Apple’s secret “Back to My Mac” push behind IPv6
August 19th, 2008
The Internet is running out of addresses. To get around this problem and a host of others not addressed in the existing Internet Protocol (IPv4), a new revision has been in development for years, called IPv6. Uptake has been slow; it requires upgrading all the routers and devices that make up the Internet. Apple has a few tricks up its sleeve for pushing IPv6 adoption, and many Mac users are already chin deep in the technology without even knowing it. Here’s why, and what it means for users on every platform.
Apple’s secret “Back to My Mac” push behind IPv6
Not Enough Numbers
The primary problem with today’s IPv4 is that its 32-bit addressing scheme (those IP numbers that look like 192.168.0.1) can only accommodate four billion (4,294,967,296) uniquely addressed devices, minus all the specially reserved numbers. IP addresses aren’t handed out per device as needed; they’re allocated in sequential blocks to companies.
For example, Apple owns the entire 17.x.x.x “Class A” subnet, which gives the company 16 million addresses to use. HP owns two: 15.x.x.x and 16.x.x.x., while Xerox owns 13.x.x.x; AT&T 12.x.x.x; and IBM 9.x.x.x; Many blocks are reserved for special purposes, including 10.x.x.x. By the time Microsoft got in line for IP addresses, it only got a class B subnet of 65,536 addresses from 18.104.22.168 – 22.214.171.124.
The world’s IPv4 numbers run out at 255.255.255.255. The only two options: create a new addressing scheme with more numbers (which IPv6 does, using ten billion billion billion times as many possible numbers as IPv4), or simply hide most devices from public addressing on the Internet, which is what today’s NAT (Network Address Translation) does.
The problem with NAT
NAT allows a router to set up a dummy network of addresses, usually using the reserved 10.x.x.x or 192.168.x.x subnets. These reserved numbers aren’t valid on the wide open Internet. In consumer settings, the router typically uses one public outside address and then does address translation for all outside traffic between that public IP number and all of the devices inside. The 192.168.x.x subnet allows for over 65,000 devices to be hidden in your home behind a single address assigned to you by your ISP.
NAT dramatically limits the number of public addresses each site needs, but it creates its own problems. The point of an addressing system is to allow devices to find each other. With NAT, and particularly with multiple layers of NAT, it becomes difficult for one device to find another and start a conversation, say to initiate a web conference, trade files, or stream music. The inside address is no good for outside hosts, and the public IP address is often subject to change.
Additionally, each hidden system on the inside needs some way to map the ports it uses to the ports of the outside, public address. If the NAT forwards public port 80 web traffic to one internal machine acting as a web server, it can’t also forward traffic on port 80 to another machine. This causes problems for any service that wants to use specific ports, including video conferencing, torrent downloads, media streaming, file transfers, screen sharing, and so on, blocking multiple machines hidden behind NAT from being accessible at once over the same customary port.
NAT as a refuge for the insecure
NAT has also become an important part of the external security diapers that are used to protect Microsoft’s Windows. Without a layer of NAT in the router’s firewall, a Windows PC would expose all number of unsecured ports to public tampering. A remotely addressable Windows PC on the Internet will almost instantly become infected by malicious probes looking for its wide-open back doors.
Neither NAT nor an external firewall is really required when a computing system is property secured. The security crisis resulting from putting Microsoft’s software, which was only ever originally designed to operate within an “assumed to be secure” LAN environment, on the open Internet has resulted in people thinking that PCs shouldn’t be publicly addressable for their own good.
This is unfortunate, because there are a lot of good reasons for wanting to be able to talk to your own devices over the Internet. Finding and setting up connections with other devices hiding behind the existing layers of NAT can require some tricky technology. That’s the task of Apple’s Back To My Mac: allowing mobile systems anywhere on the Internet to talk to home systems to handle file sharing, screen sharing, or other tasks.
The promise of IPv6
IPv6’s 128-bit addressing not only brings a virtually unlimited number of available IP addresses for everyone to use (billions of numbers for each person on Earth), but also introduces solutions that solve many of the other problems in today’s Internet Protocol, including the barriers erected by layers of NAT.
One big feature is security: all IPv6 traffic can be encrypted via a built-in component of the protocol. There’s no need to wrap the old FTP protocol with a layer of encryption or use SSH, no need to turn on SSL to secure the web, no need to encrypt each email or each IM conversation and each video conference. Everything can be encrypted at the network layer in IPv6 using IPSec. This can be automatic and invisible to applications; existing, higher level security protocols such as SSL or TLS require applications to be specifically designed to support them. With IPv6, apps get network encryption “for free.”
Rather than relying on Windows’ NAT diapers for “security through obscurity,” IPv6 makes every device on the Internet routable and securely contactable. If IPv6 is beginning to sound a lot like Back to My Mac, Bonjour, and related technologies Apple is already using, then it might be interesting to note that Apple is already using IPv6.
While most vendors have released IPv6 support for their operating systems, having that support doesn’t make it useful without a killer application that demonstrates its usefulness. Microsoft delivered a technology preview of IPv6 support in Windows 2000. In 2002 Windows XP SP1 got official, optional support for it. Apple enabled IPv6 by default in Mac OS X 10.3 Panther in 2003, and it is now enabled by default in Windows Vista, too.
