Because adoption of ipv6 allows everyone to be an equal on the internet again. Right now half of the computers hooked up to the 'net aren't even given a routable IP address. They're behind carrier NAT unable to participate like a real computer. They can't use protocols, they can only consume third party services over HTTP/S for the most part.
If everyone is routable it cuts the gordian knot in the "What kind of content should be allowed on our platform?" question by allowing everyone to simply be their own platform. If ipv6 gets adopted fast enough it might just save the 'net from being just a more privacy invasive form of television.
> net from being just a more privacy invasive form of television.
This is such a great analogy.
The Internet has become a dopamine fix. Platforms are generic and inflexible. (Remember when you could change the HTML?) Content is watered down or demonetized for the sake of ad money (Youtube, Tumblr). You can't read the news without getting a video ad shoved down your throat. Commercial video is DRM'd. Browsers (read: Chrome) enables websites to prevent you from copying text or viewing source images. Your every move is tracked to better target ads and sell your profile.
There are websites which can and will manipulate the text you are copying. I am aware of at least one news site which will replace the copied article text with a short summary and a link to the article.
> They can't use protocols, they can only consume third party services over HTTP/S for the most part.
Your comment brings a whole new angle to IPv6 I hadn't before considered. Having each packet routable straight to a TCP/UDP port number eliminates the complexities of NAT. Since the {hard,soft}ware that handles NAT wouldn't be needed, perhaps a shift to IPv6 could also give throughput gains.
We also took advantage of the stupid huge address space to make routing tables smaller, it's not necessary to have every /24 (or /64 in IPv6 equivalents) in your tables because we can assign big blocks and stop dealing with fragmented networks all over the place.
Yes, provided your ISP allocates you a P2P link as well as your prefix. Once you get used to breaking up your prefix into subnets it all starts to work quite nicely.
I have even found that real world IPv6 addresses are not quite as bad as they look. We have all seen the auto-generated ones and they look awful but you don't actually use those as such. For example you are allocated a /48 prefix: 2001:db8:1234:: in general you might think of the ISP as 2001:db8:: and your site as 2001:db8:1234::. Your first subnet might be say 000a or simply "a" for VLAN 10 because you decide not to allocate IPv6 to your default VLAN 1 and start with your current PC VLAN which is 10.123.10/24. In IPv4 you have 10.123.10.1 as the default gateway (VRRP) with .2 and .3 for the physical routers. Hence your PC VLAN routers get given 2001:db8:1234:a::2 and 3 and ::1 for the VRRP address. You can play games with 1337 addresses using 0-9a-f eg face:b00c sigh.
In practice we'll still be traffic shapred on ISP level so not so much P2P. It's far more likely that IPv6 will be used to give everyone one single unique trackable address* and we'll all be easily tracked down by IP again. The practical semi-privacy IPv4 let people have will be gone.
Ultimately, technologies are less important than public opinion, politics and commerce in dictating how the net goes.
* Or a single trackable address range, no matter.
Yes, ISPs could do differently. Why would they? All the incentives are on the other side.
> Because adoption of ipv6 allows everyone to be an equal on the internet again
Sorry, but this is incorrect. No matter how you connect to the internet, someone has to agree to route your traffic. Just having an allocation of "public" address space doesn't mean you are free to do whatever you want. Other people have to actually pick up your traffic.
If you don't have an ASN and a core router on a backbone to announce and carry your traffic, and instead are just using what an ISP gave you, you really have almost no control over whether that address is routable, what protocols you can use with it, etc. They can impose the same limits on IPv6 as IPv4 - and in order to reduce overt abuses of their network resources, they almost certainly will.
Remember: passing packets requires real money. The larger the number of packets, the larger the bandwidth used, the larger the concurrent connections, the more money it costs. Any segment in the network that takes up significantly more traffic than another, will end up costing a disproportionate amount of dollars and maintenance to support. So unless you're paying for all of it, you will have limits. And just like every other resource on the planet, some people will have more resources than others.
IPv6 is identical to IPv4 in terms of what "freedom" you have on the internet.
Sure, but you're talking about using NAT vs not using NAT. You can still get a dozen IPv4 addresses from an ISP and do the same thing as IPv6. But you have to pay for 'em.
