I'm fully ready to start using IPv6 but my packets won't get past my antiquated ISP. That seems like a pretty big hurdle, no?
There were proposals back in the day (early 90s) for IPng (IP Next Gen, as IPv6 was called back then) to be a hierarchical routing algorithm, that could have kept backwards compatibility with IPv4 and transparently allow seamless operation and routing of IPng islands over IPv4 infrastructure, taking full advantage of the address space expansion.
Think of a sort of CGNAT that instead of stateful hacking with port numbers and the like, would have dedicated fields in the IPv4.x packet, allowing the gateway to statelesly route between the two domains (public IPv4 internet and internal 10.x.x.x network), while maintaining end-to-end connectivity.
Alas, the ITEF guys really wanted a clean slate design and willfully ignored the economic problem, that IPv6 is only useful when everybody upgrades, and as a consequence nobody upgrades. It's probably one of the most costly failures in the history of computing, along with the NULL pointer, 640kB and the likes.
My public v6 would be like 2345:0425:2CA1:2020:1100:0567:5673:23b5, private is fc00::::903A:1C1A:E802:11E4, DNS 2606:4700:4700::1111 (don't forget those consecutive colons).
It's not that I don't like change, it's that I don't like changes that make things plainly worse for me.
It’s clear to me that IPv6 won’t reach critical mass (e.g. 80% of connected devices/servers using IPv6 addresses).
I’ll just wait for a new IP with an actual transition plan.
- Designers think globally routable internet is a huge achievement
- Users just want to hide their devices from the hellscape that is modern internet, with all its threats
These are fundamentally different approaches
And thanks to Duplicate Address Detection, before a new randomly-generated IP is used, a check is made to ensure it is not in use by someone else.
SLAAC reserves bottom 64 bits for autoconfiguration, and while incredibly wasteful it does ensure every MAC can have its own IP address
In other words, no.
Who's fault is this again?
-------------
"- IPv6 is absolutely ready for prime-time and has been for awhile
BUT
"- About half of the internet sites I rely on support IPv6 natively, so there needs to be more pressure on site admins and CDNs to support IPv6 natively"
That is a contradiction.
-----------
"There seems to be a lack of drive (judging by forum posts) to enable IPv6 on internet services by admins, either because they don’t care to, or it’s more work to manage a public IPv4 and public IPv6 presence"
Again, who's fault is it that its so hard? What is the payoff for the extra work?
-----------
- Networks should be designed IPv6-first instead of IPv4-first, and this design approach largely solves most of the major issues
K thanx, but that's not the way virtually every company works. Mayyyyybe a startup? This is unrealistic.
-----------
"Other operating systems are bit of hit or miss"
so... IPV6 is NOT NOT NOT ready for prime time, is that what you are saying?
-----------
What dream world are the ipv6 people living in?
I love this. Who should be implementing ipv6 stacks in OS's? Probably ipv6 people, but ... where are they again? The amount of blame is crazy.
A protocol switchover of this magnitude is about outreach and assistance. The ipv6 crowd has NEVER displayed that, just arrogance, dismissal, and waited for things to get "so bad" in ipv4 that it transferred.
Which is why ipv6 people HATE HATE HATE NAT. It has delayed their grand moment by decades.
...
In an ideal world, the ip++ protocol would have been easier, not harder. BLog posts wouldn't be victim blaming, throwing around NAT64, 464XLAT, DNS64
DNS64 kills me. WHy is there a totally different service for ipv6? Isn't DNS just a key-value store? People put all types of crap into DNS, including, I believe, ipv6 addresses.
Why isn't there a DNS record type that basically lists both an ipv4 and ipv6 for a name, along with negotiation information? Might that make transition a lot easier? Maybe it does, but it isn't in this article.
Just ... all the same problematic attitudes, no progress on issues, my way or highway, and denial.
Many of the companies/organizations in the IPv6 space are some of the most friendly and easy to work with in the industry
I suspect you mean "e.g." rather than "i.e."
Other operating systems are bit of hit or miss"
My iPhone works, what's wrong with the rest of you for not doing this??!!
But in all seriousness, I think this will be a security nightmare for quite a while if there is some forced conversion to ipv6. I realize IPv6 wasn't created yesterday, but I assume it's got plenty of security holes waiting to be discovered until I see otherwise. The only way you are going to see it be used by end-users is if the various *nix distros roll out IPv4-less images. Same for Windows/etc. Otherwise you are begging for a security nightmare of epic proportions with software that is accidentally using the wrong stack by default, firewalls not filtering anything as expected, etc.
And who thinks it's a good idea to make all the things globally accessible? It's an internet of shit out there already, this would make it even worse.
The alternative, having ambiguous addresses, makes systems hard to reason about and monitor, and add compplexity - eg when inevitably "internal" networks end up connected to each other in various kinds of reorganisations resulting in misconfigurations because nobody can tell anymore what the ambigous rule about a 10.xx address meant. Complexity and anbiguity are main enemies of security because you can only secure what you can understand well.
NATs are also hard to reason about in that there's no real spec about what kind of incoming traffic they allow and when. The NAT function is designed to facilitate communication in face of connectivity hurdle presented by the addressing, not limit communication.
Secondarily, to many users both ipv6 routing and NAT are both incomprehensible. I think most home/sme IT admin people who have to maintain everything in their home/company are not in a position to learn everything about ipv6. Having a solution like NAT where you just cant connect from the outside (unless forwarded) really simplifies many things.
Many people are not in a position where they can understand networking fully.
With attacks like NAT slipstreaming your devices are already globally reachable in any real network anyway. That, or FTP/SIP doesn't work, because ALG exploitation can be mitigated by just disabling those protocols.
Just ask the average gamer behind CGNAT how they feel about the security NAT provides them (and what kind of NAT they need), or your average network application developer about the joys of setting up handshake servers to punch holes through NATs.
The curse that is NAT has led to ridiculous workarounds like Nintendo telling people to put their Nintendo Switch in the DMZ if multiplayer doesn't work.
Only way around that is sniffing the communication (say some cloud service that some IoT device connects to) - which would also give you enough information to send your own packets through the NAT/firewall too. Not very feasible for the average attacker and assumes that the device initiates connections in the first place. If it doesn't, good luck finding it remotely.
Personally, I don’t feel the need for privacy at this level of the protocol stack, and if I did, I would not consider IPv6 Privacy Extensions to be adequate. Also, I might like to keep TCP connections alive for more than a day. Therefore, I personally prefer regular MAC-based SLAAC, or even hard-coded addresses, over randomized and rotating addresses.
But IPv6 is not an alternative to CGNAT. If you don't provide either a routable IPv4 or CGNAT, your customers will ask their money back because their internet is broken. The fact that you provide IPv6 or not is completely irrelevant to the vast majority of consumers or businesses.
This here is the major failure of IPv6 design, confusing what "the internet as a whole and the ISP community" need, with the individual incentives that make a single ISP provide for those needs.
Change is about more than just "how many numbers do I have to remember".
I'm holding out for a new protocol/architecture to come along and supplant IP by recognising that it needs to be fully interoperable with 4 before it can supersede it.
Another nail in the coffin of a graceful upgrade from IPv4 is the widespread filtering of IP options in the backbone, the only practical way I know you could craft an extended IPv4 packet that is still routable by the legacy infrastructure while forwarding and maintaining all the extra header data required for routing in the IPng realms. This was not necessarily true in the early 90s, and many hardware generations would have had the ability to fix it.
So I somewhat disagree with the GP that IPv4 was not forward compatible: it included a mechanism for just that in the form of IP options that seemed like a good idea in 1983, but which proved technically inappropriate for the future needs of the internet. So you can't really fault IETF for wanting to break away from that and earnestly thinking people would just upgrade.
The article mentions NAT64, which works well for IPv6-only computers to talk to IPv4 servers. There is enough space in IPv6 to encode the whole IPv4 connection which makes stateless NAT possible.
The other mechanism is 464XLAT and MAP, where IPv4 isn't tunneled over IPv6 network, but encoded in the IPv6 address. 464XLAT is used heavily on mobile phone and uses software on the device. MAP requires support on gateway. MAP is stateless which is savings over carrier-grade NAT.
Because that's what's required to make it fully interoperable. Anything else and it's not a pure IPv4 network anymore and you are in the exact same situation as we are with IPv6.
Of course, this is not a good reason to not use IPv6, don't get me wrong. It's a problem that's easy to overcome, I just think it's not a good way to get people excited about the transition.
Globally routable ≠ globally connectible.
Your (stateful) firewall will still by default block any incoming connection attempts if they are not replies to an initial outgoing connection. It's just that it will no longer be necessary to go through the rigamarole of STUN, TURN, ICE, etc, that goes along with non-global addresses:
* https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_...
Your end-user device knows its address and the address of the other connection point, and can tell the firewall to open a rule between only those two IPs:
* https://en.wikipedia.org/wiki/Port_Control_Protocol
* http://www.upnp.org/resources/documents/AnnexA-IPv6_000.pdf
Further, because you don't have only one external IP, you don't have to futz around with non-default ports if you want multiple instances of the same service (e.g., Minecraft), because each instance can have its own IP.
Further, if you want certain devices to not able to get outside: (a) give them static assignments and block them at the firewall, (b) don't give them a default route so they are subnet-local, or (c) give them site-local addresses via ULA and do not set up NTPv6 translation.
This is an interesting point though personally I love how easy container technologies made exposing arbitrary ports, without trying to configure the software itself, or checking whether it even supports customizing the port.
For example, I could have 3 database instances, each using 3306, but expose them on 30000, 30001 and 30002 or whatever I want.
Tell us with the next 0 day, because that big problem exist, and unfortunately happens every days.
IPv6 == All your devices are globally ROUTABLE and CONNECTIBLE from Internet, your home network is part of internet. It is an additional rule in the router's firewall what temporarily avoids it. Remark in temporarily, as one day the gifted packet will arrive to the router. This is not cool.
So much so -the home network is part of internet- that if you want to create a simple Video NAS or whatever, one have to use external DNS services, as no one have control over its own local IPs... what are served by the ISP. This is not cool.
Even if it was not designed for it, NAT has been helping to secure and giving flexibility to our local networks along decades, but someones decided to reject it from the specification. Bad decision.
Yes, and that's a very reasonable configuration.
But UDP hole punching (very widely used for VoIP, online gaming etc.) works orders of magnitude better with IPv6 than with IPv4, since there is no address and port translation to worry about.
With IPv4, it's very hit or miss, since it depends on both sides' NATs and also requires additional infrastructure (i.e. STUN discovery servers).
It's also probably impossible if you're with an ISP that does CG NAT.
What is the risk you're picturing here? I'm really curious. Features like RFC4941/8981 mean nobody can infer anything about your network from the source addresses they see making requests out if it.
If you want to use link-local V6 addresses and NAT to a global one, you can do that. But IMHO that's sacrificing one of the greatest advantages of IPv6 for no tangible benefit.
They can infer that one IPV6 address matches to exactly one device. (reverse is not true, one device may have multiple addresses per privacy extensions)
Once device is identified all its past traffic is discernible.
