Apple's secret "Back to My Mac" push behind IPv6

Posted:
in macOS edited January 2014
The Internet is running out of addresses. To get around this problem and a host of others not addressed in the existing Internet Protocol (IPv4), a new revision has been in development for years, called IPv6. Uptake has been slow; it requires upgrading all the routers and devices that make up the Internet. Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it. Here's why, and what it means for users on every platform.



Not Enough Numbers



The primary problem with today's IPv4 is that its 32-bit addressing scheme (those IP numbers that look like 192.168.0.1) can only accommodate four billion (4,294,967,296) uniquely addressed devices, minus all the specially reserved numbers. IP addresses aren't handed out per device as needed; they're allocated in sequential blocks to companies.



For example, Apple owns the entire 17.x.x.x "Class A" subnet, which gives the company 16 million addresses to use. HP owns two: 15.x.x.x and 16.x.x.x., while Xerox owns 13.x.x.x; AT&T 12.x.x.x; and IBM 9.x.x.x; Many blocks are reserved for special purposes, including 10.x.x.x. By the time Microsoft got in line for IP addresses, it only got a class B subnet of 65,536 addresses from 207.46.0.0 - 207.46.255.255.



The world's IPv4 numbers run out at 255.255.255.255. The only two options: create a new addressing scheme with more numbers (which IPv6 does, using ten billion billion billion times as many possible numbers as IPv4), or simply hide most devices from public addressing on the Internet, which is what today's NAT (Network Address Translation) does.



The problem with NAT



NAT allows a router to set up a dummy network of addresses, usually using the reserved 10.x.x.x or 192.168.x.x subnets. These reserved numbers aren't valid on the wide open Internet. In consumer settings, the router typically uses one public outside address and then does address translation for all outside traffic between that public IP number and all of the devices inside. The 192.168.x.x subnet allows for over 65,000 devices to be hidden in your home behind a single address assigned to you by your ISP.



NAT dramatically limits the number of public addresses each site needs, but it creates its own problems. The point of an addressing system is to allow devices to find each other. With NAT, and particularly with multiple layers of NAT, it becomes difficult for one device to find another and start a conversation, say to initiate a web conference, trade files, or stream music. The inside address is no good for outside hosts, and the public IP address is often subject to change.



Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can't also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.







NAT as a refuge for the insecure



NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.



Neither NAT nor an external firewall is really required when a computing system is property secured. The security crisis resulting from putting Microsoft's software, which was only ever originally designed to operate within an "assumed to be secure" LAN environment, on the open Internet has resulted in people thinking that PCs shouldn't be publicly addressable for their own good.



This is unfortunate, because there are a lot of good reasons for wanting to be able to talk to your own devices over the Internet. Finding and setting up connections with other devices hiding behind the existing layers of NAT can require some tricky technology. That's the task of Apple's Back To My Mac: allowing mobile systems anywhere on the Internet to talk to home systems to handle file sharing, screen sharing, or other tasks.



The promise of IPv6



IPv6's 128-bit addressing not only brings a virtually unlimited number of available IP addresses for everyone to use (billions of numbers for each person on Earth), but also introduces solutions that solve many of the other problems in today's Internet Protocol, including the barriers erected by layers of NAT.



One big feature is security: all IPv6 traffic can be encrypted via a built-in component of the protocol. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything can be encrypted at the network layer in IPv6 using IPSec. This can be automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."



Rather than relying on Windows' NAT diapers for "security through obscurity," IPv6 makes every device on the Internet routable and securely contactable. If IPv6 is beginning to sound a lot like Back to My Mac, Bonjour, and related technologies Apple is already using, then it might be interesting to note that Apple is already using IPv6.



While most vendors have released IPv6 support for their operating systems, having that support doesn't make it useful without a killer application that demonstrates its usefulness. Microsoft delivered a technology preview of IPv6 support in Windows 2000. In 2002 Windows XP SP1 got official, optional support for it. Apple enabled IPv6 by default in Mac OS X 10.3 Panther in 2003, and it is now enabled by default in Windows Vista, too.



However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don't support it at all.



A killer app for IPv6



The advantages of IPv6 are both obvious and largely invisible. Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background. The paradox is that while the Internet desperately needs IPv6, few see any reason to rush toward it. There's no obvious killer application of IPv6 to offset the considerable expense of upgrading all of the critical routers and other equipment that makes up the Internet.



Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers. However, Apple's AirPort Extreme and Time Capsule devices are in widespread use among consumers. Earlier this year, NPD reported that Apple now has greater than ten percent market share among retail sales of WiFi N routers.



Apple's WiFi N routers support acting as an IPv6 node or tunneling through the IPv4 Internet to access IPv6 services (below). They also include an IPv6 firewall supporting incoming IPSec authentication and Teredo tunnels (used to get through NAT on the other end). Apple's nearly silent support for IPv6 is interesting in itself, but what's more interesting is that Apple also has two killer apps in hand for promoting IPv6, the market power to engage uptake, and a strong business model for benefitting from IPv6 adoption.







On page 2 of 2: Why Apple can push IPv6; Apple, MobileMe, Back to My Mac, and IPv6; and IPv6 for MobileMe web apps.



Why Apple can push IPv6



So far, the adoption of IPv6 has appeared to directly offer users too little to warrant much investment. You can currently search Google via IPv6, or stream video, or access USENET newsgroups, but users won't see any real advantage to do that using IPv6. Without any demand for IPv6, the only reason to upgrade or build out support for it is for bragging rights or progressive humanitarianism.



The China Next Generation Internet initiative spent billions to built out an IPv6 backbone in time for the Olympics. The US government recently announced that 26 agencies met a 2005 mandate to support IPv6 traffic over their networks. Other groups provide access to free content over IPv6 in hopes of spurring adoption. Those efforts haven't done much to actually get a sizable proportion of Internet traffic on IPv6. A recent study reported by Arbor Networks Security found only 0.002% of all Internet traffic used IPv6, and that just 0.4% of the Alexa Top 500 sites use IPv6.



While Apple can't single-handedly transfer the Internet to IPv6, it can provide killer apps that will drive adoption among consumers. That kind of thing is right up Apple's Infinite Loop alley. The company pushed for adoption of the MPEG AAC codec with iTunes and the iPod, upgrading the world from MP3 while preventing the world's music from being locked up in Sony's ATRAC or Microsoft's Windows Media DRM. Most other music players now support AAC as well.



Apple then got behind H.264 video and started pushing hard, even while file traders complained that Apple should just stick with the well known old variants of H.263 codecs used by DIVX and others, or use the proprietary codecs used by Windows Media Video and Adobe Flash. The success of iTunes helped push even Adobe's Flash to H.264, and convinced Google and the BBC to serve their video content to iPhones using standard MPEG H.264 rather than Flash or Windows Media.



Apple, MobileMe, Back to My Mac, and IPv6



Apple's relatively small but high-impact market power has pushed a number of other open standards. So how can Apple push IPv6? One killer app for IPv6 is already being sold: Back to My Mac (BTMM ) works by tunneling IPv6 traffic between machines over the IPv4 Internet using IPSec.



This enables users on systems registered with MobileMe to find services on their other systems from anywhere on the Internet, and then initiate a secure connection between them that works as a Virtual Private Network (VPN), with all traffic being transmitted through an encrypted tunnel that pierces through the permissive Internet. Why Apple isn't advertising this service better is a bit of a mystery. Linux and Vista don't do this, and Google can't offer it as a free service.



In order for BTMM to work, subscribers need to have a compatible router that supports either the convoluted "Universal Plug & Play," or NAT-PMP (NAT Port Mapping Protocol), a system Apple developed and released as an open standard. Apple also sells popular AirPort WiFi routers that support it.







IPv6 for MobileMe web apps



A subsequent way Apple could push IPv6 would be to deliver and promote MobileMe's web apps as an IPv6 service. Apple's been getting plenty of criticism for failing to encrypt users' data between its client web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and between push updates to the iPhone and iPod touch. Why aren't MobileMe's web apps using encryption? Apple hasn't said.



By promoting MobileMe as an IPv6-savvy service, Apple could not only advertise (and deliver!) IPSec security for web apps users, but also have an additional reason to recommend its own AirPort routers which support IPv6 traffic and tunneling through an IPv4 Internet Service Provider. It would also cast an additional halo around Apple's pioneering technology efforts. Add an IPv6 icon to Safari that lights up when you visit an IPv6 site, and Apple would end up with another marketable feature for promoting IPv6 to consumers.