The ISP can decide to impose exactly the same limit on allocated IPv6 as IPv4, and charge you for more hosts. Your freedom hasn't changed, only your billing has.
I can get a static IPv4 address for a nominal fee with my residential account. My ISP also gives me a /56, so I have quite a few addresses to play with without a 'business account'.
So from where I'm standing IPv6 is not identical to IPv4.
That is the ideal. But i dont see the home router nat going away. Infact in many ways it is a good thing every home has a nat/firewall going, removing that for ipv6 would be a step backwards. Better and more reliable upnp would be nice.
> If everyone is routable it cuts the gordian knot in the "What kind of content should be allowed on our platform?" question by allowing everyone to simply be their own platform.
Do you think the adoption of IPv6 would lead ISPs to drop their ban on running servers from non-business accounts?
Not allowing inbound connections is arguably a feature for most users, not a bug.
I don't think that even given widespread IPv6 adoption, we'll ever go back to a model where residential or mobile internet connections will allow for public reachability by default.
Of course, NATs and firewalls are not the same thing (you just effectively happen to get the latter when deploying the former). But I firmly believe that the bulk of technologies that give us dynamic endpoint lookup and coordinated firewall traversal will outlive IPv4 and NAT.
As an anecdotal example, I used to have a mobile data plan that assigned a public IPv4 address to my phone, including inbound TCP/UDP reachability! That's neither good for battery life, nor for data consumption (on a metered plan). By contrast, my current one puts me behind a carrier grade NAT, but I have no problems whatsoever making peer to peer VoIP calls to friends behind the same type of NAT.
>ipv6 allows everyone to be an equal on the internet again. Right now half of the computers hooked up to the 'net aren't even given a routable IP address.
Given how sht the security on IoTs is I'm not convinced giving everything a routable IP is a good idea frankly. At least not until the IoT players up their game significantly
Unfortunately NAT has made us lazy. If even a small number of a particular type of IOT device is being deployed on native IPv6 networks, you’ve got to face the security consequences anyway.
Also NAT is not a firewall, but that’s a story for another day.
NAT is a poor person's firewall, and even if everybody were to switch to IPV6 I believe that NAT'ing would be here to stay. There are lots of disadvantages to sitting behind a NAT but the positive part of it is that it actually does have some security benefits. I used to absolutely hate NAT but over the years I've come around a bit, and UPnP made it bearable from a tech point of view.
This is completly incorrect. While NAT is almost always combined with a stateful firewall, the NAT itself does not provide any security.
Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not. They are identical in terms of security.
> This is completly incorrect. While NAT is almost always combined with a stateful firewall, the NAT itself does not provide any security.
It most certainly does. If you have an insecure device behind a nat, say something with telnet sitting open, a port scanner from the outside won't be able to find it (unless you've gone to great efforts to allow inbound connections without an established outbound connection). This is objectively better than if that device were directly addressable.
> Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not.
Not always. My last router came with the firewall off and that was just a few years ago. A lot of consumer ISPs don't bother with the firewall because they don't want to field customer service calls about things not working.
When most people say "NAT", they really mean "PAT". Port address translation: multiple private IP addresses behind a single public IP address. When a non-pedantic person sees "NAT", they understand it is actually "PAT." And in the typical consumer configuration, it actually does provide some level of security.
And when people talk about "PAT", they're actually talking about a form of NAT that doesn't block connections.
Here's how you do "PAT" on Linux: `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`. Notice how it's limited to outbound connections ("-o wan0")? That means it doesn't apply to inbound connections, and thus doesn't have any effect on the behavior of inbound connections.
If it doesn't have any effect on the behavior of inbound connections, then how could it possibly block inbound connections?
(The typical consumer configuration pairs "PAT" with a firewall, and the firewall does block inbound connections. It's also typical to pair it with RFC1918 addresses, which doesn't block connections but does make it much harder for most people to make the relevant connections in the first place. None of that changes the fact that "PAT" doesn't block connections.)