Changing addresses means identification needs to be done again but once done it can be associated with past addresses and again, all its history is visible.
Identification might just mean querying a data broker with HTTP headers.
NAT does not have this issue.
Yes there is. I sure as fuck don't want random people from the Internet to know how many devices and what kind populate my home LAN.
If we had networking protocols that took into account the complexities of private addresses it could probably work - but we don't have such a luxury. The entire TCP/IP stack assumes peer to peer connections, and NAT is literally a spanner in the works for all that.
Then... don't route anything on your network.
NAT is address translation, not routing.
NAT makes it difficult for you to host services on your network, forcing dependency on cloud services, and when ISPs do it (CGNAT), it makes it just about impossible unless you want to thread your traffic back through a third-party service. If you want a good chance of keeping some semblance of an Internet around that isn't dominated by huge centralized services, the cargo cult of "NAT is security" needs to die hard.
Imagine if I'm a medium-sized ISP, or a medium-sized software company, or a medium-sized website.
There's a bunch of hassle involved in deploying IPv6. Who knows what it'll do to my users' privacy? Or whether everyone's firewall rules will keep working right? Or whether it'll have some random impact on e-mail deliverability? Or something else?
The main benefit of IPv6 is providing routable addresses for home users, thus avoiding CGNAT.
But zealous firewalling and the rise of mobile devices mean these days almost everything is sent over HTTPS to a cloud server. I haven't had software ask me to open a port on my router in a decade or more. Even games and video conferencing software know they have to work out-of-the-box on networks where the user can't adjust the NAT.
So who's going to benefit from all this hassle - the 0.1% of users who are hosting websites from home?
What's wrong with a firewall that blocks everything by default, yet all your devices have a public IP?
They are, but in practice they are muddled together and I suspect people are going to create subnets with IPv6 in the name of security. In IPv4 NAT is used to make sure your laptop isn't exposed to random script kiddies trying to scan for vulnerable services behind your router. A fun exercise is to plug a RaspberryPi up directly to a public facing IP address and log every packet it receives. Then give those scripts a few services to detect (HTTP server, SSH server, etc.) and look at how the traffic shifts from scanning for ports to scanning for vulnerabilities. Being connected directly to the public internet is a real eye opening experience.
I do believe future IPv6 networks will have gateway machines and/or bastions that are connected to the public internet with public IPv6 addresses. And then they'll have an interior network that they use NAT for. Individual machines will not be routable or discoverable without going through a bastion/gateway that explicitly controls the flow of traffic into a network. Not because this is the ideal way to structure an IPv6 network, but because this pattern is going to carry over from the IPv4 world and there is a lot of momentum in tribal knowledge using NAT as a form of firewall.
I get that an ipv6 router can have a firewall with good defaults blocking incoming connections, emulating that aspect of a NAT.
Even if you never allow anything in from outside that wasn’t established from the inside first, it still removes an added layer of complexity from things.
Of course I do. Why would you not want the option of easily allowing a device to be globally routable if you need it to be?
I think routers should be more explicit about how you set up each new device on a private network anyway. Guest wifi can have a sane default. Private wifi could make a notification pop up on your trusted device, asking you if you want the now device to have access to the internet, and if the internet should have access to the device, and if so, which subnets/countries should be able to access it through which ports.
The whitehouse has a public address, everyone knows its address and yet random people can't just walk in through the front door.
As the parent suggests, IPv6 creates more work to prevent more exfiltration. It is already difficult enough with IPv4.
Could IPv6 fix a web infested with "tech" company intermediaries and return it to one where all participants can connect directly and if desired publish to audiences (without "tech" interplopers). That sort of proposal would make an interesting read for end users.
That should be enough for all your devices to randomly rotate IPs for a lifetime or a few without any NAT.
- Our ISPs support IPv6 but routing quality is way worse than IPv4 including occasional inability to connect to some networks or greater latency than IPv4. I had to create tickets with such issues understood that most probably they just don't have IPv6 BGP sessions to all their upstream providers they connect.
- How the VPN (an employee / road warrior setup) should be configured since from the routing perspective you don't need a VPN to connect from your home to the office? Assuming both have proper IPv6 connection and all devices in the office and your laptop have a globally addressable IP address. Employee can have IPv4 or dual stack at his home, where is dual stack in the office. Very confusing. Looks like Fortigate also don't have an idea and decided to not support such case.
- You have to be careful with site-to-site VPN since even your internal services like database are now globally addressable. You really need proper firewall rules / routing policies to not leak unencrypted packets over internet.
- SLAAC is cool but doesn't provide DNS configuration. (there is RFC8106 but is it supported by all OSes?). You need DHCPv6 for that. You have to choose: use only DHCPv6 or SLAAC + DHCPv6 or just relay on the vast that DNS will be proviedd by DHCP IPv4 in a dual stack setup.
- The way of providing high availability gateway address in a network is different. You need router advertisement where you can provide priorities. That actually is much better than any other VIP mechanisms (no issue with MAC table updates, etc.) but you need to know that.
- OSPF works a bit differently. For example: there is no authentication in router communication in OSPF itself, you are supposed to use IPSec.
The list is longer unfortunately...
Biggest one for me personally is that my current ISP doesn't give stable prefix. Power outages or firmware updates requiring a router reboot thus can cause the PD to be changed and potentially break firewall rules that are sensitive to the PD. In an absolute worst case, it also means that none of your hosts can reach the internet anymore if for whatever reason they're not updated of the prefix change.
No, the ISP is not supposed to that. But I don't see them changing this behavior any time soon. Yes there are ways to mitigate (ULA, mDNS, DNS, DHCPv6, etc) but now you're introducing additional complexity that didn't exist before into the network when I keep hearing how Ipv6 is supposed to reduce complexity. And IPv6 is complex enough to make my head spin without considering those workarounds.
Other issue I can think of off the top of my head is how to deal with an organization that would requires multi-WAN fail over or load balancing? The only solutions I've see thus far are far beyond my level of skill and budget. I assume also that there's similar problems when asking about a load balancer between multiple gateways to the internet.
Let's say I have a very small home lab. I have a handful of hosts that get their IP addresses via DHCP from my router. In the router, DHCP and DNS are tightly coupled such that the router essentially always knows the MAC address, IP address and hostname of each device.
Now I want to run IPv6 on this network as a first-class citizen. Since DHCPv6 is apparently frowned upon by v6 purists, and not all devices on my network support it, that leaves SLAAC. My understanding of SLAAC is that each node essentially picks its own globally unique IP instead of asking a router for the IP. My question then is: is there some standard for the DNS server on the router to somehow know the v6 IPs of the hosts on the network so that it can automatically create the right A records?
If you run a mailserver adding ipv6 support is far more risk to your domain's mailserver reputation than it is worth. And if you're just a human person and not a megacorp that new ipv6 address, even if it it doesn't immediately hurt you, will take a very long time to get accept, longer than an ipv4.
The fight between your average video game and NAT has caused me so many problems over the years (including port forwards to receive traffic because whatever NAT punching mechanism the game used didn't work).
Running dual stack does cause some weird debugging ("why can't my laptop connect to github while everything else works? Oh, DHCP broke") but that's mostly because of problems with the IPv4 part of the network.
I think going IPv6 only isn't the way, not yet anyway. DS-Lite seems to be working fine as a replacement, though: CGNAT for IPv4 and normal IPv6 for real connectivity. Full fat dual stacks would be better, but realistically I don't think that's going to be brought to the masses.
For hosting stuff, not having to remember what SSH port maps to which server in my home lab is a nice addition. Being able to directly reach LXC containers is also quite useful, as is using separate addresses for individual hosted services.
I don't know why everyone here has such terrible ISPs. Unstable IPv6 prefixes, broken routing, weird custom allocations, your ISPs all seem so cursed! No wonder people are so mad at IPv6, your ISPs are sabotaging your internet.
Add that to the list of thousand cuts.
The best idea I can come up with (at least right now) is: put all less trustworthy (read: Closed source) devices into a special legacy IPv4 network and only use IPv6 on my workstation and little Raspis?
This articles section "here are some reasons you should start using IPv6 within your own network" seems to comfirm this. None of the 6 "reasons" speak to me.
My ISP router could do max 800 mbps, which isn't so bad, but it degraded when we were multiple people using the link. With IPv6 it's much less of a problem, we can easily saturate the 1gbps without the router having a meltdown.
I don't know of a single game that supports IPv6, although some consoles might?
I remember reading about this as well. Wouldn't that also apply to stateful firewalling, though? Or is NAT inherently more computationally difficult (e.g. due to having to recompute IP and/or TCP/UDP checksums) than checking a state table?
[citation needed]
>That's why gamers push for IPv6.
[citation needed]
What are the non-network team business benefits to IPv6 over v4? That is what drives adoption.
I don't expect them to move forward on it until significant sites become ipv6 only as they've admitted that they have more than enough ipv4 addresses for their subscriber base, so there's very little incentive for them to do anything atm.
I think I've still got my HE IPv6 t-shirt somewhere, from when I completed their readiness quiz so years ago!
Edit: I actually decided to set up a tunnel, just to see how well it worked, and it turns out my ISP supplied router won't forward the protocol 41 packets anyway, so that's a total no-go.
I suppose I could probably set up a small VPS and Wireguard vpn, then forward the IPv6 packets that way?
I hate this attitude. This is isomporphic to saying "stop thinking of system call interfaces as a security mechanism and think of them as an address space sharing mechanism". It's not technically wrong, but it's wrong in practice.
Even the most naive NAT can't misroute an inbound packet. If you have an internal host and it doesn't talk to anything outside the firewall, then no one else can reach it. They have no name for it, the packets won't go. You get this even if you don't understand how it works. You get this even if the router has no idea about the host.
Give everything a unique address and now the router needs to know who is safe and who isn't. That's a decision point that requires configuration by human beings, and human beings get stuff wrong.
No, NAT is your friend. Use NAT. Use it even if you're an IPv6 nut.
That would be full cone NAT, right? Can't think of anything more naive... :)
And that can definitely bite you in the ass.
heck, they even inventend protocols to do automatic NAT setup (UPNP) because configuring NAT by hand confuses people a lot.
There aren't enough IPv4 addresses, so any ISP using IPv4 addresses is going to give 99.999% of their customers exactly one IPv4 address. Not ten. Not two. One.
So NAT has to work. Grandma has nothing to configure because either NAT works or grandma is calling her ISP to ask why her tablet ain't working.
So when the customer gets exactly one IPv4 address, the ISP is forced to hand a router doing IPv4 NAT. They have no way around it.
While if you take an ISP handing out hundreds of billions of IPv6 addresses to each customer, well... They are not forced to hand a router which does proper firewalling.
It's not a question of whether it'd be easier for the ISP to give a correctly configured IPv6 router firewall vs handing an IPv4 correctly doing NAT.
It's that when they hand one IPv4 address, they don't have the choice. NAT must work and there's no way around it.
Yup. I work at a large, complicated infrastructure organization. Our firewall guy has a lot on his plate. Having him manage the security concerns for IPv4 and IPv6 is a bad idea when considering the tasks we have and the labor available. Similarly, having the networking team implement IPv6 on top of their already significant projects results in less time available to do other things.