Nobody else sells routers, online services, and desktop computers together, giving Apple a unique opportunity to promote IPv6 in a way that not only benefits the company and users, but would also help nudge the industry toward IPv6 compliance and adoption in the same way that it has corralled the industry's cats into an orderly herd behind H.264 and AAC. It would also help silence the incessant complaints that suggest Apple is indifferent about security or is somehow unable to deliver secure products.
«1345

Comments

  • Reply 1 of 82
    Quote:
    Originally Posted by AppleInsider View Post


    A subsequent way Apple could push IPv6 would be to deliver and promote MobileMe's web apps as an IPv6 service. Apple's been getting plenty of criticism for failing to encrypt users' data between its client web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and between push updates to the iPhone and iPod touch. Why aren't MobileMe's web apps using encryption? Apple hasn't said.



    but you guys said in a recent article http://www.appleinsider.com/articles...ps.html&page=2

    Quote:

    Data transaction security in MobileMe's web apps is based upon authenticated handling of JSON data exchanges between the self contained JavaScript client apps and Apple's cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser's SSL lock icon with web security.





    I find the condescending view of NAT's side benefit of being a hardware firewall as being a diaper to also be offensive. Take the notion that hardware firewalls should be needed since your OS should be written securely farther and you get that software firewalls shouldn't be needed either. After all if every application on your system is written securely (and the user doesn't do anything stupid) it shouldn't be needed. Security is as much about finding the single most robust solutions as it is about theoretical limitations, and hardware firewalls provide a level of security and isolation of vulnerabilities to be lauded.
  • Reply 2 of 82
    irchsirchs Posts: 86member
    Apple's IPv4, never mind IPv6, firewall user interface is completely shocking, needing huge improvement before Mac OS X can be safely deployed directly on the net using IPv6.
  • Reply 3 of 82
    Quote:
    Originally Posted by AppleInsider View Post


    The world's IPv4 numbers run out at 256.256.256.256.



    Sorry to nitpick, but I think you meant 255.255.255.255. Yes, there are 256 values for each octet, but it starts at zero, so 255 is the max...



    Other than that, great article (as always)!





    Bender: Whoa, what an awful dream! Ones and zeroes everywhere! And I thought I saw a two...

    Fry: It was just a dream, Bender. There's no such thing as two!

    -Futurama, "A Head in the Polls"
  • Reply 4 of 82
    The comment "Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers. " paints a picture that the routers on the Internet are general purpose systems, which they are not. Most of the Internet routers are proprietary systems made by Cisco or Juniper, and are there to move packets at a very different rate then general purpose OS's.
  • Reply 5 of 82
    Other other thing about NAT is most ISP is you only get 1 ip so you need NAT to use more then 1 system.



    Do you want ISP like comcast to make you pay $5 /mo on top of your internet fee per system to get there own IPv6 IP?
  • Reply 6 of 82
    mr. hmr. h Posts: 4,870member
    Quote:
    Originally Posted by AppleInsider View Post


    Apple ? has corralled the industry's cats into an orderly herd behind ? AAC.



    unfortunately, this just isn't true. Look at all those DRM-free stores (Amazon, eMusic etc.) selling mp3-only tracks when they could just as easily provide an AAC option (which would be cheaper for them - purveyors of mp3 encoded tracks have to pay mp3 licensing royalties, these kind of royalty payments do not exist for AAC).



    Sadly, most of the world thinks that AAC is Apple's proprietary format despite the fact that it was developed by the MPEG. They should have called it mp4 and then average joe would understand that it's an evolution of mp3.
  • Reply 7 of 82
    mr. hmr. h Posts: 4,870member
    Quote:
    Originally Posted by Joe_the_dragon View Post


    Other other thing about NAT is most ISP is you only get 1 ip so you need NAT to use more then 1 system.



    Do you want ISP like comcast to make you pay $5 /mo on top of your internet fee per system to get there own IPv6 IP?



    You only get one IP because there aren't enough addresses to give everyone their own IP. That's the whole point of IP6. With that, an ISP could happily give you one billion unique IP addresses and have no fear of being anywhere close to running out of addresses to give to their other customers.
  • Reply 8 of 82
    "One big feature is security: all IPv6 traffic is encrypted. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything is encrypted at the network layer in IPv6 using IPSec. This is automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free.""



    Whoa, whoa. Source, please!

    I know that implementing IPsec is mandatory in IPv6, but I'm pretty damn sure that all data IS NOT automatically encryted!!
  • Reply 9 of 82
    Quote:
    Originally Posted by AppleInsider View Post


    One big feature is security: all IPv6 traffic is encrypted. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything is encrypted at the network layer in IPv6 using IPSec. This is automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."