So in other words, even without a firewall, it still provides some level of security. If your attacker can't route to your target's addresses because they are private RFC1918, they're "blocked" for all practical purposes. Yes, I know they're not technically blocked... but the typical attacker 10 hops away isn't going to know...
On the other hand, this might also give other people a false sense of security. Most people who tell you that "NAT provides security" think that NAT somehow drops packets, and if your network is actually targeted, this myth might well be the reason why someone ends up downloading all your files by connecting to your file server through your NAT gateway.
In practical terms, it still provides some (low) level of security. If an attacker can't get IP packets to your machine because it's on an un-routable address, they can't attack it. If your attacker is getting "cooperation" from your ISP to route to it, you have bigger things to worry about it.
It won't prevent an attacker from getting IP packets to your machine. How could it do that, when it only acts on outbound connections and its only act is to change the apparent source address of those connections?
The discussion is about NAT and PAT in general. 99% of the time it is used with unrouteable private addresses. This means even in the absence of a firewall there is still some level of security. End of story.
It's common to use it with RFC1918 addresses, but that still doesn't change the behavior of PAT. PAT will not drop connections, and thus won't provide you with security.
In standard consumer networking, say I have a /24 (say 192.168.1.0/24) and one dual-homed host performing Network Address Translation to a Internet routable address, how would an attacker easily initiate a connection to one of the hosts on that internal subnet from somewhere on the Internet?
They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.
> They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.
That's not obvious at all. Now, you obviously can't just inject a packet addressed to 192.168.1.1 anywhere on the internet and expect it to turn up on any particular LAN, but that just excludes a subset of the possible attack vectors for unwanted inbound connections.
Your ISP can still send you packets addressed to 192.168.1.1. Thus, obviously anyone compomising your ISP, or some subset of their routers can as well (hello Cisco hardcoded passwords!). Also, it has happened that ISPs failed to isolate customers from one another (think multiple customers on the same VLAN), so your neighbour could send packets addressed to 192.168.1.1 to your router's WAN interface as well. Or potentially malware on their network, if someone were to systematically exploit such a setup.
It isn't even unheard of that ISPs forgot to disable routing protocols on customer-facing interfaces and some CPE managed to advertise their RFC1918 space via RIP to their ISP's access network.
Or, for that matter, an attacker could just hook into your uplink between you and your ISP, if you are a valuable enough target, to gain access to your CPE's WAN interface.
All of those are actually solved security-wise by having a stateful firewall, which will also prevent inbound connections from anywhere else on the internet.
So it does provide practical protection to use NAT in that you've reduced the set of valid attackers from "anyone on the Internet" to "people with the ability to affect the upstream router in my ISP"
That (for most average consumers) is a vastly reduced attacker set.
> So it does provide practical protection to use NAT in that you've reduced the set of valid attackers from "anyone on the Internet" to "people with the ability to affect the upstream router in my ISP"
Except it really doesn't because you haven't?
There are two practically relevant circumstances where the statement "NAT provides security" is made:
1. With regards to real-world home routers (which also come with a stateful firewall), in which case the statement is simply false: Adding or removing NAT makes no difference whatsoever for security. This is also the scenario that then is used to argue against IPv6, because IPv6 supposedly lacks this security, when it just doesn't, because the IPv6 router also comes with a stateful firewall, and adding NAT (or disabling IPv6 because of a "lack of NAT") achieves absolutely nothing security-wise, because there is no problem in the first place.
2. By people who falsely believe that NAT does in fact prevent all inbound connections and for that reason fail to configure the necessary firewall rules on more business-oriented routers, so the belief that "NAT provides security" keeps them from actually securing their network, and that in particular in scenarios where it is much more relevant than for your typical home user.
So, it is technically true that NAT could have security-enhancing effects under artificial circumstances. But under all real circumstances, it either just doesn't, or the belief that it has is what causes the configuration to be less secure than it easily could be, if only people didn't have the completely not-understood belief that "NAT provides security".
You're technically correct but in practice ever since NAT has been a thing routers have stopped passing on incoming connections to the machines behind it unless specifically - and usually laboriously - configured to do so. This is also why NAT is considered hostile to a peer-to-peer internet, which prompted this very good article:
The router has a public IP and everything behind it has a local one. That you can do NAT in different contexts and that technically you could have NAT without the firewall functionality doesn't change that this is 99.9% of all NAT applications.
