The question above for the most part, been reading up on it. Also want to it for learning purposes.
There’s a bunch of advantages. IPv6 can be useful since your devices can have the same IP both internally and externally. No dealing with port forwarding. No split horizon DNS (where you have different DNS entries for internal vs external). No NAT. No DHCP required for client systems (can just use SLAAC to auto-generate addresses). Much simpler routing. It’s a bit faster. Proper QoS.
I used to use Comcast, who actually have very good IPv6 support. They were the first major US ISP to roll out IPv6 to everyone, around 10 years ago. Unfortunately my current ISP doesn’t have IPv6, but they’re aiming to roll it out this year.
How does that work, having the same IP internally and externally?
A good ISP that supports IPv6 will give you a /64 range. That’s a huge number of IPs, 2^64. Easily enough for every device on your network to have a lot of public IPs. If you use Docker or VMs, you could give each one a public IPv6 address.
When every device on your network can have a public IP, there’s no longer a reason to have private IPs. Instead, you’d use firewall rules for internal-only stuff (ie allow access only if the source IP is in your IPv6 range).
This is how the internet used to work in the old days - universities would have a large IP range, and every computer on campus would have a public IP.
Of course, you’d still have a firewall on your router (and probably on your computers too) that blocks incoming connections for things you don’t want to expose publicly.
A good isp would give you something bigger than a /64 - /56 or /48. something that you can subnet.
wouldn’t /64 still leave you with 64 bits for you to do whatever? Ipv6 has a 128 bit address. If you can do subnets with a small usable portion of 32 bits, then you certainly can with a full 64 bits
The smallest recommended IPv6 subnet is /64. The biggest issue you will encounter is that SLAAC will refuse to work on anything smaller, and it just so happens that Android still doesn’t support DHCPv6 and will be left without a valid address.
Android still doesn’t support DHCPv6 and will be left without a valid address.
RFC 7934 explains their reasoning, though it’s not exactly an ironclad argument.
til. Thanks
Good point - I should have said “at least a /64 range”.
Definitely dual stack if you do. The real benefit of IPv6 is that, supposedly, each of your internal devices can have its own address and be directly accessible, but I don’t think anyone actually wants all of their internal network exposed to the internet. My ISP provides IPv6, but only a single /128 address, so everything still goes through NAT.
Setting it up was definitely a learning process - SLAAC vs DHCP; isc’s dhcpd uses all different keywords for 6 vs 4, you have to run 6 and 4 in separate processes. It’s definitely doable, but I think the main benefit is the knowledge you gain.
Your ISP is doing it wrong, which I guess you already know. I get a /64 net via DHCPv6 for my LAN which is pretty standard.
+1 to dual stack. Too much of the internet is v4 only, missing AAAA, or various other issues. I’ve also had weird issues where a Google/Nest speaker device would fail 50% of the time and other streaming devices act slow/funky. Now I know that means the V6 net is busted and usually I have to manually release/renew. Happens once every few months, but not in a predictable interval.
Security is different, but not worse IMO. It’s just a firewall and router instead of a NAT being added in. A misconfigured firewall or enabling UPnP is still a bad idea with potentially worse consequences.
Privacy OTOH is worse. It used to be that each device included a hardware MAC as part of a statelessly generated address. They fixed that on most devices. Still, each device in your house may end up with a long lived (at least as long as your WAN lease time) unique IP that is exposed to whatever sites you visit. So instead of a unique IP per household with IPv4 and NAT, it’s per network device. Tracking sites can differentiate multiple devices in the house across sites.
This has me thinking I need to investigate more on how often my device IPv6 (or WAN lease subnet) addresses change.
I get a fat /48 network, just in case I need one septillion, two hundred and eight sextillion, nine hundred and twenty-five quintillion, eight hundred and nineteen quadrillion, six hundred and fourteen trillion, six hundred and twenty-nine billion, one hundred and seventy-four million, seven hundred and six thousand and one hundred and seventy-six individual IPs.
IPV6 is pretty wild, we could effectively give every service connecting to every client, in every direction, for every single individual bit its own dedicated address without getting anywhere near using that address space.
Just wait until IoT takes off and every key on your keyboard has a unique address
And the biggest disadvantage of IPv6 is that each of your internal devices has its own address and can be directly accessible from outside. So you need to completely rethink how you do security.
And can be identified/tracked individually by outside entities. In IPv4, a website sees both my device and my kid’s device as the same IP. In IPv6 they’re different so this just provides more ways for them to track you.
That’s the reason for rcf 4941. It randomises the host part of your IPv6 address.