I look forward to the day when IPv6 is easy and universal, but I can completely understand why many admins aren't bothering.
HOWEVER,
My ISP regularly messes up with its ipv6 routing (deutsche Telekom (so as big as it can get for me) and if that's not the problem, the mesh networks on my (current gen) fritz networking equipment (very widely used in de) eats itself and sometimes just routes my traffic to nirvana.
This is especially bad with online gaming services like xbox live, who for the love of themselves don't have a fallback to ipv4 implemented, once ipv6 drops. "i have an ipv6 so I'm gonna use it no matter what".
Therefore I have dual stack vpns hooked up to my office network which connect to the datacenters I am using. My private network is ipv4 and sadly will remain like that for a while.
So any address of the current length you just treat it as if it has zeroes in front, otherwise you use the longer length which allows for many more addresses. Problem solved.
If you manage to solve that problem, you'll probably have invented something a lot like NAT64, which TFA talks about.
Something like, I'll-sell-you-my-v4-blocks-at-a-later-date-forfreeipv6-bandwidth-today-as-a-service ...
Re-Send them nostalgic AOL CDs as the advertising...
ping6 news.ycombinator.com
ping6: news.ycombinator.com: Address family for hostname not supported
I’d bet that this will be the source of some gnarly leaks in future. If it does my bet would be it’s going to follow the “API keys on GH” trajectory.
For the most part, yes it's supported by major OSes. (ND RDNSS) https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_...
Uhmm I might be wrong here, but can’t you just not assign global IPv6s then? Keep your local network on ULAs (https://en.wikipedia.org/wiki/Unique_local_address) for network-internal routing
SLAAC can provide DNS configuration, see RFC6106 for instance.
You can do HA in the same way with VRRP or whatever too, as you point out the built in mechanisms are generally better but you don't necessarily have to use them.
The chance of traffic leaking still exists, and does happen a lot with legacy IP too. The difference is that with v6 the traffic will be routed back to you, so you will be able to see it on your border firewalls. With legacy IP, the traffic will be dropped by the ISP or absorbed by the local network so you don't know it's happening and consequently you probably won't try to do anything about it.
I wish there was something in the ipv6 standard that allowed referencing an ipv6 without the prefix on your local subnet (ie: :::10a1:da35:2f4d:3cfc). So you could do all your internal networking with the consistent suffix and just deal with the changing prefix the same way we do with a dynamic ipv4 addresses, dynamic DNS. I'm certain there's a reason something like this couldn't be possible but it just seems like something along these lines is missing.
That's what the link-local address on your interface is for.
Tie all your network config to your IP space provided by your ISP and now suddenly it's a pain to migrate to a different ISP
Or, if you want to carry your own IP space, now you have the administrative overhead of managing that (and, now you have to go with higher-end business internet service that may be more than you need, just to support bringing your own IPs)
Or, if you want to keep things local, run a lightweight nameserver on your LAN to resolve .home or .lan domains. Much nicer to type fridge.home in your browser than 192.168.1.57 or some such.
ULAs are neither "additional complexity" nor "reduced complexity" compared to IPv4 NAT - they're the exact same. Both require you to decide on a private prefix, set up DHCP / DNS / static IPs within that prefix, and set up translation for that prefix.
>Other issue I can think of off the top of my head is how to deal with an organization that would requires multi-WAN fail over or load balancing?
Exactly the same, ULAs.
This is the situation I settled on for my home, because having redundant ISPs means a lot of headaches and I obviously do not qualify for a PI allocation. Every machine on the network gets a ULA address that remains stable, and to deal with ISP failover I have a script on my Mikrotik router to change advertised prefixes when the primary ISP goes down.
Took more work than my v4 NAT setup, and I hope more network vendors build-in support for the WAN failover bit in particular because every consumer/prosumer kit I've used does absolutely nothing for v6 traffic (I literally could not have done it without Mikrotik scripting or rolling my own router because no off-the-shelf distro like opnsense/m0n0wall/etc have support for this).
Stateful DHCPv6 is the bad one. It assigns hosts specific addresses.
> the router essentially always knows the MAC address, IP address and hostname of each device.
You can still have this with ipv6 addresses. They easiest way is to use eui64, the original ipv6 addressing scheme where the address is calculated from the subnet + the MAC address of the interface. That way server VMs get deterministic addresses. If you use network-manager you can configure eui64 with the "add-gen-mode=eui64" setting.
In my homelab, I have a few server VMs that use eui64 addressing whereas the end user devices use privacy addresses randomly selected from the subnet.
It's not a dichotomy between DHCPv6 and SLAAC. You can hard-coded addresses too. Since it's your homelab you presumably already know all the devices that will be connected. It's what I do.
You may not even need to hard-code the prefix everywhere. Eg with systemd-networkd you can configure the device as:
[Network]
IPv6AcceptRA=yes
[IPv6AcceptRA]
Token=static:::1:2:3:4
>My question then is: is there some standard for the DNS server on the router to somehow know the v6 IPs of the hosts on the network
NDP discovery (`ip -6 neigh show`) will let you know about other IPs (and corresponding MAC addresses) on the link. It won't do anything for matching them up to DNS names.
The main hold out against DHCPv6 is Android:
- I’m never going to remember MACs
- Even when IPs are carefully thought out, if something happens to the DHCP server and it needs to be rebuilt, IP no longer tells you anything about what device it is
Whereas hostname/DHCP client name shows up in almost every router UI, is viewable from any *nix machine on the network (when DHCP and DNS work together), and is typically a first-class citizen in the DHCP lease settings themselves. Super handy. As a side bonus: rogue hostnames are immediately obvious, but rogue MACs or IPs require investigation before you know whether they are benign.
The point GP had that it won't work, then DHCPv6 is not used.
I ended up with bind and rfc2136 dynamic updates. Not all devices are capable of doing it, but it is what Active Directory does by default.
There are options for IPv6: PFSense, as an example, has "Assisted" RA mode where devices can use SLAAC or DHCPv6, so you have SLAAC for general clients that don't need more (e.g: phones that don't support DHCPv6), but clients that want more can use DHCP to provide specific reserved addresses and DNS names, etc...
I believe there is another way, but the router has to support it and I forget what it's called.
Everyone is always so quick to jump to how _they_ don't need IPv6. The truth is that we _all_ need it. Eventually, there will become a day when services will start to migrate to IPv6 because the cost and limitations of IPv4 addressing will become prohibitive. Then you'll no doubt care when it affects you personally.
Don't really understand networks yet, but I guess it was because my isp doesn't support ipv6, but linux kept defaulting to ipv6 before trying ipv4.
I think it was an ISP issue. At the time IP6 was in beta. Now it's enabled for everyone and the issues stopped happening.
I understand the support of new technologies but IPv6 is 27 years old.
I keep hearing this, but it doesn’t seem more simple to me. My ISP won’t reserve me a /48, so I can’t control the management ips of devices on my network. The solution is apparently to set up dynamic dns, which I have no interest in doing.
Cracking and Hacking world is awaiting with open arms IPv6 because a pain in the ass called NAT was removed from the specification, and only a tinny exploitable fence was left for Router's future. Now the enterprise environment will have their needed paid additional security devices with their scalability while the average user at home have to cross fingers for not being the target of a zero day. Tracking Advertisers are also very happy.
Its sad to hear about the supposed reduced network complexity when its needed even an external DNS service for being able to manage your own network at home, lets say your NAS with audiovisual content as mere example, what forces one to create additional secondary real local networks if one don't what to rely in external DNS services for to being able to know the IP of your own device.
For networks (order of preference): IPv6 only > IPv4 Only > Dual Stack.
I also have all my IPv4 addresses memorized, and IPv6 addresses are too long to remember with all the hex-double-colon nonsense.
If they could have turned
1.2.3.4
into
1.2.3.4.5.6
I'd probably use it, but instead they opted for some scary stuff that looks like
d0ff::eefa::0010::faff:::://::92::0
which I'd rather not look at. Product management fail.
Anyhow, IPv4 still works for me, so I have no pressing need to even try to understand these hex-colon monstrosities.
My DNS server is 8.8.8.8.
Why the hell isn't the IPv6 DNS server
8888:8888:::8888:8888?
Instead it's 2001:4680::... wtf?
First step of dual-stack networks should've been, every device's IPv6 address is the same as the IPv4 address, just padded technically, and represented textually the same. If I put in 8.8.8.8 and the systems want to speak IPv6 instead, go ahead. A little hacky but addresses (no pun intended) both technical and marketing problems. You could even use a v4 DHCP server and DNS but speak IPv6, instead of trying to sell people on a whole stack change at once.
208.255.238.250.0.16.239.109.89.54.222.189.74.21.22.9In an organisation of any significant size, remembering legacy IP is much worse than v6.
Chances are you will have lots of disparate legacy blocks, some starting 1.x, some starting 80.x etc. Then you have all the RFC1918 space, and the possibility of overlapping address space in different areas of the business. Then you have to keep track of translations, so an internal address 10.1.1.1 could have an external address of 80.1.1.1 but only on port 25, if you're talking over port 443 then actually the traffic is forwarded to 192.168.1.1 instead.
IPv6 is simpler. You have a single prefix for your company, eg 2001:db8:: Then you split it out in a sensible hierarchical way, for instance 2001:db8:1:: is your facility in the US, 2001:db8:2:: is your facility in Canada etc. Beyond that you go down to VLANs and hosts as needed.
So 2001:db8:2:25::1 is a device in your toronto data center... 80.1.1.1 is where?!?!? 192.168.1.1 is where?!? and which one did you mean?!?!
Then there's no NAT, no address overlap, much simpler. 2001:db8:2:25::1 is the same device wether you're talking to it on port 1 or port 65535. Your firewall rules are simpler and more secure as a result.
Microsoft had a presentation about this, and they are a bigger organisation than most.
If you're only small then you don't care, technologies like SLAAC and MDNS exist for exactly this reason.
I wouldn't mind a simpler DNS server IP though seeing as it's one of the few locations you need to treat as an address regularly. Sprint/T-Mobile has 2600::, which is not only short but seemingly a phreaking reference, active so why can't something similar be active for DNS. I get not wanting 8888 or whatnot, those blocks aren't assigned and advertising random bits for vanity can be annoying, but there are plenty of short IPv6 addresses that could be in use for the most common DNS servers on the planet. Even I have my personal DNS server running on an XXXX:XXXX:: public IPv6 address!
For example: d0ff:eefa:10::faff:92:0 (though there are currently no addresses in use that start with d.)
Vanity IPv4 addresses like 8.8.8.8 exist because most addresses have been allocated, so companies with money can go hunting for nice ones. There aren't many IPv6 addresses like 2600:: because internet registries don't allocate them on purpose, and I'm not sure if anyone's cared enough to bribe them.
Dual Stack doesn't "solve" anything. You still run IPv4. With all the downsides, especially every machine will still need an (RFC 1918) IPv4 address.
(Microsoft is running out of their internal 10.0.0.0/8: https://www.arin.net/blog/2019/04/03/microsoft-works-toward-...)