    This is wrong.



    http://episteme.arstechnica.com/eve/...m/696007413931
  • Reply 10 of 82
    Quote:
    Originally Posted by AppleInsider View Post


    One big feature is security: all IPv6 traffic is encrypted.



    Okay, I'll nitpick some more. What is your source on this statement? IPSec implementation is mandated by IPv6, but all IPv6 traffic is NOT encrypted by default as far as I know...



    Edit: Looks like two people beat me to it
  • Reply 11 of 82
    asciiascii Posts: 5,936member
    Maybe people don't want every device on their home network to be addressable by the world. In theory it should be safe, if every device vendor implements proper security, but in practice they don't.
  • Reply 12 of 82
    Quote:

    Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background.



    DHCPv6 will (allegedly) handle it, not the domain name system.
  • Reply 13 of 82
    Quote:
    Originally Posted by ascii View Post


    Maybe people don't want every device on their home network to be addressable by the world. In theory it should be safe, if every device vendor implements proper security, but in practice they don't.



    If you don't want external parties to connect to your machines, use a firewall. Either one on your home router, or a software firewall on the machine itself.
  • Reply 14 of 82
    Quote:
    Originally Posted by BostonBoozer View Post


    Okay, I'll nitpick some more. What is your source on this statement? IPSec implementation is mandated by IPv6, but all IPv6 traffic is NOT encrypted by default as far as I know...



    Edit: Looks like two people beat me to it



    Ah you beat me to it!
  • Reply 15 of 82
    Quote:
    Originally Posted by Mr. H View Post


    You only get one IP because there aren't enough addresses to give everyone their own IP. That's the whole point of IP6. With that, an ISP could happily give you one billion unique IP addresses and have no fear of being anywhere close to running out of addresses to give to their other customers.



    Because they can doesn't mean they will. What business school did you go to! j/k
  • Reply 16 of 82
    Quote:
    Originally Posted by jcassara View Post


    DHCPv6 will (allegedly) handle it, not the domain name system.



    Hm? You still need AAAA and ip6.arpa records in DNS.
  • Reply 17 of 82
    Quote:
    Originally Posted by derekmorr View Post


    Hm? You still need AAAA and ip6.arpa records in DNS.



    Yes, but the DNS itself is not doing the background work exclusively.
  • Reply 18 of 82
    Quote:
    Originally Posted by AppleInsider View Post


    The Internet is running out of addresses. To get around this problem and a host of others not addressed in the existing Internet Protocol (IPv4), a new revision has been in development for years, called IPv6. Uptake has been slow; it requires upgrading all the routers and devices that make up the Internet. Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it. Here's why, and what it means for users on every platform.



    Not Enough Numbers



    The primary problem with today's IPv4 is that its 32-bit addressing scheme (those IP numbers that look like 192.168.0.1) can only accommodate four billion (4,294,967,296) uniquely addressed devices, minus all the specially reserved numbers. IP addresses aren't handed out per device as needed; they're allocated in sequential blocks to companies.



    For example, Apple owns the entire 17.x.x.x "Class A" subnet, which gives the company 16 million addresses to use. HP owns two: 15.x.x.x and 16.x.x.x., while Xerox owns 13.x.x.x; AT&T 12.x.x.x; and IBM 9.x.x.x; Many blocks are reserved for special purposes, including 10.x.x.x. By the time Microsoft got in line for IP addresses, it only got a class B subnet of 65,536 addresses from 207.46.0.0 - 207.46.255.255.



    The world's IPv4 numbers run out at 256.256.256.256. The only two options: create a new addressing scheme with more numbers (which IPv6 does, using ten billion billion billion times as many possible numbers as IPv4), or simply hide most devices from public addressing on the Internet, which is what today's NAT (Network Address Translation) does.



    The problem with NAT



    NAT allows a router to set up a dummy network of addresses, usually using the reserved 10.x.x.x or 192.168.x.x subnets. These reserved numbers aren't valid on the wide open Internet. In consumer settings, the router typically uses one public outside address and then does address translation for all outside traffic between that public IP number and all of the devices inside. The 192.168.x.x subnet allows for over 65,000 devices to be hidden in your home behind a single address assigned to you by your ISP.