There’s another question: will we ever actually run out of IPv4 addresses, so that cloud providers and ISPs no longer offer them?
That’s already happened, which is why some ISPs use CGNAT. CGNAT is “carrier-grade NAT” which means the internet provider does NAT on their network.
Only having CGNAT with no IPv6 is a pain since you can’t do any port forwarding. It’s double-NAT which slows things down a bit (you use NAT on your network, then your ISP uses NAT on their network).
Some cloud providers also have IPv6-only servers for cheaper. IPv4 address are still available but the price to acquire them is significantly higher than it used to be.
Ah, I never encountered that. I see. Is it mostly in remote areas?
I’m all for IPv6, it’s just that there’s always something extra you have to do to set it up.
It’s really common in cellular connections as well as smaller regional ISPs. I work for a rural fiber co-op with about 50,000 members/customers and we do CGNAT for all our members by default because we only have about 36,000 IPs allocated to us. We also have full ipv6 support as well with every customer getting a /56.
To get a big enough block for all our enterprise/business/residential customers to do 1:1 NAT for ipv4 would probably require an entire /16 which costs somewhere in the neighborhood of 2 million dollars last I checked. And even then we would eventually run out because we are constantly expanding to cover rural areas that have been ignored for decades by the big ISPs. Right now if a member needs a static or routable we just charge 10$ a month, and we have enough in reserve for all our members to operating like this likely until the entire internet abandons ipv4.
Why do some ISPs charge a monthly fee and others a one off fee? I paid one off with my ISP several years ago for my static IPv4.
Honestly I don’t have a good answer for that. The ones who charge a one time fee are honestly being pretty generous (depending on the price you paid) considering there are yearly dues to ARIN/RIPE/APNIC/etc for IP allocations depending on their aggregate block size as well as the fact that IPs are generally very valuable right now, and go up in value depending on the block size.
If they have a legacy registration they also don’t have to pay those dues, though the downside is they don’t get the newer features like RPKI without signing a LRSA/RSA (and therefor paying those dues) and getting their routes certified. Usually doesn’t cause an issue as not many peers drop unvalidated BGP prefixes on IPv4.
That being said, if your ISP has been in the game for decades, they probably have owned their blocks for decades and got them for pennies on the dollar when ARIN and other registries were handing out IP addresses like candy. I know the last /24 my company had to buy cost us somewhere in the neighborhood of $14,000 when it was all said and done, and that was just for 256 IPs.
Eventually IPv4 addresses will become so prohibitively expensive, that is what will eventually push mass IPv6 adoption on the ASN side of things.
Thank you that was really informative. I paid <$50 for my IP address in 2015. My ISP has been around since 1990 so I suppose they may have been one of the lucky companies. Not sure if they do RPKI, first I’m learning of it. Maybe they’re cross subsidizing from other areas of the business. Their monthly fibre fee isn’t the most competitive but the service is reliable and haven’t had anything to complain about.
They are a little behind in speeds though. They only offer 900mbps asymmetrical max, while you can get 2, 4 and 8gbit in my area from other providers. I don’t need that kind of speed so I’m happy for now.
$50 one time is a great price. We charge our members $10 a month if they request a static. We’re also a not for profit coop, so all that money gets either dumped back into network infrastructure and expansion plans, or capital credits for our members.
deleted by creator
There aren’t many benefits from using IPv6 on LAN, as far as I can tell, unless you need more addresses than are available in the private address ranges.
And that point you’re not in a home, you’re in a data center lmao
I mean, if you have around 17 million containers running services, maybe.
@BaldProphet
What’s the smallest container around? How much RAM would that take?edit: FROM scratch let’s you run bare binaries on Docker.
Would be very interesting to see how far that could get. What sort of payload/task would be interesting for all those containers?
@Sandbag @bdonvrDoesn’t need to be a “traditional” container. Modulo noisy-neighbour issues, wasm sandboxing could potentially offer an order of magnitude better density (depending on what you’re running; this might be more suited to specific tasks than providing a substrate for a general-purpose conpute service).
@gedhrel
wasm sandboxes can take IPs? Regardless, if we’re just talking density, I can put multiple IPs on a single interface or create a ton of virtual interfaces. That’s boring, though.Yes. The sandbox gets whatever capabilities you expose to it.
No, I like living in my nat cocoon so I don’t have to worry as much about all the devices on my network. Jk it’s turned on, but I don’t usually enable it on devices
Because devices in your LAN will all be accessible from the internet with IPv6, you need to firewall every device.
It becomes more of a problem for IoT devices which you can’t really control. If you can, disable ipv6 for those.
Wait, ipv6 doesn’t require port forwarding to expose something to the internet?