I think this distinction is very important, for the following reason: Once you've acknowledged that firewalls are technically optional, but used in 99% of cases, there's no reason to say why home routers wouldn't come out of the box with IPv6 firewalls in 99% of cases too.
And this is in fact what we see in the real world with IPv6 deployments. Roughly 50% of my country has IPv6, and every single provider provisions it with sensible default firewall rules.
By that same logic, NAT provides internet connectivity. 99.9% of all NAT applications come with an internet uplink. Therefore, you need NAT for internet access. Not.
This is just arguing semantics. It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router. This has many of the same effective security benefits as a firewall blocking inbound connections does.
Another way of saying this: the companies that make cheap, crappy routers can do the absolute bare minimum and not end up exposing internal devices to inbound internet traffic. So NAT provides security against the cheap, crappy router manufacturers.
With IPv6, the opposite is true: The router manufacturer has to do deliberate extra effort to block inbound connections, beyond just making the router "work". Will most router manufacturers do this extra effort and include a properly-configured firewall? Probably yes, especially if they don't want to get a terrible reputation for being insecure, which would (hopefully) eventually drive them out of business.
Will absolutely 100% of them always do this properly and never make a mistake? I wouldn't bet on it.
> It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router.
Unless your router has UPnP port forwarding enabled—as most home routers do by default, since popular apps require it—in which case any device can open a hole in the firewall for whatever incoming traffic it wants. In this scenario NAT provides no additional protection beyond what the client device could provide for itself by simply not accepting incoming connections. To get security from a NAT setup you need to disable UPnP and manually configure any required port forwarding, which is at least as much effort as properly configuring an IPv6 firewall.
The right solution IMHO is to have a separate LAN/WLAN/VLAN for the untrusted IoT devices which rejects all inbound connections from the WAN (no UPnP support) as well as all outbound connections to the main LAN. Outbound connections to the WAN for updates or cloud-base control are permitted but logged; inbound connections from the main LAN are also permitted, to control the IoT devices locally. For the main LAN the router should only perform basic filtering for malformed or misrouted packets—ones with an external or multicast destination address or an internal source address, for example. Apart from that, devices on the main LAN are expected to handle their own security. Laptops, smartphones, tablets, and other mobile devices are already required to handle this since they are routinely connected directly to untrusted networks.
My guess is the firewall functionality will stay as long as IPv4 and thus NAT remain relevant. Once IPv4 has faded into obscurity, we'll see the advent of IPv6-only routers that are really only dumb routers ... and wireless access points.
But that just isn't true. There is nothing in NAT that requires dropping inbound connections, so crappy router manufacturers might be failing to do so right now. If there is no firewall on the device, it won't prevent inbound connections, no matter how much NAT it does.
In theory NAT provides no security. In practice it does.
The way common household NAT works is you have hosts on a private IP space behind a NAT device with an ephemeral internal IP/port table. When an internal device initiates a connection outward the NAT device takes a note of the IP address and port it is connecting to and writes them to the table, along with its own port mapping.
When a packet arrives addressed to the NAT device it checks the table and if it finds a matching entry it rewrites the packet and forwards it back to the original host.
So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.
Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device and have somehow routed a packet with a destination address that is on your internal network. In this case, the NAT will just forward the packet onto your internal host and provide no protection as they say. However, it ignores the difficulty of getting your ISP to route an RFC 1918 address to your NAT device in the first place. The very fact that your internal hosts are on non-routeable addresses is a form of protection provided by NAT.
> So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.
The lack of a mapping table entry just means that your packet doesn't get translated. It doesn't mean that inside hosts are unreachable.
> Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device
Yeah, so: NAT isn't a firewall. The firewall is a firewall. NAT is typically deployed together with a firewall precisely because NAT isn't a firewall.
This is an important distinction, because it means that the security you think you're getting from NAT is actually coming from the firewall, meaning you don't need NAT to get that security.