However, a real barrier to wide adoption of IPv6 lies with the routers everyone uses; if they are unable to accommodate IPv6 traffic, they will prevent users inside from accessing IPv6 traffic outside, even if their OS supports it. Many commercial routers are just now adding support for IPv6, and many consumer routers don’t support it at all.
A killer app for IPv6
The advantages of IPv6 are both obvious and largely invisible. Most users won’t even notice the move to IPv6, as DNS handles the IP addressing details in the background. The paradox is that while the Internet desperately needs IPv6, few see any reason to rush toward it. There’s no obvious killer application of IPv6 to offset the considerable expense of upgrading all of the critical routers and other equipment that makes up the Internet.
Routers typically run BSD or Linux; Microsoft’s software dominance on the desktop isn’t even relevant in the world of routers. However, Apple’s AirPort Extreme and Time Capsule devices are in widespread use among consumers. Earlier this year, NPD reported that Apple now has greater than ten percent market share among retail sales of WiFi N routers.
Apple’s WiFi N routers support acting as an IPv6 node or tunneling through the IPv4 Internet to access IPv6 services (below). They also include an IPv6 firewall supporting incoming IPSec authentication and Teredo tunnels (used to get through NAT on the other end). Apple’s nearly silent support for IPv6 is interesting in itself, but what’s more interesting is that Apple also has two killer apps in hand for promoting IPv6, the market power to engage uptake, and a strong business model for benefitting from IPv6 adoption.
Why Apple can push IPv6
So far, the adoption of IPv6 has appeared to directly offer users too little to warrant much investment. You can currently search Google via IPv6, or stream video, or access USENET newsgroups, but users won’t see any real advantage to do that using IPv6. Without any demand for IPv6, the only reason to upgrade or build out support for it is for bragging rights or progressive humanitarianism.
The China Next Generation Internet initiative spent billions to built out an IPv6 backbone in time for the Olympics. The US government recently announced that 26 agencies met a 2005 mandate to support IPv6 traffic over their networks. Other groups provide access to free content over IPv6 in hopes of spurring adoption. Those efforts haven’t done much to actually get a sizable proportion of Internet traffic on IPv6. A recent study reported by Arbor Networks Security found only 0.002% of all Internet traffic used IPv6, and that just 0.4% of the Alexa Top 500 sites use IPv6.
While Apple can’t single-handedly transfer the Internet to IPv6, it can provide killer apps that will drive adoption among consumers. That kind of thing is right up Apple’s Infinite Loop alley. The company pushed for adoption of the MPEG AAC codec with iTunes and the iPod, upgrading the world from MP3 while preventing the world’s music from being locked up in Sony’s ATRAC or Microsoft’s Windows Media DRM. Most other music players now support AAC as well.
Apple then got behind H.264 video and started pushing hard, even while file traders complained that Apple should just stick with the well known old variants of H.263 codecs used by DIVX and others, or use the proprietary codecs used by Windows Media Video and Adobe Flash. The success of iTunes helped push even Adobe’s Flash to H.264, and convinced Google and the BBC to serve their video content to iPhones using standard MPEG H.264 rather than Flash or Windows Media.
Apple, MobileMe, Back to My Mac, and IPv6
Apple’s relatively small but high-impact market power has pushed a number of other open standards. So how can Apple push IPv6? One killer app for IPv6 is already being sold: Back to My Mac (BTMM ) works by tunneling IPv6 traffic between machines over the IPv4 Internet using IPSec.
This enables users on systems registered with MobileMe to find services on their other systems from anywhere on the Internet, and then initiate a secure connection between them that works as a Virtual Private Network (VPN), with all traffic being transmitted through an encrypted tunnel that pierces through the permissive Internet. Why Apple isn’t advertising this service better is a bit of a mystery. Linux and Vista don’t do this, and Google can’t offer it as a free service.
In order for BTMM to work, subscribers need to have a compatible router that supports either the convoluted “Universal Plug & Play,” or NAT-PMP (NAT Port Mapping Protocol), a system Apple developed and released as an open standard. Apple also sells popular AirPort WiFi routers that support it.
IPv6 for MobileMe web apps
A subsequent way Apple could push IPv6 would be to deliver and promote MobileMe’s web apps as an IPv6 service. Apple’s been getting plenty of criticism for failing to encrypt users’ data between its client web apps and the cloud, a notable omission given that it encrypts data between the desktop and the cloud, and between push updates to the iPhone and iPod touch. Why aren’t MobileMe’s web apps using encryption? Apple hasn’t said.
By promoting MobileMe as an IPv6-savvy service, Apple could not only advertise (and deliver!) IPSec security for web apps users, but also have an additional reason to recommend its own AirPort routers which support IPv6 traffic and tunneling through an IPv4 Internet Service Provider. It would also cast an additional halo around Apple’s pioneering technology efforts. Add an IPv6 icon to Safari that lights up when you visit an IPv6 site, and Apple would end up with another marketable feature for promoting IPv6 to consumers.
Nobody else sells routers, online services, and desktop computers together, giving Apple a unique opportunity to promote IPv6 in a way that not only benefits the company and users, but would also help nudge the industry toward IPv6 compliance and adoption in the same way that it has corralled the industry’s cats into an orderly herd behind H.264 and AAC. It would also help silence the incessant complaints that suggest Apple is indifferent about security or is somehow unable to deliver secure products.