The goal of the IPv6 transition is to disable IPv4. NAT64+DNS64 or 464XLAT allows us to disable IPv4 on devices before the entire internet is ready.
For internal networks, IPv6 seems like an obvious choice. If you already have company wide subnets, you may as well set up some ULAs/GUAs and use IPv6 internally. Full IPv6 may be better but people worry about adversaries mapping internal networks for some reason so NAT66 may be necessary to placate those fears.
The problems you still keep around by using some kind of dual stacking (DS-Lite being the cheapest) ensures compatibility with servers and entire countries that haven't even begun upgrading their networks yet. You incur the IPv4 penalty, for sure, but only towards services that don't have IPv6. This provides an incentive for the world to move on without breaking existing infrastructure entirely.
The same exact way you do it right now.
Think of NAT as an implicit default-deny firewall rule, that's all it's doing.
Basically any firewall worth using will do exactly the same thing in IPv6, deny unsolicited inbound traffic unless explicitly allowed.
For some reason there's this belief out there that a device having a globally routable IP address inherently means it's globally reachable, and that's just not true. Your firewall still works exactly the same way.
If you're going to say there isn't a way and you need to add the firewall rules manually, then this is absolutely no improvement for 99%+ of consumer users who have absolutely no chance of understanding how to configure that.
Think of for example Xbox users. On ipv4 with NAT it automatically configures it for serving games using upnp. If you had ipv6 only with a default deny rule and no upnp equivalent then the Xbox cannot open itself up to incoming connections. It's actually a downgrade in terms of "P2P" connectivity from NAT.
Firewalls. You configure what traffic should be allowed from who to who. Default deny incoming traffic, and its the same behavior as when you had a NAT.
Something having a routable IP address doesn't mean it needs to receive all traffic addressed to it.
Another option is to use IPv6 Unique Local Addresses (ULA), which are similar to private IPv4 addresses and can only be used within a specific site. This approach enables internal connectivity for devices that do not require direct access to the Internet. I use it for several IoT devices that I do not want reaching out to the mothership.
Stateful firewall that allows outgoing connections and blocks incoming (or maybe blocks both)
In general, you probably don't want to allow unsolicited incoming connections to any devices, regardless of IoT.
I spent a lot of time figuring out how to do all this in the most efficient way (in terms of my time and effort) during covid, and I suggest getting any arbitrary box with 2 ethernet ports and putting freebsd on it.
Often I need to access a device from my local network (think: use my phone to control Wi-Fi LED Strips, Sonos speakers, etc.), which makes it impossible (I guess?) to separate these devices into their own network completely (if they aren't controlled by an online service in general). Or is it possible to allow access from my trusted network INTO the restricted network, but not the other way around?
Total network noob here, in case you haven't figured that out yet. :)
What I did was:
- IPv6 DHPC - private address range within: fc00::/7
- IPv6 NAT, same as for IPv4.
- Firewall.
Why:
- digital ocean only allowed ~16 IPv6 addresses.
- I wanted a local IPv6 network exiting through digital ocean.
- I see no reason to give public route-able addresses to each device in my home (allows remote websites to determine who is calling it and set up profiles/target each remote device).
- Sure, privacy extensions which cycle unique addresses, but it still allows profiling based on source address, even if a bit of work is needed for each new addresses.
Or differently put, you don't need to use the net your isp provides everywhere, ipv6 can still use NAT if you want it to: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6
I think ideally we should also think of new interoperable defenses that fill the NAT gap. Perhaps each device should have an authentication key apart from its IP, which it could pass onto trusted devices like local network routers, which would only allow authenticated incoming data. Maybe even better would be a global scheme including this authentication and also more private addressed (than IP), although that would probably require a redesign of IP and might be a project for the far future.
We are on AT&T Fiber, the router has no issues. I've never seen a router have issues with any speed for that matter, where NAT is concerned.
> That's why gamers push for IPv6.
I'm a gamer, I know a lot of gamers, no one is pushing for IPv6 that I'm aware of.
Yeah, not anywhere close. In ten years I’ll have one maybe.
Rare in the US. Hell, we don't even have a 1Gb connection at work.
fast.com says 50 "Mbps". Whatever that is.
These problems will only get worse from here on out, but they're not as visible to people outside networking because this degradation of quality of service is a slow creep. The IPv4 Internet just gradually gets more and more limited in capability and less reliable for anything beyond the most basic use cases.
IPv4's address space is simply too small. There are already almost twice as many people on Earth as there are possible IPv4 addresses, and that assumes perfectly efficient utilization of IP addresses which is pretty much impossible. In reality there are probably 8-10X as many humans as viable IPv4 addresses. If every human being tends to have a computer and a phone that means there's at least 20X more devices than IPs.
You know, that used to be only "if every human being tends to have a computer", since phones didn't have an IP address. Now it's "a computer and a phone". A few years down the line, you'll have "a computer and a phone and a watch", then "a computer and a phone and a watch and a standalone VR headset", and so on.
However, assuming that I and my organization have enough IPv4 addresses (without requiring any of the tricks of multiple layers of NAT), is there a sufficient reason for us to justify the effort/expense of changing what works?
And if you're already moving away from perimeter defense, to more identity based zero-trust, the move to IPv6 makes much sense.
But upgrading a working network is lots of trouble. Most existing businesses have plenty of public IPv4 addresses and don't have to conserve.
I also got fed up with people discriminating against Hurricane Electric's tunnel broker (streaming services, etc) so now I just have my own tunnel broker. It's really great to have my own addresses, use them in my kubernetes clusters (via calico and cilium) and have my homelab directly advertised to the internet, knowing I will never need to re-number.
Networking is a helluva drug
- What was involved with picking up the ASN and the IPv6 block of addresses (process, bureaucracy, initial and ongoing costs)?
- What networking plumbing is involved in being able to have homelab resources advertised to the internet?
I'm not an expert in this area, but I'd very much welcome the hard work that comes with reproducing such a setup. Thanks.
I think unless we start seeing ipv6-only stuff this will be the case, there's really no incentive for a lot of testing/debugging on at least consumer ipv6 connections until stuff actually breaks.
Would be cool if Google added a 'ipv4' warning to Chrome similar to how they do with HTTPS (maybe not as strong though). That would drive a lot of adoption.
You can kinda already do this by setting search to ipv6.google.com
Images search does not work on that domain, looks like the new Google devs don't know about it.
Can you expand on this? I recently upgraded my network to support ipv6 but a big concern I have is what if they (Verizon Fios) change my assigned block? How can I make sure my PI hole and server has the same static IP address?
The Gods intended for each database service to have its own IP address and I curse the market forces that have trapped so many of us in the quagmire of NAPT!
The type of NAT we're talking about here *only* applies to outbound connections. It doesn't do anything at all to inbound connections.
Right now, my macOS system has four publicly-routable IPv6 IPs, all random. New ones are generated, and old ones removed, regularly.
https://www.internetsociety.org/resources/deploy360/2014/pri...
Maybe it's a ricer thing, but I definitely see a difference and I compared my ISP's router (which didn't display CPU load), an openwrt router without hw flow offloading support (horrible), and an UDM SE.
(I don't have an Xbox, I just see posts on my local ISP's forum)
A lot of would-be P2P applications end up using a relay server to get around that restriction, which adds significant cost and latency. Sure it's a well-established workaround by now, but it'd be nice not to rely on it.
RFC6106 ? You're right that works. I was just trying to communicate the unobjectionable nature of stateless DHCPv6.
Stateful DHCPv6 is bad because it undermines the concept of hosts selecting their own addresses as needed for privacy, tethering, etc.
The decade old Android issue where Google refuses to implement stateful DCHPv6 provides some good background: https://issuetracker.google.com/issues/36949085#comment53
All the 3 ISPs I dealt with in Hungary in the last 10 years provided 0 firewall capability for IPv6 in their integrated router/modem.
Once you start assigning the addresses, every compatible IoT gadget you have is reachable from the public web.
In this state, IPv6 is a pure security stepback for average residential users with 0 upside.
I can't take any comment seriously who is speaking of configuring a stateful firewall in a residential environment.
Makes total sense, thinking about it. I guess, all those years of just sitting behind a NAT makes one forget all these networking basics if you're not using them regularly.
Moving closed-source IoT devices into a special vlan, with some even more rigid rules (something like: only allow http/https traffic into the internal network) might be an additional level of security.
Thank all of you for your replies!
https://atoonk.medium.com/linux-kernel-and-measuring-network...
Just speculating, but I believe the cost comes from all the memory operations of reading/editing/writing every packet, not from the NAT table lookup.
It does not, problem is with outbound connections.
> Whats the difference between "ipv6 Nat" and a firewall when theres not likely to be any address overlap.
Outbound connections can be profiled by remote websites.
With NAT (Well... Port-address-translation to be fair, so single outgoing address), traffic can't as easily be profiled.
Imagine ISPs/Ad providers having easier time identifying you, your spouse, your kids, etc. (and device, and so on just by observing addresses)
With initial SLAAC it is even nicer as MAC address is included in the address... Can look up device much easier just cross reference manufacturer database...
Complains by them? Won't fix (Intended behavior)
NAT does nothing for that. Those incoming connections are dropped on the WAN interface before NAT would even be involved. Which is why it works exactly the same way regardless of whether the destination IP for that traffic was IPv4 or IPv6.
That isn't really feasible with IPV6 though is it? The smallest IPV6 subnet is 18,446,744,073,709,551,616 addresses, so even if you setup a Pi fully open to the world with default passwords the chance of someone scanning it is basically zero. That type of scanning only works because the IPV4 range is so small (& you can efficiently ignore large parts of it like the US DOD space, private addresses, etc).
[0]: https://isc.sans.edu/diary/Targeted+IPv6+Scans+Using+pool.nt...
Yes, it does. While in theory you could "undo" the translation and verify against the re-synthesized A record, nobody is going to do that.
464XLAT shifts the "make an IPv6 address from an IPv4" to the CPE or even end device (Apple Devices are known to work well with 464XLAT). For this the device discovers the prefix, and if software wants to make an IPv4 connection, it sends it to the NAT64 using the prefix + IP. DNS64 would be no longer needed.
You're going to have a minimum of a /64, noone is going to scan that looking for devices.
Even if they do, your firewall is not going to allow the traffic unless you've explicitly configured it to do so.
The only way someone will discover devices, is by analysing outbound traffic you make. Outbound IPv6 traffic will come from randomised addresses so the addressing information is useless. Other things disclosed by the devices (eg user-agent headers on web browsers and other fingerprintable data) are protocol agnostic.
Security through obsecurity is not security.
Yes, let's just flash a giant "welcome, nobody is home right now" sign to burglars whenever you leave the house unlocked.
Huh. IMHO it's the single most desirable feature, and the only reason I care about it at all.
If you're approaching this from the home networking point of view, than I suppose I agree: even the most complex home network is just too simple for anything like this to matter much.
As the network gets bigger, that sweet sweet global routability starts to make a lot of things a lot simpler... I'm lucky to have worked on an enormous deployment of V6-only servers, and it's downright magical in comparison to anything of comparable scale I've seen before or since.
But yes, my home network is three NAT'd /24's because I'm too lazy to figure out how to make prefix delegation work...