    NAT dramatically limits the number of public addresses each site needs, but it creates its own problems. The point of an addressing system is to allow devices to find each other. With NAT, and particularly with multiple layers of NAT, it becomes difficult for one device to find another and start a conversation, say to initiate a web conference, trade files, or stream music. The inside address is no good for outside hosts, and the public IP address is often subject to change.



    Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can't also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.







    NAT as a refuge for the insecure



    NAT has also become an important part of the external security diapers that are used to protect Microsoft's Windows. Without a layer of NAT in the router's firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.



    Neither NAT nor an external firewall is really required when a computing system is property secured. The security crisis resulting from putting Microsoft's software, which was only ever originally designed to operate within an "assumed to be secure" LAN environment, on the open Internet has resulted in people thinking that PCs shouldn't be publicly addressable for their own good.



    This is unfortunate, because there are a lot of good reasons for wanting to be able to talk to your own devices over the Internet. Finding and setting up connections with other devices hiding behind the existing layers of NAT can require some tricky technology. That's the task of Apple's Back To My Mac: allowing mobile systems anywhere on the Internet to talk to home systems to handle file sharing, screen sharing, or other tasks.



    The promise of IPv6



    IPv6's 128-bit addressing not only brings a virtually unlimited number of available IP addresses for everyone to use (billions of numbers for each person on Earth), but also introduces solutions that solve many of the other problems in today's Internet Protocol, including the barriers erected by layers of NAT.



    One big feature is security: all IPv6 traffic is encrypted. There's no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything is encrypted at the network layer in IPv6 using IPSec. This is automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption "for free."



    Rather than relying on Windows' NAT diapers for "security through obscurity," IPv6 makes every device on the Internet routable and securely contactable. If IPv6 is beginning to sound a lot like Back to My Mac, Bonjour, and related technologies Apple is already using, then it might be interesting to note that Apple is already using IPv6.



    While most vendors have released IPv6 support for their operating systems, having that support doesn't make it useful without a killer application that demonstrates its usefulness. Microsoft delivered a technology preview of IPv6 support in Windows 2000. In 2002 Windows XP SP1 got official, optional support for it. Apple enabled IPv6 by default in Mac OS X 10.3 Panther in 2003, and it is now enabled by default in Windows Vista, too.



    However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don't support it at all.



    A killer app for IPv6



    The advantages of IPv6 are both obvious and largely invisible. Most users won't even notice the move to IPv6, as DNS handles the IP addressing details in the background. The paradox is that while the Internet desperately needs IPv6, few see any reason to rush toward it. There's no obvious killer application of IPv6 to offset the considerable expense of upgrading all of the critical routers and other equipment that makes up the Internet.



    Routers typically run BSD or Linux; Microsoft's software dominance on the desktop isn't even relevant in the world of routers. However, Apple's AirPort Extreme and Time Capsule devices are in widespread use among consumers. Earlier this year, NPD reported that Apple now has greater than ten percent market share among retail sales of WiFi N routers.



    Apple's WiFi N routers support acting as an IPv6 node or tunneling through the IPv4 Internet to access IPv6 services (below). They also include an IPv6 firewall supporting incoming IPSec authentication and Teredo tunnels (used to get through NAT on the other end). Apple's nearly silent support for IPv6 is interesting in itself, but what's more interesting is that Apple also has two killer apps in hand for promoting IPv6, the market power to engage uptake, and a strong business model for benefitting from IPv6 adoption.







    On page 2 of 2: Why Apple can push IPv6; Apple, MobileMe, Back to My Mac, and IPv6; and IPv6 for MobileMe web apps.



    Why Apple can push IPv6



    So far, the adoption of IPv6 has appeared to directly offer users too little to warrant much investment. You can currently search Google via IPv6, or stream video, or access USENET newsgroups, but users won't see any real advantage to do that using IPv6. Without any demand for IPv6, the only reason to upgrade or build out support for it is for bragging rights or progressive humanitarianism.



    The China Next Generation Internet initiative spent billions to built out an IPv6 backbone in time for the Olympics. The US government recently announced that 26 agencies met a 2005 mandate to support IPv6 traffic over their networks. Other groups provide access to free content over IPv6 in hopes of spurring adoption. Those efforts haven't done much to actually get a sizable proportion of Internet traffic on IPv6. A recent study reported by Arbor Networks Security found only 0.002% of all Internet traffic used IPv6, and that just 0.4% of the Alexa Top 500 sites use IPv6.