Note that I'm not ignoring the issue of reaching non-routeable addresses either. Your ISP can route to your LAN range easily, and there are plenty of people who could trick or force your ISP into cooperating. If you want to be secure, you can't rely on "probably I won't receive any evil connections, it'll be fine", you need to actually block them. If you're in a situation where non-routeability is relevant then you were already insecure.
You've also forgotten that NAT doesn't provide you with non-routeable addresses, even if it's typically deployed with them. It works on any address range and it has no impact on the routeability of the range you use. NAT is also not required to use non-routeable addresses (which as mentioned aren't even secure in the first place). So, again, it provides no security.
A bit incorrect. There are IPv6 protocol changes (ex. ICMP vs ICMPv6) where the newer protocols are more secure. But actually having a private IP behind a NAT gateway is more secure in general, because nobody can directly route to a host behind your NAT, without exploiting reverse NAT traversal. IPv6 will allow easier exploitation of default host configurations due to being able to route to them easier.
Will it? You'd still have to get around the router firewall, the host would have to have no firewall of its own and be exploitable and also you'd have to _find_ the host first.
This also needs to be balanced against the difficulty of exploiting servers that have been deliberately exposed to the internet, for example cameras or NASs. People often expose those deliberately (via port forwards on v4) so they can access them remotely.
v6 will make it harder to exploit those devices, because it makes it harder to find them in the first place. Most botnets that run on cameras etc spread via random network scanning, so making those devices harder to find makes it harder for botnets to spread. You can consider this akin to vaccination's effect on the R value for a contagious disease: vaccination can eliminate a disease even when it doesn't eliminate 100% of infections. If a botnet can't find enough vulnerable hosts to exploit, it'll die out.
NAT with port forwards makes it far easier to find devices like that, because it reduces the search space. v4 reduces the search space further still, to the point where it's quite feasible to do an exhaustive search.
On balance, I think this makes the larger address space (without NAT) less exploitable.
A stateful firewall that rejects incoming connections is conceptually simple even without NAT.
NAT itself does have the security benefit of masking more bits of client identity though. If I had a bunch of machines on an ip6 prefix, I would still want their outgoing connections to be NATted, to avoid address-based tracking.
That isn't really necessary any longer. Modern IPv6 stacks devices use and periodically rotate through temporary IPv6 auto-allocated addresses for privacy reasons.
AFAIK "privacy extensions" are just designed to avoid putting the (customarily) fixed MAC address onto the wider Internet. If each device still has a specific /128 at any given time, then the number of devices and the connections from the same device can be inferred - the statistical distribution is still drastically different than per-connection NAT.
We can envision a better version where each device pulls multiple addresses at a time and rotates through them basically per-topic, but I don't think stacks are really set up to do that. But sure we could get there eventually, at least modulo outdated firmware stuck with said vulnerabilities. On the other hand, if we already need maintained premise routers to manage incoming connections, they can simply NAT outgoing connections and get a perfect probability distribution across IP6+port that fully masks the internal network.
Ultimately I think the distinction between "outgoing" and "incoming" connections is only going to continue increasing, regardless of IP6.
NAT is really firewalling at all. It just accidentally implies a "default block new inward" policy, which any good actual firewall setup for IPv4/IPv6/other would have as a default anyway.
Were it not for home routers supporting NAT because they need to with IPv4, the same routers would have a basic firewall with that default block rule in place.
> If everyone is routable it cuts the gordian knot in the "What kind of content should be allowed on our platform?" question by allowing everyone to simply be their own platform
No, it really doesn't. It makes easier one aspect of developing peer to peer software. Which sure is a good thing, but it's not some panacea. Our regressive software landscape didn't come about because end users simply didn't have easy access to routeable IP addresses. But rather because tinkering with software can be tedious, developing easy to use software takes resources, and the most straightforward way of recouping that investment through surveillance and control.
Right now, you can get a VPS with perfectly routable addresses for $5/mo. And if you're not interested in or able to afford that, you're certainly not going to leave your own machine up 24/7 as a server. In reality, IP/DNS is a namespace that's terrible for user-facing systems - it itself causes centralization by necessitating that singular authoritative servers answer requests for a named object. What we actually need for a non-corporate net is higher level addressing such as content concentric networking (IPFS et al).
