft, and many others have demonstrated during World IPv6 Day

  • daves

    verizon LTE is ipv6 too.....

    • jcase

      No, it is not, or at least was not recently.

      Only ICS supports ipv6 out of the box for mobile data (GB can be modified to, as with LG).

      LTE devices "can" support ipv6, with a firmware and network update.

      • jcase

        I guess they implemented it after I left, neat.

        Charge, and Galaxy Nexus at the very least support it

    • http://www.AndroidPolice.com Artem Russakovskii

      Updated the story with this info upon doing some more research.

  • Bob

    Avast firewall requires root, as all firewalls will need the low level access to the hardware. IPv6 needs a firewall as you will not be behind the NAT, so carriers are either going to have to allow rooting or build them in, which I fear will be insecure. Probably why Verizon is dragging its feet.

    • http://www.AndroidPolice.com Artem Russakovskii

      Yeah, on-device firewalls need to be put in place first before they would open them up. Surprised T-Mo is doing it now, frankly. Maybe they'll equip every new device with IPv6 support with a firewall in the future.

  • Paul

    Giving every device a public IP is scary, security-wise. So many irresponsible or unknowledgeable people on the internet, giving them a public IP is a hacker's wet dream.

    • http://www.AndroidPolice.com Artem Russakovskii

      It's true, which is why the devices should be firewalled. But think about it - our home networks are not NATed by default, why should I devices be (in the future, when on-device firewalls are common)?

      • Spartacus

        "our home networks are not NATed by default"

        And how many PCs on non-NATed home networks are botnet zombies?

    • SlimDan22

      It should be fine if they enable IPv6 address privacy.
      As of now most IPv6 implementations by default include the network (i.e. T-Mobile) generating a unique broadcast that tells the host the network portion to use of the address (beginning portion), and when a device receives it, it then creates its own address (host portion) based off its own MAC address (unique identifier) and you are left with a unique IPv6 address that won't change.
      With IPv6 address privacy enabled, the host will get the unique broadcast from the network and add its own suffixes to the host portion of the address (again based off MAC address), and it always randomly changes.
      So it will be unlikely for the device to always have the same IPv6 address.
      Also it could be possible to use the local IPv6 branch of addresses (begins with fe80:), which technically wouldn't be able to be accessed from the internet without a gateway.
      Although with the number of public IPv6 addresses available, it's kind of stupid to continue to use IPv6 NAT.
      http://tools.ietf.org/html/rfc4941

      • Mikkel Markussen

        Coincidentally, this will effectively constitute an ND exhaustion attack. Even if the vendors got off their rears and gave us the knobs, switches and table capacity necessary to mitigate the issue, RFC 4941 seems pretty far from ideal, and not a very elegant direction to take IPv6 in.

    • matt

      Good luck finding your address from the Undezillions of others.

  • http://tools.ietf.org/html/rfc5157 tmojoe

    These security concerns are not well founded. IPv4 and IPv6 are quite different, notice how random that number is in the screenshot. And that IPv6 address changes regularly. My guess is that address is already off his phone and will not be assigned again in our lifetime. IPv6 is not IPv4. Android is not Windows XP. You do not need a firewall, you need users who don't give their SSN to the Nigerian prince :)

    Also http://tools.ietf.org/html/rfc5157

    • http://www.AndroidPolice.com Artem Russakovskii

      I'm not sure I agree.

      1. You shouldn't rely on the user when taking security considerations into account. Users can download random apps that have vulnerabilities and start a server for some reason (say, remote management for your tablet). I could think of ways where default server setups are used but never changed. Etc. And the burden of this would fall on the carrier's heads.

      2. While scanning may no longer be feasible, finding out IPs via other means would still remain very possible. Just like you shouldn't rely on security by obscurity, you shouldn't rely on lack of viable port scanning tools to protect you. Plus, sometimes you can figure out an IP range and do a scan on a subset of IPs.

  • http://tools.ietf.org/html/rfc5157 tmojoe

    In case #1, the user has already rooted the phone and installed malware. All bets are off.

    In case #2, what is the value of knowing an ipv6 address that changes?

    In any event, it is just like ipv4 dsl, users who want firewalls can install them.

  • http://www.facebook.com/sickopsycho Andrew Vincent

    "So, is anyone else excited about the progress we're seeing with IPv6 in the mobile space or is it just the uber-geek engineer in me?"
    It's great that I have a place I can seclude to at least once or twice a day and just relish in the geek that is me. =) Thank you, AP, for giving us all of this great info! Not to mention the giveaways and deal info...

  • craig simpson

    Well, a VPN would be a good way of protecting things... I would use an OpenVPN connection or IPsec and L2TP, just to be sure on this, and I would have a firewall as well.

  • Dan

    I am trying to figure out something with this, and WiFi and all of that. Basically, will there be a way to have your phone detect an external camera as its own or as an option to use, through a network connection or WiFi, and the same with speakers?

    I know Bluetooth can do this already, I am wondering for long distance or WiFi range.

    Plus, does my question even correlate to where this update will eventually bring us?

  • http://tools.ietf.org/html/rfc5157 tmojoe

    Yes and no. Yes IPv6 makes it possible for IPv6 devices to connect, yes Panasonic makes IPv6 cameras, but making them talk might be time consuming http://panasonic.net/pss/security/products/bbbl/lineup/bl-c131/index.html

  • http://go6.si/ Jan Zorz

    We did that in Slovenia in March 2010 at 2 mobile operators - at that time with Nokia phones (E52, N900). T-Mobile was doing the same thing at the same time, so Cameron told us then.

    Nowadays in general production status and also works with Galaxy Nexus. :)

  • Tee

    Some might get confused about the NAT-part of the article.

    If you have multiple devices in your LAN at home, your router (or modem) uses the NAT feature. This affects only your devices in the internal network. The NAT works so that all your gadgets connected to the LAN have only one address outside the LAN, to the internet, that is.

    The NAT of your ISP needs to be IPv6-compatible, but the NAT for your own gadgets doesn't need to be.

  • DaX05

    Well here's a list of which apps will work or not on the Nexus S with Android 4.0.3 ICS on the T-Mobile USA IPv6 network.

    https://docs.google.com/spreadsheet/ccc?key=0AnVbRg3DotzFdGVwZWlWeG5wXzVMcG5qczZEZloxWGc#gid=0
