Monday, 21 August 2006

Chinese IPv6 in CIO

The 15 July 2006 issue of CIO magazine featured "China Builds a Better Internet" by Ben Worthen. I have multiple problems with this article, but I also think it's great to publicize what the world outside the US is doing! Here are some excerpts and commentary.

[I]n research labs throughout China, engineers are busy working on another project that the Chinese government plans to unveil at the Olympics: China's Next Generation Internet (CNGI), a faster, more secure, more mobile version of the current one...

CNGI is the centerpiece of China's plan to steal leadership away from the United States in all things Internet and information technology.

The strategy, outlined in China's latest five-year plan, calls for the country to transition its economy from one based almost entirely on manufacturing to one that produces its own scientific and technological breakthroughs—using a new and improved version of today's dominant innovation platform, the Internet. "CNGI is the culmination of this revolutionary plan" to turn China into the world's innovation capital, says Wu Hequan, vice president of the Chinese Academy of Engineering and the chairman of the CNGI Expert Committee.


There is nothing more inherently secure about IPv6 compared to IPv4. As I've argued before, I think security will degrade when IPv6 is adopted. It might improve as people become familiar with it, but expect chaos in the short-to-medium term.

This is only the first of many "secure" adjectives used to describe IPv6 in this article, unfortunately.

If China gets too big a head start, U.S. CIOs could be in the unfamiliar position of having to play catch up to the rest of the world—while paying as much as 30 percent more to manage their networks, according to estimates by the National Institute of Standards and Technology. Worse, organizations that lag behind the world in IPv6 adoption will be more vulnerable to hackers and other security threats.

Here we have a security and cost argument -- you'll see that again. Uh-oh, CIOs take notice. I think this paragraph refers to a report summarized well by Network World. This report, by NIST, seems less enthusiastic than the CIO article.

China, which is expected to surpass the United States as the world's biggest Internet user later this year, has just 2 percent of the world's IP addresses, or around 60 million—about as many as Stanford University...

Given that China will have almost twice as many broadband users as the United States by the end of 2007, the sense of injustice among China's Internet officials is palpable. "When 26 Chinese share one Internet protocol address, while each American possesses six IP addresses…this is the quandary facing China in the IPv4 era," Zhao Houlin, director of the International Telecommunications Union, said in 2005. The bottom line for China, says Jiang Lintao, chief engineer at the China Academy of Telecommunications Research, is that "We cannot survive without IPv6."


Wow, that's a great way to think about the problem facing China!

Parts of this sidebar are comical.

Benefits: Improved security. Longer IP addresses mean that each device has a unique identifier. This will allow for device and user-level authentication—meaning spammers and hackers can’t hide behind constantly shifting IP addresses, as they do today. The security paradigm will have to change from firewall-centric to application-centric, but once it does the Internet will be a much safer place.

How is the first part of this even remotely true?

Paul Francis weighs in with an alternative point of view below.

Some Internet experts, such as Paul Francis, a computer science professor at Cornell University who also happened to invent NAT devices, say that upgrading networks to IPv6 will cost so much and take so long that engineers will develop workarounds -- be it improvements to NAT devices or something new -- that solve the problems with IPv4, keeping the current Internet in place forever.

I was glad to read Mr. Francis' comments. Contrast them with the following.

But most people familiar with IPv6 say that the protocol has too much promise and can save CIOs too much money for it not to be adopted. Plus, most equipment makers are already selling IPv6-capable equipment today, meaning you could be building a next-generation network without even knowing it.

"In the next 10 years everyone will [begin] moving to IPv6," says Robert Atkinson, president of the Information Technology and Innovation Foundation, a technology policy think tank. "That is not in doubt."
(emphasis added)

Not in doubt? With a ten-year window, who will check on this? Maybe I will if this blog is still around!

Finally, this sidebar mentioned military issues.

China’s Next Generation Internet (CNGI) has U.S. national security implications as well. While the level of Chinese military involvement in CNGI is unclear, the People’s Liberation Army has designed its own IPv6 router, and a recent China IP Council white paper mentions that IPv6 networks have "military and intelligence" uses. Unrestricted Warfare, a widely translated treatise on military doctrine written by two People’s Liberation Army officers, calls for China to engage the West in nontraditional combat, and suggests tactics such as computer hacking and cyberterrorism.

Hmm, it's more like the PLA stole its own router. In any case, I think it's time for me to read Unrestricted Warfare, which I found here and here.

Finally, would you trust advice like this?

If China moves to an IPv6 network while the United States is still running IPv4, Internet traffic coming from China will be impossible to track back to its source, says James Mulvenon, deputy director of the Center for Intelligence Research and Analysis, which advises the U.S. intelligence community.

"Imagine if you are running an army network at Fort Hood and you detect hostile packets," he says. If the packets are coming from or through China, "you can’t tell anything about them. It turns China into a big anonymizer."


Welcome to 1989 (.pdf, Security Problems in the TCP/IP Protocol Suite). If you discount spoofing, welcome to the rise of botnets. Any exit host for which you cannot trace back is a "big anonymizer." Who cares if IPv4 or IPv6 is used?