(I've gotten some downvotes, and I would be really interested in hearing the actual disagreement. I know we're all biased to think this paradigm of IP4/6 could do everything we want, if only it were used "correctly". But after a few decades of watching things evolve I just don't see how it's sufficient for de-centralization).
The public commercial platforms offer far more than just a routable IP. You get reach, reliability, resilience, and security (the kind you don't get to build yourself).
Being your own YouTube/FB/Twitter/someChan/etc. platform means almost nobody will ever hear about you, the ones that do can easily wipe you off the internet, coming back is a real hassle, and that your data will leak is basically a forgone conclusion. Being your own Dropbox/GDrive may not need the reach but still relies the other three to provide value. And the list can go on for almost anything you can think of for "being your own platform".
The overwhelmingly vast majority of people have little to no interest in building and maintaining any such platform. It's why so few people actually do it today even when having a routable address. It's inconvenient even for skilled people, let alone regular ones.
Yes, by comparison, approximately no one in the world has heard of PeerTube, Friendica, Mastodon or Disapora. And even of those that have heard of them, few actually use them. Centralized platforms for these things are simply so much more convenient and discoverable that there really is no competition.
Look at the speed with which WhatsApp was adopted (talking about before the FB acquisition), and compare to Mastodon or Diaspora - there is no contest.
Mastodon is big news in India at the moment, to the point that some newspapers are trying to pretend it's centralised and "hates right-wing people" (because one instance refused an account to a police organisation).
If it's getting newspaper coverage, it's probably not all that niche.
None of those are your own platform. You have a share in them. Their value isn't in being "your own", it's explicitly in being "nobody's own" or "everyone's", depending on how you read it.
If you somehow use them only for yourself so they run effectively as "your own" (assuming you can and want to isolate them) you run into the same issues I mentioned above.
Your comment in brackets applies very much now ;).
But that wasn't your own platform was it? It was explicitly distributed. The crux of my comment was the "own" part. You don't just have a share in it, it's yours.
The comment I was replying to clearly states "be their own platform" which is why I replied to it. What you're saying is a completely different conversation and the arguments don't dismiss what I said: the number of people who can successfully "be their own platform" is statistically insignificant so IPv6 is irrelevant for this purpose in particular.
I still don't understand how bittorrent (or any decentralized platform) is "your own platform". Most people will always just be part of someone else's platform. Whether it's YouTube, PeerTube, or friendica, it's never their own and IPv6 won't change that. And they explicitly sell themselves as distributed which by definition makes them shared, everybody's, or nobody's. They can never really be your own and that's exactly what their appeal is.
Most people are unable (due to skill, money, or effort constraints) to manage their own platform. And the ones who can don't need to wait for IPv6.
While people seem to be unhappy with this argument and are downvoting it, it gets at a fundamental truth about "big silos" vs. "own your own content": the vast majority of the world isn't on Facebook and Twitter rather than individual Jekyll and Mastodon instances because they're waiting for widespread IPv6 adoption. There are substantial usability hurdles for the Average User in doing this sort of thing, and if we're really serious about letting more than tech nerds "be their own platform," that needs to be addressed.
Having said that, it's still possible to hear about independent websites, nobody can "easily wipe me off the internet," and I'm pretty sure my data is far more likely to leak from actual YouTube/FB/Twitter/someChan/etc. than it is from a non-monetized, advertising-free Mastodon instance, let alone my static website. But it's also absolutely true that the best way for me to drive traffic to my web site is getting linked from Twitter or Reddit; discovery is one of the big problems for federated, decentralized networks.
Not OP, but I can tell you why I as a consumer am very much not interested in IPv6. My ISP supports it, but I have intentionally disabled it.
It only causes problems for me with absolutely no gain. There isn't a single website I can't reach, and no website that I've found runs any quicker when using IPv6.
But at the same time, if I have v6 on, it causes delays in name resolution and sometimes I just can't connect to a site until I disable v6.
I still have an addressable v4 address, so I can still run a home server.
I don't know how to fix this. I know that v6 is good for the planet, and I know these problems won't get better until more people are using v6, but it's definitely a chicken/egg problem.