Port forwarding is exclusively a NAT phenomenon.
In IPv6 every device should in theory have a public address - just like how every computer had a public IPv4 address back in the 1980s ~ 1990s.
However, most sensible routers will have a firewall setup by default that blocks all incoming connections for security reasons. You still need to add firewall rules.
This is correct. My router however doesn’t have that level of firewall. It’s either all allowed or nothing is.
It’s not necessary to firewall every device. Just like how your router can handle NAT, it should be able to handle stateful firewall too.
Mine blocks all incoming connections by default. I can add (IP, port range) entries to the whitelist if I need to host a service, it’s not really different to NAT port forwarding rules.
So even though the device has a public address, the route is through the firewall, hence the ability to filter traffic?
Right. Packets still have to go through your router, assuming that your router has firewall turned on, it goes like this:
-
Your router receives a packet.
-
It checks whether the packet is “expected” (a “related” packet) - by using connection tracking.
For example, if ComputerA had sent something to ServerX before, and now the packet received by router says “from ServerX to ComputerA”, then the packet is let through - surely, this packet is just a reply to ComputerA’s previous requests.
-
If step 2 fails - we know this is a new incoming packet. Possibly it comes from an attacker, which we don’t want. And so the router checks whether there is a rule that allows such a packet to go through (the assumption is that since you are explicitly allowing it, you know how to secure yourself.)
If I have setup a firewall rule that says “allow packets if their destination is ComputerB, TCP port 25565”, and the received packet matches this description, the router lets it through.
-
Finally, the packets that the router accepts from the previous steps are forwarded to the relevant LAN hosts.
I understand this part :) I use a fairly complex firewall at work though I only know bits and pieces from reading different manuals. I think the part I didn’t understand was how exactly the routing worked differently in IPv4 vs v6. I get that because NAT happens in IPv4, packets can’t be routed at all without the firewall/router but I wasn’t sure what was the mechanism by which v6 made sure that packets went through the router, especially when you have stuff like v6 DHCP relays.
Ah, I misunderstood your original comment, oops! But yes, IPv6 packets are routed just like IPv4 ones, just without the NAT’ing process i.e. the packet remains untouched the entire trip.
-
The argument for IPv6 that there could be a unique address for 200 devices for every person living on the planet was much more compelling when network security was a more simple space.
Nothing has changed about why that is compelling: NAT sucks and creates nothing but problems.
Network security is almost the same with IPv6.
If you rely on NAT as a security measure you are just very bad at networking.
I mean that, when IPv6 started filtering out to non-specialists, network security wasn’t nearly as complex, and nor was the frequency of escalation what it is today. Back when IPv6 was new(ish), there weren’t widespread botnets exploiting newly discovered vulnerabilities every week. The idea of maintaining a personal network of internet-accessible devices was reasonable. Now maintaining the security of a dozen different devices with different OSes is a full time job.
Firewalling off subnets and limitting the access to apps through a secured gateway of reverse proxies is bot bad networking. That’s all a NAT is, and reducing your attack surface is good strategy.
Haha, no not really. IPv6 has the ability to provide public IP address for each device, but that doesn’t mean it will have to. Other than number of possible addresses, nothing is different. Routing, firewalls, NATs, etc. All remains the same.
IPv6 doesn’t support NAT… Or am I woefully out of date.
But your home router will just firewall like it does already but you don’t have NAT as a simple fall back for “security”. It does make running internal services much easier as you no long need to port forward. So you can run two webservers on port 80 and they be bother allowed inbound without doing horrible load balance or NAT translation.
Ipv6 doesn’t need NAT
The router does have a firewall but it blocks everything inbound by default. Some routers (at least mine) do not offer the granularity to filter traffic for certain devices (no NAT either). It’s either allow all in or nothing.
When you enable IPv6 and switch off the firewall (since you can’t host anything otherwise), every device becomes exposed to the internet.
Then unless the devices have a firewall themselves, all is exposed. Not just the web services, ssh and the rest as well.
There was a way around it however but not something everyone will be able to do with their home router. I had to ssh to the router using ISP admin credentials leaked on the internet, then create a file in init.d that loads a custom iptables file with the firewall rules I needed for IPv6. NAT for IPv6 however was not supported by the kennel used for my router.
IPv6 has NPTv6, which allows you to translate from one prefix into another.
Useful if you’ve got dual WAN, and can’t advertise your own addressing via the ISP. You can use NPTv6 to translate between your local prefix and the public prefixes. But NPTv6 is completely stateless. It’s literally a 1:1 mapping between the prefixes.
TIL. Thanks!