SLAAC scales really, really well, and is fairly stateless compared to DHCPv4 or V6.
Also, slaac allows one to easily change the global prefix of a vm/host if it lives on another layer 3 network.
A good example of this:
you have two seperate datacenter networks based on an EVPN-VXLAN solution, and you do no want to stretch layer 2 across both datacenters because stretching layer 2 is a terrible, terrible idea[0].
Before IPv6, moving VM;s across datacenters which have different public ip space was a major pain for two reasons:
- IPV4 has no concept of using multiple addresses per interface without it having unexpected bahaviour on a host. - address management at scale is a major PITA because DHCP is not scalable.
How to solve this with IPv6? It's fairly easy:
- Use slaac + prefix delegation of your globally unique address space (which is different per Datacenter). - Use a different (site local) address to reach the VM for management purposes. Because this address is not globally routable, you are sure it will never leak into the greater internet and be reachable from the outside world. - If you are using anycast, you can easily announce this prefix to upstream BGP neighbours because you can use BGP Neighbour Autodiscovery[1].
Trying to do this with Ipv4 will result in a mess of administration, not to mention have to do some clever technical hacks to make it work on some operating systems.
With IPv6 solving these issues becomes quite manageable.
[0] https://blog.ipspace.net/2021/06/stretched-vlan-define-probl... [1] https://www.juniper.net/documentation/us/en/software/junos/b...
Fair enough. For me, this is a thing I literally could not care less about.
The availability of IPv4 addresses is something that more people will care about, and getting IPv6 going may help folks. From another comment in this sub-thread:
> I've actually run into this [CG NAT] helping a friend host a game server on their residential internet in a more rural part of Texas. They had to call their ISP and request a static IP address at an extra cost of something like $5/mo.
> It's a complete non-issue that nobody really cares about.
A significant number of people spend a significant amount of time trying to carve out and re-use address space in their existing IPv4 allocations and RFC1918 space. This becomes nightmarish the moment you start thinking about networks of any significant size and complexity. All of these problems go away with IPv6, and we care about that a lot.
New technology has benefits, if you don't know what they are then you need to learn about them properly. Sticking with old technology because you fear the new is not a good plan.
IPv6, however, is not more convenient than IPv4, so the analogy breaks.
ISPs should be forced to let customers get IPv6 prefix reservations. Yes, PD doesn't change for most, but I'd rather not use PD at all.
OK I challenge you to rewrite the IP address you wrote without looking in 5 hours.
Then go try it again with something like 10.10.53.24.
See which is easier.
If I wanted a memorable local address like 10.10.53.24, I'd pick fd53::24 or something.
Shitty ISPs do exist, or at least they existed two years ago.
Also STUN makes your private addresses reachable without you making any mistake at all.
Your comment is a good example of the NAT cargo cult mentality that is damaging to the Internet.
Yes, my home network works exactly like this. I have a vlan called "trusted" which can connect to any other vlan. One line in pf.conf.
My VLANs are something like: trusted, guest, media, cameras, printer, etc.
Many of these aren't allowed inbound or outbound connections (e.g. cameras and printer can only talk to things on their subnet).
Only downside is that stuff that works off broadcast packets (like bonjour) does not work across subnets.
You could, for example, allow only TCP traffic initiated by hosts in the “normal” VLAN to hosts the IoT VLAN. So IoT stuff can’t initiate outgoing connections to any other network, and can only receive TCP connections from one network.
You can also set up an MDNS reflector on your router if your IoT devices use that (e.g. HomeKit) to send data proactively back to “normal network” hosts.
Yes
The apparent issue here is that you're falling back to what's familiar- static IP addressing. How about mDNS?
(Unless you're putting them behind an IPv6 NAT, so thry can have their oen private /64).
It's not great, but it's an option!
The reality is that NAT has greatly improved the security of the internet, because before NAT people were exposing everything, including services like Windows file sharing, to the internet. NAT enabled those people to use multiple devices in their home and in return prevented them from unwittingly hosting things to the internet, which causes them to be hacked and turned into bots that harass the rest of the internet. Yes that still happens but not at the scale it happened before everyone was behind a NAT perimeter. If you want to see what could happen look up the SQL Slammer worm and imagine what could have happened if such a worm would have targeted a service more common than SQL Server.
It’s really nice to be able to host things on a consumer connection but it requires thought and management that most consumers just can’t and won’t care to provide and the damage they can cause is not only to themselves but to the rest of the internet as well. This capability really is better off by default.
And all those handwavy ‘workarounds’ for the ‘cargo cult mentality’, you typically can’t tell everyone on your network how to manage their computer to ‘just have their services listen on the local address’ and you can’t ‘just change the defaults of all routers’. But NAT makes it impossible for the default to be wrong and that is its great advantage.
Sure NAT has a lot of disadvantages and breaks the original idea of the internet with every host equally able to host services. But just as Postel’s law just doesn’t work out, every host being able to host services doesn’t work out. Because the internet is not a playground full of friendly colleagues and hasn’t been for a long time. It’s a war zone that requires strong, watertight defenses by default. And if you’re smart and careful enough to safely host a service to the internet, surely you can manage to forward a port.
NAT created a false sense of security, while also breaking a lot of other things. It is quite easy for the defaults to be wrong, you can end up with all kinds of unexpected scenarios which make internal hosts reachable - eg outbound traffic could open up inbound traffic on the same port from any source not just the one initially communicated with, UPNP can result in ports being opened, NAT slipstream attacks are another possibility, not to mention the fact that "not routable" and "there is no route" are two different things - someone who is on an adjacent network to your wan interface (ie other customers of the same isp) can easily direct traffic to your internal address space.
What reduced external attacks was not NAT, it was improved defaults - such as windows including a software firewall which blocks inbound connections by default, and unix based systems no longer shipping with large number of services (telnet, rpc, finger etc) enabled by default.
Consumer routers with IPv6 support don't allow unsolicited inbound traffic by default. Good luck scanning an IPv6 block in any case.
Slammer and other worms scanned sequential legacy IP addresses, including the well known and predictable RFC1918 space. This method simply couldn't work with IPv6 because the address space is too large, you would be flooding out huge amounts of traffic for years on end before you happened to hit upon an active device.
IPv6 is better, not worse.
You simply do not host services you do want public on your global unicast address but use a private/site local address instead.
IPv6 has private addressing and a form of NAT as well, were it to be the will of router mfg'ers and network admins. No need to stay on a legacy protocol.
No they can't: the whole point of RFC4941/8981 is to prevent that. The source address for external connections is effectively randomized.
All that can be inferred is that it came from your network, but even with NAT you know that anyway.
It's still unique to one device right?, even if random my argument still holds.
Or do you mean to say multiple devices can use the same address?
note: I've read the RFCs and they just mean - initial address is random but unique to a device. Each day the address will likely change but new address is still unique to the device (otherwise how would routing work).
This is what I structured my inital argument on. Do you see any fallacy in logic?
If you set up your device to spin up a new IPv6 address every hour (or even every minute), how will they track you using IPs?
On macOS it's 24h, but it doesn't have to be:
$ sysctl -a | grep temppltime
net.inet6.ip6.temppltime: 86400I really don't understand the fearmongering. Your home router likely runs some flavor of Linux which uses Netfilter/iptables to perform both NAT and filtering. Do you believe that the filtering/firewall modules are inherently flawed, yet the NAT modules are infallible?
I see them as two sides of the same coin. If we're theorizing about a magic packet that not only removes your firewall rules, but also flips the default policy to ACCEPT, the very same packet could also sneak in a few NAT rules into your IPv4-only router.
Regarding firewalls bring prone to accepting by default, either way the packet has to go through the CPU to be routed. I don't believe there's any inherent bias in the design. You could argue that routers that use a single switch and vlan isolate the wan port are inherently biased, though.
Regarding local hostname resolution, there are several options that don't require your ISP. There's mDNS, DHCPv6 and DNS on your router, ULA prefixes, or you can continue using IPv4 for local traffic.
Firstly one ceases to have control of its own home network, what now have to rely on the ISP for to receive the "local" IPs, what are part of internet. And in addition each machine leaves a trace of its "local" ip on the Internet. This if one want internet access in the device, due the absence of NAT in the router's protocol.
Secondly one have to rely on a buggy piece of code called firewall for to make "local" those IPs, due the absence of NAT in the router's protocol.
https://nvd.nist.gov/vuln/search/results?form_type=Basic&res...
https://www.cvedetails.com/google-search-results.php?q=firew...
We are talking about millions of routers provided by the ISPs in each country, barely maintained and updated, what little by little will become exposed. And this without taking in account the unpublished firewall bugs that each artist keeps for themselves and takes 3 to 5 years become detected and fixed by the mainstream. I do not know how to express the negligence is going on, but I can see that Crackers, Advertisers (privacy) and "others" are in good time because things are getting more easier for them than it should be.
Why people keep down-voting the message is a mystery for me. If it is due the local hostname resolution, mDNS, ULA prefixes, etc, all are workarounds due it is a network one does not control, what is one of the main points I exposed (it also needs filters/rules what needs be manually added in the firewall, each user has to make efforts to try to protect the supposed "from internet" separation).
One could create another network as you said, but the main problem keep existing without NAT.
RFC1918 address space IS routable, it just doesn't have a global route. There is nothing to stop devices adjacent to your wan interface (ie other customers) from manually adding a route to your RFC1918 address space via your firewall. Will that traffic be allowed? that depends on the device and its configuration, have you ever tested this scenario? probably not.
NAT is a hack to get around a shortage of address space, nothing more. Once the shortage is gone there's no more need for NAT. That's why although NAT with IPv6 is possible, it's very rarely used because you no longer have any valid reason to use it. If you are think there are any other reasons to use NAT then you need to brush up on your network knowledge because a lot of smarter people than you or I are saying to avoid NAT and designing systems (eg IPv6) to fix the problems it causes.
US government advice is to avoid the use of NAT because of the extra complexity it introduces, which actually reduces security:
https://media.defense.gov/2023/Jan/18/2003145994/-1/-1/0/CSI...
IPv6 has link-local addresses that aren't routable, so you can't really get more local than that. Unlike a typical IPv4 setup, typical IPv6 hosts have multiple addresses, and you can make your own for local traffic and only rely on ISP prefixes for internet access if you want to.
Sure, the internal host's internet routable IP address is visible rather than being masked behind the router's IP address. Pretty much all operating systems periodically randomize the bottom 64 bits, making it effectively as opaque as NAT. You could call that a hack, but people call NAT a hack. There's tradeoffs.
The CVE links you provided are just lists of vulnerabilities with "firewall" in the name. Skimming through them, I don't see how they're specific to IPv6? Most of the vulnerability descriptions I read seem equally problematic for NAT setups. The one IPv6 specific one I saw had to do with a bad firewall rule allowing access to LAN facing services running on the router; it could have just as easily been a bad IPv4 rule.