> But at the same time, if I have v6 on, it causes delays in name resolution and sometimes I just can't connect to a site until I disable v6.
That sounds like your ISP does not actually support IPv6, eg. doesn't have the full Internet routing table for v6. I've seen this happen.
DNS v4/v6 resolutions can also hang with glibc because of a well known bug with Happy Eyeballs when ISPs that fuck up outgoing DNS packets (eg. messed up stateful NAT/DPI). "options single-request-reopen" in /etc/resolv.conf is a workaround. See https://bugzilla.redhat.com/show_bug.cgi?id=505105.
I would contact your ISP, or at least publically shame them. This is not how IPv6 Internet should work (source: we provide IPv4/v6 as an ISP and take care to prevent issues like this).
Even if the ISP does everything right, there are a lot of small sites with broken IPv6 setups caused by incorrect server and DNS configurations. While my ISP appears to provide a solid IPv6 setup, I've ran into quite a few issues with sites either:
- Serving different content on IPv4 vs. IPv6, e.g. just showing Apache2's "It Works" page
- Serving some subresources behind a reverse proxy on IPv4 only (and 404ing on IPv6)
- Forgetting IPv6 AAAA Records after a server change
Trying to debug this as a user is annoying and even if I identified the issue before leaving the site, working with sites to get it fixed has been an issue. I quickly ran into the "Works for me" issue, when the administrators (and a majority of their users) ran on IPv4 only networks.
Ultimately I just disabled IPv6 on all my systems because it ends being more trouble than it's worth.
It's AT&T (UVerse). If they can't get it right, I don't have much hope for anyone else.
Also, I don't even use my ISPs name servers, I use Cloudflare or Google, so I don't think it's that unless the ISP is somehow munging the packet in transit, which I suppose is possible.
Honestly I think it is all due to issues with the v6 stack in MacOS.
But my point is, I shouldn't have to be a network engineer to make v6 work. I should be able to turn on my computer and just have it work.
> Also, I don't even use my ISPs name servers, I use Cloudflare or Google, so I don't think it's that unless the ISP is somehow munging the packet in transit, which I suppose is possible.
That's exactly the problem. You send out two v4 DNS UDP packets one after another (one for A, another for AAAA), both go via your ISPs CGNAT, the CGNAT gets confused, one of the packets gets dropped. I've seen this exact behavior when talking to 8.8.8.8 on Orange in Poland (and they do DS-Lite). It didn't occur with the ISP's DNS, because a) they were also on v6 b) they weren't getting CGNATed.
> But my point is, I shouldn't have to be a network engineer to make v6 work. I should be able to turn on my computer and just have it work.
By disabling IPv6 you're letting shit ISPs get away with this. Your ability to debug this and to figure out it's the ISP's issue should be used to voice your concerns, and not just let this slide.
Oh yes of course what I meant was they are a huge ISP and have lots of customers, and if it doesn't "just work" for them, then what chance does anyone have of v6 taking off?
I've never had any issues with IPv6 on Comcast, and I've been using it almost since day one. AT&T is not a company you should ever hold up as some kind of good example of network engineering.
I was never able to get ipv6 to work when I was on AT&T, couldn't even get addresses assigned. When I got on Cox at my new house it worked out of the box. So some ISPs get it right.
> With RIRs running out of addresses, that's about to change
I doubt it. Websites that want to be reachable will find a way to be reachable.
> As techs, I think it's our responsibility to push this forward and keep the Internet free and decentralized
I agree, but there is only so much I'm willing to sacrifice for that effort. I've tried to use v6 for at least two weeks on three separate occasions. I do that about once a year. That's the level of sacrifice I'm willing to make for this effort.
My hope is that one year it goes so smoothly I forget to switch back.
For web servers it will be CGNAT in reverse. One overloaded IPv4 load balancer trying to keep up with too many servers behind it. But you'll be able to use its IPv6 address directly.
One benefit I've found of having IPv6 enabled is that it allows me to use certain sites (particularly gmail) while my PC is connected to my work network via a VPN.
Edit: I should point out that I had no idea my machine was using IPv6 until I wondered why I was able to use Gmail and not other sites (such as HN).