    While Apple can't single-handedly transfer the Internet to IPv6, it can provide killer apps that will drive adoption among consumers. That kind of thing is right up Apple's Infinite Loop alley. The company pushed for adoption of the MPEG AAC codec with iTunes and the iPod, upgrading the world from MP3 while preventing the world's music from being locked up in Sony's ATRAC or Microsoft's Windows Media DRM. Most other music players now support AAC as well.



    Apple then got behind H.264 video and started pushing hard, even while file traders complained that Apple should just stick with the well known old variants of H.263 codecs used by DIVX and others, or use the proprietary codecs used by Windows Media Video and Adobe Flash. The success of iTunes helped push even Adobe's Flash to H.264, and convinced Google and the BBC to serve their video content to iPhones using standard MPEG H.264 rather than Flash or Windows Media.



    Apple, MobileMe, Back to My Mac, and IPv6



    Apple's relatively small but high-impact market power has pushed a number of other open standards. So how can Apple push IPv6? One killer app for IPv6 is already being sold: Back to My Mac (BTMM ) works by tunneling IPv6 traffic between machines over the IPv4 Internet using IPSec.



    This enables users on systems registered with MobileMe to find services on their other systems from anywhere on the Internet, and then initiate a secure connection between them that works as a Virtual Private Network (VPN), with all traffic being transmitted through an encrypted tunnel that pierces through the permissive Internet. Why Apple isn't advertising this service better is a bit of a mystery. Linux and Vista don't do this, and Google can't offer it as a free service.



    In order for BTMM to work, subscribers need to have a compatible router that supports either the convoluted "Universal Plug & Play," or NAT-PMP (NAT Port Mapping Protocol), a system Apple developed and released as an open standard. Apple also sells popular AirPort WiFi routers that support it.







    IPv6 for MobileMe web apps



    A subsequent way Apple could push IPv6 would be to deliver and promote MobileMe's web apps as an IPv6 service. Apple's been getting plenty of criticism for failing to encrypt users' data between its client web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and between push updates to the iPhone and iPod touch. Why aren't MobileMe's web apps using encryption? Apple hasn't said.



    By promoting MobileMe as an IPv6-savvy service, Apple could not only advertise (and deliver!) IPSec security for web apps users, but also have an additional reason to recommend its own AirPort routers which support IPv6 traffic and tunneling through an IPv4 Internet Service Provider. It would also cast an additional halo around Apple's pioneering technology efforts. Add an IPv6 icon to Safari that lights up when you visit an IPv6 site, and Apple would end up with another marketable feature for promoting IPv6 to consumers.



    Nobody else sells routers, online services, and desktop computers together, giving Apple a unique opportunity to promote IPv6 in a way that not only benefits the company and users, but would also help nudge the industry toward IPv6 compliance and adoption in the same way that it has corralled the industry's cats into an orderly herd behind H.264 and AAC. It would also help silence the incessant complaints that suggest Apple is indifferent about security or is somehow unable to deliver secure products.





    And how many security applications currently run on IPv6? To my knowledge no AV product last time I checked (last nine months). Apple's internal firewall is a joke, so tunneling IPv6 traffic is asking for some serious issues. Safari broswer and OS can fully run IPv6 unlike Windows Vista/IE junk. Oh besides only two or three US ISP vendors currently offer IPv6 services still going to loose performance do to running dual stacks. To better understand the issues the must read IPv6 book in my opinion is Running IPv6.



    1Gremlin
  • Reply 19 of 82
    crees!crees! Posts: 501member
    Quote:
    Originally Posted by Axcess99 View Post


    but you guys said in a recent article http://www.appleinsider.com/articles...ps.html&page=2







    I find the condescending view of NAT's side benefit of being a hardware firewall as being a diaper to also be offensive.



    Offensive? A self-evaluation might be in order here.



    (non-directed)

    Everyone is so damn "offended" these days. Grow a pair, live your life, and stop dragging everyone else down in the gutter. Enough of this me, me, me crap.
  • Reply 20 of 82
    ajmasajmas Posts: 597member
    Quote:
    Originally Posted by BostonBoozer View Post


    Sorry to nitpick, but I think you meant 255.255.255.255. Yes, there are 256 values for each octet, but it starts at zero, so 255 is the max...



    Actually you can't have an address containing 255, since that is used as a mask value.
Sign In or Register to comment.