I agree, consumer network gear all sucks. IPv6 is bolted on as an afterthought, and is probably buggy in a lot of them. More features means more opportunity for bugs, but that's true of anything. IPv6 isn't being deployed for no reason; there's limited IPv4 addresses to go around. I still don't follow why IPv6 is fundamentally riskier than IPv4 when traversing a router. Sure, with NAT an incoming packet needs to have a port number that's been dynamically mapped back to an internal host and port, or have a static port forward. In IPv6, an incoming packet needs to have a destination address and port that's been dynamically mapped back to an internal host and port, or have a static firewall rule. It's basically the same, but also less complicated for the router because there's no translation involved. In time, less complexity is good for software hardness.
I also get anxiety from trying to wrap my head around IPv6 address assignment. It is nuts. It's very comforting to work in the effectively 8-bit address space of a /24 IPv4. I suppose it's true that you can't control internet routable IPv6 addresses in that they are dynamic and ephemeral in their nature. Coming from IPv4, it feels messy. I've experimented in detail with configuring my own ULA, DHCPv6 configuration, and SLAAC. I've tried to embrace the benefits of IPv6, and having used a few of the features I can appreciate them for what they are.
With IPv6 instead of NAT deciding that port 2000 maps to 192.168.1.3 port 22, you have a firewall that may or not choose to route to xx:yy:zz or not, and to allow an incoming connection over port 22 to that host or not.
If you don't want to accept incoming connections to a given machine or network on IPv6 without NAT that's very easy to have.
Now, sometimes NAT is needed anyway: QubesOS supports IPv6 using NAT because it splits things up into many different VMs on one computer. But that's a pretty rare case.
For example, I'm in the US, and my mobile device has an IPv4 IP sitting behind the mobile provider's CG-NAT. My mobile device also gets IPv6.
Since you only provide your site over IPv4, that means my opinion of your site is governed in part by my ISP's CG-NAT, which you do not control. If the CG-NAT is overloaded, or otherwise having issues, that will manifest to me as problems with your site. I will assume the problem is with your site, and take my business elsewhere. In this example, if your site was also provided over IPv6, then my phone would have skipped the IPv4-only CG-NAT, and things would be fine.
Perhaps you will diagnose the issue as caused both by the combination of your ISP flaws and my choice to be IPv4, however, the vast majority of users definitely won't, they will notice that most of the web (i.e. IPv4 web) sucks for them but doesn't suck for other ISPs and will put on the pressure on your ISP to get their stuff working to properly support the IPv4 net (or take their business to another ISP) instead of putting the pressure on IPv4 sites to switch to IPv6 or taking their business to another site.
IPv4-only still has enough critical mass (and will have for quite a few years still) to ensure that 100% of ISPs in the world have to support decent service for IPv4 only servers; IPv6-only does not yet have enough critical mass to ensure that all or even half of servers have to support decent service for IPv6-only clients - this is a quite literal chicken-and-egg problem for the motivation to switch.
Regardless, Google's chart of IPv6 adoption (https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...) continues to trend towards IPv6 adoption. I expect that if you looked at a chart of web site IPv6 adoption, it would also be trending upwards (though not at as steep a rate).
If that's true, then it stops being a chicken-and-egg problem, and turns in to a game of chicken: Who starts supporting IPv6 first, you or your competitors?
No, unless you're running servers for users who might have those issues on their side (e.g. anyone accessing your servers from mobile). May as well wait until you can save money by giving up your IPv4 addresses.
I was illustrating why there is zero incentive for 99.99% of people to not care, which is the reason why it isn't getting adopted.
If moving my home network to IPv6 came along with some incentives -- e.g. significant tax breaks, free symmetric gigabit for a year for IPv6 traffic, discounts on rent, tax-free early IRA distributions to buy networking equipment, free electric car charging for 5 years, I'd move to IPv6 in a heartbeat.
For a small network it makes no difference, everything is auto configured, mdns is used to lookup names, you can makes your hosts ::1 ::2 etc if you want to. Many ISPs around the world provide IPv6 by default, and users are using it without even realising, so it is being adopted just not fast enough. Global usage is around 42% based on published stats, and is well over 50% in many countries, as high as 80% in some.
IPv6 does provide benefits to end users, it reduces cost for the ISP and makes end to end connectivity viable which opens up a whole new set of opportunities. End to end is immensely beneficial for gaming, voip etc. Having everything centralised because users are encumbered by NAT is a big problem - increased latency, high costs (recouped from the users somehow - eg selling their data), single point of failure, applications which become useless once the central servers are shut down etc.
Consecutive colons aren't readable or easy to remember.
Configure your ntp clients to use the name, and maybe add a pool.ntp.org entry or two into your configs.
So how do you do this hands-off, ie without manually changing things on the clients, without DHCPv6?
NAT is bad because somehow magically a machine with an unroutable address can become routable. Because magically UPnP forwards every protocol in existence, not only a select group of programs that explicitly support it. And of course a connection opening up a theoretical hole to a specified host is just as bad (actually worse!) as opening it up to the whole internet.
Yet all routers have the right defaults and nobody ever makes a mistake. Oh and there’s so many addresses it’s so obscure it’s secure, and noone would guess to scan one’s own subnet in the absence of NAT.
These arguments are really grasping for straws, mostly nonsensical and the rest describes attacks so impractical they are pretty much impossible to carry out and are so much harder than simply sending a thousand emails with a link to an executable that pretty much nobody ever bothers.
Note I never said that IPv6 is worse, I said that NAT has relevant advantages and mostly irrelevant disadvantages. I really don’t care ftp doesn’t work with NAT.
Ports on router are allocated by it and not client machines. So far my experience has been they're usually sequential without any preferrence.
Local firewalls on devices, maybe, but network firewalls generally are default-deny on untrusted interfaces, and between 0 and 1 interfaces are trusted by default.
Back in 2007 Apple's Airport Extreme Base Station shipped with a firmware that defaulted to allowing all IPv6 traffic, which was quickly pointed out in the tech media and fixed in a patch a few months later. A few of the garbage pile combo modem/router devices distributed by ISPs have had similar issues over the years as well. That's not normal behavior though, when it's observed it's rightfully considered a security flaw and tends to get the kind of attention vendors don't want.
If you know of a mainstream device that would "fail reachable" as you claim here, name and shame please.
> without explicit port forwarding or exposed hosts, NATs fail unreachable.
I work in VoIP and can say from plenty of direct experience this is not true. In the modern work from home era I've had to deal with a lot of the aforementioned garbage pile consumer devices and a recurring issue with some of our clients who had older phones is that their users' home routers did the laziest NAT possible and literally just opened a two way hole on port 5060 (SIP) so as long as the phone was communicating with our server and keeping the pinhole open *ANY* other traffic that hit port 5060 was also sent to the phone, which meant they got all kinds of "phantom calls" from bots looking for unprotected SIP relays.
Newer phones generally have an option to only accept SIP messages from trusted servers, but older ones sometimes don't so when combined with badly implemented NAT that happens.
And yea, obviously that's a consequence of a particularly bad NAT implementation, but your complaint is about an issue that would only occur in a particularly bad IPv6 implementation.
Of course, if the protocol added workaround for NAT and NAT is modifying that application layer data then it can cause another set of issues.
The reason Xboxes need port forwarding in the first place is that IPv4 relies on NAT. The unreliability and unpredictability of NAT means remote devices won't know what ports to talk to or if those ports will even be mapped to the right device. IPv6 removes that problem all together! It alleviates the need for 99% of the port forwarding cases that UPNP provides, assuming you've manually enabled it in the first place.
If port forwards are really necessary for Xboxes to work, then IPv6 brings another advantage: you can run multiple Xboxes behind the same IPv4 address. That IPv4 address can be your home connection, or it can be a thousand people behind CGNAT. In countries where CGNAT is the norm (India comes to mind) you can't possibly expect UPNP to be a requirement for Xbox to work!
But IPv6 doesn't solve the problem at all if all incoming connections are blocked on the firewall - which they have to be for security! You need some protocol for the xbox to be able to tell the firewall to open ports, which doesn't exist. Or users have to manually set the firewall rules, which is the same as port forwarding on NAT from a users perspective (ie impossibly complicated)
You can run multiple xboxes behind NAT right now, they get different ports.
Again, for a non technical user there is no major difference between being behind CGNAT IPv4 (impossible to get incoming connections), and firewalled IPv6 (possible to get incoming connections, but the firewall is too complicated to use so it may as well be impossible). If there was a protocol which would allow devices to open ports on IPv6 firewalls programmatically similar to UPNP it would be entirely different, but there isn't.
Most consumer routers I've seen these days come with UPNP disabled by default, though.
For most P2P traffic (which includes a third party handshake server) you can probably skip port forwarding entirely; just send UDP packets both ways and the firewall will figure it out. For stateful protocols like TCP and friends (SCTP etc.) that's harder to accomplish this, that's where you need pinholing.
It's possible that your router simply doesn't support IPv6 pinholing but I think the more likely scenario for breakages is that client software doesn't bother implementing it.
First The firewalls are stateful. Client inside your network attempts to connect to some system outside. The firewall adds an entry to the state table with client ip, destination ip, protocol, ports, and so on. If an incoming packet is received by the firewall, the state table is checked. If there is an matching entry for the ips, proto, ports, etc, then the packet is forwarded. If there is no match the packet is dropped or rejected depending on your config. So it is easy to permit packets based on the interface it was received or transmitted on.
Ports can be opened for some incoming traffic pretty much the same with as IPv4 using STUN, TURN, and so on.
Past that, you can do manual port forwards the same way you do with IPv4.
Then if you're using STUN and TURN (which you'll have to, because non technical users do not find configuring firewalls easy) then what is the advantage of IPv6 to a consumer? There is no real p2p benefits.
I'm trying to call out this contradiction:
1) You need a firewall on IPv6 instead of relying on NAT, otherwise everything is routable globally and insecure 2) There will be this glorious new p2p world for consumers with ipv6
If you need a firewall, then really for non technical users you cannot have this p2p world. It is too complicated.
https://en.wikipedia.org/wiki/Port_Control_Protocol, which also allows for UPnP-like functionality when NAT64 is in play.
That said most "P2P" traffic is still mediated by a central server though and does not need this. The lack of port remapping from NAT means that tricks like UDP hole punching work simply and reliably rather than the semi-random performance seen through NAT. Multiplayer gaming, VoIP, voice/video chat, etc. where a central server does the setup doesn't need ports opened to the world, it just needs to punch a hole for that specific session. A SIP phone opening a port forward on 5060 for itself is a bad thing, but it's sometimes needed in the NAT world.
True unsolicited incoming traffic will still need an allow rule but that's a lot more rare.
> If you're going to say there isn't a way and you need to add the firewall rules manually, then this is absolutely no improvement for 99%+ of consumer users who have absolutely no chance of understanding how to configure that.
I disagree. These days the sorts of things normal people do that deal with P2P connections are pretty good at dealing with NAT, but far from perfect. You don't have to look far in to the gaming world to find people complaining about not being able to join a session, not being able to connect to voice, etc.
Any VoIP provider serving users on their own internet connections is going to be doing things like regular keepalives, setting their media systems to accept RTP from and send it back to whatever port it comes out of the user's NAT on instead of the one it's supposed to be on, etc.