I disable v6 on any linux install unless I specifically plan on using it. The fact that it can easily be accessible over lan and over the internet due to how good the auto addressing and link local addresses work is a concern.
Please don't do this. Any firewall will work for security concerns, and RFC4941 support will work for privacy concerns.
I haven't seen a consumer CPE that both supports v6 and doesn't firewall off incoming v6 connections, and I haven't seen any operating system in years that doesn't enable RFC4941 by default.
I will continue to do this. Like I said,if it is planned use it will be enabled and specific firewall rules will be implemented to allow safe use. Not everyone has same requirements.minimizing attack surface ,reducing admin overhead and being explicit about configuration items are some of my needs. V4 is no different, i almost never enable dhcp and might even disable ARP. V4 happens to just be configured explicitly by default.
My ISP provides me with a CGN IPv4 address. I have no ability to access any self-hosted services, unless I pay them money for a static globally routable address, or pay some other company to provide this through some other means (e.g. VPN, VPS, etc)
If they supported IPv6, and gave me a globally routable address that was unfiltered except at my gateway, I'd be happier.
>Our free tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6 enabled host or router to one of our IPv6 routers.
(It's still obviously less direct, and inferior to your ISP supplying native IPv6, but it may improve your situation.)
That solution requires a routable, Non-RFC1918, IPv4 address somewhere to work. If I understand CG-NAT correctly, you don't get a routable address on your equipment.
Not OP, but with more and more IPv4 traffic behind CGNATs, IPv6 begins to be a much better experience. CGNATs tend to be massively overloaded, and as such accessing IPv4 Internet (especially CDNs for multimedia) will tend to result in low speed and dropped connections at peak hours.
IPv6 was always about maintaining the status quo. It doesn't become "better" than IPv4 until CGNAT makes IPv4 worse. (Or if your internal network reaches the scaling limits of RFC1918.)
I’m not a regular consumer, because my views are based on being a system administrator for a company that have a ton of dual stacked and IPv6 only server, but I want IPv6 at home because I want IPv4 to go away completely. No IPv4 would remove a lot of confusion and silly work-arounds.
This is an incredibly niche concern, but I fought to get IPv6 working for myself because I have an EC2 instance that auto-sleeps when I'm not using it (to save money) and every time it wakes up the IPv4 address changes. Amazon will give me a static address but unless the machine is running the static address costs money. Again the whole point was to save money... and static IPv6 addresses are free on AWS.
So as long as I connect to the EC2 instance over IPv6, I get a free static IP address on my server.
That's a direct side affect of the difference in cost between IPv4 addresses and IPv6 addresses. If IPv4 addresses weren't economically rare, AWS would charge for them.
There were a number of good choices. I chose ipv6 mostly because I wanted an excuse to try ipv6. I did consider dynamic dns but didn’t explore it much.
a) for one as a response against CGN, thankfully my ISP isn't using one right now but I have a hunch they're going to start becoming a lot more common in the future.
and b) as a hacker I'm interested to finally set it up and play around with it.
Also IMO even if it doesn't bring any improvements to the general consumer given all the pressure to start switching to IPv6 it is a good thing to be interested about it, pressuring more ISPs to start supporting it.
the casual user at home, with no exposed services to the public, has no real need for a short ipv4 address. ipv6 would suffice just fine for the end user, and the isp can handle the v6-to-v4 translation in their own infrastructure. this would free up a substantial amount of ipv4 space.
the isp could also provide dynamic dns as part of their package for users who do want to access their devices at home. why remember a 4-octet ip when you can get your own subdomain from your internet provider?
That’s not entirely true. Everything p2p is complicated with nat2nat and requires things like STUN, which are not working reliably all the time. Casual users need IPv6 to get better video and voice chats, as well as interactive gaming experience.
Likewise, curious. Would be neat to have it but as someone who supported consumers,v6 is a pain(or rather v4 is still so easy people prefer it when making new software).
I would be if I could pick and choose different parts of the protocol. I don't want each interface to have multiple IPs, and I don't want to jump through hoops to assign static IPs to devices. I don't want to have each device reporting its domain to circumvent the IP problem, and I certainly never wanted 128 bit numbers.