All these things work pretty well, most of the time. But they're not perfectly reliable because every NAT implementation is different in subtle ways.
> Think of for example Xbox users. On ipv4 with NAT it automatically configures it for serving games using upnp. If you had ipv6 only with a default deny rule and no upnp equivalent then the Xbox cannot open itself up to incoming connections. It's actually a downgrade in terms of "P2P" connectivity from NAT.
As noted previously, in IPv6 it doesn't need to open the port at all. Anything the Xbox, or any other modern game console, will be doing is server-mediated P2P for which standard basic UDP hole punching is a perfect fit.
Basically anything that definitely always requires a port forward in IPv4 NAT will probably still require an allow rule in the firewall, but anything where port forwards aren't supposed to be required but sometimes they help some people more reliably connect is a problem caused entirely by the NAT and those problems go away. Hosting a dedicated game server is in the former category, playing games is in the latter category.
There's a reason all the modern consoles include NAT tests in their network diagnostics, but can only offer vague suggestions at the fix, because how the NAT is breaking things varies by the NAT and may or may not be fixable. The only real fix is to eliminate the NAT.
FWIW Xbox prefers IPv6 when available and Xbox Support specifically recommends having it enabled if you can. That tells me that it works either equally well or better than IPv4 in the real world, which fits my view of things.
I put the CVE links with the generic word "firewall" because it is the point where the "local" vs "internet" resides with blind faith within IPv6 (without indicating an specific exploit, just vulnerabilities exist). For this case, the DDOS and buffer overflows that force the firewall to shut down, or code execution, what are periodically discovered, is what I wanted to show for being considered as a serious problem. Not everyone reports firewall bugs, and others I guess even wickedly insert them.
With NAT setups, the local and internet networks are different between them, what requires the packets to be filtered and rewritten by NAT for the address what solicited it, while unsolicited packages are discarded. The NAT in consumer gear is run mainly by software, but a poisoned packet will not aim to shut it down for network penetration because it would be the end. If the NAT stops working, the doors close for everyone.
It is about the double checking,
-IPv6 without NAT: If the firewall stop working, opened doors. Feast.
-IPv6 with NAT: If the firewall stop working, many rules get unfiltered, wild. But NAT keeps the local/internet separation besides filtering unsolicited packages. Not absolutely secure, nevertheless keeps being a complex target.
Like all of we, I suffered some problems that NAT can bring losing countless hours trying to make work some specific services, but when I first read IPv6 didn't implemented NAT nor something similar in the protocol (for whom whish to use it at least...) and what the supposed local IPs are merely part of internet (link-local addresses that aren't routable as first target, devices with internet connection are), each device with its own public address, I doubted seriously about what was going on.
Given that even Mikrotik RouterOs periodically have security vulnerabilities related with the firewall, I can't conceive the idea of people relying on firewalls rules to do the home/internet separation within IPv6 (plus the public address of each device gives me also anxiety), as it is a matter of time before such separation ceases to exist; it is like the crossing of fingers.
I mean, it is not a matter of misfit, it is more like the users will not even notice the router's firewall was shut down.
Bad IPv6 is as simple as not having a firewall or default-allowing it like AirPort did. If Apple can make that mistake, a lot of random manufacturers can too. I can see the whole NATless firewall setup but wouldn't use it for a very long time, to let things settle.
It gets even worse with higher level protocols like FTP. There is such a thing as FTPS (FTP over SSL) but it's rarely used because if you encrypt the traffic then the NAT gateway can't inspect and rewrite the traffic.
The same is true of IPSEC/ESP, if you have an encrypted TCP packet encapsulated with ESP the NAT gateway can't keep track of which internal host to forward it to because it can't see the source and destination ports.
A normal router does not need to care about anything further up the stack than IP. A firewall does, but even when a firewall doesn't explicitly support a particular protocol you could write a rule allowing any traffic with a particular protocol number between specific hosts is allowed, and anything else denied.
It's security through obscurity at best, i.e: not security. You shouldn't be relying on size of address space to protect you from anything. An IDS/IPS that alerts on abnormal ICMP behavior will be useful whether an attack is 1GiB of traffic in size or 1024EiB of traffic in size. (Also you don't even need automated scanning to find some juicy targets: I've seen a lot of routers on the edge of a prefix configured at ::1/64 and ::2/64 for instance.)
I did not have to do anything to get this. My macOS system has IPv6 set to Automatic. My home ASUS router picks up the /64 allocation from my ISP, passes the info on to things on the LAN, and acts as a firewall for IPv6 (while continuing to act as a NAT for IPv4).
According to https://www.internetsociety.org/resources/deploy360/2014/pri..., this has been common for some time.
(Hand waving a bit here with terminology don't shoot me)
Examples: https://docs.opnsense.org/manual/how-tos/transparent_bridge.... https://docs.netgate.com/pfsense/en/latest/bridges/index.htm... https://www.fortinet.com/resources/cyberglossary/transparent...
I'm not very familiar with DS-Lite. My ISP also uses CG-NAT but I get my connection details over DHCP - both native v6 with /56 PD and the v4 CG-NAT 100.x.x.x IP. That means I connect my OpenWRT router directly to the ISP's plug in the flat.
You said v6 is native for you, but if you put the modem in bridge mode you lose v6 connectivity. Why is that so? Shouldn't you lose v4 instead, which relies on tunneling?
Early hardware implementations could have settled on 32-bit, but 48-bit would make more sense to be in line with EUI-48/MAC-48 (ethernet frame). The world could then gradually upgrade hardware over the decade to handle a larger address.
It's because you could get through the firewall without a four month review with the firewall team.
Well, and you could reuse web tools and software. Ok, that's probably it, but the firewall convenience is DEFINITELY a thing.
The reason IPv6 on a home network is still difficult is because the routers everyone buys at Best Buy still blow at supporting IPv6. Ubiquiti blows at supporting IPv6. It is laziness and/or incompetence of device manufacturers, primarily, holding us back. (and incompetence around IPv6 in general - I talked to a network guy at a large company recently and they were deploying /58s. WHY?!)
The benefits of IPv6 may not be just for you - it's for the planet, it's for the developing nations, it's for the future where IPv4 does not cut it. It's bigger than your home network.
> IPv6 does not do anything to save the planet.
The world doesn't have enough IPV4 addresses. It literally solves the problem. It is crazy to me so many people here are arguing for multileveled NAT instead of the obvious solution we have had for 20 years.
CGNAT is not the Internet working well. CGNAT makes you have to have your ISPs permission and coordination to originate outgoing traffic--imagine if you had to ask the power company for permission to operate each electrical device in your house.
Look at what they did with broadcast digital TV : it was announced that it would be illegal in a couple of years to sell hardware not compatible with the new standard, then a couple of years later on illegal to sell hardware compatible with the old standard...
The US has mandated IPv6 support for federal contracts since 2009, although they don't get involved outside of those directly providing services to the government itself. They now have plans to go IPv6-only, and eliminate the use of legacy IP within the federal government.
Allocation of legacy address space was always based on first come first served, so developed countries got the lions share of address space and left developing countries with scraps. This creates a severe inequality, and holds developing countries back. This is also why India and China are leading, as they have a huge disparity between their population and the number of legacy addresses available.
It costs that third party real money to run that server...
What happens when they decide to shut if off because they no longer want to bear the costs? Your applications are a ticking timebomb...
What about privacy? What if the operator of that server decides to fund it through selling your data?
Sending your traffic through a third party server adds latency, sometimes a LOT of latency if that server is far away. This is very bad for certain latency sensitive things (gaming, calls etc).
If you're dependent on a third party server then you're screwed if it goes down, even if your own connection is fine.
Doing away with that and going back to peer to peer is MUCH better in most cases.
IPv6 will fix that.
Behind a NAT, observers can only make that connection (using only addresses) for the network as a whole, instead of an individual device on the network. So the privacy extensions are weaker than NAT
(If the IPv6 privacy extensions used a different address for each connection, they would be more like NAT in this regard.)
That said, other observable clues still allow connections from a single device to be associated, NAT or not. There's TCP OS fingerprinting for example, and the close timing of related connections.
In this scenario it's a lot more work trying to map out your infrastructure than to try performing a MITM connection against some of your outbound traffic.
I'm curious to know: what (attack) do you hope to protect against?
I would think that most attacks come in two fashions: the first being that you run a service of some kind and that there's some JSP/PHP/whatever exploit for a public facing service, and someone does a 'magic' PUT/GET that has the application server execute some code, which downloads a larger malware attack package. After which point the black hats start scanning from the inside.
The second being that someone clicks on a link in a phishing e-mail or executes some attachment, after which malware code starts scanning from the inside and phones home.
(A third being an insider attack, who presumably know about internal topology.)
What attack are you thinking to protect against by hiding subnet and VLAN topology?
And what are those vector(s)?
Besides compromising a machine that is already inside per the above (which can then do scanning / lateral moves), or perhaps physically getting inside the premises (in which case a scanner can be physically installed to examine the network), what attack are you protecting against?
Can you give me a link about an attack that knowing the topology of the network ahead of time would allow, but that not knowing would prevent?
the only thing you'd "leak" is the prefix, which is no different than a IPv4 WAN address that you'd get with a v4 NAT.
They’re obviously doing recommendations based on IP address. (And this is purely over ipv4).
Assuming you block unsolicited packets (that is, packets not related to existing connections/streams) at your border (the connection to your ISP), then outsiders won't be able to use tools like traceroute to learn anything. All that an outsider has is an IPv6 IP, and since you're not doing BGP with anything, all they'll know to do is to send the traffic to your ISP.
Once identity is known for address X you know its traffic for the day, including past traffic for the day.
once address changes you do the whole identification again.
All these logs where address is identified goes to bucket X.
On addresses where you couldnt identify that day you put them in unknown bucket.
Once you have a profile of the network, you can do exclusion (Only 4 people in household, 3 active with known addresses, not X, one unknown address, you can assume its X)
The “I don’t care if they track my household but it’s critical that Daddy’s activity not get disambiguated from my dealing daughter” is just not a valid reason to abandon the benefits of IPv6.
Please stop with this line of argument.
If you’re really desperate to ensure that the ads shown to your daughter are based on your porn viewing habits, then just set up IPv6 NAT.
That's a broad assumption, and I can assure you they will due to lower costs (no need to pay data broker if you already know target, no need for extra traffic, load, etc). Also due to better targetting you get better prices per ads served.
> just not a valid reason to abandon the benefits of IPv6
What are the benefits to allow each device its own address if I'm going to firewall them anyway?
> Please stop with this line of argument.
Why?, my concern is valid, all you've said so far is nobody cares. I disagree.
> If you’re really desperate to ensure that the ads shown to your daughter are based on your porn viewing habits, then just set up IPv6 NAT
That says a lot about yourself if you resort to this sort of snarky comments, I have no wish to continue this conversation.
Note: I said in another comment I have set up IPv6 NAT and it works great.
I don’t quite feel convinced yet by this argument.
For example, one essential difference is that while it’s true that my web browser does have those leaks, I can be reasonably sure that it’s only leaking to specific hosts, i.e. the one I’m visiting and its embedded resources.
Tracking on the IP source address level, however, would be a whole other thing: that means that whoever happens to see the byte stream can now track who is visiting what. That includes, for example, my ISP, all large Internet exchanges, and anyone tapping into those.
If I told my security information officer "We don't protect against foreseeable threat X because we assume no one will bother to try X" she would not be very happy with me.
When a valid data concern has been expressed and described, putting your head in the sand is the incorrect response. I want IPv4 to die as much as the next person but at a minimum organizations such as hospitals and government installations will not accept that sort of outside visibility into their network.
I mean look, a few days ago Comcast had an outage and I plugged my phone into my USB port to tether it for internet access. It hijacked my DNS entirely, and I couldn't turn on my damn lights or change my thermostat which were on my LAN. Thankfully I know their LAN IPv4 addresses from memory, 10.10.10.x and 10.10.10.y, and I was able to issue CURL commands directly to their local, non-cloud APIs to manipulate them. With IPv6 hell knows what their hex-colon monstrosities would be.
dns: maniacal laughter
You would know exactly, because every IPv6-enabled interface has a link-local predictable IPv6 address derived from its MAC address.
The reality is with IPv4 I can memorize all of the IPv4 addresses of every light bulb, every robot, every thermostat, every plant watering device in my residence, and I can hammer out CURL commands to control everything almost from muscle memory in the event of a DNS hijacking.
Windows and many Linux distros by default enable the privacy extensions on the link local address; it's randomized for a period of time. This is right off a Windows 10 VM:
ipconfig:
Link-local IPv6 Address . . . . . : fe80::9aaf:a280:d593:db1%2
RHEL 9:
[user@localhost ~]# ip addr | grep fe80
inet6 fe80::3544:fe14:5cf:5ad9/64 scope link noprefixroute
[user@fedora ~]$ ip addr | grep fe80
inet6 fe80::7752:d2c6:82c3:482c/64 scope link noprefixroute
user@ubuntu:~# ip addr | grep fe80
inet6 fe80::5ffe:c565:9de2:58f8/64 scope link noprefixroute
If the problem wasn't obvious, the problem is that IPv6 addresses (and also MAC addresses) are not human readable. IPv4 addresses, on the other hand, are.
IPv6 adoption might be farther along if the addresses were human readable instead of eye-rolling machinations of a small subset of people who speak strictly in hexes.
(Though the sooner we ban IPv4, the sooner they will stop using it too...)
Minutes or less I guess would defeat tracking, but then what's the point?, it's almost equivalent to NAT it still breaks reverse connectivity? and does it actually work?
It also feels like a workaround for an oversight.
But how would they know it is to the same node?
I have my DSL router-modem reboot every night, and I get all sorts of crazy results for ads: I'm in southern Ontario, as is my ISP, but they service folks in Quebec, and so sometimes I get Youtube ads in French since (per my IP) I'm "in" Quebec.
Similarly with the reboot I get a new /64 prefix delegation (actually /56), so I would hazard to guess if IPv6 starts getting tracked, I'd get the same crazy results.
No one cares about tracking by port. Folks are tracking by IP(v4) address.
I know this first hand because I have my DSL router-modem auto-reboot every night (built-in Asus functionality), and I get all sorts of crazy results for ads: I'm in southern Ontario, as is my ISP, but they service folks in Quebec, and so sometimes I get Youtube ads in French since (per my IP) I'm "in" Quebec.
And given that I have IPv6, most OSes generally use that as a first preference for connectivity, and so my IPv6 address/prefix is "in" Quebec.
And this is even with cookies enabled, which should make tracking by browsing easier (esp. since I get decently-accurate recommendations based on viewing history), but yet I still get French ads because my IPv4/IPv6 address is "in" Quebec.
So I have no idea what people are talking about when they say IPv6 will make tracking easier than IPv4. With RFC 4941 it's a solved problem IMHO and no worse under dual-stack than it is under single-stack.
With IPv6 chances are your ISP has a single large address block, and then they split out parts of that address space to users in ontario and quebec. Unless the ISP publishes details of where they've allocated those blocks, any external site is just guessing.
With legacy IP chances are they have multiple small fragmented blocks, some of which are routed to ontario and some of which are routed to quebec so they're a bit easier to keep track of unless the ISP decides to move them.
Also when you address changes, the legacy address space is probably quite close to full so your previous address is released and probably taken by another customer fairly quickly. The IPv6 space will be much larger, and so recycling occurs far more slowly.
Either way youtube is just guessing, it only knows that the address space belongs to a canadian isp and it has to use the behaviour of whoever used those addresses last. If the previous user set their browser language to french and searched for french sites, youtube will remember that and is more likely to serve you french ads.
It's been available for some time: https://www.internetsociety.org/resources/deploy360/2014/pri...
On my macOS system, I currently have four IPv6 IPs (excluding the link-local IP), all of which are random.
For decades we have generally allowed all outbound and worried and fretted about and filtered inbound. I think it is time for us all to get a grip and do the job properly. However, with the delights of DNS over http and the like, the horse has not only bolted but has a new paint job, far better shoes than you can afford, eats grass that was prepared by a Michelin starred chef and belongs to someone else now.
We all need to be far more sophisticated about how traffic (knowledge/ideas/data) flows in and out of our networks/lives. Packet filtering is just one tool in the box and worrying about an addressing scheme being global (IPv6) instead of a weird hybrid (IPv4) is completely missing the real issue stabbing you in the nadgers.
If 8 billion people wanted to host their own email and web, yes, we'd not have enough addresses for each person to have one. That isn't the case though. It will never be the case. If we look into the future and say well in 2023 5% of the world's population ran their own email and web for personal or business purposes and that number were to grow by 5% every year then in 20 years we would run out. That's a worse case, contrived scenario but even in that case, we'd still have 20 years to come up with something better than IPv6 that truly respects privacy and doesn't track each person.
Try starting a new ISP. You’ll either do CGNAT on a single /24 of v4 space, or you’ll have to spend tens of millions for some pointless, legacy IP addresses.
Linux will use EUI-64 if left to its own devices, or privacy extensions if you're using something like networkmanager. This makes sense because a desktop oriented distro will typically use networkmanager while a server oriented distro will not, and having a predictable eui-64 address is usually beneficial for a server.
With any usable N, a clever observer would still easily work out what you were doing and still map out your infrastructure.
More reasonable is to use new address for each connection. Then nobody can tell if 10 addresses and 10 connections are one device or ten.
You've saved the translation in the router, but now routing lookups and ARP caches have grown by TEMP_VALID_LIFETIME / TEMP_PREFERRED_LIFETIME.
What are valid values in the scenario you are proposing? The defaults are 1 week / 1 day, so 7X. If you chose to rotate each second, and say allowed addresses to only be valid for say 20 minutes, this still appears to be a ~1200X blowup in routing overheads.
Seems intellectually dishonest not to acknowledge that making things easier, just y'know, makes things easier. Keeping attackers, who want to do you harm, in the dark as much as possible seems important to me.
An attacker looking to be stealthy is not going to blast the network with nmap...
ARP is broadcast, NDP is solicited node multicast so simply by passively listening on the network you will discover nodes in the same layer 2 segment, with v6 and properly configured switches your passive discovery will be a lot more limited.
Other passive techniques would be monitoring things like DNS, and things the host you've compromised is actively communicating with. This isn't any different regardless of the protocol used.
You can also actively communicate with services like DNS or Active Directory and query information about the network, depending on your level of risk.
Just knowing the in-use IPv6 block is useless, the blocks are massive so even just identifying active hosts in a single known IPv6 block is a lot harder than simply scanning the entire RFC1918 legacy address space.
For active discovery, IPv6 is harder to attack - you can't scan the entire address block looking for hosts. The fact that such scans should be detected is exactly the same for either protocol. You also have to consider response time and what an attacker may be able to achieve before your response kicks in.
IPv6 makes it harder for attackers, not easier.
I have IPv6 at home and connect to Youtube over IPv6 (that's generally the default behaviour on macOS and many other OSes). I reboot my DSL modem-router every night and get a new IPv4 address and new IPv6 prefix every day.
Now: I live in Ontario, and my ISP is based in Ontario, but they serve clients in Quebec. Every so often, when surfing Youtube, I get served ads in French because according to my (IPv6) address I am "in" Quebec.
And, while I am not logged into any Google service, I do not block cookies. So even with cookies, Youtube seems to be fairly dumb about serving ads correctly just based on IP addresses (or at least IPv6 addresses and/or IPv6 prefixes), since cookies don't seem to be useful.
So I'm not quite sure about what people are talking about when they say "IPv6 tracking" if even Google/Youtube can't get their act together.
Iechyd Da!
eBay uses IPs showing content, too. I see 'items you've viewed recently' show items I've never looked at, since when on a mobile connection my IP changes fairly frequently and eBay carries over the recently viewed state from whoever else was previously using that IP.
It had puzzled me until I came across this[1] eBay topic where others had experienced this, from shared offices to spouses, etc.
[1] https://community.ebay.com/t5/Share-eBay-Technical-Issues/Re...
Yes but my phone hijacked all the LAN DNS when I plugged it into a USB port for tethering when Comcrap went down for a few hours
Also separately, when Comcrap is working, my phone on Wi-Fi refuses to ever use the router DNS, http://xyz.local addresses are only available on desktops/laptops and not phones, therefore IPv4 addresses it is when trying to visit a LAN site on a phone.
Sometimes we need to deal with raw IP addresses instead of abstraction layers, and IPv6 fails hilariously because it clearly goes beyond the realm of direct human consumption.
You saying a non-human readable thing is human readable if it's passed through an abstraction layer to make something human readable only reinforces the argument IPv6 is not human readable.
They have not?
The global routing table size for ipv6 at max is a /32 (if i remember correctly) every customer gets a /56 prefix to use in their network, so the routing table entry would still be the same, no matter how many addresses you use to cycle through in your /64.
ARP caches do not exist in IPv6, and Neighbour discovery does not have the same "cache" mechanism as ARP does, it uses an entirely different mechanism for neighbour discovery. (which is also far more lightweight considering it is using multicast, compared to the broadcast of ARP).
The ISPs have the ability to see what is on your network by IPv4 egress. They have been able to do this for a decade.
Worrying that an IPv6 address divulges the network forgets that IPv4 devices betray their existence through DNS, their destinations and other network behavior.
The ISPs know.
Many of these routers are managed by the ISP using protocols such as TR-069, several ISPs have already been found to not only manage the devices but also monitor certain data including what devices are present.
2. You can't say anything about the percentage with just the absolute market value. At the very least you need something else to compare it too.
Please, be serious.
So, I mean, I dunno, 2 billion dollars seems serious to me, but maybe we just have different barometers for what counts as "serious amounts of money". Especially considering these devices that are like $300.
Finally, might I remind you of the guidelines? in particular:
> When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
Oh and I'd actually prefer the 65520.
The huge prefixes allow for a simple hierarchical network structure and gives us room to redo the address scheme if we end up wanting to (only a portion of addresses space is currently allocated right now) without having to go through this entire upgrade the internet again.
As an end user who has a choice, they have to give me something that's not harder to use than before. I think they could have managed that if it were a priority.